PRIVACY NOTICE
Last updated October 23, 2024
Cresta Intelligence Inc. (“ We”, “ Cresta”, or the “ Company”) respects your privacy and we are committed to protecting your personal information. Please carefully review this Privacy Notice (“ Notice”) to learn more about our privacy practices and your rights and choices. Throughout this Notice, “Personal Information” means information that identifies, relates to, or could reasonably be linked to you, directly or indirectly.
This Notice describes how we receive, use, disclose, and protect personal information collected:
- through our website, www.cresta.com, and any other Company website where this Notice is posted or linked;
- in connection with our business development and marketing activities; and
- through our other offline and business interactions with you, such as in-person interactions at conferences (collectively, 1-3 are referred to in this Notice as the “ Services”).
This Notice does not apply to:
- Personal information that we receive from our customers in connection with the delivery of our products and services to those customers (“ Customer Personal Information”). Our processing of Customer Personal Information is subject to our agreement with each specific customer.
- Personal Information collected from and about applicants, employees, and contractors, which is addressed in our
Employee Privacy Notice.
If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please contact us at [email protected].
SUMMARY OF KEY POINTS
What personal information do we process? We process different personal information depending on how you interact with us and the Services. Learn more below about the information that we process.
Do we process any sensitive personal information? In the normal course of business, we do not process sensitive personal information through your use of the Services, nor do we have any need for your sensitive personal information. Please do not provide us with any sensitive personal information. If you believe that you have accidentally provided such information, please contact us as soon as possible.
Do we receive any information from third parties? We may receive your personal information from public databases, marketing partners, social media platforms, and other outside sources. Learn more about information collected from other sources.
How do we process your information? We process your personal information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with our legal obligations. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.
In what situations and with which types of parties do we share personal information? We may share your personal information in specific situations and with specific categories of third parties. Learn more about when and with whom we share your personal information.
How do we keep your information safe? We have organizational and technical processes and procedures in place that are designed to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure, and we cannot guarantee that unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Learn more about
how we keep your information safe.
What are your rights? Depending on your location, you may have certain rights regarding your personal information under applicable privacy law. Learn more about your privacy rights.
How do you exercise your rights? The easiest way to exercise your rights is by submitting a Data Subject Access Request
here or by contacting us via email at [email protected]. We will act upon any request in accordance with applicable data protection laws.
TABLE OF CONTENTS
- What information does Cresta collect?
- How do we collect your information?
- Why do we process your information?
- What legal bases do we rely on to process your information?
- Do we sell or share your personal information?
- Do we use cookies and other tracking technologies?
- Is your information transferred internationally?
- How long do we keep your information?
- How do we keep your information safe?
- Do we collect information from minors?
- What rights do you have in your data?
- How do you exercise your rights?
- Do we make updates to this notice?
- How can you contact us about this notice?
1. What information does Cresta collect?
In the regular course of business, we collect categories of personal information in accordance with the following table:
Category | Data types | Collected |
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (“ California Personal Information”). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories. | YES |
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
D. Commercial Information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
E. Biometric Information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
F. Internet or other similar network activity (“ Internet Activity”). | Browsing history, search history, information on a Consumer’s interaction with a website, application, or advertisement. | YES |
G. Geolocation Data. | Physical location or movements. | YES |
H. Sensory Data. | Audio, electronic, visual, thermal, olfactory, or similar information. | YES |
I. Professional or employment-related information (“ Professional Information”). | Current or past job history or performance evaluations. | YES |
J. Non-public education information (per the Family Educational Rights and Privacy Act. | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
K. Inferences drawn from other Personal Information (“ Inferential Information”). | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |
L. Sensitive Personal Information | A Consumer’s social security, driver’s license, state identification card, or passport number; a Consumer’s account log-ln, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; a Consumer’s precise geolocation; a Consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; the contents of a Consumer’s mail, email and text messages, unless the business is the Intended recipient of the communication; a Consumer’s genetic data; and the processing of biometric information for the purpose of uniquely identifying a Consumer; Personal Information collected and analyzed concerning a Consumer’s health; or Personal Information collected and analyzed concerning a Consumer’s sex life or sexual orientation. | NO |
2. How do we collect your information?
A. Personal information you disclose to us
In Short:
We collect personal information that you provide to us.
