Last Updated August 21, 2018
Extole, Inc. ("Extole", "us" or "we") offers a referral, advocacy, and analytics platform enabling brands (our "Clients")--whether those brands use websites or "apps," and across different types of devices--to allow their end users’ ("Users") to share, refer, and engage on those website and devices with content, and to derive additional insights into how their Users experience the brand. Extole recognizes and believes that data privacy is important to all Internet users, and therefore we design and operate our services in a privacy-first manner.
- Collection and Use of Information from Our Services: This section explains how information is collected about our Clients’ Users, and used, by Extole in connection with the provision of our products and services (the "Extole Services" or the "Services").
- Collection and Use of Information from Our Website: This section explains how information is collected and used by us from our website visitors through our website located at www.extole.com (the "Website"), which includes the dashboard provided to our Clients located at my.extole.com. If you are a Client using our Extole dashboard, this section applies to the data we collect from you.
Collection and Use of Information from Our Services
What Information Does Extole Collect from Our Services?
Below, we explain what information we collect on behalf of our Clients through the Services, and how we use it. We process information in a way that is relevant for the purpose for which it was collected as described below.
The Extole Services: Overview
Extole provides a variety of Services intended to help Clients deliver content, including rewards and links, to their Users across a wide array of platforms, devices, and applications so that Users can share content, links, and rewards with one another. Extole helps Clients by providing analytics to Clients. This information is used by the Client to better inform marketing and product decisions as well as to provide improved user experiences.
Extole has no direct relationship with Users. Extole’s Services are provided when Extole Clients install on their platforms “Extole Mechanisms” (including links, pixels, direct platform integrations, etc.) that capture the User action on behalf of the Client. By associating the information collected from these Mechanisms, Extole creates and stores identifiers unique to individual clients in the Extole platform, and then uses a variety of techniques to connect these User actions and identifiers together. Some of these common connection techniques include a direct pass-through of identifiers from platform to platform. These techniques help Clients match Users and issue rewards based on those matches. Extole stores this information separately for each Client program and does combine specific actions and information about individuals between different Client programs.
The key use cases of Extole’s service are:
- To support Clients in implementing refer-a-friend programs typically using rewards based on key events such as purchase.
- For example, Extole helps a Client create and deliver a sharing UI on a Clients website or app so that Users can create links and send them to other Users in email, over social networks, and directly to recommend purchase or sign-up. Extole tracks the events in this referral process and helps Clients deliver reward to Users.
- To report individualized and aggregated analytics metrics about the performance of the Client’s referral and advocacy initiatives to the Client directly.
- For example, Extole can tell a Client how many Users shared, visited their website, registered for their service, and/or purchased. Extole can also tell a Client about the rewards issued as a result of those events.
- To assist the Client by presenting real time, targeted offers and content to their Users depending on Client determined criteria in order to deliver more relevant referral and advocacy content and rewards.
- For example, a Client can use Extole Mechanisms to provide a tailored reward like a coupon code in the Client's website to users who have interacted with the Client's app and/or website in the past.
Extole requires that each Client commit to share with Extole only information that it has lawfully obtained (including, where necessary, by obtaining consent from Users, or from their parents for children under 13, or in certain jurisdictions such as the European Union, under 16), and that it has the right to share with Extole, and we strongly discourage Clients from sharing sensitive User information with us, as such information that is not necessary for the provision of the Services.
In the charts below, we summarize the information collected automatically by the Services.
Information Collected By Extole Links, Pixels, and Tags
Extole collects the following information from web URLs created by the Client and Users and from pixels and tags placed by the Client on its websites. Some of this information is considered personal data under applicable law (in other words, information that itself may identify a unique individual or can be linked back to an individual) (“Personal Data”).
|Type of Information Collected||Purpose|
|IP Address||Standard web HTTP request; used for matching|
|Cookie||Standard web cookies, used for matching|
|Link Data||Metadata controlled by the Client, which may be used to interpret the data for reporting, or for analytics|
|User Agent||Standard web browser user agent metadata; used for matching|
|Referrer||Standard web browser HTTP referrer; may be used for reporting and analytics|
|Request||Standard web HTTP request|
Address Book Information
Clients may allow Users in a sharing UI to connect their address books from Google, Yahoo, and other providers in order to simplify sharing by Users.
