Effective Date: November 27, 2023
1. Key Privacy Points:
Email Previews Services. Email submissions (“Email Submissions”) uploaded by a customer to our Services belong to that customer. We don’t use a customer’s Email Submissions, including any resulting email previews generated via the Services (“Email Previews”), for purposes unrelated to that customer or the use of our Services, except in limited circumstances (e.g., we are compelled by subpoena, or the customer has given us permission to do so). Email Submissions and content uploaded in connection with our Email Previews Services should never contain personal data.
Email Analytics Services. All data collected by Litmus on behalf of a customer that elects to use our email analytics Services (“Email Analytics”) belongs to that customer. We don’t use Email Analytics data for purposes unrelated to that customer or the use of our Services, except in aggregated, de-identified form as permitted under our Terms of Service or Governing Subscription Agreement (or such other service agreement between Litmus and the customer) or other limited circumstances (e.g., we are compelled by subpoena, or the customer has given us permission to do so).
Customers should never provide us with or collect any personal data in connection with their use of our Email Analytics Services. If a customer does elect to provide or collect that information, we don’t use it for any other purpose. Litmus is merely a custodian of that data.
If you use Email Analytics Services, you agree to comply with applicable privacy laws, including requirements to inform the recipients of your emails about the specific uses and disclosures of their data described herein, and to directly address any concerns they may have about your privacy policies and/or use of their information for this purpose.
Personalize Services. Content uploaded by a customer in connection with our dynamic content, recommendations, and related services (“Personalize Services”) belongs to that customer. We don’t use a customer’s content, including any resulting content generated via the Services, for purposes unrelated to that customer or the use of our Services, except in limited circumstances (e.g., we are compelled by subpoena, or the customer has given us permission to do so). Content uploaded by a customer in connection with our Preview Services should never contain personal data.
User Data. Personal data provided by customers to set up user accounts is used by Litmus only as authorized by the individual user (“User”) or as otherwise permitted by law.
Sharing. We only share your information in limited circumstances in accordance with applicable law.
Security and Storage. We hold customer data securely on servers located in the United States. We leverage Amazon’s AWS infrastructure and built-in security controls, which incorporate several modern security standards and best practices. Please see our Trust Center for more information on Litmus’ comprehensive security program.
This Policy applies to data, information, and content gathered by Litmus Software, Inc., including our wholly-owned subsidiaries, Litmus Software Ltd., and Kickdynamic Ltd. (collectively, “Litmus,” “we,” “us” or “our”), through your use of our Services.
This Policy does not apply to the practices of other businesses that we do not own or control, including third-party websites, services and applications (“Third-Party Services”) that you may access through our Services, or to individuals that we do not employ or manage. While we attempt to partner with only Third-Party Services that share our respect for your privacy, we are not responsible for the content or privacy policies of those third parties. You are responsible for reviewing the privacy policies of any Third-Party Services you access.
3. What Information Does Litmus Collect?
Information You Provide to Us:
- Account Registration Information. You need a Litmus User account before you can use our Services. When you set up a User account, we collect personal data, such as your name and email address. You can choose not to provide us with certain information, but then you may not be able to register with us or take advantage of some features of our Services.
- Billing Information. If you sign up for our Services and/or to attend a paid event, we require you to provide billing details, such as a name, address, email address and financial information corresponding to your applicable method of payment. If you elect to make payments with a payment card, such information is processed by a PCI-compliant third-party payment card processor. If you provide a billing address, we will regard that as the location of the customer.
- Account Settings. You can set various preferences and personal details on your account preferences page, such as your username and communication preferences (e.g., opting in or out of receiving marketing emails from Litmus).
- Event Registration Information. If you elect to attend an event hosted by Litmus (e.g., Litmus Live conference or a webinar), we may collect personal data, such as your name, address, telephone number, email address and other information. You can choose not to provide us with certain information, but then you may not be able to register with us or take advantage of some features (e.g., receipt of emails regarding event details, electronic copies of event materials, etc.).
- Survey Data. If you elect to participate in a Litmus survey, we may collect, store and process your survey responses.
- Other Data. We may collect your personal data if you submit it to us in other contexts (e.g., sales inquiries, chat messages on our website, customer support requests, etc.).
