Privacy & cookie policy
This privacy notice applies to websites, products and services offered by castLabs. We process your personal data in the scope of delivering services to you and this document clarifies how and why this processing takes place as required by GDPR Art.13. castLabs, we, our, and us refers to castLabs GmbH and castLabs Inc.
It describes what personal data is collected from you when you are in contact with us as service users, service providers, website visitors, suppliers and trade show visitors.
The data controller providing this policy is Castlabs GmbH. It can be reached by post (Wilhelmine-Gemberg-Weg 5-7, 10179 Berlin, Germany) or by email at data_protection@castlabs.com.
castLabs GmbH has appointed a data protection officer who can also be contacted independently: Silvan Jongerius (TechGDPR DPC GmbH, Heinrich-Roller Str. 15, 10405 Berlin, Germany) castlabs.dpo@techgdpr.com.
This policy clarifies:
- What personal data is collected and what are the purposes pursued depending on whether you are
a) a service account user– a user of our central services registered on our portal– a standalone user of our PRESTOplay SDK– a standalone user of our DRMtoday– a standalone user of our Video Toolkitb) a website visitorc) leads and interested partiesd) a newsletter subscribere) a third party service provider or contractor
- How you may exercise your rights under the GDPR
- What cookies we use on our website and set on the device you use to visit it
- How we handle the international transfers of personal data
- We also offer information on how to contact us and how we update this policy.
Glossary:
- Customers: Account holders of castLabs services who create an account to download and integrate our products to their solutions.
- End users: Consumers of media who have a service agreement with castLabs customers.
- Resellers: An organization that purchases castLabs products and/or services for distribution and sale to their own customers.
- Services: Products and services offered by castLabs. These include PRESTOplay, DRMtoday, and Video Toolkit.
1. Personal data collected and purposes pursued
In this section, we clarify what data we process from you and for what purposes.
Each table is dedicated to a specific groupof people who interact with our services (data subject categories).
Each table outlines:
- The processing activity in which your personal data is processed and the data subject categories,
- What data is being processed,
- What purpose it serves for us to do so and the legal base relied on to legitimize this processing,
- What retention we apply (how long this data is kept to these purposes).
1.a Service account users
(Typically, with access to DRMtoday, Video Toolkit, or Content Portal)
|
Processing activity & (data subject categories) |
Data points |
Purpose |
Retention period |
Available rights |
|---|---|---|---|---|
|
Authenticating users |
Email (login) & password pair |
Allows castLabs’central services to authenticate a customer (organizations, users and their relations) and log their user access to services via the API or front-end. This serves integrity and security purposes to our services. (Legitimate interest GDPR Art.6.1.f) |
1 hour |
The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Account administration |
Email (login), password & 2FA |
Allows castLabs to offer account management options such as managing notifications, resetting password, setting upMFA, editing account details or closing the account.
|
Duration of the contract |
|
|
Accessing a purchased product or a product trial |
Allows castLabs to provide the user with transactional email notifications around the management of the account. Performance of a contract GDPR Art.6.1.b) |
Duration of the contract/trial |
||
|
Reporting on account or trial use |
Allows castLabs to provide the user, product teams and finance with metrics on current and projected service use and billing. It also allows castLabs to send transactional emails to that effect. Performance of a contract GDPR Art.6.1.b) |
Duration of the contract/trial + 12 months |
||
|
Setting options |
Allows castLabs to offer a highly configurable account management environment with functionalities that include viewing logging/debugging data, viewing statuspage information for all products, getting notified when the operation status of products change or is planned to change, configuring the side navigation pane for increased usability. Performance of a contract GDPR Art.6.1.b) |
Duration of the contract |
||
|
Providing free trials |
