
Privacy Statement

Effective Date: September 23, 2025

Introduction

At Cordaata BV, we prioritize the security and privacy of the data entrusted to us across all regions where we operate. This Privacy Statement outlines how we collect, use, share, and protect personal data in compliance with applicable data protection laws worldwide, including the European Union General Data Protection Regulation (GDPR), the South African Protection of Personal Information Act (POPI), the California Consumer Privacy Act (CCPA), Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Singapore's Personal Data Protection Act (PDPA), Australia's Privacy Act, and other relevant privacy legislation across North America (NA), European Union (EU), Africa Middle East Asia (AMEA), and Asia-Pacific (APAC) regions. This statement also explains your rights regarding your personal data and our use of cookies and tracking technologies.

1. Responsible Entity

Cordaata BV Ltd and its affiliated entities act as the controllers of your personal data and are responsible for its processing, unless specified otherwise. References to "Cordaata," "we," "us," or "our" refer to Cordaata BV Ltd and its affiliates involved in the processing activity.

Data Controller Details:

Regional Representatives:

  • EU Representative: For matters relating to GDPR compliance, you may contact our EU representative at info@cordaata.com
  • UK Representative: For UK GDPR matters, contact info@cordaata.com
  • APAC Privacy Officer: For Asia-Pacific privacy matters, contact info@cordaata.com

Global Operations: We operate across multiple jurisdictions including North America (United States, Canada), European Union (all member states), United Kingdom, Africa Middle East Asia (South Africa, UAE, India), and Asia-Pacific (Australia, Singapore, Japan, South Korea) regions, ensuring compliance with local data protection requirements in each territory.

2. Personal Data We Collect

We collect personal data in various ways, including when you:

  • Visit our websites or social media pages
  • Communicate with us via email, phone, or other means
  • Use our products and services across our global regions (NA, EU, AMEA, APAC)
  • Register for or attend our events, webinars, or programs worldwide
  • Complete contact forms or request information (which constitutes opt-in consent for business communications)
  • Participate in surveys or research
  • Visit our offices or facilities globally
  • Interact with our online advertisements or content
  • Subscribe to our newsletters or marketing communications
  • Download whitepapers, case studies, or other business content

The types of personal data we collect may include:

2.1 Personal Data We Collect Directly from You

The personal data we collect directly from you may include:

  • Identifiers: Name, job title, company name, address, phone number, email address, username, and password.
  • Professional or Employment-Related Information: Job title, company name, areas of expertise, interests, professional qualifications, and work experience.
  • Financial Account Information: Billing name and address, credit card number, bank account information, and transaction history.
  • Commercial Information: Purchase history, preferences, interactions with our services, and customer support records.
  • Visual Information: Images and videos, including attendee badge information at events, profile pictures, and security camera footage.
  • Internet Activity Information: IP addresses, device and application information, browser type, operating system, system configuration information, interactions with our websites or emails, and cookie data.
  • Special Categories of Personal Data: With your explicit consent, we may collect biometric data for identification purposes at events, and dietary requirements or accessibility needs for event accommodations.

Collection Scenarios:

  • Contact Forms and Information Requests: When you complete any "Contact Us" form, request a demo, download content, or submit inquiries through our websites, you provide implied consent for us to contact you for business purposes related to your inquiry. This includes follow-up communications, providing requested information, and relevant business communications about our products and services that may be of interest to you.
  • Expressing Interest: When you express an interest in obtaining additional information about our services, request customer support, use our "Contact Us" or similar features, register to use our websites, sign up for an event, webinar, or contest, participate in a program, training, certification, or survey, use our products and services, or download certain content.
  • Purchases and Registrations: When you make purchases via our websites or register for an event or webinar across any of our operating regions.
  • Event Attendance: When you attend an event globally, including attendee badge information and, with explicit consent, biometric information for identification purposes.
  • Office Visits: When you visit our offices worldwide, including name, email address, phone number, company name, time and date of arrival, and image or video.
  • Surveys and Research: When you voluntarily submit information as part of surveys, questionnaires, or other forms of research conducted across our global operations.
  • Supplier or Service Provider: When you are a supplier or service provider to Cordaata (or work for a supplier or service provider) across any of our operating regions, including contact information, payment, and billing information.
  • Marketing Subscriptions: When you subscribe to our newsletters, marketing communications, or opt in to receive promotional materials, which constitutes explicit consent for marketing communications.

2.2 Personal Data We Collect from Other Sources

We also collect information about you from other sources, including partners from whom we collect or purchase personal data or who provide us with publicly available information which may contain personal data. We may combine this information with personal data provided by you.

