PRIVACY NOTICE
- GENERAL
- This website is operated by CybExer Technologies OÜ (“we” or “us”) that provides digital solutions and cyber security exercises (“Service”). We recognize the importance of your privacy and are committed to protecting your personal data.
- This privacy notice (“Notice”) explains the principles on how we collect and use information when you visit the website www.cybexer.com („Website“), contact us through the Website or other communication channels, the legal entity you work for or represent wants to conclude or has concluded a contract with us, submit to our partner program, request for a demo or a free trial or take any other actions on our Website, which entail us receiving and processing your personal data.
- We process your personal data as described in this Notice and in accordance with applicable legislation, including the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and the national data protection laws of the Republic of Estonia, as applicable towards the controller stated in Section 2 of this Notice.
- Please note that this Notice does not apply regarding the data which we process due to the provision of the Service. As we act as a data processor, the processing of such data is governed by the data processing agreement concluded with our client, a data controller. The data controller is responsible for such data processing and is obliged to provide you information about such data processing.
- In case you disclose any personal data regarding any third person(s) (e.g., your employee, management board member, co-worker, etc.) to us, you are obligated to refer them to this Notice.
- CONTROLLER
- For the personal data processing purposes brought out in Section 4 of this Notice, the controller of your personal data is:
CybExer Technologies OÜ
Registry code: 14013437
Address: Toompuiestee 35, 10149, Tallinn, Estonia
E-mail: info@cybexer.com
- In case of personal data protection related inquiries, please contact us by writing to: info@cybexer.com.
- CATEGORIES AND SOURCES OF PERSONAL DATA
- Personal data are information that can be used to directly or indirectly uniquely identify you as a private individual (“Personal Data”). The source of the collected Personal Data depends on how you interact with us. We may obtain and process the following categories of Personal Data:
- Main data: name, e-mail address, phone number, legal entity’s name (“Main Data”).
- Personal data are information that can be used to directly or indirectly uniquely identify you as a private individual (“Personal Data”). The source of the collected Personal Data depends on how you interact with us. We may obtain and process the following categories of Personal Data:
Source: Personal Data you directly provide to us upon submitting your information via our Website or by contacting us; or is provided to us by the legal entity you work for or represent.
- For concluding and managing contractual relationships with the legal entity you work for or represent, we process the following Personal Data: legal entity’s name, registry code and your job title (“Contract Data”).
Source: Personal Data you directly provide to us or is provided to us by the legal entity you work for or represent.
- If you interact with us via the Website, live chat or e-mails, we process the following Personal Data: Main Data, Contract Data, contents of your message. („Communication Data“).
Source: Personal Data you directly or via a data processor provide to us upon contacting us.
- Marketing data: Main Data, position. Additionally, we may supplement the Personal Data that you have provided to us directly with information that has been obtained from publicly available resources (i.e. LinkedIn, e-mail search, country specific commercial registrars) (“Marketing Data”).
Source: Information you directly provide to us and the information we have obtained from publicly available resources.
- When you use the Service, we process the following data, which may include your Personal Data: user ID, user role, action made in product, attributes to that action, error logs (“Usage Data”).
Source: While you are using the Service, the product infrastructure itself generates or automatically collects the Usage Data.
- Upon visiting the Website, our server processes the following data: IP address, access-provider, referring and exit URL, date, time, access tokens, session key, browser type and version, operating system, your navigation on the Website amount and state of transferred data (“Technical Data”).
Source: While you are browsing through the Website, the Website itself generates or collects the Technical Data from your device automatically.
- Cookie data. We implement cookies on the Website, for optimising the Website and its functionalities. The cookies may collect your Personal Data. For further information on the purposes and functions of the cookies, please see our cookie notice.
- If you do not provide the required information, we may not be able to contact you, provide our Services or fulfil any other purposes provided in Section 4 of this Notice.
