Who is responsible for the processing of your data?
Company: Arengu Spain S.L.U. (Hereinafter “ARENGU”)
Address: Ronda de Outeiro 289, 15011, A Coruña, Spain
For what purpose do we process your personal data?
At ARENGU we process the information that interested persons provide to us for the purpose of providing and/or marketing the products and/or services offered by our firm.
What data do we collect?
ARENGU is used by “Users” and by “Respondents”. The information we receive from Users and Respondents and how we handle it differs, as set out below.
Data collected by ARENGU Users
As a User, we collect information relating to you and your use of our Services from a variety of sources:
Information we collect directly from the User
a) Registration information: information you provide to us when you register for an account.
b) “My Profile” settings: you can view and edit various preferences and personal details on “My Profile” settings.
c) Arengu data: We store your forms data (questions and submissions) for you.
d) Plan and Billing info: we store information about your Plan. If you subscribe to a paid plan, we require you to provide your billing details.
Information we collect about the User indirectly or passively when interacting with ARENGU
a) Usage data: ARENGU collects usage data about Users whenever they interact with our services, including information they have elected to make publicly available.
b) Device and application data: ARENGU collects data from the device and application the User uses to access our services, such as the IP address and browser type. We may also infer the geographic location based on the User's IP address.
c) Referral data: if the User arrives at an ARENGU website from an external source (such as a link on another website or in an email), we record information about the source that referred the User to us.
d) Information from third parties: ARENGU may collect User personal information or data from third parties if the User gives permission to those third parties to share such information with others or the data is extracted from publicly accessible sources.
For example, ARENGU may share minimal service data with a select third party for data enrichment purposes, provided that the User has given prior permission to those third parties to share such information with other parties (e.g. ARENGU may share Users’ email addresses with a third party to obtain some information like company name, etc.) or it comes from publicly accessible sources like social media profiles. Enriching data allows us to analyse a deeper subset of data from which we may present personalized content. Prior to sharing data with any data enrichment vendor, ARENGU signs the corresponding Data Protection Agreement with the vendor to ensure that the data is adequately protected, that it has been lawfully obtained by vendors enabling ARENGU to use such data in connection with the Services, and to ensure vendors adopt adequate security controls.
Data collected by ARENGU Respondents
As a Respondent, when you respond to forms hosted by ARENGU, we collect, on behalf of and upon the instructions of ARENGU’s Users, information relating to you and your use of our services from a variety of sources:
Information we collect directly from the Respondent
When responding to a form you may provide personal information or data. Please note that ARENGU is not responsible for the content of that form, so if you have any questions about a form you are taking, please contact the ARENGU User directly.
Information we collect about the Respondent from other sources on behalf of ARENGU’S Users
a) Usage data: on behalf of ARENGU Users, ARENGU collects usage data about Respondents whenever they interact with our services.
b) Device and application data: on behalf of ARENGU Users, ARENGU collects data from the device and application the Respondent uses to access our services, such as, among others, the IP address, browser type and operating system. We may also infer the geographic location based on the Respondent's IP address.
c) Referral data: on behalf of ARENGU Users, ARENGU records information about the source that referred the Respondent to a form (e.g. a link on a website or in an email).
e) Email address: ARENGU records the email address if the User/Respondent provides it to us in order to send the Respondent a form notification email.
ARENGU’S obligations as data processor when processing Respondents’ data on behalf of Users
When ARENGU is processing Respondents’ data on behalf of Users, the User who creates the form is the Data Controller in relation to the data of Respondents using such form, and ARENGU is the Data Processor of such Respondents’ data (hereinafter, the User shall be referred to as the “Data Controller” and ARENGU as the “Data Processor”).
For the processing of Respondents’ data on behalf of the Data Controller, the Data Processor undertakes to fulfil the following obligations:
a) To process the personal data only to carry out the provision of the contracted Services, in accordance with the instructions given in writing, at any time, by the Data Controller (unless there is a legal rule that requires complementary processing; in such a case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless the Law prohibits it on public interest grounds).
b) To maintain the duty of secrecy with respect to the personal data to which the Data Processor has access, even after the termination of the contractual relationship, and to ensure that its employees have committed in writing to maintain the confidentiality of the personal data processed.
c) To ensure, taking into account the available technology, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, that they will apply adequate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, among other things:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the continued confidentiality, integrity, availability and resilience of the systems and services;
- The ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;
- A process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures in order to ensure the security of the processing.
When evaluating the adequacy of the security level, special account shall be taken of the risks presented by the data processing, in particular as a consequence of the destruction, loss or accidental or unlawful alteration of the personal data transmitted, stored or otherwise processed, or the communication or unauthorized access to such data.
In the event that the implementation of specific and concrete security measures is needed, those measures will be added to this Agreement by means of an Annex.
d) To keep under its control and custody the personal data to which it has access in relation to the provision of the Service, and not to disclose, transfer or otherwise communicate them, not even for their preservation, to persons unrelated to the provision of the Service covered by this Agreement.
