Privacy Policy

Introduction
Protecting consumer privacy is important to Sovos. This privacy policy outlines our general policy and practices for implementing the Principles (defined below), including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of and their ability to correct that information. This privacy policy applies to all personal information received by Sovos whether in electronic, paper or verbal format about persons who are not Sovos employees.

This privacy policy applies to Sovos Compliance, LLC, together with all of its US subsidiaries (Sovos): Image Science and Services, Inc.; Six88 Solutions, Inc.; 3PF, LLC; Convey Compliance Systems, LLC; 1099 Pro, LLC; and Invoiceware International, LLC.

For Sovos employees, this privacy policy applies to all personal information processed by Sovos for tax reporting purposes. Sovos has other privacy policies that apply to other data of its employees.

Privacy Shield Privacy Statement
Sovos complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries (and Iceland, Liechtenstein, and Norway) and Switzerland transferred to the United States pursuant to Privacy Shield.  Sovos has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/    

The Federal Trade Commission (FTC) has jurisdiction over Sovos’ compliance with the Privacy Shield.

Definitions
“Personal Information” or “Information” means information that (1) is recorded in any form; (2) is about, or pertains to a specific individual; and (3) can be linked to that individual; (4) can directly or indirectly identify an individual.

“Sensitive Personal Information” means personal information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health. Sovos’ services do not include the collection of Sensitive Personal Information.

Principles
Sovos collects data from the general public via the Sovos web site. This data may include information volunteered by an individual who wants to obtain more information about Sovos’ services or data which indicates who accessed Sovos’ web site and which pages they accessed. The latter type of data may or may not include Personal Information. This data is used for Sovos’ marketing and sales purposes and is not passed to third parties for any purpose other than assisting Sovos in its marketing and sales efforts. Sovos does not sell this data to third parties. Third parties who do receive this type of data are obligated to use the data only for the contracted purpose and to maintain the confidentiality of the data.

Sovos performs its tax determination, remittance, and reporting functions without retaining the personally identifiable information of consumers. Personally identifiable information is only used and retained to the extent necessary for the administration of the services with respect to exempt purchasers. Generally, Sovos does not obtain personally identifiable information directly from consumers. We primarily receive personally identifiable information as a result of consumers’ financial transactions with sellers. However, in the event Sovos collects information directly from consumers, we will obtain the personal information that is needed to provide our goods or services, to provide customer service and to fulfill any legal or regulatory requirements.

Data collected from customers related to Sovos’ services: Sovos’ customers provide Sovos with Personal Information necessary for Sovos or its customers to make required tax, compliance and/or business-to-government reporting disclosures to taxing authorities. This may include social security numbers and the name and address of an individual, and will include information about payments Sovos’ customer has made to the individual. Sovos may also collect data about individuals from government-run or sponsored web sites, such as sites designed to verify that social security numbers are accurate. This data is used solely for the provision of Sovos’ services to its customers and is not used for any other purpose.

Choice
Individuals who have provided information to Sovos via its web site may contact Sovos to have their names and information removed from Sovos’ marketing and sales databases by contacting us at privacy@sovos.com. Sovos complies with applicable law that requires all marketing emails to include the means to opt out of such email.

Individuals whose Personal Information is collected from Sovos’ customers can opt out of Sovos’ use of their information by contacting the Sovos customer who provided the information.

Sovos does not currently collect Sensitive Personal Information. In the event that Sovos does receive Sensitive Personal Information, Sovos shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.

Use of Cookies
As you browse Sovos.com, advertising cookies will be placed on your computer so that we can understand what you are interested in. Our display advertising partner, Google AdWords, then enables us to present you with retargeting advertising on other sites based on your previous interaction with Sovos.com.

The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can visit this page to opt out of AdWords and their partners’ targeted advertising.

Onward Transfers
Sovos has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. We are subject to the investigatory and enforcement powers of the Federal Trade Commission. To learn more about the Privacy Shield Principles, and to view our certification, please visit https://www.privacyshield.gov.

Data collected from the public via the Sovos website may be transferred to:

  • Sovos’ Customer Resource Management (“CRM”) provider
  • Firms which assist Sovos in sales and marketing
  • Sovos’ data hosting services providers
  • Sovos’ printing partners

These third parties all either: (a) have subscribed to the Privacy Shield Principles, (b) adopted the Model Clauses, or (c) have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos. A list of these third parties is available upon request by contacting us at privacy@sovos.com.

Data collected from customers related to Sovos’ services may be transferred to:

  • Government agencies: Sovos may transfer tax-reporting related data to government agencies
  • Sovos’ data hosting services providers
  • Applicable member states of the Streamlined Sales Tax Initiative
  • Sovos’ print services providers

A list of these third parties is available upon request by contacting us at privacy@sovos.com.

