Particip8 OÜ (hereinafter Alvin or we) is an Estonian company offering data governance automation software and services accessible via website www.alvin.ai (hereinafter service).
Alvin is a B2B company, meaning that most of our clients are other companies. Hence, in these privacy terms we describe how the personal data of contact persons of our clients and visitors of our website (hereinafter you or users) is processed when using our services or visiting or website.
The terms and conditions on how we process the data (including personal data) uploaded to or created when using our services by our clients will be regulated in the data processing agreement between us and our client.
For a better understanding, we hereby explain some data protection terms used herein.
GDPR means the General Data Protection Regulation (EU) 2016/679), implementation of which started on 25 May 2018 and which is directly applicable in all European Union member states.
Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, by a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller means the entity that decides why and how the personal data is processed.
Processor means the entity which processes personal data on behalf of the controller.
1. Who is the data controller?
Registration code: 14656841
Address: Graniidi tn 8-11, Tallinn, Estonia
2. What type of data we collect and process?
Alvin collects different types of information when you use our services. As said above, we are a B2B business, hence we primarily use your personal data to communicate with the client for provision of services. Thus, processing of your personal data is based on our legitimate interest – you are the representative via whom our client communicates with us and vice versa.
2.1. Information provided by a user of our services
When using our services, you usually provide us the following data: your first and last name, e-mail address, geographic area, position in the company (i.e. our client), language preferences. You may provide this info when signing-up as a user of our services, when using our services via web, when giving us a marketing permission to receive messages from us, when giving us feedback or leave us a message to contact you or otherwise getting in touch with us.
When you are not a user of our services but visit our website and/or public areas of service you also may provide us with some limited personal information like your first and last name, e-mail address, company you are working for, etc.
2.2. Automatically collected information
If you use services as a user or visit our website or use publicly accessible areas of the service, we may automatically record certain information from your device by using different technologies such as cookies and web beacons.
The data automatically collected may include: IP addresses (to determine a user’s location) , information about browsers and user´s device, browsing activity across different sites, pages or other content you view or interact with on the service, dates and times of the visit, access, or use of the service.
2.3. Information obtained from other sources
We may also obtain information (incl personal data) from public sources, such as commercial/trade registers, the internet and from third parties, such as credit registers, for background and credit information analysis.
2.4. Information collected by our client
When using the services, our clients (the companies you represent/work for) upload and process various data (including personal data of their employees, customers, business partners, etc) through and to our services. In such a case, the personal data is under control of our client and Alvin may process the data only for the purposes and to the extent necessary to provide services to the client. So, in such a case Alvin acts as a data processor according to the data processing agreement concluded with its client.
3. Collecting information via integrated services
We may allow you to (i) access our services by using your account information (username and password) with certain third party service providers (e.g. via Google account) or (ii) otherwise authorize a third party service for uploading information (incl personal data) to our service or for provision of data to us. By authorizing us to connect with such integrated third party services, you authorize us to access and store the information that the third party service provider makes available to us (e.g. your name, date of birth, gender, email address, etc) and to use such data it in accordance with these privacy terms. To understand what information such third party service providers make available to us, please read the privacy terms of the third party service providers, check your privacy settings on such services and change the settings if needed and as appropriate.
3. How do we use your data and what is the legal basis for the use?
As explained above, we mainly use your data for rendering of the services which the client has ordered from us and for communicating with the client you represent. Doing that we use the data for (i) business operations (operating, maintaining, improving the features of our services, communicating with clients), (ii) business development (analyzing usage statistics, preferences, trends for development of new services and products), (iii) marketing (news and offers relating to our services and products). You may always opt-out of receiving any marketing communications as described below under What are your rights.
The legal basis for doing this is our legitimate interest – we need to communicate with a legal person and if you act as representative of one, we assume that there is a balance of interest and we do not conflict with your interests, rights and freedoms.
In case processing of the personal data is based on the legitimate interest, the data subject always has the right to object to such processing. If you do object, we will inform our client asking to provide us with a new contact person or otherwise comment on your objection.
4. With whom may we share your data?
With Alvin your personal data is accessible only to those employees who need the data to perform their work duties (on a so-called need-to-know basis). Outside Alvin, we may share you data with the following persons under the following circumstances:
Persons providing services to us: Your data may be accessible by the persons providing services to us (data processors) and processing your data on our behalf and to the extent needed to perform such services. These include providers of hosting, maintenance, invoicing, and development services.
Public authorities and state institutions (e.g. police, courts, data protection authorities): we will only disclose your data when and to the extent we are legally obliged to do it.
Third parties in connection with legal processes: we may share or disclose your data, if it is necessary to (i) protect our property and rights (incl our service), (ii) enforce our contracts, (iii) defend ourselves against any third-party claims, (iv) protect ourselves, our service, our clients users and visitors from fraudulent, abusive, or unlawful uses or activity.
Third parties in connection with corporate transactions: We may share your information with third parties in the context of a corporate transaction, such as the sale of a company or its business/assets to another company. Also, in the context of the creation of a joint venture, merger or other reorganization.
As a rule, your personal data is processed in the European Economic Area (EEA). However, if there is a need to transfer the data out of EEA, we follow GDPR requirements regulating such transfers.
5. How long do we retain your data?
We retain your data for as long as necessary for the purposes of processing described in these privacy terms and to comply with any mandatory legislation: we will retain the user account data as long you are an active user and for thirty days after that; we are legally obliged to keep invoicing data and the documentation which it is based on for 7 years; we keep our backups for 90 days; we keep information on legal transactions between us and our client for the statutory limitation period set for civil claims (3 years, 10 years in case of intentional breach) to be able to protect ourselves against any legal claims and to file legal claims for our protection
In addition, we may process the data in an aggregated or anonymized format, for example for analysis and statistical purposes and to improve and develop our services.
6. What are your rights?
Right to access – you have the right to know which data we hold about you (if any).
Right to data rectification – you have the right to require corrections to your personal data in case they are inaccurate or incomplete.
Right to data deletion – you have the right under certain conditions to request the deletion of your personal data including in situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data.
Right to restrict processing – you have the right under certain circumstances to forbid or restrict the processing of your personal data for a certain period (e.g. you have submitted an objection concerning data processing).
Right to object – You have the right to object to data processing which is based on our legitimate interest. Alvin will stop processing your personal data upon such objection, unless we can demonstrate compelling legitimate grounds for the processing or processing is needed for the establishment, exercise, or defense of legal claims. You also have the right to object at any time to processing of your personal data for direct marketing. Upon receiving such objection, we shall stop processing your personal data for direct marketing.
In order to exercise your rights, please send your respective inquiry to email@example.com. We have the right to respond to your query within 30 days.
For the sake of clarity, the provisions of this Section 6 do not apply to personal data that Alvin processes on behalf of its clients. In this case, the personal data is controlled by the client and managed according to the client's privacy terms. Hence, all data subject´s requests should be made to the client liable for uploading and storage of such data into the service.
7. The right to submit a complaint to a supervisory authority
Should you desire further information concerning your personal data or exercising your rights, you have the possibility to contact us at firstname.lastname@example.org.
If you believe that the processing of your personal data breaches the requirements of the GDPR, you have the right, without prejudice to any other administrative or judicial remedy, to file a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. In Estonia, the relevant supervisory authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon).
8. Amending these privacy terms
Alvin has the right to unilaterally change these privacy terms in the event of changes in personal data protection legislation or our own data processing practices. We will notify you of changes on our website. The latest version of the privacy terms is always available on our website www.alvin.ai/privacy.