CIRRUS INSIGHT PRIVACY POLICY

Cirrus Insight limits the data, generally, and PII, specifically, collected from users through their use of Cirrus Insight’s Products, Services, and Websites.Verification of Requests

When a Client purchases Cirrus Insight’s Service(s), the type of Service and settings selected by the Client determine what PII a Client may provide to Cirrus Insight and what PII Cirrus Insight can collect from the user. 

If you voluntarily provide PII through Cirrus Insight’s www.cirrusinsight.com website or directly to Cirrus Insight designated representatives, Cirrus Insight may retain this Information in accordance with the Data Storage section of this Privacy Policy.

PII stored by Cirrus Insight is encrypted and can only be decrypted by authorized Cirrus Insight representatives.

The section below describes the PII that may be collected by Cirrus Insight when acting as a Data Processor: 

End-User Records:  In order to provide the Services contracted by a Client, Cirrus Insight must collect end-user data and metadata from the Client operating systems.  All End-user records obtained by Cirrus Insight from a Client are the property of the Client and are under the control of that Client. Clients or the respective End-user owns the data. Cirrus Insight will follow the instructions provided by the Client, and their Privacy Policy controls the use of End-user Information. 

End-user records may include the following data: 

• First Name
• Last Name
• Company Name
• Cirrus Insight Profile Username
• Cirrus Insight Profile Password 
• Position Title
• Email Address
• Phone Number
• Exchange Username
• Exchange Password
• Office 365 OAuth Token
• Gmail OAuth Token
• Salesforce OAuth Token

Integrations and Linked Services: Cirrus Insight offers integrations with a number of third-party services. For instance, you can sign up and log into Cirrus Insight by using Salesforce, Gmail, Office 365 and other third-party authentication providers. You can also connect your Cirrus Insight account to services in order to be able to interact and analyze your data.

Whenever you or your account owner links to one of these third-party services, Cirrus Insight is only authorized by permission sets you authorize for the service.

We use this information to authenticate, connect, or link your third-party accounts to Cirrus Insight. However, we do not receive or store passwords for any of these third-party services.

If you are looking for information regarding your End-user records, please reach out to the Client.

The sections below describe the PII that may be collected by Cirrus Insight when acting as a Data Controller in specific scenarios:

Client Registration for Services: To register a Client to use the Cirrus Insight’s Services, an administrator account must be created. The Client-approved representative must provide PII, such as:

• Name
• Phone Number
• Client Name
• E-mail address

Customer Accounts and Payments: Cirrus Insight may also collect PII from Client-approved representatives using Cirrus Insight's Services to verify business information, establish customer accounts, and to process payments. Cirrus Insight may collect financial information from potential customers to process Cirrus Insight's customer payments, such as:

• Business Name
• Business Representative name
• Business e-mail address
• Business phone number
• Business address
• Bank account information
• Tax ID number

Sometimes Client-approved representatives may pay for the Services with a credit card. In those instances, Cirrus Insight uses a third-party processor to process payments. The information collected will only be used by Cirrus Insight's third-party processor for the purpose of purchasing the Services. The information collected may include the following: 

• Credit Card number
• Credit Card 3-4 digit security code
• IP address
• User agent
• Email address for receipt

Client and End-User Customer Service: You may contact Cirrus Insight about Cirrus Insight's products and Services or with customer service inquiries. Depending on the method by which you contact Cirrus Insight, certain PII will be visible to Cirrus Insight. This information is identified below. Other than this information that is inherently visible based on your selected communication platform and optionally if information is needed to verify your identity, such as your name, Cirrus Insight never requires that you disclose PII.

• Customer Service E-mails:  If you contact us by email, Cirrus Insight will obtain and store your email address.
• Customer Service Phone Calls: If you contact us by phone call, Cirrus Insight will obtain and store your phone number.
• Customer Service Live Chat: If you contact us through chat, Cirrus Insight will obtain your IP Address and store only part of it.

Marketing: Cirrus Insight may also collect the PII listed below from you so that we may send you marketing communications about Cirrus Insight's products and Services. These communications will only occur if you have consented to receiving this information or have not opted out of our marketing programs. Cirrus Insight may send marketing communications to End-users; however, certain Clients may opt-out of this type of communication on behalf of its End-users. 

