Privacy Statement Cumul.io

This version has been in effect since 2 April 2021

1. General

Your privacy is really important to us. We will ensure that your personal data is processed safely and lawfully, and always in accordance with applicable privacy legislation, and in particular with the General Data Protection Regulation ("GDPR").

This privacy statement sets out how Cumul.io, a public limited company ("naamloze vennootschap") with registered office at Tiensevest 102 box 201, B-3000 Leuven, Belgium, registered with the Crossroad Bank for Enterprises ("Kruispuntbank van Ondernemingen") under number 0640.944.227 (RLE Leuven) ("Cumul.io", "our" or "we") collects and uses personal information from customers and other individuals (collectively "you") who access or use our websites, including https://cumul.io, and our digital platform which allows you to connect and combine data and create dashboards, in order to get actionable insights from this data (the "Application") (together, the "Services").

By using our Services, you understand that we will collect and use your personal data as described in this Privacy Statement.

This Privacy Statement does not apply to any third-party websites and apps that you may use, including the ones in which our Services are embedded. You should review the terms and policies for such third-party websites and apps before using them.

If you have any questions about this Privacy Statement, you can reach us at the following e-mail address: support@cumul.io.

2. Controller Identity

Cumul.io acts as controller of your personal data when you are using our Services.

However, in some cases we may process your personal data pursuant to an agreement (including a data processing agreement) with a third party organization. In those cases, we act as a processor and the terms of that agreement govern how we process your personal data. If you believe a third party organization has asked us to process your personal data on their behalf, please consult with them in the first instance as they will be the controller of your personal data and as such, responsible for how we process your personal data. Otherwise, you can also contact us directly and we will redirect you to the controller of your personal data in case we process your personal data pursuant to an agreement on its behalf.

3. What personal data do we collect and how?

We collect three broad categories of information about you (your "personal data") when you interact with us.

We collect personal data that you provide us to give you more information about our Services or to provide you with our Services

When you register on our website or you contact us via email or our contact form to obtain a demo, more information about our Services or (free trial or paid) access to our Services, you provide us with your personal data such as:

  • When you request more information about our Services:
    • first name and surname
    • email address
    • organization
  • When you request a demo:
    • first name and surname
    • email address
    • organization
  • When you request a free trial:
    • first name and surname
    • address
    • email address
    • phone number
    • language
    • username
    • password
  • When you request a paid plan:
    • first name and surname
    • address
    • email address
    • phone number
    • credit card information or other payment information
    • organization information
    • language
    • username
    • password

We refer to this type of personal data as "Customer Account Data".

When you are using our Services, we process personal data that you give us or that we collect automatically.

When you use or interact with our Application, you provide us with:

  • Content, data, information or material that you provide us directly
  • Content, data, information or material that you request the Application to collect or generate for you.

When you use or interact with our Services, we also collect automatically the following personal data:

  • IP address of your computer
  • IP address of the internet service provider
  • the date and time you have accessed the Website
  • the internet address of the website from which you have linked directly to the website
  • the operating system you use
  • the divs of the Website you visited
  • the Website pages you accessed
  • the information you viewed
  • the materials posted to or downloaded from the Website
  • the types of visualizations
  • the number of dashboards you make
  • data collected through the use of cookies (for more information about cookies, please consult our cookie policy).
  • Invitation by email or shared Customer Data:
    • email address
    • email address of the person with whom you shared Customer Data or to whom you gave access permission.

We refer to this type of personal data as "Customer Data".

When you subscribe to our newsletters (or white papers), you provide us with your email address. We refer to this type of personal data as "Marketing Data".

4. Why do we process your personal data and on which legal basis are we doing so?

The legal basis on which we rely to process your personal data depends on which type of data we process and for which purposes:

  • We use your Customer Account Data to the extent necessary to perform our Services in accordance with the agreement we entered into with you (you as a customer) or that we may enter with you (you as a potential customer).

