WEBSITE PRIVACY POLICY

Proenco AS

We ask that you read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us.

ProencoAS, as part of the Vela Software group of companies (“Proenco AS,” “we,” “us,” ”our”), are committed to protecting your privacy. There are various ways that you might interact with Proenco AS, and the information you provide when doing so allows us to improve our services.

This website, our related websites and any mobile site or mobile application that link to this Privacy Policy) (collectively, the “Site”, “Sites”) are owned and operated byProenco AS with its principal place of business atVollsveien 2A,1366 Lysaker, Norway.

Proenco AS adheres to EU and Canadian statutes and regulations which govern the protection of personal data. In Canada Vela Software adheres to the Personal data and Protection of Electronic Documents Act (“PIPEDA”). In Europe,Proenco AS adheres to the General Data Protection Regulation (EU) 2016/679 ("GDPR").

About this policy

This Privacy Policy applies when you visit our website. It also applies where we are in contact with you in other ways whether in your capacity as an individual or as director, shareholder, partner, employee or other representative of a company or other organisation.

This Privacy Policy applies toProenco AS and covers our processing activities as a data controller.

Our privacy policy explains:

• What information we collect, and why we collect it;
• How we use that information;
• How we protect that information;
• How you can control your information, including accessing, updating and deleting what we store; and
• How we share information collected.

We do not sell our services to children and the Site is not intended for or directed at children under the age of 16 years. As such, our Sites are designed for adult user interaction. We do not intentionally collect personally identifiable information from children under the age of 16.

Contacting Us

If you have any questions about our Privacy Policy or your information, or to exercise any of your rights as described in this Privacy Policy or under data protection laws, you can contact us as follows:gdpr@proenco.com

Information we collect

Information you give us

We may collect or record basic personal data which you voluntarily provide through completing forms on our Site, through electronic mail you send to us, or through other means of communication between you and us. The categories of personal data you provide may include:

• first and last name;
• job title and company name;
• email address;
• phone number;
• mailing address;
• password to register with us;
• your personal or professional interests;
• any other identifier that permits us to make contact with you.

Information we collect online

We collect, store and use information about your visits to the Sites and about your computer, tablet, mobile or other device through which you access the Sites. This includes the following information:

• general non-personal data pertaining to users of our sites technical information, including the Internet protocol (IP) address, source domain names, specific web pages, length of time spent, and pages accessed, browser type, internet service provider, device identifier, your login information, time zone setting, browser plug-in types and versions, operating system and platform, and geographical location;
• information about your visits and use of the Site, including the full Uniform Resource Locators (URL), clickstream to, through and from our Site, pages you viewed and searched for, page response times, length of visits to certain pages, referral source/exit pages, page interaction information (such as scrolling, clicks and mouse-overs), and website navigation and search terms used.]

We do not generally seek to collect sensitive personal data (e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation) through our Site.

How We Use Information

As a data controller, we will only use your personal data if we have a legal basis for doing so. The purpose for which we use and process your information and the legal basis on which we carry out each type of processing is explained in the table below.

Note that we may process your personal data for more than one lawful ground if the data is used for several purposes. Please Contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

If you do not wish to provide us with your personal data and processing such data is necessary for the performance of a contract with you and to fulfil our contractual obligations to you, we may not be able to perform our obligations under the contract between us.

Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness of processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting us as provided in “Contacting us” above.

Where we rely on legitimate interests as a lawful basis, we will carry out a balancing test to ensure that your interests, rights and freedoms do not override our legitimate interests. If you want further information on the balancing test we have carried out, you can request this from us by Contacting us.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.

Third-party marketing

We do not share personal data with any company outside the Proenco ASgroup for marketing purposes.

Opting out

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by Contacting us at any time.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you in a timely manner and we will explain the legal basis which allows us to do so.

Vela Software as data processor

In certain cases, we also operate as a data processor and we collect and process personal data on behalf of our customers in the provision of our services and products. In these circumstances, Vela Software is acting as a data processor and our customers remain the data controller in respect of personal data they provide to us.

Where we act as a data processor in respect of personal data, the terms of our Data Processor Addendum shall apply to such processing.

Our customer remains the data controllers with respect to any personal data that they provide to us for our provision of services.

To the extent that we are acting as data processor, we act only in accordance with the documented instructions of such customers regarding the collection, processing, storage, deletion and transfer of customer information, as well as other matters such as the provision of access to and rectification of customer. We will only use such personal data for the purposes of providing the services and products for which our customers have engaged us.

Our customers are responsible for ensuring that these individuals’ privacy is respected, including communicating to the individuals in their own privacy policies who their personal data is being shared with and processed by.

