Solutions by Text, LLC Privacy Policy
Updated December 11, 2022
This amended Privacy Policy replaces the Solutions by Text, LLC (“SBT”) Privacy Policy in effect before December 11, 2022. By beginning or continuing to use SBT’s products and services, Customer consents to be bound by this Privacy Policy.
A. User Privacy
A.1. Incorporation and Conflict. All defined terms within the Agreement with Partner, if any, apply to this Privacy Policy. This Privacy Policy further applies to any Customers, Clients, Users, and/or Data Subjects, as those terms are defined herein. If anything within this Privacy Policy conflicts with the Agreement, this Privacy Policy will govern.
A.2. Privacy Policy Overview. At SBT, we are committed to protecting privacy rights. SBT wants any natural person who has or will enter into an agreement with SBT, visits our websites (“Sites”), or utilizes our API, UI, applications, widgets, sites, advertising services, products, or technologies (collectively “Web Services”) or otherwise interacts or communicates with SBT (collectively “Users”) to access safe content and feel comfortable utilizing SBT’s Web Services. The purpose of this Privacy Policy is to fully disclose and share the following information with our Users:
(a) how we gather information about our Users;
(b) how we use the information gathered about our Users;
(c) protection of database information;
(d) process for reviewing/changing information;
(e) limits on SBT’s abilities;
(f) procedure for initiating a complaint; and
(g) use of customer data.
A.3. How We Gather Information About Our Users. When a User enters information onto SBT’s website or creates or provides information to create or edit an existing account with SBT, the registration or amendment process will collect and store company names, designated contact names, designated signatories, addresses, phone numbers, service providers, email addresses, referral sources, software types and information, and other third-party service providers, and information about the company’s demographics. The registration process for group administrators will collect their names, group names, addresses, phone numbers, service providers, email addresses, and information regarding the type, location, and demographics of the group, and any other information SBT considers necessary to set up, maintain, or create an account with SBT (“Personal Information”).
When a User visits the SBT website, our servers may use technology to track the behavior patterns or visitors to our site by collecting the number of visits, average time spent, specific page views, the name of the domain used to access the Internet, the website the User came from, and the website User subsequently visits. SBT also uses “cookies” which allows data to be stored on the User’s web browser. These cookies have a finite lifetime, and a User can modify its web browser settings to limit the storage of and permissible use of cookies.
A.4. How We Use the Information Gathered About Our Users.
(a) our Users’ Personal Information will not be used or disclosed for purposes other than those set out in this Privacy Policy or the Agreement;
(b) SBT will not sell or rent Personal Information provided to SBT by Users. We review and process the User’s Personal Information to keep track of the Users’ specific utilization of SBT Services, to statistically analyze site usage, improve our content and product offerings, and customize our site’s content and layout. SBT collects this information to improve our site and better tailor it to meet our Users’ needs. We use information in the file we maintain about our Users, and other information we obtain from our Users’ current and past activities on our website, to resolve disputes, troubleshoot problems, enforce or perform any obligations under the Agreement, or in response to a request from User. SBT may use any User contact information including, but not limited to, email addresses, landline numbers, business numbers, wireless numbers, and/or physical addresses that Users provide to SBT to communicate from time to time regarding administrative notices, account information, updates and upgrades to SBT, and other SBT products that become available. In addition, we must comply with court orders, information requests from government agencies and regulators, and other legal and regulatory processes that may require the disclosure of our Users’ Personal Information.
(c) Wireless numbers will not be shared or sold to third parties, affiliates, or any other business outside of SBT, unless permitted hereunder, permitted by Users, or required by law. Any information collected as part of a communication campaign opt-in process, or by any other method SBT collects information, will not be shared or sold to third-parties outside of SBT unless required to do so by law or when permissible under this Section. Wireless numbers will not be shared or sold for marketing purposes.
(d) If SBT or all SBT’s assets are acquired, either by merger, acquisition, or sale, SBT may transfer our Users’ Personal Information to purchasers, Customers, or acquirers. Otherwise, we will not share Personal Information with any third-party except to our service providers as required to provide SBT Services to User, required to do so by law, or when otherwise described or permissible under this Section or the Agreement.
A.5. Protection of Database Information. Any information sent by User to SBT in order to conduct the SBT Services, including information sent for text messaging and/or storage purposes, will remain the property of the User. This information will be held securely by SBT in accordance with this Privacy Policy, the Agreement, SBT’s internal processes and rules, and all applicable law. SBT will take reasonable measures to protect our Users’ Personal Information with security safeguards appropriate by using technological measures (e.g., firewalls, passwords, encryption) and by enforcing SBT’s stringent internal data and information security policies. SBT will not collect or redistribute any information without our Users’ consent, except when required to do so by law or when permissible under this Privacy Policy or the Agreement.
A.6. Process of Reviewing/Changing Information. If a User, at any time, would like to change any information that SBT has, the User can contact SBT by telephone, email, or the User can access its online account, if applicable, and review and/or change any relevant information.
A.7. Limits on SBT’s Abilities. Our Users’ privacy is incredibly important to us. Due to the existing legal and technical environment, we cannot ensure that Personal Information will not be disclosed to third-parties in instances not defined in this Privacy Policy when SBT, in its sole discretion, believes it to be necessary or appropriate to disclose this information pursuant to the Agreement, as required by law, or for any reason necessary for SBT to fulfill any obligation to the User or a third-party. Additionally, SBT can, and by using or continuing to use SBT’s Services, Users authorize us to, disclose any Personal Information to private entities and law enforcement or other governmental entities if SBT, in its sole discretion, believes it necessary or appropriate to address or resolve Users’ inquiries or issues, or when required to do so by law or court order.
A.8. Procedure for Initiating a Complaint. If a User has any complaints relating to any aspect of SBT’s Services in conjunction with this Privacy Policy or would like to confirm or specify the limitations on sharing its Personal Information, please contact SBT and clearly state the nature of the complaint or request. SBT will acknowledge your complaint or request within five (5) business days. The User issuing the complaint or request will be assigned an SBT contact name that will be responsible for keeping the User informed of the progress of the complaint.
SBT reserves the right to change this Privacy Policy from time to time at its discretion. Users will be notified of any changes in writing, the changes will be posted herein and will be effective thirty (30) days after notice of the changes. The User’s continued use of SBT Services after notice of changes to this Privacy Policy constitutes acceptance of all changes, unless otherwise agreed by the Parties. This Privacy Policy is subject to any applicable privacy laws. If you have further questions about our Privacy Policy or anything contained therein, please contact SBT at:
Solutions by Text, LLC
5001 Spring Valley Road, Suite 1000E
Dallas, Texas 75244
(800) 979-1212
[email protected]
A.9. SBT’s Privacy Representations. SBT represents that, in the course of providing any information that is directly from SBT, authored by SBT, and/or sent to SBT Users, that SBT will not:
(a) send information electronically that SBT knows contains falsified sender domain names, IP addresses, and company information;
(b) send information that SBT knows has confidential, misleading, deceptive, or inaccurate whether in a subject line or within the content itself;
(b) send information routed through servers that SBT does not have express authority to use;
(c) prevent Users from opting out of receiving such communications, and will process any opt out requests in a diligent manner; and
(d) send proprietary, confidential, or any type of information that SBT does not have the right to send.
THIS SECTION DOES NOT APPLY TO INFORMATION THAT SBT SENDS IN THE COURSE OF PROVIDING SBT SERVICES ON BEHALF OF CUSTOMERS. CUSTOMERS HAVE AND RETAIN ALL RESPONSBILITY FOR ALL CONTENT OF CUSTOMER MESSAGES SENT TO USERS.
B. California Privacy Addendum
B.1. California Consumer Privacy Act. The California Consumer Privacy Act of 2018, California Civil Code Sec. 1798.100 et seq., (“CCPA”) gives California residents the right to know what information is collected about them and the right to access and delete that information within certain limitations. They also have the right to tell companies not to sell personal information about them. SBT does not sell any personal information. Consumers may not be discriminated against for invoking these rights. SBT is aware of and complies with all rights and obligations of the CCPA and other relevant law.
