Commitment to the Privacy Shield principles
This Notice does not apply to data that we collect about employees of our subsidiaries in the EEA or Switzerland, or to data that we collect from other jurisdictions; we cover the legal requirements for these data transfers using the Standard Contractual Clauses, as well as separate notices.
Medallia provides a software-as-a-service platform and related online services to its customers, which are collectively called the Medallia Experience Cloud.
As a data controller, we process personal data of representatives of our clients, potential clients, vendors, service providers, professional advisors, business partners, consultants or other third parties in the EEA and Switzerland (“EEA Business Contacts”) to support our business operations, for example, in the context of sending marketing communications, making sales calls, providing support, invoicing, and collections. From our EEA Business Contacts, we typically collect name, job title, company affiliation and contact information.
As a data processor, we process personal data of EEA and Swiss individuals on behalf of the clients in the Medallia Experience Cloud (“EEA Customer Data”). Our clients use the Medallia Experience Cloud to process personal data at their discretion, including data pertaining to their own customers and employees.
The clients who use the Medallia Experience Cloud provide information on how they process their customers and employees’ data in their own, separate privacy notices. We support the clients who use the Medallia Experience Cloud as a data processor but do not control these customer’s data processing practices.
Purposes of collection and use
We collect and use personal data of EEA Business Contacts for purposes of providing information about our products and services to our clients, registering our clients for events, communicating with business partners, providing support, billing our clients, and conducting related tasks for legitimate business purposes. With respect to marketing, you may opt-out of receiving marketing communications from Medallia.
We collect and use personal data on behalf of the clients of our the Medallia Experience Cloud for the purposes of providing those platforms and services to our clients. We may access the data to provide the services, to correct and address technical or service problems, to follow instructions of the Medallia customer (and their customers and employees) who submitted the data, or in response to contractual and legal requirements.
Third parties who may process personal data
Medallia uses a limited number of third party service providers and partners to assist us in providing our products and services to our clients. Medallia maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations.
We may share the personal data of EEA Business Contacts with the providers of our business productivity software (such as email and teleconferencing platforms), consumer relationship management software, marketing and data enhancement software (including marketing communications automation platforms), marketing data analytics software, help desk ticketing software, and billing and collections software in order to enable their respective business functions. If you purchase Medallia products and services through our channel partners, such as distributors and resellers, we may provide the personal data of EEA Business Contacts to such third parties to provide you with information about Medallia’s products and services.
We may share personal data of EEA and Swiss individuals that is collected in the Medallia Experience Cloud (“EEA Customer Data”) with our subsidiaries, affiliates, partners and contractors who provide managed services and support for the platforms and services. We may also share EEA Customer Data with vendors to support our technical operations (including vendors who assist us with visitor analytics,SaaS event logging, and technical support), , and provide data storage.
Depending on the technology integrations or features chosen by the clients who purchase the Medallia Experience Cloud, we may also provide EEA Customer Data to partners who provide such integrations or features (including, for example, interactive voice response, SMS, translation integrations, and screen capture features).
Where we have received your personal data under the Frameworks and subsequently transfer it to a third party agent or service provider for processing, then we remain liable if such third party agent or service provider processes your personal data in a manner inconsistent with the Framework’s principles.
We may also disclose personal data of EEA Business Contacts and EEA Customer Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise), in response to lawful requests by public authorities (including to meet national security or law enforcement requirements), or where the disclosure is permitted by law or the Privacy Shield principles and we have a legitimate business interest in such disclosure.
Your right to access, limit use, and limit disclosure
EU and Swiss residents have rights to access, correct and delete their personal data, and to limit use and disclosure of their personal data. Medallia honors these rights by responding to legitimate requests to access, correct, delete, limit use, or disclosure of personal data to email@example.com. Because Medallia has limited ability to access EEA Customer Data, if you send us a request related to EEA Customer Data please provide the name of the Medallia customer who provided us with or asked us to collect your data. We will refer your request to that customer, and we will support them as needed in responding to your request.
EEA Business Contacts may choose to unsubscribe from marketing communications by following the unsubscribe link contained in each marketing email. For communications from Medallia, Inc., you can also unsubscribe by accessing the preference center by clicking here
Inquiries and complaints
If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting firstname.lastname@example.org or by regular mail addressed to:
Attn: General Counsel
575 Market Street, Suite 1850
San Francisco, C 94105
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, Medallia will cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner (DPAs). Medallia will comply with information and advice provided by the DPAs with respect to such unresolved concerns, and will take appropriate steps to correct Privacy Shield compliance issues. Click here for a list of EU DPAs.
Under certain conditions, more fully described on the Privacy Shield website at www.privacyshield.gov, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Investigatory and enforcement powers of the FTC
Medallia is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).