Our Privacy Policy


PRIVACY POLICY

GENERAL PRINCIPLES

As of May 25, 2018, the new EU GDPR regulation has come into effect. In accordance with the new law, the processing of personal data (also referred to here as Personally Identifiable Information or PII) must now be carefully handled and monitored.

We will cooperate in good faith with you and the appropriate local authorities in order to ensure fulfillment of all our obligations under EU GDPR law regarding personal information processing and respecting your rights. To this end, we use advanced technical measures such as: cookie-less systems on our websites (target: zero cookies), stored data minimization, encrypted storage with keys managed by our firm (not provided to third parties), time-limited processing, automated deletion of data when the storage period expires, using data processors that comply with GDPR regarding personal data processing, insulating the data against the processors wherever possible, websites with minimal attack surface, and other measures of security and data protection.

 
Therefore, the privacy of users accessing our web pages and of our clients is very important to us, and in this respect we want to inform you through this privacy policy, regarding: (A) Identity and contact data of your data controller (our company), (B) expressing consent for personal data processing, (C) the purpose of personal data processing, (D) the target of data processing, (E) the duration of data storage, (F) measures implemented to prevent security incidents, (G) your rights and ways to enforce them.

(A) IDENTITY AND CONTACT INFORMATION.

Your personal data is processed by us, EMSAI INDUSTRIAL S.R.L. (trading as Emsai Software) located in Bucharest, Registered Address: 60 Spatar Milescu, Sector 2, Romania. Registered with Bucharest Trade Register under no. J40/10162/2000; company identification number 13506540.

(B) EXPRESSING CONSENT FOR PERSONAL DATA PROCESSING

When signing up with us OR when placing an online order or subscription request with us, before your information is accepted for order processing you are taken through our Privacy Policy. In order to continue processing the order you will check the appropriate checkbox to give your consent for such personal data processing. Upon checking, you will be redirected to your user account or order page (depending on the case) to finalize entering the data.

Newsletter: You also have the possibility to subscribe to our newsletter by checking the second checkbox. By doing so, you express your consent to receive our newsletter, news and special offers. Afterwards you will also receive a confirmation email, and you need to confirm your choice through that confirmation email (double opt-in). In each email you will always find the Unsubscribe option, which lets you withdraw your consent at any time. By unsubscribing, you will no longer receive e-mails about our news and special offers.

Automatic Notification Emails: We recommend that all our Clients opt in to automatic notifications so that they are informed about important events such as maintenance intervals, account events, errors and more. You can opt in to or out of these automatic emails at any time from your User Panel Settings.

(C) PURPOSE OF PROCESSING YOUR PERSONAL INFORMATION

I) ELECTRONIC PERSONAL DATA COLLECTION

a) ORDER PROCESSING, INVOICING AND SUBSCRIPTIONS

In order to complete an order, it is necessary to provide us with the following types of personal data: name, surname, email address, phone number(s), invoicing address. All this PII is subsequently stored in our databases and processed in order to perform the following operations: preparing and sending quotes and offers upon request; generating pro-forma invoices, processing orders and issuing invoices.

b) LOGGING, TRAFFIC STATISTICS AND CONVERSIONS:

i) We collect traffic logging data that includes the visitor's IP address and browser signature while requests are made to our website. This PII is used and stored strictly for security and logging purposes (legitimate interest), unless consent is given for additional usage (traffic statistics; conversions) as described below in this document;

ii) For conversion tracking / statistics, our system might use a browser signature and/or persistent cookie depending on the case. However, our Clients are required to obtain visitor consent before using such persistent tracking methods and the corresponding PII. If consent is given, the data obtained at i) above might also be used in order to match the requests, generate statistics and track conversions.

c) CONTRACT FULFILLMENT

We will process your PII to the extent this is necessary for the performance of our contract with you for the use of our website and to fulfill our obligations under the applicable terms of use/service; where we have not entered into a contract with you, we base the processing of your PII on our legitimate interest to operate and administer our website and to provide you with content you access and request (e.g., download of certain content from our website) and with access to your user account and user panel.

d) COMPLYING WITH LEGAL OBLIGATIONS

We will process your PII when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of PII to protect our rights, and is necessary for our legitimate interests to protect against misuse or abuse of our website, to protect personal property or safety, to pursue remedies available to us and limit our damages, to comply with judicial proceedings, a court order or legal process, and/or to respond to lawful requests.

