COTANO PRIVACY POLICY

Account the primary means for accessing and using the SaaS Services, according to the selected Subscription plan.

Authorized User means a person, authorized to use the SaaS Services under the Terms of Service, including Customer employees, affiliates and representatives.

Customer an individual or legal person (corporate client) who has accepted the Terms of Services with the Provider.

Customer Data means all electronic data and materials provided by Customer to the Provider for use in connection with the SaaS Services, including, without limitation, Сustomer Personal Data, reports, emails, schedules, tasks, comments, graphics, media files, and other information, files and documents in electronic form.

Data Processing Addendum means the data processing addendum available at https://cotano.me/hub/data-processing-addendum.html and as updated from time to time, which shall govern Customer Data to the extent that it includes Personal Data and involves transferring such Personal Data outside the European Economic Area or Switzerland to any country not deemed by the European Commission as providing an adequate level of protection for personal data.

Documentation means all documentation, including without limitation, the user guides, training materials, release notes, updates, online help and other documentation provided or made available by Provider to Customer regarding the use or operation of the SaaS Services.

Mobile Application or Mobile App means the software application created, developed and owned by us to enable access and use of the SaaS Services through mobile or other handheld devices (such as apps on iOS or Android devices).

Personal Data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Processing/To Process means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

SaaS Services refers to the specific internet-accessible services that provides use of Provider’s web-based software solutions, the Cotano mobile application (including tablet applications) hosted by Provider or its service provider and made available to Customer in accordance with our Terms of Service.

Software means the source code and object code versions of any Provider’s software solution and a Mobile App to which Customer is provided access as part of the SaaS Services, including any updates or new versions.

Subscription Term means that period during which the Customer has agreed to subscribe to Provider’s web-based software solutions through SaaS Services. For entities, the Subscription Term will be specified in an Order Form.

1.1. Information you provide us directly. We may collect and process your information (including Personal Data) in order to provide the SaaS Services to you, or if you contact or interact with us:

- When you make a request to receive information about our SaaS Services;

- When you contact our sales team or customer support team; and

- When you subscribe, sign-up to, or use any of our SaaS Services.

Information gathered by us may include, but is not limited to, the following: (i) contact information such as name, email address, Internet Protocol (IP) address, technical data about your browser and operating system (PC or tablet /mobile device), geographic location, phone number and other information you provide; (ii) unique identifiers, such as username, account number or password. We use this information to operate, maintain, and provide to you the features and functionality of the SaaS Services, and as further detailed below.

1.2. Cookies information. When you visit our Website or access our SaaS Services via browser, we and our service providers acting on our behalf, may automatically collect certain information using tracking technologies like cookies and similar technologies.

We currently use, and may use in the future, the following types of cookies on our Website and the SaaS Services:

Session cookies: These are temporary cookies that only stored on your device (i.e. desktop computer, laptop, tablet or mobile phone) during a single visit to a website (called a “browser session”) and expire when you leave the website. These cookies help us maintain security and verify your details whilst you use our Website as you navigate from page to page, which enables you to avoid having to re-enter your details each time you enter a new page.

Persistent cookies: These remain on your device until they are set to expire or you choose to delete them from your browser cache. They are activated each time you visit the website that created them. For example, a persistent cookie lets us remember you when you return, helps analyze your behavior while you are on the site, and lets us identify any problems.

Both session cookies and persistent cookies are first-party cookies which belong to Cotano. In addition to our first-party cookies, we may also use various third-party cookies to report usage statistics of our Website and refine marketing efforts.

Third-party cookies: These are cookies that another party places on your browsing device through our Website. These cookies help us recognise you as a unique user when you return to our Website so that you do not have to input your details multiple times as you move between pages or the SaaS Services. Third-party cookies provide a service to Cotano, however Cotano cannot control how those third-party cookies are used.

