Privacy Policy

The ways we keep your information secure.


On May 25, 2018, the most significant piece of European data protection legislation in 20 years will come into force when the European Union's (EU) General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. This Privacy Policy is meant to help you understand what data we collect, why we collect it, and what we do with it. Please take time to read our Privacy Policy carefully. We want to be clear about how we’re using information and the ways in which you can protect your privacy.


This Privacy Policy applies to your Personal Data when you visit www.kanbanize.com or use our Services through this website and does not apply to online websites or services that we do not own or control.


If you have any questions, please, contact us at: dpo (@) kanbanize.com


WHO WE ARE

The Company providing you services through this website is Businessmap Ltd. (hereinafter referred to as BMAP), a company duly organized under the law of Bulgaria, registered in Bulgaria, having its working address at “ul. Akad. Metodi Popov, 24A, 4th floor, Sofia, Bulgaria”, represented by Dimitar Karaivanov.


We take your right to privacy seriously and work continuously to keep the data we process minimized and in your control. Nevertheless, to enable you to use our services and to improve and secure them, we need to process some personal data. By using any of our services and/or registering an account you agree to have read and understood this Privacy Policy as well as our Cookie Policy.


PERSONAL DATA WE COLLECT AND HOW WE USE IT

Personal data is data that describes and is linkable to someone as a person. We collect some personal data in order to provide the services to all our clients and end users. We will only process personal data for legal reasons, if we are obliged to do so by legal authorities. We don’t sell or otherwise distribute your personal data. We may share it with our selected service providers only when it is vital for the provision of our services as explicitly described below. We may process your personal data for the following purposes:

  1. Names and Usernames – these are necessary for identification of each BMAP Software User, using BMAP Software. The main feature of BMAP Software is to manage and control processes, so it is vital to be able to recognise the person, performing the respective activities, which are being monitored.
  2. Email addresses – these are necessary for authenticating the BMAP Software Users before allowing their access to the Software, as well as for providing technical support, newsletters and notifications on the scope of BMAP Services, their update, upgrade, amendment, new releases, development and/or termination.
  3. Phone numbers – these are necessary for providing technical support and communicating conditions in respect of the provision of the Service.
  4. Job positions – these are necessary for providing the BMAP Services according to the specific job description and job requirements of each BMAP Software User as well as for providing proper technical support in accordance with the User qualifications.

Data processing activities, listed above, are necessary for the performance of the contracts with our clients, which in this case is the provision of services we offer through www.kanbanize.com. Under these contracts we are obliged to provide you with information about the latest updates on features and developments of BMAP software, so we shall use your emails to comply with such obligation. All such notifications shall be strictly service-related. We shall not be using your contacts to promote third party products or services.


BMAP shall not use any other personal data, entered or uploaded by BMAP Software Users, except for categories of data, described above. BMAP will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.


METHOD OF COLLECTION

Each BMAP Software User personally provides the Personal Data entered or uploaded to the Software.

BMAP Software Users are not allowed to enter third party personal data, including signing up a third party using their email address, without due authorization by such third party. BMAP does not monitor or control the content entered or uploaded by Users.


It is the Clients’ and each User’s responsibility to provide and guarantee that the personal data processing activities performed by the Clients and Users with the BMAP Software are compliant with the requirements of the GDPR.


SECURITY MEASURES

We take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing. We make sure that personal data is accessible only by those who need access to do their job, and that they are properly trained and authorised. Our staff is required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, ethics, and appropriate usage of data. Staff are required to execute a confidentiality agreement and are provided with proper training in online privacy and security.


SUBPROCESSORS AND PROCESSING OUT OF EU

For providing quality services BMAP engages third party service providers - Subprocessors, carefully selected according to their capacity for personal data protection and processing in compliance with BMAP’s obligations under the GDPR. We provide personal data to our Subprocessors to process it for us, only based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.


Based on the above, BMAP stores and processes User Data out of EU, including in the United States of America, where some of BMAP’s Subprocessors are based. We always check whether our US Subprocessors are compliant with the EU-U.S. and Swiss-U.S. Privacy Shield Framework. The European Commission has deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers to USA under EU law.


By using our website and Services, you consent to your Personal Data being transferred to other countries, including countries that have different data protection rules than your country.


BMAP uses the providers of the following services as Subprocessors, and User personal data may be transferred to them:

  1. Customer relationship management (HubSpot)
  2. Email server (Superhosting)
  3. Payment gateway (Braintree)
  4. Hosting services (Amazon Web Services)
  5. Billing software services (Freshbooks)
  6. Communications software (Intercom)
  7. Survey software (Wootric)

BMAP may replace its Subprocessors from time to time following the above rules of strict selection. Updated information about the list of current Subprocessors may be found at all times here on our website and we may inform you about such updates via our monthly newsletters.


None of our Subprocessors has any right to use the personal information we share with them beyond what is necessary to assist us in making our services possible. When we cooperate with third parties and they process your personal data on our behalf, we make sure your personal data will be handled with the same integrity and security as we do.


