Kerafen Privacy Policy

Privacy Policy

Effective Date: January 1, 2024

To discontinue receipt of communications, please complete the relevant form.

The website kerafen.com (“Website”) is operated by the entity referred to as “we,” “us,” or “our.” We safeguard the personal data of all visitors, recognizing the fiduciary relationship established by the information you voluntarily supply. This Privacy Policy articulates the systematic manner in which we collect, process, distribute, and protect your information throughout the browsing and transactional activities that occur on this Website.

The Policy details the data categories that may be gathered during your visit; the relative purposes for which that data is employed, the security measures employed to protect it, the planned retention period, and the categories of entities to which it may be disclosed. Furthermore, it delineates the rights granted to you by applicable data regulations and the methods by which you may exercise those rights. By accessing or utilising the Website, you affirm that you have read and understood the terms set forth herein and grant us the corresponding consent.

The Policy is incorporated by reference into the Terms of Service applicable to all users of the Website.

1. GDPR Compliance Statement: In accordance with the EU General Data Protection Regulation (GDPR), the Organisation acts as the Data Controller for all personal data gathered from visitors to the Website and from users of the Service. The following measures have been embedded across the Organisation to ensure ongoing adherence to the Regulation:

(a) The Organisation routinely undertakes due diligence to confirm that all third-party recipients of User data maintain a level of GDPR compliance that is commensurate with that of the Organisation itself;

(b) Personal data is structured, classified, and stored in a manner that facilitates the swift and irreversible erasure of all data related to a specified User, in accordance with the User's erasure request;

(c) All processing of collected data is strictly constrained to the purposes specified in the extant Privacy Policy, ensuring minimisation and relevance criteria are met;

(f) Any change to the provisions of the Privacy Policy will trigger an immediate notification to each User, thereby allowing continued and informed exercise of consent; and

(g) The Organisation has designated a Data Protection Officer (DPO) who operates at the internal level, is charged with the supervision of data protection policies, and serves as the designated contact point for any requests concerning data access or deletion.

2. Information We Collect. The platform acquires two primary classifications of data from Visitors:

(a) Personal Data:

(i) Definition and Scope. Personal Data comprises details that can be unequivocally attributed to an individual and, when such data is present, can unambiguously illuminate that individual’s identity. We acquire Personal Data as soon as Visitors fill out any web-accessed contact form. The collected segments typically include, but are not limited to, full name, electronic mail address, telephone number, country, municipality, administrative region, and postal code. Additional data belonging to this classification may surface in direct electronic mail sequences, in User forum narrative, or in chat transcripts.

(ii) Mechanism and Timing of Acquisition. Personal Data accrues through the following channels: (1) completion and transmission of the web form mentioned above; (2) employment of the web-accessed chat reagent; and (3) notification or commentary posted to the User forum. The platform simultaneously records the IP address or the unique identifier of any mobile device in use at the moment of web access. Although, viewed in isolation, such an IP address is not generally classified as Personal Data, the status may convert through eventual association with other data elements, e.g. by linkage to an email or to the transactional logs of chat exchanges.

(iii) Purposes of Using Personal Data. We process Personal Data to facilitate communication with Users and to fulfil requests for assistance. Users’ electronic mail addresses may, in addition to the provision of transactional messages, be used to deliver promotional or marketing communications concerning the Services. The Internet Protocol (IP) address is employed, solely on a statistical basis, to ascertain a general geographic origin for the purposes of rendering notices and disseminating other information mandated by the applicable jurisdiction or regulatory framework.

(iv) Geographic and Technical Storage of Personal Data. Personal Data obtained from Users residing both the United States and other jurisdictions will be directed, upon collection, to cloud storage managed by Amazon Web Services, Inc. The physical location of the data storage nodes may include but is not confined to United States territories or data-processing centres situated in jurisdictions internationally through the framework established by Amazon Web Services, Inc.

