This document describes the Privacy Policy of www.enovate.no (“our homepage”) and all other services offered by Enovate AS (“Enovate“,”we”,”us”). It is intended to help you, as a natural person (‘data subject’) or legal person (e.g. a private, non-profit or municipal corporation) to understand which personal data we collect about data subjects, as well as how and why we process it.
Throughout this document we will use terms like ‘personal data’, ‘controller’, ‘processor’, and others, as defined in European Union Regulation 2016/679 (General Data Protection Regulation,”GDPR”), Article 4.
This policy describes the data for which we are the controller. Please note that we may also act as processor of personal data on behalf of our customers. Our customers will then act as data controller, and we will process the data according to the corresponding customer agreement (‘data processing contract’). If so, the customer’s policies or other agreements with the data subjects replace this policy. Any requests you may have related to data for which we do not have the controller role, please contact the Enovate customer directly.
2. About the Personal Data We Collect
a) Contact Information
This may include your name, email address, phone number, country of residence and current employer or company affiliation (as existing or prospective Enovate customer). It may also include additional information you give us by your own choice when interacting with us.
Source: Forms you fill in (e.g. contact form on our homepage), social networking software (e.g. LinkedIn) or by corresponding with us at conferences, events, via email, phone or otherwise.
b) Correspondence Data
This include support tickets, questions, feedback, signed agreements, and/ or any content directly related to Enovate services or operations, which you send to us. It also includes any follow-up conversations and metadata (time, status, etc.).
Source: Information you share with us by your own choice, or information we derive from direct interaction with you – such as submission of forms, via email, phone or otherwise.
c) Technical Data
This may include information about the software (operating system, browser), the settings (display resolution, time zone, language preferences), the internet connection (IP address, bandwidth, latency, location) and the device (device type) you are using while accessing our services. Whenever you are logged out, this data does not identify you directly, but is still considered personal data as it could potentially identify you indirectly.
Source: This data will be collected or inferred from collected data whenever you use our services, either due to the requirements of the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is obtained via user-initiated requests and non-user-initiated background communication in web and mobile applications.
d) Interactivity Data
This may include information about the actions you perform (logins and logouts, form submissions, API calls, etc.), site navigation (menu choices, URLs visited) and your usage patterns (timing, mouse activity). Whenever you are logged out, this data does not identify you directly, but is still considered personal data as it could potentially identify you indirectly.
Source: This data will be collected or inferred from collected data whenever you use our services, either due to requirements in the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is generated via user-initiated requests and non-user-initiated background communication in web and mobile applications.
3. How We Use Personal Data
a) To Request Consent
We may use your contact information to request consent to send you marketing materials, surveys, statistics or product updates. We will not send you any of this unless you have given your consent. You will always have the option to opt out of such communication (‘right to restriction of processing’) or to have your contact information deleted entirely (‘right to erasure’), even if you have previously consented. You may also entirely ignore our communication and we will, after a time, stop communicating and automatically delete your data (cf. section 4a, below).
Reference: GDPR, Article 6 (1) f, implemented in compliance with the Norwegian “Marketing Control Act”, Section 15 and “E-commerce Act”, Section 9.
b) To Inform or Notify You
We may use your contact information to
i. send you marketing materials, newsletters, surveys, statistics or product updates you have given your consent to, or
ii. send you invoices, policy updates or any other relevant legal or administrative information relating to your company’s customer relationship to Enovate or
iii. send you security updates, personal data breach notifications or any other relevant technical information regarding the operation of Enovate services.
Reference: GDPR, Article 6 (1) a (cf. section 3a, above), implemented in accordance with the Norwegian “Marketing Control Act”, Section 15 and “E-commerce Act”, Section 9.
c) To Provide Customer Service and Relationship Management
We may use correspondence data to assist you, to communicate regarding contracts, terms and policies and to improve our customer service and management routines.
Reference: GDPR, Article 6 (1) b or f, depending on the established relation we have with you or your company.
d) To Improve the Functionality of Our Services
We may use correspondence data, technical data and interactivity data to evaluate features we need to improve.
