Privacy Policy
Platform Privacy Policy
We, Piano Software Inc., Philadelphia, US and affiliated companies belonging to Piano group (collectively, “Piano”, “we”, “us”, “our”, or “we”), formerly known as Piano Media, Press Plus and Tinypass and now incorporating Newzmate, Cxense and AT Internet are committed, as data processor, to partnering with customers and users to help them understand and comply with data protection regulations (GDPR, ePrivacy, CCPA, LGPD …).
Piano provides online products for digital activities, as well as potential additional services on behalf, and based on instructions of the data controller, owners, and publishers of digital platforms – websites, mobile applications, or any other connected platform (“Publishers”).
We collect, process and store personal data and other information through our products – Composer , Analytics , DMP , VX , ID and ESP (“Platform”), or when providing our service to Publishers (“Service”).Personal Data Management on the Platform
To provide the Platform and/or perform the Service, Piano collect, process and store data on behalf of the Publisher. The answers to the following questions allow us to explain how we manage personal data on the Platform.
What kind of personal data do we collect?
Raw ID-type information: for instance, the user-terminal ID (cookie or mobile ID), that is transformed in a hashed visitor ID, or the IP address, that can be anonymized, to perform geolocation for instance
All standard business information provided by the products of the Platform: for instance, navigation data (browser and device type, type of events or content, …), behavior information (sources, navigation path, time spent on contents, …), information related to registered or subscribed users (first name, last name, email, …)
Additional and specific information that the Publisher can collect: based on the technology used to collect data (see following “How do we collect personal data?”), the Publisher can measure, collect, and analyze any business relevant information for him via our Platform
Composer, Analytics, and DMP collect by default pseudonymized information, but directly identifiable information can be added by the Publisher. VX, ID and ESP services are working with directly identifiable information.
We therefore consider by default all data collected, processed, and stored via our Platform as personal data according to GDPR art. 4.1.
What do we do with personal data?
We process the collected data to provide the information requested by the Publisher on the Platform: audience measurement data, content orchestration, account management, subscription processes, …
What are we not doing with personal data?
As data processor, and respecting the terms of contracts and the data processing agreement (DPA) signed with the Publisher acting as data controller, we do not:
Sell personal data to anyone;
Monetize personal data by other means;
Claim ownership over personal data;
Barter personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Publishers to provide us with such data. If we become aware that a Publisher has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data as defined in article 9 of the GDPR.
How do we collect personal data?
Personal data is collected via so called tagging libraries (mainly JavaScript on the web and SDK for native application) implemented by the Publisher on its online platforms. See Cookies and Similar Technologies below for further details on complementary data collection methods.
When a user/data subject visit a Publisher platform, and according to the legal basis chosen by the Publisher (see Purpose of Processing and Legal Basis below), https requests are sent to Piano servers to perform the service requested by the Publisher.
How long do we store personal data?
Depending on the product of the Platform, or regarding specific legal obligation to perform (e.g., for payment with VX), the data retention period can be different and always agreed in the contract with the Publisher acting as data controller. Analytics, for instance, has a predefined data retention period of 25 months with the opportunity for the Publisher to customize it.
For all products, all data is deleted at the end of the contract relationship with the Publisher.
Where do we store personal data?
Depending on the product used by the Publisher, the data collected from the end-user can be stored in different places. Please see the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below, to see where the data is stored/hosted.
Do we share personal data?
We, by default, do not share any data to anyone without the Publisher prior approval.
We, however, may share personal data, with all the adequate technical and organizational measures to protect it, in the following cases:
Intragroup: Only if necessary and for specific purposes, we may share personal data within affiliated companies belonging to Piano group (see Sub-processors and Affiliates below). Our employees might have access to personal data on a strictly need-to-know basis typically governed and limited by function, role, and department of the particular employee. All affiliated companies belonging to Piano group concluded an intra-group data processing agreement (DPA) with EU Standard Contractual Clauses.
Service providers: We use sub-contractors who might process personal data for us and to support us in providing the Platform and Services requested by the Publisher (see Sub-processors and Affiliates below).
Legal disclosures: We may have to release personal data and other information we possess when necessary or appropriate to comply with the law; cooperate with law enforcement or national security requirements; respond to lawful requests; protect the rights of Piano or a Publisher, other Piano customers, and users, and third parties; or to enforce our terms of use. However, in doing so, we may:
Dispute demands for release to the extent we believe, in our sole discretion, are unwarranted, illegitimate, or overbroad.
