Privacy Policy
Effective Date: 30th January, 2025
Last Updated on: 28th January, 2025
This privacy policy (“Policy”) explains how Sprinto (“We”, “Us”, “Our”) Processes data collected from natural persons as specified in Clause 2 below (“You”, “Your”), as a
1. Definitions
Capitalised terms not specifically defined herein shall have the meaning ascribed to them in the Terms of Service.
1.1. “Subscriber” means the entity that has subscribed to the Services by accepting the Terms of Service or by entering into an agreement for subscribing to Sprinto’s Services.
1.2. “Controller” means the natural or legal person, public authority, agency, or other body which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
1.3. “End-User(s)” means any person or entity other than the Subscriber or the Users whose data is transmitted by or on behalf of the Subscriber to the Services.
1.4. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.5. “Process/To Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.6. “Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller.
1.7. “Sprinto” shall mean Sprinto Technology Private Limited, Sprinto, Inc and any of its affiliates.
1.8. “Terms of Service” means the binding contract between Us and the Subscriber which governs the access and use of the Service(s) by You. Our standard Terms of Service is available at https://sprinto.com/terms.
1.9. “Website(s)” means the websites that We own and operate.
2. HOW WE COLLECT, USE AND SHARE YOUR PERSONAL DATA
2.1. PERSONAL DATA THAT YOU PROVIDE US
User Category | What Personal Data We Collect | How We use Your Personal Data | Whom We share Your Personal Data with |
---|---|---|---|
a. User who is provided with login credentials to sign into Services as a Subscriber or on behalf of the Subscriber. | Your contact information, such as Your full name, email address. | | Third-party applications that assist Us in creating Your Account, sending You notifications and information about our Services and third-party applications that assist Us in product analytics. |
b. User who provides certain information through the Services, while a) filling out a survey about their user experience or feedback, b) contacting Us or speaking to Our representatives. | Information You have provided as part of it. | | Third parties who assist Us in providing these services. |
c. Individual who requests a demo. | Your contact information including Your full name, email address, and phone number. | | Third parties who assist Us in providing these services. |
d. Individual who a) provides information by filling out forms on Our Website, or b) contacts Us or speaks to our sales representatives | Information You have filled in or have submitted via the web forms or information You have provided in Your interaction with Us. | | Third parties who assist Us in providing these services. |
e. User who requests customer support services. | Your contact information such as Your name, email, and phone number and any other information that the User provides as part of the support request. | To respond to Your comments and questions and provide customer support services. | Third parties who assist Us in providing these services. |
f. Individual who applies for an employment opportunity with Us. | Your contact information, such as full name, email address, mobile number, details of Your education and previous employment, and any other information You volunteer in Your interactions with Us or any information You provide during the evaluation process, including any resume that You submit to Us. | To evaluate You for any position that You have applied for or that We may consider You at the time that You submitted Your resume or at a later date. | |
g. Individuals who are Subscribers. | Your full name, email address, billing email address, billing address and shipping address. | To process the payment made by You and provide You the subscription to the Services. | Third-parties who process the payments on behalf of Us. |
2.2 PERSONAL DATA THAT WE COLLECT NOT PROVIDED DIRECTLY BY YOU
User Category | What Personal Data We Collect | How We use Your Personal Data | Whom We share Your Personal Data with |
---|---|---|---|
a. Website visitor | Internet Protocol (IP) addresses, operating system and browser information, and Your session activity including page views, time spent on each page, scrolling activity, and data collected through cookies. | | Third parties who provide Us with services in connection with such Processing. |
b. User | Information relating to Your use of or interaction with the Services, operating system, and the type of device You use. | To develop, improve, support, operate and provide the Services. | Third parties who provide Us with services in connection with such Processing. |
c. Individual whose information (a) third-party sources share with Us through a valid agreement without breach of any confidentiality clause and with all necessary approvals and authorizations, in accordance with applicable law; or (b) is available on public platforms. | Your contact information: such as Your full name, email address, phone number, age, gender, company-level information; and other unique identifiers which may be considered as Personal Data. | Create more tailored advertising to provide Our Services that may be of interest to You. | Third-party partners who assist Us in such Processing. |
d. A User who logs-in to the Services using the third-party sign-on service. | In case You log-in using any third-party sign-on services, such information as available on those third-party Services that You have made public or authorized to share with Sprinto. | | Third-party applications that enable logging in to Your Account, sending You notifications and information about our products, services, Services, webinars, etc. |
f. Individuals who interact with Our social media accounts. | Your social media account’s user-id, and any contact information You provide with such user-id. | To inform, promote and market Our Services to You. | Third parties who provide Us with services in connection with such Processing. |
2.3 If You provide Us with any Personal Data relating to other individuals, You represent that You have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that it may be used in accordance with this Policy. If You believe that Your Personal Data has been provided to Us improperly, please contact Us by using the information in Clause 12 below.
