Effective as of October 15, 2020
Previous versions of this document:

Contentful Privacy Notice

General information 

 Getting oriented

This privacy notice applies to

  • our website contentful.com

  • the Contentful Web App, which is the web user interface to access and use our services that you can subscribe to on contentful.com or via a separate agreement - please read our FAQ for an overview

  • other topics described in this privacy notice (such as marketing and events we organize) - please see separate sections for each topic

Not all sections will necessarily apply to you. It depends on how you interact with us, our services and website.

This notice does not cover any linked third-party websites or services that we do not own or control.

For cookies, please read the separate cookie notice on this site available via contentful.com/legal and please check the cookie consent manager implemented on both this website (see “Cookie Preferences” at the bottom of the page) and in the Web App (see the “Account Settings” page in the Web App). The cookie notice applies in addition to this privacy notice.

 An overview: broad categories of personal data we process

Contentful processes personal data in three broad categories:

  • data we collect through our website or when you otherwise interact with us

  • data from use of our services

  • data that may be included in the content that customers manage in our services

Some data protection and privacy laws talk about “personal data”, others about “personal information”. For simplicity, we use the term “personal data” throughout this privacy notice.

Who decides how personal data in these categories is processed (who is the “data controller”)?

Data protection and privacy laws in certain jurisdictions, like in the European Union, distinguish between “controllers” and “processors” of personal data. These concepts come from the European Union General Data Protection Regulation (“GDPR”). A controller decides why and how personal data is processed. A processor processes personal data on behalf of a controller.

The California Consumer Privacy Act (“CCPA”) has similar concepts: “business” (akin to data controller) and “service provider” (similar to data processor). For simplicity, when we talk about a “data controller”, we also mean a “business”. And when we talk about a “data processor” we also mean a “service provider”.

Contentful is the data controller of personal data in the first broad category. This means that we decide for what purposes and how we process this data. Generally speaking, we use this data for our legitimate business interests, for example to understand who our customers and potential customers are, what their interests in our services are, to manage our customer and supplier relationships.

Personal data in the second category can be controlled by both our customers and us, each for their own purposes. When we process such data for purposes of providing services to our customers, we are the data processor and the customer is the data controller. This includes purposes such as customer support. When we process this data for example to manage the customer relationship and billing, or to understand how our services are used for product development purposes, we process this data for our own purposes and we are therefore the data controller.

Personal data in the third category, customer content, is controlled by our customers. We are always the processor of personal data that may be included in customer content and process it in accordance with our customer agreements.

Who we are and how to contact us

The entity responsible for processing your personal data (the “data controller”) in accordance with this privacy notice is Contentful GmbH, with its registered office at Ritterstraße 12-14, 10969 Berlin, Germany.

If you have any questions about our processing of your personal data, you can contact our data protection officer at: Contentful GmbH/Data Protection Officer, Ritterstraße 12-14, 10969 Berlin, Germany and by email: privacy@contentful.com. You can also contact us at: support@contentful.com

In this privacy notice we refer to Contentful GmbH as “Contentful”, “we”, “us”, “our”.

About this privacy notice 

Brief overview

This privacy notice explains: 

  • Who we are and how to contact us

  • Your rights

  • When we collect personal data from you and from third parties

  • Data transfers and how we share personal data

  • Data collection on our website and in our Web App

  • Third-party content and services on our website and in our Web App

  • Data collection when contacting us and interacting in our communities

  • Data collection when using our services

  • Data collection when visiting our premises or participating in events or training

  • Personal data we collect and process for marketing purposes

  • How we keep personal data safe

Changes to this privacy notice

Please read this privacy notice carefully and note that we may change it. We may change it specifically if our products and services or the websites we offer evolve or if the relevant laws or their application change. We recommend that you read this privacy notice from time to time and take a copy for your files. We will post new versions of this privacy notice on our website and identify new notices with the date they take effect.

Your rights

This section explains what rights you have in relation to our processing of your personal data. If you want to make use of your rights, please contact us (please see contact details above in “Who we are and how to contact us”).

Your European rights under the GDPR

If our processing of your personal data is subject to the European Union General Data Protection Regulation (“GDPR”), you have the following rights with respect to your personal data:

  • Right of access: You can request information about your personal data that we process in accordance with GDPR article 15.

  • Right to erasure: You have the right to request the deletion of your personal data in accordance with GDPR article 17.

  • Right of rectification: If the information concerning you is not correct, you can request a correction in accordance with GDPR article 16. If your data is incomplete, you may request that it be completed.

  • Right to restrict processing: In accordance with GDPR article 18, you have the right to request a restriction of processing your personal data.

  • Right to withdraw your consent: If you have given your consent for processing, you have the right to revoke it according to GDPR article 7.3.

  • Right to data portability: You have the right to receive your personal data that you have provided to us in a structured, common and machine-readable format as well as the right to transfer this data to another data controller, if the conditions of GDPR article 20.1 (a), (b) are met.

  • Right to file a complaint: You have the right to file a complaint with a data protection supervisory authority about our processing of your personal data in accordance with GDPR article 77.

  • Right to object to processing: In accordance with GDPR article 21.1, you have the right at any time to object, for reasons arising from your particular situation, to processing your personal data on the basis of GDPR article 6.1 (e) or (f). In such a case we will not process your data unless we can demonstrate compelling legitimate reasons to do so which outweigh your interests, rights and freedoms, or if the processing is for purposes of establishing, asserting, exercising or defending against legal claims. Furthermore, according to GDPR article 21.2, you have the right at any time to object to processing your personal data for the purpose of direct marketing; this also applies to any profiling, insofar as it is connected with such direct marketing.

Your California rights under the CCPA

If our processing of your personal data is subject to the California Consumer Privacy Act (“CCPA”), you have the following rights with respect to your personal data:

  • Right of information and access: You can request information about and access to your personal data that we process in accordance with the CCPA.

  • Right to erasure: You have the right to request deletion of your personal data in accordance with the CCPA.

