Privacy policy
Effective date: 8 February 2022
1. General
We at Ortto, Inc. ("Ortto") value your privacy and are committed to taking care of your data,
and we take this responsibility very seriously. Please take the time to carefully read our Privacy Policy,
which explains why we collect your Personal Data and how we process it when you:
• visit our website (see, in particular, Section 3.1) or express an interest in our Products (see, in particular, Section 3.2),
• are our Customer (see, in particular, Section 3.3 below)
• are a Consumer of one of our Customers (see, in particular, Section 3.4 below) or
• are our Supplier or Business Partner (see, in particular, Section 3.5 below), or
• apply for a position with us (see, in particular, Section 3.6 below).
Controller
Ortto Inc. ("Ortto")
1390 Market Street Suite 200
San Francisco CA 94102
2. Definitions
Unless otherwise indicated, capitalized terms used in this Privacy Policy are defined in Annex 1. Most of
the definitions are derived from the California Consumer Privacy Act of 2018 (CCPA) which you can
access from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121 and
the General Data Protection Regulation (GDPR) which you can access from https://eur-lex.europa.eu/eli/reg/2016/679/oj.
3. How do we process your Personal Data?
We process your data in different ways depending on whether you visit our website or express an
interest in our Products, or whether you are our client, supplier, business partner or job applicant:
We do not sell your Personal Data within the meaning of Section 1798.140(t) of the CCPA.
3.1 Processing of Personal Data relating to visitors of our website
Cookies
We (or our third party service providers) use cookies to track visitor activity on the site. A cookie is a text
file that a website transfers to your computer's hard drive for record-keeping purposes. Our cookies
assign a random, unique number to each visitor's computer. They do not contain information that would
personally identify the visitor, although we can associate a cookie with any identifying information that is
or has been provided by a Customer while visiting our site. We or our third party service providers use
cookies that remain on your computer for a specified period of time or until they are deleted (persistent
cookies). These cookies record clickstream information (data reporting the URLs, or names of the
pages, on our Site that have been visited). We may also use cookies that exist only temporarily during an
online session (session cookies). These cookies allow you to log in to your account and they allow us to
identify you temporarily as you move through the site. Most browsers allow users to refuse cookies, but
doing so may impede the functionality of some portions of our site.
Web Beacons
Web beacons are tiny graphics with a unique identifier, similar in function to cookies, that are used to
track the online movements of Web users. In contrast to cookies, which are stored on your computer's
hard drive, Web beacons are embedded invisibly on webpages and may not be disabled or controlled
through your browser.
Third Parties
As noted, we may also engage third parties to track and analyze site activity on our behalf. To do so,
these third parties may place cookies or web beacons to track user activity on our site. We use the data
collected by such third parties to help us administer and improve the quality of the site and to analyze
usage of the site.
3.2 Processing of Personal Data relating to potential Customers
Purpose and Legal Basis
When you contact us to inquire about our Products, we process the Personal Data that you include in your
message or email, or that we collect during phone calls, in order to answer and process your inquiry at the
pre-contractual stage. Such processing is necessary for Contract Performance in order to take steps at
your request prior to entering into a contract. Contract Performance is also the purpose of any
processing of your Personal Data when you create an account in order to use our service.
Furthermore, we process your Personal Data provided with an inquiry for Direct Marketing purposes to
convert a potential client into an actual client. Such processing is based on a Legitimate Interest. You
have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct
Marketing, without being required to state your reasons, and can do so by visiting https://gdpr-rep.eu/q/15786322.
Personal Data Processed
We mainly process the Personal Data which you provide us during a pre-contractual phase. For all
Personal Data we collect from other sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address
• Other Personal Data you include in a free text field
Internet information (CCPA Category F)
• Order History
• IP Address and IP location
• Referring (exit pages and URLs)
• Number, duration and time of visits (your interaction with the Website)
• Search engines, key phrases and keywords used to find our site
• Browser type, type of device, screen size, internet service provider and operating system
Retention Period
The Personal Data will be deleted two years after a lead is lost.
Personal Data collected for purposes related to Contract Performance shall be retained until such
contract has been fully performed.
We may be allowed to retain Personal Data for a longer period whenever you have given consent to such
processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn. Furthermore,
we may be obliged to retain Personal Data for a longer period whenever required to do so for the
performance of a legal obligation or upon order of an authority.
Summary
Answer Inquiry
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to two years after a lead is lost
Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to two years after a lead is lost
Newsletter Subscription
Legal basis: Consent
Recipients: N/A
Retention: Up to two years after a lead is lost
3.3 Processing of Personal Data Relating to Customers
To use our Services you must create an account. To create an account, you must enter your full first and
last name, business name and email address.
When you subscribe to our Services, we collect your billing address, credit/debit card number, expiration
date, and other billing information necessary to process the transaction. We use this information to
process your transaction.
We also collect information about our Customers' use of the Services, including their order history,
Services usage and other similar information.
We allow Customers to "Like" our Site and Services through their Facebook Account. However, while we
do track which Customers choose to "Like" us, at this time we do not collect any information from
Facebook about Customers who choose to "Like" us.
In addition, we may ask Customers to submit certain optional information about their business, such as
their industry, target customers or demographics, and other information.
