Kantega SSO Privacy Policy 

[02 August 2023 version,  with self-hosting regulation] 

1. Introduction 


We, Kantega SSO AS, business registration no. 921 336 195, Bassengbakken 4, 7042 Trondheim, Norway (“Kantega”), strive for full transparency of the way we process personal data for you when you use our products and services. 

In this privacy policy, we explain, among other things, what information we collect, why we collect it, and how we use the information that we process when you 

  • use our services and applications (collectively, “apps”) we make available in the Atlassian Marketplace, see below,  
  • visit our website, or
  • contact us for support. 

If you self-host our apps, this privacy policy applies only to any support provided. See sec. 2.4.  

We are the controller of the personal data that we process unless otherwise stated in this privacy policy or any applicable data processing agreement .  

 If you have any questions about the privacy policy or any other questions regarding our privacy practices, please contact us at privacy@kantega-sso.com. 

 

2. What kind of data do we collect and why? 


2. 1 When you visit our website 

When you visit our website, we collect the following information from your device: 

  • IP address, 
  • date and time of the access, 
  • name and URL of the accessed file, 
  • browser type and version, and 
  • further information sent by the browser (such as your computer’s operating system, the name of your access provider, geographical origin, etc.).

We only process these data to ensure trouble-free connection to the website, comfortable use of our website, for evaluating system security and stability, and for administrative purposes, unless otherwise stated in sec. 2.7 (cookies) and 3.1.3 (YouTube). The processing is necessary for the performance of a contract with you or to fulfill requests (General Data Protection Regulation (GDPR) art. 6 (1) b). 

Please note that we are not responsible nor can control how third parties’ websites that we link to from our website process personal data. 

Processing on our website is mainly based on cookies. For information about how long we store data through cookies, please see sec. 2.7 and our cookie policy.  

 

2.2 Onboarding of new customers 


When you install one of our apps, we process: 

  • email address, 
  • customer location,
  • company name, and 
  • name of the purchaser. 

The processing is necessary for the performance of a contract to which the legal entity that you represent is a party. 

The legal basis for the processing is the performance of our contract with you (GDPR art. 6 (1) b). 

Duration of processing is for as long as you use any of our apps and further in accordance with legal requirements that apply to our business, such as bookkeeping requirements.  
 

2.3 When you use our supplier-hosted Atlassian Cloud apps 

When you use our apps that we make available in Atlassian Cloud (supplier-hosted)  center, we process the following personal data: 

  • user ID in Atlassian services 
  • user details that you have registered in Atlassian like email address, position, telephone number, etc, and
  • technical and behavioural data, such as user events and log files.  

The above data is hosted by Atlassian.  

We process the personal data to authorize and onboard new users and provide our service in accordance with customer agreements and the users’ instructions. We perform such processing a data processor, subject to the relevant data processing agreement. 

We collect personal data as a data controller, including: 

  • user ID in Atlassian services 
  • technical and behavioural data, such as user events and log files, and/or  
  • user feedback.

When we collect such personal data, the purposes are analytics and product development and security. For instance, we want to analyse how you and others use our apps so that we can gain insights about usage patterns and the needs of our users. Such data are de-identified and processed on an aggregated level so that you or other users are not identified.  

The legal basis for this processing is our legitimate interest (GDPR art. 6 (1) f). You can, however, opt out of processing of technical and behavioural data and it is voluntary to provide us with feedback. 

Duration of processing of data used for analytics and product development is 36 months so that we can see how our products are used over time.  Duration of processing for data used for security purposes are 18 months or less.  

2.4 When you self-host our apps 


If you operate our apps on premises or otherwise under your control, such as with your cloud or data center provider (self-hosting), we will process personal data on your behalf only if we provide you with support. If so, see sec. 2.5 (support) and any applicable data processing addendum for support.  

