Privacy Policy

Version 3 – July 15, 2019 

1. Our commitment to Privacy

Your Privacy is critically important to us.

At IOSAE, we follow a few fundamental privacy principles :

• We are thoughtful about the personal information we ask you to provide and the personal information that we collect about you through the operation of our services.
• We store personal information for only as long as we have a reason to keep it.
• We aim to make it as simple as possible for you to control what information about you is shared publicly (or kept private), indexed by search engines, and permanently deleted.
• We help protect you from overreaching government demands for your personal information.
• We aim for full transparency on how we gather, use, and share your personal information.

Below is our Privacy Policy, which incorporates and clarifies these principles.

2. Who are we and what does this Privacy Policy cover?

We are IOSAE Lda. (“IOSAE”, “we”, “us”, “our”), a professional services firm specialized in organizational development, stewardship, open leadership, decentralized and distributed management, and the people behind a variety of products and services designed to unleash human creativity in organizations.

This Privacy Policy applies to information that we collect about you when you use:

• Our websites, including:
  • iosae.com;
  • hiveflex.org;
  • agilityconf.com;
  • scrumconf.com;
  • agileconnect.org; and
  • seriouslearning.org;
• Our other products and services that are available on or through our websites, such as:
  • IOSAE Training Courses;
  • IOSAE Consulting Services;
  • HiveFlex Official Courses;
  • HiveFlex Subscriptions;
  • HiveFlex Credentials and Certifications;
  • ScrumConf Conference Tickets;
  • AgilityConf Conference Tickets; and
  • AgileConnect Meetups;
• Other partners’ websites that use our Services, while you are logged in to your account with us.

Throughout this Privacy Policy, we will refer to our websites, products, and services collectively as “Services”. Below we explain how we collect, use, and share information about you, along with the choices that you have with respect to that information.

3. Creative Commons ShareAlike License

We have decided to make this Privacy Policy available under a Creative Commons ShareAlike license (CC BY-SA 4.0). You are more than welcome to copy it, adapt it, and repurpose it for your own use: just make sure to revise the language so that your policy reflects your actual practices.

Also, if you do use the policy we would appreciate a credit and link to IOSAE somewhere on your website as we do: some parts of this license are based on Automattic’s Privacy Policy (thank you!), the company behind WordPress (thank you once again!).

4. Definitions

The data protection declaration of IOSAE is based on the terms used by the European legislator for the adoption of the European Union’s General Data Protection Regulation (the “GDPR”). Our data protection declaration should be legible and understandable for the general public, as well as our customers and business partners. To ensure this, we would like to first explain the terminology used.

In this data protection declaration, we use, inter alia, the following terms:

4.1. Personal data

Personal data means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4.2. Data subject

The data subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing.

4.3. Processing

Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

4.4. Restriction of processing

Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

4.5. Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

4.6. Pseudonymization

Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

4.7. Controller, or controller responsible for the processing

The controller, or controller responsible for the processing, is the natural or legal person, public authority, agency or any other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

4.8. Processor

The processor is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

4.9. Recipient

The recipient is a natural or legal person, public authority, agency or any other body, to which the personal data are disclosed, whether a third-party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

4.10. Third-party

Third-party is a natural or legal person, public authority, agency or any other body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

4.11. Consent

Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5. Who is the Data Controller?

The controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in the Member states of the European Union and other provisions related to data protection is IOSAE, an EU-based company providing Services worldwide.

For any clarification, question or requirement related to your privacy and the processing of your personal data, you can contact us at any time by sending an email request to contact [ AT ] iosae.com (replace [ AT ] with @), or by writing to the address of IOSAE:

• IOSAE Lda.
  Rua D. Nuno Álvares Pereira, 1838 – 3D
  4585-014 Baltar
  Portugal

6. What personal data do we collect?

We only collect information about you if we have a reason to do so–for example, to provide our Services, to communicate with you, or to make our Services better. We collect information in three ways:

• if and when you provide information to us;
• automatically through operating our Services; and
• from outside sources.

Let’s go over the information that we collect.

