Revision 2, 25 May 2018 – GDPR Updates
Definitions of Data Controller and Processor
- A Controller is an agency, entity, or legal person who determines the purposes and means of processing Personal Data.
- A Processor is an agency, entity, or legal person with responsibility for processing Personal Data on behalf of a Controller.
elapseit as a Data Processor
elapseit primarily provides its customers with a SaaS platform, has limited knowledge of customer data within the platform, and only processes the data in accordance with the customer’s instructions. elapseit is a Processor of data. All such information (“Customer Data”) is owned and controlled by our Customers, who are the Data Controllers for such information with respect to EU data protection law.
elapseit collects information under the direction of its customers and may have no direct relationship with the individuals whose Personal Data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the elapseit customer (the Data Controller).
Similarly, elapseit has no direct control over the data collected by its customers. elapseit customers may choose the EU geographical restriction at signup for the storage of data for which they are the Controller and are responsible for adhering to legal and regulatory requirements for the data which they collect and process as a Controller. To ease the job of the Data Processor we have put at their disposal a feature to allow the Data Subjects to export their personal data in a common format (csv at this point), by explicitly selecting the “Allow your company users to export their profile, timesheets, vacations and allocation information.” checkbox in the dashboard of the platform, under settings – gdpr page.
elapseit as a Data Controller
In some circumstances, such as during the account registration process for customer use of elapseit Services, elapseit collects and maintains Personal Data. This data is collected and maintained solely for the offer and maintenance of elapseit Services for customer use, and for the relevant communications and uses detailed within this policy. For these purposes, elapseit is the Controller.
The collection and processing of your Personal Data for direct use and administration of our Services is based on contractual obligation, necessary to provide you with access and use of the Services.
To be fully compliant, we have implemented a feature that allows the export of all the company data, including the Personal Data of all the Data Subjects managed by our Customer in a common format (csv at this point), by using the export feature in the dashboard of the platform. This feature is only available for Customer Administrators.
Personal Data We Collect
Definition of Personal Data
“Personal Data” is any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable person is one who can be identified by referencing an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Information you give us
elapseit requires some of your Personal Data to effectively operate, while providing you the best experiences with our Services. Some of this data comes directly from you when you perform transactions with elapseit, such as place an order, create a elapseit account, administer your organizations, or register for a newsletter. This data may include name, username, title, address, organization or employer, phone number, and/or email address.
Information we collect automatically
As is true of most websites, we also gather certain information automatically when you visit our website, mobile application, or interact with our Services. This information is used to analyze aggregated trends and to administer our Services, and may include Internet protocol (IP) addresses, the type of device you use, operating system and version, device identifier, where the application was downloaded from, usage information, events that occur within the application, performance data, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.), date/time stamp, and/or clickstream data. Please see the Cookies and Similar Technology section below for more details.
Information we receive from third parties
We may receive information about you from other sources, including publicly available databases or from third parties. This data helps us to update, expand, and analyze our records, identify new customers, and identify Services that may be of interest to you. This may include purchased marketing data about our customers from third parties, that is combined with information we already have about you, to create more tailored advertising and Services.
How We Use Personal Data
This section describes how elapseit uses the Personal Data that we collect to operate our business and to provide you our Services, including improvements to those Services and in the personalization of your experiences. We may also use the data to communicate with you, providing account information, security updates and Service information. Additionally, data is used to market our Services, to comply with applicable laws and legal processes, to enforce our terms and conditions, and to allow us to pursue available remedies or limit any damages that we may sustain.
To provide a requested service or carry out a contract with you
We use data collected from you in the following ways:
- Customer Support: to diagnose and repair technical issues and provide other customer care and support services.
- Account Notifications: to communicate Service and account notifications to you. For example, we may contact you by phone, email, or other means to inform you of account status, usage, and billing details, and to notify you when security updates or new features are available.
- Security, Safety, and Dispute Resolution: to protect the security and safety of our Services and our customers, to detect and prevent fraud, to resolve disputes, and to enforce our agreements.
- Providing the Services: to carry out your transactions with us and to provide our Services to you.
Where we have a legitimate interest We use data collected from you in the following ways: \
- Business Operations: to develop aggregate analysis and business intelligence that enable us to operate, protect, make informed decisions about, and report on the performance of our business.
- Service Improvement: to continually improve our Services, including adding new features or capabilities. For example, we use error reports to improve security features of our Services, and usage data to determine new features or Services to prioritize. \
Where we rely on legitimate interest for processing your information, we carry out a ‘balancing test’ to ensure that our processing is necessary and that your fundamental rights of privacy are not outweighed by our legitimate interests, before we go ahead with such processing. You can find out more about the information in these balancing tests by contacting us using the details below.
Where we have your consent
- We use data we collect to communicate with you in a variety of formats and to tailor those communications to you. Examples include inviting you to participate in surveys, email subscriptions, and promotional communications from elapseit by email, SMS, physical mail, or telephone. You can opt out by visiting the elapseit platform, on the Settings – GDPR Compliance page.
