Privacy Policy
Overview
Intentsify, LLC, its subsidiaries, partners and affiliates (collectively, “Intentsify”, or “we”, “us”, “our”) respect your privacy. This Privacy Policy details the information we may collect through registration forms, resource libraries, advertising units, widgets, web sites and web pages, whether accessed via computer, mobile or tablet device, or other technology (collectively, the “Service”), collection and licensing of data through third parties we work with, and how such information may be used and/or shared with others, how we safeguard it, and your choices in controlling its use in connection with our marketing activities.
Update:
Intentsify is 100% Can-Spam Compliant
Intentsify has a zero tolerance spam policy. Any partner or publisher found to be using Intentsify promotional offers for spam will be immediately cut-off from use of the product. If you know of or suspect any violators, please notify us immediately at: marc.laplante@intentsify.io
Data Collection
Our purpose in collecting information is to help us provide you with better service, such as notifications about special offers and promotions, or other relevant content delivered through targeted advertising. The Intentsify.io website may also collect a recipient’s email address to help you to initiate and email the recipient you have selected. The recipient may contact us at: marc.laplante@intentsify.io to request that we remove this information.
How We Use the Information We Collect
Intentsify may use the information we obtain, license and collect about and from you for a number of business purposes, including for example, to: better tailor website and promotional content to visitor interests; verify your profile information; deliver targeted advertising; inform our partners of your business-related interests; improve the Service for internal business purposes; help our advertising partners better understand the audience they are reaching; and for purposes we disclose at the time you provide your Personal Information.
Cookies/Tracking Technologies
We and our publishing partners, affiliates, or analytics or service providers, use technologies such as cookies, beacons, tags, and scripts, to analyze trends, administer the website, tracking users’ movements around the website, and to gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual and compiled basis. As to information submitted to, through or on our website, we may likewise use service providers to host content, host or implement blogs and forums, or conduct data and marketing analytics with respect to information captured.
Intentsify may use a variety of technologies, including that automatically or passively collect information from your computer, mobile device or other technology when you are visiting a Intentsify or partner website or on a 3rd party’s behalf when we serve advertisements and store it in log files. Information collected may include data such as your IP address, browser type, operating system, your responses to advertisements delivered by us, date and time, referring URLs and other information normally transmitted in HTTP requests (“Usage Information”). This information may be associated with business profile information about you, such as your industry, company size, and job title. The purpose of this information is to keep the Service updated and interesting to our users and tailor content to each individual’s interests.
A cookie is a small text file stored on a user’s device containing information about the user. We may use cookies to reduce registration fields so that you can receive free content more easily, deliver targeted advertising, or understand your interests and focus areas of research. We believe this enables us to provide users with a more meaningful online experience.
We use Local Storage Objects (LSOs) such as Flash to store content information and preferences. Various browsers may offer their own management tools for removing HTML5 LSOs. Third parties with whom we partner to provide certain features on our site based upon your Web browsing activity use LSOs such as HTML 5 and Flash to collect and store information.
Advertising/Behavioral Targeting; How to Opt-Out
We may use third-party vendors to enhance the Service (e.g. for purposes of retargeting). When you opt out of the Service, Intentsify will no longer use or share any of your Personal or anonymous Usage Information, unless you recently submitted Personal Information (within last 30 days) in order to access free content, in which case only the Content Provider associated with the content you recently acquired will have access to your information.
When you opt out of the Service, we place a cookie on or otherwise identify your browser or device (and/or employ similar technology) to prevent future collection of Usage Information. Opting out of the Service is not the same as blocking cookies. When you opt out of Intentsify’s Service, we will place a special Intentsify cookie on (or otherwise identify) your device or browser in a way that informs our systems not to record information related to your business research activities. If you browse the web from multiple devices or browsers, you will need to opt out from each device or browser to ensure that we prevent personalization tracking on all of them. For the same reason, if you procure a new device, change browsers or delete the Intentsify opt out cookie (or clear all cookies), you will need to perform this opt-out task again.
Disabling Cookies
If you would prefer not to accept cookies, you can:
- change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; or
- set your browser to automatically not accept any cookies
Please note, however, that cookies are used for a variety of reasons, not just marketing-related, so this may adversely impact your online experience.
