Here, we implement security measures and follow best practices to ensure that your data remains secure when using our product and website.
Who are we?
ELOFY SISTEMAS TECNOLOGIA DA INFORMACAO LTDA | CNPJ: 28.718.613/0001-88
Elofy's purpose is to continue delivering a product that both HR professionals and new generations will love: intuitive, beautiful, easy to use, and transformative for the daily operations of companies.
To achieve our mission, we have created a performance and engagement management platform that includes the following features: Strategy (OKRs and goals), Performance Evaluation (Nbox, succession, calibration, and IDP), Feedback, 1-1 Conversations, Surveys, and Praise Wall.
Who is the Data Protection Officer (DPO)?
Name: Eduardo Knorst
How do we collect your data?
We use various means, such as the Elofy website and advertising platforms, to promote our activities and interact with people who may be interested in Elofy's solutions ("Prospects"). Through these channels, we collect information that you provide directly.
For example, we collect information when you create an account on our platforms, update your profile, participate in certain interactive features, fill out forms, surveys, request customer support, or communicate with us through various communication channels like social media, email, and phone.
The information we collect may include your name, email address, phone number, interests, company, job title, location, CPF, and other information necessary for interacting with our software.
We may collect and process your Personal Data in different situations, depending on the nature of your relationship and interaction with Elofy. In summary, we process your Personal Data when you access and use the Platform.
Note: If you provide us with another person's personal information, you must ensure that you have the right to disclose it to Elofy, including obtaining the necessary consent for such sharing.
Why is your data collected?
We collect and process your Personal Data for the following purposes:
Scenario 01 - Providing the platform to the customer and its users. If you are a user who accesses and uses Elofy's platform, the company you work for is a customer of Elofy. In these cases, the customer acts as the controller, and Elofy acts as the processor in the processing of this data. This means that the customer makes the relevant decisions about the purposes and means of processing Personal Data, and Elofy acts according to the customer's instructions to provide the performance management solutions of the platform to the customer and its users. To know the legal basis for the processing of your data on the platform, consult the Elofy representative in the customer that registers you as a platform user.
Scenario 02 - Communicating with you. When you contact us through the site (for example, on the "Contact Us" pages), are registered as a user (for purposes such as support or sending messages), or are registered for any activity in Intercom, we use your contact information to communicate with you. The legal basis for this Processing is Elofy's legitimate interest in continuing to provide high-quality service and personalized communication.
Scenario 03 - Enabling the Intercom channel is motivated by the execution of a contract between you and Elofy, to allow your participation in our activities and professional development.
Scenario 04 - Receiving feedback to improve the Platform. When you provide us with feedback about Elofy, the platform, Intercom, or Elofy's activities, whether by email, chat, or other channels, we process the data you provide solely to improve our services. The legal basis for this Processing is Elofy's legitimate interest in continually improving its software and services to maintain a high level of excellence for customers and users.
Scenario 05 - Analyzing the use and performance of the Platform. To improve the functionality and features of the Platform, as well as to identify and mitigate potential issues, we analyze usage data from the Platform. For these analyses, we use anonymized data, such as usage statistics. An example of these analyses is the use of information provided by users in response to Elofy's questions, such as "How many feedback exchanges have occurred this month?" or "What is the average duration of a performance evaluation?" The legal basis for this Processing is Elofy's legitimate interest in continuously improving its software and services, ensuring a high level of excellence for users.
What data is collected?
The types of Personal Data we collect and process also vary depending on the relationship and interaction we have with you, the data you decide to share with us, or the data the customer determines should be collected and processed by Elofy, among other circumstances.
However, it is possible to indicate which data, in general, we collect and process as part of our activities:
1 - Data collected on the Elofy Platform
These are collected to enable users on the platform; the customer needs to register its employees.
The customer may provide the following Personal Data:
- Work Email
- Additionally, there are various other fields with personal and professional information that can be filled out by the customer or directly by the user (as determined by the customer's settings). Such information may be mandatory or optional, as determined by the customer. In general, this information includes:
- Date of the last position change
- Date of hiring
- Date of departure
- Date of birth
- Reason for Departure
- Position Level
The platform also allows customers to create custom fields. Therefore, other Personal Data may be collected and processed, as defined by the customer as the Controller.
Furthermore, the platform collects and processes data related to your professional development, evaluations by your managers and colleagues, and other profile and rating information about you. Such data is collected and/or generated from your interaction with the customer and other users on the platform. This information is used by you and the customer to manage your performance and professional development.