Information Collected Indirectly or Passively when You Interact with Us:
- Usage Data. We collect usage data about you whenever you interact with our website and Services. This may include information about the webpages you visit, what you click on, when you performed those actions and other related information. Additionally, like most websites today, our web servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed on our website (e.g., HTML pages, graphics, etc.), operating system versions and timestamps.
- Device Data. We collect data from the devices and applications you use to access our Services, such as IP address, operating system version, device type, system and performance information and browser type. We may also infer your geographic location based on your IP address.
- Information from Cookies. We employ cookies and similar tools, including through the use of third-party analytics and tracking services, to collect data about individuals who access and use our website. This data includes usage and user statistics. For example, this data tells us how often individuals use parts of our websites, so that we can make our websites appealing and easy to use, and our content as relevant as possible.
- Information from Third Parties. We may collect your personal data from third parties if you give permissions to those third parties to share your information with us or where you have made that information publicly available.
Data Collected Through Use of Email Analytics Services
We offer Email Analytics Services that, if available through a customer’s subscription, may allow us to collect data on the customer’s behalf about the emails that the customer sends. We provide a pixel that the customer may include in the body of the emails the customer sends that enables the customer to collect certain data via our Services about its email recipients. Email Analytics Services are intended to allow the email sender to measure the performance of the email message and to learn how to improve email delivery and open rates. Such data may include, as determined by the User via its configuration of the Services, the browser and email clients used, and details about how their recipients engage with the email (e.g., whether or not the email was read, forwarded or printed). Click here for more information about the data elements processed in connection with Email Analytics Services.
It is in our customers’ discretion as to what data is collected in connection with Email Analytics Services and, therefore, each customer is solely responsible for the collection and use of any such data, including, without limitation, ensuring that such collection and use is in accordance with the customer’s privacy policies and all applicable laws.
4. How Does Litmus Use the Information We Collect?
We use the information we collect from you, on your behalf or related to you in connection with providing our Services to you, including as follows:
- Account Setup and Access to Services. You must have an account to use our Services. Litmus uses the information we collect for the creation of User accounts so that you can access our Services.
- Customer Support. We must access and use your information to provide customer support services, including troubleshooting, managing account usage, responding to billing inquiries, etc.
- Service Delivery. We perform internal evaluations and statistical analysis on the information we collect to, among other things, monitor the performance of our Services, analyze and measure visitor and User behavior and trends, to understand how our Services are used, to help us improve our Services, for market research and to develop new features and functionalities.
- Enforcement of our Terms of Service. We monitor Services to ensure that use is in accordance with our Terms of Service or Governing Subscription Agreement (or other service agreement between you and Litmus), including to prevent fraud, as well as illegal, abusive or undesirable activities.
- Transactional Communications. We may send you transactional communications (e.g., service-related announcements, billing-related matters, updates to our Terms of Service, Governing Subscription Agreement or other policies, changes to our Services, welcome emails when you register for Services, etc.). You can’t opt out of receiving these communications since they are required to provide our Services to you.
- Marketing Purposes. We will only send marketing-related communications if you have consented to receive such communications. We may combine information about you from third party sources with information we hold about you to create a user profile, which helps us to make our marketing and sales efforts more relevant to you and to personalize and improve your experience.
- Security. We use your information to maintain the security of our systems and Services (e.g., controlling abuse, spam and DDoS attacks), including the security of your User account.
- Legal Requests. We may need to inspect information we hold to determine how to respond to a subpoena or other legal request. We may also contact you, to the extent permitted, regarding such matters.
5. Will Litmus Share Any of the Information we Receive?
We may share your personal data with third parties as follows:
- With Your Organization; Billing Contacts. If the email address under which you have registered your User account belongs to or is controlled by an organization (e.g., your employer), we may disclose that email address and other pertinent account information to that organization in order to help it understand who associated with that organization uses Litmus, and to assist the organization with its enterprise accounts. In addition, if your User account details are different from the billing contact listed for your account, we may disclose your identity and the account details to the billing contact upon their request.
