Understanding your business needs is Conga’s top priority. We record calls to focus on your needs and expectations, instead of taking notes and to coach our team to provide you with an even better experience. If at any moment you’d like to stop recording a call, let the host of the call know immediately and we will stop recording the conversation.
This notice (“Notice”) describes the types of Personal Data that Conga collects from or about you as a potential customer (“Prospect”) or as a current or former customer (“Customer”) who participates in a call recorded by Conga (together, “Call Attendees”). This Notice also explains how Conga uses and discloses the Personal Data it collects and how you can exercise your privacy rights and choices.
This Notice does not apply to Conga’s processing of Personal Data of our employees who participate in calls recorded by Conga.
This Notice also explains how Conga uses and discloses the Personal Data it collects and how you can exercise your privacy rights and choices.
1. Conga’s Role and Responsibilities
Conga is a global organization providing cloud-based document generation and reporting products, services, and applications (the “Services”) to businesses. For the purposes of this Notice, the term “Conga” refers to Apttus Corporation—a Delaware Corporation headquartered in Colorado—together with its worldwide affiliates, including AppExtremes, LLC DBA Conga; Conga EMEA Ltd.; Conga APAC Pty Ltd.; Apttus EMEA Ltd.; Apttus Australia Pty Ltd.; and Octiv, Inc. The Conga companies share Personal Data amongst themselves pursuant to a Data Transfer Agreement that complies with applicable data protection laws and regulations, and the Conga companies are jointly presenting you with this Notice.
When Conga records a call, Conga processes Personal Data Conga acts as a “Controller” with respect to that Personal Data, meaning Conga is primarily responsible for ensuring that the Personal Data is processed in an appropriate way.
2. Scope and Other Important Information
This Notice applies to the processing activities that Conga performs as a Controller, as that term is defined above. This Notice describes the types of Personal Data that Conga collects from or about you as a Call Attendee. This Notice also explains how Conga uses and discloses that Personal Data and how you can exercise your privacy rights and choices.
This Notice does not apply to Personal Data that Conga collects from or about you in recorded calls if you are a Conga employee or contractor. If you are a Conga employee or contractor, and you have questions about how Conga processes your Personal Data in the context of recorded calls, you may access Conga’s Personnel Privacy Notice here.
3. Categories of Personal Data that Conga Collects and Processes in the Context of Recorded Calls & Conga’s Purposes for Processing that Personal Data
When Conga records a call, Conga may obtain the following information about Call Attendees from the relevant conference provider (Zoom, Teams):
- The recording of the call, including voice and video.
- A transcript of the call.
- Your user identifier (your name and last name or your videoconferencing username).
- Your email address.
- Your Internet Protocol (IP) address.
- The web browser type you used for the call.
When a recorded call gets uploaded to the Gong.io platform, Conga also obtains certain inferred information about interactions which Conga can use for training on key topics such as product positioning and objection handling and focus its enablement efforts on topics where they are most needed.
Data privacy laws like the California Consumer Privacy Act (CCPA) require us to categorize the types of personal information we process about you. Under the CCPA, the above categories would fall under the categories Identifiers (your user identifier, your email address, and your IP address), Internet or other electronic network activity information (your IP address and your web browser) and Audio, electronic information, and visual information (the recording of the call), and Inferences (inferred information about interactions).
We ask you not to share any sensitive personal information of any kind (for example, your credit card or Social Security number, religion, or political opinion). We do not request and have no intention to collect this type of information. Besides, we do not intend to record people around you. It is your responsibility to make sure that other persons in your surroundings are not recorded unintentionally, or that you have provided them with this notice, and that they have acknowledged their approval of the recording.
We do not intend to collect personally identifiable data from anyone we know to be under 16 years old. If you believe that we have collected such information, please contact your call host or [email protected], and we will delete that information as soon as possible.
We process the recording, transcripts, user identifier, and email address for the following purposes:
- Focusing on conversing with you instead of taking notes.
- Ensuring that appropriate steps are taken with each existing or former customer and prospect, with a focus on your key needs.
- Ensuring that we capture key next steps at each stage of lead and opportunity progression
- Allowing Conga Sales team managers to review recorded calls.
- Coaching our customer-facing teams and ensuring that important messaging is delivered and consistent with the Conga overall sales strategy.
- Automatically updating our CRM
- Being able to refer to past conversations easily and quickly.
If Conga, as a Controller, collects or processes Personal Data from a Call Attendee for any purpose not listed here, that purpose will be disclosed to you at the time you provide the Personal Data.
