Privacy Policy

On May 25, 2018, the most significant piece of European data protection legislation in 20 years will come into force when the European Union's (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. This Privacy Policy is meant to help you understand what data we collect, why we collect it, and what we do with it. Please, take time to read our Privacy policy carefully. We want to be clear how we’re using information and the ways in which you can protect your privacy.

This Privacy Policy applies to your Personal Data when you visit www.businessmap.io or use our Services through this website and does not apply to online websites or services that we do not own or control.

If you have any questions, please, contact us at: dpo (@) kanbanize.com

WHO WE ARE

The Company providing you services through this website is Businessmap Ltd. (referred to hereinafter as BMAP), a company duly organized under the law of Bulgaria, registered in Bulgaria, having its working address at 84 "Aleksandar Stamboliyski" blvd., 4th floor, office 18, 1303 Sofia, Bulgaria, represented by Dimitar Karaivanov.

We take your right to privacy seriously and work continuously to keep the data we process minimized and in your control. Nevertheless, to enable you to use our services and to improve and secure them, we need to process some personal data. By using any of our services and/or registering an account you agree to have read and understood this Privacy Policy as well as our Cookie Policy.

PERSONAL DATA WE COLLECT AND HOW WE USE IT

Personal data is data that describes and is linkable to someone as a person. We collect some personal data in order to provide the services to all our clients and end users. We will only process personal data for legal reasons, if we are obliged to do so by legal authorities. We don’t sell or otherwise distribute your personal data. We may share it with our selected service providers only when it is vital for the provision of our services as explicitly described below. We may process your personal data for the following purposes:

Personal data of BMAP Software Users (“BMAP Software Users”)

  1. Names and Usernames – these are necessary for identification of each BMAP Software User, using BMAP Software. The main feature of BMAP Software is to manage and control processes, so it is vital to be able to recognise the person, performing the respective activities, which are being monitored.
  2. Email addresses – these are necessary for authenticating the BMAP Software Users before allowing their access to the Software, as well as for providing technical support, newsletters and notifications on the scope of BMAP Services, their update, upgrade, amendment, new releases, development and/or termination. During the trial period these are necessary for providing information and answering requests and enquiries, regarding BMAP Services.
  3. Phone numbers - these are necessary for providing technical support and communicating conditions in respect of the Service providing.
  4. Job positions – these are necessary for providing the BMAP Services according to the specific job description and job requirements of each BMAP Software User as well as for providing of proper technical support in accordance with the User qualifications.

The legal basis for processing such data by BMAP is the performance of a contract according to Article 6 (1) (b) GDPR.

Personal data of individuals involved in the sales and support activities related to the Software (“Individuals”):

  1. Name – necessary for identification of the Data Subject. It is vital to be able to recognise the person, performing the respective sales and support activities.
  2. Email address – necessary for authenticating the individual before allowing its access to the Software and any other data, as well as for communication in connection with the sales and support activities related to the Software.
  3. Phone number - necessary for providing technical support and communicating conditions in respect of the Software.
  4. Job position – necessary for providing adequate communication according to the specific job description and job requirements and providing of proper support in accordance with the individual qualifications.

The legal basis for the processing of data provided in the context of the collection and storage of business contact data is Article 6 (1) (f) GDPR. If the establishment of contact is based on pre-contractual measures or aims at the conclusion or prolongation of a contract, Article 6 (1) (b) GDPR is the additional legal basis for the processing.

In case of the subject's consent, the legal basis for processing of the data is Article 6 (1) (a) GDPR.

Purpose of data processing is administration of the contractual obligations with BMAP. The processing of business contact data may be used for one or more of the following purposes: maintenance of contact, information exchange, business cooperation, financial statements and issues. The necessary legitimate interest in the processing of the data is related to the aforementioned purposes.

Other Personal Data:

Other personal data may be entered or uploaded in the Software by the Users, the Individuals or third parties to which access to the BMAP Software has been provided in the process of using the Software.

The legal basis for processing such data by BMAP is the performance of a contract according to Article 6 (1) (b) GDPR.

Processing activities:

Processing activities are performed for the purpose of and in relation to providing the Services through the BMAP software, including storage, processing and use of Data for the purpose of providing the Services, providing technical support, communication in regard to use of Services and related activities. Users’ and Individuals' personal data may be used also, where applicable, for accounting, billing and payment purposes, digital signing and other facilitations, related to our services and the performance of our contractual obligations.

Other Personal Data uploaded in the BMAP Software, not indicated in the categories of data above, if any, shall be stored by BMAP within the scope of the BMAP Services.

Data processing activities listed above, are necessary for the performance of the contracts with our clients, which in this case is the provision of Services we offer through www.businessmap.io. Under these contracts we are obliged to provide you with information about the latest updates on features and developments of BMAP software, so we shall use your emails to comply with such obligation. All such notifications shall be strictly service-related. We shall not be using your contacts to promote third party products or services.

