Privacy Policy – Crealytics CLV platform
Last updated: April 27, 2021
This Privacy Policy provides you with information regarding which personal data we collect when you use our product by accessing clv.crealytics.com and for what purpose these data are used. You can access this Privacy Policy at any time by visiting our website: https://crealytics.com/clv-platform/privacy-policy/.
1. Controller/Contact
The controller within the meaning of applicable data protection law is:
crealytics GmbH
Salzufer 12
10587 Berlin
Germany
If you have questions or suggestions regarding any data protection matter, you can also write to us via email; our email address is info@crealytics.com.
You can reach our data protection officer at dataprotection@crealytics.com.
2. The data protected
3. Automated data collection
Whenever you access clv.crealytics.com, your device automatically transmits data for technical reasons. Unless otherwise stated in this Privacy Policy, these data are stored separately from other data, which you may transmit to us under certain circumstances:
• IP address.
• ensuring the security of our IT systems, e.g., to counter specific attacks on our systems and detect attack patterns,
• ensuring proper operation of clv.crealytics.com and our IT systems, e.g., if errors occur that we can only rectify by storing the IP address,
• enabling criminal prosecution, averting of dangers as well as legal prosecution in the event of specific indication of criminal offenses,
The IP address is stored for a period of 14 days.
The processing takes place to ensure the security of processing pursuant to Art 32 GDPR and based on our above-mentioned legitimate interests (Art. 6(1)(f) GDPR).
4. Provision of our services / Your clv.crealytics.com user account
4.1 Registration and Login
To use all functions of clv.crealytics.com, you need to login to your user account. To register you for your user account we will process your email address that you or our customer for whom you are working has provided to us to set up your account and send you your initial password. We will then ask you to change the initial password to a password of your choice.
To login to your account, you must provide the following mandatory information:
• Password
4.2 Managing your account
Further, we will process your personal data, such as your email address and the settings you have applied to manage your account and to provide you with our service, e.g., sending you email alerts (Alert Summary Emails). Further, we process the information you provide to us when you browse our Knowledge Center to make the information you require available to you.
4.3 Legal basis for the processing
The processing is based on Article 6(1)(f) GDPR as we have a legitimate interest in setting up and managing your account while providing our services, therewith allowing the performance of the respective contractual relationship with our customers.
We erase your data within 30 days after your account is permanently deactivated.
We further store your personal data in case such data is of legal relevance. The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Article 6(1)(f) GDPR) and, if applicable, for the fulfillment of legal obligations (Article 6(1)(c) GDPR).
5. Support requests
Your support requests are handled using the customer service platform Support Hero, a service provided by Support Hero LLC, 5280 Ivyfarm Rd, Cincinnati, Ohio, 45243, United States (“Support Hero”), which we use as a processor. Your data are processed in the United States. There exists no adequacy decision of the EU Commission for the United States. For this reason, we and Support Hero entered the standard contractual clauses adopted by the EU Commission in accordance with Article 46(2)(c) GDPR.
If you send us a support request through clv.crealytics.com, we will process the details regarding the topic of your request as well as any additional information you provide to respond to your request.
The processing is based on Article 6(1)(f) GDPR as we have a legitimate interest in effectively processing your request and allowing the performance of the respective contractual relationship with our customers.
In the case of requests, which have potential legal relevance, we reserve the right to retain the requests for a period equal to the respective statutes of limitation, that is: three years, commencing as of the end of the year in which we have received your request. Apart from said cases, we erase requests once we no longer need them for the purpose for which we collected them, such is the case once we have processed your request completely.
The storage takes place based on our legitimate interest, the proper documentation of our business operations and the securing of our legal positions (Article 6(1)(f) GDPR) and, if applicable, for the fulfillment of legal obligations (Article 6(1)(c) GDPR).
6. Newsletter
You have the option to register for our newsletter. With our newsletter, we would like to send you information about our services and product-related features and upgrades about once a month. By registering for our newsletter, you therefore consent to us processing your email address for the purpose of sending the newsletter. The legal basis for this processing is Article 6(1)(a) GDPR. When you register for the newsletter, we store the date and the time of registration. The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis results from our legal obligation to prove your consent (Article (6)(1)(c) in conjunction with Article (7)(1) GDPR).