Mandatory contact form fields: Company name, website, 1st name, last name, company email, country, expected monthly users Optional: Streaming formats used, encoders/packagers used, video players used, Streaming use cases, free text comments, how the person heard about castLabs, Recaptcha, devices customer wants to reach, content processing needs |
Allows castLabs to address user queries. Allows castLabs to set upa user's free trial. (Legitimate interest GDPR art.6.1.f) |
Duration of the contract or trial |
|
|
Providing resources (customer employees) |
User (email / pw) Session cookie (Ipaddresses are not logged, no user-agent logs) UUID (Universally Unified Identifier randomly generated, with validity/expiry time) User activity table: customer emails (customer is top-level ID), customer the user belongs to, package (ex. PRESTOplay for iOS), version date/time |
Allows castLabs to make resources available to customer organizations (SDKs, …). (Performance of a contract GDPR Art.6.1.b) |
Duration of the contract |
|
|
Providing resources (customer employees) |
IP |
Allows castLabs to identify from where the request came from. (Legitimate interest GDPR art.6.1.f) |
30 days |
|
|
Providing resources via Content
Portal |
Name, Last Name, Email, Username, Country |
Allows castLabs to make resources available to customers (Performance of a contract GDPR Art.6.1.b) |
Indefinitely * |
|
|
Monitoring usage |
Mandatory for every view: ISO timestampof initialization, castlabs customer id, product SDK version, license_key_id. Depending on the contract (can be enforced by the license and may be required for billing): user_id – unique user id identifying customer's customers, device_id – unique device id identifying customer's customers devices. Optional if available upon SDK initialization: device brand which initialized our SDK, device model which initialized our SDK, OS family of the operating system that runs on the device initializing our SDK, OS version of the operating system that runs on the device initializing our SDK, browser family (applicable to browser SDK) browser version (applicable to browser SDK), is_live – was the content live, content_type – content type of the playback (e.g. mp4) asset_id – customers assed id, session_id – customers session id, drm_backend – if DRM was used which backend it was using (DRMtoday, none, …), drm_cdm – CDM used, drm_security_level – DRM security level, drm_offline – was it an offline DRM playback, plugins – what kind of plugins were enabled, drm_latency – time to obtain DRM license, drm_ip- ip from which the DRM request came from. |
Allows castLabs to monitor usage and gather data required for billing. (Legitimate interest GDPR art.6.1.f) |
1 year |
|
|
Improving usability of the websites |
Anonymised user Ipaddress 2 byte(s): 999.999.XXX.XXX, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (i.e. page URL), URL of the page that was viewed prior to the current page (i.e. referer URL), viewing and clicking on content, including files downloaded, links to an outside domain that were clicked (i.e. outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used, user agent of the browser being used (User-Agent header for browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model), custom dimensions & screen resolution being used, custom variables, marketing campaigns, site search terms used (if used), conversion goals, events tracked, form interactions, media interactions (video and audio) |
Allows castLabs to better understand how the website is used to optimize its design. (Legitimate interest GDPR Art.6.1.f) |
25 months |
|
|
Maintaining operational error logs |
Remote address, remote user, local time, request URL, status, bytes sent, referrer, user agent, x-forwarded-to header |
Allows castLabs to deliver traces of activity to satisfy partner security requests. (legitimate interest GDPR Art.6.1.f) |
2 years |
|
|
Creating a customer in SAP and processing order forms from sales (customer representatives) |
Name, address, email, VAT ID, payment terms, order item, item price, item discount (if applicable) |
Allows castLabs to enter relevant data involved in invoicing organizations.
|
10 years |
|
|
Bookkeeping (customer account managers) |
Name, invoicing address, delivery address, email, VAT ID, payment terms, country, customer #, products purchased, due date, castLabs bank information |
Allows castLabs to fulfill its legal obligation to retain data pertaining to financial transactions. (legal obligation GDPR Art. 6.1.c) |
10 years |
|
|
Collecting payments from customers |
Bank statements |
Allow castLabs to ensure that payments are made and trigger a dunning run where necessary. (legal obligation GDPR Art. 6.1.c) |
10 years |
* We are currently working to decrease that number and aggregate the data.
