Privacy Policy
Last updated: August 25, 2023
The right to privacy is at the forefront of everything we do
We always strive to align our data processing activities with applicable laws, regulations, and leading data protection standards. Our aim is to provide our customers with an experience that is tailored and personalised for them, while respecting their privacy choices.
Due to the services we offer, how we process personal data will vary depending on which service you use. This privacy page describes at a higher level how we process personal data and work with privacy and data protection across our organisation.
We welcome any questions, thoughts and feedback on our privacy and data protection practices, and refer you to the (insert area) for more detailed information about your rights. In the meantime, we look forward to guiding you through Cludo’s privacy landscape.
Our way of working
The services we provide have personalisation, understanding and anticipating customer behaviour as fundamental parts of satisfying customer expectations and needs. When we implement and maintain data-driven functionalities, we always keep data protection principles in mind.
Our dedicated Privacy Team consists of a mix of legal and IT. The team works on a daily basis to provide Cludo with the necessary tools and guidance for applying privacy by design and default principles across the organisation. Cludo has a privacy roadmap and governance wheel, indicating yearly goals and achievements for our data protection work. We require our service providers to process and protect personal data in accordance with our own high standards, which include state-of-the-art technical and organisational measures.
We believe privacy awareness should flow throughout our whole organisation. Data protection awareness trainings are mandatory for all employees. In addition, targeted trainings are held where necessary, an internal privacy newsletter is distributed, and our internal CluedIn and company meetings bring legal matters to the table to constantly drive, raise and maintain awareness within Cludo.
Purpose, retention and legal basis
The overarching purpose for Cludo processing personal data is to provide our customers and partners with a specific service they have requested from us.
For example, a Cludo customer’s personal data is processed for the provision of Cludo as a SaaS to such customer, but this can be broken down into several sub-purposes. These include meeting the customer’s expectations of receiving a personalised experience based on what they have previously searched and getting suggestions about which content to search next. The same data could also be processed to improve and develop our platforms and services, and for billing and marketing purposes.
The legal basis for different processes will vary. For example, we base our processing to provide personalised searches in our Service on both our legitimate interest and the contractual obligation with the customer, since the personalisation feature forms a fundamental part of the service and is expected by our customers.
When we process data to improve our services, we often base such processing on our legitimate interest to continuously adapt and develop our service. When data is processed with our legitimate interest as the legal basis, we perform a balance of interest test, weighing the interest in question against the individual’s interest, and add supplementary security measures where possible (often pseudonymisation or anonymisation).
In relation to marketing purposes, Cludo sends a variety of newsletters via email to people who choose to subscribe to such information. This data is processed for as long as the subscription continues. At any time, the subscriber can choose to opt out from receiving further emails by using the unsubscribe button found in each newsletter or press release. The legal basis for sending electronic marketing communication in this manner is, depending on our relationship with the recipient and local laws, at times consent or otherwise legitimate interest with an absolute right to opt out.
Personal data may also be processed in relation to our partners, vendors and suppliers, productions, etc. Such personal data is processed as would be expected to carry out or maintain business relationships, including managing issues of a commercial, security, support, or regulatory compliance nature. For example, we may use our business partners’ contact information when communicating via phone or email, performing audits or other actions that could reasonably be expected. For day-to-day activities, this personal data will be processed with our legitimate interest as the legal basis and kept for as long as reasonably necessary in relation to the purpose.
Personal data is only kept for as long as necessary to achieve the purpose for which it was collected, after which it is deleted or anonymised. We are constantly evaluating our retention routines and abide by the principle that “good to have” is never a valid reason to keep personal data.
For further information on how we process personal data when you are using our various services, please visit the applicable privacy statement or contact us via email to privacy@cludo.com.
How we protect personal data
Any personal data collected by Cludo is stored on secure servers, and we use rigorous procedures to protect against loss, misuse, unauthorised access, alteration, disclosure, or destruction of personal data. In the event of a physical or technical incident, we maintain strict security and incident response plans to handle such incidents in a timely manner and to limit their negative effects.
Here are some examples of the technical and organisational measures we have in place to protect your personal data:
- We encrypt data to protect it during transmissions and, when possible, at rest.
- We anonymise or pseudonymise personal data as soon as possible from a technical perspective as long as it does not infringe on any processing purpose.
- Our services have security features including comprehensive DDoS protection and controls, logs and state-of-the-art firewalls.
- Our data processors are bound by agreements to maintain a level of security appropriate to the data being processed. Some of our suppliers must also answer questionnaires that include questions on IT security and data protection.
- We carry out a so-called penetration test, where an assigned third party tests our defences by trying to gain access to our systems.
- We restrict access to personal information to the specific Cludo employees, suppliers and agents who need this information in order to process it. Everyone with such access has strict contractual confidentiality obligations and access is often secured with two-step authentication.
- As part of our onboarding procedure, each new Cludo employee must complete a number of tests and trainings relating to information security, including the protection of personal data. The level of training is adapted to the level of sensitive information handled by the employee. All employees must complete annual training on data protection.
Behavioural data, personalisation and advertising
The core of many of our services is the way they are tailored and personalised to each customer’s preferences. To be able to provide our customers’ users with the possibility to get the right content in our Solution, we need to process personal data, in addition to aggregated and statistical data. In particular, we may process information about how our customers and their end-users behave on our services – so-called ‘behavioural data’ – to be able to provide a personalised content experience or to optimise our services.
We may process information about which search terms our customers are using, including how they spell them and which terms are used, as well as their device and geolocation. This behavioural data is used, among other things, to provide personalised features in our service, such as suggesting content, terms or spellings that might be interesting based on the customer’s behaviour.
