Last Updated: June 30, 2020
ConvertKit is a United States limited liability company subject to the laws of the United States. The United States may not offer a level of privacy protection as great as that offered in other jurisdictions. Since our servers are located in the United States, your data may be transferred to, stored, or processed in the United States. By using our Services, you understand and consent to the collection, storage, processing, and transfer of your data to our facilities in the United States and those third parties we share your data with as described in this Policy and our Terms of Service Agreement.
a. Customer: a person or entity that is registered with ConvertKit to use the Services.
b. Distribution List: a list of Subscribers and all data related to those Subscribers.
c. Personal Data: any information relating to an identified or identifiable natural person.
d. Subscriber: any person or entity on your Distribution List.
e. You: a ConvertKit Customer or other person or entity who visits our Services.
2. INFORMATION WE COLLECT ABOUT YOU
The Services collects two kinds of information about you: (a) Personal Data; and (b) Non-Personal Data.
a. Personal Data. Personal Data is any information relating to an identified or identifiable natural person. Personal Data we may collect includes:
i. Identification and Contact Data: name, date of birth, gender, address, title, contact details, username, or other demographic information;
ii. Financial Information: credit card details, account details, payment information;
iii. Employment Details: employer, job, title, geographic location, area of responsibility;
iv. IT Information: IP address, cookie data; and
v. Personal Interests or Preferences: purchase history, social media profile information.
You may decline to provide Personal Data to the Services. However, some of the Personal Data we ask you to provide is mandatory for a service. If you decline to provide it, we may not be able to provide that service to you.
b. Non-Personal Data. Non-Personal Data is any information not relating to an identified or identifiable natural person. Non-Personal Data we may collect includes:
i. Browser and Device Data: IP address, device type, unique user device number, device manufacturer and model, type of browser or operating system, dates and times of use, screen resolution, plug- ins, add-ons, location, and the version of the Services you are using.
ii. Cookies and Tracking Technologies: time spent on the Services, pages visited, and email campaign performance.
iii. Aggregate Information: data about how you use the Services combined with data about how others use the Services in order to help us better develop new features and tailor the Services.
3. HOW WE USE YOUR INFORMATION
a. Personal Data. We may use your Personal Data to:
i. Provide the Services;
ii. Resolve disputes, calculate and collect fees, and troubleshoot problems;
iii. Verify your identity and the information you provide;
iv. Encourage a safe online experience and enforce our policies;
v. Customize your experience and analyze usage of, improve and measure interest in, and inform you about the Services;
vi. Provide you with information that may affect your use of the Services;
vii. Communicate marketing and promotional offers;
viii. Provide customer service, including receipts;
ix. Develop new products; and
x. Perform certain other business activities.
b. Non-Personal Data. We may use your Non-Personal Data for any purpose, including, but not limited to:
i. Measuring traffic patterns;
ii. Understanding demographics, customer interest, and other trends among users;
iii. Providing, improving, and modifying the Services; and
iv. For promotional and marketing purposes.
4. HOW WE MAY DISCLOSE YOUR INFORMATION
a. Personal Data. We may disclose, and you consent to our disclosing of, your Personal Data to:
i. Service Providers and others who help with our business operations and assist in the delivery of our products and services including, but not limited to, application development, site hosting, maintenance, data analysis, infrastructure provision, IT services, customer service, email delivery services, payment processing, marketing, analytics, and enforcement of our Terms of Service Agreement and other agreements;
ii. Third parties in the event of a reorganization, merger, sale, debt financing of assets, joint venture, assignment, transfer, or other disposition of all or any portion of our business or assets (including in connection with any insolvency, bankruptcy, receivership, or similar proceeding);
iii. A ConvertKit subsidiary, affiliate, or business partner;
iv. Other users of the site to identify you to anyone to whom you send messages or make comments through the Services;
v. Persons or entities with whom you consent to have your Personal Data shared;
vi. Third parties in order to prevent damage to our property (tangible and intangible), for safety reasons, or to collect amounts owed to us;
vii. Merchants and payment processors; and
viii. Third parties as we believe necessary or appropriate, in any manner permitted under applicable law, including laws outside your country of residence to: comply with legal process; respond to requests from public and government authorities, including public and government authorities outside your country of residence; enforce our Terms of Service Agreement and other agreements; protect our operations; protect our rights, privacy, safety or property, and/or that of our affiliates, you, or others; and allow us to pursue available remedies or limit the damages that we may sustain.