As a data processor, we may share personal data where instructed by our customer. Where authorized by the customer, we may also share personal data with third party service providers who work for us and who are subject to security and confidentiality obligations.

Where Vela Software is acting as a data processor, we will refer any request from an individual for access to personal data which we hold about them to our customer. We will not respond directly to the request.

We will retain personal data which we process on behalf of our customers for as long as needed to provide services and products to our customers and in accordance with any agreement in place with our customers.

Disclosure of Your Personal Data to Third Parties

We will not sell, rent, lease or otherwise share your personal data other than as outlined in this Privacy Policy or without obtaining your consent beforehand.

Internal third parties

We may share your personal data with our group companies, affiliates, subsidiaries or contractors as necessary to carry out the purposes for which the information was supplied or collected (i.e. to provide the services and products you have requested from us).

External third parties

Personal data will also be shared with our third party service providers and business partners who assist with the running of the Sites and our services and products including hosting providers, and email and marketing service providers.

Our third party service providers and business partners are subject to security and confidentiality obligations and are only permitted to process your personal data for specified purposes and in accordance with our instructions.

We may also post links to third party websites as a service to you. These third party websites are operated by companies that are outside of our control, and your activities at those third party websites will be governed by the policies and practices of those third parties. We encourage you to review the privacy policies of these third parties before disclosing any information, as we are not responsible for the privacy policies of those websites.

In addition, we may disclose information about you when we believe, in good faith, that such use or disclosure is reasonably necessary to:

• comply with law
• enforce or apply the terms of any of our user agreements
• protect our rights, property or safety, or the rights, property or safety of our users, or others
• in the event that we become involved in a business divestiture, change of control, sale, merger, or acquisition of all or a part of our business, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
• if all or substantially all of our assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
• if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation;
• if necessary to protect the vital interests of a person; and
• to enforce or apply our terms and conditions or to establish, exercise or defend the rights ofProencoAS, our staff, customers or others.

International Transfers

If you are based in the EU or EEA

We share your personal data within the Vela Software Group. This will involve transferring your data outside the European Economic Area (EEA) to Canada and the USA. Canada has been deemed by the EU as having an adequate level of protection for personal data.

Many of our external third party service providers and business partners are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Where personal data is transferred to and stored outside the EEA, we take steps to provide appropriate safeguards to protect your personal data, including:

• transferring your personal data to a country, territory, sector or international organisation which the European Commission has determined ensures an adequate level of protection, as permitted under Article 45(1) GDPR;
• entering into standard contractual clauses approved by the European Commission, obliging recipients to protect your personal data as permitted under Article 46(2)(c) GDPR;
• under the EU-U.S. Privacy Shield Framework which enables U.S. business to self-certify as a means of complying with EU data protection laws;

In the absence of an adequacy decision or of appropriate safeguards as referenced above, we will only transfer personal data to a third country where one of the following applies (as permitted under Article 49 GDPR)):

• the transfer is necessary for the performance of our contractual engagement with you;
• the transfer is necessary for the establishment, exercise or defence of legal claims; or
• you have provided explicit consent to the transfer.

If you want further information on the specific mechanism used by us when transferring your personal data out of the EEA, please contact our Privacy Manager using the details set out above.

You can contact us as provided in “Contacting us” above if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Security of Your Personal Data

The security of your personal data is important to us. We follow generally accepted industry standards to protect the personal data submitted to us, both during transmission and once we receive it.

We use appropriate measures to safeguard personally identifiable information, which measures are appropriate to the type of information maintained, and follows applicable laws regarding the safeguarding of any such information under our control. In addition, in some areas of our Sites, we may use encryption technology to enhance information privacy and help prevent loss, misuse, or alteration of the information under our control. We also employ industry-standard measures and processes for detecting and responding to inappropriate attempts to breach our systems.

No method of transmission over the Internet, or method of electronic storage, can be 100% secure. Therefore, we cannot guarantee the absolute security of your information. The Internet by its nature is a public forum, and we encourage you to use caution when disclosing information online. Often, you are in the best situation to protect yourself online. You are responsible for protecting your username and password from third party access, and for selecting passwords that are secure.

If you have any questions about security on our Site, you can contact us as provided in “Contacting us” above.

Data Retention: How Long We Keep Your Personal Data

When you contact us, we may keep a record of your communication to help solve any issues that you might be facing. Your information may be retained for as long as necessary to fulfilthe purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirement.

