PRIVACY POLICY Vasco Connect

This Policy explains how Vasco Electronics (“Vasco” or “Administrator”) processes the data of individuals or entities using the Vasco Connect Application (“User”).

Personal data means any information in electronic or other form that, alone or in combination, can be used to identify an individual, or enables such identification.

Some of the data processed in the Application does not constitute personal data due to the impossibility of identifying the User based on it (general data). Vasco collects statistical data in order to understand how users use its products and services. This allows us to improve our services so that they better meet the requirements of users.

Capitalised terms have the meaning given to them in the Vasco Connect Terms and Conditions available at https://vasco-electronics.co.uk/terms-and-conditions-vasco-connect.

  1. The Administrator's details and contact details of the Administrator's representative

    The administrator of the personal data is Vasco Electronics Góralski Group S.K.A. with its registered office in Kraków at al. 29 listopada 20, 31-401 Kraków, NIP 6772369151, hereinafter referred to as “Vasco”.

  2. Categories of data processed on the Application

    Vasco collects Users' data, including data related to the use of the Application and to the Administrator's Services and services of affiliated entities. At the same time, Vasco Electronics is not responsible for the correctness or legality of the content of the data entered through the use of the Application. The information mentioned constitutes the following categories of personal data:

    1. Information concerning the use of the Application. Data such as access times, number of instances of access, IP address and event information (such as errors, suspensions, restarts and upgrades to new versions) and other diagnostic, technical, error and usage data, e.g. time and duration of use of the Services.
    2. User identification data. The Application enables the connection of an external device (translation buds) with the user's mobile device, through which the user can communicate and exchange information with other people. In this regard, the User's data such as name, e-mail address, nickname and other personal data indicated in the content of the communication or used for validation by external entities may be transferred to Vasco.
    3. Data contained in the content of communications. The data thus obtained through the User's use of the Application may contain information about the User and about other third parties. In the event that third party data is provided in this manner, the User declares that the User is in possession of all consents given by such third parties to the provision of such data, including personal data, and that the User has complied with the information obligation towards them under generally applicable law (e.g. GDPR).
  3. Purposes of personal data processing and legal basis for processing

    Depending on the category of such data, the Application may use Users' personal data for the specific purposes described below:

    1. Purpose — maintenance, analytical processes. For the Categories of personal data indicated in part II, paragraphs 1,2,4:
      1. to provide technical support;
      2. to send the user application updates and notifications of software installations;
      3. to carry out internal audits, data analysis and research;
      4. to analyse the performance of business operations and measure market share and, consequently, improve Vasco's products and services;
      5. to synchronise, share and store the data uploaded or downloaded by the Users and the data necessary to carry out the uploading or downloading operations;
      6. to collect analytical data in order to improve the accuracy of the translations carried out and to adapt the services to the User;

      We process the above data due to the need to fulfil our obligations towards Users, in particular for the purpose of properly delivering the service (article 6(1)(b) GDPR), and because we have legitimate interests in developing and enhancing the security of our services (article 6(1)(f) GDPR).

    2. Purpose — conclusion of the agreement. Category of personal data indicated in part II, paragraphs 3 and 4:
      1. to conclude the agreement for the provision of services with the User;
      2. to support the User;
      3. to carry out accounting and legal processes.

      We process the above data due to the need to fulfil our obligations towards Users, in particular for the purpose of properly delivering the service (article 6(1)(b) GDPR), and because we have legitimate interests in formulating the legal relationship between us and the User (article 6(1)(f) GDPR). The data in the above respect may also be used with the consent of the User who has provided us with their data for processing (article 6(1)(a) GDPR). The above data may also be processed to ensure compliance with the law and legal procedures, including the protection of the Administrator's or User's interests, as well as for accounting purposes (article 6(1)(c) GDPR).

    3. Purpose — provision of Services: performing translations and conducting the communication process. Category of personal data indicated in part II, paragraphs 1–4:
      1. to provide the services of a data administrator and/or third parties, in particular the possibility of performing translations;
      2. to provide all functionalities of the Application;
      3. to prevent losses and fraud;
      4. to protect the legal interest of the Administrator and/or the User;
      5. to fulfil the legal obligations incumbent on the Administrator of the data.

