This SaaS Privacy Notice describes how we collect and use personal data of our customers in our role as a data controller in relation to the Immuta SaaS platform (“Services”).
This SaaS Privacy Notice does not apply to licensee data processed within the Services on behalf of Immuta’s customers, as in this situation, Immuta is not acting as a data controller, but as a data processor.
Please see our general Privacy Notice and Cookie Notice for additional information.
Personal data we collect and process
Personal data we may collect, receive, or generate about customer representatives may include:
- Contact information such as names, email addresses, job titles, work address, phone numbers, and signatures
- Account information related to customers’ authorized users of the Services such as names, email addresses, IP addresses, and other login details, which may be considered sensitive under certain applicable laws
- User metrics data, such as which role a user has within the customer’s Services instance, whether a user owns data sets, whether a user has created projects, whether a user has tagged data, and the user’s browser, device, and OS used, their referrer URL, and their Immuta user ID.
- Marketing and interest information, such as professional or business-related interests and characteristics, and communication traits.
- Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us about our Services, website, and other products and services, including chat transcripts and contents of emails you send.
Sensitive Personal Information
We recognize that certain jurisdictions have enacted laws with different requirements regarding the processing of certain sensitive personal information. “Sensitive Personal Information” includes special categories of personal information identified by certain laws. Except as set forth above, we do not collect Sensitive Personal Information in connection with the Services. Do not provide us with unsolicited Sensitive Personal Information.
How we collect personal data
Contact information, marketing and interest information, and feedback and correspondence are collected directly from customer representatives. Account information and user metrics data are collected directly from customer-authorized users of the Services. We may also receive information from our subsidiaries and affiliates.
Cookies. We also obtain certain information by automated means, such as cookies, web beacons, web server logs, and other technologies. A “cookie” is a text file that websites send to a visitor’s computer or other internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an internet tag, pixel tag or clear GIF, links web pages to web servers and cookies and may be used to transmit information collected through cookies back to a web server.
We may use these automated technologies on the Immuta SaaS offering to collect information about your equipment, browsing actions, and usage patterns. These technologies help us (1) remember your information so you do not have to re-enter it; (2) track and understand how you use and interact with our solution; (3) tailor the solution around your preferences; (4) measure the usability of our solution and the effectiveness of our communications; and (5) otherwise manage and enhance our products and services, and help ensure they are working properly.
Your browser may tell you how to be notified about certain types of automated collection technologies and how to restrict or disable them. Please note, however, that without these technologies, you may not be able to use all of the features of our solution. For mobile devices, you can manage how your device and browser share certain device data by adjusting the privacy and security settings on your mobile device.
For more information on our use of cookies and similar technologies, click here to review our cookie notice.
How we use personal data
We use personal data for the following purposes:
- Account registration, administration, billing, and communications with customers
- Perform accounting, and other internal functions such as internal reporting
- Enhance user experience and improve our products and services, such as to further develop popular features or new features, which we determine may be helpful for users based on user metrics data
- License compliance and fraud prevention, such as to ensure customers do not exceed the number of licenses to the Services they purchased, and to prevent fraudulent use of the Services by individuals not authorized to use them
- To maintain the security of our systems and facilities
- Prepare for and engage in internal and external audits and similar assurance-providing processes and procedures
- Prepare for, engage in, complete, or follow up on mergers, acquisitions, or similar corporate transactions
- Prepare for and engage in actual or anticipated legal proceedings, including alternative dispute resolution, mediation, or administrative or court proceedings
- Comply with and enforce applicable legal requirements, industry standards, and Immuta policies, agreements, and other terms
We may also use personal data in other ways for which we provide specific notice at the time of collection.
To whom we may disclose personal data
We disclose personal data to service providers or authorize them to process the data to pursue one or more of the purposes described in this Privacy Notice. Our service providers include:
- Billing and accounting tool providers
- Contract management tool providers
- Communication tool providers
- User metrics collection and management tool providers
- Technology, hosting, and other related providers
- Security providers
- Legal service providers
- Auditors
- Advisors and consultants
We may also disclose personal data to other third parties, such as governmental authorities (as may be required by law or legal process) and debt collection agencies, and in the context of corporate transactions (including mergers and acquisitions).
How we secure personal data
We maintain physical, technical, and administrative safeguards designed to protect personal data against accidental, unlawful, or unauthorized access, destruction, loss, alteration, disclosure, or use. Our security procedures mean that we may request proof of identity before we disclose personal data to you. Although we use measures to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures.
Location of personal data
Personal data is hosted in the United States. Whenever we transfer personal data subject to international transfer restrictions, we ensure that the information is transferred in accordance with this Privacy Notice and as permitted by applicable data protection laws.
Retention of personal data
We keep personal data for as long as it is required in order to fulfill the relevant purposes described in this Privacy Notice and as may be required by law (including for tax and accounting purposes), or as otherwise communicated to you. The period for which we retain personal data is based on factors such as the type of information collected (i.e., its sensitivity), the intended purposes or use, legal requirements, the potential risk of harm from unauthorized use or disclosure of the information, the resolution of any pending or threatened disputes, and enforcement of our agreements. If we de-identify your personal information (so that it can no longer be associated with you and thus is no longer considered personal information under applicable laws), we may retain this information for longer periods.
