This Privacy Policy describes how Torq Technologies Ltd. (together with its affiliated companies, “Torq”, “we”, “our” or “us”) collects, stores, uses and discloses information associated with an identified or identifiable individual (“Personal Data”). Torq greatly respects your privacy, so we make every effort to provide services that comply with the highest privacy standards. This Privacy Policy explains our practices in relation to Personal Data, and the choices that you can make about the way your Personal Data is collected and used in connection with Torq’s services.

Specifically, this Privacy Policy covers the following:

  1. WHO WE COLLECT PERSONAL DATA FROM
  2. CATEGORIES OF PERSONAL DATA THAT WE COLLECT
  3. WHAT WE USE PERSONAL DATA FOR
  4. WHO WE DISCLOSE PERSONAL DATA TO
  5. DATA RETENTION
  6. SECURITY
  7. COOKIES AND TRACKING TECHNOLOGIES
  8. INTERNATIONAL TRANSFERS OF PERSONAL DATA
  9. TORQ AS A DATA CONTROLLER AND DATA PROCESSOR
  10. YOUR RIGHTS AS A DATA SUBJECT
  11. YOUR RIGHTS UNDER US PRIVACY LAWS
  12. COMMUNICATIONS FROM TORQ
  13. ADDITIONAL NOTICES
  14. CONTACTING US

This Privacy Policy addresses the information we collect about you when you use our security management software-as-a-services product and related services (“Product”), visit our website (https://torq.io/) (“Website”), or otherwise interact with us (for example, by attending our events or by communicating with us) (collectively referred to as “Services”). This Privacy Policy does not apply to Personal Data that we process on behalf of our business customers (“Customers”) when accessing and using our Product. In this case, we process Personal Data in our capacity as a “data processor”, in accordance with instructions provided by our Customer and the terms of our Master Service Agreement (“MSA”) and Data Processing Agreement (“DPA”) entered into between Torq and Customer. For more information, please refer to Section ‎9 below.

Please note that you are not legally obligated to provide us with any Personal Data. If you do not agree with this Privacy Policy, please do not access or use our Services or interact with any other aspect of our business.

We reserve the right, at our discretion, to change this Privacy Policy at any time. The amended version will be effective as of the date it is published. When we make material changes to this Privacy Policy, we will give notice as appropriate under the circumstances (e.g. by displaying a prominent notice on our Website or by sending an email). Your continued use of our Services after the changes have been implemented will constitute your acceptance of the changes.

1. WHO WE COLLECT PERSONAL DATA FROM

Torq collects Personal Data relating to the following:

  • Customer Personnel: We collect the Personal Data of individuals engaging with Torq on behalf of our Customers, including each user accessing and using our Product and procurement and billing personnel (collectively, “Users”).
  • Prospects: We collect the Personal Data of prospective customers, channel partners or technology partners; individuals who interact with our website, social media accounts, digital ads and content, emails or communications under our control; and participants at our events (collectively, “Prospects”).
  • Partners and Vendors: We collect Personal Data relating to our channel partners, technology partners, service providers and vendors.
    As explained above, any Personal Data submitted by our Customers to our Product is processed by Torq in our capacity as a data processor, in accordance with Customer instructions and our MSA and DPA. Please refer to Section ‎9 below for more information.

2. CATEGORIES OF PERSONAL DATA THAT WE COLLECT

We collect or generate the following categories of Personal Data in respect of the Services:

