Privacy Policy
Version 21.05.2024
This privacy policy (as amended from time to time, the "Privacy Policy") describes our policies and procedures on the collection, use, and disclosure of your personal data obtained through your access to and use of the Health Score and/or Risk Engine API ("HS/RE-API"), operated by dacadoo ag, Othmarstrasse 8, CH-8008 Zurich, Switzerland ("dacadoo"). The use of the HS/RE-API is governed by the Terms. dacadoo prepared this Privacy Policy to demonstrate our commitment to privacy and security of your personal data in accordance with our obligations under the applicable laws, rules, and regulations.
By accessing the HS/RE-API or using our services, you, the API user ("API User"), agree to accept and be bound by the current version of this Privacy Policy. In case you do not agree to the current version of this Privacy Policy, you are not authorized to continue accessing the HS/RE-API or using our services.
The HS/RE-API may contain links to websites or materials that are not operated by dacadoo and are not subject to this Privacy Policy, for example Google Analytics. We recommend that you read their policies to protect your personal data.
We may revise this Privacy Policy from time to time. The most current version is always available on our HS/RE-API. The revised Privacy Policy shall become effective from the date of publication on the HS/RE-API. Should these changes be substantial and where required by applicable law, we will provide you with notice (by email or by publication on the HS/RE-API) and/or obtain your consent.
What data we collect and for what purpose:
dacadoo collects the following personal data for product and service-related purposes:
- First name/ last name of API User, email address of API User, organization associated with API User.
- In order to provide you with information about our products and services you either requested or we think you might like, we may do so via your personal identification information such as name, email address, etc. If you no longer wish to be contacted for marketing purposes, please contact models-emea@dacadoo.com.
dacadoo receives, reviews, and stores technical data retrieved from the devices you are using to access the HS/RE-API.
How your data is collected
dacadoo collects your personal data as follows:- Directly through the HS/RE-API (e.g., you register online or place an order for any of our products or services, you voluntarily complete a customer survey or provide feedback on any of our message boards or via email.
How we protect your data
We restrict access to your personal data to those dacadoo employees or other parties who need access to such data in order to provide the services. We maintain appropriate physical, electronic, and procedural safeguards to protect your personal data, including firewalls, individual passwords, and encryption, and take all other necessary and adequate administrative, organizational, technical, personal, and physical measures to safeguard the same against unauthorized or unlawful processing and use, accidental loss or destruction or damage, theft, disclosure, or modification and to ensure its integrity.
Please note, however, that dacadoo has no control over the network infrastructure outside of dacadoo, and data transported over an open network, such as the internet or email, may be accessed by third parties (including, for example, a person standing behind you, or the local authorities under certain conditions). We cannot guarantee, and are not responsible for, the confidentiality of any communication or information transmitted via such open networks. When disclosing any data via an open network, you should consider that despite all measures in place such as encryption during transport, it is potentially accessible to others, and consequently, may be collected and used by others without your consent. Your personal data may also be lost during transmission. dacadoo will not accept any liability for direct or indirect losses as regards the security of your personal data and information out of its control, including during its transfer via Internet. dacadoo uses encryption software that may be subject to export control regulations and territorial restrictions.
How your data is shared and data we might receive
To process your personal data, dacadoo might require the services of subcontractors, which need to access directly or indirectly your personal data, our "Sub-Processors", e.g., data hosting providers. We ensure that, when working with Processors, these entities commit to an adequate level of protection and commit not to use your personal data unlawfully. From our side, we will share only the personal data our Processors need to proceed, and nothing more. We are currently working with the following main Processors:
| Sub-Processor | Sub-Processing Activity | Sub-Processor Location |
|---|---|---|
| Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg | Cloud Infrastructure Provider | EU-North-1, US-East-1, Asia Pacific-1 SoutheastAn API User can call HS/RE-API in a certain region and thus determine processing location or call a global endpoint that will typically route to closest HS/RE-API region in terms of network latency. |
| arch.cloud AG, Isisbüelstrasse 2,8800 Thalwil, Switzerland | SRE (Infrastructure Operations) | Switzerland |
| Arobs Transilvania Software SA, Str. Donath Nr.11, BL.M4 SC. 2 ET.3 AP 28, Cluj-Napoca, Romania | Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support | EU |
| Atlassian Pty Ltd., L 6 341 George St, 2000 Sydney, Australia | Monitoring and Alerting Solution Provider (OpsGenie) TicketingSystem Provider (JIRA) | EU (Germany, Ireland) |
| Ciklum SA, Lavaterstrasse 66, 8002 Zurich, Switzerland | Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support | EU |
| dacadoo APAC Pty Ltd, 1 Margaret St, Sydney NSW 2000, Australia | Service delivery/support | Australia |
| dacadoo North Americas Inc., 20 Wellington Street East, Toronto, Ontario M5E 1C5, Canada | Service delivery/support | Canada |
| Datadog Inc., Neue Rothofstr 13-19, 60313 Frankfurt, Germany | Centralized Logging, Monitoring and Alerting Solution Provider | Germany |
| Gravitational, Inc. (Teleport), 440 N Barranca Ave. #8219, Covina, CA91723. USA | Zero trust access | EU |
| Huanga IT Solutions AG, Sägereistrasse 21, 8152 Opfikon, Switzerland | SMTP Relay | Switzerland |
| Synchronit GmbH, Blegistrasse 5, 6340 Baar, Switzerland | Quality Assurance, Software Development, SRE (Infrastructure Operations), Application Support | EU, Uruguay, Argentina |
| Zitadel, CAOS AG, Lerchenfeldstrasse 3, 9014 St.Gallen, Switzerland | Authentication management | EU |
dacadoo will not sell, rent, or otherwise make available any personal data submitted by users to any third parties without the user’s consent, unless as permitted under this Privacy Policy or required by law. dacadoo may use personal data to contact users with respect to all matters related to the user’s activity on the HS/RE-API, including but not limited to sending informative e-mails and reminders.