Cirrus Insight does not sell, transfer or utilize your data for any purpose other than as described in this Privacy Policy.   

• Name
• Email address
• Organization
• Location

If you do not wish to receive marketing communications from Cirrus Insight, you may opt out here.

Surveys, Contests, Feedback:  Cirrus Insight may invite individuals to participate in surveys, questionnaires, contests, or to contact Cirrus Insight with questions, comments, or feedback.  Participation is voluntary and only those that have opted in/consented will be contacted. Due to the nature of some of these activities, they may include the collection of PII, such as your:

• Name
• Email address
• Organization details
• Location

Job Applicants: Cirrus Insight may also collect PII from job applicants needed for the employment applications, such as:

• Name
• Email address
• Mailing address
• Government ID numbers
• Date of Birth
• Employment History
• Academic History

Automatically Collected Information/ Log Information: When you access the Services and Websites of Cirrus Insight, including requests for Product demonstration, via a browser, application, or other devices, Cirrus Insight's servers automatically record certain information. These server logs will include information such as:

• Your web request
• Your interaction with a Service
• IP address (only part of the IP address is stored)
• Browser type
• Browser language
• Date and time of your request

Cirrus Insight stores anonymized web server log files by keeping only part of the user’s IP address and generalizing the user agent.  Cirrus Insight does not use any device fingerprinting in logs.

Disclosure of this information is voluntary and will never be sold to 3rd parties.

The section below describes how Cirrus Insight may use the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Processor: 

When Cirrus Insight acts as a Data Processor on behalf of a Client, Cirrus Insight uses PII as instructed by the respective Client for the Client purposes specifically identified in Client contract and in the Client-configured settings.  

Please remember the Client decides which of Cirrus Insight's Services to use. Product details are on our Products page, but generally include 3 categories of services:

• Sync
• Sidebar
• Data Analytics

The section below describes how Cirrus Insight may use the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Controller: 

When Cirrus Insight acts as a Data Controller, it utilizes the PII we collect when an individual contacts us directly, agrees to participate in certain activities, when visiting Cirrus Insight's websites, and/or when requesting a product demo for the legitimate business purposes as described below:

WebSite Operations and Web Security: Cirrus Insight automatically collects information and log details to operate the www.cirrusinsight.com websites.  

Cirrus Insight tracks the total number of visitors to Cirrus Insight's website, the number of visitors to each page of Cirrus Insight's Site, browser type, location, and IP addresses. Cirrus Insight may also analyze tracked data for analysis of business trends and statistics.  

Cirrus Insight anonymizes the IP address by removing the last octet of the address, making Cirrus Insight unable to identify you or your exact location.

Cirrus Insight also has in place website security tools and processes, including penetration testing and vulnerability scans, to better ensure website security and protection of Information. In the event of a firewall event or other attempt that triggers a firewall rule, either active or passive, the offending IP address is recorded in its entirety and maintained in our data security tracking systems.

Marketing: If you have opted to participate in Cirrus Insight marketing campaigns, surveys,  receive additional information on the Cirrus Insight Services, or have requested a product trial, we will utilize your PII to contact you directly with relevant information.  Some Cirrus Insight services include social media links and widgets. In order to function properly, these features may set a cookie that records the Cirrus Insight page from which you engaged them, as well as your IP address. These features may also link to other websites or services whose privacy policies differ from ours. As a result, any information you provide to them will be governed by their policies and not this one.

De-identified data/ aggregate information:  Cirrus Insight uses de-identified data for business analytics purposes. Such information will be maintained, used, and disclosed in aggregated form only and will not contain PII.

Business Operations:  We use the information collected to enter into the Agreement with the organization you represent; to process your requests or billing transactions; to provide you with information or services you request; to inform you about other information, events, promotions, products, or services we think will be of interest to you and to which you have consent; and to support and facilitate your usage of the Services.