Extole will only collect the first name, last name, and email address of the individual(s) Users select from their address books in order to:
- Personalize share messages;
- Deliver the share or referral message on that platform;
- Support accurate recognition of a referral in order to provide rewards depending on the rules of the Client program.
How Does Extole Use Information Collected by Our Services?
Data Extole collects through the Services is processed:
- to provide, maintain, optimize, research and improve the Extole Services.
- to fulfill Clients’ and prospective Clients’ requests for the Services including processing data at the Client’s direction and transferring User data to them. Extole does not control how Clients use information Extole shares with Clients and Users should read Clients’ Privacy Policies to understand how they use information they receive from Extole.
- to analyze and aggregate Client data with data of other Clients for Extole’s own internal business purposes and as permitted by applicable law.
- to create reports based on aggregated information, which is information that cannot be linked back to any individual person or Client, and share these reports with the public.
Our Clients’ Use of Information
Our Clients use the information collected via the Services to improve their Users’ brand experience and to better understand their marketing programs and how Users experience their brand and products. For example, a User may want to share information about a retailer that she loves with a friend. When that User sends her friend an Extole link to that retailer, after clicking the link the friend is brought directly to the website where often the Client will provide a reward because of User recommendation applicable at purchase. When the friend purchases, the Client will often give the User a reward as well. The Client would gain insights and analytics as to how their site and rewards appeal to Users and friends.
Extole supports functionality to allow Clients to respect granular controls regarding User data privacy rights. Clients can flag in the Extole SDK that a particular User has requested that their data not be processed by Extole, in which case Extole will no longer process engagement data on behalf of the Client for that User.
Collection and Use of Information from Our Website
What Information Does Extole Collect from Our Website?
Extole collects information from Website visitors (“you” or “Website Users”) located at www.extole.com (the “Website”), which includes the dashboard provided to our Clients located at my.extole.com. The types of information we may collect and our privacy practices depend on the nature of the relationship you have with us and the requirements of applicable law. Below are the legal bases and some of the ways we collect information and how we use it. We process information in a way that is relevant for the purpose for which it was collected as described below.
What We Collect from Clients that Use the Website
Extole collects personal and non-personal data via the Website. Personal Data is any information that relates to an identified or identifiable natural person. For example, when Clients register to use our Services, we ask them to provide us with Personal Data, including first and last name and email address.
Dashboard Information: Information we collect from visitors who register for an account on our dashboard includes the following, some of which is considered Personal Data under applicable law.
|Type of Information Collected||Purpose|
|IP Address||Standard web HTTP request; may be used for limited security login controls|
|Cookie (ours)||Standard web cookie used for dashboard session management|
|Cookie (third-party)||Third-party web tracking tools used for internal business intelligence|
|First, Last Name||Used for team user identification|
|Used as the primary login identifier|
|User Agent||Standard web browser user agent metadata; may be used for limited security login controls|
|Referrer||Standard web browser HTTP referrer; may be used for general internal business analytics|
|Request||Standard web HTTP request; may be used for general internal business analytics|
We also require Clients to set up a user ID and unique password for account security purposes. Clients must not share their passwords with anyone. Clients also have the option of adding other team members to their account. This account information enables us to set up an account for Clients, to provide the Services, and to otherwise manage Client accounts. We may also use this information to notify Clients about updates to our Services and provide them with promotional emails. We offer a mechanism to opt-out from promotional emails as described in the “Opt-out from Promotional Emails” section below.
Account and Billing Information: To the extent that we charge a fee for the Services, we may also collect billing and payment information from Clients through our third-party payment processors.
