Last updated: March 2023
1. The policy
1.3. All information handled by the Service Provider is stored and processed within the EU/EEA.
1.4. You may exercise any of your rights in relation to your personal data by contacting our Data Protection Officer via email at firstname.lastname@example.org and attaching an application with a qualified electronic signature, or by visiting the company office in person.
2. Service provider as the data processor
2.2. We keep, process and transmit uploaded documents and information related to them. This data is processed solely in accordance with the directions provided by the data controller. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.
2.3. We are not responsible for any Personal Data stored at Data Controller’s discretion – we are not responsible for how the Data Controller collects, handles, discloses, distributes or otherwise processes such data. The terms for such data processing are defined in the Data Processing Agreement.
2.4. Should we need to process Customer Data, the data will only be used in an anonymous form.
3. Service provider as the data controller
3.1. If you have signed a User Account with the Service Provider, we collect and associate with your User Account the information you provide us, for example: names, addresses, email addresses, phone numbers, log information regarding account’s confirmation, account creation date and account deletion date. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.
3.2. If you have signed a User Account with the Service Provider, we collect for billing purposes your full name, address (house, flat, city, country, postal code) and e-mail addresses. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.
3.3. If you have signed a User Account with the Service Provider, we also collect for billing purposes the IP address and phone number, which provide us with location information that is needed for following accounting rules. The legal basis for the processing of personal data in this case is article 6(1)(c) of the GDPR.
3.4. We collect information related to how you use the Services. We may collect information like IP addresses, device information and the way you use our Services. This is for improving our Services for our Customers. The legal basis for the processing of personal data in this case is article 6(1)(f) of the GDPR.
3.5. We might use third-party tools to collect information regarding visitor behaviour and visitor demographics on our Services (see the Cookies section below). The legal basis for the processing of personal data in this case is article 6(1)(f) of the GDPR.
3.7. Service Provider collects some metadata, such as browser information, in server logs in case of an issue or an attack on the service. For that reason, the IP address is also processed. The legal basis for the processing of personal data in this case is article 6(1)(b) of the GDPR.
3.8. Service Provider also logs whether you have given consent for direct marketing e-mails. In this case we are acting as a data controller for this information. The legal basis for the processing of personal data in this case is article 6(1)(a) of the GDPR.
4. Time of storage
4.1. Service Provider retains your personal data only as long as is necessary, in accordance with the aim of collecting the data and as required by law. Service Provider keeps billing information (including address and IP address) at least as long as required by law.
4.2. Once you delete your User Account from the Services, your Customer Data is deleted within 30 days.
4.3. Application log files are deleted 90 days after the collection.
4.4. Uploaded and unsigned files are deleted after 14 days.
4.5. Uploaded and signed files are deleted after 7 days, or sooner if the relevant API call is made.
4.6. All other data can be removed by you if you choose to.
5. The recipients of the data
5.1. Service Provider does not disclose personal data to third parties without your consent, except to the supervisory authorities to satisfy regulatory and legal requirements, to accountants, in events arising from law, or where needed for the submission or in the process of a claim against you.
5.2. In case your User Account is managed for you by an Account Administrator, this Account Administrator will have full access to your Account. The Account Administrator is able to access all your uploaded data (Customer Data), suspend or terminate your Account access and obtain your usage information.
5.4. We may share and/or transfer your Personal Data if we become involved in any merger, acquisition, reorganization, sale of assets or bankruptcy.
5.5. Service Provider does not transfer the data to third countries.
6. Security measures
6.1. Service Provider has had a security audit from security experts to ensure that the data is as safe as possible.
6.2. Service Provider keeps your data safe by using organisational, physical and technological measures.
6.3. The access to personal data is restricted and certain access rights are set.
6.4. Services are provided through TLS connections with 256-bit encryption. All data is stored in data centers in compliance with the ISO 27001 standard. All encrypted values are encrypted using OpenSSL and the AES-256-CBC cipher.
