Privacy policy for elastisys.com and elastisys.io, business contacts, authorized users, and recruitment.
Privacy Policy
- Transparent
- Easy to Understand
Elastisys Privacy Policy
- Date: 2024-05-30
- Author: DPO
- Reviewed by: Management Team
- Approved by: CEO
- Information owner: CEO
The latest version is available on our website.
Data of our Customers is processed only according to Appendix 1 Data Protection Agreement in our Terms of Service.
Introduction
Elastisys prides itself with being a data protection and privacy front-runner. Therefore, we take privacy seriously.
No "we value your privacy" BS. No "dark pattern" consent forms. No complicated cookie banners that try to trick you. No profiling.
We process personal data for various purposes, each with its own privacy policy. Please read the full details below.
Your Rights
You have the right to:
- access your personal data;
- request rectification or erasure of your personal data;
- object to the processing of your personal data;
- withdraw your consent to the processing of your personal data at any time;
- file a complaint with the Swedish Authority for Privacy Protection (IMY).
Contact Information
If you have any questions or concerns about our privacy policy or wish to file a complaint under GDPR, the EU ePrivacy Directive or the EU Digital Services Act, please contact our Data Protection Officer (DPO) at dpo@elastisys.com.
Name and contact details of the Data Controller:
Elastisys AB Org.nummer 556873-6135 Kuratorvägen 2A, 907 36 Umeå, Sweden
Privacy Policy for elastisys.com and elastisys.io
Purpose
We collect personal data for the following purposes:
- track campaign success;
- understand visitor demography and website journey.
Personal Data We Process
We collect:
- operating system;
- browser;
- browser plugins;
- IP address;
- browser language; and
- tracking links.
to compute a privacy-friendly industry-leading visitor "hash" number, which is valid for 24 hours. This solution is recommended by the CNIL, the French GDPR and ePrivacy supervisory authority.
You can find more information under:
We anonymize IPv4 addresses to /24 as soon as technically possible, and our self-hosted, first-party Matomo instance does not store the full information, as per their description of privacy controls.
Legal Basis
We believe we have a legitimate interest in processing IP addresses for the purpose of tracking campaign success and understanding visitors. IP addresses are expected to belong to corporate network endpoints and not identify data subjects. Furthermore, we anonymize IP addresses as soon as technically possible. Hence the impact on your privacy as a data subject is minimal.
Retention
IP addresses are anonymized as soon as technically feasible. Anonymized IP addresses are retained indefinitely.
Protection of Personal Data
We protect personal data as following:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| SafeSpring | Self-hosted Matomo instance | Sweden | Sweden | DPA stored internally |
| Bahnhof | website hosting elastisys.com | Sweden | Sweden | DPA stored internally |
| GitHub | website hosting elastisys.io | Global | US | DPA |
As of 2023-04-18, the US is a third country. See what this means on IMY's website: EN SE.
Cookies and Similar Technologies
We only use cookies and similar technologies in a way that do not invade your privacy and are exempted from requiring your consent, accoding to the Directive 2009/136/EC (a.k.a. ePrivacy Directive) Article 5.3.
We only use your browser's session storage to keep track of whether you've closed the information box informing you about our privacy policy. According to Opinion 04/2012 on Cookie Consent Exemption, this qualifies as "UI customization cookies" and does not require consent, if stored for no longer than a browser session or no more than a few additional hours.
| Name | Type | Domain | Purpose | Expiration | Vendor |
|---|---|---|---|---|---|
| consentDismiss | sessionStorage | elastisys.com | We use this to remember if you dismissed the no-consent-needed popup. | Session | Elastisys |
To understand website visitor interactions, we use cookieless tracking technology by Matomo. We self-host the Matomo instance, and it is thus not a third-party cloud service. Read more about cookieless tracking under:
Elastisys is aware of Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive published by the European Data Protection Board. Elastisys has participated in the public consultation to better understand whether our current practices comply with the ePrivacy Directive.
Automated Decision-Making, Including Profiling
We don't use automated decision-making or profiling.
IT Systems Outside the Scope of this Privacy Policy
We may link to various external websites, such as Google, YouTube, LinkedIn, Twitter, Instagram and Calendly. We make it very clear when you are about to exit our websites. By continuing to navigate to external websites, you accept their privacy policy. For your convenience, please find the privacy policies of external website below:
- Facebook Privacy Policy
- Google / YouTube Privacy Policy
- LinkedIn Privacy Policy
- Twitter Privacy Policy
- Instagram Privacy Policy
- Calendly Privacy Policy
Privacy Policy for Business Contacts
Purpose
We collect personal data for the following purposes:
- discuss our offers;
- fulfill our business agreements;
- improve customer satisfaction.
Personal Data We Process
We collect business contact information, such as first name, last name, business email address, business phone number, title and LinkedIn profile URL.
Legal Basis
For discussing our offers, we process personal data based on legitimate interest. Please find our Legitimate Interests Assessment below.
