Last Updated 01/31/2025
At Anomalo, we take your privacy seriously. Please read this Privacy Policy to learn how we treat your personal data. By using or accessing our Services in any manner, you acknowledge that you accept the practices and policies outlined below, and you hereby consent that we will collect, use and share your information as described in this Privacy Policy.
Schedule A. EU – US Data Privacy Framework
Schedule B. European Data Subject Rights
Schedule C. California Resident Rights
Schedule D. Rights of Residents or Data Subjects in Other Jurisdictions
Schedule A outlines Anomalo's commitment to the EU-U.S. Data Privacy Framework (DPF), including the UK Extension and Swiss-U.S. DPF, as certified by the U.S. Department of Commerce. We adhere to DPF Principles such as Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity, Purpose Limitation, Access, Recourse, Enforcement, and Liability. This schedule details how Anomalo processes data, including transfers to third-party controllers and agents, ensuring DPF compliance. We retain Personal Data as long as necessary for processing purposes and comply with DPF principles even if we leave the program. EU data subjects have specific rights, and Anomalo may disclose data for lawful government requests. For dispute resolution, complaints can be submitted to privacy@anomalo.com, or independent recourse agencies like the European Data Protection Board, UK ICO, or Swiss FDPIC. Binding arbitration through the American Arbitration Association is also available. The U.S. Federal Trade Commission is the enforcement body for DPF compliance.
1.1. Overview of Commitment. Anomalo is committed to complying with DPF Principles so that our commitment to comply with the DPF is enforceable under U.S. law. Anomalo has self-certified its commitment to complying with the DPF, including DPF Principles related to the rights of data subjects in the EU and providing such persons with accessible, independent means of resolving complaints about how their Personal Data are handled.
1.2. Certification. Anomalo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
1.2.1. Anomalo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
1.2.2. Anomalo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
1.2.3. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
1.3. Scope. Anomalo will only collect, use, and retain Personal Data for data subjects in the European Union, the United Kingdom, and Switzerland to the extent such information is relevant for our purposes as described in the Privacy Policy, this Schedule A – EU – U.S. Data Privacy Framework, and Schedule B – Data Subject Rights, as applicable.
1.4. Applicable Framework. The DPF is available at the following location: https://www.dataprivacyframework.gov/EU-US-Framework.
1.5 List of Certified Entities. The list of certified entities under the DPF is available at https://www.dataprivacyframework.gov/list
2. Data Processing.
2.1. DPF Principles. Here is a summary of the DPF Principles that Anomalo will comply with related to your Personal Data:
2.1.1. Notice. Anomalo will be transparent about the Personal Data we may collect about you and about your rights related to your Personal Data, including your right to access your Personal Data, how to contact us or make complaints about our practices, and to disclose how we share your Personal Data.
2.1.2. Choice. Anomalo will honor requests to prevent your Personal Data from being disclosed to a third party or used for a purpose other than the ones for which the data was originally collected. We will ask for your consent if certain types of your Personal Data are to be disclosed to third parties or used outside the original purpose.
2.1.3. Accountability for Onward Transfer. Anomalo will accept responsibility for transfers of your data from us to third parties and will ensure continued compliance with relevant DPF Principles for such transfers.
2.1.4. Security. Anomalo will take appropriate measures to protect Personal Data that we collect, store, use, or share from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in processing and the nature of your Personal Data.
2.1.5. Data Integrity and Purpose Limitation. Anomalo will take appropriate measures to ensure Personal Data that we collect is accurate, complete, up to date, and reliable for use. We will limit the Personal Data we collect to what is relevant for processing and will not retain Personal Data longer than necessary.
2.1.6. Access. Anomalo will honor requests to correct, amend, or delete Personal Data that is inaccurate or that has been used in violation of DPF Principles as provided in the Privacy Policy.
2.1.7. Recourse, Enforcement, and Liability. Anomalo will explain how to seek recourse or enforcement related to your rights, including by providing contact information for us, explaining how to submit complaints to independent agencies, and explaining how to request binding arbitration.
2.2. Transfers to Third-party Controllers. Anomalo will comply with the DPF’s Notice and Choice Principles whenever we transfer your Personal Data to a third party acting as a controller. Anomalo will enter into a contract with each such third party that requires that (1) such Personal Data will only be processed by the controller for the limited and specified purposes consistent with the consent provided by the relevant data subject or other legal basis for processing, (2) the controller provide the same level of protection as the DPF Principles, (3) the controller will notify Anomalo if the controller determines that it can no longer provide the same level of protection as provided under DPF Principles, and (4) if such controllers are not able to provide such protection, the controller will cease processing or take other reasonable and appropriate steps to remediate its inability to provide such protection.
