DirectMail2.0 (DM2.0) is a cloud-based direct mail marketing technology platform intended to automate, report on, and enhance the effectiveness of direct mail marketing campaigns (“Services”). The primary use of information via DM2.0 is to identify for Partners and Customers when direct mail campaigns have been received, opened, and when direct mail campaigns actually generated a response from recipients. This enables Partners and Customers to have access to useful information about the effectiveness of their direct mail campaign efforts.
Third Party Platforms. The delivery of DM2.0 Services is fulfilled through various digital technologies that are owned and operated by third parties (“Third Party Platforms”) and made accessible in one platform through DM2.0 for the benefit of DM2.0 customers, partners and their clients (“Customers”). Users of DM2.0 should note that each Third-Party Platform has its own end user license agreement (“EULA”), privacy/security policies, and terms of use (collectively “Third Party Requirements”) that apply to Customer’s use of these Third-Party Platforms through DM2.0.
DM2.0 has no control over Customer information maintained in Third-Party Platforms. As a result, Customers should be aware of how information is collected and maintained in Third-Party Platforms and the steps Customers can take to further protect their information when using DM2.0. Customers must also ensure that website privacy policies adequately describe the use of Third-Party Platforms as required by applicable law.
DM2.0 Not Intended for Protected Information. Customers of DM2.0 should understand that DM2.0 is not intended to be used to create, receive, maintain or transmit protected health information (“PHI”) governed by HIPAA, or other highly sensitive information about individuals that are afforded special protections under State and/or Federal Laws (collectively “Protected Information”). While DM2.0 and Third-Party Platforms have practices and systems in place intended to protect the privacy and security of information (SOC 2® Certification), Customers agree not to store Protected Information in DM2.0 or Third-Party Platforms. Customers that anticipate Protected Information being disclosed over the phone should not utilize the DM2.0 Call Tracking Service. Customer also agrees to ensure that each of its users is aware of the requirements of this Privacy & Security Policy. While this Privacy & Security Policy is intended to summarize the privacy and security practices related to the Services offered through DM2.0, Customers are responsible for reviewing and complying with the applicable Third-Party Requirements as well.
Customer Tools for Managing Privacy & Security. In DM2.0, Customers have the ability to select and/or deactivate certain functions to further ensure the privacy and security of Customer information. Customers seeking to afford extra levels of privacy and security to their information should contact privacy@dm20.com for more information about these features. For example, in the DM2.0 portal, DM2.0 offers a “privacy restricted campaign” feature that users can select to add an additional layer of privacy/security for a specific mail campaign, restrict the information uploaded into the DM2.0 platform and/or the ability to purge mailing list data. Customers should configure their accounts based on the state laws applicable to their campaign. Customers should also ensure that users are managed by Customer to ensure that only authorized users have access to Customer information.
General Data Collection, Storage & Use. DM2.0 Services are offered to provide Customers with tracking and reporting metrics on the status of direct mail campaigns. Unlike mail houses or similar services, DM2.0 has very little interaction with actual communications between Customers and their mailing recipients. Rather, DM2.0 is intended for and configured to only collect and store postal mailing information and in limited situations, email addresses and other user defined fields when provided by Customers. Customers should understand that if Customer or its end users choose to maintain or transmit Protected Information in DM2.0 platforms, DM2.0 cannot guarantee the privacy of such information and the information may be accessible by Third-Party Platforms, whose policies shall apply.
SOC 2 Certification. DM2.0 was first awarded this certification in 2023. To maintain this status, DM2.0 must pass annual audits, penetration and hacking tests that show compliance with the current privacy and security standards required to handle and store PII and PHI.
How DM2.0 Uses Mailing Addresses. Postal mailing addresses are used by DM2.0 on behalf of Customers to initiate digital campaigns and mailings as needed to fulfill the advertising services DM2.0 has been engaged to perform.
Third Party Platform Disclaimer. DM2.0 specifically disclaims any and all warranties related to Third Party Platforms and makes no representations about the privacy or security of such Third-Party Platforms. However, Third-Party Requirements describe a range of privacy and security controls in place that are intended to protect Customer information.
Customer Provided Data. All data involving mailing campaign(s), including but not limited to mailing lists, designs, and customer information provided to DM2.0 as needed to receive services from DM2.0 (“Customer Data”), may be used by DM2.0 as needed to fulfill the services DM2.0 has been engaged to provide. DM2.0 does not share or sell customer data to any 3rd parties unless those 3rd parties are technology partners that are necessary to deliver the customer’s campaign, i.e., Facebook, Google and Simpli.fi. However, DM2.0 may use de-identified aggregated data that does not specifically identify individuals or the Customer (“Aggregated Anonymous Data”). By using DM2.0, Customer acknowledges and agrees that DM2.0 may obtain and use Aggregated Anonymous Data it captures or comes in contact with through use of its Services. DM2.0 may use the Aggregated Anonymous Data to analyze, improve, support and operate the Services. DM2.0 may also use Aggregated Anonymous Data for any business purpose, during and after the term of any Customer agreement, including without limitation to generate industry benchmarks or best practices guidance, recommendation or similar reports for distribution to and consumption by Customer and other DM2.0 customers and prospects. In all cases, the Customer will not be identified unless prior approval has been obtained.
