Supplemental Terms & Conditions (Contacts Feature)

Last updated: November 25, 2021

Contacts Feature

If the Contacts feature is included among the License Features ordered by Licensee, the following terms shall apply:

1. Business Information Terms and Conditions.
1.1 Access to Contacts Feature. Licensee’s License includes the Contacts feature (the “Contacts Feature”), which enables Licensee to search and access certain third-party business information (“Business Information”). Such Business Information is provided to Similarweb via a third-party service provider in accordance with such service provider’s terms and conditions, available here, and its privacy policy, available here. Business Information may include personally identifiable information or personal data, as such terms are defined under applicable data protection laws (“Personal Data”). Therefore, the Contacts Feature may not be available for Named Users in certain jurisdictions; the list of countries where the Contacts Feature is currently available is included below as Exhibit A. Similarweb and Licensee shall each be deemed distinct independent controllers with respect to such Personal Data. Licensee shall use and retain Personal Data solely in accordance with all applicable laws, including without limitation data protection laws and regulations, and shall defend, indemnify, and hold Similarweb and its affiliates, and each of their employees, directors, agents and shareholders, harmless from and against any and all damages, losses and expenses assessed against Similarweb (including without limitation reasonable attorneys’ fees and regulatory fines or other sanctions) arising from any violation of any such laws by Licensee or any party on its behalf. Licensee and Similarweb shall: (a) cooperate as reasonably necessary to respond to any requests submitted to either of them directly or indirectly by data subjects to whom such Personal Data relates to exercise their rights under applicable data protection laws; and (b) enter into any applicable agreements with respect to such Personal Data as may be required by such data protection laws. To the extent that such Personal Data is subject to the EU data protection laws or the UK data protection laws, the parties agree that such data will be processed in accordance with the data processing agreement included below as Exhibit B.

1.2 Terms of Existing Agreement. In the event Similarweb and Licensee have an existing valid agreement for the provision of Similarweb services and/or products (an “Existing Agreement”), and the Contacts Feature is being added to the License features under the Existing Agreement, then, notwithstanding anything to the contrary in such Existing Agreement, the following terms and conditions shall apply: (a) any representations, warranties and/or other provisions provided by Similarweb under the Existing Agreement with respect to Personal Data are of no further force and effect; and (b) SIMILARWEB’S MAXIMUM AGGREGATE LIABILITY UNDER, ARISING OUT OF OR RELATING TO THE CONTACTS FEATURE SHALL NOT EXCEED THE TOTAL AMOUNT OF LICENSE FEES PAID BY LICENSEE TO SIMILARWEB DURING THE TWELVE (12) MONTHS PRECEDING THE DATE THE LIABILITY FIRST ARISES; ANY SUCH LIABILITY ARISING OUT OF OR RELATING TO THE CONTACTS FEATURE SHALL BE CUMULATIVE WITH ANY OTHER LIABILITIES OF SIMILARWEB UNDER THE EXISTING AGREEMENT FOR PURPOSES OF DETERMINING SIMILARWEB’S MAXIMUM LIABILITY.

Exhibit A

  1. Andorra
  2. Argentina
  3. Australia
  4. Austria
  5. Belgium
  6. Brazil
  7. Bulgaria
  8. Canada (commercial organizations)
  9. Croatia
  10. Cyprus
  11. Czechia
  12. Denmark
  13. Estonia
  14. Faroe Islands
  15. Finland
  16. France
  17. Germany
  18. Greece
  19. Guernsey
  20. Hungary
  21. India
  22. Ireland
  23. Israel
  24. Isle of Man
  25. Italy
  26. Japan
  27. Jersey
  28. Latvia
  29. Lithuania
  30. Luxembourg
  31. Malta
  32. Netherlands
  33. New Zealand
  34. Poland
  35. Portugal
  36. Romania
  37. Singapore
  38. Slovakia
  39. Slovenia
  40. Spain
  41. Sweden
  42. Switzerland
  43. United Kingdom
  44. United States
  45. Uruguay

Exhibit B

This DPA forms part of the Purchase Order/Service Order Terms & Conditions (“Terms & Conditions”) entered into between Similarweb and Licensee.