2.4 In addition to the details provided in the table above, We may also share Your Personal Data with:
a. an entity to which we divest all or a portion of Our business, or otherwise in connection with a merger, consolidation, change in control, reorganisation or liquidation of all or a portion of Our business.
b. Law enforcement authorities, government authorities, courts, dispute resolution bodies, regulators, auditors, and any party appointed or requested by applicable regulators to carry out investigations or audits of Our activities.
c. Professional advisors who advise and assist Us in enforcing Our contracts and policies, handling Our claims, effective management of Our company and in relation to any disputes We may become involved in.
d. credit reference agencies and use the resulting information to prevent fraudulent purchases.
2.5 Limited Use Disclosure: Our use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
3. INTERNATIONAL TRANSFER
3.1. We are a global company and as such, We may share Your Personal Data with Our group companies or service providers based outside Your country of residence. In such cases, We will ensure that the recipient of Your Personal Data offers an adequate level of protection, for example, by using approved model contractual clauses or by other appropriate means to ensure that Your Personal Data is protected.
3.2. Where required by applicable law, We will obtain Your consent for such cross-border transfers.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA (EEA AND UK INDIVIDUALS)
4.1. If You are from the European Economic Area (EEA) or United Kingdom (UK), Our legal basis for collecting and using the Personal Data described above will depend on the Personal Data concerned and the specific context in which We collect it.
4.2. We will normally collect and process Personal Data from You only where:
- We have Your consent to do so, such consent can be shared with us directly or through Your other service providers;
- where We need the Personal Data to perform a contract with You (e.g., to deliver the Services You have requested); or
- where the Processing is in Our legitimate interests (provided these are not overridden by Your data protection interests or fundamental rights and freedoms) such as for research and development, marketing the Services, improving the Services, detecting or preventing illegal activities.
4.3 In some cases, We may also have a legal obligation to collect Personal Data from You or may otherwise need the Personal Data to protect Your vital interests or those of another person.
4.4 If We ask You to provide Personal Data to comply with a legal requirement or to perform a contract with You, We will make this clear at the relevant time and advise You whether the provision of Your Personal Data is mandatory or not (as well as of the possible consequences if You do not provide Your Personal Data).
4.5 Where required by law, We will collect Personal Data only where We have Your consent to do so. If You have any questions about the legal basis on which We collect and use Your Personal Data, please contact Us using the contact details provided in Clause 12 below.
5. NOTICE FOR CALIFORNIA RESIDENTS
5.1. Clause 5 applies only to California residents and the Personal Information We collect as a Business. “CCPA” means the California Consumer Privacy Act of 2018 as amended by the CPRA. “CPRA” means the California Privacy Rights Act of 2020. For the purposes of this section, the terms “Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Sale/Sell”, “Service Provider”, “Sensitive Personal Information” and “Share” shall have the meaning given to them under the CCPA.
5.2. The categories of Personal Information We have collected in the twelve (12) months prior to the Effective Date and We may collect include:
- Identifiers such as a real name, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, or other similar identifiers.
- Personal Information such as education, employment, employment history.
- Commercial Information such as transaction information, financial details, and payment information.
- Internet or other electronic network activity information and device information such as, Your usage of the Services, operating system, browser information, and Your session activity including page views, time spent on each page, scrolling activity, and data collected through cookies.
- Geolocation data such as device location.
