CyberGRX Privacy Notice

Last updated: May 4, 2020

CyberGRX, Inc. (“CyberGRX,” “we,” or “us”) respects your privacy. This Privacy Notice describes the types of information we may collect from you when you visit the following website: https://www.cybergrx.com, all CyberGRX-owned websites and domains (the “Site(s)”), or use our other products and services that include an authorized link to this Privacy Notice (collectively, the “Services”), how we use the personal data we collect, with whom we share it, how we protect it, and the choices we offer you regarding our collection and use of such personal data.

For purposes of the General Data Protection Regulation (the “GDPR”), the data controller for personal data processed under this Privacy Notice is CyberGRX, Inc., 1637 Wazee Street, Denver, CO 80202.

Privacy Principles

We follow the following principles in order to protect your privacy:

  • We do not collect any more personal data about you than is necessary;
  • We will be transparent about our uses of your personal data;
  • We do not keep your personal data if it is no longer needed for the purposes described in this Privacy Notice; and
  • Other than as we specify in this Privacy Notice, we do not share your personal data with third parties.

INFORMATION WE COLLECT

We may collect data relating to identified or identifiable individuals, and certain other information connected with that data (“personal data”) from users in a variety of ways, which vary depending on the context in which we process that personal data:

  • Data we collect from you – We collect personal data from you directly, for example, when you complete a registration form or provide data through our Service.
  • Data we receive from others – We receive personal data from third parties with whom we have a relationship. For example, we may receive certain personal data from a vendor operating on our behalf, or from our clients.
  • Data collected automatically – We may collect certain personal data automatically, for example, we collect Device/Network Data automatically using cookies and similar technologies when you browse our Site.

We generally process the following categories of personal data (note specific data elements are examples and may change):

  • “Identity Data” such as name, name of your organization, job title, login information, such as username, password, and security questions and answers;
  • “Commercial Data” such as information relating to the Services you purchase from us, information about your subscription, etc.;
  • “Contact Data” such as mailing address, email address, and phone number;
  • “Financial Data” payment and financial details, such as payment card or bank account number, expiration date, authentication code, and billing address; and
  • “Device/Network Data” browser name, type of computer, webpage views and similar clickstream data, and technical information about your means of connection to the Sites, such as the operating system and the internet service providers utilized.

HOW WE USE PERSONAL DATA

We may collect and use personal data for the following purposes:

  • To create and maintain your account. We process the Identity Data, Contact Data, and other personal data you provide when you register for a user account as necessary to provide and maintain your account, to authenticate your right to access our Services, and as otherwise necessary to carry out our contractual obligations to you or provide you with the features and functionality you request. In connection with our legitimate interests, we may also use this personal data to provide you with important updates regarding your account, service downtime, or other transactional or informational materials.
  • To process transactions. We process the Identity Data, Contact Data, Commercial Data, and Financial Data and other personal data you provide as part of a commercial transaction as necessary to process those transactions, process a payment or other financial transaction, process the assessments you submit or request, and review scoping inquiries made on the Sites or otherwise as necessary for performance of our contractual obligations to you, including as applicable, order confirmation, billing, and delivering products or services. We do this on the basis of our contractual obligations to you, our legal obligations and our legitimate interests.
  • Internal Processes and Service Improvement. We may use Identity Data, Contact Data, Device/Network Data, Commercial Data, and any other personal data we process as necessary in connection with our legitimate interests in improving the design and performance of our Services, to create a personalized user experience, and for ensuring the security and stability of the Services. Specifically, (i) we may use this data to understand what parts of our Services are most relevant to users, how users interact with various aspects of our Services, how our Services perform or fail to perform, etc., and we may also use this information in connection with the provision of new features, products, and analytics tools to be used by other clients; (ii) we may personalize the Service by greeting you by name, or associating users with particular customers; and (iii) we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our clients or users. We do this on the basis of our legitimate interests.
  • Aggregate Analytics. We process Identity Data, Device/Network Data and Commercial Data to create aggregate analytics relating to trends in how our Services are used and perform, about patterns and trends among clients and responses to surveys/questionnaires, and to understand which aspects of our Services are most relevant to users, and to create other reports regarding surveys/questionnaires, transactions and other aspects regarding the use of our Services. We perform this processing on the basis of our Legitimate Interests.
  • To respond to your inquiries. We will use your Contact Data and other personal data you may provide as necessary to respond to your inquiries, questions and/or other requests for information. We do this on the basis of our contractual obligations to you, our legal obligations, and our legitimate interests, depending on the nature of your inquiry.
  • Marketing Communications. We may process Identity Data, Device/Network Data and Contact Data in connection with our marketing and promotional communications if you sign up for such communications, or if you inquire about or register for our Services. We may also process Device/Network Data and Contact Data when you interact with our communications in connection with our interest in understanding communication response and open rates. When you sign up for marketing communications, we send you emails based on your consent, and any other processing is performed on the basis of our legitimate interests.
  • Exceptional Purposes. We may, without your consent or further notice to you, and to the extent required or permitted by law, process any of your personal data for purposes determined to be in the public interest or otherwise required by law. For example, we may process information as necessary to fulfil our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest or as required by a public authority. Please see the data sharing section for more information about how we disclose personal data in extraordinary circumstances. We may also send you communications required by law or which are necessary to inform you about our changes to the Services we provide you, for example, updates to this Privacy Notice and other legally required notices or information. We process data for these purposes as necessary in connection with our obligations to comply with laws, to protect the vital interests of natural persons, or because the processing is in the public interest, depending on the specific nature of the request.
  • To fulfill any other purpose for which you provide personal data. We may use your personal data for purposes that we make known to you at the time of collection of such information or otherwise upon your consent. If we process personal data in connection with our Services in a way not described in this Privacy Notice, this Privacy Notice will still apply generally (e.g. with respect to your rights and choices) unless otherwise stated when you provide it.
  • Data Sale. We do not sell your personal information for purposes of Cal Civil Code § 1798.101 et seq.

