Last Updated: October 1, 2020
Overview of Privacy Practices
Categories of Personal Information Collected. Generally, we collect the following types of personal information:
- Identifiers: includes direct identifiers, such as name, alias, user ID, username or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers; tax ID and other government identifiers; and other unique identifiers.
- Customer Records: includes personal information, such as name, account name, user ID, contact information, employment information, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services. For example, this may include information collected when an individual register for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.
- Commercial Information: includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.
- Usage Data: includes browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual's interaction with our websites, mobile apps, and our marketing emails and online ads.
- Audio, Video and Electronic Data: includes audio, electronic, visual, thermal, olfactory, or similar information such as, thermal screenings and CCTV footage (e.g., collected from visitors to our premises), photographs and images (e.g., that you provide us or post to your profile) and call recordings (e.g., of customer support calls).
- Education Information: includes information you provide us or post to your profile about your education history.
- Professional Information: includes professional and employment-related information such as current and former employer(s) and position(s), business contact information and professional memberships.
- Inferences: includes inferences drawn from other personal information that we collect to create a profile reflecting an individual's preferences, characteristics, predispositions, behaviour, attitudes, intelligence, abilities or aptitudes. For example, we may analyse personal information in order to identify the offers and information that may be most relevant to customers, so that we can better reach them with relevant offers and ads.
Use of Personal Information. In general, we may use and disclose the personal information we collect for the following business and commercial purposes:
- Providing and supporting our services
- Supporting collaboration, networking, and projects
- Communicating with you
- Marketing and advertising
- Personalizing content and experiences
- Analysing and improving our services
- Protecting 99designs, you, and others
- Complying with legal obligations
- In support of our general business operations
California residents : If you are a California resident, please refer to the Additional Information for California Residents section below for important information about the categories of personal information we collect and disclose, as well as your rights under California privacy laws.
What personal information we collect and when and why we use it
In this section you can find out more about:
- The types of personal information we collect;
- When we collect personal information;
- The different kinds of personal information we collect for certain services we offer;
- How we use personal information;
- The legal basis for using personal information; and
- The collection of personal information from children.
Personal information we collect and use if you register to use or use one of our websites or services
Personal information that may be collected directly from you if you register to use or use one of our websites or services includes name, contact details, organization name and details, your own domain name, IP address, professional qualifications and billing details including credit card details.
We may also collect personal information such as IP address, device information and log information by using cookies. If you are a designer using our services, we will store the information on the profile you create and the content you choose to make available to other users, such as participation statistics, design concepts, design templates, service offerings, and messages and testimonials. We may also share this information with our third-party partners, including operators of other websites and platforms that choose to integrate our services into their websites and platforms, as part of providing services to you. We may also collect your tax information and information to verify your identity (passport, ID card or driver's license information).
If you are a customer using our services, we will store the information on the profile you create and the content you choose to make available to other users, such as design briefs, design contests, design concepts, and messages and testimonials.
We may process account behaviour for security purposes only to protect you from spam messages and to improve identification of spam and fraudulent activity.
We may also collect your personal information where you request information or materials from us, participate in surveys or polls, subscribe to our mailing list or join our social media pages. This information will typically be your name and email address, together with other information needed to respond to the particular campaign or your enquiry.
We also collect information about your marketing preferences including interests/marketing list assignments, record of permissions or marketing objections and website data.
Additionally, when you choose to provide a testimonial, we may use your testimonial for marketing purposes. If we offer a referral service from time to time and one of our users utilizes that referral service to tell a friend about our website, we will collect your name and email address from that user to send you a one-time email inviting you to visit our site. We store this information for the sole purpose of sending the one-time email and tracking the success of our referral program. You may contact us to remove this information from our database.
If you apply for a job with us, we collect information such as your contact details and the information you submit in your application and CV.
When we collect information
We collect information about you if you register with or use one of our websites or online services, purchase or use one of our services, contact us or work with us as a business partner.
We may collect information about you indirectly from other sources and combine that with information we collect through our services where this is necessary to help manage our relationship with you. These other sources may include third party software applications and social media platforms such as Facebook, Google+ and Twitter.
How we use the personal information we collect
In general, we use and disclose personal information for the following business and commercial purposes:
- Providing and supporting our Services: we use personal information to provide and support our services, including to:
- provide you with our services and to maintain, manage, promote and improve our services;
- verify the identity of our designers;
- provide a professional work environment;
- enable you to access and use our services, including uploading, downloading, collaborating on and sharing content; and
- provide you with support including technical support and troubleshooting for example, to reset your password.
