Data Processing Addendum
Last Updated: May 05, 2021
Kwinkie is committed to ensuring that the collection and processing of your data is carried out in a lawful, fair, and transparent manner, in accordance with the General Data Protection Regulations (“GDPR”) and its subsequent amendments from time to time, and the amended French Data Protection Act of 1978 (collectively, the “Regulations”).
Kwinkie limits the collection of personal data from its prospects and Clients to what is strictly necessary, in accordance with the principle of data minimization, and indicates the purposes of the collection, whether providing the data is optional or mandatory to manage requests, and who can read it.
Kwinkie hereby clearly informs you about the processing of personal data that it implements in the course of its activity, and about how the data is collected, used and protected. Kwinkie also informs you that data security is a priority and that tests are carried out regularly to preserve the integrity of the data against any risk of intentional or unintentional breach.
1. OUR COMMITMENTS AS PROCESSORS
Within the framework of their contractual relations, the parties undertake to respect the Regulations. The “parties” referred to are Kwinkie and the Client.
The parties recognize and accept that the Client is the person in charge of the processing of personal data collected and processed (the “Controller”) within the framework of the execution of the general conditions that the Client has agreed to, and that the Client alone assumes full responsibility for the conformity of the said processing with the applicable Regulations, in particular with regard to the Members. To the extent any investigation or action is commenced against us as a result of your processing, sharing, or transferring of the Members’ personal data (except if caused by our failure to fulfill our obligations under this DPA), you will indemnify, defend and hold us and our agents and representatives harmless.
This policy defines the conditions under which Kwinkie, as processor (the “Processor”), undertakes to carry out on behalf of the Client, as Controller, the personal data processing operations defined below.
1.1 DESCRIPTION OF THE DATA PROCESSING OPERATIONS
The Processor is authorized to process on behalf of the Controller the personal data necessary to provide the service(s) provided for in its subscription to the Kwinkie Platform (the “Platform”).
The processing operations governed by this DPA are any operation or set of operations, whether or not carried out by automated means, applied to personal data or sets of personal data via the Platform, such as collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, deletion or destruction.
The functionalities of the Platform are intended for the management of a client-prospect file, the online sale, and the delivery of their online services. Clients have tools and functionalities on the Platform allowing them to:
- create, customize and manage their sales funnels with online payment methods;
- capture email data, send newsletters and email sequences, and track and optimize their launch and sales operations.
On their Platform, Clients will collect and process the following categories of personal data of their Members:
- Identification data (Surname; forename; date of birth...)
- Contact data (telephone number; e-mail address; postal address...)
- Data related to professional life (company name; postal address of the company; company ID number; EIN...)
- Connection data (IP address; connection logs...)
- Training follow-up and content consultation data (progress logs; knowledge tests, etc.)
- Payment, banking, and billing data.
1.2 DATA RETENTION PERIODS
Data relating to the contractual relationship between Client and their Members are kept for the duration of the Client's subscription to the Platform, unless the Client deletes the data from the Platform or unless otherwise indicated below.
During the subscription period, certain data categories will be automatically deleted:
- Platform usage data will be deleted five years after that Member's last payment to the Client, with only information about their identity, contact information, and the order placed (date, price, content, billing...) being retained until the end of the Client's subscription.
- Browsing data, opening, and clicking of emails are kept for three years and then archived for a maximum period of two years, regardless of the duration of the Client's subscription to the Platform.
- The audience measurement statistics may be kept for a maximum of 13 months, then in an anonymized form only.
It is the Client's responsibility to delete contacts or deactivate the sending of its commercial prospecting messages on the Platform in accordance with the applicable deadlines.
It is up to the Client to proceed to any backup and/or archiving of the data concerning its Members by proceeding to their extraction and by storing them outside the Platform in a secure way. Kwinkie is under no obligation to archive or backup on behalf of the Client after the end of Client’s subscription and may proceed to automatic deletions according to the retention periods defined above.
The Client is the Controller within the meaning of the GDPR and is solely responsible for the determination of the retention periods which relate to Client’s Members, via the Platform where Client can manage manually the data which Client wishes to keep or not, and outside the Platform if necessary.
