Zenfolio Data Protection Framework

Last Updated: November 17, 2023

DATA PRIVACY FRAMEWORK CERTIFICATION

Zenfolio, Inc. (hereinafter, “Zenfolio,” “we,” or “us”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  Zenfolio has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF.  Zenfolio has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. The EU-U.S. DPF Principles and Swiss-U.S. DPF Principles shall be referred to collectively as the “DPF Principles”. To learn more about the Data Privacy Framework (DPF) program and the DPF Principles, and to view our certification, please visit https://www.dataprivacyframework.gov/.  

 Personal Data Processed by Zenfolio as a Controller

1. Purposes of Data Processing. As a data controller, Zenfolio processes personal data for the purpose of providing services to our customers and potential customers, providing administrative and security functions related to our services, recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time we collect personal data. 

2. Types of Personal Data. The Zenfolio Privacy Policy/Notice describes the types of personal data that we collect in our role as a data controller.

3. Third Parties Who May Receive Personal Data. As described in the  Zenfolio Privacy Policy/Notice (Section 7. Third-Party Disclosures), Zenfolio uses a limited number of third-party service providers (i.e., subprocessors) to assist us process personal data. These subprocessors generally offer IT infrastructure and similar technical support, help protect security and monitor performance of our services, and assist us in our marketing programs. These third parties may access, process, or store personal data in the course of providing their services. Zenfolio maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our data protection obligations. See below, Accountability for Onward Transfer.

4. Rights to Access, Limit Use, and to Limit Disclosure of Personal Data. Individuals in the European Union, United Kingdom (and Gibraltar), and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. With our Data Privacy Framework self-certification, Zenfolio has committed to respect those rights. The Zenfolio Privacy Policy/Notice describes, in more detail, the data protection rights and responsibilities you may have and how you may exercise them. If you have questions regarding this Privacy Policy or our handling of your personal information, would like to request more information from us, or would like to exercise a data privacy right, please contact us at any of the following: (email) [email protected] or (mail) Zenfolio Inc., Attn: Legal Department – Privacy, 303 Twin Dolphin Dr, 6th Flr, Redwood City, CA 94065.

 Personal Data Processed by Zenfolio as a Processor

1. Purposes of Data Processing. Zenfolio photography portfolio websites make it easy for photographers (our “Clients”) to showcase their work and offer related services. As a data processor, Zenfolio processes personal data concerning the customers or end-users of our own Clients. In these circumstances, Zenfolio processes personal data in accordance with a data processing agreement, or similar data privacy contractual terms, with our Client.

2. Types of Personal Data. As a data processor, Zenfolio processes personal data concerning the customers or end-users of our own Clients, which may include their name, shipping address, email, telephone number, account usernames and registration information, payment card data, and individuals depicted in photographer’s images and photographs. 

3. Third Parties Who May Receive Personal Data. Zenfolio uses a limited number of subprocessors to assist us in providing our services to our Clients, and these subprocessors are set forth in the data processing agreement or similar privacy contractual terms that we execute with our Clients. These subprocessors offer IT infrastructure and similar technical support and help protect security and monitor performance of our services. These third parties may access, process, or store personal data in the course of providing their services. Zenfolio maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions. See below, Accountability for Onward Transfer.

4. Rights to Access, Limit Use, and to Limit Disclosure of Personal Data. Individuals in the European Union, United Kingdom (and Gibraltar), and Switzerland have rights to access personal data about them, and to limit use and disclosure of their personal data. With our Data Privacy Framework self-certification, Zenfolio has committed to respect those rights. Because Zenfolio personnel have limited ability to access personal data that our Clients submit to our services, if you wish to request access to, or to limit use or to limit disclosure of, your personal data, please provide us with the name of the Zenfolio Client who submitted your personal data to our services. Thereafter, we will refer your request to that Client, and we will support them as needed in responding to your data privacy request.

Security

Zenfolio takes reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. We will permit only authorized personnel, who are trained in the proper handling of personal information, to have access to that personal data. When we adopt and implement new data protection policies, we promptly notify our personnel and/or reminded them about the importance we place on data privacy and information security, and what they can do to protect personal data. Employees who violate our security and privacy policies will be subject to our disciplinary process. We employ security measures to protect your information from access by unauthorized persons and against unlawful processing, accidental loss, destruction and damage.

Data Integrity and Purpose Limitation

Zenfolio will retain personal data for a reasonable period of time, taking into account legitimate business needs to capture and retain such data. Information will also be retained for a period of time necessary to comply with state, local, federal regulations, or country specific regulations and requirements, and in accordance with our records retention schedules or practices. We will not use personal data in a manner that is incompatible with the purpose for which it was originally collected without providing data subjects with notice and an opportunity to opt-out.

Accountability for Onward Transfer

Zenfolio may transfer personal data we collect and process to organizations acting as our subprocessors, when we are serving as a data processor; and, as otherwise set forth in the Zenfolio Privacy Policy/Notice (Section 7. Third-Party Disclosures), when we are serving as a data controller.  More specifically, Zenfolio may share personal data with external third parties, such as vendors, consultants and other service providers who are performing certain services on behalf of Zenfolio. Such third parties have access to personal data solely for the purposes of performing the services specified in the applicable service contract, and not for any other purpose. Zenfolio requires these third parties to undertake security measures consistent with the protections specified herein.

ZENFOLIO SHALL REMAIN LIABLE IF OUR SERVICE PROVIDERS, SUBPROCESSORS, OR OTHER AGENTS PROCESS SUCH PERSONAL DATA IN A MANNER INCONSISTENT WITH THE DPF AND OUR OBLIGATIONS TO YOU, UNLESS WE CAN PROVE THAT WE ARE NOT RESPONSIBLE FOR THE EVENT GIVING RISE TO THE DAMAGE.

In the event Zenfolio transfers personal data to a third party acting as a controller, we will do so consistent with any notice provided to data subjects and any consent they have given (where applicable), and only to the extent we assurances that the third party will (i) process the personal data for limited and specified purposes consistent with any consent provided, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so, and (iii) cease processing of the personal data or take other reasonable and appropriate steps to remediate if it makes such a determination. If Zenfolio has knowledge that a third party acting as a controller is processing personal data in a manner inconsistent with the DPF Principles, Zenfolio will take reasonable steps to prevent or stop such processing. We may be required to disclose personal data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.

Inquiries and Dispute Resolution

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Zenfolio commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Zenfolio at: (email) [email protected] or (mail) Zenfolio Inc., Attn: Legal Department – Privacy, 303 Twin Dolphin Dr, 6th Flr, Redwood City, CA 94065.

In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Zenfolio commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The JAMS Data Privacy Framework Dispute Resolution services are provided at no cost to you.

If neither Zenfolio nor our dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the EU-U.S. Data Privacy Framework Principles, which is available at https://www.dataprivacyframework.gov/s/framework-text.

 U.S. Federal Trade Commission Enforcement

The Federal Trade Commission has jurisdiction over Zenfolio’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

Compelled Disclosure

Zenfolio may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

 Contact Us

If you have questions regarding our DPF Certification or our handling of your personal information, would like to request more information from us, or would like to exercise a data privacy right, please contact us at any of the following: (email) [email protected] or (mail) Zenfolio Inc., Attn: Legal Department – Privacy, 303 Twin Dolphin Dr, 6th Flr, Redwood City, CA 94065.