(b) General Information: General Information comprises data that is stripped of any identifiers that could link it to an individual, rendering it anonymous. The data points include, but are not limited to, the Internet Protocol (IP) address of the requesting computer, the distinctive identifier of the mobile device, the type of web browser, the name of the Internet Service Provider (ISP) or mobile carrier, and the Uniform Resource Locator (URL) of the preceding page visited prior to entering our domain. The aggregation of these data elements allows us to discern broad, anonymous patterns of site and product use across visitors. The collection is accomplished through the deployment of browser cookies—standard web mechanisms in the form of minute lines of programmable code—that are deposited onto the computer's persistent storage by the web browser and that allow the automatic logging of the aforementioned General Information. The primary operational rationale for the activity is the continual assessment of user affinity for the Service.

(i) Utility of the General Information: The derived General Information offers continuous, quantitative feedback on user navigation within the Service, thereby informing operational decisions related to the service’s maintenance, adaptation, and augmentation. Cookies serve the auxiliary function of personalizing the user journey by retaining minimal state information across discrete user sessions. Further, we have engaged third-party analytical and interaction platforms—specifically Hotjar, Google Analytics, Facebook, and Zendesk—each of which deploys cookies at the individual User level upon site entrance or Service engagement. The cumulative insights derived from the use of these technologies, both in-house and external, contribute to an iterative cycle of performance improvement while maintaining a dispassionate separation from personally identifiable information.

The General Information obtained from Users, both domestic and international, is migrated first to, and then kept in, cloud-based infrastructures operated by Amazon Web Services.

The criteria under which we disclose information is as follows. We refrain from sharing Personal Data with unrelated entities for advertising or promotional activities unless affirmative consent by the User has been secured in advance. We do, however, exchange Personal Data with select counterparties under the following limited circumstances:

(a) Service Providers. We engage multiple delegated service providers to execute specific operational tasks. Personal Data is transferred to these counterparties only to the procedural extent warranted by the designated functions:

(i) Amazon Web Services operates the underlying hosting and storage architecture for the Web platform (review their privacy guidelines);

(ii) ZenDesk supplies integrated customer-service and interactive chat modules (review their privacy guidelines);

(iii) Amazon Simple Email Service manages outbound and inbound email-related communication (review their privacy guidelines);

(iv) Google Analytics supplies aggregated traffic and usage insight through measurement codes (review their privacy guidelines);

(v) Hotjar enables empirical use-testing and interface feedback through session-replay scripts (review their privacy guidelines).

(b) Competent Authorities: Upon lawful request by governmental law enforcement bodies, judicial authorities, or regulatory agencies, we may disclose any data pertaining to our users. Such obligations may encompass the full range of user-related information within our possession. Furthermore, we reserve the right to share Personal Data whenever required to safeguard our legal entitlements or to contest, mitigate, or avoid the risk of legal liability. Any such disclosures will be undertaken within the bounds of the applicable legislation or judicial order, which may or may not afford prior notice to the affected user.

(c) Reorganization Transactions: Purchases, dispositions, or transfers of corporate assets, including any involving a change of ownership, may involve the procurement or divestiture of user-related data as a class of secured assets. Consequently, whenever we elect to divest, acquire, or transfer all or a significant portion of our business assets, or in the hypothetical case of insolvency, bankruptcy, or other disposition of the entire enterprise, Personal Data will likely be encompassed within the assets transferred to the acquiring entity. By continuing to interact with our services, you acknowledge the potentiality of such transfers and the fact that the resulting steward of the data will remain bound by the privacy obligations established in the current Privacy Policy.

(d) Other third parties: Subject to the limitations described elsewhere herein, our company may, in the absence of prior user consent, disclose to third parties any information concerning you or your utilisation of the Service, if we reasonably conclude that such disclosure is necessary, in good faith, to safeguard our legal, proprietary, or personal rights, or those of any affiliate, any user of the Service, or any member of the general public.