Reference: GDPR, Article 6 (1) b or f, depending on the established relation we have with you or your company.
e) To Improve the Usability and Performance of Our Services
We may use correspondence data, technical data and interactivity data to evaluate which non-functional requirements which need to be set and met.
Reference: GDPR, Article 6 (1) b or f, depending on the established relation we have with you or your company.
f) To Enhance or Improve the Security of Our Services
We may use correspondence data, technical data and interactivity data to evaluate the operations of our services as well as for auditing purposes during and after an incident. We may also do profiling on technical and interactivity data for purposes of detecting or preventing intrusion, data breaches, denial of service or other fraudulent activity.
Reference: GDPR, Article 6 (1) b or f, depending on the established relation we have with you or your company.
g) For Compliance and Documentation
We may use correspondence data to document legal or financial responsibilities and contractual obligations.
Reference: GDPR, Article 6 (1) f.
4. Retention Policy for Personal Data
a) Retention Policy for Data Use According to Purpose 3a
i. If you do not reply: Your contact information and correspondence data will be deleted within 2 months of first contact. After deletion we will have no record of any previous correspondence, so you might be approached again at some other time.
ii. If you invoke your right for deletion: We will delete your contact information and correspondence data without further delay and no later than 1 month. After deletion we will have no record of any previous correspondence, so you might be approached again at some other time.
iii. If you invoke your right for restricted processing: We will store your contact information and flag you as restricted (‘opted out’). You will not hear from us again by way of this contact information.
iv. If you give your consent: We will retain your contact information as long as it is relevant for the purpose. You may withdraw your consent at any point in time by invoking option ii) or iii) as mentioned above.
b) Retention Policy for Data Use According to Purpose 3b
We will retain your contact information for this purpose for as long we have your consent. If you withdraw your consent, it will be handled in compliance with 4aii) or 4aiii), according to your choice.
c) Retention Policy for Data Use According to Purpose 3c, 3d, 3e and 3f
We will retain correspondence data, technical data and interactivity data for this purpose for as long as we have a contractual obligation or legitimate interest (e.g. for security purposes described in 3f). If retention was based on a contractual obligation ceasing to exist, we will consider if we still have a legitimate interest in the data:
i. If deemed feasible and desirable from a technical and legal perspective: We may keep the data in an anonymized or pseudonymized format without reference to your contact information or aggregate it so it no longer relates to you.
ii. Otherwise: We will delete the data without undue delay, e.g. as part of our next periodic purge routine
d) Retention Policy for Data Use According to Purpose 3g
We will retain the parts of the correspondence data that are necessary for the fulfillment of this purpose for as long as required, e.g. 10 years for accounting purposes. When retention is no longer necessary, we will delete the data without undue delay.
5. Personal Data Security
In order to protect the security (confidentiality, integrity and availability as commonly defined and understood in the information security field) of your data, the systems and services processing it, we will assess the related risks (threats, probabilities and consequences) and implement technical, organizational and physical measures as appropriate. Assumed costs and effectiveness of the measures will be taken into account.
Please understand that the landscape of threats and attack tools changes constantly and becomes increasingly smarter. Ensuring acceptable security over time requires a continuous process of evaluation and improvement. We have implemented routines to monitor data security. However, with the current backdrop we realize no process can guarantee absolute data security, but we do our utmost to comply with best industry practice and to update our routines and systems accordingly.
In the unfortunate event of a data breach, we will notify the involved parties, including the relevant supervisory authority, in compliance with GDPR, Article 33 and 34.
6. Sharing of Personal Data
a) General
We will only process your data or transfer your data to other processors (‘subprocessors’) as described in this document. In particular, we will not sell, rent or trade your data to/with any other party. We will only share it for the purposes stated below.
However, we may share or publish aggregated anonymized data (i.e. data derived from personal data, but no longer classified as such), for example traffic statistics from our homepage.