II. NEWSLETTER SUBSCRIPTION (optional)

Any interested person can optionally subscribe to our newsletter; if you intend to do so, you will supply us with your name, surname and e-mail address. We use a double opt-in method, in accordance with local regulations, which means that our news and offers will be emailed only to those persons who have explicitly given consent in this matter. Important: We do not tolerate or send spam at all.

IV. OUR SERVERS

The servers that host our website automatically collect certain pieces of information in the form of log files (like any other average website or server). These log files contain the IP addresses of our visitors; they are used for security measures, and the processing is described below in this document.

(D) TARGET OF PERSONAL DATA

We do not share PII with third parties without user consent.

Conversions: For tracking conversions, we share with our Clients their own visitors' IP addresses and browser signatures, for the sole purpose of statistics and conversion tracking / matching. Acceptance by our Client's visitors might be required before applying conversions, depending on the method being used. In such a case, consent must be obtained by our Clients from their own website visitors before PII is used. If consent does not exist, any non-anonymized PII will not be shared with any third party and will only be used for internal security and logging purposes.

(E) DURATION OF PERSONAL DATA STORAGE

We respect your right to privacy regarding the personal information you provide in order for us to perform the services requested (such as providing you with your user account), this being the sole purpose of processing.

The emails you send to us in order to place an order and/or to request an offer are stored for 3 years from completion, and deleted when this term expires, unless you have a user account with us.

If you have a user account with us, your PII is stored within your account for as long as your account exists. If you no longer intend to hold the account with us, simply request closure of your account.

Furthermore, your personal data used for invoicing is processed by our financial department for accounting and legal compliance purposes, and is stored in electronic and/or paper format for 10 years, starting with the end of the current fiscal year; this includes users who have requested account closure and/or deletion of their data. When this legal compliance term expires, your personal data is deleted and any associated paper documents are also securely destroyed.

(F) CONVERSION TRACKING AND PII

We might perform conversion tracking on behalf of our Clients regarding our Client's traffic handled through our platform, as explained below. In the conversion process, our Clients are the Data Controller and we are Data Processors. Our Clients need consent from their own users before using a conversion method that processes PII. The process is explained here for both parties. We also strongly recommend that our Clients seek legal advice before settling on a conversion method.

Purpose of Conversion Tracking: To allow our Clients to identify their sales values and the sources of traffic that convert best, and to optimize landing pages.

Technical Methods of Conversion Tracking and impact on PII:

I) Tracking via session cookie and anonymized IP (default): this method uses a temporary session cookie that is erased when the user's browser is closed. The session cookie also lives for only an hour, while the session exists. This method only tracks direct conversions, that is, sales made within the same browser session, such as direct purchases. If the session no longer exists, then depending on the user setting the system might attempt to fall back to the anonymized IP of the original request in order to "restore" the session and generate the conversion (imprecise). This default method is GDPR-compliant, but not very accurate due to GDPR constraints: direct purchases made while the session exists are tracked accurately, but session loss can be significant and session recovery often creates false matches. We recommend this method to our Clients whenever, for any reason, they cannot request consent from their users for using precise/persistent conversion tracking identifiers.

II) Tracking via Browser Fingerprinting and/or Persistent Cookie: this conversion tracking method uses a combination of browser fingerprinting and/or a cookie for conversion tracking. This is a highly accurate method. However, our Clients need to obtain visitor consent before using this method.

Whenever consent is not given, our Clients can configure the system to fall back to option I) above.

Technical Notes:

- Session Cookie = a session-based, non-persistent cookie that is destroyed after the session ends (the user closes the browser, or the session expires);

- Anonymized IP = an IPv4 address that has had its last octet set to 0. For example, 22.33.44.55 becomes 22.33.44.0. In this way the original IP address cannot be identified with precision. This method is commonly used with web statistics and analytics tools, in order to provide GDPR compliance;

- Browser Fingerprinting / Browser signature = a technique to identify users. It uses the request data plus more detailed browser and OS information, such as operating system, screen size and more, to create a unique "fingerprint" of a certain visitor. (Important: This technique requires visitor consent before being used);

- Persistent Cookie = a cookie that is set and persists on the user's computer for a longer time. (This technique requires visitor consent before being used).

(G) MEASURES TAKEN TO PREVENT SECURITY INCIDENTS

We perform activities to review and delete unnecessary personal data periodically.

Our Public Website: We currently do NOT use persistent cookies on our public website. We have a general "cookie-less" implementation of the public website in order to meet the data protection need of our users. We perform website reviews periodically in order to prevent the appearance of any unwanted cookies.

