Privacy Policy

CASSIDI PEOPLE, S.L. Spanish company with registered office at C / Cazorla No. 2 Bajo, 28522, Rivas-Vaciamadrid, Madrid, Spain and NIF B-09751801, registered in the Commercial Register of Madrid, Volume 43111, Folio 41, Page M-761810, 1st Entry (hereinafter "Cassidi») is committed to protecting your personal data. This privacy policy (hereinafter, the "Privacy Policy") will inform you of how we take care of your personal data when you interact with our website (hereinafter, the "Website") or our platform (hereinafter, the "Platform").

Contact details: e-mail GDPR@cassidi.io

1. Cassidi HR Services 

Cassidi is a SaaS HR management platform used by organizations in their capacity as employers ("Clients") to improve their HR processes, centralizing and digitizing certain tasks related to their employees (hereinafter "End Users").

2. Data Processor

Cassidi may be both a Controller and a Processor of personal data for the purposes of the General Data Protection Regulation 2016/679 ("GDPR"). For example, Cassidi will be the Controller of personal data where a Client enters into a contract directly with us, for the processing of that Client's data.

However, in most cases, due to the nature of our business, Cassidi does not have a direct relationship with data subjects and exclusively processes End User personal data on behalf of clients and according to their instructions. Therefore, if you are an employee using our platform, we act solely as data processors of your data. Our Customers decide the purposes for which they use our Platform, as well as the means of data collection to the extent of the functions of our Platform.

In the case of users who browse our website, Cassidi will be responsible for the processing of data collected here, such as cookies, or any data that is interesting to enjoy our content. 

Example: if you are a user of our website and you need to access a particular service, such as requesting a product demo, we will manage your personal data for the intended purpose.  

3. Personal data of end-users received from our clients 

Before you can access our Platform, one of our Clients, such as your employer, has already created an End User account for you and provided us with certain information about you, including basic information such as full name or professional email address.

4. End-user personal data received from Google

If you choose to access our Platform via the website using the Google sign-in tool, Google Ireland Limited will share your full name, email address, language preferences and profile picture with us for authentication purposes.

5. End-user data collected by our website

In order to provide certain services through our website we collect the following personal data: 

  • Request a demo of our software: If you request an appointment for a demo we will use your details to contact you and set a date for the demo together. 

6. Purposes and basis for the processing of your personal data

Cassidi processes your personal data:

  • To respond to your request for demonstration, contact or additional information as a customer, supplier or end user. 
  • To draft, negotiate or sign contracts or other agreements with you.
  • To secure and present our website or platform.
  • For the purposes determined by our Clients - as data controllers - and under their instructions.
  • As each customer may use our services for different purposes, we recommend that you always check your company's specific privacy policy for the relevant data protection information.

Example: if you are a potential customer and want to do a demonstration with us, we will use your personal data to contact you. 

7. Legal basis for processing your data

The processing of your data is carried out in accordance with the following legal bases: your consent in accordance with Art. 6 para. 1 lit. a) GDPR or, as the case may be, Art. 9 para. 2 lit. a) GDPR, for the performance of a contract with you in accordance with Art. 6 para. 1 lit. b) GDPR, for the fulfilment of legal obligations in accordance with Art. 6 para. 1 lit. c) GDPR or for a legitimate interest in accordance with Art. 6 para. 1 lit. f) GDPR.

The legal basis for processing your data in accordance with the stated processing purposes is:

  • Contacts: if you want to contact us, for example because you send us an email or write to us via a contact form, the legal basis is Art. 6 para. 1 lit. f) of the GDPR. We have a legitimate interest in the full processing of your contact. Since you contact us, we assume that there are no interests on your part that conflict with the processing of your request. If the contact is for the purpose of entering into a contract or the performance of a contract, the legal basis for processing is § 6 (1) lit. b) GDPR. If consent is given, the legal basis for processing the contact is Art. 6 para. 1 lit. a) GDPR or, where applicable, Art. 9 para. 2 lit. a) GDPR.
  • Contracts: The legal basis for processing your personal data for the performance or initiation of contracts is Art. 6 (1) lit. b) GDPR. This includes, in particular, the processing of data through the use of our Platform, unless another described processing purpose (and corresponding legal basis) applies and is relevant. In addition, we also process your data in accordance with legal provisions arising, for example, from tax law. This type of processing is lawful in accordance with Art. 6 (1) c) GDPR. In the case of requests that do not give rise to a contractual relationship, we have a legitimate interest in accordance with Art. 6 (1) (f) GDPR to keep track of the request data for a limited period of time in order to assert our legal claims or defend ourselves against lawsuits.
  • Security and presentation of our website: Each time our website is accessed, usage data is transmitted by the respective Internet browser and stored in log files, so-called server log files. The data records that are stored are the name of the web page accessed, the file, the date and time of access, the amount of data transferred, the notification of successful access, the browser type and version, the operating system of the user, the referrer URL (the previously visited page), the IP address and the requesting provider. These data records from log files are evaluated to protect our website against attacks, to find and correct errors and to monitor server utilization. This is also our legitimate interest according to Art. 6 para. 1 lit. f) of the GDPR. Cookies and other technologies may be necessary for the complete and correct display of our website. Unless otherwise specified, complete and correct display is a legitimate interest on our part in this data processing in accordance with Art. 6 (1) (f) GDPR.
  • Events and demonstrations: Whenever you access our website, and complete a form to carry out some kind of action related to events and demonstrations, the basis of legitimacy that we will take into account is the consent of the person concerned. 