2.3. Transfers to Third-party Agents. Anomalo will comply with DPF Principles whenever we transfer your Personal Data to a third party acting as an agent. In such cases, Anomalo will (1) transfer such Personal Data for the limited and specified purposes described in the Privacy Policy, (2) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Anomalo’s obligations under DPF Principles, (3) require the agent to notify Anomalo if the agent determines that it can no longer provide the same level of protection as provided under DPF Principles, (4) take reasonable and appropriate steps to stop and remediate unauthorized processing if Anomalo receives notice of such processing, and (5) provide a summary or representative copy of the relevant privacy provisions of its contract with such agents to the U.S. Department of Commerce upon request.
3. Data Retention. Anomalo will retain your Personal Data for as long as necessary to fulfill our original purpose of processing the Personal Data. Anomalo will comply with DPF Principles with respect to all Personal Data received under any part of the DPF program and will continue to provide adequate protection for the information by authorized means for as long as Anomalo keeps such data even if Anomalo leaves the part of the DPF through which it received the data.
4. Your Rights. EU data subjects have the rights described in this Schedule A – EU – U.S. Data Privacy Framework and Schedule B – European Data Subject Rights, as well as rights provided through the DPF or otherwise provided under the Privacy Policy.
5. Disclosure to Lawful Government Requests. Anomalo is required to disclose Personal Data in response to lawful requests from certain public authorities.
6. Dispute Resolution.
6.1. Submitting a Complaint. You may bring a complaint related to Anomalo’s processing of your Personal Data by contacting privacy@anomalo.com. There is no fee or other cost to submit a complaint. Anomalo will respond to you within forty-five (45) calendar days and will investigate and resolve any disputes expeditiously.
6.2. Independent Recourse. If Anomalo is not able to resolve your complaint, you may seek independent recourse by contacting the independent recourse agency appropriate to where you reside to investigate your complaint:
6.2.1. EU Residents. European Data Protection Board.
6.2.2. UK Residents. Information Commissioner’s Office.
6.2.3. Swiss Residents. Swiss Federal Data Protection and Information Commissioner.
6.3. ITA Facilitation. If you submit a complaint to a data protection authority in the European Union / European Economic Area, the United Kingdom, or Switzerland, the U.S. Department of Commerce’s International Trade Administration (“ITA”) has committed to receiving, reviewing, and undertaking best efforts to facilitate resolution of the complaint and to respond to the DPA within ninety (90) calendar days.
6.4. Binding Arbitration. At your request, Anomalo will participate in binding arbitration through the American Arbitration Association to address any complaint that has been unable to be resolved by any other recourse and enforcement mechanism as provided under the DPF.
7. Enforcement.
7.1. Enforcement Agency. Anomalo has designated the U.S. Federal Trade Commission as the enforcement body under the DPF. In addition, Anomalo will respond promptly to inquiries and requests by the ITA for information related to the DPF and, as applicable, the UK Extension of the DPF and the Swiss – U.S. Data Privacy Framework. The U.S. Department of Commerce’s DPF program website is available at https://dataprivacyframework.gov and requests for Dispute Resolution and Enforcement at https://www.dataprivacyframework.gov/assistance
7.2. Transparency of Enforcement Actions. Anomalo will publish on its website any relevant DPF-related sections of any compliance or assessment report submitted to the Federal Trade Commission if Anomalo becomes subject to an FTC or court order based on noncompliance with DPF Principles.
Schedule B details the additional rights you may have under the EU or UK General Data Protection Regulation (GDPR) if you are a resident of the European Union, United Kingdom, Liechtenstein, Norway, or Iceland. Anomalo complies with DPF Principles and acts as a controller for account information and a processor for data through Services. We process Personal Data based on lawful bases including contractual necessity and legitimate interests. Your rights include Access, Erasure, Filing a Complaint, Objection, Portability, Rectification, Restriction of Processing, and Withdrawal of Consent. To exercise these rights or for questions, contact privacy@anomalo.com or our EU/UK Data Protection Representatives. Personal Data transfers to the United States are consented to via data processing agreements and Anomalo's DPF self-certification.
1.1. Applicable Law. You may have additional rights under the EU or UK General Data Protection Regulation (“the GDPR”) with respect to your Personal Data if you are a resident of the European Union (“EU”), the United Kingdom (“UK”), Liechtenstein, Norway, or Iceland.
1.2. EU – U.S. Data Privacy Framework. Anomalo complies with DPF Principles, including the principles of Notice, Choice, Accountability of Onward Transfer, Security, Data Integrity, Purpose Limitation, Access, Recourse, Enforcement, and Liability, as provided by the DPF.
