Company

Data Privacy Framework

EU-US Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF Statement

Innodata Inc., including its subsidiaries referenced below, (collectively “Innodata”) complies with the EU-US Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the United States Department of Commerce. Innodata has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  The Federal Trade Commission has jurisdiction over Innodata’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit: https://www.dataprivacyframework.gov/.

Definitions

The following definitions apply for purposes of this Privacy Statement:

“Affiliate” means a legal entity that controls, is controlled by, or is under common control with Innodata Inc., but only while that control relationship exists; “control” means the direct or indirect ownership or control of 50% or more of the stock or other equity interest entitled to vote for the election of directors or equivalent governing body.

“Personal Data” means data received by Innodata in any form or medium (i.e., electronic, paper, etc.) that either identifies an individual, or can be used to identify an individual.

“Principles” means the EU-U.S. DPF Principles.

“Sensitive Data” means Personal Data that specifies medical or health conditions, personal sexuality, racial or ethnic origin, political opinions, religious, ideological or trade union-related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions (which are treated outside pending proceedings).

Scope

This Privacy Statement applies only to Personal Data, other than Human Resources Data, transferred pursuant to the Data Privacy Framework (DPF) program. All such Personal Data is subject to the Principles. “Human Resources Data” refers to Personal Data about employees, past or present, collected in the context of the employment relationship. Our privacy policy dealing with Human Resources Data is entitled “Innodata Employee Data Privacy Policy” and is available to employees on our organization’s intranet, via email distribution or by such other means as Innodata may deem reasonable.

Please note, except as set forth herein, Innodata generally provides services to entities that involve the processing of data on the entities’ behalf. Accordingly, when Innodata acts in such a capacity, it is acting as an agent and/or on behalf of the customer entity, and the customer entity, rather than Innodata, owns and/or controls the Personal Data. Therefore, to the extent Innodata receives Personal Data from a customer entity in this context, it is relying on the customer entity’s compliance with any applicable law governing the privacy and security of Personal Data with respect to the manner in which the Personal Data has been collected from individuals by the customer entity and the uses or disclosures of the Personal Data that are permitted or required to be made pursuant to law or the contract with the customer entity. Any distinction in this Privacy Statement with respect to the applicability of a standard when Innodata is acting as an agent and/or on behalf of a customer entity is noted below.

Types of Personal Data Collected

Innodata collects Personal Data from individuals who visit our public and customer-facing websites (“EU or UK Website Visitors”), and from certain corporate customers, suppliers and business partners in connection with the services we provide (“EU or UK Business Contacts”). Innodata also collects from time to time Personal Data available on public websites or directly from other third-parties relevant to products and services offered by Innodata (“EU or UK Third-Parties”).

The following types of Personal Data may be collected by Innodata from EU or UK Website Visitors, Business Contacts and Third-Parties:

  • company information;
  • activities, interactions, preferences, and other computer and connection information (such as IP addresses) relating to the use of our websites and services;
  • cookies and information collected by similar technologies that gather statistical data on how users use our websites;
  • images, photographs and voice recordings
  • names, addresses and usernames in connection with the services we provide;
  • resume and applicant information for those applying to job openings;
  • contact information; and
  • financial and billing information.

Purposes of Collection and Use

Innodata collects and uses Personal Data of EU or UK Website Visitors, Business Contacts and Third-Parties as permitted by law, including for the following purposes:

  • to provide products and services as well as support to our customers;
  • to personalize our customers’ experience with Innodata;
  • to keep our customers informed of our products and services that may be of interest;
  • to gather demographic data and aggregate such data for trends and statistical purposes;
  • to communicate with corporate suppliers and business partners about business matters; and
  • to invoice, collect and remit payments to EU Business Contacts.

We reserve the right to transfer and/or sell aggregate data collected as indicated above for lawful purposes.

How We Share Personal Data We Collect

Innodata may share Personal Data collected about individuals or companies in the EU or UK with third-parties only in the ways that are described in this Privacy Statement or as otherwise permitted by applicable law. We may share your Personal Data with our Affiliates, subsidiaries, and contractors. We also sometimes hire other companies to provide certain business related functions (“Service Providers”). These Service Providers have access to Personal Data as necessary to provide their respective services to us.

We also may disclose Personal Data: (a) in response to a lawful request by public authorities, such as to comply with a subpoena, or similar legal process, including to meet national security or law enforcement requirements; (b) under a good faith belief that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud or respond to a government request; (c) in connection with a corporate sale, merger, reorganization, dissolution or similar event (in this case, Personal Data may be a part of assets transferred from our company to the acquiring company); and (d) to any third-party as set forth herein or with your prior consent to do so.

Notice:

In the event Innodata collects Personal Data directly from individuals in the EU or UK it shall inform the individuals of (i) the purpose for which it collects and uses the Personal Data; (ii) the types of third parties to which Innodata discloses or may disclose the Personal Data; (iii) the choices and means Innodata offers individuals for limiting the use and/or disclosure of the Personal Data; and (iv) how to contact Innodata with any inquiries or complaints concerning the use or disclosure of the Personal Data. Innodata shall provide this notice in clear and conspicuous language when the individuals are first asked to provide the Personal Data to Innodata or as soon thereafter as is practicable, but in any event before Innodata uses such information for a purpose other than that for which it was originally collected.

