PRIVACY STATEMENT – OUTSMART
OutSmart International B.V. (“OutSmart”), having its registered office in Amsterdam, the Netherlands and its business address at Nevelgaarde 5A (3436 ZZ), Nieuwegein, collects and uses your personal data in accordance with the General Data Protection Regulation (“GDPR”) and other data protection legislation currently in force and applicable to us.
We find it important to be transparent about how and why we process your personal data. Therefore, this Privacy Statement clearly explains:
- OutSmart’s role in relation to personal data;
- what personal data OutSmart collects and how we collect it;
- why OutSmart collects your personal data;
- who receives your personal data;
- how long OutSmart stores your personal data;
- how we secure your personal data;
- what your rights and obligations are;
- what happens if you do not want to provide us with your personal data.
This Privacy Statement applies to:
- the visitors of our website out-smart.com;
- the users of our OutSmart mobile applications Outsmart (iOS) and OutSmart WerkbonApp (Android) (“the Apps”). Please note: this Privacy Statement only applies to these users to a certain degree; please check “OutSmart’s role in relation to personal data” below;
- contact persons at our (potential) customers;
- contact persons at our (potential) business relations;
- contact persons at our referrers;
- people receiving our communications such as invitations;
- people contacting us via our contact form or otherwise.
OutSmart’s role in relation to personal data
Please note: besides processing your personal data for our own purposes we also process certain personal data on behalf of our business customers. For example: data in relation to our customers’ employees, contractors and customers that was submitted through our website, the Apps or otherwise (such as names, email addresses, phone numbers, photos, location data and metadata derived from use of our services). When processing that data we are considered to be the processor as defined in article 4 paragraph 8 of the GDPR and only act on the basis of our business customers’ instructions and the processors agreement. That also means that such processing is subject to the privacy policies of our business customers.
In the web accounts of our customers we have created a Privacy & data dashboard to give customers insight into relevant privacy issues in one place. This dashboard offers tools/functionalities in relation to both our role as controller and our role as processor.
Data OutSmart collects and how we collect it
Your personal data, such as names, email address, phone number and IP-address, will be collected through the registration process and when you visit our website and/or the Apps. We may receive your data directly from you or via a third party (for example: a referral partner). Further information will be obtained directly from you during the course of your engagement with us, for example through communication with you, user support or surveys.
Why does OutSmart collect your data?
OutSmart collects your personal data for the following reasons:
- to be able to register our customers;
- to be able to provide our services;
- to manage our customers’ accounts;
- to contact our customers and maintain customer/visitor lists;
- to respond to inquiries or feedback;
- for identification and authentication purposes;
- for billing purposes;
- for service improvement;
- to be able to analyse the behaviour of our online visitors;
- for marketing purposes;
- for business planning and restructuring exercises;
- for statistical purposes;
- to deal with legal claims;
- to prevent criminal activities (such as fraud);
- to ensure OutSmart’s administrative and IT systems are safe, secure and robust against unauthorised access;
- for other legitimate business interests.
There may be more than one reason for processing your personal data. Furthermore, the reason(s) for processing your personal data will depend on whether you are a visitor of our website, user of the Apps, customer or other data subject.
The legal basis in the GDPR for processing your personal data is:
- that processing is necessary for the performance of the contract we have with you or in order to take steps at your request prior to entering into a contract; and/or
- that you have given your consent; and/or
- that processing is necessary to comply with a legal obligation to which we are subject;
- that processing is necessary to pursue legitimate (business) interests of our own or those of third parties (for example: if OutSmart must handle a legal claim, in case of marketing interests or other legitimate business interests).
Who receives your personal data?
Your personal data may be shared by OutSmart with the following categories of recipients:
- CRM system provider (OutSmart);
- payment provider (Buckaroo). Since our payment service is provided by Buckaroo you will also be required to agree with Buckaroo’s terms;
- Mailchimp (we use this service to send emails to our customers);
- Atlassian (this is where tickets of customers contacting the service desk are logged);
- data center;
- web host provider;
- law firms.
In order to use the services of Mailchimp and Atlassian, data may be transferred to the USA. There is no adequacy decision by the European Commission in place with respect to this country. In a further effort to secure and protect the transfer of data to these third parties we have put the following measures in place: standard contractual clauses adopted by the European Commission. In addition, we have limited the amount of data shared. To obtain more information on this or copies of the relevant documents, please contact the contact person(s) mentioned at the end of this Privacy Statement.
How long does OutSmart store your personal data?