Employment Applications: Your information will be used by Cirrus Insight for the purposes of carrying out its application and recruitment process which includes:

• Assessing your skills, qualifications and interests against our career opportunities;
• Verifying your information and carrying out reference checks and/or conducting background checks (where applicable) if you are offered a job;
• Communications with you about the recruitment process and/or your application(s), including, in appropriate cases, informing you of other potential career opportunities at Google;
• Creating and/or submitting reports as required under any local laws and/or regulations, where applicable;
• Where requested by you, assisting you with obtaining an immigration visa or work permit where required;
• Making improvements to Google’s application and/or recruitment process including improving diversity in recruitment practices;
• Complying with applicable laws, regulations, legal processes or enforceable governmental requests; and/or
• Proactively conducting research about your educational and professional background and skills and contacting you if we think you would be suitable for a role with us.
• As part of our commitment to equal opportunity employment, we may process information regarding your membership in various organizations to support our diversity and inclusion efforts. This may include associating participant membership with sensitive and/or demographic information.

We will also use your information to protect the rights and property of Cirrus Insight, our users, applicants, candidates, employees or the public as required or permitted by law.

If you are offered and accept employment with Cirrus Insight, the information collected during the application and recruitment process will become part of your employment record. Your data will also be utilized by our product engineering team in development and testing activities.

Cirrus Insight does not sell data to third parties.

The section below describes how Cirrus Insight may share the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Processor: 

Google User Data: Cirrus Insight's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Other Cirrus Insight Users: Cirrus Insight is a collaborative platform that’s designed to let you share and disseminate your work. This means you are free to invite your peers to view, comment, download, or edit collaboratively in real-time, depending on the settings that you select. In addition, you may also grant your team members project access rights that are equivalent to yours, including the ability to transfer your ownership to a different account. Some of these collaborative features display your publicly accessible profile information to the other users you’ve invited to collaborate.

The section below describes how Cirrus Insight may share the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Controller: 

In instances where Cirrus Insight is the controller and Cirrus Insight collects End-user PII, such as when a test taker contacts Cirrus Insight's Customer Service or requests Service information, information about Cirrus Insight's company, or other inquiries, Cirrus Insight may disclose your PII in the following limited circumstances:

Law and Harm: Cirrus Insight may disclose End-user Information if Cirrus Insight believes that it is reasonably necessary to comply with a law, regulation, or legal request; to protect the safety of any person; to address fraud, security, or technical issues; or to protect Cirrus Insight's rights or property. 

Business Transfers: End-user PII maintained in the Client’s platforms is the property of the Client. End-user data stored within the Cirrus Insight servers are encrypted and may be sold or transferred to a third party if Cirrus Insight is involved in an acquisition, merger or other corporate reorganization transaction. In such instances, and consistent with and limited to data protection laws and privacy commitments, marketing analytics data, CRM data, customer lists, and other pseudoanonymized data may be disclosed or transferred as part of a corporate reorganization transaction; provided that the acquirer commits to using the information in a manner consistent with applicable law and this Privacy Policy.

Payment Processing: Cirrus Insight uses a third-party payment processor to process credit card payments. Cirrus Insight does not directly collect payment information and is not a money-services business. To the extent such functionality is made available in the Services, it is provided by an unaffiliated third party, and like any other third-party service, is subject to their terms of use.

Third-Party Service Providers: Cirrus Insight uses third-party service providers to help provide Cirrus Insight's Services, such as hosting Cirrus Insight's various blogs, Help Center, and knowledge bases, and to help Cirrus Insight understand the use of Its Services Services. In all instances, third-party services providers can only use any data for Cirrus Insight's business purposes as specified in Cirrus Insight's written agreement with them and not their own purposes. These Services may collect information sent by your browser as part of a web page request, such as cookies or your IP request. 

The sub-processors that Cirrus Insight uses are listed below but Cirrus Insight may update this list periodically. 

LIST OF SUBPROCESSORS

Marketing: Cirrus Insight uses search engines (Bing and Google), paid social media (LinkedIn, Twitter, and Facebook), email marketing (current and future Cirrus Insight blog), contests (CRM info), surveys (anonymous and/or CRM), lead generation forms (Facebook and LinkedIn) to provide marketing to Client representatives who have opted in to receive marketing materials.