B.2. Personal Information. SBT describes certain specific pieces of Personal Information we collect and how we use them in our Privacy Policy. The data we collect will, of course, depend on the User’s interactions with us as well as the products and services it purchases. The CCPA requires us to tell Users about the categories of Personal Information we collect about a User. SBT collects Personal Information as that term is defined within its Privacy Policy. We use the Personal Information we collect consistent with the relevant business and commercial purposes as they are defined under the CCPA. Service providers we use to provide SBT Services on our behalf may also use information for the same purposes. “Business and commercial purposes” includes providing services to Users, communicating with Users and providing customer service, User experiences, improving our services, providing marketing and advertising, debugging, auditing our processes and services, short-term transient uses, research, security, fraud, and legal compliance purposes.
B.3. Right to Access. California Users have the right to request access to the specific pieces and categories of User Personal Information we have collected for the preceding twelve (12) months, and such requests are limited to one (1) request per calendar year. SBT’s Privacy Policy defines the categories of sources we collect personal information from, the business or commercial purposes for collecting personal information, and the categories of third parties we share personal information with.
B.4. Right to Delete. Requests for SBT to delete User Personal Information are subject to exemptions under the CCPA. We will retain certain information required for security, legal, or other business or commercial purposes in accordance with SBT’s Data Retention policy and securely delete Personal Information at the end of the retention period in conjunction with SBT’s Data Destruction policy. All Personal Information that SBT collects and retains is used to provide the SBT Services and for related purposes as described in our Privacy Policy.
B.5. User Right to “Do Not Sell.” The CCPA gives California residents the right to say no to the sale of Personal Information.
SBT does not sell User Personal Information, as that term is defined based on our understanding of the CCPA and its implementing regulations, except when required by law or otherwise permissible under the Agreement. We also do not provide Personal Information to third parties for monetary or other valuable consideration. We share certain information with third parties doing work on our behalf for business purposes described herein.
B.6. Discrimination. If a User exercises any of the rights described herein, SBT will not discriminate against the User by denying SBT Services, charging different prices or rates for SBT Services, or altering the quality of the SBT Services provided.
B.7. Where to Exercise Rights. If a User or an authorized agent would like to exercise rights under this Privacy Policy, the User may contact SBT at the contact information identified in Section A.8. SBT will verify the User’s identity before fulfilling any requests.
B.8. Do Not Track Notice. SBT does not track its Users over time and across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. However, some third-party sites do keep track of a user’s browsing activities when they provide content. Most web browsers allow a user to set the DNT signal on your browser so that third parties know you do not want to be tracked.
C. Nevada and Vermont Privacy Addendum
C.1. Nevada Privacy Rights. Nevada law allows Users to opt out of the sale of Personal Information by online service providers such as website operators. Nevada law defines “sale” as the exchange of certain personally identifiable information for money, where the recipient also intends to sell that information. Personal identifiable information includes name, address, phone number, Social Security number, or any identifier that can be used to contact a consumer electronically. To submit a written request for SBT refrain from selling any personal information collected, please email [email protected].
C.2. Vermont Privacy Rights. Vermont’s current law requires data brokers, defined as businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship, to register annually with the Secretary of State. SBT does not consider itself to fall under the definition of a “data broker.” SBT’s data collection procedures are identified within its Privacy Policy. SBT has implemented and maintains a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
D. General Data Protection Regulation Addendum
The General Data Protection Regulation (“GDPR”) is a collection of guidelines that creates a legal framework for the collection and processing of personal information belonging to individuals who live in countries within the European Economic Area (EEA) including, but not limited to, member states of the European Union (EU), Norway, Iceland, Liechtenstein, and the United Kingdom.
D.1. Applicability. This GDPR Addendum shall apply only to the extent Customer distributes Messages to Subscribers within the areas references above or any territories for which the GDPR applies.
D.2. Parties’ Roles. Customer is the original custodian (“Controller”) of the Customer’s Clients’ Personal Information (“Customer Data”), and Customer appoints SBT (“Processor”) to process Customer Data on the Customer’s behalf. In some circumstances, Customer may be a Processor, in which case Customer appoints SBT as the sub-processor of Customer Data, which shall not change the obligations of either Customer or SBT under this GDPR Addendum, as SBT will remain a Processor with respect to the Customer in such event.
