This Data Privacy Policy ("Policy") provides an overview of how Ontrex AG ("Ontrex", "we", "our"), via our websites, products and services, handles privacy, and how we protect your Personal Data.
Data and its protection belong to the core of our business. Ontrex as well as our employees, contractors and service providers are committed to providing you with transparency and choice when it comes to Personal Data. We thereby define Personal Data as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
We aim to process Personal Data in accordance with applicable legislation, while taking into account and transparently balancing the relevant interests of our customers, ourselves and other stakeholders.
We invite you to carefully read this Data Privacy Policy, which sets out in which context we are processing your Personal Data and explains your rights and our obligations when doing so.
Certain products and services provided by Ontrex may have additional specific privacy notices that describe how we handle Personal Data for those products and services. If any other privacy notice conflicts with this Data Privacy Policy, such specific notice will take precedence.
We may update this Data Privacy Policy from time to time. If we modify our Data Privacy Policy, we will post the revised version on this website, with an updated revision date. You agree to visit these pages periodically to be aware of and review any such revisions. If we make material changes to our Data Privacy Policy, we may also notify you by other means prior to the changes taking effect, such as by posting a notice on our websites or sending you a notification. By continuing to use our website or our products and services after such revisions are in effect, you accept and agree to the revisions and to abide by them.
A. What this Data Privacy Policy covers
This Data Privacy Policy describes the following general aspects of our collection and processing of Personal Data concerning you.
Please refer to our complementary product and service privacy notices for additional detail specific to those products and services.
B. What Personal Data we collect
a. General
When you visit and use our websites, products and services, we may collect data or ask you to provide certain data, including Personal Data, about you as you use our websites, products and services and interact with us, for the purpose of helping us manage our relationship with you. "Personal Data" is any data relating to an identified or identifiable individual. If we link other data with your Personal Data, we will treat that linked data as Personal Data. We also collect Personal Data from trusted third-party sources and engage third-parties to collect Personal Data to assist us. Personal Data may include:
We collect Personal Data for a variety of reasons, such as:
We and the third parties we engage may combine the information we collect from you over time and across our websites and Products and Services with information obtained from other sources. This helps us improve its overall accuracy and completeness, and also helps us better tailor our interactions with you.
If you choose to provide Ontrex with a third party's personal information, you represent that you have the third party's permission to do so.
b. Website
Most of our services provided on our websites do not require any form of registration, allowing you to visit our website without telling us who you are. However, some services may require you to provide us with Personal Data, which may include your direct identifiers, such as name, birth date, email address or telephone number. We may collect and use Personal Data to provide you with products or services, to bill you for products and services you request, to market products and services which we think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which we inform you when we collect Personal Data from you.
We use JotForm to create contact and registration forms, to process data entered into those forms and to send automated responses regarding those forms. Please refer to Jotform’s privacy policy at https://www.jotform.com/privacy/ to learn more about their processing of Personal Data.
We may collect and process information about your visit to our websites, such as the pages you visit, the website you came from and some of the searches you perform. Such information is used by us to help improve the contents of the website and to compile aggregate statistics using our site for internal, market research purposes. In doing this, we may install "cookies" (see further below) that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access.
C. On what grounds and how we process your Personal Data
We may use your Personal Data for the purposes of operating our business, delivering, improving, and customizing our websites, products and services, sending marketing material and other communications related to our business, and for other legitimate purposes permitted by applicable law.
According to EU Regulation 2016/679 (“GDPR”), processing of Personal Data is lawful only if and to the extent specific grounds mentioned in the GDPR apply. Your Personal Data is used on the following grounds:
a. Your consent Article 6 (1) a) GDPR
You can give us your consent to process your Personal Data in order to:
b. Fulfilling our contracts Article 6 (1) b) GDPR
We may process your data in order to fulfil our contractual obligations with you and third parties, such as:
c. Legal obligations Article 6 (1) c) GDPR
Ontrex is obligated by law to keep records for accounting and tax reasons, to provide information to other public authorities and to be documented in case of legal proceedings.
d. Legitimate interest in accordance with Recital 47 of the GDPR
When delivering our products, services and communications to you as well as to our other customers and partners, we may process your Personal Data to:
e. Legitimate interest in accordance with Recitals 39 and 49 and Article 32 of the GDPR
Some of our products and services support organizations to comply with Recital 39 and Article 32 of the GDPR, ensuring that Personal Data is processed in a manner that ensures appropriate security and confidentiality, including for preventing unauthorised access to or use of Personal Data and the equipment used for processing.
