Last updated: January 26, 2024

Table of Contents

1. Overview
2. How Can You Contact Us?
3. What Personal Data Does Granicus Collect, and for What Purposes?

4. How Do We Justify Collecting Your Data?
5. What Happens If We Process Your Data for Other Purposes?
6. What Happens If You Do Not Provide The Data?
7. Do We Use Algorithms To Make Decisions About You?
8. Do We Share Your Personal Data with Third Parties?
9. Do We Sell Your Data To Others?
10. Do We Participate in the Data Privacy Framework?
11. Where Does Your Data Go?
12. How Do We Protect Your Data?
13. How Long Will We Keep Your Data? 
14. What Rights Do You Have?
15. What If You Are a California Resident?
16. Will We Penalize You for Using Your Rights?
17. Do We Track You Online?

1. Overview

The Granicus entities which adhere to this Privacy Notice and the DPF Principles are Granicus LLC, and Granicus-Firmstep, Ltd., Granicus Canada Holdings ULC, Granicus Australia Pty Ltd., Granicus Technologies India Pvt Ltd, Rock Solid Technologies PR, and GovLoop ("Granicus" or "We"). Granicus is committed to maintaining your trust by protecting your personal data. This policy explains how we collect, use, share, and protect such data. Personal data is any information relating to an identified or identifiable person. Your name, address, phone number, email address, and IP address are some examples of personal data.

Unless otherwise specified, this policy applies to Granicus’ govService suite of products.

Granicus will process your personal data in a transparent and lawful way. Any personal data you provide when using our products and services will be used only in accordance with this privacy policy.

Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.  Granicus has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce.  

If there is any conflict between the terms in this privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

For further information regarding our participation in the Data Privacy Framework, please see Sections 10 and 11 below.

We may change this policy from time to time to reflect privacy or security updates. We encourage you to periodically review this page for the latest information on our privacy practices.

We have provided a table of contents so you can easily jump to the specific sections set out below.

Alternately, you can download a PDF version of the policy.

Back to Top

2. How Can You Contact Us?

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Granicus commits to resolve DPF Principles-related complaints about our collection and use of your personal information. If you have questions about this statement or if you would like to exercise any rights you may have in relation to your personal data, please contact us at support@granicus.com. If you have additional questions or need to escalate an issue, use the below details to contact our Data Protection Officer (DPO):

Full name of legal entity: Granicus, LLC and Granicus-Firmstep, Ltd. Email address: dpo@granicus.com
Postal address:  1152 15th Street NW, Suite 800 
Washington, DC 20005, USA 
Telephone number: 01 651 400 8730

Name of EU representative: DataRep Email address: granicus@datarep.com
You can also contact DataRep using this online form: https://www.datarep.com/data-request Postal address: The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland

Back to Top

3. What Personal Data Does Granicus Collect, and for What Purposes?

I. Through your interaction with govService suite of products

We collect the following personal data through your interaction with govService suite of products.
 

II. Through your interaction with Customer Support

We collect the following categories of personal data through your interaction with our Customer Support team:
 

Back to Top

4. How Do We Justify Collecting and Processing Your Data?

We will use your personal data only when the law allows us to.  Most commonly:

• Where we need to perform the contract we are about to enter into, or have entered into, with you or your employer.
• Where it is necessary for our legitimate interests (i.e. we have a business or commercial reason for using your information), and your interests and your fundamental rights do not override those interests.

Generally, we do not rely on your consent other than for sending marketing communications. Please see our US marketing privacy statement and our UK marketing privacy statement. In that case we will offer unsubscribe links on each communication, and you have the right to withdraw consent at any time.

When applicable, our legitimate interests may include the following:

• Being efficient about how we fulfil our legal and contractual duties.
• Providing high-quality customer service.
• Complying with laws or regulations that apply to us.
• Developing the govService suite of products, our websites, other products and services, and what we charge for them.
• Contacting you with important information regarding the operation of our products.
• Developing and improving the network security, efficiency, and technical specification of our IT systems and infrastructure.
• Delivering the govService suite of products, our websites, and other high-quality product and service features.

Back to Top
 

5. What Happens If We Process Your Data for Other Purposes?

We will only use your personal data for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal data for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.

Back to Top

6.  What Happens If You Do Not Provide The Data?

We are not generally relying on your consent, as stated above. Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform our obligations under the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we would not be able to provide you the access to use the service and may have to cancel a product or service you have with us. We will notify you if this is the case at the time.

Back to Top

7. Do We Use Algorithms To Make Decisions About You?

We do not use your personal data for decisions based solely on automated processing.

Back to Top

8. Do We Share Your Personal Data with Third Parties?

Yes. We share your personal data with the following categories of recipient:

• Agents and sub-processors. We disclose your personal data to our service providers. In these cases, the provider will be using the personal data in accordance with the terms of this policy. Your data will be shared with:
  • LogEntries
  • NewRelic
  • Salesforce
  • Sentry
• Government authorities as permitted or required by law. This may include disclosing your personal data to regulators, or law enforcement authorities. We may transfer and disclose the data we collect about you for the following reasons:
  • To comply with a legal obligation, including, but not limited to responding to a court order;
  • To prevent fraud;
  • To comply with an inquiry by a government agency or other regulator;
  • To address security or technical issues; or
  • To assist government entities in responding to an emergency
• As part of a business transaction. If the ownership of Granicus changes, or if we merge with, or are acquired by another organization, or if we liquidate our assets your personal data may be transferred to the new organization. If this occurs, the successor organization’s use of your data will also still be subject to this policy and the privacy preferences you have expressed to us.

