Data Privacy Policy

Version: August 2024





By providing the following information, we want to give an overview of the processing of your personal data which is carried out by us and of your rights under the data protection law in the framework of the contractual relationship with Maltego Group (hereinafter referred to as “Maltego”). Which data is processed specifically and in what way it is used substantially depends on the ordered services. Therefore, not all parts of the provided information may apply to you.

  1. The data protection controller is Maltego Technologies GmbH, Paul-Heyse-Str. 29, D - 80336 Munich, Email: contact@maltego.com, Phone: +49 (0) 89 24418490. Especially with regard to data protection issues, you may also contact the Data Protection Officer at dataprotection@maltego.com at any time.
  2. We process personal data which we receive from our customers or other parties concerned in the course of our business relationship. In the context of the business relationship you are obliged to provide such personal data which is required in order to enter, conduct or terminate a business relationship and to perform the corresponding contractual obligations or such personal data which we are legally obliged to collect. Without this data we shall regularly not be able to conclude a contract with you or to conduct or terminate such a contract.
  3. For the performance of the contract we process the following information:
  • Your contact details (especially title, first name, last name, email address, address, telephone numbers, position, company details),
  • Your payment information (bank details),
  • Your data provided in the context of search queries with our software (IP address, contents of the search input, date and time of the request, operating system and Java Virtual Machine information, language and version of the browser software),
  • Your license key and logs (including the account creation and latest usage activity date, EULA acceptance date, machine ID/MAC address) and the utilized Maltego client version.
  1. We process personal data in accordance with the provisions of the EU General Data Protection Regulation (GDPR) for the performance of contractual obligations (Article 6 (1) sentence 1 lit. b of the GDPR).

The processing of data is carried out in order to provide goods and services in the course of the performance of the contracts with our customers or the performance of pre-contractual measures that are provided upon request. The purposes of the processing primarily depend on the actual product (e.g. distribution of software licenses) and can include, inter alia, needs analysis and consulting.

  1. To the extent necessary for the performance of our services, we also process personal data which we obtain from public sources (e.g. the press, internet) or which is transferred to us by affiliated companies of Maltego or other third parties (e.g. a credit reporting agency).

  2. We also process personal data based on your consent (Article 6 (1) sentence 1 lit. a of the GDPR). If you give your consent to the processing of personal data for a specific purpose (e.g. disclosure of data to subcontractors, evaluation of license and payment data for marketing purposes, newsletters) the processing is considered lawful based on your given consent. Declarations of consent must be given freely. The declaration of consent must indicate the purpose of the processing of data. If you have given your consent to the processing of your data, you may withdraw your consent at any time without having to provide reasons. The lawfulness of processing based on an effectively given consent remains unaffected until the time the consent has been withdrawn.

  3. In some cases, we like to record customer meetings for internal training purposes. The recordings should be used to train our employees to enable a higher quality in our customer meetings. The recording is done, e.g., by MS Teams. We only record client meetings after you have given your consent. The consent is obtained online. We store the recordings for 2 years. You can revoke your consent at any time. For this purpose, please contact us using the contact details provided in this privacy policy in chapter 1.

  4. When you participate in a webinar that is either hosted or co-hosted by Maltego, you may be asked to provide your personal information, which will allow you to sign into, or otherwise participate in, the webinar. Webinars may be hosted and recorded by Maltego, its co-hosting partner and/or a sponsor of the webinar (each a “Host” and together the “Hosts”, whereby all Hosts will be disclosed as part of the webinar offering). Please refer to all other Hosts’ privacy policies for further information on how they use your personal information, as Hosts may collectively use and transfer amongst one another your personal information, including, for example, your webinar sign-in information and any audio and/or video recordings of the webinar (if applicable) so long as the transfer is consistent with the uses contained in this paragraph and the relevant Host’s privacy policy. Accordingly, you will be asked to provide your consent to our and our Hosts’ use of your personal information for such purposes. Subject to any other terms and conditions of your consent, in addition to using your personal information for providing you with webinar access, information collected during a webinar may also be used by Maltego or a Host to understand industry-wide pain points, to enhance Maltego’s or a Host’s products and/or service offerings, or for Maltego’s or any Host’s general marketing purposes.