In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.

Innodata may collect or receive Personal Data from individuals, such as employees of its customers, in the course of providing or prospecting its services to its customers, and Innodata may use and/or disclose such information in furtherance of providing or prospecting its services or for purposes of Innodata’s business operations.

Choice:

In the event Innodata collects Personal Data directly from individuals in the EU or UK, and unless an exception applies, it shall offer the individuals the opportunity to choose (opt-out) as to whether their Personal Data is (i) to be disclosed to a third-party (see “Onward Transfer” section below); or (ii) to be used for a purpose other than the purpose for which the Personal Data was originally collected or subsequently authorized by the individuals. For Sensitive Data Innodata collects directly from individuals in the EU or UK, and unless an exception applies, Innodata will provide individuals the opportunity to affirmatively or explicitly consent (opt-in) to the disclosure of the Sensitive Data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individuals.

In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data or Sensitive Data directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity. Innodata shall treat information as Sensitive Data where it receives the information from a third party and the third-party treats and identifies the information as Sensitive Data.

Onward Transfer:

In the event Innodata collects Personal Data directly from individuals in the EU or UK, in order to disclose such Personal Data to a non-Affiliate third-party, Innodata will apply the “Notice” and “Choice” principles described above. Where Innodata wishes to transfer such Personal Data from the EU or UK to a non-Affiliate third-party, unless an exception applies, it will (i) ensure that the third-party is contractually obligated to process the subject Personal Data only for limited, specific purposes consistent with the consent provided by the individual; and (ii) ensure that the third-party recipient provides at least the same level of privacy protection as is required by the relevant Principles and notify Innodata if it makes a determination that it can no longer meet this obligation. Innodata may potentially be liable if these requirements are not met.

In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Information directly from the individual who is the subject of the information, it will use or disclose such information only to the extent permitted or required by law or the customer entity pursuant to the contract with the customer entity.

Security:

Innodata shall take reasonable precautions to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity:

Innodata only processes Personal Information that is relevant to the products and services it provides and only for purposes compatible with those for which the Personal Data was collected, received, or otherwise authorized. To the extent necessary for such purposes, Innodata shall take reasonable steps to do either of the following: (i) where Innodata receives Personal Data directly from an individual, ensure that the Personal Data is accurate, complete and current, and is reliable for its intended use; or (ii) where Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from an individual, notify the customer entity of any potential data integrity concerns known to Innodata.

Innodata will retain Personal Information for as long as it continues to serve the purposes for which it was collected, received, or otherwise obtained.

Access:

In the event Innodata collects Personal Data directly from individuals in the EU or UK, Innodata shall allow individuals access to their Personal Data and permit individuals to correct, amend or delete inaccurate information, unless an exception applies, such as where the burden or expense of providing such access would be disproportionate to the risks to the privacy of the individuals in the case in question or where the rights of persons other than the individuals would be violated.

In the event Innodata is acting as an agent and/or on behalf of a customer entity and does not receive Personal Data directly from the individual who is the subject of the information, it will cooperate with the customer entity and take any reasonable steps necessary to allow the customer entity to provide any requested access to the individual in accordance with the contract with the customer entity.

Recourse:

Innodata uses a self-assessment approach to assure compliance with this Privacy Statement and periodically verifies that this Privacy Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in adherence to the Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Innodata commits to resolve DPF Principles-related concerns about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Innodata using the contact information provided below, in which case Innodata will investigate and attempt to internally resolve any complaints and disputes regarding the use and disclosure of Personal Information within forty-five (45) days of an inquiry or complaint.

If you are an individual in the EU or UK and have utilized Innodata’s internal dispute resolution process, but your complaint or dispute remains unresolved, Innodata is committed to utilizing the independent dispute resolution process of the International Centre for Dispute Resolution/American Arbitration Association (ICDR/AAA) based in the United States with respect to all unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF (except complaints regarding Human Resources Data). If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please contact the ICDR/AAA (free of charge) at https://go.adr.org/dpf_irm.html for more information on how to file a complaint. Note that in some limited cases with respect to compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, you may be able to invoke binding arbitration for complaints regarding EU-U.S. DPF and the UK Extension to the EU-U.S. DPF compliance not resolved by any of the other EU-U.S. DPF or the UK Extension to the EU-U.S. DPF mechanisms. For further information please see  https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2.

Amendments

Innodata reserves the right to change this Data Privacy Framework Statement from time to time consistent with the Principles as well as applicable law. Innodata will post any revised policy on this website.

Contact Information

Questions, requests, comments or complaints regarding this Data Privacy Framework Statement can be mailed or emailed to:

Innodata Inc.
Office of General Counsel
55 Challenger Road, Suite 202
Ridgefield Park, New Jersey 07660
legal@innodata.com

Innodata Subsidiaries also adhering to this Privacy Statement:

  • Innodata Synodex, LLC
  • Agility PR Solutions LLC
  • Bulldog Reporter LLC
  • Innodata docGenix, LLC
  • Innodata Services, LLC

Last Updated: August 15, 2024