VYING TECHNOLOGIES OU is the company owning www.vying.io, hereinafter referred to as VYING, with registered office in ESTONIA, Harju County, Tallinn town, district Lasnamae linnaosa, Sepapaja tn Street, number 6, VAT code EE101978154, registered with the Trade Register under number 14073161 having the e-mail address email@example.com, to which you can send any kind of questions/complaints.
This document complements and is an integral part of the General Terms and Conditions and Data Protection Agreement and it is specifically addressed to VYING’ CUSTOMERS. It defines to what information VYING has access to, for what purpose, and for how long it is stored. This policy defines VYING as data controllers since VYING determines the means and purpose of the personal data processing. For the processing operations where the CUSTOMER collects the data and asks VYING to serve on their behalf as data processors, please visit the Data Protection Agreement section.
This document has been aligned with the requirements of the General Data Protection Regulation or “GDPR” which has become applicable as of 25 May 2018. Here you can consult the full legal text. The definitions of “Personal Data”, “Data Subject”, “Personal Data Breach”, “Process”, “Processor” and “Controller” will each have the meaning given to them in the GDPR.
1.1.1. What and how. By filling out one of our Forms we directly collect the necessary information for entering a pre-contractual relationship with VYING. For example, for the contact form we collect full name, e-mail, together with technical data submitted by the browser.
1.1.2. Purpose. We collect this information as a prerequisite for entering a contractual relationship with VYING
1.1.3. Legal basis. We process this information based on consent.
1.1.4. Who has access.One employee has access to this data on a need to know basis. This information is also available to our sub processors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.1.5. How long. We keep the registration data for as long as the user is active. After 30 days of inactivity we delete the data together with all personal information.
1.2.1. What & How. When CUSTOMERS require VYING services, we ask personal information in order to identify them and to enter a contractual relationship. The information we directly collect from is: name/organization name, e-mail address, contact address, telephone and tax attribute together with technical data submitted by the browser (such as the IP address). Besides that we'll ask for copies of documents to prove the fiscal residency such as a personal ID document with picture for individuals and corresponding identification documents of the company for business customers. In case this data cannot be provided, the refusal determines the failure to conclude a valid service agreement and/or the impossibility of its execution.
1.2.2. Purpose. This information is needed for entering a contractual relationship as well as for legal obligations and for demonstrating financial/contractual obligations upon request from public authorities.
1.2.3. Legal basis. We process this information based on our contractual relationship.
1.2.4. Who has access. One employee has access to this data on a need to know basis. This information is also available to our sub-processors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.2.5. How long. This information is stored for the duration of the contractual relationship and 5 years afterwards.
1.3.1. What & How. We collect e-mail and IP address, browser and country in different technical and statistical instances, as described below. This information is collected indirectly via specific tools mentioned in our Specification page.
1.3.2. Purpose. This information is necessary for debugging, log management and abuse prevention purposes. We also use this data for backup purposes. For example, for preventing attacks, we monitor and collect IP addresses in order to identify and stop the abuse coming from a particular IP address. We also perform statistics at IP address level for internal use only. The e-mails in discussion are in general transactional e-mails sent by the CUSTOMER's sites for various actions and notifications, such as password reset, comment notifications, new users notifications etc. These are stored for debugging purposes, such as cases when these e-mails do not arrive at their destination.
1.3.3. Legal basis. Our basis for processing this information is a legitimate interest to be able to protect and secure our service.
1.3.4. Who has access. Our employees in the development and support team, contractors and our sub-processors with whom we cooperate on a contractual basis.
1.3.5. How long. There are different retention periods for the different tools we use. For transactional e-mails we store information for 3 days. For debugging and log management we store the information for 14 days from its communication.
1.4.1. What & How. CUSTOMER’s e-mail communication with VYING is recorded and stored.
1.4.2. Purpose. We collect this information directly from the CUSTOMER in order to process the CUSTOMER’s request, to respond to claims and to improve our products, services and websites by creating internal and public documentation, as well as adding new features in our service, based on the feedback we receive. It is possible to use the collected information in order to provide, maintain, protect and improve our services and to develop new ones.
1.4.3. Legal basis. The legal basis under which we process this information is our contractual relationship.
1.4.4. Who has access: one employee has access to this data on a need to know basis. This information is also available to our sub-processors’ authorized persons and to our collaborators and contractual partners with whom we cooperate based on confidentiality obligations and data processing agreements.
1.4.5. How long. This information is stored for the duration of the contractual relationship and 5 years after that, for quality assurance and improvement of our services.
VYING processes the collected information on servers situated in EU and abroad, especially in the US, under the Privacy Shield agreement. It is highly possible that we process the obtained information outside the CUSTOMER’s country. We rely on sub-contractors for specific parts of our operations, however we only work with sub-processors who take GDPR compliance seriously and similar data protection laws.