Purpose and Legal Basis
Your Personal Data as a customer is processed, first and foremost, for the purpose of providing services
related to Ortto Products. We may use or process Personal Data in connection with pre-contract
activities and discussion with you, and to perform the contractual legal relationship we have with you.
Furthermore, we process Personal Data when you open an account with us and place an order for goods
via one of our websites as an Account Holder.
Such processing is based on Contract Performance and to manage and maintain our relationships with
you and for ongoing customer service.
Besides that, we use your contact information to send you information on our Products as a form of
Direct Marketing. Your email address might be added to a contact list of those who may receive email
messages containing information of commercial or promotional nature as a result of signing up to this
Website or after making a purchase.
The processing activity related to Direct Marketing is based on Legitimate Interest. You have the right, at
all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without
being required to state your reasons, and can do so by visiting https://gdpr-rep.eu/q/15786322.
Processed Personal Data
We mainly process the Personal Data which you provide us with.
For all data we collect from other sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (CCPA Category B)
• Payment data
• Purchase information
• Billing address
• Credit/Debit card number
• Expiration date
• Other billing information necessary to process transactions
Internet information (CCPA Category F)
• Order History
• IP Address and IP location
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
Recipients
To achieve the objectives described above, it may be necessary to disclose your Personal Data to the
following Recipients in certain cases. We may disclose and transfer customer and consumer Personal
Data to third parties, including to our contractors or service providers who provide services which are
integrated into our Products or perform functions on our behalf. The actual Recipients depend on the
Products the Customer has signed up for.
Personal Data may be disclosed by being transferred, disseminated, or provided by other means to the
following parties on the basis that the Recipient is either subject to an EU Commission approved
Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries or are located
in an adequate third country according to GDPR:
1. Facebook Inc. (USA)
2. Google LLC (USA)
3. LiveChat, Inc. (USA)
4. Pipedrive (USA, Estonia)
5. Recurly, Inc. (USA)
6. Shopify Inc. (Canada)
7. Slack Technologies, Inc. (USA)
8. Twilio Inc. (USA)
9. Zendesk, Inc. (USA)
If you are based in Australia, your Personal Data may be transferred outside of Australia to recipients
located in the countries listed above.
Retention Period
We store all data necessary for tax purposes, especially contracts, invoices and other bookkeeping
documents, as well as relevant correspondence in relation to our contractual relationship, for a period of
five years.
We keep all other data for a period of five years in accordance with commercial law.
Summary
Contract
Legal basis: Contract Performance
Recipients: 1-9, depending on the Product the Customer chooses
Retention: Up to five years after termination of contract with Ortto
Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to five years
3.4 Processing of Personal Data relating to Consumers of our Customers
While we do not directly collect any Personal Data from Consumers or users of our Customers' Sites, we
may collect certain Personal Data about Consumers that use our Customers' Sites, in order to provide
Customers with information about how their sites are accessed and used. With respect to this Personal
Data we act as a Processor and process the Personal Data submitted to the Services or collected
through the Services on behalf of or at the direction of our Customers, who are the Controllers with regard to
these processing activities.
For example, we may receive IP address, browser type, domain name, referring URL, page views and
information relating to the device through which Consumers access our Customers' Site.
In addition, our Customers may, through their Sites and their use of our Services, collect additional
information from Consumers such as name, e-mail address and other contact information. We may
receive this Consumer information, which may include Personal Data, and store it on behalf of our
Customers. However, we will not use this Personal Data about Consumers for our own purposes. We
maintain such Personal Data about Consumers only on behalf of our Customers; this information
belongs to our respective Customers, not to Ortto. As noted above, our Customers' collection, use
and disclosure of Consumer Personal Data is not governed by this Privacy Policy. By disclosing
Consumer Personal Data to Ortto, a Customer acknowledges that it has read, understood and
agreed to this Privacy Policy and warrants that it has obtained the consent of the relevant Consumer to
such collection, use and disclosure of Personal Data as described in this Privacy Policy.
Purpose and Legal Basis
Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding
Ortto Products and services i.e. through websites developed and operated by our Customers. The
purpose of processing your Personal Data is the performance of our legal relationship with that
Customer.
3.5 Processing of Personal Data Relating to Suppliers and Business Partners
Purpose and Legal Basis
Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding
Ortto Products and services. This includes providers of services that are integrated in Ortto's
Products. The purpose of processing your Personal Data is the performance of our legal relationship.
Processed Personal Data
We mainly process the Personal Data you provide us with. For all Personal Data we collect from other
sources please refer to point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
If your company details include the name of an individual, you may be required to provide us with your
Personal Data to enable us to enter into a business relationship with you.
Retention Period
We store all Personal Data necessary for tax purposes, especially contracts, invoices and other bookkeeping
documents, as well as relevant correspondence in relation to our contractual relationship, for a
period of five years.
We keep all other Personal Data for a period of three years in accordance with commercial law.
Summary
Cooperation
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to five years after contract is completed.
3.6 Processing of Personal Data Relating to Applicants
Purpose and Legal Basis
We process your Personal Data either:
• to take steps prior to entering into a contract (conclusion of an employment agreement),
• on the basis of your explicit consent if we would like to keep your application on file for future consideration,
• and to fulfil our legal obligations (registering you as an employee in the social security system).
