1. Intro - Data Controller and Data Processor
ShiftX AS (organization number 920 936 628) ("ShiftX") is a company that helps its customer ("the Customer" to draw, structure, and work efficiently with improving business processes on the basis of a Software as a Service (SaaS) ("the Services").
Data privacy is important to ShiftX. This means that ShiftX processes data about data subjects (identified or identifiable individuals), with due care and in accordance with applicable data protection law.
This Privacy Policy describes how ShiftX processes personal data when ShiftX acts as a data controller.
In addition, ShiftX processes personal data that the Customers transmit to the solutions when using the Services. In legal terms, ShiftX is the data processor of such personal data when the Customer is not an individual, and the Customer is s the data controller. The processing of personal data on behalf of the Customer is based on a data processor agreement between ShiftX and the Customer and is not covered by this privacy policy.
If you have any questions regarding ShiftX's processing of your personal data or this privacy policy, you may contact ShiftX by using the following contact information:
Address: Nedre Vollgate 5, 0158 OsloEmail address: privacy@shiftx.com
2. Information about ShiftX’s processing of personal data
ShiftX mainly processes personal data about contact persons of Customers, suppliers, and other partners, subscribers to our newsletters or events, if you have applied to a position with us, visitors to our website, and persons who contact ShiftX, e.g. by sending us an inquiry via our website. The personal data may be provided by you or third parties such as customers, suppliers, partners, etc.
We may process your personal data in connection with the following processing activities:
- Contract management and administration of business Customers, supplier, and other business partner relationships; where personal data about employees and others of the customer, supplier, and other business partners are processed, such as contact information as name, business function, telephone number, and email address, in addition to personal data contained in contracts, ongoing commercial correspondence, invoices, minutes of the meeting, etc. The legal basis is ShiftX's legitimate interest in entering into business relationships, fulfilling contracts, and administrating such relationships (GDPR Article 6 (1) (f)).
- Contractual relationship; In a contractual relationship between ShiftX and individuals, personal data may be necessary for the execution or the performance of the contract (GDPR Article 6 (1) (b)), such as contact information and other personal data necessary to fulfill the contract.
- Marketing and market surveys; where contact information is processed to conduct information and marketing campaigns related to the Services and keeping you informed about the Services, which either is based on our legitimate interest in providing updates about our Services etc (for already existing customers in compliance with the Marketing Control Act (Nw. markedsføringsloven)) or your consent (for not already existing customer relationships).
- Recruitment; where ShiftX processes personal data in relation to your application, please see our recruitment data policy.
- Use of ShiftX's website; where ShiftX may process personal data about visitors on our website, where your IP address may be processed. ShiftX uses cookies and other information gathering methods to e.g. enhance the website and the use thereof, based on ShiftX's legitimate interest in improving and optimizing the website (GDPR Article 6 (1) (f)). For more information about our use of cookies etc., please see our cookie policy.
- Answering inquiries from you; where contact information and other information you provide us will be processed, based on our legitimate interest in following up your inquiry (GDPR Article 6 (1) (f)).
- Comply with statutory requirements and legal obligations; where ShiftX may process personal data due to legal obligations applicable to the operation of ShiftX (GDPR Article 6 (1) (c)), such as requirements in accounting legislation, and to comply with other orders from public authorities.
- Protect ShiftX' or third parties' rights; to determine, assert and defend legal claims that we believe we have or are directed against us from Customers, suppliers, partners, other third parties, or public authorities, which is based on our legitimate interest in securing our rights (GDPR Article 6 (1) (f)).
3. Retention and deletion of personal data
Personal data shall not be kept longer than necessary for the purpose they were collected for. The storage period depends on the type of personal data, the purposes, and the applicable law and therefore varies per use.
ShiftX will delete or anonymize personal data as soon as the purpose of the processing is fulfilled.
Personal data will nevertheless be stored for as long as what is necessary for ShiftX to fulfill statutory requirements and legal obligations, including requirements for continued storage in accordance with accounting legislation, as well as to the extent necessary to safeguard ShiftX's rights.
4. Disclosure and transfer of personal data to third parties
ShiftX will only disclose personal data to third parties if there is a legal basis for such disclosure.
ShiftX use data processors to process personal data on our behalf. The relationship with such data processors will be regulated through a data processor agreement, which, among other things, ensures confidentiality and safeguarding of information security at all levels.
In some cases, ShiftX may disclose personal data to public authorities in order to meet statutory requirements or comply with government orders, for example, to comply with obligations under accounting or tax legislation. Public authorities will be responsible for processing the personal data ShiftX provides in such cases.
5. Data subject’s rights
Data subjects may request access to data, rectification, and erasure of data ShiftX processes about you if the conditions are met.
Data subjects may also request the restriction of the processing, opposite on the processing and data portability where the conditions are met.
If our processing is based on your consent, you may withdraw your consent at any time.
You have the right to complain about ShiftX's processing of your personal data to the Norwegian Data Protection Authority. We encourage you to address any objections to ShiftX's processing of personal data with us first.
For questions relating to ShiftX’s processing of personal data, or requests to use any of your rights according to applicable personal data legislation, please contact ShiftX by using the contact information provided above.
6. Security
ShiftX has implemented appropriate technical and organizational measures to safeguard the personal data that it processes against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and other unlawful forms of processing. ShiftX uses administrative, technical, and physical measures to safeguard data against loss, theft, and unauthorized uses, access, or modifications.
7. Changes to the Privacy Policy
The current Privacy Policy will be available on our website at all times.
This Privacy Policy will be modified to reflect changes in applicable laws or regulations or changes in our practices or procedures. In the event of changes, this Privacy Policy will be updated on the website.
If changes are made to the processing of personal data that requires your consent, such consent will be obtained before such changed processing is implemented.
Last updated: 24. February 2022