EPPIONE PRIVACY STATEMENT

Last update: 18 January 2021

1. WHO WE ARE

The Platform is owned and operated by Eppione Solutions Limited, with company number 624852 and registered address at WeWork, 2 Dublin Landings, North Wall Quay, Dublin 1, Ireland (“we”, “our” or “us”). We are a provider of technology and software solutions and human resources consultancy services.

We are committed to respecting and protecting your privacy and making you aware of how and why we collect, use and process your information. This Privacy Statement applies to personal data that we may collect in connection with your access and use of the Platform. It also applies to personal data that we collect because you are a customer, a user or a prospective customer of the Platform or that we are provided pursuant to a business relationship you have with us. It is therefore important that you read it in full.

2. DEFINED TERMS

In this Privacy Statement, when we say:

“Platform” we mean our Eppione online software platform, the website located at www.eppione.com, any materials, content or information they contain, and the other domains, software, products, services, information, tools, apps and technology that we make available;

“Subscriber” we mean the company, organisation or business that is our customer and uses the Platform for its internal business operations and management; and

“User” we mean the employees, contractors, subcontractors, representatives and agents of a Subscriber that access or use the Platform.

2.1 When we use the terms ‘personal data’, ‘data controller’, ‘data processor’ and ‘special categories of personal data’, those terms have the meaning given to them in the EU General Data Protection Regulation (“GDPR”).

3. OUR ROLE

In respect of most personal data that we process if you visit our website, if you submit a request to us directly, or if we market to you, we are the data controller of that personal data. If we ask for information from you directly in connection with our provision of a service or product, we may act as the data controller in respect of the provision of that service or product.

When we provide the Platform (and our other solutions and services) to a Subscriber, we provide access and use of the Platform (and our other solutions and services) through a separate set of terms and conditions with the Subscriber. In those cases the Subscriber is the data controller and we are the data processor.

Where the Platform is made available to a User through its organisation, such as its Subscriber, that organisation will be the administrator of the Platform. Accordingly, the Subscriber is responsible for its User accounts and is likely to be the data controller of the User’s personal data. We therefore encourage each User to send their data protection queries and requests to the Subscriber. The User’s use and access of the Platform will be subject to the Subscriber’s data protection rules and policies. We are not responsible for the security or privacy practices of a Subscriber.

4. WHAT INFORMATION WE COLLECT

In general, you may visit the Platform without identifying yourself or revealing any personal data. We collect domain information from your visit in order to customise and improve your experience on the Platform.

The Platform may collect and process certain personal data from you, including the following:

Identity information includes title, first name, last name, date of birth, gender, marital status, photograph, username or similar identifier;

Contact information includes home or work address, home or work email address, home or work telephone numbers, billing address;

Profile information includes your username and password, purchases or your orders, your preferences, interests, feedback and survey responses;

Employment information includes your employment start date, employment role, terms of employment, annual leave, sick leave, sick note details, function, reviews, rostering function, office, work visa and training information;

Tax information includes your social security number and tax code;

Emergency Contact information includes name and telephone number;

Usage information includes information about how you use the Platform and our other services and products;

Technical information includes operating system, IP address, time zone setting and location, device ID, browser brand and version, browser plug-ins, other technology you use to access this Platform;

Marketing and Communications information includes your preferences in receiving marketing from us and our third parties and your communication preferences;

Financial information includes credit or debit card details, bank account details;

Transaction information includes information about payments to and from you; information about services and products you have purchased from us;

Location information includes the user’s clock-in/out events and office geofence entry/exit events if the geofencing feature is enabled.

Special categories of personal data includes health information in relation to sick leave, racial or ethnic origin which may be inferred from other data. No other special category personal data is collected or processed through the Platform.

We may also collect, use and share publicly aggregated non-personally identifiable data such as statistical or demographic data for any purpose. We may derive this aggregated data from your personal data but we do not consider it to be personal data as it will not reveal your identity. For example, we may share aggregated information to show trends about the general use of the Platform. However, if we combine aggregated data with your personal data in a way that could, directly or indirectly, identify you, we consider the combined data to be your personal data and we will treat it in accordance with this Privacy Statement.

5. HOW WE COLLECT INFORMATION

We collect personal data from you and about you in a number of ways, including:

Information collected through direct interactions: includes personal data you provide when you:

subscribe or create an account on the Platform;

enter personal data on the Platform;

interact with us or others through the Platform;

send feedback to us, or access customer support or our helpdesk by post, phone, email or otherwise;

request marketing materials or subscribe to our publications.

Information collected through Subscribers or Users: A Subscriber or User may keep or process information about you through the Platform. We may not have a relationship directly with the individual whose personal data we process as part of the information (including personal data) that a Subscriber or a User of the Platform provides to us (“Customer Data”). The Customer Data may include contact information, identity information, financial information and special categories of personal data. Each Subscriber and User must make sure that:

it has the appropriate legal basis to process that data subject’s personal data; and

it provides notice to its staff, users and others regarding the purpose for which the Subscriber or User collects their personal data and how that personal data is processed through the Platform as part of Customer Data.

Information collected through automated technologies: includes information we automatically collect such as technical data about your devices, browsing actions and patterns through the use of cookies, “clear gifs”, “pixels”, “location services” or “beacons” and similar technology.

Information collected through third parties: includes personal data we obtain about you from third parties and publicly available sources, such as:

technical data from our analytics providers who may be based outside of your jurisdiction, advertising networks and search information providers;

contact, financial and transaction data from providers of technical, payment and delivery services;

identity and contact data from publicly available sources such as the Company Registration Office and the Electoral Register;

our related companies, affiliates and other entities within our company group.

6. LEGAL BASIS FOR PROCESSING INFORMATION

We only use your personal data for the purposes outlined below, except as restricted or required by law. In processing your personal data, we rely on a number of separate and overlapping legal bases:

Performance of a contract: We must process your personal data to meet the terms of our contract with a Subscriber or a User;

Consent: A Subscriber has obtained from a User, or a User has provided directly, agreement to us processing the personal data for a specific purpose that we notify;

Legitimate interests: The processing is necessary for our legitimate interests (or those of a third party) but not where our interests are overridden by your interests or rights;

Legal claims: The processing of your personal data is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

Legal obligation: We are required to process your personal data by an applicable law.

We will collect, store, process and use the information you provide in a manner compatible with applicable law. We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. Please keep us informed if your personal data changes during your relationship with us.

7. PURPOSES FOR WHICH WE WILL USE INFORMATION

The table below sets out a description of all the ways we plan to use your personal data, the legal bases we rely on to do so, and our legitimate interests:

 

| Purpose | Type of information | Lawful basis for processing |
| --- | --- | --- |
| Set-up and register a new User on the Platform | Identity; Contact | Performance of a contract with you |
| Process an order or subscription including: manage payments, fees and charges; collect and recover money owed to us | Identity; Contact; Financial; Transaction; Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests of recovering debts due to us |
| Run, maintain, improve and provide the features of the Platform; Provide a Subscriber or User with use and access of the Platform; Provide a Subscriber and User the information and analysis they request; Respond to queries and provide support to Users, in accordance with the directions the applicable Subscriber or User provides | Identity; Contact; Transaction; Profile; Employment; Tax; Emergency Contact; Location; Special categories of personal data | We will process this personal data in our role as a data processor on behalf of the Subscriber where the Subscriber or a User provide information to us through the Platform |
| Manage our relationship with you which will include: Notifying you about changes to our terms or privacy policy; Asking you to leave a review or take a survey | Identity; Contact; Profile; Marketing and Communications | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests of keeping our records updated and to study how customers use our services and products |
| Enable you to complete a survey | Identity; Contact; Profile; Usage; Marketing and Communications | Performance of a contract with you; Necessary for our legitimate interests of studying how customers use our services and products, to develop them and grow our business |
| Administer and protect our business and the Platform (including troubleshooting, data analysis, testing, system maintenance, penetration testing, security, reporting and hosting of data) | Identity; Contact; Technical | Necessary for our legitimate interests of running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise; Necessary to comply with a legal obligation |
| Deliver relevant Platform content and advertisements to you and understand the effectiveness of the content and advertising we serve to you | Identity; Contact; Profile; Usage; Marketing and Communications; Technical | Necessary for our legitimate interests of studying how customers use our services and products, to develop them, to grow our business and to inform our marketing strategy |
| Use data analytics to enhance the Platform, products, services, marketing, customer relationships and experiences | Technical; Usage | Necessary for our legitimate interests of defining types of customers for our services and products, to keep the Platform updated and relevant, to develop our business and to inform our marketing strategy |
| Make suggestions and recommendations to you about services or products that may interest you | Identity; Contact; Technical; Usage; Profile; Marketing and Communications | Necessary for our legitimate interests of developing our services and products and developing our business |

