BunkerEx Limited (“BunkerEx”, “we” or “us”) are committed to protecting and respecting your privacy.
References to “you” or “your” are to the individual whose personal data we receive and/or access in connection with our business. References to “the service(s)” and “website(s)” are to the software products and websites provided by BunkerEx.
The purpose of this policy is to let you know how we will use any personal data we collect from you or access about you in connection with our business. It also explains what rights you have to access or change your personal data.
We are the data processor of the personal data that is provided to us by you or our customer. In the event that data has been provided by our customer, our customer is the data controller of such personal data. We will only therefore process your personal data in accordance with the instructions of our customer. We may collect extra data about you to provide our service, as per Clause 2.0.
The following terms shall have the meaning ascribed to them below:
(i) “Data Controller” has the meaning set out in GDPR;
(ii) “Data Processor” has the meaning set out in GDPR;
(iii) “Data Protection Regulator” means the applicable supervisory authority with jurisdiction over either party, and in each case any successor body from time to time;
(iv) “Data Subject” has the meaning set out in GDPR;
(v) “Privacy Laws” means all applicable data protection and privacy legislation, regulations and guidance governing the protection of Personal Information including but not limited to Regulation (EU) 2016/679 (the “General Data Protection Regulation” or “GDPR”); and
(vi) “Process”, “Processing” or “Processed” have the meaning set out in GDPR.
Data Controller and Data Processor
The Parties acknowledge that the Customer is the Data Controller and BunkerEx is the Data Processor of the Customer Personal Information. BunkerEx will Process Personal Information in accordance with Clause 2.0 of this Data Processing Addendum.
Customer’s Obligations as Data Controller
When you visit our websites or use our services, we collect personal data. The ways we collect it can be broadly categorised into the following:
Information that you provide to us:
‘Personal Data’ is information about an identifiable individual. We will collect and process the following information about you when you or your employer (our customer):
– create an account to use our website;
– make an enquiry, provide feedback, make a complaint or submit correspondence by post, by email or on our website;
– fill in forms on the websites provided by BunkerEx. This includes information provided at the time of registering for the service or when requesting further information;
– subscribe to our newsletter and mailing lists; and
The information you provide to us will include (depending on the circumstances):
– Identity and contact data: your name, office location, job role, phone/mobile number, Instant Messenger username and email address;
– Financial data: if you purchase our services, you will also provide payment details, which may include billing addresses, credit/debit card details and bank account details.
Information we collect automatically:
We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on. This information is useful for us as it helps us get a better understanding of how you’re using our websites and services so that we can continue to provide the best experience possible (e.g. by personalising the content you see).
Some of this information is collected using cookies and similar tracking technologies.
Information we get from third parties:
As a Data Processor, we will receive information about you from third parties:
– Our customers (your employer): we will receive personal information about you from your employer in the course of providing our services, such as your name, role and email address in order to create an account for you to access and use the service
We might also receive information about you from third parties if you have indicated to such third party that you would like to hear from us (e.g. from integration with your existing ERP softwares).
First and foremost, we use your personal data to operate our websites and provide you with any services you’ve requested, and to manage our relationship with you. We also use your personal data for other purposes, which may include the following:
To communicate with you. This may include:
– providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you.;
– operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services;
– marketing communications in accordance with your marketing preferences;
– asking you for feedback or to take part in any research we are conducting.
To support you: This may include:
– assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, in-app support or otherwise.
To enhance our websites and services and develop new ones: For example:
– by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools.
To protect BunkerEx and our customers:
To analyse, aggregate and report:
– anonymous research about general engagement within our website.
For “Legitimate interests”:
– where we refer to using your information on the basis of our “legitimate interests”, we mean our legitimate business interests in conducting and managing our business and our relationship with you, including the legitimate interest we have in personalising, enhancing, modifying or otherwise improving the services and/or communications that we provide to you and improving security and optimisation of our network, sites and services.
Where we use your information for our legitimate interests, we make sure that we take into account any potential impact that such use may have on you. Our legitimate interests don’t automatically override yours and we won’t use your information if we believe your interests should override ours unless we have other grounds to do so (such as your consent or a legal obligation). If you have any concerns about our processing please refer to details of “Your Rights” (Clause 3.1) below.
BunkerEx endeavours to follow the procedures set out in SOC II for security, availability, processing integrity, confidentiality, and privacy of our system. We actively work with security consultants to ensure we are compliant with these standards. For further details on these, please contact email@example.com.
We take commercially reasonable technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. However, the transmission of information via the internet is not completely secure. That means we cannot guarantee the security of your data. Any transmission of data to our website and service is completely at your own risk. If you believe somebody has unauthorised access to your account please notify us immediately.
For details of our security practices, please contact us at firstname.lastname@example.org.
Personal Data is stored at our hosting provider Microsoft Azure at servers based within the European Economic Area (“EEA”).
Please also note that the data that we collect from you may be transferred to a destination outside the European Economic Area (“EEA”). It may also be processed by persons operating outside the EEA who work for us, for one of our suppliers. Such persons maybe engaged in, amongst other things, the provision of certain services which support our website and allow us to provide the services to you. It may also be processed by persons operating outside the EEA who work for our customer as a part of the service we provide to them.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following transfer solutions are implemented:
– We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
– Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; and
– Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Our service providers:
Providers involved in the delivery and support of the service, who are acting as processors, including for the storage of data provided that such service providers comply with all applicable laws and regulations and our instructions in relation to the processing of personal data. We respect your privacy and only pass on this information to enable the provision of the service.
Other third parties (including professional advisers):
Prospective sellers and buyers of our business:
We may also share personal data with third parties in connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company.
We will retain your information for as long as is necessary to provide you with the services that you have requested from us or for as long as we reasonably require to retain the information for our lawful business purposes, such as for the purposes of exercising our legal rights or where we are permitted to do. We operate a data retention policy and look to find ways to reduce the amount of information we hold about you and the length of time that we need to keep it. For example, we maintain a suppression list of email addresses of individuals who no longer wish to be contacted by us. So that we can comply with their wishes we must store this information permanently.
It’s your personal data and you have certain rights relating to it. When it comes to marketing communications, you can ask us not to send you these at any time: just follow the unsubscribe instructions contained in the marketing communication, or send your request to email@example.com.
You also have rights to:
– know what personal data we hold about you, and to make sure it’s correct and up to date;
– request a copy of your personal data, or ask us to restrict processing your personal data or delete it;
– object to our continued processing of your personal data.
You can exercise these rights at any time by sending an email to firstname.lastname@example.org.
If you’re not happy with how we are processing your personal data, please let us know by sending an email email@example.com. We will review and investigate your complaint, and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you on how to submit a complaint.
To exercise these rights, or any other rights you may have under applicable laws, please contact us at firstname.lastname@example.org.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Our customer is the data controller of any personal data processed by our services. As our customer’s data processor, we will only process your personal data as instructed by our customer. You will need to contact our customer directly if you wish to exercise your rights in relation to the data processed by our service. If you do contact us directly in relation to your rights we will notify our customer as soon as reasonably practicable and, taking into account the nature of the processing, we will assist the controller by appropriate technical and organisational measures, to enable the fulfilment of the its obligation to you in respect of your rights.
You will not have to pay a fee to obtain a copy of the personal data that we hold for you (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.