Your privacy is extremely important to us and if you have any questions about the content of this policy document, please contact us at email@example.com.
The company responsible for the App and for the processing of personal data involved in the use of the App is GLOBAL INTEGRATED SOLUTIONS CHILE SpA (hereinafter, “Company”, “our”, “responsible”), with address at Agustinas 815, Department 906, commune of Santiago, Santiago de Chile. You can contact the Company via the email address firstname.lastname@example.org.
The entity that signed the Agreement (such as your employer or other organization or individual) and accepted it (hereinafter referred to as “Customer”) has control over the services provided by us through the App, as well as the data of whoever uses the App. If you have questions about the processing of personal data carried out by the organization, we suggest that you contact the owner of the company on behalf of whoever uses our App.
The Company, as the person responsible for and provider of the App, uses some personal data to proceed with the registration, access and use of the App. Personal data is any information related to an identified or identifiable person (hereinafter, “interested party”, “you”, “user” or “your”). The interested party can be a natural or legal person, as appropriate, who for any reason accesses and/or uses our App.
Types of personal data that are processed
Our App uses personal identification and contact data, such as name, surname, unique national number, address, telephone number, internet protocol address, password and email address, which will be incorporated into virtual servers owned by DigitalOcean, LLC. In addition, personal data includes the details that you provide about your preferences, geographic location and areas of interest expressed during the use of the App.
Purpose of processing your personal data
Once you contract our services through the App, you will be provided with access credentials to your account in the App in the form of an email address and password. Thus, during the registration and use process, the personal data obtained will be processed, according to the purposes indicated below:
A. Registration and storage in our App: To register and use our App, you must fill out a “registration form” with personal data that is collected in order to provide our digital formulation generation, data capture and personalized reports services through our App, your consent being the basis of legitimacy of this treatment.
The data collected in the registry is the following: contact information, profile photo (optional), account username, email address, name and surname, postal address, unique national number, user ID, occupation, phone number (including mobile phone number), password. The purposes of the collection and storage of personal data indicated are:
1. Maintain, provide and improve the commercial service contracted by the user.
2. Allow the user to manage the use of the App.
3. Personalize the user experience and adapt it to their needs.
4. Guarantee the proper functioning and security of the App.
5. Use email service providers to send emails on our behalf informing of essential circumstances for the proper management of the service.
6. Customer service.
8. Compliance and Fraud Prevention.
You can update or modify your profile information and contact information at any time, except for the information of the company representative when you act as a Customer who contracts our service. Profile information is not publicly available in the App.
B. Contact form: Through our “contact form” you can send us any questions or comments regarding our Company and the services we provide. The form collects personal data such as name and surname, email address, as well as any other data voluntarily provided. We will only process the information necessary to respond to your query or need and provide the best possible service.
C. Use of the service: For the provision and use of contracted services, personal data of the user necessary for logging into the App will be processed. Furthermore, the functionalities of the App allow the user to collect non-personal data through video, audio, files, and documents, as long as you grant permission to the App and taking into account that the responsible party does not have any access to the data collected by any of these means on the part of the user. During the session, we may collect some information about your user experience, which will be processed in order to offer service improvements, profile preferences, and provide the most suitable functionalities available to users. In the use of the App, circumstances may arise that require customer service, technical support, training, during which we will collect personal data solely for the purpose of resolving incidents for our users. We will also send notifications, reminders, and alerts, as well as information about your account or changes in the App, necessary for the proper functioning and correct use of the App, which can be disabled in the settings panel of the same.
D. Payment for services: Our App offers paid services, so we work with a secure payment gateway provided by PayPal Pte. Ltd. and Webpay Plus, who will use payment data solely and exclusively to complete the payment transaction selected by our users. Payment can also be made through a direct bank transfer operation, for which the ordinary billing data of the user will be used. Once the payment is completed, a notification about its successful completion is generated through an email service provider, for purely informational purposes.
E. Email communication: We use your email address to provide you with information about your account and information related to purchased services and products, to deliver the requested or subscribed service, as well as reminders and information related to your account and requests. Occasionally, we may send news content through our newsletter to those users who have consented, which may include educational information about the App, promotional material related to it, and updates, among other related content. You can request at any time to unsubscribe from these communications by sending us your request to be removed from the distribution list at email@example.com.
Legal Bases for Data Processing
- We also collect personal data on the basis of the execution of a contract between you and the Company when we process your data to provide the contracted services in accordance with the Terms and Conditions.
- In cases where the existence of a legal obligation requires us to process personal data in accordance with the terms outlined in the law.
- We inform you that we use data in order to satisfy the legitimate interest of the Company in sending commercial communications for marketing purposes and analyzing user behavior in the App to optimize its functioning and offer services to improve the user experience, without jeopardizing the fundamental rights or freedoms of the data subject.
- If the interested party does not provide the Company with their data or does so incorrectly or incompletely, it will not be possible to proceed with the use of the App.