Third Party Connection Information: Some features of the Services allow Users to share information through Client accounts with other companies such as Facebook and Google. If Clients choose to connect Extole to such third-party services, we may collect information related to your use of those third-party services, such as authentication tokens that allow us to connect to your third-party service accounts. We will ask you for permission to authorize our collection of this information. We may also collect information about how you are using the Services to interact with those connected third-party services.
Job Listings and Resume Submittal: We have a co-branding relationship with Jazz HR to process career applications submitted on our Website. Jazz is authorized to use your personal information only as necessary to provide service to Extole. You may choose not submit information or may request information to be updated or removed by emailing email@example.com.
Communications with Extole: Some Users may provide Personal Data to Extole by sending us an email or filling out an online form on the Website. We use this information to answer their question(s), and may store that information for our record keeping, marketing, and advertising purposes.
Cookies and Ads
- Strictly Necessary Cookies: These cookies allow you to navigate the Website and use its features. These cookies expire when the browser is closed.
- Functionality Cookies: We use these cookies to help us remember your preferences, such as language or location. These can be used to make your visit to our Website more tailored and pleasant.
- Performance Cookies: These cookies collect information on how people use our Website. For example, we use Google Analytics to collect information regarding visitor behavior, such as how users arrive at our Website, browse or use our Website. This helps us to highlight areas we can improve, such as navigation and user experience.
- Analytics Cookies: Our Website uses Google Analytics, which is a web analytics service provided by the third party provider Google, Inc., and is used to evaluate use of our Website, visitor demographics and to develop Website content. This analytics data is not tied to any Personal Data. For more information about Google Analytics, please visit google.com/policies/privacy/partners/. You can opt-out of Google’s collection and processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.
- Advertising or Targeting Cookies: The Website utilizes third-party tracking tools from third-party service providers, which may enable these third parties to analyze our Website traffic for analytics purposes. Some of these third-party service providers may collect information from this Website for retargeting and interest-based advertising purposes. For more information about these forms of ad targeting and to understand your right to opt-out from these practices, please visit http://www.aboutads.info/choices/. All of these tools are hosted by the third parties who provide them, and your interactions with these features are governed by the privacy policies of the third parties providing them.
Opt-out from Website Cookies/Web Beacons
Also, you can choose to set your browser to remove cookies and to reject cookies. To exercise the Do Not Track settings, please visit the privacy settings of your browser. Where Extole is able to see that such a selection has been made, we will not use information collected from that device to target advertising on that browser. Dashboard users must use the “Cookie Consent” feature to revoke permission to place cookies.
Note that, even if you opt-out, we may still collect and use non-personal data regarding your activities on our Website. This also does not opt you out of being served advertising altogether; you will continue to receive generic advertisements.
How Does Extole Use the Information Collected through its Website?
Data Extole collects through the Website is processed:
- to communicate about products and services offered by Extole and Extole's selected partners. We receive opt-in consent to send promotional and marketing messages to users where required by applicable law. You can opt-out of receiving these messages at any time as described below in the section titled: “Opt-out from Promotional Emails”;
- for ad delivery and reporting purposes and to create data and analytics products and services;
- to provide, maintain, optimize, research and improve the Website;
- to fulfill your and prospective Clients’ requests for the Services;
- to send information about the Services including confirmations, technical notices, updates, security alerts, and support and administrative messages;
- to manage your information and account, to contact Website Users to answer questions or resolve problems, or to verify your identity;
- to develop new products, processes and services; or
- to comply with applicable legal or regulatory obligation, including, but not limited to, use in connection with legal claims, compliance, regulatory, or investigative purposes.
Legal Bases for Processing
We base the above mentioned processing activities of your Personal Data on the following legal bases:
- Processing for letters a) and b) is based on your consent (Art. 6 para. 1 sentence 1 a) GDPR).
- Processing for letters c) through g) is necessary to establish and fulfill a contract with you (Art. 6 para. 1 sentence 1 b) GDPR).
- Processing for letter h) is necessary for compliance with a legal obligation to which we are subject (Art. 6 para. 1 sentence 1 c) GDPR).
