Privacy Notice for End Customers

1. Introduction

The Kiflo Company (“Kiflo”, “we, “our”) is committed to protecting the privacy and security of the personal data we collect about the users of our product and those who we market to (“you/your”).

The purpose of this privacy notice is to explain what personal data we collect about you when enquire about or purchase our product or when we send you direct marketing material. When we do this, we are the data controller.

Please read this privacy notice carefully as it provides important information about how we handle your personal information and your rights. If you have any questions about any aspect of this privacy notice you can contact us using the information provided below or by emailing us at contact@kiflo.com.

2. What is personal data?

‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.

‘Special category personal data’ is more sensitive personal data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.

3. Personal data we collect

We collect, use and are responsible for certain personal data about you. When we do so we are subject to the General Data Protection Regulation (GDPR).

The personal data we collect includes:

• First name
• Last name
• Address
• Job title
• Payment details
• Any other personal information you may provide us

4. How we collect your personal data

When you enquire about or purchase our product, we only collect personal data directly from you, either within communication between yourself and us or where you provide personal data in order for us to fulfil your requests or our obligations.

For the purposes of direct marketing, we may also collect personal data from publicly available sources and other third-party databases such as LinkedIn, DropContact or G2.

5. Purposes for which we use your personal data and the lawful basis

When you contact us to make an enquiry or otherwise, we will use your personal data to respond to your message. When we do so, we rely on the lawful basis of our legitimate interest in responding to a request, enquiry, question and other communications.

When you enter your personal data to book a demo, we will use your personal data to provide you with a demo version of our product. When we do so, we rely on the lawful basis of our legitimate interest in providing potential customers with a demo of our product.

When we collect your personal data in the process of purchasing our product, we will use that data to process the transaction and to provide our product to you. Our lawful basis for this processing is the performance of a contract.

Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.

Where we process your personal data to send you marketing material, our lawful basis is our legitimate interests in promoting our product to individuals who we think may be interested.

6. Sharing your personal data

In providing our services to you, we may share your personal data with our third-party service providers, for instance, to provide our customer data storage services. We will only share your personal data with those service providers who are necessary in order for us to perform our processing activity.

When we share your personal data with our service providers, we ensure that they will only process your personal data in accordance with our documented instructions.

7. International Transfers

When we collect your personal data, it may be processed outside the European Union (“EU”)/European Economic Area (“EEA”). This is because the organisations we use to provide our services to you are located outside of these territories.

We have taken appropriate steps to ensure that where personal data processed outside the EU/EEA, it has an essentially equivalent level of protection as it has within the EU/EEA. We do this by ensuring that:

• Your personal data is only processed in a country which the European Commission has confirmed has an adequate level of protection (an adequacy decision); or
• We enter into Standard Contractual Clauses (SCCs) with the receiving organisations and ensure that supplementary measures are also applied, where necessary. (A copy of the existing SCCs can be found here Standard Contractual Clauses (SCCs).

8. How long we keep your personal data

We will retain your personal data for as long as is necessary to perform the processing activity and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints and claims.

At the end of the retention period, your personal data will be securely deleted or anonymised.

9. Security of your personal data

We have implemented appropriate technical and organisational measures to safeguard your personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure or access.

In addition to the technical and organisational measures we have put in place, there are a number of simple things you can do to in order to further protect your personal information, such as;

1. Never share a One Time Passcode (OTP).
2. If you’re logged into a platform/website, do not leave your computer unattended.
3. Close down the application/internet browser once you’ve logged off.

Secure Online Services

You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.

10. Your rights

You have certain rights in relation to the processing of your personal data, including to:

• Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
• Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes we will stop sending you marketing material.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party (data portability).
• Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

Right to withdraw consent

Where you have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.

Please note that we do not rely on your consent for the processing of any personal data.

Opting out of marketing

In every marketing email we send, we will include an opt-out feature. Where you have opted out of marketing, we will add you to a suppression list so you won’t receive marketing emails from us in the future.

How to exercise your rights

You will not usually need to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If you wish to exercise your rights, please contact us at contact@kiflo.com.

11. How to complain

You have the right to lodge a complaint with the supervisory authority, if you believe we are infringing the EU data protection laws or you are concerned about the way in which we are handling your personal data. The supervisory authority in France is the Commission nationale de l'informatique et des libertés (CNIL) who can be contacted online at:

• CNIL – Contact us ; or by phoning
• +33 (0)1.53.73.22.22

‍

12. How to contact us

If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, then please email us at contact@kiflo.com.