5.3. Disclosure of Personal Information. We have disclosed the categories of Personal Information listed in clause 5.2 above for a Business Purpose (which is listed under “How We use Your Personal Data” section in clauses 2.1 and 2.2) in the twelve (12) months prior to the Effective Date and may disclose such Personal Information to service providers or contractors or to any other third parties who support our business (who are listed under “Whom We share Your Personal Data with” section under clauses 2.1 and 2.2). We shall not disclose further the Personal Information collected for verification of a consumer’s request or retain it longer than it is necessary for the purpose of verification.
5.4. Sharing and Selling of Personal Information. We do not Sell or Share the Personal Information We collect without providing You a right to opt-out. We do not Sell or Share the Personal Information of minors of at least the age of thirteen (13) but less than sixteen (16) years without receiving such minor’s consent or the consent of the minor’s guardian if the minor is less than thirteen (13) years. We permit third parties (such as ad networks, analytics providers, or marketing providers) to collect information directly from Your browser or device through cookies or similar tracking technology when You visit or interact with Our Website or access Our Services. This information retrieved may include device information, browsing history, and location data that are used to undertake “cross-context behavioural advertising” that provides personalized advertisements to You on other websites or sites that You may visit or access. This may be considered as a “Sale” or “Share” of Personal Information. You may opt-out of the Sale or Share by following the instructions provided under Clause 5.
5.5. As a California resident, You have the following additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You have the right to request that We disclose the categories and specific pieces of Personal Data We have collected about You, the categories of sources from which the Personal Data was collected, the business or commercial purpose for collecting the Personal Data, and the categories of third parties with whom We share Personal Data.
- Right to Delete: You have the right to request that We delete any Personal Data We have collected about You, subject to certain exceptions.
- Right to Opt-Out: You have the right to opt-out of the sale of Your Personal Data. We do not sell Personal Data.
- Right to Non-Discrimination: You have the right not to be discriminated against for exercising any of Your rights under the CCPA.
5.6. To exercise any of these rights, please contact Us at privacy@sprinto.com. We will respond to Your request in accordance with applicable laws and may require You to verify Your identity before responding to Your request.
5.7. If You use an authorised agent to submit a request to exercise Your rights, We may require You to provide the agent with written permission to do so and to verify Your identity directly with Us.
6. SECURITY OF PERSONAL DATA
We use appropriate technical and organizational measures to protect the Personal Data that We collect and Process. The measures We use are designed to provide a level of security appropriate to the risk of Processing Your Personal Data. If You have questions about the security of Your Personal Data, please contact Us using the contact details provided under Clause 12.
7. RETENTION OF PERSONAL DATA
7.1. We retain Personal Data collected where an ongoing legitimate business requires retention of such Personal Data such as to defend or pursue legal claims, to fulfil any surviving obligations arising from a contract, to provide You with information regarding Our products or Services, or to comply with any legal, tax or accounting requirements.
7.2. In the absence of a need to retain Personal Data under Clause 6 above, We will either delete it or anonymize it, or, if this is not technically possible then We will securely store Your Personal Data and isolate it from any further Processing until deletion is possible.
8. YOUR RIGHTS
8.1. Depending on where You are located and the applicable laws, You may have the following rights in relation to Your Personal Data:
- Right to access: You have the right to request access to the Personal Data We hold about You and to receive a copy of it.
- Right to rectification: You have the right to request that We correct any inaccuracies in Your Personal Data.
- Right to erasure: You have the right to request that We delete Your Personal Data.
- Right to restrict processing: You have the right to request that We restrict the Processing of Your Personal Data.
- Right to data portability: You have the right to request that We provide Your Personal Data in a structured, commonly used, and machine-readable format and to transfer it to another controller.
- Right to object: You have the right to object to the Processing of Your Personal Data based on Our legitimate interests or for direct marketing purposes.
- Right to withdraw consent: If We are Processing Your Personal Data based on Your consent, You have the right to withdraw Your consent at any time.
8.2. To exercise any of these rights, please contact Us at privacy@sprinto.com. We will respond to Your request in accordance with applicable laws and may require You to verify Your identity before responding to Your request.
