Privacy Notice

General GDPR other Data Protection laws Service Providers Rights General

42Gears Mobility Systems Private Limited and its affiliates and subsidiaries (“We”) respects its users’ (“User”/”You”/”Customer”/”Your”) privacy and appreciates Your concern to protect Your privacy. This Privacy Notice has been adopted by us to inform You of how we handle the information that You share with us. Unless otherwise defined in this Privacy Notice, the terms used in this Privacy Notice have the same meanings as in our Terms and Conditions.

The purpose of this Privacy Notice is to outline how we have established measures to protect Your privacy rights in accordance with the GDPR (EU General Data Protection Regulation), California Consumer Privacy Act as well as the laws of India (together “Applicable Laws”) where 42Gears Mobility Systems Private Limited (the Parent Company) is incorporated.

 

WHAT DATA WE COLLECT

We collect some information to conduct our regular business operations and administration that may include some personal information such as name, email address and contact details. We outline this below as:

• Data collected from website users;
• Data collected through the use of our products and services; and
• Other data

Personal Data

Personal data is the information relating to an individual who can be directly or indirectly identified from that data. Identification of personal data can be through reference to the information itself, or in conjunction with any other information in our possession or is likely to come into such possession. The processing of personal data in the EU is governed by the General Data Protection Regulation.

Customer Data

We may receive, store or process certain information including personally identifiable information on behalf of our customers. For the purpose of this Privacy Notice, we are a Data Controller of Your Personal Data as and when You directly use/purchase our products and services. Data Controller means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. However, in case You entrust any of Your data including Your customers or employees data through any of our structured means such as Resellers, Partners or distributers, we manage such data as a data processor or sub processor (Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller and Processor use another organization is sub processor) whatever the case may be.The data You entrust to us for processing is called Customer Data.

This Customer Data may include information from devices or other systems that the Customer manages and monitors using our services or products. It could also include end user data related to an individual’s activities on Customer’s network and systems including, but not limited to, email address, IP address, device information, CPU usage and any other data related to addressing a support or service request. Under GDPR we are primarily a data processor for Customer Data.

We do not sell or intend to sell or rent any personal data of Yours being collected, processed or stored in our systems in any manner whatsoever.

 

HOW WE COLLECT DATA

Data collected from website users

When You visit our website or seek to conduct business with us You may be prompted to provide certain personal information such as name, email address, mobile number, and geographic location etc. This information is used by us in the following ways:

• Help us connect with You or to establish communication at Your request.
• Collect Your Email address to subscribe to our newsletters.
• Register for webinars.
• Enquire about our products and services.
• Register or apply to our Partner Program

Generally, the personal information You provide to us is necessary to provide You with the information You have requested for and to resolve a complaint or address Your query.

We may also collect the personal information disclosed by You on our forums, blogs and testimonials or to any platforms to which You are able to post information and materials including third party services (such as social media channels) and through our any other Offerings.

We may also collect billing and transactional details of the Customer during their purchase of our products or services. We work with industry-standard payment providers to collect payment.

Please note that providing personal information to us is voluntary on Your part. If You choose not to provide us certain information, we may not be able to offer You certain products or services , and You may not be able to access certain features provided on our website.

Our servers automatically collect certain information when You visit our website. This information does not necessarily reveal Your identity directly but it may include information about the specific device used, such as the hardware model, operating system version, web-browser software (such as Firefox, Safari, or Internet Explorer) and the Internet Protocol (IP) address/MAC address/device identifier. In some countries, including the European Economic Area, this information may be considered personal information under the GDPR. We do not use this information to identify You, and do not process this information actively. The collection is a by-product of using the website.

Data Collected through the use of our Products and Services

Usage Data: Where our customers subscribe to our products and services we collect certain technical information obtained from software, systems hosting the services or products and devices accessing these products and services which do not directly identify the end user herein referred to as Usage Data. We collect this information for business analytics to identify how our products and services are used by our Customers. The extent of this collection is configurable by our customers, but as an indication, our collection of technical information that constitutes personal data includes (but is not limited to):

IP Address, Email address, Company name, Mobile number, Device Time, Device Model, RAM Information, Storage Information, Bluetooth Information, Data Usage details, Password Strength, Device Notes, Other usage statistics

We do not collect usage details about Customer’s end users, except as necessary for support or to provide the Services requested by Customers (in which case we are a data processor of such data). The information is only processed to provide the service requested by the Customer.

Location Related Information

We give our users more control over how our applications collect location data from their devices.

Whenever You elect to provide access for the location based information while using our SureMDM Nix Agent, we collect such location data for the purposes including, but not limited to location tracking, Geo-Fencing etc etc..

