Global Privacy Notice

Date of last update: 23 August 2023

This Privacy Notice applies to ISI PSG Holdings d.b.a. Extu (collectively “Extu”, “we” or “our”) and describes how each of these companies uses your personal data. For more details about these companies please see section 14 (Contact Us).

Extu runs business-to-business digital through channel marketing campaigns and data analytics for our clients. As part of our services, we create webpages and produce communications, marketing materials and social media posts (“Marketing Materials”). We also provide lead qualification, lead generation and other marketing-related services through our websites (which are owned and operated by Extu), including www.extu.com (“Sites”). Sometimes we work with third party organizations (such as technology brands) who sponsor certain marketing-related services to make those services more widely available to our clients.

This Privacy Notice applies to (i) individuals who use or visit Extu’s Sites or Marketing Materials, and (ii) individuals whose personal data Extu processes in connection with the provision of our services (in each case “you” or “your”).

Extu operates in several jurisdictions, therefore our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements. Where applicable we will call out any differences in local privacy notices given to you when your data is collected.

1. Who is responsible for your personal data

  1. Extu – except as set out in paragraph 1(b) below, Extu process personal data for their own purposes (in some jurisdictions we are called the controller or responsible party). See Section 14 (Contact Us) for further details.
  2. Our clients – when Extu processes personal data in the course of providing services to clients, it is our clients that are (for the most part) responsible for the processing*. This means that we only process according to our clients’ instructions and on their behalf (in some jurisdictions this makes us a processor). We identify when we are acting as a processor in this policy by indicating that we are performing the processing on behalf of our client. Typically, our clients will provide us with personal data about those individuals with whom they have (or wish to have) a business relationship and we will use that data to provide our services to them. In this situation, it is our clients who are responsible for ensuring any personal data complies with applicable law and their privacy notices will apply.
    However, if we supplement our clients’ data or obtain additional data on behalf of our clients (e.g. in connection with our lead generation services) then typically both Extu and the client will be separate controllers (or separate responsible parties) in respect of that data and our respective privacy notices will apply.
    * The word “processing” (and its derivatives) covers anything that can be done with your personal data, such as collecting, storing, using, deleting, transferring, sharing and disclosing.
  3. Our sponsors – Extu works with third party organizations (e.g. technology brands) who sponsor the provision of certain services to our clients. We call these organizations “sponsors”. We may share limited personal data with these organizations in connection with their sponsorship (as described below) and when we do so, they will be responsible for that data (i.e. as controllers or responsible parties).

2. How we obtain your personal data

  1. We may obtain your personal data directly from you, for example when you:
    • communicate with us (e.g. by email or telephone)
    • respond to or participate in any polls or surveys, or provide feedback on products or services
    • subscribe to receive communications (such as newsletters or alerts) or notifications about offers
    • enter into any competitions or sign up for a webinar or event
    • respond to our lead qualification calls
    • complete a form to request pricing or more product data, or request that we contact you
    • access and use our Marketing Materials or Sites
    • otherwise interact with us or disclose your personal data to us; or
    • register to use any of our services on behalf of a client.
  2. We may also obtain personal data about you from third party sources, for example:
    • from our clients, sponsors or suppliers
    • social media platforms may share data about how you interact with our content or the content of third parties with whom you have a relationship (e.g. you’re a customer of theirs). Any data gathered through these social media platforms will be collected in accordance with the privacy settings, policies and/or procedures of the relevant platform, which we strongly recommend you to review
    • third party data sources, such as data providers or public databases.

3. Personal data we collect

  1. Personal data is any information about you from which you can be directly or indirectly identified. Depending on how and why we interact with you (see above), we may obtain any of the following categories of personal data about you:
    • contact details (such as your name, email address, telephone number)
    • employment details (such as job title, company you work for)
    • unique identifiers (such as your customer number or advertising ID number)
    • relationship information (such as your opinions, comments and preferences)
    • transaction information (such as details of your interactions with our website and services)
    • online and technical information (such as your IP address and pages visited and data collected by our cookies)
    • inferred and derived information (such as metrics and analytics).
  2. In some cases it is possible for you to engage with us anonymously or using a pseudonym. For example, if you wish to give feedback without requiring a response from us, you do not have to provide us with your full name or email address. However, if you do not provide us with some or all of the personal data requested, we may not be able to fulfil your request.
  3. When we provide services on behalf of our clients, they may provide us with personal data about you (typically contact and relationship details). We may supplement that data with additional information as required by our clients as part of our provision of services.
  4. In addition to the above, if you are an employee of one of our clients or any other organisation with whom we do business (such as our sponsors or suppliers), we may obtain personal data about you if (i) you register to use our services and/or (ii) you or your employer provide us with your details as a point of contact. The personal data we may get about you will generally be limited to your contact details and other information that we need for our business relationship with your company.

