Duck Creek Technologies
LLC PRIVACY NOTICE

Effective Date: June 25, 2024

Duck Creek Technologies LLC and its affiliates (collectively, “Duck Creek”, “we”, “our”) respect your privacy. This Privacy Notice describes the types of personal data we collect from our customers, suppliers, visitors to our website, and applicants to Duck Creek, how we use the personal data, and with whom we share it. We also describe the rights you may have and how you can contact us about our privacy practices. For the purpose of this Privacy Notice, “personal data” and “personal information” mean any information relating to an identified or identifiable natural person. References to our “services” in this Privacy Notice include our websites and apps and in-person and virtual events. This Privacy Notice applies to our services that display or reference this notice, but it does not apply to any services that display or reference a different privacy statement. 

Duck Creek software is intended for and provided to businesses and other organizations, and not individual consumers or end-users. In providing Duck Creek software, we may in some cases process personal data of consumers or end-users at the direction of our enterprise customers. When we do, we do so as a service provider or a “data processor” to those organizations, but we do not control and are not responsible for the privacy practices of those organizations. This Privacy Notice does not apply to personal data we process as a service provider or data processor on behalf of our enterprise customers. If you are a consumer end-user of one of those organizations, you should read that organization’s privacy notice and direct any privacy inquiries to that organization.

Duck Creek is responsible for the collection and use of your personal data for the purposes described in this Privacy Notice and its contact details can be found in the “How to Contact Us” section below.

I.        Personal Data We Collect

The personal data we collect depends on how you interact with us, the services you use, and the choices you make.

We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Information you provide directly.
We collect personal data you provide to us. For example:

  • Contact information. We collect name, username or alias, email address, postal address, phone number, fax number.
  • Content and files. If you send us email messages or other communications including free text in the Contact Us form, or any documents or files, we will collect and retain those communications.
  • Survey responses. Information you provide in response to customer and supplier services.
  • Image and Video. Images and video captured during our in-person and virtual events.

Information you provide directly when applying for a position at Duck Creek.

  • Contact information. We collect name, username or alias, email address, postal address, phone number.
  • Diversity and Inclusion Data. You may choose to provide, but are not required, information pertaining to your ethnicity, gender and sexual identity, and military background. This information is solely used by Duck Creek to measure its effectiveness in promoting a diverse and inclusive organization. This information may be required for collection in specific countries, such as India.
  • Application Information. You may choose to provide your resume, CV, references, educational background, job history, and another information you choose to provide during the application process.

Information we collect automatically.
When you use our services, we collect some information automatically. For example:

  • Identifiers and device information. When you visit our websites, our web servers automatically log information such as your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the Cookies, Web Beacons and Other Technologies section below, our services store and retrieve cookie identifiers, mobile IDs, and other data.
  • Geolocation data. Depending on your device and app settings, we collect geolocation data when you use our apps or online services.
  • Usage data. We automatically log your activity on our websites, apps and connected products, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of and actions on our website. This may include screen recordings captured in anonymized format.

Information we create or generate.
We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (“inferences”). For example, we infer your general geographic location (such as city, state, and country) based on your IP address.

Information we obtain from third-party sources.
We also obtain information from third parties. These third-party sources include, for example:

  • Data brokers. Data brokers and aggregators from which we obtain data to supplement the data we collect.
  • Third party partners.  Third party applications and services, including social networks you choose to connect with or interact with through our services.
  • Co-Branding/Joint Partners.  Partners with which we offer co-branded services or engage in joint marketing activities.
  • Service providers.  Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
  • Publicly available sources.  Public sources of information such as open government databases. 
  • Reference and/or background information for applicants to Duck Creek: Pursuant to our hiring policies and in accordance with applicable laws, Duck Creek may conduct background and/or reference checks, including criminal, educational, and job history.

When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or function correctly.

II.        Cookies, Web Beacons and Other Technologies

For Cookies, Web Beacons, and Other Technologies, please refer to the Duck Creek Cookie Notice.

III.        How We Use the Personal Data We Collect

We use the personal data we collect for purposes described in this Privacy Notice or otherwise disclosed to you. For example, we use personal data for the following purposes:

Purposes of UseCategories of Personal DataLegal Basis
Product and Service Delivery. To provide and deliver our services, including troubleshooting, improving, and personalizing those services.Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesContract
Business Operations. To operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesContract

Legitimate Interest
Product Improvement, Development, and Research. To develop new services or features and conduct research. Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesLegitimate Interest 
Personalization. To understand you and your preferences to enhance your experience and enjoyment using our services.Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesLegitimate Interest

Consent
Customer Support. To provide customer support and respond to your questions.Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesContract
Communications. To send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesContract

Legitimate Interest
Marketing. To communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our services and those of our selected partners (see the Choice and Control section of this privacy notice for how to change your preferences for promotional communications).Contact information, demographic data, payment information, content and files, identifiers and device information, geolocation data, usage data, inferencesConsent
Advertising. To display advertising to you (see the Duck Creek Cookie Notice for information about personalized advertising and your advertising choices).Contact information, demographic data, content and files, identifiers and device information, geolocation data, usage data, inferencesConsent
Applicants to Duck Creek
Process your application: We use the information you provide to process your application for employment at Duck Creek. Contact information, application dataLegitimate Interest
Diversity and Inclusion: We use this information to evaluate the effectiveness of our diversity and inclusion efforts. Diversity and inclusion dataLegitimate Interest
Conduct interviews: We use the information you provide to facilitate interviews related to the applications you submit. Contact information, application dataLegitimate Interest
Background Screenings: We process your information to ensure compliance with our internal hiring guidelines and applicable law. Contact information, application data, Reference and/or background informationLegitimate Interest

We combine data we collect from different sources for these purposes to give you a more seamless, consistent, and personalized experience.

IV.          How We Disclose Personal Data

We disclose personal data with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. 

In addition, we disclose each of the categories of personal data described above for the following business purposes:

  • We enable access to personal data across our subsidiaries, affiliates, and related companies, for example, where we share common data systems or where access is needed to provide our services and operate our business.
  • We disclose personal data with vendors or agents working on our behalf for the purposes described in this notice. For example, companies we’ve hired to provide customer service support or assist in protecting and securing our systems and services may need access to personal data to provide those functions. 
  • We may also disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.

We will also access, transfer, disclose, and preserve personal data when we believe that doing so is necessary to:

  • comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;
  • protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
  • operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
  • protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.

Personal data may be disclosed, including with Third-Party Partners, as further described in the Duck Creek Cookie Notice. 

Finally, we may share de-identified information in accordance with applicable law. 

Please note that some of our services include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of those third parties, or allow us to share personal data with them, that data is governed by their privacy statements.

V.        Choice and Control of Personal Data

Access, correction, and deletion.
You have the right to request a copy of your personal data held by Duck Creek. You may request your personal data be corrected, deleted, or ported to another organization. Additional rights are available to individuals in specific countries and regions. To exercise these rights, please email privacy@duckcreek.com and refer to the Contact Us section at the bottom of this Privacy Notice. 

If you are a user of Duck Creek software and wish to access, correct, or delete personal data about you that we hold, you may access your account by logging into the Duck Creek software you use. 

To the extent permitted by applicable law, we reserve the right to charge a fee, decline requests that are unreasonable or excessive. This includes where providing the data would be prohibited by law or could adversely affect the privacy or other rights of another person, where deleting data would interfere with a legal or business obligation that requires retention of the data, or where we are unable to authenticate you as the person to whom the data relates.  

Communications preferences.
You can choose whether to receive promotional communications from us by email, SMS, physical mail, and telephone. If you receive promotional email or SMS messages from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the Contact Us section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications. 

Choices for certain Technologies.
There are options which may help reduce the use of personal data collected or shared via Technologies for certain targeted advertising purposes, but these will not necessarily prevent having personal data we, and the Third-Party Partners we work with, collect from you being used for targeted advertising. These options include:

  • Industry opt-out tools. These include the NAI (http://optout.networkadvertising.org), DAA (http://optout.aboutads.info/), and European DAA (http://www.youronlinechoices.com/
  • Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated. 
  • Do Not Track. Some browsers include a “Do Not Track” (DNT) setting that can send a signal to the websites you visit indicating you do not wish to be tracked. There is not a common understanding of how to interpret the DNT signal; therefore, our website and services do not respond to browser DNT signals. 
  • Mobile advertising ID controls. iOS and Android operating systems may provide options to limit tracking and/or reset advertising IDs commonly used to help targeted advertising.

All of the options in this section are specific to the device or browser you are using. If you access our services from other devices or browsers, take these actions from those devices and browsers as well.

VI.          European Data Protection Rights

If the processing of personal data about you is subject to European Union data protection law, you have certain rights with respect to that data: 

  • You can request access to, and rectification or erasure of, personal data; 
  • If any automated processing of personal data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the personal data in a usable and portable format;
  • If the processing of personal data is based on your consent, you can withdraw consent at any time for future processing; 
  • You can to object to, or obtain a restriction of, the processing of personal data under certain circumstances; and
  • For residents of France, you can send us specific instructions regarding the use of your data after your death.

To make such requests, please use the contact information at the bottom of this Privacy Notice.  When we are processing data on behalf of another party that is the “data controller,” you should direct your request to that party.  You also have the right to lodge a complaint with a supervisory authority. For a complete list of supervisory authorities, please refer to the EDPB members list

We rely on different lawful bases for collecting and processing personal data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfil other legitimate interests.

