GDPR

This page contains the GDPR compliance explanation for Convify — the best marketing software for eCommerce.

GDPR

What is GDPR

The European Union’s General Data Protection Regulation (GDPR), that becomes effective on 25 May 2018, is a new regulation that extends the protection of Personal Data for European Union citizens. Under the GDPR, companies have new obligations regarding Personal Data processing and collection.

Know more about the GDPR.

Personizely complies with GDPR and will take each measure required to make sure our customers’ Personal Data safety, as data collector and chip.

See our updated Privacy Policy.

Personizely as Information Processor
Our Clients have the chance to collect with Personizely the data subjects (“connections”,”clients”) that they control. The contacts’ information may comprise Personal Data including full name, email address, telephone, address, IP address, bio, company name, name, location, and any other kind of data that may be attached as spiritual fields for further segmentation of contacts.

We have no direct relation with our Clients’ contacts, but we just store and process data, therefore, Personizely acts as Information Processor.

We’ve added a listing of new features to make certain that we as Data Processor, in addition to our Clients as Data Controllers, comply with all the GDPR regulations.

Now, data issues (in this instance”contacts”) have the following choices:

See or delete all of information collected for an individual person (Data theme ).
IP address will be added to the data accumulated through Widgets, in order to controller of the information, can verify that the information accumulated, was granted by the Information subject
Since Personizely is acting as Information Processor, it is the Client’s responsibility as Information Collector to meet information subjects’ requests by doing so directly or ask our team to perform it (we reserve the right to bill for quantity ).

In our role as Data Controller into our information subjects, We’ve implemented the following modifications:

CONSENT TO COLLECT AND PROCESS INFORMATION
New Personizely Clients will have to consent their Personal Data can be processed, otherwise, we are not going to be able to supply them our services. Before giving their approval, Clients can read our Privacy Policy, Data Processing Agreement, and this GDPR compliance record to find out what information Personizely collects, and how the information is used.

Personizely does not include automated check marks to acquire a customer’s consent.

WITHDRAW CONSENT AND DATA DELETION
Clients can withdraw their consent at any time throughout their lifecycle by canceling their subscription, meaning that Personizely will stop processing their Personal Data.

Our data subjects can also view each of their data Personizely has accumulated or is processing, and may decide to permanently delete their account and all associated data. After an account is deleted, it will also be removed from all of our third-party services Personizely is using, while our information security team will make sure no residual information is left.

RIGHT TO ACCESS DATA
Clients may request our team to hand over of any of the gathered information, or their contacts’ information, in a common format, without any additional fee.

DATA PROTECTION OFFICER (DPO)
Personizely has made a DPO to be certain that our support is totally compliant with GDPR, including all future upgrades in related regulations. The DPO will always monitor Personal Data processing tasks, will make sure that security checks are made on a rigorous regular basis, will cope with Data Security requests from our Clients and their Data Subjects, and will supervise Data Removal audits.

The DPO will also ensure the third-party providers Personizely is using for its operations are GDPR compliant, or may provide any other certification to make sure that data transfers are made securely.

PERSONAL DATA SECURITY
Personizely has executed and maintains reasonable, commercially suitable security processes and practices, suitable to the character of the information we store, so as to shield it from unauthorized access, destruction, use, modification, or disclosure.

However, please bear in mind that no method of transmission over the internet, or method of electronic storage is 100% protected and we cannot guarantee the complete security of the Personal Information we have collected from you.

