Planview Privacy

Planview’s Privacy Policy is an internal guidance for how employees and contractors shall process and handle personal identifiable information of customers, users and prospects. The policy is complemented by specific instructions to each business area, depending on the nature of that business area and what personal identifiable information they process.

From a privacy perspective, Plainview’s operations are divided between processing activities we perform on behalf of our customers (our services), and activities performed for our own business (marketing). Our responsibilities are varying depending on the subject matter of the processing activities.

UPDATE WITH REGARDS TO NEW EU (202I/914) STANDARD CONTRACTUAL MODEL CLAUSES

Data transfers due to the new EU (2021/914) Standard Contractual Model Clauses (“SCC”), and in accordance with “Schrems II”.

Planview uses EU based data centers for hosting EMEA customer data. In the event customer is based outside EU, and Planview is instructed to process personal data of customers’ users based within EU, the EU Model Clauses shall be signed by the parties.

Planview’s data protection security program supplements the SCC’s. Regular testing, assessments, certifications, and reviews of security measures are performed to evaluate its effectiveness.

Planview believes the SCC in combination with all other safeguards in place align with the GDPR requirements. However, Planview follows the development and guidance’s from the EU Supervisory authorities and the EDPS closely for additional supplementary arrangements as updated.

The California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) expands upon the privacy rights available to Californian citizens, listing data protection requirements with which companies must comply. Planview is adhering to the CCPA requirements, including opinions and guidance’s from regulatory authorities. Planview does not “sell” our customers’ personal identifiable information (PII). Planview does not rent, disclose, release, transfer, make available or otherwise communicate PII to a third party for monetary or other valuable consideration. Planview does share user aggregated and/or anonymized information regarding customer and users’ usage of our offered services with third parties (i.e. Sub-processors) through integrations, for the performance of the contracted services and to provide customers with more relevant content of our services. As Planview is a SaaS provider and processes customer and user data only as instructed for the purpose of executing the services as we’ve committed to in our customer contracts, we do not distribute or deploy customer data for any other commercial purposes.

For information of what PII we have received or collected of you as a user, or to exercise your rights as a registered, please make a request at our Data Subjects Access Request portal (DSAR).

EU General Data Protection Regulation (GDPR)

As a global company, Planview understands the important link between privacy and customer trust. All Planview entities adhere to the GDPR requirements. The appointment and ongoing efforts of a dedicated Data Privacy Officer (DPO), based in EU (Sweden), are the basis of an increased focus toward earning that trust.

The principles relating to processing of personal data as stated in the GDPR are focus for our compliance work.

• Lawfulness – We process personal data strictly for our own business, and in accordance with our privacy policy. We inform customers and individuals about our processing activities in our privacy statement. Our Data Processing Agreement (DPA) is available for any and all to review.

• Purpose limitation – We process personal data strictly for the purpose of 1) fulfilling the contractual requirements agreed upon between our customers and us, and/or 2) marketing our products to customers and prospects.

• Data Minimization – We require only identifiable contact information of customers and users of our products, as well as for our marketing activities. Customer records are regularly reviewed and evaluated for accuracy. We have processes in place to ensure we fulfill the rights of a registered individual (data subject) by our DSAR portal.

• Storage limitation (retention) – We keep and store customer data during the term of contract. Customer accounts are deleted after termination of the relationship. Back up logs are stored for an extended amount of time. Information in customer and user records are stored in our marketing systems for one year following termination of the contract. Consent is required for longer storage. At any time during the term of the contract, all customer data used in the product is offered portability.

• Integrity and confidentiality – We have implemented technical and organizational measures to protect and secure data, including access controls and authorization requirements. All employees are subject to our privacy policy and specific instructions. Annual mandatory trainings and seminars are provided to ensure sufficient awareness and knowledge is achieved. For further description of our technical measures to protect data, please review our information of security.