(Updated February 6th, 2020)
- 1. Purpose and scope
- 2. Terms and definitions
- 3.1. Collection and Use of Information
- 3.1.1. Purposes of the data processing and the legal basis for it
- 3.1.2. Information Collected or Received from Customer
- 3.2. PII retention period
- 3.3. Personal Data Protection Controls
- 3.4. Sharing with Third Parties
- 3.5. Rights of the data subject
- 3.6. Do Not Track Signals
- 3.7. Enforcement and Dispute Resolution
1. Purpose and scope
This Policy determines the main principles of privacy and rules that are applied by CUJO LLC and all of its subsidiaries (“CUJO”, “We” or “Our”) with respect to PII (as defined below). This Policy is governed by Cujo’s Terms of Service (https://cujo.com/terms-of-service/). Capitalized terms that are not defined herein will have the meanings set forth in those Terms of Service.
This Policy covers information about the applicable data controller(s) and data processor(s), CUJO’s data protection officer, the business purpose and legal bases for processing, categories of personal data, information about data recipient(s), details of transfers to third countries, data protection controls, retention periods or criteria used to determine the retention period, information about data subject’s rights, and the sources of the PII at issue. Please contact us at [email protected] if you have any questions about this Policy.
2. Terms and definitions
“CCPA” means the California Consumer Privacy Act that took effect on January 1, 2020 and creates for California consumer new rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses;
“Data controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Data processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of controller;
“Data subject” means a data subject is any person whose personal data is being collected, maintained or processed. Personal data can refer to a person’s name, his or her home address, publications on social networks and so forth. Any person becomes at some point a subject of data – whether they are applying for a job, booking a flight, using their credit card or simply surfing the internet.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal data” is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“PII” means personally identifiable information.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to GDPR Article 51 Other terms and definitions used in this policy have the same meaning as in International standard ISO/IEC 27000 “Information technology – Security techniques – Information security management systems-Overview and vocabulary”.
CUJO holds ISO/IEC 27001:2013 certificate and is committing to ensure protection of personally identifiable information (PII) by all available means. CUJO classifies PII as confidential information according to the CUJO information classification scheme set forth below. CUJO processes PII only with the individual’s (i.e., the data subject’s) consent or other legal bases. All data controllers and processors (if any) are responsible for proper application of this Policy. CUJO maintains a log of the chain of custody PII processing. To meet the European Union (“EU”) law requirements that PII transferred from the EU to the United States be adequately protected We do adhere to the Privacy Shield Principles.
3.1. Collection and Use of Information
CUJO holds ISO/IEC 27001:2013 certificate and is committing to ensure protection of personally identifiable information (PII) by all available means. CUJO classifies PII as confidential information according to the CUJO information classification scheme set forth below. CUJO processes PII only with the individual’s (i.e., the data subject’s) consent or other legal bases. All data controllers and processors (if any) are responsible for proper application of this Policy. CUJO maintains a log of the chain of custody PII processing.
3.1.1. Purposes of the data processing and the legal basis for it
CUJO processes the following personal data for the purposes listed below:
3.1.2. Information Collected or Received from Customer
Provision of services or products
Performance of contract or required
Consumer meta data
Performance of contract or required
CUJO’s primary goals in collecting PII are to provide and improve the Services provided to customers, to administer customers’ use of the Services (including customers’ Accounts, if customer is an Account holder), and to enable customers to enjoy and easily use the Services.
Account Information. If a customer creates an Account, CUJO will collect certain information that can be used to identify the customer, such as his or her name, email address, postal address and phone number. If the customer creates an Account through CUJO’s website, CUJO may also collect customer gender, date of birth and other information.
Information Collected Using Cookies and other Web Technologies. Like many website owners and operators, CUJO uses automated data collection tools on its website, such as cookies and Web Beacons, to collect certain information.
“Web Beacons” (also known as Web bugs, pixel tags or clear GIFs) are tiny graphics with a unique identifier that may be included on the Services for several purposes, including to deliver or communicate with cookies, to track and measure the performance of the Services, to monitor how many visitors view our Services, and to monitor the effectiveness of our advertising. Unlike cookies, which are stored on the user’s hard drive, Web Beacons are typically embedded invisibly on web pages (or in an e-mail.
Information Related to Use of the Services. Our servers automatically record certain information about how a person uses our Services (We refer to this information as “Log Data”), including both Account holders and non-Account holders (either, a “User”). Log Data may include information such as a User’s Internet Protocol (IP) address, browser type, operating system, the Web page that a user was visiting before accessing our Services, the pages or features of our Services to which a User browsed, and the time spent on those pages or features, search terms, the links on our Services that a User clicked on and other statistics. We use Log Data to administer the Services and We analyze (and may engage third parties to analyze) Log Data to improve, customize and enhance our Services by expanding their features and functionality and tailoring them to our Users’ needs and preferences.
As part of the Services, our hardware devices collect and transmit traffic identifying information. We store this information for up to thirty days on our servers.
Information Sent by Your Mobile Device. We collect certain information that a customer’s mobile device sends when he or she uses our Services, like the device identifier (aka MAC address), user settings and the operating system of the customer device, as well as information about customer’s use of our Services.