D.3. Instructions. If SBT believes that Customer’s Instructions infringe European Data Protection Laws (where applicable), SBT will inform Customer without delay. For purposes of this Section D, “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the Processor or its authorized Sub-Processor to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deleting, making available).
D.4. Purpose Limitation. SBT shall process Customer Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented Instructions of Customer, except where otherwise required by applicable law. The Agreement and this GDPR Addendum set out Customer’s complete Instructions to SBT in relation to the processing of Customer Data on behalf of Customer’s Clients and end users (“Data Subjects”) and any processing required outside of the scope of these Instructions (inclusive of the rights and obligations set forth under the Agreement) will require prior written agreement of the parties.
D.5. Training. SBT shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the processing, protection and confidentiality of Customer Data.
D.6. Compliance. Customer, as Controller, shall be responsible for ensuring that, in connection with Customer Data and the SBT Services, it has complied, and will continue to comply with all applicable laws relating to privacy and data protection and it has, and will continue to have, the right to transfer, or provide access to, the Personal Information to SBT for processing in accordance with the Agreement, including this Addendum.
D.7. Security. SBT shall implement appropriate technical and organizational measures designed to protect the Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a “Security Incident”) and in accordance with SBT’s security standards set forth in the Agreement.
D.8. Confidentiality or Processing. SBT shall ensure that any person or entity that it authorizes to process the Customer Data (including its staff, agents, and subcontractors) shall be subject to a duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
D.9. Security Incidents. Upon becoming aware of a Security Incident, SBT shall notify Customer without undue delay and pursuant to the Agreement, but within no more than seventy-two (72) hours and shall provide such timely information as Customer may reasonably require to enable Customer to fulfil any data breach reporting obligations under EU Data Protection Legislation. SBT will take steps to immediately identify and remediate the cause of such Security Incident.
D.10. Sub-Processors. Customer agrees that SBT may engage SBT affiliates and third-party sub-processors (collectively “Sub-Processors”) to process the Customer Data on SBT’s behalf. The Sub-Processors currently engaged by SBT and authorized by Customer are listed on SBT’s Vendor List. The List shall include a mechanism for Customer to subscribe to notifications of any new Sub-Processors or changes to the Sub-Processor List. SBT shall impose on such Sub-Processors data protection terms that protect the Customer Data to the same standard provided for by this GDPR Addendum and shall remain liable for any breach of GDPR Addendum caused by a Sub-Processor engaged by SBT.
D.11. Changes to Sub-Processors. SBT may, by giving no less than thirty (30) days’ notice to Customer, add or make changes to the Sub-Processors. Customer may object to the appointment of an additional Sub-Processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Customer Data, in which case SBT shall have the right to cure the objection through one of the following options (to be selected at SBT’s sole discretion): (a) SBT will cancel its plans to use the Sub-Processor with regard to Customer Data or will offer an alternative to provide the SBT Services without such Sub-Processor; or (b) SBT will take the corrective steps requested by Customer in its objection (which remove Customer’s objection) and proceed to use the Sub-Processor with regard to Customer Data; or (c) SBT may cease to provide or Customer may agree not to use (temporarily or permanently) the particular aspect of the SBT Services that would involve the use of such Sub-Processor with regard to Customer Data, subject to a mutual agreement of the parties to adjust the remuneration for the SBT Services considering the reduced scope of the SBT Services. Objections to a Sub-Processor shall be submitted to SBT by following the directions set forth in the Vendor List. If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within thirty (30) days after SBT’s receipt of Customer’s objection, either Party may terminate the Agreement.
D.12. Emergency Replacement. SBT may replace a Sub-Processor if the reason for the change is beyond SBT’s reasonable control. In such instance, SBT shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Sub-Processor pursuant to Section D.11 (Changes to Sub-processors) above.
