Last revised: September 14, 2023
Your privacy is important to Koncert. We are committed to ongoing compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the California Consumer Privacy Act (CCPA).
EU-U.S. DPF: Controller vs Processor
Under the EU-U.S. DPF, an organization that determines the purposes and means of processing personal data is considered a “controller” of data, and an organization that handles the data (on behalf of a controller) is considered a “processor”. Any organization that is a controller or processor or an organization that monitors the behavior of EU residents is required to comply with the EU-U.S. DPF.
Most of Koncert’s customers fall into the “controller” category since they are collecting and using personal data about their prospects. Koncert falls under the “processor” category since we handle our customers’ data, and we are therefore required to treat our customers’ data in compliance with EU-U.S. DPF regulations.
Applications: Our Sales Engagement Software platform comprising the various products listed in the “Product” section of our website at koncert.com (referred to as the “Koncert Public Site”)
Customer: Our customer with whom we have entered into an agreement to provide the Services
Digital Properties: The Koncert Public Site, each Koncert Private Site, and the Applications within an Integrated CRM Solution on a CRM Partner Site
Integrated CRM Solution: Those CRM solutions designated on the Koncert Public Site with which we have integrated one or more of our Applications
Integrated Email Solution: Those email solutions (such as Gmail and Office 365) with which Koncert has integrated one or more of our Applications
Services: The various software as a service (SaaS) offerings that we make available to our Customers for their authorized users’ access to and use of the Applications online through a password-protected, customer-specific site that we make available (a “Koncert Private Site”). In addition to the Koncert Private Site, a Customer may have elected in its agreement with Koncert to enable (i) Koncert’s integration with an Integrated CRM Solution, (ii) Koncert’s integration with an Integrated Email Solution, and (iii) access to certain Applications from within an Integrated CRM Solution (a “CRM Partner Site”).
Information that we collect and how we use that information
(a) Information we collect from the Koncert Public Site
Voluntarily Provided Information. We collect the following Voluntarily Provided Information on the Koncert Public Site from our various web submission forms: Your first name, your last name, your company name, the state or region of your location, your email address, your phone number, your comments to us, your LinkedIn address, our products that you indicate you are interested in learning more information about, and the CRM type that you indicate you are using.
These web submission forms on the Koncert Public Site include, but are not limited to: demo requests, datasheet requests, contact requests, survey requests, and job application requests. Koncert may use your Voluntarily Provided Information to contact you about our products and services or about job opportunities at Koncert, depending on the nature of your inquiry to Koncert.
We will never provide nor sell your Voluntarily Provided Information to third party product or service providers to market their products and services to you.
You may opt out of Koncert using your Voluntarily Provided Information by contacting us at firstname.lastname@example.org. Within ten (10) days after our receipt of your opt out request, we will delete your Voluntarily Provided Information in our possession or control and cease any further attempt to contact you about our products and services or job opportunities at Koncert.
(b) Information that we collect from the Digital Properties
With respect to each active Customer, we logically partition and store the Customer’s information using a customer identifier and that information is accessible through a Koncert Private Site that is specific to that Customer.
Following are the types of information (collectively referred to as the “Customer Provided Information”) that we collect on the Koncert Private Site: (i) the Customer’s account information such as the Customer’s name, mailing address, website address, and phone number; (ii) name, email address, and mailing address for each of the Customer’s principal contacts; (iii) name, username, and password specific to the Koncert Private Site, along with job title, organization department, phone number, and email address for each Customer’s authorized user for the Koncert Private Site; (iv) Customer prospect information to enable use of our Services which includes, but is not limited to: account name, contact name, title, phone number, and email address; (v) metadata relating to communication with Customer prospect via one or more modes of communication (for example call, email, etc.) initiated through the Applications; and (vi) information necessary to enable integration of an Application with Customer’s designated Integrated CRM Solution, if any.
With respect to our Customers who enable integration of an Application with an Integrated Email Solution, each Customer user may configure the connectivity between Koncert Private Site and the Integrated Email Solution.
The following limitations are applicable to the integration with an Integrated Email Solution:
- Allowed Use: Koncert will use restricted scope data to provide or improve user-facing features that are prominent from the requesting Application's user interface. It will be clear to Customer users why and how Koncert will use the restricted scope data they've chosen to share with us.
- Allowed Transfer: Koncert will only transfer restricted scope data to others if that transfer is (a) to comply with applicable laws, or (b) a part of a merger, acquisition or sale of assets of Koncert. Except in the foregoing situations, no other transfers or sales of user data will be performed by Koncert.