Will notify Publishers of any requests unless we have some contradictory orders.
Piano never had to disclose any personal data for legal purposes so far.
Cookies and Similar Technologies
To provide the products of the Platform, Piano is using trackers, especially cookies on standard websites, or mobile IDs on native applications. Local storage, server-to-server request, clear gifs, pixel tags, web beacons or other similar technologies may also be used in some cases.
You can access some information about the trackers used on and across all products (Composer, VX, ID, ESP, DMP, Analytics) under to the following link:
Users can control the use of trackers on their devices via the following means:
Use the opt-out mechanism on the dedicated online platform provided by the Publisher
Use the device appropriate configuration (browser or cellphone Operating System – Apple or Android mainly – settings)
Our third-party partners may also use tracker, cookies, or similar technologies, to provide users advertising based upon user´s browsing activities and interests. Users can opt out of interest-based advertising click here , or if located in the EEA click here .
Purpose of Processing and Legal Basis
Publishers can use the Piano Platform and the associated Services for the following main purposes:
Understand the audience
Optimize content
Engage the audience
Monetize the online platform
Based on the main purposes observed in the digital marketing world, the following table synthesized for each purpose, what Piano product is by default aimed for, and what is the by default legal basis for seen on our side for this purpose:
| Purpose | Product | Legal Basis |
|---|---|---|
| Audience and Analytics | Analytics, DMP | Consent under GPDR or Exemption under ePrivacy |
| Content Personalization or Performance | Composer, ESP | Consent under GDPR |
| Advertising (personalized or not) | DMP | Consent under GDPR |
| “One to one relationship” (account management, subscription, newsletter, …) | VX, ID, ESP | Consent or Contract under GDPR |
IMPORTANT: as a data controller, the Publisher can decide to use one or several products of the Platform for other purposes that the one foreseen originally, as well as to choose whatever legal basis he interprets to be the best in his specific case.
Each Publisher signs a data processing agreement (DPA) with Piano to formalize these purposes and associated responsibilities.
International Data Transfers
Depending on the products of the Platform used by the Publisher, as well as the potential additional services requested by him, data may be transferred outside of original country where the data has been collected.
Please see the hosting option by product within the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below, as well as the ‘Do we share personal data?’ part of the Personal Data Management on the Platform above.
To meet with European requirements under the GDPR in terms of data transfers, Piano uses the following mechanisms:
EU Standard Contractual Clauses (SCC) through the data processing agreement (DPA) signed with the Publisher as well as with sub-processors;
Binding Corporate Rules (BCRs) approved for both controller and processors transfers;
Additional technical measures as encryption, pseudonymization or anonymization of the data.
To meet the guidelines of the PIPEDA in the applicable Canadian provincial legislation, Piano recognizes and has controls in place to ensure that the privacy of personal information about an “identifiable individual” used in the course of “commercial activity” is protected and managed in the appropriate way.
Check the adequacy decisions under the GDPR, as well as the data protection around the world here .
Data Subject’s Rights
The GDPR, as many privacy laws around the word, empower data subject rights on its personal data. Piano’s Platform enable Publishers to apply these rights to what is applicable regarding the data collected for their purposes (see Purpose of Processing and Legal Basis above).
The following table list all the main applicable rights regarding online data that and end-user can request to Publishers, and where Piano provide standard solutions to these Publishers.
| Data Subject Right | Product | Mean |
|---|---|---|
| Information | All | Via Publishers’ information (CMP, Privacy Policy, …) |
| Access | All | Via a request to the Publisher’s DPO |
| Rectification | DMP, VX, ID, ESP | Via a request to the Publisher’s DPO |
| Erasure | All | Via a request to the Publisher’s DPO |
| Portability | All | Via a request to the Publisher’s DPO |
| Object | All | Via opt-out mechanism provided by the Publisher |
Piano’s data protection team is able to support the process of applying a data subject right.
Please contact privacy@piano.io, or any other communication channel listed in Data Protection Officer and Point of Contact below, for any further information.
Data Breaches and Security Measures
Data Breaches
Piano maintains an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Piano and all Publishers, in the Master Service Agreement.
Security Measures
Piano security measures by pseudonymization and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Piano to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Piano maintains a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
For more information visit our Security documentation .
Sub-processors and Affiliates
Piano Sub-Processors
To support delivery of our Platform, we may engage and use data processors with access to certain Publisher’s Customer Data (“Sub-processor”).