8. Security measures

Cassidi implements state-of-the-art security standards to prevent unauthorized access, maintain data accuracy and ensure the correct use of information. We also implement appropriate organizational measures to protect your information. 

We apply our security standards also when working with business and technology partners. We only select and contract with processors and third parties that use appropriate security measures and provide sufficient safeguards, including technical and organizational measures, to ensure adequate protection of the data we entrust to them.

In addition, Cassidi employees sign a non-disclosure agreement or clause in connection with their employment and we have established internal processes such as ongoing training and policies that are frequently updated to ensure the availability and resiliency of our systems and services. 

9. Transfer of your personal data to third parties

The data processed by Cassidi is hosted in the EU and processed within the EU or in the third country determined by the European Commission to provide an adequate level of security, or by service providers who have entered into binding agreements that fully comply with the legality of transfers to third countries. Other recipients of your data may include government agencies and administrations, to the extent that we are legally obliged to do so, and service companies, such as tax advisors or lawyers.

10. International data transfers

The information we collect from you may be processed in third countries as understood in Article 44 of the GDPR. Some third countries, such as the United States, have not currently received an adequacy decision from the European Union under Article 45 of the GDPR, which means that your data may not receive the same level of protection there as under the GDPR.

International data transfers are usually carried out on the basis of contractual or other rules provided for by law, which aim to ensure adequate protection of your data and which you can consult on request. In doing so, we rely on the safeguards provided for in Article 46 of the GDPR or, where applicable, the provisions set out in Article 49 of the GDPR. We and our processors aim to apply appropriate safeguards to protect the privacy and security of your personal data. Therefore, we only process your personal data in accordance with the practices described in our Privacy Policy. 

11. Retention and storage of personal data 

We retain personal data for different periods, depending on the type of information, the period of our contract with our customers, legal requirements relating to certain types of data and other factors.

If we need to retain your information to comply with a contractual or legal hold obligation, or to resolve disputes or enforce our rights, we will restrict access to specific individuals or functions.

12. Exercising your personal rights

Under the GDPR, you have certain rights when it comes to our processing of your personal data:

  • Right to be informed: you have the right to receive clear, transparent and easily understandable information about how we use your personal data and your rights.
  • Right of access: You have the right to obtain access to your personal data.
  • Right of rectification: You have the right to have your personal data rectified if it is inaccurate or incomplete.
  • Right of erasure: this right allows you to request the deletion or removal of your personal data where there is no compelling reason for us to continue to use it. This is not an absolute right of erasure and exceptions apply.
  • Right to restrict processing: You have the right to "block" or delete further use of your personal data. When you restrict processing, we may continue to store your personal data, but we may no longer use it.
  • Right to data portability: You have the right to obtain and reuse your personal data for your own purposes in different services.
  • Right to object to processing: You have the right to object to certain types of processing.
  • Right to lodge a complaint: You have the right to lodge a complaint about the way we handle or process your personal data with your national data protection authority. 
  • Right to withdraw consent: If you have given your consent to anything we do with your personal data, you have the right to withdraw your consent at any time. 
  • Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal (or similarly important) effects for you.

Cassidi normally acts on requests and provides information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information to you:

  • unfounded or excessive/repeated requests; or
  • more copies of the same information. 

You can address your communications and exercise your rights by sending a written communication to the following email address GDPR@cassidi.io. In some cases, the request may be denied if the deletion of data necessary for compliance with legal obligations is requested.

13. Changes to this web privacy policy

We reserve the right to change this privacy policy to adapt it to product and service developments, industry standards or new regulations. If such changes are material, we will do our best to inform you.