- Last updated at December 6, 2021
Time to read: 20 min
Here are the types of information that we collect about you and how we collect it from you:
We may automatically collect certain information from you, including certain technical information from your computer or mobile device when you use certain Services, such as your Internet Protocol address, your web browser type and version, the name and version of your operating system, the pages you view on the Website, the pages you view immediately before and after you access the Website, and the search terms you enter on the Website (if any). This information allows Ory to provide the Website to you, and to improve the Business Operations, the Website, and the Services.
The Services may use certain data collection technologies that rely on: (i) beacons; (ii) pixel tags and object hyperlinking tags; and (iii) other means to link an object to an Internet address, a remote software application, a remote database, or other remote means of receiving or processing information. We may use these technologies to tell us what portions of the Services have been visited or to measure the effectiveness of searches that users perform via the Services. We will always ask for your consent before we use these technologies to collect data that is stored on your device.
We may provide you with the ability (either directly or through a third-party service that may include social media channels) to engage with us and others in public exchanges, and these may include opportunities for you to provide comments, reviews, recommendations, information related to the Services, and other input (collectively, “User-Generated Content”). Please understand that anything you supply as User-Generated Content will be accessible to others to read, collect, re-publish, and otherwise freely use. We will only take down, remove, or edit User-Generated Content in our sole discretion, except as required by applicable law. If you include any information relating to others in your User-Generated Content, then you represent that you have full permission and authority to do so.
We may also collect, process, and use information that does not identify you or your devices, and which is neither stored on your device or already present on your device, including information that has been made anonymous by: (i) removing identifying fields and aggregating the information with other information so that individuals cannot be re-identified, or (ii) anonymizing the information with techniques (such as via GA4) that remove or modify the identifying data so as to prevent re-identification of the anonymized information (collectively, “Anonymous Information”). Information that meets these criteria might include, for example, demographic information, statistical information (e.g., page views and hit counts), and general tracking information.
We use your Personal Information for Business Operations. This includes, providing you with the Services you request or access, such as accessing or using the Services, creating and managing your user accounts, and communicating with you about our Services.
We may use your Personal Information and Anonymous Information to perform internal administration, auditing, operation, and troubleshooting in connection with Business Operations, including to evaluate and improve our Services, and to develop and test Services.
If you submit your Personal Information to us, we may provide you with information about Business Operations and the Services or required notices. Ory does not sell or share your Personal Information with other companies for purposes of marketing their goods or services to you. In some jurisdictions, you have the explicit right to request that we do not share your Personal Information with, or sell your Personal Information to, certain third-parties, and we will honor such requests in accordance with applicable law.
We may use your Personal Information for safety and security purposes, including sharing of your information for such purposes, when it is necessary to pursue our legitimate interests in ensuring the security of Business Operations and the Services, including detecting, preventing and responding to fraud, intellectual property infringement, violations of agreements with Ory or its service providers, violations of law or other misuse of the Services. We may also share your Personal Information when we believe, in good faith, that disclosure is necessary to protect our rights, the rights of other users of the Services, the integrity of the Services, your safety, or the safety of others.
We may have a legal obligations to collect, use, retain, or process your Person Information. If those obligations exists, then we will use your Personal Information to satisfy such obligations.
We use your Personal Information to respond to your requests through various channels (which may include in person, email, phone, and chat).
We may seek for your consent to use your Personal Information for additional purposes that we communicate to you.
We may engage third-party service providers to perform functions on our behalf, and these may include maintaining the Website or App, responding to and sending email or other messages, data analysis, and other functions useful to Business Operations or the Services. Such third-party service providers will have access to Personal Information to the extent needed to perform their function, but will not be permitted to use Personal Information for other purposes.
We may engage attorneys, accountants, and other consultants and subject matter experts to advise and assist it in connection with the Services. We will provide such consultants with access to Personal Information to the extent needed to perform their function, but will not permit them to use your Personal Information for purposes unrelated to their engagement with us.
We may disclose Personal Information about you to others: (i) if we have your valid consent to do so; (ii) to comply with a valid subpoena, legal order, court order, legal process, or other legal obligation; (iii) to enforce any of our terms and conditions or policies; or (iv) as necessary to pursue available legal remedies or defend legal claims.
