PRIVACY POLICY

Last updated April 2021

SPS Commerce Privacy Statement

Ensuring the data protection rights for all data subjects and their personal information collected and processed by SPS through our internet facing websites, products and services is important. We have created this Privacy Policy (“Policy”) to publicly affirm our commitment to the adherence of enacted privacy regulations applicable to our organization. This Policy provides an overview of how we handle information that can be used to directly or indirectly identify an individual (“Personal Information”).

This Policy describes how SPS Commerce, Inc. and its subsidiaries (“Company”, “SPS”, “we”, “us”, or “our”) collect, process, maintain, share, and delete Personal Information supplied by you.

Please review this Policy carefully. If you do not agree with any terms and conditions outlined in this Policy, please discontinue the use of our websites, products, and services.

NOTE – SPS may update this Policy periodically to ensure our privacy compliance standards remain in alignment with applicable regulations. We encourage you to review this Policy frequently to remain informed regarding how we handle the Personal Information provided to or collected by our organization.

If you have questions about this Policy, would like to opt out of our marketing emails, or would like to submit another inquiry regarding the handling of your Personal Information, please contact us.

General Privacy Information

SPS recognizes its role and responsibility as a ‘Data Controller’ when we receive and process Personal Information from external audiences. This information is generally collected from you directly and will only be used for its intended purpose and we will abide by the lawful basis on which it was obtained (for example, consent or other lawful basis under applicable law).

SPS recognizes its role and responsibility as a ‘Data Processor’ and may have Personal Information flow through or be stored within our technology infrastructure on behalf of our customers. We maintain the obligation to ensure appropriate security and privacy safeguards exist and are properly functioning to comply with applicable privacy regulations including the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR).

In our capacity as a service provider for customers, SPS may process individuals’ Personal Information provided by the customer. We are not responsible for the direct control of the customer’s data they input into our products or services, as we only provide the processing specified by the customer. Those customers are, in turn, responsible for the management and privacy compliance of Personal Information collected from you.

If Personal Information has been submitted to and is being processed by us on behalf of our customer, and you wish to exercise your data protection and privacy rights, please contact the applicable customer directly. If you make your request to us, we will refer your request to that customer as SPS may only access a customer’s data upon approval and in accordance with their instructions.

Please note, SPS is committed to maintaining applicable data security measures to aid in governing how we treat and protect our customer’s data. This is further validated by our annual Service Organizations Controls (SOC2 Type II) attestation.

Personal Information Collection

SPS needs to collect your Personal Information to provide you with access to resources, products and services, and to comply with regulatory requirements. We generally act as a data controller for this purpose. Our use of your Personal Information is based upon notice and consent through this Policy, opt-in mechanisms and other legal bases where applicable under relevant local law (such as performance of a contract or our legitimate interests in building, conducting and managing our business to better serve you, including a more secure experience).

Specifically, you share Personal Information with SPS by performing any of the following activities:

  • Visiting our websites that display or link to this Policy;
  • Visiting our branded social media pages managed by SPS;
  • Communicating directly with SPS via emails, phone calls, faxes, text messaging, or web chats;
  • Creating a user account profile to access SPS customer platforms and use our cloud-based products or services;
  • Registering for or attending our events, webinars, or contests; and/or
  • Participating in our community and open-source sponsored development activities.

The types of Personal Information collected by SPS depend on the scope and context of your interactions with us and the choices you make. These types of data may include:

  • Contact Information. We may collect first names, maiden names, last names, phone numbers, email addresses, and other similar information.
  • Online Identifiers. We may collect tools and protocols, such as IP (Internet Protocol) addresses, cookies and user identifier tags used for analytics and marketing, and other similar data such as from social media profiles, including if you “like” or “follow” us, and passwords and security information used for authentication and account access.

Use of Personal Information

SPS maintains processes to help ensure that it provides notice and, where applicable, obtains consent prior to its processing of Personal Information for a variety of business purposes and that there is a valid legal basis before processing. Use of Personal Information for business purposes includes:

To operate our websites. Examples of activities we may engage in to operate our websites include:

  • Operating and administering our websites to provide you with access to content you request (e.g., to download content from our websites);
  • Tracking use of our websites, investigating suspicious activity, ensuring alignment with our terms and policies, and to measure and improve operation and security;
  • Managing user accounts for the purpose of performing our services; and/or
  • Developing and improving our websites and products and services and providing prospects and users with more relevant content and service offerings.