2.5 Support 

We offer support through three different channels based on your choice: 

To provide you with support, we will collect: 
  • your name, 
  • email address, 
  • IP address, 
  • country of residence, 
  • relevant product information, and 
  • other personal data you choose to share with us,
 

in order to answer your questions or respond to your request, comment, or complaint. 

The processing is necessary for the performance of a contract with you (GDPR art. 6 (1) b). 

Duration of processing depends on the nature of the support request. If you stop using our apps, we typically delete personal data included in support request after six months after termination or up to three years in cases of disputes. 

2.6 Marketing communications and social media 

If you sign up for our newsletters, attend one of our events or we otherwise send you marketing communication in accordance with our customer relationship, we process the following personal data: 

  • your name, 
  • email address,  
  • company name 

We process such personal data to register you in our CRM system and send you marketing communication. The legal basis for this processing is legitimate interest (GDPR art. 6 (1) f). You may opt-out of receiving marketing communication by using the unsubscribe functionality in the message you receive from us.  

We also use marketing services from third party providers, including social media providers, to engage with or show you relevant ads on their platform. Our processing is based on our legitimate interest in reaching customers and potential customers (GDPR. Art. 6 (1) f). Please refer to sec. 3.1.1 (Facebook and LinkedIn), 3.1.2 (Twitter) and 3.1.3 (YouTube) for more information.  

Duration of processing is as long as you use one of our apps and a period after (six to 12 months) or until you opt-out of receiving marketing from us.  

2.7 Disputes 

We may process personal data which are necessary in connection with disputes. Personal data for this purpose is processed because we have a legal obligation to do so, cf. GDPR Art. 6 (1) c), or based on our legitimate interest in documenting and promoting our view in the event of a dispute, cf. GDPR art. 6 (1) f). 

Duration of processing depends on the nature of dispute and any legal obligations we need to consider, such as bookkeeping requirements.  
 

2.8 Cookies 

A “cookie” is a piece of data sent from a website that is visited and stored locally on your browser. The purpose of cookies is to maintain data related to user preferences, account settings, and evaluate and compile statistics about user activity. Please find our list of cookies we use on our website and other services here. 

You can choose whether to accept cookies by editing your browser settings. However, if cookies are refused, some features on our website may not work as intended.  Information about the procedure to follow in order to enable or disable cookies can be found at: 

For more information about other commonly used browsers, please refer to http://www.allaboutcookies.org/manage-cookies/. 
 

3. Where we process your data/Third parties 

3.1 Service providers 


We use third-party services for analytics, marketing, support and hosting. 

We will only process your personal data with third parties as described in this privacy policy and do not sell any personal data. The third parties will be responsible for any processing of personal data for their own purposes. Please find links to their privacy policy under the description of each third party below. If a third party uses cookies and similar technologies to collect information about activity on our website, you can find more information in our list of cookies and in sec. 2.7 above.

3.2 Facebook and LinkedIn 

We have an account on Facebook and LinkedIn to present our products and Kantega. 

Facebook and LinkedIn allow us to see posts, likes, followers, comments, messages, as well as aggregated statistics to help us understand the visitor’s actions on our pages. Facebook and LinkedIn process personal data in the USA and other countries listed in their privacy policy. The European standard contractual clauses are the legal basis for the transfer.  

Kantega will be the controller of the personal data we process for our own purposes of advertising and communication through Facebook and LinkedIn. However, the social platforms will be the controller of the personal data they process for their own purposes. 

Please read more about what information Facebook and LinkedIn process in their privacy policies. 

3.3 Twitter 

We use Twitter to present our products and Kantega. The only personal data we can see is your interactions with our tweets. 

Kantega will be the controller of the personal data we process for our own purposes of advertisement and communication through Twitter. However, Twitter will be the controller of the personal data it processes for its own purposes. 

Twitter processes personal data in the USA and other countries listed in their privacy policy. The legal basis for the processing is the European standard contract clauses. Kantega will be the controller of the personal data we process for our own purposes through YouTube. However, Google will be the controller of the personal data it processes for its own purposes. 
 

