These Terms of Use ("Terms of Use") shall be accepted when you register as a user of COMPANY ORGANIZER. For when the Terms of Use were last updated, see the date at the top of each page of this document.
Background
At Qreo Broberg AB, we care about your privacy and security. GDPR, the new law for the processing of personal data, places higher demands on transparency and therefore this page is for you to know what we do in the processing of personal data. There are a number of areas that together give you the whole picture of how we view privacy and security, both regarding Company Organizer and for you as a user of Company Organizer and customer of Qreo Broberg AB. See below for details.
GDPR
Under GDPR, we have chosen to compile information about the law and what it means, as well as where you can find more information to get a better overview of how this affects you. There are a number of concepts that can be good to keep track of, especially as a user of Organizer.
Safety
Safety is something natural for us, which we have worked with since the start and constantly monitor and, if necessary, improve. In the role of data processor, Qreo Broberg AB is responsible for the technical and organizational security measures in the processing of personal data.
Privacy Policy
In the Privacy Policy, we describe Qreo Broberg AB's processing of personal data as a personal data processor. We want to clarify our responsibility to protect your rights and privacy and explain how we use the personal data you share with us.
Incident management
In compliance with the new requirements regarding incident management according to GDPR, we are now also presenting our incident response process. Above all, it is the requirement to report incidents within 72 hours that makes it important to have procedures for detecting, reporting and investigating if an incident occurs.
Cookies
Like most other websites, Qreo Broberg AB and Company Organizer use cookies to improve your user experience. What a cookie is and how we use it is described so that you can decide what you agree to when you visit our website and use the Company Organizer service.
GDPR
GDPR stands for General Data Protection Regulation and is a new data protection regulation from the EU that will become law in all EU member states from May 25, 2018. The GDPR will strengthen individuals' rights over how companies, authorities and organizations can collect and use their personal data.
Within each EU member state there is a supervisory authority that will check this. In Sweden, this authority is called the Swedish Authority for Privacy Protection, formerly the Swedish Data Protection Authority. On their website there is more information and help that you can use to find out what you need to do.
Processing of personal data
The GDPR is primarily about the protection of personal data and in Article 4 of the General Data Protection Regulation there are the following important definitions for "personal data" and "processing":
'personal data' means any information relating to an identified or identifiable natural person ('data subject'), in which case an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers or to one or more factors specific to the physiological, genetic, mental, economic, cultural or social identity of that natural person;
"processing" means an operation or set of operations concerning personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Data Controller and Data Processor
The controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A data processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Controller and processor for data in Company Organizer
For all processing of personal data in Company Organizer, you as a customer are the data controller. Qreo Broberg AB is a data processor and takes technical and organizational security measures to ensure that you feel confident that your collected personal data will be processed securely and in accordance with the law. Qreo Broberg AB's technical and organizational measures are described in the "Safety" section.
Qreo Broberg AB as data controller
We are the data controller for all processing of personal data about you as a customer or user when you order Company Organizer or contact us. What we do with your personal data is described in our Privacy Policy.
Legal bases
At the Swedish Authority for Privacy Protection, you can read about the legal bases that apply to personal data processing: In order for it to be allowed to process personal data, there must always be support in the General Data Protection Regulation, a so-called legal basis. One such legal basis is the consent of the data subject. Other legal bases are if the personal data processing is necessary for the performance of an agreement with the data subject, compliance with a legal obligation, protection of the data subject's fundamental interests, performance of a task in the public interest, for the exercise of public authority, and after a balancing of interests.
Legal basis for data in Qreo Broberg AB's services
As a data controller, you must find out and document the legal bases for the processing of personal data in Qreo Broberg AB's services. It can vary from case to case depending on the business, what laws you need to follow, whether you collect information that is required or that may be useful to have.
Safety
Qreo Broberg AB, as a data processor, is responsible for the technical and organizational security measures in and around Company Organizer. This means that we at Qreo must ensure that there is the security needed, such as encrypted storage, access control, the ability to make register extracts and delete personal data. When there are no functions in the program to handle the personal data, we have internal procedures for this. The actions taken by Company Organizer are described in more detail below.