BMAP shall not use any other personal data, entered or uploaded by BMAP Software Users, Individuals or third parties to which access to the software has been given, except for categories of data, described above. BMAP will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

METHOD OF COLLECTION

Each BMAP Software User and Individual personally provides the Personal Data entered or uploaded to the Software.

BMAP Software Users and Individuals are not allowed to enter third party personal data, including signing up a third party using their email address, without due authorization by such third party, or to upload any Other Personal Data without due authorization by such third party. BMAP does not monitor or control the content entered or uploaded by BMAP Software Users and Individuals.

It is the BMAP Clients’ and each User’s/Individual’s responsibility to provide and guarantee that the personal data processing activities performed by the Clients and Users, respectively Individuals, with the BMAP Software are compliant with the requirements of the GDPR, including in regard to the transfer of data towards the subprocessors listed herein and the transfer of data outside the EU/EEA as described herein.

SECURITY MEASURES

We take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing. We make sure that personal data is accessible only by those who need access to do their job, and that they are properly trained and authorised. Our staff is required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, ethics, and appropriate usage of data. Staff are required to execute a confidentiality agreement and are provided with proper training in online privacy and security.

SUBPROCESSORS AND PROCESSING OUT OF EU

For providing quality services BMAP engages third party service providers - Subprocessors, carefully selected according to their capacity for personal data protection and processing in compliance with BMAP’s obligations under the GDPR. We provide personal data to our Subprocessors to process it for us, only based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Based on the above, BMAP stores and processes Data out of the EU, including in the United States of America, where some of BMAP’s Subprocessors are based.

By using our website and Services, you consent to your Personal Data being transferred to other countries, including countries that have different data protection rules than your country.

You give your explicit consent for personal data transfers outside the EU/EEA to the subprocessors listed below, on your own behalf (for subprocessors, to which BMAP Software Users and Individuals personal data is transferred) and on behalf of all data subjects, whose personal data is entered in the Software by you or by any third party to which you have provided access to the BMAP Software (for subprocessors, to which third party personal data is transferred), including Other Personal Data. You confirm that you have been informed and aware that there may be certain possible risks of transfers of personal data to third countries outside the EU/EEA, including the USA, such as: the third country may not ensure an adequate level of data protection pursuant to Article 45 of the GDPR.

You are responsible for informing all data subjects, whose personal data you entered in the Software, including Other Personal Data, that such personal data may be transferred outside the EU/EEA, including the USA, towards the subprocessors listed herein below, and about all possible risks of such transfer. It shall be your sole responsibility to acquire all data subjects’ explicit consent for such transfer after providing them with the information on possible risks and before entering or uploading any third party personal data in the Software.

BMAP uses the Subprocessors listed in Annex "Approved Subprocessors" below, and personal data entered or uploaded by you in the Software shall be transferred to them.

BMAP uses the Subprocessors listed in Annex "BMAP Subprocessors" below, and BMAP Software Users' and Individuals' personal data may be transferred to them.

BMAP may replace its Subprocessors from time to time. You agree that the list of current Subprocessors may be amended. You agree that if we amend the list of subprocessors in Annex "BMAP Subprocessors", we may inform you about such updates via our monthly newsletters. You agree that if we amend the list of subprocessors in the Annex "Approved Subprocessors", BMAP shall give the clients a written notice of 30 calendar days through a newsletter or via email.

In transfers of personal data outside the EU/EEA BMAP shall take such measures as are reasonably applicable to ensure the transfer is in compliance with applicable data protection legislation. You declare to be informed and agree that such measures shall be transferring the personal data: (i) to a recipient in a country that the European Commission has decided provides adequate protection for personal data; or (ii) to a recipient that has achieved binding corporate rules authorisation in accordance with the applicable data protection legislation; or (iii) to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.

In order to provide your optimal comfort, thorough understanding and effective use of BMAP Software, BMAP may also from time to time engage local partners, speaking the language of your country of origin, registration or operations. By using our website and Services, you consent to BMAP introducing you to such partners via email for the purposes described herein.

None of our Subprocessors has any right to use the personal information we share with them beyond what is necessary to assist us in making our services possible. When we cooperate with third parties and they process your personal data on our behalf, we make sure your personal data will be handled with the same integrity and security as we do.

You should keep in mind that our website is integrated with and uses Google Analytics. The Google platform uses tools to acquire information when you have visited our site. Within these tools, we do not have the ability to recognize the individuals whose data is generated. However, this information can be personalized by Google and affect the content Google shows you. For more information and deactivation of certain features, you should use the settings of the Google platform, as we have no control over it and we cannot block its functionalities. Through the control panels of your accounts on the platform, you can also make the appropriate privacy and privacy management settings, including the data management and information Google receives from us, since after the data is transmitted we cannot exercise full control over data processing, including data deletion.

