Concilio Labs, Inc. (“Concilio Labs”, “we”, or “us”) is committed to protecting your privacy. We have prepared this Privacy Notice to describe our practices regarding the Personal Data (as defined below) we collect from (i) each business (“Customer”) that uses Concilio Labs’ websites, mobile applications, and products (collectively, the “Products and Services”), (ii) Customer personnel (“Users”) that use the Products and Services under Customer’s account, and (iii) any visitors to Concilio Labs’ websites and mobile applications (collectively, “you”, “your”). The use of information collected shall be limited to the purpose of providing those Products and Services for which Concilio Labs’ Customers have engaged Concilio Labs.
You are deemed to use the Products and Services when you visit Concilio Labs’ website located at www.conciliolabs.com or use its applications and products, request a demonstration or submit any personal data through the website or create a Master Account or User Account for the Products and Services. Any capitalized terms not defined in this Privacy Notice will have the meanings set forth in the Concilio Labs' Terms and Conditions of Use.
Please read this Privacy Notice carefully. If you disagree with anything in this Privacy Notice you must not provide Personal Data (as further defined below) through the Products and Services. By using the Products and Services, you agree to the terms of this Privacy Notice and acknowledge and agree to the processing of your Personal Data in accordance with this Privacy Notice and further acknowledge any choices disclosed concerning the data processing activities described in this Privacy Notice. If you do not agree to our use of your Data in accordance with this Privacy Notice, you are not permitted to use our Products and Services. Your Personal Data may be processed in the country where it was collected and in other countries, including the United States, where laws regarding processing of Personal Data may be less stringent than the laws in your country. If you are a resident of a member of the European Union ("EU"), European Economic Area (“EEA”), Switzerland or the United Kingdom (“U.K.”), please see section 6(j) Transferring Personal Data from the EEA to the U.S in section 6: Residents of the European Union, European Economic Area, Switzerland & the U.K.
1. Who May Use Our Products and Services
Our Products and Services are not intended for children under the age of 18. We do not intentionally gather Personal Data about individuals who are under the age of 18.
2. The Types of Data We Collect & How We Use It
We collect Personal Data and Anonymous Data when you use our Products and Services and/or when you send us communications. “Data” means “Personal Data” and “Anonymous Data” collectively as defined below:
For purposes of this Privacy Notice, Concilio Labs adopts the definition of personal data set forth in the General Data Protection Regulation ("GDPR") at Article 4(1) which broadly defines personal data as "any information relating to an identified or identifiable person" and generally means data that allows someone to identify or contact you, including your name, address, telephone number, e-mail address, IP address, and any other non-public information about you that is associated with or linked to any of the foregoing data. This is not an exhaustive list of all types of Personal Data, but a few examples aimed at helping you understand what constitutes Personal Data. If you are from the United States, you may be accustomed to the term "personally identifiable information" or "PII" to describe personal data. For purposes of this Privacy Notice, personally identifiable information is personal data as defined in Article 4(1) of the GDPR.
For purposes of this Privacy Notice, “Anonymous Data” is data that should not identify a person or allow us to contact a specific person. Some examples of non-personal data are information about a user's computer operating system or browser, the number of users that visit our website and the pages of the website which are visited, as well as usage data as to certain features of our Products and Services that are not connected to any particular user. These are examples and not an exhaustive list of all types of non-personal data.
Where this Privacy Notice describes processing Personal Data, Concilio Labs adopts the definition of "processing" set forth under Article 4(2) of the GDPR: "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(a) Data You Provide to Us
We process Personal Data you provide to us through the Products and Services as described below.
(i) Creating a Master Account or User Account
When you create a Master Account or User Account for our Products and Services, we collect, store and otherwise process your first and last name, title, company name, username, password, email address, telephone number, and postal address to allow us to:
- Facilitate the creation of and secure your Master and/or User Account on our network;
- Identify you as a user in our system;
- Eliminate the risk of fraudulent users or fraudulent activity on our Products and Services;
- Permit you to recover or change lost or forgotten passwords;
- Send you administrative notifications, such as security or support and maintenance advisories; and
- Respond to your inquiries or other requests.
