Frontify AG (“Frontify” or “We”) is a Swiss company, which provides a cloud-based brand management Software-as-a-Service (the “Platform”) to professionals and companies and operates frontify.com (the “Site”). Headquartered in St. Gallen, Switzerland, Frontify has additional offices in Frankfurt, Germany and New York, USA. The Platform is a customizable solution for every specific brand requirement and is designed to maximize brand consistency through centralization. Frontify offers a wide range of features, including but not limited to: the Brand Guidelines, the Digital Asset Management, the Digital & Print Templates and the Creative Collaboration. Additionally, the Platform is an intuitive solution enabling every user to: upload and centralize digital assets independently; define brand essentials with dynamic guidelines; build a design system for digital efficiency and create customized templates for always on-brand marketing material.
What is Personal Data and Who are the Data Subjects?
According to Art. 4 (1) GDPR, "Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject"). For the sake of clarity, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Frontify is a Processor, but exceptionally acts as a Controller
The GDPR differentiates between Controllers and Processors. Controllers are those who determine the purposes and means of the processing of Personal Data; whereas Processors are those that process Personal Data on behalf of the Controller.
In the relationship with our customers, We act as Processor. Natural persons and legal entities can purchase a Free-, Starter-, Team- or an Enterprise Plan (the “Frontify Plan”). In order to provide our services, We need to collect and use certain Personal Data. We process the Personal Data only on behalf of and on the instructions of our customers and in accordance with the relevant applicable laws. Our customers who purchase a Frontify Plan are primarily responsible for processing the Personal Data of all users accessing the Platform (e.g. employees of the customer and/or other natural persons invited by the customer to use the Platform). In our role as Processor, We redirect any requests We may receive from users of the Platform to the relevant Controller in terms of Art. 28 (3) (e) GDPR.
Nevertheless, in exceptional circumstances We act as Controller. This occurs in connection with: i) natural persons who materially purchase a Frontify Plan and do not sign in the name of a legal entity; ii) visitors of our Site; iii) interested natural persons who consent to provide their Personal Data; and iv) our employees. In this case, every request We may receive from Data Subjects belonging to one of the mentioned categories will be answered directly by our legal team.
Frontify Collects Personal Data
In the context of providing our services to the users, via the Platform and throughout the Site, We collect the following categories of Personal Data:
- General individual information. In order to register for the services available on our Site (e.g. newsletter, webinars, demos, etc.) and/or to sign up and log in to our Platform, current and prospective users of Frontify are required to provide certain Personal Data. In particular, the following information must be provided:
  - Name and Surname
  - Email address
  - Company Name
  - Job Title or similar
- User data. Every user of the Platform, regardless of the specific Frontify Plan purchased, has to sign up and log in to start collaborating. The provision of the following Personal Data is therefore mandatory:
  - Name and Surname
  - Email address
  - IP address
- Personal Data contained in the assets uploaded on the Platform. The assets that You, as a user, upload to the Platform might contain Personal Data. In this case, the only processing activity We will perform on such Personal Data is hosting. You bear the responsibility to upload such assets exclusively in accordance with the instrumental professional use of the Platform and not for any other purposes. For instance, no assets containing Personal Data of minors and/or other special categories of Personal Data under any applicable data protection law (such as those listed in Art. 9 (1) GDPR) shall be uploaded. You can be held accountable for any misuse or illegal use of our Platform.
- Billing: A person who is interested in purchasing a Frontify Plan must provide credit card information and/or a billing address. We neither collect nor store any credit card information ourselves. The process is completely outsourced to our payment service providers that collect and store this information on our behalf, namely, Recurly for billing and Adyen for money transfers.
- Browser data: We may collect standard website visitor information supplied by your browser (e.g. your operating system, the browser you are using, language settings) to ensure that the use of our Site is without disruption and as user-friendly as possible. This information is dependent on the type of device, browser and the settings You are using.
- Support: If You send us a request (for example via a support email or via one of our feedback mechanisms), We reserve the right to use this information to respond to your request, as well as to offer support to other users. We take all reasonable measures to protect your Personal Data against unauthorized access, use, alteration or destruction.
- Other usage statistics: Besides browser data, We may collect statistics, usage information and may record user sessions on how registered users interact with our Platform, in order to maintain and improve it. This usage data is collected anonymously, and it does not include user data as described above.
- Marketing: From time to time, We may send You marketing material. We may do that either if We believe there is a legitimate interest for You to receive it or, in the absence of such legitimate interest, only after receiving your explicit consent. This material may include marketing campaigns, product updates, news about future events and webinars and newsletters. We guarantee that none of your Personal Data will be shared with or sold to third parties and used for their marketing purposes.