  • Right to opt-out of the sale of your personal data: We have third party cookies on our website to assist us with analyzing our marketing effectiveness and providing you with tailored content and advertising. We may share cookie data as well as other data we may have on you with marketing companies (for example using your email address to obtain firmographic information about the company you work for) or with our business partners, such as in case of joint events organized with such partners. If you would like to know more about how you can control how we collect information through the use of cookies and similar technologies, including how to opt-out of such data processing, please see the separate cookie notice available via contentful.com/legal. To opt out of cookies and of sale (as defined in the CCPA) of your personal data please use the settings in the cookie consent manager implemented on our website and in our Web App or contact us via the form “Do not sell / Data access request” available on this site (click on the “Do not sell my personal information” link at the bottom of this page) or contact us using the contact details provided above in “Who we are and how to contact us”.

  • Right to non-discrimination: You have the right to receive non-discriminatory treatment if and when you exercise your rights to access, delete, or opt-out under the CCPA. This means we cannot, for example, deny goods or services to you or charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, due to you having exercised your rights.

When we collect personal data from you and from third parties 

Collecting personal data from you

We collect personal data from you when you for example:

  • Visit our website

  • Use third party content integrated into our website or services

  • Contact our company

  • Interact in the Contentful community (contentfulcommunity.com) or our Slack channels

  • Sign up for newsletters or download whitepapers or reports

  • Read our emails

  • Participate in user research and surveys

  • Sign up for and use our services

  • Communicate with us via customer support tools

  • Visit our premises

  • Register for or attend our events and training

  • Apply for a job with us (please read the separate job applicant privacy notice on our website available via contentful.com/legal)

For more information, please read further below in this privacy notice in the applicable sections or feel free to contact us (contact details above in “Who we are and how to contact us”) and we will be happy to to answer your questions.

Collecting your personal data from third parties

We mostly collect personal data from you. However, we receive personal data about you from third parties when you for example:

  • Use the social media integrations on our website

  • Use our Slack channels

  • Participate in user research or surveys facilitated by third parties

  • Sign up for our services using a social media or other third party account

  • Register for an event or training through a third-party service

  • Marketing service providers such as data enrichment providers

For more information, please read further below in this privacy notice in the applicable sections or feel free to contact us (contact details above in “Who we are and how to contact us”) and we will be happy to to answer your questions.

Data transfers and how we share personal data

This section gives you an overview of how we may transfer and share personal data. Please note that other parts of this privacy notice and the separate cookie notice on this site include more information that may be relevant to transferring and sharing personal data.

How we share your personal data

We share your personal data with sub-processors and service providers that assist us with the provision of our services, as well as in connection with our business and business transactions or as necessary to comply with our legal obligations. 

How we share information with our sub-processors and service providers is described in various parts of this privacy notice, including:

  • Data collection on our website

  • Third-party content and services on our website and in our Web App

  • Contacting us and interaction in our communities

  • Using our services

  • Visiting our premises; events and training

  • Marketing

Please also view our cookie notice available via contentful.com/legal to learn about data collection and sharing via cookies.

Transferred data is protected by appropriate agreements

In general, we use service providers across our services and website with locations outside of the European Economic Area, including in the United States of America. We transfer data from our services and website to such locations.

If we transfer or otherwise process personal data in a country outside of the European Economic Area that has not been determined by the European Commission to offer adequate protection to personal data, we will ensure that such transfers and processing are covered by lawful data processing agreements and data transfer mechanisms (such as the EU Commission approved “standard contractual clauses” (https://ctfl.io/link_to_EU_SCC) in accordance with GDPR article 46.2(c)).

The sub-processors and service providers to whom we transfer personal data are vetted by our security team.

Third parties with whom we share personal data

Service providers – We share your identifiers, internet activity, billing details and sensory data (as may be recorded e.g. by CCTV on our premises or during user research or other interviews) with the relevant service providers such as security service providers or our customer relationship and billing management providers or with third parties who conduct research and surveys on our behalf. The legal basis for sharing your information is our legitimate interest in providing our services efficiently.

Some of such data sharing, including

  • integration of Google Maps, video hosting or social network plug-ins (please see in “Third-party content and services on our website and in our Web App”),

  • interaction in our communities or Slack channels (please see “Contacting us and interaction in our communities”), and

  • marketing tools integrated in our website and firmographic data providers (please see “Marketing”)

may be deemed a “sale” under the CCPA. To exercise your right to opt-out of such sharing please see the page “Do not sell / Data access request” on this site or contact us using the contact details provided above in “Who we are and how to contact us”.

Firmographic data providers – when you visit our website or use our services we may share your identifiers (like email address) with third parties who provide us with firmographic data (such as the name of the company you work at) related to your identifiers (for example based on your email address domain).

Third party marketing services – we share your identifiers, internet activity, and inferences from the foregoing with marketing and advertising partners to deliver tailored advertising to you (please see in “Marketing”).

Social media services – if you register or log in to our services using social media, your identifiers and other personal data you authorize may be shared with the particular social media service. The social media’s processing of your personal data is governed by their privacy policies and your settings in the relevant social media service. We further describe how we share information with social media services under: “Social networks integrations”.

Customer support services and customer engagement – when you communicate with us through our website or the Web App, we share your identifiers, internet activity, and any personal data you choose to include in your communication with customer support service providers such as Intercom and Zendesk (please see in “Contacting us and interaction in our communities” and “Using our services”).

Third-party app and extension providers in our Web App - if you install third-party apps or extensions in the Web App when using our services, the providers of such apps and extensions, and the providers of third-party services that the apps and extensions may connect with, will receive your identifiers and other data that you authorize such apps, extensions and third-party services to access. Please familiarize yourself with the applicable terms and privacy notices from such app and extension providers on contentful.com/marketplace.

Events and training hosts and facilitators – when you register for or attend an event, we share your identifiers and other registration information with such third parties. These third parties may include our business partners that participate in or organize such events with us. Please see in “Visiting our premises; events and training”.

