Last Revised on March 10, 2021
Spiff Inc. (“Spiff,” the “Company,” “We,” “Us,” or “Our”) is committed to individuals’ rights to privacy. This Privacy Statement applies to all Spiff affiliates and their and our respective websites (“Websites”) and products and services (“Services”) that we own and operate. It describes our privacy practices for how we collect, use, share, and process information relating to individuals (“Personal Data”) in connection with operating our Websites and Services, and describes how you can learn about your rights and choices regarding our processing of your Personal Data. As a global organization, we abide by all applicable data privacy laws, such as the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”).
Spiff and your Personal Data
Personal Data Collected
We collect Personal Data about you as described here. This includes identifiers and professional information (e.g., name, company name, email address, mailing address, phone number, portal login ID and password) and Internet / network activity information (e.g., Internet Protocol (IP) address, browser type, operating system, referring / exit pages, links clicked, and actions taken while browsing).
We receive your identifier and professional information Personal Data directly from you, primarily in the following situations:
- When you express an interest in obtaining additional information about Spiff’s Services or access secure areas of our Websites, we may require you to provide personal information such as: full name, company name, email address, mailing address, phone number, portal login ID and password.
- When you purchase Spiff’s Services, we will ask you to provide billing information. When you register for or attend corporate events, Spiff will ask you to provide basic contact information, billing information, and information related to your participation in the events on Spiff’s websites.
As you navigate our Websites, Spiff may collect your Internet / network activity information through the use of commonly used information gathering tools such as web beacons and cookies. Because our processing of this data is rather technical, we have explained this in more detail below under “Spiff and Website Functionalities.”
Use of Personal Data Collected
Spiff uses the Personal Data collected from our Websites to perform the services and make communications that you have requested. For example, we may use your identifiers to:
- Send requested product or service information
- Send product updates
- Respond to customer service requests
- Administer your account
- Send newsletters
- Send marketing communications
- Respond to questions and concerns
- Improve our Web site and marketing efforts
- Conduct research and analysis
- Respond to inquiries regarding career opportunities
Note specifically that your provision and our processing of your Personal Data are not contractual or statutory requirements, and we do not conduct automated decision-making or profiling with respect to your Personal Data.
Sharing your Personal Data
We will only share your Personal Data with third parties in the ways that are described in this Privacy Statement. None of these disclosures constitute “sales” of your Personal Data, and we do not otherwise sell your Personal Data.
Service Providers, Sub-Processors and Third Parties
We may provide your Personal Data to companies or their websites that provide services to help us with our business activities (such as customer support or billing for / otherwise providing our Services). Some examples include:
- Google Cloud Platform (GCP), which is our primary cloud infrastructure provider, to host our Services.
- Marketing tools (such as Salesforce, Hubspot, and Sendgrid).
- Communication tools (such as Zoom and Gong.io), which may record some of our conference calls with prospective customers.
Other Sharing Circumstances
We may also disclose your Personal Data (in any category):
- As required by law such as to comply with a subpoena, or similar legal process,
- When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request,
- If we are involved in a merger, acquisition, or sale of all or a portion of our assets, we may disclose your Personal Data to the extent related to the consummation of that transaction. We may notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data, but unless you hear specifically from us or our acquirer, your Personal Data will continue to be subject to this Privacy Statement, and
- To any other third party with your prior consent to do so.
Public Forums and Customer Testimonials
Spiff may provide bulletin boards, blogs, or chat rooms on its Websites. Any Personal Data you choose to submit in such a forum may be read, collected, or used by others who visit these forums and may be used to send you unsolicited messages. We are not responsible for the Personal Data you choose to submit in these forums or for the processing of that Personal Data by participants in those forums or other third parties we do not control.
Spiff may post lists of Customers and testimonials on the Company’s Websites that contain information such as Customer names and titles. We obtain the consent of each Customer prior to posting any information on such a list or posting testimonials. To request removal of your Personal Data from our blog or forum or to have your testimonials removed, contact us at firstname.lastname@example.org.
Your Information on Customer Portals
If you would like to update or change your password, you may click on the “Forgot your password?” link on the login page. After you provide your username, a system generated password will be created and sent to the email address indicated on your profile. The email will contain a link where you can change your password.
Data Localization and Transfer
Spiff is based in the United States, and that is where we (and most of our processors and sub-processors) store and otherwise process Personal Data. When you provide Personal Data to us directly, you are knowingly consenting to our transferring to and processing that Personal Data in the United States. Unless you ask for that data back, we will not thereafter transfer Personal Data to another country unless we’ve put in place appropriate legal mechanisms to do so.
