General Data Protection Regulation Statement
Effective March 28, 2024
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.
As the General Data Protection Regulation (“GDPR”) has come into force, Summit has been GDPR competent since May 2018.
Summit provides a number of services to you and our other customers. Our provision of services to you may or may not qualify as “processing” of personal data as that term is used in the GDPR, and the obligations incumbent upon a data processor of personal data may not apply to Summit with respect to any personal data that you or your customers transmit using our services. We encourage you to take active measures to protect the security of any sensitive data that you send using our services.
As part of the process to install, provide and maintain your services with Summit, we do from time to time request contact information for billing and technical contacts. This contact information constitutes personal data as defined by the GDPR (“Business Contact Personal Data”). When you provide us with Business Contact Personal Data, we are the data controller of Business Contact Personal Data processed under each Agreement. You warrant that you have obtained all necessary consents from the data subject concerned for the transfer of Business Contact Personal Data to us.
We will process Business Contact Personal Data as is necessary to maintain our business relationship with you and to meet our obligations to you under each Agreement in accordance with the terms of the data protection provisions contained in your Agreement. As part of these provisions, we ask that you provide our privacy notice to each data subject for whom you have provided Business Contact Personal Data to Summit.
This GDPR Privacy Policy applies to the Processing of Personal Data by Summit for Customers and Data located within the EEA, including in the UK, in our role as a Controller, or as otherwise covered by the GDPR, when individuals:
- Visit or use our Websites
- Interact with us on behalf of a Customer in connection with the provision of our Services
- Interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us
- Interact with us on behalf of a business partner in connection with our relationship with the business partner
- Apply to work with us
- Receive marketing communications from us
- Register for, attend and/or otherwise take part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions
This GDPR Privacy Policy does not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services, or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers.
This GDPR Privacy Policy also does not apply to any third-party website or service that may be linked to the Websites unless that website or service is controlled by us. In the event of a conflict between this GDPR Privacy Policy and the General Privacy Policy, this GDPR Privacy Policy will prevail.
Please see the definitions as presented in the General Privacy Policy.
Summit does not maintain entities located in the EEA/UK that act as Controllers. As such, the Controller is the US entity Summit Hosting, LLC.
If you have any questions or concerns as to how your Personal Data is Processed, please write to us at privacy@summithq.com or at 6734 Jamestown Drive, Alpharetta, GA 30005 (Attn: Summit Legal Department).
What Types of Personal Data Does Summit Collect?
Summit collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, and individuals that interact with Summit, in each case to operate its business for the specific purposes identified below.
- Personal Details — names, titles, company names, departments, email addresses, physical addresses, telephone numbers, and social media usernames
- Login Credentials — usernames and passwords needed to access Summit Customer Portals and receive support
- Unique IDs — IP addresses and geolocation data obtained from Representatives, prospective employees, Website Visitors, and others that interact with us
- Payment Information — bank name, account numbers, routing numbers, check numbers, and wire transfer IDs
- Customer Support Records — call details and similar data regarding customer support communications and chat sessions
- Website Records — log data (preferences, settings, IP addresses, device information, geolocation) and traffic data (pages viewed, time on page, clickstream data, queries, purchases)
- Education and Work History — attended schools, past employers, roles performed, locations of employment, and reasons for leaving past employment
- Marketing and Event Records — personal details of Representatives signing up for marketing materials, completing surveys, or registering for trade events, webinars, or conferences
Why Does Summit Collect Personal Data, and What is the Lawful Basis?
The table below sets out the types of Personal Data Summit Processes, the purposes of Processing, and Summit’s lawful basis for doing so.
| Summit’s Purpose of Processing Personal Data | Summit’s Lawful Basis for Collecting Personal Data |
|---|---|
| To engage in transactions with Customers, Service Providers, and business partners. When a Customer places an order for our Services, Summit Processes Personal Details, Login Credentials, Unique IDs, and Payment Information to administer the relevant transactions necessary to deliver and provide such Services (i.e., signing a contract, creating an account, sending invoices, receiving payments, granting access to customer portal). | Summit has a legitimate business interest in processing Personal Data in order to engage in transactions with its Customers, Service Providers and business partners and efficiently run its business. |
| To provide customer and technical support. Summit collects and processes Personal Details, Login Credentials, Unique IDs, and Customer Support Records to provide Customers and their Representatives with technical and general support. | Summit has a legitimate business interest in being able to provide its Customers with customer and technical support. |
| To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person contacts us, Summit collects and Processes Personal Details, Unique IDs, Website Records, and Marketing and Event Records in order to communicate and respond to their requests and inquiries. | Summit has a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons and respond to their inquiries. |
| To market our Services and tailor our marketing and sales activities. Summit may Process Personal Details, Unique IDs, Website Records, and Marketing and Event Records when marketing new and existing Services and features and in an effort to personalize such experience. | Except in cases where opt-in consent is required by law for processing email addresses, IP addresses or other unique identifiers to send electronic communications, Summit processes this data for marketing purposes on the basis of its legitimate interests. |
| To analyze, improve, and optimize the use, function and performance of our Website and Services. Summit may Process Personal Details, Unique IDs, Website Records, and Marketing and Event Records in order to analyze and improve its Website and Services, including for quality assurance, training, and marketing and sales campaigns. | Summit has a legitimate business interest in improving and optimizing the use of its Website and Services. |
| To comply with applicable laws, regulations and internal policies, practices, and procedures. Summit may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a government request or to defend a legal claim. | Legal Obligation; Summit has a legitimate business interest in complying with all applicable laws, regulations, and internal policies. |
| To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of Summit’s business. In the event Summit reorganizes its business or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all above categories of Personal Data with a third party. | Summit has a legitimate business interest in being able to carry out a reorganization, sale, merger, assignment, transfer or disposition of its assets or business should the need arise. |
| To receive applications for employment. Summit may Process Personal Details, Login Credentials, Unique IDs, and Education and Work History when receiving, reviewing, using, and storing applications for employment. | Summit has a legal obligation to collect certain information to confirm your right to work. Otherwise, Summit has a legitimate business interest in Processing the Personal Data of job applicants to assess them as candidates for employment. |
If at any time you wish for us to cease communicating with you with marketing materials, please use the “unsubscribe” link found in any of our written electronic communications or email us at marketing@summithq.com. Please note you may still receive some communications related to the Services you are receiving or in response to inquiries you have made to us.
