Privacy & cookie policy

This privacy notice applies to websites, products and services offered by castLabs. We process your personal data in the scope of delivering services to you and this document clarifies how and why this processing takes place as required by GDPR Art.13. castLabs, we, our, and us refers to castLabs GmbH and castLabs Inc.

It describes what personal data is collected from you when you are in contact with us as service users, service providers, website visitors, suppliers and trade show visitors.

The data controller providing this policy is Castlabs GmbH. It can be reached by post (Wilhelmine-Gemberg-Weg 5-7, 10179 Berlin, Germany) or by email at data_protection@castlabs.com.

castLabs GmbH has appointed a data protection officer who can also be contacted independently: Silvan Jongerius (TechGDPR DPC GmbH, Heinrich-Roller Str. 15, 10405 Berlin, Germany) castlabs.dpo@techgdpr.com.

This policy clarifies:

  1. What personal data is collected and what are the purposes pursued depending on whether you are
    a) a service account user
    – a user of our central services registered on our portal
    – a standalone user of our PRESTOplay SDK
    – a standalone user of our DRMtoday
    – a standalone user of our Video Toolkit
    b) a website visitor
    c) leads and interested parties
    d) a newsletter subscriber
    e) a third party service provider or contractor
  2. How you may exercise your rights under the GDPR
  3. What cookies we use on our website and set on the device you use to visit it
  4. How we handle the international transfers of personal data
  5. We also offer information on how to contact us and how we update this policy.

Glossary:

  • Customers: Account holders of castLabs services who create an account to download and integrate our products to their solutions.
  • End users: Consumers of media who have a service agreement with castLabs customers.
  • Resellers: An organization that purchases castLabs products and/or services for distribution and sale to their own customers.
  • Services: Products and services offered by castLabs. These include PRESTOplay, DRMtoday, and Video Toolkit.

1. Personal data collected and purposes pursued

In this section, we clarify what data we process from you and for what purposes.

Each table is dedicated to a specific groupof people who interact with our services (data subject categories).

Each table outlines:

  • The processing activity in which your personal data is processed and the data subject categories,
  • What data is being processed,
  • What purpose it serves for us to do so and the legal base relied on to legitimize this processing,
  • What retention we apply (how long this data is kept to these purposes).

1.a Service account users

(Typically, with access to DRMtoday, Video Toolkit, or Content Portal)

Processing activity & (data subject categories)

Data points

Purpose
& (legal base)

Retention period

Available rights

Authenticating users

Email (login) & password pair

Allows castLabs’central services to authenticate a customer (organizations, users and their relations) and log their user access to services via the API or front-end. This serves integrity and security purposes to our services.

(Legitimate interest GDPR Art.6.1.f)

1 hour

The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority. More details are available below.

Account administration

Email (login), password & 2FA

Allows castLabs to offer account management options such as managing notifications, resetting password, setting upMFA, editing account details or closing the account.


(Performance of a contract GDPR Art.6.1.b)

Duration of the contract

Accessing a purchased product or a product trial

Allows castLabs to provide the user with transactional email notifications around the management of the account.

Performance of a contract GDPR Art.6.1.b)

Duration of the contract/trial

Reporting on account or trial use

Allows castLabs to provide the user, product teams and finance with metrics on current and projected service use and billing. It also allows castLabs to send transactional emails to that effect.

Performance of a contract GDPR Art.6.1.b)

Duration of the contract/trial + 12 months

Setting options
(portal configuration)

Allows castLabs to offer a highly configurable account management environment with functionalities that include

viewing logging/debugging data, viewing statuspage information for all products, getting notified when the operation status of products change or is planned to change, configuring the side navigation pane for increased usability.

Performance of a contract GDPR Art.6.1.b)

Duration of the contract

Providing free trials

Mandatory contact form fields:

Company name, website, 1st name, last name, company email, country, expected monthly users

Optional:

Streaming formats used, encoders/packagers used, video players used, Streaming use cases, free text comments, how the person heard about castLabs, Recaptcha, devices customer wants to reach, content processing needs

Allows castLabs to address user queries. Allows castLabs to set upa user's free trial.

