Version 1.1.1., March 2021
All Rights Reserved, Property of Cirtuo GmbH, Krenngasse 12, A-8010 Graz, Austria, Cirtuo d.o.o., Medveščak 98, 10 000 Zagreb, Croatia, Cirtuo Inc, 1801 N. Broadway Street, Suite 500, Denver, Colorado 80202, United States
With this version of the document, all previous versions are no longer valid.
The data controller of www.cirtuo.com is Cirtuo GmbH, Krenngasse 12, 8010 Graz, Austria, E-mail: firstname.lastname@example.org, company registration number: FN 343985 k, UID number: ATU 65630329 (hereunder “Cirtuo”). Where a registration form is presented on this website, the data controller may vary depending on the actual offering or the purpose of the data collection but it is in any case displayed on the individual registration form’s privacy statement.
Cirtuo’s contact email address for data protection is email@example.com.
Information We Collect
Information you provide to us: In the course of engaging with our Services, you may provide Personal Information about you and your Contacts. Personal Information is often, but not exclusively, provided to us when you register for and use the Services (registration information), consult with our customer service team, send us an email or communicate with us in any other way.
Information we collect automatically: We collect information about log data and product usage data (IP address, the dates and times you access the Services). We also collect information regarding the performance of the Services, including metrics related to the deliverability of the Service.
What does Cirtuo do with my Personal Data?
Duration of the processing of Personal Data
Where Cirtuo is processing and using your Personal Data as permitted by law (see Section 2 below) or under your consent (see Section 3 below), Cirtuo will store your Personal Data
- only for as long as is required to fulfil the purposes set out below; or
- until you object to Cirtuo’s use of your Personal Data (where Cirtuo has a legitimate interest in using your Personal Data); or
- until you withdraw your consent (where you consented to Cirtuo using your Personal Data). However, where Cirtuo is required by mandatory law to retain your Personal Data longer or where your Personal Data is required for Cirtuo to assert or defend against legal claims, Cirtuo will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.
Why am I required to provide Personal Data?
As a general principle, your granting of any consent and your provision of any Personal Data hereunder is entirely voluntary; there are generally no detrimental effects on you if you choose not to consent or to provide Personal Data. However, there are circumstances in which Cirtuo cannot take action without certain Personal Data, for example because this Personal Data is required to process your orders or provide you with access to the Cirtuo software or a web offering or newsletter. In these cases, it will not be possible for Cirtuo to provide you with what you request without the relevant Personal Data.
Where will my Personal Data be processed?
Cirtuo has affiliates and third-party service providers within the European Economic Area (the “EEA”). Cirtuo’s servers are located in the Amazon Web Services (AWS) “eu-central-1” region in Frankfurt, Germany.
Data subjects’ rights
You can request from Cirtuo at any time information about which Personal Data Cirtuo processes about you and the correction or deletion of such Personal Data. Please note, however, that Cirtuo can delete your Personal Data only if there is no statutory obligation or prevailing right of Cirtuo to retain it. Kindly note that if you request that Cirtuo delete your Personal Data, you will not be able to continue to use any Cirtuo service that requires Cirtuo’s use of your Personal Data.
If Cirtuo uses your Personal Data based on your consent or to perform a contract with you, you may further request from Cirtuo a copy of the Personal Data that you have provided to Cirtuo. In this case, please contact the e-mail address firstname.lastname@example.org and specify the information or processing activities to which your request relates, the format in which you would like this information, and whether the Personal Data is to be sent to you or another recipient. Cirtuo will carefully consider your request and discuss with you how it can best fulfill it.
Furthermore, you can request from Cirtuo that Cirtuo restricts your Personal Data from any further processing in any of the following events:
- you state that the Personal Data Cirtuo has about you is incorrect, (but only for as long as Cirtuo requires to check the accuracy of the relevant Personal Data),
- there is no legal basis for Cirtuo processing your Personal Data and you demand that Cirtuo restricts your Personal Data from further processing,
- Cirtuo no longer requires your Personal Data but you claim that you require Cirtuo to retain such data in order to claim or exercise legal rights or to defend against third party claims or
- in case you object to the processing of your Personal Data by Cirtuo (based on Cirtuo’s legitimate interest as further set out in Section 2 below) for as long as it is required to review as to whether Cirtuo has a prevailing interest or legal obligation in processing your Personal Data.
