Privacy Policy
Last modified: October 25, 2024
1. Introduction
1.1 Identity and Contact Details of the Controller
Centify GmbH, Alter Güterbahnhof 5e, 22303 Hamburg, Germany (along with its affiliated companies within the meaning of §§ 15 ff. German Stock Corporation Act (AktG) involved in providing our products and services, hereinafter “Centify,” “we,” “our,” or “us”) is committed to protecting personal data in compliance with legal requirements. Contact: [email protected]
1.2 Scope
We provide incentive commission management solutions exclusively to corporate customers, but these services are used by natural persons. Consequently, we process both company data and personal data. As our products and services may be available within the European Union (EU), the European Economic Area (EEA), or the United Kingdom (UK), we process personal data in accordance with applicable data protection laws and this Data Privacy and Cookie Policy (the “Policy”). We comply in particular with the European Regulation (EU) 2016/679 (GDPR). Terms defined in the GDPR have the same meaning in this Policy unless otherwise defined herein. Please note that this Policy does not apply if our products and services are governed by distinct privacy policies or when services are managed by a company other than ours.
1.3 Content
In this Policy, we explain how we process personal data when you use our websites (the “Centify Websites”) and our web application (the “Centify Platform”); the services provided through the Centify Websites and the Centify Platform are jointly referred to as the “Centify Platform Services.” We also address the use of cookies and similar website technologies (“Cookies”). Please read this Policy carefully, as it applies to your use of the Centify Platform Services (accordingly, “you” or “your” refers to the relevant data subject interacting with us).
1.4 Role
In the context of your interaction with and use of the Centify Platform Services, we process specific personal data as a controller. In this capacity, we determine the purposes and means of the processing of personal data as explained in this Policy. Additionally, we also process personal data as a processor on behalf of our customers. In this role, we process personal data as instructed and based on a data processing agreement concluded separately with our customers.
1.5 Reference
By using the Centify Platform Services, you may share with us personal data concerning yourself or other natural persons (e.g., as part of the Centify Platform Services or when referring potential new customers). By doing so, you confirm that you have all necessary rights and permissions to share such personal data with us. If you provide us with information about other data subjects, please ensure that such data subjects are informed about the processing of their data if required by applicable data protection laws. You can refer them to this Policy for this purpose.
1.6 Changes
This Policy updates and replaces any prior policy. We may change, modify, or update this Policy at any time without prior notice to adapt it to legal and regulatory developments, including requirements of supervisory authorities and relevant case law, and to align it with new technical implementations, products, and services. Any changes will only affect the processing of personal data for the future; a reduction of the level of data protection below legal requirements is excluded. You may access the current version of this Policy on the Centify Websites.
1.7 Categories of Personal Data
We may process the following categories of personal data:
Contact Data: First and last name, email and postal addresses, phone numbers, or profiles on social media, if applicable.
Professional Data: Job title, role, employer, and in the case of job applications, curriculum vitae and cover letters with references.
Communication Data: Personal data used in or attached to any form of communication, including calls, chats, emails, or attachments.
Financial Data: Salary data, commission details.
User Data: Personal data related to a personal profile on the Centify Platform (the “Centify Account”), such as UserID, optional profile pictures, mobile phone numbers, personal IBAN for payouts, etc.
Marketing Data: Contact preferences, webinar/event registrations, attendance and participation information.
Traffic Data: Data about the device or browser, data volume, date, time, and duration of access, and reference to specific Centify Platform Services or Cookie information.
2. Personal Data Collected from Data Subjects
We process personal data when data subjects interact with the Centify Platform Services. The personal data we process depends on the specific service used. This includes:
2.1 Job Applications
We process personal data provided by candidates applying for a job at Centify. This may include contact data, professional data, communication data, employment and education history, transcripts, references, and traffic data. We also process data when communicating with applicants via phone, email, or other means.
2.2 Webchat and Other Communication
If you communicate or interact with us, including through calls, chats, or emails, we may process contact data, professional data, communication data, and traffic data.
2.3 Product Demonstrations
When scheduling and participating in a personal or self-guided demonstration of the Centify Platform Services, we process contact and professional data from the data subject requesting the demonstration (e.g., representatives of potential or existing customers), as well as communication and traffic data.
2.4 Customer Onboarding
During the onboarding process of our customers, we process contact data and communication data of data subjects filling out application forms.
