CUJO Privacy Policy
(Updated May 25th, 2018)

1. Purpose and scope
This Policy determines the main principles of privacy and rules that are applied by CUJO LLC (“CUJO”) with respect to PII (as defined below). This Policy is governed by Cujo’s Terms of Service (https://www.getcujo.com/terms-of-service/). Capitalized terms that are not defined herein will have the meanings set forth in those Terms of Service. Any information that is collected via our Services is covered by the Privacy Policy in effect at the time such information is collected. We may revise this Policy from time to time. If we make any material changes to this Privacy Policy, we’ll notify you of those changes by posting them on the Services or by sending you an email or other notification, and we’ll update the “Updated” date above to indicate when those changes will become effective. This Policy covers information about the applicable data controller(s) and data processor(s), CUJO’s data protection officer, the business purpose and legal bases for processing, categories of personal data, information about data recipient(s), details of transfers to third countries, data protection controls, retention periods or criteria used to determine the retention period, information about data subject’s rights, and the sources of the PII at issue. Please contact us at 1-844-GET-CUJO or hi@cujo.com if you have any questions about this Policy.
2. Terms and definitions
“PII” means personally identifiable information
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
“Supervisory authority” means an independent public authority which is established by a Member State pursuant to GDPR Article 51 Other terms and definitions used in this policy have the same meaning as in International standard ISO/IEC 27000 “Information technology - Security techniques - Information security management systems-Overview and vocabulary”.
3. Policy
3.1. About the data controller
CUJO holds ISO/IEC 27001:2013 certificate and is committing to ensure protection of personally identifiable information (PII) by all available means. CUJO classifies PII as confidential information according to the CUJO information classification scheme set forth below. CUJO processes PII only with the individual’s (i.e., the data subject’s) consent or other legal bases. All data controllers and processors (if any) are responsible for proper application of this Policy. CUJO maintains a log of the chain of custody PII processing.
3.2. Collection and Use of Information
3.2.1. Purposes of the data processing and the legal basis for it
CUJO processes the following personal data for the purposes listed below:

PII

Purpose of data processing

Legal basis (GDPR Article ref.)

Customer data

Provision of services or products

Performance of contract or required proof prior to entry into

contract (point (b), art. 6(1)))

Consumer meta data

Provision of services or products

Performance of contract or required proof prior to entry into

contract (point (b), art. 6(1)))

End-user meta data

Provision of services or products

Performance of contract or required proof prior to entry into

contract (point (b), art. 6(1)))

Customer support audio records

Customer service

Performance of contract or required proof prior to entry into

contract (point (b), art. 6(1)))

Personal data used for direct marketing

Direct marketing

Data subject consent (point (a), art. 6(1)))

Prospective customer (legal entity)

Internal administration

Data subject consent (point (a), art. 6(1)))

Third parties (suppliers, distributors, etc.) contact data

Customer service, Provision of services or products

Performance of contract or required proof prior to entry into

contract (point (b), art. 6(1)))

Candidates for employee data

Internal administration

Data subject consent (point (a), art. 6(1)))

Employee data

Internal administration

Legal obligation ( (point (c), art. 6(1)))