6.1. Information you provide to us

It’s probably no surprise that we collect information that you provide to us. The amount and type of information depends on the context and how we use the information. Here are some examples:

• Basic account information: we ask for basic information from you in order to set up your account. For example, we require individuals who sign up for an account on one of the websites managed by IOSAE to provide an email address along with a username or name, depending on the service or website, and that’s it. You may provide us with more information – like your address and other information you want to share – but we don’t require that information to create an account on one of the websites managed by IOSAE.
• Public profile information: if you have an account with us, we collect the information that you provide for your public profile. For example, if you have an account on one of the websites managed by IOSAE, your username is part of that public profile, along with any other information you put into your public profile, such as a photo or an “About Me” description. Your public profile information is just that — public — so please keep that in mind when deciding what information you would like to include.
• Transaction and billing information: If you buy something from us – a HiveFlex subscription or training course, a Conference ticket, for example – you will provide additional personal and payment information that is required to process the transaction and your payment, such as your name, company information, credit card information, and contact information.
• Content information: depending on the Services you use, you may also provide us with information about you in draft and published content. For example, if you write a blog post that includes biographic information about you, we will have that information, and so will anyone with access to the Internet if you choose to publish the post publicly. This might be obvious to you…but it’s not to everyone!
• Account credentials: depending on the Services you use, you may provide us with credentials (username and password) for one of your website accounts with us. For example, HiveFlex members may provide us with these credentials in order to troubleshoot a problem with their own account or to allow us to troubleshoot some issues on the website more quickly.
• Communications with us: you may also provide us information when you respond to surveys, communicate with us about a support question, post a question in our public forums, or sign up for a newsletter like the one we send. When you communicate with us via form, email, phone, website comment, or otherwise, we store a copy of our communications (including any call recordings as permitted by applicable law).

6.2. Information we collect automatically

We also collect some information automatically:

• Log information: like most online service providers, we collect information that web browsers, mobile devices, and servers typically make available, such as the browser type, IP address, unique device identifiers, language preference, referring website, the date and time of access, operating system, and mobile network information. We collect log information when you use our Services – for example when you create or make changes to your account on one of the websites managed by IOSAE.
• Usage information: we collect information about your usage of our Services. For example, we collect information about the actions that users perform on a website – in other words, who did what, when and to what thing on a website (e.g., [username] deleted “[title of post]” at [time/date]). We also collect information about what happens when you use our Services (e.g., page views and other parts of our Services) along with information about your device (e.g., screen size, name of cellular network, and mobile device manufacturer). We use this information to, for example, provide our Services to you, as well as get insights on how people use our Services, so we can make our Services better.
• Location information: we may determine the approximate location of your device from your IP address. We collect and use this information to, for example, calculate how many people visit our Services from certain geographic regions. We may also collect information about your precise location via our mobile apps (when, for example, you post a photograph with location information) if you allow us to do so through your mobile device operating system’s permissions.
• Stored information: we may access information stored on your mobile device via our mobile apps. We access this stored information through your device operating system’s permissions. For example, if you give us permission to access the photographs on your mobile device’s camera roll, our Services may access the photos stored on your device when you upload a really amazing photograph of the sunrise to your website.
• Interactions with other website users: we collect some information about your interactions with other website users while you are logged in to your account with us, such as your “Likes” and the fact that you commented on a particular post, so that we can, for example, recommend posts we think may interest you. As another example we collect information about the comments you make while logged in to your account and use that information to, for example, tally up statistics about your comments (check them out in your dashboard!) and provide the information about your comments in your public profile.
• Information from cookies & other technologies: A cookie is a string of information that a website stores on a visitor’s device, and that the visitor’s browser provides to the website each time the visitor returns. Pixel tags (also called web beacons) are small blocks of code placed on websites and emails. IOSAE uses cookies and other technologies like pixel tags to help us identify and track visitors, usage, and access preferences for our Services, as well as track and understand email campaign effectiveness and to deliver targeted ads. For more information about our use of cookies and other technologies for tracking, including how you can control the use of cookies, please see our Cookie Policy.

6.3. Information we collect from other sources

We may also get information about you from other sources. For example, if you create or log into one of your accounts on one of the websites managed by IOSAE through another service (like Linkedin) or if you connect your account to a social media service (like Twitter), we will receive information from that service (such as your username, basic profile information, and friends list) via the authorization procedures used by that service. The information we receive depends on which services you authorize and any options that are available.

7. Why and how do we use your personal data?

We use information about you as mentioned above and for the purposes listed below:

• To provide our Services – for example, to set up and maintain your account, charge you for any of our paid Services, or provide essays and stories for your reading pleasure through our websites;
• To further develop and improve our Services – for example, by adding new features that we think our users will enjoy or will help them to create and manage their content more efficiently;
• To monitor and analyze trends and better understand how users interact with our Services, which helps us improve our Services and make them easier to use;
• To measure, gauge, and improve the effectiveness of our advertising, and better understand user retention and attrition – for example, we may analyze how many individuals purchased a Service plan after receiving a marketing message or the features used by those who continue to use our Services after a certain length of time;
• To monitor and prevent any problems with our Services, protect the security of our Services, detect and prevent fraudulent transactions and other illegal activities, fight spam, and protect the rights and property of IOSAE and others, which may result in us declining a transaction or the use of our Services;
• To communicate with you, for example through an email, about offers and promotions offered by IOSAE and others we think will be of interest to you, solicit your feedback, or keep you up to date on IOSAE and our products and services (which you can unsubscribe from at any time); and
• To personalize your experience using our Services, provide content recommendations (for example, through our reader post suggestions), target our marketing messages to groups of our users (for example, those who have a particular service plan with us or have been our user for a certain length of time), and serve relevant advertisements.

8. What is our legal basis for collecting and processing your personal data?

Under the EU data protection laws, our legal grounds for collecting and processing information about you is that our use of your information is based on the grounds that:

1. The use is necessary in order to fulfill our commitments to you under the applicable terms of service or other agreements with you or is necessary to administer your account – for example, in order to enable access to our website on your device or charge you for a service paid plan; or
2. The use is necessary for compliance with a legal obligation; or
3. The use is necessary in order to protect your vital interests or those of another person; or
4. We have a legitimate interest in using your information – for example, to provide and update our Services; to improve our Services so that we can offer you an even better user experience; to safeguard our Services; to communicate with you; to measure, gauge, and improve the effectiveness of our advertising; and to understand our user retention and attrition; to monitor and prevent any problems with our Services; and to personalize your experience; or
5. You have given us your consent – for example before we place certain cookies on your device and access and analyze them later on, as described in our Cookie Policy.

9. Do you share personal data with others?

9.1. Information we manage as controller

First of all, we do not sell our users’ private personal information.

Nevertheless, on a regular basis, and always with appropriate safeguards on your privacy, we need to share certain information about you with our employees and third parties for specific processing purposes outlined in section 10, “Who will process your personal data?”.

9.2. Information you share publicly

Information that you choose to make public is – you guessed it – disclosed publicly.

That means, of course, that information like your public profile, posts, other content that you make public on our website, and your “Likes” and comments on IOSAE’s websites, are all available to others – and we hope you get a lot of views! For example, the photo that you upload to your public profile, or a default image if you haven’t uploaded one, is your Globally Recognized Avatar, or Gravatar – get it? :). Your Gravatar, along with other public profile information, will display with the comments and “Likes” that you make on any of the websites managed by IOSAE. Public information may also be indexed by the search engines or used by third parties.

Please keep all of this in mind when deciding what you would like to share.

10. Who will process your personal data?

In the limited circumstances spelled out below, and with appropriate safeguards on your privacy, we need to share information about you with our employees and third parties:

• With subsidiaries, employees, and independent contractors: we may disclose information about you to our subsidiaries, our employees, and the individuals we hired as independent contractors that need to know the information in order to help us provide our Services or to process the information on our behalf. We require our subsidiaries, employees, and independent contractors to follow this Privacy Policy for personal information that we share with them.
• With third-party vendors: we may share information about you with third-party vendors who need to know information about you in order to provide their services to us or to provide their services to you. This group includes vendors that help us provide our Services to you (like  payment providers that process your credit and debit card information, payment providers you use for our e-commerce operations, fraud prevention services that allow us to analyze fraudulent payment transactions, postal and email delivery services that help us stay in touch with you, and customer chat and email support services that help us communicate with you), those that assist us with our marketing efforts (e.g. by providing tools for identifying a specific marketing target group or improving our marketing campaigns), and those that help us understand and enhance our Services (like analytics providers), who may need information about you in order to, for example, provide technical or other support services to you. We require vendors to agree to privacy commitments in order to share information with them. Other vendors are listed in our more specific policies (e.g. our Cookie Policy).
• To comply with legal and regulatory requirements: we do not voluntarily provide governments with access to data about users for any reason, including for the purposes of law enforcement, intelligence gathering, or other surveillance. We only disclose information about you to third parties in response to a valid search warrant or court order, in each case issued by a Portuguese authority. For more information on how we respond to requests for information about IOSAE’s users, please see our Legal Guidelines.
• To protect the rights, property, and others: we may disclose information about you when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of IOSAE, third parties, or the public at large – for example, if we have a good faith belief that there is an imminent danger of death or serious physical injury.
• In the case of a business transfer: in connection with any merger, sale of company assets, or acquisition of all or a portion of our business by another company, or in the unlikely event that IOSAE goes out of business or enters bankruptcy, user information would likely be one of the assets that is transferred or acquired by a third-party. If any of these events were to happen, this Privacy Policy will continue to apply to your information and the party receiving your information may continue to use your information, but only consistent with this Privacy Policy.
• With your consent: we may share and disclose information with your consent or at your direction. For example, we may share your information with third parties with which you authorize us to do so, such as the social media services that you connect to one of IOSAE’s websites.
• To aggregate or de-identify information: we may share information that has been aggregated or reasonably de-identified so that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services and we may share a hashed version of your email address to facilitate customized ad campaigns on other platforms.
• To administer our websites: If you have an account on one of the websites managed by IOSAE and interact with them, your information may be shared with the administrators of those websites. For example, if you leave a comment on a website that uses our Services, your IP address and the email address associated with your account on one of the websites managed by IOSAE may be shared with the administrator(s) of the website where you left the comment. Or if you make a payment to a website, your public display name, user name, and email address may be shared with the administrator(s) of the website.
• To support you: if you send us a support request (for example, via a support email or one of our feedback mechanisms), we reserve the right to publish that request in order to help us clarify or respond to your request or to help us support other users.

11. Do we transfer your personal data outside of the EU?

11.1. Transferring information

Because IOSAE’s Services are offered worldwide, the information about you that we process when you use the Services in the EU may be used, stored, and/or accessed by individuals operating outside the European Economic Area (“EEA”) who work for us, other members of our group of companies, or third party data processors. This is required for the purposes listed in the “Why and how do we use your personal data?” section above. When providing information about you to entities outside the EEA, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Policy as required by applicable law. These measures include:

• In the case of US based entities, entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield; or
• In the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.

You can ask us for more information about the steps we take to protect your personal information when transferring it from the EU.

11.2. Ads and analytics services provided by others

Ads appearing on any of our Services may be delivered by advertising networks. Other parties may also provide analytics services via our Services. These ad networks and analytics providers may set tracking technologies (like cookies) to collect information about your use of our Services and across other websites and online services. These technologies allow these third parties to recognize your device to compile information about you or others who use your device. This information allows us and other companies to, among other things, analyze and track usage, determine the popularity of certain content, and deliver advertisements that may be more targeted to your interests. Please note this Privacy Policy only covers the collection of information by IOSAE and does not cover the collection of information by any third party advertisers or analytics providers.

12. How long do we keep your personal data?

We generally discard information about you when we no longer need the information for the purposes for which we collect and use it – which are described in section 7 above on “Why and how do we use your personal data?” – and we are not legally required to continue to keep it.

For example, we keep the web server logs that record information about a visitor to one of IOSAE’s websites, such as the visitor’s IP address, browser type, and operating system, for approximately 30 days. We retain the logs for this period of time in order to, among other things, analyze traffic to IOSAE’s websites and investigate issues if something goes wrong on one of our websites.

As another example, when you delete a post, page, or comment from one of IOSAE’s websites, it stays in your Trash folder for thirty days just in case you change your mind and would like to restore that content – because starting again from scratch is no fun, at all. After the thirty days are up, the deleted content may remain on our backups and caches until purged.

13. How do we keep you and your personal data secure?

While no online service is 100% secure, we work very hard to protect information about you against unauthorized access, use, alteration, or destruction, and take reasonable measures to do so, such as monitoring our Services for potential vulnerabilities and attacks.

Therefore, IOSAE has implemented several security measures, in line with the best national and international practices, which enable the protection of your personal data. This includes technological controls, administrative, technical and physical measures and procedures which ensure the protection of your personal data, and prevent improper use, unauthorized access and disclosure, loss, improper or negligent modification, or unauthorized destruction of personal data. In terms of data security, we apply the same principles of continuous improvement which we use in all our daily activities. Amongst others, we highlight the following security measures:

• Access to your personal data is restricted to those who need them for the purposes stated above;
• Personal data are stored and shared only using secure techniques;
• Information systems are protected to prevent unauthorized access to your personal data;
• Redundancy of storage, processing and communication devices, to avoid availability loss;
• Implementation of mechanisms to guarantee the integrity and quality of your personal data;
• Requiring you to establish a unique username and password to access your account on any of IOSAE’s websites;
• Continuous monitoring of information systems, with the aim of preventing, detecting and avoiding improper use of your personal data;
• Use of secure communication protocols such as Transport Layer Secure (TLS) to encrypt all personal data that you send us during the order process;
• Automatic transfer of all your credit/debit card details (card number, cardholder name, and CVV) to our authorized payment processors so as not to save those details that would allow third parties to transact using that same credit card/debit.

14. Other things you should know

…

15. What are your data protection rights?

As an European Union Citizen you have certain rights in relation to the personal data we hold about you, which we detail below. Some of these only apply in certain circumstances as set out in more detail below. We also set out how to exercise those rights. Please note that we will require you to verify your identity before responding to any requests to exercise your rights and that can include asking a set of security questions to ensure it is you. When you have appointed someone else to do the request on your behalf, that person and/or organization needs to show a valid power of attorney issued by you. We must respond to a request by you to exercise those rights without undue delay and at least within one month (although this may be extended by a further two months in certain circumstances).

15.1. Right to be informed

Each data subject shall have the right granted by the European legislator to obtain from the controller the confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wishes to avail himself of this right of confirmation, he or she may, at any time, contact our Data Protection Officer, or another employee of IOSAE.

Relevant provisions in the GDPR: see Article 12, Article 13, Article 14, Recital 58, Recital 60, Recital 61, and Recital 62.

15.2. Right of access

Each data subject shall have the right granted by the European legislator to obtain from the controller free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
• the existence of the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22 (1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Furthermore, the data subject shall have a right to obtain information as to whether personal data are transferred to a third country or an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wishes to avail himself of this right of access, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE, and request a copy of his/her information. However, if you require more than one copy of the data we hold about you, we may charge a reasonable administration fee.

Please note that:

• in “My Account” dashboards, you can see information about you, namely your account details (such as name, email, phone number, date of birth), the addresses you use for billing and shipping, your order history and shopping preferences;
• we may not provide you with certain personal data if providing it would interfere with another’s rights (e.g. where providing the personal data we hold about you would reveal information about another person) or where another exemption applies.

Relevant provisions in the GDPR: see Article 12, Article 15, Recital 63, and Recital 64.

15.3. Right to rectification

Each data subject shall have the right granted by the European legislator to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wishes to exercise this right to rectification, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Please note that:

• you can edit your personal information in “My Account” settings;
• You can also request the correction by emailing us;
• In some cases we can ask you to explain in detail why you believe the personal data we hold about you to be inaccurate or incomplete so that we can assess whether a correction is required;
• Whilst we assess whether the personal data we hold about you is inaccurate or incomplete, you may exercise your right to restrict our processing of the applicable data as described below.

Relevant provisions in the GDPR: see Article 5, Article 12, Article 16, and Article 19.

15.4. Right to erasure (right to be forgotten)

Each data subject shall have the right granted by the European legislator to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies, as long as the processing is not necessary:

• The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• The data subject withdraws consent to which the processing is based according to point (a) of Article 6 (1) of the GDPR, or point (a) of Article 9 (2) of the GDPR, and where there is no other legal ground for the processing;
• The data subject objects to the processing pursuant to Article 21 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2) of the GDPR;
• The personal data have been unlawfully processed;
• The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR.

If one of the aforementioned reasons applies, and a data subject wishes to request the erasure of personal data stored by IOSAE, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Where the controller has made personal data public and is obliged pursuant to Article 17 (1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. The Data Protection Officer of IOSAE, or another employee, will arrange the necessary measures in individual cases.

Please note that:

• you may exercise your right to restrict our processing the data whilst we consider your erasure request as described below;
• you need to provide as much detail as possible on your reasons for the request to assist us in determining whether you have a valid basis for erasure;
• however, we may retain the personal data if there are valid grounds under law for us to do so (e.g., for the defence of legal claims or freedom of expression) but we will let you know if that is the case.

Relevant provisions in the GDPR: see Article 6, Article 9, Article 12, Article 17, Recital 65, and Recital 66.

15.5. Right to restrict processing (with the exception of storage)

Each data subject shall have the right granted by the European legislator to obtain from the controller restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use instead;
• The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• The data subject has objected to processing pursuant to Article 21 (1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

If one of the aforementioned conditions are met, and a data subject wishes to request the restriction of the processing of personal data stored by IOSAE, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Please note that:

• if we stop processing the personal data, we may use it again if there are valid grounds under data protection law for us to do so (e.g. for the defence of legal claims or for another’s protection).

Relevant provisions in the GDPR: see Article 18, Article 19, and Recital 67.

15.6. Right to data portability

Each data subject shall have the right granted by the European legislator, to receive the personal data concerning him or her, which was provided to a controller, in a structured, commonly used and machine-readable format. He or she shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as long as the processing is based on consent pursuant to point (a) of Article 6 (1) of the GDPR or point (a) of Article 9 (2) of the GDPR, or on a contract pursuant to point (b) of Article 6 (1) of the GDPR, and the processing is carried out by automated means, as long as the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Furthermore, in exercising his or her right to data portability pursuant to Article 20 (1) of the GDPR, the data subject shall have the right to have personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.

In order to assert the right to data portability, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Please note that:

• we are not responsible for the security of the personal data or its processing once received by the third party;
• we also may not provide you with certain data if providing it would interfere with another’s rights (e.g. where providing the personal data we hold about you would reveal information about another person or our trade secrets or intellectual property).

Relevant provisions in the GDPR: see Article 13, Article 20, and Recital 68.

15.7. Right to object

Each data subject shall have the right granted by the European legislator to object, on grounds relating to his or her particular situation, at any time, to the processing of personal data concerning him or her, which is based on point (e) or (f) of Article 6 (1) of the GDPR. This also applies to profiling based on these provisions.

IOSAE shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

If IOSAE processes personal data for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing. This applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to IOSAE to the processing for direct marketing purposes, IOSAE will no longer process the personal data for these purposes.

In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her by IOSAE for scientific or historical research purposes, or for statistical purposes pursuant to Article 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

In order to exercise the right to object, the data subject may directly contact our Data Protection Officer, or another employee of IOSAE. In addition, the data subject is free in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to use his or her right to object by automated means using technical specifications.

Please note that:

• you can object to our processing of data by changing your marketing preferences at “My Account” or by ticking “unsubscribe” at the bottom of each marketing email we send you;
• however you will still receive emails related to the orders you make through our Website or updates to our Terms & Conditions and Privacy Policy;
• you need to provide us with details as to your reasoning so that we can assess whether there is a compelling overriding interest in us continuing to process such data or we need to process it in relation to legal claims;
• you may exercise your right to request that we stop processing the data whilst we make the assessment on an overriding interest.

Relevant provisions in the GDPR: see Article 6, Article 12, Article 21, Article 89, Recital 69, and Recital 70.

15.8. Rights related to automated individual decision-making, including profiling

Each data subject shall have the right granted by the European legislator not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or similarly significantly affects him or her, as long as the decision (1) is not necessary for entering into, or the performance of, a contract between the data subject and the data controller, or (2) is not authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (3) is not based on the data subject’s explicit consent.

If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or (2) it is based on the data subject’s explicit consent, IOSAE shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and contest the decision.

If the data subject wishes to exercise the rights concerning automated individual decision-making, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Relevant provisions in the GDPR: see Article 4 (4), Article 9, Article 12, Article 13, Article 14, Article 15, Article 21, Article 22, and Article 35 (1) and (3).