      We process the above data due to the need to fulfil our obligations towards Users, in particular for the purpose of properly delivering the service (article 6(1)(b) GDPR), and because we have legitimate interests in developing and enhancing the security of our services (article 6(1)(f) GDPR). The data in the above respect may also be used with the consent of the User who has provided us with their data for processing (article 6(1)(a) GDPR). The above data may also be processed to ensure compliance with the law and legal procedures, including the protection of the Administrator's or User's interests (article 6(1)(c) GDPR).

    4. Purpose — marketing. Category of personal data indicated in part II, paragraphs 1–3:
      1. to provide advertising and marketing services;
      2. to conduct promotional activities and discount campaigns;
      3. to send commercial information, offers, price lists and services of the Administrator.

      We process the above data with the consent of the User who has provided us with their data (article 6(1)(a) GDPR). The processing of data for the above purposes regarding display may also take place due to legitimate interests (article 6(1)(f) GDPR).

  4. Information on recipients of personal data or on categories of recipients, if any

    We do not share personal data with other entities or individuals except as described below:

    1. Sharing with consent: upon receiving consent to share personal data, Vasco will share with certain other companies or categories of other companies the information to which the consent relates.
    2. Sharing of personal data under applicable law: we may share information to the extent required by applicable law for the purposes relating to the settlement of legal disputes or at the request of administrative authorities and the judiciary, in accordance with applicable law.
    3. Sharing of data with affiliates: information about Users may be shared with affiliates (employees, associates) only for clearly described and lawful purposes, and such sharing is limited to information required in relation to specific services, e.g. to provide Services to the User.
    4. Sharing with business partners: the Services are delivered to Users directly or indirectly by our partners, through which some of the Services are provided. Vasco may share Users' data with such partners, and they in turn may use the data to perform translations and deliver them to Users.
    5. Sharing with service providers: we may also share users’ data with companies that provide us with services related to the day-to-day operations of the company. Examples of such service providers include companies, consultants, accountants, lawyers, programmers, etc.

    We ensure the lawfulness of data sharing and sign strict confidentiality agreements or data processing clauses with companies, organizations and individuals with whom we share personal data, making sure that both parties comply with the provisions of this Declaration and that appropriate measures are taken to ensure confidentiality and security during data processing.

    The User may also make their personal data or the personal data of third parties available to other parties in the course of communication via the Application. In this respect, the Administrator's responsibility is limited only to the processing of such data in the scope of the translation carried out. Due to the technological process of the translations, we do not recommend the inclusion of contents in the communication that may contain personal data of the User or other third parties. If the User enters such data, they shall be aware of the scope and purpose of its processing and, as far as third-party data is concerned, they declare to have the legally required consent for its disclosure and further processing.

    The application may contain links to third-party websites, products and services. All links to third-party websites, products and services are provided solely as a convenience to users. The manner and terms of their use must be determined by the user. Before providing the user's personal data to other companies, the user is expected to read their privacy policies.

  5. Information about the intention to transfer personal data to a third country or international organization

    Some of our service providers (translation engines) are based outside the European Economic Area, but due to the nature of their services and global scope of operation, they apply the highest world-class standards. With all service providers, we ensure the legality of data sharing and sign strict non-disclosure agreements or data processing clauses, making sure that appropriate standards are adhered to by both parties to the agreement. The above applies to entities in the Google, Meta, Rollbar capital groups.

  6. Information on appropriate security measures

    In order to protect the data and to prevent unauthorised access to it or its disclosure, exploitation, modification, damage or loss, Vasco undertakes the following measures:

    1. We take reasonable and feasible measures to collect only the smallest possible amount of personal data relevant and necessary for the purposes for which they are processed. We retain Users’ personal data only for as long as necessary for the purposes stated in this Policy, unless an extension of the retention period is required or permitted by law.
    2. We use a range of technologies, such as cryptographic techniques, to ensure the confidentiality of data during its transmission. We implement proven security mechanisms to protect data and the servers on which it is stored from attacks.
    3. We use access control mechanisms to ensure that only authorised employees have access to personal data. In addition, we limit the number of authorised employees and apply hierarchical rights management to them, depending on the requirements of the employee's position and level.
    4. We carefully select business partners and service providers and integrate personal data protection requirements into commercial contracts, audits and evaluation activities.
    5. We organize security and privacy training, testing and educational activities to raise awareness of personal data protection among our employees.

    Despite great care taken to protect personal data, no security measures are perfect and no products, services, websites, data transmissions, computer systems or network connections are 100% secure.

