Data Governance and Privacy at Clearbit
Clearbit is a B2B marketing data engine that helps businesses discover and attract more ideal prospects, personalize their marketing and sales interactions, and enrich and inform their go-to-market systems.
Our Services are designed to help our customers and partners in a wide variety of ways, including by helping them determine which companies might make the best customers, identify the contacts within those organizations by department, role or seniority that might improve or expedite their interactions with those companies, and enabling them to personalize their interactions with those companies.
Clearbit primarily processes B2B data for your use within a business context, regardless of where an individual is based, across all of our solutions. This is essentially information that is available on someone’s business card, email signatures or company websites. Clearbit does not provide or collect consumer data, which includes, but is not limited to, things like web browsing history, health records, financial information, or economic status.
Our proprietary indexing systems ("Clearbit Indexers") collect information from a variety of sources in order to compile "Attribute Data" about corporations, non-profits, and similar entities ("Companies") and the professionals that work for them ("Professionals"). A complete list of Attribute Data we make available to users of the Site and Services (defined below) can be found at www.clearbit.com/attributes.
Clearbit acquires the data used in its Services either through public datasets, third-party paid sources or when users use our free tools such as our Logo API, and they contribute data back to us as a result of their use.
At Clearbit, privacy and security are top priorities for us. Clearbit understands the importance of protecting the critical business and personal information entrusted to Clearbit by its customers.
Clearbit is a registered data broker in California and Vermont, and is subject to CCPA (California Consumer Privacy Act) and other applicable US privacy laws.
We’re aligned with the General Data Protection Regulation (GDPR) principles.
We continue to bolster our already-strong data protection practices by continuously evaluating and updating our company privacy policies and practices.
For privacy inquiries, please contact firstname.lastname@example.org.
Clearbit and the GDPR
The EU's General Data Protection Regulation (GDPR) strengthens the rights of EU individuals regarding how their personal data is used & collected.
Clearbit is headquartered in the United States. Our websites and services are controlled and operated by us from the United States and are not intended to subject us to the laws or jurisdiction of any state, country or territory other than that of the United States. However, some of our enterprise customers may be based in the EU or engage in other activities that require them to comply with the GDPR.
Today, thousands of organizations rely on Clearbit as the data backbone for their cutting-edge sales & marketing efforts. We know that our customers take GDPR seriously and need vendors that can help accommodate their GDPR needs. Our legal, operations, and product teams therefore, consistently ensure that we have appropriate product safeguards, policies, and knowledge to facilitate our customers' continued use of Clearbit via our Platform and APIs.
Since some elements of Attribute Data are not collected from data subjects directly, Clearbit’s processing activities are based on (i) consent or (ii) the legitimate interest of both Clearbit and its business customers, among other legal bases as applicable depending on the context. Clearbit’s data is processed to provide business intelligence (for sales, marketing, and operations) and help organizations drive revenue by providing users with accurate and up-to-date business information.
Legitimate Interest and Data Protection Impact Assessment
Many advanced privacy regimes claim that personal data must be obtained and processed lawfully and fairly. Personal data should be collected and processed based on a legitimate purpose, after balancing the interests of the organization against the interests and rights of the individual whose data is processed.
Clearbit conducted a Data Privacy Impact Assessment (“DPIA”) with the help of privacy experts. The DPIA confirms that Clearbit’s processing of business profile information satisfies the grounds for the processing of personal data for a legitimate interest. It also determined that this legitimate interest is not overridden by the interests or fundamental rights and freedoms of the data subject which requires protection of personal data. Here are the findings:
- Nature of the data. The information collected by Clearbit is extremely limited. It does not contain any special categories of personal data and is not related to children.
- Reasonable expectations of Contacts. Although any personal information about data subjects that we provide our customers access to can be found on business social platforms or during the course of normal business correspondence, we do not collect data directly from the data subjects. As a result, they may not know that their data is in our database. They can always exercise their rights in relation to their data through our Privacy Request Form.
- Processing proportionate to the purpose. Clearbit follows data minimization principles and only collects data that are strictly necessary to achieve its purposes. Clearbit has processes in place to limit the data processed to business contact information which is professional in nature. Through our Privacy Request Form, individuals can claim control over their data.
Data subject rights
Clearbit operates in accordance with fundamental privacy principles that underlie global privacy regulations, with respect to an individual’s right to know what personal data is collected and how it is used or otherwise processed.
Clearbit has features that support customers' ability to handle data subject requests, such as requests for access, correction, or erasure, by allowing individuals to access and modify applicable personal information via our Privacy Request Form.
Data deletion and retention
Clearbit periodically verifies the accuracy of all of the information in its databases. Data that is found to be inaccurate or out of date is removed from the database. In addition, we honor all opt-out requests so if any person requests deletion of their data, then such data would be deleted.
When a customer terminates their contract with us, we delete their account and remove any associations of such customer with any data in our databases promptly, and no later than 90 days of termination of their contract.
Clearbit enforces the “rule of least privilege” and has documented segregation of duties. We also enforce formal logical and account separation of the development, QA and production environments.
Currently, Clearbit stores all its data in servers of US-based cloud companies. The GDPR doesn’t require personal data of EU citizens and residents to be only stored within the EU.
We maintain a list of the subprocessors that we use as part of our products and services, including the activities and services performed by such subprocessors and their country location.
We operate in accordance with internal privacy and data protection policies that are based on privacy principles that underlie international privacy regimes, including the GDPR and the California Consumer Privacy Act (CCPA). We actively monitor and intend to comply with any new applicable privacy laws.
Training and awareness
We require annual privacy and security training that’s mandatory for all Clearbit personnel. These trainings are actively tracked and regularly reviewed to help ensure compliance and relevance for our business activities. We also deliver periodic privacy and security communications to supplement required trainings, further reinforcing data privacy and data security best practices.
Governance and accountability
Clearbit’s privacy program is directed and overseen by its VP, Legal and Privacy and a team of dedicated professionals. IAPP-certified privacy professionals review company activity with privacy and data protection implications, assess compliance and make recommendations to help meet compliance requirements.
Privacy by design
Our product and engineering teams work closely with our global privacy team to embed privacy principles in our products and services and help ensure privacy compliance with respect to the various phases of product development, starting at concept, through requirements gathering, to implementation and release.
Beyond product development activities, our privacy team drives our privacy by design approach on a corporate-wide basis, including assessing a variety of activities across the company involving personal data for privacy compliance.