Convious B.V. – Privacy Policy

We, the company Convious B.V., take the protection of your personal data very seriously. With the entry into force of the EU General Data Protection Regulation ((EU) 2016/679, hereinafter “GDPR”) additional obligations have been imposed on us to ensure protection of the personal data of a person affected (data subject) through the processing of said data. With this declaration (hereinafter “Privacy Policy”) we inform you of how we will process your personal data.

This Privacy Policy is applicable if you visit our website convious.com (hereinafter referred to as “our website”), and if you visit our customers’ websites, in which our software is integrated (hereinafter referred to as “Convious-based website”). The information below applies to both cases, unless they are expressly differentiated.

  1. Name and contact data of the party responsible for the processing (controller) 

If you are visiting our website, we the company Convious B.V. Herengracht 440, 1017 BZ Amsterdam, Netherlands, telephone: +31 (0)20 261 5385, email: privacy@convious.com, are the party responsible for processing your personal data as defined in Article 4(7) GDPR (“controller”).

On the other hand, if you are visiting the Convious-based website of one of our customers, we are merely the processor as defined in Article 4(8) GDPR. In this case, the controller as defined in Article 4(7) GDPR is our customer, who has our software integrated into their website. And in this case, the processing activities listed below are performed exclusively on behalf of our respective customer and in compliance with said customer’s instructions. In this case, please also refer to our respective customer’s privacy policy.

  2. Data Protection Officer contact information

Our external Data Protection Officer is available to you at any time as your contact for any questions concerning data privacy. Contact information:

PROLIANCE GmbH

www.datenschutzexperte.de

Leopoldstr. 21

80802 München

datenschutzbeauftragter@datenschutzexperte.de

When contacting the data protection officer, please name the company to which your inquiry relates. Please refrain from enclosing sensitive information such as a copy of an ID card with your request.

 

  3. Collection and storage of personal data; type of personal data and the purposes for which it is used

When visiting our website or a Convious-based website through the browser used on your end device, information is automatically sent to our website server. This information is stored temporarily in a so-called log file. In this process, the following information is collected without any action on your part and it will be stored until it is deleted automatically:

  1. IP address of the requesting computer
  2. Date and time of access
  3. Name and URL of the retrieved file
  4. Website from which the access occurs (referrer URL)
  5. Operating system of your computer, hardware version and device settings
  6. Name of the access provider or mobile phone provider
  7. Browser used, language and time zone
  8. Preferred display language of the website

We process the data cited above for the following purposes:

  1. To ensure a smooth connection with the website
  2. To ensure the website is convenient to use
  3. To evaluate system security and system stability

The legal basis for the data processing is Article 6(1)(1)(f) GDPR. Our legitimate interest follows from the purposes of the data collection cited above. We do not, under any circumstances, use the collected data to draw conclusions about your person.

The data cited above will be deleted as soon as it is no longer required to achieve the purpose for which it is collected. Usually, this is when you end the session. You cannot object to collection of the data cited above, since the processing of said data is mandatory in order to use the website.

When using the chat function on www.convious.com we process only the data that you provide to us in the chat. This processing occurs so that we can respond to your inquiry. The legal basis is Article 6(1)(1)(b) or (f) GDPR. Personal data will be stored for the period of time necessary to achieve the purpose of the processing. Data will be deleted as soon as it is no longer required to achieve the purpose.

When using the Contact Form on our website or on a Convious-based website, the data that you enter in the form (first name, last name, address, company, email address and time of transmission) will be processed. This processing occurs so that we can respond to your inquiry. Moreover, we use your email address to detect and prevent fraud, misuse or other harmful activities. The legal basis is Article 6(1)(1)(b) or (f) GDPR. If the inquiry is allocated to a contract, we delete the data collected in this manner after the contract term elapses. Otherwise, we delete the data after storage is no longer required, or we restrict the processing if statutory retention obligations exist.

If you purchase digital goods on a Convious-based website by means of our embedded software, we process the personal data you provided there (e.g. gender, first name and last name, address, company, email address, time of transmission, account number and credit card data). This occurs to process your purchase of goods. The legal basis is Article 6(1)(1)(b) or (f) GDPR. We delete the data collected in this manner after the contract term elapses, or we restrict processing if statutory retention obligations exist.

If you make a purchase on a Convious-based website, we also create a customer profile in which we store your name, your email address, an internal customer identification number, quantity and type of ordered products, date of visit, purchase date and purchase price, end device, as well as date and time the website was visited. Moreover, we also store information in this customer profile regarding whether or not you have agreed to marketing activities, and whether or not you use an app. The purpose of the processing is to adequately offer the service you have requested, since this is the only way we can know which of our service offerings you have acquired with the purchase. The legal basis is Article 6(1)(1)(b) or (f) GDPR. We delete the data collected in this manner after the contract term elapses, or we restrict processing if statutory retention obligations exist.