Sovos lacks the power to dictate what government agencies do with the data. Sovos provides government agencies only with data required to fulfill tax reporting requirements of Sovos and its customers. Sovos’ data hosting services providers have a contractual obligation to Sovos which prohibits them from making any use of the data beyond what is required to fulfill their obligations to Sovos.

Except for disclosures to government agencies, Sovos shall ensure that any third party to which Personal Information may be disclosed subscribes to the Principles, is subject to law providing the same level of privacy protection as is required by the Principles, or agrees in writing to provide an adequate level of privacy protection.

In certain rare instances, law enforcement officials or a court may issue a subpoena that obligates Sovos to disclose those of its records relevant to an investigation. When that happens, Sovos makes sure that the disclosure of records is as narrow as possible. When the subpoena permits such notice, Sovos will notify the impacted individual of the subpoena and impending disclosure.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Sovos’ accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Sovos remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Sovos proves that it is not responsible for the event giving rise to the damage.

Data Security
Sovos shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Sovos has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Although information sent to and from Sovos is secured according to industry best practices, Sovos cannot guarantee the security of Information on or transmitted via the Internet.

Data Integrity
Sovos shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Sovos shall take reasonable steps to ensure that Personal Information is accurate, complete, current and reliable for its intended use.

Access
Sovos shall allow an individual access to their Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Where the information the individual seeks to edit was provided by a Sovos customer, Sovos will need to contact the customer and will only change the information after the customer has verified that the original information was inaccurate. Access can be initiated via email to privacy@sovos.com.

Enforcement
Sovos uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Privacy Shield Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Privacy Shield Principles.

Dispute Resolution
In compliance with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks, Sovos is committed to resolving complaints about your privacy and our collection or use of your Personal Information. Individuals with inquiries or complaints regarding this privacy policy should first contact Sovos at:

Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887

or by email to: privacy@sovos.com

We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of personal data within 45 days of receiving your complaint.

Sovos has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

If your complaint involves human resources data transferred to the United States from the EU and/or Switzerland in the context of the employment relationship, and Sovos does not address it satisfactorily, Sovos commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such human resources data.  To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction.  Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.  Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.

Under certain limited circumstances, individuals in the EEA may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution (discussed above) have been unsuccessful. To learn more about this method of resolution and its availability to you, please visit https://www.privacyshield.gov/.

Data Protection for Individuals in the European Union (EU)
In addition to the above information, as Sovos is a global business we may collect data from citizens within the EU.

Through this section of the Privacy Policy, we aim to inform you about the types of personal data we may collect from European individuals, the purposes for which we use the data and the ways in which the data is handled. We also aim to satisfy the obligation of transparency under the EU General Data Protection Regulation 2016/679 (“GDPR”) and national laws implementing GDPR.

Transfer of Information Outside the EEA
Under the General Data Protection Regulation, we are required to tell you if we transfer or intend to transfer information which we hold on you to countries outside the European Economic Area (“EEA”).

Except as prohibited by law, the information that you provide us with may be stored on Sovos servers outside of Europe and other Sovos companies or business partners may process this information on Sovos’ behalf, but always under strict conditions of confidentiality. Sovos will keep this information to enable it to properly and effectively administer and monitor the customer relationship it has with you. We transfer such information outside the EEA only if:

a) your product or service enquiry is best handled by one of our companies located outside the EEA; or

b) the service you have requested, such as a newsletter, is delivered through a third-party located outside the EEA.

In either case, a list of companies we may utilize outside the EEA is available upon request by contacting us at privacy@sovos.com.

We apply equal rigour to the security of data held and processed by us or on our behalf outside of the EEA. We have taken steps to ensure that our subsidiaries and affiliates and those who process data on our behalf enter into the standard contractual clauses approved by the European Commission, to safeguard the personal information which is transferred to and from the EEA and beyond.

As some of our servers are located in the USA, transfer of some of our data outside the EEA is necessary to enable us to operate the Site. To the extent that any personal information is provided to third parties outside the EEA, or who will access the information from outside the EEA, we take steps to ensure that approved safeguards are in place, such as the approved standard contractual clauses or the EU-US Privacy Shield (see our Privacy Shield statement above).

Trusted Third Parties
We will only share your personal information with trusted third parties where we have retained them to provide services that you have requested or for our legitimate business purposes, such as IT or professional support services.

The Legal Basis for Processing your Personal Information

Sovos’ website
The Sovos website gathers and processes your personal data only if you actively give it to us. Under the GDPR, the legal basis for processing your personal information is Consent, respectively “legitimate interest”, which can mean you have asked us to provide a service (such as a newsletter) or to contact you using the details you have submitted.