We collect and may store information that your computer or mobile device provides to us when accessing our SaaS Services via browser or in connection with your use of the Website, such as your IP address or other device address, web browser and/or device type, browser language, mobile carrier, unique device identifier, the web pages or sites visited just before or just after using the SaaS Services, the content the Customer or Authorized User views or interacts with on the SaaS Services, and the dates and times of the visit, access, or use of the SaaS Service.

We collect this information to: i) personalize our SaaS Services, such as remembering users’ information so that Authorized Users or Customers will not have to re-enter it during a visit or on subsequent visits; (ii) provide customized advertisements, content, and information; (iii) monitor and analyze the effectiveness of the SaaS Service; (iv) monitor aggregate website usage metrics such as total number of visitors and pages viewed; and (v) track your entries, submissions, and status in any activities on the Service.

If you do not wish to have cookies placed on your device, you should set your browser to refuse cookies before using our Website. You can obtain more information about cookies by visiting http://www.allaboutcookies.org.

1.3. Log file information: Log file information is automatically reported by your browser each time you access a web page or other content within the SaaS Services. We may also receive log information relating to your computer or mobile device and your use of our Mobile App. When you use the SaaS Services, our servers automatically record certain log file information (“Server Logs”). These Server Logs may include anonymous information such as your web request, Internet Protocol (IP) address, operating system, browser type, referring/exit pages and URLs, number of clicks and how you interact with links on the SaaS Services, domain names, landing pages, pages viewed, and such other information. The information contained in Server Logs is used to monitor, assess, manage, diagnose problems with, improve and otherwise administer the SaaS Services.

1.4. Analytics Information. We may use Google Analytics, Mixpanel, and Intercom to measure and evaluate access to and traffic on our SaaS Services. Google operates independently from us and has its own privacy policy, which we strongly suggest you review. Google may use the information collected through Google Analytics to evaluate users activity on our Website. For more information, see Google Analytics Privacy and Data Sharing; Mixpanel Privacy Statement and Intercom Terms and Policies.

1.5. Mobile App. When you download, install and use our Mobile App, we automatically collect information on the type of device you use, operating system version, and the device identifier. We use mobile analytics software to allow us to better understand the functionality of our Software on your phone. This Software may record certain information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the Mobile App. Subject to this Policy, we will use such data to (i) provide and manage Mobile App; (ii) if you have opted in to receiving push notifications, send you push notifications from time-to-time in order to update you about any events or promotions that we may be running and/or update you about new features to our SaaS Services; (iii) send you promotional and marketing communications (where you have requested us to do so). If you no longer wish to receive these types of communications, you may turn them off at the device level.

1.6. Information we may collect and/or receive from third parties. We may receive information about you from third parties, such as third party social networking services and other services (“Integrated Service” or “Integrated Services”). You may be given an option to access our SaaS Services through the use of your user name and password through your account created for such other services. These services will authenticate your identity and provide you the option to share certain Personal Data with us. By authorizing us to connect with the third party services, you authorize us to access and store your name, email address(es), date of birth, gender, current city, profile picture URL, and other information that the Integrated Service makes available to us, and to use and disclose it in accordance with this Policy. Please check your privacy settings on third party websites and services before connecting them to or accessing our SaaS Services.

1.7. Personal Data of Third Persons. Customers and Authorized Users may store or upload Customer Data into the SaaS Services. We have no direct relationship with the individuals whose Personal Data it hosts as part of Customer Data. Each Customer and each Authorized User is responsible for providing notice to its customers and third persons concerning the purpose for which their Personal Data is collected and how this Personal Data is processed in or through the SaaS Services.