The following table provides information about the identity, location, and role of core Sub-processors necessary to provide products of our platform:
* AWS is certified for following the CISPE code of conduct endorsed by the EDPB .
Piano may use the following Sub-processors to perform other services around the Platform:
| Entity name | Sub-processing activities | Entity (hosting) country | Products |
|---|---|---|---|
| Agent Infinity, Inc. | Global technical support team | Philippines | All |
| Alchemer | Survey Collection for Strategic Consulting | United States | Composer, VX, ID for Strategic Services clients only |
| Enreach Solutions Oy | Data segmentation provider | Finland | DMP |
| Google Inc. | Cloud Service Provider | United States | Composer, VX, ID |
| Google Ireland, Ltd. | Data backup storage | Ireland | DMP |
| MailChimp, Rocket Science Group | Cloud-based Email Notification Services | United States | VX |
| Mailgun Technologies, Inc | Cloud-based Email Notification Services | United States | ESP |
| Mode Analytics | Analytics Visualizations | United States | Composer, VX, ID |
| Salesforce.com France SAS | B2B Marketing automation (marketing & product communications to prospects and customers) | United States | Analytics |
| Zendesk, Inc. | Cloud-based Customer Support Services | United States (hosted in the EU) | Composer, VX, ID, ESP, DMP, Analytics |
Prior engaging any third-party Sub-processor, Piano performs diligence to evaluate their privacy, security, and confidentiality practices, and executes an agreement implementing its applicable obligations.
Piano Affiliates
Piano has offices located around the globe who, depending on the Service required by the Publisher, may process its data:
| Entity Name | Country (GDPR transfer mechanism) |
|---|---|
| Applied Technologies Internet GmbH | Germany (EU) |
| Applied Technologies Internet SAS | France (EU) |
| Newzmate Sp. z o.o. | Poland (EU) |
| Piano Japan Co. Ltd | Japan (Adequacy decision) |
| Piano Software B.V. | Netherlands (EU) |
| Piano Software GmbH | Germany (EU) |
| Piano Software Inc. | United States of America (BCR) |
| Piano Software LTD | United Kingdom (Adequacy decision) |
| Piano Software Norway NUF | Norway (EEA) |
| Piano Software s.r.o | Slovakia (EU) |
| PSIEZE Data Analytics S.R.L. | Argentina (Adequacy decision) |
| SocialFlow Inc. | United States of America |
Piano affiliates don’t have automatic access to all Platform data. The access of Platform data is managed and strictly limited to what is necessary. BCR details are available here.
Data Protection Officer and Point of Contact
For all questions related to our privacy policy and how Piano collects, processes and stores personal data, please feel free to contact the appointed Data Protection Officer (“DPO”):
Email: privacy@piano.io
Mail: Attn: Piano Software Group DPO
Štefánikova 14
Bratislava, 811 05
Slovakia (EU)
For specific request by legal authorities, courts, government agencies, or parties involved in litigation for customer data, disclosures should include the following information:
The requesting party;
The relevant criminal or civil matter;
A description of the specific Publisher’s data being requested, including the relevant Publisher’s name and relevant authorized user’s name (if applicable).
Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific customer data sought. All requests will be construed narrowly by Piano, so please do not submit unnecessarily broad requests.
Piano will notify the Publisher before disclosing any of its data so that the Publisher may seek protection from such disclosure unless Piano is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Publisher’s data.
Privacy Policy Change Log
This Platform Privacy Policy includes information previously incorporated in documents “Piano and GDPR” and “Privacy Policy” of Piano Group.
If you need information about previous wording of both documents, please visit following references:
Archive of Privacy Policies
Privacy Policy – Effective from Nov 1, 2020 - Apr 06, 2022
Privacy Policy – Effective from Jul 1, 2020 - Oct 31, 2020
Privacy Policy – Effective from Apr 1, 2019 - Jun 30, 2020
Privacy Policy – Effective from Feb 15, 2019 - Mar 01, 2019
Privacy Policy – Effective from Dec 01, 2018 - Feb 14, 2019
Privacy Policy – Effective from May 23, 2018 - Nov 30, 2018
Archive of "Piano and GDPR"
GDPR – Effective from Jan 29, 2021
GDPR – Effective from Dec 1, 2020
GDPR – Effective from Jun 24, 2020
GDPR – Effective from Apr 01, 2019
GDPR – Effective from Feb 15, 2019
GDPR – Effective from May 23, 2018
Online Tracking Policy
This Online Tracking Policy:
explains how Piano Software Inc., Philadelphia, US and affiliated companies belonging to Piano group (collectively, “Piano”, “us”, “our”, or “we”) use cookies, pixels and similar tracking tools at Piano when using and operating our websites, social media profiles, applications, when we send out direct marketing communication or newsletters or generally when we communicate with our online audience;
mainly concerns websites related to the domain www.piano.io but also any other websites, channels, profiles or online tracking tools operated by us;
supplements and applies jointly with the Corporate Privacy Policy;
does not apply to provisions of our services (please see or Platform Privacy Policy) where we act as data processors for our clients and/or customers.
