PrivMX Privacy Policy
As an Internet company that creates secure tools for project management and communications within the team, we take privacy issues very seriously and we highly value your personal information and always treat them with confidentiality. We understand that you may require highest standard of confidentiality and compliance with rules concerning personal data processing. Therefore, we would like to inform you how we process your Personal Data.
Table of contents:
- Who is data controller?
- What is personal data?
- How can I contact a data controller?
- How do we obtain and process your Personal Data?
- Privacy Policy for PrivMX Services
- Concluding and performing an agreement
- Using PrivMX Services
- Privacy Policy for public web pages and standard communication means
- Public web pages
- Contacting us via e-mail, contact form, or phone
- Providing Personal Data on a public web page
- Processing Personal Data on social media
- Do we share your personal information with anyone else?
- What are your rights?
- Other provisions
- Cookies
1. Who is data controller?
This Privacy Policy concerns various cases of processing Personal Data by us. In each of the case described in this Privacy Policy, we, Simplito sp. z o.o. with its registered office in Toruń, address: Grudziądzka 1-3, 87-100 Toruń, 1-3 Grudziądzka, 87-100 Toruń, Poland, entered in the Register of Entrepreneurs of the National Court Register by the District Court in Toruń VII Commercial Division of the National Court Register under KRS No.: 0000305883, NIP: 9562217643, REGON: 340400555, share capital: PLN 190.491,00, are the data controller of your Personal Data.
2. What is Personal Data?
By the term "Personal Data", used in this Privacy Policy, we understand any information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
3. How can I contact the data controller?
If you have any question or doubts concerning processing of your Personal Data, please do not hesitate to contact us. You may write an e-mail to us: contact@privmx.com
4. How do we obtain and process your Personal Data?
We always process your Personal Data in accordance with the provisions of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter: GDPR).
We may process your personal data in connection with various activities concerning providing services by us. We have described them below. These activities concern six major areas:
- concluding and performing an agreement with us,
- using PrivMX Services,
- processing Personal Data in connection with visiting our public web pages,
- contacting us via e-mail, contact form or phone,
- providing an e-mail address on one of our public web pages,
- processing Personal Data on social media.
When we use terms Client or User in this Privacy Policy, they should be understood as a Client or User as defined in our Terms of Services.
Usually, we receive your Personal Data directly from you – especially when you visit our public web pages, contact us, leave your e-mail or become our Client. There is one important exemption though – if you are a User of our PrivMX Services and your account was created by our Client (e.g. an entity that invited you to use PrivMX Services, like your employer, co-worker or contractor) or you were invited to use PrivMX Services by our Client, we obtain your Personal Data directly from our Client. Sometimes we also may receive your Personal Data from other sources like a social media platform, especially in connection with our marketing activities – we do it only if provisions of social media platform’s terms of service allows us to do it.
There are situations in which we are not processing personal data as the data controller and we act as a data processor. It means that we do not determine the purposes and means of the processing of Personal Data. In such cases, it is usually done by our Client, acting as a data controller - e.g. if a Client contacts other persons with tools provided by us (such as PrivMX Client Software) or store data within the PrivMX Infrastructure, we do not act in this regard as the data controller, but as a data processor, according to a separate data processing agreement, concluded between us and a Client.
5. Privacy Policy for PrivMX Services
Concluding and performing an agreement
We may process your Personal Data if you are using our services as a Client - a person who accepted our Terms of Service or entered in an agreement with us in any other way. We also process Personal Data of people that act on behalf of a Client - e.g. a CEO, board member, partner, proxy, contact person, or a person responsible for using PrivMX Services within a company. Therefore, we process Personal Data in connection with concluding and performing an agreement between you (or your organization) and us or using tools available on one of our websites to manage your services.