(Legitimate interest GDPR art.6.1.f)

Duration of the contract or trial

Providing resources
via the Downloads Portal

(customer employees)

User (email / pw)

Session cookie (Ipaddresses are not logged, no user-agent logs)

UUID (Universally Unified Identifier randomly generated, with validity/expiry time)

User activity table: customer emails (customer is top-level ID), customer the user belongs to, package (ex. PRESTOplay for iOS), version date/time

Allows castLabs to make resources available to customer organizations (SDKs, …).

(Performance of a contract GDPR Art.6.1.b)

Duration of the contract

Providing resources
via the Video Toolkit site

(customer employees)

IP

Allows castLabs to identify from where the request came from.

(Legitimate interest GDPR art.6.1.f)

30 days

Providing resources via Content Portal
(customer employees)

Name, Last Name, Email, Username, Country

Allows castLabs to make resources available to customers

(Performance of a contract GDPR Art.6.1.b)

Indefinitely *

Monitoring usage

Mandatory for every view:

ISO timestampof initialization, castlabs customer id, product SDK version, license_key_id.

Depending on the contract (can be enforced by the license and may be required for billing):

user_id – unique user id identifying customer's customers, device_id – unique device id identifying customer's customers devices.

Optional if available upon SDK initialization:

device brand which initialized our SDK, device model which initialized our SDK, OS family of the operating system that runs on the device initializing our SDK, OS version of the operating system that runs on the device initializing our SDK, browser family (applicable to browser SDK) browser version (applicable to browser SDK), is_live – was the content live, content_type – content type of the playback (e.g. mp4) asset_id – customers assed id, session_id – customers session id, drm_backend – if DRM was used which backend it was using (DRMtoday, none, …), drm_cdm – CDM used, drm_security_level – DRM security level, drm_offline – was it an offline DRM playback, plugins – what kind of plugins were enabled, drm_latency – time to obtain DRM license, drm_ip- ip from which the DRM request came from.

Allows castLabs to monitor usage and gather data required for billing.

(Legitimate interest GDPR art.6.1.f)

1 year

Improving usability of the websites

Anonymised user Ipaddress 2 byte(s): 999.999.XXX.XXX, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (i.e. page URL), URL of the page that was viewed prior to the current page (i.e. referer URL), viewing and clicking on content, including files downloaded, links to an outside domain that were clicked (i.e. outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used, user agent of the browser being used (User-Agent header for browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model), custom dimensions & screen resolution being used, custom variables, marketing campaigns, site search terms used (if used), conversion goals, events tracked, form interactions, media interactions (video and audio)

Allows castLabs to better understand how the website is used to optimize its design.

(Legitimate interest GDPR Art.6.1.f)

25 months

Maintaining operational error logs

Remote address, remote user, local time, request URL, status, bytes sent, referrer, user agent, x-forwarded-to header

Allows castLabs to deliver traces of activity to satisfy partner security requests.

(legitimate interest GDPR Art.6.1.f)

2 years

Creating a customer in SAP and processing order forms from sales

(customer representatives)

Name, address, email, VAT ID, payment terms, order item, item price, item discount (if applicable)

Allows castLabs to enter relevant data involved in invoicing organizations.


(legitimate interest GDPR Art. 6.1.f)

10 years

Bookkeeping

(customer account managers)

Name, invoicing address, delivery address, email, VAT ID, payment terms, country, customer #, products purchased, due date, castLabs bank information

Allows castLabs to fulfill its legal obligation to retain data pertaining to financial transactions.

(legal obligation GDPR Art. 6.1.c)

10 years

Collecting payments from customers

Bank statements

Allow castLabs to ensure that payments are made and trigger a dunning run where necessary.

(legal obligation GDPR Art. 6.1.c)

10 years

* We are currently working to decrease that number and aggregate the data.

1.b Website visitors (castlabs.com)

Processing activity & (data subject categories)

Data points

Purpose
& (legal base)

Retention period

Available rights

Logging and maintaining server access log files

Operating system, browser, IP, timestamp, URL, country

Allows castLabs to investigate and clear occasional suspicion of security risks on pages delivering publicly available information.

(legitimate interest GDPR Art. 6.1.f)

1 month

The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority. More details are available below.

Responding to queries

(leads)

Email, name, timestamp, and message payload

Allows castLabs to offer support and address client queries.