Where you have consented to Extole's processing of your Personal Data in connection with your use of the Website, you may withdraw that consent at any time by following the instructions below. Where your consent for the processing of Personal Data is otherwise required by law or contract, we will comply with the law or contract.
Opt-out from Promotional Emails
POLICIES APPLICABLE TO BOTH OUR SERVICES & OUR WEBSITE
How does Extole Share Information?
Extole may also share information with others under the following circumstances:
- With third-party vendors, consultants and other service providers who work for us and need access to information we collect to do that work. These third parties are prohibited from using the information for purposes other than performing services for us or to comply with applicable legal requirements.
- With our Clients and their agents, as described in this Policy.
- To comply with laws or to respond to lawful requests and legal process including to meet national security or law enforcement requirements, and in order to investigate, prevent, or take action regarding suspected, or actual, prohibited activities, including but not limited to fraud and situations involving potential threats to the physical safety of any person.
- To protect the rights and property of Extole, our agents, Clients, Users, Website Users, and others including to enforce our agreements and policies.
- In connection with or during negotiation of any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Updating Your Information and Contact Preferences; California Privacy Rights
We provide Clients with a mechanism to access, review, and update their personal information via the dashboard. If you wish to review or update your information, please visit https://my.extole.com and login using the username and password you created. Next, please select “Settings”, then select the edit icon associated with your account in the Team list. If you would like to delete your account, please email firstname.lastname@example.org
Under California law, California residents who have an established business relationship with us may choose to opt-out of the disclosure of Personal Data about them to third parties for such third parties’ direct marketing purposes. Our policy is not to disclose Personal Data collected through our Website to a third party for direct marketing purposes without your approval. If you choose to opt-out at any time after granting approval, email email@example.com and/or https://www.extole.com/unsubscribe/
California residents who have provided us with Personal Data can also request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their Personal Data (if any) for such third parties’ direct marketing purposes in the prior calendar year, as well as the type of Personal Data disclosed to those parties.
We Secure the Information We Collect
Securing the information provided by our Clients and collected through our Website is important to us. Extole has implemented industry-standard technical, administrative, and physical safeguards to help protect the information on our servers against unauthorized access, alteration, disclosure or destruction. You are responsible for maintaining the secrecy of your own passwords. If you have reason to believe that your passwords or Personal Data are no longer secure, please promptly notify us at firstname.lastname@example.org.
Our Data Retention Policy
For our Services: Extole stores the information collected by our Services (see the “What Information Does Extole Collect from our Services?” section above) so long as our systems continue to encounter that User.
Usage activity logs, which are used for the purpose of reporting and analytics, are stored in an identifiable form for no more than 14 days, after which these logs are removed or pseudonymized. Any and all pseudonymized logs are deleted after 12 months.
Aggregated reporting metrics shared with Clients are retained (in aggregate and anonymized form) for a default of 6 months, unless otherwise required by applicable law or otherwise agreed between Extole and the Client.
For the Website: We store Personal Data such as email address or billing details for so long as you continue to have a business relationship with Extole and for a reasonable time thereafter for record-keeping purposes. If applicable to you, you may ask us to delete that information by following the instructions above or pursuant to your right of erasure as described in the “Rights of Access, Rectification, Erasure and Restriction” section below.
Links to Other Websites
The Website and/or Services may contain links to other websites and other websites may reference or link to our Website and/or Services. These other domains and websites are not controlled by Extole, and we do not endorse or make any representations about third-party websites or social media platforms. We encourage you to read the privacy policies of each and every website and application that you interact with. We do not endorse, screen, or approve, and are not responsible for the privacy practices or content of such other websites or applications. Visiting these other websites or applications is at your own risk.
Social Media Buttons
On our Website, we use the following social media plug-ins: Facebook, Twitter, LinkedIn and Google+. The plug-ins can be identified by the social media buttons marked with the logo of the provider of the respective social media networks.
We have implemented these plug-ins using the so-called 2-click solution. This means that when you visit our Website, Personal Data will initially not be collected by the providers of these social media plug-ins. Only if you click on one of the plug-ins will your Personal Data be transmitted: By activating the plug-in, data is automatically transmitted to the respective plug-in provider and stored by them. We neither have influence over the collected data and data processing operations conducted by the providers, nor are we aware of the full extent of data collection, the purposes or the retention periods.