Service Providers
We may engage companies that provide services to help us with our business activities such as our blog and career pages. These companies are authorized to use your personal information only as necessary to provide these services to us.
Sharing of Information
Except as denoted in this Privacy Policy, we may share information such as compiled demographics, user statistics, interest categories, and Usage Information with third parties. We may combine your Usage Information with those of other users of the Service in order to share trend information with third parties, always in compiled form. We may compile Usage Information associated with your Personal Information into business-related research events, which include the form of engagement and content type, topics derived from the content of the event, and date/timestamp of when the event occurred, always in anonymous form. An interest event may be, for example, the downloading of a whitepaper on cloud computing, or clicking on an advertisement related to SSL certificates.
We may also disclose your personal information as required by law, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
Updating Personal Information
If you wish to verify, correct, or update your Personal Information collected through the Service, you may contact us at marc.laplante@intentsify.io. We will respond to your request within a reasonable timeframe. In accordance with our routine record keeping, we may delete certain records that contain Personal Information you have submitted through the Service. We are under no obligation to store such Personal Information indefinitely and disclaim any liability arising out of, or related to, the destruction of such Personal Information. We will retain your information for as long as your account is active or as needed to provide you the Service. If you wish to cancel your account or request that we no longer use your information to provide the Service, contact us at marc.laplante@intentsify.io. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. In addition, you should be aware that it is not always possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons.
Data Security Precautions & Retention
Intentsify takes precautions to protect data and information under its control from misuse, loss or alteration. Intentsify’s security measures include industry-standard technology and equipment to help protect your information, and Intentsify maintains security measures to allow only the appropriate personnel and contractors access to your information. Unfortunately, no system can ensure complete security, and Intentsify disclaims any liability resulting from use of the Service or from third party hacking events or intrusions.
Other Websites
The Service may contain links to, or integrations with other sites that Intentsify does not own or operate. This includes links from customers and partners that may use the Intentsify logo in a co-branding agreement, or websites and web services that we work with in order to provide the Service. Intentsify does not control, nor is Intentsify responsible for these sites or services, or their content, products, services, privacy policies or practices. If you submit Personal Information on a web site using the Service, you are choosing to disclose information to both Intentsify and the third party with whose brand the website is associated. This Privacy Policy only governs Intentsify’s use of your information. The third party’s use of that Personal Information is governed by the partner’s privacy policy, and not by this Privacy Policy.
Business Sale
As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, or a sale of our significant assets, we reserve the right to include any information we have among the assets transferred to the acquiring company.
Children
Intentsify does not knowingly collect Personal or Usage Information from children under the age of 13 through https://www.intentsify.io nor from any of our affiliates and partners. If you are under 13, please do not give us any Personal Information, and do not provide Personal Information to any website or web service without consulting your parent or guardian. If you have reason to believe that a child under the age of 13 has provided Personal Information to Intentsify, please contact us, and we will seek to delete that information from our database.
Consent to Processing and Transfer of Information
The Service and the servers and facilities that maintain the data we hold, are operated in the United States. Given that we are an international business, our use of your information necessarily involves the transmission of data on an international basis. If you are located in the European Union, Canada or elsewhere outside of the United States, please be aware that information we collect may be transferred to and processed in the United States. By using the Service, or providing us with any information, you consent to the collection, processing, maintenance and transfer of such information in and to the United States and other applicable territories in which the privacy laws may not be as comprehensive as or equivalent to those in the country where you reside and/or are a citizen.
Social Media Widgets
Our website includes Social Media Features, such as the Facebook Like button, and Widgets, such as the Share This button or interactive mini-programs that run on our website. These Features may collect your Internet protocol address, which page you are visiting on our website, and may set a cookie to enable the Feature to function properly. Social Media Features and Widgets are either hosted by a third party or hosted directly on our website. Your interactions with these Features are governed by the privacy statement of the company providing it.
