We, Piano Software Inc., Philadelphia, US and affiliated companies belonging to Piano group (collectively, “Piano”, “we”, “us”, “our”, or “we”), formerly known as Piano Media, Press Plus and Tinypass and now incorporating Newzmate, Cxense and AT Internet are committed, as data processor, to partnering with customers and users to help them understand and comply with data protection regulations (GDPR, ePrivacy, CCPA, LGPD …).
Piano provides online products for digital activities, as well as potential additional services on behalf, and based on instructions of the data controller, owners, and publishers of digital platforms – websites, mobile applications, or any other connected platform (“Publishers”).
We collect, process and store personal data and other information through our products – Composer , Analytics , DMP , VX , ID and ESP (“Platform”), or when providing our service to Publishers (“Service”). .
To provide the Platform and/or perform the Service, Piano collect, process and store data on behalf of the Publisher. The answers to the following questions allow us to explain how we manage personal data on the Platform.
Raw ID-type information: for instance, the user-terminal ID (cookie or mobile ID), that is transformed in a hashed visitor ID, or the IP address, that can be anonymized, to perform geolocation for instance
All standard business information provided by the products of the Platform: for instance, navigation data (browser and device type, type of events or content, …), behavior information (sources, navigation path, time spent on contents, …), information related to registered or subscribed users (first name, last name, email, …)
Additional and specific information that the Publisher can collect: based on the technology used to collect data (see following “How do we collect personal data?”), the Publisher can measure, collect, and analyze any business relevant information for him via our Platform
Composer, Analytics, and DMP collect by default pseudonymized information, but directly identifiable information can be added by the Publisher. VX, ID and ESP services are working with directly identifiable information.
We therefore consider by default all data collected, processed, and stored via our Platform as personal data according to GDPR art. 4.1.
We process the collected data to provide the information requested by the Publisher on the Platform: audience measurement data, content orchestration, account management, subscription processes, …
As data processor, and respecting the terms of contracts and the data processing agreement (DPA) signed with the Publisher acting as data controller, we do not:
Sell personal data to anyone;
Monetize personal data by other means;
Claim ownership over personal data;
Barter personal data for other services or products.
We do not knowingly process personal data relating to children less than 13 years of age (or 16 if the age of consent is higher in a particular country) or permit Publishers to provide us with such data. If we become aware that a Publisher has provided us with any personal data of children, we delete such data from our databases.
We do not knowingly process sensitive or special categories of personal data as defined in article 9 of the GDPR.
When a user/data subject visit a Publisher platform, and according to the legal basis chosen by the Publisher (see Purpose of Processing and Legal Basis below), https requests are sent to Piano servers to perform the service requested by the Publisher.
Depending on the product of the Platform, or regarding specific legal obligation to perform (e.g., for payment with VX), the data retention period can be different and always agreed in the contract with the Publisher acting as data controller. Analytics, for instance, has a predefined data retention period of 25 months with the opportunity for the Publisher to customize it.
For all products, all data is deleted at the end of the contract relationship with the Publisher.
Depending on the product used by the Publisher, the data collected from the end-user can be stored in different places. Please see the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below, to see where the data is stored/hosted.
We, by default, do not share any data to anyone without the Publisher prior approval.
We, however, may share personal data, with all the adequate technical and organizational measures to protect it, in the following cases:
Intragroup: Only if necessary and for specific purposes, we may share personal data within affiliated companies belonging to Piano group (see Sub-processors and Affiliates below). Our employees might have access to personal data on a strictly need-to-know basis typically governed and limited by function, role, and department of the particular employee. All affiliated companies belonging to Piano group concluded an intra-group data processing agreement (DPA) with EU Standard Contractual Clauses.
Service providers: We use sub-contractors who might process personal data for us and to support us in providing the Platform and Services requested by the Publisher (see Sub-processors and Affiliates below).
Piano never had to disclose any personal data for legal purposes so far.
To provide the products of the Platform, Piano is using trackers, especially cookies on standard websites, or mobile IDs on native applications. Local storage, server-to-server request, clear gifs, pixel tags, web beacons or other similar technologies may also be used in some cases.
You can access some information about the trackers used on and across all products (Composer, VX, ID, ESP, DMP, Analytics) under to the following link:
Users can control the use of trackers on their devices via the following means:
Use the opt-out mechanism on the dedicated online platform provided by the Publisher
Use the device appropriate configuration (browser or cellphone Operating System – Apple or Android mainly – settings)
Our third-party partners may also use tracker, cookies, or similar technologies, to provide users advertising based upon user´s browsing activities and interests. Users can opt out of interest-based advertising click here , or if located in the EEA click here .
