Privacy Policy
1. Introduction
Data protection is of the utmost importance to goTom. We take various technical, organizational and contractual measures within the meaning of Art. 8 FADP and Art. 32 GDPR to ensure that your data is always kept up to date, stored securely and processed in accordance with Swiss and European data protection regulations (in particular the General Data Protection Regulation GDPR). However, whether and to what extent these laws are applicable depends on the individual case. This applies both within our company and in cooperation with our partners and suppliers.
With this privacy policy, we would like to inform you transparently about how we process your data.
- Contact details goTom
- Categories of personal data
- How we process data
- International data transfer
- Interfaces
- Data security
- Storage and deletion of data
- Rights of the data subjects
- Updates to the data protection policy
2. Scope of Application
This Privacy Policy applies to the website and software of goTom AG, Lessingstrasse 11, 8002 Zurich, Switzerland (hereinafter “goTom”). goTom is the author of this Privacy Policy and the owner of the information (data) collected about you under this Privacy Policy.
A. Contact details goTom
We are at your disposal for questions about data protection.
goTom AG
Lessingstrasse 11
8002 Zürich
Schweiz
B. Categories of personal data
The personal data (or personal data according to Art. 5 FADP, used synonymously below) processed by us is divided into the following categories:
- Basic data (e.g. surname, first name)
- Contact data (e.g. telephone, email, postal address)
- Browser and device data, usage data, content data that you transmit to us (e.g. via the contact form, registration for newsletters or trials)
- Location data
- Contact, sales, contract and payment data in our customer relationship management system
- Usage data for product development and communication with customers.
C. How we process data
1. Data that you make available to us
You voluntarily provide us with data in various situations. For example, when you contact us, subscribe to our newsletter, apply for a job or register for a webinar. If you would like to know more about how we process this data, for what purpose and on what legal basis, continue reading under “A. 1. Data you provide to us”.
2. Data processed by us
In order to provide our services, maintain our infrastructure and provide the best possible experience for all parties involved, we also process personal data. If you want to learn more about the purposes and legal basis for this, read more under “B. Data processed by us”.a
3. Data processed by our partners
In order to provide our services, maintain our infrastructure and provide the best possible experience for everyone involved, we work with partners. They also process personal data.
For example, when you visit our website, use the goTom software or as part of our marketing and social media activities. If you would like to find out more about the purpose and legal basis for this, please read “C. Data collected by our partners”.
D. International data transfer
Even if we endeavor to work with Swiss or European providers and, where possible, make European data storage a condition when involving new processors within the meaning of Art. 9 para. 1 FADP or processors within the meaning of Art. 28 GDPR, the outflow of data abroad cannot be completely prevented. You can find out how this is legally implemented by goTom and how your data is also transmitted in a legally secure manner in connection with transfers abroad under “D. International data transmission”.
E. Interfaces
Our software solution optionally integrates with our customers’ third-party systems via interfaces. You can find the data protection aspects of this under “E. Interfaces”.
F. Data security
The data provided to us is treated confidentially and protected against unauthorized access, damage or loss by technical and organizational measures. If you would like to find out more about how we protect your data technically, see “F. Data security”.
G. Storage and deletion of data
We only store the data for as long as is necessary to fulfill the contract. The statutory retention periods and your right to erasure in accordance with Art. 17 GDPR remain reserved, provided that the requirements for this are met “G. Data storage and erasure”.
H. Updates to the privacy policy
We will inform you about adjustments and additions in a suitable form, in particular by publishing the current privacy policy on our website. The processing of customer data is also regulated separately in an order processing contract.
C1. Data that you send us
1. Contact us
You can contact us through a variety of channels, email, chat, social media and webinar registration. We collect your contact details and information from the request. This may be stored in our CRM (Customer Relationship Management) system. This data is only stored for internal use.
1.1 Purpose of the processing
We store personal data in order to be able to respond to your request. In addition, this storage enables us to execute the contract or pre-contractual measures in the event of questions about an existing contractual relationship.
