Privacy Policy

General Data Privacy Regulation (GDPR) Privacy Notice

Last Updated: May 23, 2024

This General Data Privacy Regulation (GDPR) privacy notice (Notice) is included in our Privacy Policy and applies to the ‘personal data,’ as defined in the GDPR, of natural persons located in the European Economic Area (EEA Individuals) processed by Postal Center International, Inc. (PCI or the Company).

To the extent of any conflict between this Notice and the PCI Privacy Notice, this Notice shall control only with respect to EEA Individuals and their personal data.

Controller Disclosure and Details

We are a data controller of personal data regarding the following EEA Individuals: Prospective/current customers and vendors (Business Contacts), our general website visitors (Site Visitors), and our employees and contractors (Workforce) for the purposes and under the legal basis described in the table below.  Please note that, in some cases, the categories of data subjects above may overlap (e.g., Business Contacts using the Website).

Data Subject Category / Purpose & Legal Basis of Processing
General (applies to all data subjects)

Cookies and Browser Information: Our website servers will log your IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed.

We use this information pursuant to our legitimate interests in tracking website usage, combating DDOS (Distributed Denial of Service) or other attacks, and removing or defending against malicious visitors on the website.

Business Contacts

Direct Marketing: Our legitimate interest in sending current or prospective customers email marketing.

Platform Demonstrations: Our legitimate interest in setting up demos with prospective customers pursuant to their request.

Executing Contracts and other Legal Documentation: We will process all personal data as necessary for the performance of contracts to which Business Contacts are a party (such as our Master Services Agreement, Data Processing Agreement and Terms of Use) or to take requested steps to enter into such contracts.

General Business Development: Our legitimate interest in furthering business relationships (such as by storing Business Contact information within a CRM or file), ensuring customer satisfaction, and answering inquiries.

Site Visitors

Web Audience Measurement and Retargeting: Our legitimate interest in the use of Google Analytics to understand how Site Visitors interact with our general Website and where such Site Visitors are located (up to city-level only) in order to optimize the Website experience. Note that the last octets of Site Visitors’ IP Addresses have been anonymized and ‘Sharing With Google’ and ‘Demographics/Advertising’ features have been disabled within Google Analytics.

Workforce

Employee or Contractor Information: Our legitimate interest in maintaining personal information required of individuals that perform services for PCI such as for processing payments for those services, background checks where permitted, and for user accounts to systems. This includes job application or resume information, past and current job history, and job performance information.

Executing Contracts and other Legal Documentation: We will process all personal data as necessary for the performance of contracts to which employees and contractors are a party (such as our Employment Agreements, Contractor Agreements, and Confidentiality Agreements) or to take requested steps to enter into such contracts.

Categories of Personal Information Collected

We maintain the following information when provided voluntarily by our Site Visitors: name and email address (business e-mail address preferred). We may also maintain additional information gathered from public sources like titles or phone numbers.

We maintain the following information provided voluntarily by our Business Contacts and gathered from public sources: Name, company, email (business email preferred), title, role, postal address, country, and telephone number (business number preferred).

We maintain the following information provided voluntarily by our Workforce: Name, email, role, postal address, country, telephone number, social security or national ID number, banking information and other information required for employment or contracted services.

We also process automatically gathered Cookie and Browser information as described above.

Recipients

Our sales, marketing, and finance teams process Business Contacts and Site Visitor information internally and such information is also disclosed to the following US-based recipients: our customer relationship management system, web audience measurement tools, and email marketing systems.

Information We Collect From Other Sources

We receive personal data about you from some of our service providers who assist us with marketing or promotional services related to how you interact with our websites, applications, products, services, advertisements or communications.

How and with Whom we Share Your Data

We do not share personal data with third parties except those who work on our behalf and provide us with services necessary to conduct our business activities or to assist us in providing you with our services. These parties include but may not be limited to:

  • Ad networks
  • Social media services
  • Analytics service providers
  • Staff augmentation and contract personnel
  • Hosting service providers
  • Cloud storage and service providers
  • Customer support

Before engaging a new processor, we perform a security and privacy assessment of the processor, and we ensure that the processing of personal data is always regulated with written data processing agreements.

Other Disclosures

In accordance with our legal obligations, we may also transfer personal data, subject to a lawful request, to public authorities for law enforcement or national security purposes.

