Effective Date: October 2021
Centraleyes Ltd. (“Centraleyes”, “we”, “our” or “us”) offers an advanced integrated risk management platform that facilitates the automation and orchestration of cyber risk & compliance management (the “Platform”).
We also manage our website www.centraleyes.com (the “Site”, and together with the Platform – the “Services”), which provides further information regarding our Platform, our company and the ways to get in touch with us.
Specifically, this notice describes our practices regarding:
- Data Collection
- Data Uses
- Cookies and Tracking Technologies
- Storage and Retention
- Data Sharing
- Data Security
- Data Subject Rights
- Data Controller/Processor
- Updates & How to Contact Us
Please read this notice and make sure that you fully understand and agree to it. If you do not agree to the terms in this notice, please discontinue and avoid using our Services.
You are not legally required to provide us with your personal data, but without obtaining certain information upon login, we will not be able to provide you with our Services. All information collected via the Platform after login relates (and should relate) to the business entity which the Platform is evaluating, and should not include any Personal Data about individuals.
Our Platform and Services are intended for use by businesses, for business purposes only, and not for personal use by individuals. All information provided to us (other than information required for creation of a user profile and for login purposes) should relate to the business which has retained our Services and should not pertain to individuals in their non-business capacity.
- Data Collection
We collect the following categories of data (and to the extent it may enable the identification of a specific person, or is linked to such potentially identifying data, we will refer to such data as “Personal Data”):
- Data automatically collected or generated: When a user visits, interacts with or uses our Services, we may collect or generate technical data about them. We do so either independently or with the help of third-party services (as detailed in Sections 4 and 5 below).
Such data consists of connectivity, technical or aggregated usage data, such as IP address, non-identifying data regarding the device, operating system, browser version, locale and language settings used, and the activity (clicks and other interactions) of Users of our Services.
We do not use such data to learn a person’s true identity or contact details, but mostly to have a better understanding of how our Users typically use and engage with our Services, to better secure our Services and to optimize the overall user experience and performance of our Services.
- Data received from you: You may provide us with Personal Data voluntarily, such as your name and e-mail address when you contact us or when you sign up to receive e-mail updates; or when you sign up to use our Platform, and provide us with your name, e-mail address and (hashed) password (which are required for use of the Platform); or when you use the 2-step authentication process to verify your account with us (in which case you may also provide us with your cellphone number).
- Data received from our Customers: Our Customers may provide us with Personal Data regarding their users, namely the designated individuals in their organization who will use our Platform. Such data is processed by us solely on behalf of our Customers, as further described in Section 10 below.
- Transaction Data: Customers may also provide additional data to us in order to complete their selected transaction, as well as their organization’s information and preferences. To the extent that such information concerns an entity (e.g., a company or business), we do not regard it as “Personal Data” and the terms of this Notice relating to Personal Data shall not apply to it.
- Data received from Third Parties: We may receive your Personal Data from other sources. For example, if you participate in an event or webinar that we sponsor or in which we participate, we may receive your Personal Data from the event organizers. We may also receive your contact and professional details (e.g., your name, company, position, contact details and professional experience, preferences and interests) from business partners or service providers and through the use of tools and channels commonly used to connect between companies and individuals in order to explore potential business and employment opportunities, such as LinkedIn.
- Data Uses
We will use your Personal Data only as necessary for the performance of our Services; for complying with applicable law; and based on our legitimate interests in maintaining and improving our Services and offerings: understanding how our Services are used, improving our customer service and support operations, and protecting and securing our Users, ourselves, our Services and members of the general public.
Accordingly, we use Personal Data for the following purposes:
- To facilitate, operate, and provide our Services;
- To authenticate the identity of our Users;
- To provide our Users with customer care, assistance and technical support services;
- To contact our Users with general or personalized service-related messages (such as purchase confirmations or system maintenance notices) and promotional messages (such as updates regarding new features and services, etc.), and to facilitate, sponsor and offer certain events and promotions;
- To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity;
- To create aggregated statistical data, inferred non-personal data or anonymized or pseudonymized data (rendered non-personal), which we or our business partners may use to provide and improve our respective services; and
- To comply with any applicable laws and regulations.
- Cookies and Tracking Technologies
Specifically, we utilize such technologies offered by Google Analytics, Google APIs, HubSpot and LinkedIn.
While we do not change our practices in response to a “Do Not Track” signal in the HTTP header from a browser, most browsers allow you to control cookies, including whether or not to accept them and to remove them. You may set most browsers to notify you if you receive a cookie, or to block cookies with your browser. You may also prevent your data from being used by Google Analytics by downloading and installing the Google Analytics Opt-out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout/.
- Storage and Retention
Your Personal Data may be maintained, processed, accessed and stored by Centraleyes and our authorized affiliates, Service Providers (as defined below) and business partners in the European Union, the United States of America, and Israel, as well as other jurisdictions as necessary for the proper delivery of our Services, or as may be required by law.
Centraleyes Ltd. is based in Israel, which is considered by the European Commission to be offering an adequate level of protection for the Personal Data of EU Member State residents.
While privacy laws may vary between jurisdictions, Centraleyes has taken reasonable steps to ensure that your Personal Data is treated by its affiliates and Service Providers in a secure and lawful manner, and in accordance with common industry practices, regardless of any lesser legal requirements that may apply in their jurisdiction.
We retain your Personal Data for the period necessary in order to maintain and expand our relationship, and to provide you with our Services. In other words, we will retain your Personal Data for as long as you remain our User and have not notified us otherwise. We will also retain your Personal Data for legal and accounting purposes (i.e., as required by laws applicable to our record and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy. If you have any questions about our data retention policy, please contact us at [email protected]
Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and are free to securely delete it for any reason and at any time, with or without notice to you.
- Data Sharing
We may share your data with certain third parties, including law enforcement agencies, our Service Providers and our affiliates – but only in accordance with this Policy, as follows:
- Compliance with Laws, Legal Orders and Authorities: We may disclose or allow government and law enforcement officials access to certain Personal Data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations, including for national security purposes. Such disclosure or access may occur with or without notice to you, if we have a good faith belief that we are legally compelled to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing.
- Service Providers and Business Partners: We may engage selected third-party companies and individuals to perform services complementary to our own (e.g. hosting and database services, data analytics services, data and cyber security services, marketing and advertising services, payment processing services, e-mail distribution and monitoring services, session recording services, and our business, legal, financial and compliance advisors) (collectively, “Service Providers”). These Service Providers may have access to your Personal Data, depending on each of their specific roles and purposes in facilitating and complementing our Services, and may only use it for such purposes.
- Sharing Personal Data with our Customers: We may share the Personal Data of our Customer’s users with such Customer. Centraleyes is not responsible for and does not control any further disclosure, use or monitoring by or on behalf of its Customers, that themselves may act as the “Data Controller” of such data (as further described in Section 10 below).
- Protecting Rights and Safety: We may share your Personal Data with others, if we believe in good faith that this will help protect the rights, property or personal safety of Centraleyes, any of our Users or any members of the general public.
- Centraleyes Subsidiaries and Affiliated Companies: We may share Personal Data internally within our family of companies, for the purposes described in this Policy. In addition, should Centraleyes or any of its affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of substantially all or part of its assets, your Personal Data may be shared with the parties involved in such event. If we believe that such change of control might materially affect your Personal Data then stored with us, we will notify you of this event and the choices you may have via e-mail and/or prominent notice on our Services.
For the avoidance of doubt, Centraleyes may share your Personal Data in additional manners if we are legally obligated to do so, pursuant to your explicit approval, or if we have successfully rendered such data non-personal and anonymous. We may share or otherwise use anonymized or non-personal data in our sole discretion and without the need for further approval.
Service Communications: we may contact you with important information regarding our Services. For example, we may notify you (through any of the means available to us) of changes or updates to our Services, billing issues, etc. You will not be able to opt-out of receiving such service communications.
Promotional Communications: we may also notify you about new services, events and special opportunities or any other information we think you will find valuable. We will provide such notices through any of the contact means available to us (e.g. phone, mobile or e-mail), through the Services, or through our marketing campaigns on any other sites or platforms. If you wish not to receive such promotional communications, you may notify Centraleyes at any time by e-mailing us at [email protected] or by following the “unsubscribe”, “stop” or “change e-mail preferences” instructions in the promotional communications you receive.
- Data Security
In order to protect your Personal Data held with us and our Service Providers, we are using industry-standard physical, procedural and electronic security measures, including encryption where deemed appropriate. However, please be aware that regardless of any security measures used, we cannot and do not guarantee the absolute protection and security of any Personal Data stored with us or with any third parties.
- Data Subject Rights
If you wish to exercise your rights under applicable law (e.g. the EU GDPR) to request access to, rectification of, or erasure of your Personal Data held with Centraleyes, or to restrict or object to such Personal Data’s processing, or to port such Personal Data – please contact us at [email protected]
Please note that once you contact us by e-mail, we may require additional information and documents, including certain Personal Data, in order to authenticate and validate your identity and to process your request. Such additional data will be then retained by us for legal purposes (e.g. so we have proof of the identity of the person submitting the request), in accordance with our data retention policy.
Please note that in some cases, as we may rely on our Service Providers’ APIs and systems, your requests may require up to a few weeks to process.
Our Services are not designed to attract children under the age of 16. We do not knowingly or intentionally collect Personal Data from children and do not wish to do so. If we learn that a child is using the Services, we will prohibit and block such use and will make all efforts to promptly delete any Personal Data stored with us with regard to such child.
If you believe that we might have any such data, please contact us at [email protected]
- Data Controller/Processor
Certain data protection laws and regulations, such as the EU GDPR, typically distinguish between two main roles for parties processing Personal Data: the “Data Controller”, who determines the purposes and means of processing, and the “Data Processor”, who processes the data on behalf of the Data Controller. Below we explain how these roles apply to our Services, to the extent that such laws and regulations apply.
Centraleyes is the “Data Processor” of Visitors’ and Customers’ Personal Data (to the extent we receive any). This means that in such cases, we will only process such data on behalf of our Customer and in accordance with their reasonable instructions, subject to our contractual agreements. The Customer will be solely responsible for meeting any legal requirements applicable to Data Controllers (such as establishing a legal basis for processing and responding to Data Subject Rights requests concerning the data they control).
If you are a data subject of any of our Customers, please note that Centraleyes processes your data solely on such Customer’s behalf. If you would like to make any requests or queries regarding your Personal Data, we encourage you to contact such Customer(s) directly. For example, if you wish to access, correct, or delete data processed by Centraleyes on behalf of its Customers, please direct your request to the relevant Customer (who is the “Controller” of such data). If requested by the Customer to remove such Personal Data, we will respond to such request within thirty (30) days. Unless otherwise instructed by our Customer, we will retain the Personal Data processed on their behalf for the period set forth in Section 4 above.
Aside from information required for login purposes, Customers should not be uploading any Personal Data about individuals. If a Customer uploads or submits any Personal Data concerning Users from the Customer’s organization, Centraleyes bears no responsibility for such data.
- Updates & How to Contact Us
Updates and amendments: We may update and amend this Policy from time to time by posting an amended version on our Services. The amended version will be effective as of the published effective date. We will provide an advance notice if any substantial changes are involved, via any of the communication means available to us, or on the Services. After this notice period, all amendments shall be deemed accepted by you.