With Your consent, our Products may also collect additional asset related information such as IMEI, IMSI, Phone Number, Serial Number etc  only for the purpose necessary for support or to provide the services requested by the user.
In addition, some of the features of our Product may enable us to access Your location in order to customize Your experience with the Service based on Your location (“Location based Services”). In order to use certain Location based Services, You must enable certain features of Your device such as GPS, WiFi, and Bluetooth, which will enable us to identify Your location through a variety of means, including GPS location, IP address, geo-fencing technology, as available. The Location-based Services feature in our Products is powered by Google Maps.
(Please make sure You check and agree with Google Maps Privacy Policy and terms of use)
In case the user enables the location services and provides their express consent by way of the device settings while using our Service,our application will collect location data even when the application is running in the background.

The data stored on your mobile device and their location information to which the mobile applications have access will be used in the context of the mobile application, and transferred to and associated with your account in the corresponding services.

Call Logs Related Information:

With the clear and explicit prior consent of our users, we may further request access or permission to certain features from Your mobile devices, including but not limited to Your device’s Call logs, Contacts, etc for the purpose of collecting data for inventory management, call tracking, incoming/outgoing call restrictions and accessing SIM Card information for IT administrators.

The administrators may configure SureMDM to collect usage information, such as the number of calls, statistics (number of calls made or received, duration of calls, contact information etc)

The SureMDM will be able to read Your Call logs including contact name, phone number, duration of the call which is transmitted and stored in our secure SureMDM server. This information is available even when the application is running in background or is not actively used. The call log information stored in the server will never be shared with any third party or applications for any reason whatsoever.

SMS Related Information

With clear and explicit prior consent the SureMDM may be configured by the IT administrator to collect the text messages sent or received. This information may assist the administrator in managing SMS limits on the user cellular plan.

Based on how the administrator has configured SureMDM Agent, the data may include:

1. The number of SMS sent or received; and
2. Contact name date and time
3. Content of the SMS, etc

The aforesaid collection of the SMS logs are limited to the legitimate purpose(s) mentioned herein and stored in our secure SureMDM server which is never shared or transferred to any third party or applications. This information is available even when the application is running in background or is not actively used.

Storage Usage:

This is a SureMDM functionality that allows access to a device’s internal and external storage. When enabled, SureMDM may collect the contents of the device storage, including the SD card and locally stored files. Also, based on how the user has configured SureMDM Agent, certain functionality may allow administrators to have read, write, delete, modify and execute access to the device file system.
The Storage Usage information is transmitted and stored in our secure SureMDM server. This allows administrators to download, upload and execute files on the device remotely, even when the application is running in the background or is not actively used.

For further information about SureMDM Agent’s other data collection and purpose(s), kindly have a look at our Security and Compliance Page which talks about the “Required App Permissions“.

Contacts: If You choose to enable the functionality of “Contacts”, the SureMDM Agent will be able to collect Your Contact Information including contact name, phone number, even when the app is running in the background or is not actively being used. This will allow your SureMDM Administrator to allow or block the incoming and outgoing calls based on the contact information, and remotely delete a contact.

Further, Contact details may be transmitted and stored on our SureMDM secure server for purposes of generating reports for SMS and Call logs . The data stored in the server is never shared with any third party or applications and processed only in accordance with applicable privacy regulations, including Art. 6 Para. 1 (f) GDPR on the basis of our legitimate interest.

SureLock Access: We provide our users the ability to control the types of information they collect about user’s devices:

SureLock will allow us to capture the SMS content, Call Logs, Storage, Location, All Files Access in order to function properly and for the purpose of the administrator to change passwords through received SMS Commands, block or allow phone calls, and SMS and others.

Based on how the administrator configured the run-time permissions, the data may include but is not limited to:

SureLock will read only the “Phone Number” to allow/block the incoming and outgoing calls with Call log permission.

SureLock can read “Name of contact”, “content of the SMS” in order to change the Android lock screen PIN with SMS permission.

The details are mentioned below:

Call Logs Related Information: With the clear and explicit prior consent of our users, we may further request access or permission to certain features from Your mobile devices, including but not limited to Your device’s Call logs, Contacts, etc for the purpose of collecting data for inventory management, call tracking, incoming/outgoing call restrictions and accessing SIM Card information for IT administrators.

The administrators may configure SureLock to collect usage information, such as the number of calls, statistics (number of calls made or received, duration of calls, contact information etc). The SureLock will be able to read Your Call logs including contact name, phone number, duration of the call which is transmitted and stored in our secure server. This information is available even when the application is running in the background or is not actively used. The call log information stored in the server will never be shared with any third party or applications for any reason whatsoever.