In order to register the user, use the App, or carry out any other lawful processing of personal data, the interested party must be at least 18 years old, or of the legal age applicable in each territory. Individuals under the legal age, or as determined by the legal age applicable in each territory, may only use the App with legal authorization or legal consent signed by parents or legal guardians. The Company does not knowingly collect or request personal information from individuals under the age of 18 or the minimum age as per local laws. If you believe we may have information related to a minor, please contact the Company at firstname.lastname@example.org.
Retention Period for Personal Data
We will retain documents and process the personal data contained in them on our servers for the time necessary to fulfill the purpose stated in each of them, provided that the user does not exercise their right to deletion.
Once the purpose of the processing is fulfilled, and without prejudice to legal regulations to the contrary, the Company will proceed to delete the stored personal data, unless there is a legal or contractual obligation that requires their retention for the exercise and defense of judicial and/or administrative actions and claims. The collection, storage, modification, structuring, and, if necessary, deletion of data provided by data subjects constitute processing operations carried out by the Company, with the aim of ensuring the proper functioning of the App, content development, and the management, administration, information, provision, and improvement of the service.
The Company may grant access or transmit the personal data provided by the user to third-party service providers with whom it has entered into data processing agreements, and who only access such information to provide a service on behalf of the Data Controller. These third parties have signed confidentiality agreements with the controller, committing to maintain the confidentiality and security of the personal data to which they have access, in compliance with the provisions of the GDPR.
- Accounting Advisory: for the proper accounting maintenance of the Company.
- IT Advisory: for software development and maintenance of digital resources.
- Hosting of architecture and Virtual Private Cloud (VPC): to host all the software and data necessary to run the App.
- Email service provider: to send emails to users from an application running on a virtual machine (VM) instance of Compute Engine.
- Payment service provider.
If you would like more information about these third parties, please contact us at email@example.com. If you do not agree with any of the sub-processors from which we cannot reasonably separate our services, the only solution will be to cancel your subscription to the service that we cannot reasonably provide without a new sub-processor. This cancellation of service will be without the right to a refund of payments made for subsequent periods.
Transfer of Personal Data
In compliance with the regulations established by the GDPR regarding international data transfers, we inform you that due to the use of service providers who process personal data of our users, the following international data transfers are carried out:
- DigitalOcean LLC, located at 101 6th Ave, New York, NY 10013, United States, for cloud information storage. In contracting with this provider, the corresponding Standard Contractual Clauses for Module Two, approved by the European Commission, have been signed, as established in the DPA at the following link: https://www.digitalocean.com/legal/data-processing-agreement.
- Heroku Dev Center, located at 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States, is used to develop, deploy, and manage the internal architecture of the App. Heroku Dev Center is a part of Salesforce, Inc. In the contract with this provider, personal data protection has been ensured through the use of Standard Contractual Clauses https://www.salesforce.com/company/privacy/?_gl=1*99dv3c*_ga*MTQxNDUxMzM1NC4xNjk5Mjk2MTk3*_ga_62RHPFWB9M*MTY5OTI5NjE5Ni4xLjEuMTY5OTI5NjM0Ni4wLjAuMA, as indicated in the following link for the data protection annex between the parties DPA: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf.
- Google Cloud, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States, is used for cloud information storage. Google Cloud is owned by Google LLC. In the contract with this provider, personal data protection has been ensured through the use of Standard Contractual Clauses, as indicated in the following link for the data protection annex between the parties DPA: https://cloud.google.com/terms/partners-data-processing-addendum.
- SendGrid, Inc., located at 1801 California Street, Suite 500, Denver, CO 80202, United States, as a messaging service of Twilio, Inc. In contracting with this provider, data protection has been ensured through the use of Standard Contractual Clauses https://www.twilio.com/en-us/legal/privacy, as indicated in the following link corresponding to the data protection annex between the parties DPA: https://www.twilio.com/en-us/legal/data-protection-addendum.
The Company will ensure that international data transfers are carried out in accordance with the current personal data protection regulations.
Technical and Organizational Precautions
In order to comply with the principles of data security, integrity, and confidentiality in accordance with the GDPR, the Company has implemented the following reasonable and necessary technical and organizational precautions to ensure the security of the personal data collected and to prevent tampering, loss, unauthorized access, or fraudulent use of the registered user’s personal information in the App:
- Measures to ensure the physical security of locations where personal data is processed: The Company’s offices are located in non-recognizable buildings that are physically monitored and managed 24 hours a day to protect data, prevent unauthorized access, and mitigate environmental threats. CCTV cameras are used to monitor physical access to the offices. Cameras are placed to monitor perimeter doors, entrances and exits, reception areas, external areas such as parking lots, and other areas of the buildings.
- Provision of access: To minimize the risk of data exposure, the Company follows the principle of least privilege through a system access control model. Company staff is authorized to access the user’s personal data according to their job function, position, and responsibilities, and such access requires approval. Access rights to non-time-based production environments are reviewed at least semi-annually. An employee’s access to the personal data of our users is immediately revoked upon the termination of their employment. To access the production environment, an authorized employee must have a unique username and password. Before a Company employee gains access to the production environment, management must approve such access.
