1. Introduction

This Privacy Policy describes the privacy practices of Cado Security Ltd and its affiliates and subsidiaries (“Cado”, “us”, “we”, or “our”) in relation to personal information that we collect through our website, providing services related to our cloud forensics and incident response platform (“Cado Platform”), our marketing, interactions with you in-person or otherwise and from other third parties (collectively referred to as the “Service” or “Services”). Cado is the controller of your personal information under this Privacy Policy - this simply means we are responsible for your personal information.

Where you are accessing the Cado Platform as a user, the Cado customer facilitating your access to the Cado Platform will be responsible for your personal information. Please refer to the Cado customer’s privacy policy for information on how they handle your personal information and your rights.

2. Personal Information We Collect

You may provide the following information to us:

• Contact Information and Communications: when you interact with us (including via web forms, phone, email, post or social media) we may collect your name, preferred salutation, job role, company name, contact information (including address, telephone number, email address) and the content of your communications.
• Surveys, Reviews and Testimonials: when you participate in and complete any of our surveys or when you write a review/testimonial about us or any of our products, we may collect your name, job role, contact information, survey responses and the content of your review/testimonial.
• Account Data: when you sign up for an account with us (as a Cado Platform user), we collect your username and password. We also collect Cado Platform account usage data.
• Suppliers/Partners and Representatives: when you enter into a supplier/partnership agreement or relationship with us or are a representative of a supplier/partner, we may collect your name, company, job role, contact information and the content of your communications with us.
• Request Information/Schedule a Demo: when you request an appointment to speak with any of our sales team about or products or for a demo, we may collect your name, company, job role, contact details and any pre-appointment notes you provide.
• Office Visitors: when you visit any of our offices, we may collect your name, company, the date and time of your visit.
• Marketing information: when you register to receive any kind of marketing communication from us or otherwise interact with our marketing communications, we may collect your name, email address, preferences for receiving our marketing communications and details about your engagement with them.
• Job Application: when you express interest in, or apply for a job role with us through our website or otherwise, we may collect your name, contact information, job role applied for, CV / résumé information (including education and job history), job expectations, assessment results, interview notes and any other job application related information you provide to us.
• Other information that we may collect which is not specifically listed here, but which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Information we obtain from other sources:

• Referrals: We may obtain personal information about you through referrals from third party sources. For example, if you are referred as a potential candidate for a job role with us, or as a representative of a business that may benefit from our services or a partnership with us.
• Social media information: We may maintain pages on social media platforms, such as Youtube, X, and LinkedIn. When you visit or interact with our pages on those platforms, you or the platforms may provide us with information through the platform.
• Other sources: We may obtain personal information from other third parties, such as marketing partners, publicly-available sources, and data providers.

Automatic data collection:

We and our service providers may automatically log and combine information about you, your computer or mobile device, and your interaction over time with the Services, our communications and other online services, such as:

• Device data such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, device type (e.g., phone, tablet), IP address, device identifiers, language settings. and general location information such as city, state, or geographic area.
• Online activity datasuch as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Services, navigation paths between pages or screens, information about your activity on a page or screen, access times, duration of access, and whether you have opened or otherwise engage with our communications, such as our marketing emails or clicked links or files within them.

We use the following tools for automatic data collection:

• Cookies, which are text files that websites store on a visitor’s device to uniquely identify the visitor’s browser or to store information or settings in the browser for the purpose of helping you navigate between pages efficiently, remembering your preferences, enabling functionality, helping us understand user activity and patterns, and support our marketing and advertising initiatives.
• Local storage technologies, like HTML5, that provide cookie-equivalent functionality but can store larger amounts of data, including on your device outside of your browser in connection with specific applications.

For more information on these tools, please read our Cookie Policy.

3. How We Use Personal Information

We use personal information for the purposes described below or as otherwise described at the time of collection.

• Provide our Services. It is in our legitimate business interests to use personal information to operate, maintain, and provide you with our Services, including ensuring you can use our website and also providing your affiliated company with access to the Cado Platform. If we have entered into a contract with you, we will use your personal information as required for us to perform our contractual obligations under the relevant contract.
• Communicate with you about our Services. It is in our legitimate business interests to use personal information to respond to your requests, provide support, and communicate with you about our Services, including by sending announcements, updates, security alerts and support and administrative messages.
• Improve, monitor, personalize, and protect our Services. It is in our legitimate business interests to improve and keep our Services safe for our users, which includes:
  • Understanding your needs and interests, and personalizing your experience with the Services and our communications.
  • Troubleshooting, testing and research and to keep the Services secure.
  • Investigating and protecting against fraudulent, harmful, unauthorized, or illegal activity

• Research and development.We may use personal information for research and development purposes in our legitimate business interests, including to analyze and improve the Services and our business. As part of these activities, we may create or use aggregated, de-identified or other anonymized data from personal information we collect. We make personal information into anonymized data by removing information that makes the data personally identifiable to you. We may use this anonymized data and disclose it to third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.
• Marketing and advertising:
  • Direct marketing. We may send you direct marketing communications about goods, services, and products that we think may be of interest to you as permitted by law, including by email. You may opt-out of our marketing communications as described in the “Opt-out of marketing communications” section below. Where required by law we will only send you marketing information if you consent to us doing so at the time you provide us your personal information. Otherwise, we will only send you marketing information if it is in our legitimate business interests to send such information.
  • Interest-based advertising. We engage our advertising partners, including third party advertising companies and social media companies, to display ads around the web. These companies may use cookies and similar technologies to collect information (including the automatically-collected data described above) about your interactions over time across our Services, our communications, and other online services, and use that information to serve online ads that they think will interest you. Where required by law we will undertake such advertising activities on the basis of your consent, otherwise we will do so only if it is in our legitimate business interests to undertake such activities.
• Supplier/Partner relationships. Where you are a supplier/partner or a representative of a supplier/partner, it is in our legitimate business interests to use your personal information to contact you and to manage our relationship with you and/or your company. If we have entered into a contract with you/your company, we will use your personal information as required for us to perform our contractual obligations under the relevant contract.