1.3 KWINKIE'S COMMITMENTS AS PROCESSOR
Kwinkie undertakes to:
- Process the data only for the purposes for which it is a Processor;
- Process the data in accordance with the Client's instructions, and the Client's use of the Platform's features. If Kwinkie considers that an instruction constitutes a violation of the GDPR, it will inform the Controller;
- Guarantee the confidentiality of personal data processed in the context of the Client's subscription;
- Ensure that persons authorized to process personal data under this policy undertake to respect confidentiality or are subject to an appropriate legal obligation and receive the necessary training in data protection;
- Take into account, with regard to its tools, products, applications, or services, the principles of data protection by design and data protection by default.
Any advice on how to use the Platform is provided for informational purposes only and it is the Client's responsibility to select the settings, provide the information, and carry out any processing on the Platform in accordance with the GDPR, the framework for commercial prospecting, and any other rule applying to its activities.
1.4 THE CLIENT'S COMMITMENTS AS CONTROLLER
The Client guarantees and declares that:
- It only collects personal data that are adequate, relevant, and limited to what is necessary for the purposes for which they are processed. In this respect, the Client undertakes to use the functionalities of the Platform in compliance with the obligations provided for by the GDPR and not to divert them from their purpose;
- It respects the applicable Regulation, including the GDPR, and ensures that Client’s instructions on the Platform and to Kwinkie are in compliance with such Regulation;
- It is authorized, in accordance with the applicable Regulation, to communicate to Kwinkie the personal data of the Members concerned by the processing;
- It will provide the legal information required and will obtain, if necessary, the consent of the persons concerned in accordance with the applicable Regulations, in order to communicate and allow Kwinkie to process the data, and that Kwinkie may communicate them to its service provider partners; to any public authority where applicable; to any third party in the context of the performance of a legal or regulatory obligation on Kwinkie; and to any other person entitled to request the communication of the information, including where the recipients of the personal data are outside the European Economic Area.
Clients are expressly informed that Kwinkie does not authorize the collection of ethnic, social, religious, or political data, or of any other type of personal data that is sensitive by nature, in particular via surveys. As Controllers for their Members’ data, Clients are solely responsible for their collection.
The Client expressly accepts that it is solely responsible for the lawfulness and consequences of the collection and other processing of personal data carried out on the Platform under its control and directions.
The Client is solely responsible for the configuration of its Platform, particularly in terms of legal information to its Members, the reasonable and compliant use of emailing or SMS tools to carry out commercial prospecting, the information and collection of consent regarding cookies, the information requested via survey tools, the compliance of the affiliation system that it may set up, the control of the access rights that it is likely to grant to third parties, etc.
The Client is informed that Kwinkie ensures a “zero policy” with regard to SPAM at the time of the importation of contacts by a Client in the Platform. In particular, in the event that more than 0.35% of the recipients of an email report it as “junk mail,” Kwinkie reserves the right to ask the Client for any justification concerning its fair use of the emailing tools at its disposal.
Kwinkie may use another processor (hereinafter the “Sub-processor”) to conduct specific processing activities. In this case, it shall inform the Client in advance and in writing of any contemplated changes regarding the addition or replacement of other Sub-processors under the conditions provided for by the GDPR.
The subsequent Sub-processors involved in the provision of the Platform are listed in the Appendix to this policy. The Client declares that all of the listed Sub-processors present sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets its expectations and the requirements of the GDPR, including with regard to data transfers when this Sub-processor is located outside the European Union.
The Client has a period of ten days from the date of receipt of this information to raise any objections, unless otherwise stated in the communication. In the absence of objections, the change will be deemed accepted.
The use of these third-party solutions allows the Platform's standard functionality to be offered. If the Client refuses the use of these third-party solutions, the Client must advise Kwinkie, which may propose alternative solutions whose cost will be estimated beforehand. The Client is informed that refusing a subsequent Sub-processor can lead to malfunctions.
The use of third-party solutions may be subject to certain conditions by their provider, for example, the YouTube API in accordance with its contractual documentation referred to in the Appendix.