Feedback & Campaign Results Utilization. If Customer provides suggestions, comments and feedback regarding the Services, including but not limited to usability, bug reports and usage results, (collectively, “Customer Feedback”), DM2.0 may make, use, copy, modify, sell, distribute, sub-license, and create derivative works of the Customer Feedback as part of any of DM2.0’s products, technology, services, specifications or other documentation. In addition, DM2.0 may, in its sole discretion, use Customer’s campaign results and analytics, to include the number of calls received and website visitors, for both internal product development purposes, as well as marketing materials to be published to third parties. If DM2.0 uses Customer Data or Customer Feedback for such purposes, DM2.0 will not identify the Customer as the source of the information.
AWS (Amazon Web Services). This is DM2.0’s primary hosting and data storage provider. This is where all of the data used and collected resides as well as the code and application servers that host the DM2.0 platform. Links to their privacy and security docs can be viewed here: https://aws.amazon.com/privacy/
Netlify. This is DM2.0’s UI web development platform. Netlify distributes and hosts our white label UI features and provides a framework for us to build, scale and deploy future-proof, composable web experiences. Links to their privacy and security docs can be viewed here: https://www.netlify.com/privacy/
USPS/Informed Delivery. Processed mailing lists are shared with USPS Informed Visibility and Informed Delivery. DM2.0 only discloses IMb digits to the USPS for these services. No personal information is disclosed. The USPS Privacy Policy can be viewed here: https://faq.usps.com/s/article/Informed-Delivery-Privacy-Security-Concerns.
QR Code Tracking. DM2.0 offers many options of QR code use and tracking, from personalized (where each code identifies a unique person or takes the scanner to a personalized unique URL) to static, where all scans are anonymous and go to the same site without the ability to know who scanned. The technology was created and built by DM2.0 and no 3rd party vendors are used for this service. Information stored on DM2.0 AWS servers and reported is the scan frequency and some information on where the scan originated in terms of location, browser, device type, etc. There is no personally identifying information from the scan itself unless the Customer utilizes personalized codes or URLs, in which case personally identifying information about who scanned the code, and when and where it was scanned, is aggregated and reported on. This information is not shared with anyone but the Customers.
Call/Text Tracking. DM2.0 partners with Twilio and Trestle for call and text tracking. The information returned by Twilio and Trestle is password protected and stored on the DM2.0 AWS servers. The Call Tracking services include a feature to inform callers that the call may be recorded. Customers should confirm this feature is activated and in compliance with the state laws that apply to Customer. Recorded phone calls are ONLY accessible to the client the calls were made to. DM2.0 does not have access to recorded phone calls. The text tracking is response based only; it is not an outbound text, so no opt-in is required. The Call/Text Tracking feature is not currently offered to Customers governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and/or other similar privacy laws, and Customers should not utilize the Call/Text Tracking service for Protected Information. Compliance with all laws applicable to the recording of calls remains Customer’s sole responsibility, including obtaining all necessary consents. Customer assumes full responsibility for compliance with all applicable laws related to the recording of calls, and fully releases and holds harmless DM2.0, its affiliates, officers, and agents for all damages, costs, third party claims related to Customer’s use of the call recording service offered by DM2.0. The DM2.0 call recording service is offered through Twilio & Trestle. Customers should review Twilio & Trestle’s security and privacy policies here: Twilio: https://www.twilio.com/legal/privacy Trestle: https://trestleiq.com/privacy-policy/. Customer must comply with Twilio and Trestle’s Third-Party Platform Requirements, and ensure that Customer, and any clients of Customer, have included required information in any applicable privacy policies related to the use of these services.
Advertising & Ads. DM2.0 deploys all ad campaigns via the following Third-Party Platforms: Google Network, Facebook and Simpli.fi. Customer must ensure compliance with each of these Third-Party Platforms’ advertising policies. DM2.0 has no special rights or access to any data going to or from each of these Third-Party Platforms. DM2.0 has no control over the ads these Third-Party Platforms will or will not accept. DM2.0 does not give, share or receive any personal information on ad targets belonging to clients of Customers in relation to advertising and ads through the Third-Party Platforms described in this paragraph. Each Third-Party Platform’s Privacy Policy and advertising policies can be reviewed by clicking the respective link below. Customer is responsible for ensuring that the requirements of applicable law are complied with when using these Services, including the requirement to inform individuals about how information is used in any applicable privacy policies.
