Privacy policy

Effective date: 8 February 2022
1. General

We at Ortto, Inc. (“Ortto”) value your privacy and are committed to taking care of your data, and we take this responsibility very seriously. Please take the time to carefully read our Privacy Policy, which explains why we collect your Personal Data and how we process it when you:

  • visit our website (see, in particular, Section 3.1),

  • express an interest in our Products (see, in particular, Section 3.2),

  • are our Customer (see, in particular, Section 3.3 below),

  • are a Consumer of one of our Customers (see, in particular, Section 3.4 below),

  • are our Supplier or Business Partner (see, in particular, Section 3.5 below), or

  • apply for a position with us (see, in particular, Section 3.6 below).

Controller

Ortto Inc. ("Ortto")
1390 Market Street Suite 200
San Francisco CA 94102

2. Definitions

Unless otherwise indicated, capitalized terms used in this Privacy Policy are defined in Annex 1. Most of the definitions are derived from the California Consumer Privacy Act of 2018 (CCPA) which you can access from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB1121 and the General Data Protection Regulation (GDPR) which you can access from https://eur-lex.europa.eu/eli/reg/2016/679/oj.

3. How do we process your Personal Data?

We process your data in different ways depending on whether you visit our website or express an interest in our Products, or whether you are our client, supplier, business partner or job applicant:

We do not sell your Personal Data within the meaning of Section 1798.140(t) of the CCPA.

3.1 Processing of Personal Data relating to visitors of our website

Cookies

We (or our third party service providers) use cookies to track visitor activity on the site. A cookie is a text file that a website transfers to your computer’s hard drive for record-keeping purposes. Our cookies assign a random, unique number to each visitor’s computer. They do not contain information that would personally identify the visitor, although we can associate a cookie with any identifying information that is or has been provided by a Customer while visiting our site. We or our third party service providers use cookies that remain on your computer for a specified period of time or until they are deleted (persistent cookies). These cookies record clickstream information (data reporting the URLs, or names of the pages, on our Site that have been visited). We may also use cookies that exist only temporarily during an online session (session cookies). These cookies allow you to log in to your account and they allow us to identify you temporarily as you move through the site. Most browsers allow users to refuse cookies, but doing so may impede the functionality of some portions of our site.

Web Beacons

Web beacons are tiny graphics with a unique identifier, similar in function to cookies, that are used to track the online movements of Web users. In contrast to cookies, which are stored on your computer’s hard drive, Web beacons are embedded invisibly on webpages and may not be disabled or controlled through your browser.

Third Parties

As noted, we may also engage third parties to track and analyze site activity on our behalf. To do so, these third parties may place cookies or web beacons to track user activity on our site. We use the data collected by such third parties to help us administer and improve the quality of the site and to analyze usage of the site.

3.2 Processing of Personal Data relating to potential Customers
Purpose and Legal Basis

When you contact us to inquire about our Products, we process the Personal Data you include in such a message in emails or collected during phone calls to answer and process such inquiry in a pre-contractual stage. Such processing is necessary for Contract Performance in order to take steps at your request prior to entering into a contract. Contract Performance is also the purpose of any processing of your Personal Data when you create an account in order to use our service.

Furthermore, we process your Personal Data provided with an inquiry for Direct Marketing purposes to convert a potential client into an actual client. Such processing is based on a Legitimate Interest. You have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without being required to state your reasons, and can do so by visiting https://prighter.com/cc/ortto.

Personal Data Processed

We mainly process the Personal Data which you provide us during a pre-contractual phase. For all Personal Data we collect from other sources please have a look at point 4.

We collect:

Identifiers (CCPA Category A)

  • Name

  • E-mail address

  • Other Personal Data you include in a free text field

Internet information (CCPA Category F)

  • Order History

  • IP Address and IP location

  • Referring (exit pages and URLs)

  • Number, duration and time of visits (your interaction with the Website)

  • Search engines, key phrases and keywords used to find our site

  • Browser type, type of device, screen size, internet service provider and operating system

Retention Period

The Personal Data will be deleted two years after a lead is lost.

