Last updated: January 23, 2020
ON24, Inc. and our subsidiaries (collectively, “ON24,” “our,” “us” or “we”) recognize the importance of privacy. ON24 is committed to protecting the personal information of our clients and prospective clients, as well as other users of our websites and services.
This table provides a summary of the personal information we collect and how we us it, which is further explained below. While the actual information we collect and our use of such personal information varies depending upon the nature of our relationship and interactions, the table below provides a general overview of the categories of personal information we collect and the purposes for which we use such information.
|Categories of Personal Information We Collect||Use of Personal Information|
|Name, contact information and other identifiers: identifiers such as a name, username, account name, address, phone number, email address, online identifier, IP address, or other similar identifiers.||Operating services and Site and providing related support |
Responding to requests
Analyzing and improving services, Site and our business
Advertising and marketing
Protecting our legal rights and preventing misuse
Complying with legal obligations
Related to our general business operations
|Customer records: paper and electronic customer records containing personal information, such as name, signature, contact information, and payment information.|
|Protected classifications: characteristics of protected classifications under California or federal law (e.g., such as disability provided by you related to an event registration).|
|Commercial information: such as records of products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.|
|Internet or other electronic network activity information: such as browsing history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.|
|Geolocation data: location information about a particular individual or device.|
|Audio, video and other electronic data: such as call recordings, as well as other audio, electronic, visual, or similar information.|
|Employment information: professional or employment-related information.|
|Profiles and inferences: Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes. |
Individual rights. Please see the Your Choices and Rights section below for a description of the choices we provide and the rights you have regarding your personal information. If you are a California resident, please be sure to review the Additional Information for Individuals in Certain Jurisdictions section below for important information about the categories of personal information we collect and disclose and your rights under California privacy laws.
Introduction and Scope
Personal Information. In this privacy notice, our use of the term “personal information” includes other similar terms under applicable privacy laws—such as “personal data” and “personally identifiable information.” In general, personal information includes any information that identifies, relates to, describes, or is reasonably capable of being associated, or reasonably linked or linkable with a particular individual.
Controller and Responsible Party
For the purposes of the GDPR, ON24, Inc. is the controller of your personal information collected pursuant to this Policy. With respect to any Platform Data, our clients are the data controllers or businesses for their respective Platform Data, and we are a data processor or service provide, as defined under applicable privacy laws.
Information We Collect
The personal information that we collect and process will vary depending upon the circumstances. You do not have to provide us with your personal information to access much of the Site. If you choose not to disclose certain information, you can still visit our Site, but you will not be able to create an account with us, you may be unable to access certain options and services, and we may be unable to fully respond to your inquiries.
Sources of Personal Information. We collect personal information directly from individuals, automatically related to the use of our Site, and in some cases, from third parties (such as social networks, platform providers, payment processors, and operators of certain third party services that we use).
Information Collected Directly. We may collect personal information about you directly from you or from your company. For example, when you fill out a ‘Contact Us’ form, signup for our mailing lists, register for events we host or sponsor, or otherwise provide us information through the Site, we may collect personal information such as:
- name, company name, and title/position
- payment and billing information
- email address, phone number, mailing address and contact details
- job title, other company information (such as country and industry sector)
- contact preferences and interests
- business affiliations
- customer (and authorized user) account information (to access various parts of the Platform, and to create events and webinars) – name, email address, telephone number, company name, and other information necessary to confirm that you are an authorized user of a client (where relevant)
- other information related to your request or inquiry
Information Collected from Third Parties. We may collect personal information about you from third party sources, such as business partners, social media platforms, public sources, joint marketing partners, our resellers (so that we can deliver our Platform and related services) and third parties to whom you have expressed interest in our products and services, as well as information that you shared on social media platforms (subject to the respective platform terms and applicable laws).
Categories of Personal Information We Collect. Certain laws, such as the California Consumer Privacy Act (“CCPA”) requires that we disclose certain information about the categories of personal information that we collect about individuals. While the information we collect varies depending upon the circumstances, such as our interactions with you, we may collect the following categories of personal information (subject to applicable legal requirements and restrictions):
- Name, contact information and other identifiers: identifiers such as a name, username, account name, address, phone number, email address, online identifier, IP address, government-issued identification numbers or other similar identifiers.
