TrustedForm Privacy Notice
Effective Date: May 19, 2023
You may have landed on this page by clicking on a link from one of our customers or partners websites or you are seeking more information about TrustedForm privacy practices and notice disclosures. This privacy notice is intended to explain how ActiveProspect, Inc (“we”or “our company’s) technology (called “TrustedForm”) is functioning when you visit webforms that use TrustedForm’s services and what data is being collected during your interaction with those webforms, how data is used, and how long it is retained.
Description
TrustedForm is a Lead certification service that independently verifies the origin of Internet Leads. It helps website owners and customers verify and document consent to assist with complying with privacy regulations as well as helping them verify that leads are authentic.
The TrustedForm service helps website owners and customers document, analyze or archive product or service registrations and the visitor interactions occurring around consent to contact notices, terms and disclosures on webpages. We help customers make more informed and compliant decisions about outreach to individuals who consent to be contacted by email, text message, phone call or postal mail.
TrustedForm works through the use of the proprietary JavaScript (“TrustedForm Certify Web SDK”) installed on a web page, a software development kit (“SDK”) (“TrustedForm Certify IOS and Android SDK”) installed within a mobile application, or application programming interface (API) requests to retrieve lead data from submissions to a Facebook Lead Ad (“TrustedForm for Facebook Lead Ads”) containing a contact request form. The TrustedForm Certify SDK, TrustedForm Certify IOS and Android SDK, and TrustedForm for Facebook Lead Ads each issue a digital certificate (“TrustedForm Certificate”) that is passed with the Lead as an additional data field. The TrustedForm Certificate includes information about the site visitor who submitted a Lead, the time of visit, and the form visited, including what was presented to the consumer.
Data Collection
TrustedForm is used to independently certify millions of consent to contact lead transactions for our customers every day. For visitors arriving on website webforms that use TrustedForm, the browser will download and run the TrustedForm script from the website shortly after arriving on the page. TrustedForm script does not use, set, save, read or rely on any browser cookie data for its services. The TrustedForm script instructs the browser to begin to share what is being presented on the screen in the DOM (Document Object Mode) framework so the TrustedForm service can recreate the exact elements on the webpage being shown on the visitors browser and all the DOM formatted interactions the visitor has on that webpage. This can include items such as window size of the webpage, the data fields requested, the formatting, the language, text, images. The TrustedForm service receives and archives the visitor’s interaction with the webpage including mouse movements on the page, letters, numbers, symbols typed into webforms. Also received is information the web browser generally shares on every web visit like date, time of visit, the web address (URL), a copy of the website’s content, ip address, browser details, computer operating system and version numbers. This standard browser data is not collected for any profiling or advertising re-identification purposes.
Technology Application
Website owners install the TrustedForm javascript or related code on mobile app, social media or lead ads where they want to document the visitor interaction, consent, notice language or data entry.
The TrustedFrom solution only runs on the specific pages where customers set it to run. The TrustedForm service is only intended to function as a way to help customers capture, document, analyze and archive webforms, mobile app or online lead ad consent-to-contact transactions.
Service Provider Position
We function as a service provider to customers that use the TrustedForm service. We operate under contracted agreements, terms of service (ToS), end user license agreements (EULA) and/or developer documentation that lays out data use allowances, data restrictions, data collection, data transfers, data ownership and data security commitments. We are not contracted to find or recruit individuals, consumers, business to business customers interested in products or services. We provide cloud base software as a service (SaaS) which customers use for data processing, data analysis, data hosting, data storage, data transfer. Data in the TrustedForm is generally customer owned, customer directed, customer actioned. ActiveProspect does retain rights to analyze and research aggregate or de-identified data for additional insights purposes for continual product functionality improvements, fraud detection, pattern recognition data analytics and insights. Our purpose and use of data is not for any larger personal data or consumer profiling or advertising re-identification purposes.
Webforms
“Webforms” are the boxes, text fields, dropdown, selection menus that you often see on websites asking you to enter your information, such as name, email and/or phone contact details or other relevant fields if you are interested in learning more about the product or service a company offers.