Securing and storing your information is important to us. In this Section, we describe how we store and secure your information.
We have implemented reasonable measures to protect your information from unauthorized access, use or disclosure. Ory maintains administrative, technical and physical safeguards designed to protect the collected information that are appropriate to the nature, size, and complexity of our Business Operations. Ory is not responsible for the security of information that you transmit over networks that Ory does not control, including the Internet and wireless networks. Retention. Ory retains information (including associated Personal Information) in accordance with applicable law and accepted retention practices. We will keep your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including any legal, accounting or reporting requirements. In particular:
Ory retains information (including associated Personal Information) in accordance with applicable law and accepted retention practices. We will keep your Personal Information for as long as necessary to fulfill the purposes for which we collected it, including any legal, accounting or reporting requirements. In particular:
- Personal Information that we use to provide our Website to you will generally be deleted or anonymized immediately after you leave our Website. In case of actual or suspected security incidents, we may keep the relevant information for up to seven days in order to investigate said incidents.
- Personal Information processed for the purpose of performing a contract will generally be kept during the term of the contract and the subsequent statute of limitation period for claims arising out of the contract.
- If there is a legal obligation to retain Personal Information, in particular for tax purposes, Personal Information will be kept for as long as required by the applicable laws.
Ory is committed to empowering you to understand the information we have about you. In addition to any additional legal rights you may have that are described in Section 8.2 (United States State-Specific Notices Regarding Your Privacy Rights) and Section 8.3 (EEA-Specific Notices Regarding Your Privacy Rights), if you wish to review, correct, or request that we delete information about you (including incorrect Personal Information), you may send a written request to Ory using the contact information provided in Section 13 (Contact Information). Please understand that we may not be able to change or delete your information if the information is necessary for our Business Operations or necessary for compliance with applicable law.
- To enable and support security features, prevent fraud, and protect your data from unauthorized access.
- To enable features and help us provide you with personalized content.
- To analyze how you use the Website and to monitor site performance. These Cookies help us to identify and fix errors, understand and improve services, research and test out different features, and monitor how you reached the Website.
Ory uses the following third-party Cookies on the Website:
|Google Analytics||Required||2 years||Analytics services designed keep track of page traffic and user behavior while browsing the Website. We use this data internally to improve and enhance the usability and performance of the Website. Disabling this Cookie makes it more difficult for us to understand how our Website is being used and improve and enhance the Website.|
|Hubspot||Required||13 month||HubSpot develops cloud-based, inbound marketing software that allows businesses to transform the way that they market online|
|Google Tag Manager||Functional||N/A||Google Tag Manager allows us to determine how effective our advertising campaigns have been by measuring how many users arrived at our Website via external advertisements for our Services.|
|LinkedIn Insight Tag||Advertising||30 days||This Cookie allows us to determine how effective our LinkedIn campaigns are by measuring how many users have clicked prompts on LinkedIn to arrive at our Website.|
|Twitter Insight Tag||Advertising||30 days||This Cookie allows us to determine how effective our Twitter campaigns are by measuring how many users have clicked prompts on Twitter to arrive at our Website.|
If you have chosen or otherwise consented to receive, bulletins, updates, or other marketing-related materials, we will provide you with the ability to decline – or “opt out” – of receiving such communications. instructions for opting-out will be provided if and when we determine to send you such a communication. For example, if you no longer wish to receive email messages from us, you can opt out of this Service by either (i) following the “unsubscribe” instructions located near the bottom of each email message, or (ii) contacting us as provided in Section 13 (Contact Information). Opt outs will be free of charge; however, your telecommunications provider or the postal service may charge you normal rates for sending us your opt out request. Please understand that we may continue to communicate with you in connection with administrative notices concerning any transactions, operation of the Services and legal notices.
Shine the Light Law
California law requires certain businesses to respond to requests from California users who ask about business practices related to disclosing Personal Information to third-parties for direct marketing purposes. The California “Shine the Light” law further requires us to allow California residents to opt out of certain disclosures of Personal Information to third-parties for their direct marketing purposes.
