PRIVACY POLICY, effective as of May 11, 2018

  • CREATIO (“we”, “us”, “Creatio”, “our” or “the Company”) is committed to protecting the privacy of Data subjects (“you”). This Privacy Policy (together with Master Subscription Agreement, Terms of Use and other documents referred to it) sets out the basis on which any Personal data we collect from you, or that you provide to us, will be processed by the Company. It also covers processing of employee Personal data by the Company and Personal data the Company receives from suppliers.

  • By visiting the Company site — creatio.com, hereinafter referred to as “the Site” or by subscribing to the Site or purchasing the Company Services, you accept privacy statements described in this Policy.

  • If you have questions or complaints regarding this Privacy Policy, please contact us – dpo@creatio.com

GLOSSARY

  • As used in this Privacy Policy, the following terms are defined as follows:

  • The Company — Creatio LTD and its affiliates.

  • Services — downloadable software, mobile applications, cloud services, trainings, technical support and other services provided by us.

  • Data subjects (“You”) – customers of the Company (persons who use the Company Services), visitors (persons who visit the Site), persons who registered to attend our events.

  • Registration data – contact information collected with the help of the registration form, such as your name, email address, user name. By specifying a country in the registration form, you confirm that you are a resident / citizen of this country.

  • Personal data — any information relating to an identified or identifiable Data subject or to the Clients of our Customers (if applicable).

  • Customer data – personal data that was added to Services during its use, reports, addresses and other data and files/documents in electronic form that Customer stores within Services.

INFORMATION WE COLLECT

  • We collect different types of information from or through the Services.

  • The Company needs the legal basis to process the collected information to ensure the provision of Services in accordance with the Terms of Use, Master Subscription Agreement and other documents referred to it and that the processing is carried out on the Company legitimate interests (further explained in the applicable section).

  • We may also process data upon your consent, asking for it in case of necessity.

  • When you

    • express an interest in obtaining additional information about Services;
    • register to use our Site or other Services;
    • register for an event;
  • the Company requires you to provide us with minimum necessary Personal contact information, such as:

    • name;
    • company name;
    • address;
    • phone number;
    • email address;
    • credit card or other billing information (financial qualification and billing information, such as billing name and address, credit card number, the number of employees of the organization that will be using the Services).
  • Personal data also includes other information, such as geographic area or preferences.

  • You may provide us with Personal data in various ways on the Services. For example, when you register on our web site, use Services or send us customer-related requests.

INFORMATION COLLECTED BY CUSTOMERS

  • Our Customers may store or upload Customer data to the Services.

  • The Company has no direct relationship with the Data subjects whose Personal data it hosts as part of Customer data.

  • Each Customer is responsible for notifying its clients and third parties concerning the purpose for which the Customer collects their data and how such Data is processed in or through the Services as part of Customer data.

  • The Company may also store information such as name, company name, address, phone number, emails of contacts that you choose to store into the Services in our applications. When you store personal information about your contacts, we will use this information only for the specific reason for which it is provided, such as to add new records to your Service account.

How the Company can use Customer’s data uploaded to the Services:

  • the Company uses Customer’s data only for providing and improving user-facing features. All other uses of Customer’s data are prohibited;
  • the Company can transfer Customer’s data in the following cases:
    • If it is necessary to provide or improve user-facing features;
    • If it is necessary to comply with applicable law or as part of a merger, acquisition, or sale of assets with notice to users;
  • The Company does not use or transfer Customer’s data for serving ads, including retargeting, personalized, or interest-based advertising;
  • The Company does not allow its staff to read the Customer’s data unless:
    • The Company first obtained the Customer’s affirmative agreement for specific messages;
    • The Company has received the specific request from Customer during rendering technical support services;
    • It is necessary for security purposes (such as investigating a bug or abuse);
    • It is necessary to comply with applicable law;
    • It is necessary for internal operations and the data (including derivations) have been aggregated and anonymized.

INFORMATION COLLECTED BY COOKIES

  • When you navigate the Site, the Company may automatically collect information with the help of the commonly used information-gathering tools, such as cookies, clear gifs, web beacons (website navigational information).