Webforms should always ask for and document your consent to be contacted by the company (or affiliated partners) with more information about the product or service by phone, text message, or email. “Notice”, “Consent”, “Opt-In” are foundational privacy principles and some data privacy or consumer protection laws require specific language presented during these consent to contact transactions. Often customers that utilize webforms on webpages to sell products and services presented online are often requesting contact information and related details so the interested individual can be contacted by email, phone, mailing address for further communication and allow additional information to be exchanged and requested to help determine product or service applicability. For example you will often see webforms requesting contact or other details from you on websites selling or promoting products or services for your home (home renovation, roof repair, solar panels) automobile (purchase or insurance quotes), moving or relocations services (moving companies), financial services (interest in types of loans), insurance (interest in health, home insurance quotes), education or degree certification programs, etc
TrustedForm helps document the webform data entry with notice and consent language that may have been presented during the data request and data entry transaction. Customers may implement TrustedForm on their Webforms to ensure that interested parties are provided consent to be contacted language meeting various data law requirements.
Data Processing
As Service Providers we are processing data provided by customer controlled or directed webpage sources for processing and analysis. Data provided to TrustedForm is customer owned data. We have contracts or service agreements in place which identify our data processing role and purposes. We do not process data, including personal data beyond these agreed purposes.
Data Use
Customers provide data to TrustedFrom from their controlled or directed webpages for the intended purposes of documenting and archiving consent to contact transactions as well as data analysis, fraud detection, bot detection, data entry validation. TrustedForm data is regularly used by customers to capture and archive express written consent transactions during website registrations for compliance with data regulations such as the US Telephone Consumer Protection Act (TCPA).
The data in TrustedForm is not used or processed for any online advertising, retargeting or personal data profiling purposes by ActiveProspect.
Data Retention / Data Deletion
Data submitted by individuals filling out a webform using TrustedForm is retained for a period of 90 days as standard practice to allow reasonable time for customers to validate, confirm, retain and take action upon the data. “Claiming” a TrustedForm record is the action usually evoked when a customer wants to perform a contact outreach to the individual and ActiveProspect will store the transaction documentation data for a longer period of time for legal and data regulation compliance purposes. The standard or usual period for retention of the transaction data and session replay is 5 years. Customers can request a longer or shorter period of time for data retention but this has to be configured separately. TrustedForm data not claimed in the 90 day period from receipt to submission are marked for deletion in TrustedForm.
Occasionally there are webform submissions using the TrustedForm service where a submit button action is not able to be confirmed. Also there are webform submissions that are abandoned or not fully completed or submitted with a submit web button action. Data entries that fall into either of these categories are only retained for a period of 3 days. This 3 day period is to allow time for possible reconciliation where submit button action is later confirmed or the webform completion is resumed within 3 days and moving it to the claimed data process and the standard 100 day retention period.
Data Minimization
TrustedForm factors data minimization into its data practices by limiting retention periods of potential abandoned form entries or submission uncertainty events to 3 days by default. Also by default customers have only 90 days in which to claim and archive the TrustedForm transaction data.
TrustedForm and Application Programing Interfaces (API)
TrustedForm services allow subscribed authenticated customers to request, access, query, check, lookup, compare, certain TrustedFrom data fields for compatible purposes in lead generation optimization analysis related to duplication analysis, fraud detection, and criteria analysis. APIs are used across web connected systems to allow secure, controlled, pre-defined, permissible data lookup, data exchanges (push, pull) or confirmation signals (yes, no, true, false) communicated between systems.
CCPA / CPRA California / GDPR
Under California or GRPR in Europe, TrustedForm services to customers would be classified as a “service provider” or “data processor” under CCPA / CPRA, GDPR as we are processing customer data under contracted terms and on behalf of customers.
Data Subject Requests
We will assist customers that need to perform their own CCPA, CPRA, GDPR data subject rights searches and inquiries on TrustedForm data. Our Privacy Office assists in timely research, fulfillment and response to these data subject requests.
Even though ActiveProspect or TrustedForm is not interfacing with consumers or collecting data on behalf of customers, our privacy office will promptly research and respond to data subject requests. Our email address is [email protected] or by phone 1-512-361-1014.