  • Information about you: We may collect any of the following: full name, email address, phone number, company name, job title, profile picture (avatar), login credentials from third-party authentication providers (user name and password), social media profile, contractual and billing details, and any other information submitted or otherwise made available to us by Customers, Users and Prospects. We may also collect your resume/CV and LinkedIn profile in connection with any job application you make through our website and/or social media accounts. We collect this information directly from you, or from other sources and third parties that we engage, such as our Customers (your employer), organizers of events or promotions that both you and us were involved in, third party service providers offering services to be used in conjunction with our Services (such as our learning management service provider, support and ticketing services), and tools and channels we use to connect with individuals in order to explore potential employment and business opportunities, including for example LinkedIn, Greenhouse, ZoomInfo, and Nextroll.
  • Communications: We collect your communications as part of any of the following: interactions through our website, social media channels, and event registration; surveys, feedback and testimonials that you complete; support requests, including voice call and video conference recordings (e.g., with our customer success personnel and solution architects), as well as written correspondences, screen recordings, screenshots, documentation and related information that may be automatically recorded, tracked, transcribed and analyzed, for purposes including analytics, quality control and improvements, training, and record-keeping purposes. We engage third party service providers to assist us in communicating with you, such as Slack, Atlassian, Salesforce, Hubspot and Gong.
  • Usage and device information: We collect technical, connectivity and usage data, such as IP addresses and approximate general locations derived from such IP addresses, device and application data (like type, operating system, mobile device or app ID, browser version, location and language settings used); system logs of actions and events attributed to those IP addresses, devices and applications; the relevant cookies and pixels installed or utilized on your device; and the recorded activity (sessions, clicks, use of features, logged activities and other interactions) of Users and Prospects in connection with our Services. We collect and generate this information automatically, including through the use of analytics and system monitoring tools (including cookies and pixels), which collect data such as: how often Prospects visit or use our Website; which pages they visit and when; which website, ad or email message brought them there; how Users interact with and use the Services and its various features, and technical data concerning the performance, functionality and stability of the Services. We may also collect hashed email addresses derived from emails or other online identifiers collected on our Website, which allows certain service providers to recognize and deliver ads across devices and browsers. To read more about the technologies used by NextRoll, a service provider we engage to provide such marketing services, please refer to NextRoll’s Privacy Notice.

3. WHAT WE USE PERSONAL DATA FOR

Legal Bases: We collect Personal Data as necessary for the performance of our agreements with our Customers (“Performance of Contract”); to comply with our obligations under applicable laws, regulation and standards, as well as contractual obligations (“Legal Obligations”); and to support our legitimate interests in maintaining and improving our Services, to market, advertise and sell our Product to you and others, to provide support services, to effect billing and administrative functions, and to protect the security and integrity of the Services (“Legitimate Interests”); or for any other lawful purpose, or other purpose that you consent to in connection with the provisioning our Services.

If you reside or are using the Services in a territory governed by privacy laws under which consent is the only or most appropriate legal basis for processing Personal Data as described in this Privacy Policy (either in general, based on the types of Personal Data you expect or elect to process or have processed by us or via the Services, or due to the nature of such processing), your acceptance of our MSA and of this Privacy Policy will be deemed as your consent to the processing of your Personal Data for all purposes detailed in this Privacy Policy, unless applicable law requires a different form of consent. If you wish to revoke such consent, please email [email protected].

Uses: We use Personal Data for the following purposes, each in reliance upon one or more of the legal bases for processing noted above:

  • To facilitate, operate, provide and enhance the Services (Performance of Contract; Legitimate Interests);
  • To provide our Customers, Users and Prospects with assistance and support, and to train our Customers and Customer-facing staff (Performance of Contract; Legitimate Interests);
  • To test and monitor the Services, and diagnose or fix technical issues (Performance of Contract; Legitimate Interests);
  • To invoice and process payments (Performance of Contract; Legitimate Interests);
  • To communicate with our Customers, Users and Prospects with general or personalized Services-related messages, as well as promotional messages that may be of specific interest to them (Performance of Contract; Legitimate Interests);
  • To gain a better understanding on how Users and Prospects evaluate, use, and interact with the Services, and to utilize such information to continuously improve the Services, and the overall performance, user-experience and value generated therefrom. We collect such information automatically through such individuals’ usage of the Services (Legitimate Interests);
  • To create aggregated, statistical data and anonymized or pseudonymized data (which cannot be used to identify individuals), which we or others may use to provide and improve our Services, or for any other business purpose such as business intelligence (Legitimate Interests);
  • To facilitate and optimize our marketing campaigns, ad management and sales operations, and to manage and deliver advertisements for our Services more effectively, including on other websites and applications. This includes contextual, behavioral and interests-based advertising based on User and Prospect activities, preferences or other data available to us or to our service providers and business partners (Legitimate Interests);
  • To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error or any illegal or prohibited activity (Performance of Contract; Legal Obligations; Legitimate Interests);
  • To explore and pursue growth opportunities, including through partnerships with resellers, distributors, MSSPs and other business partners related to our Services; to communicate and perform our obligations under our agreements with our channel partners (Performance of Contract; Legitimate Interest);
  • To facilitate, sponsor and offer certain events, webinars, contests and promotions (Legitimate Interest);
  • To provide you access to resources and assets (Performance of Contract; Legitimate Interest);
  • To process your job application and assess your candidacy (Performance of Contract; Legitimate Interest);
  • To publish your feedback and submissions to our Website, public forums and blogs (Legitimate Interest);