In connection with using PrivMX Services by you, we may process your Personal Data in order to:
-
conclude and perform the contract for the provision of electronic services, in accordance with the provisions of Terms of Service or other agreement concluded between us and you (if you are a party of an agreement with us) - the legal basis for processing Client's Personal Data in this regard is the necessity of processing for performance of the contract to which the data subject is a party or to take action at the request of the data subject before the conclusion of the contract, in accordance with the provisions of Article 6.1.b) of the GDPR,
-
enable you to act as a Client's representative, agent, employee or a contact person, e.g. if you are a CEO or a manager in a company and you are responsible for using PrivMX Services in your organization, we may process your Personal Data in order to conclude and perform the contract for the provision of electronic services, in accordance with the provisions of Terms of Service, e.g. in order to maintain communication between you and our company, issue invoices or enable you to choose and configure the specific services that are provided for you - the legal basis for processing your Personal Data in this regard is the necessity of processing of data for the purposes of the legitimate interests pursued by the data controller, in accordance with the provisions of article 6.1.f) of the GDPR,
-
comply with obligations imposed on the data controller by legal provisions, including in particular tax law or administrative law - the legal basis for Personal Data processing in this regard is the need for processing the data to fulfil the legal obligation to which data controller is subject, in accordance with the provisions of article 6.1.c) of the GDPR,
-
monitor the way in which PrivMX Services are being used, especially for statistical purposes, development of our services, purposes related to the prevention of errors and bugs, to ensure an appropriate level of security, create updates and possible fixes as well as in order to prevent actions which are not in accordance with provisions of our Terms of Services or generally applicable law – what constitutes the legitimate interest of the data controller, and the legal basis for Personal Data processing in this regard is the provision of article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary to achieve the objectives of legitimate interests pursued by the data controller or by a third party,
-
respond to your inquiries, review potential complaints concerning provision of services by us – what also constitutes the legitimate interest of the data controller, and the legal basis for Personal Data processing in this regard is the provision of article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary to achieve the objectives of legitimate interests pursued by the data controller or by a third party.
-
sometimes we also may process your Personal Data for the establishment, exercise or defence of legal claims – this also bases on our legitimate interest, as the data controller, and the legal basis for data processing in this regard is the provision of article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary to achieve the objectives of legitimate interests pursued by the data controller or by a third party.
According to purposes described above, we may process the following Personal Data:
- Identification data (name and surname),
- Data concerning your business activities or an entity for which you work for,
- Contact data (e.g. e-mail address, phone number),
- Data concerning contacts between us and you (e.g. content of e-mail messages),
- Data concerning providing services for you (e.g. provisions of agreements),
- Data concerning payments and invoices,
- Statistical and analytical data concerning your usage of PrivMX Services.
We process these data for the time when you are our Client (you are a party of a binding agreement between us and you) or you act on behalf of a Client as its representative, employee, co-worker, subcontractor, manager or agent. After the end of this time, we will process your Personal Data until the expiry of the limitation period on claims relating to the agreement, concluded between us and our Client. We also store the Personal Data as long as we are obliged to do that, basing on legal requirements (e.g. tax law) – what usually takes no longer than 5 years.
However, we may always erase your data earlier, if we are assume that they are no longer needed. We keep your personal data for only as long as we need to.
Using PrivMX Services
If you are a User of a PrivMX Services, especially:
- you may log into a PrivMX Services and use its functionalities as a User,
- you may communicate with other Users via PrivMX Services, we may also process some of your Personal Data. Please remember that, if you use our PrivMX Client Software (including web, mobile or desktop app), then your team’s content is encrypted on your devices before it arrives on our servers. We process Personal Data connected with using a PrivMX Services mostly basing on a Data Processing Agreement, concluded between us and our Client, as a data processor. However, in certain situations we may also process some of the Personal Data as a data controller in order to:
- Enable Users the use of a PrivMX Services, especially in order to authenticate their credentials during logging in, maintain communication between us and Users, reply to their possible requests or complaints or send them notifications - the legal basis for processing Users' Personal Data in this regard is the need to process them in order to execute the legitimate interest of the data controller, which is the obligation to provide services for a Client, in accordance with the provisions of the Terms of Service. The basis for processing Personal Data in this regard is the provision of Article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary for the purposes of legitimate interests pursued by the data controller or by a third party. However, if you, are a User of PrivMX Services and our Client at the same time (a party of an agreement concluded with us) we process this Personal Data in connection with performance of the contract, in accordance with the provisions of Article 6.1.b) of the GDPR.
- Monitor the way in which Users use PrivMX Services. We process data in connection with Users' activities for statistical purposes, purposes related to the prevention of errors and bugs concerning provided services, to ensure an appropriate level of security, create updates and possible fixes as well as in order to prevent actions of Users which are not legal in accordance with provisions of the Terms of Services or generally applicable law – what constitutes the legitimate interest of the data controller, and the legal basis for Personal Data processing in this regard is the provision of article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary to achieve the objectives of legitimate interests pursued by the data controller or by a third party.