Location Information. When a customer uses our mobile App, We may collect and store information about the customer’s location by converting his or her IP address into a rough geo-location or by accessing the customer mobile device’s GPS coordinates or approximate location if the customer enables location services on his or her device. We may use location information to improve and personalize our services for customer. If customer does not want us to collect location information, he or she may disable that feature on the mobile device. The customer agrees and acknowledges that it has been informed about this the foregoing.
3.2. PII retention period
CUJO stores PII in an encrypted state and only to the extent required to fulfill the purposes stated in this document. The retention period depends on legal requirements and the duration of the contractual and/or subscription relationship.
CUJO will retain the PII We do process on behalf of our customers or collect directly from our customers for as long as needed to provide service to our customers, subject to our compliance with this Policy, or as required or permitted under the applicable law. PII will be anonymized and/or deleted in accordance with legal regulations when no longer be used for the purposes set forth in paragraph 3.1. Collection and Use of Information.
3.3. Personal Data Protection Controls
CUJO takes reasonable administrative, physical and electronic measures designed to protect PII from unauthorized or unlawful processing and against accidental loss, destruction or damage.
3.4. Sharing with Third Parties
CUJO will take efforts to manage and coordinate appropriate onward transfers of PII to third parties in accordance with this Policy. CUJO will not sell share or otherwise distribute PII to third parties except as provided in this Policy. CUJO will not directly disclose the identity of any person. PII may be transferred to third parties who act for or on CUJO behalf, who are contracted to use not to sell your PII to third parties, and not to disclose it to third parties except as may be required by law, as permitted by us or as stated in this Policy.
If CUJO has knowledge that data processor is processing PII in a manner contrary to this Policy, it will take all reasonable steps to prevent or stop the processing. Under certain circumstances, we may remain liable for the processing of EEA residents PII that we transfer to our data processors and the onward transfer thereof.
CUJO may share PII also as described below:
Information Disclosed in Connection with Business Transactions. If We are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale or if our assets are acquired by a third party in the event We go out of business or enter bankruptcy, some or all of our assets, including your PII, may be disclosed or transferred to a third-party acquirer in connection with the transaction.
Information Disclosed for Our Protection and the Protection of Others. We cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as We, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal process (including subpoenas); (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general; (iii) to stop any activity that We consider illegal, unethical or legally actionable activity and (iv) in response to other lawful requests by public authorities, including to meet national security or law enforcement requirements.
3.5. Rights of the data subject
Access: The data subject has the right to access his or her PII that is processed by CUJO and to obtain information, free of charge, on the sources and the type of his or her PII that has been collected, the purpose of processing of such PII and the data recipients to whom the PII are disclosed or have been disclosed by CUJO in connection with the Services, and other related information according to GDPR Article 15 and the CCPA. CUJO shall reply not later than 30 calendar days from receipt of the request in writing and shall provide the requested information or justification for the refusal to grant the request of the data subject. Upon the request of the data subject, such information must be provided by CUJO in writing.
Rectification: If the data subject finds out that his or her PII on the Services is incorrect, incomplete or inaccurate, he or she may contact CUJO (in writing, by e-mail, via the Site or any other form). CUJO will then review such PII and rectify the incorrect, incomplete and inaccurate PII (if any) without delay and/or suspend processing of such PII, except for the purpose of storage, or provide a written explanation to the data subject describing why such efforts were not necessary. CUJO may keep archive copies of such data if doing so is necessary to fulfill contractual obligations to the data subject and/or if it is required by applicable law or regulation (for example, for accounting purposes, cybercrime investigation, etc.).
Erasure: The data subject may request that CUJO erase some or all of his or her PII from CUJO’s systems.
Restriction of Processing: The data subject can ask us to restrict further processing of his or her PII.
Portability: The data subject can ask for a copy of his or her PII in a machine-readable format. He or she can also request that CUJO transmit the data to another controller where technically feasible.
Objection: The data subject can contact CUJO to let us know that he or she objects to the further use or disclosure of his or her PII for certain purposes, such as for direct marketing purposes or for the purposes of the legitimate interests pursued by the controller or by a third party.
Right to File Complaint: A data subject may appeal against actions of CUJO, acting as data controller and/or processor, to the appropriate supervisory authority or enforcement agency within three months of receipt of the refusal to grant the request or within three months of the date when the period imposed by applicable law or regulation for giving a reply (if any) expires. In order to avail him- or herself of the rights set forth in this section, the data subject must provide a valid identity document or otherwise verify his or her identity according to applicable laws or through electronic means of communication, which must provide reliable identification of the person.
3.6. Do Not Track Signals
CUJO’s Site does not have the capability to respond to “Do Not Track” signals received from various Web browsers.
3.7. Enforcement and Dispute Resolution
CUJO complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ In compliance with the Privacy Shield Principles, CUJO commits to resolve complaints about our collection or use of your PII.
Individuals residing in the EU, United Kingdom, Lichtenstein, Norway or Iceland (collectively, “EU Residents”) who have inquiries or complaints regarding our Privacy Shield policy should first contact CUJO at: Email: [email protected] CUJO has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.
If the data subject does not receive timely acknowledgement of his or her complaint, or if complaint is not satisfactorily addressed, as a last resort and in limited situations, EU Residents (other that employees of CUJO) may seek redress from the ICDR/AAA Privacy Shield Program, which is a binding arbitration mechanism. The Federal Trade Commission (FTC) has jurisdiction over CUJO’s compliance with the Privacy Shield.