Last modified: December 10, 2021
Nonetheless, we are careful to comply with applicable privacy laws. While very little personal data is collected from residents of the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”) at present, we recognize that this may change over time, so we have adopted principles that reflect the requirements of the European laws generally referred to as the General Data Protection Regulation (“GDPR”), and post-Brexit to the UK’s version of GDPR, generally referred to as “UK-GDPR.” In addition, while we are not yet subject to California’s privacy law applicable to California residents(“CCPA”) we nonetheless follow procedures that adhere to that legislation as well with regard to your privacy rights. Toward the bottom of this Policy, we will enumerate the rights we afford to European residents whose personal data may be processed by us.
While the CCPA is intended to apply to all natural persons who are California residents, we have opted to extend the stringent California standards to all US users of the Site. You have the right to know and access what personal data we collect about you, where it was obtained/sourced and the purposes for which such information will be used, the categories of personal information that were collected in the twelve months preceding your request, and what categories of personal data were sold or disclosed for business purposes (although we do not sell your personal data), and to whom, in the 12-months preceding such a request for your information. Please review the “CCPA” section of this Policy below.
Personal Data We Collect: Basis for Collection, and Targets for Disclosure.
Most of the personal data we collect from you is obtained in the following ways: (1) Site visitors: personal data that you choose to provide to us during your use of certain areas of the Site, in order to download or obtain information from the Site, or in connection with your subsequent activities related to the Site, such as when you choose to subscribe to newsletters; (2) Contact information: Customer information, vendor information and similar contact information: personal data, mostly necessary contact information, that we get from Customers, vendors and their personnel via email, often stored in our email system on computers, or that is placed into contracts with Customers and vendors; (3) Analytics information: personal data we get from Google Analytics to enhance the Site experience and possibly use for promotional purposes, virtually all of it collected only in aggregate and/or anonymized manner. More specifically, we collect the following personal data from the sources listed below, and disclose it to the third parties listed below:
a. If you visit the Site and respond to one of the opportunities to obtain materials from us, e.g., to download a brochure, white paper or report, or to try the Promethium service for free, or to schedule a demonstration, or to make a sales inquiry you are asked to provide the following personal data for everything but the demonstration or sales inquiry: first name, last name and email address. If you wish to schedule a demonstration or make a sales inquiry, in addition to the personal data listed in the previous sentence, you are also asked to provide job title, company name, and phone number. This personal data is stored with a secure third-party service such as MailChimp or Wix, and is used to communicate with you about our company and products, and to fulfill your requests for information or for a product demonstration. You have the right to unsubscribe or opt out at any time (for residents of EEA, Switzerland and the UK, see GDPR-related sections below).
b. Contact information from Customers and vendors (and other business-related third parties): As mentioned, personal data from our business contacts, are mostly provided via exchange of emails, and stored in our email system. Other personal data may be found in contracts between the parties. Most personal data of this nature includes first name, last name and email address. Sometimes it includes physical address, telephone number(s) and job title.
c. Customer data and other personal information: CRM-type information, which may include personal data, is stored in Salesforce. There is a contractual basis and/or legitimate interests basis for collecting this personal data. A contest or survey could be a promotional use requiring opt-in. This data is not disclosed to any third parties.
d. The only personal data obtained by Promethium from use by Customers of its data solution/service is first name, last name and email address (required of all users). While a user of the Promethium software platform would log into Promethium using SSO and entering his or her user name and password, this information is maintained encrypted in Amazon Web Services, and we cannot access it.
e. Promethium does not track visitors to its Site, and therefore does not use nonessential cookies. Consequently, there is no need to seek opt-in consent under applicable law.
f. We do not knowingly collect personal data from users under the age of 13, nor is our service of interest to any minors. If we are made aware of that we have such personal information, we will take reasonable steps to delete that information. While consumers under 16 must opt-in to any sale of their personal data under the CCPA, we do not sell personal information.
Additional Information on Personal Data that We Collect and How We Use It.
• We do not sell your personal data or data to third parties, and except for the data collected in aggregate, anonymized or de-identified form, we do not disclose data to third parties unless we have informed you, been authorized by you as necessary based on applicable law, or are required to disclose such data by law.