Provision of Services:

  • Publicly Available Information: Information you have made publicly available online (such as social media sites) or published by third parties (such as news articles).
  • Location Information: Information from third parties to offer features like identity management and multi-factor authentication.

Advertising:

  • Business Contact Information: Identifiers, professional or employment-related information, education information, commercial information, visual information, internet activity information, and inferences about preferences and behaviours from third-party providers for purposes of tailored advertising, delivering relevant email content, event promotion, profiling, determining eligibility, and verifying contact information.

Additional Sources:

  • Organizational Information: Information provided by another individual at your organization, including personal data and special categories of personal data, for the purposes of obtaining services and assessing diversity goals.
  • Open-Source or Community Development Projects: Information from platforms such as GitHub to manage code check-ins and pull requests, associated with your community account.

3. Legal Bases for Processing Personal Data

Under applicable data protection laws including GDPR (EU), UK GDPR, CCPA (California), PIPEDA (Canada), PDPA (Singapore), Privacy Act (Australia), POPI (South Africa), and other regional privacy legislation, we process personal data based on the following legal grounds:

3.1 Contractual Necessity (GDPR Art. 6(1)(b), similar provisions in other jurisdictions)

To perform our contractual obligations with you, provide requested services, process payments, and fulfill business transactions across all our operating regions.

3.2 Legitimate Interest (GDPR Art. 6(1)(f), equivalent provisions globally)

To improve our services, ensure security and prevent fraud, conduct business-to-business marketing communications, business development and analytics, and maintain customer relationships. Our legitimate interests include operating our global business, providing customer support, and developing our products and services.

3.3 Legal Obligation (GDPR Art. 6(1)(c), similar requirements worldwide)

To comply with applicable laws, regulations, tax requirements across NA, EU, AMEA, and APAC regions, and respond to legal processes and regulatory requests.

3.4 Consent (GDPR Art. 6(1)(a), global equivalent)

For marketing communications (where required by local law), cookies and tracking technologies, processing special categories of personal data, and where you have explicitly opted in through contact forms or subscription processes. Contact Form Opt-In: By completing our contact forms or requesting information, you provide implied consent for business-related communications about our products and services.

3.5 Vital Interest (GDPR Art. 6(1)(d), international equivalent)

In emergency situations, to protect the health and safety of individuals.

Regional Compliance Notes:

  • CCPA (California): We comply with California residents' rights regarding personal information
  • PIPEDA (Canada): We ensure appropriate consent and accountability measures for Canadian data processing
  • APAC Jurisdictions: We adhere to local privacy requirements in Australia (Privacy Act), Singapore (PDPA), Japan (APPI), and South Korea (PIPA)
  • AMEA Region: We comply with South African POPI and other applicable regional privacy laws

Special Categories of Personal Data: We process special categories of personal data (including biometric data and dietary/accessibility information) based on explicit consent (GDPR Art. 9(2)(a)) or substantial public interest (GDPR Art. 9(2)(g)), with equivalent protections under other applicable privacy laws.

4. Purposes for Processing Personal Data

We process personal data for the following purposes:

  • To provide and manage our websites and services globally across NA, EU, AMEA, and APAC regions
  • To personalize your experience and deliver relevant content based on your location and preferences
  • To communicate with you and respond to your inquiries, including follow-up business communications when you complete contact forms
  • To manage event registrations and attendance for our global events and webinars
  • To ensure the security of our websites and services worldwide
  • To comply with legal obligations across all jurisdictions where we operate
  • To conduct business-to-business marketing and promotional activities (with appropriate consent where required by local law)
  • To improve our products and services through analytics and user feedback
  • To prevent fraud and ensure platform security across all regions
  • To manage business relationships with suppliers and partners globally
  • To fulfill contractual obligations and process transactions in multiple currencies and jurisdictions
  • To provide customer support and technical assistance across different time zones
  • To conduct market research and business intelligence activities
  • To maintain accurate business records and customer databases

5. Cookies and Tracking Technologies

5.1 What are Cookies?

Cookies are small text files stored on your device when you visit our websites. We also use similar technologies such as web beacons, pixels, and local storage to enhance your experience and analyze website usage.

