Cenote Privacy Policy

UPDATED: 2022-07-20

This Privacy Policy describes how your personal information is collected, used, and shared when you evaluate, purchase, install or use a product or service from Cenote Labs, Inc. (the "Products") or when you visit www.cenotelabs.com (the “Site”).

1. Personal Information We Track or Collect

1.1. When Purchasing Our Products (Order Information)

When you make a purchase or perform an evaluation of one of our Products through Atlassian, we collect certain information from Atlassian, including your name, country, email address, sales channel, and information about your Atlassian product instance. We refer to this information as “Order Information.”

1.2. When Visiting Our Site (Device Information)

When you visit the Site, we automatically collect certain information about your device, including information about your web browser, IP address, time zone, and some of the cookies that are installed on your device. Additionally, as you browse the Site, we collect information about the individual web pages or products that you view, what websites or search terms referred you to the Site, and information about how you interact with the Site. We refer to this automatically-collected information as “Device Information.”

When you visit the Site, we collect Device Information using the following technologies:

• “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org.
• “Log files” track actions occurring on the Site, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps.
• “Web beacons,” “tags,” and “pixels” are electronic files used to record information about how you browse the Site.

You may also explicitly supply us with your name and email address while visiting the Site in order to sign up for newsletters and other communications. We refer to this as "List Information".

1.3. When Using Our Cloud Services (Cloud Information)

When you install or use one of our Cloud Services, including the Lockpoint Cloud service, we may process or collect certain information from Atlassian about users who access our products, which may include a user's name, email address and other attributes from the user's profile, information related to Confluence spaces, pages and attachments, and we may also process information provided by your users' browsers, such as IP addresses and header metadata. We refer to this information as "Cloud Information".

1.4. When Using Our Server or Data Center Products (Server Information)

Other than the Order Information collected at the time of your order (as described in section 1.1), we do not collect any information regarding your use of our Server or Data Center products.

1.5. General (Personal Information)

When we talk about “Personal Information” in this Privacy Policy, we are talking about Order Information, List Information, Device Information and Cloud Information.

2. How Your Personal Information is Used

2.1. Order Information and List Information

2.1.1. Uses of Order Information and List Information

We use the Order Information and List Information that we collect to:

• Communicate with you regarding new features, security issues, and to open or respond to customer inquiries or support tickets;
• When in line with the preferences you have shared with us, provide you with information or advertising relating to our Products or services.

2.1.2. Data Retention of Order Information and List Information

When you evaluate or purchase one of our products through Atlassian, we will maintain your Order Information for our records unless and until you ask us to delete this information, at which point your information will be pseudonymized.

2.2. Device Information

2.2.1. Uses of Device Information

We use the Device Information that we collect from our Site to improve and optimize our Site (for example, by generating analytics about how our customers browse and interact with the Site, and to assess the success of our marketing and advertising campaigns).

2.2.2. Do Not Track

We do not alter our Site’s data collection and use practices when we see a Do Not Track signal from your browser.

2.3. Cloud Information

We use the Cloud Information that we process to supply Cloud services to you, and to send transactional emails that were requested by your users or site administrator.

For Cloud Information, we may process but we do not retain any Personally-Identifiable Information (PII).

A certain amount of Cloud Information is stored by us:

2.3.1. Cloud Information Stored Within the Atlassian Cloud

The majority of Lockpoint Cloud data is stored entirely within the Atlassian Cloud infrastructure. Data stored in the Atlassian Cloud includes information about:

• locks for attachments
• notification requests for attachments
• space-level configuration
• application-level configuration

The data stored within the Atlassian Cloud is automatically GDPR-compliant, meaning that no PII is persisted in specific fields. In particular:

• References to users are stored exclusively via their Atlassian AccountID (and not the user name or display name).
• References to attachments are stored exclusively via their attachment ID (and not the attachment name).

Data in the Atlassian Cloud is stored in the same physical region where your Atlassian instance is configured for data storage.

