GDPR
Effective date: 30th September 2025. Previous effective date: Nov 22, 2022.
Application
This policy applies to all employees, contractors, and vendors while doing business with Ortto and others who have access to personally identifiable information (PII) also referred to as consumer information (“personal data”) in connection with Ortto’s operating activities.
Policy
Ensuring compliance with requirements imposed by relevant data privacy regulations
Providing for the establishment of data privacy policies that set forth, among other things, the required technical, physical, and administrative safeguards to maintain the security, confidentiality, and privacy of personal data
Setting forth the roles and responsibilities necessary for Ortto to meet its obligations with respect to activities related to the processing of personal data
use plain language and avoid jargon
use a format that is readable including on small screens
be available in the languages in which the company conducts the business
be reasonably accessible to consumers with disabilities in accordance with the Web Content Accessibility Guidelines (WCAG) version 2.1.
contain a meaningful description of categories of personal information collected
the business purpose for collection
include a link titled "Do-Not-Sell-My-Personal-Information" if the business sells personal information of California residents
a description of the consumer's right to opt out of the sale of their personal information
an interactive form by which consumers can opt-out
offline or alternative methods to opt-out
Name and contact information for all GDPR Article 27 Local Representatives
Name and contact information for the Data Protection Officer (DPO), if applicable
Roles and Responsibilities
Policy Adoption
Responsible Person
Data Protection Officer (DPO)
Inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
Monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
Provide advice when requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
Cooperate with the supervisory authority;
Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Implementation
Data Protection and Regulatory Compliance
Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by Ortto systems
Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse
Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to relevant regulations and the handling of personal data as well as the Consumer (Data Subject) Access Request (DSAR) procedure. Relevant persons shall be trained to properly direct consumers in the exercise of their privacy rights.
Ortto will not transmit personally identifiable information (PII) to any third-party or vendor until an appropriate Data Protection Addendum (DPA), or sufficient contract language, has been fully executed by Ortto and the third-party.
Ortto shall not sell the personal information of minors or of persons who have previously opted out of sales, without explicit permission, and shall not ask for permission for at least twelve (12) months after a consumer has opted-out
Ortto shall ensure that no service providers continue to sell PII after a consumer has opted out
Ortto shall not use PII provided for the purposes of opting-out of a sale for any other purpose
Ortto shall not deny goods or services or otherwise discriminate against (i.e. charge different prices, or offer different levels of service) persons for exercising their privacy rights
Ortto shall provide at least two methods for consumers to submit data access requests including an email address or webform
Responses to access requests shall cover at least the preceding twelve (12) months
Ortto shall locate data in all relevant systems in response to access requests
A public-facing Privacy Policy shall include a description of consumers’ rights and shall be updated at least every twelve (12) months
PII collected for the purposes of responding to a SAR shall not be used for any other purpose
Ortto shall not sell any PII without posting a “Do Not Sell My Personal Information” link on the company homepage and Privacy Policy for consumers to opt-out of any sale.
Ortto shall provide at least two methods for opting out of sales of PII which are consistent with the manner in which the company typically interacts with customers
Ortto will allow consumers to opt-out of sales via web browser plugin or other privacy setting
When Ortto offers an opt-out of a specific use, it shall also offer a global opt-out
Ortto shall ensure that opt-out requests are honored as soon as feasibly possible and within fifteen (15) days in all cases
Ortto shall establish a process for consumers to submit requests via an authorized agent
Ortto shall ensure that a written contract is established with all service providers that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific purpose specified in the contract
Service providers shall only use, retain or disclose PII for the following purposes:
to provide service on behalf of the controller
to employ another service provider
to improve service quality
to detect security incidents and or fraud
to comply with the law or law enforcement
Ortto shall inform consumers of the company’s privacy practices at or before any PII collection. The Privacy Notice shall be made available via a link titled “privacy” on the company’s homepage.
Ortto shall deny access requests where the requestor’s identity cannot be reasonably verified
In any case where Ortto has a legal basis for denying a consumer request, it shall provide an explanation of its decision to the consumer, including a reference to the relevant laws or regulations
Ortto shall provide an individual response to each requestor and not refer them to a policy or provide a generic response
Ortto may de-identify personal information in response to a request for deletion
Ortto shall not be required to delete personal information from backups unless the backups are restored, accessed or disclosed
Ortto may retain records of completed deletion requests for compliance purposes
Ortto shall deny fraudulent requests with an explanation as to why they believe the request is fraudulent
Opt-out processes shall require minimal steps, and no opt-out process shall have more steps than the corresponding opt-in process
Opt-in processes shall have two steps: an opt-in request followed by a verification of the request
When a consumer who has opted-out attempts to use a service that requires opt-in, the company shall inform the consumer how to opt-in
When the company collects personal information that a consumer would not reasonably expect from a mobile device then it shall provide a just-in-time notice containing a summary of categories collected and a link to the full notice.
Breach Notification
Identity Verification
The company shall implement reasonable security measures to detect and prevent fraudulent identity-verification activity.
