Authority Request Policy

Effective date: April 20, 2023

Cyango strongly believes its users should be in control of their personal information. Cyango will only disclose user data in response to valid legal processes unless we think the information could prevent serious harm. Cyango will not voluntarily give its user’s data to governments for surveillance purposes. Trust is important to us, so we’ll always be as transparent as laws will allow in relation to requests we receive for user data.

1.  Introduction

1.1 This Authority Request Policy sets out Cyango’s procedures for responding to a request received from a law enforcement or other government authority (together the “Requesting Authority“) to disclose User Data that is processed by Cyango” (“Authority Request“).

1.2 In this policy, “User Data” means any information we hold on users of, including customer account records, content in the account, activity, correspondence and associated metadata and personal information about a Cyango user as set out in Cyango’s privacy policy.

1.3 Where Cyango receives an Authority Request, we will handle that Authority Request in accordance with this policy. If applicable data protection law(s) require a higher standard of protection for User Data than is required by this policy, Cyango will comply with the relevant requirements of those applicable data protection law(s).

2.  Which Authority Requests will be approved?

2.1 Cyango does not disclose User Data in response to an Authority Request unless either:

2.1.1 it is under a compelling legal obligation to make such disclosure; or

2.1.2 there is an emergency due to an imminent risk of serious harm that the information Cyango holds could help prevent and therefore merits compliance with the Authority Request (especially harm to children), taking into account the nature, context, purposes, scope and urgency of the Authority Request and the privacy rights and freedoms of any affected individuals.

3.  What must a valid Authority Request include?

3.1 In order to respond to an Authority Request, Cyango will require evidence of a valid and enforceable legal process issued by a court of competent jurisdiction such as:

3.1.1 a search warrant;

3.1.2 a court order;

3.1.3 a subpoena;

3.1.4 a preservation order; or

3.1.5 the equivalent legal process to any of the above in the applicable jurisdiction.

3.2 All Authority Requests under clause 2.1.1 (compelling legal obligation) must include:

3.2.1 the Requesting Authority details, together with the name, contact information and badge/identification number of the Requesting Authority’s agent or representative who is authorised to serve the request;

3.2.2 evidence of the Requesting Authority’s right to compel Cyango to produce the Authority Request (as set out in clause 3.1);

3.2.3 a description of the specific personal information and data being requested, including the relevant user’s name and email address to enable identification of the account;

3.2.4 the categories and types of personal information sought;

3.2.5 the time period for the personal information sought; and

3.2.6 the timeframe for the provision of the User Data.

3.3 Cyango does not guarantee the existence or retention of particular user information. However, Cyango will honour valid requests made due to a compelling legal obligation to preserve information for up to 90 days and will extend the preservation for one additional 90-day period with an additional valid request for extension.

3.4. All Authority Requests made under clause 2.1.2 (emergency circumstances) must in addition to clause 3.2 also include:

3.4.1 the circumstances of the request and the nature of the claimed emergency;

3.4.2 explain why there is insufficient time to obtain and serve a valid and binding legal demand; and

3.4.3 explain how the information requested will assist in averting the claimed emergency.

3.5 The Authority Request must be sent by a law enforcement agency or official government entity via a registered email domain that aligns with the agency or by post on official letterhead.

3.6 Cyango requires that any individual or entity making an Authority Request ensure that the process or request is properly domesticated. Foreign law enforcement agencies making an Authority Request for data stored in another country should proceed through a mutual legal assistance treaty, letters rogatory processes or other diplomatic or legal processes.

3.7 Cyango does not accept requests for testimony from individual employees or contractors. These must be served personally.

3.8. Cyango will access the service of law enforcement requests by email to info[at], or at:

Head of Privacy
Wishes and Intuition Unip. LDA
Rua Circular Norte do PITE, NERE, 7005-841 Évora, Portugal

4.  Escalation of Authority Requests

4.1 If Cyango receives an Authority Request, the recipient of the request must pass it to Cyango´s Legal Team immediately upon receipt, indicating the date on which it was received together with any other information that may assist the Legal Team to respond to the request.