Data Transfers from Cirrus Insight Locations: Support Tickets are assigned an anonymous ID so that no support inquiry is personally identifiable. Additionally support tickets do not contain embedded PII/ Personal Data unless specifically provided by the user in the text of the support request. Cirrus Insight Support Representatives are located in multiple locations across the US.  

Support Representatives will have read-only access to the ID assigned to the user, along with any PII/ Personal Data needed to verify identity or that is voluntarily given by the user. The Support Representatives are required to delete all PII/Personal Data, required or voluntarily given, immediately after responding to and resolving the support request.

In addition, Cirrus Insight may collect and transfer the following information between the US and other countries when deemed necessary for operating of business or hired service(s):

• IP address
• User agent details
• Administrator account information
• Client billing information

This data is transferred depending on what is required by the Client, its users, and what is deemed necessary for the operation of Cirrus Insight's website(s), application(s), and/or Services.

Other Disclosures: Cirrus Insight may disclose information to fulfill the purpose for which you provide it and to enforce or apply agreements with Cirrus Insight.

Cookies: Cirrus Insight uses cookies and similar technologies for tracking across different devices, websites and online services. We use this information both for secure authentication and for the maintenance of your active sessions. 

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses.

For more details about our use of cookies, please refer to our Cookies Policy. 

Do Not Track Settings: When any individual uses the “Do Not Track” setting, Cirrus Insight will only log the action, but will not store the user agent or IP address. You may opt “Do Not Track” settings here.

Data Security: Cirrus Insight takes data security very seriously and implements the industry’s best practices and policies. We take all reasonable measures to protect your information and to prevent any kind of unauthorized access, misuse, loss, or disclosure.

Cirrus Insight is built on the Microsoft Azure platform and deploys some of the highest security measures to ensure data security; 256 Bit encryption for data in transit, TDE for encrypting data at rest, and automated data masking to protect personally identifiable information. 

We conduct regular, manual and automated security audits. We also participate in voluntary penetration tests performed by third parties; these tests are followed by concrete, internal security policy updates and actionable engineering items for our development team.

While no system is infallible, we strive to keep our systems secure and constantly updated.

Towards this end, Cirrus Insight takes the following actions whether it is acting as a Data Processor or a Data Controller:

1. Cirrus Insight limits employee access to End-user information to only those employees and contractors who need the information to fulfill their job responsibilities;
2. Cirrus Insight conducts regular employee privacy and data security training and education; and
3. Cirrus Insight protects your Information with technical, contractual, administrative, and physical security safeguards in order to protect against unauthorized access, release, or use.
4. All data centers are ISO 270001 certified and SOC 2 attested and payment processors are PCI compliant.

To learn more about Cirrus Insight’s approach to data security, please see Cirrus Insight's Information Security Policies.

Data Storage, Location, Retention, and Deletion: Cirrus Insight stores Client and End-user information, including PII, for the minimum amount of time required by the Client or by applicable law. The length, location and format of data storage varies and is dependent on applicable law and the information itself.

The section below describes how Cirrus Insight may store, retain and delete the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Processor:

Cirrus Insight uses a third-party cloud provider for the storage of encrypted, collected data. Data is stored in data centers requested or chosen by the partnered Client. Clients can choose to store the data in a data center that is geographically relevant to their location or in another, potentially further away data center.

In relation to the Services that Cirrus Insight provides to a Client, Cirrus Insight retains data only as directed by that Client. As a standard practice, Cirrus Insight will store and maintain Client data for up to 90 days after the termination of an applicable agreement, unless a return of the data is requested by Client. Upon the conclusion of the 90 day post-termination period, all Client production data will be deleted, but all operational data related to the Cirrus Insight financial and operational records will be retained in accordance with applicable law.

The section below describes how Cirrus Insight may store, retain and delete the PII collected (detailed in the above section “Collecting PII”) when acting as a Data Controller: 

In situations when Cirrus Insight acts as a data controller, the PII provided by an individual is dependent on the activity conducted or requested by the individual.  Storage of this data provided may occur within a Cirrus Insight Microsoft Azure database for operations and/or the databases of third-party service providers. 

Cirrus Insight retains this Information only for as long as needed for Cirrus Insight’s legitimate business purposes and as required by applicable laws, investigations, or other security matters. All data collected will reside exclusively in North America unless specifically noted otherwise. 

Questions regarding data storage, recovery, and deletion should be directed through one of Cirrus Insight’s contact channels.

Data Breach Notification: In the event of a data breach, Cirrus Insight will activate Its Incident Response Program which includes isolation of the event, notification to impacted individuals, development of a remediation plan and corrective action. Notification to impacted individuals will be communicated as set forth below:

The section below describes how Cirrus Insight will provide notice to Clients in the event of a data breach when acting as a Data Processor:

Cirrus Insight will notify the Client via e-mail within 72 hours of the breach.  The Client is responsible for notifying End-users.

The section below describes how Cirrus Insight will provide notice to impacted individuals in the event of a data breach when acting as a Data Controller: 

If Cirrus Insight learns of a data breach, within 72 hours, Cirrus Insight may attempt to notify you electronically. Cirrus Insight may post a notice on Cirrus Insight's Sites and/or Services if a security breach occurs. Cirrus Insight may also send an email at the email address provided. Depending on where you live, you may have a legal right to receive notice of a security breach in writing.

Some countries and/or states have their own privacy and data security laws.  Cirrus Insight makes every effort to fully comply with each and every one of them.

United States Legal Basis for Processing Your Information

The section below describes your privacy rights when Cirrus Insight is acting as a Data Processor: 

End-users and those third-parties with whom they interface via Client technology platforms should contact the Client directly if they want to access, correct, delete, export, import, request a copy, exercise other rights they may have, or if they have questions about their PII. Cirrus Insight does not have the ability to edit, revise or delete any PII contained in Client records. We will send all requests we receive regarding Client, End-user or Third-party PII to the respective Client.

The section below describes your privacy rights when Cirrus Insight is acting as a Data Controller: 

When Cirrus Insight is acting as a Data Controller, we recognize the following rights in relation to your data: 

Opt Out of Promotional Communications: You have the right to opt-out of receiving any promotional communication. To unsubscribe from our newsletter, or other promotional emails, use the link at the bottom of the message. You can also contact us directly to have your information removed from our promotional contact list. Please note that, even if you unsubscribe, you will continue to receive non-promotional, transactional messages regarding your account and other essential services.  You may click here to Opt Out of Marketing Communications. 

Access and Update Personal Information: You have the right to access and edit your profile and billing information at any time. You also have the right to rectification in case your personal data is incomplete or inaccurate. To update your information, log in to your account and use the editing tools in your Cirrus Insight Dashboard. If you require assistance, please contact us.

Right to be Forgotten: You have the right to be forgotten which means that, at any time, you can request that Cirrus Insight permanently delete all applicable data records, including your profile information, both personal and financial, along with any user-created content. In some cases, we may need to retain partial information to fulfill our legal responsibilities, or to complete ongoing financial transactions.

Data Portability: You have the right, at any time, to request and receive the information that you have provided to Cirrus Insight. We will provide you with your information, in a machine-readable format, so that you can make use of it in other contexts, or with other service providers.

Request That We Stop Using Your Information: Even if you have previously consented to our Terms of Service and Privacy Policy, you have the right, at any time, to change your mind and object to the collection, use, and processing of your personal information. Additionally, you are under no contractual obligation to continue to provide any information to Cirrus Insight. However, we require certain information in order to provide you with our services. Therefore, if you disagree with the terms of this Privacy Policy or our Terms of Service, you should stop using Cirrus Insight, and contact us so that we may delete your information.

We will respond directly to requests regarding your PII held by Cirrus Insight.  Please contact us at privacy@cirrusinsight.com with any questions or requests you may have regarding your data privacy rights.

Note: California residents should read the CCPA Notice in this Privacy Policy for more information about their rights.  

