Privacy Policy

effective June 2022

This “Privacy Policy” describes the privacy practices of Treno, Inc. and our subsidiaries and affiliates (collectively, “Treno”, “we”, “us”, or “our”) in connection with the https://treno.io website, and any other website that we own or control and which posts or links to this Privacy Policy (collectively, the “Service”), in connection with our marketing activities, and as otherwise described in this Privacy Policy. In addition, this Privacy Policy describes your rights and choices with respect to the Personal Information we collect.

We provide important information for individuals located in the European Economic Area, Switzerland, and the United Kingdom (collectively, “Europe”) in the Notice to European Users, and for California residents in the section entitled Information for California Residents.

We collect personal information as described below. Note, however, that our business customers may transmit personal information to us as part of the services we provide through our security and compliance automation platform. This Privacy Policy does not apply to such personal information that we process on behalf of our business customers. Our use of this personal information is restricted by our agreements with those business customers. If you have concerns regarding personal information that we process on behalf of a business, please review their privacy policy and direct your concerns to that business, or review their privacy policy.

Table of Contents

Personal Information We Collect
How We Use Your Personal Information
How We Share Your Personal Information
Your Choices
Other Sites and Services
Security Practices
International Data Transfers
Children
Changes to this Privacy Policy
How to Contact Us
Information for California Residents
Your Rights Under California’s Shine the Light Law
Notice to European User

Personal Information We Collect

Information you provide to us. Personal information you provide to us through the Service or otherwise includes:

Business and personal contact information, such as your first and last name, email and mailing addresses, phone number, professional title and company name.
Profile information, such as your username and password that you may set to establish an online account with us.
Registration information, such as information that may be related to a service or an event you register for.
Feedback or correspondence, such as information you provide when you contact us with questions, feedback, or otherwise correspond with us online.
Transaction information, such as information about payments to and from you and other details of products or services you have purchased from us.
Usage information, such as any content you upload to the Service or otherwise submit to us, including information you provide when you use any interactive features of the Service.
Other information that we may collect which is not specifically listed here, but which we will use in accordance with this Privacy Policy or as otherwise disclosed at the time of collection.

Information we obtain from social media platforms. We may maintain pages for our Company on social media platforms, such as, LinkedIn, Twitter, Google, YouTube, Instagram, and other third-party platforms. When you visit or interact with our pages on those platforms, the platform provider’s privacy policy will apply to your interactions and their collection, use and processing of your personal information. You or the platforms may provide us with information through the platform, and we will treat such information in accordance with this Privacy Policy.

Information we obtain from other third parties. We may receive personal information about you from third-party sources, such as marketing partners, publicly-available sources and data providers. Our use of any information obtained from our business customers is restricted by our agreements with those business partners.

A list of our sub processors and nature of processing can be found at https://Treno.io/sub-processors.

Marketing and advertising. We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:

Direct marketing. We may send you Treno-related direct marketing communications as permitted by law, including by email and mail. You may opt-out of our marketing communications as described in the Opt-out of marketing communications section below.
Interest-based advertising. We may engage third-party advertising companies and social media companies to display ads on our Service and other online services. These companies may use cookies and similar technologies to collect information about your interaction (including the data described in the “Cookies and Other Information Collected by Automated Means” section below) over time across the Service, our communications and other online services, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. You can learn more about your choices for limiting interest-based advertising in the Advertising choices section below.

Cookies and Other Information Collected by Automated Means

We, our service providers, and our business partners may automatically log information about you, your computer, and activity occurring on or through the Service. The information that may be collected automatically includes your computer type and version number, manufacturer and model, device identifier (such as the Google Advertising ID or Apple ID for Advertising), browser type, screen resolution, IP address, the website you visited before browsing to our website, general location information such as city, state or geographic area; and information about your use of and actions on the Service, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our service providers and business partners may collect this type of information over time and across third-party websites.

On our webpages, this information is collected using cookies, browser web storage (also known as locally stored objects, or “LSOs”), web beacons, and similar technologies, and our emails may also contain web beacons.

Referrals

Users of the Service may have the opportunity to refer friends or other contacts to us. If you are an existing user, you may only submit a referral if you have permission to provide the referral’s contact information to us so that we may contact them.

How We Use Your Personal Information

We use your personal information for the following purposes and as otherwise described in this Privacy Policy or at the time of collection:

To operate the Service. We use your personal information to:

provide, operate and improve the Service;
provide information about our products and services;
establish and maintain your user profile on the Service;
communicate with you about the Service, including by sending you announcements, updates, security alerts, and support and administrative messages;
communicate with you about events or contests in which you participate;
understand your needs and interests, and personalize your experience with the Service and our communications;
provide support and maintenance for the Service; and
respond to your requests, questions and feedback

For research and development. We analyze use of the Service to analyze and improve the Service and to develop new products and services, including by studying user demographics and use of the Service.