You can revoke your consent at any time with effect for the future by unsubscribing from our newsletter. To do this, you can use the unsubscribe link contained in every email or send us a message using the contact details provided above in Sec 1 or by adjusting the corresponding settings in your account. Upon your withdrawal we will delete your personal data in connection with the newsletter without undue delay.
Information that enables us to demonstrate that you have given your consent will be deleted once the statute of limitation has lapsed, that is, after three years, commencing as of the end of the year in which we received your withdrawal.
7. Web Host
clv.crealytics.com is hosted in Google Cloud Platform that servers are in EU.
8. Cookies
We store cookies, which make it possible for us to offer you all the features of clv.crealytics.com and to make our service more user-friendly. Cookies are small files that are stored on your end device, with the aid of your browser.
Specifically, we use the following cookies:
8.1 Strictly necessary:
These cookies are strictly necessary for the operation and functionality of clv.crealytics.com. They allow our service to be accessible and available; they provide essential and basic functionalities such as the navigation, the correct presentation of contents in your browser, or consent management. Without these cookies, clv.crealytics.com cannot function properly.
The legal basis for using strictly necessary cookies is Section 15(1) of the Telemediengesetz (Tele- communications Act) and Article 6(1)(b) GDPR, to the extent that these cookies are necessary for the use of clv.crealytics.com and the features used by you. Apart from the foregoing, we use cookies based on the consent given by you, Article 6(1)(a) GDPR.
We use the following cookies:
9. Sharing data
9.1
If necessary, for purposes of investigating the unlawful use of our services or for purposes of establishing our rights, personal data will be shared with law enforcement agencies and, where applicable, with injured third parties. Personal data will be shared, however, only if specific evidence exists, which is indicative of illicit or abusive conduct. Personal data can also be shared, when sharing that data serves to enforce terms of use or other agreements. Furthermore, we are required by law to provide information to certain public agencies. These include law enforcement agencies, government authorities that prosecute misdemeanors subject to fines, and fiscal authorities.
Personal data will be shared not only based on the legitimate interest we have in combatting abuse; in prosecuting crimes; and in securing, establishing, and enforcing claims, Article 6(1)(f) GDPR, but also based on a statutory obligation, as contemplated by Article 6(1)(c) GDPR.
9.2
We disclose personal data to auditors, accounting service providers, lawyers, banks, tax consultants and similar bodies insofar as this is necessary for the provision of our services (Article 6(1)(b) GDPR) or the proper operation of our business (Article 6(1)(f) GDPR) or we are obliged to do so (Article 6(1)(c) GDPR).
9.3
In providing our services, we rely on third-party undertakings and outside service providers (“Processors”), each bound by contracts. In these cases, personal data are shared with these Processors for further processing. These Processors are carefully selected by us and audited regularly to ensure your rights and freedoms are preserved. Processors may use the data only for the purposes specified by us and are also required by contract to handle your data only in compliance with this Privacy Policy and with applicable data protection law.
Data are shared with Processors based on Article 28(1) GDPR, alternatively based on the legitimate interest we have in the economic and technical benefits associated with the engagement of specialized Processors, Article 6(1)(f) GDPR. Beyond the Processers already specified in this Privacy Policy, we engage the following categories of Processers:
• Cloud service provider
• Hosting service provider
• Software service provider
9.4
While developing our business, it is possible that the structure of crealytics GmbH will be changed, by changing its legal form; by establishing, selling, or buying subsidiaries or business divisions. In the event of such transactions, customer information will be passed on, together with any portion of the business to be transferred. In the event personal data are shared with third parties within the scope described above, we shall ensure that those data are shared in accordance with this Privacy Policy and with applicable data protection law.
Sharing personal data is justified on the grounds that we have a legitimate interest in changing the form of our undertaking to align, whenever necessary, with the economic and legal particularities on the ground, Article 6(1)(f) GDPR.
10. Transfers to third countries
We also process data in countries outside the European Economic Area (“EEA”), in so-called third countries, and/or transfer data to recipients in these third countries. The foregoing also includes the United States. Please note that, at present, there exists no adequacy decision of the EU Commission; that, in general, these third countries have an adequate level of data protection. There exists, at present, no adequacy decision of the EU Commission for the United States. For this reason, we rely on the standard data protection clauses adopted by the EU Commission in accordance with Article 46(2)(c) GDPR, to structure the contractual relationships with third-country recipients. These can be viewed at any time by visiting: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en or by requesting corresponding copies using our contact details provided in Sec. 1 of this privacy policy. We and our service providers that process your data on our behalf (“Processors”) enter into the standard data protection clauses for data transfers to processers established in third countries (so-called EU controller to non-EU or EEA processor standard data protection clauses). For transfers to third parties in third countries, we use the relevant standard data protection clauses for transfers to third parties (so-called EU controller to non-EU or EEA controller standard data protection clauses).