4.2 All Authority Requests must be notified to the Legal Team for review regardless of the form that it is submitted.

4.3 Cyango´s  Legal Team will carefully review each Authority Request on a case-by-case basis to ensure that it is legitimate and valid. The Legal team will liaise with outside counsel as appropriate to deal with the request to determine the nature, context, purposes, scope and urgency of the Authority Request and its validity under applicable laws, to identify whether an action may be needed to challenge the Authority Request and/or to notify the user and/or competent data protection authorities in accordance with clauses 5 and 6 respectively. When challenging an Authority Request, Cyango may seek interim measures to suspend the effects of the order until the court has decided on the merits that the Authority Request should be fulfilled.

5.  Notice of an Authority Request

5.1 Notice to the user

5.1.1 Cyango will ordinarily ask the Requesting Authority to make the Authority Request directly to the relevant user. If the Requesting Authority agrees, Cyango will support the user in accordance with the terms of its contract to respond to the Authority Request.

5.1.2 If this is not possible (for example, because the Requesting Authority declines to make the Authority Request directly to the user, does not know the user’s identity, or if Cyango is not permitted by law to disclose the Authority Request), Cyango will notify and provide the user with the details of the Authority Request prior to disclosing any User Data, unless legally prohibited from doing so or where an imminent risk of serious harm exists that prohibits prior notification. Requesting Authorities who believe that notification would jeopardize an investigation should obtain an appropriate court order or other processes that specifically prohibits customer notification.

5.1.3 If Cyango is legally prohibited from notifying the user prior to disclosure, Cyango will take reasonable steps to notify the user of the demand after the non-disclosure requirement expires.

5.1.4 If Cyango receives a legal process subject to an indefinite non-disclosure requirement (including a US National Security Letter), Cyango may challenge that non-disclosure requirement in court.

5.1.5 Cyango may seek reimbursement for costs associated with responding to Authority Requests, particularly if the costs incurred are the result of responding to burdensome or unique requests.

5.1.6 If an Authority Request places Cyango on notice of a violation of our Terms of Service, we will take action to enforce our Terms of Service. Cyango will consider a Requesting Authority’s request to defer Cyango´s enforcement on a case-by-case basis.

5.2 Notice to the competent data protection authorities

5.2.1 If the Requesting Authority is in a country that is not regarded as providing an adequate level of protection for the User Data of people located in the data subject’s country under applicable data protection laws, then Cyango may also put the request on hold to notify and consult with the competent data protection authorities unless legally prohibited or where an imminent risk of serious harm exists that prohibits prior notification.

5.2.2 Where Cyango is prohibited from notifying the competent data protection authorities and suspending the request, Cyango will use commercially reasonable efforts (taking into account the nature, context, purposes, scope, and urgency of the request) to inform the Requesting Authority about its obligations under applicable data protection law and to obtain the right to waive this prohibition. Such efforts may include asking the Requesting Authority to put the request on hold, so that Cyango can consult with the competent data protection authorities, or to allow disclosure to specified personnel at Cyango’s user, and may also, in appropriate circumstances, include seeking a court order to this effect. Cyango will use commercially reasonable efforts to maintain a written record of the efforts it takes.

6.  Data Minimisation

6.1 All requests will be interpreted narrowly by Cyango. Unnecessarily broad requests are subject to challenge.

6.2 In no event will Cyango transfer User Data to a Requesting Authority in a bulk manner for multiple users or in a disproportionate, and indiscriminate manner that goes beyond what is necessary for a democratic society.

7.  Transparency Reports

7.1 Cyango will prepare a semi-annual report (a “Transparency Report”), which reflects the number and type of Authority Requests it has received for the preceding six months, as may be limited by applicable law or court order. Cyango will publish the Transparency Report on its website, and make the report available upon request to competent data protection authorities.

7.2 The Transparency Reports will be made available below going forward.