  5. You can participate in the Maltego Academic Program which is designed to enhance innovation by giving eligible participants access to the Maltego Software. The program is intended for NGOs and other non-profit companies that are granted Maltego licenses for conducting a research project for non-commercial purposes. Each participant shall complete an online application indicating the project for which the participant would like to use the subscription licenses. Within the application the following data is collected: email address, name, physical address, LinkedIn accounts, Twitter accounts, GitHub accounts, project/training descriptions, NGO registration numbers, documents justifying registrations, countries partners are from, email address of students, names of students. The processing of this data is necessary to participate in the Maltego Academic Program. Please note that you need to inform your employees about the data processing if you register them for the program. The data is stored until the purpose no longer applies (end of the program) or until you request us to delete it.

  6. If you participate in the Train the Trainer Program your personal data is processed. This program is designed to empower trusted trainers to deliver training content developed by Maltego. Maltego teaches the registered participants how to train others on Maltego products. If the participants successfully complete the training program they will be certified as Maltego trainers and will be able to deliver Maltego trainings according to the program’s terms and conditions. The data is stored until the purpose no longer applies (end of the program) or until you request us to delete it.

The processing activities and categories of personal data processed within this program are the following:

  • Processing of personal data of program participants (companies in the program and the designated employees from their side): personal data is requested in the registration process and is needed to communicate with Maltego. Data categories: full name, organization, organization address, registration number, title, email address.
  • Processing of personal data of Maltego customers for whom Maltego requests newly certified trainers to provide training services. Data categories: full name, organization, organization address, title, email address.
  • Processing of personal data of Maltego customers' participants when issuing certificates for them (based on the info provided by the newly certified trainers). Data categories: full name, name of course, course completion date.
  1. Sometimes we ask about your user experience and for your feedback by sending out surveys. Participation in the surveys is voluntary unless it is necessary for the fulfilment of the contract. Information that is required for participation in the survey is marked as mandatory. It is important to us that only the personal data required for the survey is collected. Where possible, we conduct the surveys anonymously. The data is stored for the purpose of conducting the survey and deleted once the purpose no longer applies.
  2. The processing of your personal data can also take place if this is necessary to realise the legitimate interests of Maltego (Article 6 (1) sentence 1 lit. f of the GDPR). Legitimate interests exist for example, if we assert a legal claim against you or we need to defend ourselves in a legal dispute. The processing of personal data on the basis of a legitimate interest shall not take place if there is an indication that the interest in the processing is overridden by your legitimate interest in that particular case. The existence of legitimate interests shall be assessed in each case of processing.
  3. Maltego processes personal data if you apply for a job. Detailed information about data processing can be found in the Applicant Privacy Policy.
  4. Fraud checks. In exceptional cases it might happen that your purchase is placed under review. In this case Maltego requires further information for internal fraud checking purposes, to ensure the security of your data and to execute the purchase. In order to minimise these cases, Maltego has already banned the use of unusual email addresses and will also place public email addresses under internal fraud check review.

As part of the fraud checking process, we will ask you to provide us the following information via phone (phone calls are never recorded) or via business email address:

  • a picture of the physical credit card used during payment, showing only the last 4 digits of the entire card number (all other data should be blurred or blackened).
  • any form of proof that there is a connection between you and the credit card holder, at your own discretion.

You will be asked to provide the above documents within the next 24 business hours. Otherwise, we have to suspend the license key until further notice. Please note that the refund will be initiated and the payment will be processed again as soon as the account is validated.

Within the purchasing process Maltego never has access to view the full credit card number or security code, but Maltego has access to view the card type, expiration date, and last 4 digits of the card.

All data which is collected during the fraud checking process is stored until the purchase is validated and the amount is credited on Maltego’s accounts. Immediately after, the data is deleted as the purpose of the processing disappears.

  1. Within Maltego, your data may only be accessed by those who need this data to fulfil our contractual and legal obligations. As Maltego is a group of companies, data may be exchanged within the group. Service providers and vicarious agents can also receive data for this purpose. These are companies in the categories IT-services, logistics, debt collection, consulting as well as sales and marketing. We only pass on your personal data within the group or to third parties, if:
  • you have explicitly given your consent to this in accordance with Article 6 (1) sentence 1 lit. a of the GDPR,
  • this is permitted by law and - in accordance with Article 6 (1) sentence 1 lit. b of the GDPR - necessary to process contracts we concluded with you,
  • in case there is a legal obligation to transfer personal data according to Article 6 (1) sentence 1 lit. c of the GDPR, and
  • in case there is a legitimate interest according to Article 6 (1) sentence 1 lit. f of the GDPR and there is no reason to believe that you have an overriding legitimate interest in not passing on your data. In order to provide good customer service and quick response times, your customer enquiries may be forwarded to our resellers. The resellers will handle your request. We only forward your contact details and the request to the resellers. We also ensure that the reseller is located in the same country as you. Our resellers are contractually obliged to comply with the data protection regulations. The legal basis for the data transfer is our legitimate interest. You can object to the processing at any time with effect for the future.
  1. We partially use external service providers to process your data. These have been carefully selected and commissioned by us. They are bound by our instructions and controlled regularly. As far as our service providers or partners have their registered office in a country outside the European Union (so called third countries), we will provide information on the consequences of this fact beforehand. A transfer to third countries is carried out, as far as
  • this is required for the (partial) provision of the contractual performance (e.g. search queries with our software), or
  • you have given your consent.