If you purchase multiple digital goods on a Convious-based website specifying the same email address at different times, using the same end device or different end devices, we aggregate this stored data in the customer profile cited above. The purpose of this aggregation is to ensure consistent processing of your inquiry, e.g. consistent communication of any changes relating to your planned visit. The legal basis is your consent granted in accordance with Article 6(1)(1)(a) GDPR and Article 6(1)(1)(b) GDPR. You can revoke this consent granted to us at any time. More information on this is provided under Clause 10 of this Privacy Policy. We delete the data collected in this manner after the contract term elapses, or we restrict processing if statutory retention obligations exist.

The data cited above is only used for marketing purposes, such as sending tailored offerings, with your express consent. In this case, the legal basis is Article 6(1)(1)(a) GDPR.

In addition, we use cookies when you visit our website or when you visit a Convious-based website. More information on this is provided under Clause 7 of this Privacy Policy. We also use tracking and analysis tools when you visit our website, convious.com. More information on this is provided under Clause 8 of this Privacy Policy.

  4. Transfer of data to third parties

We do not transfer your personal data to third parties for purposes other than the purposes listed below.

We only transfer your data to third parties if:

  1. you, in accordance with Article 6(1)(1)(a) GDPR, have given us express permission to do so;
  2. the transfer in accordance with Article 6(1)(1)(f) GDPR is required for the establishment, exercise or defence of legal claims, and there is no reason to believe that you have an overriding interest in your data not being transferred;
  3. a statutory obligation exists for transfer in accordance with Article 6(1)(1)(c) GDPR;
  4. this is legally permitted, and in accordance with Article 6(1)(1)(b) GDPR, this is necessary to carry out contractual relationships with you.

The details concerning transfer are provided in the relevant provisions of this Privacy Policy, in Clauses 6 and 8.

  5. Transmission of personal data to third countries

Your personal data will only be transferred to countries outside of the European Economic Area (EEA) in order to fulfil contractual and business obligations and to maintain your business relationship with us. Transfer details are provided in the relevant provisions of this Privacy Policy, in Clauses 6 and 8.

Through so-called adequacy decisions, the European Commission has certified that the data protection in several countries is comparable to the data protection stipulated in the EEA standard. In other third countries to which personal data may be transferred, under certain circumstances a consistently high level of data protection does not exist, due to a lack of statutory regulations. If this is the case, we take measures to ensure adequate data protection. This is possible using binding company rules, standard contractual clauses of the European Commission for the protection of personal data, certificates or acknowledged codes of conduct. Please contact our Data Protection Officer for more information (contact information under Clause 2).

  6. Working together with processors

Like any larger company, we also use domestic and foreign external service providers to handle our business transactions. These service providers act in accordance with our instructions, and in accordance with Article 28 GDPR, they have been obligated to comply with statutory data protection regulations.

Specifically, we use the following processors:

  1. To send emails we use the “SendGrid” service of Twilio Inc., 645 Harrison Street, 3rd Floor, San Francisco, CA 94107, United States. Servers are located in Herndon, VA; Las Vegas, NV and Chicago, IL. These emails are sent to transmit the digital goods and to perform the service that you have requested. The legal basis is Article 6(1)(1)(b) or (f) GDPR. In this case, personal data that is processed by Twilio may be transmitted into third countries, including the United States, where Twilio’s main processing facilities are located. However, data security is assured through standard contractual clauses. More information is provided here.

    Data addendum

    Transfer Impact Assessment

  2. To transmit data and establish our digital infrastructure, we use the “AWS Lambda” service of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg. Servers and processing are located in Ireland. Convious remains the client and thus remains the owner of the content and selects which AWS services are allowed to process, store and host content. AWS does not access your content and does not use it for other purposes without your consent. AWS never uses customer content or derives information for marketing or advertising from this content. More information is provided here.

    Customer Agreement

    Data addendum

    Standard Contractual clauses - Processor to Processor

    EU Transfer compliance information

    Strengthened commitment measures

  3. To provide services via our mobile application (“Tap”) we use the “Firebase” service, which belongs to Google Ireland Limited, Google Asia Pacific Pte. Ltd, located in Grange Castle Business Park South, Baldonnel Rd, Dublin 22, D22 X602, Ireland. All Firebase services (except App Check, App Distribution and App Indexing) have successfully run through the ISO 27001 and SOC 1, SOC 2, and SOC 3 evaluation process; several services have also concluded the ISO 27017 and ISO 27018 certification process. In addition, the Firebase services also use the standard contractual clauses when transferring personal data to third countries. More information is provided here.