Except as described below, we will not share or disclose Personal Data with or to outside third parties. We will never sell Personal Data collected for the purposes of Service provision, nor knowingly permit it to be used for marketing purposes by any person outside of Summit.
- Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology, billing, contract management, email delivery, auditing, events, and other related activities. Our contracts require them to act only under our instruction and prohibit them from sharing such Personal Data with third parties without our authorization.
- Business Partners. We may share your Personal Data with trusted business partners pursuant to our contractual arrangements, which will include appropriate safeguards. These may include third parties that organize tradeshows, consultants, experts, and auditors.
- Affiliated Entities. We share Personal Data with our Affiliates, who may use such data to provide services offered by our Affiliates, to provide support, or for any other purposes described in this GDPR Privacy Policy.
- Payment Processing. We work with a payment processing partner to process credit card payments. If you make any credit card payment to us, our payment processing provider will store your full name and credit card details.
- Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate legal, judicial or law enforcement authorities when we believe disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity, or to exercise or protect legal rights.
- Law Enforcement. We may have to disclose Personal Data if a court, law enforcement or other public authority with appropriate competency requests it and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.
- Corporate Reorganization. We may transfer Personal Data to a third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other disposition of all or any portion of our business, asset or stocks, including in the event of bankruptcy or corporate restructuring.
For cross-border transfers of EEA, UK or Swiss Personal Data to Group Affiliates in the US and/or to third parties in countries outside the EEA/UK/Switzerland that are not considered to provide an adequate level of data protection, Summit will adopt safeguards consistent with applicable data protection law. These include transferring data to a recipient covered by a suitable framework or legally adequate transfer mechanism, a recipient with binding corporate rules authorization, or a recipient that has executed appropriate standard contractual clauses (“SCCs”) as adopted or approved in accordance with EEA, UK, or Swiss data protection law.
Although Summit no longer relies on the Privacy Shield Framework as a lawful transfer mechanism, we remain subject to the regulatory enforcement powers of the U.S. Federal Trade Commission with respect to Personal Data that was transferred to us pursuant to the Privacy Shield Framework.
We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in this GDPR Privacy Policy. We may retain Personal Data as required by law, such as for tax, legal, or accounting purposes.
When we have no justifiable business need to Process your Personal Data, we will either delete it or anonymize it.
The GDPR grants individuals who are in the EEA/UK the following rights, with some limitations. Individuals may contact us at the address provided in the Contact Details section above to exercise any of these rights.
- Right Not to Provide Consent or to Withdraw Consent. Where we rely on consent to Process Personal Data, you have the right not to provide your consent, and the right to withdraw it at any time. Withdrawal will not affect the lawfulness of Processing conducted based on consent before its withdrawal.
- Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if so, to request a copy of such Personal Data in digital format.
- Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.
- Right of Erasure. In certain circumstances, you have the right to request that we erase Personal Data concerning you, for example if it is no longer necessary for the purposes for which it was originally collected. We may need to retain certain Personal Data when legally required or for internal record keeping. Where we are unable to delete data from our systems, we will anonymize it so it is no longer tied to your identity.
- Right to Restrict Processing. In certain circumstances, you have the right to request that we restrict the Processing of Personal Data we have collected about you.
- Right to Data Portability. In certain circumstances, you have the right to receive Personal Data concerning you that you have provided to us in a structured, commonly used, machine-readable format, and for us to transmit it to another entity where technically feasible.
- Right to Object to the Processing. In certain circumstances, you have the right to request that we stop Processing your Personal Data, including where we rely on legitimate interests as the legal basis. If you receive commercial electronic communications from us, you can unsubscribe from future commercial communications by clicking the “unsubscribe” link provided in such communications.
- Right Not to be Subject to Automated Decisions. We do not make decisions based solely on automated processing — including profiling — that produces legal effects or similarly affects you.
- Right to Complain to a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. We ask that you please consider contacting us first so that we can try to address your concern.
To exercise any of your rights, please contact us in writing via email or postal mail as indicated in the Contact Details section above. We may ask that you provide: your name, User ID, email address, or other identifier; the country in which you are located; a clear description of the Personal Data or action you wish to be taken; and sufficient information to allow us to locate the relevant content or data. We will try to comply with your request as soon as reasonably practicable and within the timelines prescribed by applicable laws.
We may update this policy from time to time. Any changes will be posted on this page. Please check back frequently to see any updates or changes to this policy.
You can also review our general privacy practices and commitments at summithq.com/about-us/legal/privacy-policy/.