4. Purposes for which we process your personal data

We may process your personal data for some or all of the following purposes:

  1. provision of services – we may process your personal data in order to:
    • provide and administer our services
    • manage our relationship with you and the organisation you represent
    • provide customer support and respond to questions, queries, requests for data and applications
    • send digital marketing material on behalf of our clients, including marketing emails, posts on social media platforms or display advertising
    • follow up on leads from our digital marketing activities on our clients’ behalf
    • develop and improve our services, including our Sites and Marketing Materials and provide a more personalised service
    • manage and carry out our business and operational functions, including business decisions and technical operations
    • validate sales, register a sales opportunity or otherwise process transactions
  2. competitions and promotions – we may process your personal data to operate competitions and promotions including determining entry eligibility, awarding prizes and publishing or otherwise making available a list of prize winners. Each time we will identify if the competition or promotion is being operated by us or one of our clients.
  3. analytics – we may analyze your personal data to:
    • improve and measure the effectiveness of our services
    • gain insights into how our services are being used and by whom
    • help us to generate new leads
    • help us to better understand visitors to our sites and users of our services.
    To assist us with the above activities we may combine personal data with other data which we may source from our Sites, Marketing Materials or third parties. We may also use your personal data in the creation of anonymised datasets.
  4. marketing and advertising – we may process your personal data to:
    • conduct marketing and advertising activities, including displaying content on our Sites and Marketing Materials and serving display advertising on third party websites
    • analyse the effectiveness and optimise the performance of any specific marketing campaign we undertake, including on behalf of our clients
    • undertake re-marketing and to permit our clients or third party suppliers to undertake re-marketing – please see further our Cookie Notice for more information
    • provide data about our services, including through the distribution of newsletters and other communications about our services and your use of our services.

5. Direct marketing

  1. Sending you marketing – we may use your personal data to send you direct marketing communications by email, telephone or text where we (or our clients) have obtained your prior consent, or we are able to rely on another lawful basis to send such communications (such as our legitimate interests).
  2. Right to opt out – you have the right to opt out of receiving any further marketing communications from us at any time.  You can do this by clicking on the unsubscribe link in a marketing communication, or by contacting our Privacy Officer directly you have the right to opt out of receiving any further marketing communications that we send at any time. You can do this by clicking on the unsubscribe link in a marketing communication, or by contacting our Privacy Officer directly (see Contact Us). Please note that if you unsubscribe with us, this relates to marketing communication sent by us. If this concerns communication that we have sent on behalf of a client, we will inform the client accordingly. We are not, however, responsible for any marketing communications sent by clients direct to you, as the client is itself responsible for managing its own marketing lists.

6. Who we share your personal data with and why

Depending on the purposes for which we have obtained your personal data, we may share it with others as follows:

  1. Extu group companies – we may share personal data within the Extu group of companies (as identified in the Contact Us section):
  2. Clients – we may share personal data with our clients in order to provide the services described in Section 4 above, such as:
    • for marketing and advertising
    • to analyse the effectiveness and optimise the performance of marketing campaigns
    • to administer client promotions and contests
    • to validate a sale, register a sales opportunity or assist with or fulfil a transaction
  3. Sponsors – we may share limited personal data with our sponsors in connection with the provision of our services to clients and to verify the effectiveness of those services.
  4. Third party suppliers – we may share personal data with our third party suppliers (i.e. third parties that provide products and services to us and our clients) in order to:
    • provide our services
    • help us deliver, administer, host and support our functions and activities
    • help maintain our Sites, Marketing Materials and databases
    • provide marketing services, including telemarketing services, data analysis and serving advertising
    • provide IT services, including data processing, storage and backup.
    Our service providers are required to keep personal data secure and their use of personal data is limited to the provision of services to us.

