Who are we and what is the purpose of this Notice?
Zafin and its group of companies (“Zafin”, “we”, “us” or “our”) are committed to protecting the privacy and security of Personal Information and handling it in accordance with data protection and privacy laws.
Table of contents:
- Personal Information we collect and how we Use it
- Will we share your Personal Information?
- Security and Retention of Personal Information
- Rights Regarding Personal Information
- Children’s Privacy
- Governing Law
- Changes to this Notice
- Contact Us
- Notice for individuals in the UK and EEA
- California Consumer Privacy Act Notice
We have included the following definitions to help you understand the contents of this Notice:
“CCPA” means the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (Cal. Civ. Code 1798.100 et seq) and their regulations.
“Collection” occurs when Zafin finds itself in custody or control of personal information. Note that this includes information that Zafin receives even when the data was not requested.
“Consent” is an individual’s freely given, specific and informed agreement to the processing of their personal information.
“EEA” means Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.“Personal Information” means information about an identifiable individual and includes the term “Personal Data” under the GDPR and UK GDPR.
“PIPEDA” means Canada’s federal Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5.
“Process” is an operation or set of operations performed upon Personal Information.
“UK GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679 as it forms part of domestic law in the United Kingdom by virtue of section 3 of the EU (Withdrawal) Act 2018 (including as further amended or modified by the laws of the United Kingdom or a part of the United Kingdom from time to time).
“Use” means the process of collecting, accessing, storing, reading, modifying, analyzing, or changing Personal Information. This includes when Zafin uses a service provider or vendor to carry out these tasks on its behalf.
Personal Information we collect and how we Use it
Zafin’s primary source of information for processing is de-identified Personal Information provided to us by our customers. They remove direct identifying attributes from data sets by excluding them or replacing them with random data ‘tokens’. Zafin delivers data analytics and related services on this de-identified data. Zafin does not attempt to re-identify individuals in these data sets. Notwithstanding this, Zafin’s policy protects these data as Personal Information.
Personal Information means information about an identifiable individual. In other words, Personal Information is data about you that a person may use to identify you. We take steps designed to ensure that only those who need access to your Personal Information to fulfill their employment duties can access it. We have set out below where we collect your Personal Information, what we collect, and how we Use it. We have also provided links to more detail specific to your region, to help you to understand Use of your Personal Information.
How we collect and use your Personal Information when you visit and use our Website
We will use this information:
- To operate, maintain, enhance, and provide all features of our Website;
- To understand which parts of the website are visited and how frequently;
- To provide access to desirable content based on your preferences
- To provide support to users of the Website;
If you choose to withhold any Personal Information requested by us for the purpose of providing a service, it may not be possible for you to gain access to certain parts of the Website or use the requested service.
How we collect and use Personal Information for marketing purposes
When you fill in a form
If you fill in a form on our website, on an advertiser platform (e.g. LinkedIn), or at an event, we will collect the information you include on the form such as your name, contact details (telephone number, mailing address and email address), business contact details (job title, business email address, business telephone number) and details of the organization you work for. We will also capture your areas of interest, types of communications you would like to receive, and marketing preferences.
We will use this information:
- To fulfil your request;
- To send you information about our products and solutions;
- To provide access to content (e.g. whitepapers, case studies);
- To administer subscriptions to Zafin publications and newsletters;
- To organize events;
- To respond to questions about Zafin;
- To provide support to visitors of our Website
When we collect and Use publicly available Personal Information
We may collect information such as your name, business contact details (job title, business email address, business telephone number) and details of the organization you work for, using publicly available information, such as social network profiles (e.g. LinkedIn).
We will use this information:
- To design marketing campaigns;
- To market our products and services;
- To organize events;
- To tailor our marketing and sales activities to your company’s interests;
How we collect and use your Personal Information when the organisation you work for is a prospective, current or former customer
If you work for an organization that is a prospective, current or former customer, we will collect your name, contact details (telephone number, mailing address and email address), business contact details (job title, business email address, business telephone number), and details of the organization you work for. We will Use this information:
- To organize a demonstration of our products and services;
- To provide a quotation if requested;
- To negotiate and conclude contracts;
- To set up and administer the commercial arrangement;
- To set you up with a login on our systems;
- To provide data analytic and related services to the organisation you work for;
- To administer contracts;
- To process and manage invoices and payments;
- To resolve disputes;
- For the purposes of any company acquisition or disposal, for compliance with legal obligations, for law enforcement and any other purpose required by law.
If you choose to withhold any Personal Information requested by us for the purpose of providing a service you may not be able to access or use the requested service. If you have any concerns about whether you need to provide the Personal Information, please contact the Privacy Office.
Will we share your Personal Information?
In some cases, we may share Personal Information with trusted service providers for processing and to help us provide, maintain, and improve our services. We remain accountable for that Personal Information’s privacy and security and use contractual or other means to ensure that service providers meet our privacy and security requirements.
We may make certain automatically collected, aggregated, or otherwise non-personally identifiable information available to third parties. . We do not sell any Personal Information to any third party so that they can send you their marketing material.
Who do we share your Personal Information with?
We have set out below the third parties we may share your Personal Information with. If we do this, we will put in place a contract with them which controls how your Personal Information may be used and which requires that your Personal Information is treated in accordance with relevant data protection laws.
- With companies who provide support for our internal IT systems: We use reputable third parties to provide us with our IT systems (including our Website’s hosting service provider) and support for them. They may access your Personal Information to the extent that they need to in order to provide their services and deal with any issues.
- With companies who provide marketing services: We may make certain automatically-collected, aggregated, or otherwise non-personally identifiable information available to third parties for various purposes, including, to assist such parties in understanding your interests, habits, and usage patterns for programs, content, services, and functionality available through the Website.
- With companies who support our products and services: We use reputable third parties to assist with sales and marketing (including customer service and incident management), product engineering and design tools (including software issue tracking), and identity services (including identity federation for single sign on and authentication). They may access your Personal Information to the extent that they need to in order to provide their services and deal with any issues.
- With a company that we merge with or transfer our business assets to: In the event that we sell all or part of our business, or merge with another company, we may transfer Personal Information that we have collected as described in this Notice, along with our other business assets, to the company that we are selling to or merging with.
- For Compliance with employment, reporting or other obligations
- With entities, organisations or individual for legal reasons: We will share your Personal Information with entities, companies or individuals where this is strictly necessary to comply with any law, rule, regulation, governmental request or legal procedure that is applicable to us.
- With entities, companies or individuals to obtain advice: We will share your Personal Information with external professional advisors such as lawyers or accountants in order to take advice and for the purposes of legal and tribunal proceedings or enforce the terms of our agreements.
We will only disclose such Personal Information to any third party as is necessary to enable them to carry out the function or purpose for which it is disclosed. If you would like further information on the third parties we may share your Personal Information with and our legal basis for sharing your Personal Information with third parties, please contact the Privacy Office.
Security and Retention of Personal Information
Zafin has implemented various physical, administrative, and technical safeguards designed to protect Personal Information from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed. These safeguards include security reviews and controls such as limiting access to your Personal Information to those employees and other third parties who have a business need to know, and who are subject to a duty of confidentiality. However, no security measures are absolute or wholly guaranteed. You agree to be responsible for all activities conducted on the Website.
We will only keep your Personal Information for as long as reasonably necessary to fulfil the relevant purposes set out in this Notice and to comply with our legal and regulatory obligations.
If a dispute arises between us, we will keep your Personal Information for the purposes of responding to and dealing with this dispute and this may mean that we keep your Personal Information for longer. If you would like further details, please contact the Privacy Office.
Rights Regarding Personal Information
- Access copies of the Personal Information we hold about you;
- Request that any necessary corrections be made, where applicable, as authorized or required by law; and
- Request deletion of your Personal Information, where applicable, as authorized or required by law.
The Website is not directed to children under the age of 16, and we do not knowingly collect Personal Information from children under the age of 16 without obtaining parental consent. If you are under 16 years of age, please do not use or access the Website at any time or in any manner. If we learn that Personal Information has been collected via the Website from persons under 16 years of age and without verifiable parental consent, then we will take the appropriate steps to delete this information. If you are a parent or guardian and discover that your child under 16 years of age has provided Personal Information, then you may alert us as set forth in the “How to Contact Us” section and request that we delete that child’s Personal Information from our systems.
This website and Zafin are based in Canada and are governed by the applicable privacy and data protection laws in Canada. Your Personal Information may be stored or processed in any country in which Zafin or its service providers have facilities, and by using this Website or applicable Zafin services, you agree to the transfer of your information to countries outside your country of residence, which may have different data protection rules than in your country. While such information is outside of Canada, it is subject to the laws of the country in which it is held. It may be subject to disclosure to the governments, courts, law enforcement, or regulatory agencies of such another country, pursuant to such a country’s laws.