4. WHO WE DISCLOSE PERSONAL DATA TO

We may disclose Personal Data as follows:

  • Service Providers: We engage selected third parties to perform services on our behalf. Our service providers may have access to Personal Data, depending on each of their specific roles in facilitating the provision of our Services or other activities, and may only use Personal Data as set forth in our service agreements with them. These include providers of third party products, services, applications and tools used in connection with the Services, including third party applications which interoperate with the Product (“Third Party Services”); our hosting providers; data, security and fraud detection services; web analytics services; session or activity recording services; performance measurement services; billing and payment processing services; customer relationship and customer service management services; learning management services; support and ticketing services; video conferencing services; sales engagement services; content, lead generation and marketing services; social media services; hiring management services; and our legal, compliance, financial and other professional advisors and auditors. If you wish to receive a detailed list of our service providers, please contact us.
  • Customers and Other Users: Your Personal Data may be shared with our Customer in respect of which you are a User (including data and communications concerning your user profile), as well as other Users within the same organization.
  • Third Party Service Integrations: You may choose to integrate the Product with certain Third Party Services. Depending on the nature and purpose of such integration, a Third Party Service provider may receive and/or share relevant Personal Data with us about you. Note that we do not receive or store your passwords for any of these Third Party Services, but we do typically require your API key in order to integrate with them. Third Party Services are independent of Torq, and each Third Party Service provider has their own privacy policies and practices in place for its collection, use, and sharing of your Personal Data. Please check the permissions, privacy settings, and notices for these Third Party Services or contact the provider directly with any questions.
  • Channel Partners: We engage selected resellers, distributors, MSSPs, and other business partners in order to explore and pursue growth opportunities. In such instances, we may share certain relevant Personal Data with the respective channel partner to allow them to engage with those Customers for such purposes. If you directly engage with any of our channel partners, any aspect of that engagement which is not directly related to our Services and/or directed by Torq is not subject to the terms of this Privacy Policy, and is governed by the relevant channel partner’s terms and privacy policy.
  • Events: If you register to any event that we host, organize or sponsor, we may share your registration details with others, including the hosts, organizers, speakers, service providers and sponsors of that event, so that they may contact you with relevant information and offers related to the event.
  • Feedback: If you submit a public review or feedback, we may store and present your review publicly, on our Website or on another public platform, at our discretion. If you wish to remove your public review, please contact us.
  • Legal Compliance: In exceptional circumstances, we may disclose or allow government, judicial or law enforcement officials access to your Personal Data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect the security or integrity of the Services.
    Protecting Rights and Safety: We may share your Personal Data with others if we believe in good faith that this will help protect the rights, property or safety of Torq, any of our Customers or Users, or any members of the general public.
  • Torq Affiliates: We share Personal Data internally within our affiliates, for the purposes described in this Privacy Policy. In addition, should Torq or any of its affiliates be the subject of any change in control, including by means of merger, acquisition or purchase of all or substantially all of its assets, your Personal Data may be shared with the parties involved in such an event. If we believe that such change in control might materially affect your Personal Data then stored with us, we will notify you of this event and the choices you may have via email or prominent notice.

Torq may also share your Personal Data in ways other than those mentioned above, if you provide your consent or if we are legally obligated to do so, or if such data has become non-personal and anonymous.

5. DATA RETENTION

We retain your Personal Data for as long as it is reasonably needed in order to maintain our relationship and provide you with our Services; in order to comply with our legal and contractual obligations; and to protect ourselves from any potential disputes, all of which is further set forth in Torq’s data retention policy. We determine our retention periods by taking in account the amount, nature, and sensitivity of the applicable Personal Data, the purposes for which we process it, the potential risk of harm from unauthorized use or disclosure of such data, and applicable legal requirements.

6. SECURITY

We use industry-standard physical, procedural and technical security measures, including encryption as appropriate, to protect your Personal Data from loss, misuse and unauthorized access or disclosure. However, regardless of any security measures used, we are unable to guarantee the absolute protection and security of any Personal Data stored with us or with any third parties as described in Section 4 above. To learn more about our current practices and policies regarding security, please visit Torq’s Trust Centre.

7. COOKIES AND TRACKING TECHNOLOGIES

We, as well as certain service providers, utilize cookies and other similar technologies in our Services to assist us in collecting certain other information about you. To learn more about our practices concerning cookies and tracking, and your opt-out controls and other options, please refer to our Cookies Notice.

8. INTERNATIONAL TRANSFERS OF PERSONAL DATA

In order to facilitate our Services, we may transfer your Personal Data to countries other than the one in which you live. Torq Technologies Ltd. is headquartered in Israel. We and our service providers collect, process, maintain and store Personal Data in Israel, the United States, Europe, and other locations as reasonably necessary for the proper performance and delivery of the Services or as may be required by applicable law. Torq ensures compliance with the requirements of appliable data protection laws and regulations with regards to the transfer of Personal Data overseas.

For individuals located in the EEA, the UK and Switzerland, Israel is considered by the European Commission, the United Kingdom Secretary of State, and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as a jurisdiction which offers an adequate level of protection for Personal Data of individuals of EU Member States, the UK and Switzerland. We transfer Personal Data from the EEA, the UK and Switzerland to Israel on this basis. With regards to transfer of Personal Data to countries which are not considered to offer an adequate level of data protection, we and the relevant data importers enter into Standard Contractual Clauses as approved by the European Commission, UK Information Commissioner’s Office, and the FDPIC (as appropriate).

When Torq processes Personal Data on behalf of a Customer, such Personal Data is processed in the locations as permitted in our MSA and DPA with such Customer (as further described in Section ‎9 below).

9. TORQ AS A DATA CONTROLLER AND DATA PROCESSOR

Data protection laws and regulations, including the EU and UK General Data Protection Regulation (GDPR), and California Consumer Privacy Act (including the California Privacy Rights Act) (“CCPA”), make a distinction between the party determining the purposes and means of processing of Personal Data (the “data controller”, or “business” under the CCPA); and the party processing Personal Data on behalf of the data controller (or business) (the “data processor” or “service provider” under the CCPA).

With respect to Personal Data that Torq collects from its Customers, Users and Prospects as set forth in this Privacy Policy, Torq is a data controller.

With respect to Personal Data that Users submit when accessing and using our Product, Torq is a data processor.  We process Personal Data on behalf of our Customers (who are the data controllers of such Personal Data) in accordance with our Customers’ reasonable instructions and subject to our MSA and DPA. When using our Product, our Customers are solely responsible for determining how they wish to use our Services, and for ensuring that all Users, as well as all individuals whose Personal Data may be processed through the Product, have been provided with adequate notice and given their informed consent to the processing of their Personal Data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, use or other processing of data through our Product are fully met by the Customer. Our Customers are also responsible for handling data subject rights requests under applicable law, by their Users and other individuals whose data they process through the Product.

If you would like to make any requests or queries regarding Personal Data we process as a data processor on our Customers’ behalf, including accessing, correcting or deleting your Personal Data, please contact us.

10. YOUR RIGHTS AS A DATA SUBJECT

You are entitled to exercise your privacy rights under data protection laws and regulations applicable to you, such as the EU and UK GDPR, CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and any other applicable data protection law. These rights may include the following:

  • Your right to access Personal Data held by Torq. Your right of access may normally be exercised free of charge, however we reserve the right to charge an appropriate administrative fee where permitted by applicable law;
  • Your right to request that we rectify any Personal Data we hold that is inaccurate or misleading;
  • Your right to request the deletion of your Personal Data. Please note that there may be circumstances in which we are required to retain your Personal Data, for example for the purposes of legal claims and proceedings;
  • Your right to object to or to request restriction of the processing;
  • Your right to receive your Personal Data in a structured, commonly used and machine-readable format, and that you have the right to transmit that data to another controller (data portability);
  • Your right to object to profiling;
  • Your right to withdraw your consent at any time. Please note that there may be circumstances in which we are entitled to continue processing your data, such as if the processing is required to meet our legal and regulatory obligations. Please also be aware that the withdrawal of consent shall not affect the lawfulness of processing based on consent prior to withdrawal;
  • If you are protected by EU GDPR, you also have a right to request certain details regarding the transfer of your Personal Data outside of the EEA, it being clarified that any data transfer agreements and/or other details requested may need to be partially redacted for reasons of commercial confidentiality;
  • Your right to lodge a complaint with your local data protection supervisory authority. We ask that you please attempt to resolve any issues with us before you contact your local supervisory authority and/or relevant institution.