Please direct any such request to email@example.com.
Right to lodge a complaint
If you believe that Cirtuo is not processing your Personal Data in accordance with the requirements set out herein or applicable EEA data protection laws, you can at any time lodge a complaint with the data protection authority of the EEA country in which you live or with the data protection authority of the country or state in which Cirtuo has its registered seat.
Use of this website and websites of Cirtuo software client companies’ of by children
This website and client companies’ Cirtuo software websites is not intended for anyone under the age of 16 years. If you are younger than 16, you may not register with or use this website nor Cirtuo software.
Links to other websites
This website may contain links to foreign (meaning non-Cirtuo) websites. Cirtuo is not responsible for the privacy practices or the content of websites outside Cirtuo. Therefore, Cirtuo recommends that you carefully read the privacy statements of such foreign sites.
Where Cirtuo uses My Personal Data based on the Law
In the following cases, Cirtuo your Personal Data under applicable data protection law.
Providing the requested software or services
If you participate in tutorials or trainings provided by Cirtuo, Cirtuo may also track your learning progress in order to make this information available to you. Furthermore, Cirtuo communicates on a regular basis by email with users who subscribe to Cirtuo’s services, and Cirtuo may also communicate by phone to resolve customer complaints or investigate suspicious transactions. Cirtuo may use your email address to confirm your opening of an account, to send you notice of payments, to send you information about changes to Cirtuo’s software and services, and to send notices and other disclosures as required by law. Generally, users cannot opt out of these communications, which are not marketing-related but merely required for the relevant business relationship. With regard to marketing-related types of communication (i.e. emails and phone calls), Cirtuo will
- where legally required only provide you with such information after you have opted in; and
- provide you the opportunity to opt out if you do not want to receive further marketing-related types of communication from us. You can opt out of these at any time by sending an e-mail to firstname.lastname@example.org.
Cirtuo and its software, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. You acknowledge that, pursuant to the applicable export laws, trade sanctions, and embargoes issued by these countries, Cirtuo is required to take measures to prevent entities, organizations, and parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through Cirtuo’s website or other delivery channels controlled by Cirtuo. This may include:
- automated checks of any user registration data as set out herein and other information a user provides about his or her identity against applicable sanctioned-party lists;
- regular repetition of such checks whenever a sanctioned-party list is updated or when a user updates his or her information;
- blocking of access to Cirtuo’s services and systems in case of a potential match; and
- contacting a user to confirm his or her identity in case of a potential match.
Furthermore, you acknowledge that any information required to track your choices regarding the processing or use of your Personal Data or receipt of marketing materials (that is to say, depending on the country in which the Cirtuo operates, whether you have expressly consented to or opted out of receiving marketing materials) may be stored and exchanged between members of the Cirtuo Group as required to ensure compliance.
Cirtuo’s legitimate interest
Each of the use cases below constitutes a legitimate interest of Cirtuo to process or use your Personal Data. If you do not agree with this approach, you may object against Cirtuo’s processing or use of your Personal Data as set out below.
Questionnaires and surveys. Cirtuo may invite you to participate in questionnaires and surveys. These questionnaires and surveys will be generally designed in a way that they can be answered without any Personal Data. If you nonetheless enter Personal Data in a questionnaire or survey, Cirtuo may use such Personal Data to improve its software and services.
Recording of calls and chats for quality improvement purposes. In case of telephone calls or chat sessions, Cirtuo may record such calls (after informing you accordingly during that call and before the recording starts) or chat sessions in order to improve the quality of Cirtuo’s software and services.
In order to keep you up-to-date/request feedback. Within an existing business relationship between you and Cirtuo, Cirtuo may inform you, where permitted in accordance with local laws, about its software or services (including webinars, seminars or events) which are similar or relate to such software and services you have already purchased or used from Cirtuo. Furthermore, where you have attended a webinar, seminar or event of Cirtuo or purchased software or services from Cirtuo, Cirtuo may contact you for feedback regarding the improvement of the relevant webinar, seminar, event, software or service.
