Privacy statement
Version
1.7
—
Effective
General information about Framer’s Website and Service
This website (www.framer.com) (the “Website”), is owned and operated by Framer B.V.
Framer B.V. provides a platform for designing and publishing interactive websites (the “Service”).
Framer B.V. is an entity incorporated under the laws of the Netherlands and registered in the Netherlands with the Dutch Chamber of Commerce under registration number 59920637. Framer B.V. has its registered office at Rozengracht 207B, 1016 LZ Amsterdam, the Netherlands.
This privacy statement (“Privacy Statement”) specifies how Framer B.V. and its affiliates (hereinafter referred to as “Framer”, "we", "us", "our") process personal data of its Users in different contexts.
What are Framer roles and responsibilities under Data Protection Laws?
To understand Framer's obligations and your rights under this Privacy Statement, it helps to identify your relationship with Framer.
User: Visitors to our Website; prospective and potential customers; individuals who contact us or submit inquiries; affiliates, partners and Framer Community participants; job applicants; employees and contractors of Customers that use the Service, when Framer uses their personal data for Framer’s own purposes, as described in this Privacy Statement (for example, in respect of their login, usage and security logs, billing). Framer is the controller of Users' personal data, and this Privacy Statement governs that processing.
Customer: A Customer is a User that has engaged Framer to provide the Service (for example, to design, host and publish their websites). When Framer processes personal data on a Customer's behalf in providing the Service, Customer is the controller and Framer is the processor. Between Framer and the Customer, that processing is governed by the relevant data processing addendum, not by this Privacy Statement.
Customer’s End User: An individual who provides personal data to a Customer, for example an individual who visits or submits a form on a website that a Customer builds and operates using our Service. Framer does not have a direct relationship with Customer’s End Users and does not determine the purposes or means by which a Customer processes its End Users’ personal data. In this context, the Customer is the controller and Framer is the processor. For information about how that data of Customer’s End Users is handled, Customer’s End Users should review the relevant Customer's privacy policy, not Framer’s Privacy Statement.
Which personal data do we process?
In providing the Website, our Service and in relation to applicants, we may process the following personal data:
Personal data of whom? | Types of personal data | Purpose (see below) |
Website visitors | Data collected through cookies:
| 2, 3, 7, 8, 9 |
Individuals who submit inquiries | Data that personally identifies you when you e-mail us or otherwise correspond:
| 1, 3, 5, 8, 9 |
Potential customers | Data from individuals or companies who shared their contact information with us, whether it has been through a form on the Website, from information collected at a trade or marketing event, or from those have reached out directly to us:
| 1, 3, 5, 7, 8, 9 |
Customers (or employees and contractors of Customers) that use our Service | Data required to enter into a contract with the Customer, for the use of our Service by the Customer and data generated when using our Service:
| 1, 2, 4, 5, 7, 8, 9 |
Affiliates (e.g. Framer partners, Framer Community participants and Framer experts) | Data required to engage an affiliate and to enter into a contract with an affiliate:
| 1, 3, 4, 5, 8, 9 |
Job applicants | Data required to process an application and to contact a job applicant after the application, i.e.:
| 6, 8, 9 |
What are the purposes and legal grounds of processing?
We only process your personal data if we have a valid legal ground to do so. The Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) specifically states these legal grounds. In the case of Framer these are: performance of a contract, legitimate interest, compliance with a legal obligation and sometimes consent.
The purposes for which we process personal data, and the legal ground for each, are set out in the table below.
# | Purpose | Legal ground |
1 | To enter into and for the performance of agreements, with regard to our Service. | Performance of contract (Article 6(1)(b) GDPR) |
2 | To offer, maintain, secure and improve the Website and our Service, including to detect and prevent spam, automated abuse and malicious activity and to maintain the integrity and security of the platform. | Legitimate interest (Article 6(1)(f) GDPR) |
3 | To have and maintain contact with you, for example, through our contact form and to provide customer support. | Legitimate interest (Article 6(1)(f) GDPR) |
4 | To establish and maintain contact with (potential) customers and (potential) other business relations. | Legitimate interest (Article 6(1)(f) GDPR) |
5 | Internal business and management operations, for example financial processing. | Legitimate interest (Article 6(1)(f) GDPR); legal obligation (Article 6(1)(c) GDPR) |
6 | To assess whether you are a viable candidate for our company and to further process the application. | Performance of contract (Article 6(1)(b) GDPR); legitimate interest (Article 6(1)(f) GDPR); consent (Article 6(1)(a) GDPR, but only to keep your personal data for a longer period) |
7 | Marketing activities. | Consent (Article 6(1)(a) GDPR); legitimate interest (Article 6(1)(f) GDPR), as applicable and honoring your right to object |
8 | To establish, exercise and defend our rights. | Legitimate interest (Article 6(1)(f) GDPR) |
9 | To comply with applicable laws and regulations, including tax legislation (Algemene wet inzake rijksbelastingen), various statutory retention periods and the pension act (Pensioenwet), or an injunction or request from authorized regulators or other government agencies. | Comply with a legal obligation (Article 6(1)(c) GDPR); legitimate interest (Article 6(1)(f) GDPR) |
Legitimate interest: We will only process personal data based on legitimate interest if our interests outweigh the privacy interests of the person to whom the data relates. In that case, the legitimate interests of Framer correspond to the purposes set out below. For further information on the balancing of interests in a specific case, please contact us using the contact details at the bottom of this Privacy Statement. It may also be the case that Framer has to process personal data to comply with an applicable legal obligation, for example to meet applicable minimum retention periods.
