Specific Information for EU users – GDPR requirements
We store your personal information on our servers which are located in Canada. Canada provides an adequate level of data protection as required by Art 45 (1) GDPR.
The controller according to Art. 4 (7) GDPR is
105-155 Gordon Baker Road
Toronto, ON M2H 3N5
You can contact us as follows:
Privacy Officer (Data Protection Officer)
Sync has designated a Privacy Officer (Data Protection Officer) who you may contact via email at email@example.com.
Purposes and legal basis for the processing of your personal information
According to Art. 13 (1) (c) and Art. 14 (1) (c) GDPR, we have to inform you about the purposes of the processing for which your personal information is being collected and used as well as the legal basis for such processing.
Moreover, we process your personal information to:
- Provide you with the products or services you have requested (Legal basis: Art. 6 (1) (b) GDPR);
- Process your payment, including recurring payments as you request (Legal basis: Art. 6 (1) (b) GDPR);
- Communicate with you about the products or services you have requested (Legal basis: Art. 6 (1) (b) GDPR);
- Ensure that you are properly registered to use our products and services and to receive any associated technical support (Legal basis: Art. 6 (1) (b) GDPR); and
- Inform you of any important product revisions or updates (Legal basis: Art. 6 (1) (b) GDPR).
Where we process your personal information on the basis of Art. 6 (1) (b) GDPR, you are contractually required to provide us with your data and we are not able to provide our services without such data. If we process your personal information on the basis of our legitimate interests (Art. 6 (1) (f) GDPR) and in case you want to learn more about our balancing of interests, please contact our Privacy Office at firstname.lastname@example.org.
Visiting our Website
When visiting our Website, we collect and store the IP address assigned to your computer in order to provide you with the contents of our Website requested by you (e.g. texts, images and product information). The legal basis insofar is Art. 6 (1) (b) GDPR. We furthermore collect that information for the detection and defense of misuse which is justified by our legitimate interest according to Art. 6 (1) (f) GDPR and is being conducted in order to ensure the proper functioning of our Website. Furthermore, we collect and process information about the browser type you use as well as date and time of access and use of our Website based on Art. 6 (1) (f) GDPR to optimize our Website and our services which also is our legitimate interest in the meaning of Art. 6 (1) (f) GDPR. This information is stored in log files and is not linked to personal information gathered elsewhere on the Website. You are contractually required to provide us with such information and we are not able to provide our services to you without such data.
Using our Services
When you create an account, Sync’s account creation process requires that you provide personal information and other contact information. Such personal information may include your e-mail address, first name, last name, and personal and/or business billing information. Access to your personal information is restricted to us, and in the case of a Business Pro plan, the account administrator. Your e-mail address and display name may also be visible to the people you share with, or accept a share invitation from. Your personal information will be processed by us for verification purposes and to provide our services to you on the legal basis of Art. 6 (1) (b) GDPR. You are contractually required to provide us with such information and we are not able to provide our services to you without such data.
When you use our Sync services, your personal information and other information you provide is encrypted in transit using SSL/TLS encryption. Sync's desktop, mobile and web applications (“Sync Apps”) apply an additional layer of client-side encryption automatically, during transit and at rest, which we define as end-to-end encryption.
Sync never collects or stores your files, file metadata, encryption keys or passwords (your “Encrypted Data”) in an unencrypted format, unless you request us to do so. The Encrypted Data you upload to Sync is always end-to-end encrypted, and stored in such a way that we cannot access it in a readable format, or share it with third parties. Sync's applications and features allow you, and only you (or in the case of the Business Pro plan, you and the administrator) to control who can decrypt your Encrypted Data, for example when sharing with other people, when enabling in-app sharing with other apps, when enabling account or password recovery, or in the case of a Business Pro plan administrator, when provisioning an account.
We make every effort to ensure that we cannot access or decrypt your Encrypted Data, regardless of which features you may have enabled or use.
During the use of our service, you may also submit non-Encrypted Data, including your email address. We make every attempt to ensure that the transmission and storage of non-Encrypted Data is secure, and that access to this data is highly restricted. If you have any questions about the security of your Encrypted Data or non-Encrypted Data you can contact us at email@example.com.
Further purposes/marketing communications
Sync may also use your personal information for purposes such as:
- Letting you know about new or upgraded Sync products and services; and
- Inviting you to participate in customer surveys or other opinion-gathering devices.
We will ask you for your prior consent before contacting you accordingly and the legal basis for such processing of your personal information is your consent (Art. 6 (1) (a) GDPR). Where you are able to subscribe to periodic information updates (e.g. our newsletters), we are using the double-opt-in method (confirmation of your email address by confirmation email before the first marketing communication is sent) in order to verify consent. You may withdraw your consent at any time with future effect which will not affect the processing of your personal information being undertaken until the withdrawal by
- using the unsubscribe link in the email we have sent you, or
- changing your media preferences in your control panel, or
- contacting us at firstname.lastname@example.org.
Transfer of personal information
We use service providers or other third parties to help us provide our products or services to you. Such service providers may have access to your personal information. Regardless of where these service providers or other third parties are located, we require that they also comply with the GDPR and the applicable data protection laws. We use the following categories of service providers or other third parties:
We share your personal information with service providers for billing purposes and payment processing (PayPal, U.S.; BitPay, U.S.), for sales and technical support (Helpscout, U.S.), for transactional email communications (SendGrid, U.S.; MailJet, U.S.), and for marketing communications (MailChimp, U.S.).
Additional use of personal information
We will retain your Encrypted Data for as long as your account is active. You can cancel your account at any time, which will permanently delete your Encrypted Data. In addition, when sharing, you control the deletion of data shared with other users.
Moreover, we will retain your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
If you want to learn more about our data retention concept, please contact our Privacy Office at email@example.com.
Information about your rights
You have the following rights:
- Right of access (Art. 15 GDPR): You have the right to request confirmation as to whether or not your personal information is being processed, and, where that is the case, to request access to the personal information and information such as the purposes of the processing or the categories of personal information concerned.
- Right to rectification (Art. 16 GDPR): You have the right to request the correction of inaccurate personal information.
- Right to erasure (Art. 17 GDPR): You have the right to request erasure of personal information without undue delay under certain circumstances, e.g. if your personal information is no longer necessary for the purposes for which it was collected or if you withdraw consent on which processing is based according to Art. 6 (1) (a) GDPR and where there is no other legal ground for processing.
- Right to restriction of processing (Art. 18 GDPR): You have the right to request us to restrict the processing of your personal information under certain circumstances, e.g. if you think that the personal information we process about you is incorrect or unlawful.
- Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal information under certain circumstances, in particular if we process your personal information on the legal basis of legitimate interest (Art. 6 (1) (f) GDPR) or if we use your personal information for marketing purposes.
- Right to data portability (Art. 20 GDPR): Under certain circumstances, you have the right to receive your personal information you have provided us with, in a structured, commonly used and machine-readable format and you have the right to transmit that information to another controller without hindrance or ask us to do so.
You can assert your abovementioned rights by contacting our Privacy Office at firstname.lastname@example.org.
Automated individual decision-making
We don’t use your personal information for automated decision-making, including profiling.
Right to lodge a complaint before the data protection authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or place of the alleged infringement if you consider that our processing of your information relating to you infringes the GDPR. Please contact our Privacy Office at email@example.com and we will provide you with detailed information as regards the contact details of the respective supervisory authority.
This file was last modified on May 16, 2018.