If you live in the European Economic Area, you should understand that the European Commission does not consider the United States to apply “adequate levels of protection” to Personal Data. This means that the EC is not satisfied with the scope, applicability, or level of protection granted by U.S. laws and regulations that relate to Personal Data. The EC has also raised concerns regarding the U.S. government’s ability to access Personal Data stored within the United States. Overall, this means that Personal Data in the U.S. may not be subject to the same stringent legal protections as it would be in Europe, so there is a theoretically increased risk that your Personal Data is accessed, used, or disclosed by unauthorized third parties. That said, we’d encourage you to review–and take comfort from–the section below describing our security measures. We take the security of your data very seriously and think you can trust that it will be kept as safe as it would be anywhere else.
Spiff will retain your information for as long as your account is active or as needed to provide you Services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.
Children and Minors
Spiff does not knowingly process or sell Personal Data concerning children under the age of sixteen, nor are any of our Websites or Services directed at minors. If you are under the age of thirteen, you must get your parents’ or guardians’ consent prior to using this Website.
Spiff and Customer Data
Spiff’s Customers may electronically submit data or information, including personal data (collectively, “Customer Data”), for hosting and processing purposes in connection with those Customers’ use of Spiff’s Websites and Services. Importantly, this Privacy Statement does not apply to Spiff’s processing of Customer Data. Instead, Spiff’s rights and obligations concerning that processing are addressed in the Spiff Master Subscription Agreement or other applicable Spiff-Customer agreement.
Spiff and Security
Security and Infrastructure
Data security is paramount for Spiff and our customers. Spiff protects Customer Data with world-class physical, network, application, and data-level security. In addition, Spiff invests in the most advanced and modern infrastructure available to provide an innovative, scalable, global, predictable, and secure environment.
Spiff maintains a comprehensive security program based on CIS Controls to ensure the confidentiality, integrity, and availability of customer data. Spiff is committed to ensuring our Websites and Services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access and that our system processing is complete, accurate, timely, and authorized.
Service Organization Controls
Spiff regularly passes rigorous third-party compliance audits of our robust security, confidentiality, and availability controls. Spiff publishes a Service Organization Controls 2 Type I (SOC 2 Type I) report under the Security and Availability Trust Service Principles (TSPs). Spiff service providers may also publish SSAE16 SOC 1 and 2 Type II and SOC3 (SysTrust) reports. These reports confirm that Spiff delivers fully secure and reliable, high quality operating standards in its data center operations, including provisioning, management and monitoring of the hardware, network, and firewalls. All of these reports are for limited distribution and shared under confidentiality agreement (CDA). Please direct all requests for any such reports through your Spiff Account Executive or Customer Service Representative.
Spiff and Website Functionalities
Web Sites Covered
As noted above, this privacy statement covers the information practices of the Websites and Services that link to this Privacy Statement, including www.spiff.com and app.spiff.com.
The Websites may contain links to other websites. Spiff is not responsible for the information practices or the content of such other websites. If you submit Personal Data to any of those sites, your information is governed by their privacy statements. We encourage you to carefully read the privacy statement of any website you visit.
Our Website also includes social media features, such as the Facebook button and Widgets or interactive mini-programs that run on our site. These features may collect your IP address, which page you are visiting on our Website, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Website. Your interactions with these features are governed by the privacy statement of the company providing it.
Web Site Navigational Information
Spiff uses commonly-used information-gathering tools, such as cookies and web beacons, to collect information as you navigate our Websites (“Website Navigational Information”). This section describes the types of Website Navigational Information that may be collected on our Websites and how this information may be used.
Cookies and Other Tracking Technologies
A cookie is a small text file that is stored on a user’s computer for record-keeping purposes. Technologies such as cookies, beacons, tags and scripts are used by Spiff and some of our business partners (e.g., our tracking utility company), affiliates, or analytics or service providers. These technologies are used in analyzing trends, administering the site, tracking users’ movements around the site and gathering demographic information about our user base as a whole. We may receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.
We use session cookies to make it easier for you to navigate our Websites. A session ID cookie expires when you close your browser. Cookies enable us to track and target the interests of our users to enhance the experience on our Websites.
Enabling these cookies is not strictly necessary for the Websites to work but it will provide you with a better browsing experience. You can delete or block these cookies, but if you do that some features of our Websites may not work as intended.
What cookies do we use?
We use the following categories of cookies on our Websites and Services:
Category 1 — Strictly Necessary Cookies
These cookies are essential to enable you to browse around our Websites and use their features. Without these cookies, services including user account login and access to video content cannot be provided.
Category 2 — Preference Cookies
These cookies collect information about how you use our Websites and remember choices you make while browsing. This data may be used to help optimize our Websites and make them easier for you to navigate.
For instance, we may store your geographic location in a cookie to ensure that we show you our Websites localized for your area. We may also remember preferences such as text size, fonts, and other customizable site elements. They may also be used to keep track of what featured products or videos have been viewed to avoid repetition. The information these cookies collect will not personally identify you, and they cannot track your browsing activity on non-Spiff websites.
Category 3 — Statistics Cookies
These cookies help Spiff understand how visitors interact with our Websites and help us improve our overall site experience.