1.2 Legal basis
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures. Data processing is carried out in accordance with the data protection principles pursuant to Art. 6 FADP. We use the Salesforce and Intercom software to manage customer data and answer chat messages. You can find a link to their privacy policies here Salesforce Full Privacy Policy Statement and Intercom Privacy Policy.
2. Register for the newsletter
2.1 Purpose of the processing
Sending news and information about goTom.
2.2 Legal basis
When you subscribe to the newsletter, you give us permission to use your data to send you the newsletter. You also agree to the information described below. On the basis of Art. 7 para. 3 GDPR, you can revoke your consent at any time for the future; for this purpose, you will find an unsubscribe link in every e-mail sent. We use The Rocket Science Group, LLC (Mailchimp) software to send our newsletter. An overview of all partners with whom we work for internal purposes and links to their privacy policies can be found under “D. International data transfer”. We sometimes include visible and invisible image elements in our newsletters, which allow us to determine whether and when the email was opened. This allows us to analyze whether our communication has been read and is relevant to you. You can block this function in your e-mail program. You can find out more about MailChimp’s cookie policy here.
3. Applications
We use the JOIN service for job applications. The software used for this is GDPR- compliant. Employees and sub-processors are obliged to treat the data as strictly confidential. Further information can be found in the JOIN privacy policy. The applicant must also expressly consent to the processing of their data by means of an opt-in procedure and can decide whether they wish to remain in the system in the event of an unsuccessful application in order to be contacted for newly advertised positions.
3.1 Purpose of the processing
We process the personal data provided to us in order to review your application and to take pre-contractual measures and the conclusion of a possible employment contract with you.
3.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP and Art. 6 lit. a GDPR. This consent can also be revoked for the future in accordance with Art. 7 para. 3 GDPR. Contact us using the contact details provided under Contact details. Data processing is carried out in accordance with the data protection principles in Art. 6 FADP.
C2. Data processed by us
1. Cookies
Cookies help to make your visit to our website easier, more pleasant and more meaningful. Cookies are information files that your web browser automatically stores on your computer’s hard disk when you visit our website and use our services.
You have the option of preventing cookies from being stored on your computer by making the appropriate browser settings or by making specific settings here.
2. Website
When you use our website, information that your browser transmits to us is automatically collected and stored. These are:
- Browser type and browser version
- Operating system
- IP address
- Referrer URL
- Hostname of the computer
- Date of request
When using this data, we do not draw any conclusions about your person.
2.1 Purpose of the processing
The data is required, for example, to correctly deliver the content of our website, to ensure the functionality of our website or to provide law enforcement authorities with the relevant information in the event of a cyber attack. The anonymous data of the server log files are stored separately from your personal data.
2.2 Legal basis
We base the collection of this anonymized data on the legitimate interest of a functioning website in accordance with Art. 6 para. 1 lit. f GDPR.
3. Customer data (CRM)
Data is stored in our CRM solution Salesforce for communication with customers and leads. You can find out more about data protection at Salesforce under Salesforce Privacy Policy. Data is deleted at or at the end of the statutory retention periods, which vary from country to country. Data processing is carried out in compliance with the data protection principles in accordance with Art. 6 FADP.
C3. Data collected by our partners
If we involve partners, this is done in accordance with the requirements of Art. 5 GDPR and Art. 28 GDPR or Art. 5 lit. K or Art. 9 FADP.
1. When visiting the website
In order to be able to operate a website technically, certain technical requirements are necessary for which we are dependent on partners.
1.1 Hosting
1.1.1 Purpose of the processing
Our hosting provider Cyon provides us with hosting infrastructure such as database services, computing capacity, security services and storage space as well as technical maintenance services, which we use for the purpose of operating our website.
Cyon is an offer from Cyon GmbH, Brunngässlein 12, 4052 Basel, Switzerland. You can find Cyon’s privacy policy here.
1.1.2 Legal basis
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures.