To the extent that this is necessary, your personal data is transferred to an IT-service provider in the United States or another third country in order to ensure the IT operations in compliance with the European data protection level. You can find the service providers we are using in the table below.

  1. The nature of a web-based service means that information will be available to persons all over the world. Whilst Maltego does not routinely transfer the information it holds outside the EU, it is possible for the information contained in the Maltego public records register to be accessed from anywhere in the world. Making such information available to all without restriction is consistent with our public interest mission.

  2. We adhere to the principles of data avoidance and data minimization. Therefore we store your personal data only for as long as required to achieve the purposes mentioned here or for the duration of the diverse storage periods specified by the legislator. After the respective purpose has ceased to exist or after the expiry of these storage periods, the corresponding data is blocked or deleted routinely and in accordance with the legal provisions.

  3. Your data will no longer be used and will be deleted after the contract with you has ended, according to our internal data deletion policy or if you ask us for data deletion. Exceptions are only the use for recovery measures to the extent permitted by law or statistical evaluations or market research, provided you have given your consent. Apart from that, your data is stored only for as long as this is necessary to observe statutory obligations to archive and to retain the data.

  4. We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against access by unauthorized third parties. Our security measures are continuously improved in line with technological development.

  5. You have the right:

  • to access information on your personal data which has been processed by us in accordance with Article 15 GDPR. In particular, you may access the information on the purposes of processing, the categories of personal data, the categories of recipients to whom your personal data has been or will be disclosed, the envisaged period of storage, the existence of the right to rectification, erasure, restriction of processing data or objection, the existence of the right to lodge a complaint, the source of your data, insofar as it was not collected on our part, as well as the existence of automated decision-making, including profiling and, if applicable, meaningful information on the details;
  • to claim rectification of inaccurate personal data or the completion of incomplete personal data that is stored with us in accordance with Article 16 GDPR;
  • to claim the erasure of the personal data stored with us according to Article 17 GDPR, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
  • to claim the restriction of processing of your personal data according to Article 18 GDPR as far as the accuracy of the personal data is contested, the processing is unlawful but you oppose the erasure and we no longer need the data, but you require them for the establishment, exercise or defence of legal claims or you have objected to the processing of your personal data in accordance with Article 21 GDPR;
  • to receive the personal data you provided to us in a structured, commonly used and machine readable format or to claim the transmission to another controller according to Article 20 GDPR;
  • to withdraw your given consent at any time by notifying us in accordance with Article 7 (3) GDPR. This has the consequence that we cannot continue the data processing which was based on this consent in the future and
  • to lodge a complaint with a supervisory authority in accordance with Article 77 GDPR. In general, you may turn to the supervisory authority of your habitual residence or your place of work or of the locations of our law office.
  1. Information on your right to object in accordance with Article 21 of the GDPR

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning yourself which is based on Article 6 (1) sentence 1 lit. f of the GDPR (processing on the basis of a balance of interests).

In case you object we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.

In individual cases we process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning yourself for such marketing purposes.

  1. We reserve the right to adjust this Privacy Statement occasionally to make sure it always complies with the current legal requirements or to implement changes to our services in the privacy statement, for example, if new services are introduced.

  2. For the performance of the services of Maltego, personal data of Maltego users are transmitted to the following third parties (subcontractors) for the following purposes:

| Third party name | Purpose of the processing | Categories of personal data | Legal basis and data protection contract | Name and address of the service provider | Privacy statement and contact details |
| --- | --- | --- | --- | --- | --- |
| Asana | Internal task co-ordination and project management | Customer data: full name, user name, email address, telephone number, company, industry | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | Asana, Inc, 1550 Bryant Street, Suite 200, San Francisco, CA 9411103, USA | https://asana.com/de/terms#privacy-policy; privacy@asana.com |
| Debounce.io | Validating email addresses and prevent spam email addresses | Customer data: email address | Legitimate Interest, Performance of contract, Art. 6 (1) (f) GDPR; SCC concluded | debounce.io, 411088, Hadapsar, Maharashtram, Pune, India | https://debounce.io/privacy-policy/ |
| Freshworks (Freshsales, Freshdesk) | Management of customer relationships, newsletter distribution, management of inquiries via the contact form of the website | Customer data: full name, user name, email address, telephone number, company, industry | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | Freshworks Inc., 1250 Bayhill Drive, Suite 315, San Bruno, CA 94066, USA | https://www.freshworks.com/privacy/; support@freshworks.com |
| GoToWebinar (LogMeIn Ireland Unlimited Company) | Organise, host and record online webinars | Customer Data: full name, email address, telephone number, company and number of employees, industry, country | Consent from the customer, Performance of contract, Art. 6 (1) (a) GDPR; DPA concluded | The Reflector, 10 Hanover Quay, Dublin 2, D02R573, Ireland | https://www.logmein.com/legal/privacy; privacy@logmein.com |
| Keylight | Management of the online shop and the user accounts | Customer data, contract data: full name, user name, email address, telephone number, orders, order number, encrypted password | Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | Keylight GmbH, Nürnberger Straße 8, 10787 Berlin, Germany | https://www.keylight.de/de/privacy-policy; privacy@keylight.de |
| Matillion, Ltd. | Cloud data Platform, analyze and organize customer data, automate data pipelines and build cloud warehouses from scratch | Customer data: full name, username, email address, telephone number, company, industry | Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | Station House, Stamford New Road, Altrincham, Cheshire WA14 1EP | https://www.matillion.com/about/legal/privacy/ |
| Microsoft 365 | Microsoft Forms: Creating relevant documents for Maltego’s service and surveys for customer feedback; Communication purposes; PowerBI: visualize business intelligence | Customer data: full name, email address, position, company | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Consent from the customer Art. 6 (1) (a) and (b) GDPR; DPA and SCC concluded | Microsoft Ireland Operations, Ltd. One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all |
| Nicereply | Creating and managing customer surveys, receiving customer feedback | Customer data: user name, email address | Consent from the customer, Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | Nice Reply s.r.o, Stefanovicova 2971/8, Bratislava 811 04, Slovakia | https://www.nicereply.com/product/privacy-policy |
| PandaDocs | eSignature | Customer data: full name, signature, email address | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | 101 California Street, Suite 3975, San Francisco, California 94111, USA | https://www.pandadoc.com/privacy-notice/ |
| SendGrid | Sending order confirmations | Customer data: full name, email address | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | SendGrid Inc., 1801 California St 500, Denver, CO 80202, USA | https://sendgrid.com/policies/privacy/; datasubjectrequests@sendgrid.com; dpo@sendgrid.com |
| Snowflake, Inc. | Cloud data Platform | Customer data: full name, user name, email address, telephone number, company, industry | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | 450 Concar Drive, San Mateo, CA, 94402, United States | https://www.snowflake.com/privacy-policy/ |
| Stripe | Payment processing | Credit card information, customer data, contract data: full name, address, email address, telephone number, bank account number, bank identification number, credit card number, invoice amount, currency, transaction number | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | Stripe Inc., 185 Berry Street, Suite 550, San Francisco, CA 94107, USA | https://stripe.com/de/privacy; info@stripe.com |
| Zuora | Management of billing data and subscriptions | Customer data, contract data, credit card data: full name, address, email address, telephone number, bank account number, bank identification number, credit card number, invoice amount, currency, transaction number | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | Zuora, Inc., 3050 S. Delaware Street, Suite 301, San Mateo, CA 94403, USA | https://www.zuora.com/privacy-statement/; support@zuora.com |
| Productboard | Product management, optimization of products | Customer data: email address | Performance of contract, Art. 6 (1) (b) GDPR; SCC concluded | ProductBoard, Inc. Delaware corporation with offices at 612 Howard St., 4th Floor, San Francisco, CA 94105 | https://www.productboard.com/privacy-policy/2021-10-20/; privacy@productboard.com; gdpr@productboard.com |