Your Personal Data is processed for the purpose of completing the application process. If you do not
provide us with your Personal Data, we cannot process your application.
Processed Personal Data
We mainly process the Personal Data you provide us with. For all Personal Data we collect from other
sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
Retention Period
The Personal Data of applicants who are not hired will be erased six months after the closure of the
application. If the applicant consents to their Personal Data being kept on file for future consideration,
we do not delete such Personal Data.
Summary
Application
Legal basis: Contract Performance
Recipients: N/A
Retention: Six months
4. Collection of Personal Data from Sources other than the Data Subject himself or herself (Article 14 GDPR)
Purpose and Legal Basis
If we process your Personal Data we usually collect Personal Data from you, and it is usually you who
provides us with this Personal Data. Nevertheless, in individual cases, we may also obtain Personal Data
from other sources (e.g. Slack.com) or publicly available sources, such as information we obtain from the
Internet.
Processed Personal Data
The Personal Data we obtain from third sources about you which is stored in our systems is limited to:
Identifiers (CCPA Category A)
• contact information (e-mail address and telephone number, postal address)
Professional or employment-related information (CCPA Category I)
• your function in the company
• your professional career
• and your assignment to or responsibility for a particular company (usually your employer, any affiliated company or for another reason with this related company) if you have not disclosed that information to us as part of the communication.
If you are an applicant, we can also process the following information about you from publicly available
sources:
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (CCPA Category B)
• your education,
• professional and academic career
• publications written by you
However, we usually ask you directly if you can provide us with this information if we could not find it in
your application documents.
This Processing is based on our Legitimate Interest in a complete set of Personal Data required for
professional communication, Contract Performance, our business relationships and the application
process, depending on the relationship we have with you.
5. Data Security
We handle Personal Data only as permitted by data protection regulations. We use a variety of technical
and organizational measures to help protect your Personal Data from unauthorized access, disclosure,
modification, loss or destruction in accordance with applicable data protection laws.
When handling Personal Data, our employees are obliged to comply with the regulations of the GDPR
and the CCPA and all other applicable data protection laws and regulations.
6. What are Your Rights with Respect to Processing of Personal Data?
6.1 Rights under CCPA and GDPR
Right of Access - right to obtain confirmation of which of your Personal Data is processed and
information about it, for instance, which are the purposes of the Processing, what are the conservation
periods, among others.
Right to Erasure ("right to be forgotten") - right to erase your Personal Data, provided that there are no
valid grounds for its retention, for example in cases where we have to keep the Personal Data to comply
with legal obligation or because a court case is in progress.
Right to Data Portability - right to receive the Personal Data you have provided us in a digital format of
current use and automatic reading or to request the direct transmission of your Personal Data to another
entity that becomes the new responsible for your Personal Data, however only if technically possible.
6.2 Rights Exclusively under GDPR
The GDPR protects further rights for Data Subjects in the European Union:
Right of Rectification - right to request modification of your Personal Data that is inaccurate or to have
incomplete Personal Data completed, such as the address, VAT, email, telephone contacts, or others.
Right to Withdraw Consent or Right of Opposition - right to object or withdraw consent at any time to
Processing, for example in the case of Processing for marketing purposes, provided that no Legitimate
Interests exist prevailing over your interests, rights and freedoms, such as defending a right in a judicial
process.
Right of Limitation - right to request the limitation of the Processing of your Personal Data, in the form
of: (i) suspension of Processing or (ii) limitation of the scope of Processing to certain categories of
Personal Data or purposes of Processing.
Right to object and ADM - When the Processing of Personal Data, including the Processing for the
definition of profiles, is exclusively automatic (without human intervention) and may have effects in your
legal sphere or significantly affect it, you shall have the right not to remain subject to any decision based
on such automatic Processing, except as otherwise provided by law, and shall have the right that we take
appropriate measures to safeguard your rights and freedoms and legitimate interests, including the right to
have human intervention in decision making by us, the right to express your point of view or contest the
decision taken on the basis of automated individual information Processing.
Right to complain - right to complain to the supervisory authority, in addition to us.
For rights asserted by Data Subjects from the EU under the GDPR the period for handling a request is
30 days unless it is a particularly complex request.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the
right to erasure, the right to rectification and the right to data portability cannot be enforced after
expiration of the retention period.
6.3 Rights Exclusively Under CCPA
The exercise of rights is free of charge, except in the case of a manifestly unfounded or excessive
request, in which case a reasonable fee may be charged regarding its costs.
The information must be provided in writing but may be given orally if requested. In this case, we should
verify your identity by means other than oral.
The response to requests based on the provisions of the CCPA should be provided within a maximum of
45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in
writing.
6.4 Rights Under the Australian Privacy Act
If you are in Australia, you may request access or correction of the Personal Data that we hold about you
by contacting us. Our contact details are set out below. There are some circumstances in which we are
not required to give you access to your Personal Information.
There is no charge for requesting access to your Personal Information but we may require you to meet
our reasonable costs in providing you with access (such as photocopying costs or costs for time spent
on collating large amounts of material).
We will respond to your requests to access or correct Personal Information in a reasonable time and will
take all reasonable steps to ensure that the personal data we hold about you remains accurate, up to
date and complete.
7. Non-Discrimination
We will not discriminate against you for exercising any of your rights. Unless for a good and reasonable
cause and unless permitted by law, we will not:
• deny you goods or services.
• charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• provide you a different level or quality of goods or services.
• suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
8. Changes to our Data Protection Provisions
We reserve the right to modify this Privacy Policy, so it is always in compliance with the current legal
requirements or to implement changes to services in the Privacy Policy, e.g., when introducing new
services. In this case, your future visits to our website will be subject to the updated Privacy Policy.
If you have additional questions regarding the processing of your Personal Data, please feel free to
contact us directly, either by email at privacy AT ortto.com or via mail to Ortto, 1390 Market
Street Suite 200, San Francisco CA 94102.
9. Contact Information
9.1 Requests from California Residents According to the CCPA
To exercise the access, data portability, and deletion rights described above in 7.1., California residents
may submit a verifiable consumer request to us by email at privacy AT Orttoapp.com.
Only you or a person registered with the California Secretary of State that you authorize to act on your
behalf, may make a verifiable consumer request related to your Personal Information. You may also make
a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month
period. The verifiable consumer request must:
• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your
identity or authority to make the request and confirm the Personal Information relates to you. Making a
verifiable consumer request does not require you to create an account with us. We will only use Personal
Information provided in a verifiable consumer request to verify the requestor's identity or authority to
make the request.
9.2 Data Subject Requests from EU Data Subjects According to the GDPR
We value your Data Subject Rights under GDPR and have therefore appointed GDPR-Rep.eu as our
representative according to Art 27 GDPR and provide you with an easy way to submit privacy-related
requests to us, such as a request to access or erase your personal data. If you want to make use of your data
subject rights, please visit: https://gdpr-rep.eu/q/15786322.
Contact:
GDPR-Rep.eu
Maetzler Rechtsanwalts GmbH & Co KG
Attorneys at Law c/o PersoGroup Ptd Ltd.
Schellinggasse 3/10, 1010 Vienna, Austria
Please add the following subject to all correspondence: GDPR-REP ID: 15786322
9.3 Data Subject Requests from Individuals in Australia
If you are in Australia you can contact us by email (privacy AT Orttoapp.com) or mail at the following
address:
Privacy Officer
OrttoHQ, Inc.
1390 Market Street, Suite 200
San Francisco California 94102
If you have further concerns about how we have handled a privacy issue, you may contact the Australian
Information Commissioner (www.oaic.gov.au).
Definitions
Account Holder means anyone who registers an account using the form accessible on the website
https://www.Orttoapp.com.
ADM means automated decision making.
CCPA means the California Consumer Privacy Act (CCPA) signed into law on June 28, 2018, to amend
Part 4 of Division 3 of the California Civil Code. http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.
CCPA Code means the categories (A) to (K) of Personal Information as defined in the CCPA.
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of
the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the Processing of Personal Data relating to him or her.
Consumer means clients of Ortto's Customers.
Contract Performance means concluding, maintaining, and completing of a contract concluded
between the Controller and a Data Subject, including Processing activities which take place at the
request of the Data Subject before entering into a contractual relationship.
Controller means the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the Processing of Personal Data; where the
purposes and means of such Processing are determined by Union or Member State law, the Controller
or the specific criteria for its nomination may be provided for by Union or Member State law.
Customers means Ortto's customers.
Data Subject is any natural person whose Personal Data is being collected, held or processed.
Examples of a Data Subject can be an individual, a customer, a prospect, an employee, a contact person,
etc.
Direct Marketing means personal data processed to communicate a marketing or advertising message.
This definition includes messages from commercial organisations, as well as from charities and political
organizations.
General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in
the European Union (EU) and the European Economic Area (EEA); Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj.
Legitimate Interest means the Controller's interest to process Personal Data in order to carry out tasks
related to the Controller's business activities. The processing of Personal Data in that context may not
necessarily be justified by a legal obligation or carried out to execute the terms of a contract with a Data
Subject.
Personal Data means any information relating to an identified or identifiable natural person ('Data
Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or
to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person. This includes, but is not limited to the term 'Personal Information'
according to Article 1798.140 (o) (1-2) of the CCPA.
Personal Information means personally identifiable information that you could trace back to a real
person according to Article 1798.140 (o) (1-2) of the CCPA.
Processing means any operation or set of operations which is performed on Personal Data or on sets of
Personal Data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.
Processor means a natural or legal person, public authority, agency or other body which processes
Personal Data on behalf of the Controller.
Products means all products distributed and sold by Ortto.
Services means all services provided by Ortto as a part of their Products.
Recipient means a natural or legal person, public authority, agency or another body, to which the
Personal Data are disclosed, whether a third party or not. However, public authorities which may receive
personal data in the framework of a particular inquiry in accordance with Union or Member State law
shall not be regarded as Recipients; the Processing of those Personal Data by those public authorities
shall be in compliance with the applicable data protection rules according to the purposes of the
Processing.
Sites means websites of Customers.
Privacy policy
Effective date: 8 February 2022
1. General
We at Ortto, Inc. ("Ortto") value your privacy and are committed to taking care of your data,
and we take this responsibility very seriously. Please take the time to carefully read our Privacy Policy,
which explains why we collect your Personal Data and how we process it when you:
•
visit our website (see, in particular, Section 3.1)
or express an interest in our Products (see, in particular, Section 3.2),
are our Customer (see, in particular, Section 3.3 below)
are a Consumer of one of our Customers (see, in particular, Section 3.4 below) or
are our Supplier or Business Partner (see, in particular, Section 3.5 below), or
apply for a position with us (see, in particular, Section 3.6 below).
Controller
Ortto Inc. ("Ortto")
1390 Market Street Suite 200
San Francisco CA 94102
2. Definitions
Unless otherwise indicated, capitalized terms used in this Privacy Policy are defined in Annex 1. Most of
the definitions are derived from the California Consumer Privacy Act of 2018 (CCPA) which you can
access from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121 and
the General Data Protection Regulation (GDPR) which you can access from https://eur-
lex.europa.eu/eli/reg/2016/679/oj.
3. How do we process your Personal Data?
We process your data in different ways depending on whether you visit our website or express an
interest in our Products, or whether you are our client, supplier, business partner or job applicant:
We do not sell your Personal Data within the meaning of Section 1798.140(t) of the CCPA.
3.1 Processing of Personal Data relating to visitors of our website
Cookies
We (or our third party service providers) use cookies to track visitor activity on the site. A cookie is a text
file that a website transfers to your computer's hard drive for record-keeping purposes. Our cookies
assign a random, unique number to each visitor's computer. They do not contain information that would
personally identify the visitor, although we can associate a cookie with any identifying information that is
or has been provided by a Customer while visiting our site. We or our third party service providers use
cookies that remain on your computer for a specified period of time or until they are deleted (persistent
cookies). These cookies record clickstream information (data reporting the URLS, or names of the
pages, on our Site that have been visited). We may also use cookies that exist only temporarily during an
online session (session cookies). These cookies allow you to log in to your account and they allow us to
identify you temporarily as you move through the site. Most browsers allow users to refuse cookies, but
doing so may impede the functionality of some portions of our site.
Web Beacons
Web beacons are tiny graphics with a unique identifier, similar in function to cookies, that are used to
track the online movements of Web users. In contrast to cookies, which are stored on your computer's
hard drive, Web beacons are embedded invisibly on webpages and may not be disabled or controlled
through your browser.
Third Parties
As noted, we may also engage third parties to track and analyze site activity on our behalf. To do so,
these third parties may place cookies or web beacons to track user activity on our site. We use the data
collected by such third parties to help us administer and improve the quality of the site and to analyze
usage of the site.
3.2 Processing of Personal Data relating to potential Customers
Purpose and Legal Basis
When you contact us to inquire about our Products, we process the Personal Data you include in such a
message in emails or collected during phone calls to answer and process such inquiry in a
pre-contractual stage. Such processing is necessary for Contract Performance in order to take steps at
your request prior to entering into a contract. Contract Performance is also the purpose of any
processing of your Personal Data when you create an account in order to use our service.
Furthermore, we process your Personal Data provided with an inquiry for Direct Marketing purposes to
convert a potential client into an actual client. Such processing is based on a Legitimate Interest. You
have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct
Marketing, without being required to state your reasons, and can do so by visiting
https://gdpr-rep.eu/q/15786322.
Personal Data Processed
We mainly process the Personal Data which you provide us during a pre-contractual phase. For all
Personal Data we collect from other sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address
• Other Personal Data you include in a free text field
Internet information (CCPA Category F)
• Order History
• IP Address and IP location
• Referring (exit pages and URLs)
• Number, duration and time of visits (your interaction with the Website)
• Search engines, key phrases and keywords used to find our site
• Browser type, type of device, screen size, internet service provider and operating system
Retention Period
The Personal Data will be deleted two years after a lead is lost.
Personal Data collected for purposes related to Contract Performance shall be retained until such
contract has been fully performed.
We may be allowed to retain Personal Data for a longer period whenever you have given consent to such
processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn. Furthermore,
we may be obliged to retain Personal Data for a longer period whenever required to do so for the
performance of a legal obligation or upon order of an authority.
Summary
Answer Inquiry
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to two years after a lead is lost
Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to two years after a lead is lost
Newsletter Subscription
Legal basis: Consent
Recipients: N/A
Retention: Up to two years after a lead is lost
3.3 Processing of Personal Data Relating to Customers
To use our Services you must create an account. To create an account, you must enter your full first and
last name, business name and email address.
When you subscribe to our Services, we collect your billing address, credit/debit card number, expiration
date, and other billing information necessary to process the transaction. We use this information to
process your transaction.
We also collect information about our Customers' use of the Services, including their order history,
Services usage and other similar information.
We allow Customers to "Like" our Site and Services through their Facebook Account. However, while we
do track which Customers choose to "Like" us, at this time we do not collect any information from
Facebook about Customers who choose to "Like" us.
In addition, we may ask Customers to submit certain optional information about their business, such as
their industry, target customers or demographics, and other information.
Purpose and Legal Basis
Your Personal Data as a customer is processed, first and foremost, for the purpose of providing services
related to Ortto Products. We may use or process Personal Data in connection with pre-contract
activities and discussion with you, and to perform the contractual legal relationship we have with you.
Furthermore, we process Personal Data when you open an account with us and place an order for goods
via one of our websites as an Account Holder.
Such processing is based on Contract Performance and serves to manage and maintain our relationships with
you and for ongoing customer service.
Besides that, we use your contact information to send you information on our Products as a form of
Direct Marketing. Your email address might be added to a contact list of those who may receive email
messages containing information of commercial or promotional nature as a result of signing up to this
Website or after making a purchase.
The processing activity related to Direct Marketing is based on Legitimate Interest. You have the right, at
all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without
being required to state your reasons, and can do so by visiting https://gdpr-rep.eu/q/15786322.
Processed Personal Data
We mainly process the Personal Data which you provide us with.
For all data we collect from other sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §
1798.80(e)) (CCPA Category B)
• Payment data
• Purchase information
• Billing address
• Credit/Debit card number
• Expiration date
• Other billing information necessary to process transactions
Internet information (CCPA Category F)
• Order History
• IP Address and IP location
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
Recipients
To achieve the objectives described above, it may be necessary to disclose your Personal Data to the
following Recipients in certain cases. We may disclose and transfer customer and consumer Personal
Data to third parties, including to our contractors or service providers who provide services which are
integrated into our Products or perform functions on our behalf. The actual Recipients depend on the
Products the Customer has signed up for.
Personal Data may be disclosed by being transferred, disseminated, or provided by other means to the
following parties on the basis that the Recipient is either subject to EU Commission approved
Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries or is located
in an adequate third country according to GDPR:
1. Facebook Inc. (USA)
2. Google LLC (USA)
3. LiveChat, Inc. (USA)
4. Pipedrive (USA, Estonia)
5. Recurly, Inc. (USA)
6. Shopify Inc. (Canada)
7. Slack Technologies, Inc. (USA)
8. Twilio Inc. (USA)
9. Zendesk, Inc. (USA)
If you are based in Australia, your Personal Data may be transferred outside of Australia to recipients
located in the countries listed above.
Retention Period
We store all Data necessary for tax purposes, especially contracts, invoices and other bookkeeping
documents as well as relevant correspondence in relation to our contractual relationship, for a period
of five years.
We keep all other data according to commercial law for a period of five years.
Summary
Contract
Legal basis: Contract Performance
Recipients: 1-9, depending on the Product the Customer chooses
Retention: Up to five years after termination of contract with Ortto
Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to five years
3.4 Processing of Personal Data relating to Consumers of our Customers
While we do not directly collect any Personal Data from Consumers or users of our Customers' Sites, we
may collect certain Personal Data about Consumers that use our Customers' Sites, in order to provide
Customers with information about how their sites are accessed and used. With respect to this Personal
Data we act as a Processor and process the Personal Data submitted to the Services or collected
through the Services on behalf of or at the direction of our Customers, which are Controllers with
regard to these processing activities.
For example, we may receive IP address, browser type, domain name, referring URL, page views and
information relating to the device through which Consumers access our Customers' Site.
In addition, our Customers may, through their Sites and their use of our Services, collect additional
information from Consumers such as name, e-mail address and other contact information. We may
receive this Consumer information, which may include Personal Data, and store it on behalf of our
Customers. However, we will not use this Personal Data about Consumers for our own purposes. We
maintain such Personal Data about Consumers only on behalf of our Customers; this information
belongs to our respective Customers, not to Ortto. As noted above, our Customers' collection, use
and disclosure of Consumer Personal Data is not governed by this Privacy Policy. By disclosing
Consumer Personal Data to Ortto, a Customer acknowledges that it has read, understood and
agreed to this Privacy Policy and warrants that it has obtained the consent of the relevant Consumer to
such collection, use and disclosure of Personal Data as described in this Privacy Policy.
Purpose and Legal Basis
Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding
Ortto Products and services i.e. through websites developed and operated by our Customers. The
purpose of processing your Personal Data is the performance of our legal relationship with that
Customer.
3.5 Processing of Personal Data Relating to Suppliers and Business Partners
Purpose and Legal Basis
Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding
Ortto Products and services. This includes providers of services that are integrated in Ortto's
Products. The purpose of processing your Personal Data is the performance of our legal relationship.
Processed Personal Data
We mainly process the Personal Data you provide us with. For all Personal Data we collect from other
sources please refer to point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
If your company details include a name of an individual, we may require that you provide us with your
Personal Data to enable us to enter into a business relationship with you.
Retention Period
We store all Personal Data necessary for tax purposes, especially contracts, invoices and other
bookkeeping documents as well as relevant correspondence in relation to our contractual relationship,
for a period of five years.
We keep all other Personal Data according to commercial law for a period of three years.
Summary
Cooperation
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to five years after contract is completed.
3.6 Processing of Personal Data Relating to Applicants
Purpose and Legal Basis
We process your Personal Data either:
• to take steps prior to entering into a contract (conclusion of an employment agreement),
• on the basis of your explicit consent if we would like to keep your application on file for future
consideration,
• and to fulfil our legal obligations (registering you as an employee in the social security system).
Your Personal Data is processed for the purpose of completing the application process. If you do not
provide us with your Personal Data, we cannot process your application.
Processed Personal Data
We mainly process the Personal Data you provide us with. For all Personal Data we collect from other
sources please have a look at point 4.