We will retain, use and otherwise process the Personal Data we collect for the purpose of creating a Master Account or User Account for as long as necessary to provide you with our Products and Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Individuals residing in any EU member state, the European Economic Area ("EEA"), Switzerland or the U.K. (collectively, “EEA Residents”) have specific rights that include the Right to Rectification and Right to Erasure under the GDPR, and which are explained in detail here in the section addressing EEA Residents.
(ii) If You Contact Us for a Demo or Products & Services Info
If you contact us for more information about our Products and Services, or to request a demonstration, we collect, store or otherwise process your name, your company, your email address, your phone number, your country and your “primary interest” to allow us to contact you and understand which Products and Services to address with you. We delete this Personal Data within thirty (30) calendar days of receiving your request. If you become a Customer, your Personal Data will be collected in the manner described in the Creating a Master Account or User Account section above.
(iii) If You Contact Us Regarding an Employment Opportunity
If you contact us regarding an employment opportunity, we will collect, store or otherwise process the Personal Data contained in your email or job application. We will store this Personal Data for the period of time while we are recruiting for the particular position to which you are applying. Once the position has been filled, the successful applicant’s job application will go on file in our Human Resources department and all other candidates job application materials will be deleted.
(b) Data Our Customers Provide to Us
(c) Cookies & How to Manage Cookies
Cookies are text files, containing small amounts of information, which are downloaded to your browsing device (such as a computer or smartphone) when you visit a website. Cookies can be recognized by the website that downloaded them — or other websites that use the same cookies. This helps websites know if the browsing device has visited them before.
You can learn more about the cookies we use in the table below:
If you choose to reject cookies, may still use the Products and Services, however your access to some functionality may be restricted and/or some of the pages may not function or appear correctly.
3. How We Disclosure Your Data
Except as described below, we do not share Personal Data you disclose directly to us through our Products and Services with third parties:
We may share your Personal Data with any company that acquires our company or our assets. That company will possess the Personal Data collected by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Notice. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
We may share your Personal Data with our subsidiaries, joint ventures, or other companies under common control, in which case we will require them to honor this Privacy Notice.
We may disclose your Personal Data if we have a good faith belief that disclosure is necessary to: (1) comply with the law or with legal process served on us or to cooperate with any legal investigation; (2) protect and defend the rights or property of us or our users; (3) act in an emergency to protect someone’s safety; or (4) investigate any violation or potential violation of the law, this Privacy Notice, the Terms & Conditions of Use, the Master Services Agreement (“MSA”) and/or Statement of Work (“SOW”) or any other agreements between you and Concilio Labs.
If you believe your Personal Data has been disclosed to us through our Customer, please consult the Privacy Notice of the Customer and/or contact them to confirm the Personal Data collected or otherwise processed. If you are a resident of a member of the European Union (“EU”), European Economic Area (“EEA”) or Switzerland, you have certain rights that include a Right of Access under the GDPR, and which are explained in detail here in the section addressing EEA Residents.
4. Your Choices Regarding Your Personal Data
(b) If you are a resident of a member of the EU, EEA, Switzerland or the U.K., you have certain rights that include a Right to Rectification and Right to Erasure under the GDPR, and which are explained in detail here in the section addressing EEA Residents.
(c) If you are a guest or end-user of one of our Customer’s and you are a resident of the EU, EEA, Switzerland or the U.K, please refer to our section addressing EEA Residents if our Customer has disclosed Concilio Labs as a Processor or Joint Controller of your personal data.
(d) We will retain your Personal Data (including the personal data we process on behalf of our Customers) for as long as your account is active or as needed to provide you services. We will retain and use your Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
5. Use and Disclosure of Anonymous Data
We have the right to use, and share with third parties, Anonymous Data for any purpose and in any manner.
6. Residents of the European Union, European Economic Area, Switzerland & U.K.
For purposes of this Privacy Notice, we define EEA Residents to include individuals residing in any European Union member state, the European Economic Area ("EEA"), Switzerland or the U.K. EEA Residents have certain rights concerning the processing of their personal data under the GDPR.
This portion of our Privacy Notice advises EEA residents of the applicable GDPR rights (referred to under the GDPR as "data subject rights") and how to effectuate these rights by communicating with us.
If you are not an EEA resident, this section of the Privacy Notice does not apply to you.
