Privacy Policy

Last revised: September 5, 2024

Your privacy is important to KoncertWe are committed to ongoing compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and the California Consumer Privacy Act (CCPA). 

This privacy policy describes how we collect data and treat that data collected from the Koncert Public Site and the Koncert Private Site.

EU-U.S. DPF and the Swiss-U.S. DPF: Controller vs Processor

Under the EU-U.S. DPF and the Swiss-U.S. DPF, an organization that determines the purposes and means of processing personal data is considered a “controller” of data, and an organization that handles the data (on behalf of a controller) is considered a “processor”. Any organization that is a controller or processor or an organization that monitors the behavior of EU and Swiss residents is required to comply with the EU-U.S. DPF and the Swiss-U.S. DPF.

Most of Koncert’s customers fall into the “controller” category since they are collecting and using personal data about their prospects. Koncert falls under the “processor” category since we handle our customer’s data and therefore, we are required to treat our customers’ data in compliance with EU-U.S. DPF and the Swiss-U.S. DPF regulations.

Definitions

In this privacy policy we refer to the following terms:

Applications:  Our Sales Engagement Software platform comprising the various products listed in the “Product” section of our website at koncert.com (referred to as the “Koncert Public Site”)

Customer: Our customer with whom we have entered into an agreement to provide the Services

Digital Properties: The Koncert Public Site, each Koncert Private Site; and the Applications within an Integrated CRM Solution on a CRM Partner Site 

Integrated CRM Solution: Those CRM solutions designated on the Koncert Public Site with which we have integrated one or more of our Applications

Integrated Email Solution: Those email solutions (such as Gmail and Office 365) with which Koncert has integrated one or more of our Applications

Services: The various software as a service (SaaS) offerings that we make available to our Customers for their authorized user’s access to and use of the Applications online through a password-protected, customer-specific site that we make available (a “Koncert Private Site”). In addition to the Koncert Private Site, a Customer may have elected in its agreement with Koncert to enable (i) Koncert’s integration with an Integrated CRM Solution, (ii) Koncert’s integration with an Integrated Email Solution, and (iii) access to certain Applications from within an Integrated CRM Solution (a “CRM Partner Site”).

Information that we collect and how we use that information

(a) Information we collect from the Koncert Public Site

Voluntarily Provided Information. We collect the following Voluntarily Provided Information on the Koncert Public Site from our  various web submission forms: Your first name, your last name, your company name, the state or region of your location, your email address, your phone number, your comments to us, your LinkedIn address, our products that you indicate you are interested in learning more information about, and the CRM type that you indicate you are using.  

These web submission forms on the Koncert Public Site include, but are not limited to: demo requests, datasheet requests, contact requests, survey requests, and job application requests. Koncert may use your Voluntarily Provided Information to contact you about our products and services or about job opportunities at Koncert, depending on the nature of your inquiry to Koncert.  

We will never provide nor sell your Voluntarily Provided Information to third party product or service providers to market their products and services to you.  

You may opt out of Koncert using your Voluntarily Provided Information by contacting us at privacy@koncert.com. Within ten (10) days after our receipt of your opt out request, we will delete your Voluntarily Provided Information in our possession or control and cease any further attempt to contact you about our products and services or job opportunities at Koncert.

(b) Information that we collect from the Digital Properties
With respect to each active Customer, we logically partition and store the Customer’s information using a customer identifier and that information is accessible through a Koncert Private Site that is specific to that Customer.  

Following are the types of information (collectively referred to as the “Customer Provided Information”) that we collect on the Koncert Private Site: (i) the Customer’s account information such as the Customer’s name, mailing address, website address, and phone number; (ii) name, email address, and mailing address for each of the Customer’s principal contacts; (iii) name, username, and password specific to the Koncert Private Site, along with job title, organization department, phone number, and email address for each Customer’s authorized user for the Koncert Private Site; (iv) Customer prospect information to enable use of our Services which includes, but is not limited to: account name, contact name, title, phone number, and email address; (v) metadata relating to communication with Customer prospect via one or more modes of communication (for example call, email, etc.) initiated through the Applications; and (vi) information necessary to enable integration of an Application with Customer’s designated Integrated CRM Solution, if any.