  • This website navigational information may include:

    • Standard information from your browser (such as browser type, browser language);
    • IP address or other device address or ID;
    • Actions you take on the Site (such as the web pages viewed and the links clicked);
    • The pages or other content you view to interact with our Services;
    • Dates and times of the visit, access, or use of the Service;
    • Information regarding your interaction with emails, such as whether Data subject opens, clicks on or forwards a message.
  • This information is gathered from all Data subjects.

INFORMATION COLLECTED FROM OTHER SOURCES

  • We may obtain information, including Personal data from third parties and sources other than the Services, from our partners, advertisers.

  • If we combine or associate information from other sources with Personal data that we collect through the Services, we will treat the combined information as Personal data in accordance with this Policy.

BASIS FOR PROCESSING THE DATA

  • The Company processes your Personal data if and to the extent that at least one of the following applies:

    • The Data subject has given the consent to the processing of personal data, including the consent given by filling the form on the Site;
    • Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the Data subject prior to entering into a contract (including employment agreement);
    • Processing is necessary for compliance with a legal obligation to which the Company is subject.

HOW THE DATA IS USED

  • The Company uses Personal data about Data subjects to perform Services requested, including the following*:

    • To plan and host Company’s events, forums, webinars, social networks in which Data subject may participate;
    • To populate online profiles for Data subjects on the Site;
    • For marketing purposes, for example to contact Data subject to discuss your interest in Services, to send you information regarding the Company, its affiliates, and its partners, such as information about products, promotions or events;
    • To check the necessary financial qualifications and collect payments from Customers (credit card or billing information);
    • The Company uses Cookies to operate and improve the Site; Cookies may be also used alone or in combination with personal data of the Data subject to provide personalized information about the Company;
    • To operate, maintain, enhance and provide Services and information that you request, to respond to comments and questions and to provide support (including Technical support) to Customers;
    • To improve Services, to develop new products, services, features and functionality;
    • The Company uses Google Analytics to measure and evaluate access to and traffic on the Site and create user navigation reports for our Site administrators. Google operates independently from the Company and has its own privacy policy. Google may use the information collected through Google Analytics to evaluate Data subject’s activity on our Site. We take measures to protect the technical information collected by our use of Google Analytics. The data collected will only be used on a need-to-know basis to resolve technical issues, administer the Site and identify visitors’ preferences; but in this case, the data will be in non-identifiable form. We do not use any of this information to identify Data subjects.
  • The Company processes Personal data solely in accordance with the directions provided by the applicable Data subject.

  • * This part does not apply for the information stored or uploaded by our Customers to the Services.

DISCLOSURE OF THE INFORMATION

  • Except as described in this Policy, the Company will not intentionally disclose Personal data or Customer data that we collect or store in the Services to third parties without the consent of the applicable Data subject.

  • We may disclose information to third parties if you consent us to do so, as well as in the following circumstances:

    • Service Providers or business partners. The Company may share Data about Data subject with the Company’s contracted service providers so that service providers can provide services on our behalf. Such service providers are authorized to use only Personal data necessary to provide the requested services to the Company. Without limiting the foregoing, the Company may also share Personal data about Data subject with the service providers to ensure the quality of information provided, and with third-party social networking and media websites (for example Facebook) for marketing and advertising on those websites. The Company limits the information provided to these service providers to the aforementioned cases, which is reasonably necessary for them to perform their functions. Company’s contracts with service providers require them to maintain the confidentiality of such information. Unless described in this Privacy Policy, the Company does not share, sell, rent or trade any information with third parties for these promotional purposes.
    • The Company affiliates. The Company may share Personal data about Data subjects with affiliates of The Company in order to work with them, for example for customer support, marketing, technical operations purposes.
    • Non-personally identifiable information. We may make certain automatically collected, aggregated, or otherwise non-personally-identifiable information available to third parties for various purposes, including (1) compliance with various reporting obligations; (2) for business or marketing purposes; or (3) to assist such parties in understanding Data subject interests, habits, and usage patterns for certain programs, content, services, and/or functionality available through the Services.
    • Law enforcement, legal process and compliance. The Company reserves the right to use or disclose information provided if required by law, or if the Company reasonably believes that usage or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order or legal process.
    • Billing. The Company uses a third party service provider to manage payment processing. This service provider is not permitted to store, retain or use billing information except for the sole purpose of credit card processing on the Company’s behalf.