If you need an extensive overview of our trusted partners, please, contact us at: dpo (@) kanbanize.com


INFORMATION WE SHARE

We do not share personal information with companies, organizations and individuals unless one of the following circumstances applies:

  1. With your consent - we will share personal information with companies, organizations or individuals when we have your consent to do so.
  2. For making some services possible – to third party processors, as described above.
  3. For legal reasons - we will share personal information with companies, organizations or individuals, if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
    • (a) meet any applicable law, regulation, legal process or enforceable governmental request.
    • (b) enforce applicable Terms of Use, including investigation of potential violations.
    • (c) detect, prevent, or otherwise address fraud, security or technical issues.
    • (d) protect against harm to the rights, property or safety of BMAP, our users or the public as required or permitted by law.

We may share non-personally identifiable information publicly and with our partners. For example, we may share information publicly to show trends about the general use of our services.


MINORS

We provide services to and allow our website to be used only by persons aged 18 and over. If aged under 18, please ask for the assistance of a person aged at least 18 in order to use our services. If we obtain actual knowledge that we have collected personal data from a person under the age of 18, we will promptly delete it, unless we are legally obligated to retain such data. Please, contact us, if you believe that we have mistakenly or unintentionally collected information from a person under the age of 18.


DATA DELETION

In general, BMAP processes User data while the User is using BMAP services and for 180 days afterwards, in order to prevent loss of data valuable to the User and to comply with applicable legislation.


YOUR RIGHTS

You have the right to request a copy of your personal details at any time, to check the accuracy of the information held and/or to correct or update this information. You may ask for your personal information to be deleted completely, if no enquiry from you is in progress. You also have the right to complain when your personal data protection rights have been violated. For your convenience we have provided a full list of our rights in the last Section, GDPR Subject Rights.


We will make commercially reasonable efforts to provide you with reasonable access to any of your personal information we maintain or correct it within 30 days as of receipt of your access request.


Please note that after deleting your information, you shall not be able to adequately use the BMAP Services. Users have the right to delete Client Data during the above term in a manner consistent with the functionality of the Services, if such deletion is in accordance with the GDPR (please see Section GDPR Subject Rights). BMAP will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless EU or Bulgarian law requires storage. Please note that BMAP may keep that information for legitimate business or legal purposes or be required (including by contract or GDPR) to keep certain information and not delete it (or to keep this information for a certain time, in which case BMAP will comply with the deletion request only after BMAP has fulfilled such requirements).


If you wish to access, delete (when applicable) or correct your personal information, please contact: dpo (@) kanbanize.com. Please state clearly in the subject that your request concerns a privacy matter, and more specifically whether it is a request for access, correction or deletion. Bear in mind that we may ask for additional information to determine your identity.


You can at any moment unsubscribe from our newsletters and notifications, by sending a notification to dpo (@) kanbanize.com or by using the link in the mailings, but after that we shall not be able to provide you with the full set of BMAP Services, which includes regular update and information about our software and its features.


We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup systems). Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.


If an End User interacts with one of our Clients and the End User seeks to access, or correct, amend, or delete inaccurate data, especially when regarding data, entered or uploaded by Clients and End Users, the End User should address its inquiry directly to the Client because the Client is the data controller and we are only data processors. If the Client requests us to provide, correct or remove the Personal Information, we will respond to their request within 30 days, if the GDPR and our contract with the Client require so.


Complaints, in case of conflict, can be addressed to dpo (@) kanbanize.com


If you file a privacy-related complaint, we will collect your name and/or company name, name of a complaint-related person, email, and country location and details that gave rise to your complaint. We will use the information you provide to investigate your complaint and to send you an answer once your complaint is reviewed.


SUPERVISORY AUTHORITY

If you think we have infringed your privacy rights, you can lodge a complaint with the supervisory authority of Bulgaria, which is the Commission for personal data protection. More information can be found at: www.cpdp.


You can also lodge your complaint in particular in the country where you live, your place of work or place where you believe we infringed your right(s).

GDPR SUBJECT RIGHTS

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
    • (a) the purposes of the processing;
    • (b) the categories of personal data concerned;
    • (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
    • (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • (f) the right to lodge a complaint with a supervisory authority;
    • (g) where the personal data are not collected from the data subject, any available information as to their source;
    • (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • (d) the personal data have been unlawfully processed;
    • (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • (a) for exercising the right of freedom of expression and information;
    • (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • (e) for the establishment, exercise or defence of legal claims.

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • (d) the personal data have been unlawfully processed;
    • (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • (a) for exercising the right of freedom of expression and information;
    • (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • (e) for the establishment, exercise or defence of legal claims.

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
    • (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
    • (b) the processing is carried out by automated means.
  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.
  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  2. Paragraph 1 shall not apply if the decision:
    • (a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
    • (b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
    • (c) is based on the data subject's explicit consent.
  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.