ACCESS TO YOUR PERSONAL DATA AND DATA SUBJECTS YOU CONTROL
Quite a few key employees may have access to a Personal Data. Below We’ll list all of the Men and Women who have access to your data, what is their function within our company, and to what degree they can access or modify your data:

Product Management team (accessibility: web interface): Use Personal Data to get in touch with Clients, analyze user behavior and for Tracking. The lead Product Manager can alter or eliminate Personal Data from third party services; does not have access to data stored on servers.
Client Success staff (access: web interface): Use Personal Data to get in contact with Clients, analyze user behavior and for Tracking. Can’t change, export or remove Personal Data; doesn’t have access to information stored on servers.
Development group (access: web interface and/or resource code): Use Personal Data for Tracking. Doesn’t have access to stored Personal Data.
System management team (accessibility: source code, server infrastructure, backups): might use Personal Data for troubleshooting and service tracking; can modify or remove data under the oversight of the Data Protection Officer.
The access to Personal Data is approved by the Chief Executive Officer (CEO) and the Data Protection Officer. A worker is given access to our admin panel or third-party providers that store Personal Data. The access is given, but not guaranteed, for the entire amount of employment at our firm.

Prior to being granted access to Clients’ Personal Data and their Data Subject, new workers pass an on-boarding training. Clients and customers’ data handling are extensively covered during the on-boarding.

Employees are provided a corporate email address they use to sign log or up in to the admin panel, and third-party services. Each email address is set up to give access into the admin panel and third-party apps with restricted roles that are determined by the CEO and DPO. Email addresses are disabled by the DPO in worker’s contract termination, therefore removing all the access to Clients’ Personal Data and their Data Topics.

BACKUPS
We copy Clients’ Personal Data, and the information they’ve imported to Personizely or accumulated with our support on dedicated servers leased with Hetzner Gmbh, in Germany.

Personal Data is retained during the subscription period of an active customer. If a customer cancels the subscription, we reserve our right to maintain the information up to 90 days, so returning Clients can restart their action in the accounts. After the 90 days period expires and the client didn’t reactivate the accounts, all information is deleted.

Personizely has set up two major security amounts to keep processed Personal Data secure.

1 level (net interface): We control workers’ data accessibility and activities within our merchandise or third party services where we shop Personal Data.
Two degree (server-side): Firewalls, all information transfer is encrypted with SSL, 24/7 tracking.
Accounts with admin entry need two-factor authentication and only the CEO and DPO have access to credentials, so no unauthorized employee can access them.

Notifications and alarms have been put up to inform the CEO and DPO whenever Client or client’s information is being exported.

PERSONAL DATA DESTRUCTION
Personizely is responsible for ruining the saved Personal Data in the conclusion of the retention interval.

When authorized, the data is digitally removed from our system along with backups.

In the end of the destruction process, our Server management teams will carry out an audit to assess if all relevant PII has been destructed and will provide reports upon request.

In case Personal Data is compromised due to a breach of safety, Personizely, as Data Controller, will notify our country’s supervisory authority of information breaches, as well as our customers, inside seventy-two (72) hours following the breach has been discovered (unless the data is encrypted or anonymized), in compliance with applicable law.

We will also take any needed step to mitigate the outcome of the information breach.

Data processing agreement
This DPA reflects Personizely’s and the Customer’s agreement Concerning the processing of Personal Data collected with Personizely from the Customer.

The terms used in this DPA shall have the meanings set forth within this Agreement. Capitalized terms not otherwise defined herein shall have the meaning given to them at the Principal Agreement. Except as modified below, the conditions of the Principal Agreement will stay in full force and effect.

Despite the mutual responsibilities set out herein, the parties hereby agree that the provisions and conditions set out below will be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

ARTICLE 1.
1.1. THE PROCESSOR HEREBY AGREES UNDER THE CONDITIONS OF THIS DPA TO PROCESS PERSONAL DATA ON BEHALF OF THE CONTROLLER ONLY FOR THE PURPOSES SET ON THE PRIVACY POLICY.

1.2. THE PERSONAL DATA TO BE PROCESSED BY THE PROCESSOR FOR THE FUNCTIONS SET OUT IN THE FORMER CLAUSE AND THE CLASSES OF DATA SUBJECTS INCLUDED ARE SET OUT IN APPENDIX 1 FOR THE INFORMATION PROCESSING AGREEMENT. THE PROCESSOR WILL NOT PROCESS THE PERSONAL DATA FOR ANY OTHER PURPOSE UNLESS USING THE CONTROLLER’S APPROVAL. THE CONTROLLER SHALL NOTIFY THE PROCESSOR OF ANY PROCESSING PURPOSES TO THE EXTENT NOT ALREADY MENTIONED IN THIS DATA PROCESSING AGREEMENT. THE PROCESSOR, NEVERTHELESS, IS ALLOWED TO USE PERSONAL DATA FOR QUALITY ASSURANCE AND STATISTICAL RESEARCH PURPOSES REGARDING THE CALIBER OF THE PROCESSOR’S SERVICES.

1.3. ALL PERSONAL DATA PROCESSED ON BEHALF OF THE CONTROLLER SHALL REMAIN THE PROPERTY OF THEIR CONTROLLER AND/OR THE INFORMATION ISSUES IN QUESTION.

ARTICLE 2.
2.1. CONCERNING THE PROCESSING OPERATIONS REFERRED TO IN THE PREVIOUS CLAUSE, THE PROCESSOR SHALL COMPLY WITH ALL APPLICABLE LAWS, INCLUDING ALL INFORMATION PROCESSING LAWS SUCH AS THE GENERAL DATA PROTECTION LEGISLATION (GDPR).

2.2. UPON THE FIRST PETITION, THE PROCESSOR SHALL INFORM THE CONTROLLER ANY MEASURES TAKEN TO COMPLY WITH ITS DUTIES UNDER THIS DATA PROCESSING AGREEMENT.

2.3. ALL DUTIES OF THE PROCESSOR UNDER THIS DATA PROCESSING AGREEMENT SHALL APPLY EQUALLY TO ANY PERSON PROCESSING PERSONAL DATA UNDER THE SUPERVISION OF THE PROCESSOR, SUCH AS BUT NOT LIMITED TO EMPLOYEES IN THE BROADEST SENSE OF THE TERM.

2.4. THE PROCESSOR SHALL INFORM THE CONTROLLER WITHOUT DELAY WHEN IN ITS VIEW A CONTROLLER’S INSTRUCTION WOULD VIOLATE THE LAWS REFERRED TO IN THE FIRST CLAUSE OF THIS ARTICLE.

2.5. THE PROCESSOR WILL PROVIDE REASONABLE ASSISTANCE TO THE CONTROLLER IN THE CIRCUMSTANCE OF ALMOST ANY PRIVACY IMPACT ASSESSMENTS TO BE PRODUCED BY THE CONTROLLER.

ARTICLE 3.
3.1. THE PROCESSOR MAY PROCESS THE PERSONAL DATA IN ANY COUNTRY WITHIN THE EUROPEAN UNION.

3.2. IN ADDITION THE PROCESSOR MAY MOVE THE PERSONAL DATA INTO A COUNTRY OUTSIDE THE EUROPEAN UNION, PROVIDED THAT COUNTRY ENSURES AN ADEQUATE LEVEL OF PROTECTION OF PERSONAL DATA AND COMPLIES WITH OTHER DUTIES IMPOSED ON IT UNDER THIS DATA PROCESSING AGREEMENT ALONG WITH THE GDPR, INCLUDING THE ACCESS TO SUITABLE SAFEGUARDS AND ENFORCEABLE DATA SUBJECT RIGHTS, AND EFFECTIVE LEGAL REMEDIES TO DATA SUBJECTS.

3.3. THE PROCESSOR WILL REPORT TO THE CONTROLLER OF THE STATES INVOLVED. THE PROCESSOR WARRANTS THAT, CONSIDERING THE CONDITIONS THAT ARE RELEVANT TO THE TRANSFER OF PERSONAL DATA OR SOME OTHER CATEGORY OF TRANSPORTS, THE COUNTRY OR STATES OUTSIDE THE EUROPEAN UNION HAVE A DECENT LEVEL OF SECURITY.

3.4. IN PARTICULAR, THE PROCESSOR SHALL TAKE INTO ACCOUNT THE LENGTH OF THE PROCESSING, THE COUNTRY OF ORIGIN AND THE STATE OF DESTINATION, THE GENERAL AND SECTOR-BASED PRINCIPLES OF REGULATION IN THE NATION OF DESTINATION AND THE PROFESSIONAL RULES AND SECURITY MEASURES WHICH ARE COMPLIED WITH IN THAT COUNTRY.