However, the Data Controller may authorize, expressly and in writing, the Data Processor to use another data processor (hereinafter, the “Subcontractor”), whose identification data (full company name and fiscal identification number) and subcontracted services must be communicated to the Data Controller prior to the provision of the service, at least one (1) month in advance. The Data Processor will also inform the Data Controller of any change envisaged in the incorporation or substitution of the Subcontractors, thus giving the Data Controller the opportunity to object to such changes.
Where the Data Processor makes use of the power recognized in the previous paragraph, it is obliged to transfer and communicate to the Subcontractor all the obligations that derive from this Agreement for the Data Processor and, in particular, the provision of sufficient guarantees that the Subcontractor will apply appropriate technical and organizational measures, so that the processing complies with the applicable regulations.
In any case, access to the data made by natural persons who render their services to the Data Processor, acting within the organizational framework of the latter by virtue of a commercial and non-labour relationship, is authorized. In addition, access to the data is granted to companies and professionals that the Data Processor has hired in their internal organizational framework in order to provide general or maintenance services (computer services, consulting, audits, etc.), as long as such tasks have not been arranged by the Data Processor with the purpose of subcontracting with a third party all or part of the Services provided to the Data Controller.
e) To delete or return to the Data Controller, at the Data Controller's choice, all personal data to which it has had access in order to provide the Service. Likewise, the Data Processor undertakes to delete the existing copies, unless there is a legal rule that requires the preservation of the personal data. However, employees and other personnel working for the Data Processor are entitled to access Users' and Respondents' data as required to carry out their obligations under the terms of their contract.
f) To notify the Data Controller, without undue delay, of any personal data security breaches of which it is aware, giving support to the Data Controller in the notification to the Spanish Data Protection Agency or other competent Control Authority and, if applicable, to the interested parties of the security breaches that occur, as well as to provide support, when necessary, in the carrying-out of privacy impact assessments and in the prior consultation with the Spanish Data Protection Agency, where appropriate, as well as to assist the Data Controller so that it can fulfil the obligation of responding to requests to exercise certain rights.
g) To keep, in writing, a record of all categories of processing activities performed on behalf of the Data Controller.
h) To cooperate with the Spanish Data Protection Agency or with another Control Authority, at its request, in the exercise of its powers.
i) To make available to the Data Controller all the information necessary to demonstrate the fulfilment of the obligations established under this Agreement, as well as to allow and contribute to the performance of audits, including inspections, by the Data Controller or by a third party authorized by the Data Controller.
If the Data Processor or any of its Subcontractors violates this Agreement or any regulation when determining the purposes and means of the processing, they shall be held responsible for such processing. Furthermore, if such Subcontractors are based in countries which do not have data protection legislation equivalent to the EU legislation (“Third Countries”), the Data Processor shall establish all safeguards required by the EU legislation in order to comply with all obligations arising from transfers of data to Third Countries, and shall promptly inform the Data Controller about such safeguards if so requested.
How long will we keep your data?
The personal data provided will be kept for the time necessary for the provision of the service requested or marketing of the product and during the legally established periods.
What is the legal basis for the processing of your data?
The legal basis for the processing of your data is the performance of a contract or, where that is not the case, the consent of the interested party.
To which recipients will your data be communicated?
The data will not be communicated to third parties except where there is a legal obligation.
What are your rights when you provide us with your data?
Anyone has the right to obtain information about whether ARENGU is processing personal data that concerns them, or not.
Interested persons have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case we will only keep them for the exercise or defense of claims.
In certain circumstances and for reasons related to their particular situation, the interested parties may object to the processing of their data. In this case, ARENGU will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims. You can materially exercise your rights in the following way: by sending an email to firstname.lastname@example.org, duly identifying yourself and expressly indicating the specific right you wish to exercise.
If you have given your consent for a specific purpose, you have the right to withdraw the consent granted at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal.
If you feel your rights have been violated in relation to the protection of your personal data, especially when you have not obtained satisfaction in the exercise of your rights, you can submit a claim to the competent Data Protection Control Authority through its website: www.agpd.es
Access and modification of user data
The user can modify his user data or the accounts he owns at any time. ARENGU does not store the modified information, so that once the user modifies or deletes the information, he will lose it forever within the application.
The data we share
We do not share personal information with companies, organizations or individuals that are not related to ARENGU, unless any of the following circumstances apply:
Consent: We will share your personal information with companies, organizations or individuals outside of ARENGU when you have given us your consent to do so. Your consent will be required to share specially protected personal data.
Legal reasons: We will share your personal data with companies, organizations or individuals outside of ARENGU if we consider in good faith that there is a reasonable need to access, use, retain or disclose such information in order to: comply with any requirement under applicable legislation or regulations; comply with the provisions of the current Conditions of Service, including investigating possible infringements, detecting or preventing any fraud or technical or security incidents, or otherwise dealing with them, protecting the rights, property or the security of ARENGU, our users or the general public to the extent required or permitted by applicable law.
For ARENGU, security is the most important thing. Currently, data storage is provided by specialized providers with security certificates and anti-hacking systems. ARENGU has decided to outsource storage to ensure the vendor meets the highest security standards, at levels that ARENGU could not offer on its own storage servers.