11. Change in purpose
Your personal data will be processed for purposes other than those described only to the extent such is permitted by law or to the extent to which you have given your consent that your data can be processed for the purpose so changed. In the event your data are processed for purposes other than those for which the data were originally collected, but before those data are so processed, we will inform you of such other purposes and provide you with all further information material to such purpose(s).
12. Erasure of your data
Unless otherwise specified in this Privacy Policy, we erase or anonymize your personal data once they are no longer needed for the purposes for which we have collected or used them in accordance with the foregoing sections.
They will be stored for a longer period only to the extent required by law, including, but not limited to, for the purposes of establishing, securing, or defending against claims.
The data are stored based on our legitimate interest, of the requirement to create proper documentation of our business operations, and of our need to secure our legal position (Article 6(1)(f) GDPR). Insofar as your data are relevant for purposes of performing contracts, they are stored for purposes of initiating and performing each individual contractual relationship (Article 6(1)(b) GDPR).
To the extent that we are bound by law to retain your data, we will store your data throughout the time prescribed by law (Article 6(1)(c) GDPR). Statutory rules and regulations governing storage of data can arise from the retention periods contemplated by the Handelsgesetzbuch (Commercial Code) or by the Abgabenordnung (German Fiscal Code). As a rule, the retention periods contemplated by these statutes are 6 years, commencing as of the end of the year in which we received your request.
13. Providing your personal data
Neither by law nor by contract are you required to provide your personal data.
To some extent, however, it is necessary that you provide personal data, so that we can provide you with our services and the features available on clv.crealytics.com. It is necessary that you provide your personal data, so that we can create and manage your user account for clv.crealytics.com and take into receipt and process any requests you send to us.
Wherever it is necessary for you to provide certain data, we have identified that data by making it a required field. Providing further data is voluntary. The consequence of not providing the required data is that we will be unable to provide the relevant services and features, including, but not limited to, our inability to create or manage your account and to take into receipt and to process your requests.
Where voluntary information is concerned, the consequence of not providing such information will be that we will be unable to provide the relevant features and services or that we will be unable to provide them as they are intended to be provided.
14. Automated individual decisions or profiling measures
We do not use automated processing processes to make decisions, including profiling.
15. Your rights as data subject
15.1 Right of access
Within the scope of Article 15 GDPR and § 35 BDSG, you have the right to obtain from us, at any time you request, access to the personal data concerning you. To exercise this right, you can submit your request by mail or via email by using the address given in Section 1 above.
15.2 Right to rectify inaccurate data
You have the right to obtain from us without undue delay the rectification of any inaccurate personal data concerning you. To exercise this right, please use the contact address specified in Section 1 above.
15.3 Right to erasure
Given the prerequisites described in Article 17 GDPR and § 35 BDSG, you have the right to obtain from us the erasure of personal data concerning you. In particular, these prerequisites prescribe a right of erasure, whenever the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed as well as in cases of unlawful processing, of the existence of an objection, or in case the data have to be erased for compliance with a legal obligation under European Union law or the law of any Member State, to which we are subject. To exercise your right set out in the foregoing, please use the contact address specified in Section 1 above.
15.4 Right to restriction of processing
15.5 Right to data portability
15.6 Right to object
To the extent we process personal data concerning you for direct marketing purposes, including profiling, you have the right to object to such processing. Once you object, we will stop such processing.
Unless otherwise specified in this Privacy Policy, please use the contact address specified in Section 1 to exercise your right, as set out above.
15.7 Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority of your choice.
15.8 Data processed when you exercise your rights
Finally, we advise that we process the personal data transmitted by you, when you exercise your rights under Articles 15 through 22 GDPR, not only for the purpose of complying with these rights, but also so that we can demonstrate such compliance. This processing is based upon the legal basis of Article 6(1)(c) GDPR in conjunction with Articles 15 through 22 GDPR and § 34(2) BDSG.