Children’s Privacy Rights: When Cirrus Insight’s Services are used by an educational Client for an educational purpose, Cirrus Insight is permitted by the Client to process that student Information as a School Official and only for legitimate educational purposes authorized by the Client. In these instances, the Client (on behalf of the parent) provides the required consent for Cirrus Insight to collect PII of a child under 18 for this purpose as a “School Official.” Under FERPA, Clients in the United States subject to this law must provide an annual notice to parents of third parties that are providing services under the FERPA “School Official” exception.

Other than as described above, Cirrus Insight's Site and Services are not directed to children. Furthermore, we do not knowingly collect personal information from individuals under 16 years of age, unless consent is given or authorized by the holder of parental responsibility over the child. If we become aware that someone under 16 has provided us with personal details, we will take steps to delete such information. If you become aware that a child has unlawfully or unwittingly provided us with personal data, please contact us.

California Privacy Rights: Cirrus Insight does not sell your PII to any third parties for direct marketing purposes as defined in California Civil Code Section § 1798.83. Please contact privacy@cirrusinsight.com for any questions regarding your PII.

CCPA Notice: The following disclosures are made pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). These disclosures supplement any privacy notices Cirrus Insight has provided to you. In Cirrus Insight's Privacy Policy, Cirrus Insight describes the categories of PII Cirrus Insight has collected from California consumers over the past twelve (12) months, the categories of sources from which the Information was collected, the business or commercial purpose for which the Information was collected, and the categories of third parties with whom it has been shared. Cirrus Insight will not collect additional categories of PII or use the PII Cirrus Insight collected for materially different, unrelated, or incompatible purposes without providing you notice. 

For purposes of this CCPA Notice, “PII” means information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Under the CCPA, Cirrus Insight collects, retains, uses, and discloses PII, which may include student data under these Client agreements only as a “service provider” to Cirrus Insight's Client customers. The respective Client’s privacy policies apply to their End-users.

Please note that government agencies are not subject to CCPA.

If you have a question or would like to exercise your California consumer rights to knowledge, access, or deletion, please contact the Client directly.

Cirrus Insight does not sell PII.  Cirrus Insight uses PII to provide Cirrus Insight’s Services and respond to individual inquiries.

Third parties receiving PII are only permitted to process that PII as described in Cirrus Insight's Privacy Policy and Cirrus Insight's written agreements and are not permitted to sell PII or market to any test taker.

If you are a resident of California, you have other rights under the CCPA as follows: 

Right of Access: You can access your collected PII by contacting Cirrus Insight. Cirrus Insight describes in Cirrus Insight's Privacy Policy about PII Cirrus Insight collects, how Cirrus Insight uses it, and to whom Cirrus Insight discloses it.

Right to Correct, Update or Delete: You can correct, update, or request deletion of your PII by contacting Cirrus Insight through one of the channels listed below. Cirrus Insight can’t make changes to or delete your Information in some situations where it is necessary for Cirrus Insight to maintain your Information, for example if Cirrus Insight needs the Information to comply with applicable law or based on other exceptions as indicated in the CCPA.

Right to Request Disclosure of Information Collected:  Please contact Cirrus Insight as indicated below to request further information about the categories of PII Cirrus Insight has collected about you, where Cirrus Insight collected your PII, and for what purpose Cirrus Insight uses your PII.

Right to Disclosure of Information Sold and Right to Opt-Out:  You have the right to know what Information of yours Cirrus Insight has sold and you have the right to opt-out of any sale of your Information.  Cirrus Insight does NOT sell your PII. 

Right to Non-Discrimination: Cirrus Insight does not and will not discriminate against you if you exercise your rights under the CCPA. 

To exercise the rights described in this Privacy Policy, please submit a verifiable consumer request to us

via phone:  Toll Free xxxxx

via e-mail:  privacy@cirrusinsight.com

Only you, or someone legally authorized to act on your behalf and registered with the California Secretary of State, may make a verifiable consumer request related to your PII. You may also make a verifiable consumer request on behalf of your minor child. You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

1. Provide sufficient information that allows Cirrus Insight to reasonably verify you are the person about whom Cirrus Insight collected PII or an authorized representative, which may include the user’s
   • First Name
   • Last Name
   • Email Address
2. Describe your request with sufficient detail that allows Cirrus Insight to properly understand, evaluate, and respond to your request. 

Verification of Requests

Cirrus Insight cannot respond to your request or provide you with PII if Cirrus Insight cannot verify your identity or authority to make the request and confirm the PII relates to you. If Cirrus Insight cannot verify your identity or authority, Cirrus Insight will follow procedures to verify your identity and authority. Cirrus Insight attempts to respond to a verifiable consumer request within forty-five (45) days of its receipt. If Cirrus Insight requires more time (up to 45 days), Cirrus Insight will inform you of the reason and extension period in writing.

If you have an account with Cirrus Insight, Cirrus Insight will deliver Cirrus Insight's written response to that account. If you do not have an account with Cirrus Insight, Cirrus Insight will deliver Cirrus Insight's written response by mail or electronically, at your option.

Any disclosures Cirrus Insight provides will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response Cirrus Insight provides will also explain the reasons Cirrus Insight cannot comply with a request, if applicable. For data portability requests, Cirrus Insight will select a format to provide your PII that is readily usable and should allow you to transmit the Information from one entity to another entity.

Cirrus Insight does not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If Cirrus Insight determines that the request warrants a fee, Cirrus Insight will tell you why Cirrus Insight made that decision and provide you with a cost estimate before completing your request.

Changes to Cirrus Insight’s CCPA Privacy Notice

Cirrus Insight reserves the right to amend this CCPA privacy notice at Cirrus Insight's discretion and at any time. When Cirrus Insight makes changes to this CCPA privacy notice, Cirrus Insight will notify you by email or through a notice on Cirrus Insight's website homepage.

Contact Cirrus Insight

When you contact Cirrus Insight regarding any of your rights under the CCPA, Cirrus Insight will verify your identity before Cirrus Insight provides any information. You may contact Cirrus Insight through the following channel:

Via Email:  privacy@cirrusinsight.com

We do not discriminate against California residents who exercise their CCPA privacy rights.

AB 1584 is a California law that defines student and educational agencies rights regarding student records. Cirrus Insight complies with AB 1584 as described in this Privacy Policy and as applicable in Cirrus Insight's agreements with California Client(s).

Canadian Legal Basis for Processing Your Information

Canadian User Rights- FIPPA

Cirrus Insight makes every effort to cooperate with Clients in the compliance with the Canadian Freedom of Information and Protection of Privacy Act ("FIPPA"), as well as all federal and provincial laws and regulations, including those related to privacy and anti-spam legislation.

FIPPA provides Canadian citizens with the right to access information under the control of Clients.

The SaaS Agreement and the Terms of Service fully detail both Cirrus Insight’s and the Client’s obligations in relation to the confidentiality of data. FIPPA compliance is predicated on the Parties’ compliance to these provisions. These Confidentiality Obligations can be found in our Terms of Service.

European Legal Basis for Processing Your Information

Cirrus Insight complies with the EU General Data Protection Regulation (“GDPR”).

If you are a Cirrus Insight user or are visiting Cirrus Insight's Site(s) and are located in the European Economic Area ("EEA"), Cirrus Insight's legal basis for collecting and using the PII described above will depend on the Personal Data concerned and the specific context in which Cirrus Insight collects it.

When Cirrus Insight is a Data Processor, you must contact the Client regarding your information and exercising any of your data protection rights. When Cirrus Insight is a processor for a Client, their privacy policy controls the processing of your Personal Data. Cirrus Insight encourages you to read the Client’s privacy policy for a legal understanding of how, when, and why your Personal Data may be collected and how it is used.

When Cirrus Insight is a Data Controller: When Cirrus Insight is a controller, Cirrus Insight will normally collect PII from you only where Cirrus Insight has your consent to do so for marketing purposes, to perform a contract, or where the processing is in Cirrus Insight's legitimate business interests for Site and Cirrus Insight's business operations purposes. Where legitimate interest is Cirrus Insight's lawful basis for processing, Cirrus Insight has conducted an assessment to balance the individual’s privacy rights against Cirrus Insight's legitimate need to process the PII. In some cases, Cirrus Insight may also have a legal obligation to collect PII from you.