- Customer records: paper and electronic customer records containing personal information, such as name, signature, contact information, employment history, government identifiers, and financial or payment information.
- Protected classifications: characteristics of protected classifications under California or federal law (e.g., such as disability provided by you related to an event registration).
- Commercial information: such as records of property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
- Internet or other electronic network activity information: such as browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
- Geolocation data: precise location information about a particular individual or device.
- Audio, video and other electronic data: such as, CCTV footage, photographs, and call recordings, as well as other audio, electronic, visual, or similar information.
- Employment information: professional or employment-related information.
- Education information: education information and records.
- Profiles and inferences: Inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes.
Purposes and Legal Bases of Use
Certain laws, including the EU General Data Protection Regulation (“GDPR”), require that we inform you of the legal bases for our processing of your personal information. Pursuant to the GDPR (and other similar laws), we process personal information for the following legal bases:
- Performance of contract: as necessary to enter into or carry out the performance of our contract with you.
- Compliance with laws: for compliance with legal obligations and/or defense against legal claims, including those in the area of labor and employment law, social security, and data protection, tax, and corporate compliance laws.
- Our legitimate interests: in furtherance of our legitimate business interests, which are not overridden by your interests and fundamental rights, including:
- Performance of contracts with clients and other parties
- Implementation and operation of global support (e.g., IT) services for our business operations
- Improving our Site, developing trend and benchmark reports, and similar purposes
- Customer relationship management and improving our Site and Services, including other forms of marketing and analytics
- Fraud detection and prevention, including misuse of Services or money laundering
- Physical, IT, and network perimeter security
- Internal investigations
- Mergers, acquisitions, and reorganization, and other business transactions
- With your consent: where we have your consent the GDPR (where it applies) and other applicable laws give you the right to withdraw your consent, which you can do this at any time by contacting us using the details at the end of this privacy notice. In some jurisdictions, your use of the services may be taken as implied consent to the collection and processing of personal information as outlined in this privacy notice.
In addition, we may process your personal information where necessary to protect the vital interests of any individual.
Purposes for Using Personal Information. The purposes for which we may process personal information will vary depending upon the circumstances In general we use personal information for the purposes set forth below, and where the GDPR or other relevant laws apply, we have set forth the legal bases for such processing in parenthesis (see above for further explanation of our legal bases):
- Operating Site and services and providing related support: to provide and operate the Site and services, communicate with you about your use of the Site and our services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments, communicate with you, and for similar service and support purposes. (Legal bases: performance of our contract with you; and/or our legitimate interests)
- Responding to requests: to respond to your inquiries and requests, and consider your request or application. (Legal basis: performance of our contract with you)
- Analyzing and improving the Site, our services, and our business: to better understand how users access and use the Site and our services, as well as other products and offerings, both on an aggregated and individualized basis, to administer, monitor, and improve our services, for our internal purposes, and for other research and analytical purposes. (Legal basis: our legitimate interests)
- Personalizing experiences: to tailor content we may send or display on the Site, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences. (Legal basis: our legitimate interests)
- Advertising and marketing: to promote ON24’s products and services on third-party websites, as well as for direct marketing purposes, including to send you newsletters, client alerts and information we think may interest you. If you are located in a jurisdiction that requires opt-in consent to receive electronic marketing messages, we will only send you such messages if you opt-in to receive them. (Legal bases: our legitimate interests; and/or with your consent)
- Protecting our legal rights and preventing misuse: to protect the Site and our business operations; to prevent, detect and investigate fraud, misuse, harassment or other types of unlawful activities; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of this Policy and our applicable terms of service and agreements. (Legal bases: our legitimate interests; and/or compliance with laws)
- Complying with legal obligations: to comply with the law or legal proceedings. For example, we may disclose information in response to subpoenas, court order, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements. (Legal bases: our legitimate interests; and/or compliance with laws)
- Related to our general business operations: to consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping and legal functions. (Legal bases: our legitimate interests; and/or compliance with laws)
Aggregate, De-identified or Anonymous Data. We also create and use aggregate, anonymous and de-identified data to assess, improve and develop our business, products and services, and for similar research and analytics purposes. This information is not generally subject to the restrictions in this Policy, provided it does not identify and could not be used to identify a particular individual.
