Privacy Policy | Movable Ink (original) (raw)

Effective Date: August 9, 2024

This is the Privacy Policy for Movable, Inc. (“Movable Ink”) and its affiliates. It covers our handling of two categories of information:

Personal data we handle for our customers (“Service Data”). We collect this data through our Movable Ink platform, our Moments, Stories, Movable Ink Da Vinci and Builder services, additional Movable Ink products, and related training, support, consulting and professional services. We refer to all of these offerings as the “Services.” Under applicable law, Movable Ink is considered a “processor” of this data, and our customer (or our customer’s customer) is the “controller” of the data.
Personal data we handle for our own business (“Business Data”), other than for our own human resources activities. This includes certain data collected on our own website, such as newsletter signup forms, as well as data collected through other marketing-related efforts. Under applicable law, Movable Ink is a “controller” of this data.

This Privacy Policy has details specific to Service Data, details specific to Business Data, and information relevant to our handling of both kinds of data.

1. Privacy Practices Specific to Service Data

Types of Service Data

We receive limited information from or on behalf of our customers when they use the Services. This information may include:

Unique User ID (which may be an email address, though this is not required);
IP address;
User-agent from the HTTP header of a request for an image in an email or other communication;
Details about the user’s interaction with an email, mobile message or other communication that contains our technology;
Cookie identifiers;
Website or app behavior, including URLs associated with a consumer’s navigation of our client’s website or app;
Images and other content;
Data described in the Cookies and Automated Data Collection section below; and
Any other data that our clients choose to transmit to us (or have us collect on their behalf) to provide the Services. Depending on the service, this may include:
- Transaction history (e.g., goods or services purchased from the client, date, price, sales channel);
- Customer-level segmentation information (e.g., category affinity scores, gender)

Uses of Service Data

Subject to our contractual obligations, and depending on the particular Services, we use the information described above as follows:

To provide the Services, including to:
- allow clients to customize, personalize, optimize, target and automate marketing and other communications campaigns through various channels, including mobile messages, email, websites or apps, as applicable (for example, in the context of providing service to a shoe brand, we may do this by creating interest-based categories for that brand based on your interactions with that brand, such as an interest in particular kinds of women’s shoes, and we may use cookies and similar technologies to “remember” you in order to help tailor more relevant ads and communications to you for that brand);
- provide data and feedback to our clients in connection with the provision of our Services;
- facilitate and improve the Services, which may include analyzing usage trends, tracking the types of questions we receive and providing support to our clients and visitors to our websites;
To enforce the legal terms that govern the Services;
To comply with law and protect rights, safety and property; and
For other purposes requested or permitted by our customers or users.

Disclosures of Service Data

Subject to our contractual obligations, and depending on the particular Services, we disclose the information described above as follows:

To provide the Services;
To enforce the legal terms that govern the Services and our business;
To comply with law, and where we deem disclosure appropriate to protect rights, safety and property (for example, for national security or law enforcement);
As part of a business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization; or
For other purposes requested or permitted by our customers or users.

For those purposes, we may disclose information to our affiliates and other entities that help us with or who are involved with any of the above.

Personal Data Rights and Choices

To exercise any rights you may have under privacy or data protection laws relating to Service Data, you should contact the Movable Ink customer on whose behalf we process the Service Data. If instead you contact us and identify the relevant customer, we may refer the request to the relevant customer and cooperate with their handling of the request, subject to any special contractual arrangement with that customer.

2. Privacy Practices Specific to Business Data

Types of Business Data

We collect:

Identifiers, e.g., name, email address, phone number, and IP address;
Professional or employment-related information, e.g., your title and the name of your employer;
Commercial information, e.g., your purchasing history;
Financial information, e.g., payment information;
Communications, e.g., responses to polls or surveys, questions, comments, or requests you send us;
Audio or video information, such recordings of meetings;
Internet or other electronic network activity information, e.g., browsing history, search history, and interactions with our emails and digital platforms (including, but not limited to, whether you open our emails) and third party websites and applications, and details about your browser, device, and internet connection, all as further detailed in Section 3 of this Privacy Policy; and
Inferences we generate from the Personal Data described above.