- Supporting collaboration, networking, and projects: we use personal information in order to enable collaboration and networking, and connect customers with designers, including to:
- enable you to communicate, collaborate and share content with users you designate; and
- enable users to connect with designers, submit projects and receive bids for design services and to otherwise connect users and designers or other providers.
- Communicating with you: to communicate with you about the services, including to:
- send you notifications when you receive new messages;
- provide you with information about the services and features;
- administer surveys and questionnaires about the services; and
- respond to your inquiries and requests.
- Marketing and advertising: to support our marketing and advertising activities, including to:
- contact you to let you know about updates to our services or information we feel may be of interest to you (see more in the "Direct marketing, profiling and analytics" section below)
- better reach you with more relevant ads (both on our websites and on third-party websites); and
- measure and improve our advertising and marketing campaigns.
- Personalizing content and experiences: to tailor the content you see in order to provide content, features, and information that match your interests and preferences, to offer location customization and personalized help and instructions and to otherwise personalize your experiences.
- Analysing and improving our services: to better understand how users access and use our services, for other research and analytical purposes, such as to evaluate and improve our services and business operations, develop new features, products, or services, and to otherwise improve our services and user experiences.
- Protecting 99designs, you and others: to protect our business and secure our network and information technology, assets and the services, including to:
- prevent and detect fraud, unauthorized activities, access and other misconduct
- as necessary to defend our legal interests and rights protect you and conduct security investigations and fraud analysis (including to help us flag spam messages and to prevent unauthorized access to our services).
Complying with legal obligations: to comply with the law or legal proceedings; For example, we may disclose information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements. We also use your personal information for data analytics, particularly to understand how you use our services. We use aggregated information derived from the use of our services to provide 99designs with information on usage trends and product insight. This aggregated information is used to improve 99designs' services and products only.
Legal basis for using your personal information under GDPR and other relevant laws
Certain laws, including the General Data Protection Regulation (GDPR), UK Data Protection Act, and the Brazilian General Data Protection Act (LGPD), require that we inform you of the legal bases for our processing of your personal information. Pursuant to the GDPR (and other similar relevant laws, including the LGPD and the UK Data Protection Act), we may process personal information for the following legal bases:
- Performance of contract: processing of your personal information which is required for us to perform obligations or exercise rights under contracts that you may have with us (for example, if you use our services).
- Compliance with laws: to comply with our legal obligations (for example, maintaining information in accordance with tax, audit, or company law requirements and responding to legal process).
- Our legitimate business interests: in furtherance of our legitimate business interests including:
- to facilitate your participation in interactive features you may choose to use on our websites and services and to personalize your experience with the services by presenting content tailored to you.
- to correspond with you, notify you of events or changes to our services, or otherwise respond to your queries and requests for information, which may include marketing to you.
- to send you advertising material via email, such as surveys and promotions (except where consent is required under applicable laws).
- to provide and personalize the services.
- for data analysis, audits, fraud monitoring and prevention, and developing new products, enhancing, improving or modifying our websites, identifying usage trends, determining the effectiveness of our promotional campaigns and operating and expanding our business activities.
- to protect and defend our legal rights and interests and those of third parties.
Our services are not offered to persons under the age of 16 years old and we will not knowingly collect any personal data about children under 16 years old.
Sharing personal information with others
In this section you can find out more about how we share personal information:
- within 99designs;
- With third parties that help us provide our products and services; and
- With government organizations and agencies, law enforcement and regulators.
We may also share your personal information in the manner and for the purposes described below:
- With other companies within the 99designs group where such disclosure is necessary to provide you with our products or and services, including technical support or to manage our business. You can get a list of our group entities by contacting us;
- With third parties that operate other websites and platforms and who choose to integrate our services into their websites and platforms. They use your personal information to the extent required as part of integrating our services into their websites and platforms;
- Where you direct us as part of the services we are providing to share your personal information with another user or to a third-party service provider in order to integrate our services with a service that they may provide, for example with a third-party printing partner, website builder or web development service provider so that they can provide you with a quote or service;
- With government organizations and agencies, law enforcement, regulators to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
- With credit reference agencies and organizations working to prevent fraud in financial services and spam activities;
- If, in the future, we sell or transfer some or all of our business or assets to a third party, we may disclose information to a potential or actual third-party purchaser of our business or assets; and
- We may share in aggregate, statistical form, non-personal information regarding the visitors to our website, traffic patterns, and website usage with our partners, affiliates, or advertisers.