SMS Related Information:

With clear and explicit prior consent the SureLock may be configured by the IT administrator to collect the text messages sent or received. This information may assist the administrator in managing SMS limits on the user cellular plan.

Based on how the administrator has configured SureLock, the data may include:

1. The number of SMS sent or received; and
2. Contact name date and time
3. Content of the SMS, etc

The aforesaid collection of the SMS logs are limited to the legitimate purpose(s) mentioned herein and stored in our secure server which is never shared or transferred to any third party or applications. This information is available even when the application is running in the background or is not actively used.

Contacts: If You choose to enable the functionality of “Contacts”, the SureLock will be able to collect Your Contact Information including contact name, phone number, even when the app is running in the background or is not actively being used. This will allow your SureLock Administrator to allow or block the incoming and outgoing calls based on the contact information, and remotely delete a contact.
Further, Contact details may be transmitted and stored on our secure server for purposes of generating reports for SMS and Call logs . The data stored in the server is never shared with any third party or applications and processed only in accordance with applicable privacy regulations, including Art. 6 Para. 1 (f) GDPR on the basis of our legitimate interest.

SureVideo:

• Access to All Files Permissions: SureVideo has the ability to read all your files on the device storage (including all the documents, pictures, and music), which allows the administrator to remotely configure application settings, set up a custom album view, and add playlists.
  Allowing SureVideo to have file system access allows you to use the full functionality for the aforementioned purpose(s).
  SureVideo will request this access, and You can choose to allow or deny the request as per your preference. SureVideo maintains privacy by not sending or storing this data to its server. Further, SureVideo doesn’t transfer or share this information with any other third-party application for any reason whatsoever.
• Location Permission:  If enabled, SureVideo will be able to read your location data which includes access to your precise and approximate location. The location data is collected to allow Your SureVideo administrator to search and connect to the desired network via the Wi-Fi center plugin. The location data captured shall never be shared by SureVideo with any other third-party application.
  No location data is sent or stored in the server as the data is merely required to derive the scan results to connect to the desired wifi network.

CamLock Permissions: We use similar app permissions such as accessibility settings, background location, runtime permissions etc. to function Camlock properly which is a part of our SureMDM product. For further details, please refer: https://www.42gears.com/security-and-compliance/.

Cookies: Our website uses “cookies”, which are files in text format placed on Your (User’s) computer, to help the website analyze how Users use the site. The cookie provides information about Your use of the website (including Your IP address) for the purpose of evaluating and compiling reports on website activity and internet usage. You may refuse the use of cookies by selecting the appropriate settings on Your browser, however, please note that if You do this You may not be able to use the full functionality of this website.

• Examples of Cookies we use: For analytics and performance: These cookies help us understand how you use our services and use that data to optimize and improve our services. For example we use Google Analytics cookies to understand how visitors arrive at our website, which content they read or spend their time on, identify areas such as website navigation, user experience and marketing campaigns.
  Targeting Cookies or Advertising Cookies: These cookies collect information about your browsing habits in order to make advertising relevant to You and Your interests. They remember the websites You have visited and that information is shared with other parties such as advertising technology service providers and advertisers. In addition to our own cookies, We use some third-party cookies to report usage statistics of the service, deliver advertisements on and through the service, and so on. We also use a third party application Crazy Egg for tracking and analysing the activities of our website visitors. To find out Crazy Egg ‘s Privacy Practice and data security, please refer to the link here https://www.crazyegg.com/privacy. However, in case you wish to opt-out of the Crazy Egg’s services click on the link provided: https://www.crazyegg.com/opt-out
• How to opt-out: To opt-out from the cookies, you can configure your browser through appropriate settings. However, you will not be able to opt-out from cookies which are “absolutely necessary” for our services.

Links to third-party cookie providers and their privacy/opt-out pages:

• Google Analytics: Google Analytics Cookie Policy
• LinkedIn: LinkedIn Cookie Policy and LinkedIn Ads
• Intercom: Intercom Cookie Policy
• Facebook: Facebook Cookie Policies
• Google AdWords Conversion: AdWords Setting

For Customers in the European Union, our processing (use) of Your personal information is justified on the following legal basis:

• The processing is necessary to perform a contract with You or take steps to enter into a contract at Your request; This is the primary basis of our processing.

Other data

For Customers in the European Union, our processing (i.e use) of Your personal information is justified on the following legal basis:

• the processing is in our legitimate interests, subject to Your interests and rights, and notably our legitimate interest in using applicable data to conduct and develop our business activities; or
• You have clearly consented to the processing of Your personal data for a specific purpose.