1.8. COTANO WILL NOT SELL, RENT, EXCHANGE OR SHARE PERSONAL DATA WITH ANY THIRD PARTIES WITHOUT PERMISSION OR EXCEPT AS DESCRIBED IN THIS POLICY. COTANO WILL SHARE PERSONAL DATA WITH GOVERNMENT AUTHORITIES AND OTHERS IN ORDER TO RESPOND TO INVESTIGATIONS, COURT ORDERS, LEGAL PROCESS, OR TO INVESTIGATE, PREVENT OR TAKE ACTION REGARDING ILLEGAL ACTIVITIES, SUSPECTED FRAUD, OR SITUATIONS INVOLVING POTENTIAL THREATS TO THE PHYSICAL SAFETY OF ANY PERSON, VIOLATIONS OF OUR TERMS OF SERVICE, OR AS OTHERWISE REQUIRED BY LAW. COTANO MAY ALSO ANONYMIZE AND AGGREGATE DATA COLLECTED AND USE AND DISCLOSE IT FOR GENERAL PURPOSES.

1.9. DISCLAIMER: We do not affirmatively solicit or attempt to collect, use and process any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or any Personal Data relating to criminal convictions and offenses.

2.1. Cotano uses the Personal Data you provide in a manner that is consistent with this Policy and the applicable Data Protection Laws. We use the information that we collect in a variety of ways in providing the SaaS Services and operating our business, including the following:

- to operate, maintain, enhance and provide all features of our SaaS Services, including Website and the Mobile App;

- to understand and analyze the usage trends and preferences of our Customers and Authorized Users, to improve the SaaS Services, and to develop new products, services, feature, effectiveness and functionality of the SaaS Services;

- to administer our Website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and research purposes;

- to personalise and optimise your experiences as part of our provision of the SaaS Services;

- for administrative purposes such as customer service, to address intellectual property infringement, right of privacy violations or defamation issues related to the Personal Data posted on the SaaS Services;

- to ensure that content from our website is presented in the most effective manner for you and for your computer. This involves conducting data and system analytics to develop and improve our SaaS Services. In such circumstances, we shall use anonymized data to the extent possible;

- to post your testimonials/comments/reviews on our Website which may contain your Personal Data. Prior to posting the testimonial, we will obtain your consent to post your name along with the testimonial;

- to provide updates relating to the SaaS Services offered by us and by third parties we work with.

We process Personal Data of Customers and Authorized Users solely in accordance with the directions provided by the applicable Customer or Authorized User.

2.2. Other than as described above, we may use your Personal Data or Customer Data:

- to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity;

- to verify accounts and activity, and to identify violations of our Terms of Service; and

- to comply with laws and to protect our legal rights and interests, and the legal rights and interests of you and other Customers and Authorized Users..

We consider your Personal Data and Customer Data to be a vital part of our relationship with you and do not sell this information to third parties. There are, however, certain circumstances in which we may share your Personal Data or Customer Data with certain third parties, as follows:

- Third-Party Service Providers. We sometimes engage certain third-party service providers (“Sub-Processors”) to carry out certain data processing functions on our behalf or to perform certain business-related functions, such as hosting, maintenance, payment processing, or conducting market research. We may also share your email address with third parties, such as Facebook, LinkedIn, Twitter and other services in order to provide custom marketing materials for you on their platforms. When we engage another company to perform a function of this nature, we limit the information provided to these service providers to which is necessary for them to perform their specific function. These companies are not permitted to use any Personal Data or Customer Data that we share with them for any other purpose aside from providing services to us. The list of Sub-Processors is included in the Terms of Service: https://cotano.me/hub/terms-of-service.html.

- Compliance with Legal Obligations. We may disclose your Personal Data and Customer Data, or other information, if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws and regulations, court orders, judicial proceedings or similar legal process, or to otherwise cooperate with law enforcement or other governmental agencies.

We also reserve the right to disclose Personal Data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the SaaS Services and any facilities or equipment used to make the SaaS Services available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.

We will take reasonable steps to ensure that we only collect that Personal Data that is relevant for the purposes for which it is to be used. Furthermore, we will not process your Personal Data in a way that is incompatible with these purposes.