1.2 Albacross
1.2.1 Purpose of the processing
On the website, we use Albacross, a service provided by Albacross Nordic AB, Kungsgatan 26, 111 35, Stockholm, Sweden, to analyze website access. By giving your consent, you agree to the processing of personal data on behalf of Albacross Nordic AB (“Albacross”). Information from cookies stored in your device that is considered personal data is processed by Albacross. This includes information about the IP address from which you visited our website, as well as technical information that enables Albacross to distinguish different visitors from the same IP address. Albacross stores the domain from the form input in order to correlate the IP address with your employer. This process provides us with information about the employers of people who have viewed our website. This helps us to generate new leads. For comprehensive information on the processing of personal data, please refer to Albacross’ full privacy policy.
1.2.2 Legal basis
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures.
1.3 LinkedIn
1.3.1 Purpose of the processing
Our website uses the tracking script “LinkedIn Insight Tag” from LinkedIn Ireland Unlimited Company. This script creates a cookie in your web browser that enables the collection of the following data, among others: IP address, device and browser properties and page events (e.g. page views). You can opt out of this use via our cookie banner when you first visit our website. This data is encrypted, anonymized within seven days and the anonymized data is deleted within 90 days. LinkedIn does not share any personal data with goTom, but offers anonymized reports on the website target group and display performance. In addition, LinkedIn offers the possibility of retargeting via the Insight Tag. goTom can use this data to display targeted advertising outside its website without identifying you 7 as a website visitor. You can find more information on data protection at LinkedIn in the LinkedIn privacy policy. LinkedIn members can control the use of their personal data for advertising purposes in their account settings. To deactivate the Insight tag on our website (“opt-out”) click here.
1.3.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP and Art. 6 lit. a GDPR.
2. When visiting the website or calling up our software
2.1 Hosting
2.1.1 Purpose of the processing
The goTom software is hosted on the Digital Ocean Platform. Digital Ocean is a service provided by DigitalOcean Holdings, Inc. Specific Digital Ocean privacy information can be found here.
When using the goTom software, the following categories of personal data are stored in goTom: first name, surname, email address, gender for goTom users and for customer contact persons. The following additional data is recorded for contact persons: Company name, date of birth and activities (call notes). Our customers receive detailed information in the Data Processing Addendum, which forms part of the SaaS contract concluded with goTom. The data is stored in an encrypted private cloud and the transmission to Digital Ocean is also secured with 256-bit AES encryption.
2.1.2 Legal basis
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures.
2.2 Backups
2.2.1 Purpose of the processing
To fulfill our Service Level Agreement (SLA), the data stored in our software is backed up several times a day to the following providers:
- Amazon Web Services, Inc.
- Akenes SA (Excoscale)
The data will be deleted at the latest at the end of the SaaS contract term. At the customer’s request, the data can also be deleted earlier.
2.2.2 Legal basis
The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures.
3 Google Analytics
3.1 Purpose of the processing
We use the Google Analytics service from Google Inc (“Google”) to analyze our website traffic. Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. If you have registered with the service provider yourself, the service provider also knows you. The processing of your personal data by the service provider is then the responsibility of the service provider in accordance with its data protection provisions. You can opt out of this use via our cookie banner when you first visit our website. You can generally object to the collection and processing of this data by Google Analytics by installing a browser add-on to deactivate Google Analytics.
3.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP and Art. 6 lit. a GDPR.
4 Google Tag Manager
4.1 Purpose of the processing
Our website uses Google Tag Manager. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Tag Manager is a solution that allows website tags to be managed through an interface. The Tag Manager tool (which implements the tags) is a cookieless domain and does not collect personal data. The tool handles the forwarding of data and the triggering of other tags, which in turn can collect data. Google Tag Manager does not have access to this data. If deactivation is done at the domain or cookie level, it remains in effect for all tracking tags implemented with Google Tag Manager.
4.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP or Art. 6 lit. a GDPR.
5 Mailchimp
5.1 Purpose of the processing
goTom uses the technical service provider Mailchimp to send email campaigns, in particular newsletters. Mailchimp is a service provided by The Rocket Science Group, LLC, 512 Means Street, Suite 404 Atlanta, GA 30318, USA. Mailchimp offers extensiveanalysis options on how goTom’s newsletters are opened and used. Further information on Mailchimp’s data protection can be found here: mailchimp.com/legal/privacy/
5.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP and Art. 6 lit. a GDPR.