We also use “Intercom”, a live chat platform that connects Users with our customer support team and during this process we collect some personal information such as name, email address and contact number with the express consent of the Users in order to start the conversation. The messages and data exchanged are stored within the Intercom application and Freshdesk. For more information on the privacy practices of Intercom and Freshdesk, please visit https://www.intercom.com/terms-and-policies#privacy and https://www.freshworks.com/privacy/1-jan-2020/ respectively.

We are not making use of these messages or data other than to follow up on Users registered issues or inquiries. Your personal data will be processed and transmitted in accordance with applicable regulation and You can also request us to delete the stored data as provided in this Privacy Notice.

 

“DO NOT TRACK” SIGNALS UNDER CALIFORNIA ONLINE PROTECTION ACT (CalOPPA)

Some internet browsers have enabled Do Not Track (DNT) features, which sends out a signal (called the DNT signal) to the website that you visit indicating that you don’t wish to be tracked. This is different from blocking or deleting cookies, as browsers with a Do Not Track feature enabled may still accept cookies. No industry standard currently exists on how companies should respond to Do Not Track signals, although one may develop in the future. Our website is not currently designed to recognize and respond to Do Not Track signals.

 

SECURITY

The nature of our services is such that we share a responsibility with our Customers for the security of data.

We aim to safeguard and protect Your personal data from unauthorized access, improper use or disclosure, unauthorized modification or unlawful destruction or accidental loss, and have adopted reasonable technical and organizational security measures. In line with 42Gears commitment to ensure protection of Your privacy and establish good business practices we have been certified by industry- standards such as ISO 27001:2013.

It is nevertheless important that our Customers recognise their responsibility in maintaining effective security in the use of our services. While we will use all reasonable efforts to safeguard Your personal data, You acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that transferred from You or to You via the internet.

NOTICE TO END USERS 

Many of our Products or Services are intended to be used by the organization or made available through an organization (eg. your employer), that organisation is an administrator of the Services who is responsible and has control over all the related accounts and/or services. In such a scenario, please direct your data privacy related questions to your administrator, as your use of the services is subject to that organisation’s policies. We don’t hold any responsibility for such privacy or security practices of an administrator’s organisation, which might be different from this Notice.

Administrators are able to:

• require you to reset your account password;

• restrict, suspend or terminate your access to the Services;

• access information in and about your account;

• access or retain information stored as part of your account;

• install or uninstall third-party apps or other integrations

In some cases, administrators can also:

• restrict, suspend or terminate your account access;

• change the email address associated with your account;

• change your information, including profile information;

• restrict your ability to edit, restrict, modify or delete information

Please contact your organization or refer to your administrator’s organizational policies for more information.

POLICY TOWARDS MINORS OR CHILDREN

We do not knowingly collect or solicit personal information from anyone under the age of 18 or knowingly allow such persons to register for the Services. It has also been provided in our Terms and Conditions for using our website.

 

OUR ONGOING EFFORTS TO BE TRANSPARENT

We continue to make available necessary information to help our Users better understand 42Gears processing of personal information and how to exercise choices regarding the use of Your personal information through various channels including this Privacy Notice and any other relevant information that may be made available timely on our website or on Your devices.

 

FURTHER INFORMATION

This Privacy Notice applies to all the products/services offered by us. Each of our third-party service providers have their own privacy policies/notice. You acknowledge that Your visit to any third-party service provider website will solely be at Your own discretion and risk. We do not claim knowledge of or ownership of any content in any third-party websites nor do we endorse any third-party website.

 

UPDATES TO THIS NOTICE

This Privacy Notice may be updated from time to time to bring in new security measures (if required) or to comply with applicable laws . You should review  this page periodically to ensure that You accept and are compliant with the amended Privacy Notice. Your continued use of this website will constitute Your agreement to this Privacy Notice and any amendments thereto. Changes to this Privacy Notice are effective when they are posted on this Page.

We value your privacy and your rights as a data subject and have therefore appointed Osano as our privacy representative and your point of contact.

Osano International Compliance Service Limited
ATTN: 8T2B
25/28 North Wall Quay
Dublin 1, D01 H104
Ireland

To Exercise your data subject rights or privacy related rights, please fill the subject access request form.

Further, 42Gears has appointed IPTECH LEGAL CONSULTANCY LIMITED COMPANY as our turkey representative as per Turkish Data Protection Law. We have been officially published at VERBIS- Data Controller Registry Information System, refer the following link for your perusal: https://verbis.kvkk.gov.tr/Query/Detailsq=RGDZ8czL0IwKmqW%2BU2XXfg%3D%3D&isNeviChange=duu6TOm7jzzm1f64DfpShw%3D%3D” 

If  You have any questions or concerns about this Privacy Notice, please feel free to email us at privacy@42gears.com.