1. Definitions

DP Laws” means any applicable data protection and privacy laws relating to the protection of individuals with regards to the processing of personal data, including but not limited to (i) the General Data Protection Regulation (EU) 2016/679 (“GDPR“); (ii) the GDPR as transposed into the national laws of the United Kingdom (“UK GDPR“); (iii) Directive 2002/58/EC (“ePrivacy Directive“); (iv) the UK Data Protection Act 2018; and (v) any corresponding or equivalent national laws or regulations including any amendment, supplement, update, modification to or re-enactment of such laws;

controller“, “data subject“, “personal data“, “personal data breach“, “process/processing“, “sub-processor” and “supervisory authority” shall have the same meaning as in the DP Laws;

Legal Process” means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national and/or federal laws or regulations or any other laws applicable to Licensee in any Restricted Country;

Public Body” means any local, regional, state, national or federal law enforcement authority, regulator, government department, agency or court in any Restricted Country;

Restricted Country” means any country (i) which is not a member of the European Economic Area; or (ii) which has not been approved by the European Commission or the UK Government pursuant to Article 45 of the GDPR or the UK GDPR (as applicable), as ensuring an adequate level of data protection in relation to personal data;
“Restricted Transfer” means a transfer of personal data between the Parties which in the absence of the SCCs, would be unlawful under DP Laws; and

SCCs” means either module 1 of the Standard Contractual Clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“) or the Standard Contractual Clauses (controllers) set out in Decision 2004/915/EC; as amended or replaced from time to time, pursuant to Article 46 of the GDPR (“UK SCCs”).

2. The Parties acknowledge that each will be a separate and distinct independent controller in relation to the personal data which they process and the Parties shall each comply with their respective obligations under the DP Laws in respect of their processing of personal data.

3. Licensee acknowledges, confirms and represents that it shall (i) process the personal data solely in accordance with the Terms & Conditions, for the purposes set out in Annex 1 (“Purpose”) and in accordance with DP Laws; (ii) where applicable, provide necessary fair processing notices and obtain relevant permissions as required by DP Laws; (iii) have a lawful basis to process personal data for the Purpose; and (iv) implement appropriate technical and organisational security measures in relation to processing the personal data, which shall ensure a level of security appropriate to the risk and at a minimum shall include all the measures set out in Annex 2 of this DPA.

4. Data Processing

4.1 Licensee shall

  1. notify Similarweb as soon as reasonably practicable upon becoming aware of a personal data breach, not refer to Similarweb in any notification of such breach to a supervisory authority or third party unless required to do so by applicable EU or UK laws, and, where reasonably practicable, provide a copy of any proposed notification and consider in good faith any comments made by Similarweb before notifying the personal data breach to any third parties;
  2. in the event of a personal data breach, take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effect;
  3. where applicable, designate a representative located in the EU (“EU Representative“) and/or the UK (“UK Representative“) and make available the EU Representative’s and the UK Representative’s contact details to Similarweb, in accordance with DP Laws;

5. Where Licensee engages sub-processors in an arrangement that involves a Restricted Transfer, Licensee shall ensure that an adequate safeguard is in place between the Licensee and the sub-processor to protect the transferred personal data in compliance with DP Laws. Licensee shall make available evidence of such safeguard to Similarweb on reasonable request.

6. Each party will, on request, provide all assistance, information and cooperation reasonably necessary to enable the other party to comply with DP Laws in relation to the personal data, in particular with respect to responding to requests by data subjects and/or supervisory authorities, and personal data breaches.

7. Restricted Transfers

7.1. If there are Restricted Transfers of personal data, the following terms shall apply. In each case, the data exporter is Similarweb and the data importer is the Licensee, and the description of the transfer (Annex I of the EU SCCs; Annex B of the UK SCCs) is as set out in Annex 1 to this DPA:

  1. With respect to Restricted Transfers subject to the EU GDPR, Module 1 of the EU SCCs shall apply and is hereby incorporated into this DPA by reference. Clause 7 and the optional language in clause 11(a) shall not apply, the supervisory authority for the purposes of clause 13(a) shall be determined by the place of establishment of the data exporter’s (or its parent company’s) representative, the governing law and choice of forum and jurisdiction shall be that of the Republic of Ireland, and the technical and organisational security measures shall be as set out in Annex 2.
  2. With respect to Restricted Transfers subject to the UK GDPR, the UK SCCs shall apply and are hereby incorporated into this DPA by reference. For the purpose of clause 2.8 of the UK SCCs, the Parties shall be deemed to have selected option 2.8.3.

