1. Introduction

This document describes the Privacy Policy of https://rayvn.global/ ("our Homepage") and all other services offered by RAYVN AS ("RAYVN", "We", "Us"). It is intended to help you, as a natural person (‘Data Subject’) or legal person (e.g. a private, non-profit or municipal corporation) understand which personal data we collect, how and why we process it.

In this policy we will apply terms like ‘Personal Data’, ‘Controller’, ‘Processor’, and other terminology as defined in European Union Regulation 2016/679 (General Data Protection Regulation, "GDPR"), Article 4.

This policy describes the data for which we are the Controller. Please note that we may also act as Processor of personal data on behalf of our customers. If so, our customers will act as Controller and we will process personal data as instructed by them, according to the corresponding customer agreement (‘Data Processing Agreement’). In those cases, the customer’s policies or other agreements with the data subjects will replace this policy.

Should you have any requests related to data for which we are not acting as Controller, please contact the RAYVN customer directly. 

2. Personal Data We Collect 

a) Contact Information 

This may include your name, email address, phone number, country of residence and current employer or company affiliation (as existing or prospective RAYVN customer). It may also include additional information that you voluntarily give us when you interact with us.

Source

Forms you fill in (e.g. contact or trial/ signup forms from our homepage), social networking software (e.g. LinkedIn) or by corresponding with us at conferences, events, email, phone or otherwise. 

b) Correspondence Data

This is support tickets, questions, feedback, signed agreements, and any other content directly related to RAYVN’s services or operations that you send us, including any follow-up conversations and metadata (time, status, etc.). 

Source

Information you voluntarily provide us with, or we derive from direct interaction with you by way of form submission, email, phone or otherwise. 

c) Technical Data

This may include information about the software (operating system, browser), the settings (display resolution, time zone, language preferences), the internet connection (IP address, bandwidth, latency, location) and the device (device type) you are using while accessing our services. Whenever you are logged out, this data does not identify you directly, but is still considered personal data as it could potentially be used to identify you indirectly. 

Source

This data will be collected or inferred from collected data whenever you use our services, either due to the requirements of the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is obtained both through user-initiated requests and non-user-initiated background communication in web and mobile applications. 

d) Interactivity Data 

This may include information about the actions you perform (logins and logouts, form submissions, API calls, etc.), site navigation (menu choices, URLs visited) and your user patterns (timing, mouse activity). Whenever you are logged out, this data does not identify you directly, but is still considered personal data as it could potentially be used to identify you indirectly. 

Source

This data will be collected or inferred from collected data whenever you use our services, either due to the requirements of the communication protocols (e.g. TCP/IP and HTTP) or from logging of your browser’s internal state and settings. This data is obtained both via user-initiated requests and non-user-initiated background communication in web and mobile applications. 

e) Location Data

RAYVN collects location data in the background even when the app is closed. Positions are required; administrators need to know where relevant personell is located in case they are mobilized to attend to an emergency. Positions will only be recorded if they are mobilized to handle an emergency, and have actively accepted the use of positioning tracking. Once the emergency situation has come to an end, the incident log is closed and the app will stop tracking the position.

Source

Location data is collected from the position data available on the device (GPS or proximity to base stations).

3. How We Use Personal Data - Purposes

a) To Ask for Consent 

We may use your contact information to ask for consent to send you marketing materials, surveys, statistics or product updates. We will not send you any of this unless you have consented. You will always have the opportunity to opt out of such communication (‘right to restriction of processing’) or to have your contact information deleted entirely (‘right to erasure’), even if you previously have consented. You may also entirely ignore our communication and we will, after a while, stop communicating and automatically delete your data (cf. section 4a, below). 

Legal basis

GDPR, Article 6(1)(f), implemented in accordance with the Norwegian "Marketing Control Act", Section 15 and "E-commerce Act", Section 9. 

b) To Inform or Notify You 

We may use your contact information to: 

  1. send you marketing materials, newsletters, surveys, statistics or product updates that you have consented to, or
  2. send you invoices, policy updates or any other relevant legal or administrative information relating to your company’s customer relationship to RAYVN, or
  3. send you security updates, personal data breach notifications or any other relevant technical information regarding the operation of RAYVN’s services. 