DATA SUBJECT (YOUR) RIGHTS

  • Every Data subject has the following rights.

  • Their assertion is to be handled immediately by the responsible unit and cannot pose any disadvantage to the data subject.

    • The Data subject may request information on which Personal data relating to him/her has been stored, how the data was collected, and for what purpose. If there are further rights to view the employer’s documents (e.g. personnel file) for the employment relationship under the relevant employment laws, these will remain unaffected.
    • If Personal data is transmitted to third parties, information must be given about the identity of the recipient or the categories of recipients.
    • If Personal data is incorrect or incomplete, the data subject can demand that it be corrected or supplemented.
    • The Data subject can object to the processing of his or her data for purposes of advertising or market/opinion research. The data must be blocked from these types of use. Please, be aware that if you opt-out of receiving marketing/advertising email from the Company or modify the nature or frequency of promotional communications you receive from the Company, it may take up to 10 (ten) business days for us to process your request.
      NB! Even after you opt-out from receiving marketing/advertising emails, you will continue to receive administrative messages from us regarding ordered services.
    • The Data subject may request his/her data to be deleted if the processing of such data has no legal basis, or if the legal basis has ceased to apply. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Existing retention periods and conflicting interests meriting protection must be observed.
    • The Data subject generally has a right to object to his/her data being processed, and this must be taken into account if the protection of his/her interests takes precedence over the interest of the data controller owing to a particular personal situation. This does not apply if a legal provision requires the data to be processed.
  • At any time, Data subject may object to the processing of his/her Personal data on legitimate grounds, except where it is permitted by applicable law.

  • If you believe your right to privacy granted by applicable data protection laws has been infringed upon, please contact us – dpo@creatio.com

  • Data subject also has a right to lodge a complaint with data protection authorities.

  • NB! This provision does not apply to Personal data that is a part of Customer data. In this case, the management of the Customer data is the Customer’s own subject.

  • Privacy policy and any request for access, correction or deletion should be made to the Customer responsible for the collecting and storage of such data into the Services.

  • Company has no direct relationship with the clients of our Customers whose Personal data may be processed on behalf of a Customer. An individual who seeks access, or who seeks to correct, amend, delete inaccurate data or withdraw consent for further contact should direct his or her query to the Customer they deal with directly. If the Customer requests the Company to remove the data, we will respond to this request within 15 (fifteen) business days. We will delete, amend or block access to any Personal data that we are storing only if we receive a written request to do so from the Customer who is responsible for such Personal data, unless we have a legal right to retain such Personal data. We reserve the right to retain a copy of such data for archiving purposes, or to defend our rights in litigation. Any of such requests regarding Customer data should be addressed as indicated in “How to contact us” section, and include sufficient information for the Company to identify the Customer or its Client or third party and the information to delete or amend.

DATA SECURITY

  • The Company uses robust security measures to protect Data against accidental or unlawful destruction, accidental loss, unauthorized alteration, and any other unlawful form of processing of the Personal data and Customer data in our possession.

  • Company follows generally accepted industry standards to protect Personal and Customer data.

  • It includes, for example, firewalls, password protection and other access and authentication controls.

  • Nevertheless, no method of transmission over the Internet, or method of electronic storage is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store in the Services, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your Personal data has been compromised, please contact us as set forth in the “How to contact us” section.

  • If we learn of a security system breach, we will inform you and the authorities on the occurrence of the breach in accordance with applicable law.

  • The Company uses its own Services to maintain Data about Data subjects; information stored in the Services is secured as Customer data. For more details, please visit here: creatio.com/gdpr

SPECIFIC DATA PROTECTION PROVISIONS ON CUSTOMER DATA UPLOADED FOR THE COMPANY CLOUD SERVICES

  • The Company does not own, control or direct the use of any of the Customer Data stored or processed by a Customer via the Service. Only the Customer is entitled to access, retrieve and direct the use of such Customer Data. The Company is largely unaware of what Customer Data is actually being stored or made available by a Customer to the Services and does not directly access such Customer Data except as authorized by the Customer, or as necessary to provide Services to the Customer.

  • Because of the fact that the Company does not collect or determine the use of any Personal Data contained in the Customer Data and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such Personal Data, the Company is not acting in the capacity of data controller in terms of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) and does not have the associated responsibilities under the GDPR. The Company should be considered only as a processor on behalf of its Customers as to any Customer Data containing Personal Data that is subject to the requirements of the GDPR. Except as provided in this Privacy Policy, the Company does not independently cause Customer Data containing Personal Data stored in connection with the Services to be transferred or otherwise made available to third parties, except to third party subcontractors who may process such data on behalf of the Company in connection with the Company’s provision of Services to Customers. Such actions are performed or authorized only by the applicable Customer.

  • The Customer is the data controller under the GDPR for any Customer Data containing Personal Data, meaning that such party controls how such Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data.

  • The Company is neither responsible for the content of the Personal Data contained in the Customer Data or other information stored on its servers (or its subcontractors’ servers) at the discretion of the Customer, nor for the manner in which the Customer collects, handles, discloses, distributes or otherwise processes such information.

DATA RETENTION

  • The Company only retains the Personal data collected from Data subjects for as long as the Data subject profile is active or otherwise for a limited period as long as we need to fulfil the purposes and requests for which we have initially collected it, unless otherwise required by the Contract or law.

  • The Company will retain and use the Data as necessary to comply with legal obligations, resolve disputes and enforce our Contracts and Agreements.

    • Closed profiles are deleted within 15 (fifteen) business days after receiving the request;
    • Backups are kept for 90 (ninety) calendar days;
    • Billing and legal information is kept for 10 (ten) years;
  • Please, use this link for more information about Data retention: creatio.com/Privacy (section - Data Retention Policy).

TRANSFER DATA

  • The Company uses hosting for Data of Data subjects and Customer Data. The Company may transfer, process and store Personal data and Customer data through the Services in the centralized databases and with service providers located in EU and USA.

  • To facilitate the Company’s operations, the Company may transfer and access such information from around the world, including other countries in which the Company has operations.

  • This Privacy policy shall apply even if the Company transfers Data subject Personal data or Customer data to other countries.

THIRD PARTIES

  • Site and Services may contain features or links to websites and Services provided by third parties.

  • Information you provide on third party sites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through the Service.

  • Company is not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through the Service.

  • We recommend that you learn about third parties’ privacy and security policies before providing them with any information.

COOKIES

  • Company uses commonly used information-gathering tools, such as cookies, to collect information as you navigate Company’s Site. As described below, we use these cookies or similar technologies to analyze trends, administer websites and Services, track users’ movements related to our Site and Services, serve targeted advertisements and gather demographic information about our user base as a whole. This section describes the types of Cookies or similar technologies on the Site and Services, and how this information may be used.

  • Company uses cookies to make interactions with the Company’s Site easy and meaningful. When Customer/You visit the Site, Company’s servers send a cookie to Customer’s/Data subject’s computer/device.

  • Standing alone, cookies do not personally identify Data subject; cookies merely recognize your web browser.

  • Unless Data subject chooses to identify himself to the Company, either by responding to a promotional offer, opening an account or filling out a web form (for example “Contact me”, “Free trial” web form) or unless you have previously identified yourself to the Company, you remain anonymous to the Company.

  • Company uses cookies that are session based and persistent based. Session cookies exist only during one session. They disappear from your computer/device when you close your browser or turn off your computer/device.

  • Persistent cookies remain on your computer or device after you close your browser or turn off your computer.

  • Data subject can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on the Site or using the Services.

  • The following types of Cookies are used on the Site:

Type of Cookies: Required cookies
Description: Required cookies enable you to navigate the Company’s Websites and use its features, such as accessing secure areas of the Websites and using the Company Services. If you have chosen to identify yourself to the Company, the Company may place on your browser cookies containing an encrypted, unique identifier. These cookies allow the Company to uniquely identify you when you are logged into the Websites and Services and to process your online transactions and requests.
Managing Settings: Because required cookies are essential to operate the Company’s Websites and the Services, there is no option to opt out of these cookies.

