Privacy notices

Privacy Notice for Customers and Users

In this Privacy Notice, we describe the types of personal data that we collect in connection with provision of any Phrase products, services and content (“Phrase Solutions”), how we use and protect that data and how you can contact us and exercise your rights regarding your personal data.

We reserve the right to make any changes to this Privacy Notice at any time. Please check the Privacy Notice periodically for changes, although, if you are our customer, we may also notify you via email of any changes that, in our sole discretion, materially impact your use of Phrase Solutions or the way we process your personal data. Your continued use of Phrase  Solutions covered by this Privacy Notice will signify your acceptance of all changes to this Privacy Notice made by us from time to time.

1. About Phrase

Phrase is a provider of SaaS based solutions for localization and translation management. The data controllers are (i) Phrase a.s., ID No. 24707139, with its registered office at Václavské náměstí 2132/47, 110 00 Prague 1, Czech Republic, and (ii) Phrase GmbH, with its registered office at ABC-Straße 4, 20354 Hamburg, Germany, registered with the District court Hamburg under HRB 109537 (“we” or “Phrase”) who are jointly responsible for compliance with the applicable data protection legislation. Phrase a.s. is primarily responsible for exercising the rights of data subjects and providing information about data processing.

2. How do we process personal data?

We collect personal data from our customers and users of Phrase Solutions to provide, manage and maintain Phrase Solutions and for other purposes set out in this Privacy Notice. We process this data as a data controller. This Privacy Notice covers our processing of such personal data.

We might also act as a data processor with respect to the personal data uploaded by our customers in order to provide them with and to maintain Phrase Solutions. While it is not Phrase Solutions’ primary function, we recognize that our customers have the ability to upload any content to Phrase Solutions and, thus, we do not have control over whether any personal data or what categories of personal data are contained within such content, as this depends solely on the decision of our customers and users. Our rights and obligations with respect to such personal data are stipulated in the Phrase Terms of Service or respective data processing agreements. Unless expressly stipulated otherwise, this Privacy Notice does not cover our processing of personal data as a data processor. 

Beside processing the uploaded content (potentially including the personal data contained within) in order to provide our services to our customers, we, in some cases, also use the content for our own purposes, primarily to enhance and maintain Phrase products and service offerings, as outlined in Section 5 below.

3. What personal data do we collect?

We collect personal data when you register, log in to Phrase Solutions by entering your email and password or by any other similar authentication means that we may make available to you, use Phrase Solutions, attend events organized by Phrase or our partner or when you otherwise interact with Phrase, for example contact us via a form on our website. 

We collect the following personal data in connection with your relationship with us or your relationship with our customers: your name, user name, email address, job title, name of your organization.

We may also receive your phone number, Phrase ID, billing address and bank account details, password, VAT number, information from your public LinkedIn profile, information about your participation in events organized by Phrase or in relevant industry conferences, information about our past interaction with you or your organization, IP address of your device, internet browser information, information about the use of Phrase Solutions by you or your organization. When we send you emails, we may track whether you open them to learn how to deliver a better customer experience and improve our services.

4. How do we obtain your personal data?

Your personal data can be:

• Obtained directly from you or from your organization, such as your name, surname and contact details,
• Included in the content you or our customers and users upload to, or create, generate, or translate within Phrase Solutions,
• Created in the course of our relationship with you or your organization, such as information about our interaction with you,
• Collected from public sources such as your LinkedIn profile.

5. How do we collect your personal data?

Your personal data will be processed for the following purposes:

• To enable you or your organization to use Phrase Solutions and to enhance its functionality,
• To maintain our business relationship with you or your organization,
• To send you marketing materials about Phrase and Phrase Solutions and determine their performance;
• Our internal reporting and archiving,
• To ensure network and information security,
• To analyze and understand how Phrase Solutions are being used and to enhance their functionality,
• To provide you or your organization with business proposals.

5.1. Machine Learning

We also use the content uploaded by our users and customers solely for the purposes of enhancing and maintaining Phrase products and service offerings. 

This includes using the content for machine learning in specifically limited ways; please note that we do not use any user or customer content or its translations to train models that would generate text or provide any text output. This means that our features could not generate anything that contains or otherwise discloses user or customer content or its confidential information or that could identify a specific customer or user to any other customer or any third party. 