Processor Disclosure

In the normal course of PCI’s work, confidential information belonging to clients or the client’s workforce (collectively “clients” and “client provided information”) is provided to be processed within our applications. To the extent that personal information of EEA Individuals is provided in client provided information, we are a data processor of the personal data provided for GDPR purposes. When serving as a processor, we have certain obligations under GDPR that include only processing personal data at the instruction of our customers as reflected in the applicable Master Services Agreement, providing assistance with fulfillment of data subject rights requests, and implementing appropriate security for personal data.

We do not share customer provided personal data with third parties except when necessary to assist us in providing customers with our services.  These include Microsoft 365 and Amazon Web Services used in the delivery of our services. In accordance with our legal obligations, we may also share customer provided personal data, subject to a lawful request, to public authorities for law enforcement or national security purposes.

We will hold personal data for so long as we have an obligation to the customer to provide the services, and thereafter until such time as we delete the Customer’s account in accordance with our Master Services Agreement.

We will forward any inquiries, complaints, or requests received from data subjects with respect to the Platform Data to the appropriate customer and await instructions before taking any action.

Information regarding the transfers of personal data outside of the European Economic Area

PCI’s administrative offices, our internally developed applications, and third-party vendor applications used in our services are hosted and operated in the United States (U.S.) through infrastructure service providers. By submitting your personal information through our website or including personal information in client provided information, you acknowledge that any personal data is being provided to a company in the U.S. and will be hosted on U.S. servers, and you authorize PCI to transfer, store and process your information in the U.S.

The U.S. does not have an adequacy decision from the European Commission, which means that the Commission has not determined that the laws of the U.S. provide adequate protection for personal information. Although the laws of the U.S. do not provide legal protection that is equivalent to EU data protection laws, we safeguard personal information by treating it in accordance with this GDPR Privacy Notice. We take appropriate steps to protect your privacy and implement reasonable security measures to protect your personal information in storage. We use secure transmission methods to collect personal data through our website. We limit access to client provided information to those who have a genuine business need to know it. We also use subprocessors that maintain controls over security and privacy and enter into contracts with our subprocessors that require them to treat personal information in a manner that is consistent with this Notice.

PCI also has procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Retention period for personal information

How long we retain personal data varies according to the type of information in question and the purpose for which it is used.  We delete personal information within a reasonable period after we no longer need to use it for the purpose for which it was collected. This does not affect your right to request that we delete your personal data before the end of its retention period. We may archive personal data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.

Current Business Contacts’ (or Business Contacts with whom we’ve had a relationship) personal data will be retained until the relationship terminates, at which point their personal data will be retained for seven (7) years for finance and tax purposes and in case of repeat business.

Your GDPR Rights

EEA Individuals have a right to:

  • Obtain a copy of your personal data together with information about how and on what basis that personal data is processed.
  • Rectify inaccurate personal data (including the right to have incomplete personal data completed).
  • Erase your personal data (in limited circumstances, such as where it is no longer necessary in relation to the purposes for which it was collected or processed).
  • Restrict processing of your personal data under certain circumstances.
  • Have a copy of your personal data sent to another controller, in a structured, commonly used and machine-readable format under the right of data portability.
  • Withdraw your consent to our processing of your personal data (where that processing is based on your consent).
  • Obtain or see a copy of the appropriate safeguards under which your personal data is transferred to a third country or international organization.

In addition to the above rights, EU data protection law provides applicable individuals the right to object, on grounds relating to your particular situation, at any time to any processing of your personal data that we have justified on the basis of a legitimate interest, including profiling (as opposed to your consent) or to perform a contract with you. You also have the right to object at any time to any processing of your personal data for direct marketing purposes, including profiling for marketing purposes.

You may exercise these rights and submit a GDPR complaint by contacting: info@surfpci.com with the subject line “GDPR Notice.” You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email.

We will endeavor to update your personal data within thirty (30) days of any new or updated personal data being provided to PCI, in order to ensure that the personal data we hold about you is as accurate and up to date as possible.

You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under our Master Services Agreement. Contact details for the EU data protection authorities can be found at:

http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Updates to this Notice

If, in the future, we intend to process your personal data for a purpose other than that for which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the “Last Updated” at the top of this page will be updated accordingly.

How to Contact Us

PCI’s main office is located at 2965 West Corporate Lakes Boulevard, Weston, FL 33331. Please use this address or, preferably, reach out to info@surfpci.com for any questions, complaints, or requests regarding this Notice; please include the subject line “GDPR Notice.”
