CATALOOP PRIVACY POLICY

Last modified 31 March 2025

Cataloop OÜ (“Cataloop,” “we” “us” or “Company;” for contact details see the end of this privacy policy) considers protecting and respecting your privacy and safeguarding your personal data as critically important aspects of its business. The first section of this policy details and regulates how we collect, store, process, transfer, share and use your personal data when you visit our website (https://www.cataloop.com/) for informational purposes, and information regarding our use of cookies and similar technologies. The second section of this policy details and regulates the aforementioned when you use our application which is accessible via our website (“Cataloop Application”). The third section of this policy contains general regulation on the protection measures concerning your personal data, on transferring your personal data, information on your rights, and our contact details.

If you have any questions about our privacy policy or how we process your personal data, please contact us via e-mail at hello@cataloop.com.

I. DATA PROCESSING WITH REGARD TO VISITING AND USING OUR WEBSITE

Who is Responsible for Processing Your Data

We are the data controller with regard to the personal data processed when you visit and use our website. This means that we determine and are responsible for how your personal data is processed. Our full contact details can be found at the end of this privacy policy.

Persons Affected by Data Processing, Types of Data Processed

The persons affected by data processing in visiting and using our website are the persons that visit and use our website over the internet.

If you visit our website, we may process personal data that we gather ourselves (or by using third-party services) regarding how, when and for what periods you access and use our website, and information about the device you use to access our website. We typically collect this data through various tracking technologies, e.g. cookies. This data includes information about pages visited, duration of visits, navigation patterns, IP address, browser type and version, device type and operating system, interactions with website elements, and general geographic location.

If you visit our website, we may also process personal data that you voluntarily and directly through our website provide us with. This includes data you provide to us when you book a demo, subscribe to our marketing communications, correspond with us, or use any other feature of our website. This data includes: first name, last name, e-mail address, phone number, employer, job position, communication, and correspondence data (including chats).

In requesting data from you, we will indicate to you if the provision of certain personal data is mandatory or optional. If you choose not to provide any personal data marked as mandatory, you may not be able to file your request and/or we may not be able to respond to your requests or provide other services to you.

We may combine the personal data you provide us with and that we collect ourselves or through third-party services.

Purposes and Lawful Basis for Data Processing

We process the personal data mentioned above to ensure the proper functioning of our website, to improve its performance and content, and to carry out analyses and usage statistics (such as tracking the number of visits or identifying navigation patterns). The lawful basis for such processing is our legitimate interest in maintaining and enhancing the functionality, security and relevance of our website.

We also process the personal data mentioned above in order to reply to the requests that you have submitted to us, e.g. for setting up a demo or negotiating over establishing a potential customer relationship. In such case, the lawful basis for such processing is either our legitimate interest, the performance of a contract or taking steps at your request to enter into or prepare the entry into a contract or hold negotiations related thereto.

In case you have subscribed to our marketing communications, we will process your personal data based on your consent which you may at all times withdraw by an unsubscribe link provided in the marketing communication.

We may convert any personal data into anonymous or aggregated information that can no longer be linked to any individual. We do this, for example, to better understand how our website is used or to help us improve and develop new features. Once the data has been fully anonymised, we may use it for various purposes, such as testing and improving the website and IT-systems, research, data analysis, providing or optimising our services, or developing new services and features. We may also share such anonymised and aggregated information with others, including for commercial purposes.

Data Retention

We retain the personal data we collect in connection with you visiting or using our website for a period of up to 2 years.

We retain the personal data you provide to us with your requests etc. for a period of three years to enable us to better manage the relationship between us and cater to any of your follow-up requests and queries.

We may be required to store your personal data for periods which are longer than the periods above when this is necessary for resolving disputes, protecting our lawful and legitimate interests, or required by applicable laws.

Some personal data may be retained in archived or backup systems for a limited period, solely for the purposes of ensuring data integrity, restoring systems in the event of failure, or fulfilling legal or compliance requirements. Such data is securely stored and access is strictly limited. It will be deleted or permanently anonymised once the relevant retention period expires or restoration is no longer required.

Cookies and Tracking

Cookies are small files or part of a file stored on your computer, created, and subsequently read by a website server, and containing personal information (such as a user identification code, customised preferences, or a record of pages visited).