We use customer data for machine learning training only in models that provide non-text based output, such as a feature proposing the best machine translation service for the uploaded content at hand (MT Autoselect) or providing a numeric score of estimated quality assessment for particular tasks (QPS). For more information on machine learning visit our Artificial Intelligence and Machine Learning Statement. 

Our machine learning focuses solely on enhancement of translations provided while using Phrase Solutions and not for any other purposes. We only collect personal data as required for the operation of Phrase Solutions (e.g. usernames, emails), but any personal data potentially contained in the content uploaded by our customers to Phrase Solutions is not used for any other purpose than as described in this Section 5.1; we do not sell or otherwise provide this personal data or use it for direct marketing. Further, none of the user or customer data is stored with our machine translation providers (our personal data sub-processors) or used by them for the purpose of training or enhancing their AI models.

5.2. Phrase Academy

In Phrase Academy, which is our social user enablement and learning platform, hosted by a third party provider (360 Learning Ltd), new users are added to a public group. This setup allows for the user’s first and last name, courses views, comments received, achievements obtained, and any other personal information the users themselves add to their Phrase Academy account to be visible to other members of the group. Since users on Phrase Academy can follow each other’s progress and achievements, this visibility setting is essential for fostering social learning and is a prerequisite for accessing the platform.

6. On what legal basis do we use your personal data?

We use your personal data on the following basis:

• Processing your personal data for the purposes of providing the services and to communicate with you, to enable your use of Phrase Solutions (e.g. your identification data for administration of the account or for billing purposes), which is necessary so that we can perform the services set out in the contract we have concluded with you or your organization,
• Processing of your personal data to comply with our obligations under the applicable laws, e.g. obligation to archive accounting documents,
• Processing of your personal data for other purposes such as (i) to help us to maintain a productive business relationship with you or your organization, (ii) to offer you new products and services, (iii) to improve our ability to understand business needs of you or your organization; (iv) to improve and enhance Phrase Solutions and marketing materials; and (v) to ensure network and information security is based on our legitimate interest,
• Processing of your personal data for marketing and sales purposes is based on your consent (where such consent was given by you). In a limited scope permissible under applicable law, we may also use your email address to inform you about our services without your explicit consent, based on our legitimate interest.
  

7. How long will we keep your personal data?

Where we process personal data as data controller, we retain your personal data for the period necessary to fulfill the purposes outlined in this Privacy Notice and/or the Terms of Service, unless a longer retention is required by law (e.g. for tax and accounting purposes) or where we need to do so in connection with potential or actual legal action, or an investigation involving Phrase.

Where we process your personal data for marketing and sales purposes based on our legitimate interest, your personal data will be stored by us for two years after the end of your relationship with us, unless you opt-out from receiving our marketing communication earlier. In cases where you actively subscribed to our newsletters, your personal data will be kept by us until you opt-out. You can opt-out directly via the unsubscribe link found at the bottom of each of our emails that include marketing communications.

Where we process personal data on behalf of our customers as a data processor, we retain such data for the duration of our agreement with such customers and delete them in accordance with our retention and backup processes automatically within 60 days after the customer permanently deletes their content from Phrase Solutions or within 60 days from termination of the agreement.

8. Sharing your personal data for legal and business purposes

Your personal data might be accessible to our affiliates within the Phrase Group:

• Phrase a.s., with its registered office at Václavské náměstí 2132/47, 110 00 Prague 1, Czech Republic;
• Phrase GmbH, with its registered office at ABC-Straße 4, 20354 Hamburg, Germany;
• Phrase UK Ltd, with its registered office at 73 Cornhill, EC3V 3QQ, London, United Kingdom;
• Phrase OpCo Ireland Limited, with its registered office at Unit A6, Santry Business Park, Swords Road, D09 X651 Dublin 9, Ireland;
• Phrase OpCo Spain, S.L., with its registered office at Calle Entença, 325-335, Planta 1ª, 08029 Barcelona, Spain;
• Phrase, Inc., with its office at 350 East Avenue, Suite 203 in Rochester, NY 14604, United States of America.