1.b Website visitors (castlabs.com)
|
Processing activity & (data subject categories) |
Data points |
Purpose |
Retention period |
Available rights |
|---|---|---|---|---|
|
Logging and maintaining server access log files |
Operating system, browser, IP, timestamp, URL, country |
Allows castLabs to investigate and clear occasional suspicion of security risks on pages delivering publicly available information. (legitimate interest GDPR Art. 6.1.f) |
1 month |
The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Responding to queries (leads) |
Email, name, timestamp, and message payload |
Allows castLabs to offer support and address client queries. (legitimate interest GDPR Art. 6.1.f) |
12 months |
|
|
Anonymised user Ipaddress 2 byte(s): 999.999.XXX.XXX, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (i.e. page URL), URL of the page that was viewed prior to the current page (i.e. referer URL), viewing and clicking on content, including files downloaded, links to an outside domain that were clicked (i.e. outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used, user agent of the browser being used (User-Agent header for browser, operating system, device used (desktop, tablet, mobile, tv, cars, console, etc.), brand and model), custom dimensions & screen resolution being used, custom variables, marketing campaigns, site search terms used (if used), conversion goals, events tracked, form interactions, media interactions (video and audio) |
Allows castLabs to better understand how the website is used to optimize its design. (legitimate interest GDPR Art. 6.1.f) |
25 months |
||
|
For more information, please see our Website cookies |
||||
1.c Leads and interested parties
|
Processing activity & (data subject categories) |
Data points |
Purpose |
Retention period |
Available rights |
|---|---|---|---|---|
|
Hosting webinars |
Registrant’s email, first/last name, company, job title, country, and other data voluntarily shared, as well as marketing email opt-in choice |
Allows castLabs to host remote events to help promote product features and keep the user community engaged. (legitimate interest GDPR, Art.6.1.f) |
12 months |
The rights of access, rectification, erasure, restriction, the right to object and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Integrate webinar registrants into CRM |
Registrant’s email, first/last name, company, job title, country, as well as marketing email opt-in choice |
Allow castLabs to integrate webinar registrants information into CRM |
12 months |
|
|
Make available VOD asset after the webinar |
Email address |
Allow castLabs to send the webinar video to all people who registered to the webinar |
12 months |
|
|
Scanning badges, collecting leads, and reaching out to partners and leads after an event (event attendees) |
Captured date, first name, last name, title, company, company address, email, phone, website |
Allows castLabs to create a list of interested parties and further engage in commercial talks. (legitimate interest GDPR Art.6.1.f) |
12 months |
|
|
Collecting leads information and reaching out to them after they complete a website form |
Email, first name, last name, title, company, country |
Allows castLabs to communicate to interested parties for relevant commercial discussions. (legitimate interest GDPR Art.6.1.f) |
12 months |
|
|
Placing a meeting request (interested parties) |
Name, company email address, company, company website, user submitted information (on contact forms), castLab products of interest, brief overview of existing infrastructure, Recaptcha proof of humanity |
Allows castLabs to get in touch with
requesters at an upcoming event. |
24 months |
|
|
Responding to customer queries (‘Technical consulting’ customer interest form) (Widevine 3PL certification customer interest form) |
Technical consulting:
Widevine 3PL certification:
|
Allows castLabs to get in touch with interested parties
placing queries on castLabswebsite forms. |
24 months |
|
|
Preventing spamming |
See table below: Newsletter |
|||
|
Sending out marketing communication (registered recipients) |
See table below: Newsletter |
|||
|
Understanding website use (through site analytics) |
Anonymised user Ipaddress, date and time of the request, time in local user’s timezone, title of the page being viewed (page title), URL of the page being viewed (page URL), URL of the page that was viewed prior to the current page (referrer URL), screen resolution being used, content viewing and links clicked, files downloaded, clicked links to an outside domain (outlink), pages generation time (page speed), location of the user: country, region, city, approximate latitude and longitude, main language of the browser being used (accept-Language header), user agent of the browser being used (User-Agent header), site search, form interactions, media interactions |
Allows castLabs to better understand visitors of the public webpages and help improve visitor experience. (legitimate interest GDPR Art.6.1.f) |
25 months |
|
1.d Newsletter subscribers
|
Processing activity & (data subject categories) |
Data points |
Purpose |
Retention period |
Available rights |
|---|---|---|---|---|
|
Sending out marketing communication |
Email address |
Allows castLabs to promote its products and
offerings. (consent GDPR Art.6.1.a) |
Until user unsubscribes |
The rights of access, rectification, erasure, restriction, the right to object (i.e. revoke consent), the right to data portability and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Preventing spamming |
IP address, referrer URL, operating system, cookies, mouse, movements/keyboard strokes, length of pauses between actions, device settings (e.g. language or location) |
Allows castLabs to ensure that only a natural/legal person registers to the newsletter rather than a bot.