- Enable Users to download, install and use PrivMX Client Software - our desktop app available on our website or our mobile app that may be downloaded from Apple Store or Google Play Store - the legal basis for processing Users' Personal Data in this regard is the need to process them in order to execute the legitimate interest of the data controller, which is connected with enabling Users to download our app and run it. The basis for processing Personal Data in this regard is the provision of Article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary for the purposes of legitimate interests pursued by the data controller or by a third party.
According to purposes described above, we may process the following Personal Data:
- Identification data (name and surname),
- Contact data (e.g. e-mail address, phone number),
- Data concerning contacts between us and you (e.g. content of e-mail messages),
- Statistical and analytical data concerning your usage of PrivMX Services, such as IP address, data about a device that you use, details which functionalities you use and what kind of version of PrivMX Client Software you use.
We process these data as long as you are a User of our services and for the time an entity that created your User’s account or invited you to use PrivMX Services, uses our services (is a party of a binding agreement between this entity, eg. a Client, and us). After the end of this time, we will process your Personal Data until the expiry of the limitation period on claims relating to this agreement, concluded between us and an entity that created your User’s account. We also store the data as long as we are obliged to do so, basing on legal requirements (e.g. tax law) – what usually takes no longer than 5 years.
However, we may always erase your Personal Data earlier, if we are assume that they are no longer needed. We keep your Personal Data for only as long as we need to.
6. Privacy Policy for public web pages and standard communication means
Public web pages
If you visit one of our public web pages, such as privmx.com (or our any other web page conected with providing PrivMX Services by us) we may process your Personal Data. In this case, processing your Personal Data is connected with:
- our use of cookie files or other, similar technologies, within public web pages,
- storing data about visits on a public web page (logs) such as IP address and data concerning the device you are using,
- analysing the way you use our public web pages and displaying advertisements of our services,
- your browsing history of the content you have visited on our public websites, including information on how you were referred to our sites via other websites.
The legal basis for processing this data is the provision of article 6.1.f) of the GDPR, stating that we may process Personal Data if it is necessary for the purposes of the legitimate interests pursued by the data controller.
Our legitimate interest is related to the:
- requirement of controlling the traffic within our public web pages,
- preventing errors and technical defects,
- safety of the public web pages, as well as the necessity to prevent abuse and violations of the law within the public web pages,
- analysing users' activities within public web pages, such as duration of visits, links clicked, country of origin or a type of a device used,
- performing marketing activities - we may process your Personal Data connected with using our public web pages in order to present you our marketing materials, including advertisements.
During your first visit on our public web page, we will inform you about our use of cookies and we will ask for your consent in this regard. Expressing consent to the use of cookies may also be made by changing the appropriate browser settings.
The Personal Data that we process usually involve information about the type of a device you are using, your web browser, your IP address, a country of origin, duration of a visit on our public web pages, number of visits, information about links clicked or other information stored within cookie files.
We process these data as long as you use our public web pages, and up to fourteen months after your last visit on a specific public web page. Data stored within cookie files may be processed as long as you store them on your device, no longer than for fourteen months. You may delete cookies by using functionalities of your web browser.
Contacting us via e-mail, contact form or phone
We publish our contact details on our public web pages. Therefore, if you use a contact form or chat on our public web pages, you send us a message or contact us by a phone or via an e-mail, we process your Personal Data in order to answer your question and maintain a contact with you. The necessity to process Personal Data in order to answer your question and to maintain contact with you is our legitimate interest, and the legal basis for data processing in this regard is the provision of article 6.1.f) of the GDPR.
In connection with processing Personal Data in order to maintain contact, we may process such data as your name and surname, contact details (especially e-mail address), and content of messages.
We process this data for the duration of the contact between us and you and up to three months after an end of this contact.
Please remember that, if you use our PrivMX Services, then your team’s content is encrypted on your computers before it arrives in our servers.
Providing Personal Data on a public web page
Sometimes we may provide you with the ability to provide your Personal Data, especially your name, surname, country of your residence, information about your company or your e-mail address, on our public web pages. This may be especially required in order to receive an invitation to start using PrivMX Services or to enter into an agreement with us. Consequently, we will process your Personal Data, basing on a necessity to process personal data in order to take steps at the request of the data subject prior to entering into a contract, according to the provision of article 6.1.b) of the GDPR.
We may also give you the opportunity to sign up for our newsletter and to provide us with your e-mail address in order to receive marketing messages. In such a case, we will process your Personal Data basing on our legitimate interest which is connected with performing marketing activities in order to promote our products and services. The legal basis for processing these data is the article 6.1.f) of the GDPR. Nevertheless, a specific legal obligations may require us to obtain a separate consent in order to send you marketing materials via an e-mail. Therefore, we may require you to give us such a consent before we will send any marketing e-mail to you. You will always have a possibility to withdraw a consent for receiving marketing information via e-mail, what will not have an impact on legality of sending you these e-mail before revoking this consent.
We will process these data as long as we will issue newsletter or provide marketing materials to interested people via an e-mail, no longer than to a moment of withdrawal of your consent, if a specific legal provisions require us to obtain such a consent. If you asked for a invitation to use PrivMX Services via our public web page, we will process your Personal Data for a term necessary to create an account for you. Then we may process them according to the regulation concerning processing data concerning using PrivMX Services, specified in this Privacy Policy.
Processing Personal Data on social media
We use social media in order to perform marketing activities concerning our products, services and our company. We note that social media platforms are managed by a separate entities and we process Personal Data of its' users in a very limited way. You may find detailed infomation about processing Personal Data by a social media platform on a a social media platform's website, usually in a privacy policy section.
Processing Personal Data on social media platforms by us is similar to using our website or contacting us via an e-mail or a contact form. We use social media platforms mostly in order to promote PrivMX Services and make sure that you may contact us easily. We own our social media fanpages for this purpose. Therefore, if you write a comment below our posts or interact with our profiles, that may lead to processing your Personal Data by us. We may also use plug-ins concerning specific social media platform on our public web pages, enabling us to connect our web page with a social media platform.
In connection with these activities, if you own an account within such a social platform and interact with our fanpage or website, your Personal Data may be processed by us - especially a name, surname, contact details and content of comments and correspondence stored on social media platform.
Due to the specific functioning of social media pages, we process your Personal Data together with an entity that is responsible for creating and maintaining social media website (owner of a specific social media website). Therefore, we are together both considered as controllers of your Personal Data.
Processing Personal Data for purposes concerning usage of social media platforms constitutes the legitimate interest of the data controller, and the legal basis for data processing in this respect is the provision of article 6.1.f) of the GDPR, which indicates the possibility of processing personal data when it is necessary to achieve the objectives of legitimate interests pursued by the data controller or by a third party. If a separate legal provisions require us to obtain your explicit consent in order to send a marketing content to you, we will ask you for a consent before sending such a marketing messages to you.
A detailed list of social media platforms that we use in connection with our business activities may be found on our public web page.
We will process your personal data within social media platforms as long as you follow us on social media, post comments or like our posts.
7. Do we share your personal information with anyone else?
First of all, we inform you that we do not sell your Personal Data to any third parties. However, we may use some of the external service providers that will process your Personal Data on our behalf.
Therefore, we would like to emphasize that we distinguish two kinds of data:
- your Personal Data that we process outside of the specified part of PrivMX Infrastructure used by you or your team - we share it with entities which provide us with specialized services that are necessary to conduct our business, as explained below,
- data created and stored by your team within a PrivMX Infrastructure - it is by-design encrypted on your side and we are even not able to make it readable. We do not share it with anyone, of course.
In order to provide our services we may use services of another entities that process your Personal Data. Consequently, the Personal Data provided to us may be transferred to entities which provide us with services like orders and payment processing, hosting, accounting, legal consulting, social media presence managing, mailing or measuring traffic on public websites.
You may find a detailed list of all data processors which services we use and share Personal Data with on our public web page. You may access a page with this list by clicking a link called PrivMX data subprocessors.
Note that not all of these data processors may automatically receive all your Personal Data, especially if you choose specific data center's location for hosting your data, then data centers in other locations will accordingly not receive your Personal Data.
8. What are your rights?
Considering that we process your Personal Data, you are entitled to:
- Request access to your Personal Data from the Service Provider – you may always request this access. We will then provide you with access to this data that we have access ourselves – like e-mail messages, agreements or invoices. However, we note that we will not be able to provide you with this data that are encrypted within the PrivMX Infrastructure.