  7. The period for which personal data will be retained and, where this is not possible, the criteria for determining this period

    We process the data for the period of time necessary for the provision of the services and use of the Application and for the period of time necessary to secure claims relating to the performance of our obligations. Personal data processed for the purpose of concluding or performing the agreement and fulfilling the Administrator's legal obligation, i.e. on the basis of article 6(1)(b) and (c) GDPR, will be stored for the duration of the agreement and thereafter for the period necessary for:

    1. post-sales support for users (e.g. complaints handling) – the period of the warranty or guarantee law – from 2 to 3 years, depending on the User's country of origin and the mandatory legal regulations;
    2. securing or asserting possible legal claims to which the Administrator or the User is entitled (for a period of 3 years /businesses/ or 6 years /consumers/ from the date of termination of the agreement – until the end of the calendar year);
    3. fulfilling the Administrator's legal obligation (e.g. arising from tax or accounting regulations);
    4. statistical and archiving purposes – to a limited extent taking into account data minimisation.

    Personal data processed on the basis of legitimate legal interest, i.e. on the basis of article 6(1)(f) GDPR, will be processed until the data subject raises an objection, unless the Administrator is able to find a lawful justification for this process.

    Personal data processed on the basis of a separate consent will be stored until such consent is revoked.

    For the purposes of transparency and accountability, i.e. to prove compliance with the provisions relating to the processing of personal data, the Administrator will store the data for the period during which the Administrator is required to retain the data or the documents containing the data in order to document compliance with legal requirements and enable the control of compliance by public authorities.

  8. Data relating to children

    The application is intended for adults. If personal information about children is collected based on the consent of persons with parental responsibility, we only use or disclose this information in a manner consistent with the law, expressly authorized by persons with parental responsibility or necessary to protect the rights and freedom of children. Persons with parental responsibility who wish to access, modify or delete the personal data of their children or persons in their legal custody may contact us via the contact details provided in this Policy or on our website.

    If we become aware of any processing of children's personal data without obtaining the consent from persons who can prove parental responsibility, we shall delete such data immediately.

  9. Information about the right to request from the administrator access to, rectification, erasure or restriction of processing of personal data concerning the data subject, or about the right to object to the processing, as well as about the right to data portability

    The User has the right of access to the content of the data, the right to request rectification, erasure, restriction of processing, the right to data portability and the right to object to the processing of the data.

    The User may request the exercise of these rights:

    1. by sending an email to the following address - gdpr@vasco-electronics.com
    2. by sending a letter to the following address – al. 29 listopada 20, 31-401 Kraków, Polska

    In the request, please provide details that will allow us to uniquely identify you.

    Users may update their personal data directly in the Application, but this does not affect the lawfulness of the processing.

    There are certain circumstances in which the Administrator is not obliged to comply with the User's request. The Administrator should only delete the data in accordance with the request when:

    1. the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    2. the data subject has withdrawn the consent on which the processing is based pursuant to article 6(1)(a) GDPR or article 9(2)(a) GDPR and there is no other legal basis for the processing;
    3. the data subject objects under article 21(1) GDPR to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects under article 21(2) GDPR to the processing;
    4. the personal data has been unlawfully processed;
    5. the personal data must be erased in order to comply with a legal obligation under the law of the European Union or the law of a Member State to which the administrator is subject.

    It may be that despite the grounds for erasure of personal data as requested by the data subject, further processing of the data to some extent will be necessary to achieve the purposes that justify the refusal of erasure. These include cases where the data is necessary:

    1. to exercise the right to freedom of expression and information;
    2. to comply with a legal obligation requiring the processing under the law of the European Union or the law of a Member State to which the administrator is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the administrator;
    3. for reasons of public interest in the field of public health in accordance with article 9(2)(h) GDPR and (i) and article 9(3) GDPR;
    4. to establish, assert or defend claims.
  10. Information on the right to lodge a complaint with the supervisory authority

    In the event that the processing of data is deemed to be unlawful, the User has the right to lodge a complaint with the supervisory authority dealing with the protection of personal data, i.e. the President of the Personal Data Protection Office (contact details of the Office available at https://uodo.gov.pl/p/kontakt).

  11. Changes to the Privacy Policy

    In order to update the information contained in this Privacy Policy and to comply with applicable law, this Privacy Policy may be amended. The User will be notified of any change to the policy by a notice posted on the Application or on the Administrator's website. In order to obtain information on how to protect personal data, the Administrator recommends that Users regularly read this Privacy Policy.