Automated decision making
elapseit employs automated decision making (also known as “profiling”) in the processing of your data in very limited ways, and only in accordance with the specifications of this Policy and applicable laws. For example, we may auto-assign customer support personnel to respond to your inquiries, based on your organization, and necessary details of that contract, or auto-assign a regional contact to assist you, based on your location. These actions are necessary to provide you with our Services and related support.
Similarly, some automated decision making is used, with your consent, to determine appropriate communications to you, as detailed above.
Reasons We Share Personal Data
This section describes how elapseit may share and disclose Personal Data. Customers determine their own policies and practices for the sharing and disclosure of data, and elapseit does not control how they choose to share or disclose Information.
elapseit may share your Personal Data with your consent, or as necessary to complete a transaction or provide a Service you have requested or authorized. For example:
- We share some of your Personal Data with our payment providers (at this point Braintree and PayPal) to be able to accept payments for the Service. The data shared is limited at the basics needed (at this moment name, company name, email and invoice amount). All the sensitive payment data (credit card number, CVV, card expiration) is handled by the payment provider directly and does not get to our servers.
- We share some of your Personal Data with our real time chat provider (at this point tawk.to) if you choose to use it, in order to be able to accept real time chats from our website. The data shared is limited at the basics needed (at this moment name and other data that you input into the chat box). If the data you wish to exchange is sensitive you can use other means of contact (email, private chat, telephone).
- We may disclose generic, aggregated (pseudonymized) demographic information, not linked to any specific Data Subject, regarding elapseit visitors and users to our business partners, trusted affiliates, and suppliers or agents working on our behalf.
- We may use third-party service providers to help us operate or administer the Services. For example, companies we’ve hired to provide customer service support or to assist in protecting and securing our services and systems may need access to Personal Data to complete those functions. In such cases, these companies must abide by our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
- We may disclose Personal Data to a third-party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
- As we believe to be necessary or appropriate, we may disclose Personal Data: (a) under applicable laws, including laws outside your country of residence; (b) to comply with legal process; (c) to respond to requests from public and government authorities, including public and government authorities outside your country of residence; (d) to enforce our terms and conditions; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
- If you elect to use connected third-party applications, we may share Personal Data with companies who provide those applications. In those cases, we encourage you to review and understand the terms and conditions and privacy policies of those third parties, over whom we have no control.
How We Protect Your Information
elapseit has adopted reasonable security measures to protect Personal Data against loss, theft, unauthorized access, alteration, disclosure, or destruction. These measures include policies, procedures, employee training, physical access control, and technical elements relating to data access controls. In addition, elapseit uses industry standard encryption to facilitate the exchange and transmission of data. elapseit only processes Personal Data in compliance with the purposes for which it has been collected, in accordance with this Policy.
In the event that Personal Data is acquired by an unauthorized person, and applicable law requires notification, we will promptly notify the affected Data Subject. Notice will be consistent with the legitimate needs of law enforcement, and any measures necessary for elapseit or law enforcement to determine the scope of the breach and to ensure or restore the integrity of a system. elapseit may delay notification if we, or a law enforcement agency, determine that the notification will impede a criminal investigation. In such case, notification will not be provided unless and until we or the agency determines that notification will not compromise the investigation.
We only retain your Personal Data for as long as is necessary for us to use your information as described above or to comply with our legal obligations. Please be advised that this means that we may retain some of your information after you cease to use our Services. For instance, we may retain your data as necessary to meet our legal obligations, such as for tax and accounting purposes.
When determining the relevant retention periods, we take the following factors into account:
- our contractual obligations and rights in relation to the information involved;
- legal obligation(s) under applicable law to retain data for a certain period of time;
- our legitimate interest where we have carried out a balancing test;
- statute of limitations under applicable law(s);
- (potential) disputes;
- if you have made a request to have your information deleted; and
- guidelines issued by relevant data protection authorities.
Otherwise, we erase your information once this is no longer needed.
Your Rights as a Data Subject
You have a number of rights when it comes to your Personal Data. Further information and advice about your rights can be obtained from the data protection regulator in your country.