The personal information that we collect from you depends on the context of your interactions with us and the Services. We collect personal information that you voluntarily provide to us when you register to use the Services, express an interest in obtaining information about us or our products and Services, or when you otherwise contact us or interact with us, including through surveys or at events hosted by us or by third parties in which we participate (i.e. trade shows).
B. Information automatically collected
In Short:
Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you use the Services.
We automatically collect certain information when you use the Services, including through cookies and similar technologies. This may include Identifiers, California Personal Information, Internet Activity, Geolocation Data, Professional Information, and Inferential Information. This information is primarily needed for internal analytics, as well as to maintain the security and operation of our Services.
C. Information collected from other sources
In Short:
We may collect data from public databases, marketing partners, and other outside sources.
In order to provide relevant marketing, offers, and services to you (including through targeted advertising and event promotion) and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, and data brokers. This information includes Identifiers, California Personal Information, Internet Activity, Geolocation Data, Professional Information, Commercial Information, and Inferential Information.
3. Why do we process your information?In Short:
We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication and otherwise manage user accounts. We may process your information so you can create and log in to your account, as well as keep your account in working order.
- To deliver the Services. We may process your information to provide you with the requested Service.
- To respond to user inquiries/offer support to users. We may process your information to respond to your inquiries and solve any potential issues you might have with the requested service.
- To send administrative information to you. We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
- To request feedback. We may process your information when necessary to request feedback and to contact you about your use of our Services.
- To send you marketing and promotional communications. We may process the personal information you send to us for marketing purposes. You can opt out of our marketing emails at any time. However, we may still communicate with you for non-marketing purposes — for example, to send you service-related messages that are necessary for the administration and use of your account, or to respond to service requests.
- To deliver targeted advertising to you. We may process your information to develop and display personalized content and advertising tailored to your interests, location, and more.
- To protect our Services. We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
- To identify usage trends. We may process information about how you use our Services to better understand how they are being used so we can improve them.
- To determine the effectiveness of our marketing and promotional campaigns. We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
- To save or protect an individual’s vital interest. We may process your information when necessary to save or protect an individual’s vital interest, such as to prevent harm.
4. What legal bases do we rely on to process your information?
In Short:
We only process your personal information when we believe it is necessary and we have a valid legal basis under applicable law, to comply with laws, to provide you with services, to enter into or fulfill our contractual obligations, to protect your rights, or to fulfill our legitimate business interests.
If you are located in the EU or UK, the following information applies to you.
The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. These legal bases include:
Processing Purpose | Category of Information | Legal basis |
Delivery of the Services (including account creation, support services, responding to user inquiries and providing administrative information to users, maintaining the security of the Services, and developing analytics of use of the Services) | Identifiers, Internet Activity, Geolocation Data, | Performance of a Contract, Legitimate Interests, Consent |
Marketing and Advertising purposes | Professional Information, Commercial Information, Internet Activity, Inferential Information | Performance of a Contract, Legitimate Interests, Consent |
To comply with applicable law | Any data relevant to comply with applicable law | Legal Obligations |
With your consent | Any data for which we are required to obtain consent by applicable law | Consent |
- Consent. We may process your information if you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time. Learn more about withdrawing your consent.
- Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
- Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information in order to:
- Send you information about special offers and discounts on our products and services
- Analyze how our Services are used so we can improve them to engage and retain users
- Support our marketing activities
- Diagnose problems and/or prevent fraudulent activities
- Understand how our users use our products and services so we can improve user experience
- Legal Obligations. We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
- Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.
In legal terms, we are generally the “data controller” under European data protection laws of the personal information described in this privacy notice, since we determine the means and/or purposes of the data processing we perform. This privacy notice does not apply to the personal information we process as a “data processor” on behalf of our customers. In those situations, the customer that we provide services to is the “data controller” responsible for your personal information, and we process your information on their behalf in accordance with your instructions. If you want to know more about our customers’ privacy practices, you should read their privacy policies and direct any questions you have to them.
If you are located in Canada the following information applies to you
We may process your information if you have given us specific permission (i.e., express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (i.e., implied consent). You can withdraw your consent at any time.