To withdraw your consent, please use the unsubscribe link at the bottom of a newsletter or contact privacy@sovos.com.

Data Provided to Sovos by its customers to fulfill Sovos’ contractual obligation

Under our customer contracts, Sovos gathers and processes customers’ customers’ personal data only if provided to Sovos in order to fulfill its contractual obligations. Under the GDPR, the legal basis for processing your customers’ personal information is contractual obligation.

How Long We Will Hold Your Information
We will retain your personal information only for the time necessary to provide the Services we perform for you, or as stated by the purposes outlined in this Privacy Policy. In particular, we will store certain categories of your personal information for the following periods of time:

Category of Personal Data | Storage Time Period
Contact details for sales enquiries | 2 years after last contact
Email address for newsletter | Until you unsubscribe
Job applications & CVs Outside EU | Indefinitely
Job applications & CVs – EU Citizens | 1 year (or until consent withdrawn, whichever is earlier)

Complaints from European Individuals
If you are unhappy about our use of your personal information, you can contact us using the contact details below. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods:

Telephone: 0303 123 1111
Website: https://ico.org.uk/concerns/
Post: Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

You may prefer to, and are entitled to, lodge a complaint with a different supervisory authority in a country of your choice. A list of Supervisory Authorities is available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Privacy Notice for California Residents

Data Protection for California Consumers under the California Consumer Privacy Act

If you are a visitor, user, or other individual who resides in the State of California (“consumer”), you have the right to: (a) request that Sovos disclose what personal information it collects, uses, discloses and sells about you, (b) request deletion of the personal information you have provided to Sovos, and (c) be free from discrimination by Sovos as a result of you exercising your rights under the California Consumer Privacy Act of 2018 (“CCPA”).

We note that the CCPA temporarily exempts personal information reflecting a written or verbal business-to-business communication from some of its requirements, such that the rights to access and delete your personal information do not apply with respect to such information.

In addition, under the CCPA, none of the rights set forth in this Notice apply to, and “personal information” does not include, certain categories of information, such as (i) publicly available information from government records, (ii) deidentified or aggregated consumer information, (iii) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data, and (iv) information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

If you wish to exercise any of these rights, you must submit a Verifiable Consumer Request, which can be submitted here, or by emailing privacy@sovos.com. The procedures Sovos uses to evaluate your request can be found here.  Furthermore, in accordance with the CCPA, you can designate a third party agent to exercise your CCPA rights on your behalf by following the procedures that can be found here.

Categories of Personal Information We Collect

Sovos has collected the following types of personal information about consumers in the preceding 12 months:

Categories | Examples | Collected
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | YES
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES
D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES
G. Geolocation data. | Physical location or movements. | NO
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | NO
I. Professional or employment-related information. | Current or past job history or performance evaluations. | YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES
K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO

Sources of Personal Information Collected

Sovos obtains the categories of personal information listed above from the following categories of sources: (a) directly from you, for example, if you contact us via our website; (b) indirectly from you, for example, via Internet cookies; and (c) from customers.

Disclosures for a Business or Commercial Purpose

In the preceding 12 months, Sovos has disclosed the following types of personal information to its service providers and affiliates for business purposes: A. Identifiers; B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)); C. Protected classification characteristics under California or federal law; D. Commercial information; F. Internet or other similar network activity; I. Professional or employment-related information; and J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

California Consumers’ Right to Know

If you are a consumer, you have the right to request the following information regarding Sovos’ practices regarding your personal information: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information about you was collected; (c) the business or commercial purpose for which we collect or sell your personal information; (d) the categories of third parties with whom we share your personal information; (e) the specific pieces of personal information we have collected about you; (f) the categories of personal information that we sold about you, and categories of third parties to whom the information was sold; and (g) the categories of personal information that we disclosed about you for a business or commercial purpose.

California Consumers’ Right to Request Deletion

If you are a consumer, you have the right to request that Sovos delete the personal information that Sovos has collected about you that you provided to Sovos.  Please note that in certain instances we may not be able to process your request, such as (i) due to the existence of a legal obligation, (ii) to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities, or (iii) in order to complete a transaction for which your personal information was collected.

California Consumers’ Right to Opt Out

Sovos has not sold the personal information of any California consumer to third parties in the preceding 12 months.  Sovos does not sell the personal information of minors under 16 years of age without affirmative authorization.

Further Information on Data Protection and Personal Privacy
If you have any enquiries or if you would like to contact us about our processing of your personal information, including to exercise your rights as outlined above, please contact us by one of the methods listed below. When you contact us, we will ask you to verify your –

Sovos Compliance, LLC
Attn: Office of Information Security
200 Ballardvale Street
Building 1, 4th Floor
Wilmington, MA 01887
privacy@sovos.com