add mandatory DPF sections

This commit is contained in:
mffap
2025-06-13 15:41:45 +02:00
parent 2cf3ef4de4
commit 15b8446024


@@ -3,7 +3,7 @@ title: Privacy Policy
custom_edit_url: null
---
Last updated on 20 March, 2025
Last updated on [[DRAFT]]
This privacy policy describes how ZITADEL Inc. and its wholly owned subsidiaries and affiliates (collectively, "**ZITADEL**", “**CAOS**", "**we**" or "**us**") collect, use, disclose and otherwise process your personal data in connection with the management of our business and our relationships with customers, visitors and event attendees.
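Review bot: the replacement header line `Last updated on [[DRAFT]]` swaps a concrete date for a placeholder; it needs the real publication date before merge, because the "Changes to this Privacy Policy" section later in this file promises that the last-updated date is posted at the top of the policy. The removed and added lines here are also missing their `-`/`+` markers in the rendered view, so double-check that the date line was actually replaced rather than duplicated.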
@@ -57,11 +57,19 @@ In cooperation with our suppliers, we make every effort to protect the databases
This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".
## Data Privacy Framework (DPF) Adherence Statement
Zitadel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
Zitadel has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
Zitadel has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.
If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
## Processing of personal data, legal basis, storage period
**Personal data** is any information that relates to an identified or identifiable person. A **data subject** is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, storage, modification, destruction and use of personal data.
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO :
We process personal data in accordance with Swiss data protection law. In addition, we process - to the extent and insofar as the EU Data Protection Regulation is applicable - personal data in accordance with the following legal bases within the meaning of Art. 6 (1) DSGVO:
* Insofar as we obtain the consent of the data subject for processing operations, Art. 6 (1) a) DSGVO serves as the legal basis.
* When processing personal data for the fulfillment of a contract with the data subject as well as for the implementation of corresponding pre-contractual measures, Art. 6 para. 1 lit. b DSGVO serves as the legal basis.
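Review bot: the entity name in the new DPF adherence statement does not match the defined term in the opening paragraph: the policy defines the controller as "ZITADEL Inc." (short form "ZITADEL"), while the statement reads `Zitadel complies with the EU-U.S. Data Privacy Framework` and `Zitadel has certified to the U.S. Department of Commerce`; use one form so the certifying entity is unambiguously the one defined at the top. The closing sentence uses a bare URL (`https://www.dataprivacyframework.gov/`) where the rest of the file uses Markdown links, and it has no terminating period. The only visible difference in the `We process personal data in accordance with Swiss data protection law...` paragraph is the removed space before the colon, which is fine but worth a mention in the commit message since the message only refers to DPF sections.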
@@ -69,7 +77,7 @@ We process personal data in accordance with Swiss data protection law. In additi
* For the processing of personal data in order to protect vital interests of the data subject or another natural person, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
* If personal data is processed in order to protect the legitimate interests of us or of third parties and if the fundamental freedoms and rights and interests of the data subject do not override our interests and the interests of third parties, Article 6 (1) (f) of the GDPR serves as the legal basis. Legitimate interests are in particular our business interest in being able to provide our website and our products, information security, the enforcement of our own legal claims and compliance with Swiss law.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected and where we have an ongoing legitimate business need to do so (for example to comply with applicable legal, tax or accounting requirements). Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
### Processing of personal data when using the website, contact forms and in connection with newsletters
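Review bot: the removed and added `We will retain personal data for the period of time necessary...` paragraphs are identical as rendered, so this is a whitespace-only change (trailing whitespace or line endings); confirm it is intentional, since invisible diffs in a legal text make it harder for reviewers to spot substantive edits. While touching this block, the legal-basis bullets cite the same provision three different ways (`Art. 6 (1) a) DSGVO`, `Art. 6 para. 1 lit. b DSGVO`, `Article 6 (1) (f) of the GDPR`); a single citation style would read better.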
@@ -218,6 +226,47 @@ If you have a concern about how we collect and use personal data, please contact
* Swiss data protection authorities: [https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html](https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html);
* UK data protection authority: [https://ico.org.uk/global/contact-us/](https://ico.org.uk/global/contact-us/).
## Recourse, Enforcement, and Liability
Zitadel, Inc. is committed to addressing any concerns regarding its compliance with the Data Privacy Framework Principles.
### Commitment to Resolve Complaints
Zitadel commits to resolving complaints about our collection or use of your DPF-covered personal information.
Individuals from the EU, UK, or Switzerland with inquiries or complaints regarding our DPF policy should first contact Zitadel Inc. at:
Data Protection Officer
1 Embarcadero Center
Suite 1200
San Francisco, CA 94111-4164
United States of America
[legal@zitadel.com](mailto:legal@zitadel.com)
Zitadel will investigate and attempt to resolve DPF-related complaints and disputes within 45 days of receipt.
### Independent Dispute Resolution (IDR)
If you have an unresolved DPF-related privacy or data use concern that we have not addressed satisfactorily, Zitadel has designated an independent dispute resolution body to address complaints and provide appropriate recourse free of charge to the individual.
Zitadel has committed to cooperate with the panel established by the EU data protection authorities (DPAs) and, where applicable, the UK Information Commissioners Office (ICO) (and the Gibraltar Regulatory Authority (GRA)), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved DPF complaints concerning data transferred from the EU, UK, and Switzerland, respectively.
You may contact the relevant EU DPA, the UK ICO, or the Swiss FDPIC directly.
This choice of IDR mechanism, particularly cooperation with DPAs, is a recognized path under the DPF and ensures that individuals have access to a familiar and trusted recourse body.
### Binding Arbitration
Under certain conditions, more fully described on the [Data Privacy Framework website](https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction), you may be entitled to invoke binding arbitration for DPF complaints not resolved by any of the other DPF mechanisms.
This option serves as an ultimate recourse for individuals if other avenues for resolution have been exhausted.
### U.S. Regulatory Oversight
Zitadel's compliance with the Data Privacy Framework Principles is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
The FTC has jurisdiction over Zitadel's adherence to its DPF commitments.
This oversight by a U.S. regulatory authority is a key component of the DPF's enforcement structure.
### Cooperation with Data Protection Authorities
Zitadel commits to cooperate with the EU DPAs, the UK ICO (and GRA), and the Swiss FDPIC in the investigation and resolution of complaints brought under the DPF and will comply with the advice given by these authorities with regard to data transferred from the EU, UK, and Switzerland.
## Additional Information for U.S. Residents
Categories of personal data we collect and our purposes for collection and use
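Review bot: `UK Information Commissioners Office (ICO)` in the Independent Dispute Resolution paragraph is missing the apostrophe (Information Commissioner's Office). The postal address block from `Data Protection Officer` to `United States of America` is written on consecutive lines without trailing line breaks or list markers, so in Markdown/MDX it will collapse into a single run-on line; add explicit line breaks or a list. Several sentences read as drafting notes rather than policy text, for example `This choice of IDR mechanism, particularly cooperation with DPAs, is a recognized path under the DPF...` and `This oversight by a U.S. regulatory authority is a key component of the DPF's enforcement structure.`; either drop them or reword them as commitments. The entity name also appears as `Zitadel, Inc.`, `Zitadel Inc.` and plain `Zitadel` within the same section; align with the defined term from the opening paragraph.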
@@ -285,6 +334,9 @@ We actively try to minimize the use of tools from companies located in countries
Our Site is not intended for or directed to children under the age of 14. We do not knowingly collect personal data directly from children under the age of 14 without parental consent. If we become aware that a child under the age of 14 has provided us with personal data, we will delete the information from our records.
## Changes to this Privacy Policy
We may revise this privacy policy from time to time and will post the date it was last updated at the top of this privacy policy. We will provide additional notice to you if we make any changes that materially affect your privacy rights.