Disclosures of Personal Information
In general, we disclose the personal information we collect as follows:
- Subsidiaries: to our subsidiaries, whose handling of your personal information is subject to this Policy. A list of our subsidiaries is available here.
- Service providers: to third party service providers who perform functions on our behalf. Third party service providers will only process your personal information in accordance with our instructions and will implement adequate security measures to protect your personal information.
- Enterprise users: if you use, access or communicate with us about our Platform or related services on behalf of your company (our client), we may share personal information about your access, and your communications or requests, with the relevant enterprise client.
- In response to legal process: in order to comply with the law, judicial proceedings, a court order, or other legal process, such as in response to a subpoena.
- Business transfers: as part of any merger, sale, and transfer of our assets, acquisition or restructuring of all or part of our business, bankruptcy, or similar event, including related to due diligence conducted prior to such event where permitted by law.
Aggregate, De-identified or Anonymous data. We may share aggregate, anonymous or de-identified data with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.
Categories of Personal Information Disclosed. Certain privacy laws (such as the CCPA) require that we disclose the categories of personal information that we may disclose for a business purpose. (Further descriptions of the categories of personal information are provided above, in the Information We Collect section). In general, we may disclose the following categories of personal information in support of our business purposes identified above:
- Name, contact information and other identifiers
- Customer records
- Protected classifications
- Commercial Information
- Internet or other electronic network activity information
- Geolocation data
- Audio, video and other electronic data
- Employment information
- Education information
- Profiles and inferences
Categories of Personal Information Sold. The CCPA defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration. While we do not disclose personal information to third parties in exchange for monetary compensation from such third parties, we do make certain categories of personal information available to third parties, in order to receive certain services or benefits from them (such as when we allow third party tags to collect browsing history and other information on our Site to improve and measure our ad campaigns), including:
- Name, contact information and other identifiers
- Usage data
- Profiles and inferences
Cookies and Similar Devices
Clear GIFs, Pixel Tags and Other Technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs or pixel tags), in connection with our services to, among other things, track the activities users of our services, help us manage content, and compile statistics about usage of our services. We and our third party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.
Log Files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and internet browser type and version. This information is gathered automatically and stored in log files.
ON24 is headquartered in the United States and has operations and service providers in the United States and throughout the world. As such, we and our service providers may transfer your personal information to, or access it in, jurisdictions (including the United States, the UK and the European Union, Australia and Singapore) that may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it, including through appropriate written data processing terms and/or data transfer agreements.
Privacy Shield: ON24 has certified its adherence to and will comply with the EU-U.S. and Swiss-U.S. Privacy Shield Principles, which can be found at https://www.privacyshield.gov/ (collectively, “Privacy Shield Principles”), with respect to the Platform Data we receive from the European Economic Area and Switzerland. You can review the Privacy Shield Principles, learn more about Privacy Shield, and view our Privacy Shield certification at https://www.privacyshield.gov/. ON24’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
If you are in the European Economic Area, and we process your personal information in a jurisdiction that the European Commission has deemed to not provide an adequate level of data protection (a “third country”), we will implement measures to adequately protect your personal information, such as putting in place standard contractual clauses approved by the European Commission or another measure that has been approved by the EU Commission as adducing adequate safeguards for the protection of personal information when transferred to a third country. You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EEA; you may request such details by contacting us as set forth in the Contact Us section below.
Protection of Children’s Personal Information
ON24 does not publish content that is targeted at children. The Site is not intended for minors under the age 16. We do not knowingly or specifically collect information about minors under the age of 16. If you believe we have unintentionally collected such information, please notify us as set out in the Contact Us section below.
