This Privacy Policy (Policy) sets forth Axessions Scandinavia AB’s, a Swedish corporation with an address at Storgatan 22 A, 211 42 Malmö, Sweden (Axessions) policy with respect to information that can be associated with or which relates to a person and/or could be used to identify a person (Personal Data) that is collected from You as a private individual (You) through the use of Axessions Software-as-a-Service (SaaS) and Cloud based Asset Access Control services and products (Accessy) via hosted online web services (Service) and Axessions’ App (App).

This Policy creates the legal framework for processing of personal data in a manner compliant with EU General Data Protection Regulation 2016/679 (GDPR), and describes how Axessions collects, uses, shares and secures the personal information that You provide. It also describes Your choices regarding use, access and correction of Your personal information.

Contact

If You have questions or complaints regarding this Policy or about Axessions’ privacy practices, please write to us at info@axessions.com.

Why does Axessions collect and process personal data?

General

The Service is intended for use by enterprises and organizations (each an Administrator) that have entered into a Subscription Agreement with Axessions for use of the Service. The Administrator is, through the Subscription Agreement, authorized to publish the Administrator’s Assets (as defined below) in the Service.

Asset – An object that belongs to an Administrator and that has been published in the Service by such Administrator. An Asset has certain asset operations where Asset Access (defined below) is controlled.

Asset Access – Access to an Administrator’s Asset operation published in the Service, to which a User has been granted access by the Administrator. A User may have one or multiple Asset Accesses, and be granted access by one or multiple Administrators.

Axessions’ App (as defined below) is intended for use by persons using the Service (each a User or collectively Users).

The Administrator may invite Users (or approve membership) to access published Assets (Asset Access), and to allocate different roles and responsibilities within the scope of the Service and the Administrator’s subscription rights, such as Asset-Admin, Real Estate-Admin, Device-Admin and API-Admin.

A User’s Asset Access or utilization of the Service requires the App and a registration for an individual account with Axessions (Account). When the User has registered the Account, then Assets published in the Service will be available to the User. Once approved by the Administrator in control of published Assets, the User may use the Service for Asset Access. Other Asset availabilities and Asset Access require memberships controlled by Administrators.

For the purposes of this Policy, we refer to any such Account registration information as Account Information.

Where our Service is made available to You through an Administrator, that enterprise or organization is the data controller of Your personal information submitted during use of the Service. User data privacy questions and requests should initially be submitted to the Administrator in its capacity as Your data controller. Axessions is not responsible for Administrator’s privacy or security practices which may be different than this Policy.

We collect information as described below and we have no direct relationship with individuals whose personal information we process in connection with use of our Service. Our use of information collected through our App and Service shall be limited to the purpose of providing and supporting the Service.

When creating an Account to use the Service and by voluntarily providing us with Account Information You consent to us processing Your personal data. By doing so You also represent that You are the owner of such personal information or otherwise have the requisite consent to provide it to us.

The lawful basis for Axessions to process Your personal data is Your Consent. We also base the processing of Your personal information on our legitimate interest to provide You with the necessary functionality required during Your use of our Service.

With the exception of Account Information and other information we collect in connection with Your registration or authentication into our Service, this Policy does not apply to our Security Standards in connection with Your access to and use of the Service. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received. These security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications or other materials submitted to and stored within the Service by You are found in Axessions’ applicable Data Security Standards (DSS).

Account Information

We collect and process personal information about You when You register for an Account to access or utilize our Service, such as Your name, mobile phone number and location. This information allows us to provide our Service and is necessary for us to be able to identify Your Account in our Service.

When creating an Account, You provide us with Your name (first name and last name) and a mobile phone number.

Your mobile phone number is used to send You an SMS for activating Your Account.

Your name is only shared when requesting an Asset Access (defined below) and within organizations You choose to join.

Using the Service, Access Log and other user statistics

While using our Service we collect information about Asset Access, such as opening doors, enabling charging stations or whatever operation may be available from an Asset.

When You request an Asset Access, You will provide us with Your personal data and data of the Asset You request access to. Your personal data will be available to the Administrator who has the permission to approve Your request. This information is stored as long as Your Account is registered for use of the Service.

When Your request is approved and You choose to use it, every Asset Access attempt is logged in the access log. This data is stored by default for 14 days. The publisher of the Asset may require this data to be stored longer, but that will require Your consent when requesting Asset Access.

We may also collect anonymous usage statistics to be used solely by us to improve the Service and to find and fix problems. We also use mobile analytics software to allow us to better understand the functionality of our mobile versions of the App and the Service on Your mobile device. This software may record information such as how often You use the App, the events that occur within the App, aggregated usage, performance data, and where the application was downloaded from.

We do not link the information we store as usage statistics to any personally identifiable information You submit within the mobile application.

Location Information

We request permission to use Your location to help You find assets nearby; we do not store this data. Some assets may be configured to require location when accessing them; in that case we will store Your location as part of our Asset Access logs.

App

When registering an App to Your Account and downloading to Your mobile device, we automatically collect information on the type of device You use, and the operating system version. If the App is running in iOS You also provide us with the device name such as “Eric’s iPhone”.

We store this information to allow You to easily detect what App is running on what device. If You lose Your phone, You will need to block it in order to prevent misuse of Your Account; this information lets You detect what Apps to block.

Other

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when You interact with our websites and Service. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information You search for, locale and language preferences, identification numbers associated with Your devices, Your mobile carrier, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as necessary to improve our Websites and Service. In such a case, we would treat the combined information in accordance with this Policy.

Will collected Information be shared?

All Your data in the Service is processed by services hosted within the European Economic Area (“EEA”) and servers are hosted on our third-party service provider Azure’s servers in North and West Europe (Ireland and Netherlands).

We only share information, including personal information, with our third-party service providers that we use to provide hosting for and maintenance of our Service, App development, backup, storage, payment processing, analytics and other services for us. These third-party service providers may have Asset Access to or process Your personal information for the purpose of providing these services for us.

We do not permit our third-party service providers to use the personal information that we share with them for their marketing purposes or for any other purpose than in connection with the services they provide to us.

In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Subscription Agreement, or as otherwise required by law.

We may also share personal information with third parties when we have Your consent to do so.

When will Transfer of Personal Information occur?

Except as requested by the Data Processor and as explicitly approved by the Data Controller, the Data Processor and its Sub-Processors will only maintain Processing operations in countries that are inside of the EEA.

If the Data Controller has approved that Personal Data processed in the Service is transferred and/or processed in a country outside the EEA, the Data Processor shall ensure that such transferred and/or processed Personal Data are adequately protected. To achieve this, the Data Processor shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.

Axessions offers Administrators the option to enter into a separate Data Processing Agreement (DPA), provided upon request, which outlines Axessions’ and the Administrator’s respective rights and obligations to guarantee an adequate level of data protection wherever Personal Data is physically kept.

How long do we keep Your data?

We will retain Your information for as long as Your Account is active or as needed to perform our contractual obligations, provide You the Services, to comply with legal obligations, resolve disputes, preserve legal rights, or enforce our agreements.

Once Your Account is closed, we will automatically delete all data within 3 months from registration. If You want us to delete Your data more promptly, for example if You believe a Service Account was created for You without Your permission or You are no longer an active User, You can request that we delete Your Account by sending an email to info@axessions.com with a request to do so. Your data will then be deleted no later than 28 days after receiving Your request.

Please note that if You are using the Service via an Administrator, You should first contact this Administrator with a request to stop Asset Access, storage, use of Your personal information. If there is delay or dispute as to whether we have the right to continue using Your personal information, we will restrict any further use of Your personal information until the request is honoured or the dispute is resolved, provided the Administrator does not object (where applicable).

How do I delete my Account?

If You no longer wish to use our Service You may contact us and request deactivation and subsequent deletion of Your Account; please email info@axessions.com. Please be aware that deactivating Your Account does not delete Your information; Your information remains visible to other Service users based on Your past participation within the Service.

You may request that Your personal information no longer be accessed, stored, used and otherwise processed by us; see above under “How long do we keep Your data?”

What if there is a data security breach?

We implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or Asset Access (a “Data Security Breach”), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the processing and the nature of the Personal Data to be protected, including data security consistent with Axessions’ Data Security Standards.

Upon confirmation of a Data Security Breach concerning Your Personal Data, we will notify You without undue delay but in any event within 48 hours, and we will take necessary actions and measures to investigate, mitigate or remedy such Data Security Breach.

What are Your rights?

You have the right to be informed about what data we collect, which is covered by this Policy. Furthermore, You have the right to access Your data.

If You believe that the information that we have collected about You may be incorrect, then You have the right to have it amended and, in some cases, deleted.

If You wish to exercise any of Your rights, You may contact us via info@axessions.com.

You have the right to complain to a Data Protection Authority about our collection and use of Your Personal Data. For more information, please contact Your local data protection authority in the EEA. If You are in Sweden You have the opportunity to complain to Datainspektionen, with contact details available at www.datainspektionen.se.

Will this Policy change?

Should the European Parliament and/or the Council pass new regulations and/or issue any guidelines which contain terms that conflict with those used in this Policy, we reserve the right to change this Policy from time to time to make it compliant with any such new legislation or guideline. If we change the Policy the new version is valid from the moment we publish it on our website.

Do You still have an unanswered question?

Please contact us at info@accessy.se

 