Where Cirrus Insight is the controller, if you have questions about or need further information concerning the legal basis on which Cirrus Insight collects and uses your PII, please contact our Data Protection Officer at privacy@cirrusinsight.com. 

European Economic Area (EEA) or Switzerland User Rights

When Cirrus Insight is a Data Controller: If you are based in the EEA or Switzerland, you acknowledge that Cirrus Insight may transfer your Information (including Personal Data) to Cirrus Insight and Cirrus Insight’s facilities in the United States or elsewhere, including those of third parties as described in the “Business Transfers” and “Third-Party Service Providers” sections of this Privacy Policy. Please review Cirrus Insight's Terms of Service for more information regarding any other applicable data protections.

When Cirrus Insight is a controller with respect to your Personal Data, such as for customer support, service, and other inquiries, and you are based in the EEA or Switzerland, you may have other rights as provided below:

Access: If you wish to access your Personal Data that Cirrus Insight collects, you can do so at any time through the Service or by contacting the Cirrus Insight Data Protection Officer.

Correction, Update, or Deletion: You can correct, update, or request deletion of your Personal Data through the Service-interface, or by contacting the Cirrus Insight Data Protection Officer.

Data Protection Authority: You have a right to raise questions or complaints with your local data protection authority at any time.

Right to Object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of your Personal Data by Cirrus Insight. If you have a right to object and you exercise this right, your Personal Data will no longer be processed for such purposes by Cirrus Insight. You may exercise this right without incurring any costs.

Right to Withdraw Consent: You have the right to withdraw your consent for Cirrus Insight to process your Personal Data when your consent is the lawful basis for processing.

Right to Restriction:  You may have the right to restrict Cirrus Insight's processing of your Personal Data unless Cirrus Insight's processing is otherwise authorized by applicable law.

Right to Data Portability: You may have the right to receive the Personal Data that you have given Cirrus Insight, in a structured, commonly-used, and machine-readable format. You have the right to send that Personal Data to another controller if the processing is based on consent or on a contract and is carried out by automated means.

Option to Opt-Out: For Client-approved representatives, you have the right to opt-out of marketing communications Cirrus Insight sends you at any time. You can do this by clicking the "unsubscribe" link in the marketing email Cirrus Insight sent you or by contacting the Cirrus Insight Data Protection Officer.

In order to process your request, you must provide your:

• Full Name
• Email Address
• Any other relevant information that may be required to address your request to opt-out. 

Please note that such marketing opt-out does not impact any transaction or operation notices that Cirrus Insight may need to send you. Note that Cirrus Insight does not market to test takers.

If you have any questions or comments about EEA or Swiss User Rights, please contact Cirrus Insight through one of Cirrus Insight's contact channels.

EU-US and Swiss-US Privacy Shield Frameworks

PLEASE NOTE:  Privacy Shield has been invalidated by the Court of Justice of the European Union.  Cirrus Insight is using Standard Contractual Clauses (“SCCs”) in addition to other mechanisms and implementing supplemental measures as applicable to better ensure that EU individuals’ Personal Data is subject to adequate protections.

Cirrus Insight participates in and has certified its compliance with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Although this is no longer a valid data transfer mechanism in the EU, Cirrus Insight will continue to self-certify under Privacy Shield as it provides additional protections. Cirrus Insight is committed to subjecting all Personal Data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework's applicable principles. To learn more about the Privacy Shield Frameworks, and to view Cirrus Insight's certification, visit the US Department of Commerce's Privacy Shield website.

With respect to Personal Data received or transferred pursuant to the Privacy Shield frameworks, Cirrus Insight remains subject to the regulatory enforcement powers of the US Federal Trade Commission (for issues pertaining to Privacy Shield). In situations where public authorities make lawful requests for information, such as to meet national security or law enforcement requirements, Cirrus Insight may be required to disclose Personal Data.

If you have an unresolved privacy or data use concern that Cirrus Insight has not addressed satisfactorily, please contact Cirrus Insight's US-based, third-party dispute resolution provider: Jams. This service is free of charge.

As more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.