Exciting News:
Madkudu lands $18M Series A led by Felicis to accelerate PLG adoption
Read Now!

MadKudu Privacy Notice (Controller)

Effective on: 2023-10-04

1. Introduction and Scope

1.1. Introduction

MadKudu Inc. and its affiliate entities listed below under “Entities Covered by This Privacy Notice” (referred to collectively as "MadKudu", "we," "us," "our") take the protection of personal data ("Personal Data") very seriously. Please read this privacy notice (the “Notice”) to learn what we are doing with your Personal Data, how we protect it, and what privacy rights you may have under applicable data protection and privacy laws, such as the European Union General Data Protection Regulation (“GDPR”).

1.2. What Is Covered by this Privacy Notice?

This Notice addresses data subjects (which includes both individuals and households) whose Personal Data we:

1.3. What Is not Covered by this Privacy Notice?

This Notice does not apply to

1.4. What Can You Find in this Notice?

This Notice tells you, among other things:

1.4. Our Role With Respect to Your Personal Data

Within the scope of this Notice, MadKudu acts as a data controller or “business” for the Personal Data we process. This means that we decide whether, what, whose, how and why Personal Data is collected and further processed. If you want to learn about how MadKudu processes Personal Data on behalf of its Customers, read the MadKudu (Processor) Privacy Notice.

1.5. Entities Covered by this Privacy Notice

This Notice covers MadKudu and the following affiliate entities (the “Affiliates”):

1.6 Lawful Bases for Processing

We must have a valid reason to use your Personal Data. This is called the "lawful basis for processing". We may process your Personal Data based on:

We may process your Personal Data based on the following legitimate interests:

When we rely on legitimate interests as a lawful basis of processing, you have the right to ask us more about how we decided to choose this legal basis. To do so, please use the contact details provided here.

1.7 What Personal Data do we process and how we obtain it?

Depending on your relationship with MadKudu, we may collect Personal Data from you in different ways. MadKudu may collect Personal Data :

  • Provided by you directly: when you interact with us, our contact forms,  product sign up, customer support, sales team or other of our services. The Personal Data would the specific identifiers you provide directly to us
  • Collected from your device or browser through the MadKudu cookie while you are using or visiting our website, services or MadKudu customers’ websites. This Personal Data may include your IP address, cookie identifier, device identifier, geographic location, or usage information such as authentication, analytics, and other information that allows us to provide you with a more personalized experience.  Please see the section on Cookies and other trackers below for more details.
  • Provided by MadKudu Customers when using our services 
  • Provided by  third-party providers, who gather data from a variety of sources including data co-ops or publicly-available sources that we use to enrich profiles with.

The table below describes the categories of Personal Data we have collected about you in the last twelve months. 

How we obtain it

Category of Personal Data and specific data collected

Identifiers
name, email address, work address, work phone number, IP address

  • Provided by you directly
  • Provided by third-party providers
  • Provided by MadKudu Customers
  • Collected through MadKudu cookie or other trackers

Commercial Information
interactions with sales and marketing, and past purchases

  • Provided by you directly

Internet or similar network activity
IP address, Web application usage data, pages viewed, device, browser, behavior (for example, visits) on the customer’s website), behavior on madkudu’s website, interactions with madkudu’s ads 

  • Collected through MadKudu cookie or other trackers
  • Provided by our advertising and analytics partners 

Geolocation data
location (city, state, country)

  • Provided by you directly
  • Provided by third-party providers
  • Collected through MadKudu cookie or other trackers
    Provided by our advertising and analytics partners 

Inferences drawn from other Personal Data
Lead score generated by MadKudu

  • Generated by MadKudu based on other information

Additional categories of Personal Data 
Job title, company

  • Provided by you directly
  • Provided by third-party providers

We will not collect additional categories of Personal Data without informing you.

1.8 Cookies and other trackers

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), usage analytics (web analytics), to remember your settings, and to improve our website and Services. We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies which are placed directly by us. Other parties, such as Google or LinkedIn, also set their own (third-party) cookies on our websites. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you:

  1. Google’s Privacy Policy
  2. Segment
  3. HubSpot

If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all features of our Services. For more information, please visit https://www.aboutcookies.org/.You may also use a browser that sends Global Privacy Control (GPC) signals. For more information, please visit https://allaboutdnt.com/ and https://globalprivacycontrol.org/.  Some browsers have incorporated “Do Not Track” (DNT) features. MadKudu does not respond to DNT signals. For more information about our use of cookies, please see our cookie notice.

