This document oultines Attio’s approach to data privacy, and its compliance with important data privacy legislation, such as the EU’s General Data Protection Regulation 2016 (“GDPR”) and the UK’s Data Protection Act 2018.
GDPR is a piece of legislation from the European Union that lays out the groundrules on how companies can use data that relates to people, so called personal identifable information (“PII”). GDPR gives further rights to individuals regarding their personal data, sets limits on what companies can do without the consent of people and imposes strict fines on companies that do not comply with the legislation. It entered into force in April 2018.
Importantly, GDPR applies even to companies that are located outside of the European Union as long as they process data from European Union citizens.
Due to the sensitive nature of the data Attio is processing, we see strong data protection as paramount for the success of our clients as well as our own success. We welcome GPDR and related data privacy legislation. And we see transparent communication and fair usage of personal data as an important step torwards a well-balanced and open internet.
Attio views all data that you upload or put into Attio as your data / the data of your organisation. The legal term we use for this is Customer Data. This means that from a legal perspective you, as the client, are the owner of all data on the platform. In data privacy speech you are a “Controller”. Attio acts a “Processor” and processes data for you and according to your instructions.
This means that we cannot use the data for any other purpose. For example, we would never sell your data to 3rd parties nor would we ever target you with advertising or similar things. It’s your data, our mission is to help you understand your data better and not to sell it.
If you are not a client or user of Attio we may also receive your personal data in our platform because one of our clients has uploaded your details within their account on our platform. In such circumstances, we are the processor of your personal data and we shall only process your personal data in accordance with our client’s instructions.
Yes, you can read our legal obligations on how we protect your data in clause 11 of our Terms and Conditions. In short, they are in line with GDPR and set out legally-binding standards for what we can and cannot do with your data. We engage with all our customers either under our Terms and Conditions or under a contract with similar obligations, this means you as a customer profit from these protections by default.
Further to this, clients can also enter into a GDPR Amendment which specifies the data protection obligations of Attio in detail. This can be signed in addition to our Terms and Conditions or any potential contract (if required).
Attio employes several, strict technical measures to protect user data. Among other measures we encrypt client data, make data only available to logged-in, idenitfied users on a per organisation level. We also offer permissioned-based account access for larger organisations.
You can contact us with any questions or comments about your Personal Data, this Policy or any other privacy related enquiries by emailing firstname.lastname@example.org.