When processing personal data for achieving the purpose of improving our services, we do not need to know who the customer or the end-user is. This is why we anonymise the behavioural data as soon as technically possible without infringing on the purpose. When anonymised, the behavioural data allows us to evaluate how large groups of customers respond to our customers’ use of the solution. This allows us to make our sites and services better and provide content that our customers are more likely to enjoy.
We also use personal data for marketing purposes. Subject to legal requirements, our customers may receive emails and other types of notifications regarding matters they might find interesting or offers related to our solution. Behavioural data may also be used to market our services and content towards others, but not in a way that requires us to identify an individual. For example, the data can be narrowed down, and hence anonymised, to geographical-only data that helps us understand what kind of content is popular where and ensure that the content is marketed accordingly. Subject to legal requirements, we also process data to be able to show advertisements that may be of interest for our customers. If advertisements are targeted through the use of data collected via cookies, it is possible at any time to deny the use of cookies, which will lead to us serving advertisements without any tailoring to the customer’s interests.
How and where data is transferred
Companies within Cludo
Personal data may be disclosed to other companies within Cludo if necessary for either business, legal or other legitimate purposes. Cludo companies with access to personal data follow our internal practices on how to process personal data.
Third parties for security or other legitimate reasons
We may disclose personal data to third parties if we reasonably believe that disclosure of such personal data is necessary:
- To comply with valid legal obligations including subpoenas, court orders, governmental requests or search warrants, and as otherwise authorised by law – we assess and document each request thoroughly[1];
- To protect our rights or property, or the safety of our customers or employees;
- To protect against fraudulent, malicious, abusive, unauthorised or unlawful use of, or subscription to, our services and to protect our network, services, devices and customers from such use;
- To advance or defend against complaints or legal claims in court, administrative proceedings and elsewhere;
- As part of mergers or acquisitions, provided that the prospective buyer or seller agrees to respect processing of personal data in a manner consistent with data protection legislation;
- To outside auditors and regulators.
Third party suppliers – as processors
We authorise third party suppliers to perform selected services for us, such as infrastructure and IT services (including but not limited to data storage), provision of communication, customer management, marketing and statistical analyses tools. In the performance of these services, third party suppliers may have access to personal data but are only authorised to process this data strictly on our behalf, in accordance with our instructions and bound by specific data processing agreements.
Where do we process personal data?
We strive to the greatest extent possible to process personal data within the European Union (“EU”) and/or the European Economic Area (“EEA”). Unfortunately, this is not always possible, as many necessary service providers process data outside the EU/EEA. If personal data is to be transferred to or accessed from a destination outside the EU/EEA, we perform transfer impact assessments and take all necessary steps to ensure that the data is processed securely in accordance with relevant data protection laws and practices. Such transfers only occur to countries that offer an adequate level of data protection or where necessary safeguards are in place to reach such adequate levels, such as standard contractual clauses and binding corporate rules together with appropriate supplementary measures.
How to Contact Us
If you have questions or complaints regarding this Policy or about Cludo’s privacy practices, please contact us by email at privacy@cludo.com, or at:
Address:
Cludo ApS
Frederikskaj 4
2450 København, Denmark
CVR: 36 72 68 49
Email address: privacy@cludo.com
[1] During 2022, Cludo received zero requests from law enforcement to access information.
Data Subject Rights
Cludo strives to empower individuals and give them control over their personal data. For more information on how you can exercise your rights connected to a specific service, follow the links below to the privacy statement applicable to such service. If you have any questions about our data protection practices, please contact us at privacy@cludo.com.
The right to be informed
We have detailed privacy statements in place to ensure that our customers, users, vendors, employees and other stakeholders stay informed and remain confident about the way we process personal data.
Right to access
You have the right to obtain confirmation from us as to whether your personal data is being processed, and, where that is the case, you have the right to access the personal data in question or a copy.
Right to rectification
If you find that the personal data that we process is inaccurate, you have the right to request that we correct this data.
Right to erasure (“right to be forgotten”)
Under certain circumstances, you have the right to request erasure of personal data processed by us as a controller. The right to have personal data erased is applicable if:
- The personal data is no longer necessary for the purpose for which we originally collected or processed it;
- We are relying on consent as the lawful basis for processing the data, and the consent is withdrawn by the individual;
- We are relying on legitimate interests as the lawful basis for processing the personal data, and the individual objects to that processing, and we have no overriding legitimate interest to continue processing;
- We are processing the personal data for direct marketing purposes and the individual objects to such processing;
- We have processed the personal data unlawfully (i.e., in breach of the lawfulness requirement in article 5.1 (a) of the GDPR);
- We must erase the data to comply with a legal obligation of the individual.
Right to restriction of processing
If the accuracy of personal data or our legitimate interest to process personal data are questioned, you have the right to request that we restrict processing of this data until a solution has been found.
Right to object to processing
If our legitimate interest to process personal data is questioned, you have the right to object to such processing.
Right to data portability
If personal data is processed by automated means based on consent or for the fulfilment of an agreement with you, you have the right to request that we provide you with the personal data in a machine-readable format for transmission to another data controller.
Right to lodge a complaint with a supervisory authority
If you have any questions or concerns with how we process personal data, we ask you to please let us know so that we can investigate the matter. You also have the right to file a complaint with a supervisory authority in Denmark:
Danish Data Protection Agency (“Datatilsynet”)
Carl Jacobsens Vej 35
2500 Valby, Denmark.