5.2 Types of Cookies We Use:

Essential Cookies (No Consent Required):

  • Authentication and session management
  • Security and fraud prevention
  • Website functionality and navigation
  • Load balancing and performance optimization

Functional Cookies:

  • Language and regional preferences
  • User interface customization
  • Remember login details and form data
  • Accessibility settings

Analytics Cookies:

  • Website usage statistics and performance monitoring
  • User behavior analysis and heatmapping
  • A/B testing and website optimization
  • Traffic source analysis

Marketing Cookies:

  • Targeted advertising and retargeting
  • Social media integration and sharing
  • Cross-platform marketing campaigns
  • Conversion tracking and attribution

5.3 Third-Party Cookies

We work with third-party service providers who may set cookies, including:

  • Google Analytics and Google Ads
  • Social media platforms (LinkedIn, Facebook, Twitter)
  • Marketing automation platforms
  • Customer support and chat services

5.4 Managing Your Cookie Preferences

You can control cookies through:

  • Our cookie consent banner and preference center (updated regularly to comply with regional requirements)
  • Your browser settings (though this may limit website functionality)
  • Third-party opt-out tools and industry programs (IAB Europe, NAI, DAA)
  • Regional-specific opt-out mechanisms where required by local law
  • Directly contacting us at info@cordaata.com

Regional Cookie Compliance:

  • EU/UK: We obtain explicit consent for non-essential cookies as required by ePrivacy Directive and UK PECR
  • California: We comply with CCPA requirements for cookie disclosure and opt-out rights
  • Canada: We follow PIPEDA guidelines for online tracking technologies
  • APAC: We adhere to local cookie and tracking requirements in Australia, Singapore, and other jurisdictions

6. Sharing Personal Data

We may share personal data with:

  • Service providers who process data on our behalf (IT services, payment processors, marketing platforms, customer support)
  • Affiliates within our corporate group for business operations and service delivery
  • Event sponsors and partners (with your explicit consent for marketing purposes)
  • Professional advisers (lawyers, auditors, consultants) for business and legal purposes
  • Public authorities as required by law or to protect our rights and interests
  • Business partners for joint marketing initiatives and service integration (with appropriate consent)
  • Third parties in connection with corporate transactions (mergers, acquisitions) with appropriate confidentiality protections

Data Sharing Principles: We only share personal data when necessary for legitimate business purposes, with appropriate legal safeguards, and in compliance with applicable data protection laws.

7. International Data Transfers

Your personal data may be transferred to and processed in countries outside your jurisdiction as part of our global operations across North America, European Union, Africa Middle East Asia, and Asia-Pacific regions. These transfers may involve countries that have different data protection standards than your home country.

Transfer Safeguards: We ensure adequate protection for international data transfers through:

  • European Commission adequacy decisions (for EU transfers)
  • UK adequacy regulations (for UK transfers)
  • Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent mechanisms in other jurisdictions
  • Binding Corporate Rules (BCRs) for intra-group transfers
  • Cross-Border Privacy Rules (CBPR) for APAC transfers where applicable
  • Appropriate technical and organizational measures
  • Other legally recognized transfer mechanisms under GDPR, CCPA, PIPEDA, PDPA, and other applicable privacy laws

Primary Transfer Destinations:

  • North America: United States (with appropriate safeguards including SCCs), Canada (adequacy decision)
  • European Union: All EU member states, United Kingdom, Switzerland
  • AMEA Region: South Africa, United Arab Emirates, India (with appropriate safeguards)
  • APAC Region: Australia, Singapore, Japan (adequacy decisions where applicable), South Korea, with appropriate safeguards

Cross-Border Processing: We maintain data processing agreements with all international service providers and partners to ensure consistent privacy protection standards across all regions where we operate.

8. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention Periods:

  • Customer account data: Duration of relationship plus 7 years for legal and tax purposes
  • Marketing data: Until opt-out or 3 years of inactivity, whichever comes first
  • Transaction records: 7 years from transaction date for financial and legal compliance
  • Event attendance data: 2 years from event date unless ongoing business relationship exists
  • Cookie data: As specified in our cookie policy (typically 12-24 months)
  • Legal and compliance records: As required by applicable law (typically 7 years)

After the retention period expires, we securely delete or anonymize personal data using industry-standard methods to prevent unauthorized access or reconstruction.

9. Your Rights Under Global Privacy Laws

Your rights regarding personal data vary by jurisdiction. Below are the rights available under major privacy frameworks:

9.1 Right of Access (GDPR Art. 15, POPI s.23, CCPA, PIPEDA, PDPA, Privacy Act)

Request confirmation of processing and obtain copies of your personal data.

9.2 Right to Rectification (GDPR Art. 16, POPI s.24, similar provisions globally)

Correct inaccurate or incomplete personal data.

9.3 Right to Erasure/Right to be Forgotten (GDPR Art. 17, similar in other jurisdictions)

Request deletion of your personal data in certain circumstances.

9.4 Right to Restrict Processing (GDPR Art. 18, equivalent provisions)

Limit how we process your personal data in specific situations.

9.5 Right to Object (GDPR Art. 21, POPI s.11, similar provisions)

Object to processing based on legitimate interest or for direct marketing purposes.