1.9. For What Purposes Do We Use Your Personal Data? 

We may process your Personal Data for the following purposes:

1.10. How Long do We Keep Your Personal Data

We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

Generally, we retain usage data for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our services, or we are legally obligated to retain this data for longer time periods. We will retain Personal Data:

If your Personal Data is used for more than one purpose, we will retain it until the purpose with the longest retention period expires; but we will stop using it for the purpose with a shorter retention period once that period expires. Our retention periods are also based on our business needs and good practice.

Your Personal Data may need to be retained in our backup systems and will only be deleted or overwritten later, normally one month after the data is deleted from the production environment. This may be the case even when you or a Supervisory Authority has validly asked us to delete your Personal Data or when we do not no longer have a legal basis for processing such Personal Data.

1.11. Sharing Personal Data with Third Parties

The following table describes, in the last twelve months, the categories of information we have disclosed to third parties for business purposes, and the categories of those third parties.

These are the specific service providers we are referring to:

Infrastructure services providers:
AWS (Amazon Web Services, Inc.) (USA)
MongoDB, Inc. (USA)
Datadog, Inc. (USA)
Customer relationship management software providers:
Zendesk, Inc. (USA)
HubSpot, Inc. (USA)
Salesforce.com, Inc. (USA)
Incident management and response platform providers:
PagerDuty, Inc. (USA)
Payment software or processing providers:
Bill.com, Inc. (USA)
Stripe, Inc. (USA)
B2B marketing data engines:
APIHub, Inc. doing business as Clearbit (USA)
Web analytics providers:
Google LLC (USA)
Collaboration tool providers:
Slack Technologies, Inc. (USA)
Google LLC (USA)
Osano, Inc. (USA)
Analytics providers:
Segment.io, Inc. (USA)
Scheduling assistance software providers:
Calendly, Inc. (USA)
Intrusion detection and prevention providers:
Sqreen SAS (France)

Categories of Service Providers MadKudu Shares Personal Data with for Business Purposes

Category of Personal Data

Identifiers

  • Collaboration tool providers
  • Scheduling assistance software providers
  • Customer relationship management software providers
  • Infrastructure service providers
  • Analytics service providers
  • Payment software or processing providers
  • B2B marketing data engines

Commercial Information

  • Scheduling assistance software providers
  • Web Analytics providers
  • Infrastructure service providers
  • Analytics service providers
  • B2B marketing data engines

Internet or similar network activity

  • Web Analytics providers
  • Infrastructure service providers
  • Analytics service providers
  • Incident management and response platform providers
  • Intrusion detection and prevention providers
  • B2B marketing data engines

Geolocation data

  • Web Analytics providers
  • Infrastructure service providers
  • Analytics service providers

Inferences drawn from other Personal Data

  • Web Analytics providers
  • Infrastructure service providers
  • B2B marketing data engines


The following table describes the categories of information we sell to third parties, and the categories of those third parties.

Categories of Third Parties MadKudu Shares Personal Data with

Category of Personal Data

Identifiers

  • MadKudu Customers
  • Advertising platforms

Commercial Information

  • None

Internet or similar network activity

  • MadKudu Customers
  • Advertising platforms

Geolocation data

  • MadKudu Customers
  • Advertising platforms

Inferences drawn from other Personal Data

  • MadKudu Customers

When the Personal Data is protected by the GDPR, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. Also, in some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission has recognized as providing an adequate level of protection to Personal Data. We remain liable for the protection of your Personal Data that we transfer or have transferred to third parties through our designated data transfer mechanism, such as Standard Contractual Clauses (“SCCs”) as approved by the European Commission under Article 46.2 of the GDPR, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

1.12. Other Disclosure of Personal Data

We may disclose Personal Data:

  1. To the extent required by law or if we have a good-faith belief that such disclosure is necessary in order to comply with official investigations or legal proceedings initiated by governmental and/or law enforcement officials, or private parties) If we must disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
  2. if we sell or transfer all or some of our company's business interests, assets, or both, or in connection with a corporate merger, consolidation, restructuring, or other company change; or
  3. to our subsidiaries or affiliates only if necessary for business and operational purposes as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data, which does not include any Personal Data for any legal business purpose, such as analyzing usage trends and seeking compatible advertisers, sponsors, clients, and Customers.

