In the context of their contractual relations, the Parties undertake to comply with the regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as from 25 May 2018 (hereinafter referred to as the "GDPR"), as well as Law No 78-17 of 6 January 1978 on data processing, files and freedoms (hereinafter referred to as the amended "Data Protection Act"). The purpose of this Annex is to define the conditions under which the processor undertakes to carry out on behalf of the controller the processing operations of personal data defined below.
For the purposes of this Agreement, the following terms shall have the following meaning:
• "Personal Data" means any information relating to an identified or identifiable natural person; an "identifiable natural person" is defined as a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more elements unique to him/her. In order to determine whether a person is identifiable, all means of identification available or accessible to the Data Controller or any other person must be considered.
• "Data Subject" refers to a natural person whose Personal Data are processed.
• "Data Controller" means the CLIENT, who determines the purposes and means of the Personal Data Processing.
• "Data Processor" refers to the PROVIDER who processes Personal Data under the authority, on instructions and on behalf of the Data Controller.
• "Processing" means any operation or set of operations involving Personal Data by the Data Processor on behalf of the Data Controller, regardless of the process used, and in particular the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, as well as limitation, deletion or destruction.
• "Personal Data Breach" means a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Personal Data transmitted, stored or otherwise processed.
The Data Controller acknowledges and guarantees:
- that the Processing is carried out in accordance with the provisions of the GDPR and the Data Protection Act, in particular, that the Data Subject has been informed of the purpose of the Processing, his rights, the recipients of the Personal Data and the policy on the protection of privacy and personal data;
- only in the event that the Data Controller processes "sensitive" data as defined in Article 9 of the GDPR (i.e. the Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person), the Data Controller has collected them and requires the Data Processor to carry out their Processing, in full compliance with the provisions of the said Article 9;
- that it will respond as soon as possible to any Data Protection Authority requests for information, if any;
- that it will respond, as soon as possible, to requests from any Data Subject concerned by the Processing, to communicate information on its Personal Data and that it will give appropriate instructions to the Data Processor, in due course.
- The Data Controller also undertakes to:
o document in writing any instructions concerning the Processing of Personal Data by the Data Processor;
o ensure, in advance and throughout the duration of the Processing, that the Data Processor complies with the obligations provided for in the European Data Protection Regulation;
o supervise the Processing, including carrying out audits and inspections of the Data Processor.
The Data Processor undertakes to:
- process the data only for the purposes indicated by the Data Controller;
- if the Data Processor considers that an investigation constitutes a violation of the European Data Protection Regulation or any other provision of Union law or of the law of the Member States relating to data protection, it shall immediately inform the Data Controller. In addition, if the Data Processor is required to transfer data to a third country or international organization, under the law of the Union or the law of the Member State to which it is subject, it must inform the Data Controller of this legal obligation before the Processing, unless the law concerned prohibits such information for important reasons of public interest;
- guarantee the confidentiality of the personal data processed under this Agreement;
- ensure that the persons authorized to process personal data under this Agreement:
o undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality;
o receive the necessary training in the protection of personal data;
- consider, with regard to its tools, products, applications or services, the principles of privacy by design and data protection by default;
- inform its employees of their responsibility regarding the protection of Personal Data, in particular as regards the confidentiality of such data;
- in the event of a possible legal, administrative or judicial prohibition that could prevent it from carrying out the Processing, the Data Processor shall inform the Data Controller and may then terminate the Agreement, without the Data Controller being able to hold the Data Processor liable or claim damages from him;
- cooperate with the CNIL in the event of a request for information from the latter and comply with any recommendation of the CNIL relating to the Processing.
The Data Processor may use another subcontractor (hereinafter, the "Subprocessor") to carry out specific Processing activities. In this case, he/she shall inform the Data Controller in advance and in writing of any planned change concerning the addition or replacement of other Subprocessors. This information must clearly indicate the subcontracted Processing Activities, the identity and contact details of the Subprocessor and the dates of the subcontract. The Data Controller has a minimum period of one (1) month from the date of receipt of this information to present his objections. This subcontracting may only be carried out if the Data Controller has not raised any objection within the agreed period.
The Subprocessor is required to comply with the obligations of this Agreement on behalf of and in accordance with the instructions of the Data Controller. It is the initial Data Processor's responsibility to ensure that the Subprocessor provides the same sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the Processing operation complies with the requirements of the European Data Protection Regulation. If the subsequent processor does not fulfill its data protection obligations, the initial Data Processor remains fully liable to the Data Controller for the performance by the subsequent processor of its obligations.
2. Right of data subjects to be informed
It is the responsibility of the Data Controller to provide the information to the Data Subjects on the Processing operations at the time of data collection.
3. Exercise of data subject’s rights
The Data Controller grants requests to exercise the rights of the Data Subjects (right of access, rectification, deletion and opposition, right to limit the Processing, right to data portability, right not to be the subject of an automated individual decision, including profiling) and will give appropriate instructions to the Data Processor in due course. As far as possible, the Data Processor shall assist the Data Controller in fulfilling his obligation to comply with requests to exercise the rights of the Data Subjects.
4. Notification of Personal Data Breaches
The Data Processor shall notify the Data Controller of any breach of personal data as soon as possible and, at the latest, 72 hours after becoming aware of it. This notification shall be accompanied by all relevant documentation in order to enable the Data Controller, if necessary, to notify this Violation to the competent supervisory authority. The Data Processor must take all necessary steps to identify the causes of such Personal Data Violation and take all measures that it deems necessary and reasonable to remedy the origin of such Violation when such remedy is under the control of the Data Processor.
5. Security measures
The Data Processor must at all times have technical and organizational measures in place to prevent unauthorized access to the Personal Data and the use of the Personal Data for purposes other than those agreed for their transmission to the Data Processor. The Data Processor represents and warrants that the security measures taken are in no event less than those required by applicable law or those that a person performing the same activity as the Data Processor would reasonably have taken for the protection of Personal Data against unauthorized access or use.
In cases where the Data Processor has obtained the prior consent of the Data Controller for the transmission of Personal Data to a third party, the Data Processor must again take appropriate security measures to ensure the secure transmission of the Personal Data. The Data Processor must protect and maintain the Personal Data as confidential information. The confidentiality requirements required by each of the commercial documents and/or confidentiality agreements signed between the Data Controller and the Data Processor must apply to the Personal Data.
The Processor shall Process the Client’s Data on behalf of the Client as Client’s Data Processor. The scope, extent, and nature of the Processing are the sole purpose of facilitation of the provision of services through Baqs Analytics by the Processor to the Client.
The Processor shall ensure that any of its officers, directors, employees, consultants, representatives and other natural persons that participate in the Processing of the Client’s Data agree to the same restrictions and conditions as those listed in this Agreement.
The Client as the Data Controller shall be responsible for complying with the applicable Data Protection Law, including, but not limited to, the lawfulness of the Processing and the lawfulness of the transmission (if any) of the Client’s Data to the Processor.
The Processor shall Process the Client’s Data only to the extent required and with the purpose of fulfilling Processor’s obligations under the Contract, to the extent necessary for the provision of Baqs Analytics, and in accordance with Client’s Instructions.
Should the Processor wish to use the Client’s Data for the purposes that are not specified in this section 3, the Processor shall request the Client to provide prior consent in writing.
The Processor shall Process all Client’s Data submitted by the Client through LIFETIMELY. To the extent the Client’s Data contains Personal Data, it may consist of the following types of Data Subjects’ identifying information:
2. No special categories of Personal Data as defined in Art. 9(1) of the GDPR are processed according to this Agreement.
Personal identification information
We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our site, subscribe to the newsletter, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. Users may be asked for, as appropriate, name, email address, mailing address, phone number. Users may, however, visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Site related activities.
All account information that you use within our software (Baqs Analytics) is kept locally on your computer and we never have access to it in any way or form. Everything you do there is completely private and up to you and it’s your responsibility to keep it safe.
Non-personal identification information
We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, the type of computer and technical information about Users’ means of connection to our Site, such as the operating system and the Internet service providers utilized and other similar information.
Web browser cookies
How we use collected information
Baqs Analytics collects and uses Users’ personal information for the following purposes:
To improve our Site
We continually strive to improve our website offerings based on the information and feedback we receive from you.
To improve customer service
Your information helps us to more effectively respond to your customer service requests and support needs.
To process transactions
We may use the information Users provide about themselves when placing an order only to provide service to that order. We do not share this information with outside parties except to the extent necessary to provide the service.
To send periodic emails
The email address Users provide will only be used to respond to their inquiries, and/or other requests or questions. If a User decides to opt in to our mailing list, they will receive emails that may include company news, updates, related product or service information, etc. If at any time the User would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or the User may contact us via our Site.
Provide, improve, test, and monitor the effectiveness of our Service.
Develop and test new products and features.
Diagnose or fix technology problems.
How we protect your information
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
What is your data retention policy?
We will make a good faith effort to:
Retain server logs containing the IP address of all requests to this server no more than 90 days.
Retain the IP addresses associated with registered users and their posts no more than 5 years.
Sharing your personal information
We do not sell, trade, or rent Users’ personal identification information to others. We may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. We may share your information with these third parties for those limited purposes provided that you have given us your permission.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
Third party websites
Users may find content on our Site that links to third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
Children’s Online Privacy Protection Act Compliance
We are in compliance with the requirements of COPPA (Children’s Online Privacy Protection Act); we do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old.
Does Baqs Analytics comply with the EU General Data Protection Regulation?
Baqs Analytics respects privacy rights under Regulation (EU) 2016/679, the European Union’s General Data Protection Regulation (GDPR).
Information that GDPR requires Baqs Analytics to give can be found throughout this privacy notice.
How can I change or erase data about me?
You can change your account data at any time by visiting the profile settings page for your account. Closing your account will remove all data about you that is stored on our servers; you will also have to unsubscribe from our mailing list separately if you don’t wish to hear from us anymore.
In case you cannot access your profile page anymore you can also send us an email using the contact form and we’ll close your account for you.
How can I contact Baqs Analytics about privacy?
You can send questions and complaints using our contact form and someone from our legal department will help you out.
For complaints under GDPR more generally, European Union users may lodge complaints with their local data protection supervisory authorities.
Third-Party Sites and technology partners
When used as a "connector", Baqs Analytics accesses Google Analytics data using a secure OAuth connection. Your Data is then used in order to provide you with the requested services (including "Reporting"). The only data stored is that necessary to provide the requested service: the Google Analytics View ID and Google Analytics secure access (access_token, refresh_token). This data is not shared with other companies.
Google AdWords is used as a marketing platform. Check out their privacy policy here: https://www.google.com/intl/en/policies/privacy/
Baqs Analytics’ use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
This version of Baqs Analytics’s privacy questions and answers took effect Nov 12, 2021.
Your acceptance of these terms
By using this Site, you signify your acceptance of this policy and our terms of service. If you do not agree to them, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.