3.2.2. Information Collected or Received from Customer
CUJO’s primary goals in collecting PII are to provide and improve the Services provided to customers, to administer customers’ use of the Services (including customers’ Accounts, if customer is an Account holder), and to enable customers to enjoy and easily use the Services.
Account Information. If a customer creates an Account, CUJO will collect certain information that can be used to identify the customer, such as his or her name, email address, postal address and phone number. If the customer creates an Account through CUJO’s Site, CUJO may also collect customer gender, date of birth and other information.
Information Collected Using Cookies and other Web Technologies. Like many website owners and operators, CUJO uses automated data collection tools on its Site, such as cookies and Web Beacons, to collect certain information.
“Cookies” are small text files that are placed on a customer device by a Web server when a customer accesses our Services. CUJO may use both session cookies and persistent cookies to identify that a customer has logged in to the Services and to tell CUJO how and when the customer interacts with the Services. CUJO may also use cookies to monitor aggregate usage and web traffic routing on our Services and to customize and improve our Services. Unlike persistent cookies, session cookies are deleted when a customer logs off from the Services and closes his or her browser. Although most browsers automatically accept cookies, the customer can change his or her browser options to stop automatically accepting cookies or to prompt customer before accepting cookies. However, if the customer doesn’t accept cookies, he or she may not be able to access all portions or features of our Services. Some third-party service providers that we engage (including third-party advertisers) may also place their own cookies on the customer’s hard drive. This Privacy Policy covers only customer use of CUJO’s cookies and not third parties’ cookies.
“Web Beacons” (also known as Web bugs, pixel tags or clear GIFs) are tiny graphics with a unique identifier that may be included on the Services for several purposes, including to deliver or communicate with cookies, to track and measure the performance of the Services, to monitor how many visitors view our Services, and to monitor the effectiveness of our advertising. Unlike cookies, which are stored on the user’s hard drive, Web Beacons are typically embedded invisibly on web pages (or in an e-mail).
Information Related to Use of the Services. Our servers automatically record certain information about how a person uses our Services (we refer to this information as “Log Data”), including both Account holders and non-Account holders (either, a “User”). Log Data may include information such as a User’s Internet Protocol (IP) address, browser type, operating system, the Web page that a user was visiting before accessing our Services, the pages or features of our Services to which a User browsed, and the time spent on those pages or features, search terms, the links on our Services that a User clicked on and other statistics. We use Log Data to administer the Services and we analyze (and may engage third parties to analyze) Log Data to improve, customize and enhance our Services by expanding their features and functionality and tailoring them to our Users’ needs and preferences.
As part of the Services, our hardware devices collect and transmit traffic identifying information. We store this information for up to thirty days on our servers.
Information Sent by Your Mobile Device. We collect certain information that a customer’s mobile device sends when he or she uses our Services, like the device identifier, user settings and the operating system of the customer device, as well as information about customer’s use of our Services.
Location Information. When a customer uses our App, we may collect and store information about the customer’s location by converting his or her IP address into a rough geo-location or by accessing the customer mobile device’s GPS coordinates or approximate location if the customer enables location services on his or her device. We may use location information to improve and personalize our services for customer. If customer does not want us to collect location information, he or she may disable that feature on the mobile device. The customer agrees and acknowledges that it has been informed about this the foregoing.
3.3. PII actors
The following is information about who controls, processes, provides and gets processed PII in connection with CUJO’s Services:

PII

Data controller

Data processor

Data provider (3rd party)

Data recipient (3rd party)

Customer data

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

Logistics service provider, United States of America;

Online advertising service provider, United States of America;

Payment gateway, United States of America;

Social Media Marketing provider, United States of America;

CRM software provider, United

States of America;

Google, United States of America

None

None

Consumer meta data

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

None

None

End-user meta data

Telecommunication companies

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

Telecommunication companies

None

Customer support audio records

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

None

None

Personal data used for direct marketing

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America;

Marketing Automation software service provider, United States of America;

Online advertising service provider, United States of America;

Social Media Marketing provider, United States of America;

CRM software provider, United States of America

None

None

Prospective customer (legal entity)

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

None

None

Third parties (suppliers, distributors, etc.) contact data

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

None

None

Candidates for employee data

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CV database platforms and recruitment services, Lithuania

None

Employee data

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

CUJO Baltic, UAB, Lithuania;

CUJO, LLC, United States of America

Recruitments services provider, Lithuania;