To send marketing, promotional, and administrative communications. We and/or our third-party marketing partners may use Personal Information to send you product, service, and new feature information, and/or information about changes to our terms, conditions, and policies. You can opt-out of our marketing and promotional emails at any time by contacting us or clicking on the “unsubscribe” link at the bottom of the email.

To request feedback. We may use Personal Information to request feedback and to contact you about your use of our websites and products and services.

To respond to inquiries and support requests. We may use Personal Information to respond to your inquiries and solve any potential issues you might have with the use of our websites, products or services.

For other business purposes. We may use Personal Information for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our marketing and promotional offers and campaigns and to evaluate and improve our websites or services, products, marketing and your experience.

Sharing of Personal Information

SPS takes the sharing of your Personal Information seriously and we strive to ensure the proper handling and protection of this information. We share Personal Information when:

  • We have obtained your consent to do so;
  • We are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or other legal process;
  • We have a contract requirement and are maintaining our commitments to you or our customers; and/or
  • We maintain a legitimate business interest and doing so does not violate applicable laws.

For example, we may share your Personal Information within SPS with our vendors and/or third parties who provide business services to us, with our professional advisors (e.g., lawyers, accountants, insurers), with law enforcement, court authorities and regulatory agencies, and in the event of a business merger.

Protection of Personal Information

SPS has implemented technical and organizational security measures designed to protect your Personal Information from theft, loss, and/or unauthorized access. These measures help ensure only permitted individuals may gain access to and handle your Personal Information. Further, our alignment with applicable regulations helps to safeguard and protect the confidentiality and integrity of Personal Information provided to SPS.

Additionally, SPS has established data retention guidelines that aid in defining handling requirements and timeframes for maintaining Personal Information provided to us based on factors such as our legal obligations, the nature of the Personal Information, the potential risk of harm and the purpose for which it is processed. It is our practice to provide layered security measures to protect confidential Personal Information until the retention period has expired and then undertake to securely delete or anonymize the data.

However, no website, database or system is completely secure or “hacker proof.” You are also responsible for taking reasonable steps to protect your Personal Information against unauthorized disclosure or misuse.

Limiting Use of Personal Information

SPS recognizes your right to limit our use of your Personal Information. There are several steps you can take to limit how we use Personal Information, which include:

  • You may request a copy of your non-anonymized Personal Information and submit corrections to have your information amended.
  • If you have created an account with us, you may directly make changes to your Personal Information through modifying your account profile.
  • Withdrawal or removal of consent for us to use your Personal Information.
  • Opting out of receiving marketing and non-transactional communications by clicking on the “unsubscribe” link located at the bottom of our email communications.
  • Updating your browser settings to clear stored cookies and discontinue user tracking.

Subject to applicable law, you may also have rights to delete, request the transfer of or restrict or object to the use of your Personal Information.

Please contact us if you require assistance in facilitating changes to limit or change the use of your Personal Information. Please note, we try to respond to all legitimate requests within one month and will contact you if we need additional information from you in order to support your request.

Also, as we stated above, SPS may process your Personal Information as a data processor after receiving it from one of our customers. We may only access that Personal Information when we receive consent from a customer to do so. If Personal Information has been sent to us by or on behalf of an SPS customer, and you wish to exercise your right to limit or remove its use, please contact that customer directly. If you make your request directly to us, we will refer you to the applicable customer.

Transfer of Personal Information

SPS’s systems and technical infrastructure are primarily located in the United States. Additionally, we do maintain limited business operations internationally and partner with vendors and other third parties. If you are located anywhere outside of the United States, please be aware that information we collect, including your Personal Information, may be transferred to, processed in, and stored within the United States. By accessing our websites, products and services, or providing us with Personal Information, you consent to the transfer, processing, and storage of Personal Information in the United States.

If you are located outside of the United States, please be aware that data protection and privacy laws within the United States may differ from those of the country in which you are located. As such, your Personal Information can be subject to access requests from governments, courts, or law enforcement in the United States in accordance with and subject to the laws of the United States.

For compliance with GDPR, SPS takes steps to implement any necessary contractual protections, including ‘Model Clauses’, between our applicable international and domestic legal entities, and where applicable with other third-party recipients.

Additional Privacy Considerations

SPS’s websites, products, and services are not directed at children. We do not knowingly collect Personal Information from children under the age of 13. If you believe your child has provided us with Personal Information without your consent, please contact us.

If you have any questions related to this Policy, please contact us. You have the right to make a complaint at any time to your local regulator for data protection issues. We would, however, appreciate the chance to deal with your concerns directly, so please contact us first.

For information on the sub processors used by SPS please visit Sub processors. The list is subject to change and will be updated as needed.