Personal Data collected for purposes related to Contract Performance shall be retained until such contract has been fully performed.

We may be allowed to retain Personal Data for a longer period whenever you have given consent to such processing (e.g. subscription to our newsletter), as long as such consent is not withdrawn. Furthermore, we may be obliged to retain Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an authority.

Summary

Answer Inquiry
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to two years after a lead is lost

Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to two years after a lead is lost

Newsletter Subscription
Legal basis: Consent
Recipients: N/A
Retention: Up to two years after a lead is lost

3.3 Processing of Personal Data Relating to Customers

To use our Services you must create an account. To create an account, you must enter your full first and last name, business name and email address.

When you subscribe to our Services, we collect your billing address, credit/debit card number, expiration date, and other billing information necessary to process the transaction. We use this information to process your transaction.

We also collect information about our Customers’ use of the Services, including their order history, Services usage and other similar information.

We allow Customers to “Like” our Site and Services through their Facebook Account. However, while we do track which Customers choose to “Like” us, at this time we do not collect any information from Facebook about Customers who choose to “Like” us.

In addition, we may ask Customers to submit certain optional information about their business, such as their industry, target customers or demographics, and other information.

Purpose and Legal Basis

Your Personal Data as a customer is processed, first and foremost, for the purpose of providing services related to Ortto Products. We may use or process Personal Data in connection with pre-contract activities and discussion with you, and to perform the contractual legal relationship we have with you.

Furthermore, we process Personal Data when you open an account with us and place an order for goods via one of our websites as an Account Holder.

Such processing is based on Contract Performance and serves to manage and maintain our relationships with you and to provide ongoing customer service.

Besides that, we use your contact information to send you information on our Products as a form of Direct Marketing. Your email address might be added to a contact list of those who may receive email messages containing information of commercial or promotional nature as a result of signing up to this Website or after making a purchase.

The processing activity related to Direct Marketing is based on Legitimate Interest. You have the right, at all times, to object to the Processing of your Personal Data for the purpose of Direct Marketing, without being required to state your reasons, and can do so by visiting https://prighter.com/cc/ortto.

Processed Personal Data

We mainly process the Personal Data which you provide us with.

For all data we collect from other sources please have a look at point 4.

We collect:

Identifiers (CCPA Category A)

  • Name

  • E-mail address and other contact details

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (CCPA Category B)

  • Payment data

  • Purchase information

  • Billing address

  • Credit/Debit card number

  • Expiration date

  • Other billing information necessary to process transactions

Internet information (CCPA Category F)

  • Order History

  • IP Address and IP location

Professional or employment-related information (CCPA Category I)

  • Employment

  • Role and function in the company

  • Business activity

Recipients

To achieve the objectives described above, it may be necessary to disclose your Personal Data to the following Recipients in certain cases. We may disclose and transfer customer and consumer Personal Data to third parties, including to our contractors or service providers who provide services which are integrated into our Products or perform functions on our behalf. The actual Recipients depend on the Products the Customer has signed up for.

Personal Data may be disclosed by being transferred, disseminated, or provided by other means to the following parties on the basis that the Recipient is either subject to EU Commission approved Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries or is located in an adequate third country according to GDPR:

  1. Facebook Inc. (USA)

  2. Google LLC (USA)

  3. LiveChat, Inc. (USA)

  4. Pipedrive (USA, Estonia)

  5. Recurly, Inc. (USA)

  6. Shopify Inc. (Canada)

  7. Slack Technologies, Inc. (USA)

  8. Twilio Inc. (USA)

  9. Zendesk, Inc. (USA)

If you are based in Australia, your Personal Data may be transferred outside of Australia to recipients located in the countries listed above.

Retention Period

We store all Data necessary for tax purposes, especially contracts, invoices and other bookkeeping documents as well as relevant correspondence in relation to our contractual relationship, for a period of five years.

We keep all other data according to commercial law for a period of five years.