- Request rectification of your Personal Data – if you notice that your Personal Data are incorrect or outdated, just let us know and we will rectify them.
- Request erasing your Personal Data – in specific situations, especially if you do not use our services anymore, you may request us to erase your Personal Data. However, we sometimes may refuse to do so, according to the provisions of the GDPR – especially if we still need them in order to exercise or defence of legal claims or to be compliant with a legal obligation which requires processing your Personal Data.
- Request to restrict the processing of your Personal Data – you may ask us to restrict processing your Personal Data if you believe that processing is unlawful or we do not need your Personal Data anymore, you ask us to rectify incorrect data, or you object to processing of your Personal Data.
- Request the transfer of your Personal Data to other service providers – you may always ask us to transfer your data, which comes directly from you, are processed by automated means and are processed basing on a necessity to perform a contract. However we notice that we may only see your data stored on PrivMX Infrastructure in an encrypted form. Therefore, we cannot decrypt nor read nor send to you your team's decrypted data.
- File a complaint about the unlawful processing of your Personal Data to the competent data protection authority – you can always file a complaint about incorrect processing your Personal Data to competent authority.
To the extent that the processing of your personal data takes place basing on the basis of the legitimate interest of the data controller, you have the right to object to the processing of your Personal Data.
9. Other provisions
Providing Personal Data may be required to conclude a contract for the provision of electronic services or to create a User's account. It may also be needed to comply with legal provisions, especially concerning invoicing and tax law.
We do not process your Personal Data in a way that includes automated individual decision-making or profiling according to the GDPR.
10. Cookies
In case if you visit at least one of our public web pages the cookies we use may be stored on your device. Cookies mean small files that enable or facilitate the use of certain functions of the public web pages or Control Center. They can be saved on your device directly by us or by third parties with whom we cooperate. As part of the use of cookies, we may process your Personal Data, especially your IP address, history of your activities within Control Center or our public web pages, or information about the device or software that you use. As using Control Center may also be connected with using cookies, if we refer to cookies used by our public web pages, it also concerns using cookies within Control Center.
On our public web pages we also use other technologies similar to cookies that optimize how the page works. That also may be connected with processing personal data. If we refer to cookies in this policy, it also means technologies similar to cookies.
Cookies are used to control the traffic within our web pages, create statistics of the use of the web page by its users, to conduct marketing activities, to prevent errors and technical defects, to ensure the safety of the web page or to prevent abuse and violations of the law. We use cookies according to the provisions of this Privcy Policy concerning processing Personal Data.
We may use two types of cookies:
- Session cookies: they are stored on your device during the time you use our web pages and they are deleted when you close your internet browser. Session cookies enable the correct use of our web pages and blocking them may result in errors or prevent the use of our web pages or application.
- Persistent cookies: they are stored on your device until they are deleted. They are used to analyse the traffic on our web pages and to associate your visit on the web pages with the social networks you use. We do our best to use only the services of such entities that guarantee the security of your device, software and your data. This also applies to cookies used by these entities.
Additionally, cookies that we use are divided into the following categories:
- Technical cookies - these files are necessary for the proper display and operation of the website. These files can also detect irregularities in the functioning of the website and help correct errors, as well as enable verification of the scope of the user's consent to other cookies. Blocking them may cause the website to malfunction,
- Analytical and statistical - these cookies enable statistics on the use of our website by users. They enable, among others: verifying website traffic, counting the number of visits, measuring how the website is used and analyzing what devices and browsers users use. To conduct analytical activities, we use tools such as Google Analytics. These tools may require the use of cookies.
You may choose which cookies will be stored on your device when you visit one of our web pages for the first time. You also have the option of limiting or disabling cookies on your device. Settings regarding the use of cookies can be found in the settings of your web browser. Web browsers allow you to disable all cookies or certain types of cookies (e.g. from third parties). If you disable cookies in part, some necessary cookies may still be saved on your device by our web page, enabling the web page to work properly. In this case, however, the cookies of the third parties with whom we cooperate will not be saved.
Remember that if you limit the use of cookies, the use of specific services provided by us may be limited, and in some cases may not be possible.
//rev30092023
PrivMX data subprocessors