Astrato Privacy Notice
Astrato is a software platform which provides data visualisation and analysis services.
Astrato is owned and operated by Vizlib Ltd, a company incorporated in England and Wales (registration number: 10431702) having its registered office at Vizlib Ltd, 25 North Row, Mayfair, London, England, W1K 6DJ (“we”, “us” or “Vizlib”). We attach great importance to protecting and respecting your privacy.
We are committed to protecting your personal data and privacy. The purpose of this policy is to inform you of our practices regarding the collection, use and sharing of personal data that is provided to us through your use of the Astrato services, products or website.
We understand the importance of the General Data Protection Regulation (GDPR), both as enacted under EU law and as retained in UK domestic law, and we try constantly to apply it to its fullest extent.
In our Privacy Notice we use a few GDPR terms; understanding these terms is essential to understanding your rights and our Privacy Notice. Below you will find some terms as defined in the GDPR:
Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Consent: any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
(i) Personal data & Sources of data
This Privacy Notice applies to personal data provided by our clients (which may include the organisation, firm or entity for whom you work) and their staff, and any third party suppliers whose data we process. In this notice “you” refers to any individual whose personal data we hold or process.
For the vast majority of Astrato services, Vizlib is categorised as a controller when it collects data for processing, for instance for license key controls, service performance and improvement, technical assistance/support or client contact purposes.
Wherever the Astrato services enable a user to submit user-generated content when using the service, Vizlib is not the controller of any personal data contained in such content. We hold this information as a data processor. The relevant user of our service is the controller for this data. Our terms require that such users process this data in accordance with applicable data legislation. In our Terms & Conditions this is defined as “Collaborator Personal Data” and the processing of Collaborator Personal Data by us will be governed by the terms of our Data Processing Agreement (“DPA”). If you are using the service as an individual subscriber (as defined in our Terms & Conditions) then, unless otherwise agreed, we will be the controller of Collaborator Personal Data.
PERSONAL DATA YOU PROVIDE TO US:
More specifically, the following data is (or might be) provided directly by you (or on your behalf by the organisation, firm or entity for whom you work) when using Astrato and such data may constitute personal data:
- User ID
- Name and Surname
- Email address
- User password
- Telephone number (optional)
- Company name (optional)
- Information about your professional status or role such as your profession, country of employment and job title
- Personal data of any kind submitted via a part of the Astrato service which facilitates the input of user-generated content
PERSONAL DATA AUTOMATICALLY COLLECTED:
PERSONAL DATA PROVIDED FROM THIRD PARTIES:
We may receive personal data about you from third-party sources. This is the case when you use one of our resellers in order to have access to Astrato products and services or in case of online payment for our products. In the second case, we may provide you with another payment solution. Please contact us.
If we obtain your personal data from the organisation, entity or firm for whom you work or from any other third party, your privacy rights under this Privacy Notice are not affected and you are still able to exercise the rights contained within this notice.
You do not have to supply any personal data to us; however, in practice we may be unable to provide our services to you without personal data (for instance, we will need contact information in order to communicate with you or your organisation). You may withdraw our authority to process your personal data (or request that we restrict our processing) at any time, but there are circumstances in which we may need to continue to process personal data (please see below).
(ii) Processing purposes
In order to be more transparent, we want to share with you our processing purposes:
- Provision of our service: It is necessary for us to obtain certain information from our users in order to provide our services and communicate with users in relation to the service.
- License check: We provide you with online services and products. For this reason, we have to check that you have the right to use them.
- Support: a SaaS license gives you access to our support services. We have to be able to identify the source of your technical problem and improve support or online services.
- Marketing purposes: We may contact you, in order to inform you about our products and services, promotions, product upgrades, special offers, and updates.
- Storing of user-generated content: if we offer any tool facilitating the input by you of user-generated content, such a tool might allow users to write comments and communicate with one another through our service, producing their own user-generated content. If this is applicable then users are free to input any data they like, which may include personal data. Such data will be stored by us but we will not process it in any other way.
- Supplier Information: we hold information about our suppliers such as contact information which we use to procure goods and services from those suppliers.
- Research: we track aggregated and anonymized user behaviour within the service for research purposes.
Please note that we do not collect data for commercial purposes that are not related to Astrato products & services, or other products and services operated by Vizlib.
We do not use your personal data for any reason that is not compatible with the purposes for which it was collected.
Astrato is a Business to Business software and it is not addressed to children! No personal data of children is intentionally collected! If we realize that a child has provided personal information, we will delete it without delay.
We do not knowingly collect and process special categories of personal data. However, we cannot guarantee that personal data within a special category will not be generated by a user of our service and then stored on our database. This data is irrelevant to the services provided by us and incompatible with our processing purposes.
(b) Lawful basis & purpose limitation
Your data is collected for specified, explicit and legitimate purposes. Any processing carried out by us is compatible with the following purposes. We have determined a LAWFUL BASIS for each processing purpose, in order to process your data.
- Provision of our service: Legitimate interests
- License check: Legitimate interests
- Support: Legitimate interests
- Upgrades to Astrato Services and Product: Legitimate interests
- Third party Marketing purposes: Consent
- Storing of user-generated content: Legitimate interests
- Supplier Information: Legitimate interests
- Research: Legitimate interests
A legitimate interest in this context means a valid interest we have in processing your personal data which is not overridden by your interests in data privacy and security. Astrato is a SaaS platform that provides you with online services and products. We have a legitimate interest in processing our users’ personal data because without such data we cannot provide our services or support services. License checks, which require the use of personal data, are necessary to protect our products, especially in relation to usage limitation and intellectual property rights. If users choose to submit user-generated content when using our services (which may include personal data), then we have a legitimate interest in storing this data so it can be viewed by other users at the time of posting and referred back to in future. Upgrades to our services and products affect the usage of our services, even under the freemium model.
(i) Our commitment
Adequate, relevant and limited to what is strictly necessary in relation to the processing purposes. When ordering a service, we only ask you to provide data that is necessary in order to provide you with our services or products.
Accurate and kept up to date; if we become aware that we are processing any inaccurate data, it is erased or rectified without delay. Please consult your rights.
Data is stored no longer than is necessary for the processing purposes. Personal data collected by us from our clients and their users is kept during the entire duration of the contractual relationship and for the following 12 months. At the end of this retention period, such data is completely erased from all media and backups.
We will hold information for suppliers for up to 7 years from the date on which our agreement with that supplier terminated.
INTEGRITY & CONFIDENTIALITY:
Your data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Please consult the security section of this Privacy Notice.
(ii) Your Rights
We take appropriate measures to provide you with any information related to your data and your rights. We also want to facilitate the exercise of your data rights. Please contact us at firstname.lastname@example.org, if you have any questions or you want to exercise any of your rights (see below); we will respond to your request as soon as possible and no later than a month after receiving your request.
Please note that any reasonable information queries related to your data or the exercise of your rights are free of charge!
RIGHT OF ACCESS:
You have the right to obtain confirmation as to whether or not your personal data is being processed.
In addition to that, you have the right to access your personal data and obtain information about the purposes of the processing, the categories of personal data concerned, the recipients or categories of recipient to whom the personal data has been or will be disclosed, the envisaged period for which the personal data will be stored, your GDPR rights, any available information as to the source of your data and finally the existence of automated decision-making, including profiling. Furthermore, in case of transfer to a third country, you have the right to be informed about measures of security relating to the transfer.
So that you can exercise your right to access your personal data, we shall provide a copy of the personal data undergoing processing.
A number of the above questions are answered in the present Privacy Notice. Nevertheless, within a month of your request you will receive a copy of specific information about your personal data. Be aware that we will ask you to provide proof of identity, in order for you to exercise your rights.
RIGHT TO RECTIFICATION:
You have the right to demand rectification of inaccurate personal data and complete any incomplete personal data.
RIGHT TO ERASURE:
You have the right to make a request about the erasure of your personal data or request that your personal data be transferred or exported to another organisation. This right is not absolute and must be based on specific circumstances. You should be aware that we may reject your request if we deem this appropriate in accordance with applicable data protection legislation. For more information, please do not hesitate to contact us.