|
19 years by Google |
1.e Third-party service providers or contractors *
|
Processing activity & (data subject categories) |
Data points |
Purpose |
Retention period |
Available rights |
|---|---|---|---|---|
|
Invoicing suppliers and contractors |
Supplier name, address, bank details, payment terms |
Allows castLabs to track the fulfillment of service and submit a payment order. (Performance of a contract – GDPR Art.6.1.b) |
10 years |
The rights of access, rectification, erasure, restriction, the right to data portability and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Delivering payment to suppliers |
Amount payable to supplier, supplier invoice number, IBAN and Swift BIC |
Allows castLabs to transfer funds to external
suppliers. |
1 week (for payment processing) |
|
|
Archiving records of payment |
castLabs IBAN, name of the recipient, IBAN of recipient, purpose of transaction |
Allows castLabs to maintain records of supplier
financial transactions. |
10 years |
The rights of access, rectification, erasure once the required retention has expired, restriction, and the right to lodge a complaint with a supervisory authority. More details are available below. |
|
Hiring process |
First Name, Last Name, Email, Phone, Linkedin Profile, Website, Skills (languages, programming, …), job experience, education information (school, university, discipline), freelancer willingness |
Assessing applicants suitability (Consent – GDPR Art. 6.1.a) |
1 year |
The rights of access, rectification, erasure once the required retention has expired, restriction, and the right to lodge a complaint with a supervisory authority. More details are available below. |
* Note for third party providers and contractors: While this table outlines how castLabs handles your personal data in the scope of the activities rendered for castLabs (GDPR Art.13) it does not in any way cover or preclude your contractual and statutory obligations with regards to data protection and the secure handling of castLabs customer data (GDPR Art.28, 32-36). The latter is outlined in the Data Processing Agreement you have executed with castLabs.
Matomo Analytics
Matomo cookies
We may use Matomo Analytics across our websites to analyze how our site is used to helpimprove it. When it is used, we collect anonymous visitor usage analytics without cookies, by default. Upon visiting one of our websites, we display a cookie banner providing an option to opt in to use third party Matomo usage analytics cookies.
- If you choose to accept these cookies via the banner, then you will be helping us understand better how our site is used in order to improve it. If afterwards you wish to opt out of these cookies, you can press the button below. A functional first-party cookie will be created to remember your choice.
- If you choose to decline these cookies via the banner, then Matomo cookies will not be used while you use our site. A functional first-party cookie is created to remember your choice.
- If you perform no action with the cookie banner, Matomo cookies will continue to not be used while you use our site.
Opting in or out of analytics
You may choose to prevent our websites from aggregating and analyzing the actions you take while using them. Doing so will increase your privacy, but will also prevent us from learning from your actions and creating a better experience for you and other users. Opting out will create a cookie used to remember that data collected for analytics should be avoided. This is in line with the French data protection authority (CNIL) supported implementation of Matomo Analytics. This implementation allows us to collect user data anonymously. In any case, the anonymisation and the resulting anonymous site usage data is processed and stored within the EU. Aggregated (statistics) data does not lead back to an individual.
Additionally to the above, we may use your information in legal claims and compliance/regulatory/audit processes where required by law, or where we believe it is required to protect our legal rights and interests. We may also disclose your information in connection with the acquisition, merger, or sale of one of our business units. Should this happen, we would inform you of the intended data sharing and provide you with the opportunity to object ahead of time.
Data belonging to children
Our products and services are not intended for individuals under the age of 16. We do not knowingly or intentionally collect personal information from that demographic and if we become aware that someone under the age of 16 has provided us with personal information we will remove their data from our systems.
2. Exercising data subject rights under the GDPR
How to access your information (right of access)
You have the right to request a copy of the information we hold about you. To do so, please send an email to data_protection@castlabs.com requesting access to your information.
How to update your information (right to rectification)
You have the right to update the information we hold about you. To do so please send an email to data_protection@castlabs.com with instructions on what you would like rectified.
How to withdraw from communications (right to object to marketing communication)
You may withdraw consent from our marketing communications, including our
newsletter, by clicking the unsubscribe link in the emails you receive. You may also email data_protection@castlabs.com to request to
be removed from communications.
You may however not withdraw from our service communication
updates as these are intended to provide you with timely or critical information regarding system updates. This
communication and use of your contact details takes place under the performance of our contract.
How to request to port your data (right to data portability)
Data portability allows you to obtain your personally identifiable information in a format which you can move between service providers. Data portability requests may apply to some of your information, but not all, depending on the data’s specific circumstances. Upon request by emailing data_protection@castlabs.com, we will provide you with relevant personally identifiable information in an electronic format.