The personal data might be shared with the affiliates within the Phrase Group in order for them to provide you with certain support services, marketing and pre-sales activities, or to offer their own products and services to you or your organization.

We may share your personal data with other recipients, in particular, our suppliers, under a written agreement which commits such recipients to appropriate safeguards in relation to handling of your personal data (including in relation to maintaining confidentiality of your personal data and implementing appropriate technical and organizational security measures).

The list of our current sub-processors who have access to personal data for the purpose of providing our customers with Phrase Solutions is available here.

To the extent we act as a data controller with respect to personal data, we use the following processors to process personal data on our behalf:

• 360 Learning UK LTD, with offices at 205a High Street, West Wickham, Kent, United Kingdom, BR4 0PH – social learning platform used for Phrase Academy;
• ActiveCampaign LLC, with offices at 1 N Dearborn Suite 500 Chicago, IL 60602, USA – email delivery software provider;
• Atlassian Pty Ltd., with offices at Level 6, 341 George Street, Sydney NSW 2000, Australia – project management and internal ticketing system provider;
• Brightback Inc. , with offices at 548 Market St #69224, San Francisco, CA 94104-5401, USA – retention management system provider;
• Chargebee Inc., with offices at 909 Rose Avenue, Suite 610, North Bethesda, MD 20852, USA – accounting and billing software provider;
• Chili Piper Inc., with offices at 228 Park Ave S # 78136 New York, New York 10003-1502 USA – lead management software provider;
• Clari Inc., with offices at 1154 Sonora Ct, Sunnyvale, CA 94086, USA – revenue operations and conversation intelligence tool provider;
• Crossbeam Inc., with offices at 30 S 15th Street Ste. 1550 PMB 15987 Philadelphia, PA 19102-4826, USA – customer account mapping software provider;
• Databricks Inc., with offices at 160 Spear Street, 15th Floor, San Francisco, CA 94105, USA – data analysis software provider;
• Datadog Inc., with offices at 620 8th Ave 45th Floor, New York, NY 10018 USA – application monitoring and alerting software provider;
• Docusign, Inc., with offices at 221 Main Street, Suite 1550, San Francisco, CA 94105 – digital signature software provider;
• Fellow Insights Inc., with offices at 532 Montréal Rd #275, Ottawa, ON K1K, Canada – meeting management and record keeping software provider;
• Functional Software, Inc., with offices at 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA – application error alerting software provider;
• Google Ireland Limited, with offices at Gordon House, Barrow Street, Dublin 4, Ireland – email client and document storage provider;
• Hevodata Inc., with offices at 1390 Market St, Suite 200, San Francisco, California 94102, USA – ETL, data integration & data pipeline platform provider;
• Hook Technology Ltd., with offices at 21 Great Winchester St, London, EC2N 2JA, United Kingdom – monitoring and product analytics software provider;
• HubSpot Inc., with offices at 2 Canal Park, Cambridge, MA 02141, USA – marketing management and customer support software provider;
• Ironclad Inc., with offices at 71 Stevenson St # 600, San Francisco, USA – contract management system provider;
• Logshero Ltd., with offices at 35 HaMasger Street, Tel Aviv 6721407, Israel – infrastructure logging observability software provider;
• MAZE.DESIGN INC., with offices at 800 Menlo Ave, Suite 220, Menlo Park, CA 94025, USA – user experience research software provider;
• Mixpanel Inc., with offices at One Front Street, 28th Floor, San Francisco, CA 94111, USA – product analytics software provider;
• Notion Labs Inc., with offices at 2300 Harrison Street, San Francisco, CA 94110, USA – research insights repository and knowledge management platform provider;
• OpenAI Ireland Ltd, with offices at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin, D01 YC43, Ireland – GenAI chatbot software provider;
• PayPal (Europe) S.à r.l, with offices at 22-24 Boulevard Royal, L-2449 Luxembourg, Luxemburg – payment system provider;
• Planhat AB, with offices at Malmskillnadsgatan 13; 111 57 Stockholm; Sweden – customer health and CSM activity platform provider;
• Sauce Labs Inc., with offices at 450 Sansome Street, 9th Floor, San Francisco, CA 94111, USA – application monitoring & crash reporting software;
• Seismic Software, Inc., with offices at 12390 El Camino Real, San Diego, CA 92130, USA – sales enablement software provider;
• SFDC Ireland Limited, with offices at Salesforce Tower Dublin, North Dock, Dublin, D01 W2Y3, Ireland – customer relationship management software provider;
• Slack Technologies Limited, with offices at Salesforce Tower Dublin, North Dock, Dublin, D01 W2Y3, Ireland – communication platform provider;
• Snowflake Computing Netherlands B.V., with offices at FOZ Building, Gustav Mahlerlaan 300-314, 1082 ME Amsterdam, Netherlands – data storage and data sharing platform provider;
• Stripe Payments Europe Ltd, with offices at 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland – payment system provider;
• Thoughtspot Inc., with offices at 444 Castro Street, Suite 1000, Mountain View, CA 94041, USA – internal data analytics and reporting platform provider;
• Twilio Inc., with offices at 01 Spear Street, First Floor, San Francisco, CA 94105, USA – email delivery system provider;
• Userpilot, Inc., with offices at 1401 Lavaca Street, Unit #7019, Austin, TX 78701, USA – product analytics system provider;
• Zendesk Inc., with offices at 989 Market St, San Francisco, CA 94103, USA – customer service and ticketing software provider;
• ZenLeads, Inc., with offices at Covina, 440 N Barranca Ave #4750, USA – sales intelligence and engagement platform provider;
• Zoom Video Communications, Inc., with offices at 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA – video conferencing solution provider