In some exceptional cases, we may be legally permitted to process your information without your consent, including, for example:
- If it is clearly in the interests of an individual and consent cannot be obtained in a timely way
- For investigations and fraud detection and prevention
- For business transactions, provided certain conditions are met
- If it is contained in a witness statement and the collection is necessary to assess, process, or settle an insurance claim
- If we have reasonable grounds to believe an individual has been, is, or may be victim of financial abuse
- If it is reasonable to expect collection and use with consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province
- If disclosure is required to comply with a subpoena, warrant, court order, or rules of the court relating to the production of records
- If it was produced by an individual in the course of their employment, business, or profession and the collection is consistent with the purposes for which the information was produced
- If the collection is solely for journalistic, artistic, or literary purposes
- If the information is publicly available and is specified by the regulations
In Short:
We may sell or share information in specific situations described in this section and/or with the following categories of third parties.
Vendors, Consultants, and Other Third-Party Service Providers. Although we do not and will not sell your data for monetary consideration (i.e. providing your data in exchange for money), our use of online tracking technologies and third-party vendors may be considered a “sale” / “sharing” under applicable law. We may sell or share your data to or with third-party vendors, service providers, contractors, or agents (“ third parties“) who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties that are designed to help safeguard your personal information. The categories of third parties we may share personal information with are as follows:
- Website Hosting Service Providers
- Cloud Computing Services
- Testing Tools
- Product Engineering & Design Tools
- Data Analytics Services
- Data Storage Service Providers
- Natural Language API Providers
- Ad Networks
- Communication & Collaboration Tools
- Sales & Marketing Tools
- Social Networks
We also may need to share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
- Affiliates. We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our subsidiaries, joint venture partners, or other companies that we control.
- Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
In Short:
We may use cookies and other tracking technologies to collect and store your information.
We and our third–party partners and service providers (such as advertising networks, analytics providers and social media platforms and networks) use pixels, web beacons, software developer kits, third–party libraries, cookies, and other similar online tracking technologies (collectively, “online tracking technologies”) to gather information when you interact with the Servies. Some online tracking technologies help us maintain the security of our websites and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.
We also permit third parties and service providers to use online tracking technologies on our Sites for analytics and advertising, including to help manage and display advertisements and to tailor advertisements to your interests (depending on your communication preferences). The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear on Cresta’s websites or other websites or in our email communications
To the extent these online tracking technologies are deemed to be a “sale” / “sharing” (which includes targeted advertising, as defined under the applicable laws) under applicable U.S. state laws, you can opt-out of these online tracking technologies via the Privacy Settings link at the bottom of our website,www.cresta.com or by submitting a request via [email protected]. Please note, some features of our websites may not be available to you as a result. Within Google Analytics, you may exercise an opt out going to tools.google.com/dlpage/gaoptout or downloading the Google Analytics Opt-out Browser Add-on. You may adjust your Google advertising settings by visiting adssettings.google.com.
7. Is your information transferred internationally?
In Short:
We may transfer, store, and process your information in countries other than your own.
Our servers are located in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed by us in our facilities and by those third parties with whom we may share your personal information in the United States and other countries.
If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland (together, “ Europe”), then these countries may not necessarily have data protection laws or other similar laws as comprehensive as those in your country. However, in such cases, we take measures to protect your personal information in accordance with this privacy notice and applicable law.
International data transfers
We have implemented appropriate safeguards to protect your personal information, which are designed to give personal information effectively the same protection as it has in Europe, including by using standard-form contracts approved by the relevant authorities for transfers of personal information between our group companies and between us and our third-party providers. These clauses require all recipients to protect all personal information that they process originating from Europe in accordance with European data protection laws and regulations. Our standard-form contracts can be provided upon request.
8. How long do we keep your information?
In Short:
We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law or until you request its deletion.
We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements) or if you request its deletion.
When we no longer need to process your personal information, we will either delete or anonymize such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
9. How do we keep your information safe?
In Short:
We aim to protect your personal information through a system of organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.
10. Do we collect information from minors?
In Short:
We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market the Services or our products to children under 18 years of age. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor dependent’s use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at [email protected].
11. What rights do you have in your data?
In Short:
Under applicable law, you may have various rights with respect to your data, however, these rights are not absolute, and in certain cases, we may decline your request as permitted by law.