Other Data Protection Rights
You may have the following data protection rights:
- To access, correct, update or request deletion of your Personal Information. You may contact us directly at any time about accessing, correcting, updating or deleting your Personal Information, or altering your data, by submitting a request to us viae-mail: email@example.com
Where Cirtuo uses My Personal Data based on My Consent
News about Cirtuo’s Software and Services
Subject to a respective provision and your consent, Cirtuo may use your name, e-mail and postal address, telephone number, job title and basic information about your employer (name, address, and industry) as well as an interaction profile based on prior interactions with Cirtuo (prior purchases, participation in webinars, seminars, or events or the use of (web) services displayed on the relevant Cirtuo’s website) in order to keep you up to date on the latest software-related announcements, software updates, software upgrades, special offers, and other information about Cirtuo’s software and services (including marketing-related newsletters) as well as events of Cirtuo and in order to display relevant content on Cirtuo’s websites. In connection with these marketing-related activities, Cirtuo may provide a hashed user ID to third party operated business and social networks or other web offerings (such as LinkedIn, Facebook, Twitter or Google) where this information is then matched against the social networks’ data or the web offerings’ own databases in order to display to you more relevant information.
Please refer to the privacy guidelines of the respective social network for information regarding the purpose, duration and scope of the data collection, the further processing and use of your data, your respective rights, and setting options to protect your privacy:
- LinkedIn: https://www.linkedin.com/legal/privacy-policy
- Facebook: http://www.facebook.com/policy.php
- Twitter: https://twitter.com/privacy?lang=de
- Google: http://www.google.de/intl/de/policies/privacy
Creating user profiles
Cirtuo offers you the option to use its web offerings including blogs and networks (such as Cirtuo’s business and social networks) linked to this website that require you to register and create a user profile. User profiles provide the option to display personal information about you to other users, including but not limited to your name, photo, social media accounts, postal or email address, or both, telephone numbers, personal interests, skills, and basic information about your company.
These profiles may relate to a single web offering of Cirtuo may also allow you to access other web offerings of Cirtuo, client companies’ unique Cirtuo software websites or any of these (irrespective of any consent granted under the section “Forwarding your Personal Data to other Cirtuo partner and supplier companies.” below). It is, however, always your choice which of these additional web offerings you use and your Personal Data is only forwarded to them once you initially access them. Note that without your consent for Cirtuo to create such user profiles Cirtuo will not be in a position to offer such services to you where your consent is a statutory requirement that Cirtuo can provide these services to you.
If you register for an event, seminar, or webinar of Cirtuo, Cirtuo may share basic participant information (your name, company, and email address) with other participants of the same event, seminar, or webinar for the purpose of communication and the exchange of ideas.
Forwarding your Personal Data to other Cirtuo partner and supplier companies
Cirtuo may transfer your Personal Data to other entities. In such cases, these entities will then use the Personal Data for the same purposes and under the same conditions as outlined in this Section 3. above.
Revocation of a consent granted hereunder
You may at any time withdraw a consent granted hereunder by unsubscribing by sending e-mail to firstname.lastname@example.org. In case of withdrawal, Cirtuo will not process Personal Data subject to this consent any longer unless legally required to do so. In case Cirtuo is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of personal data by Cirtuo up to the point in time of your withdrawal. Furthermore, if your use of a Cirtuo offering requires your prior consent, Cirtuo will not be (any longer) able to provide the relevant service (or services, if you revoke the consent for Cirtuo to use your profile under the Cirtuo Cloud Platform Identity Authentication Service for multiple Cirtuo offerings), offer or event to you after your revocation.
How We Share Information
- Our service providers: Sometimes, we share your information with our third-party service providers, who help us provide and support our Services and other business-related functions. For example, we may share Personal Information with a service provider for the purpose: analyzing data, hosting data, engaging technical support for our Services, processing payments, and delivering content.
- Any competent law enforcement body, regulatory body, government agency, court or other third party where we believe disclosure is necessary (a) as a matter of applicable law or regulation, (b) to exercise, establish, or defend our legal rights, or (c) to protect your interests or those of any other person.
- Any other person with your consent.