Spiff primarily uses Google Analytics on our Website to provide statistics and reporting on our Website performance. Our implementation of Google Analytics does not collect any Personal Data.
Spiff Network Users: The user IDs used in Google Analytics are not personally identifiable, and there are several thresholds in place to link this non-identifiable user ID to an identifiable Spiff Network user. Spiff Network users may turn off the usage of Google Analytics within the application of Spiff Network via their user profile which is described in Spiff Network Online Help.
Category 4 — Marketing Cookies
These cookies are used to track visitors’ behavior on our site and potentially across non-Spiff websites. The intention is to display Spiff-specific content and advertisements that are relevant and engaging for the individual user. The information these cookies collect will not personally identify you and is used to target content to users anonymously.
How to control cookies
You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
EU Users: Update your cookie preferences for this site.
Spiff uses web beacons alone or in conjunction with cookies to compile information about Customers and visitors’ usage of our Websites and interaction with emails from the Company. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular website tied to the web beacon, and a description of a website tied to the web beacon. For example, Spiff may place web beacons in marketing emails that notify the Company when you click on a link in the email that directs you to one of the Websites. Spiff uses web beacons to operate and improve the Websites and email communications.
Spiff may use information from web beacons in combination with data about Spiff customers to provide you with information about the Company and Services.
As is true of most websites, we gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data. We may combine this automatically collected log information with other information we collect about you. We do this to improve Services we offer you.
We use Local Storage (LS) such as HTML5 to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5.
Do Not Track
Currently, various browsers (such as Internet Explorer, Firefox, and Safari) offer a “do not track” or “DNT” option. Spiff does not currently commit to responding to browsers’ DNT signals with respect to the Company’s Websites, in part because no common industry standard for DNT has been adopted by industry groups, technology companies or regulators, including no consistent standard of interpreting user intent. Spiff takes privacy and meaningful choice seriously and will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.
Behavioral Targeting / Re-Targeting
We partner with a third party to either display advertising on our Websites or to manage our advertising on other sites. Our third-party partner may use technologies such as cookies to gather information about your activities on our Websites in order to provide you advertising based upon your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt out by clicking here (https://adssettings.google.com/authenticated). Please note this does not opt you out of being served all ads. You will continue to receive generic ads.
Spiff and Data Privacy Rights
User privacy is important to us (truly). A significant part of respecting that privacy is making you aware of and welcoming your exercise of your data privacy rights under applicable law, including the GDPR or the CCPA. Those rights may include:
- Right to Know: You may have the right to request information about the processing of your Personal Data if you think it is missing from this Privacy Statement (e.g., if you’d like to see what precise pieces of Personal Data we have).
- Right to Access: You may have the right to access your Personal Data that we process.
- Right to Rectification: You may have the right to request that we fix errors or omissions in your Personal Data that we process.
- Right to Erasure (a/k/a the Right to be Forgotten): You may have the right to have us delete your Personal Data.
- Right to Object: You may have the right to object to our processing of your Personal Data or to stop it altogether.
- Right to Restrict Processing: You may have the right to limit the ways in which we process your Personal Data.
- Right to Data Portability: You may have the right to request a portable version of your Personal Data.
- Right to Non-Discrimination: We will not treat you unfairly as a result of your choice to exercise any of the above rights.
Your entitlement to one or more of the rights above may depend on your location or other circumstances surrounding our processing of your Personal Data, but we’ll always do our best to accommodate your requests. You may request to exercise one or more of these rights by contacting us as set forth under “Spiff and Communication / Updates” below.
When handling requests to exercise data privacy rights, we may take steps to verify your identity or the authority of an authorized agent you’ve appointed (more on that in a few). Where possible, we’ll try to accomplish that verification by referring only to Personal Data we already have on hand. If you live in California, you may be able to appoint an authorized agent to exercise your data privacy rights on your behalf (in which case we may take steps to verify your agent’s authorization to act on your behalf).
If you think we have done something wrong concerning your Personal Data, we hope that you will reach out to us as soon as possible so that we can resolve your concern. However, you are always free to file complaints concerning violations of this Privacy Statement or applicable law with appropriate government agencies. If you live in the European Union, this includes your local “supervisory authority” that is responsible for GDPR compliance.
Spiff and Communication / Updates
At Spiff, we strive to maintain productive communication with our current and prospective customers. You may manage your preferences by clicking on the “unsubscribe” link located on the bottom of our marketing emails. Please note that customers cannot opt out of receiving transactional emails related to usage of Spiff’s Services.
Spiff’s Privacy Officer is happy to help with questions or inquiries. You can direct those questions or inquiries to our attention at:
9815 S Monroe St, STE 500, Sandy, UT 84070, USA
privacy [at] spiff [dot] com
385-287-0603 Ext 823
This Privacy Statement is current as of March of 2021. Spiff reserves the right to update this Privacy Statement to reflect changes to our practices. We will provide notification of material changes here or directly to our Customers via email prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.