In other words, Elofy does not profile or classify users - this profiling or classification is done by the customer and the users themselves when they interact with each other through the platform.
2 - Data collected on the Elofy Website
When you subscribe to our newsletter, we collect the following data:
When you use the Site to contact us (for example, on the "Talk to an Expert" page), we may ask you for the following information:
- Email address;
- Area of activity of the company;
- Approximate number of employees
3 - Elofy Ads
When you browse the Internet and certain services like LinkedIn, some advertising platforms we work with identify your interest in performance management solutions, HR, or similar products/services.
These platforms may collect and use certain Personal Data to target Elofy's ads to you.
4 - Intercom Platform
When you register with Intercom, we may collect and process the following Personal Data (depending on the platform):
- Email address
- Company's field of operation
- Number of company employees
5 - Security and Technical Performance
Furthermore, when you interact with the Platform, the website, and Intercom, we may also collect some data for security and technical performance purposes, such as:
- Browser Information (Name, Version)
- Information about the operating system (Name and Version)
- Monitor Resolution
- IP Address
- Visited URLs
- Interaction with interface components
- Logs (Date and Time)
We use this data to record user activities and the Platform's functioning, investigate any potential issues, and improve the Platform.
We may also use this information in cases where it is necessary for the customer to be notified of specific user actions. In these cases, Elofy also acts as a processor, acting on behalf of the customer.
With whom do we share the data collected?
Elofy, like other cloud companies, uses some third-party services and platforms to perform its activities. Consequently, to provide and operate the Platform, the website, Intercom, and other features, Elofy shares data (i.e., sends or receives Personal Data) with third parties.
Elofy does not exchange or sell your Personal Data to any third parties. Elofy signs specific data protection agreements or addendums (Data Protection Agreements or DPAs) with third parties.
We share data with the following third parties and for the following purposes:
Scenario 01 - Intercom
Customer support service, help center, and communication to improve the personalized service and communication experience for users. To provide its services, Intercom requires the transmission of identifiable data and information from the Platform users.
The transmission of data and identifiable information from users to Intercom enables the provision of personalized service to the user by Elofy's team. Besides technical support, the user may respond to a satisfaction survey about the service received; in this case, we store the survey response and the respondent's data.
Location: 55 2nd Street, 4th Floor, San Francisco, CA 94105 - United States.
Scenario 02 - SendGrid:
Email delivery service. To provide its services, SendGrid requires the transmission of the following user data: name, company, and email.
Location: United States.
Scenario 03 - Third-party tools for
Elofy's internal use:
We use some tools to investigate problems or requests. Developers and members of the Customer Success team exchange information with user data, and we also store information about potential new customers in the Marketing and Sales teams.
Cookies collected by Elofy
What is a cookie?
In the context of the internet, a cookie is a text that the server sends to your browser with some information that optimizes your use.
Navigation data, such as IP, ISP, browser, and other information, is collected solely for statistical purposes to improve the usability and relevance of our site to you. However, you can browse anonymously using this feature in your browser.
01 - Elofy Platform: In the case of the Platform, we store the user's ID in the cookie in an encrypted form to control the user's session as a logged-in user in the system, for example, to know how long you have been logged in. If this file is altered, it becomes invalid. We also collect cookies for login with Gmail or Outlook.
03 - Google Analytics: Google Analytics is a tool that helps website owners measure how users interact with their content. As a user navigates between web pages, Google Analytics records information about these pages, such as the page's URL. Google Analytics cookies are used to distinguish users and monitor the request rate.
04 - Intercom: Customer support service, help center, and communication to improve the personalized service and communication experience for users. To provide its services, Intercom requires the transmission of identifiable data and information from the Platform users.
The transmission of data and identifiable information from users to Intercom enables the provision of personalized service to the user by Elofy's team.
What are your rights?
According to LGPD, the Data Subject (in your case, you) has a series of rights that can be exercised against the Controller. This includes:
- Confirmation of the existence of Processing;
- Access to Personal Data;
- Correction and Update;
- Request for anonymization, blocking, or deletion;
- Information about shared use;
- Revocation of consent;
- Information about the possibility not to consent;
- Opposition to Processing;
- Review of automated decision.
By providing the Platform to the customer and its users, and by ensuring their security, Elofy acts merely as a processor on behalf of the customer. For this reason, to exercise these rights regarding access and use of the Platform as a user, you must make this request directly to the customer (i.e., the company that granted you user access to the Platform). If you submit the request directly to Elofy, we will forward it to the customer for the necessary steps to be taken.