If an individual contacts us about a data subject request we have procedures in place to search our systems for this data. If this data is still available and can be located and attributed to an individual or customer, we contact the customer contact and/or company legal compliance function informing them of the data subject request, any data we may have and request instructions for action they would like to take on the data.
Personal Data Subject requests in which we are the business or data controller like HR data, recruiting data or marketing data we review and research in similar manor and promptly respond back to the individual informing them of our findings and actions taken on personal data.
Sale Position in CCPA, CPRA, GDPR
ActiveProspect TrustedForm does not sell website webform data or personal data to other parties. We are a service provider processing customer owned or customer directed data under contracted terms and on behalf of customers. We do not sell consent to contact transaction personal data to third parties for any other marketing purposes including online behavioral cross-context behavioral advertising or targeted advertising. TrustedForm’s data intended is used for consent to contact transaction documentation and related data analysis use purposes only.
GPC Global Privacy Control and DNT Do Not Track Response Position
The TrustedForm is run on customer controlled website webform pages and works to operate and function under the same website technical privacy controls or do not track browser responses that the customer enables and allows on their website / domain. Generally it would not respond or action upon a browsers DNT Do Not Track request or flag. TrustedForm data collection and use is not for cross site or online behavioral advertising purposes.
Security
We take responsible and reasonable steps to ensure that your data is treated securely and in accordance with this privacy policy. All information you provide to us is stored on securely monitored servers. We limit access to the information by our own employees, contractors, site service providers and those individuals who are authorized for the proper handling of such information. We request that our third party contractors and site service providers follow similar standards of security and confidentiality. More information about our security controls can be reviewed on our Security Portal at security.activeprospect.com.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will take reasonable steps to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Encryption
TrustedForm website webform data is encrypted in transit using TLSv1.2 (minimum). Data is also encrypted at rest in AWS using AES-256 bit encryption.
Hashing
TrustedForm also performs a combined one way hash on email and phone number data fields to help enable two party match and verification controls before unlocking full data record fields for analysis .
Sensitive Data Field Flagging
TrustedForm should not be used for sensitive data analysis or collection including HIPAA Protected Health Information or credit card details, or government identification numbers. TrustedForm also has built in controls that allow customers to flag individual webform data fields that they do not want to transmit, stored or viewable in TrustedForm. If there are sensitive data fields that customers need to include for their purposes on their webforms, these fields can be configured in advance during the TrustedForm setup and sensitive data fields will not be transmitted to TrustedForm and replaced with ** characters in session replay and log of events. This feature is called Sensitive Data Field Flagging and setting of this flag is determined by customers.
Data Obfuscation
In a session replay, any data field with the Sensitive Data Field Flagging feature enabled play back with ****** marks over the data fields for visual reference these sensitive data fields are flagged, not visible and not saved in TrustedForm.
SOC2 Security Controls and External Audits
ActiveProspect attests to a series of security and internal controls continuously monitored throughout the year and independently audited to our SOC2 controls once a year. If you would like to see our security controls, policy procedures outlined please view our Security Portal at security.activeprospect.com/
For more information about our SOC2 and what it means please see activeprospect.com/blog/activeprospect-successfully-completes-soc-2-type-ii-security-audit/
Security Penetration Testing
The ActiveProspect services are continuously monitored for security events and vulnerabilities. We also have a security Penetration Test at least once a year. Pen test involve independent security professionals who scan our application looking for weaknesses and ways to access the application or data. Findings are shared in a detailed report and we work to promptly address and resolve findings from the penetration tests.
Changes to Our Privacy Notice
We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date.
ActiveProspect
You can also visit the ActiveProspect.com website for information about our company, products and services as well as our Privacy Policy activeprospect.com/privacy-policy/ for information about our company and website privacy practice.
Contact Information
If you have any questions or comments about this notice, the ways in which ActiveProspect collects and uses information described here and in the Privacy Policy, choices and rights regarding such use, or wish to exercise rights under European, California or other US State Laws law, please contact us at:
Email: [email protected] Privacy Office Phone: 512-361-1014
Mailing Address: ActiveProspect, Inc, P.O. Box 151136, Austin, TX 78715