Summary

Contract
Legal basis: Contract Performance
Recipients: 1-9, depending on the Product the Customer chooses
Retention: Up to five years after termination of contract with Ortto

Direct Marketing
Legal basis: Legitimate Interest
Recipients: N/A
Retention: Up to five years

3.4 Processing of Personal Data relating to Consumers of our Customers

While we do not directly collect any Personal Data from Consumers or users of our Customers’ Sites, we may collect certain Personal Data about Consumers that use our Customers’ Sites, in order to provide Customers with information about how their sites are accessed and used. With respect to this Personal Data we act as a Processor and process the Personal Data submitted to the Services or collected through the Services on behalf of or at the direction of our Customers, which are Controllers with regard to these processing activities.

For example, we may receive IP address, browser type, domain name, referring URL, page views and information relating to the device through which Consumers access our Customers’ Site.

In addition, our Customers may, through their Sites and their use of our Services, collect additional information from Consumers such as name, e-mail address and other contact information. We may receive this Consumer information, which may include Personal Data, and store it on behalf of our Customers. However, we will not use this Personal Data about Consumers for our own purposes. We maintain such Personal Data about Consumers only on behalf of our Customers; this information belongs to our respective Customers, not to Ortto. As noted above, our Customers’ collection, use and disclosure of Consumer Personal Data is not governed by this Privacy Policy. By disclosing Consumer Personal Data to Ortto, a Customer acknowledges that it has read, understood and agreed to this Privacy Policy and warrants that it has obtained the consent of the relevant Consumer to such collection, use and disclosure of Personal Data as described in this Privacy Policy.

Purpose and Legal Basis

Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding Ortto Products and services i.e. through websites developed and operated by our Customers. The purpose of processing your Personal Data is the performance of our legal relationship with that Customer.

3.5 Processing of Personal Data Relating to Suppliers and Business Partners
Purpose and Legal Basis

Your Personal Data is processed, first and foremost, for the purpose of Contract Performance regarding Ortto Products and services. This includes providers of services that are integrated in Ortto's Products. The purpose of processing your Personal Data is the performance of our legal relationship.

Processed Personal Data

We mainly process the Personal Data you provide us with. For all Personal Data we collect from other sources please refer to point 4.

We collect:

Identifiers (CCPA Category A)

  • Name

  • E-mail address and other contact details

Professional or employment-related information (CCPA Category I)

  • Employment

  • Role and function in the company

  • Business activity

If your company details include a name of an individual, we may be required that you provide us with your Personal Data to enable us to enter into a business relationship with you.

Retention Period

We store all Personal Data necessary for tax purposes, especially contracts, invoices and other bookkeeping documents as well as relevant correspondence in relation to our contractual relationship, for a period of five years.

We keep all other Personal Data according to commercial law for a period of three years.

Summary

Cooperation
Legal basis: Contract Performance
Recipients: N/A
Retention: Up to five years after contract is completed.

3.6 Processing of Personal Data Relating to Applicants
Purpose and Legal Basis

We process your Personal Data either:

  • to take steps prior to entering into a contract (conclusion of an employment agreement),

  • on the basis of your explicit consent if we would like to keep your application on file for future consideration,

  • and to fulfil our legal obligations (registering you as an employee in the social security system).

Your Personal Data is processed for the purpose of completing the application process. If you do not provide us with your Personal Data, we cannot process your application.

Processed Personal Data

We mainly process the Personal Data you provide us with. For all Personal Data we collect from other sources please have a look at point 4.

We collect:

Identifiers (CCPA Category A)

  • Name

  • E-mail address and other contact details

Professional or employment-related information (CCPA Category I)

  • Employment

  • Role and function in the company

  • Business activity

Retention Period

The Personal Data of applicants who are not hired will be erased six months after the closure of the application. If the applicant consents to their Personal Data being kept on file for future consideration, we do not delete such Personal Data.