We collect:
Identifiers (CCPA Category A)
• Name
• E-mail address and other contact details
Professional or employment-related information (CCPA Category I)
• Employment
• Role and function in the company
• Business activity
Retention Period
The Personal Data of applicants who are not hired will be erased six months after the closure of the
application. If the applicant consents to their Personal Data being kept on file for future consideration,
we do not delete such Personal Data.
Summary
Application
Legal basis: Contract Performance
Recipients: N/A
Retention: Six months
4. Collection of Personal Data from Sources other than the Data Subject himself or herself (Article 14 GDPR)
Purpose and Legal Basis
If we process your Personal Data we usually collect Personal Data from you, and it is usually you who
provides us with this Personal Data. Nevertheless, in individual cases, we may also obtain Personal Data
from other sources (e.g. Slack.com) or publicly available sources, such as information we obtain from the
Internet.
Processed Personal Data
The Personal Data we obtain from third sources about you which is stored in our systems is limited to:
Identifiers (CCPA Category A)
• contact information (e-mail address and telephone number, postal address)
Professional or employment-related information (CCPA Category I)
• your function in the company
• your professional career
• and your assignment to or responsibility for a particular company (usually your employer,
any affiliated company or for another reason with this related company) if you have not disclosed
that information to us as part of the communication.
If you are an applicant, we can also process the following information about you from publicly available
sources:
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §
1798.80(e)) (CCPA Category B)
• your education,
• professional and academic career
• publications written by you
However, we usually ask you directly if you can provide us with this information if we could not find it in
your application documents.
This Processing is based on our Legitimate Interest in a complete set of Personal Data required for
professional communication, Contract Performance, our business relationships and the application
process, depending on the relationship we have with you.
5. Data Security
We handle Personal Data only as permitted by data protection regulations. We use a variety of technical
and organizational measures to help protect your Personal Data from unauthorized access, disclosure,
modification, loss or destruction in accordance with applicable data protection laws.
When handling Personal Data, our employees are obliged to comply with the regulations of the GDPR
and the CCPA and all other applicable data protection laws and regulations.
6. What are Your Rights with Respect to Processing of Personal Data?
6.1 Rights under CCPA and GDPR
Right of Access - right to obtain confirmation of which of your Personal Data is processed and
information about it, for instance, which are the purposes of the Processing, what are the conservation
periods, among others.
Right to Erasure ("right to be forgotten") - right to erase your Personal Data, provided that there are no
valid grounds for its retention, for example in cases where we have to keep the Personal Data to comply
with legal obligation or because a court case is in progress.
Right to Data Portability - right to receive the Personal Data you have provided us in a digital format of
current use and automatic reading or to request the direct transmission of your Personal Data to another
entity that becomes the new responsible for your Personal Data, however only if technically possible.
6.2 Rights Exclusively under GDPR
The GDPR protects further rights for Data Subjects in the European Union:
Right of Rectification - right to request modification of your Personal Data that is inaccurate or request
completion of incomplete Personal Data, such as the address, VAT, email, telephone contacts, or others.
Right to Withdraw Consent or Right of Opposition - right to object or withdraw consent at any time to
Processing, for example in the case of Processing for marketing purposes, provided that no Legitimate
Interests exist prevailing over your interests, rights and freedoms, such as defending a right in a judicial
process.
Right of Limitation - right to request the limitation of the Processing of your Personal Data, in the form
of: (i) suspension of Processing or (ii) limitation of the scope of Processing to certain categories of
Personal Data or purposes of Processing.
Right to object and ADM - When the Processing of Personal Data, including the Processing for the
definition of profiles, is exclusively automatic (without human intervention) and may have effects in your
legal sphere or significantly affect it, you shall have the right not to remain subject to any decision based
on such automatic Processing, except as otherwise provided by law, and shall have the right that we take
appropriate measures to safeguard your rights and freedoms and legitimate interests, including the right to
have human intervention in decision making by us, the right to express your point of view or contest the
decision taken on the basis of automated individual information Processing.
Right to complain - right to complain to the supervisory authority, in addition to us.
For rights asserted by Data Subjects from the EU under the GDPR the period for handling a request is
30 days unless it is a particularly complex request.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the
right to erasure, the right to rectification and the right to data portability cannot be enforced after
expiration of the retention period.
6.3 Rights Exclusively Under CCPA
The exercise of rights is free of charge, except in the case of a manifestly unfounded or excessive
request, in which case a reasonable fee may be charged regarding its costs.
The information must be provided in writing but may be given orally if requested. In this case, we should
verify your identity by means other than oral.
The response to requests based on the provisions of the CCPA should be provided within a maximum of
45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in
writing.
6.4 Rights Under the Australian Privacy Act
If you are in Australia, you may request access or correction of the Personal Data that we hold about you
by contacting us. Our contact details are set out below. There are some circumstances in which we are
not required to give you access to your Personal Information.
There is no charge for requesting access to your Personal Information but we may require you to meet
our reasonable costs in providing you with access (such as photocopying costs or costs for time spent
on collating large amounts of material).
We will respond to your requests to access or correct Personal Information in a reasonable time and will
take all reasonable steps to ensure that the personal data we hold about you remains accurate, up to
date and complete.
7. Non-Discrimination
We will not discriminate against you for exercising any of your rights. Unless for a good and reasonable
cause and unless permitted by law, we will not:
• deny you goods or services.
• charge you different prices or rates for goods or services, including through granting
discounts or other benefits, or imposing penalties.
• provide you a different level or quality of goods or services.
• suggest that you may receive a different price or rate for goods or services or a different level or
quality of goods or services.
8. Changes to our Data Protection Provisions
We reserve the right to modify this Privacy Policy, so it is always in compliance with the current legal
requirements or to implement changes to services in the Privacy Policy, e.g., when introducing new
services. In this case, your future visits to our website will be subject to the updated Privacy Policy.
If you have additional questions regarding the processing of your Personal Data, please feel free to
contact us directly, either by email at privacy AT ortto.com or via mail to Ortto, 1390 Market
Street Suite 200, San Francisco CA 94102.
9. Contact Information
9.1 Requests from California Residents According to the CCPA
To exercise the access, data portability, and deletion rights described above in 7.1., California residents
may submit a verifiable consumer request to us by email at privacy AT Orttoapp.com.
Only you or a person registered with the California Secretary of State that you authorize to act on your
behalf, may make a verifiable consumer request related to your Personal Information. You may also make
a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month
period. The verifiable consumer request must:
• Provide sufficient information that allows us to reasonably verify you are the person about whom we
collected Personal Information or an authorized representative.
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and
respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your
identity or authority to make the request and confirm the Personal Information relates to you. Making a
verifiable consumer request does not require you to create an account with us. We will only use Personal
Information provided in a verifiable consumer request to verify the requestor's identity or authority to
make the request.
9.2 Data Subject Requests from EU Data Subjects According to the GDPR
We value your Data Subject Rights under GDPR and have therefore appointed GDPR-Rep.eu as
representative according to Art 27 GDPR, and provide you with an easy way to submit privacy-related
requests to us, such as a request to access or erase your personal data. If you want to make use of
your data subject rights, please visit: https://gdpr-rep.eu/q/15786322.
Contact:
GDPR-Rep.eu
Maetzler Rechtsanwalts GmbH & Co KG
Attorneys at Law c/o PersoGroup Ptd Ltd.
Schellinggasse 3/10, 1010 Vienna, Austria
Please add the following subject to all correspondence: GDPR-REP ID: 15786322
9.3 Data Subject Requests from Individuals in Australia
If you are in Australia you can contact us by email (privacy AT Orttoapp.com) or mail at the following
address:
Privacy Officer
OrttoHQ, Inc.
1390 Market Street, Suite 200
San Francisco California 94102
If you have further concerns about how we have handled a privacy issue, you may contact the Australian
Information Commissioner (www.oaic.gov.au).
Definitions
Account Holder means anyone who registers an account using the form accessible on the website
https://www.Orttoapp.com.
ADM means automated decision making.
CCPA means the California Consumer Privacy Act (CCPA) signed into law on June 28, 2018, to amend
Part 4 of Division 3 of the California Civil Code.
http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.
CCPA Code means the categories (A) to (K) of Personal Information as defined in the CCPA.
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of
the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the Processing of Personal Data relating to him or her.
Consumer means clients of Ortto's Customers.
Contract Performance means concluding, maintaining, and completing of a contract concluded
between the Controller and a Data Subject, including Processing activities which take place at the
request of the Data Subject before entering into a contractual relationship.
Controller means the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the Processing of Personal Data; where the
purposes and means of such Processing are determined by Union or Member State law, the Controller
or the specific criteria for its nomination may be provided for by Union or Member State law.
Customers means Ortto's customers.
Data Subject is any natural person whose Personal Data is being collected, held or processed.
Examples of a Data Subject can be an individual, a customer, a prospect, an employee, a contact person,
etc.
Direct Marketing means personal data processed to communicate a marketing or advertising message.
This definition includes messages from commercial organisations, as well as from charities and political
organizations.
General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in
the European Union (EU) and the European Economic Area (EEA); Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj.
Legitimate Interest means the Controller's interest to process Personal Data in order to carry out tasks
related to the Controller's business activities. The processing of Personal Data in that context may not
necessarily be justified by a legal obligation or carried out to execute the terms of a contract with a Data
Subject.
Personal Data means any information relating to an identified or identifiable natural person ('Data
Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or
to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person. This includes, but is not limited to the term 'Personal Information'
according to Article 1798.140 (o) (1-2) of the CCPA.
Personal Information means personally identifiable information that you could trace back to a real
person according to Article 1798.140 (o) (1-2) of the CCPA.
Processing means any operation or set of operations which is performed on Personal Data or on sets of
Personal Data, whether or not by automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction.
Processor means a natural or legal person, public authority, agency or other body which processes
Personal Data on behalf of the Controller.
Products means all products distributed and sold by Ortto.
Services means all services provided by Ortto as a part of their Products.
Recipient means a natural or legal person, public authority, agency or another body, to which the
Personal Data are disclosed, whether a third party or not. However, public authorities which may receive
personal data in the framework of a particular inquiry in accordance with Union or Member State law
shall not be regarded as Recipients; the Processing of those Personal Data by those public authorities
shall be in compliance with the applicable data protection rules according to the purposes of the
Processing.
Sites means websites of Customers.