6 Intercom
6.1 Purpose of the processing
The chat function on our website, in the application and the Help Center at help.gotom.io are provided by Intercom. 2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2. The data is stored at Amazon Webservices in the USA.
6.2 Legal basis
The chat function is a quick and convenient way for our customers to get in touch with us. These are legitimate interests pursuant to Art. 6 I lit. f GDPR. You can find more
information about Intercom’s privacy policy here.
7 Sendgrid
7.1 Purpose of the processing
We use Sendgrid, a service provided by Twilio Inc. based at 101 Spear Street, 1st Floor, San Francisco, California, 94105, United States of America, to send emails from our application to recipients. For this purpose, we transmit the e-mail address to the Sendgrid servers. You can view the corresponding privacy policies of Twilio Inc. here.
7.2 Legal basis
Sending emails is part of our software solution. The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures.
8 Datadog
8.1 Purpose of the processing
The functions of the Datadog service are integrated into our application. Datadog is a monitoring system from the American company Datadog, Inc, 620 8th Ave, 45th Floor, New York, NY 10018 USA. The system notifies our development team of possible errors in the application. Log data is transmitted to Datadog, Inc. for this purpose. Further information on the collection and use of data by Datadog, Inc. can be found here.
8.2 Legal basis
Error-free software is part of our service promise. The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures
9 Favro
9.1 Purpose of the processing
For the development of our application we use the internal task management tool Favro, located at Drottninggatan 2, SE-753 10 Uppsala, Sweden. We use the system for internal collaboration between developers and product management. For example, specifications and error descriptions are recorded in Favro. In rare cases, personal data (e.g. information about users of our application) may be stored in Favro. Further information on the collection and use of data by Favro AB. can be found here.
9.2 Legal basis
The further development of our software is part of our service promise. The basis for data processing is Art. 6 para. 1 lit. b GDPR, which allows us to process data for the performance of a contract or pre-contractual measures.
10 Google Workspace
10.1 Purpose of the processing
We use Google Workspace from Google Inc. (“Google”) for communication with our customers (email), storage of files or for video telephony.Further information on the collection and use of data by Google Inc. can be found here.
10.2 Legal basis
The Google Workspace solutions enable us to communicate with our customers and handle our day-to-day business. These are legitimate interests pursuant to Art. 6 I lit. f
GDPR.
11 Heyflow
11.1 Purpose of the processing
We create the registration page for trials or webinars with the software of Heyflow GmbH.
Further information on the collection and use of data by HeyFlow GmbH can be found here.
11.2 Legal basis
We base our data processing on your consent in accordance with Art. 6 para. 6 FADP or Art. 6 lit. a GDPR.
D. International data transfer
Whenever possible and economically justifiable, goTom endeavours to work with providers from Switzerland, the EEA or the EU, or with countries for which the Federal Council has recognized an adequate level of data protection in accordance with Art. 16 FADP or the EU Commission in accordance with Art. 45 of the GDPR.
Alternatively, data is transferred on the basis of standard contractual clauses in accordance with Art. 16 para. 2 lit. b FADP or Art. 46 GDPR. We are aware that the judgment of the European Court of Justice C-118-311 of July 16, 2020 declared the Privacy Shield invalid and requires our sub-processors to implement the new standard contractual clauses published by the EU Commission on June 4, 2021.
goTom has conducted an internal Data Transfer Impact Assessment. Based on the data processed by goTom and the security measures taken by us and our partners, we have come to the conclusion that the risk of data access by the US authorities is considered to be very low for reasons of national security. An internal process has been established in the event of a request from the authorities.
We work exclusively with reputable partners who share our conviction regarding the importance of data protection. The guarantee of data protection is also contractually ensured by data processing agreements with our partners and suppliers.
You can find an up-to-date overview of our partners and their data storage locations here.
E. Interfaces
When using the optionally available interfaces of goTom or when connecting your own instance to the software of a third-party provider (e.g. ad server), data is exchanged between goTom and the third-party system. The data exchange takes place within the scope of the tasks to be fulfilled. By using the interfaces, the customer declares his explicit consent to this data exchange in accordance with the provisions of this privacy policy.