Summary

Application
Legal basis: Contract Performance
Recipients: N/A
Retention: Six months

4. Collection of Personal Data from Sources other than the Data Subject himself or herself (Article 14 GDPR)
Purpose and Legal Basis

If we process your Personal Data we usually collect Personal Data from you, and it is usually you who provides us with this Personal Data. Nevertheless, in individual cases, we may also obtain Personal Data from other sources (e.g. Slack.com) or publicly available sources, such as information we obtain from the Internet.

Processed Personal Data

The Personal Data we obtain from third sources about you which is stored in our systems is limited to:

Identifiers (CCPA Category A)

  • contact information (e-mail address and telephone number, postal address)

Professional or employment-related information (CCPA Category I)

  • your function in the company

  • your professional career

  • and your assignment to or responsibility for a particular company (usually your employer, any affiliated company or for another reason with this related company) if you have not disclosed that information to us as part of the communication.

If you are an applicant, we can also process the following information about you from publicly available sources:

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (CCPA Category B)

  • your education

  • professional and academic career

  • publications written by you

However, we usually ask you directly if you can provide us with this information if we could not find it in your application documents.

This Processing is based on our Legitimate Interest in a complete set of Personal Data required for professional communication, Contract Performance, our business relationships and the application process, depending on the relationship we have with you.

5. Data Security

We handle Personal Data only as permitted by data protection regulations. We use a variety of technical and organizational measures to help protect your Personal Data from unauthorized access, disclosure, modification, loss or destruction in accordance with applicable data protection laws.

When handling Personal Data, our employees are obliged to comply with the regulations of the GDPR and the CCPA and all other applicable data protection laws and regulations.

6. What are Your Rights with Respect to Processing of Personal Data?

6.1 Rights under CCPA and GDPR

Right of Access - right to obtain confirmation of which of your Personal Data is processed and information about it, for instance, which are the purposes of the Processing, what are the conservation periods, among others.

Right to Erasure ("right to be forgotten") - right to erase your Personal Data, provided that there are no valid grounds for its retention, for example in cases where we have to keep the Personal Data to comply with legal obligation or because a court case is in progress.

Right to Data Portability - right to receive the Personal Data you have provided us in a digital format of current use and automatic reading or to request the direct transmission of your Personal Data to another entity that becomes the new responsible for your Personal Data, however only if technically possible.

6.2 Rights Exclusively under GDPR

The GDPR protects further rights for Data Subjects in the European Union:

Right of Rectification - right to request modification of your Personal Data that is inaccurate or request incomplete Personal Data, such as the address, VAT, email, telephone contacts, or others.

Right to Withdraw Consent or Right of Opposition - right to object or withdraw consent at any time to Processing, for example in the case of Processing for marketing purposes, provided that no Legitimate Interests exist prevailing over your interests, rights and freedoms, such as defending a right in a judicial process.

Right of Limitation - right to request the limitation of the Processing of your Personal Data, in the form of: (i) suspension of Processing or (ii) limitation of the scope of Processing to certain categories of Personal Data or purposes of Processing.

Right to object and ADM - When the Processing of Personal Data, including the Processing for the definition of profiles, is exclusively automatic (without human intervention) and may have effects in your legal sphere or significantly affect it, you shall have the right not to remain subject to any decision based on such automatic Processing, except as otherwise provided by law and shall have the right that we take appropriate measures to safeguard its rights and freedoms and legitimate interests, including the right to have human intervention in decision making by us, the right to express its point of view or contest the decision taken on the basis of automated individual information Processing.

Right to complain - right to complain to the supervisory authority, in addition to us.

For rights asserted by Data Subjects from the EU under the GDPR the period for handling a request is 30 days unless it is a particularly complex request.

Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.

6.3 Rights Exclusively Under CCPA

The exercise of rights is free of charge, except in the case of a manifestly unfounded or excessive request, in which case a reasonable fee may be charged regarding its costs.

The information must be provided in writing but may be given orally if requested. In this case, we should verify your identity by means other than oral.

The response to requests based on the provisions of the CCPA should be provided within a maximum of 45 days. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

6.4 Rights Under the Australian Privacy Act

If you are in Australia, you may request access or correction of the Personal Data that we hold about you by contacting us. Our contact details are set out below. There are some circumstances in which we are not required to give you access to your Personal Information.