Cookies and similar technologies
The web app to our HS/RE-API uses one strictly necessary cookie only, called access_token.
How long your data is stored
We store your personal data for as long as you have not opted-out. We reserve the right to keep data to the extent we reasonably believe it is necessary to satisfy any applicable law or regulation, and/or according to security and privacy industry practices.
Where your data is stored
Your personal data is stored through a secure cloud provider as described below. If, for any reason, dacadoo will need to transfer any of your personal data to any country without adequate level of data protection as decided by the European Commission, dacadoo will procure that appropriate contractual obligations apply in line with relevant data protection laws (such as EU standard contractual clauses).
Legal basis for data processing
dacadoo relies on the following legal basis for processing your personal data:
- Consent (or explicit consent, where applicable), which means that you have given your (explicit) consent for processing your personal data for one or more specific purposes.
- Performance of a contract, which means that processing your personal data is necessary for the performance of an agreement with you and/or for any pre-contractual obligations thereof.
- Legal obligations, which means that processing your personal data is necessary for compliance with dacadoo’s legal obligation.
- Vital interests, which means that processing your personal data is necessary to protect your vital interests or the vital interests of another natural person.
- Public interests, which means that processing your personal data is related to a task that is carried out in the public interest or in the exercise of official authority vested in dacadoo.
- Legitimate interests, which means that processing your personal data is necessary for the purposes of the legitimate interests pursued by dacadoo.
Your data protection rights
dacadoo would like to make sure you are fully aware of all of your data protection rights as follows:
- The right to access, which means you have the right to request dacadoo for copies of your personal data. (We may charge you a small fee for this service.)
- The right to rectification, which means you have the right to request that dacadoo correct any personal data you believe is inaccurate and/or to complete the personal data you believe is incomplete.
- The right to erasure, which means you have the right to request that dacadoo erase your personal data, under certain conditions.
- The right to restrict processing, which means you have the right to request that dacadoo restrict the processing of your personal data, under certain conditions.
- The right to object to processing, which means you have the right to object to dacadoo’s processing of your personal data, under certain conditions.
- The right to data portability, which means you have the right to request that dacadoo transfer the data that we have collected to another organization, or directly to you, if technically feasible and under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us via email at: privacy@dacadoo.com
Disclosure of data
We reserve the right to disclose your data to the extent we reasonably believe it is necessary to (i) satisfy any applicable law, regulation, legal process or governmental request, (ii) enforce the Terms, including investigations of a potential violation thereof, (iii) detect, prevent or otherwise address fraud, security or technical issues, (iv) respond to user support requests, or to (v) protect the rights, property or safety of dacadoo, its users and the public.
How to contact dacadoo or the appropriate authority
If you have any questions about dacadoo’s Privacy Policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at:
dacadoo ag
Othmarstrasse 8
CH-8008 Zurich
Switzerland
privacy@dacadoo.com
For EU residents a contact in the EU has been established at:
MLL EU-GDPR GmbH
Ganghoferstrasse 33
80339 Munich
Germany
dacadoo@mll-gdpr.com
For UK residents a contact in the UK has been established at:
MLL Meyerlustenberger Lachenal Froriep LLP
17 Godliman St
London EC4V 5BD
United Kingdom
dacadoo@mll-gdpr.com
You also have the right to contact the data protection supervisory authority in your country of residence.