 

version: 3.4

Last Updated: March 10, 2022

GDPR

GDPR STATEMENT

The European Union (EU) General Data Protection Regulation (GDPR), enforceable as of May 25, 2018, imposes additional requirements upon companies to enhance the protection of personal data of EU residents. 42Gears Mobility Systems has a dedicated, core-functional team overseeing 42Gears’ GDPR readiness. We discuss our efforts and commitment to GDPR below.

 

42GEARS’ COMMITMENT TO GENERAL DATA PROTECTION REGULATION

GDPR regulates the governance of personal data for European Union citizens with a prominence on data security and data privacy. The GDPR not only applies to companies that operate in the European Union (EU) but also impacts companies operating outside of the EU, if they process any personal data of any of its customers in the EU.

42Gears has established its information security and data privacy principles to protect the privacy and information rights of its customers. We are strenuously committed to GDPR compliance.

 

LEGITIMATE INTEREST FOR COLLECTION AND PROCESSING

Data collected from website users

For Customers in the European Union, our processing (i.e use) of Your personal information is justified on the following legal basis:

• the processing is necessary to perform a contract with You or take steps to enter into a contract at Your request; this is the primary basis of our processing.
• the processing is in our legitimate interests, subject to Your interests and fundamental rights, and notably our legitimate interest in using applicable data to conduct and develop our business activities; or
• You have clearly consented to the processing of Your personal data for a specific purpose.

Data collected through the use of our products and services

For Customers in the European Union, our processing (use) of Your personal information is justified on the following legal basis:

• the processing is necessary to perform a contract with You or take steps to enter into a contract at Your request; This is the primary basis of our processing.

To be able to process the data, we may rely on different legal bases including Your consent, contractual necessity, comply with the legal obligations, necessity to respond to Your requests etc.

 

USE OF PERSONAL INFORMATION

What follows is an overview of the purposes for which we use the personal information we collect.

Data Collected from Website users

• conduct and develop our business with You and with others.
• engage and update You about events, promotions, the websites and our products and services including software updates.
• provide You with documentation or communications which You have requested.
• correspond with Users to resolve their queries or complaints.
• provide You with any Services You request.
• send You marketing communications, where You have subscribed and consent to receive such marketing communications or where it is lawful for us to do so;

Data collected through the use of our products and services

• conduct and develop our business with You and with others.
• process, evaluate and complete certain transactions involving our products and services.
• maintain our internal business and accounting records.
• provide You with any Services You request.
• manage, protect against and investigate fraud, spam filtering, risk exposure, suspected illegal activity, claims and other liabilities, including but not limited to violation of our contract terms or laws or regulations.

Other data

• operate, evaluate, maintain, improve and develop our products and services or our websites (including by monitoring and analyzing trends, access to, and use of the website for advertising and marketing);
• customize our websites, products or services to users’ needs;

 

RETENTION OF PERSONAL DATA

We retain Your personal data for as long as required to fulfill the purposes for which it was collected.  A summary of our approach to retention is outlined below:

Data Collected from website users

We retain this information for the duration of our relationship with the Customer. Once You have initiated and, where appropriate consented to our communication, You have the right to request us to stop communication (see the ‘Rights’ tab on this privacy page).

Data collected through the use of our products and services

At the outset of User to unsubscribe or non-renewal or termination of active license the data remains for 6 months on our live system and subsequently the data is retained for further 3 months in the secured AWS(Amazon Web Services) backup system which gets permanently deleted therefore. Apart from AWS we store data in MongoDB, Atlas and Google Cloud Platform(GCP)

In case the User initiates request for the deletion of the active license, we delete all the data held within two weeks of obtaining the request until and unless to the extent required by any applicable law to retain some or all of the data for further period. Further, We retain this data for 3 months in the secured and encrypted backup system which gets permanently deleted thereafter. Active license herein includes both the trial and paid licenses.

However, data relating to our commercial arrangement (billing information) will be held as long as necessary for us to fulfil our statutory record-keeping obligations.

Other data

We store other data for as long as needed to fulfil its purpose. We have a default retention period defined and take what we consider are reasonable measures to remove the data once this has expired.

In some circumstances, we may retain personal data for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity having authority to make the request, for so long as required.