(legitimate interest GDPR Art. 6.1.f)

12 months

Improving usability of the websites

Anonymised user Ipaddress 2 byte(s): 999.999.XXX.XXX, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (i.e. page URL), URL of the page that was viewed prior to the current page (i.e. referer URL), viewing and clicking on content, including files downloaded, links to an outside domain that were clicked (i.e. outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used, user agent of the browser being used (User-Agent header for browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model), custom dimensions & screen resolution being used, custom variables, marketing campaigns, site search terms used (if used), conversion goals, events tracked, form interactions, media interactions (video and audio)

Allows castLabs to better understand how the website is used to optimize its design.

(legitimate interest GDPR Art. 6.1.f)

25 months

For more information, please see our Website cookies

1.c Leads and interested parties

Processing activity & (data subject categories)

Data points

Purpose
& (legal base)

Retention period

Available rights

Hosting webinars

(interested parties + customers)

Registrant’s email, first/last name, company, job title, country, and other data voluntarily shared, as well as marketing email opt-in choice

Allows castLabs to host remote events to help promote product features and keep the user community engaged.

(legitimate interest GDPR, Art.6.1.f)

12 months

The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority.

More details are available below.

Integrate webinar registrants into CRM

(interested parties + customers)

Registrant’s email, first/last name, company, job title, country, as well as marketing email opt-in choice

Allow castLabs to integrate webinar registrants information into CRM

12 months

Make available VOD asset after the webinar

(interested parties + customers)

Email address

Allow castLabs to send the webinar video to all people who registered to the webinar

12 months

Scanning badges, collecting leads, and reaching out to partners and leads after an event

(event attendees)

Captured date, first name, last name, title, company, company address, email, phone, website

Allows castLabs to create a list of interested parties and further engage in commercial talks.

(legitimate interest GDPR Art.6.1.f)

12 months

Collecting leads information and reaching out to them after they complete a website form

(interested parties)

Email, first name, last name, title, company, country

Allows castLabs to communicate to interested parties for relevant commercial discussions.

(legitimate interest GDPR Art.6.1.f)

12 months

Placing a meeting request

(interested parties)

Name, company email address, company, company website, user submitted information (on contact forms), castLab products of interest, brief overview of existing infrastructure, Recaptcha proof of humanity

Allows castLabs to get in touch with requesters at an upcoming event.

(legitimate interest GDPR Art.6.1.f)

24 months

Responding to customer queries

(‘Technical consulting’ customer interest form)

(Widevine 3PL certification customer interest form)

Technical consulting:
Required fields: Company name, name, company email
Optional fields: Website, phone, overview of their existing infrastructure, other requirements, requests, or questions

Widevine 3PL certification:
Required fields: Company name, website, user’s name, user’s email, user’s country
Optional fields: Phone, job title

Allows castLabs to get in touch with interested parties placing queries on castLabswebsite forms.

(legitimate interest GDPR Art.6.1.f)

24 months

Preventing spamming

See table below: Newsletter

Sending out marketing communication

(registered recipients)

See table below: Newsletter

Understanding website use (through site analytics)


Anonymised user Ipaddress, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (page URL), URL of the page that was viewed prior to the current page (referrer URL), screen resolution being used, content viewing and links clicked, files downloaded, clicked links to an outside domain (outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used (accept-Language header), user agent of the browser being used (User-Agent header), site search, form interactions, media interactions

Allows castLabs to better understand visitors of the public webpages and help improve visitor experience.

(legitimate interest GDPR Art.6.1.f)

25 months

1.d Newsletter subscribers

Processing activity & (data subject categories)

Data points

Purpose
& (legal base)

Retention period

Available rights

Sending out marketing communication

Email address

Allows castLabs to promote its products and offerings.

(consent GDPR Art.6.1.a)

Until user unsubscribes

The rights of access, rectification, erasure, restriction, the right to object (i.e. revoke consent), the right to data portability and the right to lodge a complaint with a supervisory authority. More details are available below.

Preventing spamming
(Making use of Recaptcha at newsletter registration)

IP address, referrer URL, operating system, cookies, mouse, movements/keyboard strokes, length of pauses between actions, device settings (e.g. language or location)

Allows castLabs to ensure that only a natural/legal person registers to the newsletter rather than a bot.


