WEBSITE PRIVACY TERMS AND DATA PROCESSING AGREEMENT
1. Apparatus Limited
Apparatus Limited is a UK-based company, located at Darwen House, Bolton le Sands, Lancs LA5 8DN, United Kingdom. Our business operations are located in the UK and we store our data on servers in the European Economic Area (EEA). These servers are provided by our approved third-party partners and are all secure and GDPR compliant.
Apparatus Limited is committed to complying with all applicable UK and European data protection laws and regulations.
Apparatus Limited uses and maintains these terms for privacy (“Privacy Terms”) that summarize when and how your Personal Information is collected, used, safeguarded and disclosed in connection with your access to, and use of, websites operated by Apparatus Limited and any micro-sites, mobile site or subdomains of such sites (collectively, the “Website”) and all features, functions, software and services offered through the Website. The Website and the features, functions, software and services offered through the Website collectively constitute the “Service.”
If you would like to make use of the Service, you will have to enter into an agreement with Apparatus Limited for use of the Service. After you have entered into the agreement (the “Agreement”) you are a customer of Apparatus Limited (“Customer”).
2. Data processing agreement
These Privacy Terms apply to the Service. By entering into the Agreement the Customer accepts these Privacy Terms. In this respect these Privacy Terms serve as a (one-sided) data processing agreement between the Customer and Apparatus Limited.
We reserve the right to change the provisions of these Privacy Terms from time to time. If we make changes, we will notify Customer in advance. Customer will have to explicitly accept the amended Privacy Terms.
We encourage you also to periodically review the latest Privacy Terms.
Terms are defined in this agreement. If a term is not defined in this agreement, it has the meaning given in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).
4. What is Personal Information?
“Personal Information” means any information relating to an identified or identifiable natural person (“data subject”) according to the definition of personal data as set out in GDPR.
An identifiable person is someone who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier or to one or more factors specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
“Personal Information” is information that identifies an individual (such as a name, address, telephone number, mobile number, e-mail address, or other account number), and all information about that individual’s location or activities, such as information about his or her use of the Service, IP-addresses or mobile device identifiers, when this can be linked to any Personal Information.
“Personal Information” also includes demographic information such as date of birth, gender, geographic area and preferences when this information can be linked to any other Personal Information.
“Personal Information” does not include “aggregate” information, which is data about a group or category of products, services or users, when this “aggregate” information cannot be linked to any Personal Information. Aggregate data helps us understand trends and our Customers’ needs so that we can better consider new features and functions, or otherwise tailor our Services. These Privacy Terms do not restrict or limit our collection and use of “aggregate” information.
5. What Personal Information do we collect?
A. Active Collection
Personal Information may be collected in a number of ways when Customer uses our Service.
When Customer registers we will collect the registration information provided to us. This contains the name, address, e-mail address, user name and other contact and demographic information when Customer registers for our newsletter. From time to time we may change the information requested upon registration or with respect to certain features or Service. Apparatus Limited will inform Customer of such change.
If Customer contacts us by e-mail or other means, we may collect the content of the messages, e-mail address and our response.
The registration of Customer and/or correspondence with us via e-mail constitutes a commercial relationship and implies the Customer’s consent for us to communicate to Customer about our Service.
Personal Information and demographic information may also be collected if Customer provides such information in connection with creating a profile or group, leaving comments, posting content, sending an e-mail or message to another user or participating in any interactive chat rooms, forums or features on the Website and when Customer uses our Service.
In addition, from time to time we may collect demographic, contact or other Personal Information Customer provides in connection with Customer’s voluntary participation in surveys, sweepstakes, promotional offers, and other activities.
From time to time we post customer testimonials/comments/reviews on our Website which may contain personally identifiable information. