For questions about the privacy settings and practices of a particular Organization, please address your queries to the Customer in charge of the Organization to which you belong. If you have received an invite to an Organization but have not created an account, please contact the Customer who issued the invite for further guidance.
Under data protection regulations applicable in some jurisdictions, there is a distinction made between the "controller" who determines the purposes and means of processing personal data, and the "processor" who processes personal data on behalf of the controller. Typically, the Customer acts as the controller of Customer Content, while EXIN serves as the processor.
TheCustomer, as the controller, utilizes the Services to manage access to an Organization, assign user roles, configure settings, and control the CustomerContent through various actions such as accessing, modifying, exporting, sharing, and deleting data in accordance with their own policies.
EXIN, inits role as the processor, handles Customer Content solely based on theCustomer’s directions and in line with the stipulations of the CustomerAgreement, the Customer's interaction with the Services, and as mandated bylaw. For detailed information on the processing of Customer Content, including the processing of personal data, its purpose, the legal basis for such processing, and the rights of data subjects, reference should be made to the privacy notice provided by the relevant Customer.
For other types of data, as outlined in the third paragraph of the next section, EXIN isthe data controller. Any questions, concerns, or requests pertaining to your personal data can be directed to EXIN by contacting firstname.lastname@example.org.
Your personal data is sourced from your own disclosures, acquired from third-party entities, or generated internally by us through your interaction with the Services.
EXIN gathers and receives data that constitutes CustomerContent as well as other personal information (“Other Data”) through several methods:
Generally, no one is under a statutory or contractual obligation to provide any Customer Content or Other Data (collectively,“Personal Data”). However, certain Personal Data is collected automatically and, if some Personal Data, such as Organization setup details, is not provided, we may be unable to provide the Services.
Customer Content will be used by EXIN in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement andCustomer’s use of the Services, and as required by applicable law.
EXIN uses Other Data for the purposes of our legitimate interests in operating our Services, Websites and business. More specifically, EXIN usesOther Data:
Additionally, it should be noted that EXIN may retain specific kinds of Other Data following an account's deactivation for a timeframe necessary to support EXIN's legitimate business pursuits, conduct audits, adhere to legal responsibilities and demonstrate such adherence, settle disputes, and enforce contractual agreements.
This section outlines the ways in which EXIN may share and distribute personal data, as detailed in paragraph 3. The policies and methods regarding the sharing and disclosure of personal data are determined by theCustomers themselves, and EXIN does not have control over these decisions byCustomers or any other third parties.
EXIN adheres to the instructions provided by Customers for sharing and disclosing personal data, in line with the terms of the CustomerAgreement and how the Services are used, always ensuring compliance with applicable laws. However, for assessment results, EXIN only shares aggregated results with Customers, not individual ones. Additionally, EXIN may share personal data with third parties, but only if explicit consent for such sharing has been obtained.
Customer access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to personal data. This may include, for example, your employer using Service features to export logs of your activity or accessing or modifying your profile details.
Subcontractors. We may engage third-party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support ourCustomers.
Third-Party Services. Customers may enableThird-Party Services. When enabled, EXIN may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. Third-Party Services are notowned or controlled by EXIN and third parties that have been granted access to personal data may have theirown policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.
Partners. We may share personal data with developers, partners and others we engage to create Astride applications and/or integrating Astride features.
Corporate Affiliates. EXIN may share personal data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.
To comply with laws. If we receive a request for personal data, we may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
To enforce our rights, prevent fraud, and for safety.To protect and defend the rights, property or safety of EXIN, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.
Our Services may contain links to websites and services operated by third parties. If you follow a link to any of these websites, please note that these websites have their own privacy notices and terms and conditions. Further, we have no responsibility for, or control over, the information collected by any third-party website and we cannot be responsible for the protection and privacy of any information which you may provide to these websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.
For individuals in the European Union, the following additional terms apply:
GDPR refers to the General Data Protection Regulation(Regulation 2016/679), a law enacted by the European Parliament and Council onApril 27, 2016. It focuses on the protection of natural persons concerning personal data processing and the unrestricted movement of such data, superseding Directive 95/46/EC.
Member State denotes a country that is a member of the European Union.
In instances where your personal data is transferred to our group companies or third-party entities outside of the European Economic Area, we implement measures to ensure your data remains protected. This includes using Standard Contractual Clauses approved by the European Commission (as perArticle 46(2)(c) of the GDPR) to maintain data security.
When we act as the controller of your personal data, you are entitled to specific data protection rights under the GDPR. While these rights are comprehensive, they are not without legal limitations and exemptions. We commit to addressing any request to exercise your rights within a month.However, this period may be extended under certain conditions, in which case you will be informed within one month of your request. If we find your request to be unfounded or excessive, we reserve the option to charge a reasonable feeor decline the request. To exercise your GDPR rights, you can contact us by emailing email@example.com.
Access your personal data. You are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you.
Request erasure (deletion) of your personal data. You are entitled to ask us to delete or remove personal data in certain circumstances. There are certain exemptions where we may refuse a request for erasure. For example, where the personal data is required for compliance with law or in connection with legal claims. Where we rely on an exemption, we will inform you about this.
Request the correction or updating of your personal data.This enables you to have any incomplete or inaccurate data we hold about you corrected.
Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
Object to our processing of your personal data where we are relying on legitimate interests. You also have a right to object where we are processing your personal data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
Withdraw your consent. Where you have provided your consent to our processing of your personal data, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
Lodge a complaint at a supervisory authority. We will do our best to resolve any complaints you may have. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work, or where an alleged infringement of the applicable data protection law took place.
If you exercise the rights above and there is any question about who you are, we may require you to provide information in order to satisfy ourselves as to your identity.
If you are based in the United Kingdom, the following provisions apply:
UK GDPR means the Retained Regulation 2016/679 of theEuropean Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
If we share your personal data with our group company(ies)or third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018..
In relation to your data subject rights, paragraph 11(d)above applies, except that references to the "GDPR" will be read asreferences to the "UK GDPR", and in case wish to lodge a complaint with a supervisory authority, you may direct your complaint to the UKsupervisory authority, the Information Commissioner’s Office.