 

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using that data.

We will only use your personal data for the purposes for which we collected it, unless we believe that we need to use your personal data for another reason that is compatible with the original purpose.

If we intend to process personal data for an unrelated purpose, prior to that processing we will explain the legal basis that allows us to do so.

If we collect any special categories of personal data, such as health, religious beliefs, racial, ethnic origin, we will assume that the Subscriber has obtained your explicit consent.

You will have the option of not providing information, in which case you may still be able to access some parts of this Platform, although certain services or features may not be available or fully functional.

8. SHARING INFORMATION WITH THIRD PARTIES

In certain instances we may make your personal data available to the third parties described below. We will only provide those third parties with information that is necessary and we will take measures to protect your information.

Our related companies: Our related companies, affiliates and other companies in our group who provide related services or products, or provide us with support or ancillary services (including help-desk, hosting and maintenance).

Third parties: The third parties we may share your personal data with include:

our trusted business partners and other businesses, contractors and consultants we work with;

third party service providers, for example, payment service providers, customer support service providers, advertising networks, data analytics providers, marketing agencies, and customer support consultants;

our technology service providers, including those who host, store or process your data on our behalf or your behalf, or provide certain IT support and IT professional services to us, including telecommunications, managed services, data storage and document destruction (for example, Goldfish, Smart IT, Service Tech, Web CBG, Amazon Web Platform (AWS) and Microsoft 365);

our professional advisors, including lawyers, auditors and insurers;

business partners or possible acquirers or investors (and our and their advisors) in the context of facilitating or implementing a business reconfiguration or reorganisation or a transfer or sale of all or part of our assets or business, including, but not limited to a divestiture, acquisition or business reconfiguration. Alternatively, we may seek to acquire other businesses or merge with them;

state or government departments, regulators, bodies or agencies (where we are required to do so for mandatory reporting or other compliance with relevant legal and regulatory obligations);

if you are a User, we will share your personal data with your Subscriber that provides you with your access to the Platform.

We ask all third parties to safeguard your personal data and to treat it in accordance with applicable law. We do not allow our service providers to use your personal data for their own purposes and we only allow them to process your personal data for specified purposes and in accordance with our instructions.

In addition to the specific disclosures of personal data set out above, where required or authorised by applicable law we have the right to release personal data without your consent and without consulting you, when we believe that this is appropriate to comply with our legal obligations, to protect the security of the Platform, systems, property and related services, to prevent and minimise the effects of fraud, and otherwise to protect our vital interests or the vital interests of our staff, customers or members of the public.

9. DATA TRANSFERS

We operate on a global basis and accordingly, your personal data may be transferred and stored in countries outside the European Union that are subject to different standards of data protection. We will take appropriate steps to ensure that the transfer of personal data is in accordance with applicable law and is managed carefully to protect your data protection rights. As a result, if we transfer your personal data out of the EEA, we ensure a suitable level of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; or

where we use certain service providers, we may use specific contracts approved by the European Commission that give personal data the same protection it has in Europe.

Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the EEA.

10. SECURITY

While we maintain appropriate technical and organisational measures to protect the security of your information, you should be aware of the many information security risks that exist and take appropriate care to help safeguard your information. The nature of the internet means that we cannot guarantee the security of the information you transmit to us electronically, and any such transmission is at your own risk. We also rely on you to maintain the security of your account(s) with us. You are responsible for safeguarding your account(s) by keeping secure all of your account information and passwords.

11. RETENTION

We are required to retain information in accordance with the law. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices.

Data will not be held for longer than is necessary for the purpose(s) for which they were obtained. To determine the appropriate retention period for personal data, we look at the type and sensitivity of the personal data, the volume of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements. We will process personal data in accordance with our retention policy, a copy of which can be requested by contacting dataprotection@eppione.com.

12. CHILDREN'S PRIVACY

The Platform is not aimed at anyone under the age of 16 and we do not knowingly collect personal data from anyone under the age of 16. If you are a parent or guardian and you are aware that your children under the age of 16 have provided us with personal data, please contact us. If we become aware that we have collected personal data from children under age 16 without verification of parental consent, we take steps to remove that information from our servers.

13. THIRD PARTY LINKS

This Platform contains links to other third party websites. We are not responsible for the privacy practices or the content of such websites. We do not control these websites and are not responsible for their personal data practices. We urge you to review any privacy statement posted on any website you visit before using the website or providing any personal data about you or others.

14. COOKIES

We use cookies and related technology on the Platform. For more information about the cookies we use, please see https://eppione.com/cookie-policy/

15. DATA SUBJECT RIGHTS

If you are resident in the European Union, in certain circumstances, as a data subject, you will have the following rights under European data protection law:

the right to know what personal data we process about you and how we use this personal data;

the right to obtain a copy of the personal data we hold about you;

the right to have any inaccurate personal data which we hold about you updated or corrected;

where we rely on our legitimate interest to use your personal data, you have a right to object to this use. We will desist from processing your personal data unless we can demonstrate overriding legitimate grounds for the continued processing of your personal data;

the right to stop us from using your personal data in certain cases, including if you believe that the personal data we hold about you is inaccurate or our use of your information is unlawful;

in certain circumstances you may request that we delete the personal data which we hold about you; and

make a complaint about how your personal data is being processed or how your complaint has been handled. Our lead supervisory authority is the Irish Data Protection Commission and its website is www.dataprotection.ie.

These rights are not absolute and are subject to certain exemptions under applicable data protection law.

If we are unable to action your request, we will, as required by applicable law, annotate the personal data under our control with a note that action was requested but not made. In this event, we will notify you without undue delay of the reasons for not taking action, and you have the right to lodge a complaint as set out below.

Despite this clause 15, if you are a User, we encourage you to contact your Subscriber with queries about your personal data and to exercise your rights with respect to your personal data as, due to our role, in most cases we are only permitted to forward your request to the Subscriber for instructions on how best to respond to your request.

16. CONTACTING US

If we are the data controller of your personal data and you have any questions or comments about our Privacy Statement or wish to exercise any of your data subject rights set out above, please send an email to dataprotection@eppione.com.

You will not have to pay a fee to access your personal data or to exercise any of the other data subject rights. However, if your request is clearly unfounded, repetitive or excessive we may charge a reasonable fee or we could refuse to comply with your request.

We try to respond to all legitimate requests within 1 month. In some cases it could take us longer than 1 month if you have made a number of requests or if your query is particularly complex. In this case, we will let you know and update you regularly.

17. CHANGES TO THIS PRIVACY STATEMENT

We may modify or update this Privacy Statement from time to time. You can check the “Last Update” date above to see when the statement was last changed. The latest version of this Privacy Policy is always accessible on our website. We encourage you to check this Privacy Statement often so that you can continue to be aware of how we are using your personal data. Your continued use of the Platform constitutes your consent to the contents of the latest version of this Privacy Statement.