The criteria we use for retaining different types of personal information, includes the following:

• General queries - when you make an enquiry or contact us by email or telephone, we will retain your information for as long as necessary to respond to your queries. After this period, we will not hold your personal information for longer than one year if we have not had any active subsequent contact with you;
• Direct marketing - where we hold your personal information on our database for direct marketing purposes, we will retain your information for no longer than two years if we have not had any active subsequent contact with you.
• Legal and regulatory requirements - we may need to retain personal information for up 7 years after we cease providing services and products to you where necessary to comply with our legal obligations, resolve disputes or enforce our terms and conditions.

Your rights

Subject to certain limitations, you have rights under data protection laws in relation to your personal data. These rights include the rights to:

• Request access to your personal data - (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Note that we may refuse to comply with a request for access if the request is manifestly unfounded or excessive, or repetitive in nature.
• Request correction of your personal data - this enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. Note that we may refuse to comply with a request for correction if the request is manifestly unfounded or excessive, or repetitive in nature.
• Request erasure of your personal data - this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note that we may refuse a request for erasure, for example, where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims.
• Request restriction of processing your personal data - this enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. Note that we may refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, or repetitive in nature.
• Request transfer of your personal data - we will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.
• Right to withdraw consent - you can withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.

Your Right to Object

Direct marketing

You have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Where we process your information based on our legitimate interests.

You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Exercising Your Rights

If you wish to exercise any of the rights set out above, including withdrawing consent, please contact us giving us specific details regarding which right you choose to exercise.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Use of Cookies, IP Addresses and Aggregate Information

Cookies

In order to improve the Sites, we may use small files commonly known as “cookies”. Cookies are a technology that can be used to help personalize your use of a website. A cookie is a small amount of data which often includes a unique identifier that is sent to your computer or mobile phone (your “device”) from the Sites and is stored on your device’s browser or hard drive. The cookies we use on the Sites won't collect personally identifiable information about you and we won't disclose information stored in cookies that we place on your device to third parties.

To enable us to assess the effectiveness and usefulness of this Site, and to give you the best user experience, we collect and store information such as pages viewed by you, your domain names and similar information. Our Site makes use of anonymous cookies for the purposes of:

Completion and support of Site activity;

• Site and system administration;
• Research and development; and
• Anonymous user analysis, user profiling, and decision-making.

By continuing to browse the Sites, you are agreeing to our use of cookies.

If you don't want us to use cookies when you use the Sites, you can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it or decline at any time. However, if you block cookies some of the features on the Sites may not function as a result.

You can find more information about how to do manage cookies for all the commonly used internet browsers by visiting www.allaboutcookies.org. This website will also explain how you can delete cookies which are already stored on your device.

Links

The Sites may, from time to time, contain links to and from the websites of our business partners, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Social Media and Online Engagement

We occasionally use a variety of new technologies and social media options to communicate and interact with customers, potential customers, employees and potential employees. These sites and applications include popular social networking and media sites, open source software communities and more. To better engage the public in ongoing dialog, certain of our businesses use certain third-party platforms including, but not limited to, Facebook, Twitter and LinkedIn. Third-Party Websites and Applications (TPWA) are Web-based technologies that are not exclusively operated or controlled by us. When interacting on those websites, you may reveal certain personal data to us or to third parties. Other than when used by our employees for the purpose of responding to a specific message or request, we will not use, share, or retain your personal data.

• The Facebook privacy policy is available at:http://www.facebook.com/policy.php
• The Twitter privacy policy is available at:http://twitter.com/privacy
• The LinkedIn privacy policy is available at:http://www.linkedin.com/static?key=privacy_policy

Complaints

For Norway: You have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Norway is The Norwegian Data Protection Authority (DPA) who may be contacted at postkasse@datatilsynet.no or telephone +47 22 39 69 00.

If we receive formal written complaints, we will follow up with the person making the complaint. We work with the appropriate regulatory authorities to resolve any complaints that cannot be resolved directly. We would, however, appreciate the chance to deal with your concerns before you approach the DPA so please contact us in the first instance.

Changes to this Policy

We regularly review our compliance with our privacy policy. We also adhere to several self-regulatory frameworks in addition to complying with applicable law.

We may change this privacy policy from time to time. If this privacy policy changes, the revised privacy policy will be posted at the “Privacy Policy” link on the Site’s home page. In the event that the change is significant or material, we will notify you of such a change by revising the link on the home page to read “Newly Revised Privacy Policy.” Please check the privacy policy frequently. Your continued use of the Site constitutes acceptance of such changes in the privacy policy, except where further steps are required by applicable law. This privacy policy was last updated on the date set out at the end of the policy.

LAST UPDATED: 9 May 2018