Privacy Policy

 

1. Introduction

This document describes the Privacy Policy of https://rayvn.global/ (“our homepage”) and all other services offered by RAYVN AS (“RAYVN”, “we”, “us”). It is intended to help you, as a natural person (‘data subject’) or legal person (e.g. a private, non-profit or municipal corporation), to understand what personal data we collect about data subjects as well as how and why we process it.

Throughout this document we will use terms like ‘personal data’, ‘controller’, ‘processor’, and others, as defined in European Union Regulation 2016/679 (General Data Protection Regulation, “GDPR”), Article 4.

This policy describes the data for which we are the controller. Note that we may also act as processor of personal data on behalf of our customers. Our customers will then act as data controller and we will process such data as instructed by them, according to the corresponding customer agreement (‘data processing contract’). In those cases, the customer’s policies or other agreements with the data subjects will apply instead of this policy. For any requests you may have related to data for which we are not acting as controller, please contact the RAYVN customer directly.

2. Personal data that we collect

a) Contact Information

This may include your name, email address, phone number, country of residence and current employer or company affiliation (as an existing or prospective RAYVN customer). It may also include additional information that you voluntarily give us when you interact with us.

Source: Forms that you fill out (e.g. contact or trial/signup forms on our homepage), social networking software (e.g. LinkedIn) or through correspondence with us at conferences, events, email, phone or otherwise.

b) Correspondence Data

This consists of support tickets, questions, feedback, signed agreements, and any other content directly related to RAYVN’s services or operations that you send to us, including any follow-up conversations and metadata (time, status, etc.).

Source: Information that you voluntarily give to us, or that we derive from direct interaction with you, by way of form submission, email, phone or otherwise.

c) Technical Data

This may include information about the software (operating system, browser), the settings (display resolution, time zone, language preferences), the internet connection (IP address, bandwidth, latency, location) and the device (device type) you are using while accessing our services. Whenever you are logged out, this data does not identify you directly, but is still considered personal data since it could potentially be used to identify you indirectly.

Source: This data will be collected or inferred from collected data whenever you use our services, either due to the requirements of the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is obtained both through user-initiated requests and non-user-initiated background communication in web and mobile applications.

d) Interactivity Data

This may include information about the actions you perform (logins and logouts, form submissions, API calls, etc.), site navigation (menu choices, URLs visited) and your usage patterns (timing, mouse activity). Whenever you are logged out, this data does not identify you directly, but is still considered personal data since it could potentially be used to identify you indirectly.

Source: This data will be collected or inferred from collected data whenever you use our services, either due to the requirements of the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is obtained both through user-initiated requests and non-user-initiated background communication in web and mobile applications.

3. How We Use Personal Data

a) To Ask for Consent

We may use your contact information to ask for consent to send you marketing materials, surveys, statistics or product updates. We will not send you any of this until you have consented. You will always have the option to opt out of such communication (‘right to restriction of processing’) or to have your contact information deleted entirely (‘right to erasure’), even if you have previously consented. You may also entirely ignore our communication and we will, after a time, stop communicating and automatically delete your data (cf. section 4a, below).

Legal basis: GDPR, Article 6 (1) f, implemented in accordance with the Norwegian “Marketing Control Act”, Section 15 and “E-commerce Act”, Section 9.

b) To Inform or Notify You

We may use your contact information to:

  1. send you marketing materials, newsletters, surveys, statistics or product updates that you have consented to, or

  2. send you invoices, policy updates or any other relevant legal or administrative information relating to your company’s customer relationship to RAYVN, or

  3. send you security updates, personal data breach notifications or any other relevant technical information regarding the operation of RAYVN’s services.

Legal basis: GDPR, Article 6 (1) a (cf. section 3a, above), implemented in accordance with the Norwegian “Marketing Control Act”, Section 15 and “E-commerce Act”, Section 9.

c) To Provide Customer Service and Relationship Management

We may use correspondence data to assist you, to communicate regarding contracts, terms and policies and to improve our customer service and management routines.

Legal basis: GDPR, Article 6 (1) b or f, depending on the established relationship we have with you or your company.

d) To Improve the Functionality of Our Services

We may use correspondence data, technical data and interactivity data to evaluate what features we need to work on.

Legal basis: GDPR, Article 6 (1) b or f, depending on the established relationship we have with you or your company.

e) To Improve the Usability and Performance of Our Services

We may use correspondence data, technical data and interactivity data to evaluate which non-functional requirements need to be set and met.

Legal basis: GDPR, Article 6 (1) b or f, depending on the established relationship we have with you or your company.

f) To Ensure or Improve the Security of Our Services

We may use correspondence data, technical data and interactivity data to evaluate the operations of our services as well as for auditing purposes during and after an incident. We may also do profiling on technical and interactivity data for purposes of detecting or preventing intrusion, data breaches, denial of service or other fraudulent activity.

Legal basis: GDPR, Article 6 (1) b or f, depending on the established relationship we have with you or your company.

g) For Compliance and Documentation

We may use correspondence data to document legal or financial responsibilities and contractual obligations.

Legal basis: GDPR, Article 6 (1) f.

4. Retention Policy for Personal Data

a) Retention Policy for Data Use According to Purpose 3a

  1. If you do not reply: Your contact information and correspondence data will be erased within 2 months of first contact. After erasure we will have no record of any previous correspondence, so it is possible that you may be approached again at some later date.