There is no charge for requesting access to your Personal Information but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs or costs for time spent on collating large amounts of material).

We will respond to your requests to access or correct Personal Information in a reasonable time and will take all reasonable steps to ensure that the personal data we hold about you remains accurate, up to date and complete.

7. Non-Discrimination

We will not discriminate against you for exercising any of your rights. Unless for a good and reasonable cause and unless permitted by law, we will not:

  • deny you goods or services.

  • charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.

  • provide you a different level or quality of goods or services.

  • suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

8. Changes to our Data Protection Provisions

We reserve the right to modify this Privacy Policy, so it is always in compliance with the current legal requirements or to implement changes to services in the Privacy Policy, e.g., when introducing new services. In this case, your future visits to our website will be subject to the updated Privacy Policy.

If you have additional questions regarding the processing of your Personal Data, please feel free to contact us directly, either by email at privacy AT ortto.com or via mail to Ortto, 1390 Market Street Suite 200, San Francisco CA 94102.

9. Contact Information
9.1 Requests from California Residents According to the CCPA

To exercise the access, data portability, and deletion rights described above in 7.1., California residents may submit a verifiable consumer request to us by email at privacy AT ortto.com.

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

9.2 Data Subject Requests from EU Data Subjects According to the GDPR

We value your Data Subject Rights under GDPR and have therefore appointed GDPR-Rep.eu as our representative according to Art 27 GDPR. This gives you an easy way to submit privacy-related requests to us, such as a request to access or erase your personal data. If you want to make use of your data subject rights, please visit: https://prighter.com/cc/ortto.

Contact:
GDPR-Rep.eu

Maetzler Rechtsanwalts GmbH & Co KG
Attorneys at Law c/o PersoGroup Ptd Ltd.
Schellinggasse 3/10, 1010 Vienna, Austria

Please add the following subject to all correspondence: GDPR-REP ID: 15786322

9.3 Data Subject Requests from Individuals in Australia

If you are in Australia you can contact us by email (privacy AT ortto.com) or mail at the following address:

Privacy Officer
Ortto, Inc.
1390 Market Street, Suite 200
San Francisco California 94102

If you have further concerns about how we have handled a privacy issue, you may contact the Australian Information Commissioner (www.oaic.gov.au).

Definitions

Account Holder means anyone who registers an account using the form accessible on the website https://www.ortto.com.

ADM means automated decision making.

CCPA means the California Consumer Privacy Act (CCPA) signed into law on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180AB375.

CCPA Code means the categories (A) to (K) of Personal Information as defined in the CCPA.

Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her.

Consumer means clients of Ortto's Customers.

Contract Performance means concluding, maintaining, and completing of a contract concluded between the Controller and a Data Subject, including Processing activities which take place at the request of the Data Subject before entering into a contractual relationship.

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the Controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Customers means Ortto's customers.

Data Subject is any natural person whose Personal Data is being collected, held or processed. Examples of a Data Subject can be an individual, a customer, a prospect, an employee, a contact person, etc.

Direct Marketing means personal data processed to communicate a marketing or advertising message. This definition includes messages from commercial organisations, as well as from charities and political organizations.

General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA); Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) https://eur-lex.europa.eu/eli/reg/2016/679/oj.

Legitimate Interest means the Controller’s interest to process Personal Data in order to carry out tasks related to the Controller‘s business activities. The processing of Personal Data in that context may not necessarily be justified by a legal obligation or carried out to execute the terms of a contract with a Data Subject.

Personal Data means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This includes, but is not limited to the term ‘Personal Information’ according to Article 1798.140 (o) (1-2) of the CCPA.

Personal Information means personally identifiable information that you could trace back to a real person according to Article 1798.140 (o) (1-2) of the CCPA.

Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

Products means all products distributed and sold by Ortto.

Services means all services provided by Ortto as a part of their Products.

Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those Personal Data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.

Sites means websites of Customers.