Back to Top

9. Do We Sell Your Data To Others?

No. We do not buy and sell personal data.

Back to Top

10. Do We Participate in the Data Privacy Framework?

Yes. Granicus complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
We are responsible for the processing of personal data we receive or subsequently transfer to a third party acting as an agent on our behalf. We will comply with the Data Privacy Framework Principles for all 6 onward transfers of personal data from the EU, and the UK, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to Data Privacy Framework, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

In addition, Granicus commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), and the UK Information Commissioner’s Office (ICO),the Gibraltar Regulatory Authority (GRA) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF. You may engage such authorities if you have concerns regarding our adherence to the Data Privacy Framework Principles or any applicable privacy law or regulations. We will respond directly to such authorities regarding investigations and resolution of complaints. Under certain conditions, more fully described on the Data Privacy Framework website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Back to Top

11. Where Does Your Data Go?

Granicus govService is hosted within our database service provider with both live and backup replication within EU and UK datacenters. 

The only instance when data is stored outside of the EU or UK is when you contact our customer support team and provide them your information. We will try and limit this to the minimum necessary for a given purpose, and ensure we have appropriate protections in place for your privacy that correspond with the highest global standards, such as the EU GDPR equivalent level protections wherever you or your data may be on the globe.

Granicus’ compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF deems the organization to provide adequate privacy protection, which is a requirement for the transfer of personal data outside of the European Union under the EU General Data Protection Regulation (GDPR), and outside of the United Kingdom under the UK Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR).

Back to Top

12. How Do We Protect Your Data?

We are committed to ensuring that your personal data is secure. In order to prevent unauthorized access, loss or disclosure, we have put in place security controls that reduce the risk of a security breach of your personal data.

If a data breach does occur, we will do everything in our power to limit the damage. In case of a high- risk data breach, and depending on the circumstances, we will inform you about remedial actions to prevent any further damage.

We also use other technical controls, including user confidentiality agreements and Data Loss Prevention (DLP) solutions locally, to secure data and keep it in appropriate systems. Access to customer data occurs on a case-by-case basis and is strictly controlled and limited to a small number of individuals based on their roles.

Employees and temporary workers are required to follow policies, procedures, and complete confidentiality training to understand the requirement of maintaining the confidentiality of customer information. If they fail to do so, they are subject to disciplinary action. All employees are required to complete privacy and security training. We also offer a wide variety of other training to all employees and temporary workers to help us achieve our goal of protecting your personal data.

Back to Top

13. How Long Will We Keep Your Data? 

Your data will not be retained for a period longer than necessary for the purposes above. Where there is a risk of a legal claim, we may also keep data for the relevant statutory period. In many cases, this means that your data will be retained for the duration of our contract with our client, plus any legal statutory period. Information retained during any legal statutory period will be minimized to only the data strictly necessary to resolve any legal claims that may arise.

When we no longer need to use your personal data, we will remove it from our systems and records or take appropriate steps to properly anonymize it so that individuals can no longer be identified from it (unless we need to keep your personal data to comply with any legal or regulatory obligations).

Back to Top

14. What Rights Do You Have?

To exercise any of the following rights, please contact support@granicus.com. Under certain circumstances, by law you have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction or completion of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data only where we no longer have good reason for us continuing to process it.
• Request objection to processing of your personal data. This enables you to object to processing of your personal data where we are relying on a legitimate interest.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
• Withdraw your consent to the processing of certain personal data (only where you have previously provided consent, so this will only apply for marketing data).
• Make a complaint. You have the right to make a complaint at any time to the relevant local, national or industry privacy regulator.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Back to Top

15. What If You Are a California Resident?

The CCPA (California Consumer Privacy Act) will apply to your data. This legally gives you slightly less rights than the UK GDPR does (it only covers the last 12 months of data and gives some rights such as access, deletion, opt out of sale, etc.). But don't worry, we treat all our customers the same, so you can still use all the other GDPR rights that we mention in this policy.

Some timescales are different, and we'll notify you of them if you want to use the rights. In addition, you can bring your complaints to a regulator, in this case the California Attorney General.
Importantly, the CCPA requires us to notify if we buy or sell your data for any benefit, which we do not do.

We collect the same category of data irrespective of your location (whether you reside in the EU, UK or California) and for the same purpose. The collected data is shared only with the third parties mentioned in section #8 of this policy.

Back to Top

16. Will We Penalize You for Using Your Rights?

We will not discriminate against you for exercising any of your rights under applicable law (such as GDPR, CCPA etc.). Unless permitted by the applicable laws, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Back to Top

17. Do We Track You Online?

Yes. We do use online tracking technologies, such as cookies, but we only place cookies on your device that are essential to allow us to operate our services, and do not use these for tracking your other internet use. These allow us to know that you are logged in and the same unique user when you go to each web page. Critically, we do not use these tracking technologies for online targeted behavioral advertising. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service.

Currently, various browsers offer a “do not track” or “DNT” option and the global privacy control which sends a signal to websites visited by the user about the user's browser DNT preference setting. We will do our best to respect such signals we receive, and as required where placing tracking technologies on your device, notify you what and why.

Back to Top