Frontify AG, based in St. Gallen, and its subsidiaries Frontify Deutschland GmbH, based in Frankfurt, and Frontify Inc., based in New York, ("Frontify", "we") is a technology company. Frontify provides a brand management software as a service (“Service”) to private and enterprise customers, and operates frontify.com.
Frontify, as a Swiss company, is therefore also affected by the provisions of the GDPR.
We might also process Personal Data outside the territory of the European Union (EU). In that case, we guarantee that Personal Data are handled by trustworthy vendors and processed in accordance with the applicable data protection laws. In particular, in full respect of the GDPR relevant requirements, the transfer of Personal Data outside the EU is only allowed to countries which are deemed by the EU Commission to provide an adequate level of data protection, or, in the absence of such adequacy decision of the EU Commission, where appropriate safeguards under art. 46 GDPR have been adopted.
Vendors are carefully selected based on the assessment of their security standards and regularly audited to ensure ongoing compliance with the highest standards of protections. In light of the latest developments in the European legal framework, in particular following the “Schrems II” judgement of the Court of Justice of the European Union, Frontify has strengthened its security controls on vendors and updated the existing Data Processing Agreements to incorporate the Standard Contractual Clauses adopted by the EU Commission.
As to date, Frontify has signed Data Processing Agreements incorporating the SCCs with all its relevant sub-processors located outside the EU.
According to art. 4 para. 1 GDPR "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR differentiates between Data Controller and Data Processor. Controllers are those who determine the purposes and means of the processing of personal data. In case the purposes and means of such processing are determined by European Union Law, the criteria to be identified as Data Controller are determined by European Union Law itself. Processors are those that process Personal Data on behalf of the Controller.
For providing the Service to its customers Frontify acts as a Data Processor in terms of GDPR. Natural Persons or legal entities can purchase a Free-, a Starter-, a Team- or an Enterprise Plan (“Frontify Plan”). In order to provide the Service at all, we need to collect and use certain Personal Data. We process the Personal Data only on behalf, and on instruction of, our customers, and in accordance with the relevant applicable law. For this reason, our customers who purchase a Frontify Plan are primarily responsible for processing the Personal Data of all users (e.g. employees of the customer and/or other natural persons invited by the customer to join the Platform).
Nevertheless, in exceptional circumstances Frontify acts as Data Controller. This occurs in connection to i) those natural persons who materially purchase a Frontify Plan and do not sign in the name of a legal entity; ii) visitors of our website; iii) interested natural persons who consent to provide their Personal Data; and iv) our employees.
Frontify lawfully “processes” Personal Data in accordance with the meaning given to this term by article 4 of the GDPR.
In addition, article 6 of the GDPR prescribes that the processing is lawful only if and to the extent that at least one of the following applies:
We care about your Personal Data and therefore we limit its processing to the following purposes, and always upon prior explicit and informed consent:
You Come First, thus You Choose You may refuse to provide Personal Data at any time, with the caveat that it may prevent you from engaging in certain website-related activities or limiting you from working with the Service.
You may correct the Personal Data manually in your account using the account settings in our Service.
You may always request us to correct and delete your Personal Data using the contact details below.
General Individual information: In order to register to our Services, to show interest in getting more insights about our Product, to receive our newsletter, and in general, to be reached out to for marketing purposes, current and future perspective users of Frontify upon prior explicit consent may provide Personal Data in the form of their email address, name and surname, name of the company, job title, or similar.
User Data: Every user of Frontify independently from its peculiar contractual Frontify Plan must register and login to our Platform in order to work on Frontify. Therefore, to sign up and login to Frontify the following Personal Data is mandatory:
On the contrary, the following Personal Data is optional:
Billing: In order to subscribe for Frontify and purchase a Frontify Plan (except the Enterprise Plan), potential customer must provide credit card information and a billing address. Frontify does not collect nor store any credit card information itself. The process is completely outsourced to our payment service providers (Recurly and Zuora for billing, and Wirecard for money transfer) that collect and store this information on our behalf.
Browser Data: We may collect standard website visitor information supplied by your browser (e.g., your operating system, the browser you are using, IP addresses, language settings). This information is dependent on the type of device, browser, and the settings you are using.
Other Usage Statistics: Besides browser data, we may collect statistics, usage information, and may record user sessions on how registered users use our Services in order to maintain and improve our Services. This usage data is collected anonymously, and it does not include User Data as described above.
