Date: 20.05.2020 (prev: 29.11.2019)
This Document describes and explains how cux.io (CUX, “We”, “Us”, “Our”, “Service”) collects and processes personal data, the purposes for processing and how we protect it.
It applies to:
- end-users (“End Users”) of the websites (“Customer Website(s)”) of Our Customers (“Our Customers”) – End Users section of this policy applies
- visitors (“Visitors”) of all our owned domains and operated websites and their subdomains – Visitors section of this policy applies
Please do not hesitate to contact us with any questions or issues you may have.
Who we are?
We are a company registered under the name CUX Research Sp. z o. o. having its registered address situated at Robotnicza 42A, 53-608 Wrocław, Poland REGON: 383714872, VAT ID: PL8943142798, KRS: 0000792391.
CUX complies with The Act of Personal Data Protection of Poland (‘Applicable Law’), which transposes all the relevant European Union directives relating to data protection.
What we do?
CUX is a software-as-a-service product that analyses and visualises the behaviour of website users. It helps our Customers understand how and why users behave the way they do.
We deliver a custom code snippet for each domain submitted to CUX by our Customer. This allows us to connect the End User’s browser to our servers. The connection is always established directly after the webpage is fully loaded and rendered, and is closed when the user closes the browser tab or the internet connection is interrupted. Every connection is established using SSL encryption with subdomains of .track.cux.io pointing to our servers in Roubaix, France (EU) or St. Ghislain, Belgium (EU).
What we collect?
We collect several different kinds of information from the End User’s browser. The data we collect is necessary to visualise users’ behaviour and is not excessive.
The information collected and processed includes:
- Device specific data
  - device’s IP address (we set the last two octets of IPv4 addresses to 0 and we strip the last 64 bits of IPv6 addresses to ensure the full IP address is never written to our storage or cache)
  - device screen resolution
  - browser viewport
  - browser color depth
  - screen orientation
  - device type (unique device identifiers), operating system, and browser type
  - geographic location (country only) based on anonymised IP
  - preferred language used to display site
- User interactions
  - Pointer events (movements, location, clicks, taps, swipes, gestures)
  - Keypresses (anonymised to the representation of key type like char, number, special)
- Website data
  - referring URL and domain
  - pages visited
  - tabs opened and visited
  - duration of the tab being focused
  - date, time and timezone when website pages were accessed
  - local storage
  - session storage
We use several storage engines in the End User’s browser to collect non-personal information including standard internet log information and behavioural metadata. This helps us to provide a better experience, identify preferences, diagnose technical problems, analyse trends and improve our services.
How we secure data?
We implemented various measures to ensure that the information is adequately protected against unauthorised access, use, disclosure, and destruction. Please keep in mind that risk can never be eliminated but can be significantly mitigated and reduced. CUX shall not be held liable by any Third Party, including our Customers and Visitors, in any event of unauthorised access, use and/or disclosure of information provided that such is not due to Gross Negligence, willful misconduct, fraud or bad faith by us.
What we did to significantly reduce the risk:
- access to the data stored on our servers is restricted to a limited number of employees and to users designated on our Customer’s accounts and Third Parties who can access the information only in specific and limited circumstances and are bound by confidentiality;
- our servers are protected by:
  - firewalls – a barrier between Our trusted, secure internal network and the Internet
  - IP restrictions, limiting access to whitelisted IPs
- services, applications and tools we are using are well known and delivered by trusted providers
- data collected from our Customers are stored only on servers related to a restricted area (which we identify as “production”) and can’t be copied to any other environment
- each Customer may only access information pertaining to its Customer Website that it is tracking and to the specific End Users visiting such Customer’s Website;
- we use HTTPS for providing secure transfer of data to prevent wiretapping and man-in-the-middle attacks
- due to our transparent policy, we are open to giving You access to the source code of our tracking code for audit purposes
Access and Disclosure
We do not rent or sell any information and data, but we do disclose Your information to a limited set of trusted Third Parties in the situations explained below, for which You, by using our Services, hereby explicitly consent.