Our web server logs and traffic log database are stored for security purposes and to identify technical errors, for 5 years maximum, and then they are deleted, with the exception of cases when longer storage is needed for justified reasons; in such cases they can be stored for 7 years max.

The server logs contain your IP address, browser signature, URL, date and time, as well as the referrer of the page being visited. These logs are processed strictly as a security measure and/or in order to identify technical errors.

Conversion Tracking: Conversion tracking requires a different process where PII is used on behalf of our Clients. In this case, we are working as Data Processor on behalf of our Clients. The Client's traffic data is matched with the sale via information extracted from existing log files and the traffic log database, the sole purpose being to apply conversion information and value to the Client's statistics. Our Clients are required to first obtain their users' consent BEFORE using persistent user tracking on their website, in order to remain compliant with GDPR themselves.

Hosting: Our Clients' data is stored in servers hosted by OVH, one of the world leaders in the field. You can find more information here: (OVH DPA). OVH is a GDPR compliant host. Furthermore, they make use of a full virtualization system (KVM) that offers a high degree of data insulation between our databases and the host.

Encrypted databases: Our databases containing PII are fully encrypted at rest, and we store our own encryption keys. In this way, the data is insulated against the host/processor, and they have no direct access to it.

Encrypted backup: All our data is also saved in automated backup systems that comply with GDPR, such as CrashPlan (CrashPlan DPA) and iDrive (iDrive DPA), as well as on our own servers. Both backup systems mentioned earlier are certified as being in compliance with the EU-US Privacy Shield for transfers in third-party countries. Furthermore the data is stored in encrypted format, and we hold our own encryption keys. As a result, the backup data is insulated against these data processors, and they do not have direct access to the data.

(H) YOUR RIGHTS AND WAYS TO ENFORCE THEM

i) Right to access the data: the right to request a copy of your own personal data being stored and processed by us, but also, if possible and reasonable, information such as: the categories of data being processed, available information regarding the source of the data, the commercial purposes of processing, the retention period (or the criteria used to establish the retention period), the categories of third-party recipients of PII, as well as information regarding the logical mechanism applied and the potential negative consequences it might have for you, and information regarding the existence of the right to intervene on the data and the right to opposition, as well as the conditions in which they can be exercised;

ii) Right to opposition: the right to oppose, at any moment and for reasons related to your particular situation, the processing of your personal data by us. The right to opposition gives you the possibility to request that we stop processing your personal data. If you decide to exercise this right, we will no longer process your PII for the specified purpose. Exercising this right does not incur any cost for you. This right might be invalidated, specifically if processing of your personal data is necessary for the formalities of entering into a contract or fulfilling an existing contract;

iii) Right to data portability: the right to have the personal data we have stored about you transmitted in a structured, commonly used format that can be read by devices, and the right to transmit this data to another entity without objection on our part;

iv) Right to withdraw your data processing consent: you have the right to withdraw the consent you gave us for processing your personal data, at any given time and in a way as simple as the one used to give consent. You do not have to justify withdrawing consent;

v) Right to rectification: the right to request us to correct your inaccurate personal data, as well as the right to complete your incomplete personal data whenever necessary;

vi) Right to data erasure ("right to be forgotten"), with certain exceptions: cases in which we have a legal obligation to continue retaining your PII; cases in which your data is used for archiving purposes in the public interest or for statistical reasons; cases in which the data is needed in order to verify, exercise or defend a right in court;

vii) Right to restrict the processing: the right to request restriction of processing your personal data. In such case, your PII will be marked and processed by us only for some specific reasons;

viii) The right to complain to our authority "Autoritatea de Supraveghere a Prelucrarii Datelor cu Caracter Personal In Romania" (A.N.S.P.D.C.P.), address: B-dul G-ral Gheorghe Magheru nr. 28-30, Sector 1, cod postal 010336, Bucuresti, Sector 1, Romania, in the form of a written request submitted at the authority headquarters, or electronically via the email address: anspdcp@dataprotection.ro.

The rights mentioned above from i) to vii) can be exercised by sending us a request by electronic means, using the email address gdpr@ignore-emsai.ro, while providing sufficient identity information to allow us to securely identify you.

Any request or complaint regarding the processing of your personal data should be transmitted in writing by email, to the address gdpr@ignore-emsai.ro, for the attention of the company's data protection officer or assigned person.

We continuously commit to respect and to improve the privacy of our clients. Any suggestions regarding improving our data processing, security and user privacy are always welcome.