If you need an extensive overview of our trusted partners, please, contact us at: dpo (@) kanbanize.com

INFORMATION WE SHARE

We do not share personal information with companies, organizations and individuals unless one of the following circumstances applies:

  1. With your consent - we will share personal information with companies, organizations or individuals when we have your consent to do so.
  2. For making some services possible – to third party processors, as described above.
  3. For legal reasons - we will share personal information with companies, organizations or individuals if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
    • meet any applicable law, regulation, legal process, or enforceable governmental request.
    • enforce applicable Terms of Use, including investigation of potential violations.
    • detect, prevent, or otherwise address fraud, security, or technical issues.
    • protect against harm to the rights, property, or safety of BMAP, our users, or the public as required or permitted by law.

We may share non-personally identifiable information publicly and with our partners. For example, we may share information publicly to show trends about the general use of our services.

MINORS

We provide services to and allow our website to be used only by persons aged 18 and over. If aged under 18, please ask for the assistance of a person aged at least 18 in order to use our services. If we obtain actual knowledge that we have collected personal data from a person under the age of 18, we will promptly delete it, unless we are legally obligated to retain such data. Please, contact us, if you believe that we have mistakenly or unintentionally collected information from a person under the age of 18.

DATA DELETION

In general, BMAP processes data while the User is using BMAP services and for 180 days afterwards in order to prevent loss of data valuable to the User and to comply with applicable legislation. Data collected in the trial period shall be processed for 180 days after the trial period in order to facilitate sustainable communication and integrity with returning users.

YOUR RIGHTS

You have the right to request a copy of your personal details at any time, to check the accuracy of the information held and/or to correct or update this information. You may ask your personal information to be deleted completely, if no enquiry from you is in progress. You also have the right to complain when your personal data protection rights have been violated. For your convenience we have provided a full list of our rights in the last Section GDPR Subject Rights.

We will make commercially reasonable efforts to provide you with reasonable access to any of your personal information we maintain or correct it within 30 days as of receipt of your access request.

If you have given your consent to the processing of personal data, you have the possibility to withdraw your consent for processing. In this case, all personal data will be deleted, unless there are legal reasons to the contrary.

Please note that after deleting your information, you shall not be able to use the BMAP Services adequately. Users have the right to delete Client Data during the above term in a manner consistent with the functionality of the Services, if such deletion is in accordance with the GDPR (please see Section GDPR Subject Rights). BMAP will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless EU or Bulgarian law requires storage. Please note that BMAP may keep that information for legitimate business or legal purposes or be required (including by contract or GDPR) to keep certain information and not delete it (or to keep this information for a certain time, in which case BMAP will comply with the deletion request only after BMAP has fulfilled such requirements).

If you wish to access, delete (when applicable) or correct your personal information, please contact: dpo (@) kanbanize.com. Please state clearly in the subject that your request concerns a privacy matter, and more specifically whether it is a request for access, correction or deletion. Bear in mind that we may ask for additional information to determine your identity.

You can at any moment unsubscribe from our newsletters and notifications, by sending a notification to dpo (@) kanbanize.com or by using the link in the mailings, but after that we shall not be able to provide you with the full set of BMAP Services, which includes regular update and information about our software and its features.

We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup systems). Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.

If you interact with our Clients and you seek to access, correct, amend, or delete inaccurate data, especially data entered or uploaded by Clients and/or Users/Individuals, you should address your inquiry directly to the Client, because the Client is the data controller and we are only data processors. If the Client requests us to provide, correct or remove the Personal Information, we will respond to their request within 30 days, if the GDPR and our contract with the Client require so.

Complaints, in case of conflict, can be addressed to dpo (@) kanbanize.com

If you file a privacy-related complaint, we will collect your name and/or company name, name of a complaint-related person, email, and country location and details that gave rise to your complaint. We will use the information you provide to investigate your complaint and to send you an answer once your complaint is reviewed.

SUPERVISORY AUTHORITY

If you think we have infringed your privacy rights, you can lodge a complaint with the supervisory authority of Bulgaria, which is the Commission for personal data protection. More information can be found at: www.cpdp.

You can also lodge your complaint in particular in the country where you live, your place of work or place where you believe we infringed your right(s).

Annex "Approved Subprocessors"

For Clients who have opted to use the EU Amazon Web Services, BMAP shall not use the services of US Amazon Web Services.

| Type | Subprocessor | EU / Non-EU | Client Data | Comment |
|---|---|---|---|---|
| Email server | Superhosting | EU | Email-related data | |
| Hosting | Amazon Web Services | EU | All application data | Data center in Ireland. Client can request to move the Data to the EU data center. |
| Hosting | Amazon Web Services | USA | All application data | Data center in USA. This is the default data center. |

Annex "BMAP Subprocessors"

| Name | Service | Country |
|---|---|---|
| HubSpot | Customer relationship management | USA |
| Superhosting | Email server | BG |
| Braintree | Payment gateway | USA |
| Amazon Web Services | Hosting services US | USA |
| Amazon Web Services | Hosting services EU | Ireland |
| Freshbooks | Billing software services | Canada |
| Zapier | Cloud-based integration platform | USA |

GDPR SUBJECT RIGHTS

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defence of legal claims.

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise, or defence of legal claims.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    2. the processing is carried out by automated means.
  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
    1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
    3. is based on the data subject's explicit consent.
  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.