GDPR Privacy Statement
Birdeye has received independent third party verification that it complies with the directives of GDPR. For more details, please contact privacy@birdeye.com.
This Notice is for people who are located in the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) and supplements our general Privacy Policy. Our processing of personal data of people who are in the EEA is governed by the European Union’s General Data Protection Regulation (the “GDPR”). Our processing of personal data of people who are in the UK is subject to the Data Protection Act 2018, which incorporates the GDPR as the UK GDPR. This Notice refers to the GDPR and the UK GDPR collectively as the “GDPR”. For the sake of administrative efficiency, this Notice applies to people in Switzerland as well as people in the EEA or UK. However, this does not limit any additional right that people in Switzerland may have.
The GDPR requires us to provide certain information to you about your personal data, which we refer to in this notice as your personal information.
Purposes of the processing
Our general Privacy Policy describes the personal information that we collect, use, share, or otherwise process personal information – and the purposes for that processing -- in the course of operating our business. Personal information gathered through cookies and similar tracking technologies is used for the purposes described in our Privacy Policy (link above).
Lawful basis for the processing
Generally, we process personal information provided by visitors through our website or users of our Services (as that term is defined in our Terms and Conditions) or other interactions with us on the basis of our legitimate interests in conducting our business as an online reputation management company. Where we ask for your consent, we process personal information on the basis of that consent.
We may also process personal information on other bases permitted by the GDPR and applicable laws, such as when the processing is necessary for us to comply with our legal obligations.
You have the right to file a complaint concerning our processing of your personal data with your national (or in some countries, regional) data protection authority.
Categories of personal information
The categories of personal information that we process are described in our general Privacy Notice but generally include your name, your email address and your phone number.
Recipients of your personal information
We use various service providers to manage our website and provide our Services such as emailing and texting. Our service providers have been long time partners but they may change from time to time. Note that our service providers have entered into contracts with us that restrict what they can do with your personal information. If you would like specific information about our service providers who have received your information, please contact us at privacy@birdeye.com and we will provide that information to you. We may also disclose your personal information to other categories of third parties as described in our Privacy Policy.
Information regarding the transfers of personal data outside of the European Economic Area (EEA)
Birdeye’s main offices are based in the USA and that’s where we process personal information collected through our website or the Services. When you provide personal information to us, we request your consent to transfer that personal information to the USA. At this time, the USA does not have an adequacy decision from the European Commission, which means that the Commission has not determined that the laws of the USA provide adequate protection for personal information. Although the laws of the USA do not provide legal protection that is equivalent to EU data protection laws, we safeguard your personal information by treating it in accordance with this GDPR Privacy Statement. We take all appropriate steps to protect your privacy and implement reasonable security measures to protect your personal information in storage. We use secure transmission methods to collect personal data through our website or Services. We also enter into contracts with our data processors that require them to treat personal information in a manner that is consistent with this Privacy Statement.
We have also incorporated the European Commission’s Standard Contractual Clauses (or “SCCs”) into applicable agreements to ensure compliance with GDPR’s data transfer requirements between the US and the EEA, UK and Switzerland.
Retention period for personal information
How long we retain personal information varies according to the type of information in question and the purpose for which it is used. We delete personal information within a reasonable period after we no longer need to use it for the purpose for which it was collected (or for any subsequent purpose that is compatible with the original purpose). This does not affect your right to request that we delete your personal data before the end of its retention period. We may archive personal data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.
Security Policies and Procedures to Ensure GDPR Compliance
We have developed, implemented and maintain data security policies and procedures to provide the highest level of data security possible including but not limited to:
- A range of encryption or related technologies to protect data in transmission and at rest.
- A comprehensive Data Security Policy to support its ongoing focus to protect the security of all data.
- A comprehensive Business Continuity Plan in the event of physical or technological incidents that might otherwise impact the security of data in our system.
- A program for testing its policies and procedures to maintain security.
Your data subject access rights
You have the right to request access to your personal data, to have your personal data corrected, restricted or deleted, to withdraw any consent that you have given to the processing of your personal data (without affecting the lawfulness of the processing prior to your withdrawal of consent) and to object to our processing of your personal data. You also have the right of data portability in certain circumstances, which means that you can request that we provide you (or a third party you designate) with a transferable copy of personal information that you have provided to us. Your rights may be subject to various limitations under the GDPR. If you wish to exercise any of these rights, or if you have any concerns about our processing of your personal data, please contact us in any of the ways listed in the section “How to Contact Us” in our Privacy Policy or by sending an email with detailed information to privacy@birdeye.com.
Absence of statutory or contractual requirement or other obligation to provide any personal data
Users of our website or Services are under no statutory or contractual requirement or other obligation to provide personal information to us, but it will not be possible to receive communications from us or register for our events without doing so.
Requests
Under the General Data Protection Regulation (GDPR), Europe residents have the rights to make the following requests:
Request Access to Your Personal Information
You have a right to access and review the personal information we have collected from or about you. Upon your request, we will provide you with a summary of all such personal information that we have. We understand that this request is important to you so we will respond to your request as soon as possible and will notify you via email if we need additional time.
Request Restrictions on Your Personal Information
By making this request, we will ensure that your personal information is not sold to any other person or entity.
Request the Deletion of Your Personal Information
Upon your request, we will delete the personal information we have received from or obtained about you. We complete your deletion as soon as possible and will email you if we need more information. You should be aware that we will not delete the information received from or about you which is not covered by the General Data Protection Regulation (GDPR).