1. Nature of business (publisher, publisher network, database aggregator, data miner, newsletter publisher, email marketer, telemarketer, research provider, etc.)
• 2XPAND is an AI (Artificial Intelligence) platform-backed pipeline generation provider, and we only charge our clients if they are satisfied with the experience/results. We are the generators and the source of opt-in with a database of 62M global contacts, and fulfil leads that are sales nurture ready across top, middle, and bottom of the funnel programs. We prioritize email capabilities and have the ability to incorporate targeted telemarketing, leveraging callers who speak English, German, French, and Spanish (please note: all standard recommended programs are 100% email only).
2. Tactics leveraged in fulfilling a standard guaranteed lead program. (Links posted throughout site, promotions on site, whitepaper/asset library, newsletter inclusion, eblasts, telemarketing, etc.)
• Standard lead generation programs are fulfilled 100% via one-to-one targeted email sends, but we have the capability to fulfil via TM as well. TM is not required to complete standard recommended programs.
3. What marketing channels do you use for third-party offers?
• We use email and telemarketing, if requested.
4. What legal basis do you rely on for processing your marketing database?
• Our outreach to prospects is based on two legal bases: legitimate interest and explicit consent. We offer or reach out to prospects who have previously signed up to receive information from us, and we ensure that we capture their explicit consent on all telemarketing and email campaigns. Additionally, we collect details from interested parties who access our content sites, ensuring that all data is captured with full transparency and compliance with data protection regulations. We process data based on legitimate interest considering that prospective customers would benefit from the solution/service our customers are offering. We follow all privacy guidelines while processing data.
• As an organization, we are committed to following all applicable privacy guidelines, including those set forth by GDPR, CCPA, and CASL. We take data protection seriously, and we continuously review and improve our processes to ensure that we maintain the highest standards of privacy and security for our contacts' personal information.
5. Please provide full list of capture points where you capture data for use in marketing (landing pages, LinkedIn etc)
• Email Landing Pages and Telemarketing Calls.
6. Do you document consent on a per-record basis?
7. If so, please explain this process.
• Consent is recorded for all contacts via landing pages/telemarketing calls. This data is stored on our servers and is updated regularly.
8. Please identify your legitimate interests in processing the data.
• Prospects are contacted based on their interest in solutions according to their job roles or job titles.
9. Do you conduct Legitimate Interest Assessments (LIAs) to ensure that your processing is lawful?
10. If so, do you abide by the outcome?
11. Please provide evidence of a legitimate interest assessment for the work you are going to be carrying out for the company/ies identified on the first page
• Sample attached. We complete an LIA before running any programs.
12. Do you specifically name the third party(ies) who you will be marketing on behalf of?
• Yes, we also include the privacy policies as well as an opt-in checkbox.
13. Do you specifically name the category of companies who you will be marketing on behalf of?
15. Where are they placed on your data capture points? At what point are they stated/referred to during a telemarketing call?
• Telemarketing – After confirming the details.
• Email – On landing pages as well as the emails.
16. Do you use brand/trading names?
17. If so, do you make a clear link back to the main organizational trading name/brand?
18. At the point of data capture, do you clearly identify yourself and/or the organization on whose behalf you are obtaining personal data, the purpose for the data capture, together with other information so to guarantee fair processing?
19. Do you do telemarketing?
20. Do you clean telephone data against TPS and CTPS before calling?
21. Do you call telephone numbers which have been registered on TPS and CTPS for more than 28 days?
• No, we don’t.
22. Do you specifically name third parties for future marketing consent purposes?
23. How do you document consent provided by the user over the phone?
• Calls are recorded and stored.
24. Do you have the ability to suppress individual contact details, from email addresses to telephone numbers and postal addresses, where an individual has asked not to be contacted?
25. Please explain this process.
• We maintain the DNCs, which are updated daily. We also have an opt-out list, which is shared internally with all the team members.
26. Are telephone numbers, mobile numbers, email addresses and postal addresses cleansed against your suppression file before use?
27. Is postal address data cleansed against industry standard files before sending out direct marketing material?
28. How do you process suppression files you receive from clients you are marketing on behalf of?
• Suppression files are checked before the campaign is launched. All domains/emails/accounts are suppressed against the data which will be used on those specific campaigns.
29. Do you have automatic unsubscribe links in the body of every marketing email you send?
30. Is there any manual opt-out required?
31. If relying on legitimate interests, do you give the opportunity to opt out of marketing when collecting the data?
32. If received from a source other than the data subject, do you give them the opportunity to opt out of their data being processed within a month of collecting the data?
33. Do you give the opportunity to opt out of marketing when collecting data?
• Yes, we do give the opportunity to all prospects to opt out or amend their contact details.
34. If received from a source other than the data subject, do you give them the opportunity to opt out of their data being processed within a month of collecting the data?
• If we receive the request on behalf of the data subject, we validate the request and then update/amend or delete the information if it is a valid request.
35. Do you have a regular database validation process to ensure your data is accurate and up to date?
36. Do you have a regular database validation process to ensure your data reflects the current marketing preferences for each contact?
• Data is cleansed using technology platforms as well as by our internal team. All DNCs, suppression files, and opt-outs are updated daily. As we have our own data, this data is used daily to run programs. All marketing preferences are kept up to date to ensure that we do not have any contacts who do not want us to contact them. The marketing preferences are updated almost daily by the MIS team.
37. Where can data subjects find the info to contact you to update/rectify their preferences? Do you include an unsubscribe link in each email sent?
• Unsubscribe link is included in all emails.
38. How do you allow your database to update their preferences and ensure the information you hold about them is accurate and up to date?
• We take proactive steps to ensure that the data we hold is accurate and up to date. Our records are subject to a daily cleansing process, and we also update our database daily to reflect any changes.
39. If processing data as a co-controller, do you execute the relevant agreements?
40. If so, do you make them accessible to data subjects on request?
41. Do you rent or buy data for use in third party marketing?
42. Could you please detail where data subjects can find the info to contact you to update/rectify their info?
Please share evidence of your regular database validation process.
• Detailed process of database validation:
o With the help of multiple technology systems, data is checked against public sources to ensure that we have the most up to date information.
o We then use telemarketing/Email marketing to keep the information up to date.
o Data source is regularly checked and updated.
43. What Data Protection training do you offer staff and how often?
• All our employees have signed the employee policies and are also trained every quarter on these privacy guidelines.
44. How do you ensure your staff know where the individual’s data has come from when data subjects ask?
• They are trained in the processes and are aware of how data is collected.
45. Do you train staff with data management responsibility on CTPS requirements?
46. Could you please confirm in which modules staff get trained? Could you share info regarding the training institutes?
• We leverage certified training consultants as well as trainers from the Laurel Institute.
47. Do you have a Data Retention policy?
48. Do you retain UK personal data for longer than the purpose for which it was initially collected?
49. If so, what are your reasons for justifying the retention of personal data post a marketing campaign?
• We take the privacy and consent of our prospects seriously. Before collecting any information, we ensure that they are fully aware that their details will be stored with us and obtain their explicit consent. Additionally, we offer an easy way for prospects to exercise their right to be forgotten by emailing us to request the removal of their details from our database.
50. Could you please detail your process to respond to DSAR and Information Security Incidents?
51. Do you have an ISMS?