9. Cookie Policy
9.1. Cookies are text files that are placed on Your computer to collect standard internet log information and visitor behaviour information by Us. When You visit the Website(s), We may collect Personal Data automatically from You through cookies or similar technology. We set cookies to collect information that is used either in aggregate form to help Us understand how Our Website is being used or how effective Our marketing campaigns are, to help customize the Website for You or to make advertising messages more relevant to You.
9.2. Necessary Cookies: We set essential cookies that enable core functionality such as security, network management, and accessibility. You may not opt-out of these cookies. However, You may disable these by changing Your browser settings, but this may affect how the Website(s) functions.
9.3. Statistics, Preference, and Marketing Cookies: We set these cookies to help Us improve Our Website by collecting and reporting information on how You use the Website. The cookies collect information in a way that does not directly identify anyone.
9.4. When You visit the Website, a cookie banner will be displayed providing additional information about cookies and options to opt out of non-essential cookies as required by applicable laws.
10. PRIVACY OF CHILDREN
We recognize the importance of children’s safety and privacy. Our Services are not directed to individuals under the age of 16. We do not knowingly request, or collect, any Personal Data from children under the age of 16. If We become aware that an individual under 16 has provided Us with Personal Data, We will take steps to delete such data as soon as possible. If You become aware that a child has provided Us with Personal Data, please contact Us at privacy@sprinto.com.
11. EXCLUSIONS
11.1. End-User Exclusions. Our Services are intended for use by businesses. This Policy is not applicable to Our Processing of any Personal Data forming a part of the Service Data. We may receive End-Users’ Personal Data as a part of the Service Data for which We will only act as a processor and such Processing will be governed by the Terms of Service. In such a case, the End-User’s data privacy questions and requests should be submitted to the Subscriber in its capacity as a Data Controller. We are not responsible for Subscribers’ privacy or security practices which may be different from this notice. Subscribers of the Services are solely responsible for establishing policies for and ensuring compliance with all applicable laws and regulations, as well as any and all privacy policies, agreements, or other obligations, relating to the collection of Personal Data in connection with the use of Services by the Subscriber.
11.2. Third-party links. Our Website(s) contain links to other websites. Our Policy applies only to Our Website(s), so if You click on a link to another website, You should read their privacy policy. We encourage You to review the privacy statements of any such other websites to understand their Personal Data practices.
11.3. Dr. Sprinto. Where the Subscriber uses Dr. Sprinto tool, We are the Processor and the Subscriber is the Controller. The Subscriber, in its privacy notice to Users may describe what information the Dr. Sprinto tool collects and the purposes for which such information is used by the Subscriber. You may include the following text in the privacy notice modified as needed to make stylistic changes or include defined terms in the privacy notice without substantially changing its meaning:
“The Company uses Sprinto, a third-party tool to manage/track the Company’s compliances. As a part of it, the employee may be required to install a tool (“Dr. Sprinto”) on their device to enable reporting or collecting/tracking of certain compliance-related processes of the Company.
The following information is collected by Dr. Sprinto and shared with the Company and Company’s information security auditors:
- Device identity, such as the device name, serial number, operating system, etc.;
- Device’s operating system;
- Hard disk encryption configuration;
- Screen lock status;
- Antivirus installed on device;
- Additional information containing some operating system config values, a list of processes running on the device, etc. (“Debug Logs”) in the event the employee faces an issue relating to bugging of Dr. Sprinto.
The above-mentioned information is collected and used for the following purposes:
- To run checks and alert the employee of any changes needed to be made to their device for compliance with the Company’s policies.
- To enable reporting of device status as requested by the Company.
- Debug Logs are used in order to resolve issues relating to support for the Dr. Sprinto feature.
Please note that Dr. Sprinto does not collect any private or sensitive information of the employee. If you have any questions, please reach out to your respective Customer Success Manager.”
12. CONTACT INFORMATION
You may contact Us if You have any inquiries or feedback on Our data protection policies and procedures in the following manner:
Kind Attention: Privacy Team
Email Address: privacy@sprinto.com
13. OUR REPRESENTATIVES
If You are a resident of the EEA or the UK, please contact the respective representatives if You have any questions or concerns about how Your Personal Data is handled by Us.
