Privacy Policy

Introduction

Frontify AG (“Frontify” or “We”) is a Swiss company, which provides a cloud-based brand management Software-as-a-Service (the “Platform”) to professionals and companies and operates frontify.com (the “Site”). Headquartered in St. Gallen, Switzerland, Frontify has additional offices in Frankfurt, Germany and New York, USA. The Platform is a customizable solution for every specific brand requirement and is designed to maximize brand consistency through centralization. Frontify offers a wide range of features, including but not limited to: the Brand Guidelines, the Digital Asset Management, the Digital & Print Templates and the Creative Collaboration. Additionally, the Platform is an intuitive solution enabling every user to: upload and centralize digital assets independently; define brand essentials with dynamic guidelines; build a design system for digital efficiency and create customized templates for always on-brand marketing material.

Scope of the Privacy Policy

This Privacy Policy describes how Personal Data of every user (“You”) of the Site and/or of the Platform is collected and used. The provisions of this Privacy Policy apply globally to all Personal Data We process in order to fulfill our role and obligations as Processor and, from time to time, also as Controller, under the circumstances specified in the respective section below. We care about your Personal Data regardless of where you access and use the Platform and/or the Site from. Therefore, We commit to respect your privacy and comply with the applicable data protection laws globally. In this regard, as Frontify is a Swiss-based company, our processing activities fall unexceptionally under the scope of the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz, the “DSG”). In parallel, due to our large European customer base, our processing activities fall in different cases also under the scope of the European Union General Data Protection Regulation (the “GDPR”). In fact, the provisions of the GDPR apply, on the one hand, to all Controllers and Processors established in the European Union (the “EU”) territory and, on the other hand, to non-EU Controllers and Processors who either offer goods and services to Data Subjects located in the EU or monitor the behavior of the same. Accordingly, every time We process Personal Data, We make our best efforts to guarantee the highest standards for data protection required by the GDPR and document them throughout this Privacy Policy with specific references to the relevant articles. Lastly, as We operate on a global level, where additional country-specific guarantees are required on a local basis, as for example with the California Consumer Privacy Act (the “CCPA”), We commit to fulfill the additional requirements and abide by the respective applicable data protection laws. A dedicated section about the CCPA can be found at the bottom of this Privacy Policy.

What is Personal Data and Who are the Data Subjects?

According to Art. 4 (1) GDPR, "Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject"). For the sake of clarity, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Frontify is a Processor, but exceptionally acts as a Controller

The GDPR differentiates between Controllers and Processors. Controllers are those who determine the purposes and means of the processing of Personal Data; whereas Processors are those that process Personal Data on behalf of the Controller.

In the relationship with our customers, We act as Processor. Natural persons and legal entities can purchase a Free-, Starter-, Team- or an Enterprise Plan (the “Frontify Plan”). In order to provide our services, We need to collect and use certain Personal Data. We process the Personal Data only on behalf and on instructions of our customers and in accordance with the relevant applicable laws. Our customers who purchase a Frontify Plan are primarily responsible for processing the Personal Data of all users accessing the Platform (e.g. employees of the customer and/or other natural persons invited by the customer to use the Platform). In our role as Processor, We redirect any requests We may receive from users of the Platform to the relevant Controller in terms of Art. 28 (3) e GDPR.

Nevertheless, in exceptional circumstances We act as Controller. This occurs in connection to: i) natural persons who materially purchase a Frontify Plan and do not sign in the name of a legal entity; ii) visitors of our Site; iii) interested natural persons who consent to provide their Personal Data; and iv) our employees. In this case, every request We may receive from Data Subjects belonging to one of the mentioned categories will be answered directly by our legal team.

Frontify Collects Personal Data

In the context of providing our services to the users, via the Platform and throughout the Site, we collect the following categories of personal data:

  • General individual information. In order to register for the services available on our Site (e.g. newsletter, webinars, demos, etc.) and/or to sign up and log in to our Platform, current and prospective users of Frontify are required to provide certain Personal Data. In particular, the following information must be provided:
    • Name and Surname
    • Email address
    • Company Name
    • Job Title or similar
  • User data. Every user of the Platform, regardless of the specific Frontify Plan purchased, has to sign up and log in to start collaborating. The provision of the following Personal Data is therefore mandatory:
    • Name and Surname
    • Email address
    • Password
    • IP address
  • Personal Data contained in the assets uploaded on the Platform. The assets that You, as a user, upload to the Platform might contain Personal Data. In this case, the only processing activity We will perform on such Personal Data is hosting. You bear the responsibility to upload such assets exclusively in accordance with the instrumental professional use of the Platform and not for any other purposes. For instance, no assets containing Personal Data of minors and/or other special categories of Personal Data under any applicable data protection law (e.g. such as listed in Art. 9 (1) GDPR) shall be uploaded. You can be held accountable for any misuse or illegal use of our Platform.
  • Billing: A person who is interested in purchasing a Frontify Plan must provide credit card information and/or a billing address. We neither collect nor store any credit card information ourselves. The process is completely outsourced to our payment service providers that collect and store this information on our behalf, namely, Recurly for billing and Adyen for money transfers.
  • Browser data: We may collect standard website visitor information supplied by your browser (e.g. your operating system, the browser you are using, language settings) to ensure that the use of our Site is without disruption and as user-friendly as possible. This information is dependent on the type of device, browser and the settings You are using.
  • Support: If You send us a request (for example via a support email or via one of our feedback mechanisms), We reserve the right to use this information to respond to your request, as well as to offer support to other users. We take all reasonable measures to protect your Personal Data against unauthorized access, use, alteration or destruction.
  • Other usage statistics: Besides browser data, We may collect statistics, usage information and may record user sessions on how registered users interact with our Platform, in order to maintain and improve it. This usage data is collected anonymously, and it does not include user data as described above.
  • Marketing: From time to time, We may send You marketing material. We may do that either if We believe there is a legitimate interest for You to receive it or, in the absence of such legitimate interest, only after receiving your explicit consent. This material may include marketing campaigns, product updates, news about future events and webinars and newsletters. We guarantee that none of your Personal Data will be shared with or sold to third parties and used for their marketing purposes.

If you are a registered user of our Site or Platform and have supplied your email address, We may occasionally send You an email to inform You about the release of new features, request your feedback, or just keep you up to date about Frontify and our services. In order to communicate this type of information, We mainly use our blog. However, You can also subscribe to our monthly newsletter to receive product updates, brand related content, and general insights. If You wish to unsubscribe from the newsletter, You can always do that by using the relevant link included in every email.

  • Personal Data of job applicants: If You apply for a vacancy at Frontify, We will collect and process all the information that You voluntarily provide us in connection with a potential employment, as well as information which is publicly available (e.g., your LinkedIn profile). Additionally, We store job applicants data using a trusted third-party tool (“Recruitee”), which ensures full GDPR compliance. In case We decide not to move further with your application, We’ll make sure to have all your Personal Data deleted from the tool in due course, in accordance with internal schedules and procedures.

  • Frontify talent pool: We are always looking for the best talents in different fields of expertise. Thus, to speed up our recruiting process and keep track of top-performing candidates, We created a talent pool database where We store the information of specific applicants. After sending your application to Frontify, You, as a potential member of our talent pool, will receive an email allowing you to explicitly opt-in to our talent pool. Upon receipt of your consent, We will store your information for one year. You have the right to request, at any time, the correction or the deletion of your Personal Data by using the contact details found in the “Contact” section below. Furthermore, at the expiry of each year following your initial consent, You will be able to either confirm your initial authorization or to request deletion of your profile from our talent pool, by following the relevant instructions provided to you via email. In the event You decide to withdraw your original consent, your profile will be deleted from the talent pool as soon as reasonably possible, in accordance with our internal schedules and procedures.

  • Additional Services: From time to time, We may use third-party infrastructure and platform services to provide our clients, employees, or partners with additional services. To date the latter include:

a) the provision of online training sessions and tools for onboarding purposes

(Currently, We operate the Frontify Academy for such purposes. The Frontify Academy is a digital place where all its users are provided with the resources to familiarize themselves with Frontify, its services, and related topics. Specifically, it enables users to acquire know-how, access and collect resources, and gain an understanding of the world of branding and brand management in general)

b) the creation of a global community that connects all brand experts and enthusiasts with the purpose of shaping the future of brand management.

(To give every brand a voice, find inspiration, share and collect resources, discover brand evolutions, and meet peers with whom to share know-how, ideas, and struggles, We have created Voices of Brand. Voices of Brand is where the people behind brands come together to engage, inspire, and uplift one another on a shared journey to shape the future of branding hosted by Us.)

The data processed within the framework of the provision of the services above may include information relating to the users of such services that is collected upon their access to, use, and interaction with the tool. Such information may include the user’s name and email address, however for further details about what data is collected and how it is used We recommend consulting the privacy policy of the respective third-party providers that are linked below.