(a) Legal Basis for Processing Personal Data
Except in those cases where Concilio Labs is the data processor because it processes Data Our Customers Provide to Us, Concilio Labs is the data controller of all Personal Data collected and otherwise processed through its Products and Services. Concilio Labs has a legitimate interest in providing its users and Customers with innovative Products and Services and to communicate with its users and Customers in the circumstances described above in section 2. In providing our Products and Services, we aim to collect the minimum amount of personal data necessary to achieve these goals.
With the exception of Personal Data processed for purposes of posting testimonials displayed on our website and described further in section 9 of this Privacy Notice, the lawful basis for processing EEA resident’s personal data is the legitimate interests grounds described under Article 6(1)(f) of the GDPR. Personal Data processed for the purpose of posting testimonials is processed pursuant to consent described under Article 6(1)(a) of the GDPR.
(b) Right of Access
EEA residents have the right to obtain from Concilio Labs the confirmation as to whether or not personal data concerning him or her are being processed. EEA residents may request access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing discussed in sections 8.3—8.6 of this Privacy Notice;
- the existence of the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
- Information as to whether the personal data of an EEA resident is transferred to a third country or to an international organization and. Where this is the case, the EEA resident shall have the right to be informed of the appropriate safeguards relating to the transfer.
- This Privacy Notice advises you as to the details of the personal data Concilio Labs is processing.
- If you need additional confirmation concerning the personal data Concilio Labs is processing you may request confirmation by sending an email to DataSupport@ConcilioLabs.com with Right of Access in the subject line.
The right to access is described under Article 15 of the GDPR.
(c) Right to Rectification
EEA residents have the right to request that Concilio Labs correct or “rectify” any inaccurate personal data concerning him or her. If an EEA resident believes Concilio Labs has inaccurate or incomplete personal data, he or she may request rectification by sending an email to DataSupport@ConcilioLabs.com with Right To Rectification in the subject line. Concilio Labs will ensure any inaccurate or incomplete data is corrected within thirty (30) calendar days of receiving your email request.
The right to rectification is described under Article 16 of the GDPR.
(d) Right to Erasure (Right to be Forgotten)
EEA residents have the right to request that Concilio Labs erase/delete personal data concerning him or her without undue delay. Concilio Labs shall have the obligation to erase personal data without undue delay under the following circumstances:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The EEA resident objects to the processing pursuant to Article 21(1) of the GDPR described below, and there are no overriding legitimate grounds for the processing, or the EEA resident objects to processing personal data for direct marketing purposes which the EEA resident can terminate by following the instruction described here.
- The personal data have been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
- If one of the aforementioned circumstances applies, and an EEA resident wishes to request the erasure of personal data stored by Concilio Labs, he or she may request erasure/deletion by sending an email to DataSupport@ConcilioLabs.com with Right To Be Forgotten in the subject line. Concilio Labs will comply with the erasure/deletion request within thirty (30) calendar days of receiving your email request.
The right to erasure is described under Article 17 of the GDPR.
(e) Right of Restriction of Processing
EEA residents have the right to restrict Tripwire’s processing of personal data if one of the following circumstances applies:
- the accuracy of the personal data is contested by EEA resident, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the EEA resident opposes the erasure of the personal data and requests the restriction of their use instead;
- Tripwire no longer needs the personal data for the purposes of the processing, but the EEA resident needs the personal data for the establishment, exercise or defense of legal claims;
- the EEA resident has objected to processing pursuant to Article 21(1) of the GDR pending the verification whether the legitimate grounds of the controller override those of the data subject.
- Where processing has been restricted because the accuracy of the personal data is contested by the EEA resident, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
- Concilio Labs will inform any EEA resident who has obtained restriction of processing because the accuracy of the personal data is contested by the EEA resident before the restriction of processing is lifted.
The right to restriction of processing is described under Article 18 of the GDPR.
(f) Right to Object
EEA residents have the right to object, on grounds relating to his or her particular situation, at any time, to processing of personal data concerning him or her, which is based on Concilio Labs’ legitimate interest grounds for lawful data processing under Article 6(1)(f) of the GDPR and described throughout section 2 of this Privacy Notice.
If you are an EEA resident and object to the processing of your personal data, please notify us by sending an email to DataSupport@ConcilioLabs.com with Data Right Objects to Processing in the subject line and we will no longer process the personal data if we cannot demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise or defense of legal claims.