4.1. THE PROCESSOR IS SOLELY RESPONSIBLE FOR ITS PROCESSING OF PERSONAL DATA UNDER THIS DATA PROCESSING AGREEMENT IN ACCORDANCE WITH THE INSTRUCTIONS SPECIFIED IN THE PRIVACY POLICY. THE PROCESSOR DOES NOT ACCEPT ANY RESPONSIBILITY FOR ANY PROCESSING OF PERSONAL DATA, SUCH AS BUT NOT LIMITED TO ANY COLLECTION OF PERSONAL DATA BY THE CONTROLLER, PROCESSING FOR FUNCTIONS NOT REPORTED ON THE PROCESSOR, PROCESSING BY THIRD PARTIES AND/OR FOR OTHER PURPOSES.

4.2. THE CONTROLLER REPRESENTS AND WARRANTS THAT THE INFORMATION, USE, AND DIRECTIONS TO PROCESS THE PERSONAL DATA AS INTENDED IN THIS DATA PROCESSING AGREEMENT ARE LAWFUL AND DO NOT VIOLATE ANY RIGHT OF ANY THIRD PARTY.

ARTICLE 5. THIRD PARTY DATA PROCESSORS
5.1. The Controller acknowledges that in the provision of some services, the Processor can transfer Personal Data to otherwise interact with third party data processors on the state that such parties have been reported ahead of the Controller. Find out more about the third party services that could be involved in data processing from the Privacy Policy.

5.2. The Controller considers that if and to the extent these transfers occur, the Controller is responsible for entering into different contractual arrangements with such third party data processors binding them to comply with obligations in accordance with the GDPR.

5.3. In any case, the Processor shall ensure that any third parties are bound to the same duties as agreed between the Controller and Processor.

ARTICLE 6. SECURITY
6.1. The Processor shall utilize reasonable efforts to implement appropriate technical and organisational steps to ensure a level of safety appropriate to the danger of the processing of required surgeries, against loss or unlawful processing (specifically from unlawful or accidental destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed).

6.2. The Processor shall implement specific security measures given in the GDPR. The Processor may correct the safety measures anytime period. The Processor shall notify the Controller of some alterations.

6.3. The Processor does not justify the safety is effective under most conditions. If any safety measure specifically agreed within this Data Processing Agreement is missing, then the Processor will use his best efforts to ensure a level of safety appropriate to the risk taking into account the state of the art, the costs of implementation and the character, scope, context and purposes of processing as well as the danger of varying likelihood and seriousness for the rights and freedoms of natural persons.

6.4. The Controller shall simply provide Personal Data to the Processor for processing if it has ensured that the required security measures have been taken. The Controller is responsible for the parties’ compliance with these security measures.

ARTICLE 7. NOTIFICATION AND COMMUNICATION OF DATA BREACHES
7.1. The Controller is responsible at all times for notification of any security breaches and/or Personal Data breaches (that are known as: a violation of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data sent, stored or processed) to the competent supervisory authority, and for communication of the exact same to data subjects.

7.2. A notification under the last clause shall be made at all times, but only for actual breaches.

7.3. The notification will include at least the fact that a breach has occurred. In addition, the notification will:

Describe the nature of the Personal Data violation including, wherever possible, the approximate amount of data issues concerned;
Describe the likely consequences of this Personal Data breach;
Describe the steps taken or proposed to be taken by the Processor to address the Personal Data violation, for example, where appropriate, measures to mitigate its possible adverse effects.
ARTICLE 8.
8.1. IN CASE A DATA SUBJECT MAKES A REQUEST TO EXERCISE HIS OR HER LEGAL RIGHTS UNDER DATA PROTECTION LEGISLATION, THE PROCESSOR SHALL PASS SUCH REQUEST TO THE CONTROLLER, AND THE CONTROLLER SHALL PROCESS THE PETITION. THE PROCESSOR MAY INFORM THE DATA SUBJECT THAT THE CONTROLLER WAS NOTIFIED OF THE REQUEST.