    Firebase Data Processing and Security Terms

    Distribution data processing terms

    Standard Contractual Clause



  4. Furthermore, we use HubSpot to provide contact forms and automation and to manually send emails. However, this only affects partners and potential partners. It does not affect end-customers of the Convious-based website.

    Data Processing Agreement

  5. We use Groove Networks, LLC. to provide our partners with first and second-line support. When providing this service, we sometimes need to share and use customer data to troubleshoot in communication with partners and among the Convious support team via Groove.

    Data Processing Agreement

  6. We may use our Google Workspace Suite to collaborate when carrying out requested services such as email campaigns and open support tickets. 

    Data Processing Agreement

Data processing occurs based on your consent as stipulated in Article 6(1)(a) GDPR. If you do not want the cited data to be collected and processed by HubSpot, you can refuse consent or revoke your consent at any time with future effect.

For our partners, the legal basis for this processing is stipulated in Article 6(1)(1)(b) or (f) GDPR.

Personal data will be stored for as long as necessary to fulfil the purpose of the processing. The data will be deleted as soon as it is no longer required to achieve said purpose.

As part of HubSpot’s processing, data may be transmitted into the USA. Transmission security is safeguarded by so-called standard contractual clauses. These standard contractual clauses should ensure that personal data processing is subject to a level of security equivalent to that stipulated in the GDPR.

 

  7. Cookies

We use cookies on our website and on Convious-based websites. Cookies are small text files that are stored on your hard disk by the browser that you use by means of a unique character string and through which certain information flows to the website that sets the cookies. Cookies cannot execute any programs or transmit viruses to your computer; they cannot cause any harm. They are used to make the overall Internet offering more user-friendly and more effective, in other words, more convenient for you.

Cookies may contain data that enables recognition of the device used. However, in some cases cookies also contain information only for specific settings that are not related to you personally. Cookies cannot directly identify a user. 

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the specific session. In terms of content, a distinction is made between necessary cookies, which are essential for website function, and optional cookies (such as performance cookies, functional cookies or marketing cookies) that are not absolutely necessary for website function.

The legal basis for setting of cookies that are technically necessary is Article 6(1)(1)(f) GDPR. On the other hand, each use of cookies that is not strictly technically necessary is considered data processing, and data processing is only permitted with your express and active consent in accordance with Article 6(1)(1)(a) GDPR. 

Most browsers accept cookies automatically. However, you can configure your browser in such a manner that no cookies are stored on your computer, or that a notice always appears before a new cookie is created. Please note that completely deactivating cookies may result in you being unable to use all the functions of our website or of the Convious-based website.

On a Convious-based website we set the following cookies:

 

| Name | Category | Function | Deletion |
| --- | --- | --- | --- |
| _cdd# | Necessary | Helps us to set the so-called “convious_cookie_id” | After the session ends |
| convious-tab-id | Necessary | Used for troubleshooting when the website is used | After the session ends |
| reduxPersist:session | Necessary | Tracks your visit to the website to improve the services offered and to display exclusively relevant information | After the session ends |

 

The “convious_cookie_id” cited above is multifunctional and consequently is cited twice:

| Name | Category | Function | Deletion |
| --- | --- | --- | --- |
| convious_cookie_id | Necessary | Used for functionality of the services to be provided, particularly web-shop services | After 24 months |
| convious_cookie_id | Optional | Used to identify relevant content based on your previous activities. We can then personalise the experience on the website or in the web-shop. | After 24 months |

On our website, convious.com, in addition to the cookies cited above, we also use the cookies cited in our Cookie statement. More information concerning the cookies used by www.convious.com is provided in our Cookie statement. 

 

  8. Analysis tools and tracking tools

If you visit our convious.com website, we also use analysis tools and tracking tools.

The tracking measures cited below, which we use, are implemented on the basis of Article 6(1)(1)(a) GDPR; this means they are implemented with your consent. With the tracking measures used, we want to ensure needs-oriented design and continuous optimisation of our website. Furthermore, we use the tracking measures to statistically record and evaluate the use of our website and to optimise our offering.

  • Google Analytics

We use a web tracking service from Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) on our website. We use this tool to enable analysis of your user interactions on websites and in apps, and to improve our offering and make it more interesting to you as a user through the statistics and reports obtained.

We record the interaction between yourself as user of a Convious-enabled website and our website primarily with the aid of cookies and data concerning your device/browser, IP addresses, and website activities or app activities. Furthermore, in Google Analytics, your IP address is recorded to ensure security of the service and to enable us, as the website operator, to assess the country, region or city of the respective user (so-called “IP location determination”). Of course, for your protection we use the anonymisation function (“IP masking”); this means that within the EU/EEA Google truncates the IP addresses by removing the last octet.

Google acts as the processor and we have an appropriate standard contract with Google. As a rule, the information generated by the cookie concerning your use of this website and the (truncated) IP addresses will be transferred to a Google server in the USA where it will be stored and processed. As stated by Google, in these cases Google has imposed a standard that is equivalent to the previous EU-US Privacy Shield, and has promised to comply with the data protection legislation for international data transmission. In addition, Google protects the collected data by means of so-called standard contractual clauses. The objective of these clauses is compliance with an appropriate level of data protection in a third country.

The legal basis for collection and further processing of the information (which occurs for a maximum of 14 months) is the consent that you have granted (Article 6(1)(1)(a) GDPR). It is possible to revoke your consent at any time; note that this will not affect the permissibility of the processing up to the time of revocation. In apps, you can reset the advertising ID under the Android or iOS settings. The easiest way to revoke your consent is via the respective Consent Manager or by installing Google’s Browser add-on, which can be accessed with the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.

The personal data will be stored for the period of time necessary to achieve the purpose of the processing. The data will be deleted as soon as it is no longer required to achieve said purpose.

More information concerning the Google Analytics scope of service is provided at https://marketingplatform.google.com/about/analytics/terms/de/. Information concerning data processing when using Google Analytics is provided by Google at the following link: https://support.google.com/analytics/answer/6004245?hl=en. General information concerning data processing, which Google states should also apply for Google Analytics, is available in the Google Privacy Policy at https://policies.google.com/privacy?hl=en&gl=en

  • Hotjar

Our website also uses the Hotjar web analysis service. The provider is Hotjar Inc. with registered office at Level 2, St. Julian’s Business Centre, 3, Elia Zammit Street, St. Julian’s STJ 1000, Malta.

We use Hotjar to analyse the use of our website and improve it on a regular basis. We can use the statistics obtained to improve our offering and make it more interesting for you as a user. On our behalf, Hotjar uses this information to analyse the use of the website, compile reports of website activities, and to provide other services associated with website and Internet use. As a rule, the information generated by the cookie about your use of this website will be transferred to a Hotjar server and stored there.

We use Hotjar’s anonymisation function on our website. With this function, your IP address is truncated and we ensure that the analysis data cannot be personally identified. We do not aggregate the data with other personal data.

We use the tool only after we have obtained your consent, which you can grant via the Consent Manager; the legal basis is Article 6(1)(1)(a) GDPR. You can revoke this consent granted to us at any time. More information in this regard is provided under Clause 10 of this Privacy Policy. Moreover, you can decide to disable the analysis function by activating the default function “Do not Track” in your browser. In this case, we will not process your personal data in the manner described here. An explanation of how to activate the “Do not Track” function is provided at this link: www.hotjar.com/legal/compliance/opt-out/.

The personal data will be stored for the period of time necessary to achieve the purpose of the processing. The data will be deleted as soon as it is no longer required to achieve said purpose.

  • HubSpot

We also use the services of the software company HubSpot (2nd Floor 30 North Wall Quay, Dublin 1, Ireland) on this website.

By using HubSpot we can improve email marketing, social media publishing and reporting, general reporting, contact management (e.g. user segment marketing and customer care), landing pages and contact forms.

In addition, we also use HubSpot to provide contact forms.

Data processing occurs based on your consent as stipulated in Article 6(1)(a) GDPR. If you do not want the cited data to be collected and processed by HubSpot, you can refuse consent or revoke your consent at any time with future effect. More information on this is provided under Clause 20 of this Privacy Policy. 

Personal data will be stored for as long as necessary to fulfil the purpose of the processing. The data will be deleted as soon as it is no longer required to achieve said purpose.

As part of HubSpot’s processing, data may be transmitted into the USA. Transmission security is safeguarded by so-called standard contractual clauses. These standard contractual clauses should ensure that personal data processing is subject to a level of security equivalent to that stipulated in the GDPR.

