Privacy Policy
This privacy policy applies to meritboost, the websites and the services and products it provides (including the meritboost app). This privacy policy describes how we process personal data for the provision of these websites and our products.
The responsible party for the data processing described in this privacy policy and contact for questions and issues regarding data protection is:
Cyberfinity, Lda
Portugal
contact@cyberfinity.io
General Notes
The operators of these websites and services take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the legal data protection regulations as well as this data protection declaration.
In cooperation with our suppliers, we make every effort to protect the databases and any of our users' data as well as possible against unauthorized access, loss, misuse or falsification. We point out that data transmission over the internet in general may result in security risks. A complete protection of the data against access by third parties is not possible.
This website uses TLS encryption for security reasons and to protect the transmission of confidential content, such as requests that you send to us as the website operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://".
Data Controller and Processor Roles
MeritBoost acts primarily as a data processor on behalf of our customers (the subscribing companies), who are the data controllers of their employees' personal data. This means:
- Your employer determines the purposes and means of processing your personal data within our platform
- MeritBoost processes this data according to your employer's instructions and our service agreement
- For certain limited purposes (such as platform improvements and analytics), MeritBoost may act as an independent data controller
For data subject rights requests related to your employment data, please contact your employer's data protection team first. For requests related to MeritBoost's processing activities as a controller, you may contact us directly at contact@cyberfinity.io.
Processing of personal data
Personal data is any information that relates to an identified or identifiable person. A data subject is a person about whom personal data is processed. Processing includes any handling of personal data, regardless of the means and procedures used, in particular the storage, disclosure, acquisition, deletion, modification, destruction and use of personal data.
We will retain personal data for the period of time necessary for the particular purpose for which it was collected.
Subsequently, they are either deleted or made anonymous, unless we need them for a longer period of time in exceptional cases, e.g. due to legal storage and documentation obligations or our legitimate interests, such as the protection of rights to which we are entitled or the defense of claims.
Websites
Our websites can generally be visited without registration. Each time one of our websites is requested, data such as content of the requested page, name of the requested file, IP address, date and time are automatically stored in log files on the server.
This data is processed to enable correct delivery and functioning of the website. In addition, we use the data to optimize the website and to ensure the security of our systems.
meritboost Application
The use of our services is generally only possible with registration. During registration and in the course of using the services, we collect and process various personal data.
In particular, the following personal data are part of the processing:
Type of Data | Examples | Affected Data Subjects |
---|---|---|
Basic Data | Name, Email address | All users |
Internal Data | Internal IDs, Corporate SSO data, Job areas, Organization Structure, Organization Skills and Proficiency levels | All users |
Profile Data | Profile Pictures, Timezone, Language, Phone number(s) | Users who voluntarily add profile data |
Application Specific Data | User provided data and Computed data, like User skills and proficiency levels, skill and performance scores, owned Merit Coins, Job title or Rewards bought | All users |
Usage meta data | User agent, IP addresses, Operating system, Time and date | All users |
Unless otherwise mentioned, the nature and purpose of the processing is as follows:
The data is uploaded by customers in our services or collected by us based on requests from users. The personal data is processed by us exclusively for the provision of the requested services or the use of the agreed services.
The fulfillment of the contract includes in particular, but is not limited to, the processing of personal data for the purpose of:
- Authentication and authorization of users
- Storage and processing of user actions in the audit trail
- Processing of personal data and login information
- Processing of application data
- Communication regarding service interruptions or service changes
Third-party sub-processors
As a data processor, MeritBoost engages other service providers (sub-processors) to help deliver our services. We maintain a current list of these sub-processors at Third Party Sub-Processors.
We implement appropriate contractual safeguards with all sub-processors, including Data Processing Agreements that comply with Article 28 of GDPR.
We will inform our customers (your employer) of any intended changes concerning the addition or replacement of sub-processors, providing the opportunity to object to such changes as outlined in our service agreement.
Legal Basis for Processing
As a data processor, MeritBoost processes personal data based on the instructions of our customers (employers). The legal bases your employer typically relies on include:
- Performance of employment contract: Processing necessary for the performance of the employment relationship
- Legitimate interests: Processing necessary for the legitimate interests of your employer, such as workforce management, skills development, and performance evaluation
- Legal obligations: Processing necessary for compliance with legal obligations to which your employer is subject
For our own processing activities as a controller (such as account administration and service improvement), we rely on:
- Contract performance: Processing necessary to fulfill our contract with your employer
- Legitimate interests: Processing necessary for our legitimate interests in improving and securing our services
- Legal obligations: Processing necessary for compliance with our legal obligations
Data Retention
As a data processor, MeritBoost retains personal data for the duration specified by our customers (your employer) in our service agreement. Typically, this includes:
- Retention during the subscription period
- A defined period after contract termination to allow for data retrieval by your employer
- Subsequent deletion or anonymization of data
Your employer's internal data retention policies determine how long your data is maintained within our platform. For questions about these retention periods, please consult your employer's privacy policy or data protection team.