ARTICLE 9. CONFIDENTIALITY OBLIGATIONS
9.1. All Personal Data the Processor receives in the Controller and/or collects itself is subject to strict obligations of confidentiality towards third parties. The Processor will not use this information for any goals other than for which it had been obtained, not even if the information has been converted into a type that’s no more related to an identified or identifiable natural person.

9.2. The confidentiality obligation shall not apply to this extent the Controller has given explicit permission to supply the information to third parties The supply to third parties is reasonably necessary considering the nature of the mission to the Controller or if the provision is legally required.

AUDIT
10.1. The Controller has the right to have audits done on the Processor with an independent third party bound by confidentiality obligations to verify compliance with the security conditions, GDPR compliance, and unauthorized use of Personal Data from the Processor’s employees, compliance with the Data Processing Agreement, and all issues reasonably connected thereto.

10.2. This audit may be performed after a year as well as in case of a substantiated allegation of misuse of Personal Data.

10.3. The Processor will offer its entire cooperation to the audit and shall make available employees and all reasonably relevant information, such as supporting data such as system logs.

10.4. The audit findings shall be evaluated from the parties in joint appointment and might or might not be implemented by either party or jointly.

10.5. The expenses of this audit will be borne by the Controller.

11.1. Pursuant to article 82(2) of this GDPR, the Processor will only be responsible for harm brought on by processing in which the Processor has not complied with duties of this GDPR specifically directed to chips or where the Processor has acted outside or against the Agreement.

11.2. The Processor shall be exempt from liability if it demonstrates that it is not in any way responsible for the event giving rise to the damage.

11.3. The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of relating to this Agreement will not exceed the entire paid-in fee in the Controller to the Processor within the 12 months previous to the date the claim is brought against the Processor.

ARTICLE 12. TERM AND TERMINATION
12.1. This Data Processing Agreement enters into force upon signature by the parties and about the date of the last signature, or on the Customer’s given permission to Personal Data processing and approval of Personizely’s Privacy Policy and DPA when subscribing to Personizely’s service.

12.2. This Data Processing Agreement is entered into for the duration of the Agreement, the subscription period of the Client, or for up to 90 days after the subscription has been canceled but the Client hasn’t withdrawn consent for information processing.

12.3. Upon termination of this Information Processing Agreement, whatever the reason or manner, the Processor will — in the selection of the Controller — reunite in original format or ruin all Personal Data available to it.

12.4. This Info Processing Agreement may be altered in precisely the exact same fashion as the Deal.

The Service processes two types of Personal Data: Client Personal Data and Data Controlled by Client. The Processor shall process the under Personal Data under the supervision of the Control, as specified in article 1 of the Information Processing Agreement:

Client Personal Data: When registering and using the Service we will ask you to provide us with certain Personal Data that includes:

Email address
First name and last name
Company name
Title
Phone number
IP address
Location (state and/or city)
You will decline to share certain Personal Information with us, in which case you won’t be able to sign up and utilize the Service.

Data Developed by Client: While using the Service, you are able to gather the following data about your customers utilizing the Service:

Data subject’s email address
Data subject’s first name and last name
Data subject’s company name
Data topic’s name
Data subject’s phone
Data subject’s address
Data subject’s bio
Data subject’s IP address
Data subject’s location (country or town )
Any other areas generated utilizing the Service to accumulate Data subject’s information
The Service doesn’t have direct connection with an individual’s clients, and every user is solely responsible for notifying his customers about the reason behind the collection of the Personal Data and the way this information is processed in or via the Service.

The Processor shall process the under Personal Data under the supervision of the Control, as stated in article 1 of this Information Processing Agreement:

The Controller represents and warrants that the description of Personal Data and the categories of data topics in this Appendix 1 is accurate and complete, and shall indemnify and hold harmless Process for all faults and claims that might arise from a violation of this representation and warranty.