1.3. Definitions. For the purposes of this Schedule B – European Data Subject Rights, the terms “Personal Data” and “processing” shall have the definition provided under the applicable GDPR. Generally, “Personal Data” means information that can be used to individually identify a person, and “processing” covers actions that can be performed in connection with data such as collection, use, storage, and disclosure.
1.4. Conflicts. If there are any conflicts between this Schedule B – European Data Subject Rights and the Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict.
2. Contact Information.
2.1. About this Schedule. If you have any questions about your rights under this Schedule B – European Data Subject Rights, including whether it applies to you, please contact privacy@anomalo.com.
2.2. Third-party Controllers. If we are the processor of your Personal Data (i.e., not the controller), please contact the controller to address your rights with respect to such data; if you contact us, we will coordinate with the controller to the extent we can.
2.3. Data Protection Representatives. Individuals and data protection supervisory authorities in the EU and the UK may contact our data protection representatives pursuant to Article 27 of the GDPR at https://www.dp-dock.com or anomalo@gdpr-rep.com, or at the appropriate address below:
2.3.1. EU: DP-Dock GmbH, Attn: Anomalo, Ballindamm 39, 20095, Hamburg, Germany.
2.3.2. UK: DP Data Protection Services UK Ltd., Attn: Anomalo, 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
3. Controllers and Processors.
3.1. Controller. Anomalo will be the controller of your Personal Data processed in connection with the Services such as your account or user profile information.
3.2. Processor. Anomalo will be the processor for Personal Data that is processed through Services, as well as the Personal Data of our customers’ end users and employees in connection with the Services.
4. Data Processing.
4.1. Lawful Basis. Anomalo will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity, and our legitimate interests, as well as the legitimate interests of others and other lawful bases.
4.2. Contractual Necessity. Anomalo processes the following categories of Personal Data as a matter of contractual necessity: Profile or Contact Data, Payment Data. “Contractual necessity” means that we need to process the data to perform under our contract with you, which enables us to provide you with Services. When we process data due to contractual necessity, the failure to provide such Personal Data may result in your inability to use some or all of the Services that require such data.
4.3. Legitimate Interests. Anomalo processes the following categories of Personal Data as a matter of the legitimate interests of Anomalo or some third party: Profile or Contact Data, Device / IP Data, Web Analytics, Social Network Data, Professional- or Employment-related Data, and Geolocation Data. Our legitimate interests include, as described in more detail in the Privacy Policy, Providing Services, Marketing Services, and Legal Requirements. Anomalo may also de-identify or anonymize Personal Data to further our legitimate interests.
4.4. Other Lawful Bases. From time to time, Anomalo may process Personal Data to comply with a legal obligation, when necessary to protect the vital interests of you or other data subjects, or when it is necessary for a task to be carried out in the public interest.
5. Data Subject Rights.
5.1. Your Rights. You have certain rights with respect to your Personal Data. For more information about these rights, or to submit a request, please email us at privacy@anomalo.com.
5.1.1. Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging on to your account.
5.1.2. Erasure. You can request that we erase some or all of your Personal Data from our systems.
5.1.3. File a Complaint. You have the right to file a complaint about Anomalo’s practices with respect to your Personal Data with the supervisory authority of your country or EU member state. A list of supervisory authorities is available here.
5.1.4. Objection. You can request that we stop further use or disclosure of your Personal Data for certain purposes, such as for Marketing Services.
5.1.5. Portability. You can request a copy of your Personal Data that we are holding in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
5.1.6. Rectification. If you believe that any Personal Data that we are holding is incorrect or incomplete, you can request that we correct or supplement that data.
5.1.7. Restriction of Processing. You can request that we restrict further processing of your Personal Data.
5.1.8. Withdrawal of Consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note that if you withdraw your consent, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data if such use or disclosure is necessary to enable you to use some or all of the Services.
5.2. Compliance with Requests. Anomalo will comply with your requests related to your rights as required by applicable law and the DPF. Anomalo may not be able to comply with your request, in whole or in part, if it is frivolous, extremely impractical, jeopardizes the rights of others, or is not required by law or the DPF. In some cases, we may need you to provide us with additional information, which may include Personal Data, as necessary to verify your identity and the nature of your request.
6. Transfers. The Services are hosted and operated in the United States through Anomalo and its Service Providers. If you do not reside in the United States, the laws in the United States may differ from the laws where you reside. By using the Services, you acknowledge that any Personal Data about you, regardless of whether provided by you or obtained from a third party, is being provided to Anomalo in the United States and will be hosted on servers in the United States and other countries, and you authorize Anomalo to transfer, store, and process your Personal Data to and in the United States and other such countries. You further consent to the transfer of your Personal Data to the United States pursuant to (1) a data processing agreement incorporating standard data protection clauses, often called Standard Contract Clauses (“CCCs”), and (2) Anomalo’s self-certification of its compliance with the DPF, including as applicable the UK Extension to the DPF and the Swiss-U.S. DPF Principles.