Blogs
Our website offers publicly accessible blogs. You should be aware that any information you provide in these areas may be read, collected, and used by others who access them. To request removal of your personal information from our blog or community forum, contact us at marc.laplante@intentsify.io. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
Changes to our Privacy Policy
Please note, we may modify information presented via the Service and/or this Privacy Policy from time to time without prior notice to you, and any changes will be effective immediately upon the posting of the revised Privacy Policy. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. You are encouraged to periodically revisit the Intentsify Privacy Policy to see if it has been updated. We will always show the date of the latest modification date of the Privacy Policy at the top of the page so you can tell when it has last been revised.
Intentsify Services
Intentsify also collects information under the direction of any one of its Clients, in which case it collects cookie identifiers from the individuals. If you are a customer of one of any one of our Clients and would no longer like to be contacted by our Client that uses our Service, please contact the Client that you interact with directly. We may transfer personal information to companies that help us provide our Service. Transfers to subsequent third parties are covered by the service agreements with our Clients.
An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct his query to the Intentsify’s Client (the data controller). If requested to remove data we will respond within a reasonable time frame.
We will retain that personal information for as long as needed to provide services to any one of our Clients or as otherwise authorized, directed or permissioned by our Clients. In addition, Intentsify will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Contact Us
We regularly review our compliance with this Privacy Policy. Questions, comments and requests regarding this Privacy Policy are welcomed and should be addressed to: marc.laplante@intentsify.io or by mail to 1000 Franklin Village Drive, Suite 102, Franklin, MA 02038
UPDATE:
GDPR Code of Conduct for Intentsify
PART A: General
1. Applicability
This Document is the current operational version of the GDPR Compliance policy effective from September 12, 2018 and applies to activities of Intentsify LLC.
2. Introduction
The Core activity of Intentsify LLC is to provide support to its customers in marketing B2B products by generating effective leads from the target markets.
The Lead generation is done through intelligent market research collecting relevant data to identify reliable purchase intent of corporates through different channels including through business partners using relevant technology in web marketing, E mail marketing and Telemarketing.
In the process of these activities, Intentsify acts as an intermediary who adds value to the B2B marketing chain. The campaign information is provided by the Customers which are fine-tuned and converted into campaign materials for distribution to the potential market space.
The distribution to the end target customers by placement of the campaign materials in relevant media is done through external publishers who generate leads. A part of the leads are generated by in-house publishing activity and use of innovative corporate intent marketing tools developed by the R&D team of INTENTSIFY.
The leads generated by the publishers are intelligently filtered to improve their quality and converted into actionable marketing targets before being passed on to the customers.
INTENTSIFY has developed proprietary products, processes and information generation system which includes development of reliable vendors and trained manpower, which together reflect the value proposition that INTENTSIFY brings to the B2B marketing eco system across the globe. Sustaining and nurturing this expertise and using it for harnessing commercial opportunities represents a legitimate interest of the Intentsify Group.
This Code of GDPR Compliance adopted by INTENTSIFY declares that INTENTSIFY is committed to the concept of “Privacy as a fundamental right of a citizen of a democratic society” across the globe and in good faith shall implement all the Privacy principles mandated under GDPR where it is applicable.
INTENTSIFY however discloses that it is its legitimate interest that it carries on a legitimate business operation across the globe as a B2B market intermediary and it is the democratic right of INTENTSIFY to carry on its business in good faith without being in conflict with the rights of the individual natural persons whose Privacy is sought to be protected under GDPR.
INTENTSIFY also discloses that its business model requires collection of only the Data of business entities which are outside the purview of GDPR and Business Contact data which is not personal data per-se but may include personally identifiable information in part but does not include personal data of children and Personal data that is classified as “Special categories” under GDPR.
3. GDPR Exposure
Intentsify Group is basically a “B2B marketing intermediary” which operates across the globe generating marketing leads and servicing clients in many countries. INTENTSIFY does not operate in the consumer market and hence does not either directly or indirectly collect personal information of EU data subjects. The data that INTENTSIFY collects is generally in the category of Business Contact Data of corporate employees which inter-alia contains the name, the work e-mail and work phone number.