Between our group companies and investors; due to corporate transactions - We may share your personal data to and from Contentful GmbH in Berlin, Germany and Contentful Inc. in San Francisco, California, U.S.A., as reasonably necessary for our day to day business operations. In addition, we may share your personal data if we are involved in a merger, acquisition, consolidation, change of control, or sale of all or a portion of our assets or if we undergo bankruptcy or liquidation. Such activity might involve us disclosing personal data to prospective or actual purchasers, sellers and their advisers. Such disclosures will only take place under appropriate confidentiality undertakings and if necessary for such purpose and your interests, rights and freedoms do not outweigh such disclosure. The legal basis for this sharing is our legitimate interest in carrying out our business operations.

Pursuant to your instructions – when requested, we will share or facilitate sharing your data with third parties pursuant to your instructions. The legal basis for this sharing is your request and the performance of our contract with you.

To comply with our legal obligations, protect our rights and those of others – we may share your personal data to comply with our legal obligations, and to protect our rights. We will share your personal data if we are legally required to do so, such as in response to a court order or legal process, or to establish, protect, or exercise our legal rights or to defend against legal claims or demands, or to comply with requirements of mandatory applicable law. We will also share your data as necessary to enforce terms of contract that you have agreed to, including to protect the rights, property, or safety of Contentful, its users, or any other person.

To prevent fraud and abuse of our services – we will share your identifiers, internet activity, sensory data, and other relevant data to prevent or detect fraud or to address technical issues and if we believe it is necessary to investigate, prevent, or take action regarding situations that involve abuse of our services or the Internet in general, such as spamming, denial of service attacks, or attempts to compromise the security of our infrastructure or our services.

Data collection on our website and in the Web App 

This section applies to our website and Web App, and the various methods of communicating with us via these properties. For information on cookies (and similar technologies) integrated in our website and the Web App, please read the cookie notice (which forms part of this privacy notice) accessible on this site via contentful.com/legal and check the cookie consent manager implemented on both this website (see “Cookie Preferences” at the bottom of the page) and in the Web App (see the “Account Settings” page in the Web App).

What data we collect (“Website Data”)

When you visit individual pages of our website contentful.com or our Web App at app.contentful.com, we generally collect the following data from you (also referred to as “Website Data”):

Identifiers, such as:

  • hostname of the accessing device

  • IP address

  • cookie ID

Internet activity, such as:

  • browser type/browser version

  • operating system used

  • language and version of the browser software

  • website from which the request comes

  • content of the request (specific page)

  • date and time of the server request

  • access status/HTTP status code

  • referrer URL (website visited before)

  • volume of data transferred

  • time zone difference from Greenwich Mean Time (GMT)

Additionally, in the Web App, we log the user activity, including log-in time-stamps and actions taken in the Web App. 

Legal basis for and purpose of processing personal data

Unless otherwise stated below, the legal basis to process this type of personal data is GDPR article 6.1(f), our legitimate interests to enable the provision of a functioning and appealing website and user experience and to ensure that our marketing messages are more relevant to the user. We will retain your data for as long as we consider it reasonably likely for you (or your organization) to become or remain a customer. For retention of cookie data, please refer to the cookie consent manager integrated on our website and in the Web App. To the extent that we use any tracking technologies, such as cookies, that are not technically essential, the legal basis for processing such data originating from the European Union is GDPR article 6.1(a), that is your consent that we request via the cookie consent manager.

If you sign up for our services or give us your consent for example when downloading certain materials from our website (such as a whitepaper), we will use your identifiers and internet activity, along with information such as firmographic information we receive about you from third parties (our marketing service providers), to provide you with tailored marketing (see below in “Marketing”). Such firmographic information allows us to analyse a deeper subset of data from which we may present personalized content and messages, for example to analyze if you or your organization would benefit from or be interested in certain service features or information related to our services. The legal basis of our processing your data this way is GDPR article 6.1(f), that is our legitimate interests to ensure that our content and messaging (including customer success, sales and marketing) provided to you are more accurate and suitable. To the extent that we require your consent, the legal basis for processing your data is your consent as per GDPR article 6.1(a). 

Third-party content and services on our website and in our services

The below sections apply to various third-party services and content that are integrated into our website and our Web App. Please note that information about cookies (and similar technologies) integrated in our website and services is in a separate cookie notice on this site available via contentful.com/legal.

The website and the Web App integrate third-party content such as videos, maps, RSS feeds and graphics from other websites. When you use the third-party content, we provide these third parties with your identifiers such as your IP address and Website Data. Without such data they would not be able to properly deliver the content to the requesting browser.

Some of the third parties may process data outside of the European Union and European Economic Area. For more information on data transfer please see above in “Data transfers and how we share personal data”.

Integration of certain Google services

Our website and the Web App use Google Maps enabling you to conveniently use the map function directly on our website or in the Web App.

When you use the Google Maps feature, we collect your Website Data. We use this information to provide you with the Google Maps integration. When you use this integration, we also share your Website Data with Google. If you are logged in to a Google Account, Google may associate your data with your account.

For more information about the purpose and scope of processing by Google, please refer to Google’s privacy policy. There you will also find further information about your rights in this regard and settings options to protect your privacy: policies.google.com/privacy.

Sharing such information with Google may constitute a “sale” of personal data under the CCPA. To exercise your rights to opt-out of such sharing, please see the page “Do not sell / Data access request” available on this site or contact using the contact details provided above in “Who we are and how to contact us”. Please note that if you opt out of sale we may not be able to provide you with the Google service.

We use Google reCAPTCHA on certain pages of our web pages. The purpose of reCAPTCHA is to check whether the data input on our webpages (e.g. in a contact form) is by a human or by a bot. For this purpose, reCAPTCHA analyzes the website visitor’s behavior based on different characteristics. This analysis starts automatically as soon as the website visitor enters the website. For analysis purposes, reCAPTCHA evaluates various information (e.g. IP address, time spent on the website or mouse movements). The data collected during the analysis is forwarded to Google. The analyses can run completely in the background. Website visitors are not necessarily notified that an analysis is taking place. Further information about Google reCAPTCHA and the Google privacy policy can be found at the following links: policies.google.com/privacy and google.com/recaptcha/about.