(legitimate interest GDPR Art.6.1.f)

19 years by Google

1.e Third-party service providers or contractors *

Processing activity & (data subject categories)

Data points

Purpose
& (legal base)

Retention period

Available rights

Invoicing suppliers and contractors

Supplier name, address, bank details, payment terms

Allows castLabs to track the fulfillment of service and submit a payment order.

(Performance of a contract – GDPR Art.6.1.b)

10 years

The rights of access, rectification, erasure, restriction, the right to data portability and the right to lodge a complaint with a supervisory authority. More details are available below.

Delivering payment to suppliers

Amount payable to supplier, supplier invoice number, IBAN and Swift BIC

Allows castLabs to transfer funds to external suppliers.
(Performance of a contract – GDPR Art.6.1.b)

1 week (for payment processing)

Archiving records of payment

castLabs IBAN, name of the recipient, IBAN of recipient, purpose of transaction

Allows castLabs to maintain records of supplier financial transactions.
(Legal obligation – GDPR Art.6.1.c)

10 years

The rights of access, rectification, erasure once the required retention has expired, restriction, and the right to lodge a complaint with a supervisory authority.

More details are available below.

Hiring process

First Name, Last Name, Email, Phone, Linkedin Profile, Website, Skills (languages, programming, …), job experience, education information (school, university, discipline), freelancer willingness

Assessing applicants suitability

(Consent – GDPR Art. 6.1.a)

1 year

The rights of access, rectification, erasure once the required retention has expired, restriction, and the right to lodge a complaint with a supervisory authority.

More details are available below.

* Note for third party providers and contractors: While this table outlines how castLabs handles your personal data in the scope of the activities rendered for castLabs (GDPR Art.13) it does not in any way cover or preclude your contractual and statutory obligations with regards to data protection and the secure handling of castLabs customer data (GDPR Art.28, 32-36). The latter is outlined in the Data Processing Agreement you have executed with castLabs.

Matomo Analytics

Matomo cookies

We may use Matomo Analytics across our websites to analyze how our site is used to helpimprove it. When it is used, we collect anonymous visitor usage analytics without cookies, by default. Upon visiting one of our websites, we display a cookie banner providing an option to opt in to use third party Matomo usage analytics cookies.

  • If you choose to accept these cookies via the banner, then you will be helping us understand better how our site is used in order to improve it. If afterwards you wish to opt out of these cookies, you can press the button below. A functional first-party cookie will be created to remember your choice.

    Click here to opt out of analytics cookies

  • If you choose to decline these cookies via the banner, then Matomo cookies will not be used while you use our site. A functional first-party cookie is created to remember your choice.
  • If you perform no action with the cookie banner, Matomo cookies will continue to not be used while you use our site.

Opting in or out of analytics

You may choose to prevent our websites from aggregating and analyzing the actions you take while using them. Doing so will increase your privacy, but will also prevent us from learning from your actions and creating a better experience for you and other users. Opting out will create a cookie used to remember that data collected for analytics should be avoided. This is in line with the French data protection authority (CNIL) supported implementation of Matomo Analytics. This implementation allows us to collect user data anonymously. In any case, the anonymisation and the resulting anonymous site usage data is processed and stored within the EU. Aggregated (statistics) data does not lead back to an individual.

Additionally to the above, we may use your information in legal claims and compliance/regulatory/audit processes where required by law, or where we believe it is required to protect our legal rights and interests. We may also disclose your information in connection with the acquisition, merger, or sale of one of our business units. Should this happen, we would inform you of the intended data sharing and provide you with the opportunity to object ahead of time.

Data belonging to children

Our products and services are not intended for individuals under the age of 16. We do not knowingly or intentionally collect personal information from that demographic and if we become aware that someone under the age of 16 has provided us with personal information we will remove their data from our systems.


2. Exercising data subject rights under the GDPR

How to access your information (right of access)

You have the right to request a copy of the information we hold about you. To do so, please send an email to data_protection@castlabs.com requesting access to your information.

How to update your information (right to rectification)

You have the right to update the information we hold about you. To do so please send an email to data_protection@castlabs.com with instructions on what you would like rectified.

How to withdraw from communications (right to object to marketing communication)

You may withdraw consent from our marketing communications, including our newsletter, by clicking the unsubscribe link in the emails you receive. You may also email data_protection@castlabs.com to request to be removed from communications.
You may however not withdraw from our service communication updates as these are intended to provide you with timely or critical information regarding system updates. This communication and use of your contact details takes place under the performance of our contract.