1. Us, our DPO and our contact details
The primary controller is Piano Software, Inc., located at 111 S Independence Mall East, Suite 950, Philadelphia, PA 19106, US as the main Piano group entity. Piano group entity consists of other subsidiaries and affiliates listed in our Corporate or Platform Privacy Policy that operate their own websites or undertake their own online tracking. Generally, Piano group entities act as joint controllers when doing so (details can be found in our Binding Corporate Rules – Controller purposes). Therefore, this Online Tracking Policy covers any online tracking undertaken by any Piano group entity. Our group-wide DPO can be provided by email at: privacy@piano.io or by post at 111 S Independence Mall, Philadelphia, PA 19106, US. .
What types of online tracking tools do we use?
Generally, we distinguish between online tracking tools that are necessary for provision of the information society service that the user requested (such as our websites, online profiles, newsletters) and those online tracking tools that are not necessary for provision of such service. Those necessary tools might be understood as “necessary or functional tools” and those other tools might be understood as “analytical or advertisement tools”.
We do not apply this Online Tracking Policy just to cookies but to any technology that might fall under Article 5 (3) of the ePrivacy Directive. EDPB explains in its Guidelines 2/2023 that such regulation might cover: URL and pixel tracking; local processing; tracking based on IP only; intermittent and mediated Internet of Things (IoT) reporting; using unique identifiers.
In accordance with Article 5 (3) of the ePrivacy Directive, we rely on prior consent when using analytical or advertisement tools, unless the local law allow an exemption from this rule. You have the right to withdraw your consent at any time. With the necessary or functional tools, we do not rely on consent and generally rely on contract performance or our legitimate interests when processing your personal data.
What are our purposes of processing and legal bases?
We use online tracking use for the following purposes and based on the following legal grounds:
| Purpose of processing | Online tracking tool | Legal basis |
|---|---|---|
| Provision of the information society service | Necessary or functional tools | Legitimate interest |
| Direct marketing and PR purposes | Analytical or advertisement tools | Consent or legitimate interest |
The above purposes can be described in more detail as follows:
| Purpose of the processing | Detailed description of the purpose |
|---|---|
| Provision of the information society service | Optimal functioning of the website. Includes processing necessary and functional cookies and other tools used for basic functions of our websites, such as loading the next page, staying logged in, remembering selected language settings or configuration of active third-party plug-ins. Website Security. We use cookies and tools which contribute to the protection against bots and to activate the protection of websites against DoS / DDoS cyber-attacks. For example, Cloudflare is used to read and filter robot requests. Basic website traffic measurement. We obtain and evaluate basic statistics about the use of our websites, without the possibility of sharing them with a third party and using them for marketing analytics purposes. According to CNIL, such limited / basic traffic website measurement does not require opt-in consent. Communication. If you leave feedback or fill-out form on our websites to contact you, we regard this as a pre-contractual communication via our website or profiles that allow us to contact you either on the contract performance or legitimate interest basis. |
| Direct marketing & PR purposes | Personalized advertising. Third-party tools (such as LinkedIn cookies, pixels, and SDKs) are used for targeting our advertising campaigns and displaying ads on social networks or other platforms. Audience measurement. We use analytics tools (such as Commanders Act, 6sense, LinkedIn, Salesforce Account Engagement, Google, Piano Analytics) to better understand and interpret customer data, the way they use our services and websites, or measure success of our advertising campaigns and then use them to target advertising. As part of this, customers may also be segmented into different demographic groups to which their ad campaigns are tailored. Direct marketing communication (newsletter). Sending out direct marketing communication generally requires consent. However, some local laws allow direct marketing communication without the consent of the existing customers. You can always opt-out from newsletter using a link in a footnote or by contacting us. Raising awareness in an online environment. We operate a number of social media profiles to raise awareness about us in an online environment. If you interact with us using these profiles, we use online tracking tools including cookies of platform providers to communicate, respond or otherwise interact with you. Consent settings. We use cookies and tools that remember your consent preference settings. |
We rely on following legitimate interests:
Optimal functioning of the website;
Website security;
Basic website traffic measurement;
Communication based on filled out contact forms;
Direct marketing communication (newsletter) (where the consent is not required);
Raising awareness in an online environment;
Consent settings.