A part of B2B marketing leads are generated in the EU countries and in UK. Some of the Customers located in EU/UK may also avail the services of INTENTSIFY. Currently a majority of interactions with Customers is in US and a majority of interactions with Lead Generating business partners are in India.
The GDPR exposure of INTENTSIFY is therefore recognized when Business Contact Data is collected from business organizations operating in EU/UK regions.
4. Approach to GDPR Compliance
In order to enable application of as stringent a norm as feasible to the processing of Data which is exposed to GDPR Compliance Risk, INTENTSIFY adopts a policy to treat GDPR Sensitive Data (GSD) as “Sensitive Data” flowing through the INTENTSIFY’s resources by tagging the incoming data with a suitable tag to classify it as GSD where applicable.
ThePrivacy protection of data subjects and Security of information related to Privacy protection in respect of the GSD tagged data is factored into the design of the support structure.
Though data is processed in specific locations and the technical infrastructure for processing GSD are located in such specified locations, an enterprise level GDPR awareness has been created and will continue to be pursued so that the principles of this GDPR Code of Conduct percolates to the entire organization beyond GSD processing to include the Marketing, Financial, and Managerial functions which may be located in different locations with their own technical and administrative infrastructure.
In order to effectively implement the security for the entire data processing infrastructure, the Company has adopted a comprehensive information security policy which includes multiple sub policies regarding data access, processing storage, transmission etc.
5. Privacy Commitment
INTENTSIFY recognizes that “Privacy” is an important democratic right in the civil society. As a responsible corporate entity, INTENTSIFY is committed to protection of Privacy of all individual natural persons whose personal data comes into the corporate data repository for processing.
In view of the presence of Customers in EU/UK and the monitoring of activities of corporate employees residing in EU/UK, INTENTSIFY has chosen to adopt GDPR Compliance standards towards protection of Privacy of all natural persons who may interact with the Group even where such interaction is only in their capacity as employees of different business entities pursuing the business objectives of their respective business organizations.
6. Legitimate Interest
The Core activity of INTENTSIFY involves processing of data related to purchase of different products for corporate use. The activity spectrum includes Collection, Aggregation, Analysis, Segmentation and intent monitoring. In the process of such processing, INTENTSIFY adds value to the raw data that is collected from the business environment and converts it into value added business decision aiding information.
The Raw Data collected is recognized as data belonging to the data subject and to which the Data Subject’s rights under GDPR is applicable. The value addition to the data that occurs during the process arises out of the proprietary data processing capabilities of INTENTSIFY on which INTENTSIFY has a certain level of Intellectual Property Right claim.
If any data has been pseudonymized, the value added pseudonymized data shall be considered as data on which INTENTSIFY has legitimate interest to use for further research. Non Pseudonymized data even in the value added state is subject to the exercise of Data Subject’s rights such as Access, Rectification, Restriction, Portability and Erasure. Pseudonymized data if any will not be classified as GDPR sensitive.
INTENTSIFY possesses a legitimate business interest as recognized under Article 6(1)(f) of the EU GDPR regulations, in the collection and processing of Business related data such as firmographics and Business Contact data of decision making officials in the business entities
Also, the business of INTENTSIFY involves operations within and outside EU countries and hence is exposed to statutory obligations of different countries related to Data Processing as well as other laws applicable to business in general and IT related activities in particular, as envisaged under Article 6(1)(c) of the EU GDPR regulations.
Further INTENTSIFY has adopted business practices for lawful processing incorporating the principles of EU GDPR as enunciated under Article 6, including obtaining informed explicit consent where required and adhering to the requirements of contractual obligations with the data subjects if any.
The policies of INTENTSIFY on Privacy and Data Protection are therefore structured with specific Privacy and Information Security controls that address the issue of identifying GDPR sensitive data at the stage of its origin and entry into the INTENTSIFY system and tagging them throughout its life cycle of processing.
7. Expanding the Scope of Compliance to the Data Processing Eco-system
Further, keeping the legislative intent of protecting the fundamental right to privacy of individuals, enunciated under EU GDPR, appropriate Technical and Organizational/Administrative controls are maintained to ensure that all down stream business associates who may have access to GDPR sensitive data for processing on behalf of INTENTSIFY are also GDPR compliant.