Publishers can use the Piano Platform and the associated Services for the following main purposes:
Understand the audience
Engage the audience
Monetize the online platform
Based on the main purposes observed in the digital marketing world, the following table synthesized for each purpose, what Piano product is by default aimed for, and what is the by default legal basis for seen on our side for this purpose:
|Audience and Analytics||Analytics, DMP||Consent under GPDR or Exemption under ePrivacy|
|Content Personalization or Performance||Composer, ESP||Consent under GDPR|
|Advertising (personalized or not)||DMP||Consent under GDPR|
|“One to one relationship” (account management, subscription, newsletter, …)||VX, ID, ESP||Consent or Contract under GDPR|
IMPORTANT: as a data controller, the Publisher can decide to use one or several products of the Platform for other purposes that the one foreseen originally, as well as to choose whatever legal basis he interprets to be the best in his specific case.
Each Publisher signs a data processing agreement (DPA) with Piano to formalize these purposes and associated responsibilities.
Depending on the products of the Platform used by the Publisher, as well as the potential additional services requested by him, data may be transferred outside of original country where the data has been collected.
Please see the hosting option by product within the Piano Sub-Processors’ table in the Sub-processors and Affiliates paragraph below, as well as the ‘Do we share personal data?’ part of the Personal Data Management on the Platform above.
To meet with European requirements under the GDPR in terms of data transfers, Piano uses the following mechanisms:
EU Standard Contractual Clauses (SCC) through the data processing agreement (DPA) signed with the Publisher as well as with sub-processors;
Binding Corporate Rules (BCRs) approved for both controller and processors transfers;
Additional technical measures as encryption, pseudonymization or anonymization of the data.
To meet the guidelines of the PIPEDA in the applicable Canadian provincial legislation, Piano recognizes and has controls in place to ensure that the privacy of personal information about an “identifiable individual” used in the course of “commercial activity” is protected and managed in the appropriate way.
Check the adequacy decisions under the GDPR, as well as the data protection around the world here .
The GDPR, as many privacy laws around the word, empower data subject rights on its personal data. Piano’s Platform enable Publishers to apply these rights to what is applicable regarding the data collected for their purposes (see Purpose of Processing and Legal Basis above).
The following table list all the main applicable rights regarding online data that and end-user can request to Publishers, and where Piano provide standard solutions to these Publishers.
|Data Subject Right||Product||Mean|
|Access||All||Via a request to the Publisher’s DPO|
|Rectification||DMP, VX, ID, ESP||Via a request to the Publisher’s DPO|
|Erasure||All||Via a request to the Publisher’s DPO|
|Portability||All||Via a request to the Publisher’s DPO|
|Object||All||Via opt-out mechanism provided by the Publisher|
Piano’s data protection team is able to support the process of applying a data subject right.
Please contact firstname.lastname@example.org, or any other communication channel listed in Data Protection Officer and Point of Contact below, for any further information.
Piano maintains an incident response plan which governs the communication and process in the case of a data breach. Contractually this is covered between Piano and all Publishers, in the Master Service Agreement.
Piano security measures by pseudonymization and encryption of personal data; maintaining a detailed DRP to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services which in turn allows Piano to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. Piano maintains a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
For more information visit our Security documentation .
To support delivery of our Platform, we may engage and use data processors with access to certain Publisher’s Customer Data (“Sub-processor”).
The following table provides information about the identity, location, and role of core Sub-processors necessary to provide products of our platform:
|Entity name||Sub-processing activities||Entity (hosting) country||Products|
|Amazon Web Services, Inc.*||Cloud Service Provider||USA (hosting option in the EU, US, Australia, and Japan)||Composer, VX, ID, ESP, Analytics (EU), SocialFlow|
|Braintree||Payment Provider||United States||Composer, VX, ID|
|Google Inc.||Cloud Service Provider (for logs only)||United States||Composer, VX, ID, ESP|
|Hetzner Online GmbH||Data center provider||Germany||DMP|
|Microsoft Azure||Cloud Service Provider (Operations)||United States (hosting EU, US, Japan)||ESP, DMP|
|Packet Host, Inc.||Data center provider||United States||DMP|
|Snowflake Computing, Inc.||Data platform solution||USA (hosted in the EU)||Analytics|
|SoftLayer Technologies, Inc. (IBM Cloud)||Data center provider||United States||DMP|
* AWS is certified for following the CISPE code of conduct endorsed by the EDPB .