Legal basis

GDPR, Article 6(1)(a) (cf. section 3a, above), implemented in accordance with the Norwegian "Marketing Control Act", Section 15 and "E-commerce Act", Section 9. 

c) To Provide Customer Service and Relationship Management

We may use correspondence data to assist you, to communicate regarding contracts, terms and policies and to improve our customer service and management routines.

Legal basis

GDPR, Article 6(1)(b) or (f), depending on the established relationship we have with you or your company. 

d) To Improve the Functionality of Our Services

We may use correspondence data, technical data and interactivity data to evaluate the features we need to work on.

Legal basis

GDPR, Article 6(1)(b) or (f), depending on the established relationship we have with you or your company. 

e) To Improve the Usability and Performance of Our Services

We may use correspondence data, technical data and interactivity data to evaluate which non-functional requirements need to be set and met.

Legal basis

GDPR, Article 6(1)(b) or (f), depending on the established relationship we have with you or your company. 

f) To Ensure or Improve the Security of Our Services

We may use correspondence data, technical data and interactivity data to evaluate the operations of our services as well as for auditing purposes during and after an incident. We may also do profiling on technical and interactivity data for purposes of detecting or preventing intrusion, data breaches, denial of service or other fraudulent activity.

Legal basis

GDPR, Article 6(1)(b) or (f), depending on the established relationship we have with you or your company. 

g) For Compliance and Documentation

We may use correspondence data to document legal or financial responsibilities and contractual obligations.

Legal basis

GDPR, Article 6(1)(f) 

h) For Mobilization Purposes

We use location data to track the current position of appropriate Emergency Personell who are mobilized to attend an emergency situation. This gives information about the distance they have to travel to get to the Situation Room or agreed meeting point, the time they can be expected in, and their current position as they are traveling. This has significance to planning in the early phase of an emergency. The user is asked for consent prior to use of location data.

Legal Basis

GDPR Article 6(1)(a) and (b)

4. Retention Policy for Personal Data 

a) Retention Policy for Data Use According to Purpose 3a 

  1. If you do not reply: Your contact information and correspondence data will be erased within 2 months of first contact. After erasure we will have no record of any previous correspondence, so it is possible that you may be approached again at some later date.
  2. If you invoke your right to erasure: We will erase your contact information and correspondence data without undue delay and no later than 1 month. After erasure we will have no record of any previous correspondence, so it is possible that you may be approached again at some later date.
  3. If you invoke your right to restriction of processing: We will store your contact information and flag you as restricted (‘opted out’). You will not hear from us again by way of this contact information.
  4. If you consent: We will retain your contact information for as long as it is relevant for the stated purpose. You may withdraw your consent at any point in time by invoking option 2) or 3), above.

b) Retention Policy for Data Use According to Purpose 3b

We will retain your contact information for this purpose for as long we have your consent. If you withdraw your consent, it will be handled like

4(a)(2) or 4(a)(3), according to your choice. 

c) Retention Policy for Data Use According to Purpose 3c, 3d, 3e and 3f

We will retain correspondence data, technical data and interactivity data for this purpose for as long as we have a contractual obligation or legitimate interest (i.e. for the security purposes described in 3f). If retention was based on a contractual obligation that ceases to exist, we will consider whether we still have a legitimate interest in the data:

  1. If deemed feasible and desirable, both from a technical and legal perspective: We may keep the data in an anonymized or pseudonymized form (i.e. without reference to your contact information) or aggregate it in such a way that it is no longer related to you.
  2. Otherwise: We will erase the data without undue delay, e.g. as part of our next periodic purge routine.

d) Retention Policy for Data Use According to Purpose 3g

We will retain the parts of the correspondence data that are necessary for the fulfillment of this purpose for as long as required, e.g. 10 years for accounting purposes. After retention is no longer necessary, we will erase the data without undue delay. 

5. Security of Personal Data 

In order to protect the security (confidentiality, integrity and availability as they are commonly defined and understood in the information security field) of your data and the systems and services that process it, we will assess the related risks (threats, probabilities and consequences) and implement both technical and organizational measures as appropriate (taking assumed costs and effectiveness of the measures into account).

Please understand that the landscape of threats and tools changes all the time, sometimes overnight, and that ensuring acceptable security over time requires a continual process of evaluation and improvement. Indeed, no process can guarantee the absolute safety of your data, but we do our best to keep in line with best industry practices and to update our routines and systems as needed.

In the unfortunate event of a data breach, we will notify the involved and interested parties, including the relevant supervisory authority, in accordance with the GDPR, Article 33 and 34. 