Which specific cookies do we use?
On this specific website (www.piano.io), we use the following cookies:
| Cookie name | Expiry | Transfer to 3rd country |
|---|---|---|
| Purpose of processing: Provision of the information society service Type of cookies: Necessary or functional | ||
| _ablocker | 1 day | Unknown |
| _cfduid | session | Unknown |
| cookie_test | 1 day | YES - Ecuador |
| CookieConsent | 1 year | YES - USA |
| JSESSIONID | session | Unknown or n/a |
| tc_test_cookie | session | YES - USA |
| TCPID | 1 year | YES - USA |
| visitor_id#-hash | 1 year | YES - USA |
| _cf_bm | 1 year | YES - USA |
| pa_privacy | 13 months | YES - USA |
| Purpose of processing: Statistic cookies | ||
| _ls_sit | persistent | YES - Ecuador |
| _acid | 13 months | YES - USA |
| _pcx | 13 months | YES - Ecuador, USA |
| pa_user | session | YES - USA |
| uuid | 2 years | YES - UK |
| Purpose of processing: Direct marketing & PR purposes | ||
| Type of cookies: Analytical or advertisement or statistics (marketing cookies) | ||
| _pat | 30 days | n/a |
| pvi | 1 day | n/a |
| tbc | 2 years | n/a |
| cX_aft | persistent | YES - Ecuador |
| cX_lastP1Time | persistent | YES - Ecuador |
| cX_lst | persistent | YES - Ecuador |
| cX_s | session | YES - Ecuador |
| gd_session | 1 day | YES - Ireland |
| gd_visitor | 2 years | YES - Ireland |
| 6suuid | 400 days | n/a |
| cX_G | 13 months | YES - Ecuador |
| cX_P | 13 months | YES - Ecuador |
| gckp | 1 year | YES - USA |
| pardot | session | YES - USA |
| Rep/rep.gif | session | No |
| v1/beacon/img.gif | session | YES - Ireland |
| visitor_id# | 1 year | YES - USA |
| xbc | 2 years | n/a |
| Type of cookies: Unclassified cookies | ||
| _ppabc | 3 months | n/a |
| to_gaAccount | persistent | n/a |
| _fcus | 13 months | n/a |
| FDLBCLTY | session | YES - USA |
| STXXXKEY_language | 1 year | n/a |
What online tracking tools and vendors we use?
We use the following online tracking tools and vendors.
| Online tracking tool | Use | Vendors | Vendor's privacy policy |
|---|---|---|---|
| 6sense – Account based marketing platform which allows us to analyze anonymous buying behavior and engage with new accounts as they visit our websites. | Audience measurement | 6Sense Insights, Inc. 450 Mission Street, Suite 201, San Francisco, CA, 94105 | Privacy policy |
| Facebook Pixel - Allows better segmentation of the audience in order to personalize the editorial content and provide ads tailored to the audience on the Facebook social network. | Audience measurement & personalized advertising | Meta Platforms, Inc. 1601 Willow Rd Menlo Park, CA 94025 | Privacy policy |
| Fjord Technologies (Commanders Act) - Consent and Tag Management Platform | Consent settings | Commanders Act 3 Rue Taylor, 75010 Paris | Privacy policy |
| LinkedIn Insight Tag - Allows for better audience segmentation to personalize editorial content and provide audience-specific ads on the LinkedIn social network. | Audience measurement & personalized advertising | LinkedIn Corporation 1000 W Maude Ave Sunnyvale, CA 94085 | Privacy policy |
| Salesforce.com France SAS (Account Engagement) – Allows us to automate marketing tasks such as sending emailing, publishing content, displaying forms, identifying and managing prospects etc. (Marketing automation) | Audience measurement & personalized advertising | Salesforce.com France SAS 3 Avenue Octave Gréard - 75007 Paris | Privacy policy |
| Piano Analytics - Allows better segmentation of the audience in order to personalize the content and provide relevant information to the audience | Audience measurement | Piano Software, Inc. 111 S Independence Mall East, Suite 950 Philadelphia, PA 19106 | Privacy policy |
| Google Ads - Enables us to display our ads on third-party sites viewed by visitors who have already visited our website | Personalized advertising | Google LLC 1600 Amphitheatre Pkwy Mountain View, CA 94043 | Privacy policy |
Please read privacy policies of our vendors carefully. Our vendors provide services to as processors, however, some like Google, Meta/Facebook and Microsoft also declare controllership over your personal data. These vendors via their cookies or other online tracking tools, will collect and use your browsing data for their own purposes, in accordance with their privacy policy.