Your rights
Subject to applicable law, you may have the right to:
- Ask whether we hold personal data about you and request copies of such personal data and information about how it is processed.
- Request that the inaccurate, incomplete, or outdated personal data be corrected or completed.
- Request the deletion of personal data in certain circumstances.
- Request to restrict the processing of your personal data in certain circumstances.
- Object to the processing of personal data on grounds relating to your particular situation.
- Request that we provide a copy of your personal data to you in a structured, commonly used, and machine-readable format in certain circumstances.
When you consent to our processing your personal data for a specified purpose, you may withdraw your consent at any time, and we will stop any further processing of your data for that purpose. If you wish to exercise any of these rights, please contact us at [email protected]. You can also lodge a complaint with the data protection authority in your country.
You can contact our Data Protection Officer (DPO) at [email protected]. Individuals and the data protection supervisory authorities in the EU may also contact our EU representative according to Art. 27 GDPR: Mishcon de Reya Representative Services (Europe) Limited 2nd Floor, 1 – 2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland, [email protected]
Unsubscribing. You can tell us at any time not to send you marketing communications by e-mail by clicking on the unsubscribe link within the marketing emails you receive from us, or by sending an “opt out” request to the address indicated on such email. You may request not to be contacted in connection with any new services, updates, news, or events by contacting us as described below. You may also unsubscribe via our preference center at this link: https://go.immuta.com/manage-email-preferences.
Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your deletion or correction request. We may require you to verify your email address or phone number in our records and/or provide any of the following information:
- Contact information (such as name, email, phone number, and address); and
- An indication of your prior contact with Immuta (such as prior contact with customer service, or other contact).
In addition, if you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the individual whose personal information is the subject of the request.
Updates to our Privacy Notice
We may update this Privacy Notice from time to time and without prior notice to you to reflect changes in our personal data practices. We will indicate at the top of the policy when it was most recently updated.
How to Contact Us
You can update your preferences, submit a request or ask us questions about this Privacy Notice or our practices by emailing us at [email protected] or writing to us at:
Immuta, Inc.,
Attn: Mike Scott
886 N. High Street, 3rd Floor
Columbus, OH
43215, USA7878 Di
Additional information for certain jurisdictions
Please see below for additional information applicable to individuals who are located or reside in certain jurisdictions, such as the EEA,the United Kingdom, and California.
California, US
This California Consumer Privacy Statement supplements the Immuta SaaS Privacy Notice and applies solely to personal information collected about California consumers.
This California Consumer Privacy Statement uses certain terms that have the meaning given to them in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CCPA”).
Notice of Collection and Use of Personal Information
We may collect (and may have collected during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement) the following categories of personal information about you:
- Identifiers such as real name, electronic identifier, job titles, and email address.
- Online activity such as Internet and other electronic network activity information, including, but not limited to, page views, clicks, and information regarding your interaction with Immuta SaaS website, portals, and applications, and customer support tools.
- Inferences: inferences drawn from any of the information identified above to create a profile about you, reflecting how our services are being used and how your user experience could be optimized.
- Sensitive information, such as login credentials to access the Services.
We may use (and may have used during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement) your personal information for the purposes described above in the section titled “How we use personal data.”
To the extent we process deidentified information, we will maintain and use the information in deidentified form and will not attempt to reidentify the information unless permitted by applicable law.
Sources of Personal Information
During the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement, we may have obtained personal information about you from the following categories of sources:
- Directly from you and your devices, such as when you contact us, register as a user of the Services, or otherwise use the Services
- Our affiliates
Sale or Sharing of Personal Information
We do not sell or share your personal information in this context. For more information about marketing activities, see our main privacy notice.
Disclosure of Personal Information
During the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement, we may have disclosed the following categories of personal information about you for a business purpose to the following categories of third parties:
| Category of Personal Information | Categories of Third Parties |
|---|---|
| Identifiers |
|
| Online Activity |
|
| Inferences |
|
| Sensitive information |
|
In addition to the categories of third parties identified above, during the 12-month period prior to the Last Updated date of this California Consumer Privacy Statement, we may have disclosed personal information about you to government entities and third parties in connection with corporate transactions, such as mergers, acquisitions, or divestitures.
Your California Privacy Rights
As a resident of California, you have certain rights under the CCPA, namely:
- Right to Access/ Know – You have the right to request any or all the following information relating to your personal information that we have collected and disclosed in the last 12 months, upon verification of your identity:
- The specific pieces of personal information we have collected about you.
- The categories of personal information we have collected about you.
- The categories of sources of personal information.
- The categories of personal information that we have disclosed to third parties for a business purpose, and the categories of recipients to whom this information was disclosed.
- The categories of personal information we have sold or shared about you (if any), and the categories of third parties to whom the information was sold or shared; and,
- The business or commercial purposes for collecting the personal information.