HOW WE PROTECT YOUR INFORMATION

The security of your personal data is important to us. We have adopted generally accepted industry standards in connection with our data collection, storage, and processing practices and security measures to protect against unauthorized access, alteration, disclosure, or destruction of your personal data, username, password, transaction information, and data stored on the Sites. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

DISCLOSURE OF YOUR PERSONAL DATA

We may disclose personal data about you in the following ways and/or to the following third parties. Note, we may disclose aggregated, or anonymized information without restriction:

  • Affiliates. In order to streamline certain business operations, develop products and services that better meet the interests and needs of our customers, and inform our customers about relevant products and services, we may share your personal data with any of our current or future affiliated entities, subsidiaries, and parent companies.
  • Agents, Service Providers, and other Business Purposes. To contractors, service providers, and other third parties we use to support our business, provide the Services, who complete transactions or perform services on our behalf or for your benefit, or otherwise in connection with our other legitimate business interests. For example, we may use cloud-based hosting providers to host our Services or may disclose information as part of our own internal operations (such as security operations, internal research, etc.). When we disclose information for business purposes we may disclose Identity Data, Contact Data, Financial Data, Device/Network Data, and Commercial Data.
  • Marketing. With your consent or where otherwise permitted by applicable law, to third parties for their own direct marketing purposes, to provide you with information about products that may be of interest to you, and for other purposes as specifically set forth in this Privacy Notice.
  • Legal Process. In limited circumstances, we may, without notice or your consent, Process your personal data, any communications sent or received by you, and any other information that we may Process from time to time, to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, or in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your personal data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your personal data to such parties.
  • Certain Business Transfers. Your personal data may be shared if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, personal data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
  • Consent. We may share your personal data when and with the parties to whom you consent or direct us to share your data.

Your Rights

To the extent required under applicable law, and subject to our rights to limit or deny access/disclosure under applicable law, you may have the following rights in your personal data. You may exercise your rights by contacting us using the contact information below. Note, we may require that you provide additional personal data to exercise these rights, e.g. information necessary to prove your identity.

  • Correct your personal data. You can correct any errors in the personal data we hold about you. You may be able to update personal data associated with your account by logging into your account and visiting your account profile page. For other requests, please contact us.
  • Access your personal data. You have the right to view or request a copy of any personal data that we hold about you.
  • Portability. To the extent required by applicable law, we will send you a copy of your personal data in a common portable format of our choice.
  • Erasure. To the extent required by applicable law, you may request that we delete your personal data from our systems. It may not be possible for us to delete all of the information we hold about you. For example, we may be required or permitted by law to retain some personal data in certain circumstances. Please contact us to discuss how we can assist you with your request.
  • Withdraw Consent. When we process your information on the basis that you have consented to such processing, you have the right to withdraw your consent at any time by contacting us using the contact information below, or using the opt-out procedures we may make available from time to time.
  • Objection. You may have the right under applicable law to object to our processing of your personal data that we undertake without your consent in connection with our legitimate business interests. You may do so by contacting us re: data rights requests. Note that we may not be required to cease, or limit processing based solely on that objection, and we may continue processing in cases where our interests in processing are balanced against individuals’ privacy interests, or where we are otherwise not obligated to limit or cease processing.
  • Complaints. If you are in the European Union (or certain other countries), you may have the right to make a complaint at any time to the relevant data protection authority in your country.
  • Unsubscribe. You have the choice to opt-out of or withdraw your consent to processing related to direct marketing communications. If you receive marketing emails from us, you can unsubscribe here or from our emails by clicking “unsubscribe” within each email. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails. You may not have the right to opt-out of certain Service-related communications, transactional communications, or other messages which are not promotional in nature.
  • California Rights. Residents of California (and others to the extent required by applicable law) may request a list of personal data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year. Upon receipt of a verifiable request, you may also request that we provide you a copy of your personal data, direct us to stop selling or disclosing personal data for certain purposes (if we have done so), and receive information regarding: (1) the categories of personal data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your personal data was collected; (3) the business or commercial purpose for which we collected or sold your personal data; (4) the categories of third parties with whom we have disclosed your personal data, or sold, or disclosed it for a business purpose; and (5) the specific pieces of personal data we have collected about you.