With regard to Voices of Brand, following your registration as a member of the community, You might receive regular email communications with the most recent updates on the community. These may include a monthly newsletter highlighting the key topics of the past month, a link to register for an upcoming event, or other types of email that will help you navigate through the different activities available on the platform. If you wish to not receive these communications any longer, you can unsubscribe at any time by using the appropriate link included in each email.

The external third-party providers being used for purposes under lit. a) and b) are respectively Skilljar and Insided: https://www.skilljar.com/privacy/ https://www.insided.com/docs/privacy-policy

  • Personal Data of children (under the age of sixteen): Our Platform is not intended for people under the age of sixteen. Therefore, We do not voluntarily collect information from anyone under that age. Additionally, if We learn that We may have received information from someone under the age of sixteen, We will take immediate action and adopt all reasonable measures to remove that information.
  • Exclusion of special categories of Personal Data: In the context of the provision of our services, including those offered through the Site and Platform, We do not need to collect or process in any other way special categories of personal data. Therefore, We never ask our existing and/or prospective customers to provide Personal Data revealing their racial or ethnic origin, their political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In the event that We accidentally receive any such information from a user and/or customer, We act promptly to inform the latter and remove that information.

Frontify Processes Personal Data

When processing Personal Data as Controller, We comply with the requirements set by Art. 6 GDPR on the “Lawfulness of Processing”. Specifically, the latter provides that the processing is lawful only if and to the extent that at least one of the following applies:

  • You have given your consent to the processing of your Personal Data for one or more specific purposes.
  • The processing is necessary for the performance of a contract between You and us or in order to take steps at your request prior to entering into a contract.
  • The processing is necessary to comply with a legal obligation to which We are subject.
  • The processing is necessary for the performance of a task carried out in the public interest.
  • The processing is necessary for the purposes of the legitimate interests We might have, except where such interests are overridden by your interests or your fundamental rights and freedoms which require protection of Personal Data.

When We process Personal Data as Processor, We act in full compliance with the provisions of Art. 28 ff. GDPR.

Frontify Limits the Processing

We care about your Personal Data, thus We limit the use of the collected information to the extent necessary to provide our services and/or to continuously improve our features. Specifically, We restrict the processing to the following purposes:

  • fulfilling the contract with our customers
  • complying with applicable laws and regulations
  • protecting our rights
  • fulfilling our marketing purposes
  • improving our Platform and our Site

Occasionally, We may release aggregated statistics publicly (e.g. reports on trends concerning the usage of our Site). Nevertheless, any usage information We rely on in order to monitor the usage of our Site and improve our Platform is encrypted, anonymized and aggregated. Additionally, We do not sell any Personal Data to third parties.

Frontify Acknowledges and Fulfills Your Rights to Personal Data

We consider it of primary importance that You, as a user of our Site and/or Platform, are aware of your rights under the applicable data protection laws. In accordance with Art. 12 ff. GDPR, We acknowledge and safeguard the following rights:

  • the right to refuse to provide Personal Data
  • the right to access and request copies of your Personal Data
  • the right to rectify your Personal Data manually in your account using the account setting in our Platform
  • the right to erasure (“right to be forgotten”) and have your Personal Data deleted
  • the right to limit the processing of your Personal Data
  • the right to data portability and so to request the transfer of your Personal Data
  • the right to object to the processing of your Personal Data
  • the right not to be subject to an automated individual decision-making, including profiling

Any of the above-mentioned rights can be exercised using the contact details provided in the “Contact” section below; with the caveat that limiting or objecting to some processing activities may prevent You from engaging in certain Site activities or limit your online experience when working with the Platform. In our capacity as Processor, We will forward all the relevant requests to the respective Controller pursuant to Art. 28 (3) (e) GDPR.

Frontify Stores Personal Data

All our customers’ Personal Data are hosted and stored by our trusted sub-processor Amazon Web Services, which offers best in class security services. Customers who sign up for an Enterprise Plan can decide whether they want to have their data stored in the EU, in the US, or in Switzerland; whereas customers who purchase a Free/Starter/Team Plan will have their data hosted in the US.

Frontify Engages with Third Parties

In order to provide parts of the services available on the Platform and/or the Site, We engage with trusted sub-processors. If you are a customer, You can always access the updated list of the sub-processors engaged for services on the Platform in our DPA, which can be downloaded and signed here. We also engage with third parties for additional purposes (e.g. billing, recruiting, marketing, etc.) and We mention these in the relevant sections throughout this Privacy Policy. By using the Site, you also consent to our use of cookies, with the purpose of collecting data on the user’s visits and/or for advertisement purposes. You can find more information in the relevant section below. The third-party providers We engage with might change from time to time. In that regard, We commit to notify You periodically about any such changes via our main communication channels.