The provider of Google services is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.

Integration of certain analytics and marketing services 

We use services provided by Hotjar Limited (Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta) to better understand our website users’ needs and to optimize the experience by for example tracking how much time users spend on which pages, which links they choose to click and so on. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes for example a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (device identifiers), browser information, and geographic location (country only). The service stores this information on our behalf in a pseudonymized user profile and does not sell the data collected on our behalf. The legal basis of our processing your data by HotJar is your consent as per GDPR article 6.1(a) which we request via the cookie consent manager implemented on our website. If you consented to cookies set by Hotjar, you can withdraw your consent on their website at https://www.hotjar.com/privacy/do-not-track/ or by adjusting your cookie settings either in the cookie consent manager implemented on our website or in your browser. 

We use services provided by Drift.com, Inc. (222 Berkeley Street, 6th Floor, Boston, MA 02116, U.S.A.). Drift provides us with a chatbot which we use to engage with website visitors subject to the visitor’s consent to marketing cookies via the cookie consent manager implemented on our website. Drift.com does not sell the data collected on our behalf. The service may use your IP address to check if it is associated with a business for us to determine whether you or your company could be interested in our services. Your consent is the legal basis of our processing your data by Drift.com as per GDPR article 6.1(a). If you have consented to cookies set by Drift.com, you can withdraw your consent by adjusting your cookie settings either in the cookie consent manager implemented on our website or in your browser. More information about Drift.com and their privacy practices can be found here: https://www.drift.com/gdpr

Video hosting

We may display videos on our website or offer videos to logged-in users in the Web App. Videos are hosted for us by a third-party service provider, currently Wistia (120 Brookline Street, Cambridge, MA 02139, U.S.A.). When you watch videos on our website, we collect identifiers and your Website Data. We collect this information to provide you with the requested videos. We share this information with the third-party video provider. Such third-party providers may process personal data for their own purposes. Please review Wistia terms and policies available at wistia.com/privacy. We may also embed videos from other services such as YouTube (provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A.). You can review the YouTube privacy practices here: policies.google.com/privacy. These service providers are subject to change and we encourage you to review their privacy practices when using the relevant service.

Sharing such information with Wistia, YouTube, or other video service providers may constitute a “sale” of your personal data under the CCPA. To exercise your right to opt-out of such sharing please see the page “Do not sell / Data access request” on this site or contact using the contact details provided above in “Who we are and how to contact us”. If you opt out of sales we may not be able to provide you with these services. 

Social networks integrations

Some social network plug-ins are integrated in our website and services. When you use these plug-ins, we collect your identifiers and Website Data. We use this information to provide the social network integration in our website and services. We will also share your identifiers and Website Data with these social networks. The legal basis for processing your data provided to us via social media integrations is GDPR article 6.1(b) if you are using the social media to register or sign in to our services. Additionally we process your data based on GDPR article 6.1(f) to provide easy access to social media outlets via our website and also to improve our services by making them more interesting and convenient to you as a user.

The social networks may process your personal data for their own purposes. Please review their policies to learn more:

  • GitHub - help.github.com/articles/github-privacy-statement

  • Google - policies.google.com/privacy

  • Twitter - twitter.com/privacy

The social media integrations are provided for your convenience and are subject to change. Always review the current social media providers and their privacy practices when interacting with us through such providers. We do not have any control over these social media networks and how they process the personal data they collect. Please refer to their privacy policies and privacy controls. Please note that the social media networks may transfer your data to countries outside of the European Economic Area (such as the United States of America). Since the social media networks collect data also via cookies, we recommend you familiarize yourself with their cookie practices and check the cookie settings in your browser.

Sharing your personal data with these social networks may constitute a “sale” of your personal data under the CCPA. To exercise your rights to opt-out of such sharing, please see the page “Do not sell / Data access request” available on this site or contact us using the contact details provided above in “Who we are and how to contact us”. If you opt out of sale we may not be able to offer these integrations to you. 

Using our services 

This section describes how we process personal data and customer content in the Contentful services. This is in addition to “Data collection on our website and our services” above which is focused on third-party integrations generally across our website and Web App and how we collect and process Website Data.

Personal data in the context of our services includes

  • data related to you as the user of our service (that is, when you are logged in as a registered user), such as identifiers like email address and IP address

  • personal data that may be included in the customer content managed in our services if our customers choose to manage such content in our services - typically, though, the content managed in Contentful is editorial or marketing content intended for publication on the Internet that doesn’t include personal data, and

  • request headers in the API calls from customer applications (like websites to which the customer content is delivered from our service) can include personal data such as IP addresses that may belong to the end user of the customer application - like in any Internet service.

Purposes and legal basis for processing personal data

In respect of any of the personal data mentioned above, to the extent required to provide our services, we process such data as a data processor on behalf of our customers pursuant to an agreement with such customer. The legal basis for such processing is GDPR article 6.1(b).

To register for our services, we collect your identifiers such as your email address, name or alias, and IP address. We will also collect the date and time of registration and log-ins and log the actions taken in the services. For paid use of our services, we will also request additional personal data from you or your organization, including identifiers such as address and payment details. Due to mandatory commercial and tax regulations, we are obliged to keep your address, payment and subscription data for a period of ten years. We share your identifiers and payment information with our service providers for service provision and payment processing purposes.

We collect Website Data from logged-in users and combine it with identifiers (such as your signup data) and information about how you use our services as well as firmographic data about the business you work in and your role in that business. In such cases we process the data as a controller based on GDPR article 6.1(f), our legitimate interests to provide our product development and engineering teams with accurate usage data and to make our customer success operations, marketing and sales messages more helpful and relevant. We will retain the data for as long as we consider the data being valuable for purposes of product development, customer success and support as well as marketing.

To the extent that we use any tracking technologies, such as cookies, the legal basis for processing such data is GDPR article 6.1(a) in respect of data originating from the European Union, that is your consent that we request via a cookie consent manager implemented in the Web App (see in “Account Settings” in the Web App). Please see the separate cookie notice on this site available via contentful.com/legal.