You can exercise your rights by emailing [email protected]. You may use an authorized representative to submit a request on your behalf if you provide the authorized representative written permission signed by you. To protect your privacy, we may take steps to verify your identity before fulfilling your request. Subject to legal and other permissible considerations, we will make every reasonable effort to respond your request promptly in accordance with applicable law or inform you if we require further information in order to fulfill your request. When processing your request, we may ask you for additional information to confirm or verify your identity and for security purposes, before processing your request. We will not be able to fulfill your request unless you have provided sufficient information that enables us to reasonably verify that you are the individual about whom we collected the Personal Data, and that such data is processed on behalf of any of our Customers, so that we may forward it to such Customer for their further handling. Such additional information may then be retained by us for legal purposes (e.g. as proof of the identity of the person submitting the request, and of how each request was handled), in accordance with Section ‎5 above. We reserve the right to charge a fee where permitted by law, for instance if your request proves to be unfounded or excessive.

In the event that your request would adversely affect the rights of others (for example, confidentiality) or if we are legally entitled to deal with your request in a different way than initial requested, we will address your request to the maximum extent possible, all in accordance with applicable law. This may include redacting data which we make available to you.

If your request relates to Personal Data that is processed on our Customer’s behalf in our capacity as a data processor (please refer to Section ‎9 above), please note that it is the Customer who exclusively determines how Personal Data is processed, as well as if and how your request should be handled. We recommend that you submit your request directly to the relevant Customer.

11. YOUR RIGHTS UNDER US PRIVACY LAWS

We describe in this Privacy Policy, the categories of personal information we may collect and the sources of such information (Section ‎2), and details of what we use your information for, and who we provide your information to (Sections ‎3‎4), which includes “business purposes” under the CCPA and similar US state laws, as applicable. We also provide describe our retention of Personal Data (Section ‎5) and the rights of data subjects in relation to the Personal Data that we collect (Section ‎10).

We do not “sell” or “share” your Personal Data for the intentions and purposes of the CCPA, nor disclose personal information to any third party for their direct marketing purposes. We may disclose Personal Data to certain third parties, and allow certain third parties to collect Personal Data from our Services, as follows: (a) our service providers or partners who have agreed to our terms regarding retention, use, and disclosure of such Personal Data; (b) Third Party Service providers with whom you have integrated our Product; (c) third parties to whom we disclose your Personal Data on your instruction; or (d) any other third party as otherwise described in Section 4 above. You may also designate an authorized representative to request to exercise your privacy rights on your behalf. We will not penalize you by withholding our Services or providing a lower quality of service to you for requesting to exercise your rights under the law.

If you would like to exercise your rights under any applicable US Privacy Law or have any questions in this regard, please email [email protected].

12. COMMUNICATIONS FROM TORQ

Communications regarding our Services: We may contact you with important information regarding our Services For example, we may send you notifications (through any of the means available to us) of changes or updates to our Services, billing issues, log-in attempts or password reset notices, etc. You can control your communications and notifications settings in accordance with the instructions that may be included in the communications sent to you. However, please note that you will not be able to opt-out of receiving certain Services communications which are required for your use of the Services (like password resets or billing notices).

Promotional Communications: We may also notify you about new features, additional offerings, events and special opportunities or any other information we think you will find valuable, as a Customer, User or Prospect. We may provide such notices by posting the same of our Website; by contacting you by phone, mobile, or email; or through our marketing campaigns on any other sites or platforms. If you do not wish to receive such promotional communications, please contact us or follow the “unsubscribe”, “stop”, “opt-out” or “change email preferences” instructions contained in the promotional communications you receive.

13. ADDITIONAL NOTICES

Third Party Websites and Services: Our Services includes links to third party websites and services, including integrations of Third Party Services. Such third party websites and services, and any information you submit to such third party websites and services, are governed by such third party’s terms and privacy practices and policies, and not by this Privacy Policy. Please carefully read the terms and privacy policies of such third party websites and services.

Children under the age of 16: We do not knowingly collect Personal Data of children under the age of 16, and do not wish to receive such Personal Data. We will attempt to block any use of our Services by any child under the age of 16, and use best efforts to promptly delete any Personal Data stored with us pertaining to such child. If you believe that we may be in possession of any such Personal Data, please notify us immediately.

14. CONTACTING US

If you have any comments, questions or complaints regarding our Privacy Policy or our privacy practices, or if you have any concerns regarding your Personal Data held with us, please contact Torq by emailing [email protected], or at our mailing address at 3 HaMelacha St., Tel Aviv, 6721503, Israel.

Last update: October 24, 2023