- User Profiles and Submissions. Certain User profile information, including without limitation a User’s name and location, and any email, video, image or other content that such User has uploaded to the Services, may be displayed to other Users to facilitate User interaction within the Services (e.g., to provide examples on our blog or to encourage interaction through a forum hosted on our website) or to address your request for Services and support. Your account privacy settings allow you to limit the other Users who can see the personal data in your User profile and/or what information in your User profile is visible to others. Any information you upload to your public User profile, along with any personal data or content that you voluntarily disclose online in a manner other individuals can view (e.g., on discussion boards, in forums, messages and chat areas, etc.) becomes publicly available, and can be collected and used by others. Your username may also be displayed to other Users if and when you send messages or comments or upload images or videos through public portions of our websites and other individuals can contact you through messages and comments.
- Affiliated Businesses and Third-Party Services We Do Not Control. In certain situations, businesses or Third-Party Services we are affiliated with may sell items or provide services to you through our Services (either alone or jointly with us). You can recognize when an affiliated business is associated with such a transaction or service, and we will share your personal data with that affiliated business only at your direction and to the extent that it is related to such transaction or service. We have no control over the policies and practices of Third-Party Services as to privacy or anything else, so if you choose to take part in any transaction or service relating to an affiliated Third-Party Service, please review all such policies that may apply.
- Business Transfers. We may choose to buy or sell assets, to the extent permitted by applicable law. In these types of transactions, customer information is typically one of the business assets that would be transferred. Also, if we (or substantially all of our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, personal data would be one of the assets transferred to or acquired by a third party.
- Protection of Litmus and Others. We reserve the right to access, read, preserve, and disclose any information that we reasonably believe is necessary to comply with law or court order; enforce or apply our Terms of Service, Governing Subscription Agreement, and other agreements; or to protect the rights, property, or safety of Litmus, our employees, our Users, or others. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.
- Usage Information. We may collect usage information, such as the numbers and frequency of visitors to our websites through cookies or otherwise. We may use this information and/or data in aggregate form (as combined with information and/or data that we receive from our other Users and service providers) for our marketing or other business-related purposes. For example, usage information tells us how often visitors and Users use parts of our websites and, therefore, can be used to help us make our websites as appealing as possible and our content relevant.
- With Your Consent. Except as set forth above, you will be notified when your personal data may be shared with third parties in personally identifiable form, and will be able to prevent the sharing of this information.
6. Is Personal Information About Me Secure?
- Security. Details regarding our security practices are available at our Trust Center. We endeavor to protect the privacy of your account and other personal data we hold in our records, but we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of User information at any time. Please remember that you control the information that you input, upload or otherwise provide in connection with your use of the Services, including Email Submissions, as well as the data that is collected in connection with your subscription to our Email Analytics Services.
- User Accounts. Your User account is protected by a username and password for your privacy and security. You must prevent unauthorized access to your account and personal data by selecting and protecting your username and password, using other sign-on mechanisms appropriately and limiting access to your device and browser by signing off after you have finished accessing your account.
- Data Location. Our Services are based in the United States, so your personal data will be hosted and processed by us in the United States. Your personal data may also be processed in other countries in which Litmus offices and personnel are located, and in which our service providers are located or have servers. By using our Services, you consent to the processing of your data in these locations.
7. What Choices Do I Have?
- Access, Edit and Delete Personal Data. You may access, and, in some cases, edit or delete certain personal data that Litmus holds about you via your User account. Please note, however, that some information may remain in our records after deletion of such information from your account. In addition, we may use any aggregated, de-identified data derived from or associated with your personal data after you update or delete your personal data. If you request that any of your personal data be deleted, we reserve the right to terminate and/or limit your access to the Services to the extent Services cannot be reasonably provided without that information.
- General (non-EU) Data Privacy Requests. If you have any questions about updating information we have on file about you, please complete this form or contact us at email@example.com.
- CCPA/CPRA Requests. Some individuals, including those whose information is subject to the California Consumer Privacy Act of 2018, as amended (the “CCPA”) and the California Privacy Rights Act of 2020, as amended (the “CPRA”), have certain legal rights to obtain information related to the information we hold about them and to request deletion of certain information in appropriate circumstances. For some personal information, these rights may be exercised through your User account settings, and in all cases, requests to exercise these rights may be submitted by completing this form.