Type of Cookies: Functionality cookies
Description: Functionality cookies allow the Company’s Websites and Services to remember information you have entered or choices you have made (such as your username, language, or your region) and provide enhanced, more personal features. These cookies also enable you to optimize your use of the Company Websites and Services after logging in. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize.

Functional cookies may also be used to improve how the Company's Websites and Services function and perform, to enhance and customize your interactions with the Company, and to help us provide you with more relevant messages, including marketing communications. These cookies collect information about how Visitors use our Websites and Services, including which pages visitors go to most often and if they receive error messages from certain pages.

The Company may use its own technology (under the Company brand name or an affiliated brand name) or third parties to track and analyze the usage and volume statistical information from Visitors, Attendees, and Customers, to provide enhanced interactions and more relevant communications, and to track the performance of the Company's advertisements.

The Company and its third-party partners may also utilize HTML5 local storage or Flash cookies for these purposes. Flash cookies and HTML local storage are different from browser cookies by the amount of, type of, and the way the data is stored. The Company also uses Flash cookies to store your preferences or display content based upon what you view on our Websites and Services to personalize your visit.
Managing Settings: To learn more about how to control cookies using your browser settings click here.

To learn how to manage privacy and storage settings for Flash cookies click here.

Type of Cookies: Targeting or Advertising cookies
Description: The Company sometimes uses cookies delivered by third parties to show you ads of the Company products and services that we think may interest you on any devices you may use and to track the performance of Company advertisements. For example, in these cases, cookies remember information such as what browsers have visited the Company’s Websites. The information provided to third parties does not include personal information, but this information may be re-associated with personal information after the Company receives it. If the Company is using one of its own cookie-related products on our own Website, then a cookie related to ads may appear on our Website under the Company or one of our affiliated company's name.
Managing Settings: To learn more about these and other advertising networks, and your ability to opt out of collection by certain third parties, please visit the opt-out pages of the Network Advertising Initiative here, and the Digital Advertising Alliance here.

To learn how to manage privacy and storage settings for Flash cookies click here. Various browsers may offer their own management tools for removing HTML5 local storage.

LOG FILES, IP ADDRESSES, URLS AND OTHER DATA

  • The Company gathers certain information automatically to analyze trends to aggregate and administer the Site and Services.

  • This information may include Data subject’s Internet Protocol (IP) address (or the proxy server you use to access the world wide web), device and application identification number, your location, browser type, internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system and system configuration information, and time/date stamps associated with your usage.

  • Due to Internet communication standards, when you visit or use the Site and Services, the Company automatically receives the URL of the website from which you came and website to which you go when you leave our Site.

  • This information is used to analyze overall trends to help Company improve the Site and Services, to track and aggregate non-personal information, and to provide Site and Services.

  • For example, the Company collects IP addresses to monitor the region from which Customer navigates the Site.

CHILDREN PRIVACY

  • The Company Site and Services are not directed to children under the age of 16.

  • Company does not knowingly collect Personal data from children under the age of 16 without obtaining parental consent. If you are under 16 years of age, then, please, do not use or access Services at any time or in any manner.

  • If the Company discovers that Personal data has been collected on the Services or Site from persons under 16 years of age and without verifiable parental consent, then the company will take the appropriate steps to delete this information.

  • If you are a parent or a guardian and discover that your child under 16 years old obtained an account on the Site or the Services, please notify us at dpo@creatio.com and request to delete this child’s Personal data from our systems and databases.

CHANGES AND UPDATES TO THIS POLICY

  • The Company reserves the right to change this Privacy policy.

  • The Company will provide notification through the site about material changes to this Policy.

  • Please, revisit this page periodically to stay aware of any changes to this Policy.

  • If the Company amends the Policy, the Company will make it available through the Site and indicate the date of the latest revision, and will comply with the applicable law.

  • Your continued use of the Site and Services after the revised Policy has become effective is regarded as your active deed and indicates that you have read, understood and agreed to the current version of the Policy.

CONTACTING US

  • Questions regarding this Privacy Policy or the information practices of the site and Services, your consent choices, concerns or complaints about this Policy or your Personal data should be directed to our Privacy team by email dpo@creatio.com or by mailing us at:

    BPMONLINE LTD, 1 Kinyra Street, Kinyras Tower, 3rd Floor, 1102 Nicosia, Cyprus