Effective date: 2019-11-26
Andea and its associated companies act as joint data controllers, who are jointly responsible for compliance with data protection legislation. Andea is primarily responsible for the exercise of data subjects' rights and for providing information about data processing.
Safety of personal data is a fundamental value for Andea. We pay great attention to protecting your personal data and complying with the law when we collect, process and use such data.
For the avoidance of doubt, this policy does not apply to the extent Andea processes data in the role of a processor on behalf of Customers in accordance with the Andea Data Processing Addendum. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth herein.
Should you need any further information about processing or protection of your data by Andea, do not hesitate to contact us.
Andea means Andea Solutions limited liability company with a registered office at Kapelanka 26, 30-347 Kraków, Poland; and its associated companies like subsidiaries and affiliates, also referred to as “we”, “us”, “our”.
Customer means an entity of which you are an employee or contractor that has concluded a binding agreement with Andea for provision of services via Manufacturo.
CCPA means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Legal Grounds means the legal basis for the collection, processing and storage of your Personal Information.
Log Data means information that is automatically reported by your browser or mobile application each time you access Manufacturo or use Services and which is sent by your web browser that our servers automatically record. Log Data may include information such as your IP address, operating system, browser type, URL address, web requests, domain names, User login information. Log data are collected to identify bugs, performance issues, availability issues and perform security monitoring as well as statistical analysis.
Personal Information / Data means any data relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Manufacturo means Andea’s platform available in manufacturo.cloud domain. The exact address of the environment will be agreed individually with a client during the ordering process.
You means an individual that uses Manufacturo as a User designated by the Customer.
WHAT PERSONAL INFORMATION DO WE COLLECT?
We collect Information about you:
directly from our Customers when we create a Manufacturo account for you (usually our Customer provides us with all relevant data about you required during such process),
through your use of Manufacturo, e.g. when you contact us via trouble ticket system and when you visit or otherwise interact with our websites.
The categories of your Data that we collect may include:
Name and surname
SSH public key
Information about subscription and payments
Area in which the User works (e.g. specific facility, department or a product line)
Comments, voluntarily provided feedback, and any data provided in survey responses
Phone number/s (optional)
WHAT INFORMATION DO WE NOT COLLECT?
We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although we do not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account. If you store any sensitive personal information on our servers, you are responsible for complying with any regulatory controls regarding that data.
DEVICE AND USAGE DATA
We may also automatically collect information from your activities on Manufacturo through the usage of device and usage data (including Log Data). This information may include:
– Log data about usage of Manufacturo product and services, IP address (or proxy server), device and application identification, location, browser type, operating system and system configuration information and date/time stamps associated with your usage.
This information is used to help us provide and improve Manufacturo and to guarantee security and continued proper functioning.
COOKIES AND OTHER TRACKING TECHNOLOGIES
We also use a number of third party analytics and service providers (such as Functional Software Inc., Google Analytics) to help us evaluate Customers’ use of Manufacturo, compile statistical reports on activity and improve our content and website performance. In addition, we use our own internal analytics software to provide features and improve our content and performance.
We do not track your online browsing activity on other online services over time.
When you use our Services, we automatically collect information on the type of device you use, and the operating system version, to perform our Agreement with you.
We use mobile analytics software to allow us to better understand the functionality of mobile versions of our Services on your mobile device. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data and where the application was downloaded from. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.
PURPOSES AND LEGAL GROUNDS FOR WHICH WE PROCESS PERSONAL INFORMATION
Your local law may require us to set out the Legal Grounds on which we rely in order to process your Data. Here you will find an outline of the purposes for which we may process your Data, accompanied by an indication of the relevant Legal Grounds for such processing:
Managing User registrations: if we register for you an account, we base the processing of your Data on our legitimate interest to manage your User account on Manufacturo;
Providing Manufacturo and Services: we base the processing of your Data on our legitimate interest to operate and administer Manufacturo and to provide you with access to Manufacturo;
Providing necessary functionality: we base the processing of your Data on our legitimate interest to provide you with the necessary functionality required during your use of Manufacturo and Services;
Handling contact and User support requests: if you contact us or request User support, we base the processing of your Data on our legitimate interest to fulfill your requests and communicate with you;
Managing payments: if you have provided financial information to us, we base the processing of your Data on our legitimate interest to verify that information and to collect payments to the extent that doing so is necessary to complete a transaction;
Assessing capacity requirements: we base the processing of your Data on our legitimate interest to assess the capacity requirements of our Services to ensure that we are meeting the necessary capacity requirements of our service offering;
Pursuing claims or defending against claims: we base the processing of your Data on our legitimate interest to pursue any claims with regard to the usage of Manufacturo or Services or to defend against such claims;
Complying with legal obligations: we process your Data when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Information to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of Manufacturo, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests.
Ensuring accountability: we base the processing of your Data on our legitimate interest to ensure accountability, i.e. to demonstrate compliance with our obligations under the law, in particular GDPR;
Storing for archiving or statistical purposes: we base the processing of your Data on our legitimate interest to archive the Data or use them for statistical purposes.
YOUR RIGHTS RELATING TO YOUR PERSONAL INFORMATION
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws, these rights may include:
What does Andea do to protect your legal rights?
The right to be informed
the categories of personal information we collected about you,
the categories of sources for the personal information we collected about you,
our purpose for collecting that personal information,
the categories of third parties with whom we share that personal information.
The right of access
Andea ensures you the right to access your Information. You can request a copy of your Data that we hold about you by contacting us.
The right to rectification
Andea aims to keep your Personal Information accurate and complete. We encourage you to contact us if any of your Data is not accurate or not complete, so that we can keep your Data up-to-date.
The right to erasure
In some circumstances you have the right to the erasure of your Data without undue delay (sometimes called ‘right to be forgotten’). Those circumstances include situations when: the Data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; the processing is for direct marketing purposes; and the Data has been unlawfully processed. However, there are certain general exclusions of the right to erasure. Those general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise or defense of legal claims.
The right to restriction of processing
In some circumstances you have the right to restrict the processing of your Data. Those circumstances are the following: you contest the accuracy of the Data; processing is unlawful but you oppose erasure; we no longer need the Data for the purposes of our processing, but you require Data for the establishment, exercise or defense of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your Data. However, we will only otherwise process it: with your consent; for the establishment, exercise or defense of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
The right to Data portability
Andea must allow you to obtain and reuse your Data for your own purposes across Services in a safe and secure way without it affecting the usability of your Data. This right only applies to Personal Information that you have provided to us as the Data Controller. The Data must be held by us by consent or for the performance of a contract and the processing is carried out by automated means.
The right to object (opt-out right)
In some circumstances, you have the right to object to the processing of your Personal Information where, for example, your Data is being processed on the basis of legitimate interests and there is no overriding legitimate interest for us to continue to process your Data, or if your Data is being processed for direct marketing purposes.
The right to withdraw consent
If you have given your consent to process your Data but changed your mind later, you have the right to withdraw your consent at any time, and Andea has to stop processing your Data unless Andea has other Legal Ground for processing of your Data. The withdrawal of consent does not affect the compliance of the processing which was made on its basis before the withdrawal of consent.
The right to complain
You have the right to lodge a complaint with the Supervisory Authority in particular if you feel that Andea has not responded to your requests to solve a problem.
We will not discriminate against you for exercising any of your rights. Unless permitted by the respective law, we will not:
Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
HOW TO EXERCISE YOUR RIGHTS
To exercise your rights, please contact us using the contact information provided in the ‘Contacting us’ section below.
YOUR RIGHTS RELATING TO CUSTOMER DATA
HOW DO WE PROTECT YOUR PERSONAL INFORMATION
We take precautions including organizational, technical and physical measures to help safeguard against the accidental or unlawful destruction, loss, alteration and unauthorized disclosure of, or access to, the Personal Information we process or use. These standards include:
Personnel. Only qualified and authorized employees or subcontractors are permitted to access Personal Information, and they may do so only for permitted business functions;
Data Protection Officer. We appointed a Data Protection Officer who in particular watches over the security of your Data, monitors our compliance with GDPR, and is a point of contact for you in all matters regarding Data protection;
Security Measures. We use encryption in the transmission of your Personal Information between your system and ours, and we use various mechanisms to help prevent unauthorized persons from gaining access to your Personal Information (the description of our Security Standards is available upon request);
Additional Safeguards. We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Information. Our security procedures mean that we may request proof of your identity before we disclose Personal Information to you.