RIGHT TO RESTRICTION OF PROCESSING:
You may have the right to obtain restriction of processing for specific reasons mentioned in the GDPR (as enacted under UK domestic law) and/or the Data Protection Act 2018. For more information, please do not hesitate to contact us. We shall inform you before the restriction of processing is lifted.
RIGHT TO DATA PORTABILITY:
You have the right to receive your data in a structured, commonly used and machine-readable format, in order to transmit it to another service provider. To exercise your data portability right you can request that your data be transmitted directly to the service provider that you shall indicate to us, if technically possible.
RIGHT TO OBJECT:
You can at any time object to processing of your personal data. As of such request, we shall no longer process your data. To exercise this right you must provide us with an objection on grounds that are related to your situation in particular.
RIGHT TO WITHDRAW CONSENT:
At any time, you may withdraw any permission you have given us to process your personal data. For example, you can request that your personal data will not be used to contact you for direct marketing purposes. You also have the right to request that your personal data will not be used for profiling purposes.
RIGHT TO COMPLAIN:
If you are not satisfied with the way we apply rules under any applicable data protection legislation or if we do not respect the one-month response time previously announced, please be aware that you have the right to lodge a complaint with a supervisory authority. The independent supervisory authority in the United Kingdom is the ICO (Information Commissioner’s Office).
(iii) Subcontractors & Data transfers
We keep your personal data in the European Union. However, it is possible that personal data we collect through our online platform or as part of our services will be transferred to other countries, some of which may have less protective personal data protection legislation. This is particularly the case regarding data transmitted to any subcontractors located outside the UK and the EU, in particular in the United States.
Subcontractors are called processors by the GDPR. Where we work with subcontractors outside the UK or the EU (if any), we have contracts with processors that provide sufficient guarantees about data protection, respect the GDPR and only act on our instructions.
There are certain additional circumstances in which we may disclose your personal data to third parties, as follows:
- we may be required to disclose certain data to regulators or other lawful authorities;
- we may disclose information to our group companies, which include companies incorporated outside of the UK or the EU;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
- in order to enforce any terms and conditions or agreements for our services that may apply;
- if we are sub-contracting services to a third party we may provide information to that third party in order to provide the relevant services;
- we may transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation or investment round, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;
- to protect our rights, property and safety, or the rights, property and safety of our users or other third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
(iv) Security measures:
We take the necessary precautions by having implemented appropriate technical and organisational measures to preserve the security and confidentiality of personal data, in particular to prevent any accidental, unauthorised or unlawful access, disclosure, alteration, loss or destruction.
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to our management team and/or the Information Commissioner’s Office (ICO) as is deemed necessary. If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as reasonably possible.
(v) Summary of commitment
- Data minimisation;
- transparency about our processes, policies & actions;
- daily backups;
- an authorisation management system that limits access to data only to those who need access to it in the context of their duties and scope of activity;
- a strict password policy for our personnel including two-way authentication;
- processes to trace all actions performed on our information system; we perform regular penetration tests and write reports in the event of an incident affecting our customers’ data;
- a limited storage period (12 months after your contract term);
- regular reviews of personal data;
- updated documentation;
- encryption by default;
- contracts with subcontractors which are compliant with applicable data protection legislation;
- servers based in the UK or in the European Union;
- Data Protection Impact Assessment reports for future projects.
Cookies are small texts used to store information on web browsers. They are used in particular to store and receive identifiers and other information on devices.
Please refer to our Cookies policy by clicking here: https://app.termly.io/document/cookie-policy/8951e6b2-da1c-4356-a45d-3f4513bd2884.
(vii) Password confidentiality
For your own safety, keep your password secret and do not communicate it to anyone.
(viii) Links to 3rd party websites
The present Privacy Notice does not concern web links that lead to 3rd party websites. When it comes to your personal data, please remember to consult those 3rd party privacy policies.
We regularly review our Privacy Notice. We will post details of any changes to our policy on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties. Please ensure you check the website regularly for any updates.
(x) Contact details
Address: Vizlib Ltd, 25 North Row, Mayfair, London, England, W1K 6DJ
You have the right to lodge a complaint with a supervisory authority. The independent supervisory authority in the United Kingdom is the ICO (Information Commissioner’s Office).