Frontify Ensures Secure Data Transfers

In the context of the use of the services of our sub-processors, We might also process Personal Data outside the EU territory. In that case, We guarantee that such data are handled by trustworthy vendors and processed in accordance with the applicable data protection laws, in particular with full respect of the requirements of the GDPR. Specifically, the transfer of Personal Data outside the EU is only allowed to countries which are deemed by the EU Commission to provide an adequate level of data protection, according to Art. 45 GDPR, or, in the absence of such an adequacy decision of the EU Commission, where appropriate safeguards have been adopted in accordance with Art. 46 GDPR, for example the signature of the Standard Contractual Clauses (“SCCs”). Vendors are carefully selected based on the assessment of their security standards and regularly audited to ensure ongoing compliance with the highest applicable standards of data protection. In light of the latest developments in the European legal framework, in particular following the “Schrems II” judgement of the European Court of Justice, We have strengthened our security controls on vendors and updated the existing data processing agreements to incorporate the currently valid version of the SCCs adopted by the EU Commission. To date, We have signed data processing agreements incorporating the SCCs with all our relevant sub-processors located in the United States. In addition, We constantly monitor developments regarding the new regulations, guidelines or judgments and We take all the necessary steps to attain the highest level of compliance.

Frontify Doesn’t Disclose Personal Data

We aim to provide You with the highest standards of legal protection to Personal Data. Thus, We generally apply a policy of non-disclosure of any Personal Data with the exception of Personal Data which are needed to provide our services to You. Therefore, our employees, affiliates and sub-contractors may have access to and process your Personal Data to the extent this is needed to serve you. All of them are bound by strict confidentiality obligations. Other than the case described above, We may need to disclose Personal Data in response to a subpoena, court order or other governmental request, or where We believe in good faith that disclosure is reasonably necessary to protect the property or rights of Frontify, third parties or the public at large.

Frontify Uses Cookies

We use cookies for different purposes. We use technical cookies that are necessary for the functionality and improvement of our Site – identify visitors, keep preferences, etc. – as well as statistics and marketing cookies which give us the opportunity to customize our online services and provide You the best online experience accordingly. You can always turn cookies off. The Help feature on most browsers will tell You how to prevent your browser from accepting new cookies, how to have the browser notify You when You receive a new cookie, or how to disable cookies altogether. You can learn more about how We use cookies, which cookies We make use of and how to manage your cookie preferences in our Cookie Policy.

Frontify Might Change

If Frontify or substantially all of its assets were acquired, your information as a user of our Site and/or Platform would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of Frontify may continue to use your Personal Data as set forth in this Privacy Policy.

Frontify Updates its Privacy Policy

We may update this Privacy Policy from time to time. You can always find the latest version of the Privacy Policy on our Site. Additionally, We inform you about updates of this Privacy Policy via our newsletters.

Frontify Representative in the EU

To comply with Art. 27 (1) GDPR, Frontify Deutschland GmbH is the representative of Frontify AG in the EU.

Frontify and the California Consumer Privacy Act (CCPA)

If You are a Californian resident and We process your Personal Data, the CCPA might be applicable when We act as Processor. This regulation came into effect on January 1, 2020 and many of its requirements substantially overlap with existing obligations under the GDPR, thus they have been already addressed in the relevant sections of this Privacy Policy. This paragraph supplements the information provided in this Privacy Policy with certain additional rights that Californian residents are specifically entitled to under the CCPA. For clarification purposes here You can find a non-exhaustive list of terms of the CCPA with their meaning related to the GDPR.

GDPR | CCPA
Personal Data | Personal Information
Controller | Business
Processor | Service Provider

To be transparent with our Californian customers, we present your additional rights under the CCPA:

  • The right to be informed about the categories of Personal Information and the purpose of collection.
  • The right of access to your Personal Information.
  • The right to request deletion of your Personal Information with specific limitations concerning Personal Information required for providing our services to You, public interest reasons and other legal obligations.
  • The right to non-discrimination if You exercise any of your rights under the CCPA.

As We do not sell Personal Data of our users, We do not provide an opt-out option. Nevertheless, You may submit any request concerning the CCPA using the contact details provided in the “Contact” section below. Once We’ve verified your identity, your request will be answered promptly, within 45 days at the latest.

Contact

Please don't hesitate to contact our privacy team at privacy@frontify.com if You have any questions about our Privacy Policy, other privacy-related matters or for any request related to the processing of your Personal Data.