All VYING computers are password protected with strong passwords (minimum 10 characters long, letters, numbers and special symbols). In case a laptop is stolen or lost, the corresponding SSH key used for connecting to the VYING infrastructure is immediately disabled in order to prevent unauthorized access to any parts of the infrastructure. The data centers where the CUSTOMER’s personal data is stored are strictly monitored and protected, according with each supplier's policies.
A personal data breach can happen for a number of reasons, for example: inappropriate access controls allowing unauthorized/unnecessary access to data, equipment failure, human error, hacking attack, loss or theft of data or equipment on which data is stored, or through which it can be accessed.
As soon as a personal data breach is identified or suspected we will assess whether a full investigation into the breach is required.
The investigation will:
a) Establish the nature of the incident, the type and volume of data involved and the identity of the data subjects
b) Consider the extent of a breach and the sensitivity of the data involved
c) Perform a risk assessment
d) Identify actions VYING needs to take to contain the breach and recover information
e) Assess the ongoing risk and actions required to prevent a recurrence of the incident.
The General Data Protection Regulation (GDPR) requires data controllers that all relevant breaches are reported to the supervisory authority within 72 hours of becoming aware of a relevant breach. If the breach is evaluated to result in a high risk for the rights and freedoms’ of the data subject, the incident it will also be reported to the CUSTOMER without undue delay.
At the end of our contractual relationship we will delete the CUSTOMER’s personal data, as well as existing copies no later than 30 days after the contractual relationship has ended, unless the applicable European Union or Estonian law requires storage of the data.
GDPR makes data subject's rights much more explicit. Please find below information about individual rights. In order to exercise your rights as a CUSTOMER, please send us your request by email at firstname.lastname@example.org The request will be handled by our Support and Administrative teams, based on the nature of the request. We will respond promptly or no later than 30 days.
This is a right for an individual to obtain confirmation whether a controller processes personal information about them and, if so, to be provided with details of that personal information and access to it. Individuals should receive a description of the personal information being processed, for which purposes personal information is being collected and processed and the recipients or categories of recipients to whom personal information is disclosed. The communication of individual’s personal information will be in an understandable form and without compromising the privacy of other individuals. An individual may make a request only in respect of their own personal information. However, an individual may give their consent, in writing, to another individual to make a request on their behalf (e.g. a lawyer acting on behalf of the individual). A right to access may be restricted where providing access would be impossible or involve disproportionate effort. VYING may also deny or limit access to personal information to the extent that granting full access would reveal confidential commercial information (e.g. where the information is subject to contractual obligations of confidence or is being processed as part of an ongoing audit, investigation or enforcement activities).
Individuals have the right to correct data if it is inaccurate or incomplete.
Individuals can request the data controller to erase personal information about them in case the data collection was unlawful or on other legal grounds.
Individuals have the right to object to the processing of their data.
This is a right for an individual to require a data controller to restrict processing of personal information about them in order to limit future processing operations.
You have the right to receive your personal information in a structured, commonly used and machine readable format and to transmit that information to another controller, if certain grounds apply.
Individuals have the right to complain to the National Data Protection Authority and to address a court. Where the processing operations are based on consent, you have the right to withdraw your consent at any time. Withdrawing your consent will only have effect in the future, the processing operations prior to withdrawal of consent will remain valid.
The cookie is a small file of letters and numbers that will be stored on a user’s computer, mobile terminal or other equipment from which the Internet is accessed without allowing it to be personally identified.
The cookie is installed through the request issued by the user’s terminal to a vying.io server or to a third-party server.
Only one cookie per session that allows us to show you the cookie banner. For now.
If we will add some more we will keep you up to date.
The cookies per session are temporary files that remain in the user’s terminal until the end of the session (or maximum one day) or until the browser is closed.
Why don't we use more cookies?
Well, because we do not have time to use the infos that cookies can deliver.And because we do not provide a login option yet.Also, because GDPR got so complicated, we prefer not to set them just to have cookies.
As of 1th of January 2020 we started using Google Analytics.You can opt out of those cookies by pushing opt-out of Google Analytics
If you want to block cookies, some site functionality will be stopped, and this may cause some malfunctions or errors in using it.
For example, blocking cookies can prevent you getting our cookie info. 🙂
If you agree to these limitations and want to block cookies, you can find at www.youronlinechoices.com very interesting informations, but also clear instructions on how to disable them on the web the browser that you are using.
On www.allaboutcookies.org you can find everything with and about cookies. Also on www.cookiepedia.co.uk you can find information about each cookie separately. 🙂
Please keep in mind that cookies are not a bad thing at ALL. They can help you track a lot of useful things on the world wide web, can help your online stores not to show stupid things and thus waste your time, but only what matters to you, also they can help taylor content for kids and a lot more.