If we maintain your Personal Information, you may have the right to:
- Be informed about our collection and use of your personal information; the categories of personal information that we collect; the purposes for which the collected personal information is used; whether we sell or share personal information to third parties; the categories of personal information that we sold, shared, or disclosed for a business purpose; the categories of third parties to whom the personal information was sold, shared, or disclosed for a business purpose; the business or commercial purpose for collecting, selling, or sharing personal information; and the specific pieces of personal information we collected about you;
- Access your Personal Information;
- Correct inaccuracies in your Personal Information;
- Request deletion of your Personal Information: You can ask us to delete your personal information and we will respect your request and delete your personal information, subject to certain exceptions provided by law, such as (but not limited to) the exercise by another consumer of his or her right to free speech, our compliance requirements resulting from a legal obligation, or any processing that may be required to protect against illegal activities;
- Obtain a copy of the Personal Information you previously shared with us;
- Opt out of or object to the processing of your Personal Information, including if it is used for targeted advertising, the sale or sharing of Personal Information, or profiling in furtherance of decisions that produce legal or similarly significant effects;
- Opt out of automated decision making;
- Withdraw your consent: If we are relying on your consent to process your personal information, which may be express and/or implied consent depending on the applicable law, you have the right to withdraw your consent at any time. You can contact us at any time to withdraw your consent. Please note that this will not affect the lawfulness of the processing before its withdrawal nor, when applicable law allows, will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
We may use your personal information for our own business purposes, such as for undertaking internal research for technological development and demonstration. This is not considered to be “selling” of your personal information.
We have shared personal information with the following categories of third parties: Ad Networks, Data Analytics Services, Social Networks.
California Residents
California residents may request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request using the contact information provided below.
12. How do you exercise your rights?
To exercise your rights, or for any other inquiry related to our processing of Personal Information please contact us by submitting a Data Subject Access Request
here
or by referring to the contact details at the bottom of this document. If you have a complaint or question(s) about how we handle your data, we would like to hear from you. We will not discriminate against you if you exercise your privacy rights.
Verification process
Upon receiving your Data Subject Access Request, we will need to verify your identity, which may require you to provide additional personal information or require us to contact you through a communication method (e.g., phone or email) that you have previously provided to us. We may also use other verification methods as the circumstances dictate.
You can designate an authorized agent to make a request on your behalf. However, we may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable law.
We will only use personal information provided in your request to verify your identity or authority to make the request. To the extent possible, we will avoid requesting additional information from you for the purposes of verification. However, if we cannot verify your identity from the information already maintained by us, we may request that you provide additional information for the purposes of verifying your identity and for security or fraud-prevention purposes. We will delete such additional information as soon as we finish verifying you.
Upon receiving your request and verification of your identity, we will respond without undue delay but, in all cases, within the time period required by applicable law.
If we decline to take action regarding your request and you wish to appeal our decision, please email us at [email protected]. Within the time period required by law, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of our decision.
Depending on applicable law, if your appeal is denied or if you otherwise believe that our processing of your personal information is unlawful, you may contact your attorney general, privacy commissioner, or other relevant data protection authority to submit a complaint:
- For users in the European Economic Area – the contact information for the data protection regulator in your place of residence can be found here: https://edpb.europa.eu/about-edpb/board/members_en
- For users in the UK – the contact information for the UK data protection regulator can be found here: https://ico.org.uk/make-a-complaint/
- For users in Switzerland – the contact information for the Swiss data protection regulator can be found here:https://www.edoeb.admin.ch/edoeb/en/home/meldeportale.html
13. Do we make updates to this notice?
In Short:
Yes, we will update this notice as necessary to stay compliant with relevant laws and as our business practices change.
We may update this privacy notice from time to time. The updated version will be indicated by the “last updated” date at the top of this page and the updated version will be effective as soon as it is publicly accessible. If we make material changes to this privacy notice, we will notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.
14. How can you contact us about this notice?
If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO), Jake McDermott, by email at [email protected], by phone at +1 415-234-3366, or by post at:
Cresta Intelligence Inc.
Jake McDermott
540 Bryant St., Suite 200
Palo Alto, CA 94301
United States
If you are a resident in Europe, we are the “data controller” of your personal information. We have appointed Cresta GmbH to be our representative in the EEA and Switzerland. You can contact Cresta GmbH by email at [email protected] or by post to:
Cresta GmbH
Max-Urich-Str. 3
Berlin, Berlin 13355
Germany