15.9. Right to withdraw consent

Each data subject shall have the right granted by the European legislator to withdraw his or her consent to the processing of his or her personal data at any time.

If the data subject wishes to exercise the right to withdraw the consent, he or she may at any time contact our Data Protection Officer, or another employee of IOSAE.

Please note that:

• you can withdraw your consent at any time by changing your marketing preferences in “My Account”, by unsubscribing at the bottom of each email received, or by writing/emailing our Data Protection Officer.

Relevant provisions in the GDPR: see Article 4 (11), Article 6 (1)(a), Article 7, Article 8, Article 9 (2)(a), Recital 32, Recital 38, Recital 40, Recital 42, Recital 43, and Recital 171.

16. How can you exercise your data protection rights?

Pursuant to Article 15 et seq. of the General Data Protection Regulation (GDPR), you have special rights to your personal data, notably the right of rectification, erasure, and restriction of data processed by IOSAE. To exercise these rights, we ask that you fill out the form below, which is for any individual whose data may be processed by Gandi. The mandatory fields are indicated as (required).

Please also note that:

• IOSAE will always ask you to provide a valid proof of ID.
• IOSAE will process your request within one (1) month of the reception of the said request.
• Personal data sent within the framework of the exercising of your rights is processed with the exclusive purpose of meeting your demand and is stored for a maximum duration of one (1) year from the date of the request.

17. What are your other choices?

You have several choices available when it comes to information about you:

• Limit the information that you provide: if you have an account with us, you can choose not to provide the optional account information, profile information, and transaction and billing information. Please keep in mind that if you do not provide this information, certain features of our Services may not be accessible.
• Limit access to information on your mobile device: your mobile device operating system should provide you with the ability to discontinue our ability to collect stored information or location information via our mobile apps. If you do so, you may not be able to use certain features (like adding a location to a photograph, for example).
• Opt-out of marketing communications: you may opt-out of receiving promotional communications from us. Just follow the instructions in those communications or let us know. If you opt-out of promotional communications, we may still send you other communications, like those about your account and legal notices.
• Set your browser to reject cookies: at this time, IOSAE does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using IOSAE’s websites, with the drawback that certain features of IOSAE’s websites may not function properly without the aid of cookies.
• Close your account: While we’d be very sad to see you go, if you no longer want to use our Services, you can close your account (just send us an email to privacy [ AT ] iosae.com). Please keep in mind that we may continue to retain your information after closing your account, as described in “How do we keep you and your personal data secure?” section above – for example, when that information is reasonably needed to comply with (or demonstrate our compliance with) legal obligations such as law enforcement requests, or reasonably needed for our legitimate business interests.

18. How can I file a complaint?

Should you be dissatisfied with how we use your personal data or with our response to your request to exercise your rights, you may file a complaint with the Portuguese Data Protection Authority responsible for compliance with the rules on personal data protection:

• Comissão Nacional de Proteção de Dados (CNPD)
  Rua de São Bento, 148 – 3º
  1200-821 Lisboa
  Portugal
• Phone: +351213928400
• Fax: +351213976832
• Email: geral [ AT ] cnpd.pt (replace [ AT ] with @)
• Web: https://www.cnpd.pt/english/index_en.htm

19. Legislative references and useful links

The processing of your personal data is carried out by IOSAE in compliance with:

• The European Regulation 2016/679 (GDPR, General Data Protection Regulation);
• The Portuguese Law 58/2019 (ensures the implementation of the GDPR in the Portuguese legal order).
• The Portuguese Regulation 1/2018 (list of processing of personal data subject to Data Protection Impact Assessment).

20. Changes to this Privacy Policy

Although most changes are likely to be minor, IOSAE may change its Privacy Policy from time to time. IOSAE encourages visitors to frequently check this page for any changes to its Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification through email or your dashboard). Your further use of the Services after a change to our Privacy Policy will be subject to the updated policy.

That’s all! Thanks for reading!

21. Change log

• July 2019 (v3): Language simplification, adding lots of examples, form to exercise GDPR rights, and links to legislation.
• May 2019 (v2): Major rewrite based on Automattic’s Privacy Policy.
• May 2018 (v1): Initial version.