• Compliance and protection. We may use personal information to comply with legal obligations, and to defend us against legal claims or disputes where it is in our legitimate business interests to do so, including to:
  • protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  • audit our internal processes for compliance with legal and contractual requirements and internal policies;
  • enforce the terms and conditions that govern the Services;
  • prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft; and
  • comply with applicable laws, lawful requests and legal process, such as to respond to subpoenas or requests from government authorities.
• To assess your application for a job with us. We use the personal information you provide to us as part of your application to join us to assess your suitability for our roles, and to determine the role that best fits your profile. It is in our legitimate business interests to do so, and we may also do so in preparation of entering into a contract with you.

4. How We Disclose Personal Information

We may disclose personal information to the following categories of parties:

• Affiliates. We may share your personal information with our affiliates.
• Service providers. Companies and individuals that provide services on our behalf or help us operate the Services or our business (such as hosting, information technology, support, email delivery and website analytics services).
• Advertising partners. Third party advertising companies, including for the interest-based advertising purposes described above.
• Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us.
• Authorities and others. Law enforcement, government authorities and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
• Business transfers.Acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests (including, in connection with a bankruptcy or similar proceedings).
• Your instruction or permission. A relevant third party, where you give us permission to do so in the course of your relationship with us from time to time.

5. Retention of Personal Information

Where required under applicable laws, we retain personal information only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws and regulatory obligations or until you withdraw your consent (where applicable).

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information, the purposes for which we use personal information and whether we can achieve those purposes through other means, any permissions you give us with regards to your personal information, and the applicable legal and regulatory requirements.

6. International Data Transfers

Cado is located in and processes personal information in the United Kingdom. A number of our external partners and service providers are also based in the United States which means your personal information may be processed in countries with data protection laws less stringent than or otherwise different from the laws in effect in your country.

Where there are cross border transfers of your personal information, unless we can rely on a derogation provided under data protection law, we will ensure that relevant safeguards are in place to afford adequate protection for your personal information, and we will comply with applicable data protection laws, by relying on an adequacy decision by the European Commission or the UK Government, or on pre-approved contractual protections for the transfer of your personal information. For more information about how we transfer personal information internationally, please contact us as set out in the “Contact Us” section below.

7. Privacy Rights and Choices

Opt-out of marketing communications. You may opt out of marketing-related emails and other communications by following the opt-out or unsubscribe instructions in the communications you receive from us or by contacting us as provided in the “How to Contact Us” section below. You may continue to receive Services-related and other non-marketing emails as permitted under law.

Limit online tracking. Some internet browsers can be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Personal information requests. We offer you choices that affect how we handle the personal information that we control. Depending on your location and the nature of your interactions with our Services, you may request the following in relation to personal information:

• Information about how we have collected and used personal information. We have made this information available to you without having to request it by including it in this Privacy Policy.
• Access to a copy of the personal information that we have collected about you and information on how we have used your personal information. Where applicable, you can ask us for portability of this information (i.e. to provide personal information in a portable, machine-readable, readily usable format to you or another third party you designate).
• Correction of personal information that is inaccurate or out of date.
• Deletion of personal information that we no longer need to provide the Services or for other lawful purposes.
• Opt out of the sharing or processing of your personal information for targeted advertising purposes.
• Additional rights, such as to object to our processing of your personal information and request that we restrict our use of your personal information, and where applicable, you may withdraw your consent to our processing of your personal information.
• Right to complain. Depending on where you reside, you may have the right to complain to a data protection regulator where you live or work, or where you feel a violation has occurred. If you reside in the European Economic Area, click here to find your local supervisory authority, and here if you are in the United Kingdom.

To make a request, please email us or write to us as provided in the “How to Contact Us” section below. We may ask for specific information from you to help us confirm your identity. Depending on where you reside, you may be entitled to empower an authorized agent to submit requests on your behalf. We will require authorized agents to confirm their identity and authority, in accordance with applicable laws. You are entitled to exercise the rights described above free from discrimination.

Limits on your privacy rights and choices. In some instances, your choices may be limited, such as where fulfilling your request would impair the rights of others, our ability to provide a service you have requested, or our ability to comply with our legal obligations and enforce our legal rights. If you are not satisfied with how we address your request, you may submit a complaint by contacting us as provided in the “How to Contact Us” section below.

8. Security

We use reasonable organizational, technical and administrative measures designed to protect against unauthorized access, misuse, loss, disclosure, alteration and destruction of personal information we maintain. Unfortunately, data transmission over the Internet cannot be guaranteed as completely secure. Therefore, while we strive to protect your personal information, we cannot guarantee the security of personal information.

9. Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the website, or as otherwise required by law.

10. How to Contact Us

If you have any questions or comments about this Privacy Policy, our privacy practices, or if you would like to exercise your rights with respect to your personal information, please contact us by email at privacy@cadosecurity.com.

EEA Representative Contact Information. If you are an individual in the European Economic Area (EEA), you can also contact European Data Protection Office (EDPO), who have been appointed as our representative in the EEA for data protection matters, using the following details:

• by using EDPO’s online request form: https://edpo.com/gdpr-data-request/  
• by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium