Last Revised December, 2022
Spiff Inc. (“Spiff,” the “Company,” “We,” “Us,” or “Our”) is committed to individuals’ rights to privacy. This Privacy Statement applies to the products and services made available by Spiff (“Services”). It describes our privacy practices for how we collect, use, share, and process information relating to our users (“you”) (“Personal Data”) in connection with the Services, and describes how you can learn about your rights and choices regarding our processing of your Personal Data. As a global organization, we abide by all applicable data privacy laws, such as the California Consumer Privacy Act and the California Privacy Rights Act of 2020 (together, the “CA Acts”) and the European Union’s General Data Protection Regulation (“GDPR”).
Spiff and your Personal Data
Personal Data Collected
We collect Personal Data about you as described here. This includes identifiers and professional information (e.g., name, signatures, company name, email address, mailing address, phone number, portal login ID and password, sales, employment, and compensation information) and Internet / network activity information (e.g., Internet Protocol (IP) address, browser type, operating system, referring / exit pages, links clicked, and actions taken while browsing).
We receive your identifier and professional information Personal Data directly from you and your employer, primarily in the following situations:
- When you are signed up as a user of the Services and when you and your employer use Spiff’s Services, you or your employer are required to provide personal information such as: full name, company name, email address, mailing address, phone number, portal login ID and password. Note: if you log in via SSO, we pull the necessary information from the applicable third-party system. That information may be more limited than what we would use if you logged in other than through SSO.
- When you and your employer use Spiff’s Services, we collect certain information relating to that use, to enable you and your employer to get the most out of our Services, including: sales, employment, and compensation information, and Internet / network activity information (e.g., Internet Protocol (IP) address, browser type, operating system, referring / exit pages, links clicked, and actions taken while browsing).
- If you participate in a product discussion (including support requests), sales or marketing presentation, or similar session organized by Spiff, we may record that session. These recordings will capture any Personal Data you volunteer during the session, including your name, likeness, and voice. Note that recording functions are native to the third-party tools we use to organize these sessions (e.g., Zoom), and those tools are subject to the applicable third party’s privacy practices. If you’d like to know more, we encourage you to check out the relevant third-party privacy policies.
Use of Personal Data Collected
Spiff uses the Personal Data collected as described above to provide the Services and make communications that you have requested. For example, we may use your Personal Data to:
- Authenticate your login to the Services
- Send Services-related communications, including updates about new releases, maintenance windows, or other important info
- Handle and respond to your product support requests and make necessary changes to our support process
- Administer your account
- Conduct research and analysis regarding use of the Services and make improvements based on that analysis
Note specifically that we do not conduct automated decision-making or profiling with respect to your Personal Data.
Our use of your Personal Data is lawful and necessary to fulfill our contractual obligation to enable your use of the Services and otherwise to protect our legitimate interests in the provision, operation, and maintenance of the Services, which are core to our business. Your provision and our processing of your Personal Data is not a statutory requirement.
Sharing your Personal Data
We will only share your Personal Data with third parties in the ways that are described in this Privacy Statement. None of these disclosures constitute “sales” of your Personal Data (particularly under the CA Acts), and we do not otherwise sell your Personal Data.
Service Providers, Sub-Processors and Third Parties
We may provide your Personal Data to companies or their websites that provide services to help us with our business activities, specifically those related to our provision of the Services to you or the Spiff customer on whose behalf you use them (e.g., product support requests or Services billing). Some examples include:
- Google Cloud Platform (GCP), which is our primary cloud infrastructure provider, to host the Services and meet Spiff customers’ growing needs.
- Communication tools (such as Salesforce, Zoom, and Gong.io), which may record some of our chats and conference calls with you or your employer.
- Dropbox for signatures for your statements.
To see a list of our sub-processors, please visit: www.spiff.com/trust-privacy/.
Other Sharing Circumstances
We may also disclose your Personal Data (in any category):
- As required by law, such as to comply with a subpoena or similar legal process,
- When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request,
- If we are involved in a merger, acquisition, or sale of all or a portion of our assets, we may disclose your Personal Data to the extent related to the consummation of that transaction. We may notify you via email and/or a prominent notice on our websites or in our Services of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data, but unless you hear specifically from us or our acquirer, your Personal Data will continue to be subject to this Privacy Statement, and
- To any other third party with your prior consent to do so.
Data Localization and Transfer
Spiff is based in the United States, and that is where we (and most of our processors and sub-processors) store and otherwise process Personal Data. When you provide Personal Data to us directly, you are knowingly consenting to our transferring to and processing that Personal Data in the United States. Unless you ask for that data back, we will not thereafter transfer Personal Data to another country unless we’ve put in place appropriate legal mechanisms to do so.