Consent: Where we rely on consent as the legal ground, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
How do we obtain your personal data?
We obtain your personal data in various ways:
Provided by you. Some personal data we receive straight from you. For example, if you fill out a contact form on the Website, submit a support related ticket, communicate with Framer via collaborative communication tools, and/or if you apply for a job at Framer.
Through the use of the Website or our Service. For example, we may process your IP address or data about your use of our application (log data). Sometimes we process personal data not on our own initiative, but to comply with a legal obligation incumbent on us. This is the case, for example, when we retain personal data for a longer period in order to comply with a legal retention obligation.
Obtained from third parties. We could also obtain personal data about you from other persons or external parties. In principle, we only make use of this possibility in two scenarios:
Website visitors: we may receive information about you from third parties, in the context of the cookies and similar technologies we use. Further information about this is included in our Cookie Statement.
Applicants: we may obtain information from a referral included by you in your application or a recruiter we work with.
Derived. Certain personal data we do not receive directly, but can be derived from the information already in our possession. For example, information about your preferences and interests. We may derive inferences about preferences or interests based on Usage Data with the Website or Service. For these purposes, “Usage Data” means information and metadata collected about how a user interacts with the Website or the Service (e.g. production performance, use of features, etc.)
Public sources. We may also receive personal data through public sources, such as information from a public LinkedIn profile or a website.
In principle, you are under no obligation to provide any information about yourself to us. However, refusal to supply certain information could have a negative influence on, for example, your experiences on or functionality of our Website. If the provision of certain personal data is a legal or contractual obligation or an essential requirement for concluding an agreement with us, we will separately provide additional information about this for as far as this is not clear in advance. In this case we will also inform you about the possible consequences if this information is not provided.
Under which circumstances and with whom do we share your personal data?
We only share your personal data with third parties if:
This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision.
The persons within the third party that have access to the personal data are under an obligation to treat the personal data confidentially. Where necessary this is also contractually agreed upon.
The third party is obliged to comply with the applicable laws for the protection of personal data, for instance because we have concluded an agreement with this party. This includes that the party is obliged to ensure appropriate technical and organizational security measures, and that any transfer of personal data to countries outside the European Economic Area (“EEA”)is adequately legitimized.
We could share your personal data on a need-to-know basis with the parties mentioned below. In this context, "need-to-know" means that a party only gets access to personal data if and insofar as this is required for the professional service provided by this party:
Authorized persons, employed by Framer, who are involved with the processing activity concerned. Such as, the members of the customer support team you are in contact with.
Authorized persons, employed by service providers / sub-contractors engaged by Framer, who are involved with the processing activity concerned.
Amazon Web Services, the provider of Framer’s hosting environment.
Authorized persons, employed by parties in the private sector with whom we may share certain personal data.
Authorized government institutions. Such as, courts, police, and law enforcement agencies. We may release information about our Website visitors, including IP address, when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with the policies governing the Website and applicable laws. We may also disclose such user information whenever we believe disclosure is necessary to protect the rights, property or safety of Framer, or any of our respective business partners, customers or others.
We may also disclose non-identifying, aggregated user statistics to third parties for a variety of purposes, including describing our Service to prospective partners and other third parties. Examples of such non-personal data include the number of users who visited the Website during a specific time period.
We may transfer or provide your personal data to a buyer or potential buyer in the event of a merger or acquisition (potential or prospective) of all or part of our business or assets. In the event of such a transfer, we will take all steps reasonably expected of us to ensure that the receiving party processes your information in accordance with this Privacy Statement.
How do we use automated systems and artificial intelligence?
Framer may use automated systems and artificial intelligence ("AI") tools to support certain internal business operations, including customer support, troubleshooting, product improvement, security monitoring, analytics, and service optimisation.
In connection with these activities, personal data submitted to or processed through our Service may be processed by such tools on our behalf and subject to applicable confidentiality, security, and data protection safeguards.
We do not use customer personal data to train third-party general-purpose AI models unless expressly disclosed otherwise or permitted in our agreements with customers.
To which countries do we transfer your personal data?
Transfers outside the EEA and UK
Framer may transfer personal data to third parties (e.g., our cloud service provider) located outside the EEA. This will involve transferring your data to countries outside the EEA and UK (“Third Countries”), including the United States of America (“U.S.”), where the servers we use are located. A list of countries to which Framer transfers personal data can be found in Framer’s Trust Center (available at https://trust.framer.com). Any data transfer shall always take place in compliance with Chapter V of the GDPR and additional recommendation or decision issued in this regard by the European Data Protection Board (“EDPB”), European Commission, or other competent authority or body under the applicable laws.
If you are a resident of a U.S. state with comprehensive privacy laws, including residents of California., you may have additional rights. Please see section 13 (“Your U.S. State Privacy Rights (California and other U.S. states”) for further details.
Legitimisation of transfers outside the EEA and UK
Transfers of your personal data to a country outside the EEA may in the first place be legitimized based on a so-called adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the GDPR. The current list of adequacy decisions of the European Commission is available here. An example of transfer of Framer based on an adequacy decision is the transfer of your personal data to the U.S. (insofar as the recipient is certified under the Data Privacy Framework). The transfer of your data from the UK to a third party outside the UK may primarily be legitimized based on an adequacy regulation of the UK government. An overview of the applicable adequacy regulations of the UK government is available here.
If we transfer personal data to Third Countries to which no adequacy decision or adequacy regulation applies, we will conclude the applicable version of the model clauses to safeguard data protection as published by the European Commission, so called standard contractual clauses (“Transfer SCCs”). If deemed required under the applicable law, additional measures will be taken. This may concern technical, organizational and/or contractual measures. Where the UK GDPR is applicable, a UK Addendum will be added to the Transfer SCCs, as required by UK laws and regulations.
Further information on our legitimization of data transfers to Third Countries will be provided upon your request. Please use our contact details to make such a request, as stated below.
How do we protect your personal data?
Protecting your privacy and personal data is very important to us. Therefore, Framer has implemented appropriate technical and organizational measures to protect and secure the personal data we process, in order to prevent violations of the confidentiality, integrity and availability of data.
Framer has internal processes according to which we safeguard an appropriate level of technical and organisational security. That includes ensuring only authorised personnel have access to that personal data and taking reasonable steps to prevent data breaches, monitoring and acting upon unauthorized access, improper use or disclosure, unauthorized modification, and unlawful destruction or accidental loss. We also have technologies and systems in place to utilize and maintain processes aimed at safeguarding and ensuring an appropriate level of technical and organizational security.
What are your privacy rights?
In relation to the processing of your personal data by Framer, you have the following privacy rights:
Right of access. This concerns the right to request access to your personal data. This enables you to receive a copy of the data we hold about you (but not necessarily the files themselves). We will then also provide further specifics of our processing of the personal data. For example, the purposes for which we process the data, where we got it from, and with whom we share it.
Right to rectification. This concerns the right to request rectification of the data that we hold about you. This enables you to have any incomplete or inaccurate data corrected.
Right to erasure. This concerns the right to request erasure of the data. This enables you to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (iii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) where the data has been collected in relation to the offering of information society services. However, we do not have to honour such request in all cases.
Right to object. This concerns the right to object to the processing of personal data where we are relying on legitimate interest as processing ground (see above). Insofar as the processing of the data takes place for direct marketing purposes, we will always honour an objection. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are – for example - related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform on our compelling interests and how we have balanced them.
Right to restriction. The right to restriction of processing means that Framer will continue to store personal data at the request of you but may in principle not do anything further with it. In short, this right can be exercised when Framer does not have (or no longer has) any legal grounds for the processing of the data or if this is under discussion.
Right to data portability. This concerns the right, where the processing is based on your consent or on a contract and is carried out by automated means, to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller where technically feasible
Right not to be subject to automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly affects you. In this respect, please be informed that when processing your data, we do not make decisions producing legal or similarly significant effects based solely on automated processing.