The right to object is described under Article 21 of the GDPR.
(g) Right to Data Portability
The right to data portability is available when the data processing activity is based on consent under Article 6(1)(a) or Article 9(2)(a) or when the data processing is necessary for the performance of a contract under Article 6(1)(b). The only Personal Data processed on the basis of consent is Personal Data processed for purposes of testimonial displayed on our website and described further in section 9 of this Privacy Notice. If you want Personal Data collected for a testimonial submitted please contact us at DataSupport@ConcilioLabs.com.
The right to data portability is described under Article 20 of the GDPR.
(h) Right to Lodge a Complaint with a Supervisory Authority
EEA residents have the right to lodge a complaint with a supervisory authority if the EEA resident believes the processing of personal data relating to him or her infringes the GDPR.
The right to lodge a complaint is described under Article 77 of the GDPR.
(i) Transferring Personal Data from the EEA to the U.S.
Concilio Labs has its headquarters in the United States. Information we collect from you will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. A finding of “adequacy” in short means that the European Commission has decided that this country outside the EEA ensures an adequate level of data protection. In instances where Concilio Labs is the data processor, it relies on Standard Contractual Clauses described in Article 28 of the GDPR to transfer Personal Data from the EEA to the U.S. In instances where Concilio Labs is the data controller in processing Personal Data of visitors to its website or Consumers, it relies on Article 49 of the GDPR as the United States has no “adequacy” decision and no other safeguards under the GDPR are in place (for example binding corporate rules on the transfer of Customer Personal Data outside the EEA). In particular, the Personal Data Concilio Labs processes and transfers to the U.S. concerns only a limited number of data subjects and either processed and transferred with your consent (testimonials) or is necessary for the purposes of the compelling legitimate interests of Concilio Labs in providing superior Products and Services to its Customers and visitors to its website in a manner that does not outweigh your rights and freedoms. Concilio Labs endeavors to apply suitable safeguards to protect the privacy and security of its Customers and website visitors Personal Data and to use it only consistent with the specific relationship with Concilio Labs and the practices described in this Privacy Notice. Concilio Labs also minimizes the risk to your rights and freedoms by not collecting or storing sensitive information about you.
If you wish to confirm that Concilio Labs is processing your personal data, or to have access to the personal data Concilio Labs may have about you, please contact us at DataSupport@ConcilioLabs.com and/or refer to The Right of Access described above.
We have commercially reasonable security measures in place to help protect against loss, misuse and alteration of your Personal Data in our possession. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, while Concilio Labs uses reasonable efforts to protect your Personal Data, Concilio Labs cannot guarantee its absolute security. If you have any questions regarding security you can contact us at Support@ConcilioLabs.com.
8. Links to Other Sites
The Products and Services may contain links to other sites that are not owned or controlled by Concilio Labs. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies only to information collected by the Services.
We receive consent to post Customer testimonials offline prior to posting them on our website. If you post a testimonial on this site, you should be aware that any Personal Data you submit there can be read, collected, or used by other visitors to our website, and could be used to send you unsolicited messages. We are not responsible for the Personal Data you choose to submit in connection with a testimonial.
If you want your testimonial removed please contact us at Marketing@ConcilioLabs.com with Remove My Testimonial in the subject line.
We may amend this Privacy Notice from time to time. If we make material changes to the Privacy Notice, we will notify you by posting a prominent notice on our website and/or sending you an e-mail at your primary email address, as specified in your Master Account or User Account. Any changes to this Privacy Notice will be effective immediately for new users of our Product and Services; otherwise these changes will be effective upon the earlier of thirty (30) calendar days following our dispatch of an e-mail notice to you or thirty (30) calendar days following our posting of a notice on our website(s) and application(s). You are responsible at all times for updating your Master Account or User Account to provide to us your most current e-mail address. If the last email address that you have provided to us is not valid, or for any reason is not capable of delivering to you the notice described above, our dispatch of the e-mail containing such notice will nonetheless constitute effective notice of the changes described in the notice. Continued use of our Services following notice of such changes shall indicate your acknowledgment of, and agreement to be bound by, such changes. Except as otherwise provided in this Section, no amendment to this Privacy Notice will be valid.
11. Contact Concilio Labs.
8000 Westpark Drive, Suite 620, McLean, VA 22102
Last modified: May 2018