Security Policy
Cresco Customer Data Security Policy
Introduction
This Privacy Policy explains what information Cresco Data Pte Ltd and Cresco Data Australia Pty Ltd (“Cresco”) collects about Customers, why and what we do with that information, how we share it, and how we handle the content Customers place in our platform. It also explains the choices available to you regarding our use of your Personal Information and how you can access and update this information.
Scope of Privacy Policy
In order to perform the Services, The Cresco Data Platform-as-a-Service Cresco is required to collect and store Customer Data. This Privacy Policy applies to the information that we obtain through your use of The Cresco Data Platform-as-a-Service and Commerce-as-a-Service as well as Personal Information you may send us in order to interact with our services.
Definitions
“Account Data” is information required from the Customer or The Merchant in order to deliver the Cresco Data services. This includes Customer and company information. Publishing Channel details and log-ins.
"Cresco Data Platform" means Cresco’s cloud-based commerce software platform that allows a Customer to automate and synchronise the delivery of product information to Publishing Destinations, which may include marketplaces, webstores and product listing advertisements.
“Customer Data” is the data associated with the Customer or Merchant’s account on The Cresco Data Platform and generated during the use of The Cresco Data Service.
“Content” is any information or data that you upload, submit, post, create, transmit, store or display whilst using a Cresco service.
"Product Data" means all information and materials related to Seller products and brands that Sellers provide to Customer that is uploaded, processed or otherwise stored in the Cresco Data Platform, or that The Customer directs Cresco to collect on its behalf, including image files, text, stock availability, templates, product descriptions, trade and service marks and other related information
“Services” This includes any and all data services provided by Cresco and as requested by Customers.
“Order Data” Order data is the data that is sent from a Publishing Destination surrounding the purchase of a product. This includes but not restricted to: Product ID, sale price RRP, shipping label information
"Publishing Destination" means the third party marketplaces, commerce sites, search engines, shopping sites, social commerce channels, digital ad networks and other third party channels supported by Cresco from time to time that are the subject of the Services, as set out in each Statement of Work.
“Personally Identifiable Information (PII)” information that may be used to readily identify or contact you as an individual person, such as: name, address, email address, or phone number. PII does not include information that has been anonymised such that it does not allow for the ready identification of specific individuals.
Changes to our Privacy Policy
We may change this Privacy Policy from time to time. If we make any changes, we will notify you by revising the "Effective Starting" date at the top of this Privacy Policy. If we make any material changes, we will provide you with additional notice (such as by adding a notice on the Cresco homepages, login screens, or by sending you an email notification). We encourage you to review our Privacy Policy whenever you use Cresco Data Services to stay informed about our information practices and the ways you can help protect your privacy.
If you disagree with any changes to this Privacy Policy, you will need to stop using Cresco Data Services and deactivate your account(s), as outlined below.
Information you provide to us
We collect the following information:
Account Data: for account and Profile Information: We collect information about you and your company as you register for an account, create or modify your profile, make a purchases through, use, access, or interact with The Cresco Data Platform and Services
Information we collect includes:
- Contact information such as name, email address, mailing address, and phone number
- Billing information such as credit card details and billing address
- Profile information such as a username, and job title
- Preferences information such as notification and marketing preferences
You may provide this information directly when you sign up for a Cresco Service
In some cases another user (such as a system administrator) may create an account on your behalf and may provide your information, including Personal Information (most commonly when your company requests that you use our products). We collect Information under the direction of our customers and often have no direct relationship with the individuals whose personal data we process. If you are an employee of one of our customers and would no longer like us to process your information, please contact your employer. If you are providing information (including Personal Information) about someone else, you must have the authority to act for them and to consent to the collection and use of their Personal Information as described in this Privacy Policy.
Content: We collect and store Content that you create, input, submit, post, upload, transmit, store or display in the process of using our PaaS or CaaS Products or Website. This includes participating in interactive features including surveys, requesting customer support or communicating with us via a third party social media website. For example, information regarding a problem you are experiencing with a Cresco product could be submitted to our Support Services or posted in our public forums.
Such Content includes any Personal Information or other sensitive information that you choose to include ("incidentally-collected Personal Information").
Information we collect from your use of Cresco Services
Storing Product Data is necessary in order to enable the listing of products on the Publishing Destinations. Cresco stores product and order data to enable reporting and to also enable Cresco to fix any support issues.
As shown in the examples above, the information we collect is required in order for us to deliver the Cresco Services.
As such, the analytics information we collect may include Personal Information or sensitive business information.
Information sharing and disclosure
We will not share or disclose any of your Personal Information or Content with third parties except as described in this policy. We do not sell your Personal Information or Content.