Customer content published through our services and end user interaction

This section explains how the Contentful services work. This section doesn’t apply to anyone visiting our website or using our services but the actual operation of our content management infrastructure and services.

Logged-in users can upload to (or create in) our services a variety of content such as texts, images and videos. Such content is typically non-sensitive editorial content that our customers wish to publish, such as marketing, news articles or product information. Such customer content may occasionally include personal data, such as images of individuals. Our customers are responsible for the customer content uploaded to or authored in our services. We will only process such customer content as necessary to provide our services. Customer content is hosted in our services running on Amazon Web Services in the United States of America and delivered via globally distributed Content Delivery Networks (“CDN”) as described in our FAQs available on this site via contentful.com/legal. If you have questions about personal data possibly processed in our services as part of customer content, please contact the applicable customer who controls that content.

We allow our customers to integrate their web and mobile applications with our services to deliver customer content into such applications. This happens through an application programming interface (API). The customer applications and data they collect from end users is under our customers’ control and their responsibility. We merely log the “request header” (such as browser information, operating system and IP address) of an end user from the API request to be able to properly deliver the customer content to the customer application. That's basically how any Internet service works. We process this data for purposes of providing our services in accordance with our customer agreements. The legal basis for processing is GDPR article 6.1(b) (customer contract). We do not have any means to trace such data back to individual end users of customer applications because we have no other information on them and our customers must not provide us with any such end user information. If you are a visitor of an application or a website, the contents of which are delivered from our services, the privacy policy of the provider of such app or website applies, not this privacy notice.

Support tools; Intercom and Zendesk

To be able to communicate better with our customers and users of our services, we use Intercom as a communications tool and Zendesk as a customer support tool on our website and in the Web App. For the chatbot integrated on our website, please see in “Integration of certain analytics and marketing services”. 

This involves transferring your data to Intercom Inc. (Intercom R&D Unlimited Company, Dublin, Ireland, 2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2) and Zendesk Inc. (Zendesk Inc., 1019 Market St., San Francisco, CA 94103, U.S.A.). Such data includes your name or alias you use in our services as well as timestamp and IP address. Also, the contents of our communication are routed via the service provider platform. Intercom and Zendesk are both committed to complying with the European Union’s data protection regulations under a data processing agreement that incorporates the EU Commission approved “standard contractual clauses” (https://ctfl.io/link_to_EU_SCC) in accordance with GDPR article 46.2(c)).

To the extent that we use Intercom or Zendesk to communicate with you while you are logged in as a registered user, we process your data on the basis GDPR article 6.1(b), that is our contract with you to provide you with customer support and a communication channel between you and us, as well as GDPR article 6.1(f), that is our legitimate interest to ensure a more efficient and convenient user and customer support experience. If you are not logged in as a registered user, we process your data on the basis of GDPR article 6.1(f).

Please note that you may be able to request and receive support via other means too, such as those tools described in section “Contacting us and interaction in our communities”.

Apps and extensions in the Contentful Web App

It is possible to integrate various apps and extensions (together: “apps”) to the Contentful Web App. Such apps, that are available either directly in the Web App or via contentful.com/marketplace, are provided by the developer named in the app description. The apps may connect your Contentful spaces to third-party services and exchange data between them. Also, the apps, as well as such third-party services, may collect personal data for their own purposes.

Privacy and security of the apps and such third-party services are the sole responsibility of the developer and the provider of such third-party services, as applicable. Please review the applicable end user license agreement and other terms provided by the developer and the third-party service provider to familiarize yourself with their privacy practices. To learn more about the Contentful Marketplace, please visit the Marketplace page linked above. The terms and conditions applicable to the Marketplace itself (which are not applicable to the apps, extensions or third-party services) are available via contentful.com/legal.

We process your data in this context based on GDPR article 6.1(b), the Contentful marketplace agreement between you and us.

Contacting us and interaction in our communities 

In this section we give an overview of data collection and processing when you interact with us directly, not on our website or in our services.

General

We may use third parties to process the data you submit to us (our customer relationship management tools or providers of communication services) and we may combine such data with other data we may have, for example data regarding your subscription and contract in our billing tools or firmographic information about your business and your role in the business. We do this to ensure we provide the best possible customer support and user experience and we may also use the data for our product development and marketing purposes if we are legally allowed to do so, including through the use of web beacons and pixels in our newsletters (additionally, please see “Marketing” and the separate cookie notice available via contentful.com/legal).

We do not have any influence over whether certain of such third-party providers process personal data for their own purposes. This can be the case if you e.g. use a social media platform to communicate with us. Please review the privacy policy of the applicable third party to ensure you are aware of such processing. For general information about our sharing and transferring personal data, please see in “Data transfers and how we share personal data”. If such sharing constitutes a “sale” of your personal data under the CCPA, you may be able to exercise your rights to opt-out of such sharing. In such a case, please see the page “Do not sell / Data access request” on this site or contact using the contact details provided above in “Who we are and how to contact us”. If you opt out of such a sale we may not be able to provide the relevant service to you. 

Contact forms and support requests

There are various ways to contact us, for example by email or by using contact or support forms or a feedback tool on our website or via various social media platforms. If you contact us, we collect your identifiers such as your email address or social media profile name, and other personal data you choose to include in such contact. We will use your personal data to respond to your inquiry. If you do not provide us with any additional information we may request, we may not be able to properly handle your request. The contact forms or the applicable web page will inform you in more detail about the use and sharing of your personal data in that specific context (for example a sign-up form may explain with whom we may share data for that specific sign-up, such as for an event). 

The legal basis for processing your data is GDPR article 6.1(f) and 6.1(b). The former, to be able to address your inquiry and provide you with the information and services you request and to improve our services. Additionally, the latter, if the contact is made with the intention of concluding a contract or if you are already a Contentful customer, for example to provide customer support that you may request.

Because the communications services we may use are subject to change, please contact us to inquire what services we use at any given time. For customer communications and support services we typically use (Intercom and Zendesk), please see also in “Using our services” to read more about these communication tools.