Ontrex processes Personal Data for network and information security purposes. Pursuant to Recital 49 of the GDPR, organizations have a recognized legitimate interest in collecting and processing Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security. According to Recital 49, network and information security means the ability of a network or of an information system to resist events, attacks or unlawful or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, or the security of the related services offered by, or accessible via those networks and systems.
Ontrex is a provider of cybersecurity technologies and services which may include hosted and managed computer emergency and security incident response services. As described in Article 6(1) f) GDPR, it is in our legitimate interests as well as in our customers’, to collect and process Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring the security of our own, and of our customers’ networks and information systems. This includes the development of threat intelligence resources aimed at maintaining and improving on an ongoing basis the ability of networks and systems to resist unlawful or malicious actions and other harmful events (“cyber-threats”). The Personal Data we process for said purposes includes, without limitation, network traffic data related to cyber-threats such as:
Depending on the context in which such data is collected, it may contain Personal Data concerning you or any other data subjects. However, in such cases, we will process the data concerned only to the extent strictly necessary and proportionate to the purposes of detecting, blocking, reporting (by removing any personally identifiable elements) and mitigating the cyber-threats of concern to you, and to all organizations relying on our products and services to secure their networks and systems. When processing Personal Data in this context, we will not seek to identify a data subject unless strictly indispensable to the remediation of the cyber-threats concerned, or required by law.
D. Marketing and Community Networking
Ontrex has a legitimate interest in promoting our commercial offerings and to optimize the delivery of communications to that effect to our customers and audiences that are most likely to find them relevant. We will therefore collect and process data to that end as explained below. However, where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials where we have obtained such consent from you. If you do not want to continue receiving any marketing materials from us, you can click on the unsubscribe function in the communication or e-mail.
a. Cookies
Cookies help to make your visit of our website easier, more enjoyable, and more efficient.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain Personal Data, but Personal Data that we store about you may be linked to the information stored in and obtained from cookies.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. Browsers regularly allow you to set your browser to notify you when you receive a "cookie"; this will enable you to decide if you want to accept it or not. You may also deactivate Cookies. However, if you do not accept our Cookies, you may not be able to use all functionalities of your browser software.
In addition, you may prevent or stop the installation and storage of cookies by your browser settings by downloading and installing the free Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout?hl=en.
If you do not accept cookies, you may not be able to fully experience all functions of our website.
b. Google Analytics
The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be passed on by us or the third-party providers of such technical systems based in Switzerland and abroad for processing. The most frequently used and the most popular analysis tool is Google Analytics, a service provided by Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, the US (“Google”).
Google Analytics uses Cookies (see above) stored on your computer to help analyse how users use our website. The information generated by Google Analytics about your use of the website (including your IP address) will be transmitted to and stored on a Google server in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us, and providing other services relating to website activity and Internet usage. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will not associate your IP address with any other data held by Google.
If you do not want your website activity to be available to Google Analytics, you can install the browser add-on to disable Google Analytics that can be found at https://support.google.com/analytics/answer/181881?hl=en. This prevents the JavaScript (ga.js, analytics.js, and dc.js) running on the websites from sharing activity data with Google Analytics.
The analysis of data by other tools of the website owner is not disabled when you use the add-on. Data may still be sent to the website or other web analytics services.
c. Newsletter, Email and other forms of correspondence
If you sign up for our newsletter(s), or if you contact us via a contact form or directly by E-Mail, we will store some of your information, including your email address, IP address and certain information about the links you click within the emails we send you. We will not sell your email address or share it with any other party, unless we are legally compelled to do so.
In addition to the purposes described above, we may, in compliance with applicable legal requirements, use your Personal Data to provide you with advertisements, promotions and information about products and services tailored to you and your needs. This may include demographic data or trend data provided by third-parties, where permitted. Contact details, including phone numbers, mail and email addresses, may be used to contact you. If you do not want us to use your Personal Data in this way, you can simply choose not to consent to such use of your data on the webpages and/or forms through which such Personal Data is collected. You can also exercise this right at any time by contacting us as explained below.
d. Automated profiling
Where we process network traffic data for the purpose of network and information security based on our or our customers’ legitimate interest as outlined in the corresponding section of this Data Privacy Policy, automated decisions concerning particular data elements may occasionally be made. This could involve in particular assigning relative cybersecurity reputation scores to IP addresses and URLs based on objective cyber-threat indicators measured by our cyber-threat detection engines. Such indicators may be for instance the determination that malicious or otherwise harmful contents are hosted at a given URL or are emanating from a given IP address. Such automatically-assigned reputation scores may be leveraged by you, by Ontrex, by our partners and by other customers to detect, block and mitigate the identified cyber-threats. They could therefore result in our products and services blocking network traffic coming from or going to such URLs and IP addresses. No such processing is intended to produce any other effect than protecting you, our customers, Ontrex and our partners from cyber-threats. Should you nevertheless consider that such automated processing is unduly affecting you in a significant way, please contact directly the relevant data controller whose use of our products and services is thus impacting you. In case that data controller is Ontrex, please refer to the “Your Privacy Rights” and “Contact Us” sections of this Data Privacy Policy to raise your concerns and to seek our help in finding a satisfactory solution.