Authentication and encryption
All data communication is done using Secure Sockets Layer (SSL). To access the Services, login with username and password is required. We also support two-step authentication, which we recommend for additional security for your accounts.
Company Organizer uses encrypted communication in the form of 256-bit SSL encryption and 2048-bit public keys from RSA. All data communication to and from users' computers is encrypted using SSL, the most widely used Internet standard for encrypted communication. Company Organizer applies password protection in the form of the login procedure being fully encrypted, which means that no information is sent as unencrypted text. The user's password is stored in a one-way encrypted format (with a standardized one-way cipher and so-called "salting"). The Customer is always responsible for the risk of unauthorized use of the Services as a result of the User leaving a logged-in computer unattended. There is continuous verification of users. Every call to Company Organizer's servers involves a check of the logged-in person's permissions.
Storage and backups
Company Organizer is operated on servers in a data center that is monitored around the clock and there are always staff available. The storage of data is located on our servers, at Cleura, with continuous database backup.
The data center is equipped with an alarm and climate system as well as with very high security. High-capacity connections ensure users' access to Company Organizer.
Privacy Policy
The purpose of this document is to:
1. Clarify the responsibility to protect your rights and privacy
2. Explain how we use the personal data that you share here on the website or when you use the Company Organizer service
3. Give you an understanding of what personal data we collect and what we do with it
Parties and responsibilities for the processing of your personal data
Qreo Broberg AB, 556849–6843, is the software provider
of Company Organizer, which is hereinafter referred to as the
"Service". Qreo Broberg AB is the data processor for the processing
of your personal data in the Service and is then responsible for the
organizational and technical security measures described on this website under
"What you need to think about". The data controller for the processing
of your data in the Service is the "Customer", which is the
registered company in Company Organizer. If you are a user and have your own
login details to the Service, you are referred to below as the
"User". In the Service, there is the role of
"Administrator" who is the representative of the Customer in the
Service with responsibility for adding users and other administrators,
assigning rights and giving instructions to the Company Organizer regarding the
processing of data, including personal data in the Service. Qreo Broberg AB is
the data controller for the processing of the personal data that you share with
us when:
1. you order the Service
2. you receive login details and become a user of the Service
3. you use the Service app
4. you sign up for one of our trainings
5. you have a question and/or contact us
6. you visit our website and accept cookies
What personal data do we process about you?
The personal data that is processed varies depending
on the type of company you have. Company information may become personal data
for a Customer who is a sole proprietorship. When you order the Service, we
collect your contact information and company information. All users have
registered contact details, login details and online identifiers with us in
order to use the Service. When you use the Service's App, you may upload images
to the Service, which will then be processed by us. When using this, the location
(GPS) can be stored when time registration takes place (if the Administrator of
your account has activated this). If you have a question or contact us
regarding any other matter, the amount of personal data and what it is may vary
depending on the communication channel used. Categories of personal data are
usually contact details, online identifiers, company details and the case
itself as unstructured material, which contains the personal data you have
chosen to share with us. A detailed list of the personal data that occurs
within the different categories, on what occasions and on what legal basis the
processing is based, can be found in Appendix 1.
Information about what cookies are and how we handle
cookies is described under the Cookies section of our page.
Why do we process your personal data?
Qreo Broberg AB collects this personal data about you as a user and customer in order to be able to provide the Service, fulfill obligations to you according to agreements, and give you the best possible experience of both the Service and our website. This is necessary for us to identify you, administer your account, for statistical purposes and for direct marketing purposes (which you can unsubscribe from). The personal data collected when placing an order is needed to handle the order, invoice and send you login details. All users' personal data is needed to be able to give you access to the Service, to be able to use the Service, to be able to create a processing history for you as a customer, to be able to identify you and to know which users and customers use the Service. By using the Company Organizer App, you agree that Company Organizer will have access to your phone's camera and photo gallery in order for you to be able to upload and process your images in the Service. If the "Administrator" has activated it, you agree that the location can be saved when time registration takes place. When you contact us via one of Qreo Broberg AB's communication channels, the information about you is used to be able to handle the case, be able to contact you and help improve our service by saving the case for recurring questions. If you visit Qreo Broberg AB's website, you consent to cookies for the processing of your data.