We may share your personal data if permitted by applicable law such as (i) to an acquiring entity if decide to merge, divest, restructure, reorganize, dissolve, sell or transfer some or all of our assets, (ii) to enforce our rights and contracts, (iii) if we have your consent or (iv) if it anonymized.

We will also share your personal data when required to do so by law, such as in response to a subpoena, including to law enforcement agencies, regulators and courts in the United States and other countries where we operate.

7. Legal basis for processing your data

We will only process your personal data where we have a lawful basis for doing so. The following are the lawful bases that we rely upon to justify our processing:

  1. your consent – we will process your personal data with your prior consent (which you may give directly to us, or to other organisations (such as our clients or third party data providers). For example, if you register to receive our newsletter then you may also opt in (consent) to receive marketing communications. You can withdraw your consent at any time – please see Section 11 (Your privacy rights)
  2. legitimate interests – we will process your personal data if necessary for the purposes of our legitimate interests, or the legitimate interests of our clients, sponsors (or other third parties), as long as these interests are not overridden by your fundamental privacy rights. For example, we may process your personal data for the following legitimate interests:
    • our own direct marketing activities (except where applicable law requires your consent)
    • provision of services to our clients or sponsors
    • our own internal management and administrative purposes (including verifying the effectiveness and performance of our services and creating anonymised datasets)
    • personalisation of the service(s) we provide to you and to gain a better understanding of our visitors/users/customers (and their end customers where applicable)
    • ensuring network and data security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems, and/or
    • reporting possible criminal acts or threats to public security to a competent authority
    • disclosure or transfer of personal data in the event of a merger, divest, restructure, reorganize, dissolve, sell or transfer of some or all our assets (except where applicable law requires your consent)
    • other everyday business purposes, such as for account management, quality control, website administration, business continuity and disaster recovery, security and fraud prevention, corporate governance, reporting and compliance.
  3. compliance with law – we will process your personal data if it is necessary to comply with a legal requirement (for example, to manage marketing opt-outs, comply with a court order requiring us to make a disclosure to law enforcement agencies, or to comply with employment or tax laws or other regulatory provisions).

8. Data retention

We will retain your personal data for as long as that data is needed for the purposes described above and for any additional period that may be required or permitted by applicable law. The length of time your personal data is retained depends on the purpose(s) for which it was collected, how it is used and the requirements to comply with applicable law. We will take all reasonable steps to delete or anonymise personal data that we no longer need for any of the purposes described above in accordance with our data disposal and retention policy, and applicable law.

9. International transfers

Extu is a global group of companies (see Contact Us for list of group companies) and your personal data may be transferred to other countries in connection with the provision of our services. We operate in Asia Pacific (including Australia, New Zealand and Philippines), North America (including the United States and Canada) as well as in the European Economic Area and the UK. Some of these countries may not have the same level of data protection that is in place in your country. However, rest assured that, before we transfer your personal data to these overseas recipients, we will take all reasonable steps to ensure that your personal data is only used for authorized purposes, in a manner that is consistent with our Privacy Notice and adequately protected using appropriate technical, organizational, contractual or other lawful means.
We generally use approved Standard Contractual Clauses to assure that personal data is adequately protected when it is transferred from the EEA, the UK, or Switzerland (or countries with similar transfer restrictions) to countries without an adequate level of data protection, but we may also make transfers using other approved mechanisms. Please contact our Privacy Officer via email to privacy@extu.com if you would like more information.

10. Keeping your data secure

  1. Our security measures – we take the security of your personal data seriously. We have implemented procedures to safeguard the security and confidentiality of your personal data. These measures include:
    • storing personal data in a secure environment and imposing electronic and physical restrictions to files containing personal data
    • procedures designed to safeguard personal data from misuse, interference, loss and unauthorised access, modification or disclosure
    • restricting access to authorized personnel for permitted purposes only.
  2. Transmission of data over the Internet – whilst we continually strive to ensure our systems and controls are updated to reflect technological changes, the transmission of data via the internet is not completely secure. If you communicate with us using a non-secure method, such as email, please do not transmit any sensitive personal data.
  3. How you can help to keep your data secure – you can help keep your data secure by ensuring you do not share any username and/or password (that you use in relation to our services) with any other person. You should stop using your username and password and notify us immediately if you suspect that someone else may be using them (see Contact Us below).