Google: https://policies.google.com/privacy?hl=en-US
Facebook: https://www.facebook.com/policy.php
Simpli.fi: https://simpli.fi/services-privacy-policy
Email Notification of Mail Delivery. This is an opt-in service where the Customer must supply emails with the mailing list. These emails are only used to notify the mail recipient of imminent mail piece delivery, and not an advertisement or part of any continuing campaign. End users or email recipients can opt out of any future campaigns with a single click. The technology was created and built by DM2.0 and no 3rd party vendors are used for this service.
Personalized Landing Pages. DM2.0 now offers personalized landing pages. DM2.0 self-hosts these pages for our partners and clients on our secure AWS cloud platform. The purpose of these pages is to confirm and capture leads for clients from the campaign. The default privacy policy mirrors the DM2.0 general privacy policy, but the partners/clients can replace it with any personalized policy related to their business. The leads captured are for the exclusive use of the client and are not shared with anyone else, and DM2.0 does not contact them either.
LEADMatch Services. Privacy laws are constantly evolving, so it is important for Customers to ensure they take appropriate steps when using LEADMatch Services. When utilizing LEADMatch, Customer represents that: (a) no terms of use, privacy policy, or representations made to Customer website visitors will be violated by such pixel use; (b) Customer will require each website (including websites of Customer’s clients) utilizing LEADMatch to display privacy policies that disclose applicable data collection practices, including the types of data collected and purposes for which data is collected by or transferred to third parties, plus working mechanisms that conspicuously enable consumer opt-outs and do-not-sell requests in accordance with applicable laws; and (c) the use of pixels will not be used in conjunction with any website or application directed to children under the age of 16, or in any manner implicating the Children’s Online Privacy Protection Act. DM2.0 and Third-Party Platforms reserve the right to exclude any use of pixels that does not comply with these terms. The current Third-Party Platform used by LEADMatch is NuCitrus. Customer must read and comply with the Third-Party Requirements for this vendor. See: https://nucitrus.com/privacy-policy
With permission and placement of the pixel by the client, the LEADMatch pixel returns LEADMatch vendor-provided data to DM2.0. A variety of matching and cross referencing of data is used to perform matches. First, the data fragments obtained (hashes, entry points, etc.), IP details, visitor behavior sets, device info, geography context and any third-party cookies are analyzed; these initial data points are then enriched further using key data partners including an internal data set to perform additional matches. Once a match is identified, an additional database cross reference is performed to achieve peak accuracy. Data points are acquired in real time at multiple data fragments and are related back to real time user information. For example, if an IP indicates California but the geography fragments and cookie behavior indicate New York, the data set is then further analyzed from both historical and third-party perspectives, providing a full verification before updating or denying the new location’s accuracy (i.e., did the customer move or were they on vacation). This is happening all the time (in real time). The data is changing as quickly as possible without the need of having to do “refreshes” on stale data.
Personally Identifiable Information (PII) & General Data Protection Regulation (GDPR)
The technology and its data are sourced from public records such as public real estate transactional recordings. The service attempts to collect the postal address from website visitors. Because postal addresses are publicly available, there is no personally identifiable information provided, as we are not identifying the person in the home who made the visit, only the most likely address. The technology is only active if a visitor is based in the USA. If desired, Customers can implement a consent feature by requesting from DM2.0 an HTML “remove my data” button that can be provided to add to Customer’s website’s Terms of Service / Privacy Policy.
California Consumer Privacy Act (CCPA) & Data Sourcing Techniques
The technology adheres to the CCPA guidelines by adding some additional terms to Customer’s website (here’s how):
Visitor has right to know what personal data is being collected.
The data is always being refreshed and rotated out as enrichment happens so there are no permanent records. On average the data is modified every 90 days. All of the data obtained is securely stored using the latest security and encryption standards. No direct data sharing is currently allowed in the platform. What this means is that aggregate enrichment is happening on a platform level to deliver the best possible data but this data is not individualized and never is shared between multiple accounts. Sample Terms: Advanced analytics to track data are used that may help identify customer experiences, information and other visitor behavior in order to enhance the usability of the website and brand to all site visitors.
Data Deletion, Opt-Out Requests, and Do-Not-Sell Requests. Requests for deletion, opt-outs, and do-not-sell requests should be submitted to privacy@DM2.0.com.
Data Breaches. DM2.0 will notify Customers of data breaches in accordance with applicable law.
Limitation of Liability. DM2.0 is not intended for Protected Information. The maximum aggregate liability of DM2.0 for any and all claims related to the use of DM2.0 and Third-Party Platforms, including without limitation, data breaches and/or claims related to state and/or federal privacy laws, whether by Customer or a third-party, shall be limited to the total payment the applicable Customer made to DM2.0 in the preceding three (3) months from the date of the event giving rise to the claim. No claim, regardless of form, may be brought more than the shorter of one year or the period allowed by law after the cause of action has occurred.
If you have further concerns or questions, please email privacy@dm20.com, call or write us at: DirectMail2.0, LLC.
c/o Privacy & Security Dept.
600 Cleveland Street
Suite 480
Clearwater, FL 33755
800.956.4129
DirectMail2.0 Privacy and Security Policy 9/17/2024