Right to withdraw consent. This concerns the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to lodge a complaint. This concerns the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work or where an alleged infringement took place. Please be referred to the website of the EDPB for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.
How to exercise your privacy rights?
You can exercise the privacy rights above free of charge by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we have the right to either charge a reasonable fee or refuse to comply with the request. In addition, we may request specific information to help us confirm your identity before we further respond to a privacy request. Finally, we will provide information about the follow-up of the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and the number of requests, this period can be extended by another two months.
How long do we keep your personal data?
In general, Framer does not keep personal data for longer than is necessary in relation to the purposes for which we process the personal data. Specific retention periods that Framer applies are the following:
Transaction data – 7 years;
Contact & communication data – up to 2 years after last contact or interaction;
Account & access data – up to 2 years after account closure;
Marketing and prospect data – until withdrawal of consent or 2 years after last interaction;
Job application data:
4 weeks after end of application if rejected;
Up to 1 year with applicant’s consent.
Legal or dispute data – as long as necessary for legal proceedings or compliance.
There could, however, be exceptions applicable to the general retention terms. In view of this, shorter retention periods could apply: if an individual exercises certain privacy rights, it is possible that we retain it for a shorter period of time. Longer retention periods could also apply. In certain situations, we process personal data of individuals for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process personal data for a longer period of time:
Retention obligation - to comply with a minimum retention period or other legal obligation to which Framer is subject based on EU law or the law of an EU Member State;
Procedure - personal data which is necessary in relation to a legal procedure;
Freedom of expression - when further processing of personal data is necessary in order to exercise the right to freedom of expression and information; and
Consent - for example: With the job applicant's consent, we retain their data for one year from the end of the application procedure instead of 4 weeks.
Your U.S. State Privacy Rights (California and other U.S. states)
This section applies to residents of U.S. states with comprehensive privacy laws (“U.S. State Privacy Laws”), including residents of California under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the "CCPA"). It supplements the information above and applies only where Framer acts as a business or controller; where Framer processes personal information on behalf of a Customer, the Customer is responsible for its own disclosures and for responding to its consumers' requests.
Information we collect and how we use it. The categories of personal information we collect, the purposes, the sources, the categories of recipients, and our retention periods are described in sections 3, 4, 5, 6 and 12. We collect account log-in credentials, which are treated as sensitive personal information; we use this sensitive personal information only to provide, maintain and secure the Service and for other purposes permitted by applicable law, and not to infer characteristics about you.
Do Not Sell or Share My Personal Information. If you are a resident of a state with U.S. State Privacy Laws, you may have the right to opt out of the “sale” or “sharing” of your personal information, including the processing of your personal information for purposes of targeted advertising. Targeted advertising is when we or our partners display ads to you based on your personal information that is collected across different businesses. Residents of states with U.S. State Privacy Law states who would like to exercise their right to opt out of the “sale” or “sharing” of their personal information can do so by sending an email to legal@framer.com.
Your Rights. Subject to the exceptions and limits in applicable law, and in addition to the right to opt out of the “sale” or “sharing” of your personal information described in the paragraph above, you may have the right to: know and access the personal information we hold about you; correct it; delete it; obtain a portable copy; opt out of certain profiling that produces legal or similarly significant effects; limit the use of your sensitive personal information; appeal a decision on your request; and not be discriminated against for exercising your rights.
How to exercise your rights. Contact us using the details below. We may verify your identity using information we already hold about you (any additional information you provide is used only to verify your identity and to prevent fraud), and you may use an authorized agent. Where applicable law gives you a right to appeal a decision on your request, we will explain how to exercise it in our response; if your appeal is denied, you may contact your state's attorney general. These rights may not apply to information that is exempt under applicable law, including, in most states, information processed in an employment or business-to-business context.
Children
The Service is not for use by children under the age of 16 years and we do not knowingly collect, store, share, or use personal data of children under 16 years. If you are under the age of 16 years, please do not provide any personal data, even if prompted by the Service to do so. If you are under the age of 16 years and you have provided personal, please ask your parents or guardians) to notify us and we will delete all such personal data.
Contact information
If you have any questions regarding this Privacy Statement, or data collection by Framer in particular, please contact us at legal@framer.com or by using the contact information below:
Framer B.V.
Rozengracht 207B
1016 LZ Amsterdam
The Netherlands
Changes to this Privacy Statement
Occasionally, we may need to update or change this Privacy Statement. In case of important changes, we will inform you in an appropriate manner and ask you to take note of the changes made. The latest version of the Privacy Statement is always available on our Website.