SECTION 1: INTRODUCTION
References to "you" or "your" are to the individual whose personal data we receive and/or access in connection with our business. References to "the service(s)" and "website(s)" are to the software products and websites provided by Shipamax.
The purpose of this policy is to let you know how we will use any personal data we collect from you or access about you in connection with our business. It also explains what rights you have to access or change your personal data.
We are the data processor of the personal data that is provided to us by you or our customer. In the event that data has been provided by our customer, our customer is the data controller of such personal data. We will only therefore process your personal data in accordance with the instructions of our customer. We may collect extra data about you to provide our service, as per Section 3.
SECTION 2: CUSTOMER'S OBLIGATIONS AS DATA CONTROLLER
The following capitalized terms shall have the meaning ascribed to them below:
(i) "Data Controller" has the meaning set out in GDPR;
(ii) "Data Processor" has the meaning set out in GDPR;
(iii) "Data Protection Regulator" means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
(iv) "Data Subject" has the meaning set out in GDPR;
(v) "Privacy Laws" means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"); and
(vi) "Process", "Processing" or "Processed" have the meaning set out in GDPR.
Data Controller and Data Processor. The Parties acknowledge that the Customer is the Data Controller and Shipamax is the Data Processor of the Customer Personal Information. Shipamax will Process Personal Information in accordance with Section 3 of this Data Processing Addendum.
SECTION 3: SHIPAMAX's COLLECTION, USE, PROTECTION, STORAGE & DISCLOSURE OF
YOUR PERSONAL DATA
3.1 HOW WE COLLECT YOUR DATA
When you visit our websites or use our services, we collect personal data. The ways we collect it can be broadly categorised into the following:
Information that you provide to us:
'Personal Data' is information about an identifiable individual. We will collect and process the following information about you when you or your employer (our customer):
* create an account to use our website;
* make an enquiry, provide feedback, make a complaint or submit correspondence by post, by email or on our website;
* fill in forms on the websites provided by Shipamax. This includes information provided at the time of registering for the service or when requesting further information;
* subscribe to our newsletter and mailing lists; and
The information you provide to us will include (depending on the circumstances):
* Identity and contact data: your name, office location, job role, phone/mobile number, Skype or other chat username and email address;
* Financial data: if you purchase our services, you will also provide payment details, which may include billing addresses, credit/debit card details and bank account details
Information we collect automatically:
We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you're using our websites and services so that we can continue to provide the best experience possible (e.g., by personalising the content you see).
Some of this information is collected using cookies and similar tracking technologies.
Information we get from third parties:
As a Data Processor, we will receive information about you from third parties:
* Our customers (your employer): we will receive personal information about you from your employer in the course of providing our services, such as your name, role and email address in order to create an account for you to access and use the service
* Our customer's email data: by providing the Shipamax service to our customers, we may receive personal information about you such as your name, employer and email address. Emails are processed to structure non-personal information such as open vessel positions. Personal data processed includes email address and company name as a source of the email. The day to day processing of this data is done by machines and is only accessible to the customer the emails were intended for.
We might also receive information about you from third parties if you have indicated to such third party that you would like to hear from us.
3.2 HOW WE USE YOUR DATA
First and foremost, we use your personal data to operate our websites and provide you with any services you've requested, and to manage our relationship with you. We also use your personal data for other purposes, which may include the following:
To communicate with you.
This may include:
* providing you with information you've requested from us (like training or education materials) or information we are required to send to you
* operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services
* marketing communications in accordance with your marketing preferences
* asking you for feedback or to take part in any research we are conducting
To support you: This may include assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, in-app support or otherwise.
To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools.
To protect Shipamax and our customers: So that we can detect and prevent any fraudulent or malicious activity, and make sure that everyone is using our websites and services fairly and in accordance with our terms & conditions.
To analyse, aggregate and report: to carry out aggregated and anonymised research about general engagement with our website
For "Legitimate interests": where we refer to using your information on the basis of our "legitimate interests", we mean our legitimate business interests in conducting and managing our business and our relationship with you, including the legitimate interest we have in personalising, enhancing, modifying or otherwise improving the services and/or communications that we provide to you and improving security and optimisation of our network, sites and services.
Where we use your information for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you. Our legitimate interests don't automatically override yours and we won't use your information if we believe your interests should override ours unless we have other grounds to do so (such as your consent or a legal obligation). If you have any concerns about our processing please refer to details of "Your Rights" below.
3.3 HOW WE PROTECT YOUR DATA
Shipamax endeavours to follow the procedures set out in SOC II for security, availability, processing integrity, confidentiality, and privacy of our system. We actively work with security consultants to ensure we are compliant with these standards. For further details on these, please contact email@example.com.
We take commercially reasonable technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
However, the transmission of information via the internet is not completely secure. That means we cannot guarantee the security of your data. Any transmission of data to our website and service is completely at your own risk. If you believe somebody has unauthorised access to your account please notify us immediately.
For details of our security practices, please contact us on firstname.lastname@example.org
3.4 WHERE YOUR DATA IS STORED & INTERNATIONAL TRANSFERS
Personal Data is stored at our hosting provider Amazon Web Services at servers based within the European Economic Area ("EEA").