How to request to port your data (right to data portability)

Data portability allows you to obtain your personally identifiable information in a format which you can move between service providers. Data portability requests may apply to some of your information, but not all, depending on the data’s specific circumstances. Upon request by emailing data_protection@castlabs.com, we will provide you with relevant personally identifiable information in an electronic format.

Notable exceptions to the exercise of data subject rights

Note that none of the following rights can be exercised if castLabs cannot identify you. Likewise, deletion requests cannot be performed where data is processed under Art.6.1.b performance of a contract and that contract happens to be running. Should castLabs have reason to believe the data it holds may helpin the preparation, defense or exercise of a legal claim, we will also not be able to act on a deletion or rectification request.

Castlabs will also provide an explanation as to which rights cannot be performed. castLabs may refuse to process requests that are unreasonably duplicated, require disproportionate technical efforts, jeopardize the confidentiality of other users, requests which are extremely impractical, or otherwise not required by law. The exercise of your rights, when they are not repetitive and unreasonable, is not subject to a fee.

Right to lodge a complaint

We encourage you to contact us at data_protection@castlabs.com if you have a privacy related concern. You can also contact our data protection officer.
Should we fail to respond to your request on one of the above rights within 30 days or if you deem our response unsatisfactory, you have the right to lodge a complaint about the improper processing/usage of your personal data by us with our supervisory authority:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

An der Urania 4-10

10787 Berlin

http://www.datenschutz-berlin.de

Alternatively, you can contact the data protection authority of your choice.


3. Website cookies

First-party cookies

We implement and control these cookies ourselves on our website domains (castlabs.com, drmtoday.com, and portal.content.castlabs.com).

Name

Description and purpose

Expiration

Where it’s used

cl_banner_nok

A functional cookie used to remember if you chose to opt in or out of usage analytics cookies via the cookie banner.

13 months

.castlabs.com

cl:console:session

User portal session cookie.

Session

User portal

cl:console:session:expires

User portal session expiration cookie that is used to indicate when to perform a token refresh operation.

Session

User portal

Third-party cookies

We implement cookies provided by the following third parties.

Name

Description and purpose

Expiration

Where it’s used

cognito

Amazon Cognito session cookie.

Session

Login portal

Content portal

mtm_cookie_consent

This allows Matomo to remember that consent for storing and using cookies was given by the user. This cookie is created when you accept the cookie banner.

13 months

.castlabs.com

sessionid

AWS cookies used to identify the user’s session necessary for form submissions.

2 weeks

Our software Download Portal

Our Video Toolkit Portal

csrftoken

A security token from AWS to prevent cross-site request forgery and maintain optimal service and user security.

1 year

Our software Download Portal

XSRF-TOKEN

This is an encrypted cookie to prevent CSRF attacks and maintain optimal service and user security.

Session

Login portal
Content portal

csrf-state

Part of Amazon Cognito OAuth.

Session

Content portal

csrf-state-legacy

Part of Amazon Cognito OAuth.

Session

Content portal

_pk_ref

Used with Matomo to store the attribution information the referrer initially used to visit the site.

6 months

.castlabs.com

_pk_cvar

Short lived Matomo cookie used to temporarily store data for the visit.

30 minutes

.castlabs.com

_pk_id

Used with Matomo to store a few details about the user such as the unique visitor ID.

13 months

.castlabs.com

_pk_ses

Short lived Matomo cookie used to temporarily store data for the visit.

30 minutes

.castlabs.com

mtm_consent

This cookie allows Matomo to remember that consent was given by the user.

13 months

.castlabs.com

mtm_consent_removed

This cookie allows Matomo to remember that consent was removed by the user.

30 years

.castlabs.com

matomo_ignore

Allows Matomo to exclude usage analytics for a visitor/user (opt-out). This cookie does not contain personal information or any ID and the cookie value is the same for all visitors/users.

30 years

.castlabs.com

matomo_sessid

(essential cookie which does not contain data used to identify users)

This nonce allows Matomo to prevent CSRF security issues and is triggered when the opt out feature is used.

14 days

.castlabs.com

AWSELBCORS

Part of Amazon load balancing functionality.

1 week

Our Video Toolkit portal

AWSELB

Part of Amazon load balancing functionality. Used to map the session to an instance.