• No Sensitive Information. In connection with the Site, we do not collect any “sensitive personal information” or “sensitive personal data” as defined by applicable law, such as financial or health data about individuals. We do not process or hold credit or debit card information, we cannot access such information, nor do we see it or store it; such data is provided to our third-party payment processor, and such third party fully complies with all of the data security required to collect and store sensitive personal information. With respect to human resources personal data, we only have employees in the United States.
• Targeted Information. If we engage a service to provide targeted ads or data, it will not associate a cookie or anonymous identifier with sensitive personal categories, such as those based on race, religion, health or sexual orientation.
Data Subject Rights for Residents of the EEA, Switzerland and the UK: Compliance.
If we process any personal data from residents of the EEA, Switzerland or the UK, please see the paragraphs below for relevant details.
b. Legal Basis of Processing.
II. Promethium also may have legitimate interests under Article 6(1)(f) of the GDPR with respect to certain situations where Promethium needs to process your personal data to comply with applicable law (for example, we are required to comply with California law, where we are based), provide adequate customer service, or improve our products and services. In these cases, we will ensure that your privacy and other fundamental interests do not override our legitimate interests.
III. Finally, if Promethium determines that it wants to target ads to you based on the limited personal information provided on the Site, we would seek your opt-in consent first. At this time, we do not knowingly collect any personal data from EEA, Swiss or UK residents.
c. Personal Data Transfers outside the EEA/UK. It is possible that some of your personal data would be transferred to servers in the United States, which may not provide adequate data protection according to the European Commission. For example, SSO data is located in Amazon Web Services data centers, subject to a high degree of security and protection. Other personal data is maintained by well-known service providers such as Salesforce for CRM data. In the event that Promethium enters into Customer contracts in the EEA, Switzerland or the UK, Promethium would enter into appropriate data transfer agreements based on language approved by the European Commission pursuant to GDPR Art. 46(5), generally the Standard Contractual Clauses, implementing appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction, alteration, loss, unauthorized disclosure or access, and other unauthorized or unlawful processing; and taking other measures to provide an adequate level of protection in accordance with applicable law. Any onward transfer would be subject to onward transfer requirement per applicable law.
d. Data Retention. Promethium keeps personal data for as long as required to meet our obligations to you, often contractual requirements, and to comply with applicable law. For example, if you register with Promethium on the Site for a newsletter, brochure, free use of the service or a demonstration, we retain your personal data for as long as we believe you may be actively interested in our services, and thereafter for as long as required for us to comply with applicable law, fulfill our contractual obligations to you or defend our legal interests in connection with any claim or action we might face before a dispute resolution body. We take commercially reasonable measures to ensure that personal data is deleted, erased or anonymized as soon as possible once the purposes for which such data was collected have been fulfilled.
e. Data Subject Rights. You have a right to request from Promethium access to and rectification, updating or erasure of your personal data. You also have the right to request the restriction of processing concerning you, in which case such personal data would be marked and processed by us only for certain purposes. We will not charge a fee for this, provided the request is not excessive or unreasonable. In addition, you have the right to data portability, which allows you to receive from us personal data about you which you have provided to us in a structured, commonly used and machine-readable format, such as a CSV file. We will do this free of charge. If it is technically feasible, you can request that we transmit the personal data directly to another organization, rather than to you. We will respond to the request within 30 days, unless the request is complex or you send us multiple requests, in which case we can extend our response by another 2 months upon notice to you.
You also have the right to object to various data processing activities, including processing activities that are based exclusively on your consent or processing for the purposes of direct marketing. You can exercise such rights by accessing the information in your account and/or by emailing us at email@example.com. Please note that these rights may be subject to limitations and conditions under the GDPR or applicable national data protection laws.
If our collection of personal data from you has been based on obtaining your consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. You have the right to lodge a complaint with a supervisory authority in the EEA, Switzerland or the UK, as applicable.