Please also note that the data that we collect from you may be transferred to a destination outside the European Economic Area ("EEA"). It may also be processed by persons operating outside the EEA who work for us, for one of our suppliers. Such persons maybe engaged in, amongst other things, the provision of certain services which support our website and allow us to provide the services to you. It may also be processed by persons operating outside the EEA who work for our customer as a part of the service we provide to them.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following transfer solutions are implemented:
* We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
* Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, European Commission: Model contracts for the transfer of personal data to third countries; and
* Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
A list of the countries outside of the EEA to which we may transfer your personal information include the following:
Amazon Web Services (owned by Amazon.com Inc)
* Location: Ireland
* Type: Web app hosting and data processing
* Purpose: Used to host parts of our web app and websites which are used to provide the services to you.
* Privacy Shield: Yes
Jira and Trello (Atlassian PTY Ltd)
* Location: USA
* Type: Product management software. This will sometimes reference certain users or companies to record bugs reported or features requested.
* Purpose: Used for our customer product roadmap
* Privacy Shield: Yes
Slack Technologies Inc.
* Location: USA
* Type: Internal communication software
* Purpose: Used for communications at Shipamax, including reporting customer support issues
* Privacy Shield: Yes
* Location: USA
* Type: Internal file storage, email, usage analytics and hosting
* Purpose: Used for communication with users and internally.
* Privacy Shield: Yes
* Location: USA
* Type: Internal file storage at Shipamax
* Purpose: Used for storing customer contracts and invoices
* Privacy Shield: Yes
3.5 WHEN WE MIGHT DISCLOSE YOUR PERSONAL DATA
* Our service providers: involved in the delivery and support of the service, who are acting as processors, including for the storage of data provided that such service providers comply with all applicable laws and regulations and our instructions in relation to the processing of personal data. We respect your privacy and only pass on this information to enable the provision of the service.
* Other third parties (including professional advisers): disclosure of your personal data to third parties may also occur if we are required to disclose your personal data in order to comply with any legal obligation, to enforce our Terms of Service, or to protect the property, rights or safety of Shipamax, users of our services or others. This includes using third party organisations in order to prevent fraud or reduce credit risk.
* Prospective sellers and buyers of our business: We may also share personal data with third parties in connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company.
We may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive.
They help us to improve the Website and to deliver a better and more personalised service. They enable us:
* to estimate our audience size and usage pattern;
* to store information about your preferences, and so allow us to customise our site according to your individual interests;
* to speed up your searches; and
* to recognise you when you return to our site.
Most web browsers offer users controls, to give you the option to delete or disable cookies. You can usually find out how to do so by referring to the "Help" option on the menu bar of your browser, or by visiting the browser developer's website. This will usually tell you how to prevent your browser from accepting new cookies; notify you when you receive new cookies; and disable cookies altogether. Please note that disabling cookies will stop you accessing private areas of the website.
We will retain your information for as long as is necessary to provide you with the services that you have requested from us or for as long as we reasonably require to retain the information for our lawful business purposes, such as for the purposes of exercising our legal rights or where we are permitted to do.
We operate a data retention policy and look to find ways to reduce the amount of information we hold about you and the length of time that we need to keep it. For example,
* we maintain a suppression list of email addresses of individuals who no longer wish to be contacted by us. So that we can comply with their wishes we must store this information permanently;
SECTION 4: YOUR RIGHTS & HOW TO EXERCISE THEM
4.1 YOUR RIGHTS
It's your personal data and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time - just follow the unsubscribe instructions contained in the marketing communication, or send your request to email@example.com.
You also have rights to:
* know what personal data we hold about you, and to make sure it's correct and up to date
* request a copy of your personal data, or ask us to restrict processing your personal data or delete it
* object to our continued processing of your personal data
You can exercise these rights at any time by sending an email to firstname.lastname@example.org
If you're not happy with how we are processing your personal data, please let us know by sending an email email@example.com. We will review and investigate your complaint, and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.
4.2 HOW TO EXERCISE YOUR RIGHTS
To exercise these rights, or any other rights you may have under applicable laws, please contact us at
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Our customer is the data controller of any personal data processed by our services. As our customer's data processor, we will only process your personal data as instructed by our customer. You will need to contact our customer directly if you wish to exercise your rights in relation to the data processed by our service. If you do contact us directly in relation to your rights we will notify our customer as soon as reasonably practicable and, taking into account the nature of the processing, we will assist the controller by appropriate technical and organisational measures, to enable the fulfilment of the its obligation to you in respect of your rights.
You will not have to pay a fee to obtain a copy of the personal data that we hold for you (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
SECTION 5: CHANGES TO POLICY & CONTACT DETAILS
5.2 HOW TO CONTACT US
We're always keen to hear from you. If you're curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites or services, please get in touch.
As a technology company, we prefer to communicate with you by email - this ensures that you're put in contact with the right person, in the right location, and in accordance with any regulatory time frames.
Our email is firstname.lastname@example.org