If you live in the European Economic Area, you should understand that the European Commission does not consider the United States to apply “adequate levels of protection” to Personal Data. This means that the EC is not satisfied with the scope, applicability, or level of protection granted by U.S. laws and regulations that relate to Personal Data. The EC has also raised concerns regarding the U.S. government’s ability to access Personal Data stored within the United States. Overall, this means that Personal Data in the U.S. may not be subject to the same stringent legal protections as it would be in Europe, so there is a theoretically increased risk that your Personal Data is accessed, used, or disclosed by unauthorized third parties. That said, we would encourage you to review–and take comfort from–the section below describing our security measures. We take the security of your data very seriously and think you can trust that it will be kept as safe as it would be anywhere else.
Spiff will retain your information for as long as your Services account is active or as otherwise needed to provide you the Services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.
Children and Minors
Spiff does not knowingly process or sell Personal Data concerning children under the age of sixteen, nor are our Services directed at minors. If you are under the age of thirteen, you must get your parent’s or guardian’s consent prior to using the Services.
Spiff and Customer Data
Spiff’s Customers may electronically submit data or information, including Personal Data (collectively, “Customer Data”), for hosting and processing purposes in connection with those Customers’ use of the Services. Spiff’s rights and obligations concerning that processing are addressed in the Spiff Master Subscription Agreement or other applicable Spiff-Customer agreement.
Spiff and Security
Security and Infrastructure
Data security is paramount for Spiff and our customers. Spiff protects Personal Data and Customer Data with world-class physical, network, application, and data-level security. In addition, Spiff invests in the most advanced and modern infrastructure and tools available to provide an innovative, scalable, global, predictable, and secure environment.
Spiff maintains a comprehensive security program based on CIS Controls to ensure the confidentiality, integrity, and availability of customer data. Spiff is committed to ensuring our Services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access and that our system processing is complete, accurate, timely, and authorized.
Service Organization Controls
Spiff regularly passes rigorous third-party compliance audits of our robust security, confidentiality, and availability controls. Spiff publishes a Service Organization Controls 1 and 2 (SOC 1 and 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Spiff service providers may also publish SSAE16 SOC 1 and 2 Type II and SOC3 (SysTrust) reports. These reports confirm that Spiff delivers fully secure and reliable, high-quality operating standards in its data center operations, including provisioning, management and monitoring of the hardware, network, and firewalls. All of these reports are for limited distribution and shared under a confidentiality and non-disclosure agreement (NDA). Please direct all requests for any such reports through your Spiff Account Executive or Customer Service Representative.
As noted above, this privacy statement covers the information practices of the Services accessed at app.spiff.com.
Services Navigational Information
Spiff uses commonly-used information-gathering tools, such as cookies and web beacons, to collect information as you navigate our Services (“Services Navigational Information”). This section describes the types of Services Navigational Information that may be collected in our Services and how this information may be used.
Cookies and Other Tracking Technologies
A cookie is a small text file that is stored on a user’s computer for record-keeping purposes. Technologies such as cookies, beacons, tags, and scripts are used by Spiff and some of our business partners (e.g., our tracking utility company), affiliates, or analytics or service providers. These technologies are used in analyzing trends, administering the Services, tracking users’ movements around the Services, and gathering demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use session cookies to make it easier for you to navigate our Services. A session ID cookie expires when you close your browser. Cookies enable us to track and target the interests of our users to enhance the experience on our Services.
Enabling these cookies is not strictly necessary for the Services to work but it will provide you with a better experience. You can delete or block these cookies, but if you do that some features of our Services may not work as intended.
What cookies do we use?
We use the following categories of cookies in our Services:
Category 1 — Strictly Necessary Cookies
These cookies are essential to enable you to browse around our Services and use their features. Without these cookies, services including user account login and access to video content cannot be provided.
Category 2 — Preference Cookies
These cookies collect information about how you use our Services and remember choices you make while using our Services. This data may be used to help optimize our Services and make them easier for you to navigate. The information these cookies collect will not personally identify you, and they cannot track your browsing activity on non-Spiff websites or outside our Services.
Category 3 — Statistics Cookies
These cookies help Spiff understand how visitors interact with our Services and help us improve our overall site experience.
Spiff primarily uses Google Analytics in our Services to provide statistics and reporting on our Services performance. Our implementation of Google Analytics does not collect any Personal Data.
