Try for free

Retorio´s Privacy Policy

Version 0.1 | Last update: 14.10.2020

Many thanks for your interest in how we handle privacy and protection of your data at Retorio GmbH (commercial register Local Court Munich number HRB 243225-  “Retorio”, “we”, “us” or“our”) when you visit our website at or you use our services.

Your privacy is important to Retorio. Retorio strives to protect your privacy at all times and to apply the highest ethical and regulatory standards. That is why all communication by and in our Retorio Software-as-a-Service (the “SaaS”) is encrypted by state-of-the-art SSL encryption. This Retorio Privacy Policy (the "Privacy Policy") tells you about how we collect, use, disclose, transfer, and store your information, as well as the choices you have regarding your information including but not limited to personally identifiable information (the ”Personal Data”). It also gives you information about our use of cookies (cf. detailed description and definition below), analytics tools, and marketing and advertising practices.

Other than as expressly set out in this Privacy Policy or as otherwise required or permitted by law, we will not share, sell or distribute any of the information you provide to us without your consent (that in certain cases needs to be expressly granted).



I. Who is responsible for data processing and who can you contact?

As part of our provision of the Retorio SaaS to you and from our interactions with you, Retorio needs to  collect Personal Data either as controller or as processor on behalf of an employer.  

If you visit our website at we process personal data as controller. Please ask us if you would like information about the Personal Data we store. We will gladly provide this for you for free as quickly as possible. We can also send this information to you electronically.

Contact us at:

Retorio GmbH

Gaisbergstr. 11

81675 München


You can contact our data protection officer at:

II. Which data are being processed and what are the sources of these data?

We process personal data (Art. 4 Nr. 1 GDPR) which we receive in the course of conducting our business as provider of a SaaS-Product for AI video recruiting. Our service can be used by Attendees (hereinafter: “you”) in order to provide additional information for employer in a job application process. Typically we work on behalf of your possible employer (“employer”) who will be our customer. We provide our services to employers in order to enable him to use our services for its application process. So please also take notice of the Additional information with respect to Video-Recruiting (see below) and of the privacy policy of the respective employer to obtain more detailed information about the processing of personal data during a specific application process. However we also process personal data as data controller of you if you visit our website.

III. For what purpose and on what legal basis are the data processed?

We process personal data in order to be able to provide our services and in order to receive and reply your requests. We process personal data in accordance with the following data protection-related provisions:

a) Processing personal data with your consent (Art. 6 para. 1 a GDPR):

We process data according to Art. 6 para 1 a GDPR in order to communicate with you and advert for our services.

b) Processing personal data to fulfil contractual obligations (Art. 6 para. 1 b GDPR):

If we enter into a contractual relation (including the initiation of contractual relation) the processing of personal data takes place for the provision of our services as cloud software provider to Art. 6 para. 1 b GDPR.

c) Processing personal data to fulfil legal requirements (Art. 6 para. 1 c GDPR):

In the event that our company is subject to a legal obligation which requires the processing of personal data, such as for example the fulfilment of tax obligations, the processing of personal data is made pursuant to Art. 6 para. 1 lit. c GDPR.

d) Processing personal data according to Art. 6 para. 1 d GDPR:

In exceptional cases the processing of personal data may be required in order to protect the vital interests of the data subject or another natural person. This could for example be the case were a visitor will be injured in our premises and in consequence his name, age, health insurance data or other vital information need to be transmitted to a doctor, hospital or other third party. In that event the processing will be made pursuant to Art. 6 para. 1 lit. d GDPR.

e) Processing personal data according to Art. 6 para. 1 f GDPR:

Finally, data processing activities can be conducted on the basis of Art. 6 para. 1 lit. f GDPR which covers data processing activities which are do not fall under any of the aforementioned legal provisions and which covers data processing which is necessary for the purposes of the legitimate interests pursued by us or a third party and provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.

IV. Server Logfiles

We collect and store information on the basis of Art. 6 para 1 lit. f GDPR about your visits of our website in so called log-files on our server. The logfiles contain data that your browser is automatically sending to us, such as:               

  • shortended IP-adress
  • browser type/ browser version
  • your operating system
  • referrer URL (or the website visited previously)
  • date and time of the server request
  • amount of transmitted data
  • your internet service provider

These data will be collected and processed only for the purpose of measuring the statistics of our website performance. These data will not be connected with data from other data sources.

V. Use of Cookies

Our Website uses cookies on the basis of Art. 6 para 1 lit. f GDPR for cookies that are technically necessary and on the basis of Art. 6 para 1 lit. a GDPR. A cookie is a text file that is placed on the device of the user (PC, tablet, smartphone etc.) and stores certain information referring to the device. If you visit our website from the respective device our server receives information from a cookie. Our server can use this information for different purposes. For example can cookies be used for tailoring advertising to the user or in order to provide statistics for the use of the website. In your browser settings you can allow or deactivate cookies. In the case of deactivating cookies, however, some functionality of our website might not work.

VI. Period of Data Storage

We process and store personal data only for the period, which is required to meet the purpose of processing, or as long and to the extent as statutory laws require us to process and/or store such data.

If the purpose of processing does not apply anymore and the applicable statutory retention requirement expires, we will as a matter of routine erase data or restrict the processing of data in accordance with the applicable statutory laws.

VII. Information about the transfer of personal data to a third country

We use various cloud services as part of our service, i.e. US-based providers or providers from other states outside EU/EEA who also process personal data on our behalf (e.g. name, e-mail address and possibly others).

We expressly point out that, with regard to the USA, no adequacy decision of the European Commission has been issued so far.

We will only transfer personal data to a provider in the USA if this transmission is permitted in accordance with the so-called Privacy Shield Agreement and / or the transmission is legitimized by standard data protection clauses (standard contractual clauses). The guarantees for privacy shield can be found here:

The standard contract clauses can be found here:

VIII. Is there an automated decision-making process?

We do not use automated decision-making processes under Art. 22 GDPR for initiating decisions on the establishment or carrying out of the business relationship, which would have legal consequences for you or would have a similar significant negative impact. As far as an employer uses our SaaS as a part of a job application process our SaaS please take notice of the Additional information with respect to Video-Recruiting (see below) and of the privacy policy of the respective employer.

IX. Documentation of declared consents

If you have given us a consent under Art. 9 GDPR to anonymize your personal data, you consented to the following:


I agree that retorio anonymizes my personal data in order to be able to process personal data in anonymized form.



You can withdraw a given consent at any time free of charge. A withdrawal can e.g. done by email or by post.

X. Additional information with respect to Video-Recruiting

What is the purpose of the data processing and who is the data controller?

The SaaS has the purpose to provide you an objective personality profile of you by analyzing video and audio recordings of communications based on artificial intelligence technology. Retorio provides a SaaS on behalf of employers who will be acting as data controller. The SaaS measures personality traits according to the OCEAN framework, which is also known as the Big-5 personality model. You can find more detailed information about the OCEAN framework at Therefore, you start a video communication (a“Video Call”) via a web-application, which may be recorded and stored for the application process.

Which kind of data are processed?

When using the SaaS you may upload and share your own documents (the “User Generated Content”). Your video and audio recordings may include Personal Data. While providing our SaaS we collect and store the following information about your Video Call:

  • Video Call ID,
  • names of all session participants (only if you registered before),
  • IP addresses of all session participants;
  • and time-stamps of account registration.

With your consent given according to Art. 9 II a GDPR to the respective employer the Video Recording will be used in order to process data as follows:

Gesture analysis: Retorio evaluates your Video Recordings using gesture recognition n algorithms. These algorithms quantify your movements and store motion information. This information is then evaluated using various analysis methods, e.g. to determine how your gestures work. By using the Retorio SaaS, you expressly agree to the quantification and evaluation of your recorded movements.

Voice analysis: The SaaS records your voice and quantifies voice patterns, e.g. via your voice height, voice volume and volume. The quantified voice patterns are evaluated with regard to different effects (e.g. emotions) and enable the Retorio SaaS to give you feedback on the effects of your voice.

Language analysis: The SaaS quantifies your voice-to-text, i.e., your spoken words, and transcribes them. Then the spoken words are analyzed with existing NLP libraries (e.g., sentiment). This is done to give feedback about, for instance, people's emotional word content.

Facial Analysis: Retorio uses face analysis algorithms to determine your facial expression and its effect. Retorio SaaS processes your facial expression both locally through your browser and centrally on servers. The facial analysis generates personal data such as estimates of your age, skin color/ethnicity and gender. Furthermore we collect and store information about your emotions on your face. This information is used to provide you with appropriate feedback on your effectiveness and to improve Retorio SaaS. By using our SaaS, you expressly consent to the processing and storage of this information.

You can withdraw your consent to process these data at any time.

You are not obliged to participate in Video Recruiting by law or by contract and you can also proceed in the application process if you decide not to participate.

Depending on the specific demands of an employer Retorio might match the data obtained from the above mentioned analysis against specific requirements predefined by the employer in a model profile. In an automated procedure all attendees will be listed up for the employer in an order based on how close analyzed profiles come to the predefined model profiles. This order might have influence on employers further decisions in the application process.  For further details to your rights and the period of data storage please take notice of employer´s privacy policy.

Where are data stored and who will have access to your personal data?

We will have access to your personal data in our role as data processor for the respective employer who is our customer. Based on our contractual relation to our customers we are obliged to process personal data only for the purpose of the customer. With your consent me may anonymize personal data and process anonymized data in order to enhance our software and services. In the processing of your personal data we strictly follow directions of our customers.

Like many companies, all Retorio data will be stored and processed on Google Cloud Platform (the “GoogleCloud”)  a cloud solution provided by Please see Google’s Privacy Policy( for more information. Retorio limits Google Cloud to store data exclusively on servers located

User Generated Content on Google Cloud may be deemed as contract data processing (the “Contract Data Processing”) depending on the information stored in the User Generated Content. Contract Data Processing will be subject to a separate agreement between us and Google. This means that Google will be sub processor in relation to the employer who is the responsible data controller.For more information on Google Cloud's compliance with data protection, click here:

Google Cloud is audited annually on the basis of the following standards (based on Google's self-reporting):

ISO 27001: This is one of the best known internationally recognized independent safety standards. All systems, applications, employees, technologies, processes, and data centers used to deploy the Google Cloud Platform are ISO 27001 certified. The ISO 27001 certificate for the Google Cloud platform can be found on the Google website. Google has also received the ISO 27001 certificate for the common infrastructure from Google.

ISO 27017 - Cloud Security: This is an international application standard specifically targeted at cloud services for information security measures based on ISO/IEC 27002.

ISO 27018 - Cloud Privacy: This is an international application standard for the protection of personal data in public cloud services. 

XI. Your Retorio Account – Information for employers with User Account

In order to activate and/or use some of our SaaS, you will need to create an account (the “Account”). During the process of setting up your Account, we will ask you for certain Personal Data such as your

  • e-mail address;
  • personal name;
  • company name;
  • company website;
  • your position/department
  • number of positions you usually hire
  • address;
  • country;
  • IP Address; and
  • Time-stamp of Account registration.

We need this information to allow you to activate, manage or use your Retorio products and services. We may associate your email address and other Personal Data (such as name, telephone number and address) with your Account and access of our products or services. For further information, please see the User Experience and Statistics section below.

Device-related information: In addition, Retorio SaaS collects device-related information, such as model information of the hardware you are using, device identifiers, or the version of your operating system. Retorio may link this information to your user profile.

Log data: When you use our SaaS, we may collect and store certain information in serverlogs. This may include details about your behavior patterns when using the SaaS, such as the average length of your records, information about device features and events such as crashes, system activity, hardware configurations, browser variant and language, time of your request, referral URLs, and cookies.

Location-related information: When you use the SaaS, we may collect and process information about your location, such as IP addresses or WLAN access points. This information is used exclusively to personalize our services (e.g. automatic recognition of your native language) and to improve our services.

Local storage: The SaaS partly stores data locally on your device (e.g. in the web memory of your browser), e.g. to provide real-time feedback on your communication behavior. This data is usually deleted automatically by your device.

XII.  Third Party Technology

Google Sign-In

For our SaaS (for example, the login via we offer a log in via Google Sign-In or other third party services as SalesForce etc. Google Sign-In is a service of Google, Inc. (“Google”). If you use Google Sign-In, we process and store the data you transmit only for registration purposes. The use of Google Sign-In is subject to the Google privacy policies and terms of use. When using Google Sign-In, your Google login information data (which may contain Personal Data such as your name, email address, phone and other information you have entered as part of your Google pro le) will be transferred from Google to Retorio. To obtain more information about Google Sign-In and how to manage your Google+ access rights, please click here ( you do not agree to such a data transfer, please use your Retorio Account as a login instead of Google Sign-In.

Inviting others to use our products or services

You can invite a third party, e.g. your customer, to try our SaaS via email, Google etc.. To use the email invite feature, you will have to enter the third party’s email address (which is Personal Data). Retorio will then send your invitation to the email address you provide. This email invitation will contain your Personal Data (including your name and the email address you entered into your Account). Please do not do this without getting consent from the third party. If you choose to share the invitation via Facebook, Twitter or Google, you will need to log in to each service. We will interface with the respective API in order to share a link inviting the third party to our SaaS.


You can visit most areas of the Retorio website without disclosing any Personal Data. Retorio only logs the domain name, IP address and browser type of our website visitors via our webserver log  les and analytics tools at irregular intervals. We use this information to log global access to our website. For our SaaS we will ask that you provide sign-up an Account at Retorio – see above “Account”. In some cases, you will be unable to complete a particular step in the process if you do not want to provide the information requested. For example, we will ask for Personal Data in the following instances: If you use our online technical support or ask questions about our products and services using the contact form or the contact options on our website, we will ask you to give us Personal Data required for processing the support request. This can include your email address, name and address, as well as information about your computer hardware and software and the type of problem you have. If you have requested a test license on our website, in order to activate such license, you may have to provide Personal Data, such as an email address. If you request a service from us via our website. If you participate in a survey on our website. If you subscribe to a newsletter. If you signed up for a newsletter and no longer want to receive it, you can unsubscribe at any time by using the unsubscribe option provided in the email or by sending us an email using the contact information provided below.

Use of Cookies

Cookies are small text  les that are stored on your computer or in your browser. Cookies are loaded on your browser when you first use a product or service. Cookies do not include any Personal Data. We may use cookies to identify the browser you are using so that our website displays properly. We also use cookies in various places on our website in order to document your visit to the Retorio website and allow for a more efficient website design. For example, to optimize the shopping cart feature used for ordering in the Retorio online store. If you do not want to allow Retorio or someone else to use cookies, you can disable cookie installation via your browser setting. While you also have the option of deleting cookies from your computer's hard disk at any time, if you choose to do so, you may be unable to use some of the features of our website, products and services.

User Experience and Statistics

We use our own technology (including soft authentication systems, storage and messaging engines, databases and big data repositories) to perform statistical evaluations using pseudonymized user pro les. We do this to optimize your experience with our products and provide relevant content and advertisements. If you utilize multiple email addresses to access your Retorio Account, we may tie those emails to one pro le. We may combine information we gather about your use of one product or service with your use of another product or service. We also use the information we collect to offer you content, search results and advertisements that will be of most interest to you. We believe more relevant advertising provides a better Internet experience. This is also how we support our business while still providing certain products or services to you free of charge. As part of this process, we may collect information about how you use and interact with the advertisements that we offer. We may also use information about how you use our products and services across various Devices. Based on this Device-specific information (for example, the hardware model, operating system, version, device, mobile network information including your phone number)and the unique application number assigned to some of our products and services, we may be able to compile a personal pro le about you. When you log in and access your Account or our products, we may automatically collect and store certain information. For example, details of how you use our products, what kind of search queries you conduct, where your computer is routing from, your browser type and version, and Cookies that may identify your browser and/or Account. By reviewing and accepting this privacy policy, you understand and agree that we may combine non-Personal Data or pseudonymized data obtained via our proprietary soft authentication systems with Personal Data obtained when you sign up for an Retorio Account. We do not share this combined data with third parties. In addition to our own proprietary technology, we use the following third-party analytics tools to better understand your interaction with our website and use of our products/services. Our ultimate goal is to create a more user-friendly experience for you:

Google Analytics

We use Google Analytics, a web analysis service from Google, Inc. ("Google"). GoogleAnalytics uses Cookies to make it possible to analyze your use of our website. Information about your use of our website the Cookie generates is usually transferred to a Google server in the USA and saved there. However, before this happens, Google shortens and anonymizes your IP address (Google's anonymize Ip process) if located within a member state of the European Union or in other contracting member states to the Agreement on the European Economic Area. The entire IP address is transferred to a Google server in the USA and saved there only in exceptional cases. This anonymization ensures that your IP address cannot be traced back to you. Google will use this information to evaluate your use of the website in order to compile reports about website activities for Retorio and provide additional services associated with website and Internet usage. Google can transfer this information to third parties, where appropriate, if legally mandated or if Google contracts with third parties to process such data. Google will not associate your IP address with other Google data. By using our website, you expressly consent to Google’s collection and storage of your data in the manner and for the purposes described above. You also have the option to prevent Google from acquiring and processing data generated by Cookies and data related to your use of our website (including your IP address) by downloading and installing a Google-provided browser plugin. More information about Google Analytics can be found here(

Facebook Pixel

Our website measures conversions using visitor action pixels from Facebook, Facebook Inc.,1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”).These allow the behavior of site visitors to be tracked after they click on a Facebook ad to reach the provider’s website. This allows an analysis of the effectiveness of Facebook advertisements for statistical and market research purposes and their future optimization. The data collected is anonymous to us as operators of this website and we cannot use it to draw any conclusions about our users’ identities. However, the data are stored and processed by Facebook, which may make a connection to your Facebook pro le and which may use the data for its own advertising purposes, as stipulated in the Facebook privacy policy ( This will allow Facebook to display ads both on Facebook and on third-party sites. We have no control over how this data is used. Check out Facebook’s privacy policy to learn more about protecting yourprivacy: can also deactivate the custom audiences remarketing feature in the Ads Settings section at You will first need to log into Facebook.

Quora Pixel

The Quora pixel is a small piece of code that’s added to our website pages to enable us to measure, optimize and build audiences for our Quora advertising campaigns. Lastly, here’s a link to Quora’s privacy policy (

Google Tag Manager

Using Google Tag Manager: Google Tag Manager is a solution that allows marketers to manage website tags through a single interface. The Tool Tag Manager itself (which implements the tags) is a cookie less domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been made at the domain or cookie level, it remains for all tracking tags implemented with Google Tag Manager. ( here to opt out of Google Tag Manager collection.

LinkedIn Pixel

We use the "LinkedIn pixel" from LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Irland(»LinkedIn«). This allows users' behaviour to be tracked after they have seen or clicked on aLinkedIn ad. This process is used to evaluate the effectiveness of LinkedIn advertisements for statistical and market research purposes and can help to optimise advertising measures. The data collected is anonymous to us, so it does not give us any indication of the identity of the users.


Tailored audiences is the tool of Twitter Inc., 1355 Market Street, Suite 900, San Francisco,CA 94103, USA, ( (“Twitter”), used to target existing users and customers to create remarketing campaigns. Targeting activity can include directly reaching out to users or visitors to the Thought Works website and campaign pages and/or retargeting previous customer lists. Twitter sets a minimum size limit for a tailored audience to 500 users. If the tailored audience does not match 500 Twitter users, it will display as "audience too small" and will not be available for targeting. Details about Twitter’s policies for conversion tracking and tailored audiences can be foundat (


We use HubSpot for optimization of our marketing measures and the improvement of our service quality on the website ("HubSpot"). HubSpot is a software company from the USA with a branch in Ireland. This is an integrated software solution with which we cover various aspects of our online marketing. These include, among other things: E-mail marketing(newsletters as well as automated mailings, e.g. for the provision of downloads), socialmedia publishing & reporting, reporting (e.g. traffic sources, accesses, etc...), contact management (e.g. user segmentation & CRM), landing pages and contact forms. Our registration service allows visitors to our website to learn more about our company, download content and provide their contact information and other demographic information. This information and the contents of our website are stored on servers of our software partner HubSpot. They can be used by us to contact visitors to our website and to determine which services of our company are of interest to them. All information we collect is subject to this privacy policy. We use all collected information exclusively for the optimization of our marketing measures. Furthermore, to improve the user experience on our website, we use the live chat service "Messages" from HubSpot (round chat icon at the bottom right of the screen) for sending and receiving messages on some subpages. If this function is enabled and used, the following data will be transmitted to the HubSpot servers: Content of all sent and received chat messages, Context information (e.g. page on which the chat was used), Optional: e-mail address of the user (if provided by the user via chat function)If you generally do not want HubSpot to collect data, you can prevent cookies from being stored at any time by changing your browser settings. More information about HubSpot can be found here. (


We use Pipe to process videos. Pipe Services S.R.L. - with registered office at street General Budisteanu 12-14, building C, appartment 11, ground floor, Bucharest, Romania (EU). This is an integrated software solution with which we cover various aspects of video processing. These include, among other things: recording or uploading videos. The videos are processed by the pipe video services (e.g., converted from .mov to .mp4) and subsequently stored on the servers used by Retorio. We use this service to make sure that different video sizes and formats can be adequately processed from various devices. Furthermore, we use Pipe to make sure no video gets lost during the recording or uploading process. All information we collect is subject to this privacy policy ( More information about the GDPR compliance can be found here:


We use third-party analytics services to help understand your usage of our services. In particular, we provide a limited amount of your information (such as your email address and sign-up date) to Intercom, Inc. (“Intercom”) and utilize Intercom to collect data for analytics purposes when you visit our website or use our product. Intercom analyzes your use of our website and/or product and tracks our relationship so that we can improve our service to you. We may also use Intercom as a medium for communications, either through email, or through messages within our product(s). As part of our service agreements, Intercom collects publicly available contact and social information related to you, such as your email address, gender, company, job title, photos, website URLs, social network handles and physical addresses, to enhance your user experience. For more information on the privacy practices of Intercom, pleasevisit Intercom’s services are governed by Intercom’s terms of use which can be found at ( If you would like toopt out of having this information collected by or submitted to Intercom, please contact usat (

XIII. Rights of Data Subjects

According to Art. 15 GDPR you have the right to obtain from the data controller free information on request about the personal data stored about you as well as the purpose of the data processing. Please take not that the respective employer is the data controller of the data processed during an Video Recruiting process. According to articles 16, 17 and 18 GDPR you also have the right to correct incorrect data and block and delete your personal data. Moreover according to Art. 20 GDPR, you have the right to receive the personal data concerning you which you provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from our part. According to Art. 21 (1) GDPR, you also have the right to object, on the basis of your particular situation, at any time to processing your personal data as far as it is based on Art. 6 (1) e) or f) GDPR. We will comply with the aforementioned requests if and to the extent such compliance is required by the applicable statutory laws. Requests for access to and rectification or erasure of personal data or restriction of processing may be directed to the email or post address stated in our website’s imprint. Each data subject has the right to lodge a complaint with a supervisory authority of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.