7.2. If at any time the supervisory authority in the United Kingdom approves the EU SCCs for use under the UK GDPR, the provisions of clause 7.1(a) shall apply in place of clause 7.1(b) in respect of transfers subject to the UK GDPR subject to any modifications to the EU SCCs required by the UK GDPR (and subject to the governing law of the EU SCCs being English Law).

7.3. Licensee warrants that as of the effective date of this DPA, it has not been subject to any request for disclosure of personal data by a Public Body.

7.4. If Licensee receives a Legal Process requiring disclosure of personal data to a Public Body, Licensee shall: (i) promptly notify Similarweb, unless legally prohibited from doing so; (ii) use all reasonable efforts to redirect the Public Body issuing such Legal Process to request that personal data directly from Similarweb; and (iii) where (ii) is not possible, use all reasonable efforts to challenge the Legal Process (where there are grounds for doing so) and to minimize the amount of any personal data which Licensee is compelled to disclose.

8. Termination

8.1. The Parties agree that this DPA and the SCCs shall terminate automatically upon the termination of the Terms & Conditions.

8.2. Without affecting any other right or remedy available to it, Similarweb may terminate this DPA with immediate effect by giving written notice to Licensee, should Licensee fail to materially comply with its obligations set out in this DPA.

9. General Terms

9.1. Any obligation imposed on the Parties under this DPA in relation to the processing of personal data shall survive any termination or expiration of the Terms & Conditions.

9.2. Any breach of this DPA shall constitute a material breach of the Terms & Conditions.

9.3. A person who is not a party to this DPA shall have no right to enforce any term of this DPA, save to the extent set out in the relevant SCCs. The rights of the Parties to rescind or vary this DPA are not subject to the consent of any other person.

9.4. The provisions of this DPA are supplemental to the Terms & Conditions. In the event of inconsistencies between the provisions of this DPA and the Terms & Conditions, the provisions of this DPA shall prevail.

Part 1: List of Parties

Data exporter(s): Similarweb (as controller)
Data importer(s): Licensee (as controller)

Part 2: Description of Transfer

1. Categories of data subjects whose personal data is transferred

Members of the public whose names and business contact information appear in various sources, including social networks, recruitment, and company websites, in connection with their affiliation with those companies and businesses.

2. Categories of personal data transferred

First name, last name, verified email; telephone number and/or mobile number, company name, job title and industry.

3. Sensitive data transferred (if applicable) and applicable restrictions or safeguards

Not applicable.

4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Personal data is transferred on a continuous basis.

5. Nature of the processing

The personal data transferred will be subject to the following basic processing activities, in each case strictly to the extent relevant to and in accordance with the obligations of the Parties under the Terms & Conditions: (i) retrieval, consultation or use of the personal data and (ii) alignment, combination, blocking, erasure or destruction of the personal data.

6. Purpose(s) of the data transfer and further processing

The Parties shall process the personal data for the purposes of sales prospecting and as set out in Section 9 of the Terms & Conditions.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

In line with the Parties’ data retention policies.

8. The personal data transferred may be disclosed only to the following recipients or categories of recipients

Employees and sub-processors of the importer only.

Part 3: Competent Supervisory Authority(ies)

Identify the competent supervisory authority(ies) in accordance with clause 13 of the EU Controller SCCs.

The Data Protection Commission (DPC) in the Republic of Ireland.


Licensee shall implement appropriate technical and organisational measures, policies and controls (“Licensee Controls“) to maintain the effective security of all Licensee computer or network systems accessing, storing, transmitting, processing or otherwise supporting the processing of personal data in accordance with this DPA (“Licensee Systems“), and to ensure that such personal data is protected from accidental, unauthorized or unlawful processing, access, disclosure, loss, alteration, damage or destruction.

At a minimum, Licensee shall ensure compliance with the requirements described at: https://mvsp.dev/mvsp.en/index.html. Licensee shall inform Similarweb in case of any material non-compliance with the requirements set out herein and will provide evidence of alternative or compensating controls implemented to protect personal data.