In specific circumstances, we may also retain Your personal data for longer periods of time corresponding to a statute of limitation, so that we have an accurate record of Your dealings with us in the event of any complaints or challenges. However, the actual retention periods may vary significantly in context of different products and their underlying purpose.

When we have no on-going legitimate business need to process Your personal data, we will either securely destroy, erase or delete it, or if this is not possible (because Your personal data has been stored in backup archives), then we will securely store Your personal data and isolate it from any further processing until deletion is possible.

However, we continue to evolve our controls, schedules and practices for information and records retention and destruction which apply to Your personal information.

 

INTERNATIONAL TRANSFERS

We will take reasonable steps to ensure the security of your Personal Data in accordance with applicable data protection laws. We will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting appropriate safeguards in place to ensure an adequate level of protection for the Personal Data when making any transfers of Personal Data from the EEA, Switzerland and the UK to countries which do not have the same data protection laws as the EEA, Switzerland and the UK.

When transferring Your Personal Data outside the EEA, Switzerland and the UK, we will, where required by applicable law, implement at least one of the safeguards set out below:

Adequacy decisions: We may transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the UK and/or European Union authorities. For further details, see https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

Model Clauses: Where we use certain service providers we may use specific contracts approved by the UK and/or European Authorities which give Personal Data the same protection it has in the UK and the EEA. For further details, see https://ec.europa.eu/info/law/law-topic/data-protection/data- transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en. Further details can be found at: https://aws.amazon.com/compliance/eu-us-privacy-shield-faq/ and https://aws.amazon.com/compliance/gdpr-center/ However, where You are using 42Gears UEM SureMDM – Software as a Service solutions, You can select whether processing of device specific information takes place in the EU or in the United States when You first register for such service. Your consent to this Privacy Notice followed by Your submission of such information represents Your agreement to that transfer.

We will protect the personal information in accordance with this Privacy Notice. We take appropriate contractual or other measures to protect the personal information in accordance with the applicable laws pertaining to Data Protection and ensure that no transfer of Your personal information will take place to an organization or a country unless there are adequate controls in place including security of Your data and other personal information.

With respect to Personal Data received or transferred to the United States, 42Gears Mobility Systems Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

In certain conditions. we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements but the same shall be subject to the strictest confidential terms agreed.

With respect to Personal Data subject to LGPD’s jurisdiction, We will also accomplish LGPD’s requirements for transfers of Personal Data to countries which do not have the same data protection laws.

Data Processing Addendum: To enable You to be compliant with the data protection obligations under the GDPR, we have an updated Data Processing Addendum which now includes Standard Contractual Clauses (SCCs) which You agree and sign at the time of logging in our SureMDM Product.

 

TIME LIMIT TO RESPOND

We try to respond to all legitimate requests within one month. Occasionally it takes us longer than a month if Your request is particularly complex or You have made several requests. In this case, We will notify You and keep You updated.

If You are a European Customer and You are unhappy with our response to a query or You have a further complaint, the Information Commissioner’s Office can be contacted at https://ico.org.uk.

If You have any questions in respect to this Privacy Notice, or would like to exercise Your right please write to us at privacy@42gears.com.

other Data Protection laws

2020 has witnessed some new data protection legislations across the globe which has evolved from the world’s strongest set of data protection rules known as GDPR (General Data Protection Regulation).

Almost every country has enacted some sort of data privacy laws to regulate how information is collected and used, how data subjects are well informed and what level of control a data subject has over his data being shared or transferred to the organisation(s).

Some of these enactments are :

1. California Consumer Privacy Act (CCPA)

If You are a California resident, You are entitled to certain rights with respect to personal information that We collect about You. Learn more about these rights and how to exercise them in our California Privacy Notice.

2. Lei Geral de Proteção de Dados (LGPD)

LGPD is a new Brazilian data protection law that will come into effect on 15th August 2020 echoing the new principles similar to GDPR and CCPA provisions.
This new data privacy legislation having an extraterritorial scope will apply to all the global businesses dealing with personal data of Brazil citizens regardless where the organisations are located.

This new Brazilian law requires the organisations to be more responsible and accountable while collecting and processing all or any personal data of Brazilian citizens.

LGPD requirements are significant and we confidently meet these upcoming compliance standards having robust privacy and security protections embedded in our products and services offerings.

3. The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA is a Canadian Federal Privacy law that regulates how private sector organizations handle personal information related to Canadian citizens when engaging “commercial activity”.

This law has expanded its scope to include the organisations which have a real and substantial connection with the citizens of Canada.

PIPEDA provisions allow individuals the right to know why their personal data is being collected, how it will be used, and to whom it will be disclosed and all the rights ranging from access to the deletion.

All our instituted policies and security measures mentioned in our Privacy Notice are in compliance with PIPEDA legislation.

4. Personal Data Protection Act (PDPA) Thailand

The Personal Data Protection Act, B.E. 2562 (2019) (‘PDPA’) which is Thailand’s first consolidated data protection law, was published in the Thai Government Gazette on 27 May 2019 and will take effect on 27 May 2020.

The legislation aims to guarantee protection for individuals and their personal data with imposing similar obligations on businesses when collecting, using, and disclosing personal data.

Further, once the data protection authority i.e. the Personal Data Protection

Committee (‘PDPC’) is established, further sub-regulations and guidance on the PDPA will be issued and updated by us accordingly.

In addition, the PDPA mirrors the GDPR’s extraterritorial applicability and applies to data controllers and data processors outside of Thailand if they process personal data of data subjects in Thailand and offer goods and services to, or monitor behaviour of the data subjects.

In this regard, we ensure to provide Thailand residents with several privacy rights, including the right to erasure, the right to be informed, the right to object, the right to data portability, and the right to access etc as outlined in our Privacy Notice and other similar provisions in order to comply with this landmark legislation.

 

Protecting our customers information and their users privacy is extremely important to us.
We continually monitor compliance and controls to ensure ongoing data security as per the applicable laws in relation to the collection, use, disclosure, and protection of personal information.

For more details regarding what, why and how we collect and process your data, please refer to our PRIVACY NOTICE.

Please be assured that all the commitments and principles embodied in our Privacy Notice with respect to  the transparency and the data subject legally ascribed rights applies to Brazil, Canada and Thailand citizens in its entirety.

Service Providers

DISCLOSURE OF PERSONAL DATA TO SERVICE PROVIDERS

We engage third parties to support the services we deliver to You. These third parties assist us in providing information, products or services to You, in conducting and managing our business, or in managing and improving our products/Services or our websites.

We share Your personal data with these third parties to render services for which they have been engaged by us to perform on our behalf, subject to appropriate contractual restrictions and security measures, or if we believe it is reasonably necessary to prevent harm or loss, or we believe that the disclosure will further an investigation of suspected or actual illegal activities or if required to do so by law or in response to a valid requests by public authorities (eg. a court or a government agency)

In addition , we reserve the right to transfer your personal information we hold about you to the relevant third parties in the event of actual or potential sale or transfer for all or portion of our business or assets including the event of merger, acquisition, joint venture, reorganization, dissolution, liquidation or other business related transaction.

The third parties may include:

• Cloud infrastructure providers such as Amazon Web Services (AWS).
• Cloud application and productivity providers to support our internal office operations such as email and document management.
• Administration and support: to enable customer support and assist in sales management.
• Marketing and Newsletter: To manage our email communication with our Customers for marketing purpose such as newsletters etc.
• Payment Gateways: We work with commercial payment gateways such as PayPal, Stripe, Chargify and BlueSnap. Customers can select the payment gateways, upon selection You are transferred to systems controlled by these service providers to complete the payment. The payment gateways render the payment services as a data controller and comply with all the obligations for processing the data under the applicable data protection laws and their respective Privacy Notice. We do not store or collect Your payment card details in any manner whatsoever.

That information is provided directly to our third-party payment processors whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

The payment processors we work with are:

• Stripe
• Their Privacy Policy can be viewed at https://stripe.com/us/privacy
• PayPal: https://www.paypal.com/en/webapps/mpp/ua/privacy-full
• Plimus: https://home.bluesnap.com/privacy-policy/

We do not share, sell, rent, or trade any of Your personal information to third parties, other than as necessary to deliver the services we provide You or to administer our business. These third parties don’t have any independent right to share or sell any of Your personal information.

For the further details please refer our sub-processor’s list here: https://www.42gears.com/list-of-sub-processors/

Rights

YOUR RIGHTS

For Customers in the European Union, Your rights under the GDPR are outlined below. For Customers outside the European Union, You may have some or all of the following rights available to You in respect of Your personal data, depending on the reason for processing this data:

Right to be informed

You have the right to obtain a copy of Your personal data together with information about how and on what basis that personal data is processed.

We do not sell your data to any third party. You can request for a copy of your PII processed with us through DSAR FORM (https://www.42gears.com/legal-and-privacy/privacy-policy/subject-access-request-form/). The said information provided to you after placing this request through the DSAR Form serves as an evidence of how we process your PII data and legal purposes for which your PII data is processed by us.