- Prohibited Advertising: Koncert will never use or transfer restricted scope data to serve advertisements to Customer users. This includes personalized, re-targeted, and interest-based advertising.
- Prohibited Human Interaction: Koncert will not allow humans to read restricted scope user data. For example, Koncert will not allow its employees to read through a user's emails. There are four limited exceptions to this rule: (a) Koncert obtains a user's consent to read specific messages (for example, for tech support), (b) it's necessary for security purposes (for example, investigating abuse), (c) to comply with applicable laws, and (d) Koncert aggregates and anonymizes the data and only uses it for internal operations (for example, reporting aggregate statistics in an internal dashboard or improving the Services).
During the term of each Customer’s agreement with Koncert, our Customer can modify, delete and export its Customer Provided Information stored in the Applications. After the end of the term of Koncert’s agreement with its Customer, Koncert will continue to maintain the Customer Provided Information until the earlier of (i) 30 days after the agreement term, or (ii) within 10 days after Customer’s authorized representative has directed Koncert to delete all Customer Provided Information. Koncert does not collect or store login passwords for Integrated CRM Solutions if single sign-on features are used in the integration of the Applications with an Integrated CRM Solution.
We only retain and use a Customer’s Customer Provided Information to provide that Customer the Services that the Customer has entered into an agreement with Koncert to provide, and as described in the “Other disclosures” section below.
Google API Services - Usage Disclosure
Koncert's use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.
(c) Site usage information that we collect on our Digital Properties
With respect to our Customers, we require each Customer’s authorized users to log in to the Applications to use our Services. We monitor and collect certain usage information in connection with the use of our Services. For example, we track the computer or other device that an authorized user is logging in from, the Applications and Services that are used by the authorized user, and other usage data such as the date and time the Applications and Services were used.
Cookies: When you visit our Digital Properties, we send one or more “cookies” to your computer or other devices. Cookies are alphanumeric identifiers stored on your computer or device through your web browser and are used by most websites to help personalize your web experience. Some cookies may facilitate additional site features for enhanced performance and functionality such as remembering preferences, allowing social interactions, analyzing usage for site optimization, providing custom content and serving images or videos from third party websites. Some features on our Digital Properties will not function if you do not allow cookies. We may link the information we store in cookies to any Voluntarily Provided Information or Customer Provided Information that you submit while on any of our Digital Properties. We use both session ID cookies and persistent cookies. A session ID cookie expires when you close your browser, while a persistent cookie remains on your hard drive for an extended period. Persistent cookies enable us to track and target the interests of our users to enhance their experience on our Digital Properties. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file. Functional cookies, both persistent and session, store information to enable core site functionality, such as Live Chat and login credential remembrance. Analytics cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our Digital Properties and our marketing campaigns. If you reject cookies, you may still use the Digital Property pertaining to the deleted cookie, but some features on that site will not function properly.
Web Beacons: We use Web Beacons alone or in conjunction with cookies to compile information about our Digital Properties. A Web Beacon is a tiny graphic object that is embedded in a web page or email and is usually invisible to the user but allows checking that a user has viewed the page or email. Web Beacons may be used within the Digital Properties to track email open rates, web page visits, or form submissions. In some cases, we tie the information gathered by Web Beacons to the Voluntarily Provided Information or the Customer Provided Information. For example, we use clear gifs in our HTML emails to let us know which emails have been opened by potential respondents. This allows us to gauge the effectiveness of certain communications and the effectiveness of our services.
Analytics Software: We and our third-party tracking-utility partners use log files on the Koncert Public Site to gather certain information automatically and store it for analytical purposes. This information includes internet protocol (“IP”) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to track and aggregate non-personally identifiable information to analyze trends, administer our Digital Properties, track users’ movements around our Digital Properties, and to gather demographic information about our user base in the aggregate.
Social Media Features and Widgets: The Koncert Public Site includes social media features such as Twitter and LinkedIn. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social Media Features and widgets are either hosted by a third party or hosted directly on our Digital Properties. Your interactions with these Features are governed by the policy of the company providing them. We do not enable social media features on the Koncert Private Site or the CRM Partner Site unless the Customer enables such social media features on its Koncert Private Site or the CRM Partner Site.
"Do not track" and similar mechanisms: Some web browsers may transmit "do not track" signals to the websites with which the browser communicates. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they are even aware of them. Participants in the leading Internet standards-setting organization that is addressing this issue are in the process of determining what, if anything, websites should do when they receive such signals. Koncert currently does not take action in response to these signals. If and when a final standard is established and accepted, we will reassess how to respond to these signals.