California Consumer Privacy Act Disclosure
The California Consumer Privacy Act (the “CCPA”) provides various rights to individuals and households with respect to the collection and use of Personal Information that we have collected about California residents. We use the term “resident” to refer to a California resident to whom the CCPA applies. Among other rights under the CCPA, as further set out in this Section, a resident has the right to request that we (i) disclose to the resident Personal Information that we have about such resident (including Personal Information about such resident that is sold), and (ii) subject to certain exceptions, delete Personal Information that we have about such resident. A resident may request a copy of the following using the mechanism set out in Section 8.2.3 (Submission of a Consumer Request): (a) the categories of Personal Information we collected about such resident; (b) the categories of sources from which the Personal Information is collected; (c) the business or commercial purpose for collecting or selling the Personal Information; (d) the categories of third-parties with whom we share Personal Information; and (e) the specific pieces of Personal Information we have collected about such resident. A resident may submit a request for such information no more than twice in any twelve (12) month period, and our disclosure of such requested information shall only cover the twelve (12) month period preceding our receipt of such request. Additionally, a resident may request that we delete such resident’s Personal Information using the mechanism set out in Section 8.2.3 (Submission of a Consumer Request). A resident’s rights as to such deletion requests are set out in Section 6.3 (Reviewing, Deleting, or Correcting Information).
Submission of a Consumer Request
We are in the process of implementing methods for residents to submit requests to us to access or delete their Personal Information. In the interim, please submit such requests to the email address provided in Section 13 (Contact Information). We will respond to your request within forty-five (45) days or as permitted by applicable law.
Other California Disclosures
We do not provide a financial incentive or a price or service difference to customers in exchange for the retention or sale of their Personal Information. We may send promotions and other offers to those individuals subscribing to our marketing communications and, unless an individual has opted out of such communications, the individual will continue to receive such communications irrespective of whether a disclosure, deletion, or “Do Not Sell” request has been submitted. We do not offer financial incentives to deter customers from making such requests.
- We do not illegally discriminate against any customer for exercising their privacy rights.
- If you are a job applicant submitting Personal Information to us in connection with an application for employment, you will be provided with a privacy notice regarding how we handle such information as part of the application process.
- If you have any questions about our privacy practices in connection with the California Consumer Privacy Act, please contact Us as directed in Section 13 (Contact Information).
For Nevada residents, please note that We do not sell personal information as defined by Nevada law. You can submit a request to Us as set out in in Section 13 (Contact Information).
If you wish further information concerning privacy policies in general, you should visit the following site: www.ftc.gov/privacy/index.html.
Regulation (EU) 2016/679 (General Data Protection Regulation) (“EU GDPR”) EEA, i.e., the European Union, Iceland, Liechtenstein and Norway when accessing our website or being offered products or services by us. It also applies where your data is processed by one of our Affiliates or other establishments in the EEA. Likewise, the UK General Data Protection Regulation tailored by the Data Protection Act 2018 (“UK GDPR”) applies when you are located in the United Kingdom of Great Britain and Northern Ireland (“UK”) under the same circumstances.
The representative of Ory Corp in the EEA is Ory Systems GmbH, Schloßschmidtstraße 5, 80639 München, Germany.
Legal Basis for Processing
For purposes of the GDPR, the legal basis for the processing of your Personal Information is as follows:
- Where we use your Personal Information for Business Operations (Section 4.1 – Business Operations and Services), the processing is generally necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (Article 6(1)(b) of the GDPR). Where you are not our actual customer but a contact person of our customer, the legal basis our legitimate interest (Article 6(1)(f) of the GDPR) to communicate with our customer through you.
- For the use of your Personal Data to provide you with information about Business Operations and the Services (Section 4.3 – Information and Notices), the legal basis is generally our legitimate interest (Article 6(1)(f) of the GDPR) to market our business to you. Notwithstanding, if you request more concrete information, the processing may also be necessary to take steps prior to entering into a contract (Article 6(1)(f) of the GDPR). For notices required by law, the processing of your personal data is necessary for compliance with such legal obligation (Article 6(1)(c) of the GDPR).
- The use of your Personal Information for safety and security purposes (Section 4.4 – Security) is generally based on our legitimate interest (Article 6(1)(b) of the GDPR) in ensuring said safety and security. In some situations, there may also be a legal obligation to implement such measures (Article 6(1)(c) of the GDPR).
- In other cases where we need to comply with a legal obligation (Section 4.5 – Comply with Legal Obligations), the processing is based on the necessity to comply with such obligation (Article 6(1)(c) of the GDPR).
- Where we use your Personal Information to communicate with you (Section 4.6 – Responding to Your Requests), the legal basis will be one of the above depending on the purpose of such communication.
- Where we seek your consent for other purposes (Section 4.7 – Other Purposes for Which We Seek Your Consent), the legal basis is consent (Article 6(1)(a) of the GDPR).
Transfers to Third Countries
We may process your Personal Information in countries outside the EEA (“Third Countries”), including in the United States. We may also disclose your Personal Data to Affiliates and third parties (cf. Section 5 – Sharing Information) in Third Countries.
- If we disclose Personal Information to recipients in Third Countries, we may rely on an adequacy decision of the European Commission that confirms that the laws of the Third Country in question provide for an adequate protection of Personal Information.
- For other Third Countries, we will take steps to protect your privacy and fundamental rights in accordance the GDPR, and arrange for additional safeguards. Such safeguards will typically be based on a contract that binds the recipient in the Third Country to adhere to data protection standards similar to those under the GDPR. We will usually rely on the standard contractual clauses pre-approved by the European Commission or on other clauses approved by a competent data protection authority. If available, we may also rely on so-called binding corporate rules of the recipient approved by a competent data protection authority. These safeguards will generally include you as a third-party beneficiary, allowing you to enforce the data protection standards directly against the recipient. In order to obtain a copy of the safeguards used for a recipient, you may contact us using the contact information provided in Section 13 (Contact Information).
Your GDPR Rights
Under the GDPR, you have the following rights in relation to your Personal Information each subject to the legal requirements set out in the respective provisions of the GDPR:
- The right to request access to information regarding our processing of your Personal Information (Article 15 of the GDPR);
- The right to obtain rectification of your Personal Information that is inaccurate (Article 16 of the GDPR);
- The right to obtain the deletion of your Personal Information (Article 17 of the GDPR), or the restriction the processing of your Personal Information (Article 18 of the GDPR);
- The right to receive a copy of your Personal Information in a structured, commonly used and machine-readable format (data portability) (Article 20 of the GDPR);
- Where processing of your Personal Information is based on your consent (cf. Section 8.3.3 – Legal Basis for Processing), the right to withdraw consent at any time, without affecting the lawfulness of processing based on such consent before such withdrawal;
- Where processing takes place for the purpose of direct marketing, the right to object to the use of your Personal Information (Article 21(2) of the GDPR) at any time;
- Where processing is based on our legitimate interest (cf. Section 8.3.3 – Legal Basis for Processing), the right to object to the use of your Personal Information on grounds relating to your particular situation (Article 21(1) of the GDPR)and any time; we may, however, continue the processing if (i) we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or (ii) for the establishment, exercise or defense of legal claims.
- If you wish to exercise any of your rights above, please contact us using the contact information provided in Section 13 (Contact Information). You also have the right to lodge a complaint with your local competent supervisory authority or any authority that applies to Ory.
We respect the our customers and we want to encourage your feedback. If you have a suggestion or concerns you would like us to address, please contact us using the contact information provided in Section 13 (Contact Information). Certain jurisdictions may also provide you with additional avenues for lodging complaints. Please check with your jurisdiction’s consumer protection authority.
The Services and our communications may contain links to websites and platforms operated by third-parties. You acknowledge and agree that Ory is not responsible for the collection and use of your information by such websites or platforms that are not under Ory’s control. We encourage you to review the privacy policies of each website and platform you visit or access so you understand such website operator’s privacy practices.
The Services are not directed to, nor does Ory knowingly collect information from, children under the age of 13 in connection with Business Operations. If you become aware that your child or any child under your care has provided information without your consent, please contact Ory immediately using the contact information provided in Section 13 (Contact Information).
Our Website does not change its behavior when receiving “Do Not Track” signals from browser software. We will instead ask for your explicit consent before we place Cookies that are not necessary for Website features requested by you.
We do not make decisions which will have a legal effect for you or otherwise affect you in a significant way on the sole basis of automated processing, including profiling.
© 2021 Ory Corp. All rights reserved. No part of this content may be reproduced, stored in any form without written permission from Ory.