Uses of Business Data

Movable Ink uses Business Data as follows:

To manage our customer relationships and deliver our services;
To send you information about our products and services, including marketing communications;
To respond to your questions, concerns, or customer service inquiries;
To analyze market conditions and use of our services;
To customize the content and advertising you see on our website, across the Internet, and elsewhere;
To create anonymized, de-identified, or aggregated data, which we may use and disclose without any limitation;
To enforce the legal terms that govern our business and online properties;
To comply with law and protect rights, safety and property (for example, making disclosures that we believe are required or otherwise appropriate for national security or law enforcement);
As part of an actual or potential business sale, merger, consolidation, change in control, transfer of substantial assets or reorganization; and
For other purposes requested or permitted by our customers or users.

As part of a few of these uses of Business Data, during the 12 months leading up to the effective date of this Privacy Policy, we may have “sold” and “shared” (as those terms are narrowly defined under the California Consumer Privacy Act (“CCPA”)) California residents’ internet or electronic network activity (like a record of a browser’s visit to our website) and identifiers (like IP addresses) to marketing and advertising services to assist with such activities. This practice continues today. We do not “sell” or “share” personal data (as those terms are defined under the CCPA) if we have actual knowledge that the consumer is less than 16 years of age. California residents who wish to exercise a CCPA right to opt out of our “selling” or “sharing” of their California personal data can visit our Your Privacy Choices page.

Retention of Business Data

We plan to hold your information until we determine that we no longer need it to fulfill the purposes set forth in this Privacy Policy and are not legally required to retain it for longer. Because we may collect and use the same category of personal data for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of personal data. Also, our specific retention practices may vary by jurisdiction. For example, the chart below lists the categories of California personal data we collected about California residents in the last 12 months, along with examples of how long we typically would intend to retain those types of personal data in the particular situations described below. However, these are not necessarily the only retention periods applicable to California personal data, and data about residents of other states and countries may be handled differently.

Category of personal data regarding California residents	Examples of how long we normally plan to keep this information
Identifiers	If we collect an individual’s email when they sign up for marketing emails, we plan to retain it until they unsubscribe from those emails, and then indefinitely after that to comply with their unsubscribe request.
Professional or employment-related information	If we collect this information about an individual in the context of a request for marketing materials, we typically retain it as described in the row above.
Commercial information	We may retain information on a person’s interest in our products for up to three years after their or their organization’s last contact with us
Financial information	We retain payment information associated with a transaction for seven years after the transaction
Communications	Because communications could contain any type of record and pertain to any type of matter, retention periods vary.
Audio or video information	If a customer leaves us a voicemail, we typically dispose of it shortly after receiving it and responding to it.
Internet or other electronic network activity information	We retain logs associated with account logins from California IP addresses on our own platform for several years for account authentication, fraud detection, and other security purposes.
Inferences derived from other personal data	We typically retain inferences for the same period of time for which we retain the underlying data

Disclosures of Business Data

For those purposes, we may disclose information to our affiliates and other entities that help us with or are otherwise involved with any of the above. For example, we may disclose Business Data:

To our corporate affiliates: We may disclose Personal Data to any subsidiaries, parent companies, or other affiliated entities.
To service providers and other vendors: We may disclose Personal Data to service providers that help us with our business, such as companies involved with website hosting, payment processing, information technology, security, advertising, analytics, and marketing.
To customers and other counterparties.
For legal issues: We may disclose Personal Data to legal authorities and others where such disclosure is permitted or necessary to comply with or address applicable laws, regulations, or legal process. For example, we may disclose Personal Data to law enforcement or a government authority when we determine this is appropriate in response to a search warrant or other inquiry or order, or to investigate breach of an agreement, legal violations, or potential fraud. We may also disclose Personal Data where we think that our rights or the rights of our users or others are at risk.
In connection with business transfers: We may disclose Personal Data to any successor to all or part of our business and as part of, or as reasonably necessary to, proceed with a prospective or completed transfer of business assets (e.g., due to a merger, acquisition, or bankruptcy proceeding).
Other cases: We may disclose Personal Data in other situations, and we will obtain your consent for such disclosures where legally required.