Our EU Representative is:
Rickert Rechtsanwaltsgesellschaft mbH
Colmantstraße 15
53115 Bonn
Germany
Contact: art-27-rep-sprinto@rickert.law
Our UK Representative is:
Rickert Services Ltd UK
PO Box 1487
Peterborough
PE1 9XX
United Kingdom
14. SUPPLEMENTAL TERMS
The Supplemental Terms below contain terms that are specific to certain features of the Service(s). For avoidance of doubt, in the event of a conflict or inconsistency between the Terms and these Supplemental Terms, these Supplemental Terms shall prevail.
Terms Of Sprinto AI
These terms apply to Your access and use of Sprinto AI.
- Definitions:
  - Input: means any input that You or the User provides to the Sprinto AI.
  - Output: refers to any output generated and returned to You or the User, as applicable, based on the Input.
  - Sprinto AI: shall mean any machine learning capability or functionality made available by Us, including without limitation any capability or functionality or otherwise identified by Sprinto as AI-powered, the use of which You may elect to avail as a part of the Services.
- Acceptable Use:
  - You agree to not use or access the Sprinto AI (i) to train artificial intelligence or machine learning models either for Yourself or for any third-party; (ii) to generate content that is political, racial, discriminative or harmful to an individual or a group of an individual; (iii) to prompt an Output comprising malware, ransomware, viruses, or other harmful software; or (iv) to prompt an Output that is illegal, sexual, or obscene.
  - You shall be responsible for (i) using the Output in compliance with applicable laws; (ii) misleading any person that the Output was solely human-generated; (iii) making automated decisions based on the Output that may have a detrimental impact on individual rights without appropriate human supervision, (iv) using the Output in a manner that infringes, violates, or misappropriates any of Our rights or the rights of any third party, or (v) misleading any person that the Output may be substituted for professional advice.
- Intellectual Property Rights:
  - You shall retain all right, title, and interest (including all intellectual property rights) in and to the Input and the Output.
  - Sprinto shall have the right to process the Service Data, the Input and Output for the purpose of providing, maintaining and improving Sprinto AI.
- Third Party Providers: Sprinto uses services of third party providers to provide the Sprinto AI (“Third Party Providers”). You acknowledge that any Input You provide, including any Personal Data You choose to include within the Input, shall be shared with these Third Party Providers. By accessing the Sprinto AI, You instruct Sprinto to share Your Input (including, to the extent necessary, any Personal Data) and Service Data with the Third Party Providers.
- DISCLAIMER OF WARRANTIES. YOU ACKNOWLEDGE THAT (A) OUTPUT IS GENERATED BY MACHINE LEARNING CAPABILITIES AND FUNCTIONALITY AND THAT YOU OR THE USER USE IT AT THEIR OWN RISK, (B) SPRINTO MAKES NO WARRANTY OR GUARANTEE AS TO THE UNIQUENESS, ACCURACY, COMPLETENESS, OR RELIABILITY OF THE OUTPUT AND (C) WE MAKE NO WARRANTY THAT THE OUTPUT CAN BE SUBSTITUTED FOR PROFESSIONAL ADVICE.
- Indemnification. You will defend Sprinto and its Affiliates against any claim made or brought against Sprinto by a third party arising from Your acts or omissions in connection with these Terms (“AI Indemnity Claim”), and will indemnify Sprinto from any damages, attorney fees and costs finally awarded against Sprinto as a result of, or for any amounts paid by Sprinto under a settlement approved by You in writing of, an AI Indemnity Claim, provided Sprinto (i) promptly gives You written notice of the AI Indemnity Claim; (ii) gives You sole control of the defense and settlement of the AI Indemnity Claim; and (iii) gives You all reasonable assistance, at Your expense.
15. CHANGES TO THE POLICY
We may update this Policy from time to time in response to changing legal, technical, or business developments. When We update Our Policy, We will take appropriate measures to inform You, consistent with the significance of the changes We make. We will obtain Your consent to any material Policy changes if and where this is required by applicable data protection laws.
You can see when this Policy was last updated by checking the “Last Updated” date displayed at the top of this Policy.