Who do we share personal data with?
In order to maintain a quality service, we use subcontractors for certain functions, both within and outside the EU/EEA. A complete overview of recipients and locations for each processing of personal data in the Service is available in Appendix 2. The suppliers have corresponding obligations regarding the processing of personal data that you as a customer have agreed with us and are set out in the Data Processing Agreement. If you choose to activate an integration to account in the Service, we will share the personal data that the integrator requires, which will then be done at your request.
How long do we keep your personal data?
Qreo Broberg AB saves personal data about you as a customer for as long as there is a customer relationship or is necessary to achieve the purposes described in this policy. Upon termination of the agreement, Qreo Broberg AB will delete or anonymize your data within one year after termination, unless other Swedish or European law, court or authority states otherwise. Your data can be saved based on a balancing of interests if there are security or financial reasons. How long your personal data as a user is stored with us varies depending on the purpose for which it was collected. Data in the Service is deleted by the Administrator, but in cases where there is no technical function for deletion, your Administrator needs to contact us. Personal data processed for invoicing is stored for as long as it is required as a basis for the bookkeeping. Data collected when you contact us is stored for as long as you are a customer with us in order to fulfil our commitment. At the end of the customer relationship, we can store it based on a balancing of interests as evidence in case of problems. Storage is then limited to one system and with controlled access control.
What rights do you have?
As a registered customer of Qreo Broberg AB, you have several rights that you should be aware of. You have the right to request a register extract of the information registered about you free of charge once a year, provided that you have legitimate reasons. In some cases, you also have the right to data portability of the personal data. You have the right to have your personal data corrected if it is inaccurate, incomplete or misleading and the right to restrict the processing of personal data until it is amended. You have the right to be forgotten, but deletion of personal data cannot take place if it is required to fulfil the agreement or if other Swedish or European law, court or authority decisions say otherwise, and if it is based on a balancing of interests. Should you think that there are no legitimate reasons or that the balancing of interests is incorrect, you have the right to object to the processing. You also have the right to withdraw consent, lodge a complaint about the processing with the Swedish Data Protection Authority, object to automated decision-making, profiling and object to direct marketing.
If you want to know more
If you have questions about this policy and the processing of your personal data, or wish to delete or change incorrect information, you can contact us through the user support available in the Service.
Appendix 1
Categories of personal data
In order to use the Service, we need certain information about you. Examples of such data are your contact details, company details, login details and online identification. In cases where you contact us via our case management, telephone or chat, information may appear in unstructured material, which means that the information that is handled depends on what information you choose to share with us.