Sources of Business Data

We obtain Business Data directly from the relevant individuals, and also from third-party sources, such as their employers, marketing or lead generation companies, data brokers, and social networking platforms (e.g., LinkedIn).

Legal Basis for Processing Business Data

The laws in some jurisdictions require companies to tell you about the legal ground they rely on to use or disclose your personal data. To the extent those laws apply, our legal grounds for processing Business Data are as follows:

Legitimate interests: In many cases, we handle personal data on the ground that it furthers our legitimate interests in commercial activities such as the following in ways that are not overridden by the interests or fundamental rights and freedoms of the affected individuals:
- Customer service
- Marketing
- Protecting our customers, personnel and property
- Analyzing and improving our business
- Managing legal issues
We may also process personal data for the same legitimate interests of our customers and business partners.
Consent: Where required by law, and in some other cases, we handle personal data on the basis of consent.
To honor our contractual commitments to you: Some of our processing of personal data is to meet our contractual obligations to our customers, or to take steps at customers’ request in anticipation of entering into a contract with them.
Legal compliance: We need to use and disclose personal data in certain ways to comply with our legal obligations.

We process Service Data pursuant to our contracts with our customers and applicable law.

Personal Data Rights and Choices (including Direct Marketing Opt-Out)

You may be able to review and update certain user information in our Business Data by logging in to the relevant portions of the Movable Ink website. You can unsubscribe from Movable Ink’s own marketing emails by clicking the "unsubscribe" link they contain. Controls related to third-party cookies and other automated data collection are described in the Cookies and Automated Data Collection section below.

Residents of the European Economic Area, United Kingdom, Switzerland and certain other and many other jurisdictions have certain legal rights (including, in certain cases, under the EU-U.S. Framework and, as they receive authorization from the appropriate Swiss and UK authorities, the Swiss-U.S. Data Privacy Framework and the UK extension to the EU-U.S. Data Privacy Framework (together, the “Data Privacy Framework”)) to obtain confirmation of whether we hold personal data about them as part of our Business Data, to access any such personal data we hold about them, and to obtain its correction, update, amendment, or deletion in appropriate circumstances. In limited cases, they have the right to receive information we hold about them in portable form and to have it transmitted to a third party.

They also have rights to object to our handling of their personal data, to restrict its processing, and to withdraw any consent they have provided. For example, such individuals have a right to opt out of our processing of Business Data for direct marketing purposes.

Many of the rights described here are subject to significant limitations and exceptions under the Data Privacy Frameworks and applicable law. For example, objections to the processing of personal data, and withdrawals of consent, typically will not have retroactive effect.

To exercise those rights for Business Data, they may submit a request here or contact us as described at the end of this Privacy Policy.

For Service Data (which we process on behalf of our customer), you should contact the customer directly. If instead you contact us and identify the relevant customer, we may refer the request to the relevant customer and cooperate with their handling of the request, subject to any special contractual arrangement with that customer.

Additional detail for California residents

This subsection applies only to “personal information” about California residents, as that term is defined in the CCPA, and it supplements the information in the rest of our Privacy Policy. Data about individuals who are not residents of California is handled differently and is not subject to the same California rights described below. This section does not apply to Service Data, even when such data is about a California resident. It also does not apply to publicly available information or other data that is exempt from the CCPA.

During the 12 months leading up to the effective date of this Privacy Policy, we made the following disclosures of personal information about Californians for the purposes described in the “How We Disclose Personal Data” section above:

Category of personal information	Category(ies) of entities to which the personal information was disclosed
Identifiers, e.g., name, email address, phone number, and IP address	Affiliates, vendors and service providers (e.g., provide us with data management services, manage our digital platforms, or manage our communications and perform market research for us), marketing partners, customers and other counterparties, and entities involved in legal matters.
Professional or employment-related information	Same as first row.
Commercial information	Same as first row.
Financial information	Affiliates and vendors.
Communications	Same as first row.
Audio or video information	Affiliates, vendors and service providers.
Internet or other electronic network activity information	Same as first row.
Inferences derived from other personal data	Same as first row.