    This processing is performed for the following purposes:

    • to create an account for you to access our Services
    • to issue invoices to you
    • to provide you with a demo of our Services or more information about our Services at your request for you to assess whether you could be interested in entering into a contract with us for our Services
    • to ensure the maintenance of the Services
  • We use your Customer Account Data also to comply with our legal obligations regarding accounting, filing taxes, and fulfilling regulatory obligations.
  • We use your Customer Account Data and Customer Data further to our legitimate interests to:

    • understand who our customers and potential customers are and their interests in our Services
    • investigate and understand how our Services are used
    • manage our relationship with you and other customers
    • help detect, prevent, or investigate security incidents, fraud and other abuse and/or misuse of our Services
    • send you (as customer) more information about our Services
    • keep you informed (as customer) of similar new services or products
    • send you (as customer) information about our events
    • send you (as customer) marketing, advertising and promotional messages in relation to our Services or similar products or services
    • for the establishment, exercise or defense of legal claims (if necessary)
    • enhance your experience of the Services
    • get more analysis and insight on our Services, for example:

      • by analyzing user statistics
      • by creating aggregate tracking information reports regarding user demographics and the use of our Services.
  • We rely on your consent to use your Marketing Data to send you our newsletters via email when you subscribed and consented to it via our web forms.

5. Who do we share data with?

We will not transfer, transmit or otherwise disclose your personal data to third parties without your prior express consent except for the third parties described below:

  • to trusted businesses or persons to process your personal information on our behalf, based on our instructions and in compliance with applicable privacy laws and regulations
  • to companies, organizations or individuals if we have a good reason to believe that disclosure of the information is reasonably necessary to execute and enforce contractual terms
  • to regulatory or law enforcement agencies if we believe in good faith that we are required by law to disclose it in connection with the detection of crime, the collection of taxes or duties, in order to comply with any applicable law or order of a court of competent jurisdiction, or in connection with legal proceedings
  • to third parties as part of a merger, acquisition or bankruptcy, in the event we sell or transfer all or a portion of our business or assets (including through bankruptcy).

Such third parties will only have access to the personal data they need to perform their tasks, and may not use such data for other purposes. The third parties to whom the personal data is transferred are also subject to an obligation of confidentiality and must provide the necessary guarantees that appropriate organizational and technical security measures are taken to protect your personal data.

6. Will your personal information be transferred outside the European Economic Area?

In the event that the third parties listed above are located outside the European Economic Area, the transfer of personal data to these recipients will only take place if:

  • the European Commission has issued an adequacy decision for the country concerned, guaranteeing that an adequate level of protection of personal data is offered in that country
  • you have given explicit consent
  • appropriate safeguards have been provided, such as standard data protection clauses.

7. How long do we store your personal data?

We will ensure that your personal data is not kept longer than necessary to fulfill the purposes we explained to you under point 4. If you want more information about the retention periods of your personal data, please contact us at support@cumul.io.

8. How do we protect your personal data?

We take appropriate and necessary organizational and technical security measures to protect your personal data and your privacy in order to prevent the loss, unlawful use or alteration of information we receive. Such measures include (i) log-on protection of the Personal Data, (ii) encryption of the Personal Data, (iii) anti-virus systems, (iv) anonymization of personal data; and (v) confidentiality obligations applying to all employees involved.

9. What are my rights as data subject and how do I exercise them?

You have certain rights related to your personal information, which may differ depending on the legal basis we use to process them. You can find a description of your rights below.

If you want to exercise these rights, please send an email to support@cumul.io. We undertake to respond to any request to exercise the aforementioned rights within thirty (30) calendar days.

9.1. My right to withdraw my consent

When we process your personal data on the basis of your consent, you have the right to revoke your consent to such processing at any time. You will not suffer any detrimental consequences if you do so. This consent withdrawal will not affect the lawfulness of the processing that occurred prior to the revocation of your consent.

9.2. My right to object to a data processing activity

When we process your data on the basis of our legitimate interests, you have the right to object to such processing activities at any time. If you object to a processing activity, we will no longer process your personal data for the purposes for which you no longer want us to process your data, unless we have compelling legitimate grounds for such processing or we need it for the establishment, exercise or defense of legal claims.