4. Safeguards for information: The company utilises technical and organisational measures commensurate with the risk presented to the personal information collected, in order to protect that personal data from unauthorised or unlawful processing and from accidental loss, destruction, or damage. Access to identifiable user data is, in accordance with the principle of least privilege, confined to personnel whose functional responsibilities require such access and to the minimum extent necessary thereto. Nevertheless, no safeguard can ensure absolute security. Accordingly, a residual risk does remain, and the company is unable to warrant that a given data set material to you will remain inviolable. The company further observes that security of any linked third-party web portal cannot be guaranteed since such sites exist outside our operational environment. When you access the Service from a shared computer or from a workstation to which multiple unauthorised parties may have access, we recommend that your log-off commands be executed and that the browser window be closed on conclusion of each Service session.

5. Duration of Information Retention. Personal Data and General Information shall be preserved only for the time required to satisfy a legitimate operational objective or to satisfy a pertinent legal obligation. In specific instances, we may implement techniques for anonymization that sever any remaining link to your identity, thus permitting the continued retention of de-identified data. Should continued retention be impeded by this retention period, we will render such data incapable of re-identification and will preserve it only for the duration required to satisfy the underlying purpose for which it was collected. In addition, you possess the right to effectuate deletion of your data by employing the procedure delineated in Section 6, and we shall respond to such a request in accordance with applicable legal and operational protocols.

6. Your Options and Rights. Users presently enjoy the following alternatives with respect to the manner in which we collect, use, and preserve information, or to otherwise assert entitlements under relevant privacy legislation: (a) All Users: You may instruct us to cease the delivery of non-account-related electronic communications by selecting the “unsubscribe” feature situated at the footer of such messages. You may alternatively convey to our Data Protection Officer a demand that we expunge all information we have gathered about you, in which case we will undertake a deletion of reasonably requested information, or you may limit disclosure of your Personal Data to selected third parties, in which case use of the Website may become restricted or unavailable. (b) EU Citizens: EU citizens are entitled to receive a structured copy of their Personal Data, to demand its deletion, and otherwise to discharge their entitlements under the GDPR. Such requests may be addressed to the Data Protection Officer, will incur no administrative fee, and shall be processed within thirty (30) calendar days.

(c) California Residents: Pursuant to the California Online Privacy Protection Act (“CalOPPA”), California Residents may, upon written request, obtain information about the categories of Personal Data disclosed to third parties for direct marketing, as well as the identities of those third parties, during the preceding calendar year. To remain fully compliant, further inquiries regarding our CALOPPA compliance should be directed to our Data Protection Officer. Please be advised that our obligations under CALOPPA permit us to honor only one request per Resident per calendar year and mandate that all such requests be sent exclusively to our Data Protection Officer.

7. Tracking Technology and Do-Not-Track Disclosures. Our operations include the deployment of applications capable of monitoring user activity over time and across external domains. We are committed to honoring Do-Not-Track signals communicated by standard browser implementations.

8. Age Restrictions. Our Website is designed for an audience eighteen years of age and older; accordingly, we do not knowingly gather Personal Data from individuals below that age. Should we ascertain that an entry has been submitted by an underage individual, we will endeavor to expunge the Data from our systems in an expedited manner.

9. Amendments to this Privacy Policy. The University retains prerogative to revise, amend, or otherwise modify this Privacy Policy at its unfettered discretion. Any revision shall be signalled to all Users via a prominent pop-up notification on the Website. Continued access or use of the Website after the notification shall operate as acceptance of the revised Privacy Policy in its entirety.

10. Inquiries. Should you require clarification regarding this Privacy Policy, or should you wish to review the Personal Data or General Information that we have obtained, please direct your inquiry to the Data Protection Officer. Your rights and privacy are of paramount importance to us, and we shall respond to all questions or concerns in a prompt and courteous manner.

Data Protection Officer Contact: support@kerafen.com