‍

CCPA privacy rights

If you are a California resident, California law may permit you to request that we:

Inform you about the categories of personal information we have collected about you in the last twelve months; the categories of sources of such information; the business or commercial purpose for collecting or selling your personal information; and the categories of third parties to whom we disclosed personal information, and more specific information about what categories of personal information were “sold,” “shared,” or disclosed to particular categories of third parties, similar to the detail in the sections of this Privacy Policy above.
Provide access to and/or a copy of certain information we have about you.
Delete certain information we have about you.
Correct certain information we have about you.

Certain information is exempt from such requests under applicable law. For example, if we need certain information to continue providing Services to you that you request, we may reject a request to delete such information while providing the Services to you.

You also may have the right to receive information about the financial incentives that we offer to you (if any).

To request to exercise those CCPA rights and receive the fastest response, please click here. Alternatively, you can make your CCPA request via voicemail at the following number: 1-800-270-6033.

To exercise your CCPA right to opt out of what the CCPA calls “sales” or “sharing” of personal data, call that number or visit our Your Privacy Choices / Do Not Sell/Share pages. Your browser may also offer a way to activate the Global Privacy Control signal (“GPC”). Our websites each treat qualifying browsers for which the user has activated the GPC signal as having opted out of what CCPA calls a “sale” or “sharing” of any California personal information that is collected on that site from that browser using cookies and similar technology. You can override that treatment for a GPC-enabled browser by using the cookie controls available from the website’s footer to opt into particular categories of cookies from that browser. In that case, “sales” and “sharing” via cookies and similar technology in those categories may resume on that browser.

We may take reasonable steps to verify your identity before responding to your request, which may include, depending on the sensitivity of the information involved, the nature of our relationship with you, and the type of request you are making, verifying your name, email address, and other information regarding your use of our Services.

You can designate an authorized agent to make a CCPA request on your behalf. To do so, we must receive a legally sufficient power of attorney signed by you or other written authorization acceptable to us for the agent to act on your behalf. You may still need to verify your identity and confirm the agent’s authority directly with us if we are not convinced of the validity of the agent’s request. For security and legal reasons, Movable Ink will not accept requests that require us to access third-party websites or services.

Because opt-out requests for “sales” and “sharing” made through cookies and similar technologies must be performed from each browser that is used to access our services, it is easiest for the consumer to perform such opt-outs themselves. However, if you wish for an agent to perform browser-based requests on your behalf, you may arrange for the agent to your consumer’s browser to make such requests, but you may not share your login credentials or logged-in access to our websites with an agent or any other third party. We are not responsible for the security risks of giving an agent browser access or any other arrangements that you may have with an agent.

You have a right not to receive “discriminatory treatment” (within the meaning of the CCPA) for the exercise of CCPA privacy rights.

3. Additional Information About Our Privacy Practices (applicable to both Service Data and Business Data)

Data Security

To provide security for Service Data, we maintain physical, organizational and technical safeguards, which are subject to periodic changes. We use different safeguards to help secure Business Data.

Cookies and Automated Data Collection

In our websites, apps and emails, we and third parties may collect certain information by automated means such as cookies, Web beacons, JavaScript and mobile device functionality. This information may include unique browser identifiers, IP address, browser and operating system information, geolocation, other device information, Internet connection information, as well as details about individuals’ interactions with apps, websites and emails (for example, the URL of the third-party website from which you came, the pages on our website that you visit, and the links you click on in our websites).

We and third parties may use automated means to read or write information on users’ devices, such as in various types of cookies.

Cookies are files that contain data, such as unique identifiers, that we or a third party may transfer to or read from a user’s device for the purposes described in this Privacy Policy, such as recognizing the device, service provision, record-keeping, analytics and marketing, depending on the context of collection.

You may be able to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. However, if you block or otherwise reject certain cookies, JavaScript or other technologies, certain websites (including our own websites) may not function properly.

These technologies help us (a) keep track of whether you are signed in or have previously signed in so that we can display all the features that are available to you; (b) remember your settings on the pages you visit, so that we can display your preferred content the next time you visit; (c) display personalize content; (d) perform analytics, and measure traffic and usage trends, and better understand the demographics of our users; (e) diagnose and fix technology problems; and (f) otherwise plan for and enhance our business.

Also, in some cases (not when providing our Services), we arrange for the collection of information by advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users ads that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we or they know, infer or have collected from the users. For example, we and these providers may use different types of cookies, other automated technology, and data (a) to recognize users and their devices; (b) to inform, optimize, and serve ads; and (c) to report on our ad impressions, other uses of ad services, and interactions with these ad impressions and ad services (including how they are related to visits to specific sites or apps).

To learn more about interest-based advertising generally, including how to opt out from the targeting of interest-based ads by some of our current ad service partners, visit aboutads.info/choices from each of your browsers and devices. You can opt out of Google Analytics and customize the Google Display Network ads by visiting the Google Ads Settings page. Google also allows you to install a Google Analytics Opt-out Browser Add-on for your browser. Because your cookies preferences described in this privacy policy may be stored in a cookie, if you replace, change or upgrade your browser, delete your cookies, or use a browser that automatically expires or deletes cookies, you may need to use these opt-out tools again. We do not respond to browser-based “Do-Not-Track” signals.

Please visit your mobile device manufacturer's website (or the website for its operating system) for instructions on any additional privacy controls in your mobile operating system, such as privacy settings for device identifiers and geolocation.

International Data Transfers

We are based in the United States, and recipients of the data disclosures described in this Privacy Policy are located in the United States and elsewhere in the world, including where privacy and data protection laws may not provide as much protection as the country in which you are located. Movable Ink complies with legal requirements for cross-border data protection, including through the use of European Commission-approved Standard Contractual Clauses.

Movable Ink complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Movable Ink has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Movable Ink has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Movable Ink's commitments under the DPF Program are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

When Movable Ink receives personal data under the Data Privacy Framework and then transfers it to a third-party service provider acting as an agent on Movable Ink’s behalf, Movable Ink may have certain responsibility under the Data Privacy Framework if both (a) the agent processes the information in a manner inconsistent with the Data Privacy Framework and (b) Movable Ink is responsible for the event giving rise to the damage.

Covered European residents should direct any questions, concerns or complaints regarding Movable Ink’s compliance with the Data Privacy Framework to Movable Ink as described at the bottom of this Privacy Policy. Movable Ink will attempt to answer your questions and satisfy your concerns in a timely and complete manner as soon as possible. If, after discussing the matter with Movable Ink, your issue or complaint is not resolved, Movable Ink has agreed to participate in the Data Privacy Framework independent dispute resolution mechanism operated by JAMS, free of charge to you. You can file a complaint with JAMS here: https://www.jamsadr.com/DPF-Dispute-Resolution. Please contact Movable Ink first. Every individual also has a right to lodge a complaint with the relevant supervisory authority, regardless of whether Data Privacy Framework applies.

If after following all of the steps above, your complaint still is not resolved, under limited circumstances, an additional binding arbitration option may be available before a Data Privacy Framework panel, as described at https://www.dataprivacyframework.gov/s/.

Please note that Movable Ink’s customers may transfer personal data to Movable Ink on the basis of other legal mechanisms approved by the European Commission and other relevant authorities for cross-border data transfers, such as Standard Contractual Clauses. To exercise any legal right to see copies of the data transfer mechanism documents that Movable Ink uses to transfer data to third parties, please contact us. Please also note that the European Data Protection Board has determined that when an individual in the EU directly provides personal data about themselves to a recipient in a third country such as the United States (such as by visiting a U.S. company’s website and submitting personal information to it), this is not a “transfer” within the meaning of the EU General Data Protection Regulation (“GDPR”), and accordingly our Data Privacy Framework certification will not apply to such transmissions of information to us.

Notification of Changes

Movable Ink may change this Privacy Policy to reflect changes in the law, our data handling practices or the features of our business. The updated Privacy Policy will be posted on movableink.com.

Contact Information

If you have questions regarding our practices or this Privacy Policy, or to send us requests or complaints relating to personal data, please contact us:

Movable, Inc.
Attention: Legal Department
841 Broadway, 3rd Floor
New York, NY, 10003
privacy@movableink.com

Movable, Inc.
Attention: Legal Department
Kings Place, Level 7 90 York Way
London N1 9AG, United Kingdom
privacy@movableink.com

For requests relating to Service Data (personal data that we process on behalf of a customer), please contact that customer directly.