Access by your account administrator: You should be aware that the administrator of your Cresco Account may be able to:
- access information in and about your Cresco PaaS
- access account and sales history
- disclose, restrict, or access information that you have provided or that is made available to you when using your Cresco account, including your Content; and
- control how your Cresco account may be accessed or deleted.
Service Providers, Business Partners and Others: Cresco Data works with third party service providers to provide, hosting, back-up, storage, virtual infrastructure, payment processing, analytics and insights, and other services for us. These service providers may have access to or process your Information for the purpose of providing those services for us. In all cases the third party providers comply with GDPR.
Compliance with Laws and Law Enforcement Requests; Protection of Our Rights:
We may disclose your Information (including your Personal Information) to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and terms of service, (c) to protect the security or integrity of Cresco's products and services, (d) to protect Cresco, our customers or the public from harm or illegal activities, or (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
Business Transfers: We may share or transfer your Information (including your Personal Information) in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on the Cresco Services of any change in ownership or uses of your Personal Information, as well as any choices you may have regarding your Personal Information.
Aggregated or Anonymized Data: We may also share aggregated or anonymized information that does not directly identify you with the third parties described above.
With Your Consent. We will share your Personal Information with third parties when we have your consent to do so.
Information we do not share
We do not share Personal Information about you with third parties for their marketing purposes (including direct marketing purposes) without your permission.
Data storage, transfer and security
Cresco ensures that Account Data is secure from any outside intrusion.
The Cresco Data Platform is hosted with Amazon’s cloud service AWS. None of the AWS components or data stores can be accessed directly from outside the Cresco account.
Restricted access
Access to any data is only possible through the GUI or the APIs. Access to Account Data is only available to limited Cresco staff members. Access to Customer Data is not available to contractors or third parties.
Platform security
The GUI is a single page app hosted on a public file share and communicates with the Cresco APIs to retrieve data. Without access to the APIs, the GUI has no data available.
Access to customer data is restricted by company ID.
Any data retrieved is associated with a company id. Data can only be forwarded or sent to systems setup with the same company id. There is no way to overlap orders or access orders from other accounts as this is password protected on The Cresco Data Platform. All authentication data is stored encrypted. The public facing APIs are secured with OAuth 2.
Cresco has taken advantage of AWS expertise to help solve challenges in complying with the EU’s GDPR using AWS’s advanced toolset for identifying, securing, and managing all types of data, including personal data.
While we take reasonable efforts to guard your Personal Information, no security system is impenetrable and due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers.
Where data is transferred over the Internet as part of a Website or SaaS Product, the data is encrypted using industry standard SSL (HTTPS).
Where Downloadable Products are used, responsibility of securing access to the data you store in the Downloadable Products rests with you and not Cresco. We strongly recommend that administrators of Downloadable Products configure SSL to prevent interception of data transmitted over networks and to restrict access to the databases and other storage used to hold data.
Mandatory password reset
CrescoData Management Portal users must reset their account password every 90 days. User accounts are automatically locked after five failed login attempts.
Data Storage
All records that meet the following conditions are automatically deleted from the CrescoData Platform and will no longer be made available for download:
- Amazon records containing Personally Identifiable Information (PII) - 30 days after the records last update. This includes orders and order status updates.
- Non-Amazon records containing PII - 90 days after the records last update. This includes orders and order status updates.
- all other records two (2) years after inactivity.
Your Choices
You may opt out of receiving promotional communications from Cresco by using the unsubscribe link within each email, updating your email preferences or emailing us at privacy@crescodata.com to have your contact information removed from our promotional email list or registration database. Although opt-out requests are usually processed immediately, please allow ten (10) business days for a removal request to be processed. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us regarding Cresco's Services.
Accessing and updating your information
You may often correct, update, amend, or remove your Personal Information in your account settings or by directing your query to your account administrator. You may also contact us at privacy@crescodata.com or contact us by postal mail using the address listed below. We will respond to your request for access within 30 days.
Security Audits and Certifications
Cresco Data engages annually with a leading Cyber Security Firm to conduct a third party penetration test on The Cresco Data API and Cresco Data Management Portal. A copy of the applicable report can be made available upon reasonable request.
Information about AWS security certifications and obtaining copies of security reports from AWS is available at http://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/
Data Protection Officer
Cresco Data has a dedicated Data Protection Officer to oversee and advise on our data security management and processes. You may also contact us at privacy@crescodata.com.
CrescoData, 8 Marina Boulevard #05-02, Marina Bay Financial Centre Singapore 018981.
This Security Policy was last updated 2 December 2021.