We use cookies and similar tracking technologies to distinguish you from other users of our website. This helps us to provide certain functionalities, to monitor and improve the website, as well as to allow our partners to determine products and services that may be of interest to you and to display relevant advertising to you as you browse the internet.

We use the following types of cookies, whereas a detailed list of cookies can be found in our cookie policy:

Strictly necessary cookies. These are cookies that are required for the operation of our website, and these are the only type of cookies from which it is not possible to opt out from.
Analytical cookies. These are cookies that track how users navigate and interact with our website. The information collected is used to help us improve the website.
Functionality/performance cookies. These are cookies that help enhance our website’s performance and functionality. We may use this information e.g. for remembering your settings and preferences.
Third party cookies. These are cookies that have been created by a website other than ours. These cookies are used to analyse users’ web usage in order to offer users a personalised web experience.

For non-essential cookies (e.g. analytics or personalisation), we rely on your consent, which you may give or withdraw via our cookie manager. You can modify cookies in your browser settings or in our cookie manager accessible via our website. Please note that if you disable all cookies which can be disabled, our website or parts of it may not function properly.

II. DATA PROCESSING WITH REGARD TO USING THE CATALOOP APPLICATION

Who is Responsible for Processing Your Data

The Cataloop Application is available and accessible on and through our website. The use of the Cataloop Application is regulated in detail in our Terms of Service.

In providing the Cataloop Application, we act both as a data controller and a data processor as outlined below.

In processing our customers’ general contact data, we act as a data controller.

In allowing our customers to transmit, input, view, edit, otherwise use and delete data in the Cataloop Application (“Customer Data”) using APIs or other tools and their dedicated exclusive access dashboards available in the Cataloop Application, we act as a data processor. Our customers are liable for ensuring that a lawful basis exists for the entry into and the further processing in the Cataloop Application of the Customer Data, including any personal and other data contained therein.

Persons Affected by Data Processing, Types of Data Processed

The persons affected by data processing in connection with managing Cataloop Application related customer relationships are the contact persons appointed by the customer and notified to us, as well as other customers’ employees contacting us. The data may include first name, last name, e-mail address, phone number, and job position (“Contact Data”). We also process company (customer) specific information, including with regard to invoicing.

The persons affected by data processing in connection with the functions and services of the Cataloop Application are the customer’s employees and natural persons regarding whom our customer has transmitted or input Customer Data into the Cataloop Application. The data may include first name, last name, job title, seniority, work e-mail address, phone number, correspondence data (“Data on Persons”).

Purposes and Lawful Basis for Data Processing

We process Contact Data for the administration and fulfilment of our customer contracts, and for ensuring that the customer contracts are duly fulfilled by our customers. The lawful bases for such processing activities are the fulfilment of a contract with a customer, and our legitimate interests in protecting our rights (e.g. in case of disputes, and in collection of debt).

We process Data on Persons included in the Customer Data both as a controller and a processor.

As a controller, we may process Customer Data for the purpose of maintaining and improving our services, including through analysis and the training of AI models. The lawful basis for such processing is our legitimate interest in developing and enhancing our services. Where required, and in particular if the data processed includes special categories of personal data or if local law so requires, we will obtain the data subject’s explicit consent.

As a processor, we process Data on Persons for the customer acting as a controller under a data processing agreement with the customer, and the customer is liable for and obliged to have a lawful basis for processing. In acting as a processor, we enable the customers to transmit, input, view, edit, otherwise use and delete Data on Persons included in the Customer DATA using APIs or other tools and their dedicated exclusive access dashboards available in the Cataloop Application.

We may convert any personal data (including Contact Data and Data on Persons) into anonymous or aggregated information that can no longer be linked to any individual. We do this, for example, to better understand how our services are used or to help us improve and develop new features. Once the data has been fully anonymised, we may use it for various purposes, such as testing and improving the Cataloop Application and IT-systems, research, data analysis, providing or optimising our services, or developing new services and features. We may also share such anonymised and aggregated information with others, including for commercial purposes.

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal obligations. Once data is no longer needed, we will either delete it or anonymise it. Anonymised and aggregated data that can no longer be linked to any individual may be retained and used indefinitely for purposes such as analytics, research, or service development.