We may be compelled to release your data to comply with law enforcement or other legal requirements we are subject to. If so, we will attempt to notify you to the extent permitted by law.
In the event of a merger or an acquisition of *company name*, we may transfer your data to an involved party to ensure the continuity of services. We will only do so after we have ensured (to a reasonable degree of certainty) that the third party will adhere to the terms of our Privacy Policy.
b) Our Trusted Subprocessors
We may share your data with the following trusted subprocessors for the purposes listed below:
Freshworks, Inc.
Product/Service
Freshdesk
Purpose
Storage and processing of contact information (cf. section 2a) and correspondence data (cf. section 2b), primarily for the purpose described in section 3c (customer service). Data from such communication may later be used to improve our services as described in sections 3d, 3e and 3f.
Privacy Policy
https://www.freshworks.com/privacy/
Residency
USA (San Bruno, CA 94066)
Functional Software, Inc.
Product/Service
Sentry.io
Purpose
Storage and analysis of pseudonymous technical (cf. section 2c) and interactivity (cf. section 2d) data for the purposes described in sections 3d, 3e, 3f and 3g.
Privacy Policy
https://sentry.io/privacy/
Residency
USA (San Francisco, CA 94105)
Microsoft Corporation.
Product/Service
Office 365
Purpose
Storage and processing of contact information (cf. section 2a) for the purposes described in section 3a and 3b.
Privacy Policy
https://privacy.microsoft.com/en-us/privacystatement
Residency
USA (Redmond, Washington, 98052-6399)
Tripletex AS.
Product/Service
Tripletex
Purpose
Storage of orders and invoices related to you as a customer.
Privacy Policy
https://www.tripletex.no/personvernerklaering/
Residency
Norway (Karenslyst allé 56, 0277 OSLO)
7. Your Rights
The GDPR grants you, as a data subject, several rights regarding storage, processing and access to your own personal data:
Information About Registration
Data subjects must be able to get information about the terms of the processing of their own personal data, e.g. what kind of data is being processed, for what purpose, for how long, etc.
Access to Data
Data subjects must be able to access and review their personal data. Please note there might be some exceptions.
Rectification
A process must be available for data subjects to notify the controller about incorrect/ incomplete personal data and/ or whenever appropriate.
Restricted Processing
Data subjects must at any time be able to object or withdraw from consent given previously to process their own personal data.
Data Deletion
A process must be available for data subjects to request deletion of their personal data. The request must be assessed and handled within a reasonable time frame.
Data Portability
Data subjects must be able to export their personal data via a standard, open, electronic and machine-readable format. This shall enable them to take their data to a different provider without any hindrance by the data controller.
Should you wish to make use of any of these rights or if you have a question related to this, please refer to section 9 “How to Contact Us”.
8. Changes to This Policy
We may update this Privacy Policy when necessary, e.g. for legal reasons or to reflect changes in our service. If so, we will provide the change date and change log upon publishing the document. The revised Privacy Policy will be effectuated thirty (30) days after publishing.
We will notify our existing customers of any substantial changes. We will also encourage all data subjects (individuals) to review our Privacy Policy periodically and make themselves aware of any changes. We encourage you to contact us if you have specific questions or requests regarding the changes.
Your continued use of our services after the changes are effectuated, will be regarded as accept of the changes. If you do not agree to the changes, we will unfortunately have to ask you to please stop using our services before the changes take effect. We hope you appreciate this requirement, as it is vital for us to provide consistent services under the same rules to everyone.
9. How to Contact Us
If you have any question, request or concern related to this Privacy Policy, or Enovate privacy and data protection practices in general, please contact us at support@enovate.no and we will do our best to assist you.
Copyright 2022 © All rights Reserved. Design by Enovate.
Så hyggelig at du vil vite mer om oss! Fyll inn skjemaet for å booke et uforpliktende møte med oss. Møtet vil som hovedregel foregå digitalt over Teams, men vi er åpne for å gjøre det på andre måter, dersom det passer bedre for deg.
Vi vil ta kontakt med deg innen 24 timer.