Clients may use other third-party solutions than those used by default on the Platform and listed as a Sub-processor in the Appendix and/or provide Members with links to other sites, platforms, applications, and services, distributed and operated by third-party companies. Before using the services of a third-party involving co-processing or Sub-processing of personal data, it is the Client's responsibility to check the compliance with the GDPR of this third-party and the lawfulness of the processing envisaged. Kwinkie can in no way be held responsible for the compliance of these third-parties with the GDPR.
1.6 RIGHTS OF THE PERSONS CONCERNED
The rights of the persons concerned are the rights of access, rectification, erasure and objection, right to limitation of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
When Members and/or persons concerned make requests to Kwinkie to exercise their rights, Kwinkie will send these requests upon receipt to the Client at the last email address provided. Kwinkie is authorized to inform the Members and/or persons concerned that it is not responsible for the exercise of their rights and may transmit the email and/or postal address of the Client to the Member and/or person concerned to enable him/her to contact the Client directly.
1.7 SECURITY MEASURES
Kwinkie undertakes to implement all appropriate technical and organizational measures through physical and logistical means of security sufficient to provide a level of security appropriate to the risks of a security breach.
The websites created on the Platform are by default subject to the HTTPS security protocol applicable to data storage in particular.
The Client is informed and accepts that the Platform may include technical devices that allow the use of its sites and services to be tracked (user account connected, IP address, type of application used, various logs of connection and use of the User's account, etc.) and that may be used in the context of the fight against counterfeiting, and/or to identify and/or prevent any illicit or non-compliant use of the Platform by its Members. It is the Client's responsibility to inform its Members.
At the Client's request, Kwinkie can transmit a more detailed description of its security and governance policy, excluding strategic or sensitive information covered by business secrecy.
In the event of a breach of security on the Platform leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to such data, Kwinkie will inform the Clients concerned by the breach, in their capacity as the parties responsible for processing, so that they are able to fulfill their obligations to Members.
1.8 DATA DISPOSITION
During the Client's subscription and beyond if necessary, Kwinkie undertakes to destroy the personal data at the end of the periods defined in this DPA.
When the Client has terminated its subscription, Kwinkie reserves the right to reduce these periods at any time after having informed the Client. The Client may ask Kwinkie to return all personal data collected and processed on its Platform before proceeding with their final destruction.
This return is not automatic and must be expressly requested before the end of the subscription and at the latest 10 days after its termination. The Client can also make this request to Kwinkie during the subscription. In any case, extracting and returning data in a readable format may give rise to intervention expenses depending on the nature and quantity of data to extract, of which the Client will be informed beforehand.
In case of termination, the Client is informed that Kwinkie will maintain its Platform on a data backup system ("back-up") for a limited period of thirty days at the end of its subscription. At the end of this period, all the data on the Client's Platform will be permanently deleted from the servers, which the Client expressly accepts.
1.9 DATA TRANSFERS
The Client is informed that the use of the Platform may involve a transfer of data concerning the Members to countries outside the European Union, given the features included in the Client's subscription that may be provided or hosted by third-parties established outside the European Union.
The Client may inquire at any time about the status of the transfers and the documentation relating to the guarantees provided by the subsequent Sub-processors for the compliance of these transfers in the Appendix and ask Kwinkie for any additional information on the details of the transfers.
In case of transfer to the United States, Kwinkie verifies that the Sub-processor complies with the standard contractual clauses (“SCC”), i.e., the model contracts for the transfer of personal data adopted by the European Commission, and that the American legislation does not compromise the adequate level of protection that the clauses and measures provided by the SCC guarantee.
Client's acceptance of the Sub-processor involved in a data transfer shall constitute acceptance without reservation of the guarantees relating to the transfer provided by that Sub-processor in the documentation referred to in the Appendix. It is the Client's responsibility to inform the persons concerned in accordance with the GDPR that their registration on the Client's Platform is likely to lead to data transfers, in particular to the United States.
1.10 PRECEDENCE AND BINDING CONTRACT
APPENDIX: LIST OF SUB-PROCESSORS
1 North Dearborn St
548 MARKET ST, #62411, SAN FRANCISCO, CA, 94104, USA
Application Interconnection: https://zapier.com/help/account/data-management/zapiers-data-processing-addendum
5, Rue Plaetis, Luxembourg City, L-2338, Luxembourg