Your personal data may also be shared with other recipients, such as government authorities or other subjects where we have a valid legal title under the applicable data protection laws to share your personal data (e.g. in certain cases when deemed reasonable, we can share details on your logs to Phrase Solutions to comply with our legal obligations).

We do not sell your personal data to any third parties.

9. Location of your data

Your personal data may be transferred to, stored and processed in the countries outside the European Economic Area (EEA) to countries in which Phrase, its affiliates, suppliers, contractors or other vendors are located or maintain facilities. These countries include the USA, United Kingdom and Japan.

We reserve the right to change our business partners and/or data locations. When we transfer any personal data to the USA or any other country outside the EU or EEA in which Phrase, its affiliates, contractors, suppliers or vendors maintain facilities, we will implement such appropriate legal mechanisms as are required by EU data protections laws to ensure an adequate level of personal data protection by such third parties receiving your personal data.

When transferring personal data to third countries outside the EEA, we will rely (i) either on adequacy decisions of the European Commission under Article 45 of the GDPR (where the European Commission recognizes that a third country ensures a level of protection adequate to the GDPR) or (ii) on standard contractual clauses agreed with the parties with which we share the data internationally.

The countries recognized by the European Commission as having an adequate level of protection can be found on the webpages of the European Commission here, and include, among others, also the USA (when sharing personal data with commercial organizations participating in the EU-US Data Privacy Framework), Japan (when sharing personal data with private sector organizations) and Canada (when sharing personal data with specific federally regulated organizations).

Where we cannot rely on the adequacy decision, we will rely on data transfer agreements based on model standard contractual clauses (SCCs) approved by the European Commission to ensure that the persons to whom we transfer data in those countries commit to ensure an adequate level of protection of your personal data. In addition to the SCCs we require strict security standards and measures to be employed by each of our processors and sub-processors, including additional technical and organizational measures as required by applicable EU case law and guidelines. We also contractually require our processors and sub-processors to provide us with a prompt notice of any data breach or security incident concerning processed data.

10. Protecting your personal data

We have implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines in accordance with good industry practice while keeping in mind the state of technological development in order to protect your data against accidental loss, destruction, alteration, unauthorized disclosure or access or unlawful destruction. Such measures may include, without limitation, taking reasonable steps to ensure the reliability of employees having access to your data and providing for limited access rights and access controls on a need-to-know basis; authentication; personnel training; regular back up; data recovery and incident management procedures; restrictions on storing, printing and disposal of personal data; software protection of devices on which personal data is stored; etc.

We have also implemented Information Security Management in accordance with the requirements of information security standard – ISO 27001, including penetration tests, vulnerability scans, secure development frameworks, access management, supplier management and compliance processes.