| Sanscreen (BEX Components AG) | Screenings against sanctions lists | Company name, company address, full name, email address, phone number | Legal obligation, legitimate interest, Performance of contract, Art. 6 (1) (c) and (f) GDPR; DPA concluded | BEX Components AG, Gartenstraße 97 in 73430 Aalen, Germany | https://www.bex.ag/en/data-protection/; info@bex.ag |
| Fastspring | Webshop hosting | Customer data, bank information | Legal obligation, legitimate interest, Performance of contract, Art. 6 (1) (b); SCC concluded | Bright Market, LLC dba FastSpring. 801 Garden St., Santa Barbara, CA 93101 | https://fastspring.com/privacy/; privacy@fastspring.com |
| Digital River GmbH | Webshop provider | Customer data, bank information | Legal obligation, legitimate interest, Performance of contract, Art. 6 (1) (b); SCC concluded | Digital River, Inc., 10380 Bren Road West, Minnetonka, Minnesota 55343, USA. | Digital River Online Store - Privacy Policy |
| Make.com | Automatically performance of actions/updates in systems | Customer data: Depends on the integration. Ranges from names, email addresses, to transform usage or ARR | Legitimate interest, Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded; SCC concluded | Celonis, Inc., One World Trade Center, 87th Floor, New York, NY, 10007, USA | https://www.make.com/en/privacy-notice; info@make.com |
| LearnWorlds | Learning Management System, participants training | Customer Name; Customer Account; Customer Email Address; Customer Education progress (Certifications, for example); Maltego Employee Information (Names and titles of employees associated with training, likely only Training and SME Team members) | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR | LearnWorlds (CY) Ltd, Gladstonos 120, Foloune Building, 2nd Floor, B1, 3032, Limassol, Cyprus | https://www.learnworlds.com/privacy-policy/ |
| AirTable | Database and spreadsheet tool | Status of customer outreach, event registration, and many other types of data (name, email addresses) | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | AirTable, 799 Market Street, 8th Floor, San Francisco, CA 94103 | https://www.airtable.com/privacy |
| Discourse | Hosting of our CE forum | full name (pseudonyms are possible), customer email address, IP address | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR | Civilized Discourse Construction Kit, Inc., 340 S Lemon AVE #1439, Walnut, CA 91789 | https://www.discourse.org/privacy |
| Metabase App | Tool for data visualization | email address, IP address | Legitimate Interest, Art. 6 (1) (f) GDPR | Metabase, 660 4th Street #557, San Francisco, CA 94107 | https://www.metabase.com/privacy |
| Unique | Call recording, call logs, call transcriptions, call training, call analyzes | email address, name, phone, voice recording, video recording | Consent from the customer; Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | Unique AG, Tödistrasse 7, 8002 Zürich, Switzerland | https://www.unique.ch/privacy |
| Microsoft Azure B2C Active Directory (AD) | CE users registration | email, password, first name and last name | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | Microsoft Ireland Operations, Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | https://www.microsoft.com/en-us/concern/privacy |
| Zoom Video Communications, Inc. | Video conferencing tool | Name, surname, email address | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of contract, Art. 6 (1) (b) GDPR; DPA concluded | San Jose 55 Almaden Boulevard, Suite 600, San Jose, CA 95113 | privacy@zoom.us |
| Salesforce | CRM solution, cloud storage | Corporate contact details, name, surname, corporate data, email threads, deal-related information, contract data, statistics | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of a contract, Art. 6 (1) (b) GDPR; DPA concluded | Salesforce Inc., Salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany | https://www.salesforce.com/eu/company/privacy/ |
| Planhat | Customer Success Platform | Customer name, Customer email address and contact details, Customer company details and location, Customer gender, Social identity - e.g. linkedin link, photo from social network if available | Legitimate Interest, Art. 6 (1) (f) GDPR, Performance of a contract, Art. 6 (1) (b) GDPR | Planhat AB, c/o WeWork, Regeringsgatan 29, 111 53 Stockholm, Sweden | https://www.planhat.com/privacy-policy/ |
| Chatbot | Automatic customer support tool | e-mail address, chat content | Art 6(1)(a) and (f) GDPR | Text, Inc., 101 Arch Street, 8th Floor Boston, MA 02110 USA | https://www.chatbot.com/legal/privacy-policy/ |
| Articulate | Customer training: dynamic, engaging, modern on-demand learning experiences for customers | name, title, e-mail, education progress, preferred language, location | Art 6(1)(b) and (f) GDPR | Articulate Global, LLC, 244 5th Avenue, Suite 2960 | https://www.articulate.com/trust/privacy/ |
| Webflow | Landing pages to present our ads and products | Lead email address, location data | Legitimate Interest, Art. 6(1)(f) GDPR | Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103 | https://webflow.com/legal/privacy |
| Amplitude | Event tracking | User localization | Art 6(1)(a) GDPR | Amplitude, Inc., 201 Third Street, Suite 200, San Francisco, CA 94103 | https://amplitude.com/privacy/archive/2022-12 |
| Hotjar | Behavior analytics and feedback data | PII data expressly shared by the Customer | Art 6(1)(a) GDPR | 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe | https://www.hotjar.com/legal/policies/privacy/ |