  9. The rights of those affected (data subjects)

You have the right:

  1. In accordance with Article 15 GDPR, to demand information from us concerning your personal data that we process. In particular, you can demand information concerning the purposes of the processing, the category of the personal data, the categories of recipients to whom your data has been or will be transferred, the planned duration of storage, the existence of a right of correction, deletion, restriction of, or objection to the processing, the existence of a right to lodge a complaint, the origin of your data, if it was not collected by us, and concerning the existence of an automated decision-making procedure, including profiling and, if necessary, you can demand meaningful information concerning the details thereof.
  2. In accordance with Article 16 GDPR, you have the right to demand immediate correction or completion of your personal data stored by our company.
  3. In accordance with Article 17 GDPR, you have the right to demand deletion of your personal data stored by us, if the processing is not required for the exercise of the right of free expression of opinion and information, for fulfilment of a legal obligation or for establishing, exercising or defending legal claims.
  4. In accordance with Article 18 GDPR, you have the right to demand restriction of the processing of your personal data if you dispute the accuracy of the data, if the processing is unlawful, if you no longer need the personal data but we need to keep it in order to establish, exercise or defend a legal claim, or if in accordance with Article 21 GDPR you have lodged an objection to the processing.
  5. In accordance with Article 20 GDPR, you have the right to demand that you receive your personal data that you have provided to us in a structured, commonly used and machine-readable format, or transmission of said personal data to a different responsible party (controller).
  6. In accordance with Article 7(3) GDPR, you have the right to revoke at any time the consent that you have granted to us. The consequence is that we are no longer permitted to continue, in future, the data processing on which this consent was based.
  7. In accordance with Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority. As a rule, for this purpose you can contact the responsible supervisory authority for your usual place of residence or workplace.

  10. Right to object

If your personal data is processed on the basis of legitimate interests in accordance with Article 6(1)(1)(f) GDPR, you have the right as set forth in Article 21 GDPR to object to the processing of your personal data that arises from your particular situation or that is directed to the objection against direct advertising. In the latter case you have a general right of objection, which will be implemented by us without specification of a particular situation.

If you want to exercise your right of revocation or objection, simply email privacy@convious.com.

  11. Data security

When you visit our website or a Convious-based website, we use the popular SSL (Secure Socket Layer) procedure in conjunction with the highest level of encryption that is supported by your browser. As a rule this is a 256-bit encryption. If your browser does not support a 256-bit encryption, then instead we fall back on 128-bit v3 technology. You can tell whether a specific page of our web presence or the web presence of a Convious-based website is transmitted with encryption if there is a closed key symbol or lock symbol in the lower status bar of your browser.

In all other aspects we use suitable technical and organisational measures to protect your data against random or wilful manipulation, partial or total loss, destruction, or from unauthorised third-party access. Our security measures are subject to continuous improvement in accordance with technological development.

For example, Convious has already implemented the following security measures:

  • While access to our facilities is protected by keys, access to the information on the Convious servers is restricted to the employees who require such access to fulfil their tasks, and to the users that are cited in the customer accounts, and to third parties, who can only access the information under specific and limited circumstances, and who are obligated to maintain confidentiality. Access to data that is stored on Convious servers is assigned in levels and exclusively to Convious employees based on their professional function, and to specific users of our customers and third parties. However, the latter only obtain access under very specific circumstances and after entering into a confidentiality agreement. In this regard, internal and external users only obtain the data that they require to fulfil their obligations. All instances of access to data stored within Convious are recorded, analysed, and reviewed.
  • To protect the confidentiality of your data, accessing, reading, and copying information stored at Convious is limited to the Convious employees who are executing this task after commissioning and review of the order, for service reasons. Accessing, reading or copying with private devices is neither permitted nor enabled.
  • As soon as you have exercised your right to deletion (Article 17 GDPR) all collected data will be anonymised, so that said data can no longer be linked to yourself.
  • To protect the integrity and confidentiality of your data, all instances of access to the information stored at Convious are logged, reported, and reviewed by our security team. The Convious servers are protected by: a) firewalls that are placed between our confidential and secure internal network and the Internet; b) IP restrictions that restrict access to approved IPs; and c) encrypted communications between the services.
  • Each of our partners can only access data that is used for tracking that partner’s customer website and for the respective end user that uses this customer website.
  • We use HTTPS for the Convious services, to guarantee secure data transmission and to prevent eavesdropping and man-in-the-middle attacks.
  • Convious reviews its data collection and processing methods on a regular basis and will revise and supplement this Privacy Policy accordingly.

  12. Topicality and amendment of this Privacy Policy

This Privacy Policy is currently valid and reflects the status as of March 2022.

This Privacy Policy may require amendments due to further development of our website and offerings, or of the Convious-based website and of our respective customer’s offerings, or due to changes to statutory or government agency requirements. You can retrieve and print out the current Privacy Policy at any time on our website at https://www.convious.com/privacy-policy.