Privacy Notice
Version July 29, 2024
1 Introduction
Frontify AG (“Frontify” or “We”) is a Swiss company that provides a cloud-based brand management Software-as-a-Service (“Platform”) to professionals and companies. Headquartered in St. Gallen, Switzerland, Frontify has subsidiaries in Frankfurt (Germany), New York (USA), London (UK), and Paris (France).
The Platform is a customizable solution for every specific brand requirement and is designed to maximize brand consistency through centralization. Frontify offers a wide range of features, including but not limited to the Brand Guidelines, the Digital Asset Management, the Creative Collaboration, and the Digital & Print Templates. Additionally, the Platform is an intuitive solution that enables every user to upload and centralize digital assets independently, define brand essentials with dynamic guidelines, build a design system for digital efficiency, and create customized templates for on-brand marketing material.
2 What does this Privacy Notice regulate?
This Privacy Notice describes how Frontify Processes Personal Data of individuals (“You”) who visit frontify.com or other websites operated by Frontify (as defined in section 5.19), use the Platform, participate in marketing events or other initiatives organized by Frontify (“Frontify Events”), and/or apply for a vacancy.
Frontify respects everyone’s privacy rights and applies the highest standards of data protection regardless of user’s location. We're committed to comply with all applicable laws and regulations globally.
We update this Privacy Notice on a regular basis and make the latest version available on the Site, with an indication of the date of last revision.
3 Definitions
For the purpose of this Privacy Notice, the following definitions apply:
- "Personal Data", “Data Subject”, “Processor”, “Controller”, and “Processing” shall have the meaning provided to them by the EU GDPR.
- Additional terms shall have the meaning provided by us in this Privacy Notice.
4 How does Frontify qualify with respect to the Personal Data Processed?
In the context of the services provided to our customers under the applicable agreement - which includes the General Terms and Conditions for Enterprise Customers (“GTC”) and the Data Processing Agreement (“DPA”) - Frontify qualifies as a Processor. We Process Personal Data of Platform users on behalf of the customer and in accordance with the terms of the DPA. The customer determines who shall be authorized to access their Platform environment and is primarily responsible for the Processing of the users’ Personal Data.
Frontify may also carry out processing activities to which it qualifies as a Controller. This applies to all processing activities where Frontify independently determines the purpose and means for Processing Personal Data. In such cases, every request received by a Data Subject is handled by Frontify.
To ensure transparency of information, We disclose the purpose and lawful basis applicable to each Processing activity in section 5 below. Frontify acts as a Controller for each Processing activity listed in section 5 except for section 5.1 where Frontify acts as a Processor.
5 Which Personal Data does Frontify Process?
In this section You can find relevant information about the different Processing activities We perform. This includes information about the purpose and the lawfulness of the Processing.
5.1 Platform user information
To be able to provide our services to customers, We perform the following Processing activities as a Processor:
a) In order to log in to the Platform and use our services, a Platform user must provide the following mandatory information:
- Name
- Work email address
b) On a voluntary basis, Platform users may provide the following optional information:
- Profile picture
- Job title
- Company name
c) In order to operate the Platform, keep it secure, improve its quality, design, and performance, maintain it and enhance the experience of users interacting with it, inform users about new features, services, trainings, help articles, webinars, and other events, and invite them to participate in surveys, We may collect data about the users’ usage of the Platform (“Platform Usage Data”). Such Platform Usage Data may include the following:
- IP address
- geographical location inferred from IP address (regional level)
- browser type and version
- referral source
- language preference
- length of visits
- conversation data with support
- interactions with functionalities of the Platform (e.g., pages viewed, download and upload history).
We process Platform Usage Data generally in pseudonymized or aggregated form. In specific cases, We de-pseudonymize an individual user for any of the above purposes and only selected Frontify employees have access to de-pseudonymized Platform Usage Data if necessary to complete a required task.
d) Additional categories of Personal Data may be embedded in the assets and brand content (e.g., pictures, videos, etc.) uploaded to the Platform by the customer and/or the users (“Content Data”). The uploading of Content Data is exclusively managed by the customer and the users and falls outside the direct control of Frontify. The customer and users are responsible and liable for the usage of the Content Data and the lawfulness of the Processing.
Lawful basis: Frontify Processes the Platform user information as a Processor. The customer, who qualifies as a Controller, is responsible for the lawfulness of Processing towards the Data Subjects.