2.5 User Registration and Login
We process contact data, professional data, and user data to personalize individual Centify Accounts. We also process account/login credentials, including hashed passwords and authentication information. When accessing and using the Centify Platform, we process traffic data.
2.6 Centify Platform Services
When providing services through the Centify Platform, we process financial and transaction data. In this context, we also process contact data, professional data, and user data, which may be associated with specific transactions or deals. We process communication and traffic data when you interact with other users through the Centify Platform (e.g., submitting a request to an administrator to approve a deal).
2.7 Notifications
We process contact data, professional data, user data, and traffic data to inform you via emails, in-app updates, or reminders about your Centify Account and other pertinent information regarding the Centify Platform Services. Some communications are personalized based on recent user behavior, interactions with the Centify Platform Services, or recent events (e.g., when your commission is ready to be paid out).
2.8 Customer Support and Success
When communicating with our customer support or success team, we process contact data, professional data, communication data, user data, and traffic data. This also applies to participation in customer trainings or surveys related to the Centify Platform Services.
2.9 Integrations
We may process contact data or financial data when using integrations to connect the Centify Platform Services with third-party services determined by the customer (e.g., financial institutions, payment service providers, or business software integrations such as CRM, HR systems, or Single Sign-On (SSO) service providers).
2.10 Marketing
We may process contact data, marketing data, and traffic data related to your consent for the purpose of receiving marketing communications or when you request marketing material from Centify.
2.11 Newsletter
When you subscribe to our newsletters, we process contact data along with professional data, communication data, and traffic data. To verify ownership of the provided email address and consent, we send an automated confirmation email after receiving the subscription request (double opt-in). After verification, your contact data is added to our internal newsletter distribution list.
3. Personal Data Collected from Other Sources
We may also process personal data collected from other sources, including:
3.1 Customers
We process personal contact data provided by customers for onboarding and delivering the Centify Platform Services. We also process contact data, professional data, and user data when a customer adds you as a user of the Centify Platform.
3.2 Other Service Providers
We may process contact data, professional data, and financial data from other third-party integrations or service providers in relation to the Centify Platform Services.
3.3 Publicly Available Sources
We process contact data, professional data, financial data, and marketing data available in the media or public domains to identify potential customers and partners.
4. Browsing Centify Websites
4.1 Log Data
When accessing and browsing the Centify Websites, we may process traffic data.
4.2 Cookies
Cookies are small data files stored on a device that serve to re-identify the device. Session cookies expire when you stop browsing the Centify Websites. Persistent cookies remain on your device and can be managed through your browser settings. It’s important to distinguish between first-party cookies, set exclusively by us as the provider of the Centify Websites, and third-party cookies set by other parties that enable certain features or content on the Centify Websites (such as advertising, interactive content, and social sharing). The latter can recognize your device when you visit the Centify Websites and other websites with which such parties have partnered. Cookies, as defined in this Policy, include similar technologies like pixel tags, web beacons, mobile identifiers, or JavaScript when used for the same purpose.
4.3 Consent Management
The Cookies we use can be divided into two categories: consent-free and consent-requiring. Our consent management platform, which is automatically displayed and accessible at any time on the Centify Websites, allows you to manage these Cookies. It also provides further information, including the scope of data processing by the respective services. You can revisit the consent management platform at any time to update and control your settings.
4.4 Essential Cookies
Cookies that do not require consent are necessary for the safe and secure provision of the Centify Platform Services. For example, they help detect and analyze malfunctions or cyber-attacks on our resources and prevent our systems and data from being compromised.
4.5 Non-Essential Cookies
Cookies requiring consent make visiting the Centify Websites and using the Centify Platform Services more pleasant and user-friendly. We strive to increase the attractiveness of the Centify Platform Services by customizing our content and tailoring the information displayed specifically to each user. Non-essential cookies also help us monitor our advertisements, fix bugs, and statistically record and evaluate the use of the Centify Platform Services.