For other purposes, where Elofy acts as a controller (e.g., for communication with you, enabling your participation on the platform, sending promotional information, or receiving feedback to improve the Platform), you can contact us through the email email@example.com.
Security measures for your data
To ensure the security of your Personal Data, we use industry-standard technologies that are always up to date in their latest stable versions. We also work with vendors and partners who have a high level of commitment to data security.
Additionally, Elofy has policies, procedures, and controls related to information security and the protection of Personal Data. This includes internal training, confidentiality agreements with employees, computer protection, regular information security meetings, among other security practices.
Elofy provides access to Personal Data only to those employees who have a strict need to access it due to their job function. Such access is restricted, and these employees are properly trained and qualified to handle Personal Data securely. Furthermore, all accesses to user data on the Platform made by these employees are recorded with identification, action performed, and time.
To prevent accidents and breaches regarding your Personal Data, we have a list of controls that the engineering team needs to follow whenever dealing with infrastructure and software development. Checks range from strict permissions to backup policy settings.
We have a mandatory information security study for all Elofy employees. Periodically, all employees take courses, read, watch videos, and answer assessments on various security-related topics, such as legislation, hacker attack methods, password best practices, and more.
What happens in cases of suspected Personal Data breach?
We have a security incident policy that provides an action plan for Personal Data breach cases. In the event of a data leak, we will notify affected companies and users by email within 24 hours of identifying and confirming the incident. Our security management policy includes three pillars:
Pillar 01 - Incident identification (discovery/confirmation);
Pillar 02 - Incident evaluation (incident record and risk assessment);
Pillar 03 - Notification preparation (including scope, data, criticality, and exposure).
It is important to note that Elofy follows recommendations from the National Data Protection Authority (ANPD), which we have transcribed:
Whenever the security incident poses a significant risk or damage to the affected data subjects, the controller shall internally assess the relevance of the incident's risk or damage to determine whether the ANPD and the data subject should be notified.
To report security incidents, send an email to firstname.lastname@example.org or open a ticket through the Intercom platform, providing as many details as possible about the situation. We will make every effort to respond as quickly as possible, with a maximum deadline of 24 hours from the identification and confirmation of the incident.
How long will we keep your data?
We will keep your Personal Data for as long as necessary to fulfill the services offered and acquired. However, we may retain certain information as required by applicable law. When we no longer have a basis to continue processing your Personal Data, it will be deleted or anonymized in accordance with applicable laws.
In cases where, due to the purpose or technical limitations, it is not possible to delete or anonymize your Personal Data (e.g., for backup purposes), we will retain such data solely for preservation purposes (without secondary use) in a secure environment with stricter access restrictions.
What are your privacy-related rights regarding your data?
You can exercise your rights provided by the General Data Protection Law (LGPD), such as confirming the existence of processing, the right of access, correction of incomplete, inaccurate, or outdated data, portability, consent revocation, objection to processing, or requesting deletion, by making a request to our security team.
How to request assistance with a right?
Data subjects are provided with a support channel through the INTERCOM software to request data or confirmation of the existence of data. Data will be provided within 15 days, in accordance with the transparency principle as discussed in the legislation. Access will be provided with a clear and complete statement indicating:
- Specific processing purpose;
- Form and duration of processing;
- Identification and contact information of the controller;
- Information about data sharing by the controller and the purpose;
- Responsibility of the agents who will perform the processing;
- Data subjects' rights.
Additionally, you can contact us through the email email@example.com.
How do I file a complaint with the National Data Protection Authority (ANPD)?
To file a complaint with the National Data Protection Authority, follow the procedures defined by the authority.
The content of this page is the sole property of Elofy and may not be distributed, reproduced, or used without prior written consent from Elofy.
The purpose of the website is solely informative and does not imply the existence of a contractual relationship between Elofy and the user.
Some parts of the website may not be used without a username and password, which is made available to users upon registration. The user agrees to use the website as intended, without misusing information, accessing information for illegal or unauthorized purposes, and without distributing any type of content that could harm Elofy or third parties.
By using this website, you agree to these terms. If you disagree with any part of these terms, please do not use this website. Elofy reserves the right to change these terms at any time.
Cookies may be used on the website to monitor website usage and improve the overall website experience. Cookies are used to store and manage passwords and the identity of website users.
- The Privacy and Data Protection Policy is approved by Information Security Management, together with the ELOFY Board of Directors.
- The Privacy and Data Protection Policy was approved on 2021/06/17.
- The Privacy and Data Protection Policy was revised on 2022/09/12.
Responsible DPO: Eduardo Kafruni