D.13. Subject’s Rights. SBT shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practical, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under EU Data Protection Legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication, or request is made directly to SBT, SBT shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to the Data Subject’s requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Customer Data.
D.14. Data Protection for Impact Assessments and Prior Consultation. SBT shall, to the extent required by EU Data Protection Legislation, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Legislation.
D.15. Security Reports and Audits. Any provision of security attestation reports (such as SOC 2, Type II or equivalent report) or audits shall take place in accordance with Customer’s rights under the Agreement. SBT shall provide a copy of its most current security attestation report upon Customer’s written request no more than once annually. SBT reserves the right to charge a fee (based on its reasonable costs) for any such audit. SBT will provide further details of any applicable fee and the basis of its calculation to Customer in advance of such an audit.
D.16. Deletion or Return of Data. SBT will process and store Customer Data only for the period necessary to achieve the purpose of the storage, or as permitted by law. In the event SBT is required by law to retain some or all of the Customer Data, the protections of the Agreement and this GDPR Addendum shall extend to such Customer Data and limit any further processing of such Customer Data to only those limited purposes that require the retention for so long as SBT maintains the Customer Data.
D.17. Miscellaneous. Except as amended by this GDPR Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this GDPR Addendum, the language of this GDPR Addendum will control. Any claims brought under this GDPR Addendum shall be subject to the Agreement, including, but not limited to, the exclusions and limitations set forth herein.
E. Canada’s Anti-Spam Legislation (CASL) Commitments
E1. Conflict. If anything within this Privacy Policy Section E. conflicts with the Agreement, the Privacy Policy Section E. will govern.
E2. Notices. SBT will notify Customer of any unsubscribe requests received from a Data Subject on a regular basis.
E3. Records. SBT agrees to maintain records in compliance with CASL and agrees to allow Customer to inspect and/or audit any records related to SBT’s compliance with CASL.
E4. Commercial Electronic Messages (“CEMs”). SBT will urge Customer to send Commercial Electronic Messages (“CEMs”), as defined in CASL, that contain the following information within each CEM transmitted:
(a) Identity of who the CEM is sent on behalf of;
(b) Provide information enabling the Data Subject to contact the entity in (a) supra;
(c) Provide a clear, simple unsubscribe mechanism in each CEM using the same electronic means by which the CEM was sent. Specifically, the unsubscribe mechanism must:
i. Allow a Data Subject to unsubscribe from any CEM by providing the option in each CEM transmitted;
ii. Require only the Data Subject’s email address to process the unsubscribe request;
iii. Not request the Data Subject wishing to unsubscribe to log into the sender’s website or visit more than one webpage to complete the unsubscribe request; and
iv. Be processed and in effect within ten (10) business days of receiving same.
SBT IS NOT RESPONSIBLE FOR THE CONTENT OF CEMS OR ANY OTHER MESSAGES SENT TO DATA SUBJECTS. CUSTOMER HAS THE ULTIMATE APPROVAL FOR THE CONTENT OF ANY MESSAGE. CUSTOMER MAY CHOOSE TO SEND CONTENT THAT IS IN CONFLICT WITH THE ADVICE AND RECOMMENDATION OF SBT. AS SUCH, SBT IS NOT RESPONSIBLE FOR THE CONTENT OF ANY MESSAGES SENT.
E5. Consent. SBT will and is entitled to rely on Partner’s representation as to whether a Data Subject receiving a CEM has given the required consent, whether express or implied, to receive the CEM.
SBT IS NOT RESPONSIBLE FOR SENDING A CEM TO A DATA SUBJECT WHO DID NOT PROVIDE THE REQUIRED CONSENT TO RECEIVE SAME IF SBT RELIED ON THE CUSTOMER’S REPRESENTATION THAT THE REQUIRED CONSENT WAS PROVIDED TO CUSTOMER.
E6. Proof of Opt-In. To the extent that SBT has the information in its possession, custody, and/or control, SBT will save the following information pursuant to the Agreement or applicable law:
(a) Data User’s email address;
(b) Data User’s IP address;
(c) The date and time of the Data User’s opt-in;
(d) The specific URL of the acquisition source (or, if no longer live, a screenshot of same).