We will never sell, rent, or lease your Personal Data to a third party.
b. Non-Personal Data. We may disclose Non-Personal Data for any purpose. Remember, Non-Personal Data cannot be used to identify you or another person.
a. Opting out of Receiving Electronic Communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link or by notifying us at email@example.com. We may still send you important messages regarding administrative matters, updates, disputes, and customer service issues that are required to provide you with the Services.
c. Web Beacons. When we send emails to Customers, we may use web beacons to track who opened the emails and clicked links to measure campaign performance and improve features for Customers. We also use web beacons in the emails we deliver for Customers to create reports about campaign performance and determine what actions Subscribers took.
6. DATA COLLECTED BY OUR CUSTOMERS
a. Our Relationship with Subscribers. Customers may import into the Services Personal Data they have collected from their Subscribers or other individuals. We have no direct relationship with Customers’ Subscribers or any individuals other than our Customers. Customers are responsible for making sure they have the necessary permissions for us to collect, store, and process Personal Data about Subscribers or other individuals.
A Subscriber should unsubscribe directly from a Customer’s newsletter or contact the Customer directly to change, update, or delete the Subscriber’s data. If a Subscriber contacts us, we will refer you to that Customer and support them in responding to your request if necessary.
7. PUBLIC DATA AND THIRD-PARTY SITES
a. Public Data. We may provide areas on the Services where you can publicly post information. This information may be read, collected, and used by anyone. We do not control or endorse the information posted by third-party users, are not liable for your or third-party posts to the Services, and specifically disclaim any liability resulting from such posts.
b. Third-Party Sites. Upon your consent, the Services may access third- party information through application interfaces. We may also provide links to third-party sites. When you click on links to third-party sites, you may leave the Services.
THIS POLICY DOES NOT COVER ANY COLLECTION, USE, OR DISCLOSURE BY THIRD PARTIES THROUGH ANY APPLICATIONS, WEBSITES, PRODUCTS, OR SERVICES THAT WE DO NOT CONTROL OR OWN, OR ANY THIRD-PARTY FEATURES OR SERVICES MADE AVAILABLE THROUGH THE SERVICES. BY USING THE SERVICES, YOU EXPRESSLY RELIEVE CONVERTKIT FROM ANY AND ALL LIABILITY ARISING FROM YOUR USE OF ANY THIRD-PARTY WEBSITE.
The inclusion of a link or accessibility of third-party sites does not imply endorsement of such third-party site by us. All trademarks, trade names, and logos of third parties featured on the Services belong to their respective owners.
8. DATA RETENTION
9. USERS UNDER 13 YEARS OF AGE
Our Services are not directed to and we do not knowingly collect Personal Data from children under the age of 13. If we become aware that a child under the age of 13 has provided us with Personal Data, we will take steps to remove such data. If you become aware that your child has provided us with Personal Data without your consent, please contact us at firstname.lastname@example.org. By using the Services, you are representing to us that you are not under the age of 13.
10. DATA SECURITY
We employ commercially reasonable security measures to protect your information; however, no system is impenetrable. If you create an account on the Services, you are responsible for protecting the security of your account, its content, and all activities that occur under the account or in connection with the Services. You must immediately notify ConvertKit of any unauthorized uses of your account or any other breaches of security by emailing us at email@example.com.
11. PRIVACY RIGHTS NOTICE TO CALIFORNIA RESIDENTS
The California Consumer Privacy Act (“CCPA”) provides California residents with specific rights regarding their Personal Data, including the right to request certain information from businesses subject to CCPA that collect Personal Data from you, the right to ask such businesses to delete Personal Data collected from you (subject to exceptions), the right to opt-out if a business sells your Personal Data, and the right of non-discrimination if you exercise any of these privacy rights.
ConvertKit acts as a “service provider” under CCPA when offering the Services to its Customers and our receipt and collection of any Personal Data is completed on behalf of our Customers in order for us to provide the Services. If you are a Subscriber of one of our Customers, please contact the Customer directly with your request for access or deletion under the CCPA. If you contact us, we will refer you to that Customer and support them in responding to your access or denial request if necessary.