If you are a registered user of our Site or Platform and have supplied your email address, We may occasionally send You an email to inform You about the release of new features, request your feedback, or just keep you up to date about Frontify and our services. In order to communicate this type of information, We mainly use our blog. However, You can also subscribe to our monthly newsletter to receive product updates, brand related content, and general insights. If You wish to unsubscribe from the newsletter, You can always do that by using the relevant link included in every email.
Personal Data of job applicants: If You apply for a vacancy at Frontify, We will collect and process all the information that You voluntarily provide us in connection with a potential employment, as well as information which is publicly available (e.g., your LinkedIn profile). Additionally, We store job applicants' data using a trusted third-party tool (“Recruitee”), which ensures full GDPR compliance. In case We decide not to move further with your application, We’ll make sure to have all your Personal Data deleted from the tool in due course, in accordance with internal schedules and procedures.
Frontify talent pool: We are always looking for the best talents in different fields of expertise. Thus, to speed up our recruiting process and keep track of top-performing candidates, We created a talent pool database where We store the information of specific applicants. After sending your application to Frontify, You, as a potential member of our talent pool, will receive an email allowing You to explicitly opt in to our talent pool. Upon receipt of your consent, We will store your information for one year. You have the right to request, at any time, the correction or the deletion of your Personal Data by using the contact details found in the “Contact” section below. Furthermore, at the expiry of each year following your initial consent, You will be able to either confirm your initial authorization or request deletion of your profile from our talent pool, by following the relevant instructions provided to You via email. In the event You decide to withdraw your original consent, your profile will be deleted from the talent pool as soon as reasonably possible, in accordance with our internal schedules and procedures.
Additional Services: From time to time, We may use third-party infrastructure and platform services to provide our clients, employees, or partners with additional services. To date the latter include:
a) the provision of online training sessions and tools for onboarding purposes
(Currently, We operate the Frontify Academy for such purposes. The Frontify Academy is a digital place where all its users are provided with the resources to familiarize themselves with Frontify, its services, and related topics. Specifically, it enables users to acquire know-how, access and collect resources, and gain an understanding of the world of branding and brand management in general)
b) the creation of a global community that connects all brand experts and enthusiasts with the purpose of shaping the future of brand management.
(To give every brand a voice, find inspiration, share and collect resources, discover brand evolutions, and meet peers with whom to share know-how, ideas, and struggles, We have created Voices of Brand. Voices of Brand is where the people behind brands come together to engage, inspire, and uplift one another on a shared journey to shape the future of branding hosted by Us.)
With regard to Voices of Brand, following your registration as a member of the community, You might receive regular email communications with the most recent updates on the community. These may include a monthly newsletter highlighting the key topics of the past month, a link to register for an upcoming event, or other types of email that will help you navigate through the different activities available on the platform. If you wish to not receive these communications any longer, you can unsubscribe at any time by using the appropriate link included in each email.
- Personal Data of children (under the age of sixteen): Our Platform is not intended for people under the age of sixteen. Therefore, We do not voluntarily collect information from anyone under that age. Additionally, if We learn that We may have received information from someone under the age of sixteen, We will take immediate action and adopt all reasonable measures to remove that information.
- Exclusion of special categories of Personal Data: In the context of the provision of our services, including those offered through the Site and Platform, We do not need to collect or process in any other way special categories of personal data. Therefore, We never ask our existing and/or prospective customers to provide Personal Data revealing their racial or ethnic origin, their political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In the event that We accidentally receive any such information from a user and/or customer, We act promptly to inform the latter and remove that information.
Frontify Processes Personal Data
When processing Personal Data as Controller, We comply with the requirements set by Art. 6 GDPR on the “Lawfulness of Processing”. Specifically, the latter provides that the processing is lawful only if and to the extent that at least one of the following applies:
- You have given your consent to the processing of your Personal Data for one or more specific purposes.
- The processing is necessary for the performance of a contract between You and us or in order to take steps at your request prior to entering into a contract.
- The processing is necessary to comply with a legal obligation to which We are subject.
- The processing is necessary for the performance of a task carried out in the public interest.
- The processing is necessary for the purposes of the legitimate interests We might have, except where such interests are overridden by your interests or your fundamental rights and freedoms which require protection of Personal Data.
When We process Personal Data as Processor, We act in full compliance with the provisions of Art. 28 ff. GDPR.