INTENTSIFY recognizes that in most part of its operations, it is not a “Data Controller” but is a “Data Processor” for the purpose of GDPR. It may assume the role of a “Joint Controller” when it uses the services of sub-contractors for any part of its processing.
Keeping these roles in view, INTENTSIFY’s policies and controls are structured to ensure GDPR compliance, including maintenance of appropriate Technical and Organizational/Administrative controls to keep itself duly informed about the GDPR compliance activities of its business partners and also sharing with them INTENTSIFY’s own GDPR Compliance measures as may be necessary.
8. Limitations of this Document
The Following paragraphs provides the umbrella policy of INTENTSIFY for GDPR compliance at the Corporate level highlighting the approach of INTENTSIFY on achieving a satisfactory level of compliance of GDPR principles in its operations.
This policy document is meant for limited sharing with stake holders including business entities outside the INTENTSIFY and hence excludes proprietary information on the processing where it is essential to protect the Intellectual Property of the organization.
Any request for disclosure of information beyond what is stated here will be addressed under the Data Disclosure Policy of INTENTSIFY and such requests may be directed to the Privacy Manager through a non repudiable authenticated e-mail.
Part B: Specific Policy Outlines
9. Assigned Responsibility
INTENTSIFY has designated Privacy Manager who will be the contact person to handle all Data Subjects requests and complaints. Considering the current level of risk exposure to GDPR sensitive data in the INTENTSIFY, it is considered that the core activity of INTENTSIFY does not involve a large scale and systematic monitoring of EU data subjects nor offering of any services to individuals in EU and hence there is no requirement to designate a “Data Protection Officer” as envisaged under GDPR.
An Information Security Governance Committee (ISGC) will be overall in charge of Information Security including GDPR compliance. It will be the apex policy making body of the INTENTSIFY group responsible for laying down all information security policies including GDPR policy and will monitor the need to designate any person or a consultant as Data Protection Officer in due course.
10. Data Classification
Intentsify is not involved in marketing to any individual natural persons and hence does not normally collect personally identifiable data coming under the regulatory provisions of GDPR. However all potentially identifiable personal data such as e-mail address and phone number of an employee of an organization is classified as “GDPR Sensitive” if the business unit or the employee is known to be located in EU/UK.
Accordingly, the entire Business contact data set associated with a physical location address in EU/UK is identified as GDPR Sensitive Data (GSD) and tagged during further processing within the organization.
In the absence of the physical location information of the data subject, the physical location of the associated business organization would be considered relevant.
11. Data Audit
Once before September 12, 2018 and thereafter at monthly intervals or as otherwise determined by the ISGC, stored data sets will be verified to locate any GSD and verify the compliance requirements associated with it such as whether the data needs to be archived, deleted or otherwise specially secured.
Any GSD data set not accompanied by an appropriate “Consent” or “Legitimate Interest Note” will be recommended for deletion.
On confirmation, such data will be forensically deleted.
12. GDPR Impact Assessment
A GDPR Gap assessment has been undertaken and corrective action has been implemented as required before September 12, 2018. After September 12, 2018, a Data Protection Impact Assessment ( DPIA) will be undertaken whenever a significant new project is undertaken as and when the ISGC identifies the necessity.
13. New Business Acceptance Policy
On or after September 12, 2018 all new business commitments involving processing of data will be subject to the approval of the ISGC with a specific GDPR Impact Assessment note submitted from DPO in consultation with the Technical team in charge of the processing.
14. GSD Data Storage Policy
GSD shall be stored in systems which are accessed only by designated persons on a strict “Need To Know Basis”.
Every GSD set shall be tagged with the Data Controller from whom it was sourced and who is responsible for the collection of the data under a consent or contract.
Any specific restrictions associated with such data set shall also be tagged with the data set.
The Data storage shall enable individual data set to be located and processed for execution of any Data Subject’s rights such as request for data rectification, data portability, data erasure or data access at any time during its life cycle.
15. GSD Data Access Policy
GSD shall be accessed as per the Access Control policy which ensures that each GSD data set shall have specific access parameters which defines who can access the data and how they access the data.