Customer Data shall be retained for the duration of the relevant customer contract and for a period of three years thereafter. Customer Data which is related to accounting, billing and taxes shall be retained for a period of ten years or until required by applicable legislation. We may be required to store Customer Data for longer periods when this is necessary for resolving disputes, protecting our lawful and legitimate interests, or required by applicable laws.

Data on Persons shall be retained for the duration of the relevant customer contract and shall be deleted within 12 months as of termination of the relevant customer contract. Unless otherwise permitted by applicable legislation, Data on Persons shall also be deleted if requested by the relevant data subject or the customer, and we shall in such case follow the instructions of the data subject or the customer. Please note that such data deletion requests may result in us being unable to continue the provision of our services.

III. GENERAL REGULATION

Storing and Transferring Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data, Customer Data and Data on Persons against accidental or unlawful destruction, loss, change or damage. All data we collect will be stored on the secure servers of our reputable cloud service providers.

If you wish to enquire further about the safeguards we use, please contact us using the details set out at the end of this privacy policy.

Any transfers of personal data outside the EU/EEA shall be carried out in accordance with Chapter V of the GDPR, including on the basis of an adequacy decision, or by implementing appropriate safeguards such as Standard Contractual Clauses approved by the European Commission.

Recipients

Your personal data may be shared with third party service providers that perform services for us or on our behalf. Such services may include e-mail and chat services, cloud services, large language model services’ providers, machine translation services’ providers, fraud prevention services, and analytics services. Our full list of subprocessors is available here.

Your personal data may also be shared with external recipients if we are legally obliged to do so. This may include court orders and judgements, and data protection supervisory authority requests. In honouring such orders, judgements, and requests, we shall make sure that a lawful basis exists under which we share the information.

We may share your personal data in connection with legitimate exercise or protection of our or our customers’ rights, or in investigating contract breaches or illegal activity. In such cases the recipients of your personal data may be professional advisors or law enforcement agencies.

Your personal data may be disclosed to third parties if we are involved in a merger, sale of all or part of our assets or shares, reorganisation, or financing.

Your Rights

In accordance with and subject to exceptions prescribed by applicable law, you as a data subject have the following rights against us to the extent we act as a data controller, which you may exercise by submitting a relevant request to us which we shall process in accordance with applicable legislation:

Right to Information: You have the right to obtain clear and transparent information about how we process your personal data, including the purposes for the processing and the lawful basis.
Right of Access: You may request access to your personal data processed by us, including a copy of such data.
Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, and machine-readable format, or that we transfer your data directly to another controller, where technically feasible.
Right to Rectification: If your personal data is inaccurate or incomplete, you have the right to request correction or completion of the data held by us.
Right to Restrict Processing: You may request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data, the processing is unlawful, or when you need the data for legal claims, and we no longer require it for processing purposes.
Right to Object: You have the right to object to the processing of your personal data based on our legitimate interests or for direct marketing purposes. In such cases, we will cease processing unless we can demonstrate compelling legitimate grounds that override your rights or if the processing is required for legal claims.
Right to Erasure: You may request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when processing is unlawful. This right is subject to exceptions, such as where processing is required to comply with legal obligations or to establish, exercise, or defend legal claims.
Right to Withdraw Consent: If our processing of your personal data is based on your consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: If you believe we have not complied with applicable data protection laws, you have the right to lodge a complaint with your local data protection authority.

Amendments to the Privacy Policy

This privacy policy may be amended by us from time to time with reasonable notice to you of such amendments e.g. via our website or e-mail. We recommend that you periodically review this page. In amending the privacy policy, the “last modified” date at the top of this privacy policy shall be updated. The privacy policy currently published on our website (https://www.cataloop.com/) is regarded as valid and effective.

Contacting Us

Please contact us if you have any questions, comments, or requests regarding this privacy policy. Our contacts are as follows:

Cataloop OÜ
Estonian commercial register code: 17020739
Registered address: Telliskivi tn 57b/1, 10412 Tallinn, Estonia
e-mail address: hello@cataloop.com
Our supervisory authority is the Estonian Data Protection Inspectorate (www.aki.ee).