To comply with law. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.

For compliance, fraud prevention, and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Service; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.

With your consent. In some cases we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.

To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.

How We Share Your Personal Information

We do not share your personal information with third parties without your consent, except in the following circumstances or as described in this Privacy Policy:

Affiliates. We may share your personal information with our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.

Service providers. We may share your personal information with third party companies and individuals that provide services on our behalf or help us operate the Service (such as customer support, hosting, analytics, email delivery, marketing, and database management services). These third parties may use your personal information only as directed or authorized by us and in a manner consistent with this Privacy Policy, and are prohibited from using or disclosing your information for any other purpose.

Partners. We may sometimes share your personal information with partners or enable partners to collect information directly via our Service.

Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.

For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above.

Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

Your Choices

In this section, we describe the rights and choices available to all users. Users located in Europe can find additional information about their rights below in the section entitled Notice to European Users, and California residents can find additional information about their rights in the section entitled Information for California Residents.

Access or Update Your Information. If you have registered for an account with us, you may review and update certain personal information in your account profile by logging into the account.

Opt out of marketing communications. You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us at [email protected]. You may continue to receive service-related and other non-marketing emails.

Cookies. Most browser settings let you delete and reject cookies placed by websites. Many browsers accept cookies by default until you change your settings. If you do not accept cookies, you may not be able to use all functionality of the Service and it may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit https://www.allaboutcookies.org. We use Google Analytics to help us understand user activity on the Service. You can learn more about Google Analytics cookies at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage and about how Google protects your data at https://policies.google.com/privacy.

Advertising choices. You can limit use of your information for interest-based advertising by:

Browser settings. Blocking third party cookies in your browser settings.
Privacy browsers/plug-ins. By using privacy browsers or ad-blocking browser plug-ins that let you block tracking technologies.
Platform settings. Google offers opt-out features that let you opt-out of use of your information for interest-based advertising:
- Google: https://adssettings.google.com
Ad industry tools. Opting out of interest-based ads from companies participating in the following industry opt-out programs:
- Network Advertising Initiative: https://optout.networkadvertising.org
- Digital Advertising Alliance: https://optout.aboutads.info
- AppChoices mobile app, available at https://www.youradchoices.com/appchoices, which will allow you to opt-out of interest-based ads in mobile apps served by participating members of the Digital Advertising Alliance.

You will need to apply these opt-out settings on each device from which you wish to opt-out.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit https://www.allaboutdnt.com.

Choosing not to share your personal information. Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Service to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our services. We will tell you what information you must provide to receive the Service by designating it as required at the time of collection or through other appropriate means.

Other Sites and Services

The Service may contain links to other websites, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or online services that are not associated with us. We do not control third party websites, or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and online services you use.

Security Practices

The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information. Email, in particular, is an insecure way to transmit personal information. Please take special care regarding what information you send to us via email.

Children

The Service is not directed to, and we do not knowingly collect personal information from, anyone under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us. We will delete such information from our files as soon as reasonably practicable. We encourage parents with concerns to contact us.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Service. We may, and if required by law, will also provide notification of changes in another way that we believe is reasonably likely to reach you, such as via e-mail (if you have an account where we have your contact information) or another manner through the Service.

Any modifications to this Privacy Policy will be effective upon our posting the new terms and/or upon implementation of the new changes on the Service (or as otherwise indicated at the time of posting). In all cases, your continued use of the Service after the posting of any modified Privacy Policy indicates your acceptance of the terms of the modified Privacy Policy.

How to Contact Us

If you would like to exercise your rights under this Policy, please submit your request via this Web Form.

Please direct any questions or comments about this Policy or privacy practices to [email protected]. You may also write to us via postal mail at:

93 4th Avenue
Suite 1005
New York, NY 10003

Information for California Residents

Scope. This section applies only to California residents. It describes how we collect, use, and share Personal Information of California residents online and offline in our capacity as a “business” under the California Consumer Privacy Act of 2018 (“CCPA”) and their rights with respect to that Personal Information. For purposes of this section, “Personal Information” has the meaning given in the CCPA but does not include information exempted from the scope of the CCPA. In some cases we may provide a different privacy notice to certain categories of California residents, such as job applicants, in which case that notice will apply instead of this section.

Your California privacy rights. As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.

Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
- The categories of Personal Information that we have collected;
- The categories of sources from which we collected Personal Information;
- The business or commercial purpose for collecting and/or selling Personal Information;
- The categories of third parties with whom we share Personal Information;
- The categories of Personal Information that we sold or disclosed for a business purpose; and
- The categories of third parties to whom the Personal Information was sold or disclosed for a business purpose.
Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.
Deletion. You can ask us to delete the Personal Information that we have collected from you.
Opt-out of sales. You can opt-out of any sale of your Personal Information.
Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the CCPA.

Notice of right to opt-out of the “sale” of your Personal Information. Based on our understanding of the term “sell” under the CCPA, we do not “sell” your Personal Information and have not sold it to third parties for a business or commercial purpose in the 12 months preceding the effective date of this Privacy Policy. However, like many companies, we use services that help deliver interest-based ads to you. Our use of some of these services may be classified under California law as a “sale” of your Personal Information to the advertising partners that provide the services because they collect information from our users (e.g., device data and online activity data) to help them serve ads more likely to interest you. You can request to opt-out of this “sale” of your personal information here: Do Not Sell My Personal Information, where you will find instructions on opting-out of the use of your information for interest-based advertising.

We will need to verify your identity to process your information, access and deletion requests and reserve the right to confirm your California residency. To verify your identity, we may require government identification, a declaration under penalty of perjury or other information. Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with written confirmation that you have given the authorized agent permission to submit the request. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.

Personal information that we collect, use and disclose. The chart below summarizes the Personal Information we collect by reference to the categories of Personal Information specified in the CCPA, and describes our practices currently and during the 12 months preceding the effective date of this Privacy Policy. Information you voluntarily provide to us, such as in free-form web forms, may contain other categories of personal information not described below.

Heading #1	Heading #2
Statutory category of Personal Information (Cal. Civ. Code § 1798.140)	Personal Information we collect in this category (See the “Personal information We Collect” section above for description)
Identifiers (excluding online identifiers)	• Contact details • Data about others • Details that you provide when you visit our offices or our events
California Customer Records (as defined in California Civil Code section 1798.80)	• Contact details • Communications • Marketing data • Data about others
Commercial Information	• Profile data • Communications • Marketing data • Online activity data
Geolocation Information	• Information about your precise location based on your device’s GPS location
Sensory Information	• Information we capture through security cameras at our offices and facilities
Online Identifiers	• Profile data • Device data
Internet or Network Information	• Marketing data • Device data • Online activity data
Inferences	May be derived from the information listed above
Sources. We describe the sources from which we collect this Personal Information in the section above entitled Personal Information We Collect. Purposes. We describe the business and commercial purposes for which we collect this Personal Information in the section above entitled How We Use Your Personal Information. Disclosure. We disclosed this Personal Information to the categories of third parties described in the section above entitled How We Share Your Personal Information.

Notice to European Users – Commitment to Comply with Relevant Privacy Frameworks

Treno complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Treno has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Treno has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Treno commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Treno at: [email protected]

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Treno commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Enforcement

Treno is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Arbitration of Claims

Arbitration of claims will be handled following the terms set forth in Annex I of the DPF Principles, which can be found here: DPF Annex I Invoking of binding arbitration must be done by delivering written notice via email to [email protected] and following the procedures and condition set forth in Annex I of the DPF Principles

Onward Transfers of Third-Parties

Treno retains responsbility for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the How We Share Personal Information. To learn more about the DPF, please visit the DPF website.

Use for New Purposes

We may use your personal information for reasons not described in this Privacy Policy where permitted by law and the reason is compatible with the purpose for which we collected it. If we need to use your personal information for an unrelated purpose, we will notify you and explain the applicable legal basis.

Sensitive personal information. We ask that you not provide us with any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Service, or otherwise to us.

If you provide us with any sensitive personal information to us when you use the Service, you must consent to our processing and use of such sensitive personal information in accordance with this Privacy Policy. If you do not consent to our processing and use of such sensitive personal information, you must not submit such sensitive personal information through our Service.

Retention

We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.

Your rights

European data protection laws give you certain rights regarding your personal information. If you are located within the European Union, you may ask us to take the following actions in relation to your personal information that we hold:

Access. Provide you with information about our processing of your personal information and give you access to your personal information.
Correct. Update or correct inaccuracies in your personal information.
Delete. Delete your personal information.
Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
Restrict. Restrict the processing of your personal information.
Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights

Cross-Border Data Transfer

If we transfer your personal information from Europe to another country that is not deemed by the European Commission and/or UK Government, as applicable, to provide an adequate level of protection to personal information, that transfer will be performed subject to appropriate safeguards (most commonly standard contractual clauses) and otherwise in accordance with applicable European data protection laws. Please contact us for further information about any such transfers or the specific safeguards applied.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.