With respect to our Customers who enable integration of an Application with an Integrated CRM Solution, during the deployment of Koncert Private Site for a Customer, the report folder and fields of data that will be used with the Applications are configured in collaboration between Koncert support staff and Customer. Except for the data from the Integrated CRM Solution as defined by the foregoing configuration, no other data in the Customer’s Integrated CRM Solution is exposed to, or collected by, Koncert. This privacy policy does not apply to, and Koncert has no responsibility with respect to, data stored in the Customer’s Integrated CRM Solution.

With respect to our Customers who enable integration of an Application with an Integrated Email Solution, each Customer user may configure the connectivity between Koncert Private Site and the Integrated Email Solution. 

The following limitations are applicable to the integration with an Integrated Email Solution:

  1. Allowed Use: Koncert will use restricted scope data to provide or improve user-facing features that are prominent from the requesting Application's user interface. It will be clear to Customer users why and how Koncert will use the restricted scope data they've chosen to share with us.
  2. Allowed Transfer: Koncert will only transfer restricted scope data to others if that transfer is (a) to comply with applicable laws, or (b) a part of a merger, acquisition or sale of assets of Koncert. Except the foregoing situations, no other transfers or sales of user data will be performed by Koncert.
  3. Prohibited Advertising: Koncert will never use or transfer restricted scope data to serve advertisements to Customer users. This includes personalized, re-targeted, and interest-based advertising.
  4. Prohibited Human Interaction: Koncert will not allow humans to read restricted scope user data. For example, Koncert will not allow its employees to read through a user's emails. There are four limited exceptions to this rule: (a) Koncert obtains a user's consent to read specific messages (for example, for tech support), (b) it's necessary for security purposes (for example, investigating abuse), (c) to comply with applicable laws, and (d) Koncert aggregates and anonymizes the data and only uses it for internal operations (for example, reporting aggregate statistics in an internal dashboard or improving the Services).

This privacy policy does not apply to, and Koncert has no responsibility with respect to data stored in the Customer’s Integrated Email Solution.

During the term of each Customer’s agreement with Koncert, our Customer can modify, delete and export its Customer Provided Information stored in the Applications. After the end of the term of Koncert’s agreement with its Customer, Koncert will continue to maintain the Customer Provided Information until the earlier of (i) 30 days after the agreement term, or (ii) within 10 days after Customer’s authorized representative has directed Koncert to delete all Customer Provided Information. Koncert does not collect or store login password for Integrated CRM Solutions if single sign-on features are used in the integration of the Applications with an Integrated CRM Solution.

We only retain and use a Customer’s Customer Provided Information to provide that Customer the Services that the Customer has entered into an agreement with Koncert to provide, and as described in the “Other disclosures” section below.

Google API Services - Usage Disclosure

Koncert's use and transfer to any other app of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.

(c) Site usage information that we collect on our Digital Properties
Through the use of cookies (as further described below), information is collected automatically when you access our Digital Properties through a web browser or communicate with us through a web browser on those sites. This information includes data about your visit, including the pages you view, the links you click, and other actions taken in connection with our Digital Properties. We also collect certain standard information that your browser sends to our Digital Properties that you visit, such as your IP address, browser type and language, access times, and referring website addresses. When you receive our newsletters or promotional emails, we may use Web beacons (described below), customized links, or similar technologies to determine whether the email has been opened and which links you click in order to tailor our newsletters, promotional emails, and prospecting activities to your interests.

With respect to our Customers, we require each Customer’s authorized users to log in to the Applications to use our Services. We monitor and collect certain usage information in connection with the use of our Services. For example, we track the computer or other device that an authorized user is logging in from, the Applications and Services that are used by the authorized user, and other usage data such as the date and time the Applications and Services were used.

Cookies: When you visit our Digital Properties, we send one or more “cookies” to your computer or other devices. Cookies are alphanumeric identifiers stored on your computer or device through your web browser and are used by most websites to help personalize your web experience. Some cookies may facilitate additional site features for enhanced performance and functionality such as remembering preferences, allowing social interactions, analyzing usage for site optimization, providing custom content and serving images or videos from third party websites. Some features on our Digital Properties will not function if you do not allow cookies. We may link the information we store in cookies to any Voluntarily Provided Information or Customer Provided Information that you submit while on any of our Digital Properties. We use both session ID cookies and persistent cookies. A session ID cookie expires when you close your browser, while a persistent cookie remains on your hard drive for an extended period. Persistent cookies enable us to track and target the interests of our users to enhance their experience on our Digital Properties. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file. Functional cookies, both persistent and session, store information to enable core site functionality, such as Live Chat and login credential remembrance. Analytics cookies allow us to count page visits and traffic sources so we can measure and improve the performance of our Digital Properties and our marketing campaigns. If you reject cookies, you may still use the Digital Property pertaining to the deleted cookie, but some features on that site will not function properly.

Web Beacons: We use Web Beacons alone or in conjunction with cookies to compile information about our Digital Properties. A Web Beacon is a tiny graphic object that is embedded in a web page or email and is usually invisible to the user but allows checking that a user has viewed the page or email. Web Beacons may be used within the Digital Properties to track email open rates, web page visits, or form submissions. In some cases, we tie the information gathered by Web Beacons to the Voluntarily Provided Information or the Customer Provided Information. For example, we use clear gifs in our HTML emails to let us know which emails potential respondents have been opened. This allows us to gauge the effectiveness of certain communications and the effectiveness of our services.

Third Party Tracking Technologies: The use of cookies and web beacons by any tracking utility company or third-party service provider is not covered by this privacy policy. We do not have access or control over these cookies and web beacons.

Analytics Software: We and our third-party tracking-utility partners use log files on the Koncert Public Site to gather certain information automatically and store it for analytical purposes. This information includes internet protocol (“IP”) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to track and aggregate non-personally identifiable information to analyze trends, administer our Digital Properties, track users’ movements around our Digital Properties, and to gather demographic information about our user base in the aggregate.

Social Media Features and Widgets: The Koncert Public Site includes social media features such as Twitter and LinkedIn. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social Media Features and widgets are either hosted by a third party or hosted directly on our Digital Properties. Your interactions with these Features are governed by the policy of the company providing it. We do not enable social media features on the Koncert Private Site or the CRM Partner Site unless the Customer enables such social media features on its Koncert Private Site or the CRM Partner Site.

"Do not track" and similar mechanisms: Some web browsers may transmit "do not track" signals to websites that are in communication with the website. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they are even aware of them. Participants in the leading Internet standards-setting organization that is addressing this issue are in the process of determining what, if anything, websites should do when they receive such signals. Koncert currently does not take action in response to these signals. If and when a final standard is established and accepted, we will reassess how to respond to these signals.

Other Disclosure

In addition to the disclosures reasonably necessary for the purposes identified elsewhere in this privacy policy, we may disclose Voluntarily Provided Information and Company Provided Information in the following circumstances: (i) to the extent that we are required to do so by law; (ii) in connection with any legal proceedings or prospective legal proceedings; (iii) in order to establish, exercise, or defend our legal rights; and (iv) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Security

We will take reasonable precautions to prevent the loss, misuse or alteration of your personal information. Data transmission over the Internet is inherently insecure and we cannot guarantee the security of data sent over the Internet. Koncert requires the use of Secure Socket Layer (SSL) encryption while utilizing our Services, which ensures that our Customer’s data is encrypted during the transmission between a Customer’s authorized user’s browser and Koncert’s servers. Data encryption mitigates the risk that no unauthorized changes are made to the data during transmission and mitigates the risk that the data will be viewed during transmission by any unauthorized party. Each Customer’s data set in our possession or control is logically partitioned using a customer identifier and stored in our data center.  Each Customer’s authorized user is responsible for keeping his or her password to our Applications confidential. In the case of integration with an Integrated CRM Solution using single sign on we will not ask you for your passwords.

Policy amendments

We may update this privacy policy from time to time by posting a new version on the Koncert Public Site. We encourage you to periodically review this privacy policy to be informed of how Koncert is protecting your information.

Third party websites

The Koncert Public Site may contain links to other websites. We are not responsible for the privacy policies of third-party websites or such site operators’ actions including the collection or use of your personal information.

Accountability for Onward Transfers

Koncert uses a limited number of third-party service providers to assist us in providing our Services to Customers. These third-party providers assist with the transmission of data, provide data storage services, and assist with certain call handling features that require manual intervention (“Call Handlers”). Call Handlers only receive temporary encrypted remote access to a small subset of Customer Provided Information necessary to perform their services and Customer Provided Information is not stored on Call Handler computers or devices. Koncert’s data transmission and data storage service providers all certify compliance with the EU-U.S. DPF and Swiss-U.S. DPF and are restricted from direct access to Voluntarily Provided Information and Customer Provided Information. Only if necessary, these service providers may be granted access to such information only to the extent necessary to permit them to perform their contracted services, and they are bound by confidentiality agreements and are restricted from using the information for other purposes.

