Version 0.1 | Last update: 14.10.2020
Many thanks for your interest in how we handle privacy and protection of your data at Retorio GmbH (commercial register Local Court Munich number HRB 243225 - “Retorio”, “we”, “us” or “our”) when you visit our website at www.retorio.com or you use our services.
WE COLLECT, USE, TRANSFER OR FORWARD PERSONAL DATA IN COMPLIANCE WITH THE PRIVACY PROTECTION LAWS OF THE FEDERAL REPUBLIC OF GERMANY AS WELL AS WITH THE PRIVACY REGULATIONS OF THE EUROPEAN UNION.
I. Who is responsible for data processing and who can you contact?
As part of our provision of the Retorio SaaS to you and from our interactions with you, Retorio needs to collect Personal Data either as controller or as processor on behalf of an employer.
If you visit our website at www.retorio.com we process personal data as controller. Please ask us if you would like information about the Personal Data we store. We will gladly provide this for you for free as quickly as possible. We can also send this information to you electronically.
Contact us at:
You can contact our data protection officer at: privacy@Retorio.com
II. Which data are being processed and what are the sources of these data?
III. For what purpose and on what legal basis are the data processed?
We process personal data in order to be able to provide our services and in order to receive and reply to your requests. We process personal data in accordance with the following data protection-related provisions:
a) Processing personal data with your consent (Art. 6 para. 1 a GDPR):
We process data according to Art. 6 para. 1 a GDPR in order to communicate with you and advertise our services.
b) Processing personal data to fulfil contractual obligations (Art. 6 para. 1 b GDPR):
If we enter into a contractual relation (including the initiation of a contractual relation), the processing of personal data takes place for the provision of our services as a cloud software provider pursuant to Art. 6 para. 1 b GDPR.
c) Processing personal data to fulfil legal requirements (Art. 6 para. 1 c GDPR):
In the event that our company is subject to a legal obligation which requires the processing of personal data, such as for example the fulfilment of tax obligations, the processing of personal data is made pursuant to Art. 6 para. 1 lit. c GDPR.
d) Processing personal data according to Art. 6 para. 1 d GDPR:
In exceptional cases the processing of personal data may be required in order to protect the vital interests of the data subject or another natural person. This could for example be the case where a visitor is injured on our premises and in consequence his name, age, health insurance data or other vital information need to be transmitted to a doctor, hospital or other third party. In that event the processing will be made pursuant to Art. 6 para. 1 lit. d GDPR.
e) Processing personal data according to Art. 6 para. 1 f GDPR:
Finally, data processing activities can be conducted on the basis of Art. 6 para. 1 lit. f GDPR, which covers data processing activities which do not fall under any of the aforementioned legal provisions and which are necessary for the purposes of the legitimate interests pursued by us or a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject.
IV. Server Logfiles
We collect and store information on the basis of Art. 6 para. 1 lit. f GDPR about your visits to our website in so-called log files on our server. The log files contain data that your browser automatically sends to us, such as:
These data will be collected and processed only for the purpose of measuring the statistics of our website performance. These data will not be connected with data from other data sources.
VI. Period of Data Storage
We process and store personal data only for the period that is required to meet the purpose of processing, or as long as and to the extent that statutory laws require us to process and/or store such data.
If the purpose of processing does not apply anymore and the applicable statutory retention requirement expires, we will as a matter of routine erase data or restrict the processing of data in accordance with the applicable statutory laws.
VII. Information about the transfer of personal data to a third country
We use various cloud services as part of our service, i.e. US-based providers or providers from other states outside EU/EEA who also process personal data on our behalf (e.g. name, e-mail address and possibly others).
We expressly point out that, with regard to the USA, no adequacy decision of the European Commission has been issued so far.
We will only transfer personal data to a provider in the USA if this transmission is permitted in accordance with the so-called Privacy Shield Agreement and / or the transmission is legitimized by standard data protection clauses (standard contractual clauses). The guarantees for privacy shield can be found here:
The standard contract clauses can be found here:
VIII. Is there an automated decision-making process?
If you have given us a consent under Art. 9 GDPR to anonymize your personal data, you consented to the following:
I agree that Retorio anonymizes my personal data in order to be able to process personal data in anonymized form.
You can withdraw a given consent at any time free of charge. A withdrawal can e.g. be done by email or by post.
X. Additional information with respect to Video-Recruiting
What is the purpose of the data processing and who is the data controller?
The purpose of the SaaS is to provide an objective personality profile of you by analyzing video and audio recordings of communications based on artificial intelligence technology. Retorio provides a SaaS on behalf of employers who will be acting as data controller. The SaaS measures personality traits according to the OCEAN framework, which is also known as the Big-5 personality model. You can find more detailed information about the OCEAN framework at https://www.retorio.com/retorio-big-five-overview. Therefore, you start a video communication (a “Video Call”) via a web-application, which may be recorded and stored for the application process.
Which kind of data are processed?
When using the SaaS you may upload and share your own documents (the “User Generated Content”). Your video and audio recordings may include Personal Data. While providing our SaaS we collect and store the following information about your Video Call:
With your consent given according to Art. 9 II a GDPR to the respective employer the Video Recording will be used in order to process data as follows:
Gesture analysis: Retorio evaluates your Video Recordings using gesture recognition algorithms. These algorithms quantify your movements and store motion information. This information is then evaluated using various analysis methods, e.g. to determine how your gestures work. By using the Retorio SaaS, you expressly agree to the quantification and evaluation of your recorded movements.
Voice analysis: The SaaS records your voice and quantifies voice patterns, e.g. via your voice height, voice volume and volume. The quantified voice patterns are evaluated with regard to different effects (e.g. emotions) and enable the Retorio SaaS to give you feedback on the effects of your voice.
Language analysis: The SaaS quantifies your voice-to-text, i.e., your spoken words, and transcribes them. Then the spoken words are analyzed with existing NLP libraries (e.g., sentiment). This is done to give feedback about, for instance, people's emotional word content.
Facial Analysis: Retorio uses face analysis algorithms to determine your facial expression and its effect. Retorio SaaS processes your facial expression both locally through your browser and centrally on servers. The facial analysis generates personal data such as estimates of your age, skin color/ethnicity and gender. Furthermore we collect and store information about your emotions on your face. This information is used to provide you with appropriate feedback on your effectiveness and to improve Retorio SaaS. By using our SaaS, you expressly consent to the processing and storage of this information.
You can withdraw your consent to process these data at any time.
You are not obliged to participate in Video Recruiting by law or by contract and you can also proceed in the application process if you decide not to participate.
Where are data stored and who will have access to your personal data?
We will have access to your personal data in our role as data processor for the respective employer who is our customer. Based on our contractual relation to our customers we are obliged to process personal data only for the purpose of the customer. With your consent we may anonymize personal data and process anonymized data in order to enhance our software and services. In the processing of your personal data we strictly follow directions of our customers.
User Generated Content on Google Cloud may be deemed as contract data processing (the “Contract Data Processing”) depending on the information stored in the User Generated Content. Contract Data Processing will be subject to a separate agreement between us and Google. This means that Google will be sub-processor in relation to the employer who is the responsible data controller. For more information on Google Cloud's compliance with data protection, see: https://cloud.google.com/terms/.
Google Cloud is audited annually on the basis of the following standards (based on Google's self-reporting):
ISO 27001: This is one of the best known internationally recognized independent safety standards. All systems, applications, employees, technologies, processes, and data centers used to deploy the Google Cloud Platform are ISO 27001 certified. The ISO 27001 certificate for the Google Cloud platform can be found on the Google website. Google has also received the ISO 27001 certificate for the common infrastructure from Google.
ISO 27017 - Cloud Security: This is an international application standard specifically targeted at cloud services for information security measures based on ISO/IEC 27002.
ISO 27018 - Cloud Privacy: This is an international application standard for the protection of personal data in public cloud services.
XI. Your Retorio Account – Information for employers with User Account
In order to activate and/or use some of our SaaS, you will need to create an account (the “Account”). During the process of setting up your Account, we will ask you for certain Personal Data such as your
We need this information to allow you to activate, manage or use your Retorio products and services. We may associate your email address and other Personal Data (such as name, telephone number and address) with your Account and access of our products or services. For further information, please see the User Experience and Statistics section below.
Device-related information: In addition, Retorio SaaS collects device-related information, such as model information of the hardware you are using, device identifiers, or the version of your operating system. Retorio may link this information to your user profile.
Log data: When you use our SaaS, we may collect and store certain information in server logs. This may include details about your behavior patterns when using the SaaS, such as the average length of your records, information about device features and events such as crashes, system activity, hardware configurations, browser variant and language, time of your request, referral URLs, and cookies.