Wherever your personal information may be held within ON24 or on its behalf, we take reasonable steps to protect the personal information that you share with us from unauthorized access or disclosure, including, without limitation, restricting access to certain portions of our website through access controls, and using firewalls. Regardless of the precautions taken by us, ON24 cannot ensure or warrant the security of any information you transmit to us, and you transmit such information at your own risk. You are responsible for all actions taken with your User ID and password, if any. Therefore, we recommend that you do not disclose your password to anyone. If you lose control of your password, you may lose substantial control over your personally identifiable information and may be subject to legally binding actions taken on your behalf.
Your Choices and Rights
Access, Amend and Correct. If you wish to access personal information that you have submitted to us, to request the correction of any inaccurate information you have submitted to us, or to request deletion of your information, please send your request to email@example.com. We will review your request and make reasonable efforts to respond to it as soon as practicable. We may ask you for additional information so that we can confirm your identity.
Direct Marketing. You may always opt-out of direct marketing emails. If you would like to unsubscribe from ON24 email subscriptions or otherwise change your email preferences with ON24, please click here or follow the instructions in any ON24 promotional email that we send to you. We may continue to send you transactional or service-related communications, such as service announcements and administrative messages.
Complaints. We will take steps to try to resolve any complaint you raise regarding our treatment of your personal information. You also have the right to raise a complaint with the privacy regulator in your jurisdiction.
Additional information for certain jurisdictions. We are committed to respecting the privacy rights of individuals under all privacy laws applicable to us. Some privacy and data protection laws require that we provide specific information about individual rights to applicable consumers, which we have set forth at the end of this privacy notice:
- California: if you are a California resident, you have certain rights, under California privacy laws, regarding your personal information as set forth below.
- EU/EEA: if you are in the European Union / European Economic Area, below we provide further details about your rights under the GDPR.
As a general rule, we retain your personal information for as long as necessary to fulfill the purposes for which it was collected or as necessary to comply with our legal obligations, resolve disputes, maintain appropriate business records, and enforce our agreements. In general, for example, we will retain relevant contact information of clients, prospective clients and Site visitors for three years from the date of our last interaction with you and in compliance with our obligations under applicable laws. Our clients instruct us on how long to retain Client Data, which we handle as a data processor. We may retain personal information for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others.
Changes to the Policy
ON24 may update this Policy to reflect new or different privacy practices or to reflect changes in industry standards or legal requirements. Revisions will be posted on our website. This statement of privacy is for the information of our users and does not constitute a contract or modification of any contract. When changes are made to this Policy, ON24 will post a new version of this Policy here. If the changes will materially affect the way we use or disclose your personal information, we will endeavor to notify you in advance of the change, such as by sending a notice to the primary email address associated with your account or by posting a notice on the Site. We encourage you to periodically review this Policy for the latest information on our privacy practices.
ON24 welcomes your comments regarding this Policy. Please feel free to email us at firstname.lastname@example.org or via postal mail at ON24, Attn: Privacy, 50 Beale Street, 8th Floor, San Francisco, CA 94105.
EU Representative. Individuals in the EU may also contact us through our UK office at ON24 Ltd., Attn: Privacy, 6th Floor, 210 Pentonville Road, Kings Cross, London N1 9JY, United Kingdom.
Additional Information for Individuals in Certain Jurisdictions
In this section, we provide information for California residents, as required under California privacy laws, including the California Consumer Privacy Act (“CCPA”), which requires that we provide California residents certain specific information about how we handle their personal information, whether collected online or offline. This section does not address or apply to our handling of publicly available information made lawfully available by state or federal governments or other personal information that is subject to an exemption under the CCPA.
California Residents’ Rights. California law grants California residents certain rights and imposes restrictions on particular business practices as set forth below.
- Do-not-sell: California residents have the right to opt-out of our sale of their personal information. If you are a California resident, you may submit an opt-out request here. We do not sell personal information about residents who we know are younger than 16 years old without opt-in consent.
- Notice before collection: We are required to notify California residents, at or before the point of collection of their personal information, the categories of personal information collected and the purposes for which such information is used.