Spiff Network Users: The user IDs used in Google Analytics are not personally identifiable, and there are several thresholds in place to link this non-identifiable user ID to an identifiable Spiff Network user. Spiff Network users may turn off the usage of Google Analytics within the application of Spiff Network via their user profile which is described in Spiff Network Online Help.
Category 4 — Marketing Cookies
These cookies are used to track visitors’ behavior in our Services and potentially across non-Spiff websites. The intention is to display Spiff-specific content and advertisements that are relevant and engaging for the individual user. The information these cookies collect will not personally identify you and is used to target content to users anonymously.
How to control cookies
You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
EU Users: Update your cookie preferences for this site.
Spiff uses web beacons alone or in conjunction with cookies to compile information about Customers and visitors’ usage of our Services and interaction with emails from the Company. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular website tied to the web beacon, and a description of a website tied to the web beacon. For example, Spiff may place web beacons in marketing emails that notify the Company when you click on a link in the email that directs you to our Services or one of our websites. Spiff uses web beacons to operate and improve the Services and email communications.
Spiff may use information from web beacons in combination with data about Spiff customers to provide you with information about the Company and Services.
As is true of most online services, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data. We may combine this automatically collected log information with other information we collect about you. We do this to improve Services we offer you.
We use Local Storage (LS) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5.
Do Not Track
Currently, various browsers (such as Internet Explorer, Firefox, and Safari) offer a “do not track” or “DNT” option. Spiff does not currently commit to responding to browsers’ DNT signals with respect to the Company’s Services or websites, in part because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. Spiff takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
Behavioral Targeting / Re-Targeting
We partner with a third party to either display advertising in our Services or to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities in our Services in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (https://adssettings.google.com/authenticated). Please note this does not opt you out of being served all ads. You will continue to receive generic ads.
Spiff and Data Privacy Rights
User privacy is important to us (truly). A significant part of respecting that privacy is making you aware of and welcoming your exercise of your data privacy rights under applicable law, including the GDPR or the CA Acts. Those rights may include:
- Right to Know: You may have the right to request information about the processing of your Personal Data if you think it is missing from this Privacy Statement (e.g., if you would like to see what precise pieces of Personal Data we have).
- Right to Access: You may have the right to access your Personal Data that we process.
- Right to Rectification: You may have the right to request that we fix errors or omissions in your Personal Data that we process.
- Right to Erasure (a/k/a the Right to be Forgotten): You may have the right to have us delete your Personal Data.
- Right to Object: You may have the right to object to our processing of your Personal Data or to stop it altogether.
- Right to Restrict Processing: You may have the right to limit the ways in which we process your Personal Data.
- Right to Data Portability: You may have the right to request a portable version of your Personal Data. There may be costs associated with these types of requests.
- Right to Non-Discrimination: We will not treat you unfairly as a result of your choice to exercise any of the above rights.
Your entitlement to one or more of the rights above may depend on your location or other circumstances surrounding our processing of your Personal Data, but we’ll always do our best to accommodate your requests. You may request to exercise one or more of these rights by contacting us as set forth under “Spiff and Communication / Updates” below.
When handling requests to exercise data privacy rights, we may take steps to verify your identity or the authority of an authorized agent you’ve appointed (more on that in a few). Where possible, we’ll try to accomplish that verification by referring only to Personal Data we already have on hand. If you live in California, you may be able to appoint an authorized agent to exercise your data privacy rights on your behalf (in which case we may take steps to verify your agent’s authorization to act on your behalf).
If you think we have done something wrong concerning your Personal Data, we hope that you will reach out to us as soon as possible so that we can resolve your concern. However, you are always free to file complaints concerning violations of this Privacy Statement or applicable law with appropriate government agencies. If you live in the European Union, this includes your local “supervisory authority” that is responsible for GDPR compliance.
Spiff and Communication / Updates
At Spiff, we strive to maintain productive communication with our current and prospective customers. You may manage your preferences by clicking on the “unsubscribe” link located on the bottom of our marketing emails. Please note that customers cannot opt out of receiving transactional emails related to usage of Spiff’s Services.
Spiff’s Privacy Officer is happy to help with questions or inquiries. You can direct those questions or inquiries to our attention at:
9815 South Monroe Street, Suite 501, Sandy, UT 84070, USA
privacy [at] spiff [dot] com
This Privacy Statement is current as of December 2022. Spiff reserves the right to update this Privacy Statement to reflect changes to our practices. We will provide notification of material changes here or directly to our Customers via email prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.