Human resource management software provider, United States of America

None

None

3.4. PII retention period
CUJO stores PII in an encrypted state and only to the extent required to fulfill the purposes stated in this document. The retention period depends on legal requirements and the duration of the contractual and/or subscription relationship. CUJO will retain PII we process on behalf of our customers or collect directly from our customers for as long as needed to provide service to our customers, subject to our compliance with this policy, or as required or permitted under the applicable law. PII will be anonymized and/or deleted in accordance with legal regulations when no longer be used for the purposes set forth in paragraph 3.2. Collection and Use of Information.
3.5. Personal Data Protection Controls
CUJO takes reasonable administrative, physical and electronic measures designed to protect PII from unauthorized or unlawful processing and against accidental loss, destruction or damage.
3.6. Sharing with Third Parties
CUJO will take efforts to manage and coordinate appropriate onward transfers of PII to third parties in accordance with this Policy. CUJO will not sell share or otherwise distribute PII to third parties except as provided in this Policy. CUJO will not directly disclose the identity of any person. PII may be transferred to third parties who act for or on CUJO behalf, who are contracted to use not to sell your PII to third parties, and not to disclose it to third parties except as may be required by law, as permitted by us or as stated in this Policy. CUJO may share PII also as described below:
Information Disclosed in Connection with Business Transactions. If we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale or if our assets are acquired by a third party in the event we go out of business or enter bankruptcy, some or all of our assets, including your PII, may be disclosed or transferred to a third-party acquirer in connection with the transaction.
Information Disclosed for Our Protection and the Protection of Others. We cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to respond to claims, legal process (including subpoenas); (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general; (iii) to stop any activity that we consider illegal, unethical or legally actionable activity and (iv) in response to other lawful requests by public authorities, including to meet national security or law enforcement requirements.
3.7. Rights of the data subject
Access: The data subject has the right to access his or her PII that is processed by CUJO and to obtain information, free of charge once per year, on the sources and the type of his or her PII that has been collected, the purpose of processing of such PII and the data recipients to whom the PII are disclosed or have been disclosed by CUJO in connection with the Services, and other related information according to GDPR Article 15. CUJO shall reply not later than 30 calendar days from receipt of the request in writing and shall provide the requested information or justification for the refusal to grant the request of the data subject. Upon the request of the data subject, such information must be provided by CUJO in writing.
Rectification: If the data subject finds out that his or her PII on the Services is incorrect, incomplete or inaccurate, he or she may contact CUJO (in writing, by e-mail, via the Site or any other form). CUJO will then review such PII and rectify the incorrect, incomplete and inaccurate PII (if any) without delay and/or suspend processing of such PII, except for the purpose of storage, or provide a written explanation to the data subject describing why such efforts were not necessary. CUJO may keep archive copies of such data if doing so is necessary to fulfill contractual obligations to the data subject and/or if it is required by applicable law or regulation (for example, for accounting purposes, cybercrime investigation, etc.).
Right to File Complaint: A data subject may appeal against actions of CUJO, acting as data controller and/or processor, to the appropriate supervisory authority or enforcement agency within three months of receipt of the refusal to grant the request or within three months of the date when the period imposed by applicable law or regulation for giving a reply (if any) expires. In order to avail him- or herself of the rights set forth in this section, the data subject must provide a valid identity document or otherwise verify his or her identity according to applicable laws or through electronic means of communication, which must provide reliable identification of the person.
3.8. Do Not Track Signals
CUJO’s Site does not have the capability to respond to “Do Not Track” signals received from various Web browsers.
3.9. Enforcement and Dispute Resolution
CUJO LLC complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.  CUJO LLC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ In compliance with the Privacy Shield Principles, CUJO LLC commits to resolve complaints about our collection or use of your PII.  Individuals residing in the EU, United Kingdom, Lichtenstein, Norway or Iceland (collectively, “EU Residents”) who have inquiries or complaints regarding our Privacy Shield policy should first contact CUJO LLC at: Email: hi@getcujo.com CUJO LLC has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship. If the data subject does not receive timely acknowledgement of his or her complaint, or if complaint is not satisfactorily addressed, as a last resort and in limited situations, EU Residents may seek redress from the Privacy Shield Panel, which is a binding arbitration body. The Federal Trade Commission (FTC) has jurisdiction over CUJO LLC’s compliance with the Privacy Shield.