Only those who are designated as GSD work force shall be allowed access to the GSD data set.
Use of access parameters such as Passwords shall be defined with a degree of complexity and uniqueness as may be required and supplemented with Encryption and Machine ID tags so that GSD data may be accessed only from specific hardware which are assigned to authorized GSD work force.
Where data storage is on the cloud, only GDPR compliant cloud services shall be used along with additional controls as may be required in ensuring that data at storage and transit shall be protected from unauthorized access.
Project specific GSD shall be stored in such a manner that only employees associated with a given project get access to the data. Cross project access shall be regulated on a need basis.
16.GSD Data Retention Policy
GSD shall be retained in active process environment only for the minimal period for which it is required for processing.
Thereafter, the data shall be archived securely as per the requirement identified under legitimate interest for example until the project billing cycle is complete.
Subsequently, data shall be continued in secure archiving or destroyed as per the identified legitimate interest requirements of the Company.
A monthly review of archived data shall be undertaken to identify data that is no longer required which shall be referred to ISGC for disposal instructions.
Legal obligations on data retention which may arise due to any overlapping legislations shall be factored into the legitimate interest assessment.
17. GSD Data Disclosure Policy
Any request for disclosure of GSD shall ordinarily be received only from the source Data Controller.
It is recognized that requests received directly from the data subjects are subject to phishing risk and such requests if any shall be referred to the corresponding Data Controller who collected the data from the data subject under a consent or contract that may exist between them.
The data to be disclosed shall be sent only to the Data Controller for onward transmission to the Data subject after properly authenticating the identity of the representative of the Data Controller who makes the request.
In exceptional circumstances where data needs to be disclosed directly either to a data subject or his authorized representative or a law enforcement authority, adequate authentication of the identity of the person making the request shall be ensured.
All data disclosure requests are to be approved by the ISGC before release of the data and the request as well as the assessment documents shall be considered as required GDPR compliance documentation.
18. GSD Data Incident Management Policy
An “Incident” under this code shall be any observation that has the potential to indicate that GSD compliance code or any policies or procedures there under has been violated whether or not any data is suspected to have been compromised.
A whistleblower’s policy may be used to ensure that incidents are reported promptly by any observer either within the Company or outside.
Any such incident which comes to the knowledge of INTENTSIFY shall be logged in a GSD Incident Management Register and referred to the DPO for immediate action.
The DPO shall review the incident report and take immediate steps to resolve the incident and also to report the incident to the ISGC.
The ISGC will convene a meeting expeditiously and evaluate the incident to identify if it involves any suspected data breach.
Where necessary, ISGC may order an immediate techno legal audit of for a risk assessment of the incident. Based on the risk assessment ISGC shall decide the need for further action including sending a data breach notification to the Data Controller associated with the Data.
An incident where GSD has been accessed by another employee of the organization is considered as a Security Incident and not necessarily a “Breach”. However such incidents shall be investigated as to the cause of unauthorized access and if it is an unintentional accidental access it may be resolved with a suitable internal disciplinary action as per the HR policy.
If data has not moved out or accessed by an outsider, the incident may be classified as an internal data accident not amounting to a breach.
In the event the access or data moved out is known to be in encrypted form and was in a state in which it was undecipherable by the recipient, subject to suitable internal investigation as to the security of the associated decryption key, the access may be classified as an internal data accident not amounting to a breach.
19. GSD Data breach Notification Policy
A “Data Breach” incident is an incident in which INTENTSIFY has after necessary investigation, come to the knowledge that access to any specific data set under GSD has been compromised and an external entity has come to access or send out a GSD set.
Such data breach incident shall be immediately reported to the ISGC which shall without further delay notify the Data Controller associated with the data set along with relevant details of the incident.
Such report shall specify the nature and extent of the breach, time and data of the breach, the details of the affected data subjects, action taken on the noticing of the breach etc.
Where necessary the data breach may be also reported to a supervisory authority.
20. GSD Data Subject’s Rights Management policy
The INTENTSIFY data processing system has incorporated “Privacy and Security by design” so as to enable compliance of GDPR requirements particularly in respect of the Rights of the Data Subject provided under GDPR.