Your interaction in our communities

We currently provide contentfulcommunity.com and our Slack channels for additional communication with us and other Contentful users and interested parties.

In both forums, when you post messages, your profile is linked to your posts. The profile details can be removed through anonymizing your profile if you ask us to do so or if you delete your profile or cancel your account. However, your posts are usually kept even after you delete your profile or account. The posts will then link to an anonymized profile. Therefore, you should not post anything that you do not wish to be published and kept public. We will, of course, work with the service providers to remove posts if you request us to do so. This may lead to deletion of entire discussion threads and not only a single post. However, in Slack channels you will be able to delete your own messages one by one.

If you or we delete your post, we may still process the email address, the name provided and other voluntary information up to the expiry of any applicable statutory limitation periods for purposes of detecting and preventing misuse and for purposes of possible legal claims. We may also use your personal data to contact you for any legitimate reasons related to the use of the forums, such as suspected misuse or abuse. We do not pass the data on to third parties except the service providers running the underlying service, unless we are obliged to do so by law or transmission is necessary for the enforcement of our legitimate interests. In each such case we process your personal data for our legitimate interests in accordance with GDPR article 6.1(f) for purposes of such legal actions.

Retention period for your data in these communication channels may vary depending on the type of data and our agreement with the service providers from time to time. Please reach out to us by using the contact details provided above (see “Who we are and how to contact us”) if you want to know more or wish to delete your data that you cannot delete yourself.

Contentful community

Contentful provides a discussion forum available at contentfulcommunity.com. You can participate in the forum by using your Contentful credentials via single sign-on. When you log in and post in the forum, we collect your identifiers such as your Contentful credentials, email address, and username, as well as any other personal data you choose to include in a post. We use your identifiers to manage user log-ins and users in the forum.

We process your personal data based on GDPR article 6.1(f) where our legitimate interest is to provide Contentful users and interested parties with a community to share their experiences of using Contentful services and to enhance the user and customer experience for example by way of providing a channel for best practice sharing.

The forum is based on an open source project by Civilized Discourse Construction Kit, Inc. who also hosts the forum. Please note that Civilized Discourse Construction Kit, Inc. (8 The Green,Suite #8383 Dover, Delaware 19901, U.S.A.) also processes data for their own purposes to provide the underlying hosted service. For such privacy practices please review their privacy policy available at discourse.org/privacy. The vendor is committed to complying with the European Union’s data protection regulations under a data processing agreement that incorporates the EU Commission approved “standard contractual clauses” (https://ctfl.io/link_to_EU_SCC) in accordance with GDPR article 46.2(c)).

To the extent sharing such information is a “sale” under the CCPA, you may be able to opt-out of such sharing on the page “Do not sell / Data access request” available on this site or by contacting using the contact details provided above in “Who we are and how to contact us”. Opting out of such a sale, you may not be able to use the service. 

Slack channels

Contentful offers various Slack channels for purposes of communicating with us and other Contentful users or interested parties. These channels are provided to us by Slack Technologies Limited (One Park Place, Upper Hatch Street, Dublin 2, Ireland). Use of Slack is subject to Slack’s own terms available here: slack.com/terms-of-service/user.

When you use the Slack channels, we collect your identifiers and other personal data you choose to submit to the channels. We will process your personal data in this context as the administrators of the Contentful Slack channels for purposes of managing the channels and our relationship with you. The data we process is such that you will voluntarily submit in Slack channels (such as your posts) and your sign-up information or data that we have from you or your organization to enable inviting you to the Slack channels. Our processing is based on GDPR article 6.1(f) where our legitimate interests are to provide Contentful users and interested parties with a community to share their experiences of using Contentful services and to enhance the user and customer experience for example by way of providing a channel for best practice sharing.

From time to time we may integrate third-party services with Slack. Such third-party services may share information from such services with Slack or vice versa. Please review your privacy settings in such services to manage data sharing from such third-party services.

To learn how Slack processes personal data, please review the Slack privacy policy available here: slack.com/privacy-policy.

We have contracted with Slack Technologies Limited in Ireland where Slack is subject to the European Union’s data protection regulations. Additionally Slack is contractually committed to complying with the European Union’s data protection regulations under a data processing agreement that incorporates the EU Commission approved “standard contractual clauses” (https://ctfl.io/link_to_EU_SCC) in accordance with GDPR article 46.2(c)). 

Video conferencing

When attending a video conference organized by us, your personal data will be necessarily processed. 

Such data includes: identifiers (such as name, email address, optional profile photo), content (such as voice and video calls, chat messages, files, whiteboards and other information shared in the video conferencing service), metadata related to the meeting and telephony or other connectivity data (such as meeting topic, start and end time, participant IP addresses, device/hardware information, phone number). 

Contentful currently uses services provided by Zoom Video Communication, Inc. (55 Almaden Boulevard, Flr 6, San Jose, CA 95113, U.S.A.)

While using Zoom, some data will be disclosed to other call participants and to meeting hosts. For example, when you attend a meeting, your name may appear in the attendee list. Turning on your video camera, your image and possibly your surroundings will be shown. If you send chat messages or share content or your screen, they can be viewed by others in the chat or the meeting.

Calls will not be recorded without permission. Contentful meetings that are primarily internal, such as company-wide town halls and training sessions, are recorded by default to allow later viewing by those who could not participate in the live session.

Contentful processes personal data for these purposes based on legitimate business interests (effective communication with relevant stakeholders) in accordance with GDPR Article 6.1(f). If the video conference relates to a contract, we additionally process data based on GDPR Article 6.1(b). Where applicable, call recording is based on consent as per GDPR article 6.1(a). Data is retained for as long as reasonably needed for each specific purpose.

Personal data will generally be shared with Zoom to provide the underlying service. Recordings may be stored in Zoom cloud or other repositories such as Google Drive. Meeting invitations, which may include personal data, are typically sent using email and calendar services provided by Google. Both providers are committed to EU data protection principles under data processing agreements containing the EU Commission approved “standard contractual clauses” (https://ctfl.io/link_to_EU_SCC) in accordance with GDPR article 46.2(c)).