- Change of Ownership. As we develop our business, we may go through a corporate sale, merger, reorganization, dissolution or similar event, or purchase businesses and assets. Your Personal Data or Customer Data may be part of the assets transferred to a buyer or other successor or shared in connection with due diligence for any such transaction. Any acquirer or successor of Cotano may continue to prove data consistent with this Policy.

- De-identified data. We might also share data with third parties if the data has been de-identified or aggregated in a way so it cannot be used to identify a Customer or its Authorized Users.

4.1. To protect confidentiality and integrity of Personal Data of our Customers and Authorized Users, we will maintain administrative, physical, and technical safeguards for protection of the security, as described in this Policy and the Terms of Service. These safeguards will include:

- Authentication measures, including secure methods of assigning, selecting, and storing access credentials, measures designed to restrict access to active users, and blocking access after a reasonable number of failed authentication attempts.

- Secure access controls, including measures designed to limit access to personal data of data subjects based on need-to-know, supported by appropriate policies, procedures and controls to facilitate access authorization, establishment, modification, and termination.

- Use of appropriate encryption technologies.

- Appropriate monitoring systems and other technical security measures intended to prevent and detect security breaches such as firewall protection, antivirus protection, security patch management, logging of access to or disclosure of personal information, and intrusion detection.

- Appropriate physical security to safeguard facilities and records containing personal information from unauthorized physical access, tampering or theft, such as facility access controls.

- Training and awareness programs designed to ensure workforce members are aware of and adhere to the security procedures and practices.

- Data back-up and disaster recovery procedures intended to permit continued provision of service in an emergency or disaster.

- Periodic assessment of threats and vulnerabilities to personal information and the effectiveness of the security procedures and practices implemented to comply with the GDPR.

Nonetheless, please note that no communication via the Internet can ever be 100% secure, and no security measures can ever be assured to be effective. Accordingly, you are advised to use caution and discretion when determining what Personal Data to disclose to us.

5.1. We do not knowingly permit children (under the age of 13 in the US or under the age of 16 in the European Economic Area) to sign up for an Account within our SaaS Services.

5.2. If you believe a person who is underage has signed up for an Account and provided us with Personal Data without a parental consent, please contact us at support@cotano.me. We will take reasonable steps to promptly remove that person’s Personal Data from our records.

6.1. We will retain your information (including Personal Data):

- as long as your subscription is active, and for a commercially reasonable time thereafter for backup, archival, fraud prevention or detection, or audit purposes, or as otherwise required by law

- for the purposes outlined in this Policy, our Terms of Service and, if applicable, a separate SaaS Agreement between the parties; and

- as necessary to comply with our legal obligations, for litigation/defense purposes, maintain accurate financial and other records, resolve disputes, and enforce our agreements.

6.2. We may use remote backup features that will send information from your device and/or browser to be stored on servers operated by or on behalf of the Cotano. Except to the extent specifically prohibited by applicable law, Cotano has no responsibility for any data transmitted to and from your device and/or computer and Cotano recommends that you make regular back-ups of all information and data on your device and/or computer.

6.3. If you wish to request that we no longer use your Personal Data, please contact us at support@cotano.me.

7.1. If you are a natural person residing within the European Economic Area (“Data Subject”), the following additional rights as expressed under the EU General Data Protection Regulation are applicable to you:

a) Basis for processing Personal Data: When the Customer is a legal entity, our legal basis for the processing of Personal Data may be the fulfillment of a legal contract executed between the Customer and Cotano or the fulfillment of a requested service (legitimate interests). On certain occasions, Cotano relies on the consent of the Data Subject to process Personal Data. Data Subjects must be at least the age of 16 to consent to the processing of their Personal Data. Data Subjects under the age of 16 must obtain their parent’s or legal guardian’s permission to consent to the processing. In other occasions, we may process information when we need to do so to fulfill a contract, provide services or where we are required by law to do so. We may also process data when it is in our legitimate interests to do so and when these interests are not overridden by the Data Subject’s data protection rights (which may vary based on the Data Subject’s jurisdiction). Such legitimate interests include, but are not limited to, operation of our business and services, verifying user’s identity, serving advertisement, improving products and services, analyzing performance, debugging, troubleshooting, and providing customer support.