- LEGAL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
- Our legal basis to process your Personal Data depends on the objective and context in which we collect the Personal Data. The following depicts a descriptive list of processing purposes that are linked to the specific data categories and legal basis for processing:
| Processing purpose | Legal basis for the processing purpose | Personal Data used for the processing purpose |
| Handling pre-contractual negotiations and communications, concluding the contract, performing the contract, and managing the contractual relationship | If the legal entity you work for or represent wishes to become or is already our client or partner and the enquiry concerns the potential or ongoing client or partnering relationship with us, the legal basis is our legitimate interest in taking and implementing pre-contractual measures or performing the contract concluded between the legal entity and us | Main Data, Contract Data, Communication Data |
| Performing the contract by delivering the purchased products (including providing you with free trial of our product), contacting you regarding the purchased products | Our legitimate interest in performing the contract concluded between the legal entity and us | Main Data, Contract Data, Communication Data |
| Providing you with an access to our demo environment | Our legitimate interest in taking pre-contractual measures of the potential contract to be concluded between the legal entity you work for or represent and us | Main Data |
| Sending you information about our Service’s updates via e-mail | Our legitimate interest in informing our clients about the Service’s updates | Main Data |
| Responding to your enquiries and requests submitted via the Website, live chat, or e-mail, including submissions regarding receiving a demo | Our legitimate interest in ensuring effective relationship management with potential clients, partners and interested parties
If the legal entity you work for or represent wishes to become or is already our client or partner and the enquiry or request is related potential or ongoing client or partnering relationship with us, the legal basis is taking and implementing the pre-contractual measures of a contract or performing the contract concluded between the legal entity and us |
Communication Data |
| Analysing your use of our products | Our legitimate interest in improving, upgrading, and enhancing our products | Usage Data |
| Gathering information about you from publicly available resources and registrars for creating client segments and for the purposes of customising the information we provide to you about our business | Our legitimate interest in promoting our business activities and ensuring effective relations management with potential clients, partners and interested parties | Marketing Data |
| Sending newsletters and other marketing information regarding our services via email | Consent given upon subscribing to our newsletter
If we have been in contact regarding our services, our legitimate interest in promoting our similar services |
Marketing Data |
| Administering newsletter subscription list | Our legitimate interest in ensuring valid legal basis for sending newsletters and recording given and withdrawn consents (subscriptions) | Marketing Data |
| Making available the basic functions of the Website and administering the Website, including gathering information about website visitor’s navigation on the Website | Our legitimate interest in providing the Website and understanding use patterns of the Website to be able to improve the Website and enhance the user experience | Technical Data |
| Diagnosing and repairing problems with the Website | Our legitimate interest in providing data security and preventing fraudulent actions related to the Website; ensuring the functioning of the Website | |
| Storing information containing Personal Data in our backup systems | Our legitimate interest in ensuring the continuity and security of data processing operations | All data categories named in Section 3.1 |
| Disclosing data to public sector authorities, supervisory and law enforcement authorities | Performance of our legal obligations | |
| Disclosing data to service providers or to co-operation partners | Our legitimate interest in utilising the information technology infrastructure and providing our services through our local co-operation partners | |
| Disclosing data to our professional advisors | Our legitimate interests in ensuring our proper economic activity | |
| Disclosing data to legal successors and/or potential acquirers of the company; arranging the sale or merger of our company and providing information for conducting the legal or other audit and the data exchange thereof | Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company | |
| Establishing, exercising, or defending legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our users’ or employees’ rights | Our legitimate interest in facilitating effective establishment, exercise, or defence of legal claims |
- We may process your Personal Data for other purposes, provided that we disclose the purposes and use to you at the relevant time, and that you either consent to the proposed use of the Personal Data, other legal grounds exist for the new processing purposes, or the new purpose is compatible with the original purpose brought out above.
- RECIPIENTS OF PERSONAL DATA AND DATA TRANSFERS
- We disclose your Personal Data to third parties only in accordance with this Notice and who have undertaken to observe confidentiality or are subject to statutory confidentiality. Your Personal Data will be disclosed to our employees who due to their tasks must process your Personal Data.
- In some cases, to fulfil our statutory or contractual obligations, or to safeguard our legitimate interests we may disclose your Personal Data to the recipients in the following categories, who process your Personal Data as separate controllers:
| Category | Purpose of disclosure |
| Public sector authorities, supervisory and law enforcement authorities | We may disclose your Personal Data to public sector authorities, supervisory or law enforcement authorities to fulfil our statutory obligation, a court order or in other cases where this is necessary to prevent and deter unlawful acts. For example: Estonian Police and Border Guard Board, Estonian Tax and Customs Board, Estonian Data Protection Inspectorate. |
| Professional advisors (bound to confidentiality; to the extent that they do not act as processors) | If necessary, we may disclose your Personal Data to professional advisors to ensure our proper economic activity. For example: auditors, legal advisors, accounting service providers. |
| Service providers and co-operation partners (to the extent that they do not act as processors) | If necessary, we may disclose your Personal Data to service providers and co-operation partners to ensure the fulfilment of contractual obligations and communication with service providers and co-operation partners and provide you with our services through our co-operation partners. For example: IT service providers. |
| Our legal successors and/or potential acquirers of the company | If necessary and required for successfully transferring our business or for the purposes of merger and/or acquisition, your Personal Data may be disclosed to the specified acquirers or legal successors and their representatives and/or financial and legal advisors. |
- In the processing of Personal Data, we may disclose Personal Data to third party service providers who act as data processors only for the performance of a contract entered into with us and who apply the required level of safeguarding measures while processing the Personal Data. These processors belong to the following categories:
| Category | Purpose of disclosure |
| IT-service providers | Your Personal Data may be accessed by IT-service providers (e.g., our back-up and storage service providers) who operate the technical infrastructure which we need to host, store, manage and maintain the daily business functions. Respective services are provided within the European Union and the USA. |
| Analytics and marketing software services providers | Your Personal Data may be accessed by analytics and marketing software services providers who provide analytical insight and marketing tools for improving daily business functions. The respective services are provided within the European Union and the USA. |
| Customer relationship management and sales software services providers | Your Personal Data may be accessed by customer relations management and sales software providers who facilitate sales and administer our interactions with clients. The respective services are provided within the European Union. |
- To ensure that our service providers adhere to adequate data protection standards, we have concluded with all service providers engaged in the processing of Personal Data on our behalf written data processing agreements. For service providers located outside the European Union or the European Economic Area (“EU/EEA”), we use safeguards (e.g., standard contractual clauses approved by the European Commission) to ensure that a level of protection of Personal Data comparable to that applicable in the EU/EEA is applied to your Personal Data. We monitor the compliance of our service providers with the above requirements. Upon your request we will make available further information on the safeguards applied.