9.6 Right to Data Portability (GDPR Art. 20, equivalent in other laws)

Receive your personal data in a structured, machine-readable format.

9.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time across all jurisdictions.

9.8 Right to Lodge a Complaint

File complaints with supervisory authorities in your jurisdiction.

Regional-Specific Rights:

California (CCPA/CPRA) Rights:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (Note: We do not sell personal information)
  • Right to non-discrimination for exercising privacy rights
  • Right to correct inaccurate personal information

Canadian (PIPEDA) Rights:

  • Right to access personal information
  • Right to request correction of personal information
  • Right to file complaints with the Privacy Commissioner

APAC Rights:

  • Australia: Rights under Privacy Act including access, correction, and complaint mechanisms
  • Singapore: Rights under PDPA including access, correction, and data portability
  • Japan: Rights under APPI including disclosure, correction, and deletion

Exercising Your Rights: To exercise any of these rights, please contact us at info@cordaata.com. We will respond to your request within the timeframes required by applicable law (typically 30 days for GDPR/POPI, 45 days for CCPA, 30 days for PIPEDA) and may request verification of your identity.

10. Data Security

At Cordaata BV, we take the security of your personal data very seriously and implement comprehensive technical, administrative, and physical measures to protect against unauthorized access, use, disclosure, alteration, or destruction.

Our data security measures include:

  • Data Classification: We classify data based on its sensitivity and apply appropriate security controls to protect it.
  • Access Controls: We enforce strict access controls with role-based permissions, multi-factor authentication, and regular access reviews to ensure only authorized personnel can access sensitive data.
  • Encryption: All sensitive data is encrypted both at rest and in transit using industry-standard encryption protocols (AES-256, TLS 1.3).
  • Security Awareness Training: We conduct regular security awareness training for our employees and maintain security policies and procedures.
  • Incident Response: We have a robust incident response plan in place to address any security breaches or incidents, including notification procedures as required by GDPR and POPI.
  • Regular Audits and Assessments: We perform regular security audits, vulnerability assessments, and penetration testing to identify and address potential vulnerabilities.
  • Data Backup and Recovery: We maintain secure, encrypted backups of critical data and have tested disaster recovery plans in place.
  • Vendor Management: We ensure third-party service providers implement appropriate security measures through contractual obligations and regular assessments.
  • Compliance with Standards: We comply with relevant data protection regulations, industry security standards (ISO 27001), and best practices.

Data Breach Notification: In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authorities within the timeframes required by applicable law (72 hours for GDPR, similar requirements for other jurisdictions) and inform affected individuals without undue delay where required by law across all our operating regions.

11. Automated Decision-Making and Profiling

We may use automated processing, including profiling, for:

  • Personalizing content and service recommendations
  • Fraud detection and security purposes
  • Marketing segmentation and targeting
  • Service optimization and improvement

Your Rights: You have the right not to be subject to decisions based solely on automated processing that produce legal effects or significantly affect you. You may request human intervention, express your point of view, and contest such decisions by contacting us at info@cordaata.com.

12. Changes to This Privacy Statement

We may update this Privacy Statement from time to time to reflect changes in our practices, services, legal requirements, or other operational reasons. We will notify you of any material changes by:

  • Posting the updated statement on our website with a new effective date
  • Sending you email notification (for significant changes)
  • Providing notice through our services or other appropriate channels

We encourage you to review this Privacy Statement periodically to stay informed about how we protect your personal data.

13. Contact Us and Supervisory Authorities

Contact Information: If you have any questions, concerns, or requests regarding this Privacy Statement, our data practices, or wish to exercise your rights, please contact us at:

Supervisory Authorities: You have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction if you believe your data protection rights have been violated:

European Union & EEA:

  • Belgium: Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
  • Other EU Member States: Contact your local Data Protection Authority

Other Regions:

  • United Kingdom: Information Commissioner's Office (ICO)
  • South Africa: Information Regulator South Africa (inforegulator.org.za)
  • Canada: Office of the Privacy Commissioner of Canada (priv.gc.ca)
  • United States: State Attorneys General (for state privacy laws like CCPA)
  • Australia: Office of the Australian Information Commissioner (OAIC)
  • Singapore: Personal Data Protection Commission (PDPC)
  • Japan: Personal Information Protection Commission
  • South Korea: Korea Internet & Security Agency (KISA)

Regional Privacy Authorities: We maintain updated contact information for privacy authorities across all regions where we operate and will assist you in directing complaints to the appropriate authority based on your location.

Response Times: We aim to respond to all privacy-related inquiries within 30 days. For complex requests, we may extend this period by up to 60 additional days and will inform you of any such extension.

Last Updated: September 23, 2025

Document Version: 2.1

Next Review Date: March 23, 2026