Direct marketing, profiling and analytics
In this section you can find out more about:
- How we use personal information to keep you up to date with our products and services;
- How you can manage your marketing preferences;
- When and how we undertake profiling and analytics; and
- When and how we carry out automated decision making.
How we use personal information to keep you up to date with our products and services
We may use your personal information to let you know about our services or related services that we believe will be of interest to you. We may contact you by email or through other communication channels that we think you may find helpful. In most cases our processing of your personal information for marketing purposes is based on our legitimate interests, although in some cases (such as where required by law or where we use or process any of your Sensitive Personal Data (as defined under the GDPR)) it may be based on your explicit consent. In all cases, we will respect your preferences for how you would like us to manage marketing activity with you.
How you can manage your marketing preferences
To protect your privacy rights and to ensure you have control over how we manage marketing with you:
- We will take steps to limit direct marketing to a reasonable and proportionate level and only send you communications which we believe may be of interest or relevance to you;
- You can ask us to stop direct marketing at any time - you can ask us to stop sending email marketing, by following the "unsubscribe" or opt-out links in electronic communications or by adjusting your marketing preferences from within your online account. Alternatively, you can contact us; and
- You can change the way your browser manages cookies, which may be used to deliver online advertising, by following the settings on your browser as explained below.
We recommend you routinely review the privacy notices and preference settings that are available to you on any social media platforms as well as your preferences within your account with us.
When and how we undertake profiling and analytics
We undertake profiling to lock stolen accounts or accounts that are used for spamming/fraud.
If you have signed up to receive marketing updates, we may use profiling to ensure that marketing materials are tailored to your preferences and to what we think you will be interested in. This does not have any significant effect or a legal effect on you.
A cookie is a small text file containing small amounts of information which is downloaded to / stored on your computer (or other internet enabled devices, such as a smartphone or tablet) when you visit a website.
Transferring personal information globally
In this section you can find out more about:
- How we operate as a global business and transfer data internationally; and
- The arrangements we have in place to protect your personal information if we transfer it overseas.
Your personal information may be disclosed, transferred to or processed outside of your country of residence. If you are an individual in Australia this may include the United States of America, Germany, the Philippines and Brazil, where it will be subject to the laws of the country to which it is transferred. These jurisdictions may not have an equivalent level of data protection laws as those in your country.
EU/UK individuals - If you are an individual based in or a resident of the European Union or the United Kingdom, your personal information may be processed outside of the European Union, in countries such as the United States of America, Australia, Brazil and the Philippines that are subject to different standards of data protection.
We will take appropriate steps ensure that transfers of personal information are in accordance with applicable law and carefully managed to protect your privacy rights and interests and transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangement are in place to protect your privacy rights. To this end:
- We ensure transfers within 99designs' group of companies will be covered by an agreement entered into by members of 99designs' group of companies (an intra-group agreement) which contractually obliges each member to ensure that personal information receives an adequate and consistent level of protection wherever it is transferred within 99designs' group of companies;
- Where we transfer your personal information outside of our group of companies or to third parties who help provide our services (an ' onward transfer'), we obtain contractual commitments from them to protect your personal information. This includes the use of EU approached Standard Contractual Clauses ( 'EU Model Clauses' ) for controller to controller and /or controller to processor transfers from the EU /UK to jurisdictions, such as Australia, who do not have an adequacy finding from the EU Commission; and
- Where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed.
You have a right to contact us for more information about the safeguards we have put in place to ensure the adequate protection of your personal information when this is transferred as mentioned above.
If you have a question or complaint you believe to be within the scope of our Privacy Shield certification, please contact us first at firstname.lastname@example.org, or using the contact details in the "Contact us" section below.
For any complaints that we can't resolve directly, JAMS is a US-based independent provider responsible for reviewing and resolving complaints about US Privacy Shield compliance. You can contact JAMS free of charge at https://www.jamsadr.com/eu-us-privacy-shield.
As further explained by the Principles, binding arbitration is available to address residual complaints not resolved by other means. As a US-based company, 99designs, Inc. is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.
Please note: on July 16, 2020 the European Court of Justice invalidated the EU-US Privacy Shield Program as an adequacy mechanism for transfers of personal data from the EU to the United States. 99designs will continue to comply with its Privacy Shield commitments for so long as it remains an active participant in the program. In addition, we will work to implement additional adequacy measures where necessary under applicable data protection laws, such as the EU standard contractual clauses for the transfer of personal data to processors established in third countries ("Standard Contractual Clauses").