- PERSONAL DATA RETENTION PERIOD
- We will store your Personal Data as long as reasonably necessary to attain the objectives stated in Section 4 of this Notice, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the Personal Data, we take into account the need to resolve disputes and enforce the contract between us or anonymize your Personal Data and retain this anonymized information indefinitely.
- Main Data and Contract Data relating to transactions will be stored for seven years from the beginning of the year following the financial year when the relevant Personal Data were collected.
- Your demo account (product tour) and related Personal Data shall be deleted after 60 days as of the creation of the account.
- In case the legal basis for processing your Personal Data is consent and you decide to withdraw the consent, we will stop processing Personal Data for the previously communicated purpose, however, we will retain a note regarding your withdrawal for the purposes of administering your decision and our data processing activities at least for a period of 3 and a half years.
- After the expiry of the retention period determined in accordance with Section 6 of this Notice or the termination of the legal basis for processing purpose, we may retain the materials containing the Personal Data in the backup systems, from which the corresponding materials will be deleted after the end of the backup cycle. We ensure that during the backup period appropriate safeguards are applied and the backed-up materials are put beyond the use.
- We will store your Personal Data as long as reasonably necessary to attain the objectives stated in Section 4 of this Notice, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the Personal Data, we take into account the need to resolve disputes and enforce the contract between us or anonymize your Personal Data and retain this anonymized information indefinitely.
- YOUR RIGHTS AS A DATA SUBJECT
- We have a legal obligation to ensure that your Personal Data is kept accurate and up to date. We kindly ask you to assist us to comply with this obligation by ensuring that you inform us of any changes that have to be made to any of your Personal Data that we are processing.
- You may, at any time, exercise the following rights with respect to our processing of your Personal Data:
- Right to access: you have the right to request access to any data that can be considered your Personal Data. This includes the right to be informed on whether we process your Personal Data, what Personal Data categories are being processed by us, and the purpose of our data processing;
- Right to rectification: you have the right to request that we correct any of your Personal Data if you believe that we are processing inaccurate or incomplete Personal Data;
- Right to object: you are entitled to object to certain processing of Personal Data, including for example, the processing of your Personal Data for marketing purposes or when we otherwise base our processing of your Personal Data on our legitimate interest;
- Right to restrict Personal Data processing: you have the right to request that we restrict the processing of your Personal Data if: (i) you wish to dispute the accuracy of certain Personal Data we are processing, such right applies until we have had the opportunity to satisfy ourselves of the accuracy of the Personal Data; (ii) we have been processing your Personal Data unlawfully, but you only request the restriction of the use of the Personal Data in question instead of its deletion; (iii) we no longer need the Personal Data for the original purposes of processing, but you still need such Personal Data to assert, exercise or defend against legal claims; (iv) you have objected to our processing of certain of items of your Personal Data until a determination is made whether or not your concerns are outweighed by our legitimate interests in processing your Personal Data;
- Right to erasure: you may request your Personal Data to be erased if the Personal Data is no longer necessary for the purposes for which it was collected, or if you consider that the processing is unlawful, or if you consider that the Personal Data has to be erased to enable us to comply with a legal requirement;
- Right to data portability: if your Personal Data is being automatically processed with your consent or on the basis of a mutual contractual relationship, you may request that we provide you that Personal Data in a structured, commonly used and machine-readable format. Moreover, you may request that the Personal Data is transmitted to another controller. Bear in mind that the latter can only be done if that is technically feasible;
- Right to withdraw your consent: in cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time;
- Right to contact the supervisory authority: if you are not satisfied with our response to your request in relation to Personal Data processing or you believe we are processing your Personal Data not in accordance with the law, you can submit your claim to the Estonian Data Protection Inspectorate (in Estonian Andmekaitse Inspektsioon) at info@aki.ee(https://www.aki.ee/).
- To exercise the above rights, please contact us as specified in Section 2 of this Notice. Please note that you should supply us with adequate information for us to respond to your requests concerning the rights listed in Section 2. Prior answering your request, we may ask you to provide additional information for the purposes of authenticating you and evaluating your request.
- LINKS TO OTHER WEBSITES
- Where we provide links to websites of third parties, this Notice does not apply to data processing conducted by such third parties. The content and links displayed on such websites are outside of our control, and we are not responsible for the practices of websites linked from our own Website (or linking to our Website). To find out more about how third parties process your personal data, please refer to the respective privacy notices of the other websites you visit.
- AMENDMENTS TO THIS NOTICE
- This Notice may be amended or modified from time to time to reflect changes in the way we process Personal Data and, in such case, the most recent version of the Notice will appear on this page. Please check back periodically, and especially before you provide any new personally identifiable information.
Version: 2022-1