3.4 YouTube 


We use YouTube (Google app) to show videos on our website for providing our users with instructions, advertising, and analytical purposes.   

We can see the usernames of our followers and anyone who comments on our videos. Any comments will automatically be deleted after 60 days. YouTube does not share personal data with us but provides us with analytics of the users who watches our videos. 

YouTube processes personal data in the USA and other countries listed in their privacy policy. The legal basis for the processing is the European standard contract clauses. 

Read more:  https://policies.google.com/privacy?hl=en 

 

3.5 HubSpot 

 We use HubSpot as a content management system (CMS) to host our website and publish content. See sec. 2.1.  ‘When you visit our website,’ to see what personal data is processed on the website. We have attempted to configure HubSpot in a privacy-friendly way, including limiting the tracking functionality  

We also use HubSpot as a customer relationship management (CRM) system to provide important communications and updates to our existing customers, track leads that can sign up to newsletters and otherwise maintain connections with our leads and customers. When managing contacts in the CRM, we process your email, name, company and work position.  

The personal data on our site is stored in the EEA. Read more: https://legal.hubspot.com/privacy-policy 
 

3.6 Atlassian 

 We use Atlassian Jira Service Management to manage support requests. User’s name and email address, technical information like logs and system configuration, as well as contextual information provided by the end-user, is collected to provide customer support when customers open a support request via Kantega’s support portal or email. Read Atlassian’s privacy policy for more information: https://www.atlassian.com/legal/privacy-policy. 

4 .Safety measures 


The protection of your personal data is a high priority for us. Our security measures include physical, technical, and organizational measures. Everyone at Kantega who handles personal data has received training and guidance on how to handle personal data safely and are bound with confidentiality obligations. We adopt industry-standard software and guidelines to protect your personal data and other confidential information. Our organization follows industry best practices for ensuring the confidentiality, integrity, and availability of your data. For more information, see info on our security practices. 
 

5. For how long do we store personal data 


We will retain and use personal information as necessary to comply with legal obligations, resolve disputes, and to deliver our services in accordance with customer agreements or otherwise as long as necessary for the purpose of the processing. For further details see the various purposes under sec. 3 above.  

Most of the apps we provide as well as our support service desk are delivered on Atlassian cloud infrastructure which we do not control, and Atlassian will process and store personal data as a data controller or as your data processor. We encourage you to read Atlassian`s privacy policy for further information about how long they store personal data.   

 

6. Your rights as a data subject 


Subject to applicable law, you may have certain rights with respect to our processing of your personal data. 

We will provide you with the right to have access to a copy of, rectify, correct, and update the personal data that we have about you in accordance with GDPR chapter 3. You may also have the right to restrict processing or have your data deleted. If our processing is based on your consent, you may also withdraw any consents you have given at any time. Please contact us at privacy@kantega-sso.com.. 

You may also opt-out of certain processing activities as described in sec. 2.3 and 2.5. 

Please let us know if you consider that our processing of your personal data infringes applicable law. 

If you believe that we process your data in violation of your rights, you have the right to complain to the Norwegian Data Inspectorate (“Datatilsynet”). You should always contact us before sending a complaint to Datatilsynet so that we can try to resolve or clarify the issue. 

7. CCPA and other US privacy laws 

 

If you are a California resident, there are some additional rights that may be available to you under the California Consumer Protection Act (“CCPA”). Depending on which state you live in, on the other US state privacy laws may also give you rights with regards to how we process your personal data.We inform specifically that we do not sell or share information under the CCPA.   

8. Changes in the privacy policy 


We may update our privacy policy based on changing business practices, technology, and legal requirements. Any such changes will be posted on this page. If we make a significant change in the way we use or share your personal information, you will be notified via email and/or through other prominent notice within at least 30 days prior to the changes taking effect.