Tidal Software GDPR Privacy Notice

This notice provides certain required information to persons located in the European Union (“EU”), a European Economic Area (“EAA”) member state, or Switzerland.   Before we collect any “personal data” from you, you are entitled under Regulation (EU) 2016/679 (commonly known as the EU General Data Protection Regulation, or the “GDPR”), to the information in this notice.  The GDPR does not apply to the processing of personal data from data subjects prior to May 25, 2018. This notice is supplemented by our general privacy notice (“General Privacy Notice”), which contains additional details on our privacy policies and which is available here.

The GDPR defines (a) “personal data” as information that identifies you, or may be used to identify you, such as your name, an identification number, location data, an online identifier, or factors specific to your physical, physiological, genetic, mental, economic, cultural or social identity, (b) “controller” as the entity that determines the purposes and means of the processing of personal data, (c) “processor” as the entity that processes personal data on behalf of the controller, and (d) “data subject” as a natural person who is identified, or can be identified, by reference to his or her personal data. For purposes of this notice, Tidal Software LLC (referred to as "Tidal" or “we” here) is the controller and processor of any personal data subject to the GDPR.

If you would like to review the GDPR Articles cited in this notice, please click here, https://www.eugdpr.org/.

Our Purposes and Legal Basis for Processing Personal Data

We will only process your personal data for lawful purposes or with your express consent under the GDPR and arising from your relationship with us as a prospective, current, or former customer (or as a customer’s employee or other representative), as a business partner or supplier or as our employee, contractor, or other relation.  

We will collect and process your personal data because (i) it is necessary for us to perform a contract to which you are a party or because we have another legitimate and lawful interest in doing so or (ii) you have provided your express prior consent.  GDPR Article 9 generally requires us to obtain your prior consent if we collect special categories of personal data protected under the GDPR (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric data to uniquely identify a natural person, health data, or data related to one’s sexual activities or orientation).

The purposes for which we collect personal data, and the legal bases for processing such personal data, are that such collection (a) is “necessary for the performance of a contract”(b) conforms with our “legitimate interest”, but only after we determine after a prior “balancing test” that our legitimate interest in processing your personal data is not overridden by your interests or fundamental rights and freedoms in protecting such personal data; or (c) is done pursuant to your “prior consent”, which means your express voluntarily consent, given prior to the processing of your personal data.  If you would like to review the specific purposes, please refer to list of specific purposes set forth in our General Privacy Notice.

Transfer of Personal Data to the United States

Personal data subject to the GDPR that you provide hereunder will be transferred to the United States.  The GDPR permits such transfer when necessary for the performance of a contract between you and us, is done with a legitimate interest (after balancing our interest with yours) or if we obtain your explicit consent to such transfer.  In transferring your personal data to a processor, we will employ suitable safeguards, including those described in the Information Security section below, to protect the privacy and security of your personal data so that it is only used in a manner consistent with your relationship with us and this privacy notice (including our General Privacy Notice).

How Long Will Your Personal Data Be Stored?

The GDPR requires that your personal data be kept no longer than necessary.  The applicable time period will depend on the nature of such personal data and will also be determined by legal requirements imposed under applicable laws and regulations. Please see list of specific retention policies in our General Privacy Notice. 

You Have Certain Rights to Control Your Personal Data

Articles 15-21 of the GDPR give you the right to control your personal data under the GDPR by directing us, as controller, to do one or more of the following, subject to certain conditions and limitations:

(a)   allow you to access your personal data to see what information we have collected concerning you;

(b)   correct (rectify) any inaccuracy in your personal data;

(c)   delete (erase) your personal data, unless we can demonstrate that retention is necessary or that we have other overriding legitimate grounds for retention;

(d)   restrict the processing of your personal data;

(e)   transfer your personal data to a third party (portability);

(f)    the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you; and

(g) upon your objection, stop processing personal data when we are relying on a legitimate interest basis for processing such data unless we can demonstrate compelling legitimate grounds for processing that override your interests in prohibiting such processing.

If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection, use and retention of your personal information.

You can exercise any of your rights by contacting us using the information provided in the “How to Contact Us” section below or as set forth in the General Privacy Notice. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

GDPR Remedies Include the Right to File A Complaint With The Supervisory Authority

If you believe your privacy rights under the GDPR have been violated, the GDPR gives you the rights and remedies set forth in GDPR Articles 77-82.  These include the right to file a complaint with your local data protection supervisory authority.

Are You Obligated to Provide Personal Data?

As discussed above, we will sometimes ask you to provide information necessary to perform contracts to which you are a party, or to satisfy certain legal requirements binding upon us.  If you do not provide such information, we will not be able to process such contracts or comply with such legal requirements, and you will not be eligible to receive the benefits that may result from the processing of such contracts or compliance with such requirements.  For example, if you do not provide personal data needed to process an application or agreement, you will not receive the benefits of approval of such application or agreement. 

You Have The Right to Know If We Use Your Personal Data In Automated Decision-Making, Including Profiling

The GDPR limits our right to use your personal data for predictive purposes as part of an automated decision-making process, including profiling.  Such a process uses your personal data, such as preferences, interests, behavior, locations, and personal movement, to make an analytically-determined decision, instead of a personalized, individual decision. The GDPR limitation does not apply when such automated decision-making is necessary for the performance of a contract to which you are, or will be, a party.  We do not intend to use personal data in an automated decision-making process without seeking your consent for such use.

Information Security

By design, we work to take necessary steps to protect personal data from unauthorized access, unauthorized alteration, disclosure or destruction of information. In particular, we: 

  • use encryption in transit to protect personal data;
  • require log-in authentication for accessing services related to a data subject’s user account;
  • review our information collection, storage and processing practices, perimeter security and physical security measures, to guard against unauthorized access to systems;
  • restricts access to personal data on a “need to know” basis so that only authorized personnel and contractors have access to personal data and only for the permitted purpose
  • our employees and contractors are subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.

How to Contact Us

To exercise your data rights, navigate to https://support.tidalautomation.com, select “About”, select “Exercise your Data Rights” and choose one of the options.

Tom Cumbo
Data Protection Officer
Tidal Software LLC
222 S. Riverside Plaza
Suite 2800
Chicago IL 60606