How to manage your consent?
Through the interaction with the "Manage cookies" or “Privacy Center” on our websites, you can change your consent preferences with online tracking tools at any time. By default, your consent preferences are turned off, i.e. your consent is not automatically granted or ticked. Only by changing this default settings, you grant us valid consent. If you allow cookies or grant us cookie-related consent anywhere on our website, these consents are granted for direct marketing & PR purposes, as explained above including Personalized advertising & Audience measurement.
The setting changes take effect immediately. You can also revoke your consent by making a request sent to privacy@piano.io, but this process is not immediate and automatic. We therefore recommend that you change the settings directly on the website as described above.
Change your consent preferences
How to prevent cookies from being stored on your device?
If you do not give your consent through our cookie pop-up (in terms of applicable types of cookies), these cookies will not be stored on your device. Disabled analytics and advertisement cookies have no impact on the functionality of the website. You can delete all types of cookies at any time through the settings of your internet browser, but if you delete even the necessary cookies, some settings and functions of our website may not work optimally.
In relation to specific analytics and advertisement cookies of third parties, it is also possible to use the so-called opt-out mechanisms by which you prevent the use of specific third-party cookies not only in relation to our website, but in general to the use of any other websites, or in relation to specific social networks that you use and have set up your own user account.
Google and many other third parties involved in displaying personalized behavioral advertising on the Internet
If you do not want to display personalized ads, you can use the initiative www.youronlinechoices.com. By controlling preferences, you can disable multiple cookies to display these ads in relation to the participating companies that use cookies. Turning them off does not mean that your ad will no longer be shown to you but will not be based on your behavior.
Facebook (Meta)
If you have your own Facebook account, you can also use the cookie management controls integrated directly into this social network, which are available here: https://www.facebook.com/settings/cookie
At the same time, through the settings of your internet browser, it is possible to delete those cookies that are stored in your browser. Follow the information below, depending on which browser you're using:
If you want to increase your protection against unauthorized monitoring of your device and behavior on the Internet through cookies (especially third parties), use the "Do Not Track" function (or Blocking third party cookies), which you can turn on according to the type of browser used according to the following instructions:
Do we transfer your data to third countries outside the EU / EEA?
Yes, but only to the minimal extent necessary for operation of our business or provision of services. Some of our suppliers, which we use when using cookies, have their registered office or their other group companies are established in the United States of America, which is generally considered to be a third country which does not guarantee an adequate level of the personal data protection. In many cases, the data may not physically leave servers located in the EU, but processing due to the supplier's location may be subject to the law of a third country. We therefore carry out these cross-border transfers only in strict accordance with the law (in particular the GDPR) and local data protection legislation and only if, in our conclusions and findings, sufficient risk mitigation measures and safeguards are taken for the protection of fundamental rights and freedoms of the data subjects, as required by the Court of Justice in Case C-311/18 (Schrems II).
With external vendors, we generally prefer to rely on the EU standard contractual clauses (the “EU SCC”) or vendor’s BCRs instead of EU-US Data Privacy Framework. Before the EU-US Data Privacy Framework, EU SCC were concluded practically with all our US-based sub-contractors or recipients (such as Google, Meta/Facebook, Amazon or Microsoft). Currently, many of these US-based vendors are on the “Data Privacy Framework List” with active certifications but with EU SCC still validly concluded with us. We refer to these concluded and valid EU SCC below.
