General Data Protection Regulation
Updated: January 10, 2023
To the extent of any conflict between this Notice and the Crosslake Privacy Notice, this Notice shall control only with respect to EEA Individuals and their personal data.
Controller disclosure and details
We are a data controller of personal data regarding the following EEA Individuals: Prospective / current customers and vendors (Business Contacts), our general website visitors (Site Visitors), and our employees and contractors (Workforce) for the purposes and under the legal basis described in the table below. Please note that, in some cases, the categories of data subjects above may overlap (e.g., Business Contacts using the Website).
|Category||Purpose and Legal Basis of Processing|
|General (applies to all data subjects)||Cookies and Browser Information: Our website servers will log your IP address and other information (e.g., browser information, operating system, request date / time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking website usage, combating DDOS (Distributed Denial of Service) or other attacks, and removing or defending against malicious visitors on the website.|
|Business Contacts||Direct Marketing: Our legitimate interest in sending email marketing to current or prospective customers.|
Platform Demonstrations: Our legitimate interest in setting up demos with prospective customers pursuant to their request.
General Business Development: Our legitimate interest in furthering business relationships (such as by storing Business Contact information within a CRM or file), ensuring customer satisfaction, and answering inquiries.
|Site Visitors||Web Audience Measurement and Retargeting: Our legitimate interest in the use of Google Analytics to understand how Site Visitors interact with our general Website and where such Site Visitors are located (up to city-level only) in order to optimize the Website experience. Note that the last octets of Site Visitors’ IP Addresses have been anonymized and ”Sharing With Google” and ”Demographics / Advertising” features have been disabled within Google Analytics.|
|Workforce||Employee or Contractor Information: Our legitimate interest in maintaining personal information required of individuals that perform services for Crosslake, such as for processing payments for those services, background checks where permitted, for user accounts to access systems, job application or resume information, past and current job history, and job performance information. |
Executing Contracts and other Legal Documentation: We will process all personal data as necessary for the performance of contracts to which employees and contractors are a party (such as our Employment Agreements, Contractor Agreements, and Confidentiality Agreements) or to take requested steps to enter into such contracts.
Categories of personal information collected
We maintain the following information when provided voluntarily by our Site Visitors: name and email address (business e-mail address preferred). We may also maintain additional information, such as titles or phone numbers, gathered from public sources.
We maintain the following information provided voluntarily by our Business Contacts and gathered from public sources: Name, company, email (business email preferred), title, role, postal address, country, and telephone number (business number preferred).
We maintain the following information provided voluntarily by our Workforce: Name, email, role, postal address, country, telephone number, social security or national ID number, banking information and other information required for employment or contracted services.
We also process automatically-gathered Cookie and Browser information as described above.
Our sales, marketing, and finance teams process business contacts and site visitor information internally and such information is also disclosed to the following US-based recipients: our customer relationship management system, web audience measurement tools, and email marketing systems.
Information we collect from other sources
We receive personal data about you from some of our service providers who assist us with marketing or promotional services related to how you interact with our websites, applications, products, services, advertisements or communications.
How and with whom we share your data
We do not share personal data with third parties except those who work on our behalf and provide us with services necessary to conduct our business activities or to assist us in providing you with our services. These parties include, but may not be limited to:
Before engaging a new processor, we perform security and privacy assessments of the processor, and we ensure that the processing of personal data is always regulated with written data processing agreements.
In accordance with our legal obligations, we may also transfer personal data, subject to a lawful request, to public authorities for law enforcement or national security purposes.
In the normal course of Crosslake’s work, confidential information belonging to clients, the client’s assessment targets, or client affiliates (collectively “clients” and “client-provided information”) is provided in response to document requests or observed during online sessions as part of Crosslake’s service offerings. Client-provided information does not generally include personal information and personal information is not processed in our applications. To the extent that personal information is provided in client-provided information, we are a data processor of the personal data provided for GDPR purposes. When serving as a processor, we have certain obligations under GDPR that include only processing personal data at the instruction of our customers as reflected in the applicable Master Services Agreement, providing assistance with fulfillment of data subject rights requests, and implementing appropriate security for personal data.
We do not share client-provided personal data with third parties except when necessary to assist us in providing clients with our services. Our third-party providers include Microsoft 365, Salesforce and Amazon Web Services used in the delivery of our services. In accordance with our legal obligations, we may also share client-provided personal data, subject to a lawful request, to public authorities for law enforcement or national security purposes.
We will hold personal data for so long as we have an obligation to the client to provide the services, and thereafter until such time as we delete the client’s account in accordance with our Master Services Agreement.
We will forward any inquiries, complaints, or requests received from data subjects with respect to the Platform Data to the appropriate customer and await instructions before taking any action.
Information regarding the transfers of personal data outside of the European Economic Area
Crosslake’s administrative offices, our internally-developed applications, and third-party vendor applications used in our services are hosted and operated in the United States (U.S.) through infrastructure service providers. By submitting your personal information through our website or including personal information in client-provided information, you acknowledge that any personal data is being provided to a company in the U.S. and will be hosted on U.S. servers, and you authorize Crosslake to transfer, store and process your information in the U.S.
The U.S. does not have an adequacy decision from the European Commission, which means that the Commission has not determined that the laws of the U.S. provide adequate protection for personal information. Although the laws of the U.S. do not provide legal protection that is equivalent to EU data protection laws, we safeguard personal information by treating it in accordance with this GDPR Privacy Notice. We take appropriate steps to protect your privacy and implement reasonable security measures to protect your personal information in storage. We use secure transmission methods to collect personal data through our website. We limit access to client-provided information to those who have a genuine business need to know it. We also use subprocessors that maintain controls over security and privacy and enter into contracts with our subprocessors that require them to treat personal information in a manner that is consistent with this Notice.
Crosslake also has procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Retention period for personal information
How long we retain personal data varies according to the type of information in question and the purpose for which it is used. We delete personal information within a reasonable period after we no longer need to use it for the purpose for which it was collected. This does not affect your right to request that we delete your personal data before the end of its retention period. We may archive personal data (which means storing it in inactive files) for a certain period prior to its final deletion, as part of our ordinary business continuity procedures.
Personal data relating to current Business Contact (or Business Contacts with whom we’ve had a relationship) will be retained until the relationship terminates, at which point their personal data will be retained for seven (7) years for finance and tax purposes and in case of repeat business.
Your GDPR rights
EEA Individuals have a right to:
In addition to the above rights, EU data protection law provides applicable individuals the right to object, on grounds relating to your particular situation, at any time to any processing of your personal data for which we have justified on the basis of a legitimate interest, including profiling (as opposed to your consent) or to perform a contract with you. You also have the right to object at any time to any processing of your personal data for direct marketing purposes, including profiling for marketing purposes.
You may exercise these rights and submit a GDPR complaint by contacting email@example.com with the subject line “GDPR Notice.” You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email.
We will endeavor to update your personal data within thirty (30) days of any new or updated personal data being provided to Crosslake, in order to ensure that the personal data we hold about you is as accurate and up to date as possible.
You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under our Master Services Agreement. Contact details for the EU data protection authorities can be found at:
Updates to this Notice
If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the “Last Updated” date at the top of this page will be updated accordingly.
How to contact us
Crosslake’s main office is located at 5605 Carnegie Boulevard, Suite 175, Charlotte, NC 28209. Please use this address or, preferably, reach out to firstname.lastname@example.org for any questions, complaints, or requests regarding this Notice; please include the subject line “GDPR Notice.”