Schedule C outlines the additional rights you may have under the CCPA and other California law if you are a resident of California. Anomalo acts as a controller for your account information and a service provider for data processed through Services. Your rights include Access to information about data collection and use over the past 12 months, Deletion of your Personal Data (with exceptions), and the right to Prevent Direct Marketing by Third Parties. To exercise these rights, you or your Authorized Agent must submit a valid request to privacy@anomalo.com. Anomalo will not discriminate against you for exercising these rights. Anomalo does not sell your Personal Data and has not done so over the last twelve months, nor does it sell the Personal Data of minors under 16.
1.1. Applicable Law. You may have additional rights under the CCPA and other California law with respect to your Personal Data if you are a resident of California.
1.2. Definitions. For the purposes of this Schedule C – California Resident Rights.
1.3. Conflicts. If there are any conflicts between this Schedule C – California Resident Rights and the Privacy Policy, the policy or portion that is more protective of Personal Data shall control to the extent of such conflict.
2. Contact Information.
2.1. About this Schedule. If you have any questions about your rights under this Schedule C – California Resident Rights, including whether it applies to you, please contact privacy@anomalo.com.
2.2. Third-party Controllers. If we are processing your Personal Data as a service provider for a third party, please contact the entity that collected your Personal Data that we are processing in the first instance to address your rights with respect to such data; if you contact us, we will coordinate with that entity to the extent we can.
3. Controllers and Service Providers.
3.1. Controller. Anomalo will be the controller of your Personal Data processed in connection with the Services such as your account or user profile information.
3.2. Service Provider. Anomalo will be the processor for Personal Data that is processed through Services, as well as the Personal Data of our customers’ end users and employees in connection with the Services.
4. Data Subject Rights.
4.1. Your Rights. You have certain rights with respect to your Personal Data. For more information about these rights, or to submit a request, please email us at privacy@anomalo.com.
4.1.1. Access. You have the right to request certain information about our collection and use of your Personal Data over the past twelve (12) months. In response to such requests, we will provide you with the following information:
4.1.1.1. The specific pieces of Personal Data that we have collected about you;
4.1.1.2. The categories of Personal Data we have collected about you;
4.1.1.3. The categories of sources that we used to collect that Personal Data;
4.1.1.4. The business or commercial purpose for collecting or selling your Personal Data;
4.1.1.5. The categories of third parties with whom we have shared your Personal Data; and
4.1.1.6. The categories of Personal Data we have shared with each category of third party with whom we have shared or sold your Personal Data.
4.1.2. Deletion. You have the right to request that we delete the Personal Data that we have collected about you. Under the CCPA, this right is subject to certain exceptions. For example, we may need to retain your Personal Data to provide you with the Services or complete a transaction or other action you have requested. If your deletion is subject to one of these exceptions, we may deny your deletion request.
4.1.3. Prevent Direct Marketing by Third Parties. You have the right to request that we prevent disclosure of Personal Data to third parties for such third parties’ direct marketing purposes. See California Civil Code Section 1798.83 to 1798.84 for additional information.
4.2. Compliance with Requests. To exercise your rights, you or your Authorized Agent must provide a valid request, which is one that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data, and (2) describes your request in sufficient detail to allow us to understand, evaluate, and respond to it. We will also only use Personal Data provided in a valid request to verify your identity and complete your request; you do not need an account to submit a valid request. We will respond to valid requests within forty-five (45) days of receipt. If you do not provide a valid request, we may not respond. We will not charge you a fee for making a valid request unless your request is excessive, repetitive, or manifestly unfounded. If we determine that your valid request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
4.3. Authorized Agent. You may authorize an agent to exercise your rights on your behalf (“Authorized Agent”). To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf. Your Authorized Agent must provide a copy of that written permission to us when the Authorized Agent makes a request on your behalf.
4.4. No Discrimination for Exercising Rights. We will not discriminate against you for exercising your rights under the CCPA or other applicable law. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA or other applicable law.
5. Transfers.
5.1. Sale of Data. Anomalo does not sell your Personal Data and we have not done so over the last twelve (12) months. To our knowledge, we do not sell the Personal Data of minors under 16 years of age.
1. Nevada. If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Data to third parties who intend to license or sell that Personal Data. You can exercise this right by contacting privacy@anomalo.com with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account.