We can also transfer personal data to our processors operating from Canada based on European Commission´s adequacy decision and we also rely on the European Commission's decision on adequacy in relation to Japan and Commission´s decision on adequacy in relation to UK
| Supplier / Third-Party | Appropriate safeguards and supplementary measures for cross-border transfers to third countries |
|---|---|
| Google LLC, with registered seat 1600 Amphitheatre Pkwy Mountain View, CA 94043, US (Google Ads - Personalized advertising) | Google's Privacy Policy Data Privacy Framework New type of standard contractual clauses approved by the relevant decision of the European Commission (module 1 and module 2) and appropriate additional measures with further explanation of the settings. |
| Meta Platforms, Inc., with registered seat 1601 Willow Rd Menlo Park, CA 94025, US (Audience measurement & personalized advertising) | Facebook's Privacy Policy Data Privacy Framework - EU SCC – available here |
| LinkedIn Corporation with registered seat 1000 W Maude Ave Sunnyvale, CA 94085, US (Audience measurement & personalized advertising) | LinkedIn's Privacy Policy Data Privacy Framework A new type of standard contractual clauses approved by the relevant European Commission decision is used (module 2), which also describes the additional measures taken. |
| 6Sense Insights, Inc., with registered seat 450 Mission Street, Suite 201, San Francisco, CA, 94105, US (Audience measurement) | Privacy Policy | 6sense Data Privacy Framework |
| Commanders Act, with registered seat 3 Rue Taylor, 75010 Paris (Consent settings) | Commanders Act's Privacy policy A new type of standard contractual clauses approved by the relevant European Commission |
| Salesforce.com France SAS with registered seat 3 Avenue Octave Gréard - 75007 Paris (Audience measurement & personalized advertising) | Salesforce.com's Privacy Policy Data Privacy Framework EU SCC – available here: data-processing-addendum.pdf |
| Piano Software, Inc. with registered seat 111 S Independence Mall East, Suite 950 Philadelphia, PA 19106, US (Audience measurement) | Piano Software, Inc.'s Privacy Policy A new type of standard contractual clauses approved by the relevant European Commission decision is used (module 2), which also describes the additional measures taken. |
| Microsoft Corporation, with registered seat Redmond Washington 98052-6399, US (Audience measurement) | Microsoft's Privacy Policy Approved adequacy mechanism - self-certification EU SCC – available here: https://docs.microsoft.com/en-us/microsoft-365/compliance/offerings-eu-model-clauses?view=o365-worldwide |
Is the use of online tracking tools contractual or legal requirement?
Use of online tracking tool is not a legal requirement. However, the use of necessary and functional tracking tools can be considered necessary for the provision of the information society services (for example this website) applicable to you during your visit and usage of our website. If we did not use such tools this would have certain negative effects on your experience and the proper working of website functionalities and third-party add-ons or plug-ins integrated to our website. Basic website functionalities will always work but as a consequence may be worse or sub-optimal as a result of the configuration of settings stemmed from your cookie preferences and choices made. In the case of analytics or advertisement tracking tools, their provision is exclusively voluntary and is governed by the granting or non-granting of your consent. Failure to give this consent has no negative consequences for you.
Do we use online tracking tools in relation to our social media profiles?
Yes. Please read relevant privacy policies to better understand processing of your personal data by providers of social media platforms. We only have standard admin control over the personal data processed by us via our own company profile. We assume that by using these social media platforms, you understand that your personal data might be processed for other purposes and that your personal data might by transferred to other third countries and third parties by providers of social media platforms.
Meta / Facebook
In connection with the processing of statistical data on the use of our Facebook profile, we have the status of a joint controller with Meta Platforms, Inc., while basic information on the agreement of joint controllers pursuant Art. 26 (1) and (2) can be found here: https://www.facebook.com/legal/terms/page_controller_addendum
Our social media add-ons are integrated on our website. You will recognize them by the Meta logo on the website. When you visit our website, Meta receives information that you have visited our website with your IP address. If you click on the Meta icon available on our website while you are signed in and / or registered to your Meta account, the content of the website is redirected to your Meta profile. Consequently, Meta may associate your visit to your website with your user account. Data is transferred regardless of whether you have a Meta account or not. Please note that when using our website, we have no influence on the data collected and the data processing processes, and we also do not know the overall scope of the data being collected, the purpose of the processing or the data processing of such data. Meta stores your information about you as user profiles and uses it for your own advertising, market research, and / or customizing services and tools to registered users. Such evaluation is performed in order to inform other Meta users of your activities on our website. You are entitled to object against the creation of such user profiles, and you must contact Meta to lodge an objection against that processing. We always recommend you sign out of your Meta account, especially to avoid associating your online activity with your profile. For more information about the purpose and scope of your data discovery and processing by Meta, please visit the Meta Privacy Statement at: https://www.facebook.com/policy.php
We would also like to inform you that we can use the services provided by Facebook Ireland Limited, which are labelled as “data file custom audiences” – the management of the audience for advertising campaigns, and may combine the data we process with personal data processed in Facebook and “measurement and analytics”, in which Facebook processes personal data on our behalf to measure the performance and reach of our advertising campaigns and provide us with user reports that have seen and responded to our advertising content. Therefore, this processing of your personal data may occur if you interact with our advertising content or our websites as you use your Facebook-based user profile. In such cases, we use Facebook as the processor, using the following legal safeguards to process your personal data: https://www.facebook.com/legal/terms/businesstools, https://www.facebook.com/legal/terms/dataprocessing.