We will take reasonable precautions to prevent the loss, misuse or alteration of your personal information. Data transmission over the Internet is inherently insecure and we cannot guarantee the security of data sent over the Internet. Koncert requires the use of Secure Sockets Layer (SSL) encryption while utilizing our Services, which ensures that our Customer’s data is encrypted during the transmission between a Customer’s authorized user’s browser and Koncert’s servers. Data encryption mitigates the risk that unauthorized changes are made to the data during transmission and mitigates the risk that the data will be viewed during transmission by any unauthorized party. Each Customer’s data set in our possession or control is logically partitioned using a customer identifier and stored in our data center. Each Customer’s authorized user is responsible for keeping his or her password to our Applications confidential. In the case of integration with an Integrated CRM Solution using single sign-on, we will not ask you for your passwords.
Third party websites
The Koncert Public Site may contain links to other websites. We are not responsible for the privacy policies of third-party websites or such site operators’ actions including the collection or use of your personal information.
Accountability for Onward Transfers
Koncert uses a limited number of third-party service providers to assist us in providing our Services to Customers. These third-party providers assist with the transmission of data, provide data storage services, and assist with certain call handling features that require manual intervention (“Call Handlers”). Call Handlers only receive temporary encrypted remote access to a small subset of Customer Provided Information necessary to perform their services, and Customer Provided Information is not stored on Call Handler computers or devices. Koncert’s data transmission and data storage service providers all certify compliance with the EU-U.S. DPF and are restricted from direct access to Voluntarily Provided Information and Customer Provided Information. If necessary, these service providers may be granted access to such information, but only to the extent necessary to permit them to perform their contracted services, and they are bound by confidentiality agreements and are restricted from using the information for other purposes.
Access and "right to be forgotten"
EU-U.S. DPF provides EU residents the “right to be forgotten” by controllers and processors and CCPA provides California residents with the right to have their records deleted. If an individual data subject requests their data to be removed, controllers are responsible for deleting the data from their systems and ensuring processors delete data as well. Upon request to email@example.com, Koncert will grant individuals in the EU and California reasonable access to their personal information in Koncert’s possession or control and allow the individual to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. In this regard, Koncert depends on its Customers to update and correct personal information to the extent necessary for the purposes for which the information was collected or subsequently authorized by the individuals. Individual data subjects and Koncert customers may contact Koncert as indicated below to request that Koncert update or correct or delete relevant personal information.
Data Protection Officer (DPO)
If a privacy complaint or dispute relating to Personal Data received by Koncert in reliance on the Data Privacy Framework (or any of its predecessors) cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure. Subject to the terms of the VeraSafe Data Privacy Framework Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Data Privacy Framework Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If a complaint or dispute cannot be resolved through our internal process, we have also agreed to cooperate with the EU data protection authorities and to participate in the dispute resolution procedures of the panel established by such data protection authorities.
EU-U.S. Data Privacy Framework
Koncert processes data submitted by our Customers for the purpose of us providing our Services to our Customers. To fulfill these purposes, Koncert may access the data to provide the Services, to correct and address technical or service problems, or to follow instructions of our Customer who submitted the data, or in response to contractual requirements.
Koncert’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework and subsequently transfers to a third party is described in the EU-U.S. Data Privacy Framework Principles. In particular, Koncert remains responsible and liable under the EU-U.S. Data Privacy Framework Principles if third-party agents that we engage to process personal information on our behalf do so in a manner inconsistent with the EU-U.S. Data Privacy Framework Principles, unless we prove that we are not responsible for the event giving rise to the damage.
EU residents have rights to access personal data about them, and to limit the use and disclosure of their personal data. With our EU-U.S. Data Privacy Framework certification, Koncert has committed to respect those rights. Because Koncert personnel have limited ability to access data our Customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Koncert Customer who submitted your data to our Services. We will refer your request to that Customer and will support them as needed in responding to your request.
In addition, Koncert provides individuals with certain choices regarding how we use and disclose personal information we receive under the EU-U.S. Data Privacy Framework. First, if Koncert uses your personal information for a materially different purpose than that for which it was originally collected or discloses your personal information to a third party (other than third party providers acting on our behalf), we will first provide you with a clear, conspicuous, and readily available mechanism to opt-out of any such use or disclosure (for example, by sending you an email seeking your consent). If you have any questions about your choices regarding how we use and disclose your personal information, or how to exercise these choices, please contact us according to the “Contact” section above.