5. Purposes of and Legal Basis for Processing Personal Data
We process personal data to provide incentive commission management solutions that align closely with our customers’ needs. This involves:
5.1 Providing Services
We use all categories of personal data to provide product information and offer Centify Platform Services to our customers. Our objective is to leverage the technical capabilities of the Centify Platform Services, enabling various functionalities and executing specific business processes related to the management and control of commissions. This includes monitoring deal transactions in real-time and providing customers with comprehensive insights into their commissions and payouts. We utilize contact data, professional data, communication data, and traffic data to personalize the Centify Platform Services, enhancing the user interface to deliver a customized service. We rely on our legitimate interest in providing Centify Platform Services to our customers (Article 6(1)(f) GDPR) and acknowledge our customers’ legitimate interests (Article 6(1)(f) GDPR) in managing their commissions and overseeing corporate funds. To the extent that the processing of your personal data is necessary to take steps prior to entering into or for the performance of a contract with you, the legal basis for the processing is Article 6(1)(b) GDPR.
We use the following sub-processor for user invitations via email:
MailerSend, Inc., 228 Park Ave S, PMB 54955, New York, New York 10003-1502, USA
5.2 Improving Services
We process all categories of personal data to gain insights into the use of the Centify Platform Services. This analysis encompasses activities like testing, research, and statistical analysis and serves the purpose of identifying trends, enhancing and improving performance, and developing and modifying new products and services. We rely on our legitimate interest in the development, promotion, and improvement of the Centify Platform Services, as well as identifying future business opportunities (Article 6(1)(f) GDPR). We may further ask for your consent in this regard as the legal basis (Article 6(1)(a) GDPR).
5.3 Security
We process all categories of personal data to uphold and guarantee the functionality and security of our information technology systems. This includes investigations and countermeasures for technical issues, the identification of suspicious activities, fraud detection, enforcement of terms and policies, and safeguarding the rights of our customers, partners, and ourselves. We rely on our legitimate interest in ensuring the safety and security of the Centify Platform Services (Article 6(1)(f) GDPR). This encompasses our interest in protecting our rights and those of our customers, affirming our zero-tolerance stance against any engagement in illicit or criminal activities. We also prioritize security measures to prevent any interference or breaches that could compromise the confidentiality of the data we handle. To this extent, the processing may also be necessary for the performance of a contract with your company (Article 6(1)(b) GDPR). If such data is required for the documentation of our technical or organizational security measures, the legal basis may also be Article 6(1)(c) GDPR.
5.4 Compliance
We process all categories of personal data to fulfill our legal and regulatory obligations, including preventing and detecting crime and averting misuse of the Centify Platform Services. Our responsibilities extend to safeguarding against fraudulent, unauthorized, or illegal activities. Further, we process personal data to protect our legal rights and pursue remedies to mitigate financial losses, claims, liabilities, or other damages. This includes complying with judicial proceedings, court orders, legal processes, or lawful requests. In cases of complying with court orders and similar legal processes, we uphold transparency and make reasonable efforts to inform our customers and users of any disclosure of their personal data, unless prohibited by law, court order, or exigent circumstances. The legal basis for the processing of personal data for this purpose rests on compliance with our legal and regulatory obligations (Article 6(1)(c) GDPR), as well as our legitimate interests (Article 6(1)(f) GDPR).
5.5 Efficient Support and Communication
We use all categories of personal data to enhance communication with our customers and users (e.g., sending confirmations, updates, or reminders; providing customer care and handling complaints; troubleshooting issues; addressing inquiries; identifying and investigating security and technical incidents; and, if applicable, sending technical notices and security alerts) and to improve the knowledge and training of our employees. The legal basis for processing personal data in this regard is our legitimate interest (Article 6(1)(f) GDPR) and, in some cases, compliance with our regulatory obligations (Article 6(1)(c) GDPR). Processing may also be necessary for the performance of a contract with your company (Article 6(1)(b) GDPR).
5.6 Marketing
We use contact data, user data, and traffic data to properly implement and execute events or webinars or to communicate with our customers. Additionally, we process traffic data for the display of marketing campaigns. The legal basis is our legitimate interest (Article 6(1)(f) GDPR) in marketing the Centify Platform Services. We further rely on your consent (Article 6(1)(a) GDPR) for specific marketing communications.
5.7 Consent
We may process personal data with your consent (Article 6(1)(a) GDPR) or, if applicable, Section 26 of the German Federal Data Protection Act (BDSG). You can withdraw your consent at any time without affecting the lawfulness of any prior processing of personal data. For Cookies, managing consent is easily done through the consent management platform available on the Centify Websites. Within emails, we provide an unsubscribe link for this purpose. If storing your consent is necessary for processing your personal data, the legal basis is Article 6(1)(c) GDPR.
