“Because one copy is never enough. Control-C safeguards your Xero ledgers, Cin7 inventory, and XPM workflows, captured, searchable, and recoverable when the cloud isn’t.”

Legal

Control-C Privacy Policy

Explain data collection, retention, and user rights.

Review privacy policy Contact privacy office

1. Overview

This Privacy Policy explains how Control-C (“Control-C,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data about individuals who visit our websites, interact with our platform, or communicate with us (collectively, the “Services”). We process personal data in accordance with applicable privacy laws and this policy.

2. Data We Collect

We collect the following categories of information:

  • Account data: Name, business email address, phone number, job title, organization, billing contacts, and authentication identifiers.
  • Usage data: Log files, device and browser metadata, IP address, pages viewed, session duration, and configuration changes.
  • Customer content: Files, records, and continuity plan data that you upload to the platform. Control-C processes this data on behalf of Customer under the Data Processing Addendum.
  • Support and communications: Information you provide when contacting support, participating in surveys, attending webinars, or exchanging emails with us.
  • Marketing data: Preference information, campaign engagement, and opt-in details collected through forms, cookies, or integrations.

3. How We Collect Data

We gather data from:

  • Information you provide when creating an account, completing forms, or submitting support requests.
  • Automated means such as cookies, web beacons, and analytics services.
  • Integrations that Customer chooses to connect (e.g., ticketing, chat, HRIS systems).
  • Third-party sources such as resellers, referral partners, or public business directories, to the extent permitted by law.

4. How We Use Data

We use personal data to:

  • Provide, configure, and maintain the Services.
  • Authenticate users, secure access, and detect fraudulent or malicious activity.
  • Process transactions, invoicing, and customer account administration.
  • Deliver customer success, technical support, and incident response.
  • Send transactional notifications, product updates, and marketing communications (where permitted).
  • Analyze usage to improve features, product roadmap, and user experience.
  • Comply with legal obligations, enforce our agreements, and protect rights and safety.

For individuals located in the European Economic Area, United Kingdom, or other jurisdictions requiring a legal basis, we rely on: (i) performance of a contract, (ii) legitimate interests in operating and improving our Services, (iii) compliance with legal obligations, and (iv) consent for optional marketing or analytics where required.

6. How We Share Data

We may share personal data with:

  • Subprocessors that provide infrastructure, analytics, communications, or support services as listed in the Subprocessor Registry.
  • Resellers or partners who assist with account management or implementation, only with Customer approval.
  • Professional advisors such as auditors, attorneys, or insurers bound by confidentiality.
  • Authorities or regulators when required by law, subpoena, or to protect rights, safety, or property.
  • Corporate transactions in connection with a merger, acquisition, or sale of assets, subject to safeguards.

We do not sell personal data to third parties. We do not permit subprocessors to use Customer Data for advertising or profiling purposes.

7. International Transfers

Control-C stores data primarily in the United States and European Union. When we transfer personal data across borders, we implement appropriate safeguards such as Standard Contractual Clauses, the UK Addendum, or other approved transfer mechanisms.

8. Retention

We retain personal data for as long as necessary to deliver the Services, fulfill the purposes described in this policy, and comply with legal obligations. Customer Data is retained according to Customer configuration and deleted in accordance with the Data Processing Addendum when a subscription ends.

9. Your Privacy Rights

Depending on your location, you may have rights to access, correct, update, delete, restrict, or object to our processing of your personal data. You may also have the right to portability and to withdraw consent for marketing communications. To exercise these rights, contact us at compliance@control-c.com. We will respond consistent with applicable laws. You may unsubscribe from marketing emails at any time using the link in those emails.

10. Cookies and Tracking

We use cookies and similar technologies to deliver the Services, remember preferences, measure performance, and personalize content. For details, see our Cookie Policy.

11. Security

We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, loss, misuse, or alteration. Security practices are detailed in the Trust Center. No system is entirely secure; please notify us immediately at security@control-c.com if you become aware of any suspected incident.

12. Children’s Privacy

The Services are intended for business use and are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us to request deletion.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in legal requirements or our processing practices. Material updates will be communicated via email or in-product notification at least thirty (30) days before the effective date. Continued use after the effective date constitutes acceptance.

14. Contact Us

For questions or concerns about this policy or our privacy practices, contact:
Email: compliance@control-c.com
Mail: Control-C Privacy Office, 200 Market Street, Suite 420, Wilmington, DE 19801, USA

If you are located in the EEA, you may lodge a complaint with your local supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission.

Last updated: March 20, 2025