  2. If you invoke your right to erasure: We will erase your contact information and correspondence data without undue delay and no later than 1 month. After erasure we will have no record of any previous correspondence, so it is possible that you may be approached again at some later date.

  3. If you invoke your right to restriction of processing: We will store your contact information and flag you as restricted (‘opted out’). You will not hear from us again by way of this contact information.

  4. If you consent: We will retain your contact information for as long as it is relevant for the stated purpose. You may withdraw your consent at any point in time by invoking option 2 or 3, above.

b) Retention Policy for Data Use According to Purpose 3b

We will retain your contact information for this purpose for as long as we have your consent. If you withdraw your consent, it will be handled like option 2 or 3 of section 4a, according to your choice.

c) Retention Policy for Data Use According to Purpose 3c, 3d, 3e and 3f

We will retain correspondence data, technical data and interactivity data for this purpose for as long as we have a contractual obligation or legitimate interest (i.e. for the security purposes described in 3f). If retention was based on a contractual obligation that ceases to exist, we will consider whether we still have a legitimate interest in the data:

  1. If deemed feasible and desirable, both from a technical and legal perspective: We may keep the data in an anonymized or pseudonymized form (i.e. without reference to your contact information) or aggregate it in such a way that it is no longer related to you.

  2. Otherwise: We will erase the data without undue delay, e.g. as part of our next periodic purge routine.

d) Retention Policy for Data Use According to Purpose 3g

We will retain the parts of the correspondence data that are necessary for the fulfillment of this purpose for as long as required, e.g. 10 years for accounting purposes. After retention is no longer necessary, we will erase the data without undue delay.

5. Security of Personal Data

In order to protect the security (confidentiality, integrity and availability as they are commonly defined and understood in the information security field) of your data and the systems and services that process it, we will assess the related risks (threats, probabilities and consequences) and implement both technical and organizational measures as appropriate (taking assumed costs and effectiveness of the measures into account).

Please understand that the landscape of threats and tools changes all the time, sometimes overnight, and that ensuring acceptable security over time requires a continual process of evaluation and improvement. Indeed, no process can guarantee the absolute safety of your data, but we do our best to keep in line with best industry practices and to update our routines and systems as needed.

In the unfortunate event that a data breach or other relevant security incident happens, we will notify the involved and interested parties, including the relevant supervisory authority, in accordance with the GDPR, Articles 33 and 34.

6. Sharing of Personal Data

We will only process your data or transfer your data to other processors (‘subprocessors’) as described in this document. In particular, we will not sell, rent or trade your data to/with any other party and we will only share it for the purposes stated below.

We may, however, share or publicize aggregated anonymized data (i.e. data that is derived from, but no longer classified as, personal data), for example traffic statistics from our homepage.

We may be compelled to release your data to comply with law enforcement or other legal requirements that we are subject to. If this situation occurs, we will attempt to notify you, to the extent permitted by law.

We may, in the event of a merger or an acquisition of RAYVN, transfer your data to an involved party to ensure the continuity of services, but will only do so after we have ensured (to a reasonable degree of certainty) that the third party will adhere to the terms of our Privacy Policy.

7. Your Rights

The GDPR grants you, as a data subject, several rights regarding storage and processing of, as well as access to, your own personal data. Here’s a quick summary of your rights:

Information About Registration

Data subjects must be able to get information about the terms of the processing of their own personal data, e.g. what kind of data is being processed, for what purpose, for how long, etc.

Access to Data

Data subjects must be able to access and review their own personal data (with some exceptions).

Rectification of Data

There must exist a process for data subjects to be able to notify the controller about incorrect/incomplete data and/or, whenever appropriate, to be able to correct and/or complete their own personal data.

Restriction of Processing

Data subjects must at any time be able to signal their objection, or withdrawal of prior consent, to the processing of their own personal data.

Erasure of Data

There must exist a process for data subjects to be able to request erasure of their own personal data and for the request to be considered and handled within a reasonable time frame.

Portability of Data

Data subjects must be able to export their own personal data to a standard, open, electronic and machine-readable format, so that they can bring their data with them to a different provider without hindrance by the data controller.

If you would like to exercise any of these rights or have a question regarding them, see the “How to Contact Us” section, below. You can learn more about our approach to GDPR in our document, “GDPR – Introduction and Implications for RAYVN”, which is available on our homepage or may be sent to you upon request.

8. Changes to This Policy

We may revise our Privacy Policy if we deem it necessary, e.g. for legal reasons or to reflect changes to our services. Whenever we do, we will update the “Last revision date” and make the revised document publicly available along with a short description of what was changed (“changelog”). The revised Privacy Policy will take effect thirty (30) days after we make it available.

We will notify our existing customers of any substantial changes and we also encourage all data subjects (individuals) to review our Privacy Policy periodically and make themselves aware of any changes. We encourage you to contact us if you have specific questions or requests regarding the changes.

Your continued use of our services, after the changes take effect, will be regarded as your acceptance of the changes. Consequently, if you do not agree to the changes, we will unfortunately have to require you to stop using our services before the changes take effect. We hope you appreciate that this is a requirement that is necessary for us to deliver consistent services, under the same rules, to everyone.

9. How to Contact Us

If you have any question, request or concern related to our Privacy Policy, or RAYVN’s privacy and data protection practices in general, please contact us at privacy@rayvn.global and we will do our best to assist you.