For data where MeritBoost acts as a controller (such as account administration data), we retain information only as long as necessary for the relevant purpose and in accordance with legal requirements.
Cookies
Our websites use cookies. These are small text files that make it possible to store specific information related to the user on the user's terminal device while the user is using the website. Cookies enable us, in particular, to offer a single sign-on procedure, to control the performance of our services, but also to make our offer more customer-friendly. Cookies remain stored beyond the end of a browser session and can be retrieved when the user visits the site again.
In particular, we use the following cookies to provide our services:
When you use our services, we may collect information about your visit, including via cookies, beacons, invisible tags, and similar technologies (collectively “cookies”) in your browser and on emails sent to you. This information may include Personal Information, such as your IP address, web browser, device type, and the web pages that you visit just before or just after you use the services, as well as information about your interactions with the services, such as the date and time of your visit, and where you have clicked.
Necessary cookies
Some cookies are strictly necessary to make our services available to you. We cannot provide you with our services without this type of cookie.
Necessary cookies provide basic functionality such as:
- Session Management
- Single Sign-On
- Rate Limiting
- DDoS Mitigation
- Remembering Preferences
Analytical cookies
We also use cookies for website analytics purposes in order to operate, maintain, and improve the services for you. If you do not want us to use cookies during your visit, you can disable their use in your browser settings. In this case, certain parts of our website may not function or may not function fully. Where required by applicable law, we obtain your consent to use cookies.
International Data Transfers
As a global service provider, MeritBoost may transfer personal data to countries outside the European Economic Area (EEA). We ensure appropriate safeguards for such transfers through:
- Standard Contractual Clauses approved by the European Commission
- Binding Corporate Rules (if applicable)
- Adequacy decisions by the European Commission
Our customers (your employer) authorize these transfers as part of our service agreement. For details on specific transfer mechanisms used for your employer's data, your employer's data protection team can provide information based on their agreement with us.
Security Measures
As a data processor handling workforce data, MeritBoost implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- Regular testing and evaluation of security measures
- Access controls and authentication requirements
- Regular security training for staff
- Incident detection and response procedures
- Business continuity and disaster recovery plans
We are committed to maintaining these security standards and regularly review and update our security practices. Our security measures are detailed in our Data Processing Agreement with your employer.
Automated Decision-Making and Profiling
Our platform uses algorithms to calculate skill scores, performance metrics, and proficiency levels as part of the services we provide to your employer. These calculations:
- Are based on data collected through the platform, including peer endorsements and appraisals
- May be used by your employer for workforce management decisions
- Are designed to be transparent in methodology
Your employer determines how these automated assessments are used in employment decisions. For questions about how these assessments affect your employment, please consult your employer's HR policies or data protection team.
Where MeritBoost controls such processing, you have the right to obtain human intervention, express your point of view, and contest any resulting decision by contacting us at contact@cyberfinity.io.
Rights of data subjects
While you maintain your data subject rights under GDPR, in an employment context:
- Requests to exercise your rights regarding data processed on behalf of your employer should first be directed to your employer's data protection team
- Your employer may have legitimate grounds based on employment law to limit certain rights
- The exceptions noted in our current policy regarding visibility of performance data, skills, and other information within the organization are based on the legitimate interests of your employer in workforce management
For data processed by MeritBoost as a controller, you can exercise your rights by contacting us directly at contact@cyberfinity.io.
Note
Any individual impacted by data processing holds the right to request information regarding their stored personal data from the responsible data processor. However, certain exceptions apply as they are critical to the way the meritboost application works:
- Personal Information: Your personal information, such as name, email, personal subtitle, job title, and organization area, is visible to all users from your organization.
- Personal Scores and Percentiles: You can configure whether your personal skill and performance scores, as well as your skill and performance percentiles, are visible to any user in your organization. However, your managers will always be able to see those values, as will any user that belongs to a group that was given that explicit permission (e.g. Human Resources).
- Endorsements: All skill endorsements remain private to the user who made the endorsement. This ensures that other users will not be able to see who endorsed them, the skill proficiency level or when the endorsement was made.
- Appraisals: Similarly, all appraisals are kept private to the user who conducted the appraisal. This means that other users will not have access to information concerning appraisals conducted by their peers.
- Rewards: The items you bought in the Rewards Marketplace will be visible to the users that belong to the group that was given that explicit permission so they may be able to process the orders.
- Skills: Your skills and current proficiency levels are visible to all users from your organization.
- Teams: The teams you participate in and your weight in each team will be visible to all users from your organization.
These privacy provisions are essential to maintaining the integrity of the meritboost application and ensuring that users can provide honest responses without concerns about privacy breaches.