If you are an individual in the United Kingdom (UK) or European Economic Area (EEA), see the UK/EEA Notice. If you are a resident in California, see the California Consumer Privacy Act (CCPA) Notice.
Changes to this Notice
We may change this Privacy Notice. Changes to this Notice become effective when posted on our website, please note the “Last Updated” date. Your continued use of the website after the revised Notice has become effective indicates that you have read, understood, and agreed to the current version of the Notice.
If you have any questions or comments about this Notice or your Personal Information, to make an access or correction request, to exercise any applicable rights, to make a complaint, or to obtain information about our policies and practices, our Privacy Office can be reached using the following information:
|401 W. Georgia St., Suite 1701|
Vancouver, British Columbia
Attention: Privacy Office
Notice for individuals in the UK and EEA
If you are based in the UK or EEA, please note that the term Personal Information used in this Notice is equivalent to the term “personal data” under the GDPR and other applicable European data protection laws. Canada’s laws have been determined to be ‘adequate’ by the Commission of the European Union, which means that we are providing equivalent protection to you by complying with Canadian law.
Personal Information we collect, how we Use it and our lawful basis
How we collect and use your Personal Information when you visit and use our Website and our lawful basis
We have explained in the above section the Personal Information we will collect about you and how we Use it when you visit our Website. Full details can be found here.
This Use is on the legal basis that it is in our legitimate interests as a business to be able to respond to inquiries that we receive and ensure that our Website is operational, functional and maintained. We have considered our legitimate interests carefully and have balanced our legitimate interests against your rights under data protection law. We consider that this Use is proportionate because we will only Use the Personal Information we get from you to respond to your inquiry and it is in your reasonable expectations that we would need to Use your Personal Information to be able to respond to you and ensure our Website is operational and functional.
For details about what cookies we Use on our Website and our legal basis for them click here.
How we collect and use your Personal Information when you have agreed that we can market to you and our lawful basis
We will collect your Personal Information to send you information about our services, events and news. Full details can be found here.
Under data protection law we must have a legal basis to Use your Personal Information. Where we Use your Personal Information for marketing, we do this on the basis that you have consented to us sending you marketing. You have the right to change your mind about this at any time. There will be unsubscribe links in all the marketing emails that we send you, and you can also contact us at any time to ask us to stop sending marketing to you. If you wish to do this please contact the Privacy Office.
How we collect and use your Personal Information when the organisation you work for is a prospective, current, or former customer and our lawful basis
We will collect and Use your Personal Information to provide the quotation, negotiate and conclude contracts, and set up our customer arrangement with the organisation you work for. Full details of what is collected in each of these categories can be found [here].
The legal basis for using your Personal Information in this way is that it is in our legitimate interests as a business to be able to contact you to provide a quote and to manage and assist with the conclusion and ongoing performance of a contract with your organisation. We have considered our legitimate interests carefully and have balanced our legitimate interests against your rights under data protection law. We consider that this Use is proportionate because it is relevant and appropriate to our relationship with you, it is in your reasonable expectations that we would need to Use your Personal Information to contact you in this way and we only Use your business contact details for matters which relate directly to our relationship with the organisation you work for.
Do we Use your Personal Information to make automated decisions?
Automated decision-making takes place when an electronic system uses Personal Information to make a decision without human intervention. You have the right not to be subject to automated decisions that will create legal effects or have a similar significant impact on you, unless (i) you have given us your consent (ii) it is necessary for a contract between you and us, or (iii) is otherwise permitted by law. You also have certain rights to challenge decisions made about you. We do not currently carry out automated decision-making in connection with your Personal Information.
Will we transfer your Personal Information outside the UK/EEA?
We will only transfer your Personal Information outside the UK/EEA as follows:
- To our IT systems based in Canada;
- To companies who support our products and services (in Canada and the United States, as applicable)
- Where our third-party service providers who we share Personal Information with (such as cloud service providers) are based outside the UK and/or EEA, have support services located outside the UK and/or EEA or host Personal Information outside the UK and/or EEA.
We only transfer your Personal Information outside the UK/EEA where we have a legal basis for doing so and where we ensure that your Personal Information is protected to the same standard as it would be protected in the UK/EEA. As Canada has a finding of adequacy with the UK and EU, your Personal Information is held to the same level of protection as if it were in the UK and EEA.
Where appropriate, we enter into data sharing agreements with the recipients of your Personal Information based outside the UK/EEA which comply with the EU Commission’s standard clauses and the UK addendum to the standard clauses (if applicable), or the UK Information Commissioner’s International Data Transfer Agreement for the transfer of Personal Information. We also have carried out any requisite transfer risk assessments or transfer impact assessments.