Users in Brazil. If your personal information is subject to Brazilian laws, 99designs will ensure that appropriate safeguards are in place to protect your personal information, as required by the LGPD (once effective).
How we protect and store your information
We store most of your personal information electronically. We implement and maintain technical and organisational security measures, policies and procedures, appropriate to the nature of the information concerned, designed to reduce the risk of accidental destruction or loss, misuse or interference or the unauthorised disclosure, access or modification to such information, which include, where appropriate, encryption of personal information in transmission, access controls, and written confidentiality obligations applicable to personnel and vendors who may access personal information.
Storing your personal information
In some circumstances we may store your personal information for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax, accounting requirements.
Where you request that we delete your account from our system, we will lock the account and delete it from our servers within 30 days. However, in specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings.
Legal rights available to help manage your privacy
You may access or request correction of the personal information that we hold about you by contacting us. There are some circumstances in which we are not required to give you access to your personal information.
We will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, up to date, and complete.
Legal rights for individuals under GDPR and Similar Laws
If you are an individual based in or a resident of the European Union, United Kingdom, or Brazil, or a person to whom the GDPR, UK Data Protection Act or LGPD applies, there are additional rights available to you. Subject to certain exemptions, and in some cases dependent upon the processing activity we are undertaking, you have certain rights in relation to your personal information.
- To access personal information;
- To rectify / erase personal information;
- To restrict the processing of your personal information;
- To transfer your personal information;
- To object to the processing of personal information;
- To object to how we use your personal information for direct marketing purposes;
- To obtain a copy of personal information safeguards used for transfers outside your jurisdiction; and
- To lodge a complaint with your local supervisory authority.
If you wish to access any of the above-mentioned rights, we may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information to you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive.
You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information in order to fulfil your request.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.
Right to access personal information
You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of; (a) the source of your personal information; (b) the purposes, legal basis and methods of processing; (c) the data controller's identity; and (d) the entities or categories of entities to whom your personal information may be transferred.
Right to rectify or erase personal information
You have a right to request that we delete your personal information or rectify inaccurate personal information, subject to certain exceptions under applicable laws. We may seek to verify the accuracy of the personal information before rectifying it.
You can also request that we erase your personal information in limited circumstances where:
- it is no longer needed for the purposes for which it was collected; or
- you have withdrawn your consent (where the data processing was based on consent); or
- following a successful right to object (see right to object); or
- it has been processed unlawfully; or
- to comply with a legal obligation to which 99designs is subject.
We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:
- for compliance with a legal obligation; or
- for the establishment, exercise or defence of legal claims.
Right to restrict the processing of your personal information
You can ask us to restrict your personal information, but only where:
- its accuracy is contested, to allow us to verify its accuracy; or
- the processing is unlawful, but you do not want it erased; or
- it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or
- you have exercised the right to object, and verification of overriding grounds is pending.
We can continue to use your personal information following a request for restriction, where:
- we have your consent; or
- to establish, exercise or defend legal claims; or
- to protect the rights of another natural or legal person.
Right to transfer your personal information
You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:
- the processing is based on your consent or on the performance of a contract with you; and
- the processing is carried out by automated means.
Right to object to the processing of your personal information
You can object to any processing of your personal information which has our legitimate interests as its legal basis, if you believe your fundamental rights and freedoms outweigh our legitimate interests.
If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
Right to object to how we use your personal information for direct marketing purposes
You can request that we change the manner in which we contact you for marketing purposes.
You can request that we not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.
Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction
You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Union.
We may redact data transfer agreements to protect commercial terms.
Right to lodge a complaint with your local supervisory authority
You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information.
We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
Via e-mail: email@example.com
If you are resident in Australia:
99designs PTY Ltd
41-43 Stewart Street
Richmond, VIC 3121
If you are resident in the US:
2201 Broadway, Suite 815
Oakland, CA 94612
If you are resident in the EU/UK/CH:
In all other cases:
Data protection officer:
99designs PTY Ltd
41-43 Stewart Street
Richmond, VIC 3121
To contact your data protection supervisory authority
You have a right to lodge a complaint with your local regulator, which if you are located in the EU /EEA/ UK, will be your local data protection supervisory authority (i.e., your place of habitual residence, place of work or place of alleged infringement).
If you are located in:
- Australia, you can contact the Office of the Australian Information Commissioner at www.oaic.gov.au.
- Germany, you can contact the Federal Commissioner for Data Protection and Freedom of Information at www.bfdi.bund.de/.