- EU/UK/Swiss GDPR Data Privacy Requests. Some individuals, including those whose information is subject to European Union (EU), United Kingdom (UK), and/or Swiss data privacy laws, have certain legal rights to obtain information on whether we hold personal data about them, to access personal data we hold about them, and to obtain the correction, update, amendment or deletion of such data in appropriate circumstances. For some personal data, these rights may be exercised through your User account settings, and in all cases, requests to exercise these rights may be submitted by completing this form.
- Cancel Your Account. You may cancel your account via your User account at any time. In the event that your account is cancelled by you or Litmus, or your subscription to the Services terminates or expires, following such cancellation, termination, or expiration, you will no longer be able to access any of your account information, the information that you upload or receive through your use of the Services or other personal data that we hold in our records (except as otherwise provided by applicable law).
- California Civil Code Sections 1798.83-1798.84. Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal data that we share with our affiliates and/or third parties for marketing purposes, and to provide contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request by sending an email to firstname.lastname@example.org.
- Decline to Provide. You may always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of the features of our Services.
- Marketing Communications. You may opt out of receiving marketing communications at any time by clicking the “unsubscribe” link located in the footer of any marketing email you have received from Litmus, or by sending an email to email@example.com.
9. For How Long Does Litmus Retain Data?
We generally retain data for as long as you have an account with us, or to comply with our legal obligations, resolve disputes or enforce our agreements. For more information, please see Litmus’ Data Retention Policy.
10. Safety of Children and Children’s Online Privacy Protection Act (COPPA)
Our Services are not intended for, and may not be permissibly used by, individuals under the age of 13. Litmus does not knowingly collect personal data from persons under 13 or allow them to register for Services. If it comes to our attention that we have collected personal data from such a person, we may delete this information without notice. In addition, if you utilize our Email Analytics Services, then you may not provide information that pertains to any persons under the age of 13 (unless you have received such information from a parent on that child’s behalf and have authorization to provide such information to Litmus in connection with your use of the Services). If you have reason to believe that we might have any information from or about a child under 13 that was not supplied by that child’s parent, please contact us by completing this form.
11. Data Privacy Framework Principles:
- Data Privacy Framework Principles. Litmus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Litmus has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Litmus has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
- Data Transfers. Your personal data is hosted and processed by us in the United States, and may also be processed in other countries in which Litmus offices and personnel are located, and in which our service providers are located or have servers. We ensure that the recipient of your personal data offers an adequate level of protection by adhering to the Data Privacy Framework Principles and by entering into appropriate agreements and, if required and to the extent applicable, a Data Processing Agreement with Standard Contractual Clauses (SCCs) for the transfer of data as approved by the European Commission, and UK Addendum to the SCCs, as approved by the UK Information Commissioner’s Office (ICO).
- Onward Transfers. Litmus complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.
- Enforcement. Litmus is subject to the jurisdiction of the U.S. Federal Trade Commission, including the FTC’s investigatory and enforcement powers, regarding our compliance with the Data Privacy Framework Principles. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or legal enforcement requirements.
- Resolution Mechanisms.
  - In compliance with EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Litmus commits to resolve DPF Principles-related complaints concerning our handling of personal data in reliance on EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints regarding our compliance with the Data Privacy Framework Principles should first contact Litmus electronically through this form.
  - In compliance with EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Litmus has further committed to refer unresolved complaints concerning our handling of personal data received in reliance on EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgement of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please contact or visit JAMS at https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
  - You may also have the right to invoke binding arbitration under certain conditions for complaints regarding Data Privacy Framework Principles compliance that are not resolved by any other mechanisms. For more information, please reference https://www.dataprivacyframework.gov/s/.
- Intra-company Data Transfer Agreement. There is an intra-company data transfer agreement in place between Litmus Software, Inc. and Litmus Software Ltd. and in place between Litmus Software, Inc. and Kickdynamic, Ltd., to ensure that any exchange of personal data between the entities will be adequately protected in accordance with applicable law.
The best way to reach us for inquiries related to the processing of your personal data is to complete the applicable form below:
Litmus Software, Inc.
675 Massachusetts Ave., 10th Floor
Cambridge, MA 02139