If you would like further details about our transfer of your Personal Information outside the UK/EEA or details of the safeguards put in place in relation to your Personal Information please contact the Privacy Office.
Your Privacy Rights
As an individual in the UK/EEA, you have certain rights regarding our processing of your Personal Information. This is set out in more detail below. If you wish to exercise any of these rights, you have the right to make a complaint to the supervisory authority in your country. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority and so, if you are happy to do so, please contact the Privacy Office.
- Right to object: You can object to our processing of your Personal Information where we are relying on a legitimate interest (or those of a third party) or profiling activities, and there is something about your particular situation which makes you want to object to processing on this basis. Please contact us as noted above, providing details of your objection.
- Access to your Personal Information: You can request access to a copy of your Personal Information that we hold, along with information on what Personal Information we Use, why we Use it, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can request access free of charge. Please make all requests for access in writing to the Privacy Office.
- Consent: Most of the time, we won’t need your consent to Use your Personal Information as we will be using it only to fulfil our contract with you as one of our clients or it is in our legitimate interests. This legitimate purpose includes Personal Information required to create, maintain, and terminate the commercial relationship. There are limited circumstances where we may ask for your consent to process your information. Where you have given us your consent to Use your Personal Information, you can withdraw your consent at any time by contacting the Privacy Office at [email protected].
- Rectification: You can ask us to change or complete any inaccurate or incomplete Personal Information held about you. If we choose not to do so, we will provide you with a written statement explaining why the request could not be met.
- Erasure: You can ask us to delete your Personal Information where it is no longer necessary for us to use it, you have withdrawn consent and we have no other legal basis to keep your Personal Information, you have asked us to review and explain our legitimate interests to you and we don’t actually have a valid legitimate interest for keeping it, our Use of your Personal Information is illegal, or we have to delete your Personal Information to comply with our legal obligations. Please be aware that we may have legal obligations to retain records for a certain period after the commercial relationship ends. Where we are required by law to keep certain information, we will be unable to delete such information.
- Portability: You can ask us to provide you or a third party with the Personal Information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred where we are using your Personal Information on the basis of your consent or on the basis that it is necessary to perform a contract with you and the Use of your Personal Information is carried out by automated means.
- Restriction: You can ask us to restrict the Personal Information we Use about you where you don’t think the Personal Information we have about you is correct, so that we can check if it is correct, what we are doing with your Personal Information is illegal but you would rather we stop using your Personal Information rather than delete it, we don’t need your Personal Information anymore, but you need us to keep it so that you can exercise any legal rights, or you have asked us to review and explain our legitimate interests to you, so that we can check whether we actually have a valid legitimate interest to do what we are doing.
California Consumer Privacy Act Notice
This California Consumer Privacy Act Notice (“CCPA Notice”) is provided by us and provides specific notice in respect of specific provisions of the CCPA that are not already provided by this Notice or that need to be clarified in respect of the CCPA.
The Notice above explains how we collect, Use, and disclose Personal Information, including the Personal Information of California residents. The rights for individuals to request information about what Personal Information about them has been collected, as well as the right to request the deletion of Personal Information about them are also set out above and include California residents.
The CCPA only applies to information about residents of California. If you are not a resident of California, you may submit a request and we will process it, as described above.
Under the CCPA, “Personal Information” is information that identifies, relates to, or could reasonably be linked with a particular California resident or household.
Categories of Personal Information that we may collect, Use, or disclose.
The following table is categorized according to the classifications of the CCPA, and does not indicate a difference in the personal data identified in the Notice above:
|Category||Description||Third Party that may recieve|
|Personal Identifiers||Personal unique identifiers, such as full name and federal or state issued identification numbers and Social Security Number|
|Personal Information||Personal Information, including contact details such as telephone number and address, financial information such as account number and balance, as well as medical and health insurance information|
|Purchase Information||Purchase information, such as products and services obtained and transaction histories|
|Internet or Online Information||Internet or online information such as browsing history, and information regarding interaction with our websites, applications, or advertisements|
|Geolocation Data||Geolocation data, such as device location|
|Audio and Visual Information||Audio, electronic, visual, thermal, olfactory, or similar information, such as call and video recordings|
|Employment Information||Professional or employment-related information, such as work history and prior employer|
|Education Information||Education information, such as school and related information; and|
|Inferences||Inferences based on information about an individual to create a summary about, for example, an individual’s preferences and characteristics|