Zingtree’s General Data Protection Regulation (GDPR) Information & Data Privacy Framework Certification Notice


Last updated: August 2023

This General Data Protection Regulation (GDPR) Information and Data Privacy Framework Certification Notice (the “Notice”) is meant to inform Zingtree’s customers, service providers, users, and employees (collectively, the “Data Subjects”) of their rights, and the measures taken by Zingtree to protect their information.

All capitalized terms used in this Notice and not defined herein shall have the meanings ascribed to them in the GDPR. If there is any conflict between the terms in this Notice and the GDPR, the GDPR shall govern.

I. What is GDPR?

The GDPR is a European Union (EU) regulation, which is designed to improve the data security and privacy of individuals in the European Economic Area (EEA). For more information on GDPR, please visit the EU Commission’s GDPR website. The Swiss new Act on Federal Data Protection (nFADP) is a similar body of law tailored to Swiss individuals. For information on the Swiss nFADP, please visit the Swiss Federal Data Protection and Information Commissioner’s (FDPIC) nFADP website. The UK Extension to the EU-U.S. Data Privacy Framework (UK Extension) allows certified entities to rely on the EU-U.S. Data Privacy Framework for transfers of Personal Data of individuals in the UK. For the purposes of this Notice, the term UK shall include Gibraltar where applicable. For more information on the UK Extension, please visit the Data Privacy Framework’s Frequently Asked Questions webpage.

Zingtree is self-certified under the EU-U.S. Data Privacy Framework (EU DPF), the Swiss-U.S. Data Privacy Framework (Swiss DPF), and the UK Extension (collectively, the “Frameworks”). As such, Zingtree is committed to adhering to the principles set forth in these Frameworks (the “DPF Principles”) with regard to the collection, use, and retention of Personal Data transferred from the EEA, Switzerland, and the UK, as applicable, to the United States. Data Subjects can view our certification status on the Data Privacy Framework Program List of certified entities. Additionally, for more information, Data Subjects can visit the DPF Program website or review Zingtree's Privacy Policy, which is binding on all customers and users.

Zingtree works diligently to ensure our product offerings and contractual commitments remain compliant with new standards. If there is any conflict between the terms in this notice and the DPF Principles, the DPF Principles shall govern. As the GDPR, nFADP, UK Extension, and DPF Principles are amended, adapted, or updated, Zingtree will update this Notice and any other affected policies, contracts, and practices.

II. Data Subject’s GDPR Rights

Depending on your location and subject to applicable law, you may have the following rights with regard to your Personal Data, for which Zingtree is a custodian (Please note: Under GDPR, nFADP, and UK Extension, Zingtree is considered a Processor and, therefore, will first notify the Controller associated with your Personal Data before acknowledging the possession of Personal Data):

  • Be Informed: The right to be informed about the collection and use of your Personal Data;
  • Request Access: The right to view and request a copy of that Personal Data;
  • Rectify Information: The right to request Zingtree rectify or update your Personal Data that is inaccurate, incomplete, or outdated;
  • Data Deletion: The right to request that Zingtree erase your Personal Data;
  • Data Restriction: The right to request that Zingtree restrict or suppress the processing of your Personal Data;
  • Data Portability: The right to request that Zingtree export your Personal Data to another company, where technically feasible, or provide it to you;
  • Withdraw Consent: The right to withdraw your previously granted consent to the processing of your Personal Data;
  • Objection: The right to object to the processing of your Personal Data; and
  • Automated Individual Decision-Making: The right to object to decisions being made with your Personal Data based solely on automated decision making or profiling.

III. GDPR Supplemental Information

Zingtree may disclose your information to third parties to provide services and for a variety of purposes (business, advertising, referral, etc.). Additionally, Zingtree may provide your information to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer. Zingtree will not share your information with third parties for a purpose that is materially different from the original purposes without your consent.

Zingtree is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). EEA, Swiss, and UK individuals have the right to invoke binding arbitration to determine whether a DPF-certified organization has violated its obligations under the DPF Principles.

Zingtree may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

Zingtree’s liability regarding the onward transfer of personal information to third parties shall be governed by the applicable mutually executed agreements and the collective Data Privacy Framework requirements.

IV. GDPR For Your Published Trees

When you create a decision tree using the Zingtree platform, and you have customers located in the EEA, Switzerland, or the UK, Zingtree suggests you adhere to the following general guidance:

  • Consent: If you are collecting any personal information using data entry fields (name, email, address, etc.), you are required to obtain consent first. We recommend using Zingtree's Require Confirmation feature to do this.
  • Breach notification policy: If we discover a data breach on our side, Zingtree will notify you as soon as possible or in accordance with the mutually executed agreement via your login email. It is your responsibility to notify any of your customers who may be affected.
  • Data Access: Individuals must have the right to request confirmation of whether you have their personal data, and this must be provided free of charge, in a format that is easily readable. If you are collecting personal data via Zingtree, you can use the Session List or Form Data reports to find, gather, and deliver this information.
  • Right to be Forgotten: If a customer asks to have their data erased, you can do this via the Session List Report, Session Details. Individual sessions can be erased, including their session transcript and any data collected.
  • Privacy by Design: Be judicious about what data you are collecting from the users of your trees. If it's not necessary, it's best to not ask.

Zingtree suggests you confer with your legal/privacy compliance resource for any specific guidance.

V. Zingtree Infrastructure (U.S. and EU Data centers)

Zingtree has established data center operations in both the US East (N. Virginia) and Europe (Ireland) AWS Regions. Thus, Zingtree can host a customer’s data in either location. Also, Zingtree will execute the requisite data protection agreements, as applicable.

VI. Zingtree Security And Privacy Program

Zingtree highly values the security and privacy of Personal Data, and is committed to proactively ensuring the confidentiality and integrity of all Personal Data, while also providing Data Subjects with access to that information. Consequently, Zingtree has designed its platform with security and privacy concerns at the forefront, rather than in the background. Zingtree’s security and privacy program is designed not just to satisfy compliance standards, but to go beyond them and embrace industry “best practices.”

Zingtree has implemented a wide array of security controls to ensure we meet and/or exceed multiple security compliance standards. Specifically, Zingtree has been awarded its SOC2/Type2 and HIPAA third-party compliance attestation. To supplement its security compliance program, Zingtree has adopted the National Institute of Standards and Technology’s (NIST) risk management framework (RMF) and the associated security policies and controls, as presented in its SP 800-53, r5. For details on Zingtree’s Security Program, please refer to Zingtree's Security Program.

VII. Data Processing Agreement

If you require a customized Data Processing Agreement with Standard Contractual Clauses, either send us your own copy, or download and complete this Word document, and send it to Zingtree for signature.

VIII. Complaints And Enforcement

In compliance with the DPF Principles, Zingtree is committed to resolving complaints about our collection or use of your Personal Data. EEA, Swiss, and UK individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Zingtree at privacy@zingtree.com.

Zingtree has further committed to cooperate with the panel established by the EU Commission, the Swiss FDPIC, and the UK Information Commissioner’s Office with regard to fully or partially unresolved complaints concerning data transferred from the EEA, Switzerland, and the UK.

IX. Contact Us

If you have any questions about Zingtree’s GDPR, nFADP, UK Extension, or DPF compliance and/or would like to request a list of our sub-processors, please send an email to privacy@zingtree.com or contact us at:

Zingtree Inc.
Attn: Security & Privacy Officer

700 Larkspur Landing Circle, Suite 199
Larkspur, CA 94939