Newsletters, whitepapers and reports

This section explains how you can subscribe to or otherwise obtain more information about our company. Please note that we address marketing communications in a separate section below (see “Marketing”): for example if you are an existing customer and have not unsubscribed from such communications, you may receive marketing communications from us as explained in that section.

You may have the possibility to subscribe to email newsletters on our website, which we use to inform you regularly about various topics related to our company and services. You may also have the opportunity to download white papers and reports from our website. In such cases you may also have the opportunity to opt in to receive marketing communications from us.

When you subscribe to a newsletter or when you download whitepapers or reports, we collect the personal data requested in the applicable form, such as email address to be able provide the requested information and materials. Processing your personal data in this context is based on GDPR article 6.1(f) where our legitimate interest is to promote our company by serving you with information and materials that you are interested in. Additionally we may ask your permission in such request forms to approach you with marketing communications. Giving your permission is of course optional. In such a case processing your data is based on your consent as per GDPR article 6.1(a), as may be applicable to you. All our newsletters include a link to manage your subscription preferences: you can always opt out of our newsletters. You can also always contact us through the contact details given above in “Who we are and how to contact us” for assistance.

We analyse how recipients interact with the newsletters. They may contain so-called web beacons or tracking pixels. We use them to collect your identifiers such as your email address and to collect your internet activity, such as when the newsletter is read and which links are clicked. We use this personal data, combined with other personal data we may have on you, such as your employer as well as your role in that organization, to create inferences about you. We use this data to tailor the newsletter to your inferred interests and your organization. We perform this type of analysis and process the related data for as long as we reasonably believe that you (or your organization) could become or remain a customer. After such time or after you have opted out of such communications, we retain contact details to ensure we no longer send newsletters to those who have unsubscribed. The legal basis of this kind of processing is GDPR article 6.1(f) where our legitimate interest is to analyze the use of our newsletters and to optimize and tailor them to provide more suitable information to the subscriber.

Surveys and user research

We occasionally send out surveys, conduct user and other research and may invite you to participate in such surveys and research so that you can provide us with your feedback and ideas. Participation in our surveys and user research is of course voluntary.

We will process personal data in that context for purposes of our legitimate interests in accordance with GDPR article 6.1(f): to provide our product development and marketing teams with relevant information and to enable such research projects, for example to organize meetings and video or phone calls. To record video or audio calls or to make screen captures, we will ask for your permission. In such cases processing your data is subject to your consent in accordance with GDPR article 6.1(a), as may be applicable to you.

The surveys and research may take different forms from face-to-face discussions to video or audio calls or online survey forms. You may be able to participate via different methods, such as via our website, through a third-party website or a survey form. Please note that such third-party tools (such as web forms or survey tools that you may be directed to) may process personal data for their own purposes, such as via cookies. Because third-party tools are subject to change, please ask us at the time of participating if you would like to know more.

In each case we will collect your identifiers such as your contact details and IP address, as well as sensory information such as video and audio recording (if you give us your consent, where applicable). A video usually captures your device screen while you are interacting with our services but may also capture images of you or your surroundings. An audio recording typically captures your comments while you use our product and your answers to our questions. We will also collect the personal data that you voluntarily give to us in such surveys and research, for example as may be included in your answers.

We collect and use your personal data to the extent needed to carry out the research and to stay in touch with you for any possible follow-up. We may share your personal data, including your identifiers and sensory information, with third parties who act as our service providers. Such service providers are subject to change, so please ask us at the time of participating in the research and familiarize yourself with the privacy practices of the applicable provider.

We will keep the research data, including your personal data, for as long as we consider the research data to be useful for example for product development purposes. The exact time depends on the research, the answers and the possible use case.

Visiting our premises; events and training 

In this section we describe how personal data is processed when we are in touch in person or for example in an online training environment.

Visits

When you visit our offices, we collect identifiers such as your name, surname, phone number and email address). We use this information to organize reception and your meetings. We share this information with our visitor management system that will connect to our communication tools (chat, email and calendar systems), alerting your host. These services are provided by third parties located outside of the European Economic Area, mainly in the United States of America. We currently use services provided by Envoy Inc. (410 Townsend St. STE 410, San Francisco, CA 94107, U.S.A.) for this purpose. Please see “Data transfers and how we share personal data” for information on how we share personal data and how it is protected.

Depending on the purpose of your visit, the legal basis for processing your data will vary and the retention period for your data will depend on the legal basis. For example, if you are a customer or a potential customer or a supplier, we will process your data based on GDPR article 6.1(b), that is our contract or intended contract with you, and 6.1(f) where the legitimate interests are related to security of our employees, premises and information as well as our business interests related to your visit. If you are a job applicant, please see our Privacy Notice to Candidates available on this site via contentful.com/legal.

We also collect sensory data through the use of closed-circuit television (CCTV). We have CCTV in operation in our offices directed at entrances to capture anyone entering and exiting our offices. We use this information for security purposes to prevent and detect burglary and vandalism on the basis of GDPR article 6.1(f), our legitimate interests. CCTV footage is stored locally for a maximum period of 72 hours. To the extent that CCTV is operated by the building management or other third party (like in shared office buildings where we do not maintain or control the facilities), please inquire with such third party. 

If you are a contractor, you may receive an electronic key or a key card. We collect identifiers through the use of such keys. The identifiers are linked to the holder of the key. When you open doors at our offices using your electronic key, we collect access information (timestamp and user ID). We use this information for security purposes to prevent and detect burglary and vandalism as per GDPR article 6.1(f). This information is stored locally until the memory is full and overridden by new entries.

Events

Contentful organizes, hosts or participates in various events. These may take place at our offices (please see “Visits” above) or at third-party venues. If you attend an event, we collect identifiers such as your contact details. We use this information to organize and manage these events and to contact you afterwards for follow-up and marketing purposes (for marketing, please see the section “Marketing” below). The legal basis for processing your personal data related to events depends on your relationship with Contentful. For example, if you are a customer or a prospective customer, the legal basis will be GDPR article 6.1(b), that is your contract or intended contract with us, and 6.1(f), where the legitimate interests are related to organizing and managing the events and our legitimate marketing purposes.