E. How we protect your Personal Data
a. Safeguards
Securing Personal Data is an important aspect of protecting privacy. We take reasonable and appropriate administrative, technical, organizational, and physical security and risk management measures in accordance with market standards and applicable laws to ensure that your Personal Data is adequately protected against accidental or unlawful destruction, manipulation, damage, loss or alteration, unauthorized or unlawful access, disclosure or misuse, and all other unlawful forms of processing of your Personal Data in our possession.
These measures include:
Our security organization applies policies, standards and supporting security controls at the level appropriate to the risk level and the services provided. In addition, appropriate security controls are communicated to application owners and technology teams to support secure development of products and a secure operating environment.
b. Storage / Duration
The data we collect from you may be stored, with risk-appropriate technical and organizational security measures applied to it, on in-house as well as third-party servers in Switzerland.
We will retain your personal information as needed to fulfill the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements.
c. Measures upon Personal Data breaches
We take every reasonable measure to prevent Personal Data breaches. When these do occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the products, services or processes affected by the breach. In all cases, we will work together with affected parties to minimize effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches.
d. No guarantee
The Internet, however, cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any personal information you provide to us.
F. How we disclose your Personal Data
a. General
We do not sell, lease, rent or give away your Personal Data. We may share your Personal Data with third parties for the purposes of operating our business, delivering, improving, and customizing our solutions, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law or otherwise with your consent.
b. Business Partners
We may provide your Personal Data to our business partners for the purpose of allowing them to conduct business. This may include:
c. Service Providers Processing Data on Our Behalf
We may use contractors and service providers to process your Personal Data on our behalf for the purposes described in this Statement and the relevant product and service privacy notices accessible below. We contractually require service providers to keep data secure and confidential and we do not allow our data processors to disclose your Personal Data to others without our authorization, or to use it for their own purposes. However, if you have an independent relationship with these service providers their privacy statements will apply to such relationships. Such service providers may include in particular contact centers, payment card processors and marketing/survey/analytics suppliers.
d. Public Authorities
In certain instances, it may be necessary for Ontrex to disclose your Personal Data to public authorities or as otherwise required by applicable law. No Personal Data will be disclosed to any public authority except in response to:
G. Your Privacy Rights
Whenever we process Personal Data, we take reasonable steps to ensure that your Personal Data is kept accurate and up to date for the purposes for which it was collected. We will provide you with the ability to exercise the following rights under the conditions and within the limits set forth in the law:
In addition, you may at any time withdraw any consent you may have given for us to process Personal Data concerning you.
If you believe that your Personal Data was unduly collected or is unduly processed by Ontrex for purposes relating to network and information security, please be aware that if it is determined that Personal Data concerning you is processed by Ontrex because it is necessary for the detection, blocking or mitigation of convicted cyber-threats, in line with Article 21 (1) GDPR, objection, rectification or erasure requests may be rejected. It is our compelling legitimate interest to protect Ontrex and our customers from cyber threats, and therefore our interest may override your objection, rectification or erasure requests until you demonstrate the measures necessary to dissociate your Personal Data from any identified cyber-threat.
Where your exercise of any of the rights above is dependent on Ontrex’s action, we will abide by our legal obligation to take reasonable measures to ascertain your identity and the legitimacy of your request and may ask you to disclose to us any information necessary for that purpose. We will respond to legitimate requests within 1 (one) calendar month. In certain limited circumstances, we may need to extend our response period as permitted by applicable law. Pursuant to any such requests, we may retain certain data necessary to prevent fraud or future abuse or as otherwise required or permitted by law, including to comply with legal obligations we are subject to, as well as to establish, exercise and defend our legal claims.
H. Contact us
Ontrex AG
Compliance
Haldenstrasse 23
8306 Brüttisellen
Switzerland
When contacting us, please note the name of the website, product or service related to your request, your relationship and/or interactions with us (as applicable), as well as the specifics of the information you would like us to provide.