b) Access, correct or update your Personal Data: Cotano takes reasonable steps to ensure that the information we collect is reliable for its intended use, accurate, complete and up to date. You may access, correct, or modify Personal Data that you provided to Cotano and that is associated with your Account. You may exercise these rights by contacting us as described below.

c) Right to Be Forgotten: You may request to have your Personal Data erased, or otherwise request that your Personal Data not be processed. Please note that the SaaS Services, or parts of the SaaS Services, may become inaccessible or otherwise not function properly if you request to have your Personal Data erased or not be processed. You may exercise this right by contacting us as described below.

d) Object, Restrict, or Withdraw Consent: You may withdraw consent you previously provided to Cotano or restrict the processing of your Personal Data. Please note that the SaaS Services, or parts of the SaaS Services, may become inaccessible or otherwise not function properly if you withdraw certain consents to restrict the processing of your Personal Data. You may exercise these rights by contacting us as described below.

e) Portability: You may request to receive a copy of the Personal Data you have previously provided to us during your use of our SaaS Services. You may do so by contacting us as described below.

f) International Transfers: Please be aware that the information we collect may be transferred to and maintained on servers or databases located outside your jurisdiction, where the privacy laws may not be as protective as those in your location. Cotano offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Customer Data. A copy of our standard Data Processing Addendum, incorporating Model Clauses, is available at: https://cotano.me/hub/data-processing-addendum.html.

g) Right to complain to a data protection authority: If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.

7.2. If you are a resident of California, under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our websites. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another visitor to our websites.

8.1. In the event of an unlawful data breach of our Website’s database or the database(s) of any of our third-party data processors, we will report it to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.

9.1. This Policy applies only to our Website. The Website may contain links to other web sites not operated or controlled by us. The policies and procedures described here do not apply to web sites or other services that Cotano does not operate or control. These links from our Website do not imply that we endorse or have reviewed those web sites or other services. We suggest contacting those services directly for information on their privacy policies.

10.1. You may receive marketing communications from us if you have subscribed to our newsletter. You have the right to withdraw consent to marketing at any time by emailing us at support@cotano.me or by clicking unsubscribe at the bottom of our emails.

10.2. We will never share your Personal Data with any third party for marketing purposes.

11.1. Cotano does not own, control or direct the use of any of the Customer Data (including Personal Data) stored or processed by a Customer or Authorized User via the SaaS Services. Only Customer or Authorized Users are entitled to access, retrieve and direct the use of such Customer Data. Cotano is largely unaware of what Customer Data is actually being stored or made available by a Customer or Authorized User to the SaaS Service and does not directly access such Customer Data except as authorized by the Customer, or as necessary to provide SaaS Services to the Customer and its Authorized Users.

11.2. Because Cotano does not collect or determine the use of any Personal Data contained in the Customer Data and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such Personal Data, Cotano is not acting in the capacity of data controller in terms of the GDPR and does not have the associated responsibilities under the GDPR. Cotano should be considered only as a processor on behalf of its Customers and Authorized Users as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this Policy, Cotano does not independently cause Customer Data containing Personal Data stored in connection with the SaaS Services to be transferred or otherwise made available to third parties, except to third party subcontractors who may process such data on behalf of Cotano in connection with Cotano’s provision of SaaS Services to Customers. Such actions are performed or authorized only by the applicable Customer or Authorized User.

11.3. The Customer or the Authorized User is the data controller under the GDPR for any Customer Data containing Personal Data, meaning that such party controls the manner such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

11.4. Cotano is not responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its subcontractors’ servers) at the discretion of the Customer or Authorized User nor is Cotano responsible for the manner in which the Customer or Authorized User collects, handles disclosure, distributes or otherwise processes such information.