6. Sharing of Personal Data 

a) General

We will only process your data or transfer your data to other processors (‘subprocessors’) as described in this document. In particular, we will not sell, rent or trade your data to/with any other party and we will only share it for the purposes stated below.

We may, however, share or publicize aggregated anonymized data (i.e. data that is derived from, but no longer classified as, personal data), for example traffic statistics from our homepage.

We may be compelled to release your data to comply with law enforcement or other legal requirements that we are subject to. If this situation occurs, we will attempt to notify you, to the extent permitted by law.

We may, in the event of a merger or an acquisition of RAYVN, transfer your data to an involved party to ensure the continuity of services, but will only do so after we have ensured (to a reasonable degree of certainty) that the third party will adhere to the terms of our Privacy Policy. 

b) Our Trusted Subprocessors

We may share your data with the following trusted subprocessors for the purposes stated below.

Name Freshworks, Inc.

Address 2950 S. Delaware Street, Suite 201, San Mateo, CA 94403, USA

Description of Processing Product/ service: Freshdesk, Freshsales, Freshsuccess

Storage and processing of contact information and correspondence data for the purpose of

    • customer service
    • sales activities
    • improving the usability and performance of our service
    • ensure or improve the security of our service

Name Google LLC

Address 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Description of Processing Product/ Service: G Suite.

Storage and processing of contact information and correspondence data for the purpose of

    • customer service and relationship management
    • compliance and documentation

Name New Relic, Inc.

Address 188 Spear Street, Suite 1000, San Francisco, CA 94105, USA

Description of Processing Product/ Service: New Relic Digital Intelligence Platform.

Storage and analysis of pseudonymous technical and interactivity section data, for the purpose of

    • improving the functionality of our service
    • improving the usability and performance of our service
    • ensure or improve the security of our service

Name The Rocket Science Group LLC

Address 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA

Description of Processing Product/ Service: MailChimp

Storage and processing of contact information and correspondence data for the purpose of

    • informing and notifying you

7. Your Rights

The GDPR grants you, as a Data Subject, several rights regarding storage and processing of, as well as access to, your own personal data. Here’s a quick summary of your rights: 

Information About Registration

Data subjects must be able to get information about the terms of the processing of their own personal data, e.g. what kind of data is being processed, for what purpose, for how long, etc. 

Access to Data

Data subjects must be able to access and review their own personal data (with some exceptions). 

Rectification of Data

There must exist a process for data subjects to be able to notify the controller about incorrect/incomplete data and/or, whenever appropriate, to be able to correct and/or complete their own personal data. 

Restriction of Processing

Data subjects must at any time be able to signal their objection, or withdraw prior consent, to process their own personal data. 

Erasure of Data

There must exist a process for data subjects to be able to request erasure of their own personal data and for the request to be considered and handled within a reasonable time frame. 

Portability of Data

Data subjects must be able to export their own personal data to a standard, open, electronic and machine-readable format, so that they can bring with them their data to a different provider without hindrance by the data controller. 

If you would like to exercise any of these rights or have a question regarding them, see section 9 “How to Contact Us”, below. You can learn more about our approach to GDPR in our document, "GDPR - Introduction and Implications for RAYVN", which is available on our homepage or may be sent to you upon request. 

8. Changes to This Policy 

We may revise this Privacy Policy if we deem it necessary, e.g. for legal reasons or to reflect changes to our services. Whenever we do, we will update the "Last revision date" and make the revised document publicly available along with a short description of what was changed ("changelog"). The revised Privacy Policy will take effect thirty (30) days after we make it available. 

We will notify our existing customers of any substantial changes and we also encourage all data subjects (individuals) to review our Privacy Policy periodically and make themselves aware of any changes. We encourage you to contact us if you have specific questions or requests regarding the changes. 

Your continued use of our services, after the changes take effect, will be regarded as your acceptance of the changes. Consequently, if you do not agree to the changes, we will unfortunately have to require you to stop using our services before the changes take effect. We hope you appreciate that this is a requirement that is necessary for us to deliver consistent services, under the same rules, to everyone. 

9. How to Contact Us 

If you have any questions, request or concern related to this Privacy Policy, or RAYVN’s privacy and data protection practices in general, please contact us at privacy@rayvn.global and we will do our best to assist you. 

Updated 2021/02/10.