In order to meet these rights of the data subject such as “Access”, “Rectification”, “Erasure”, “Portability” and Right to impose “Restrictions”, INTENTSIFY has enabled its GSD storage and access systems in such a manner that a data set belonging to a specified data subject may be extracted separately and processed.
The system has therefore been designed to be compliant to the most stringent requirements of GDPR.
Whenever a request for exercising of such rights is received from a Data Subject, as per the Data disclosure policy, the request is first validated and then in case the data has been received from a Data Controller, the data controller would be requested to confirm the data disclosure.
Ordinarily the request is processed in communication with the data controller and if it is to be ported, it is returned back to the data controller.
In exceptional circumstances where INTENTSIFY has to handle the request of a data subject without the cooperation of the data controller, appropriate precautions will be taken to prevent a wrongful disclosure since it would be in the legitimate interest of INTENTSIFY to be indemnified against any possible wrongful disclosure.
21. GSD Data Transmission Policy
GSD data may ordinarily flow into the system through an application interface (API). The access to the interface is through secure password access system augmented with a suitable second factor authentication where significant GSD risk is identified.
The data transmission is on an encryption basis subject to management of transmission security covering known vulnerabilities.
The application itself along with its inherent storage and processing elements and the API are secured against unauthorized access and malicious attacks by an appropriate malware and secured access management system
Where GSD set is transmitted to the Customer or Sub contractor also, the transmission is managed through encrypted communication channels either through an API or an encrypted e-Mail.
22. GSD Marketing use Policy
When INTENTSIFY uses GSD for any marketing purpose either through E Mail or Telecalling or otherwise, care is taken to ensure that there is an appropriate consent or contract to enable such communication.
INTENTSIFY also insists that its partners both the lead generators, sub contracting processors and customers do not use the GSD except as per the available permissions.
Where an unambiguous consent is not available, no business contact data is collected from the lead generators or passed onto the customers or processed through the sub contractors.
Such data is killed at the first instance when it enters the INTENTSIFY system and identified as a “GSD without proper processing consent”.
23. GSD Consent Policy
All information classified as GSD by virtue of the data subject being located in EU/UK or his/her employer being located in EU/UK shall be accepted only if the data subject has provided an explicit consent based on the format as required under GDPR.
In the pre-GDPR scenario, such consents had been generally collected under the principles of Personal data processing which included a Privacy Notice. Such Privacy Notice indicated what information was being collected, the purpose of collection, the time for which it would be retained, how it would be secured, whether the information was accurate, whether it would be transferred out of EU for processing etc., Some of the consents were based on the “Opt-in” principle as a default setting.
Under GDPR, it is essential that personal data is collected only on the basis of an Explicit Consent where “Opt-Out” is the default option and only on the basis of an affirmative action indicating acceptance, the consent would be accepted.
Additionally, the Privacy notice should also indicate that the Data subject has certain rights such as “Right to be informed of the identity of downstream processors”, “Right to access and rectification”, “Right to Portability and Erasure”.
In view of the new requirements, all consents obtained in the pre-GDPR format shall be considered as invalid and such data would be discarded by INTENTSIFY.
External Publishers who generate Leads for INTENTSIFY shall confirm through their contracts that they would provide only leads generated with the new form of consent in case the data subject is located in EU/UK.
24. GSD Stakeholder Communication Policy
INTENTSIFY operates through many external organizations who are stake holders in INTENTSIFY GDPR compliance program. Such organizations includes its Customers, Lead Generators, Sub-Contractors etc.
For effective compliance, no GSD data should be exchanged in any communication with the stake holders except through secure transmission and to authorized representatives only.
While the communication through API is controlled by the access policy, any other communication through e-mail should be controlled with an E Mail Communication policy.
Essentially an E Mail Communication policy shall define that sharing of any GSD or GDPR compliance information with a stake holder shall be only through a notified contact e-mail address who will be in most cases the DPO of the other organization,
Where necessary the E Mail communication may be encrypted and authenticated with a digital signature.