11. Your privacy rights

Extu respects the rights you may have under applicable law, which may include:

  1. access – the right to request information about our processing of your personal data and to get access to that data
  2. rectification – the right to request that we rectify or modify any personal data that we hold about you that is incorrect or incomplete
  3. erasure – the right to request the erasure of personal data that we process about you in certain circumstances
  4. restrict processing – the right to ask us to restrict the processing of your personal data in certain circumstances
  5. data portability – the right to receive certain personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller. This right only applies to personal data that you have provided to us and that we process based on your consent or for the purpose of entering into or performing a contract
  6. objection – the right to object to the processing of your personal data where that processing is based on our legitimate interests. You have the right to opt out of direct marketing, including profiling, at any time. You can unsubscribe from direct marketing e-mails by clicking on the unsubscribe link that will be included in any marketing email we send you, or by contacting our Privacy Officer (see Contact Us)
  7. Right to withdraw your consent – where you have consented to the processing of your personal data, you have the right to withdraw your consent at any time. You can do so by contacting us (see Contact Us). If you withdraw your consent it will not affect the lawfulness of any processing that has already taken place based on your consent prior to its withdrawal.

To learn about the specific rights that you have and how to exercise your rights, you can contact our Privacy Officer at any time (see Contact Us). Where we process personal data about you on behalf of our clients (i.e. as a processor), we will use good faith efforts to refer you to the appropriate client or sponsor.
If you are a resident of California, USA, the California Privacy Act (CCPA) gives you the right to object to the sale of your personal data. Extu does not sell personal data. We only disclose personal data to third parties who are service providers or third parties for a business purposes, or to third parties at your direction, such as if you authorize the sharing or accept third party advertising cookies.

12. Use of cookies and other web tracking devices

For details of how we use cookies and other similar technologies – please see our Cookie Notice.

13. Complaints

  1. How we handle complaints – we take complaints seriously and will attempt to resolve any issues quickly and fairly. If you think we have not complied with our privacy obligations or this Privacy Notice, please contact us (see Contact Us). If you make a complaint, our Privacy Officer will contact you to try to resolve the matter. We may ask you for further details, consult with other parties and keep records regarding your complaint. We will notify you of the outcome of any investigation into your complaint once this is complete, including any actions we will take to address your complaint.
  2. Your right to complain to a regulator – if you believe we have not complied with our obligations under applicable privacy law, or you are unhappy about the way we have handled your privacy complaint, you have the right to complain to the relevant regulator. For example:
    • Europe: you can find your European national data protection authority by clicking here or by visiting the European Commission website (europa.eu), or
    • Australia: there is a Contact Us option on the website for the Office of the Australian Information Commissioner (https://www.oaic.gov.au/)
    • UK: there is a Contact Us option on the website for the Office of the Information Commissioner (https://ico.org.uk)
    But before you make a formal complaint to a regulator we very much hope you will give us a chance to address your concerns first.

14. Contact Us

If you wish to contact us for any reason, including to exercise any of your privacy rights, or to make a complaint about our handling of your personal data, you can do so as follows:

Contact:                 Privacy Officer
Email:                   privacy@extu.com

EU representative:     atprivacy GmbH,
Attn.OneAffiniti Ltd
Kattjahren 4, 22359 Hamburg, Germany.
Email:                oneaffiniti@gdpr-eu-rep.de

Asia Pacific

Company name:     Finnigan Investments (Australia) Pty Ltd
Contact address:     Suite 7, Level 10, 109 Pitt Street, Sydney NSW Australia
Tel:                         +61 2 8599 9898

Europe

Company name:      OneAffiniti Ltd
Contact address:     Venture House, 2 Arlington Square, Bracknell RG12 1WA, United Kingdom
Tel:                         +44 01344 289070

North America

Company name:     OneAffiniti LLC
Contact address:     9600 Great Hills Trail, Suite 220W Austin TX 78759, United States
Tel:                         +1 512 982 0928

15. Changes to this Privacy Notice

We keep this Privacy Notice under review and may revise it from time to time. Any revised Privacy Notice will take effect when it is published on our website. For the avoidance of doubt, any update to the online policy shall constitute notice to you.