2.What Privacy Rights do you have?

Certain privacy laws give you specific rights regarding your Personal Data that we collect and process. Please note that you can only exercise these rights with respect to Personal Data that we process about you when we act as a data controller. To exercise your rights with respect to information processed by us on behalf of one of our Customers, please read the privacy notice of that Customer and contact the Customer.

2.1 Right to be informed

If this right applies to you under applicable laws, this means that you have the right to obtain from us all information regarding our data processing activities that concern you such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things.

We are informing you of how we process your Personal Data with this Notice.

We will always try to inform you about how we process your Personal Data. However, if we do not collect the Personal Data directly from you, note that the GDPR exempts us from the obligation to inform you (i) when providing the information is either impossible or unreasonably expensive; (ii) the gathering and/or transmission is required by law, or if (iii) the Personal Data must remain confidential due to professional secrecy or other statutory secrecy obligations.

2.2 Right of Access

This right allows you to ask for full details of the Personal Data we hold about you.

If this right applies to you under applicable laws, you have the right to obtain from us, including confirmation of whether or not we process Personal Data concerning you and, where that is the case, a copy or access to the Personal Data and certain related information. 

Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you:

  • The categories of your Personal Data that we process;
  • The categories of sources for your Personal Data;
  • Our purposes for processing your Personal Data;
  • Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period;
  • The categories of third parties with whom we share your Personal Data;
  • If we carry out automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you;
  • The specific pieces of Personal Data we process about you in an easily-sharable format;
  • If we sold, shared, or disclosed your Personal Data for a business purpose, the categories of Personal Data and categories of recipients of that Personal Data for both sales, sharing, and disclosures for business purposes;
  • If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and
  • The appropriate safeguards used to transfer Personal Data from the EEA or the UK to a third country, if applicable.

Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial. 

The CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.

2.3 Right to rectification

If this right applies to you under applicable laws, it gives you the right to ask us to correct without undue delay anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data. 

If your account settings do not allow you change the information yourself, please contact us and we will do our best to change the Personal Data for you.

2.4 Right to deletion

This is also called the right to erasure, or the right to be forgotten. If this right applies to you under applicable laws, this right means you can ask for your Personal Data to be deleted.

To delete your account with MadKudu, please submit a request at support@madkudu.com.

Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.

2.5 Right to restrict processing

f this right applies to you under applicable laws, it is the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful. 

2.6 Right to object

If this right applies to you under applicable laws, this is your right to tell us to stop using your Personal Data. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your Personal Data for direct marketing purposes.

We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.

If we have received your Personal Data in reliance on the Data Privacy Frameworks, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. 

2.7 Right to Data Portability

If this right applies to you under applicable laws, it is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our services, so that you can:

  • Move it;
  • Copy it;
  • Keep it for yourself; or
  • Transfer it to another organization.

We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you with a copy in electronic format.

2.8 Right Related to Automated Decision Making

We sometimes use computers to study your Personal Data. We might use this Personal Data so we know how you use our services. For decisions that may seriously impact you, you have the right not to be subject to automatic decision-making, including profiling. But in those cases, we will always explain to you when we might do this, why it is happening and the effect.

To turn off personalized advertising, please reject cookies on our website by clicking on "Cookie Settings"in this website footer.

2.9 Right to Withdraw Your Consent

Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw is still lawful.

If you have given consent for your details to be shared with a third party and wish to withdraw this consent, please also contact the relevant third party in order to change your preferences.

2.10 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. Unless the applicable data protection laws permit it, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

2.11 Right to Opt Out of sales of Personal Data 

If this right applies to you under applicable laws, you have the right to ask us to not sell or share your Personal Data at any time. To exercise the right to opt out, you may submit a request to us by completing our webform here.

Once you make an opt-out request, we will not ask you to reauthorize sale of your Personal Data for at least twelve months. However, if you change your mind, you may opt back into Personal Data sales at any time by using the contact details below. We will only use Personal Data you provide us in an opt-out request to review and comply with the request.

To exercise the right to opt out of sales of Personal Data happening through cookies and other trackers, clean your browser cookies and reject cookies on our website.

2.12 Right to Opt Into the Sale of Personal Data

If you have directed us not to sell your Personal Data, you can opt into the sale of your Personal Data at any time by reaching out to us using the contact details below. Please note that we do not sell the Personal Data of individuals that we know are less than 16 years old. Individuals who opt-in to Personal Data sales may opt-out of future sales at any time.

2.13 Right to Opt Out of Sharing of Personal Data

If this right applies to you under applicable laws, you have the right to ask us to not share your Personal Data at any time for cross-context behavioral advertising with third parties. To exercise this right, reject cookies on your website.

2.14 Right to Lodge a Complaint with a Supervisory Authority

Applicable laws may give you the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your Personal Data. 

Specifically, if the GDPR applies to our processing of your Personal Data, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.

3. How Can You Exercise Your Privacy Rights?

To exercise any of the rights described above, please submit a request by either:

To exercise the right to opt out of disclosures and sales of Personal Data happening through cookies and other trackers, clean your browser cookies and reject cookies on our website.

Verification of your Identity: To correctly respond to your privacy rights requests (except requests to stop the sale and share of your Personal Data), we need to confirm that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are.For changes to your Personal Data submitted via password-protected accounts, your identity is already verified. For requests sent by other means, we may request additional information from you to verify your identity.We will only use the Personal Data you provide us with in a request to verify your identity or authority to make the request.

Verification of Authority: If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with MadKudu and confirm with us that they gave you permission to submit this request.

Response Timing and Format of Our Responses: We will confirm the receipt of your request within ten (10) business days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.
Please allow us up to a month to reply to your requests (except requests to stop selling your Personal Data) from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.
We will act upon your request to opt out from selling your Personal Data within fifteen (15) business days. We will also notify the third parties to whom we sold your Personal Data of your request and instruct them not to further sell your Personal Data. We will inform you about this in ninety (90) days from the receipt of your request.
If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily usable and should allow you to transmit the information from one entity to another entity without difficulty.

4. Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 13.

5. Data Integrity & Security

MadKudu has implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction. 

6. EU-U.S. DPF, UK Extension to the EU-U.s. DPF, and Swiss-U.S. Data Privacy Frameworks

For Personal Data processed in the scope of this Notice, MadKudu complies with the principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF) the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as adopted and set forth by the U.S. Department of Commerce regarding the processing of Personal Data transferred under the DPF from the European Union, the European Economic Area, the United Kingdom, or Switzerland to the United States, or otherwise received in reliance on the DPF. 

We commit to continue to adhere to the DPF Principles and have certified to the Department of Commerce that we will continue to adhere to the DPF Principles with regard to Personal Data received in reliance on DPF. MadKudu does not currently use the DPF as its data transfer mechanism from the EEA and uses the Standard Contractual Clauses as its primary data transfer mechanism for Personal Data governed by the GDPR, the UK GDPR and the Swiss data protection laws.

To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

7. Dispute Resolution

Where a privacy complaint or dispute relating to Personal Data received by MadKudu in reliance on the DPF cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe DPF Dispute Resolution Procedure. Subject to the terms of the VeraSafe DPF Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe DPF Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

8. Binding Arbitration

If your dispute or complaint related to your Personal Data that we received in reliance on DPF cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you under the DPF’s “Recourse, Enforcement and Liability Principle” and Annex I of the DPF.

9. U.S. Regulatory Oversight

MadKudu is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

10. Changes to this Privacy Notice

If we make any material change to this Notice, we will post the revised Notice to this web page. We will also update the “Effective” date. By continuing to use our Services after we post any of these changes, you accept the modified Notice.

11. Contact Us

If you have any questions about this Notice or our processing of Personal Data, or want to submit a verifiable consumer request, please contact us by email at privacy@madkudu.com, by phone at +1 (203) 216-9872, or by postal mail at:

MadKudu Inc.
MadKudu Controller Privacy Notice
Attn: Francis Brero 333 W Maude Ave., Suite 207, Sunnyvale, CA 94085 USA

Please allow up to four weeks for us to reply.

11.1. European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

Alternatively, VeraSafe can be contacted at:

VeraSafe Czech Republic s.r.o. Klimentská 46, Prague 1, 11002, Czech Republic

11.2. United Kingdom Representative

We have appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form:

https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +44 (20) 4532 2003.

VeraSafe United Kingdom Ltd. 

37 Albert Embankment

London

SE1 7TL

United Kingdom