We want you to feel confident using Manufacturo and Services. However, you should also take care of how you handle and disclose your Data and avoid sending Personal Information through insecure channels or networks. It is important for you to protect yourself against unauthorized access to your password and to your computer. You are solely responsible for protecting your password, limiting access to your devices and signing out of websites after your sessions. If you have any questions about the security of our Services, please contact us by using the information in the “Contacting Us” section, below.
WHO DO WE SHARE PERSONAL INFORMATION WITH?
We do not sell or otherwise share personal information with third parties for marketing purposes.
We may disclose your Personal Information only to the following trusted third parties:
Safety, Legal Purposes and Law Enforcement. We may use and disclose the Data when we believe it is necessary: (i) under applicable law, and (ii) to comply with court order, law enforcement agencies, regulatory agencies, and other public and government authorities.
Service providers. We may also engage third parties that support the operation of our Services (acting on our behalf), such as Cloud, analytics or IT services providers.
INTERNATIONAL TRANSFER OF PERSONAL INFORMATION
We provide clear methods of unambiguous, informed consent at the time of data collection, when we do collect your personal data using consent as a basis.
We collect only the minimum amount of personal data necessary for our purposes.
We provide you with simple methods of accessing, correcting, or deleting the User Personal Information we have collected.
We limit the purpose for processing.
Andea may transfer Data to a country outside of the European Economic Area (EEA), i.e. to the territory of the United States of America, for which the European Commission has adopted an adequacy decision (Privacy Shield), in order to protect storage and processing of data using IT services, as well as operating the Platform and providing the Services.
Here is the list of entities to which we currently transfer your Data to the territory of the United States of America:
Microsoft Corp. (Microsoft Azure Services)
Zendesk Inc. (helpdesk services)
Functional Software Inc. (system log analytics services)
All these entities are compliant with Privacy Shield frameworks.
The EU-U.S. Privacy Shield framework is a “partial” adequacy decision, as, in the absence of a general data protection law in the U.S., only the companies committing to abiding by the binding Privacy Shield principles benefit from easier data transfers.
For the above reasons, in such cases your Personal Data will be transferred to the territory of the USA in accordance with applicable laws, with appropriate safeguards in place, only to Privacy Shield certified vendors (according to the EU Commission Decision 2016/1250) or by using standard contractual clauses adopted by the European Commission (EU Commission Decision on standard contractual clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC (the “Model Contract Clauses”)), or based on other applicable transborder data transfer mechanisms.
If you are located in the EEA, you may contact us if you require a copy of the safeguards which we have put in place to protect your Data transferred outside of the EEA and your privacy rights in these circumstances.
You may also learn more about:
Privacy Shield Program – here https://www.privacyshield.gov/Program-Overview and here https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en
EU Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries – here https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32010D0087 and here https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
RETENTION OF YOUR PERSONAL INFORMATION
Andea stores your Information for a period of time required for the purposes for which it was collected using generally accepted security standards and in compliance with applicable laws. Andea will not retain your Personal Information for longer than required. After expiry of the applicable retention periods, your Personal Information will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
Manufacturo is not intended for, designed to be used by, or targeted at children. We do not knowingly collect Data from any person who is an individual under the age of 13. If you are a parent or a guardian who knows or has otherwise discovered that your child under the age of 13 has submitted his or her Personal Information, or other Information, to us without your consent, permission or authorization, do not hesitate to contact us by using the information in the “Contacting us” section, below. We will promptly remove your child’s Personal Information or other Information from our system, cease the use of such Information and direct any third party with access to it to do the same.
CHANGES TO THIS POLICY
If you have questions regarding this Policy or you would like to exercise your rights regarding your Personal Information, you may contact us using the information below:
Our Data Protection Officer: Grzegorz Fura.
Andea Solutions Sp. z o.o.
Street: Kapelanka 26
Postal Code: 30-347
Telephone: +48 12 259 35 20