RETENTION

We retain personal data for the periods stated above, or if none, for so long as it remains relevant to its purpose or for so long as is required by law (if longer). As we process personal data on behalf of our clients, we may retain information for the periods requested by the client or delete information upon the client’s request. We will review retention periods periodically, and if appropriate, we may de-identify or anonymize data held for longer periods.

THIRD-PARTY WEBSITES

You may find advertising or other content on the Sites that link to the websites and services of our partners, suppliers, advertisers, sponsors, licensors, and other third parties. We do not control the content or links that appear on these websites and are not responsible for the practices employed by websites linked to or from the Site. In addition, these websites or services, including their content and links, may be constantly changing. These websites and services may have their own privacy policies and customer service policies. Data collection and processing on any third party site, or by any third parties, will be subject to that website or party’s own terms and policies.

COOKIES AND OTHER TRACKING TECHNOLOGIES

  • We, and certain third parties, may process Device/Network Data and Inference Data when you interact with cookies and similar technologies on our Site. A cookie is a small file, which often includes an anonymous unique identifier, which is sent to your browser from a website’s computers and stored on your computer’s hard drive. Together with other similar technologies, these technologies may reveal information such as Internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, the files viewed on our Site (e.g., HTML pages, graphics, etc.), operating system, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the Site. We may also receive this data from third parties to the extent allowed by the applicable partner. The privacy policies of third parties may apply to these technologies and information collected. Note, some of these technologies can be used by third parties to identify you across platforms, devices, sites, and services. Clients may also have access to information, such as reports and analytics, generated through these services. See below for information on how to opt out of the use of these technologies.
  • In connection with our legitimate interests in providing and improving the user experience and efficiency of our Services, and understanding information about the devices and demographics of visitors to our Services, we use the Device/Network Data and Inference Data (i) for “essential” or “functional” purposes, such as to enable various features of the Services such as your browser remembering your username or password, maintaining a session, or staying logged in after a session has ended; and (ii) for analytics and site performance purposes, such as tracking how the Services are used or perform, how users engage with and navigate through the Services, what sites users visit before visiting our Services, how often they visit our Services, and other similar information.
  • You can modify your settings with respect to cookies and similar technologies by following the instructions provided by your browser. These instructions are usually found in the “Tools,” “Help” or “Edit” tabs. If you set your browser to disable cookies and similar technologies, you may not be able to fully access and use our Sites. You must opt out of third-party services directly via the third party. For example, to learn more about or opt-out of Google’s analytics services, visit Google Analytics Terms of Use, the Google Privacy Policy, or Google Analytics Opt-out. Please note, currently our Service does not respond to your browser’s do-not-track request.
  • Our website uses Google Analytics. Google Analytics is a service which transmits traffic data to Google Servers in the United States. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand traffic and usage of our website.
  • If you access our Services using a mobile device, you may adjust the settings on your mobile device to allow or prevent the sharing of location information, if it is requested. For example, you can disable “Location” (or “Location Services” on iOS-based devices) on your mobile device to prevent sharing your location information with us. Please refer to instructions provided by your mobile service provider or the manufacturer of your mobile device to learn how to adjust your mobile device settings. Please note that if you disable the sharing of location information, you may be unable to access some features of our Sites that are designed for mobile devices.

CHANGES TO THIS PRIVACY NOTICE

We have the discretion to update this Privacy Notice at any time. When we do, we will revise the updated date at the top of this page. If we make material changes to this Privacy Notice, we will notify you here, by email, or by means of a notice on the Site prior to the change becoming effective. We encourage you to frequently check this page for any changes to stay informed about how we are helping to protect the personal data we collect. You acknowledge and agree that it is your responsibility to review this Privacy Notice periodically and become aware of modifications.

CHILDREN UNDER THE AGE OF 16

The Sites are not directed to, and we do not knowingly collect or solicit personal data from, children under the age of 16. If we learn we have collected or received personal data from a child under the age of 16, we will delete that information. If you believe we might have any information from or about a child under the age of 16, please contact us using the contact information below.

WHERE WE STORE YOUR INFORMATION

CyberGRX is based in the State of Colorado in the United States. When we process personal data about you, we may transfer, process, and store such information outside of the country in which you reside, including in the United States. The United States may have different data protection laws than those in the country where you reside.

CONTACTING US

If you have any questions about this Privacy Notice, the practices of the Sites, or your dealings with us, please contact us at:

Privacy Office
CyberGRX, Inc.
1637 Wazee Street, Suite 400
Denver, CO 80202