25. GSD Legitimate Interest identification Policy
INTENTSIFY recognizes that certain rights of the data subjects such as Data Erasure or Data Rectification could be in conflict with the legitimate interest requirements of INTENTSIFY or may be in conflict with the data retention laws which may be otherwise applicable for the data in view of other legislatory obligations.
In call cases of Data Subject’s Rights being implemented, INTENTSIFY would evaluate the request before taking further action. In the event INTENTSIFY recognizes a need to refuse the request or modify it for acceptance, the reasons would be documented and a GSD Legitimate interest note would be developed by the ISGC.
Where the data is not required to be active, it may be archived securely until the legitimate interest expires.
The reasons for exercising legitimate interest argument for processing the data subject’s request shall be conveyed to the Data Controller who is responsible for the Data Subject for onward transmission to the data subject.
26. GSD People Management Policy
GSD will be considered as a data set that requires exclusive and special attention in terms of information security while it is in the custody of INTENTSIFY.
Hence, GSD would be suitably tagged and processed on a need to know basis by a specially trained set of employees.
These employees and the systems in which GSD would be stored, accessed and processed would be managed securely considering the level of risk that is associated with GSD.
Assignment of people to this GSD processing and their removal shall be managed with the appropriate security measures including a higher level of back ground verification, training, physical access identities, sanction policies etc.
The HR policies need to be appropriately upgraded for the GSD workforce as may be required.
27. GSD Pseudonymization Policy
It is recognized that Pseudonymization is a strategy to reduce the risks in the processing of GSD.
Pseudonymized personal data is not considered as “Personal Data” for the purpose of GDPR regulation provided the Pseudonymization process is adequately structured.
In view of the current level of exposure of its operations to the GDPR Risks INTENTSIFY has not considered it necessary at present to use Pseudonymization as a strategy for risk mitigation.
28. GSD DRP-BCP Policy
INTENTSIFY recognizes the importance of an effective Disaster Recovery and Business Continuity plan for its operations including the operations involving GSD processing.
INTENTSIFY will maintain adequate back up of GSD data and reasonable ability to maintain Business Continuity in case of any contingency.
29. GSD Compliance Documentation Policy
The measures of GDPR compliance shall be documented so that they would be available for review.
The Compliance documentation shall be retained for a minimum period of 6 years since its creation.
In the event any document is a potential evidence for law enforcement requirements or for defending the legitimate interest of INTENTSIFY, such document would be retained as long as the requirement persists.
30. GSD Audit policy
An Internal Security audit team of INTENTSIFY shall audit the information assets of INTENTSIFY at least once in an year to assess the level of security and compliance to GDPR and other regulatory requirements.
External audits may be considered on the basis of an assessment by the ISGC whenever a substantial change in business profile occurs.
INTENTSIFY reserves the right to conduct an audit of the facilities of any of its sub-contractors to ensure compliance as per the contractual obligations.
INTENTSIFY however recognizes that the empowerment to audit a sub contractor’s facilities is an enablement and shall be used only under exceptional circumstances. This does not reduce the responsibility of the sub contractor to meet the compliance requirements at their end as per the contractual assurances provided.
31. GSD Grievance Redressal Policy
INTENTSIFY will provide a multi level Grievance redressal policy to redress disputes if any with any data subject. Such grievances will be addressed by the DPO at the first level, the ISGC at the second level and an Online Dispute Resolution Committee set up for the purpose by the Board at the third level.
Any queries from a GDPR supervisory authority shall be handled by the DPO and escalated to the ISGC where required.
Any disputes with the Customers, Publishers or Sub Contractors shall be handled as per the respective contractual agreements.
32. Network Security Policy
In order to ensure that the IT infrastructure used by the Company is secure, INTENTSIFY shall adopt a robust information security policy inclusive of Firewalls, Intrusion Detection Systems, Malware Prevention system and System Patching etc as required.
A designated Information Security Manager shall be responsible for maintenance of Network security.
Designated Contact
Until further notice, Mr Marc Laplante, located at the Intentsify LLC, US office, is the designated Privacy Manager and he would be available at marc.laplante@intentsify.io
P.S: This Code is subject to revision from time to time.