Marketing: We might use the information collected for our own marketing purposes. This includes, but is not limited to: marketing campaigns, marketing events, and newsletters. This information will be used solely for marketing purposes by Frontify and we will not share it with any third parties.
Exclusion of Special Categories of Personal Data: Frontify will never ask its current and perspective potential customers to provide Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, including genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. In case we might come across any of this data, its use by Frontify is strictly prohibited.
Personal Data of Job Applicants: If you apply for a vacancy at Frontify, we will collect and process information that you voluntarily communicate to us about yourself for purposes related to a potential employment. Additionally, we may collect publicly available information (e.g., your LinkedIn profile). Frontify will store and manage this information with a trusted third-party providing a state-of-the-art solution for recruiting processes. You can request access, correction, or deletion of job applicant information about you at any time using the contact details below.
Personal Data of Children (under the age of sixteen): We do not voluntarily collect information from anyone under the age of sixteen. If we learn that we may have received information from someone under the age of thirteen, we will take immediate action and all reasonable measures to remove the information.
All our Customers’ Personal Data are hosted and stored by our trusted sub-processor Amazon Web Services, which offers best in class security services. Customers who signed up for an Enterprise Plan can decide whether they want to have their data stored in the EU, in the US or in Switzerland.
Frontify will use the collected information to provide the Service to the customer and continuously improve and ameliorates its features in order for you to build powerful brand experiences. Frontify does not resell any Personal Data to any third-party.
Occasionally, we may publicly release aggregated statistics (e.g., by publishing reports on trends in the usage of our Sites).
Nevertheless, any usage information used to monitor the usage of our Sites and improve our Service is encrypted, anonymized and aggregated.
If you are a registered user of a Frontify Site or Service and have supplied your email address, Frontify may occasionally send you an email to communicate the release of new features, solicit your feedback, or just keep you up to date with what’s going on with Frontify and our products. We primarily use our product blog to communicate this type of information, so we keep this type of email to a minimum.
If you send us a request (for example, via a support email or one of our feedback mechanisms), we reserve to use this information in order to help us clarify or respond to your request, or to help us support other users. Frontify takes all measures reasonably necessary to protect against the unauthorized access, use, alteration, or destruction of Personal Data.
Frontify engages the following trusted Third-Parties Sub-Processors which provide parts of the Service on behalf of Frontify in regard to the processing of Personal Data:
Amazon Web Services (AWS) – Location: Frankfurt DE or North Virginia USA (depending on the Frontify Customer Agreement) – Service: Data processing and hosting
Wildbit (Postmark) – Location: Philadelphia USA – Service: Email processing
Algolia – Location: Germany – Service: Real-time search
Pusher – Location: London UK – Service: Real-time messaging
Intercom – Location: San Francisco USA – Service: In-app support/chat-system
Recurly – Location: San Francisco USA – Service: billing management
Wirecard – Location: Aschheim Germany – Service: money transfer
Recruitee – Location: Amsterdam Netherlands – Service: recruitment software
Frontify provides the highest attainable standards of legal protection to Personal Data. Thus, we generally apply a policy of non-disclosure of any Personal Data, and all our employees and third parties are bound by Non-Disclosure Agreements.
In particular circumstances, the disclosure of Personal Data is necessary, but encompasses only our employees, contractors, and affiliated organizations, and is limited to those cases where one of these parties needs to know that information in order to process it on behalf of Frontify, or to provide Services available at Frontify’s Sites.
Our employees, contractors, and affiliated organizations may also be located outside the home country of the user. Thus, by using Frontify’s Site, users consent to the transfer of such information to them.
Other than the case described above, Frontify may need to disclose Personal Data in response to a subpoena, court order, or other governmental request, or when Frontify believes in good faith that disclosure is reasonably necessary to protect the property or rights of Frontify, third parties, or the public at large.
By using our Sites, you also consent to cookies used for collecting the data on the user’s visits and/or for advertisement purposes by the following third-party services:
You can always turn cookies off. The Help feature on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
Frontify Deutschland GmbH is the representative of Frontify AG in the EU. This applies especially in connection to article 9 of the Standard Contractual Clauses, in connection with the Jurisdiction of the legal entity within an EU Member State.