We collect personal data as part of our surveys based on your consent (GDPR Art 6. § 1.a).
Otherwise, we process personal data because it is necessary to fulfill our business agreement (GDPR Art. 6 § 1.b).
Retention
Business contact information is retained for as long as:
- we have an active dialog about our offers; or
- we have a business relationship.
Note that invoices may contain business contact information. We need to store those for at least 7 years, as required to comply with Swedish Accounting Laws (Bokföringslag 1999:1078).
Personal data in connection to surveys are stored until you withdraw your consent.
Protection of Personal Data
We protect personal data as following:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Membrain | Customer Relationship Management | Sweden | Sweden | DPA |
| Telavox | Phone communication, storing contact information | Sweden | Sweden | DPA is stored internally |
| GetAccept | Managing contracts | US | US, Germany | DPA |
| Google Workspace (GMail, Drive) | Email communication, storing contact information | Global | US | DPA |
| SurveyMonkey | Customer Surveys | Global | US | DPA |
As of 2023-03-16, the US is a third country. See what this means on IMY's website: EN SE.
Legitimate Interests Assessment
Our assessment, based on the "three-part test" looks as follows:
- Purpose test:
- We want to collect business contact information to present our offering to potential new customers.
- Without processing this information, we would not be able to grow our business.
- Necessity test:
- Some public business contact information cannot be obtained with prior consent. This includes contact information which you made available on your company website. (For example: How would we write an email to ask for your consent without processing your email address in our email client first?)
- Balancing test:
- We only collect contact information found in a business context, such as company websites.
- We only collect your information if we assessed that you would likely benefit from knowing about our offering.
- This information is already public, hence neither sensitive nor private.
- In our experience, such usage of public business contact information can be expected, as long as the email is hand-written and tailored manually to the interests recipient.
- Swedish law allows for such communication on an opt-out basis. See Marknadsföringslag (1995:450) 13 b § 2st. "Obeställd reklam" and E-privacy Directive 2009/136/EC Article 13 "Unsolicitated communication" paragraph 3.
- Elastisys does not work with automated electronic communication, such as marketing, sequencing or equivalent, whether email, LinkedIn or similar. As an organization we do not believe that an automated first contact is an effective and appreciated way of doing business with other organizations.
- We only send automated emails if you gave your consent, for instance by subscribing to a newsletter or Terms of Service updates.
Privacy Policy for Office Visitors
Purpose
We collect personal data for the purpose of visitor management.
Personal Data We Process
We collect your name, company affiliation, mobile phone and which Elastisys employee you are visiting.
Legal Basis
We process personal data based on legitimate interest (GDPR Art 6. § 1.f).
Our assessment, based on the "three-part test" looks as follows:
- Purpose test: We need to collect personal data on visitors to ensure physical security of our offices.
- Necessity test: Collecting visitor information can help us deter information security incidents at our offices and also investigate information security incidents after-the-fact.
- Balancing test: Collecting visitor's information is an expected from an ISO 27001-certified company as Elastisys.
Retention
We retain visitor data for 90 days.
Protection of Personal Data
We protect personal data as following:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Vizito | Vizitor Management | Belgium | Belgium | DPA stored internally |
Privacy Policy for Authorized Users
Please read Terms of Service, Appendix 4 "Privacy Policy for Authorized Users".
Privacy Policy for Recruitment
Purpose
We collect personal data for the purpose of recruitment.
Personal Data We Process
We collect:
- your contact information, such as first name, last name, email address and phone number;
- your CV.
Legal Basis
We collect this information based on consent. By responding to an Elastisys job ad, you consent to process your personal data as laid out in this privacy policy.
Retention
We retain candidate information for a maximum of 12 months. The retention period is based on our desire to keep a pool of candidates, in case we suddenly have a large number of openings. You may remove your personal data earlier by withdrawing your consent.
Protection of Personal Data
We protect personal data as following:
- Encryption: Personal data is encrypted in-transit. If supported by the underlying subprocessor, personal data is also encrypted at-rest.
- Data minimization: We only process a minimal amount of personal data and anonymize it as soon as technically possible.
- Access minimization: Access to personal data is only permitted to Elastisys employees needing it.
Processors and Third Countries
We use the following Processors for processing personal data:
| Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location | DPA |
|---|---|---|---|---|
| Google Workspace (GMail, Drive) | Email communication, storing candidate database | Global | US | DPA |
As of 2023-02-03, the US is a third country. See what this means on IMY's website: EN SE.
Cookies and Similar Technologies
We don't use cookies and similar technologies.
Automated Decision-Making, Including Profiling
We don't use automated decision-making nor profiling.
IT Systems Outside the Scope of this Privacy Policy
If you apply to jobs via LinkedIn, you accept their privacy policy. For your convenience, please find the privacy policies of external website below:
If you do not accept the LinkedIn Privacy Policy, please apply via email. This will in no way affect how we evaluate your fitness for the job ad.