4. Conga’s Lawful Basis for Processing Personal Data
Some of the Personal Data processed by Conga in the context of recorded calls is subject to the General Data Protection Regulation (“GDPR”), which is effective throughout the European Economic Area (“EEA”), or other similar laws applicable within the United Kingdom (“UK”) or Switzerland (collectively, the “European Data Protection Laws”). The European Data Protection Laws require Controllers, like Conga, to have a “lawful basis” for processing your Personal Data for their stated purposes.
Conga’s lawful bases for processing your Personal Data include the following:
- Call Attendees’ Consent: Conga asks for consent before recording calls with Call Attendees. Where we process your Personal Data based on your consent, you may withdraw it at any time by asking the host to stop the recording or use any technical settings offered by our tool or the relevant videoconferencing tool, if any. However, this will not affect the lawfulness of our processing before you withdrew your consent. It will also not affect the validity of our processing of Personal Data performed on other lawful grounds.
- Conga’s Legitimate Interests: Conga processes information obtained during the call (not the recording itself, for which we need your consent) when such processing is necessary for the legitimate interests pursued by Conga, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. Conga processes Personal Data in the pursuit of several legitimate interests. These include:
- Administering and conducting business.
- Sharing information with Partners regarding potential interest in our products.
- Preventing or investigating suspected or actual violations of law, breaches of a business customer contract, or non-compliance with Conga policies.
- Maintaining information about your marketing interests, attendance, and contract and contact preferences.
Please note that you have the right to ask us not to process your Personal Data for marketing purposes, which you may exercise at any time by sending an email to [email protected], or clicking on the ‘unsubscribe’ link in the last Conga marketing email you received.
Whenever we process your Personal Data based on our legitimate interests, it means that we have conducted a balancing test and determined that those legitimate interests outweigh any risks to the rights and freedoms of Data Subjects. Where relevant, you have the right to ask us more about how we decided to choose this legal basis. To do so, please send an email to [email protected].
5. How Conga Shares Personal Data
As a global business, Conga shares Personal Data among the Conga companies and with select third parties, subject to appropriate safeguards. In the context of recorded calls, Conga shares Personal Data with the Conga companies and with selected third parties for the purposes of operating our business, delivering, improving, and customizing our Services and sales strategy, and for other legitimate purposes permitted by applicable law.
When we share Personal Data, we do so in accordance with applicable data protection laws and regulations. We do not disclose your information to third parties except as noted below:
- Conga Companies. The Conga companies share Personal Data between and among themselves pursuant to a Data Transfer Agreement.
- Service Providers. Conga engages third-party vendors to perform certain functions, and Conga shares Personal Data about Call Attendees with those vendors. Conga employs vendors in the following categories:
- Sales enablement software providers located in Israel and the United States of America (in particular, Gong.io).
- Customer Relationship Management (CRM) providers located in the United States of America (in particular, Salesforce, Inc.).
To learn how Conga ensures the protection of your personal data when Conga shares it with vendors in jurisdictions other than yours, please review Section 7, below.
- Legal Obligations. Conga may disclose your Personal Data when necessary to comply with the law, such as to comply with a subpoena, regulation, or legal request, to respond to a government request, to address fraud or security issues, to protect the safety of any person, to enforce our agreements with you, and to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing or to protect our own rights or property. This includes sharing such information with our legal counsel.
- Business Transfers. If Conga is involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Data may be transferred as part of that transaction to a successor in interest and to the applicable legal authorities, as well as legal counsel and other professional personnel, such as accountants and other officers of the government. Data Subjects will be notified via email and/or a prominent notice on our website for at least 30 days after any such change in ownership or control.
We reserve the right to use, transfer, sell and share aggregated or anonymous data for any legal purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.
6. For California Consumers: Sale of Your Personal Data
Conga does not sell Personal Data obtained in the context of recorded calls. If you have any questions about your California rights, you can email us at [email protected].
7. How Conga Transfers Personal Data across Borders
Conga is a US-based global company, and Conga affiliates and their websites and Services operate around the globe. This means your Personal Data may be processed in the country where you live, as well as in other countries where the laws regarding the processing of Personal Data may be less stringent. However, Conga has implemented organizational and contractual measures designed to ensure that your Personal Data receives the same level of protection that you would expect, no matter where it goes.
When the Personal Data is subject to the European Data Protection Laws, these measures include:
- Where Conga shares Personal Data subject to European Data Protection laws with a recipient located in a country that has been deemed to grant a similar level of protection to Personal Data, the Personal Data is sometimes transferred under or pursuant to the decisions adopted by the relevant authorities of the European Union or Switzerland or the UK as relevant. For example, the European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay as providing adequate protection.