Generally, we will not keep your personal data longer than strictly necessary for the purposes for which they are processed, unless statutory requirements (for example: the fiscal retention period) oblige us to keep your personal data longer. More specifically the retention periods below apply:
- personal data from our customers (that is not subject to the fiscal retention period) will be stored until 1 year after we last provided our services/delivered a product to you. This retention period also applies to people using the free 14-day trial;
- personal data from our business relations/referrers (that is not subject to the fiscal retention period) will be stored until 1 year after we last cooperated with you;
- personal data from people receiving our communications such as invitations/newsletters etc. will be stored until you unsubscribe;
- personal data from people contacting us via our contact form or otherwise will be stored until the data is no longer needed for communication purposes;
- your IP address, collected during your website visits, will be stored for 1 year, unless there are security reasons for keeping it.
For retention periods of cookies we refer to the Cookie Statement on our website.
At the end of the retention period your data will be reviewed and deleted, unless there are compelling reasons for keeping the personal data longer (e.g. in case of pending or expected legal disputes) or when the data are still needed for other purposes mentioned in this Privacy Statement.
How do we secure your personal data?
Protection of your personal data is crucial to us and we therefore do our utmost to take appropriate technical and organisational measures to protect against loss, abuse and alteration of your data. We also keep ourselves informed of the latest information about security and amend our security measures when necessary. Obviously, we treat your personal data confidentially.
Security (Management) Policy
The OutSmart Security Management policy is based on ISO 27001. This is the general standard for information security, which is also generally accepted. Compliance with security procedures is monitored by the security coordinator who reports directly to the OutSmart management team. The management team itself is also ISO 27001 certified and ensures optimum security. If the infrastructure is affected by a security incident (priority P1) OutSmart will take all required steps such as installing necessary patches.
All systems in the OutSmart infrastructure are located in rooms that are protected against physical access by unauthorized persons. For this, use is made of an access control system that is linked to a burglary protection system. The aforementioned spaces are also equipped with 24×7 security, emergency power provisions and fire extinguishers, which means that calamities are excluded as much as possible.
The logical security of the OutSmart network is set up in accordance with ISO 27001. Our customers have the opportunity to use two-factor authentication (2FA) for logging in. Every user on the web account must have his own login code so that it is always possible to trace who has access to the system.
Tier 3 data centers
OutSmart’s fault tolerant systems are hosted by Equinix Amsterdam Data Centers. They are located near the internet node in the Netherlands and have multiple redundant access to the internet. The locations are located in an office environment without risky activities. The locations are also above N.A.P (Normal Amsterdam Level). Separate rooms (private suites) are available in the data centers. Access to the suites is regulated by an electronic pass system. The racks in the suites also feature numeric code locks that can only be opened by authorized employees.
Both data centers are selected and certified according to the Security Management ISO 27001 standard and the Quality Management ISO 9001 standard.
Our Apps work safely and have sufficient login security (they also support Face ID and Touch ID), continuous synchronization between App and web account, and the possibility to block Apps from the web account (e.g. in case of theft).
What are your rights and obligations?
With regard to your personal data that OutSmart processes, you have the right to:
- access. This means that you have the right to access the personal data OutSmart keeps about you;
- rectification. Should any data OutSmart keeps about you be incomplete or inaccurate, you have the right to request OutSmart to correct it;
- erasure. You have the right to ask OutSmart to erase your personal data from OutSmart’s systems where you believe there is no reason for OutSmart to continue processing it;
- restriction of processing. In certain cases you have the right to obtain from OutSmart restriction of processing;
- objection to processing. In situations where OutSmart relies on a legitimate interest (or those interests of a third party) for the processing of your personal data you have the right to object to processing;
- portability. This means that you have the right to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another party.
All these rights are subject to the conditions as laid down in the GDPR.
Where processing is based on consent you also have the right to withdraw consent at any time (without affecting the lawfulness of processing based on consent before its withdrawal). However, in certain cases the processing of your personal data is also based on another legal ground and in that case OutSmart will continue using your personal data.
In order to exercise your rights, please send a request to the contact person stated below in this Privacy Statement. Furthermore, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, www.autoriteitpersoonsgegevens.nl).
What if you do not want to provide us with your personal data?
Finally, what happens if you do not want to provide OutSmart with your personal data? Since providing certain information is a contractual requirement in case you want to use OutSmart’s service, neglecting to provide that information may affect OutSmart’s ability to enter into or continue with a contract with you and to use our services. In other cases it may hinder you from accessing (parts of) our website or the Apps.
Amendment of this Privacy Statement
We reserve the right to change this Privacy Statement at any time. If we decide to change this Privacy Statement we will announce this, for example by publishing our amended Privacy Statement on our website(s).
Should you have any questions with regard to this Privacy Statement and/or the processing of your personal data, please contact:
Bas Langenhuizen or Steven Rigter: firstname.lastname@example.org