- Request to delete: California residents have the right to request, at no charge, deletion of their personal information that we have collected about them and to have such personal information deleted, except where an exemption applies. We will respond to verifiable requests received from California residents as required by law.
- Request to know: California residents have the right to request and, subject to certain exemptions, receive a copy of the specific pieces of personal information that we have collected about them in the prior 12 months and to have this delivered, free of charge, either (a) by mail or (b) electronically in a portable and, to the extent technically feasible, readily useable format that allows the individual to transmit this information to another entity without hindrance. California residents also have the right to request that we provide them certain information about how we have handled their personal information in the prior 12 months, including:
- categories of personal information collected;
- categories of sources of personal information;
- business and/or commercial purposes for collecting and selling their personal information;
- categories of third parties/with whom we have disclosed or shared their personal information;
- categories of personal information that we have disclosed or shared with a third party for a business purpose; and
- categories of third parties to whom the residents’ personal information has been sold and the specific categories of personal information sold to each category of third party.
California residents may make a Request to Know up to twice every 12 months, at no charge. We will respond to verifiable requests received from California residents as required by law.
- Discrimination and financial incentives:The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. A business may offer financial incentives for the collection, sale or deletion of California residents’ personal information, where the incentive is not unjust, unreasonable, coercive or usurious, and is made available in compliance with applicable transparency, informed consent, and opt-out requirements. California residents have the right to be notified of any financial incentive offers and their material terms, the right to opt-out of such incentives at any time, and may not be included in such incentives without their prior informed opt-in consent. We do not offer any such incentives at this time.
Submitting Verifiable Requests. Requests to Know and Requests to Delete may be submitted:
We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Contact Us section above.
Individuals in the European Union / European Economic Area
This section explains the right that data subjects in the European Union / European Economic Area (“EEA”) have pursuant to the GDPR.
Rights under the GDPR. Individuals in the EEA have the below rights with respect to their personal information.
- Right of access: You can ask us to: confirm whether we are processing your personal information; give you a copy of that information; provide you with other information about your personal information such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your information from and whether we have carried out any profiling, to the extent that such information has not already been provided to you in this Policy.
- Right to rectify and complete personal information: You can ask us to rectify inaccurate information. We may seek to verify the accuracy of the data before rectifying it.
- Right of erasure: You can ask us to erase your personal information, but only where: it is no longer needed for the purposes for which it was collected; you have withdrawn your consent (where the data processing was based on consent); following a successful right to object (see ‘Objection’ below); it has been processed unlawfully; or to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal information if the processing of your personal information is necessary: for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
- Right of restriction. You can ask us to restrict (i.e. keep but not use) your personal information, but only where: its accuracy is contested, to allow us to verify its accuracy; the processing is unlawful, but you do not want it erased; it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal information following a request for restriction, where: we have your consent; to establish, exercise or defend legal claims; or to protect the rights of another natural or legal person.
- Right to object to our use of your personal information for direct marketing purposes: You can request that we change the manner in which we contact you for marketing purposes. You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
- Right to object for other purposes: You have the right to object at any time to any processing of your personal information which has our legitimate interests as its legal basis. You may exercise this right without incurring any costs. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. The right to object does not exist, in particular, if the processing of your personal information is necessary to take steps prior to entering into a contract or to perform a contract already concluded.
- Right to (data) portability: You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it ‘ported’ directly to another Data Controller, but only where our processing is based on your consent and the processing is carried out by automated means.
- Right to withdraw consent: You can withdraw your consent in respect of any processing of personal information which is based upon a consent which you have previously provided.
- Right to obtain a copy of safeguards: you can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside the EU/EEA. We may redact data transfer agreements to protect commercial terms.
- Right to lodge a complaint with your local supervisory authority: You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. We ask that you please attempt to resolve any issue with us first, although you have a right to contact your supervisory authority at any time.
Submitting a GDPR Request. Please contact us as set out in the Contact Us section above to exercise one of these rights. If we receive any requests from individuals related to the Platform Data, we will forward the request to the relevant clients.