|Rights||What does this mean?|
|1. The right to object to processing||You have the right to object to certain types of processing, for example processing for direct marketing. You can opt out by visiting the elapseit platform, on the Settings – GDPR Compliance page.|
|3. The right of access||You have the right to obtain access to your Personal Data information that elapseit processes, in order to ensure that we’re using your information in accordance with data protection laws.|
|4. The right to rectification||You are entitled to have your information corrected if it’s inaccurate or incomplete. You can do this from the elapseit platform.|
|5. The right to erasure||This is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your information where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions. You can delete your account from the elapseit platform.|
|6. The right to restrict processing||You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further. elapseit maintains lists of individuals who have asked for further use of their information to be ‘blocked’ or ‘restricted’ to ensure the request is respected in future.|
|7. The right to data portability||You have rights to obtain and reuse your Personal Data for your own purposes across different services. You can do this using the export function from the elapseit platform.|
|8. The right to lodge a complaint||You have the right to lodge a complaint about the way we handle or process your Personal Data with your national data protection regulator.|
|9. The right to withdraw consent||If you have given your consent to anything we do with your Personal Data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything we have done with your Personal Data with your consent up to that point is unlawful). This includes your right to withdraw consent to us using your Personal Data for marketing purposes. You can opt out by visiting the elapseit platform, on the Settings – GDPR Compliance page.|
Please contact us using the details below to exercise any of your rights. We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover our administrative costs of providing the information for:
- baseless or excessive/repeated requests, or
- further copies of the same information.
Alternatively, we may be entitled to refuse to act on the request.
Please consider your request responsibly before submitting it. These requests do not apply to mandatory service communications that are part of certain elapseit services, or to surveys or other informational communications that can be managed directly by the Customer. We’ll respond as soon as we can. Generally, this will be within 30 days from when we receive your request, unless the request will take substantially longer to fulfill.
If you cannot access certain Personal Data collected by elapseit directly through the elapseit Services you use, or if you do not have a personal elapseit account, you can always contact elapseit by emailing us at email@example.com.
How to Access and Control Your Personal Data
Access and control to your Personal Data is managed from the elapseit platform. For example, in the settings – GDPR compliance you may elect to:
- Receive electronic communications from us. Change your mind? Opt-out for those promotional emails.
Cookies & Similar Technologies
- Strictly Necessary Cookies: These cookies are necessary for the website to function. They are usually only set in response to actions made by you that amount to a request for services, such as logging in or filling in forms.
- Performance Cookies: These cookies allow us to count visits and traffic sources, so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All of the information collected by these cookies is aggregated and therefore pseudonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
- Functionality Cookies: These cookies enable the website to provide enhanced functionality and personalization, such as customer support chat functionality. They may be set by us or by third-party providers whose services we have added to our pages. If you do not allow these cookies, then some or all of these services may not function properly.
- Web Beacons: elapseit web pages may contain electronic images known as web beacons (also called single-pixel gifs) that we use to help deliver cookies on our websites, count users who have visited those websites and deliver co-branded Services. We also include web beacons in our promotional email messages or newsletters to determine whether you open and act on them.
- Analytics Services: elapseit Services often contain web beacons or similar technologies from third-party analytics providers, which help us compile pseudonymized aggregated statistics about the effectiveness of our promotional campaigns or other operations. These technologies are strictly prohibited from collecting or accessing information that directly identifies you. If you do not allow these services, we will not be able to monitor the performance of some of our operations.
- Other Similar Technologies: In addition to standard cookies and web beacons, our Services can also use other similar technologies to store and read data files on your computer. This is typically done to maintain your preferences or to improve speed and performance by storing certain files locally. But, like standard cookies, these technologies can also be used to store a unique identifier for your computer, which can then be used to track behavior. If you block these at the browser level, you will experience less targeted content, and may also experience performance issues when visiting our website or using our Services.
International Data Transfers
elapseit does not transfer your data to countries outside EU if you selected the “I want my data to be hosted only on EU servers” in order to be GDPR compliant.
Other Important Privacy Information
Notice to Customers (Company Administrators)
You are using this Services on behalf of an organization, and you are agreeing to these Terms for that organization and acknowledge that you have the authority to bind that organization to these terms. In that case, “you” and “your” will also refer to that organization. You must be at least 18 years of age to use the services; by using our Services you warrant and represent to us that you are at least 18 years of age.
You may use the Services only in compliance with these Privacy Terms. You may use the Services only if you have the power to form a contract with elapseit and are not barred under any applicable laws from doing so. The Services may continue to change over time as we refine and add more features. We may modify the Services at any time without prior notice to you.
Notice to End Users
elapseit Services are intended for use by organizations and are administered to you by your organization. Your use of elapseit Services may be subject to your organization’s policies and procedures. If your organization is administering your use of the elapseit Services, please direct your privacy inquiries to your administrator. elapseit is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.
If you use an email address provided by an organization you are affiliated with, such as an employer or school, to access elapseit online services, the owner of the domain (e.g., your employer) associated with your email address may: (i) control and administer your elapseit online services account and (ii) access and process your data, including the contents of your communications and files.
Information from Children
elapseit’s website and services are not designed for use by children under the age of 18. elapseit does not voluntarily or knowingly collect information from children under 18. As such, if you are under the age of 18, please stop using this website and/or elapseit services. If you are a parent or guardian and believe that we may have collected Personal Data from someone under the age of 18, please let us know by emailing firstname.lastname@example.org.
Elapse IT SRL
Registration and VAT number RO37287552
Str. Coral Nr. 9
Dumbravita, Timis 307160
Romania, European Union