Frontify Limits the Processing
We care about your Personal Data, thus We limit the use of the collected information to the extent necessary to provide our services and/or to continuously improve our features. Specifically, We restrict the processing to the following purposes:
- fulfilling the contract with our customers
- complying with applicable laws and regulations
- protecting our rights
- fulfilling our marketing purposes
- improving our Platform and our Site
Occasionally, We may release aggregated statistics publicly (e.g. reports on trends concerning the usage of our Site). Nevertheless, any usage information We rely on in order to monitor the usage of our Site and improve our Platform is encrypted, anonymized and aggregated. Additionally, We do not sell any Personal Data to third parties.
Frontify Acknowledges and Fulfills Your Rights to Personal Data
We consider it of primary importance that You, as a user of our Site and/or Platform, are aware of your rights under the applicable data protection laws. In accordance with Art. 12 ff. GDPR, We acknowledge and safeguard the following rights:
- the right to refuse to provide Personal Data
- the right to access and request copies of your Personal Data
- the right to rectify your Personal Data manually in your account using the account setting in our Platform
- the right to erasure (“right to be forgotten”) and have your Personal Data deleted
- the right to limit the processing of your Personal Data
- the right to data portability and thus to request the transfer of your Personal Data
- the right to object to the processing of your Personal Data
- the right not to be subject to automated individual decision-making, including profiling
Any of the above-mentioned rights can be exercised using the contact details provided in the “Contact” section below; with the caveat that limiting or objecting to some processing activities may prevent You from engaging in certain Site activities or limit your online experience when working with the Platform. In our capacity as Processor, We will forward all the relevant requests to the respective Controller pursuant to Art. 28 (3) (e) GDPR.
Frontify Stores Personal Data
All our customers’ Personal Data are hosted and stored by our trusted sub-processor Amazon Web Services, which offers best-in-class security services. Customers who sign up for an Enterprise Plan can decide whether they want to have their data stored in the EU, in the US, or in Switzerland, whereas customers who purchase a Free/Starter/Team Plan will have their data hosted in the US.
Frontify Engages with Third Parties
Frontify Ensures Secure Data Transfers
In the context of the use of the services of our sub-processors, We might also process Personal Data outside the EU territory. In that case, We guarantee that such data are handled by trustworthy vendors and processed in accordance with the applicable data protection laws, in particular with full respect of the requirements of the GDPR. Specifically, the transfer of Personal Data outside the EU is only allowed to countries which are deemed by the EU Commission to provide an adequate level of data protection, according to Art. 45 GDPR, or, in the absence of such an adequacy decision of the EU Commission, where appropriate safeguards have been adopted in accordance with Art. 46 GDPR, for example the signature of the Standard Contractual Clauses (“SCCs”). Vendors are carefully selected based on the assessment of their security standards and regularly audited to ensure ongoing compliance with the highest applicable standards of data protection. In light of the latest developments in the European legal framework, in particular following the “Schrems II” judgement of the European Court of Justice, We have strengthened our security controls on vendors and updated the existing data processing agreements to incorporate the currently valid version of the SCCs adopted by the EU Commission. To date, We have signed data processing agreements incorporating the SCCs with all our relevant sub-processors located in the United States. In addition, We constantly monitor developments regarding new regulations, guidelines or judgments and We take all the necessary steps to attain the highest level of compliance.
Frontify Doesn’t Disclose Personal Data
We aim to provide You with the highest standards of legal protection to Personal Data. Thus, We generally apply a policy of non-disclosure of any Personal Data with the exception of Personal Data which are needed to provide our services to You. Therefore, our employees, affiliates and sub-contractors may have access to and process your Personal Data to the extent this is needed to serve you. All of them are bound by strict confidentiality obligations. Other than the case described above, We may need to disclose Personal Data in response to a subpoena, court order or other governmental request, or where We believe in good faith that disclosure is reasonably necessary to protect the property or rights of Frontify, third parties or the public at large.
Frontify Might Change
Frontify Representative in the EU
To comply with Art. 27 (1) GDPR, Frontify Deutschland GmbH is the representative of Frontify AG in the EU.
Frontify and the California Consumer Privacy Act (CCPA)
To be transparent with our Californian customers, We present your additional rights under the CCPA:
- The right to be informed about the categories of Personal Information and the purpose of collection.
- The right of access to your Personal Information.
- The right to request deletion of your Personal Information with specific limitations concerning Personal Information required for providing our services to You, public interest reasons and other legal obligations.
- The right to non-discrimination if You exercise any of your rights under the CCPA.
As We do not sell Personal Data of our users, We do not provide an opt-out option. Nevertheless, You may submit any request concerning the CCPA using the contact details provided in the “Contact” section below. Once We’ve verified your identity, your request will be answered promptly, within 45 days at the latest.