Before providing categories of personal information, the company shall verify the identity of requesters to a "reasonable degree of certainty." Before providing specific pieces of personal information or honoring a deletion request, a company shall verify the identity of requesters to a "high degree of certainty," depending on the sensitivity of the personal information or the risk of harm from an unauthorized deletion request.
whenever feasible, identifying information provided by a requestor should be matched against identifying information already maintained by the company, or verified using a third-party identification service
avoid collecting unnecessary personal information
consider the sensitivity of information requested, the risk of harm to the consumer, the likelihood of fraud, the manner in which the business interacts with the consumer and the availability of verification technology.
Agent Verification
Verify their own identity directly with the company.
Directly confirm with the company that they provided the authorized agent permission to submit the request
Request Verification for Minors
Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the company by postal mail, facsimile, or electronic scan
Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
Having a parent or guardian connect to trained personnel via video-conference;
Having a parent or guardian communicate in person with trained personnel; and
Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.
Consumer (Data Subject) Access Requests (DSAR/SAR)
Access (a copy of the personal data undergoing processing)
Rectification of personal data (correction of data stored or processed)
Erasure (‘right to be forgotten’)
Notification regarding rectification or erasure
Objection to processing (withdrawal of consent to processing)
Right to opt-out of any sale of PII (i.e. Do Not Sell requests)
SAR/DSAR Response Requirements:
Categories of PII collected
Categories of PII sold and disclosed to third parties
SAR when Ortto is the data controller:
Categories of PII sold and disclosed to third parties
- A SAR must be made using the link on Ortto’s website https://ortto.com/gdpr/. If the consumer has a password-protected account on Ortto systems, the company may provide an “interface” or self-service mechanism that the consumer is instructed to use to initiate the SAR process.
- A SAR can also be made using the email address privacy@ortto.com.
- A SAR may be made using the webform available on the website https://prighter.com/cc/ortto.
- Where required, the consumer must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.
- When submitting the SAR via the interface, the consumer must identify the SAR type that is being requested, e.g., erasure.
- If a SAR is submitted by an agent, the submission must include the identification of the consumer as well as a signed authorization from the consumer. Ortto must make reasonable efforts to verify the identity of the consumer and legitimacy of all requests submitted by authorized agents.
- If a SAR is received which does not meet Ortto’s criteria, Ortto shall inform the consumer or agent how to correct the SAR in order to receive a response from Ortto
SAR when Ortto is the data processor:
- The SAR must be submitted via the user interface in the Ortto Services.
- Ortto shall direct the consumer to the relevant Controller in accordance with all contractual commitments.
SAR requirements:
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; Ortto will acknowledge any manual requests within 10 business days. The acknowledgement will describe the verification process and when the consumer should expect a response.
- Ortto has thirty (30) days from the initial request date to complete the request. If the company cannot respond within thirty days, it shall provide notice to the consumer. In California, the company may extend the response timeline up to an additional forty-five (45) days.
- The SAR application will be documented and can be audited using Ortto's internal processes.
- Ortto shall ensure that deletion and correction requests are sent to subprocessors as needed
Ortto as the data controller
- Collect the data specified by the consumer.
- Verify the identity of the consumer by email.
- Search all databases and all relevant filing systems (manual files) in Ortto, including all backup and archived files, whether computerized or manual, and including all email folders and archives. Ortto maintains a record that identifies where personal data in Ortto is stored.
- Ortto will maintain a record of requests for data and of its receipt accessible by Ortto’s Data Protection Officer, and/or any other designated Ortto representatives. Ortto will also keep a record of processing to include dates.
- Provide consumers an online mechanism for making requests and all such requests will be logged.
- Ortto will acknowledge the SAR within ten (10) days of the initial request and respond to any SAR within 30 days of the initial request.
- SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.
SAR Exemptions
- Ortto may withhold information requested under SAR in accordance with any exemption under applicable law. Any such exemption must be reviewed and approved by the Data Privacy Officer.
Compelled Disclosure
If determined to be appropriate by legal and executive management, Ortto will investigate the demands, and if it is determined at Ortto’s sole discretion that they are valid, Ortto will search for and disclose the information that is specified and that it is reasonably able to locate and provide. Ortto shall not process overly broad or vague demands, and will not disclose information that is not specifically demanded, except in response to follow-up demands.
Enforcement
Disciplinary Action
Records Retention and Metrics
- request date
- nature of request
- request method
- date of company response
- nature of company response
- basis for any denial
- the number of requests "to know" received and processed
- the number of requests "to delete" received and processed
- the number of requests "to opt-out" received and processed
- the median number of days to respond
Disclosures Log
Special Cases
Household Requests
- all consumers of the household submit a joint request
- the company individually verifies all members of the household
- the company verifies that each requestor is a member of the household
Reporting
Applicable Laws, Regulations and Standards
ISO 27001 Information Security Management System (ISMS)
ISO 27701 Privacy Information Management System (PIMS)
SOC 2 Privacy Criterion
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
The Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG)