Buffer Inc. (“Buffer”) complies with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the Data Privacy Framework (the “DPFs”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information (as defined below) that is transferred from the European Economic Area (“EEA”), the United Kingdom (“UK”) and/or Switzerland, to the United States. Buffer has certified to the Department of Commerce that it adheres to the DPFs Principles (the “Principles”) with respect to such information.
Buffer will not rely on the Swiss-U.S. Data Privacy Framework or the UK Extension to the Data Privacy Framework until each enters into force, but Buffer adheres to their required commitments in anticipation of their doing so.
If there is any conflict between the terms in this DPFs Policy and the Principles, the Principles will govern. To learn more about the DPFs, and to view our certification, please visit https://www.dataprivacyframework.gov/s/
Personal Information Received from the EEA, UK & Switzerland
How We Obtain Personal Information
We obtain and process Personal Information in different capacities.
For all types of processing, Buffer commits to the Principles of the DPFs with respect to all Personal Information received from the EEA, UK and Switzerland.
When we process Personal Information on behalf of our commercial customers, our commercial customers determine the categories of data they provide to our Service and the purposes of the processing. Accordingly, our commercial customers are responsible for providing notice to individuals and you should review their privacy policies for more information regarding their data processing practices.
Data Integrity and Purpose Limitation
We use reasonable and appropriate measures to protect your Personal Information from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Information.
We will give you an opportunity to choose whether your Personal Information may be used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized by you, or if we intend to disclose it to a third party acting as a data controller that we have not previously disclosed to you. In such circumstances, we will notify you and offer you the opportunity to opt-out of such uses and/or disclosures where non-sensitive Personal Information is involved, and to opt-in where sensitive Personal Information is involved.
Access to Personal Information
Where appropriate, Buffer will provide you with access to the Personal Information that we maintain about you. Buffer will also correct, amend or delete Personal Information that we maintain about you when it is inaccurate or has been processed in violation of the Principles and you send a written request to us using the information provided in the“Contact Information” section below. We will review your request in accordance with the Principles, and may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles.
When we process Personal Information on behalf of our commercial customers, our commercial customers control the type of information we obtain, how that information is used and disclosed, and how it can be modified. Accordingly, if you wish to request access, limit use or disclosure of your Personal Information, please contact us using the information provided in the “Contact Information” section below.
Recourse and Enforcement
We conduct an annual self-assessment of our Personal Information practices to verify that the attestations and assertions made in this Policy are true and have been implemented as represented.
If you have any questions or concerns, we encourage you to write to us at the address listed below. We will investigate and attempt to resolve any complaints or disputes regarding our use and disclosure of Personal Information in accordance with the Principles. Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Buffer, Inc.'s internal processes, Buffer, Inc. has agreed to participate in the DataRep DPF
Dispute Resolution Procedure
In the unlikely event that a dispute arises between you and Buffer regarding our handling of your User Personal Information, we will do our best to resolve it.
Additionally, if you are a resident of an EU member state you have the right to file a complaint through our GDPR Representative, DataRep, located in Ireland. Please address complaints to:
DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
If you are a resident of the UK you have the right to file a complaint through our GDPR Representative, DataRep, located in the UK. Please address complaints to:
DataRep, 107-111 Fleet Street, London, EC4A 2AB, United Kingdom
If you are a resident of Switzerland you have the right to file a complaint through our GDPR Representative, DataRep, located in Switzerland. Please address complaints to:
DataRep, Leutschenbachstrasse 95, ZURICH, 8050, Switzerland
Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.
DPFs Policy Changes
This Policy may be changed from time to time, consistent with the requirements of the DPFs. You can determine when this Policy was last revised by referring to the “Last Updated” legend at the bottom of this Policy. Any changes to this Policy will become effective when posted to our website.
If you have questions, concerns, or complaints about this DPFs Policy or Buffer's privacy practices, or if you would like to exercise your rights and choices with regard to your Personal Information, please contact us by email at firstname.lastname@example.org or write to us at the following address:
2243 Fillmore St #380-7163
San Francisco, CA 94115
If you have any thoughts or questions about this DPFs Policy please let us know.
Last updated: October 5, 2023
|TYPE OF DATA||RECORD DESCRIPTION||RETENTION GUIDELINE|
|Customer Data (non-sensitive)||Current customer (free account)||2 years after a customer becomes inactive|
|Customer Data (non-sensitive)||Current customer (paid account)||2 years after a customer becomes inactive (specifically, from the point that they are downgraded to a Free account)|
A paying customer would only be inactive if they downgrade to Free plan and are not active on the Free plan for 2 years.
As long as a customer is paying, we will not delete the account.
|Customer Data (non-sensitive)||Current customer (free and paying accounts)||We will store User Content for up to 24 months for active customers. See more details below.|
|Customer Data (non-sensitive)||Customer invoice information||For tax and accounting purposes we will retain invoice information for up to 7 years after your last payment.|
|Customer Data (non-sensitive)||Prospective Customer Data (marketing leads)||2 years after last interaction with prospective customer.|