5.2 Contact information of Site visitors
To subscribe to services available on our Site (e.g. newsletters, webinars, demo, Frontify Events, etc.), You may provide certain contact information by filling in online forms or by using our chatbot (“Contact Information”). Depending on the service You request, We might ask You to provide some of following information:
- Name
- Work email address
- Phone number
- Company name (and other company-related information)
- Job title
We may enrich the Contact Information with Personal Data We receive from other sources, such as third-party providers of business information and publicly available sources (like social media platforms). This may include physical mail addresses, job titles, email addresses, phone numbers, IP addresses, and social media profiles. This helps us update and improve our records, identify new customers, create more personalized advertising, suggest products and services that may interest You, deliver personalized communications and promote events. The collection of Your Personal Data by these other third-party providers is governed by such provider’s privacy policy.
Lawful basis: We rely on our legitimate interest in providing You with the services You subscribed to, and also sending you personalized marketing communications. We may retain Personal Data processed for this purpose until You unsubscribe from our services or there is no longer a legitimate interest of Frontify in Processing your Personal Data.
5.3 Site visitors’ usage and statistics information
We use different tracking technologies (e.g., cookies, pixels, events, tags) to analyze how visitors interact with the Site, including collecting statistics about the use of certain features (“Site Visitor Information”). This helps us improve the quality, design, and performance of our Site, and to use it for our marketing communication. Site Visitor Information is Processed in an aggregate and anonymous form, unless You submit Contact Information as stated in section 5.2.
Site Visitor Information might contain the following:
- IP address
- geographical location
- browser type and version
- ISP information
- referral website source
- length of visits
- pages viewed
- language preferences
- download history
- conversation data with Our chatbot
- operating system
We use different types of cookies. Technical cookies are needed for the functionality and improvement of Our Site (e.g., identify visitors, keep preferences), while statistics and marketing cookies allows us to customize our online services and improve the visitor’s experience accordingly.
Except for strictly necessary cookies that are always active, You can decide which categories of cookies You want to activate, and which should remain off. The cookie banner displayed on the Site enables You to make Your choice when accessing the Site, and to get more details about cookies’ purposes. Additionally, You’ll be able to manage Your cookie settings at any time by clicking on the relevant button displayed on the left-bottom-side corner of the Site.
You can learn more about how the types of cookies We use and their purposes, and how to manage Your cookie preferences in Our Cookie Policy.
Lawful basis: Frontify relies on the consent of Site visitors to activate non-essential cookies. With regards to essential cookies, Frontify Processes such Personal Data based on Frontify’s legitimate interest to run the Site.
5.4 Billing information
For billing purposes, We may collect and use the following Personal Data if the contractual party is a natural person:
- Name of customer
- Customer’s credit card information
- Billing address
We neither collect nor store any credit card information ourselves. We use payment services providers, namely, Zuora, and Adyen.
Lawful basis: The Processing of billing information is necessary for the performance of the applicable contract to which the customer is a contractual party.
5.5 Product research
In order to collect useful insights regarding Your experience using the Platform and other services and to improve them, We may invite You to participate in interviews, surveys or other experimental studies and give us Your feedback (“Product Research Data”). Product Research Data might contain the following Personal Data:
- Name
- Email address
- Position
- Company
- Audio, video, and desktop recordings
- Content of feedback
If You intend to participate in one of our product research activities, We will ask for your prior written consent. The Personal Data collected in the context of such research activities will remain confidential. If We plan to use Product Research Data for other purposes than those set out above (e.g. publish parts of the Product Research Data), We will ask for Your specific consent beforehand or will only do so if the Product Research Data is anonymized.
Lawful basis: We rely on Your consent to Process Product Research Data.
5.6 Commercial research
In order to assess customer satisfaction using our Platform, including analyzing Frontify’s post-implementation impact, and enable data-driven and customer-centric commercial strategies, We may invite You to participate in interviews, surveys or other experimental studies and give us Your feedback (“Commercial Research Data”). Commercial Research Data might contain the following Personal Data:
- Name
- Email address
- Position
- Company
- Audio, video, and desktop recordings
- Content of feedback
If You intend to participate in one of our commercial research initiatives, We will ask for your prior written consent. The Personal Data collected in the context of such research activities will remain confidential. If We plan to use the Commercial Research Data for other purposes than those set out above (e.g., use your answers for quotations in marketing and promotional materials to highlight our customers’ experience and support our overall brand messaging), We will ask for your prior written consent beforehand, or would only do so if the Commercial Research Data is anonymized.
Lawful basis: We rely on Your consent to Process Commercial Research Data.