Piano may use the following Sub-processors to perform other services around the Platform:
|Entity name||Sub-processing activities||Entity country||Products|
|Agent Infinity, Inc.||Global technical support team||Philippines||All|
|Alchemer||Survey Collection for Strategic Consulting||United States||Composer, VX, ID for Strategic Services clients only|
|Enreach Solutions Oy||Data segmentation provider||Finland||DMP|
|Google Inc.||Cloud Service Provider||United States||Composer, VX, ID|
|Google Inc.||Analytics and reporting||United States||SocialFlow|
|Google Ireland, Ltd.||Data backup storage||Ireland||DMP|
|MailChimp, Rocket Science Group||Cloud-based Email Notification Services||United States||VX|
|Mailgun Technologies, Inc||Cloud-based Email Notification Services||United States||ESP|
|Mode Analytics||Analytics Visualizations||United States||Composer, VX, ID|
|Salesforce.com France SAS||B2B Marketing automation (marketing & product communications to prospects and customers)||United States||Analytics|
|Zendesk, Inc.||Cloud-based Customer Support Services||United States||Composer, VX, ID, ESP, DMP, Analytics, SocialFlow|
|TextRazor||Link text analysis||United Kingdom||SocialFlow|
|Twilio||SMS for OTP codes||United States||SocialFlow|
|Sailthru||Transactional Email||United States||SocialFlow|
|Intercom||In-App communications||United States||SocialFlow|
|Sentry||Error reporting||United States||SocialFlow|
|WPEngine||Marketing site hosting||United Kingdom||SocialFlow|
Prior engaging any third-party Sub-processor, Piano performs diligence to evaluate their privacy, security, and confidentiality practices, and executes an agreement implementing its applicable obligations.
Piano has offices located around the globe who, depending on the Service required by the Publisher, may process its data:
|Entity name||Entity country (EU transfer mechanism)|
|Applied Technologies Internet GmbH||Germany (EU)|
|Applied Technologies Internet SAS||France (EU)|
|AT Internet LTD||United Kingdom (adequate third country based on Commission Adequacy Decision )|
|Cxense Finland Oy||Finland (EU)|
|Cxense Holdings||United States (BCR)|
|Cxense, Inc.||United States (BCR)|
|Newzmate Sp. z o.o.||Poland (EU)|
|Piano Software B.V.||Netherlands (EU)|
|Piano Software, Inc.||United States (BCR)|
|Piano Software GmbH||Germany (EU)|
|Piano Co. Ltd.||Japan (adequate third country based on Commission Adequacy Decision )|
|Piano Software Norway NUF||Norway (EEA)|
|Piano Software Singapore PTE LTD||Singapore (BCR)|
|Piano Software, s.r.o.||Slovakia (EU)|
|SocialFlow, Inc.||United States|
Piano affiliates don’t have automatic access to all Platform data. The access of Platform data is managed and strictly limited to what is necessary. BCR details are available here.
Mail: Attn: Piano Software Group DPO
Bratislava, 811 05
For specific request by legal authorities, courts, government agencies, or parties involved in litigation for customer data, disclosures should include the following information:
The requesting party;
The relevant criminal or civil matter;
A description of the specific Publisher’s data being requested, including the relevant Publisher’s name and relevant authorized user’s name (if applicable).
Requests should be prepared and served in accordance with applicable law. All requests should be narrow and focused on the specific customer data sought. All requests will be construed narrowly by Piano, so please do not submit unnecessarily broad requests.
Piano will notify the Publisher before disclosing any of its data so that the Publisher may seek protection from such disclosure unless Piano is prohibited from doing so or there is a clear indication of illegal conduct or risk of harm to people or property associated with the use of such Publisher’s data.
If you need information about previous wording of both documents, please visit following references:
GDPR – Effective from Jan 29, 2021
GDPR – Effective from Dec 1, 2020
GDPR – Effective from Jun 24, 2020
GDPR – Effective from Apr 01, 2019
GDPR – Effective from Feb 15, 2019
Notifications should be sent to the following:
Piano Software, Inc.
Attn: Stuart Ashford
111 S Independence Mall East, Suite 950
Philadelphia, PA 19106