F. Data security
Data security is very important to us, as we store sensitive customer and sales data in our software, we are aware of our responsibility. We implement comprehensive technical and organizational measures to ensure the security of data. In addition, we only work with renowned companies that meet high data security requirements and have the relevant certifications. Furthermore, all employees are subject to a confidentiality agreement, which also includes a note on data protection.
1. Access
Our software is accessed via transport encryption (SSL / TLS, in particular with the Hypertext Transfer Protocol Secure, abbreviated to HTTPS).
Even if the data is stored locally with us, it is in safe hands. All our devices have encrypted hard disks. We also store data that we process locally with Google (Workspace), which has extensive security guidelines.
2. Access Management
Access is based on the need-to-know principle and is role-based. In addition, all access management issues are documented in an internal guideline. All employees are also subject to a confidentiality obligation.
3. Data Availability
The data is provided on demand and backed up several times a day in encrypted form to various cloud providers so that the data is available at all times.
G. Storage and Deletion of Data
When using the goTom software, personal data of employees and contact persons of the end customer are naturally transmitted to goTom. goTom handles these data with appropriate care and ensures their security in accordance with the standards in this data
protection declaration. The end customer declares its consent and releases goTom from any possible claims by employees of the end customer against goTom. The end
customer further declares that it bears sole responsibility for informing its employees regarding the possible storage, use and processing of data by goTom in accordance with the guidelines in this data protection declaration. If individual employees of the end customer do not agree with the intended data processing, the end customer is responsible for deleting the respective data of its employees in its goTom application accordingly.
We respect your data and only store it for as long as is absolutely necessary for the intended purpose (principle of data minimization in accordance with Art. 5 lit. c GDPR and Art. 6 para. 3 FADP). We process and store your personal data for as long as is necessary for the fulfillment of our contractual and legal obligations or otherwise for the purposes pursued with the processing, i.e., for example, for the duration of the entire business relationship (from the initiation, processing to the termination of a contract) and beyond that in accordance with the statutory retention and documentation obligations. In the case of data that you have provided to us as part of an order, we delete the data in accordance with the provisions of the main contract. Personal data is only collected, processed and used insofar as it is necessary for the establishment, content or modification of the legal relationship (inventory data). This is done on the basis of Art. 6 para. 1 lit. b GDPR, which allows us to process data for the fulfillment of a contract or pre-contractual measures. At the customer’s request, the data will also be stored for longer. The right to erasure in accordance with Art. 17 GDPR is always reserved, provided that the legal requirements for this right are met. In principle, shorter retention periods of twelve months or less apply to operational data (e.g.system protocols, logs).
H. Rights of the data subjects
You have the right to information, correction, deletion, the right to restrict data processing and otherwise to object to our data processing, in particular for the purposes of direct marketing or other legitimate interests in processing, as well as to the disclosure of certain personal data for the purpose of transfer to another body (so– called data portability) within the framework of the data protection law applicable to you and insofar as provided for therein (such as in the case of the GDPR). Please note, however, that we reserve the right to assert the restrictions provided for by law, for example if we are obliged to store or process certain data, have an overriding interest in doing so (insofar as we are entitled to invoke this) or need it to assert claims. If you incur costs, we will inform you in advance. Please note that the exercise of these rights may conflict with contractual agreements and this could have consequences such as premature termination of the contract or cost consequences. We will inform you in advance if this is not already contractually regulated.
The exercise of such rights generally requires that your identity is clearly proven (e.g. by a copy of your identity card, where your identity is otherwise not clear or cannot be verified). To assert your rights, you can contact us at the address given in section 1 /it A. Every data subject also has the right to enforce their claims in court or to lodge a complaint with the competent data protection authority. The competent data protection authority in Switzerland is the Federal Data Protection and Information Commissioner (http://www.edoeb.admin.ch).
I. Updates
We may amend and supplement this Privacy Policy at any time. We will inform you of such amendments and additions in an appropriate form, in particular by publishing the current privacy policy on our website.