6.5. If users use the service only for identifying themselves or signing documents, then their personal data (for example name and identity code) can be stored in a database in encrypted form. Personal data might also be written to application log files in encrypted form. User data might be stored in application log files for audit trail and debugging purposes.
6.6. If a user has connected their Facebook or Google account for convenience purposes, then their data will be stored until the connection event for these methods expires or these methods are detached from the user info. This is needed for providing the service and for allowing users to identify themselves in an easier way without strong identification methods.
6.7. Depending on the Customer’s preference, they may opt to store signed containers on our servers. Containers are only stored in encrypted form.
7. Your rights as a Data Subject
7.1. Right to access. As a user you can manage your personal data in the account/dashboard settings. We provide you, upon request and free of charge, a copy of your personal data that we process.
7.3. Right to data portability. You can easily copy, move, or transfer the personal data you provided us to a third-party service provider if you so wish, thereby keeping its usability.
7.4. Right to erasure. You have the right to request that we delete your personal data in case the obligation to retain the data is not set out by the law.
7.5. Right to object. You have the right to object to the way we are processing your data. You have the absolute right to object to your personal data being used for direct marketing. In any other circumstances, we will reply to your objection within one month.
7.6. Right to rectification. You have the right to modify and correct your personal data on your User Account at any time and you are therefore responsible for the accuracy of your personal data.
7.7. Right to restrict processing. According to the GDPR, you may have, depending on the circumstances, the right to ask us to suppress the use of your personal data. We reserve the right to store your personal data even if we will not use it.
7.8. Right to withdraw consent. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
7.9. Rights related to automated decision making, including profiling. We do not make automated decisions.
7.10. Right to complain to a data protection authority. You have the right to lodge a complaint with the supervisory authority Estonian Data Protection Inspectorate, located at Tatari 39, 10134 Tallinn, Estonia.
8.1. A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
8.2.1. Essential cookies for provision of Services. These cookies ensure that information and services are delivered securely and optimally.
8.2.2. Functionality cookies for helping personalize your experience. For example, these cookies remember choices, language, preferred options etc.
8.2.3. Performance cookies to monitor your behaviour and help us improve our information and services.
8.3. Service Provider currently uses the following cookies:
| Domain | Cookie | Purpose | Expiry | Category |
|---|---|---|---|---|
| id.eideasy.com | laravel_session | Ensures the visitor sees (only) info that is related to their person, and not anyone else’s. | After current browsing session is closed. | Essential cookies |
| id.eideasy.com | XSRF-TOKEN | Prevents user from being vulnerable to CSRF attacks. | 2 hours | Essential cookies |
| eideasy.com, id.eideasy.com | _ga | Allows us to collect information about visits to the websites. Used by Google Analytics. | 2 years | Performance cookies |
| eideasy.com, id.eideasy.com | _gid, _gat | Same as previous. | 1 day | Performance cookies |
| eideasy.com, id.eideasy.com | collect, r/collect | Same as previous. | After current browsing session is closed. | Performance cookies |
| eideasy.com, id.eideasy.com | TawkWindowName, ss, TawkConnectionTime | Necessary for the functionality of the website’s chat-box function. | After current browsing session is closed. | Functionality cookies |
| eideasy.com, id.eideasy.com | tawkUUID, __tawkuuid | Same as previous. | 179 days | Functionality cookies |
| eideasy.com, id.eideasy.com | twk_* | Same as previous. | 1 year | Functionality cookies |
8.4. It is possible to reject cookies in your browser (different browsers have different options). Blocking all cookies may affect the usage of Service Provider’s Site.
14. Governing law, jurisdiction and submitting complaints
14.2. Any and all disputes arising from or related to the personal data protection will be settled by the parties by way of negotiations. Failing agreement, you shall have the right to lodge a complaint with the supervisory authority Estonian Data Protection Inspectorate or a claim to court.
14.3. In case the dispute between the parties is to be resolved in judicial proceedings, the parties agree to refer the dispute to Harju County Court in accordance with the legislation in force in the Republic of Estonia.
14.4. The above-mentioned does not exclude consumers from their rights regarding jurisdiction.