Notable exceptions to the exercise of data subject rights
Note that none of the following rights can be exercised if castLabs cannot identify you. Likewise, deletion requests cannot be performed where data is processed under Art.6.1.b performance of a contract and that contract happens to be running. Should castLabs have reason to believe the data it holds may helpin the preparation, defense or exercise of a legal claim, we will also not be able to act on a deletion or rectification request.
Castlabs will also provide an explanation as to which rights cannot be performed. castLabs may refuse to process requests that are unreasonably duplicated, require disproportionate technical efforts, jeopardize the confidentiality of other users, requests which are extremely impractical, or otherwise not required by law. The exercise of your rights, when they are not repetitive and unreasonable, is not subject to a fee.
Right to lodge a complaint
We encourage you to contact us at data_protection@castlabs.com if
you have a privacy related concern. You can also contact our data protection officer.
Should we fail to
respond to your request on one of the above rights within 30 days or if you deem our response unsatisfactory,
you have the right to lodge a complaint about the improper processing/usage of your personal data by us with our
supervisory authority:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
An der Urania 4-10
10787 Berlin
http://www.datenschutz-berlin.de
Alternatively, you can contact the data protection authority of your choice.
3. Website cookies
First-party cookies
We implement and control these cookies ourselves on our website domains (castlabs.com, drmtoday.com, and portal.content.castlabs.com).
|
Name |
Description and purpose |
Expiration |
Where it’s used |
|---|---|---|---|
|
cl_banner_nok |
A functional cookie used to remember if you chose to opt in or out of usage analytics cookies via the cookie banner. |
13 months |
.castlabs.com |
|
cl:console:session |
User portal session cookie. |
Session |
User portal |
|
cl:console:session:expires |
User portal session expiration cookie that is used to indicate when to perform a token refresh operation. |
Session |
User portal |
Third-party cookies
We implement cookies provided by the following third parties.
|
Name |
Description and purpose |
Expiration |
Where it’s used |
|---|---|---|---|
|
cognito |
Amazon Cognito session cookie. |
Session |
Login portal Content portal |
|
mtm_cookie_consent |
This allows Matomo to remember that consent for storing and using cookies was given by the user. This cookie is created when you accept the cookie banner. |
13 months |
.castlabs.com |
|
sessionid |
AWS cookies used to identify the user’s session necessary for form submissions. |
2 weeks |
Our software Download Portal Our Video Toolkit Portal |
|
csrftoken |
A security token from AWS to prevent cross-site request forgery and maintain optimal service and user security. |
1 year |
Our software Download Portal |
|
XSRF-TOKEN |
This is an encrypted cookie to prevent CSRF attacks and maintain optimal service and user security. |
Session |
Login portal |
|
csrf-state |
Part of Amazon Cognito OAuth. |
Session |
Content portal |
|
csrf-state-legacy |
Part of Amazon Cognito OAuth. |
Session |
Content portal |
|
_pk_ref |
Used with Matomo to store the attribution information the referrer initially used to visit the site. |
6 months |
.castlabs.com |
|
_pk_cvar |
Short lived Matomo cookie used to temporarily store data for the visit. |
30 minutes |
.castlabs.com |
|
_pk_id |
Used with Matomo to store a few details about the user such as the unique visitor ID. |
13 months |
.castlabs.com |
|
_pk_ses |
Short lived Matomo cookie used to temporarily store data for the visit. |
30 minutes |
.castlabs.com |
|
mtm_consent |
This cookie allows Matomo to remember that consent was given by the user. |
13 months |
.castlabs.com |
|
mtm_consent_removed |
This cookie allows Matomo to remember that consent was removed by the user. |
30 years |
.castlabs.com |
|
matomo_ignore |
Allows Matomo to exclude usage analytics for a visitor/user (opt-out). This cookie does not contain personal information or any ID and the cookie value is the same for all visitors/users. |
30 years |
.castlabs.com |
|
matomo_sessid (essential cookie which does not contain data used to identify users) |
This nonce allows Matomo to prevent CSRF security issues and is triggered when the opt out feature is used. |
14 days |
.castlabs.com |
|
AWSELBCORS |
Part of Amazon load balancing functionality. |
1 week |
Our Video Toolkit portal |
|
AWSELB |
Part of Amazon load balancing functionality. Used to map the session to an instance. |
1 week |
Our Video Toolkit portal |
Local storage (JavaScript storage API) cookies
|
Name |
Description and security purpose |
Expiration |
Where it’s used |
|---|---|---|---|
|
amznfbgid |