Please see our Security Statement for more information.

11. Your rights

This section describes your rights under the applicable laws and the procedures for exercising them. If you exercise any of your rights pursuant to this section or pursuant to the applicable laws, we will notify each recipient to whom your personal data has been disclosed, as specified in Section 8 of this Privacy Notice, about any correction, deletion, or restriction of processing carried out in accordance with your request, unless this notification proves impossible or requires disproportionate effort.

To exercise your rights, please contact us at privacy@phrase.com. We will respond within one (1) month after receipt of your request. In exceptional circumstances, we retain the right to extend this period by up to two (2) months. We will in any event inform you within one (1) month after receipt of your request if we decide to extend the period for our response. If needed, we might ask you for additional information to confirm your identity before processing your request.

You are not required by law to provide your personal data to us, however, if you don’t, then we may not be able to provide you or your organization with our service. If you object to the processing of your personal data, we will respect that choice in accordance with our legal obligations. Depending on the scope of your request, this could mean that we will not be able to provide you or your organization with our service.

If you would like to exercise any of your rights, please let us know by getting in touch using the contact details below.

You are entitled to:

Request access to processing information

You have the legal right to request information at any time about whether we are processing your personal data. If this is the case, you have the right to be informed about the extent to which your personal data is being processed as well as to be provided with a copy of your personal data. Where the personal data is transferred to third countries, you also have the right to be informed of the appropriate safeguards implemented by us in relation to the transfers.

Request the correction and/or deletion of your personal data

You have the right to obtain the rectification of inaccurate personal data concerning you and/or to have incomplete personal data completed. In certain circumstances you have the right to erasure of the personal data concerning you without undue delay. The right to erasure does not apply, in particular, if processing is necessary to comply with legal obligations.

Object to the processing of your personal data

You have the right to object at any time to the processing of your personal data that is based on legitimate interest. We will no longer process personal data unless we can demonstrate legitimate grounds for the processing which override the interests, rights and freedoms of you as data subject or for the establishment, exercise or defense of legal claims. If you object to processing of your data for direct marketing purposes, we will cease to process your data for these purposes.

Request the restriction of the processing of your personal data

If you request us to restrict the processing of your personal data, e.g. in circumstances when you contest the accuracy, lawfulness or our need to process your personal data, we will limit processing of your personal data to the necessary minimum (storage) and, if applicable, will process them only for the establishment, exercise or defense of legal claims or, where necessary, for protection of rights of another natural or legal person, or other limited reasons dictated by the applicable law. In case the restriction is lifted, and we continue processing your personal data, you will be informed accordingly without undue delay.

Portability of your personal data

You have the right to receive personal data relating to you and which you have provided to us. If you approach us with such a request, we will provide your personal data in commonly used and machine-readable format to you without undue delay from receipt of your request. If you request so, we will send your personal data to a third party (another data controller) which you will identify in your request, unless such request would adversely affect rights or freedoms of others and where technically feasible.

Withdraw your consent

If you have provided us with any consent to the processing of personal data, for example for marketing communication, you can withdraw your given consent at any time without stating any reason. We will stop any further processing of your personal data. Please note that the withdrawal of your consent does not affect the lawfulness of any processing based on consent before its withdrawal.

Children’s privacy

Phrase Solutions are not intended for individuals under the age of 16, and we do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take immediate steps to delete such information and close the associated account. Legal guardians who believe that we may have collected data from their child under 16 should contact us in accordance with this Privacy Notice to request the removal of the data.

Complain to a data protection authority 

You have the right to submit a complaint concerning our data processing activities of

Phrase a.s.: 

Úřad pro ochranu osobních údajů, at Pplk. Sochora 727/27, 170 00 Praha 7, Czech Republic

Phrase GmbH:

Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, Ludwig-Erhard-Str. 22, 7.OG, 20459 Hamburg, Germany

12. Use of Google Workspace APIs

We affirm that the Google Workspace APIs accessed through our services are not used for developing, improving, or training generalized artificial intelligence (AI) or machine learning (ML) models.

13. Contact Us

If you have questions or requests regarding the processing of your personal data or require additional information, please contact us at privacy@phrase.com.

Last updated: December 19, 2024