Information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the respective data protection policies of these providers, where you will also find further information on your rights and options for privacy protection.
Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA: https://www.facebook.com/privacy/explanation.
Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA: https://twitter.com/privacy.
LinkedIn Corp., 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy
Google, Inc., 1600 Ampitheatre Parkway, Mountain View, CA, 94043, USA: https://policies.google.com/privacy?hl=en
International Data Transfers
All information collected via the Website and Services is stored on servers located in the United States. In the process of providing the Services, we may transfer information across borders from other countries or jurisdictions into the United States. If you are visiting from the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring your personally identifiable information to the United States, or other jurisdictions, which does may not have the same data protection laws as the EU and other regions. With knowledge of these risks, by providing your personally identifiable information you acknowledge that you understand:
- Your Personal Data will be transferred to the United States as indicated above. .
Data transfers from the European Union are subject to our compliance with the Privacy Shield mechanism discussed in the “Privacy Shield” section below.
Rights of Access, Rectification, Erasure and Restriction
Services: Because Extole is a service provider that processes data on behalf of its Clients, any requests relating to European Users’ exercise of their rights of access, rectification, erasure, or restriction under the European General Data Protection Regulation (“GDPR”) must be provided to Extole by a Client. Clients can notify Extole of these requests here.
Moreover, Extole supports functionality to allow Clients to respect granular controls regarding User data privacy rights. Clients can flag that a particular User has requested that their data not be processed by Extole, in which case Extole will no longer process data on behalf of the Client for that User.
Website: Website Users who are residents of the European Economic Area may seek confirmation regarding whether Extole is processing Personal Data about you, request access to such data, and ask that we correct, amend, or delete it where it is inaccurate or has been processed in violation of the Privacy Shield Principles. You can submit such requests starting on May 25, 2018 by emailing email@example.com. Your request will be processed in line with applicable law. Although we make good faith efforts to provide you with access to your Personal Data, there may be circumstances in which we are unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question, or where it is commercially proprietary. To protect your privacy, we will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Data.
Our Policy Regarding Children
Services: The Extole Services are not directed to children. We require that Clients agree to either not send to us data relating to any children under 13 (or, in certain jurisdictions such as the European Union, under 16), unless they obtain all parental consents necessary under applicable law for collection of data from any such children. If you believe that we might have any information from or about a child under 13 (and in certain jurisdictions such as the European Union, under 16) without the requisite parental consent, please contact us at firstname.lastname@example.org, so that Extole can promptly investigate and delete any inappropriately provided information.
Website: The Extole Website is not directed to children. We do not knowingly collect through the Website Personal Data from anyone under the age of 13 (and in certain jurisdictions, such as the European Union, under the age of 16). If you are under 13 (and in certain jurisdictions, such as the European Union, under 16), please do not attempt to register or send any information about yourself to us, including your name, address, telephone number, or email address. No one under 13 (and in certain jurisdictions, such as the European Union, under 16) may provide any Personal Data to us. In the event that we learn that we have collected any such data from a child under 13 (and in certain jurisdictions, such as the European Union, under 16) through our Website, we will take reasonable steps to delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13 (and in certain jurisdictions, such as the European Union, under 16), please contact us at email@example.com, so that Extole can promptly investigate and delete any inappropriately provided information.
In the event that all or part of our assets are sold or acquired by another party, or in the event of a merger, you grant us the right to assign the Personal Data collected via the Website.
We may change this Policy at any time in our sole discretion. We will post all changes to this Policy on this page and will indicate at the top of the page the modified Policy’s effective date. If you have any questions or suggestions regarding this Policy, please contact us at:
350 Sansome Street, Suite 700
San Francisco, CA 94104
or by email at firstname.lastname@example.org
Privacy Complaints by European Union Residents
We have further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to the TrustArc, an alternative dispute resolution provider located in the United States.