We may choose not to fulfill any request that we determine is illegal or incorrect, where we need to maintain the personal data because of our contractual or legal obligations (e.g., personal data in case files), where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated, but our intention is to comply with opt-out requests, and other requests that seek to correct, update or delete your personal data , as fully as possible in accordance with applicable law. You will also be given notice should we use your personal data for a purpose other than that for which it was originally collected or processed. We do not ask for, collect or knowingly receive sensitive personal data, i.e., personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious beliefs, or information relating to sex life.
f. Profiling. Promethium does not, and the Promethium SaaS services do not, engage in profiling as defined in Art. 4(4) of GDPR; that is, we do not engage in “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person.”
Data Subject Rights under CCPA: Correcting or Deleting Your Information and Opting Out.
• If you are a natural person, you have the right to request that we give you access and/or delete your personal information under CCPA (called “personal information” rather than “personal data” under CCPA), which is basically any information that could be used to identify you, such as name, address, telephone, email address that we might collect as we have indicated above. To exercise your right to access your personal information, you must send us a verifiable consumer request (“VCR”). Once received, we will disclose and deliver, free of charge to you, the personal information that we hold about you. We will deliver this information by mail or electronically, in the latter case it shall be in a portable and if technically feasible, readily useable format so that you can re-transmit this information to another entity without problem. We will deliver this information within 45 days of receiving a verifiable request from you, and if reasonably necessary, we can extend this for an additional 45 days if we provide you notice of the extension. Our disclosure will cover the 12-month period preceding receipt of your VCR, and if you maintain an account with Promethium, we will deliver the disclosure through your account, or by mail or electronically at your option if you have no account with us. This is an obligation we have no more than twice in any 12-month period. We are not required to maintain your personal information from a single, one-time transaction.
• To exercise your right to have your personal information deleted, you must send us a VCR to this effect. Once you request deletion, we shall delete your personal information from our records, and direct any service provider who has obtained your personal information from us also to delete such personal information from its records. However, we are NOT required to delete your personal information if we need it to (i) complete the transaction or sale for which the personal information was provided or otherwise perform a contract; (ii) detect security incidents, or protect against malicious or fraudulent or other harmful activity; (iii) debug to identify and repair errors that impair intended functionality; (iv) exercise free speech or ensure the right of another consumer to exercise free speech as provided by law; (v) comply with the California Electric Communications Privacy Act per Chapter 3.6 thereof; (vi) engage in public or peer-reviewed scientific, historical or statistical research in the public interest in accordance with applicable ethics and privacy laws if to delete would likely impair or render impossible the achievement of the research; (vii) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the business relationship; (viii) comply with a legal obligation; (ix) otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.
• If we sell your personal information to third parties, we must inform you that your personal information may be sold, and then you have the right opt out of the sale of your personal information. However, we do not sell personal information.
• To contact us, you can use the Contact Information set forth below.
• In addition, with respect to our newsletter, upon your request we will remove your personal information from our data base or permit you to opt-out of further communication of this nature if you simply send an email to firstname.lastname@example.org, and place the word “REMOVE” in the subject field.
• We will not discriminate against you or any consumer for exercising any of your consumer privacy rights under the CCPA , which includes but is not limited to: (i) Denying goods or services to the consumer; (ii) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights set forth in Section 5 above; or (iv) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
• Promethium uses current industry standard technology and security procedures to maintain the confidentiality and accuracy of the personal information/data that you provide to us or we obtain and to prevent against its loss or misuse.
• Moreover, this Site is hosted by Wix, which uses Amazon Web Services data centers, which maintains state-of-the-art security throughout its global data centers, with restricted access.
• Although no data transmission over the Internet can be guaranteed to be 100% secure, and despite the care we exercise to provide a secure transmission, we cannot guarantee that the personal data you submit to us will be free from unauthorized third- party intrusion. You therefore understand and agree that all information you submit to Promethium or post on the Site is done at your own risk.
In the event that we believe that there has been a security breach involving your personal data, we would endeavor to notify you promptly in accordance with applicable law. In the event such notification is appropriate under the circumstances, we would first try to notify you at the latest email address we have for you on record, subject to legal requirements.
Changes and Updates.
Or you can correspond with us by regular mail at:
101 Jefferson Road, Suite 236
Menlo Park, CA 94025 USA