Unidesk and Curvature violate their Privacy Policies

Each business day, I receive 5 to 15 cold calls and emails from companies wanting “just 15 minutes of my time” to tell me about their products and services. The voicemail box of my predecessor received 31 solicitation voicemails this week, and he left the company six months ago.

While I understand those salespeople and companies are trying to do their jobs, I’m also trying to do mine. For most callers, I simply inform them that I do not field cold solicitations. For unwanted email, I often reply “Please unsubscribe, please opt-out, please do not solicit.” I’ve done this for six months without a noticeable change in solicitation volume.

There is one sales or marketing trend, however, that sinks to a new low and annoying level. I’ve noticed that by simply visiting a company’s website to read about their products or services, I run the risk of receiving an unsolicited phone call or email shortly thereafter — all without entering any personally identifiable information. And what makes this practice more irritating is that the privacy policy of these companies says they respect the privacy of their visitors and will respect the anonymity of their visitors.

This post will describe two such instances I experienced in the past year.

Unidesk is committed to violating your privacy

In May 2015, I was researching some VDI user profile solutions and visited Unidesk’s website. I read marketing content and watched a few videos, but never entered any personally identifiable information.

Just three hours later, I received a sales call from a Unidesk business development representative wanting to schedule some time to tell me about his company and services. Could this be random chance, or was something fishy going on?

I asked, “By chance are you calling me because I visited your website just a few hours earlier?” After a few seconds of hesitation, the reply was “yes.”

The caller then tried to spin it, saying that he thought it was better to be honest and forthright about his creepy timing, implying that Unidesk is a company I can trust.

While I was surprised and disturbed to have Unidesk stalking my online activity, I also had not reviewed their privacy policy. Perhaps it stated that privacy isn’t important and that by visiting their website they reserve the right to have a salesperson track me down.

As you might imagine, that wasn’t the case. Unidesk’s privacy policy said quite the opposite — frequently stating their commitment to protecting the privacy of their visitors.

Excerpts from Unidesk’s Privacy Policy

  • Unidesk is committed to protecting your privacy.
  • Unidesk does not link IP addresses to anything personally identifiable, so any tracking of user sessions is done so anonymously.
  • Protecting your privacy and your information is a top priority at Unidesk.
  • All Unidesk employees are aware of the company’s privacy and security policies.

See Unidesk’s privacy policy in its entirety in 2015 May.

One of my professional friends is a big supporter of Unidesk and has many inside contacts. I eventually exchanged emails with Andrew Nadeau who explained:

“We do not link IP addresses to personally identifiable information per our privacy policy. We use a marketing automation software called HubSpot. HubSpot does have a feature where, based on IP, shows the company that was on our website, but we do not use any other software to tie that back to an individual.”

Using that information from HubSpot, Unidesk then visited LinkedIn to find my profile as the person who was most responsible for virtual desktop infrastructure (VDI). Armed with my name and title, they called my employer’s main number, worked the menu, and made it to my desk.

So what do you think? Did Unidesk violate its privacy policy, which states that “Unidesk does not link IP addresses to anything personally identifiable”? Does it matter that it required a human to tie the IP address from my website visit to my company, my name, and my phone number?

Andrew appeared to think that because their process is not fully automated, Unidesk is not violating the spirit of its privacy policy.

I disagree. The process is irrelevant. In the end (and in only three hours), Unidesk used the IP address from my anonymous website visit to track me down. Not cool.

In General, Curvature does not respect your privacy

A similar instance happened earlier this week when I visited Curvature’s website. I spent about five minutes reading their materials and did not enter or submit any information.

The following day, I received an unsolicited phone call from Alex Small, a Curvature marketing development representative. After saying that I was not interested in speaking with him, I received a follow-up email a few minutes later.

Again, I turned to Curvature’s Privacy Policy to see what they state about the privacy of those who visit.

Excerpts from Curvature’s Privacy Policy

  • We are committed to respecting your privacy.
  • In general, you can visit www.curvature.com without telling us who you are or revealing any personal information about yourself.
  • We will let you know before we collect any personal information from you over the Internet.
  • In general, IP addresses (the Internet address of a computer) are logged to track a user’s session while the user remains anonymous.
  • In general, we do not link your IP addresses to anything personally identifiable to you.

See Curvature’s privacy policy in its entirety in 2016 January.

I emailed Curvature to question them about their policy and why I received a sales call a day later. I’ve yet to receive a reply.

If Unidesk and Curvature cannot be trusted to honor their own self-imposed privacy policies, why should I trust them with my business? While I hope to see less of this sales tactic (or more honest privacy policies), I imagine I will experience more instances like this in the future.

A note about HubSpot’s privacy policy

I visited HubSpot’s website (the IP to company-name tracking tool that Unidesk uses) to review their privacy policy. Ironically, their legal.hubspot.com URL uses an invalid security certificate, requiring the user to push through “This Connection is Untrusted” browser warnings before being able to review HubSpot’s stance on respecting the privacy of those who visit their website.

I did not continue, so visit https://legal.hubspot.com/privacy-policy at your own peril.