6. Storage Period
6.1 General Principle
Personal data will be deleted as soon as it is no longer needed for the intended purposes mentioned above, its legal basis for processing no longer applies, and any applicable retention periods have expired.
6.2 Legal Obligations
We are required to retain personal data to comply with legal obligations, including those outlined in regulatory, tax, commercial, and civil laws such as the German Commercial Code (HGB) and the German Fiscal Code (AO). These obligations necessitate data retention periods ranging from two (2) to ten (10) full calendar years. Additionally, we may store data as required to preserve evidence in compliance with applicable limitation periods, such as §§ 194 ff. of the German Civil Code (BGB). In some cases, these retention periods can extend from three (3) to as long as thirty (30) years. Regarding data related to legal claims, we will delete this information once the claim is fully resolved, unless it is subject to longer retention periods as specified by law.
6.3 Newsletter
Data collected for our newsletter will be retained only for the duration required to send the newsletter. If we choose to cease sending the subscribed newsletter, the data will be promptly deleted.
6.4 Cookies
Session cookies are automatically deleted at the end of your browser session. Persistent cookies remain on your device for a specific duration after your browser session concludes. Personal data related to Cookies is deleted when it is no longer necessary for processing purposes. You can find detailed information about the retention periods for individual Cookies on our consent management platform, accessible on the Centify Websites at any time.
6.5 Termination
If a customer terminates its contract with Centify, it results in the permanent loss of access to the Centify Account and associated personal data. Nevertheless, personal data may still be retained by us when necessary to comply with legal obligations, fulfill contractual commitments, or conduct legitimate business activities.
8. Data Processing in the EU/EEA and UK; Exceptions
The processing of personal data generally takes place within the member states of the EU/EEA and the UK when Centify Platform Services are used there. We may transfer personal data to contractual and business partners in third countries (subject to the European Commission’s adequacy decision or agreed standard contractual clauses) if necessary to execute orders of our customers, provide our products or services, or as required by law. We will provide a copy of these standard contractual clauses upon request by the data subject.
9. Automated Processing
In general, we do not make decisions based solely on automated individual decision-making and profiling within the meaning of Article 22 GDPR. Should we use such processes, we will inform you separately and as required by law.
10. Protection of Personal Data
10.1 Security
We store personal data within highly secure networks, accessible solely by a designated group of our employees with specific access permissions. All employees are bound by strict confidentiality and data secrecy obligations. They also undergo comprehensive training and authorization procedures. Additionally, we enforce robust technical and organizational safeguards to protect personal data against loss or any unauthorized processing.
10.2 Data Breach
In the event of a data breach, we will promptly notify the competent supervisory authority and any affected data subjects without undue delay and within the timeline set by the GDPR. This notification will be made as soon as practically possible unless the breach is unlikely to pose a risk to the rights and freedoms of natural persons. We will thoroughly document all data breaches, including pertinent details about the breach, its consequences, and the corrective measures implemented.
11. Overview of Rights
11.1 Rights
In addition to the right to withdraw your consent at any time (Article 7(3) GDPR), you are entitled to the following rights, subject to the respective legal requirements:
Right of Access (Article 15 GDPR)
Right to Rectification (Article 16 GDPR)
Right to Erasure (‘Right to be Forgotten’) (Article 17 GDPR)
Right to Restriction of Processing (Article 18 GDPR)
Right to Data Portability (Article 20 GDPR)
Right to Object (Article 21 GDPR)
11.2 Exercise
To exercise your rights, you can contact our Data Protection Officer at the address given in Section 1.1 of this Policy. Additionally, you may contact or lodge a complaint with the competent supervisory authority (Article 77 GDPR).
11.3 Contacting the Customer
If personal data has been processed by us as a processor on behalf of our customers, and you intend to exercise your rights related to such data, please reach out directly to the relevant customer. If you prefer to contact us directly, kindly specify the name of the customer for whom we processed your personal data. We will then forward your request to our customer and assist them in responding to your request as required by applicable law.
11.4 Continuation of Processing
Please be aware that we may continue processing personal data despite a request to the contrary, to comply with legal obligations and/or to protect our legitimate interests if permitted by law. These purposes may include resolving disputes, preventing fraud and financial crimes, enforcing our contractual rights, and adhering to legal retention obligations.