- We will disclose Your personal information where We are bound to do so, at law or via a court order as well as to meet any legal or regulatory requirements or obligations. We will use all reasonable efforts to ensure that those requirements or obligations are in accordance with Applicable Law;
- We reserve the right to disclose Your information to any Third Party if We have reasonable information to believe that the disclosure is necessary for the purpose of an investigation and/or for the enforcement of any breaches of the Terms of Service (if applicable), to detect, prevent or otherwise address fraud, security, technical issues or other irregularities or illegalities, protect the rights and interests as well as the property of CUX;
- We may also share aggregated anonymised, non-personal information with the public or with any Third Party for publishing industry trends related to our services.
You may opt-out from our services by turning on Do Not Track functionality in your browser. For more information please visit donottrack.us
CUX may obtain contact details for electronic mail in relation to the sale of its Services and may, therefore, use such details for direct marketing of its Services. In all correspondence, You shall have the opportunity to unsubscribe from receiving direct marketing free of charge.
You may access a broad range of information about Your interactions with Our Site, including updating of your Account details and information. As a data subject, You may ask us, as the Data Controller, to confirm whether any of Your personal data is being processed.
You may deactivate Your account and/or unsubscribe from receiving content or offers from Us at any time, by emailing us at firstname.lastname@example.org. Following termination of Your account, we shall retain your personal information for a limited time for customer service issues only.
We use a select number of trusted Third Party providers to help us provide Services to You. We only share information with the Third Party that is required for the service they are offering and contractually bind these providers to keep any information We share with them as confidential and to be used only for particular purposes. For example, amongst others, We have providers that process Our credit card transactions, support Our internal ticketing/support system, and manage Our marketing communications. Similarly, it may be necessary to share Your personal information or part of it, with OVH which stores the information within their servers, solely related to the storage facilities. By using CUX, You explicitly consent to and authorise us to sub-contract in this manner.
The Controller of your personal data is CUX Research Sp. z o. o. having its registered address situated at Robotnicza 42A, 53-608 Wrocław, Poland REGON: 383714872, VAT ID: PL8943142798, KRS: 0000792391
We will process your personal data to deliver services provided under the Agreement on the provision of services by electronic means, which provides a basis for processing of your personal data by Us. If you have also voluntarily consented to receive marketing and commercial information from us, we will be processing your personal data also for this purpose.
Please be advised that under the Agreement concluded with Us, you are contractually obliged to provide the following personal data (this also being a prerequisite for providing our services):
- email address, password, name
- company data and address.
The provision of data for the purpose of pursuing legitimate interests of CUX is voluntary, yet necessary for the performance of the Agreement.
We will continue to process your personal data until cooperation has been concluded, that is, upon termination of the Agreement and once CUX determines that a client has no payment claims towards CUX (until CUX’s entitlements are collected through a recovery procedure and completed legal proceedings resulting in a final and legally valid court decision). As regards the data we process based on the legitimate interests pursued by CUX and based on the consent you have expressed – until the moment you notify us of your objection.
You have the right to request access to your personal data and order their rectification, erasure or restriction of processing. You also have the right to object to the processing of your personal data by CUX, as well as the right to transfer your personal data. If we are also processing your data under Article 6(1)(a) of the GDPR, that is, if you have given your consent to receiving marketing and commercial information, you have the right to withdraw this consent at any time. The processing of personal data by CUX is lawful from the moment consent has been expressed until it is withdrawn, which shall be the moment when such information has reached CUX. After the completion of the processing for the original purpose, data will not be processed for any other purpose. If you would like to exercise your rights referred to above, please email us at email@example.com.
- OVH: OVH Sp. z o.o. – stores the information within their servers, solely related to the storage facilities. https://www.ovh.pl/ochrona-danych-osobowych/
- OVH: OVH SAS – stores the information within their servers, solely related to the storage facilities. https://www.kimsufi.com/pl/dokumenty/
- GCP: Google Cloud Platform – stores the information within their servers, solely related to the storage and computing facilities. https://cloud.google.com/security/privacy
- HubSpot: HubSpot, Inc. – marketing and sales processes. https://legal.hubspot.com/privacy-policy
- PayLane Sp. z o.o – (Norwida 4, 80-280 Gdańsk, Poland, company number: 0000227278) – in order to process payments – https://paylane.pl/dokumenty-prawne/polityka-prywatnosci/
- Google Analytics – measure and analyse traffic on our website and app. https://policies.google.com/privacy
If You have any concerns about Your privacy, You are kindly requested to forward an email to us at firstname.lastname@example.org containing a detailed description of Your concerns. We will do our best to resolve such issues within a reasonable time.
Governing Law and Dispute Resolution