A detailed list of the personal data that is processed and the legal basis for the processing is described below:
| When | Category of task | Personal data | Legal basis |
| Ordering a trial period of the Service | Company details | Company | Fulfilling our contractual obligations to you |
|  | Contact | First name, Last name, Email | Fulfilling our contractual obligations to you |
| Ordering a Service | Listing | Company name, Address, Postal code, City, Organization number, Contact person, E-mail | Fulfilling our contractual obligations to you |
|  | Contact | First name, Last name, Email | Fulfilling our contractual obligations to you |
| Contact by email | Listing | Company Name, CustomerNr/UserID | Fulfilling our contractual obligations to you |
|  | Contact | First name, Last name, Phone number, Email | Fulfilling our contractual obligations to you |
| When using the Service | Company Listing | Company name, Address, Postal code, City, Organization number, Contact person, E-mail, Customer nr | Fulfilling our contractual obligations to you |
|  | Payment details | Billing address | Fulfilling our contractual obligations to you |
|  | Contact | First name, Last name, Social security number (may apply), Phone number, E-mail | Fulfilling our contractual obligations to you |
|  | Credentials | Username, Email | Fulfilling our contractual obligations to you |
|  | Online identification | IP address | Fulfilling our contractual obligations to you |
|  | Pictures | Pictures that you upload | Fulfilling our contractual obligations to you |
| When using the mobile app | Listing | Company name, Address, Postal code, City, Organization number, Contact person, E-mail, Customer nr | Fulfilling our contractual obligations to you |
|  | Contact | First name, Last name, Social security number (may apply), Phone number, E-mail | Fulfilling our contractual obligations to you |
|  | Credentials | Username, Email | Fulfilling our contractual obligations to you |
|  | Location tracking (only occurs when registering time if the Administrator has enabled this) | GPS coordinates | Fulfilling our contractual obligations to you |
Appendix 2
Subcontractors
| Function | Company | Country | Purpose |
| Database backup | Cleura | Sweden | Continuous backup of the database |
| Document storage | Cleura | Sweden | Storage of documents uploaded to the Service |
| Google Analytics |  | USA | Improve our website |
| Push notifications |  | USA | To send push notifications to Qreo Broberg's Apps |
| SMS | 3 | Sweden | Used to send SMS |
| Server hosting | Cleura | Sweden | Hosting of the servers for the Service |
| Send email | GoDaddy | USA | Used to send emails from the Service |
Incident management
Incident
If an application-related incident occurs, it could mean that there will be a personal data breach. An issue in Company Organizer that generates incorrect data or missing data is categorized as an application-related incident. Should this data contain personal data, it will also be a personal data breach. It can also become a personal data breach if a security incident leads to unauthorised disclosure of or unauthorised access to the processed personal data.
Incident process
The process is divided into the sub-processes of incident detection, impact analysis, remediation process, communication and Root Cause Analysis (RCA).
When an incident is detected, the type of incident is identified. In the Impact Assessment sub-process, an analysis is made of the extent to which customers and users are affected by the incident and what the consequences will be. In the Remediation Process, the problem is assessed and prioritized in order to secure the action plan and the implementation of the measure. In the event of a personal data breach, compiling a report is one of the activities; we start from the Swedish Authority for Privacy Protection's template, which states that we must include information about:
• The nature of the incident
• The categories of persons who may be affected
• How many people it affects
• What consequences the incident may have
• What measures have been taken to counteract any negative consequences.
Incidents and measures are communicated to those affected. In the event of a personal data breach, notification to the Swedish Authority for Privacy Protection is an activity in this sub-process. After actions have been implemented and those affected have been informed, a Root Cause Analysis is conducted to prevent the problem from occurring again.
Cookies
What are cookies and how do we use cookies?
Company Organizer contains so-called cookies. Cookies are small text files that are placed on your computer by a web server and act as an ID card. Cookies enable the website to remember important information that makes your visit to the website more convenient. Like most other websites, Hellapp uses cookies to improve your internet experience in the following ways:
1. Count the number of users and traffic. Understanding how the website is used allows us to develop and improve it.
2. Collect and analyze behavioral data based on the use of the website and services in order to improve the user experience and also enable personalized communication and messages to the user.
3. Remember that you have logged in to the website, so that you do not have to log in again on each new page you visit.
4. Customize our services according to the user preferences you have set.
There are two types of cookies. One type, called a Permanent Cookie, saves a file that remains on the visitor's computer. It is used, for example, to be able to adapt a website to the visitor's wishes, choices and interests, as well as for statistical follow-up. The second type is called a Session Cookie. While a visitor is on a website, it is temporarily stored in the memory of the visitor's computer. Session Cookies disappear when you close your browser. If you do not want to receive cookies, you can change the cookie settings in your browser, and you can also block cookies. Please note that if you block cookies, you will not be able to use the Company Organizer service because the session required to use Company Organizer is stored in a cookie.