Access and "right to be forgotten"

EU-U.S. DPF and Swiss-U.S. DPF provides EU and Swiss residents the “right to be forgotten” by controllers and processors and CCPA provides California residents with the right to have their records deleted. If an individual data subject requests their data to be removed, controllers are responsible for deleting the data from their systems and ensuring processors delete data as well. Upon request to privacy@koncert.com, Koncert will grant individuals in the EU and California reasonable access to their personal information in Koncert’s possession or control and allow the individual to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. In this regard, Koncert depends on its Customers to update and correct personal information to the extent necessary for the purposes for which the information was collected or subsequently authorized by the individuals. Individual data subjects and Koncert customers may contact Koncert as indicated below to request that Koncert update or correct or delete relevant personal information.

EU-U.S. and Swiss-U.S. Data Privacy Framework

Koncert complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and Swiss-U.S. Data Privacy Framework (Swiss-U.S DPF) as set forth by the U.S. Department of Commerce.   Koncert has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Koncert has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification,  please visit https://www.dataprivacyframework.gov/

Koncert processes data submitted by our Customers for the purpose of us providing our Services to our Customers. To fulfill these purposes, Koncert may access the data to provide the Services, to correct and address technical or service problems, or to follow instructions of our Customer who submitted the data, or in response to contractual requirements.

Koncert’s participation in the EU-U.S. DPF ans Swiss-U.S. DPF applies to all personal information that is subject to this privacy policy and is received by or on behalf of Koncert from the European Union and European Economic Area. Koncert will comply with the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework Principles in respect of such personal information. If there is any conflict between the terms in this privacy policy and the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework Principles, the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework Principles shall govern in respect of such personal information. Koncert’s adherence to the EU-U.S. Privacy Framework and Swiss-U.S. Data Privacy Framework Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements.

Koncert’s accountability for personal information that it receives under the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework subsequently transfers to a third party is described in the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework PrinciplesIn particular, Koncert remains responsible and liable under the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framer work Principles if third-party agents that we engage to process personal information on our behalf do so in a manner inconsistent with the EU-U.S. Data Privacy Framework and Swiss-U.S Data Privacy Framework Principles, unless we prove that we are not responsible for the event giving rise to the damage.

EU residents have rights to access personal data about them, and to limit the use and disclosure of their personal data. With our EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework certification, Koncert has committed to respect those rightsBecause Koncert personnel have limited ability to access data our Customers submit to our services, if you wish to request access, to limit use, or to limit disclosure, please provide the name of the Koncert Customer who submitted your data to our ServicesWe will refer your request to that Customer and will support them as needed in responding to your request.

In addition, Koncert provides individuals with certain choices regarding how we use and disclose personal information we receive under the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy FrameworkFirst, if Koncert uses your personal information for a materially different purpose than that for which it was originally collected or discloses your personal information to a third party (other than third party providers acting on our behalf), we will first provide you with a clear, conspicuous, and readily available mechanism to opt-out of any such use or disclosure (for example, by sending you an email seeking your consent).  If you have any questions about your choices regarding how we use and disclose your personal information, or how to exercise these choices, please contact us according to the “Contact” section below.

Contact

If you have any questions about this privacy policy or our treatment of your personal information or our compliance with EU-U.S. DPF and Swiss-U.S. DPF or CCPA, please write to us by email to privacy@koncert.com or by mail to Koncert, 47 Enterprise Dr, Windham, NH  03087.


In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Koncert commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Koncert at: 

Data Protection Officer (DPO)
Koncert
privacy@koncert.com

Dispute Resolution

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Koncert commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF to VeraSafe Data Privacy Framework Dispute Resolution Procedure, an alternative dispute resolution provider based in the United States and the European Union.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.verasafe.com/public-resources/dispute-resolution/submit-dispute/ for more information or to file a complaint.  The services of VeraSafe Data Privacy Framework Dispute Resolution Procedure are provided at no cost to you.

Koncert is obligated to arbitrate claims and follow the terms as set forth in ANNEX-I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to Koncert and following the procedures and subject to conditions set forth in ANNEX-I of Principles.

The Federal Trade Commission has jurisdiction over Koncert's compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).