- US, you can contact the relevant information commissioner's office in your respective US State.
We would ask that you please attempt to resolve any issues with us before your local supervisory authority.
Additional Information for California Residents
In this section, we provide additional information to California residents about how we handle their personal information, as required under California privacy laws including the California Consumer Privacy Act ("CCPA"). This section does not address or apply to our handling of publicly available information lawfully made available by state or federal government records or other personal information that is exempt under the CCPA.
Categories of Personal Information Under the CCPA
While our collection, use and disclosure of personal information varies based upon our relationship and interactions with you, in this section we describe, generally, how we have collected and disclosed personal information about consumers in the prior 12 months (from the Last Updated date above).
Categories of Personal Information Collected and Disclosed. The table below identifies the categories of personal information (as defined by the CCPA) we have collected about consumers, as well as how we have disclosed such information for a business purpose. For more information about the business and commercial purposes for which we collect and use personal information, please see the "What personal information we collect and when and why we use it" and the "How we use the personal information we collect" sections above.
|Categories||Description||Categories of Third Parties to Whom We May Disclose this Information for a Business Purpose|
|Identifiers||includes direct identifiers, such as name, alias, user ID, username or unique personal identifier; email address, phone number, address and other contact information; IP address and other online identifiers; tax ID and other government identifiers; and other unique identifiers.|
|Customer Records||includes personal information, such as name, account name, user ID, contact information, employment information, and financial or payment information, that individuals provide us in order to purchase or obtain our products and services. For example, this may include information collected when an individual register for an account, purchases or orders our products and services, or enters into an agreement with us related to our products and services.|
|Commercial Information||includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or use histories or tendencies.|
|Usage Data||includes browsing history, clickstream data, search history, access logs and other usage data and information regarding an individual's interaction with our websites, mobile apps, and our marketing emails and online ads.|
|Audio, Video and Electronic Data||includes audio, electronic, visual, thermal, olfactory, or similar information such as, thermal screenings and CCTV footage (e.g., collected from visitors to our premises, photographs and images (e.g., that you provide us or post to your profile) and call recordings (e.g., of customer support calls).|
|Education information||includes information you provide us or post to your profile about your education history.|
|Professional information||includes professional and employment-related information such as current and former employer(s) and position(s), business contact information and professional memberships.|
|Inferences||includes inferences drawn from other personal information that we collect to create a profile reflecting an individual's preferences, characteristics, predispositions, behaviour, attitudes, intelligence, abilities or aptitudes. For example, we may analyse personal information in order to identify the offers and information that may be most relevant to customers, so that we can better reach them with relevant offers and ads.|
Sources of Personal Information.As further described in the "What personal information we collect and when and why we use it" section above,we may collect personal information from the following sources:
- directly from the individual
- from designers and other users
- advertising networks
- data analytics providers
- social networks
- internet service providers
- operating systems and platforms
- government entities
- business customers
California Residents' Rights
CCPA Rights. In general, California residents have the following rights with respect to their personal information:
- Do-not-sell (opt-out): to opt-out of our sale of their personal information. We do not sell personal information about California consumers, including those we have actual knowledge are younger than 16.
- Right of deletion:to request deletion of their personal information that we have collected about them and to have such personal information deleted (without charge), subject to certain exceptions.
- Right to know: with respect to the personal information we have collected about them in the prior 12 months, to require that we disclose the following to them (up to twice per year and subject to certain exemptions):
- categories of personal information collected;
- categories of sources of personal information;
- categories of personal information about them we have disclosed for a business purpose or sold;
- categories of third parties to whom we have sold or disclosed for a business purpose their personal information;
- the business or commercial purposes for collecting or selling personal information; and
- a copy of the specific pieces of personal information we have collected about them.
- Right to non-discrimination: the right not to be subject to discriminatory treatment for exercising their rights under the CCPA.
Submitting CCPA Requests. California residentsmay submit CCPA requests to know (access) and requests to delete their personal information through one of the following methods:
- Email at firstname.lastname@example.org
- By phone at 1-800-513-1678 (toll free)
When you submit a request to know or a request to delete, we will take steps to verify your request by matching the information provided by you with the information we have in our records. You must email us with any requested information (or otherwise provide us with this information via the above toll-free number) to verify your request. In some cases, we may request additional information in order to verify your request or where necessary to process your request. If we are unable to adequately verify a request, we will notify the requestor. Authorized agents may initiate a request on behalf of another individual via email to email@example.com; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
For more information about our privacy practices, you may contact us as set forth in the "Contact Us" section above.