As of the Last Updated Date, Conga transfers Personal Data subject to the GDPR and obtained in the context of recorded calls to Gong.io in Israel pursuant to the Israel adequacy decision and to the Conga Companies in the UK and Switzerland pursuant to the European Commission’s adequacy decisions for UK and Switzerland.
Standard Contractual Clauses:
- The Conga companies share Personal Data subject to the European Data Protection Laws with each other pursuant to a Data Transfer Agreement that incorporates and implements the most recent version of the Standard Contractual Clauses, as those clauses have been approved by the European Commission as an “adequate safeguard” pursuant to GDPR Article 46(2), as well as analogous mechanisms under UK and Swiss law.
- When Conga shares Personal Data subject to the European Data Protection Laws with vendors or other third parties, such as Gong and Salesforce, it always uses a similar agreement that incorporates the Standard Contractual Clauses and analogous mechanisms effective under UK and Swiss law, as well as, where necessary, the requirements of GDPR Article 28. You can find Gong’s Data Processing Addendum here and the Salesforce Data Processing Addendum here.
Privacy Shield Framework:
- In addition to the foregoing, Conga continues to comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of Personal Data transferred from the European Union and the United Kingdom and/or Switzerland to the United States. Conga has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles (non-U.S. entities are not covered by Conga’s Privacy Shield certification). If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list and search for “AppExtremes, LLC dba Conga” or “Apttus Corporation.”
- Conga is responsible for the processing of Personal Data it receives, under the Privacy Shield Framework, and subsequently transfers to a third-party acting as an agent on its behalf. Conga complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU or Switzerland, including the onward transfer liability provisions. With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, Conga is subject to the investigatory and regulatory enforcement powers of the U.S. Federal Trade Commission (“FTC”). In certain situations, Conga may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
- In compliance with the Privacy Shield Principles, Conga commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Conga’s Privacy Office using the information in the “How to Contact Us” section below.
- Conga has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
- Additionally, Conga commits to cooperate with the EU Data Protection Authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) (as applicable) and to comply with the advice given by such authorities regarding human resources or other Personal Data transferred from the EU and Switzerland in the context of the employment relationship. Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Please note that, while Conga has continued to adhere to the Privacy Shield Frameworks, Conga does not currently rely on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to render lawful any transfers of personal data from the European Economic Area, United Kingdom, or Switzerland to another jurisdiction. Instead, Conga relies on the Standard Contractual Clauses, as outlined above.
8. How Conga Secures Your Personal Data
Conga uses appropriate technical and organizational measures to protect the Personal Data that we collect and process. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data. If you have any questions about the security of your Personal Data, you can contact us at [email protected].
9. How Long Conga Keeps Your Personal Data
Conga retains your Personal Data for as long as is necessary to fulfill the purpose for which we collected your Personal Data and any other permitted linked purpose, and in compliance with our data retention policies. For example, we will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
If Conga processes your Personal Data for more than one purpose, we will retain it until the purpose with the longest retention period expires, but we will stop using it for the purpose with a shorter retention period once that period expires.
Our retention periods are also based on our business needs and good practice.
10. Personal Data about Children
Conga’s Services are not designed for and are not marketed to people under the age of sixteen (16) (“minors”). We do not knowingly collect or ask for information from minors. We do not knowingly allow minors to use our Services. We do not knowingly process any Personal Data about minors. Please contact our Privacy Office if you believe we might have information from or about a minor.
11. Your Rights as a Data Subject
You may have certain rights with respect to the Personal Data we obtain in the context of recorded calls. In this section, we describe the privacy rights and choices that you may have, and we explain how you might exercise those rights.
- Right to Know What Happens to Your Personal Data. This is called the right to be informed. It means that you may have the right to obtain certain information from us regarding our data processing activities that concern you, such as how we collect and use your Personal Data, how long we will keep it, and who it will be shared with, among other things. We are informing you of how we process your Personal Data with this Notice.
- Right to Know What Personal Data We Have About You. This is called the right of access. It means that you may have the right to ask for full details regarding the Personal Data we hold about you. For example, you may have the right to obtain confirmation from us as to whether we are processing your Personal Data, and, where that is the case, you may have the right to obtain a copy or access that Personal Data. Once we receive and confirm that the request came from you or your authorized agent, we will disclose to you:
- The categories of your Personal Data that we process.
- The categories of sources for your Personal Data.
- Our purposes for processing your Personal Data.
- Where possible, the retention period for your Personal Data, or, if not possible, the criteria used to determine the retention period.
- The categories of third parties with whom we share your Personal Data.
- The specific pieces of Personal Data we process about you in an easily sharable format.
- If we sold or disclosed your Personal Data for a business purpose, the categories of Personal Data and categories of recipients of that Personal Data for both sale and disclosure.
- If we rely on legitimate interests as a lawful basis to process your Personal Data, the specific legitimate interests; and
- The safeguards used to transfer your Personal Data from the EEA or the UK to a third country, if applicable.
Under some circumstances, we may deny your access request. In that event, we will respond to you with the reason for the denial.
- Right to Change Your Personal Data. This is called the right to rectification. It may give you the right to ask us to correct anything that you think is wrong with the Personal Data we have on file about you, and to complete any incomplete Personal Data.
- Right to Delete Your Personal Data. This is called the right to erasure, right to deletion, or the right to be forgotten. This right means that you may be able to ask for your Personal Data to be deleted. Sometimes we can delete your information, but other times it is not possible, for either technical or legal reasons. If that is the case, we will consider whether we can limit how we use it. We will also inform you of our reason for denying your deletion request.
- Right to Ask Us to Limit How We process Your Personal Data. This is called the right to restrict processing. It may give you the right to ask us to only use or store your Personal Data for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
- Right to Ask Us to Stop Using Your Personal Data. This is called the right to object. This is your right to tell us to stop using your Personal Data. You have this right where we rely on our legitimate interests, or the interests of a third party, to process or share your Personal Data. You may also object at any time to the processing of your Personal Data for direct marketing purposes. We will stop processing the relevant Personal Data unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your Personal Data to establish, exercise, or defend a legal claim.
- Right to Move Your Personal Data. This is called the right to data portability. It is the right to ask for and receive a portable copy of your Personal Data that you have given us or that you have generated by using our services, so that you can move it; copy it; keep it for yourself; or transfer it to another organization. We will provide your Personal Data in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you with a copy in electronic format.
- Right to Withdraw Your Consent. Where we rely on your consent as the legal basis for processing your Personal Data, you may withdraw your consent at any time. If you withdraw your consent, our use of your Personal Data before you withdraw it is still lawful. If you have given consent for your Personal Data to be shared with a third party and you wish to withdraw this consent, please also contact the relevant third party to change your preferences.
- Right to Non-Discrimination. Conga will not discriminate against you for exercising your privacy rights. Unless the applicable data protection laws permit it, we will not deny you goods or services, charge you different prices or rates, or provide you with a different level or quality of goods or services simply because you exercise your privacy rights.
12. How to Contact Conga
To exercise any of your privacy rights and choices, or to ask for more information regarding Conga’s data protection practices, you may contact Conga by completing this form, by sending your request in an email to [email protected], or by sending postal mail to the address listed below:
Conga (global headquarters)
13699 Via Varra
Broomfield, CO 80020
Verification of Your Identity: To correctly respond to any privacy request that you may make, we may need to begin by confirming that YOU made the request. Consequently, we may require additional information to confirm that you are who you say you are. For requests submitted via password-protected accounts, your identity is already verified. For requests sent by other means, we will verify your identity by comparison to information that we already have on file, or by asking you to provide additional information. We will only use the Personal Data you provide us in a request to verify your identity or authority to make the request.
Verification of Authority: If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit the request, a valid power of attorney on behalf of the individual, or proof of legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with Conga and confirm with us that they gave you permission to submit this request.
Response Timing and Format: Please allow us up to a month to reply to your requests from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.
If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.
We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will explain our decision and provide you with an estimate before completing the request.
Right to Lodge a Complaint with a Supervisory Authority: We are committed to working with you to obtain a fair resolution of any complaint or concern that you may have about your privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located within the EEA, UK, or Switzerland, you have the right to lodge a complaint with the appropriate supervisory authority.
13. Our EU/UK Data Protection Representatives
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact Conga directly, you may choose to contact VeraSafe on matters related to the processing of Personal Data subject to the GDPR. To contact VeraSafe as our EU Data Protection Representative, please use this contact form or reach out via telephone at +420 228 881 031.
Alternatively, you can contact VeraSafe at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
We have also appointed VeraSafe as our representative in the UK for data protection matters. While you may also contact Conga directly, you may choose to contact VeraSafe on matters related to the processing of UK Personal Data. To contact VeraSafe as our UK Data Protection Representative, please use this contact form or reach out via telephone at +44 (20) 4532 2003.
Alternatively, you can contact VeraSafe at:
VeraSafe United Kingdom Ltd.
37 Albert Embankment
15. Updates to This Privacy Notice
Conga will update this Notice on a regular basis, and the Effective Date will always appear at the top. We invite you to visit this Notice whenever you interact with our website, so that you may remain constantly informed on how collect and use Personal Data.