Date: 20.05.2020 (prev: 29.11.2019)
This Document describes and explains how cux.io (CUX, “We”, “Us”, “Our”, “Service”) collects and processes personal data, the purposes for processing and how we protect it. It applies to:
end-users (“End Users”) of Our Customers’ websites (“Customer Website(s)”) of Our Customers (“Our Customers”) – End Users section of this policy applies
visitors (“Visitors”) of all our owned domains and operated websites and its subdomains – Visitors section of this policy applies
Please do not hesitate to contact us with any questions or issues you may have.
Who we are?
We are a company registered under the name CUX Research Sp. z o. o. having its registered address situated at Robotnicza 42A, 53-608 Wrocław, Poland REGON: 383714872, VAT ID: PL8943142798, KRS: 0000792391. CUX complies with The Act of Personal Data Protection of Poland, (‘Applicable Law’), which transposes all the relevant European Union directives relating to data protection.
What we do?
CUX is a software as a service that analyse and visualise websites’ users behaviour. It helps our Customers out to understand how and why users behave in way they do. We are delivering custom code snippet for each domain submitted to CUX by our Customer. This will allows us to connect browser of End User to our servers. Connection is always established directly after webpage is fully loaded and rendered end will be closed when user closes browser tab or internet connection will be interrupted. Every single connection is established using SSL encryption with subdomains of .track.cux.io pointing to our servers in Roubaix, France (EU) or St. Ghislain, Belgium (EU).
What we collect?
We are collecting several different informations from End User browser. Data we collect are necessary to visualise users behaviour and they are not excessive.
The information collected and processed includes:
Device specific data
device’s IP address (we set the last two octets of IPv4 addresses to 0 and we strip last 64 bits of IPv6 to ensure the full IP address is never written to our storage or cache)
device screen resolution
browser color depth
device type (unique device identifiers), operating system, and browser type
geographic location (country only) based on anonymised IP
preferred language used to display site
Pointer events (movements, location, clicks, taps, swipes, gestures)
Keypresses (anonymised to the representation of key type like char, number, special)
referring URL and domain
tabs opened and visited
duration of the tab being focused
date, time and timezone when website pages were accessed.
We are using several storage engines on End User browser to collect non-personal information including standard internet log information and behavioural metadata. This helps us to provide a better experience, identify preferences, diagnose technical problems, analyse trends and improve our services.
How we secure data?
We implemented various measures to ensure that the information is adequately protected against unauthorised access, use, disclosure, and destruction. Please keep in mind that risk can never be eliminated but can be significantly mitigated and reduced. CUX shall not be held liable by any Third Party, including our Customers and Visitors, in any event of unauthorised access, use and/or disclosure of information provided that such is not due to Gross Negligence, willful misconduct, fraud or bad faith by us.
What we did to significantly reduce the risk:
access to the data stored on our servers are restricted to a limited number of employees and to users designated on our Customer’s accounts and Third Parties who can access the information only in specific and limited circumstances and are bound by confidentiality;
our servers are protected by:
firewalls – a barrier between Our trusted, secure internal network and the Internet
IP restrictions, limiting access to whitelisted IPs
services, applications and tools we are using are well known and delivered by trusted providers
data collected from our Customers are stored only on servers related to a restricted area (which we identify as “production”) and can’t be copied to any other environment
each Customer may only access information pertaining to its Customer Website that it is tracking and to the specific End Users visiting such Customers Website;
we use HTTPS for providing secure transfer of data to prevent wiretapping and man-in-the-middle attacks
due to our transparent policy, we are open to give You access to source code of our tracking code for audit purposes
Access and Disclosure
We do not rent or sell any information and data, but we do disclose Your information to a limited set of trusted Third Parties in the situations explained below, for which You, by using our Services, hereby explicitly consent.
We will disclose Your personal information where We are bound to do so, at law or via a court order as well as to meet any legal or regulatory requirements or obligations. We will use all reasonable efforts to ensure that those requirements or obligations are in accordance with Applicable Law;
We reserve the right to disclose Your information to any Third Party if We have reasonable information to believe that the disclosure is necessary for the purpose of an investigation and/or for the enforcement of any breaches of the Terms of Service (if applicable), to detect, prevent or otherwise address fraud, security, technical issues or other irregularities or illegalities, protect the rights and interests as well as the property of CUX;
We may also share aggregated anonymised, non-personal information with the public or with any Third Party for publishing industry trends related to our services.
The Controller of your personal data is CUX Research Sp. z o. o. having its registered address situated at Robotnicza 42A, 53-608 Wrocław, Poland REGON: 383714872, VAT ID: PL8943142798, KRS: 0000792391 We will process your personal data to deliver services provided under the Agreement on the provision of services by electronic means, which provides a basis for processing of your personal data by Us. If you have also voluntarily consented to receive marketing and commercial information from us, we will be processing your personal data also for this purpose. Please be advised that under the Agreement concluded with Us, you are contractually obliged to provide the following personal data (this also being a prerequisite for providing our services):
email address, password, name
company data and address.
The provision of data for the purpose of pursuing legitimate interests of CUX is voluntary, yet necessary for the performance of the Agreement.
We will continue to process your personal data until cooperation has been concluded, that is, upon termination of the Agreement and once CUX determines that a client has no payment claims towards CUX (until CUX’s entitlements are collected through a recovery procedure and completed legal proceedings resulting in a final and legally valid court decision). As regards the data we process based on the legitimate interests pursued by CUX and based on the consent you have expressed – until the moment you notify objection. You have the right to request access to your personal data and order their rectification, erasure or restriction of processing. You also have the right to object to the processing of your personal data by CUX, as well as the right to transfer your personal data. If we are also processing your data under Article 6(1)(a) of the GDPR, that is, if you have given your consent to receiving marketing and commercial information, you have the right to withdraw this consent at any time. The processing of personal data by CUX is lawful from the moment consent has been expressed until it is withdrawn, which shall be the moment when such information has reached CUX. After the completion of the processing for the original purpose, data will not be processed for any other purpose. If you would like to exercise your rights referred to above, please email us at firstname.lastname@example.org.
OVH: OVH Sp. z o.o. – stores the information within their servers, solely related to the storage facilities. https://www.ovh.pl/ochrona-danych-osobowych/
OVH: OVH SAS – stores the information within their servers, solely related to the storage facilities. https://www.kimsufi.com/pl/dokumenty/
GCP: Google Cloud Platform – stores the information within their servers, solely related to the storage and computing facilities. https://cloud.google.com/security/privacy
HubSpot: HubSpot, Inc. – marketing and sales processes. https://legal.hubspot.com/privacy-policy
PayLane Sp. z o.o – (Norwida 4, 80-280 Gdańsk, Poland, company number: 0000227278) – in order to process payments – https://paylane.pl/dokumenty-prawne/polityka-prywatnosci/
Google Analytics – measure and analyse traffic on our website and app. https://policies.google.com/privacy
If You have any concerns about Your privacy, You are kindly requested to forward an email to us at email@example.com containing a detailed description of Your concerns. We will do our best to resolve such issues within a reasonable time.
Governing Law and Dispute Resolution