1 week

Our Video Toolkit portal

Local storage (JavaScript storage API) cookies

Name

Description and security purpose

Expiration

Where it’s used

amznfbgid

Used to uniquely identify a browser

Until user authenticates

Content portal

Amazon.AWS.Cognito.ContextData.LS_UBID

Used to uniquely identify a browser

id_token

JSON web token (JWT) that contains information about the user’s identity (Name, Surname, Username, Email) and is used for authentication.

Session

access_token

JSON web token (JWT) that contains the username and is used for authorizing API operations in the context of the user in the user pool.

nonce

OAuth Token used to secure against replay attacks.

id_token_expires_at

Expiration date of the id_token

expires_at

Expiration date of the access token

access_token_stored_at

Extracted from the id_token. It’s stored there to provide a shortcut to data from the id_token

id_token_stored_at

Internal marker that is set to the time the id_token was acquired

id_token_claims_obj

Extracted from the id_token. It’s stored there to provide a shortcut to data from the id_token

PKCE_verifier

OAuth Token

Proof Key for Code Exchange is a security key for preventing malicious attacks by securely performing code authorization flow.

session_state

Indicates the End-User's login state.

refresh_token

OAuth Token
Used to retrieve new ID and access tokens.

Until session ends or 30 days

ng2Idle.main.idling

Angular verification of user’s activity that tracks when the user is idle (security)

Until new login

ng2Idle.main.expiry


4. Data transfers

Note that we do not sell, trade, or rent personal identification information of users of our products and services to others. We only provide access to data you entrust us to our trusted sub-processors and ensure we have the appropriate required documentation to do so, including service contracts, data protection agreements and standard contractual clauses for out-of-EU transfers. We are currently performing an international transfer assessment to determine whether supplementary measures required in the wake of the EUCJ Schrems II decision are required.

Transfers within castLabs GmbH & castLabs Inc.

Information is regularly shared internally with our staff around the world between our two business units: castLabs GmbH, located in Germany and castLabs Inc, located in the US. Our worldwide business requires information to be periodically transferred outside of where data is stored for access in countries where we operate (for example, by our staff on a need-to-know basis and under strict security measures) for the purposes detailed in this policy.
We use HTTPS encryption for data transmission where available to prevent interception of data across networks.

Site visitor analytics

Through the EU-based cloud use of Matomo Analytics, the implementation of which followed strict CNIL (Commission Nationale de l'Informatique et des Libertés) guidance, we do not share identifiable visitor data outside of the EU.

International data transfers

Over the course of our processing, your data may remain in the EU or be transferred internationally. For details, please refer to the processing activity of interest below.

Category of processor involved

contracting entity

location of the processing

International transfer instrument relied on

Authentication service

Luxembourg

EU

None needed

Invoicing and finance

Germany

Germany

None needed

Cloud hosting provider

Luxembourg

EU

SCCs

Usage analytics for website visitor activity

New Zealand

Germany and Ireland (backup)

None needed

CRM

Germany

US
(migration to EU pending)

SSCs

Web hosting

Spain

Netherlands

SSCs

Ticketing system

Australia

US, Australia, Singapore, Ireland *

SCCs
(with Australia)

Log analysis

United States

US

SCCs

Applicant tracking system

United States

EU

None needed

* Atlassian moves data around globally to optimize product performance.

Note: We rely on Standard Contractual Clauses (SCCs) for all our international transfers, if you wish to consult any of them, please get in touch with us to request a copy.


5. Updates to this document

Changes to this privacy policy

We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the bottom of this page. Each visit or interaction with our products and services will be subject to the new privacy policy. We will record past versions of this policy through an archive on this page. We encourage you to review our privacy policy whenever you use our products and services to stay informed about our policies.

Contacting us

If you have any questions about this policy, please contact us at:

castLabs GmbH

Wilhelmine-Gemberg-Weg 5-7

10179 Berlin, Germany

data_protection@castlabs.com

Our data protection officer

castLabs has appointed TechGDPR DPC gmbH as its external Data Protection Officer.

TechGDPR DPC GmbH

Heinrich-Roller Str. 15

10405 Berlin, Germany

You may contact them directly at castlabs.dpo@techgdpr.com.

Policy version effective as of: 15 May 2023