5.7 NPS survey
In order to be able to continuously improve our services, We may invite You to participate in NPS surveys to measure your satisfaction using the Platform and other services (“NPS Survey Data”). NPS Survey Data might contain the following Personal Data:
- Name
- Email address
- Position
- Company
- NPS score
- Content of feedback
After completing the NPS survey, We may contact You to get more details about Your feedback or ask You to leave us a review on one of our trusted third-party review platforms. The Personal Data collected in the context of such surveys will remain confidential. If We plan to use the NPS Survey Data for other purposes than those set out above (e.g. including your feedback in marketing and promotional materials to highlight customer experiences and support our overall brand messaging), We will ask You for your specific consent beforehand, or would only do so if the NPS Survey Data is anonymized.
Lawful basis: We rely on Your consent to Process NPS Survey Data.
5.8 Marketing communications
Depending on whether You are a Site visitor, a Platform user or a participant to a Frontify Event, We may send You marketing material that We believe may be of interest to You. This may include, but is not limited to marketing campaigns, product updates, news about future Frontify events, webinars, and newsletters. You can also subscribe to our newsletter to receive regular product updates, brand-related content, and general insights. You may unsubscribe from any communication at any time by using the relevant link included in each email. We will not share your Personal Data with third parties for their marketing purposes.
Lawful basis: We rely on our legitimate interest in promoting our services and providing You with the best possible user experience.
5.9 Customer testimonials
Subject to your consent, We may publish customer testimonials, which may include Personal Data, on the Site or use them in other marketing materials. You may withdraw your consent at any time by using the contact details in section 12.
Lawful basis: We rely on your consent to publish customer testimonials.
5.10 Job candidates’ profiles
If You apply for a vacancy at Frontify, We will process any information that You provide us, as well as information that is publicly available (e.g., Your LinkedIn profile), only for the purpose of evaluating You for a job position and for the time necessary to fulfill that purpose. Job candidates’ Personal Data might contain the following:
- Name
- Email address
- Contact information
- Education and professional background records
Sometimes, We may want to retain job applicants’ profiles for longer periods - for instance, when We believe that a candidate may be assessed for different job opportunities simultaneously - in which case, We request their prior written consent. We use a trusted third-party tool (“Lever”) to store and update all candidate profiles. If We decide not to move further with any application, and absent candidates’ consent to keep their profile in our talent pool (see section 5.11 of this Privacy Notice), We will delete or anonymize their Personal Data within 30 days.
Lawful basis: We rely on our legitimate interest in recruiting new employees.
5.11 Frontify talent pool
We are always looking for the best talents in different fields of expertise. Thus, to speed up our recruiting process and keep track of top-performing candidates, We maintain a talent pool database, by using a trusted third-party tool (“Lever”). Upon their application, all potential members can join the talent pool directly through the system, or, in other cases, provide their consent after being contacted by our Employee Success Team. Upon receipt of your consent, We will store Your information for one year. If Your initial application was unsuccessful, We will contact You for any new job opportunities that may arise during that one-year period and for which We believe You may be suitable. You have the right to request, at any time, a copy, correction or deletion of Your Personal Data by using the contact details in section 12 of this Privacy Notice. Within 30 days of Your request to delete your data, We will anonymize or delete Your Personal Data. Furthermore, at the expiry of each year following your initial consent, You will be able to either renew Your authorization for one additional year or to request deletion of Your profile from our talent pool, by following the relevant instructions provided to You via the talent pool.
Lawful basis: We rely on your consent to store your application data in the talent pool as outlined above.
5.12 Calls recording
For the purpose of coaching our commercial teams in handling external calls, improving our customer service and inform our product team about new features requested by our customers, We may record calls with prospects, clients and other partners, using a third-party provider. If You participate in these calls, You'll have the opportunity to consent or decline the call recording, by selecting the relevant option before the meeting starts. All recordings are automatically deleted after a three-year period. During such storage timeframe, recordings are made accessible only to those employees who have a clear need-to-know the information due to their position. Upon request, recordings can be shared with any participant to the call, who can also request at any time to delete or anonymize the recording by using the contact details in section 12.
Lawful basis: We rely on Your consent to record calls for the purposes set out above.
5.13 Frontify academy
The Frontify academy provides a comprehensive online learning environment where users can engage in courses and certification programs aimed at deepening their understanding and expertise in utilizing the Frontify platform. It is run by a third-party provider called Sana Labs AB (“Sana”). Interested individuals who want to join the Frontify academy need to log-in to the platform of Sana, which is the Controller of the personal data of its users. In order to create an account, users might need to provide the following personal data:
- Name
- Email address
However, for full details about what kind of Personal Data is Processed on Frontify academy and how it is used We recommend consulting the privacy policy of Sana. Sana’s privacy policy can be accessed here and is also linked during the log-in procedure.