VII.        California Privacy Rights

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (“CCPA”), you have certain rights with respect to that information.  

Right to Know.
You have a right to request that we disclose to you the personal information we have collected about you.  You also have a right to request additional information about our collection, use, disclosure, or sale of such personal information.  Note that we have provided much of this information in this privacy notice. You may make such a “request to know” by contacting us at privacy@duckcreek.com

Right to Request Deletion.
You also have a right to request that we delete personal information under certain circumstances, subject to a number of exceptions. To make a request to delete, contact us at privacy@duckcreek.com or the mailing address listed below.

Right to Opt-Out.
You have a right to opt-out from “sales” of personal information as described below. 

Do Not Sell or Share My Personal Information.
The CCPA defines “sell” and “share” very broadly, and some of our data sharing described in this Privacy Notice may be considered a “sale” or “sharing” under those definitions. In particular, Third-Party Partners may collect or receive contact information, demographic data, identifiers and device information, content and files, geolocation data, usage data, and inferences through our website and services, including as further described in the Cookies Notice.

If you do not wish for us to “sell” personal information, or “share” personal information for cross-contextual behavioral advertising purposes, you can make your request to opt-out by emailing privacy@duckcreek.com or by updating your cookie preferences. For more information, refer to the Duck Creek Cookie Notice. 

If you opt-out using these choices, we will take steps to stop disclosing personal information in ways that are considered a “sale” or “sharing” (for cross-contextual behavioral advertising) for which opt-out rights are required under applicable law. However, we will continue to disclose personal information to service providers and others as allowed by applicable law. We do not knowingly sell or share personal information of minors under 16 years of age.

Requests by agents.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us. 

Verification.
Further, to provide or delete specific pieces of personal information we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account. 

Notice and nondiscrimination.
Finally, you have a right to receive notice of our practices at or before collection of personal information, and you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Third party direct marketing law.
Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law. Additional information. California Customers may request further information about our compliance with this law by e-mailing privacy@duckcreek.com. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated e-mail address.

VIII.       Location of Data and Transfers

The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers maintain facilities. Currently, we primarily use data centers in the United States. The storage location(s) are chosen to operate efficiently and improve performance. We take steps designed to ensure that the data we collect under this notice is processed and protected according to the provisions of this notice and applicable law wherever the data is located.

Location of Processing European Personal Data.
We transfer personal data from the European Economic Area (EEA), UK, and Switzerland to other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do so, we use a variety of legal mechanisms, including contracts, to help ensure your rights and protections. To learn more about the European Commission’s decisions on the adequacy of personal data protections, please visit: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.

IX.   How We Protect Personal Data

Duck Creek maintains reasonable and appropriate technical and organizational safeguards to help provide an appropriate level of security and confidentiality for your personal data to protect it from unauthorized access, use, disclosure, alteration, and destruction, in accordance with our policies and applicable legislation.

These safeguards encompass the following controls:

  •  Organization of Information Security Controls
  • Asset Management Controls
  • Human Resources Security Controls
  • Physical and Environmental Security Controls
  • Communications and Operations Management Controls
  • Access Controls
  • End User Devices Controls
  • Security Information and Event Management Controls
  • Business Continuity Management Controls
  • Vulnerability Management Controls

To help us protect personal data, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

X.   Retention of Personal Data

We retain personal data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and other legitimate and lawful business purposes. Because these needs can vary for different data types in the context of different services, actual retention periods can vary significantly based on criteria such as user expectations or consent, the sensitivity of the data, the availability of automated controls that enable users to delete data, and our legal or contractual obligations.

XI.   Third Party Links

Our website may contain links to other third-party sites that are not operated by us, such as Facebook, Instagram, twitter and YouTube. These linked sites are not under our control and as such, we are not responsible for the privacy practices or the content of any linked sites. If you choose to use any third-party sites, any personal data collected by the third party’s site will be controlled by the Privacy Notice of that third party. We strongly recommend that you take the time to review the privacy policies of any third parties to which you provide information.

XII.   Updates To Our Privacy Notice

This Privacy Notice may be updated periodically at our discretion to reflect changes in our privacy practices or relevant laws. We will make any changes to this Privacy Notice by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This Privacy Notice is effective from the date specified in the ‘Effective Date’ section at the top of this Privacy Notice. If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law.

XIII.   How to Contact Us

If you have questions about how Duck Creek handles your personal data or would like to exercise your rights, please reach out by emailing or writing to us at:

Duck Creek Technologies LLC
Privacy Officer
100 Summer Street, 8th Floor
Boston, MA 02210 USA
Email: privacy@duckcreek.com