Used to uniquely identify a browser |
Until user authenticates |
Content portal |
|
Amazon.AWS.Cognito.ContextData.LS_UBID |
Used to uniquely identify a browser |
||
|
id_token |
JSON web token (JWT) that contains information about the user’s identity (Name, Surname, Username, Email) and is used for authentication. |
Session |
|
|
access_token |
JSON web token (JWT) that contains the username and is used for authorizing API operations in the context of the user in the user pool. |
||
|
nonce |
OAuth Token used to secure against replay attacks. |
||
|
id_token_expires_at |
Expiration date of the id_token |
||
|
expires_at |
Expiration date of the access token |
||
|
access_token_stored_at |
Extracted from the id_token. It’s stored there to provide a shortcut to data from the id_token |
||
|
id_token_stored_at |
Internal marker that is set to the time the id_token was acquired |
||
|
id_token_claims_obj |
Extracted from the id_token. It’s stored there to provide a shortcut to data from the id_token |
||
|
PKCE_verifier |
OAuth Token Proof Key for Code Exchange is a security key for preventing malicious attacks by securely performing code authorization flow. |
||
|
session_state |
Indicates the End-User's login state. |
||
|
refresh_token |
OAuth Token |
Until session ends or 30 days |
|
|
ng2Idle.main.idling |
Angular verification of user’s activity that tracks when the user is idle (security) |
Until new login |
|
|
ng2Idle.main.expiry |
4. Data transfers
Note that we do not sell, trade, or rent personal identification information of users of our products and services to others. We only provide access to data you entrust us to our trusted sub-processors and ensure we have the appropriate required documentation to do so, including service contracts, data protection agreements and standard contractual clauses for out-of-EU transfers. We are currently performing an international transfer assessment to determine whether supplementary measures required in the wake of the EUCJ Schrems II decision are required.
Transfers within castLabs GmbH & castLabs Inc.
Information is regularly shared internally with our staff around the world between our two business
units: castLabs GmbH, located in Germany and castLabs Inc, located in the US. Our
worldwide business requires information to be periodically transferred outside of where data is stored for
access in countries where we operate (for example, by our staff on a need-to-know basis and under strict
security measures) for the purposes detailed in this policy.
We use
HTTPS encryption for data transmission where available to prevent interception of data across networks.
Site visitor analytics
Through the EU-based cloud use of Matomo Analytics, the implementation of which followed strict CNIL (Commission Nationale de l'Informatique et des Libertés) guidance, we do not share identifiable visitor data outside of the EU.
International data transfers
Over the course of our processing, your data may remain in the EU or be transferred internationally. For details, please refer to the processing activity of interest below.
|
Category of processor involved |
contracting entity |
location of the processing |
International transfer instrument relied on |
|---|---|---|---|
|
Authentication service |
Luxembourg |
EU |
None needed |
|
Invoicing and finance |
Germany |
Germany |
None needed |
|
Cloud hosting provider |
Luxembourg |
EU |
SCCs |
|
Usage analytics for website visitor activity |
New Zealand |
Germany and Ireland (backup) |
None needed |
|
CRM |
Germany |
US |
SSCs |
|
Web hosting |
Spain |
Netherlands |
SSCs |
|
Ticketing system |
Australia |
US, Australia, Singapore, Ireland * |
SCCs |
|
Log analysis |
United States |
US |
SCCs |
|
Applicant tracking system |
United States |
EU |
None needed |
* Atlassian moves data around globally to optimize product performance.
Note: We rely on Standard Contractual Clauses (SCCs) for all our international transfers, if you wish to consult any of them, please get in touch with us to request a copy.
5. Updates to this document
Changes to this privacy policy
We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the bottom of this page. Each visit or interaction with our products and services will be subject to the new privacy policy. We will record past versions of this policy through an archive on this page. We encourage you to review our privacy policy whenever you use our products and services to stay informed about our policies.
Contacting us
If you have any questions about this policy, please contact us at:
castLabs GmbH
Wilhelmine-Gemberg-Weg 5-7
10179 Berlin, Germany
Our data protection officer
castLabs has appointed TechGDPR DPC gmbH as its external Data Protection Officer.
TechGDPR DPC GmbH
Heinrich-Roller Str. 15
10405 Berlin, Germany
You may contact them directly at castlabs.dpo@techgdpr.com.
Policy version effective as of: 15 May 2023