Lawful basis: Sana in its role as a Controller is responsible for the lawfulness of Processing towards the Data Subjects.
5.14 Frontify customer hub
The Frontify customer hub serves as an integrated online resource center, offering access to a variety of tools, tutorials, and onboarding guides designed to enhance the user experience with Frontify throughout their customer journey. It is run by a third-party provider called EverAfter AI Ltd. (“EverAfter”). Only invited and authorized users (e.g., admins or project owners of our customers) are able to log-in to the Frontify customer hub. In providing the Frontify customer hub, Frontify might Process the following Personal Data:
- Name
- Email address
- Frontify user role
Lawful basis: We rely on Frontify’s legitimate interest in offering the best user experience with the Platform and other Frontify’ services.
5.15 Customer feedback and ideas
We always encourage our customers, partners, prospects and Platform users to share their insights, ideas and requests to help us improve Our Platform and services. Everyone can send us their feedback by clicking “submit idea” and filling in the form available on our Site, or by communicating their ideas to the responsible Customer Success Manager or our support team who will circulate the feedback internally. In either case, to follow up on Your request or to process Your idea in our product roadmap, We might collect the following Personal Data:
- Name
- Email address
- Position
- Company
- Content of feedback
Lawful basis: We rely on Frontify’s legitimate interest in improving its Platform and services and providing the best user experience.
5.16 Frontify Marketplace
We offer our customers the possibility to access and use the Frontify Marketplace, which is integrated and part of the Platform. The Frontify Marketplace is the online directory or catalog of software applications, plugins, and extensions, that users may activate to enhance their experience through the Platform. Given that the Frontify Marketplace is available on the Platform, users can access it using the same unique credentials that allow them to enter the Platform (see section 5.1).
If You choose to activate a third-party app, You authorize the third-party app provider to access and use any of Your Personal data in accordance with the third-party app provider terms and acknowledge that Frontify will have no liability in regard to any Processing of Your Personal Data by a third-party app provider.
Lawful basis: The relevant third-party app provider is Controller of the Personal Data and responsible for the lawfulness of Processing towards the Data Subjects.
5.17 Special categories of Personal Data
Frontify does not process any special categories of Personal Data as defined under Art. 9 (1) GDPR. Therefore, We never ask our existing and/or prospective customers to provide Personal Data revealing their racial or ethnic origin, their political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. If We become aware that We received any such information from a user and/or customer, We act promptly to inform the latter, gather relevant consent and/or remove that information.
5.18 Personal Data of children
Our Platform is intended for business purposes and not for use by individuals under the age of sixteen, so We do not knowingly collect information from anyone under that age. If We become aware of receiving information from an individual under that age, We take immediate steps to delete such information.
5.19 Frontify’s websites
Frontify operates the following websites (each a “Site”):
- frontify.com
- help.frontify.com
- brand.frontify.com
- paradigms.frontify.com
- paradigms.io
- weare.frontify.com/d/G1bTDvE5HuEK
- developer.frontify.com
- ventura.frontify.com
The Personal Data processed in the context of the mentioned websites are mainly Site Contact Information (section 5.2) and Site Visitor Information (section 5.3) as described above. For a detailed list of cookies deployed on each of these websites, please check Our Cookie Policy.
6 How long does Frontify retain Personal Data?
We retain Your Personal Data for as long as it is necessary to fulfill the purpose for which it was collected. To ensure this, We have defined time frames, after which the data is deleted.
Besides that, You can reach out to us at any time using the contact details in section 12 and request deletion of Your Personal Data. Further information about how You can exercise Your privacy rights are included in section 10.
7 Where does Frontify store Personal Data?
The customer data, including Personal Data, is hosted on secure server locations of AWS, either in Europe or in the USA, depending on the customers' preference. Generally, and if not otherwise selected by the customer, We tend to store the data of our European-based customers in Europe and the data of our non-European-based customers in the USA. Additionally, We might also Process Personal Data in our office locations in Switzerland, France, Germany, UK and the USA.
8 Does Frontify engage with third parties?
We engage with trusted third-party vendors to provide certain services available on the Platform. Customers can consult the list of our current sub-processors, including details on processing activities in our DPA, which is accessible here. This list may be subject to change, which We reserve to communicate to customers in accordance with the terms of the DPA.
We also use other third-party vendors to improve your online experience when navigating through the Site or using other Frontify services, to enable our internal operations and to support our marketing and commercial teams. These third-party vendors may access and process some of Your Personal Data to the extent this is necessary to provide their services.