Right of access

You have the right to access Your personal data and supplementary information that we hold about You at minimal or no cost in accordance to the applicable laws and guidelines issued in this regard. In certain circumstances, and depending on applicable laws, we may not be able to provide access to the personal data that we hold about you if:

• access may adversely affect the rights and freedoms of others.
• would likely reveal personal data about a third-party;
• would reveal 42Gears or third-party confidential information;
• could reasonably be expected to threaten the life or security of another individual ; or
•  Includes information that was processed in relation to the investigation of a breach of an agreement or a contravention of a law.

In order to safeguard your personal data from unauthorized access, we may ask that you provide sufficient information to identify yourself prior to providing access to your personal data.

Depending on the circumstances and subject to applicable laws, we may deny processing your request if:

• we are unable to verify and authenticate your identity;

• it is unreasonably repetitive or automated; or

• it would be overly broad, ill-defined, or require disproportionate effort which renders the request manifestly excessive.

You have the right to request for restriction on processing of your data by us through DSAR Form (https://www.42gears.com/legal-and-privacy/privacy-policy/subject-access-request-form/). In any event, we may need to process your data for purposes of storage in accordance with our internal Retention policy and/or in compliance with applicable law or court orders, we may reject your request for restriction of processing of your data.

Right of Rectification

You have the right to update or rectify inaccurate personal data (including the right to have incomplete personal data completed) that we hold about You .
We have a full right to consider the request in the context in which it is made and can deny if found manifestly unfounded or excessive.

Right to Erasure

 You have the right to request that we delete the  personal information we hold about You.
Upon Your written request and to the extent authorised by the applicable law, we will erase your personal data using the reasonable technical measures (except on the grounds mentioned in this Privacy Notice or unless a lawful basis exist to retain it ) when:

• you withdraw your consent to Processing unless some other lawful basis exists for us to continue to Process your personal data;
• It is no longer necessary to Process your personal data
• you object to the Processing and no overriding legitimate grounds exist for us to Process your personal data;
• the personal data has not been lawfully Processed by us; or
• You have a legal obligation imposed under applicable data privacy law to which we might be subject to.

Right to data portability

You have the right to transfer Your data in machine-readable format to a third party  when we justify our processing on the basis of Your consent or the performance of a contract with You;

Right to Object

You have the right to object, on grounds relating to Your particular situation, at any time to any processing of Your personal data by us. You also have the right to object at any time to any processing of Your personal data for direct marketing purposes, including profiling for marketing purposes.

Right to lodge a complaint to Your local Data Protection Authority

You may have the right to lodge a complaint with Your National Data Protection Authority or Equal Regulatory Body.

In some cases, We may demonstrate that We have compelling legitimate grounds to process Your information which overrides Your rights and freedom.

Automated decision making

We do not employ solely automated decision making, as a matter of course, that results in automated decisions being taken (including profiling) that legally affect You or similarly significantly affect You. Automated decisions mean that a decision concerning You is made automatically on the basis of a computer determination (using software algorithms), without our human review. If You are to be subjected to automated decision making, We will make it clear at that time and You have the right to contest the decision, to express Your point of view,and to require a human review of the decision.

Rights where 42Gears acts as a Data Processor

We provide many services that are used by our customers to collect or direct us to collect personal information about You. If that is the case, we are processing such information only on behalf of our customers and if You seek to exercise Your rights should first direct Your query to our customers (the “Controller”)

You have the right to terminate the contract in the event that an objection request raised by you with respect to your Rights as elaborated here and through DSAR (https://www.42gears.com/legal-and-privacy/privacy-policy/subject-access-request-form/), that have not been resolved satisfactorily within a reasonable time period provided by us. However, we reserve the right to reject the objection(s) raised by you if such request is in violation of applicable law, court orders etc.

EU Representative

We value your privacy and your rights as a data subject and have therefore appointed Osano as our privacy representative and your point of contact.

Osano International Compliance Service Limited
ATTN: 8T2B
25/28 North Wall Quay
Dublin 1, D01 H104
Ireland

To Exercise your data subject rights or privacy related rights, please fill the subject access request form.

CONTACT DETAILS

• We recognize that You may have questions on how we process Your data, or You may want to change either the data we hold or how we communicate with You in the future.
• You may unsubscribe from receiving marketing or commercial communications about 42Gears or 42Gears products and services by clicking the unsubscribe link at the end of the marketing or commercial communication from 42Gears or by writing us at privacy@42gears.com apprising us what particular types of marketing or commercial communications You no longer wish to receive.
• If You have any questions or concerns about this Privacy Notice, please feel free to email us at legal@42gears.com.
• 42Gears has appointed Ms. Uma Anand, as its ISMS manager and she can be reached at uma.anand@42gears.com