Location-related information: When you use the SaaS, we may collect and process information about your location, such as IP addresses or WLAN access points. This information is used exclusively to personalize our services (e.g. automatic recognition of your native language) and to improve our services.
Local storage: The SaaS partly stores data locally on your device (e.g. in the web memory of your browser), e.g. to provide real-time feedback on your communication behavior. This data is usually deleted automatically by your device.
XII. Third Party Technology
Inviting others to use our products or services
You can invite a third party, e.g. your customer, to try our SaaS via email, Google etc. To use the email invite feature, you will have to enter the third party’s email address (which is Personal Data). Retorio will then send your invitation to the email address you provide. This email invitation will contain your Personal Data (including your name and the email address you entered into your Account). Please do not do this without getting consent from the third party. If you choose to share the invitation via Facebook, Twitter or Google, you will need to log in to each service. We will interface with the respective API in order to share a link inviting the third party to our SaaS.
You can visit most areas of the Retorio website without disclosing any Personal Data. Retorio only logs the domain name, IP address and browser type of our website visitors via our webserver log files and analytics tools at irregular intervals. We use this information to log global access to our website. For our SaaS we will ask that you sign up for an Account at Retorio – see above “Account”. In some cases, you will be unable to complete a particular step in the process if you do not want to provide the information requested. For example, we will ask for Personal Data in the following instances:
If you use our online technical support or ask questions about our products and services using the contact form or the contact options on our website, we will ask you to give us Personal Data required for processing the support request. This can include your email address, name and address, as well as information about your computer hardware and software and the type of problem you have.
If you have requested a test license on our website, in order to activate such license, you may have to provide Personal Data, such as an email address.
If you request a service from us via our website.
If you participate in a survey on our website.
If you subscribe to a newsletter. If you signed up for a newsletter and no longer want to receive it, you can unsubscribe at any time by using the unsubscribe option provided in the email or by sending us an email using the contact information provided below.
User Experience and Statistics
Google Tag Manager
Using Google Tag Manager: Google Tag Manager is a solution that allows marketers to manage website tags through a single interface. The Tag Manager tool itself (which implements the tags) is a cookieless domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If deactivation has been made at the domain or cookie level, it remains in place for all tracking tags implemented with Google Tag Manager. http://www.google.de/tagmanager/use-policy.html
We use the "LinkedIn pixel" from LinkedIn Ireland, Wilton Plaza, Wilton Place, Dublin 2, Ireland (“LinkedIn”). This allows users' behaviour to be tracked after they have seen or clicked on a LinkedIn ad. This process is used to evaluate the effectiveness of LinkedIn advertisements for statistical and market research purposes and can help to optimise advertising measures. The data collected is anonymous to us, so it does not give us any indication of the identity of the users.
Tailored audiences is the tool of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, https://www.twitter.com/ (“Twitter”), used to target existing users and customers to create remarketing campaigns. Targeting activity can include directly reaching out to users or visitors to the Thought Works website and campaign pages and/or retargeting previous customer lists. Twitter sets a minimum size limit for a tailored audience to 500 users. If the tailored audience does not match 500 Twitter users, it will display as "audience too small" and will not be available for targeting. Details about Twitter’s policies for conversion tracking and tailored audiences can be found at https://business.twitter.com/en/help/ads-policies/other-policy-requirements/policies-for-conversion-tracking-and-tailored-audiences.html.
XIII. Rights of Data Subjects
According to Art. 15 GDPR you have the right to obtain from the data controller free information on request about the personal data stored about you as well as the purpose of the data processing. Please take note that the respective employer is the data controller of the data processed during a Video Recruiting process. According to articles 16, 17 and 18 GDPR you also have the right to correct incorrect data and block and delete your personal data. Moreover, according to Art. 20 GDPR, you have the right to receive the personal data concerning you which you provided to us, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance on our part. According to Art. 21 (1) GDPR, you also have the right to object, on the basis of your particular situation, at any time to processing your personal data as far as it is based on Art. 6 (1) e) or f) GDPR. We will comply with the aforementioned requests if and to the extent such compliance is required by the applicable statutory laws. Requests for access to and rectification or erasure of personal data or restriction of processing may be directed to the email or post address stated in our website’s imprint. Each data subject has the right to lodge a complaint with a supervisory authority of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.