You can register as a guest or a speaker on our website or via a separate registration form that we may send to you. When you register, we collect identifiers such as your contact information and other personal data that we reasonably need to organize and manage the related event.

Certain events may allow you to register for various meetup groups via third-party services (such as meetup.com). When you register through a third-party service, the third-party service will share certain personal data with us. Please refer to the privacy policies of such third-party services (for example meetup.com/privacy) and their privacy settings to control the data they share with us.

We may share your identifiers and other registration information with third-parties or also receive personal data from third-parties (e.g. event hosts and organizers and third-party platforms or services used to organize events or our business partners participating or jointly organizing the event) for purposes of registration and for organizing and managing events and for example to dispatch event materials. Some of these third parties may be located outside of the European Economic Area (please see “Data transfers and how we share personal data” above). Please refer to the third party’s privacy policies to review and control the data that you have allowed them to share.

We will retain your data for as long as it is necessary to organize and manage the event and for follow-up and marketing communications (see “Marketing” below). If you are a customer, we may retain the data for as long as required for purposes of the customer relationship.

Training; Webinars

We may provide you with opportunities to participate in training and webinars. If you wish to participate in on-site training, please refer to the “Visits” section above. Training may also be organized by or with third parties, for such training please see “Events” above. In each case (whether on-site or online training or webinars) we will make additional and more detailed information available in conjunction with the training (e.g. by linking relevant privacy policies to our learning portal or the web page or registration form that we may use). Feel free to approach our organizers for more information on processing your personal data or get in touch with us via the contact details provided above (see “Who we are and how to contact us”).

Data processing may vary depending on the venue, partners and organizers or tools and facilities used to provide the training. In some instances, if we record the training, we will collect your sensory data as may appear in such recordings. The organizers or host venue may also collect additional personal data for their own purposes. Please refer to their privacy notices for their use of your personal data.

When we provide online training or webinars, we share your personal data with third parties to facilitate the provision of training content (such as online video or webinar providers or third-party learning management portals) or the business partners participating in or facilitating such training or webinars. Some of such providers (especially online training service providers) may reside outside of the European Economic Area, e.g. in the United States of America (please see “Data transfers and how we share personal data”above). We currently use TalentLMS (Epignosis LLC, 1209 Orange Street, City of Wilmington, Delaware, DE 19801, U.S.A.) as an online training portal. Please review their privacy practices here: talentlms.com/privacy.

For some training opportunities we may provide you with the opportunity to take exams or certify, for instance as a “Contentful Certified Professional”. In such cases we may share personal data with third parties, such as our partners, customers and interested parties, whether your certification is valid.

Processing your personal data for training purposes is based on GDPR article 6.1(b) if you have a contract with us for such training, and additionally GDPR article 6.1(f) where our legitimate interests are ensuring a better customer experience and customer satisfaction and more efficient use of our services. The data is retained for as long as reasonably necessary for the training purposes and any legitimate follow-up, such as for certification purposes.

Marketing

In this section we elaborate on our marketing practices. Please note that our cookie notice available on this site as well as other sections of this privacy notice may be relevant for marketing purposes too, such as “Newsletters, whitepapers and reports”. 

Email marketing

We send various email newsletters and marketing messages to different groups of customers and those who have expressed interest in receiving such messages from us (for example by expressing their interest at an event or by opting in in a web sign-up form). By way of example, we may send developer newsletters to customers and customer personnel that are likely to be developers. We may also send an enterprise newsletter to our enterprise customers and partner newsletters to our technology and solution partners. The newsletters may include offers from our portfolio, news articles, information about our company events or events that we will attend, technical information, updates from our blog and updates from the Contentful community.

The newsletters discussed above in “Newsletters, whitepapers and reports”, as well as other communications from us, may be considered marketing. We only approach existing customers in accordance with and on the basis of statutory requirements related to marketing (including in accordance with GDPR article 6.1(f)) or based on newsletter subscriptions or marketing consent you may have given in accordance with GDPR article 6.1(a), as may be applicable to you. We will not process your personal data for such purposes if you request us to not do so. In such a case we will block your data for the relevant marketing purposes when you cancel your newsletter subscription or otherwise object to marketing communications or withdraw your consent, where applicable. Our newsletters will always include a link to unsubscribe or to manage your subscriptions.

Marketing tools integrated in our website

We use various marketing tools integrated in our website. These tools use cookies and similar technologies, which are discussed in the separate cookie notice on this site available via contentful.com/legal. Many of the marketing tools set so called third-party cookies and thereby collect and process data for their own purposes. Some of them are based outside of the European Economic Area, for example in the United States of America. Their own use of data collected from our website is subject to their privacy policy available on their websites. Please review the cookie inventory available in the cookie consent manager implemented on our website and in the Web App for more details.

Use of cookie data for these purposes is based on your consent (GDPR article 6.1(a), as may be applicable to you) which we request via a cookie consent manager implemented on our website and in our Web App. In other cases, you can opt out of cookies by following the instructions in the cookie notice or by managing your cookie preferences in the cookie consent manager implemented on our website (see “Cookie Preferences” at the bottom of the page) and in the Web App (see the “Account Settings” page in the Web App). Sharing your personal data with these third-party marketing service providers may constitute a “sale” under the CCPA. To exercise your right to opt-out of such sharing, please see the page “Do not sell / Data access request” on this site or contact us by using the contact details provided above in “Who we are and how to contact us”. 

Security of personal data

We take appropriate technical and organizational measures to protect your personal data from unauthorized access, abuse, loss and other disruption. To this end, we regularly review our security measures and adapt them to current standards. Contentful is certified according to ISO 27001 standard and continuously invests in and improves its security practices. You can find out more by visiting our security page at contentful.com/legal/de/2017-01-31/security.

Previous versions of this document:
add-circle remove style-two-pin-marker subtract-circle