Data Privacy Breach Policy
Data privacy breach – general
A data breach generally refers to the unauthorized access and retrieval of information that may include corporate and personal data. Managing data breaches is important to protect personal data of our clients and their employees when a data breach occurs.
How data breaches could occur
Data breaches can occur for different reasons. They may be caused by employees, parties external to the organisation or computer systems errors. Possible ways in which a data breach may occur, and our employees should be thoroughly aware of, are:
- Human error:
- loss of laptop, phone containing client and/or personal data
- Sending client and/or personal data to a wrong email address, or disclosing data to a wrong recipient;
- Unauthorised access or disclosure of client and/or personal data by employees
- Malicious activities:
- Hacking incidents / illegal access to databases containing client and/or personal data;
- Theft of laptop, phone containing client and/or personal data;
- Computer system error:
- Errors or bugs in the programming code of websites, databases and other software which may be exploited to gain access to personal data stored on computer systems.
Data Breach Management Plan
In the event that a data breach happens, the following breach management plan is strictly adhered to:
- Identification and classification – When a data breach occurs, this should be immediately reported by sending a Data Breach Incident Report to: email@example.com, with details about: date, time, who reported the breach, description of the breach, systems involved, corroborating material such as error messages, log files and immediate actions taken.
- Containment and recovery – the following measures have to be considered immediately, where applicable:
- Shut down the compromised system that led to the data breach;
- Prevent further unauthorised access to the system;
- Reset passwords if accounts and passwords have been compromised;
- Establish whether steps can be taken to recover lost data and limit any damage caused by the breach (e.g. remotely disabling a lost laptop containing
- personal data of clients and/or individuals);
- Isolate the causes of the data breach in the system, and where applicable,
- change the access rights to the compromised system and remove external connections to the system;
- Notify the police if criminal activity is suspected and preserve evidence for
- investigation (e.g. hacking, theft or unauthorised system access by an employee);
- Put a stop to practices that led to the data breach;
- Address lapses in processes that led to the data breach.
- Risk assessment: Knowing the risks and impact of the data breach will help to determine the consequences to affected organisations and individuals, as well as the steps necessary to notify the organisations and individuals affected. For each data breach it has to be assessed:
- How many people were affected?
- To whom does the personal data belong? (e.g. clients, their employees, Cirtuo’s employees, contractors, vendors or other third parties)
- What types of personal data were involved?
- How sensitive is the information?
- Do any additional measures have to be put in place to minimise the impact of the data breach?
- What caused the data breach?
- When and how often did the breach occur?
- Who might gain access to the compromised personal data?
- Reporting of breach: Clients and/or individuals affected by the data breach shall be notified immediately in the most effective way, taking into consideration the urgency of the situation and number of individuals affected (e.g. e-mails, telephone calls). Cirtuo should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless Cirtuo is able to demonstrate, in accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- How and when the data breach occurred, types of personal data involved in the data breach; including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- Likely consequences of the personal data breach;
- What Cirtuo has done or will be doing in response to the risks brought about by the data breach;
- Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused;
- contact details of the contact point where more information can be obtained;
- Evaluation of the response & recovery to prevent future breaches: After steps have been taken to resolve the data breach,the cause of the breach has to be reviewed and it has to be evaluated whether existing protection and prevention measures are sufficient to prevent similar breaches from occurring.
Where Cirtuo is subject to U.S. privacy requirements, the following also applies:
Do Not Track
Your browser may allow you to set a “Do not track” preference. Unless otherwise stated, Cirtuo sites do not honor “Do not track” requests. However, you may elect not to accept cookies by changing the designated settings on your web browser if the relevant website contains a link to it. Cookies are small text files placed on your computer while visiting certain sites on the Internet used to identify your computer. Note that if you do not accept cookies, you may not be able to use certain functions and features of Cirtuo website or client companies’ unique Cirtuo software websites. This site does not allow third-parties to gather information about you over time and across sites.
Requirements to Protect Children’s Privacy
Cirtuo does not intend for Cirtuo’s websites or online services to be used by anyone under the age of 16. If you are a parent or guardian and believe Cirtuo may have collected information about a child, please contact Cirtuo at firstname.lastname@example.org.