If the above-described processing of personal data interferes with you, you can object to it or you can also use the available self-regulatory tools developed for the online marketing sector, available here: http://www.aboutads.info/choices or www.youronlinechoices.eu. These online tools allow you to automatically identify and delete third-party digital identifiers (including those from Facebook) in your browser, thereby preventing your personal data from being processed.
Our website also has an integrated plug-in of the LinkedIn social network, which is operated by LinkedIn Company, Inc., 1000 W Maude Sunnyvale, CA 94085, USA. Vestberry has no influence on the processing of your personal data by LinkedIn as controller of this social network nor control except common administration of our profile available here: https://www.linkedin.com/company/piano-io. For more information on the processing of your personal data, you can use the link: https://www.linkedin.com/legal/privacy-policy
We can use LinkedIn also as our processor during support the sales, recruiting, marketing, educational or other business practices aimed on increasing awareness of Piano Software in online environment towards relevant professional audience based on this Data Processing Addendum: https://www.linkedin.com/legal/l/dpa
X Corp./Twitter
Our website also has an integrated plug-in of the platform “X” (formerly known as Twitter) - social network, which is operated by X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103 U.S.A. Piano has no influence on the processing of your personal data by X as controller of this social network nor control except common administration of our profile available here: https://twitter.com/piano_io. For more information on the processing of your personal data, you can use the link: https://twitter.com/privacy.
What rights do you have?
You have the right to withdraw your consent at any time and the withdrawal of the consent does not affect the lawfulness of the consent processing prior to its withdrawal.
You also have a right to object to any direct marketing processing of your personal data including profiling. You have right to object to any processing that is based on legitimate interest including to profiling based on such legitimate interest pursuant to the Article 21 GDPR.
In case of exercising the right, we will gladly demonstrate to you how we have evaluated these legitimate interests as compelling over the rights and freedoms of data subjects.
The GDPR lays down general conditions for the exercise of your individual rights. However, their existence does not automatically mean that they will be accepted by us because in a particular case exception may apply. Some rights are linked to specific conditions that do not have to be met in every case. Your request for an enforcing specific right will always be dealt with and examined in terms of legal regulations and applicable exemptions. Among others, you have:
Right to request access to your personal data according to Article 15 of the GDPR. This right includes the right to confirm whether we process personal data about you, the right to access to personal data and the right to obtain a copy of the personal data we process about you if it is technically feasible.
Right to rectification according to Article 16 of the GDPR, if we process incomplete or inaccurate personal data about you.
Right to erasure of personal data according to Article of the 17 GDPR, if one of the conditions for erasure is fulfilled and no exception applies.
Right to restriction of processing according to Article 18 GDPR, if one of the conditions for restriction is fulfilled.
The right to data portability according to Article 20 of the GDPR, if the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) GDPR. Your California Privacy Rights: California residents under 18 years old, in certain circumstances, may request and obtain removal of personal information or content that they have posted on our website. Please be mindful that this would not ensure complete removal of the content posted by you on our website. To make any request pursuant to California privacy law, please contact us using the information provided below. You have a right to lodge a complaint related to personal data to the relevant data protection supervisory authority or apply for judicial remedy. Please note that our competent (leading) data protection authority is the Office for Protection of Personal Data of the Slovak Republic. In any case we advise to primarily consult us with your questions or requests.
Changes to this Online Tracking Policy
We may change this online tracking policy on time to time by posting the most current privacy policy and its effective date on our website. In case we change this cookie policy substantially, we may bring such changes to your attention by explicit notice, on our websites or by email.
April 2024
Piano Software, Inc.