2.3.2. Cloud Information Stored Outside of the Atlassian Cloud

A limited amount of information is stored outside of the Atlassian Cloud, but entirely within managed services on the Heroku/Salesforce PaaS. We do not store any PII. Data stored here includes:

• Information required for the functioning of the Atlassian Connect platform, including the URL of your site and the corresponding clientKey.
• Logs showing when Lockpoint Cloud was installed and uninstalled on a particular client site.
• Pseudonymized logs of the metadata of transactional emails sent to end users, with recipient email addresses passed through a one-way SHA256 hash before being stored (retained for a maximum of 30 days).
• Records relating an Atlassian AccountID to the user's time zone and locale (language), only for users who explicitly interact with attachment locking features, for the purposes of correctly formatting and localizing dates/times in transactional emails (retained for a maximum of 30 days).
• An audit log containing records of locking-related transactions, including the date, time, AccountID and attachmentID for locking, unlocking, attachment updates and conflicts (retained for a maximum of 30 days).

Data stored outside of the Atlassian Cloud is physically stored within the Heroku platform, which runs on AWS in the United States.

2.3.3. Cloud Information Access Policy

The Lockpoint Cloud service makes the following commitments with regards to data access and your Confluence instance:

• Lockpoint Cloud reads attachment metadata (including attachment name, and metadata related to the containing page and the containing space). We use this data to display information to end users, such as permitting the display of locking status of particular attachments. This and similar types of information are used only in a transient manner, and although the data may occasionally be persisted in short-lived caches for performance reasons, this information is never otherwise stored on our infrastructure.
• Lockpoint Cloud never reads from or writes to the underlying data for a Confluence attachment.
• Lockpoint Cloud reads from and writes to metadata for the purposes of recording attachment lock status and notifications.
• Lockpoint Cloud has the ability to impersonate specific users when making API calls to the Confluence host. This ability is used when displaying lists of attachments, to ensure that the correct permissions are applied and that the user can only see the names of attachments to which the user has permission to view.
• If Lockpoint Cloud is ever uninstalled, deactivated or expired, all locked attachments become automatically writeable by all users. However, the locking metadata is retained and it can be reused upon reinstallation (meaning that locking status will not be lost).

2.3.4. Cloud Information Data Retention

Your Cloud Information may be processed by us, but except as outlined above, it is not collected or retained, other than information which may be temporarily stored in a short-term cache to enable our Products to operate efficiently, or that which may be temporarily registered in an outgoing email queue in order to deliver email notifications to end users. An anonymized and non-personally-identifiable version of certain Cloud Information may be still retained by us for diagnostic and troubleshooting purposes.

In general, Cloud Information stored by us is retained for a maximum of 30 days, unless retaining it for a longer period is essential to the operation of our Cloud service.

2.3.5. Cloud Subprocessors

We may engage one or more subprocessors to collect or process Cloud Information on your behalf. For further details, or if you are governed by the GDPR, see also the Data Processing Addendum (DPA) - Lockpoint Cloud, including a list of current subprocessors in Annex A.

2.4. Server Information

We do not collect or use Server Information, as indicated in section 1.4.

2.5. Nonresponsibility of Atlassian

Atlassian has no responsibility for any Order Information, List Information, Device Information or Cloud Information that may be collected or processed by us.

3. Sharing Your Personal Information

We share your Personal Information with certain third parties to help us use your Personal Information, as described above. For example:

• We use Atlassian to provide order fulfillment, evaluation and licensing services for our products. Atlassian's privacy policy can be found here: https://www.atlassian.com/legal/privacy-policy
• We use Twilio SendGrid to communicate with customers by email. Twilio SendGrid's privacy policy is here: https://sendgrid.com/policies/privacy/
• We also use Google Analytics to help us understand how our customers use the Site. Information about how Google uses your Personal Information can be found here: https://www.google.com/intl/en/policies/privacy/. You may opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout

Finally, we may also share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

4. Your Rights

If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below.

Additionally, if you are a European resident, we note that we are processing your information in order to fulfill contracts we might have with you (for example, if you order one of our Products through Atlassian), or otherwise to pursue our legitimate business interests listed above. Additionally, please note that your information will be transferred outside of Europe, including to Canada and to the United States.

5. Changes

We may update this privacy policy from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons.

CONTACT US

For more information about our privacy practices, please contact us using our support portal, or by mail using the details provided below:

Cenote Labs, Inc.
CP 331 succ Rosemont
Montreal, QC H1X 3C6
Canada