- We do not “sell” personal information as that term is defined in the CCPA.
- Right to request correction – You have the right to request that we correct the personal information we maintain about you, if that information is inaccurate.
- Right to request deletion – You have the right to request the deletion of personal information that we have collected from you, subject to certain exceptions.
- The Right to Opt Out of Sharing – You have the right to opt out of the sharing of your personal information for cross-context behavioral advertising purposes.
However, please note that if the exercise of these rights limits our ability to process personal information (such as in the case of a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner.
- The Right to Non-Discrimination and Non-Retaliation – You have the right not to receive discriminatory or retaliatory treatment for exercising these rights.
- The Right to Limit Use of Sensitive Personal Information – You have the right to limit our use of your sensitive personal information (as defined in the CCPA). As discussed above, we do not require and do not wish to receive your sensitive personal information. Do not provide us with any sensitive personal information. If you think we have processed your sensitive personal information, please contact us.
- “Shine the Light” – California residents who have an established business relationship with us have rights to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law (Civ. Code §1798.83).
Exercising your rights
If you wish to exercise your California privacy rights, please click here to fill in the form.
You could also contact us at [email protected]. Please specify in your email which right(s) you are seeking to exercise.
To submit a request as an authorized agent on behalf of a consumer, please submit a signed authorization form from the consumer.
Verifying Requests. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your deletion or correction request. If you have an account with us, we may verify your identity by requiring you to sign in to your account. If you do not have an account with us and you request access to, correction of or deletion of your personal information, we may require you to verify your email address or phone number in our records and/or provide any of the following information:
- Contact information (such as name, email, phone number, and address); and
- An indication of your prior contact with Immuta (such as prior contact with customer service, or other contact).
In addition, if you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
European Economic Area (EEA) and the United Kingdom (UK)
Identity of the controller
Immuta, Inc., with offices at 886 N. High Street, 3rd Floor, Columbus, OH 43215, USA, is responsible for the processing of your personal data as described in this Privacy Notice.
Legal bases
We process your personal data on one or more of the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account registration, administration, billing, and communications with customers. | As necessary to enter into a contract or to perform our contractual obligations. |
| Perform accounting and other internal functions such as internal reporting to generate statistics to identify trends and opportunities. | For compliance with legal obligations and for our legitimate interest in understanding our business context and environment, as well as the markets in which we operate. |
| Enhance user experience and improve our products and services. | For our legitimate interest in improving our products and services. |
| License compliance and fraud prevention. | For our legitimate interest in keeping our customers, suppliers, and Services safe and secure. |
| Prepare for and engage in internal and external audits and similar assurance-providing processes and procedures. | For our legitimate interest in verifying the compliance of our internal processes and procedures, and obtaining an adequate level of assurance. |
| Prepare for, engage in, complete, or follow up on mergers, acquisitions, or similar corporate transactions. | For our legitimate interest in engaging in corporate transactions. |
| Prepare for, and engage in, actual or anticipated legal proceedings, including alternative dispute resolution, mediation, or administrative or court proceedings. | For our legitimate interest in defending ourselves and our interests. |
| Comply with and enforce applicable legal requirements, industry standards, and Immuta policies, agreements, and other terms. | As necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders. For our legitimate interest in enforcing our agreements and implementing industry standards. |
In accordance with applicable law, we take reasonable measures to ensure that the interests we pursue are balanced with your interests, rights, and freedoms, which we are happy to explain upon request.
Your Rights
Subject to applicable law, you have the right to:
- ask whether we hold personal data about you and request copies of such personal data and information about how it is processed.
- request that inaccurate, incomplete or outdated personal data is corrected or updated.
- request the deletion of personal data in certain circumstances.
- request to restrict the processing of your personal data in certain circumstances.
- object to the processing of personal data on grounds relating to your particular situation.
- request that we provide a copy of your personal data to you in a structured, commonly used and machine readable format in certain circumstances.
When you consent to our processing your personal data for a specified purpose, you may withdraw your consent at any time, and we will stop any further processing of your data for that purpose. If you wish to exercise any of these rights, please contact us at [email protected]. You can also lodge a complaint with the data protection authority in your country.
You can contact our Data Protection Officer (DPO) at [email protected]. Individuals and the data protection supervisory authorities in the EU may also contact our EU representative according to Art. 27 GDPR:
Mishcon de Reya Representative Services (Europe) Limited 2nd Floor, 1 – 2 Victoria Buildings, Haddington Road, Dublin 4, D04 XN32, Ireland, [email protected]
International transfers
We transfer personal data from the EEA and the UK to the United States by entering into the European Commission’s EU Standard Contractual Clauses and the UK Transfer Addendum (if appropriate) or on the basis of either a derogation when the transfer is necessary for the conclusion or performance of a contract, for the implementation of pre-contractual measures taken at your request, or upon your explicit consent, depending upon the categories of personal data and the purpose of the processing at stake. To obtain a copy of the safeguards we have put in place, please contact us as indicated below.
Alternatively, we ensure that the data recipient is located in a country that has been the subject of an adequacy decision