Privacy Policy as Data Processor
This privacy policy (“Privacy Policy”) is applicable to all processing activities of Ambassify (as defined below) as a data processor.
Please read this Privacy Policy together with our Cookie Policy. Ambassify may update this Privacy Policy in the future: the latest version can always be found on our Website.
1. About this Privacy Policy
Due to, for example, a visit to or action on our “Software Service” we may collect, store and otherwise process personal data relating to you or, if you are a company, your employees/ representatives (“your personal data”).
This Privacy Policy describes (i) how we collect, treat and store your personal data; (ii) the rights you can exercise in relation to your personal data; and (iii) the measures we take to protect it and to secure your personal data.
Ambassify respects your privacy and we always strive to act in accordance with the applicable privacy legislation, such as (non-exhaustive): (i) the General Data Protection Regulation 2016/679 of April 27, 2016 (“GDPR”); (ii) the Belgian Privacy Law of 30 July 2018; (iii) the ePrivacy Directive 2002/58/EC of 12 July 2002, including future amendments and revisions thereof; and/or (iv) (future) national legislation regarding the implementation of the GDPR (together: “Privacy Legislation”).
2. Ambassify is the Data Processor
We are Ambassify NV, a limited liability company with registered office at Everselstraat 133, 3580 Beringen, Belgium, registered with the Crossroads Database for Enterprises under number 0830.870.128 (“Ambassify” or “we / us”)
Ambassify is the developer and provider of the Ambassify Software Service as described and represented on the Website (the “Software Service”), the corresponding service of Ambassify (“Service”) and is the owner of the Website.
In light of the Privacy Legislation, Ambassify will act as the DATA PROCESSOR of your personal data for the purposes described in this Privacy Policy. This means we are in control of (and thus, responsible for) your personal data.
3. Ambassify’s Processing Activities
Which personal data we collect, store and process and the purpose for which we process this data may differ depending on your relation with Ambassify.
In particular, we identify two different scenarios:
- You’re an active Ambassify admin who manages the platform; or,
- You’re an active Ambassify user who participates in campaigns published through Ambassify and receives communication around this.
3.1. You’re an admin
You were added/invited as a manager in the Ambassify platform.
Optional * Data you as a Data Controller can choose to allow or not by specifying these in the Data Processing Agreement.
Required Data which is needed for the functionality of the platform.
Ref. | Data | Purpose | Lawfulness |
---|---|---|---|
M01 | passwords * Example: A hashed version of the password. | Identification | Contractual Necessity |
M02 | unique id Example: Universal Unique Identifier (UUID) generated by Ambassify for a specific person. Example: de595e11-8854-4dc2-868d-a69c94501040 | Identification | Contractual Necessity |
M03 | name Example: Example: John Doe | Identification | Contractual Necessity |
M04 | platform activity Example: We log for reporting purposes the different actions a users does on the platforms. Examples of such activity are: pageviews, campaign participations, errors triggered | Measurement | Contractual Necessity |
M05 | preferred language Example: Example: EN | Segmentation | Legitimate Interest |
M06 | chat Example: Intercom history | Contact | Contractual Necessity |
M07 | email Example: E-mails with Ambassify Staff | Contact | Contractual Necessity |
M08 | email address Example: The e-mail address that can be used by the advocate to login and we will also use this address as primary contact point. Example: dev@ambassify.com | Identification | Contractual Necessity |
M09 | IP address Example: For debugging purposes and audit logs we store the managers IP address. Example: 169.254.12.233 | Identification | Legitimate Interest |
M10 | browser Example: For debugging purposes we store the managers browser name and version. Example: Google Chrome 81 | Identification | Legitimate Interest |
M11 | country * Example: A manager can choose to set his country on his community profile | Segmentation | Subject Consent |
M12 | opt-in Example: Example: manager accepted the data processing agreement | Compliance | Legal Obligation |
M13 | access token * Example: Access token to share content on social networks of choice | Identification | Contractual Necessity |
3.2. You’re an End User
You were added/invited as a member in the Ambassify platform.
Optional * Data you as a Data Controller can choose to allow or not by specifying these in the Data Processing Agreement.
Required Data which is needed for the functionality of the platform.
Ref. | Data | Purpose | Lawfulness |
---|---|---|---|
A01 | passwords * Example: A hashed version of the password. | Identification | Contractual Necessity |
A02 | interests * Example: Groups that were assigned to the advocate by one of the managers or that the advocate subscribed to. | Segmentation | Legitimate Interest |
A03 | unique id Example: Universal Unique Identifier (UUID) generated by Ambassify for a specific person. Example: de595e11-8854-4dc2-868d-a69c94501040 | Identification | Contractual Necessity |
A04 | name Example: Example: John Doe | Identification | Contractual Necessity |
A05 | profile picture * Example: Link to a profile or avatar picture | Identification | Contractual Necessity |
A06 | platform activity Example: We log for reporting purposes the different actions a users does on the platforms. Examples of such activity are: pageviews, campaign participations, errors triggered | Measurement | Contractual Necessity |
A07 | birth date * Example: Example: 2021-10-30 | Segmentation | Legitimate Interest |
A08 | preferred language Example: Example: NL | Segmentation | Legitimate Interest |
A09 | email Example: Copies of the emails that managers send through Ambassify to this advocate. | Contact | Contractual Necessity |
A10 | text messages * Example: Copies of the text messages that managers send through Ambassify to this advocate. | Contact | Contractual Necessity |
A11 | notifications Example: Mobile application notifications that were send through the Ambassify platform to this advocate. | Contact | Contractual Necessity |
A12 | employer * Example: Example: Acme Corporation | Segmentation | Legitimate Interest |
A13 | job titles * Example: Example: CEO | Segmentation | Legitimate Interest |
A14 | social unique id * Example: Once a advocate decides to connect his social media account to Ambassify we will receive a unique identifier for that specific user from the social platform. Example: linkedin|5-l9LKSrox | Identification | Subject Consent |
A15 | connections * Example: The number of connections (friends, connections, followers) someone has on the social media channel that gets connected. We use this value to calculatete potential reach for shared content. This is only a numeric value and not a list of names. Example: 15 | Measurement | Subject Consent |
A16 | email address Example: The e-mail address that can be used by the advocate to login and we will also use this address as primary contact point. Example: dev@ambassify.com | Identification | Contractual Necessity |
A17 | telephone number * Example: Example: +32 12 34 56 78 | Contact | Subject Consent |
A18 | physical address * Example: Example: Everselstraat 133, 3583 Beringen, Belgium | Contact | Subject Consent |
A19 | IP address Example: For debugging purposes we store the advocates IP address. Example: 169.254.12.233 | Identification | Legitimate Interest |
A20 | browser Example: For debugging purposes we store the advocates browser name and version. Example: Google Chrome 81 | Identification | Legitimate Interest |
A21 | country * Example: An advocate can choose to set his country on his community profile | Segmentation | Subject Consent |
A22 | opt-in Example: To keep track of the advocates communication preferences: Example: Only emails about new campaigns | Compliance | Legal Obligation |
A23 | access token * Example: Access token to share content on social networks of choice | Identification | Contractual Necessity |
4. Legal grounds
You can find more information on the applicable ground for each of the identified processing activities in Section 3 above.
In case the legal ground for processing happens to be legitimate interest, Ambassify shall always (i) assess whether this is in proportion with the purpose for which your personal data was collected and used; and, (ii) take your reasonable expectations into account and ensure a balance with your fundamental rights and freedoms. If we cannot guarantee this, we will stop storing / using your personal data or we will determine a new legal ground.
5. Retention periods
Unless a longer storage period is required or justified (i) by law or (ii) through compliance with another legal obligation, Ambassify shall only store your personal data for the period necessary to achieve and fulfil the purpose in question.
6. Disclosure of personal data to third parties
Ambassify shall not disclose your personal data to other third parties, unless it is necessary to achieve the purposes described in this Privacy Policy. In this respect, (some of) your personal data may be disclosed to:
- Software and cloud providers
- Marketing agencies
- Freelancers or other service providers
Of course we have made sure that the necessary contracts or similar legal binding acts are in place to ensure that these third parties treat your personal data in accordance with the Privacy Legislation (e.g. Article 28 GDPR).
In addition, we might transfer your personal data:
- To competent authorities: for instance, because (i) we are obliged to provide your personal data under law or in the scope of (future) legal proceedings, or (ii) this is necessary to safeguard our rights; or,
- In M&A(Mergers & Acquisitions) context: meaning, if Ambassify or the majority of its assets, is taken over by a third party, in which case your personal data – which Ambassify has collected – may be one of the transferred assets.
7. Cross-border processing of personal data
In case any of the above mentioned third parties or other recipients are located in a country outside the European Economic Area, Ambassify will ensure that one or more of the listed EU-approved safeguards are in place:
- European Commission adequacy decision;
- Data transfer agreement (cfr. the Standard Contractual Clauses as provided in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including the performance of a transfer impact assessment);
- Binding corporate rules; or,
- Certification mechanisms.
8. Your privacy rights
The Privacy Legislation (e.g. GDPR) gives you certain rights over your personal data vis-à-vis Ambassify. You can exercise these rights by contacting us, as specified in Section 11, and by using the Data Subject’s Rights Form.
Access | you can ask for confirmation of whether or not personal data that relates to you is being processed. If so, you can ask us to give you copies of your personal data. We may charge you a small fee for this service; |
Rectification | you can ask us to correct and/or complete any information you believe is inaccurate | incomplete; |
Erasure | you can ask us to erase your personal data, under certain conditions. Please be aware that in this context certain services will no longer be accessible and/or can no longer be provided. |
Objection | You can object to us processing your personal data, under certain conditions. |
Restriction of processing | you can ask us to restrict the processing of your personal data, unless we have legitimate interests for the processing of your personal data that prevail over your interests |
Data portability | you can ask us to transfer your personal data to another organization, or directly to you in a commonly used structured format readable by automatic device, under certain conditions. |
9. Security
Ambassify undertakes to take reasonable, physical, technological and organizational precautions in order to avoid (i) unauthorised access to your personal information, and (ii) loss, abuse or alteration of your personal data.
10. Updates
We are entitled to update this Privacy Policy by posting a new version on the Website whereby we will indicate the revision date at the top of this Privacy Policy. As such, it is strongly recommended to regularly consult the Website and the page displaying the Privacy Policy, to make sure that you are aware of any changes.
11. Notifications and questions
Notifications under this Privacy Policy (such as, exercising your rights as a data subject) and/or any questions or concerns with regard to the provisions of this Privacy Policy must be directed at our DPO, via dpo@ambassify.com.
12. Complaints?
You are not satisfied with the manner in which we collect, store or otherwise treat or secure your personal data? We are sorry to hear that and are prepared to take all measures to remedy this situation. Please do contact us!
You also have the right to lodge a complaint with the authorized supervisory authority (i.e. the Belgian Data Protection Authority or the data protection authority of (i) your residence or (ii) your workplace) should you consider that the processing of your personal data infringes the Privacy Legislation. You can send an email to the Belgian Data Protection Authority at contact@apd-gba.be or any other email address provided by the Belgian Data Protection Authority (https://www.dataprotectionauthority.be/contact-us).