9.3. My right of access

You have the right to be informed whether we are processing your personal data and, if so, to obtain access to such Personal Data and to receive the following information:

  • the processing purposes
  • the categories of personal data concerned
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • the period for which the personal data will be stored or the criteria for determining such storage period
  • if we obtain personal data from third parties, information regarding the source of such personal data
  • the existence of automated decision-making (including profiling) regarding your personal data (if any), and where applicable, useful information about the underlying logic, as well as the importance and possible consequences of such automated decision-making.

Furthermore, you also have the right to receive a copy of the personal data that you have provided to us in a structured, common and machine-readable format (via the email address that you have provided us with) so that you can pass it on to another data controller or so that we can pass it on to another data controller at your request and if technically possible. Requesting a copy is free of charge. If you request additional copies of your personal data, we may charge a reasonable fee to cover administrative costs.

In order to exercise your right of access, and to prevent any unauthorized disclosure of your personal data, you must provide us with proof of your identity. When exercising your right of access, we therefore ask you to add a copy of the front side of your identity card to your written request by email or post.

9.4. My right to rectification and completion

You have the right to have your personal data corrected or have inaccuracies rectified free of charge if your personal data is incomplete or inaccurate or is processed in an unlawful manner. Furthermore, you also have the right to complete incomplete personal data, including by providing a supplementary statement.

9.5. My right to erasure of data ("right to be forgotten")

You have the right to request the deletion of your personal data as collected by us in the following cases:

  • your Personal Data is no longer required for the processing purposes set forth in this Privacy Statement
  • you revoke your previous consent for the processing of your personal data (where your consent was used as legal basis for our processing) and there is no other legal basis on which we can rely for the (further) processing of your personal data
  • you object to the processing (or further processing) of your personal data and there are no compelling legal grounds for the processing of your personal data by us
  • your personal data has been processed unlawfully
  • your personal data must be deleted in order to comply with a legal obligation incumbent upon us
  • your personal data was collected when you were a minor.

In the event of a deletion request, you should be aware that we need to retain certain personal data in order to comply with our legal obligations or for the establishment, exercise or defense of legal claims.

9.6. My right to restriction of further processing

Furthermore, you also have the right to request that we restrict the processing of your personal data to processing made: (i) for storage purposes, (ii) with your consent or (iii) for the establishment, exercise or defense of legal claims in the following cases:

  • you contest the accuracy of this personal data (in this context, the use of your personal data shall be restricted during a certain period of time in order for us to verify the accuracy of your personal data)
  • the processing of your personal data is unlawful and instead of its deletion, you request us to limit the processing of your personal data and its use
  • we no longer need your personal data for the processing purposes as described above, but you need this Personal Data for the initiation, exercise or substantiation of a legal claim
  • when after exercising your right to object to the processing of your personal data and as long as no decision has been made on the exercise of such right, you request us to limit the use of your personal data.

9.7. My right to file a complaint

If you have a complaint about the processing of your personal data or about the exercise of your rights, please send an email to support@cumul.io. We undertake to respond to any request to exercise the aforementioned rights within thirty (30) calendar days.

Furthermore, you always have the right to lodge a complaint or initiate proceedings with the data protection supervisory authority ("Data Protection Authority" or "Gegevensbeschermingsautoriteit") with the following contact details: Data Protection Authority (GBA), Rue de la Presse 35, 1000 Brussels, +32(0)2 274 48 00/+32(0)2 274 48 35, contact@apd-gba.be, https://www.dataprotectionauthority.be.

10. Modification of this privacy statement

We may make improvements, additions or changes to this Privacy Statement for a variety of reasons. We will post a notice of those changes on our website https://cumul.io.

This version was drawn up on 2 April 2021.

Older versions of this Privacy Statement will be stored in our archive and can be retrieved at any time by sending an email to support@cumul.io.