Before engaging with any third-party vendor, We make sure that they adhere to applicable data protection laws and that they meet standards of security and confidentiality which are at least equivalent to ours.
9 Does Frontify perform international data transfers?
We may transfer Personal Data outside of Switzerland and the European Union. In such cases, We guarantee that data are handled by trustworthy vendors in accordance with the applicable data protection laws. The transfer of Personal Data outside of the EU may concern countries deemed by the EU Commission to provide an adequate level of data protection according to Art. 45 GDPR (“Safe Third Countries”), but also other countries. In these circumstances, We implement appropriate safeguards as required by Art. 46 GDPR (e.g. EU Standard Contractual Clauses, “EU SCC”). To the extent that Swiss or UK data protection laws require additional safeguards, We implement such in accordance with the instructions of the Swiss Federal Data Protection and Information Commissioner, and the Information Commissioner of the UK.
10 How can I exercise my privacy rights?
Subject to the applicable data protection laws, You may have the following rights:
- the right to access and request copies of Your Personal Data
- the right to rectify Your Personal Data
- the right to request deletion of Your Personal Data
- the right to restrict the processing of Your Personal Data
- the right to request the transfer of Your Personal Data.
- the right to object to the processing of Your Personal Data
- the right not to be subject to automated individual decision-making, including profiling.
If You wish to exercise Your rights with respect to Your Personal Data or raise a complaint about how We Process Your Personal Data, You can contact Us using the contact details in section 12. We’ll respond to Your request as soon as possible, and in any case not later than 30 days of receipt of your request . Also, You have the right to lodge a complaint with the competent data protection authority in Your country or where Frontify operates.
If You wish to unsubscribe from any communication You receive from Frontify (e.g., newsletters or marketing emails), You may use the “unsubscribe” link included at the bottom of our emails.
As a Platform user (see section 5.1), You can either exercise your rights listed above by using the functionalities of the Platform (e.g. adjusting your profile settings) or by contacting the relevant Controller (which is normally the company which grants You access to the Platform, e.g. Your Employer). In case We receive a request from You regarding Personal Data that We use as a Processor, We will forward such request to the respective Controller or advise You to contact the relevant Controller of Your Personal Data pursuant to Art. 28 (3) (e) GDPR.
Please note that, limiting or objecting to some Processing of Your Personal Data may prevent You from engaging in certain Site activities or impact Your online experience when working with the Platform.
11 Which rights do I have as a California resident?
If You are a California resident and We process Your Personal Data, the CCPA may apply to Our processing activities. The requirements of the CCPA substantially overlap with existing obligations under the GDPR, therefore, they have been addressed throughout this Privacy Notice. This paragraph supplements the information provided in this Privacy Notice with certain additional rights that California residents are specifically entitled to under the CCPA. For clarification purposes, hereafter, You will find a non-exhaustive list of CCPA terminology with their meaning related to the GDPR.
- GDPR = CCPA
- Personal Data = Personal Information
- Controller = Business
- Processor = Service Provider
To be transparent with Our California customers, We list below Your rights under the CCPA:
- Right to know: The right to request information about the categories of Personal Information and the purpose of collection.
- Right to delete: The right to request deletion of your Personal Information with specific limitations concerning Personal Information required for providing our services to You, public interest reasons, and other legal obligations.
- Right to correct: The right to request the correction of inaccurate information that We have about You.
- Right to limit use and disclosure of sensitive personal information: The right to direct us to only use your sensitive personal information for limited purposes, such as providing You with the services You requested. It should be noted in this context that We do not process sensitive personal data as stated in section 5.19 of this Privacy Notice.
We do not sell any of your Personal Data.
You may submit any request concerning the CCPA to our privacy team, using the contact details provided in section 12 below. Once We’ve verified Your identity, your request will be answered promptly, within 30 days at the latest.
We’ll not discriminate You for exercising any of your rights under the CCPA.
12 How can I contact Frontify for privacy matters?
Please find here our contact information:
Frontify AG
Unterstrasse 4
9000 St. Gallen
Switzerland
Email address: privacy@frontify.com
If You have any privacy related questions or You want to exercise your privacy rights, You can write an email to privacy@frontify.com at any time.
We’ll respond to Your request as soon as possible but latest within 30 days.
Does Frontify have a representative in the EU?
Frontify Deutschland GmbH is the representative of Frontify AG in the EU. Please find below the contact details:
Frontify Deutschland GmbH
Friedrich- Ebert- Anlage 36
60325 Frankfurt am Main
Email address: privacy@frontify.com
This Privacy Notice was last reviewed and updated on July 29, 2024.