- Password control: The current password management policy for employees in the Company focuses on the use of longer passwords, including special characters, and requires frequent password changes.
- Sharing data with business partners: In order to ensure data security, our company shares personal information with its business partners, such as IP addresses, geographical location, and general user data, always using aggregated and anonymized data. Due to the non-identifiable nature of this information, its processing is exempt from personal data protection regulations.
- User data backup: The Company regularly backs up information provided by users, which is hosted on the infrastructure of data centers of: 1) DigitalOcean, LLC., 2) Google Cloud, 3) Heroku Dev Center and 4) SendGrid, Inc.
- Protection against computer viruses: The Company protects its computers with antivirus software and firewalls.
- Email protection: The Company uses email services that have security features to protect emails from spam, phishing, and malware.
- API security: Regarding the security of our App, it’s important to note that all accesses to the APIs, which facilitate communication between the user and the server, are rigorously restricted through a prior authorization system using tokens. The only exception to this rule applies to essential APIs that allow system access. These aforementioned security measures are implemented inflexibly.
- Customized data privacy: In terms of data management and user privacy, each user has access only to the information that their privileges within the App allow them to see. We offer a wide variety of privilege levels to choose from. This ensures that each user sees exclusively the data related to their company and nothing else. Additionally, business representatives have the ability to manage what information their employees can see in different areas of the system, preventing the possibility of leaking confidential data within the company itself.
- Data security: Currently, the App version boasts a robust layer of security thanks to the implementation of an SSL certificate. This is essential for preventing any data leakage through network interception.
- Internal private network for enhanced security: App accesses are safeguarded on a secure machine operating within an internal private network that connects the database, files, and the system. This means they are not exposed over the internet, ensuring the security of your data.
The Company has controls in place to maintain the confidentiality of user data. All employees and contracted staff of the Company are subject to the Company’s internal policies regarding the confidentiality of user data and are contractually obligated to comply with these obligations.
Employee training: At least once a year, Company employees must complete security and privacy training covering security policies, security best practices, and the Company’s privacy principles.
Virtual Private Server
DigitalOcean, LLC: The Company’s servers are hosted by DigitalOcean LLC in the United States of America and are protected by DigitalOcean, LLC’s environmental and security controls. The production environment within DigitalOcean, LLC where the Company’s services and user data segment services are hosted is logically isolated on a virtual private server. User data stored on DigitalOcean, LLC is encrypted at all times. DigitalOcean, LLC does not have access to unencrypted user data. More information about the security of DigitalOcean, LLC is available at https://www.digitalocean.com/legal/data-processing-agreement. Additionally, it’s important to note that the virtual private servers of Heroku Dev Center are used to host the application architecture and are hosted in data centers managed by Amazon. Customer data stored in Heroku Dev Center undergoes a continuous encryption process. For detailed information about security, we invite you to visit the following link: https://www.heroku.com/policy/security. Furthermore, the cloud storage services of Google Cloud are located in data centers managed by Google. Customer data is similarly protected through constant encryption, supported by the following security measures: https://cloud.google.com/terms/partners-data-processing-addendum.
As the data subject of personal data protection rights, you have the following rights:
A. Access: You have the right to contact the Company to find out if your personal data is being processed and to obtain information about the purposes, data being processed, third parties to whom the data is communicated, retention period, origin, the existence of automated decisions including profiling, the existence of international transfers, and to obtain a copy of the personal data being processed. We may charge a small fee unless it is a second copy.
B. Rectification: You have the right to obtain the correction of inaccurate or incomplete personal data, clearly indicating the data and the correction in the request, and providing supporting documents as appropriate.
C. Objection: You have the right to object to the Company processing your personal data.
D. Deletion (“Right to be Forgotten”): This right allows you to request that the Company delete your personal data from the databases that contain them. It can be exercised once personal data has been used for the purposes for which it was collected, if consent is withdrawn, if the right to object has been exercised, and for compliance with a legal obligation. The App user acknowledges and accepts that in the event of a request to block or delete their personal data, such requests will not affect data processing carried out prior to the user’s request, which will remain valid and lawful.
E. Restriction of data processing: This right is exercised when challenging data processing or in the case of previous objection to data processing. It also involves preventing deletion and requesting data retention in the event of exercising or defending claims.
F. Data portability: The data subject has the right to receive the personal data that concerns them in a structured, commonly used, and machine-readable format and to request our Company to transfer the data to another data controller/recipient if it is technically feasible and not prevented by the designated recipient.
If you wish to exercise any of your rights, please send your request to GLOBAL INTEGRATED SOLUTIONS CHILE SPA through our email address: firstname.lastname@example.org, and it will be responded to within a maximum period of one month, as established by the international GDPR regulation. For your request to be processed, it must contain a clear and precise description of the right being exercised, the data subject’s personal data, and a copy of their identity document or that of the legal representative or proxy of the data subject, subject to accreditation of representation or proxy, if requested by the Company. You also have the right to file a complaint with the competent authority for the protection of personal data.