If you exercise your rights under the CCPA, ConvertKit will not discriminate against you, deny, charge different prices for, or provide a different quality of the Services. If ConvertKit ever offers a financial incentive or product enhancement that is contingent upon you providing your Personal Data, we will not do so unless the benefits to you are reasonably related to the value of the Personal Data you provide to us. ConvertKit does not sell your Personal Data.
ConvertKit does offer a Data Processing Agreement for those Customers that are considered “businesses” under the CCPA and that process Personal Data on behalf of California residents. To request our Data Processing Agreement, please fill out this form.
12. EU-U.S. AND SWISS-U.S. PRIVACY SHIELD
ConvertKit complies with the EU-U.S. Privacy Shield Framework and the Swiss- U.S. Privacy Shield Framework (collectively, “Privacy Shield”), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union (“EU”), the United Kingdom, the European Economic Area (“EEA”), and Switzerland to the United States.
a. Accountability for Onward Transfer
ConvertKit is responsible for the processing of Personal Data we receive under each Privacy Shield Framework and subsequent transfer to a third party acting as an agent on our behalf. We comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EEA, United Kingdom, and Switzerland, including the onward transfer liability provisions.
In certain situations, we may need to disclose Personal Data in response to lawful requests by public authorities, including to meet national security and law enforcement requirements, or otherwise comply with the law or a court order.
We use reasonable and appropriate physical, electronic, and administrative safeguards to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and risks involved in processing that information.
c. Data Integrity and Purpose Limitation
We only collect Personal Data that is relevant for providing the Services. We process Personal Data in a way that is compatible with providing the Services or as otherwise authorized by you. We take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. We adhere to the Privacy Shield Principles for as long as we retain Personal Data.
d. Access to Personal Data
If you would like to review, correct, delete, or update personal data that you have previously disclosed to us, please email us at firstname.lastname@example.org. We may limit or deny access to Personal Data where providing such access is unreasonably burdensome, expensive, or as otherwise permitted by the Privacy Shield Principles.
We will assist our Customers in responding to EU/EEA, United Kingdom, and Swiss individuals exercising their rights under the Privacy Shield Principles.
If you are a Subscriber of one of our Customers, please contact the Customer directly with your request to access or limit the use or disclosure of your Personal Data. If you contact us, we will refer you to that Customer and support them in responding to your access request if necessary.
We need to retain certain information about you for legal and internal business reasons. We will retain your Personal Data for as long as necessary to provide you with the Services and as needed to comply with our legal obligations and enforce our agreements.
e. Recourse, Enforcement, and Dispute Resolution
If EU/EEA, United Kingdom, or Swiss individuals have questions or complaints about our compliance with the Privacy Shield Principles, please email us as email@example.com. If we do not resolve your complaint, you may contact JAMS, an independent third-party dispute resolution provider based in the United States, and they will investigate and assist you free of charge. A binding arbitration option may also be available to you in order to address unresolved complaints. More information about that is here. ConvertKit is subject to the investigatory and enforcement powers of the Federal Trade Commission.
f. Data Processing Agreement
ConvertKit offers a Data Processing Agreement for those Customers processing Personal Data on behalf of EU/EEA and Swiss individuals. To request our Data Processing Agreement, please fill out this form.
g. Notice and Choice
13. LEGAL BASIS FOR PROCESSING PERSONAL DATA
Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), ConvertKit generally acts as a processor on behalf of our Customers. When ConvertKit processes Personal Data as a data controller, we do so on the following legal bases:
a. To perform our contract with you for the use of the Services:
b. In reliance on our legitimate interests in administering, operating, and supporting the Services;
c. In reliance on our legitimate interests in providing certain features;
d. In reliance on our legitimate interests in enforcing our Terms of Service Agreement and applicable law;
e. In reliance on our legitimate interests in preventing fraud and abuse;
f. In reliance on our legitimate interests in meeting legal requirements;
g. In reliance on our legitimate interests in improving the Services;
h. In reliance on our legitimate interests in supporting our marketing activities;
i. In reliance on our legitimate interests in providing network and information security; and
j. You provided us your consent.
14. DO NOT TRACK DISCLOSURE
Currently, there is no industry standard for recognizing Do Not Track browser signals, so we do not respond to them.
16. CONTACT INFORMATION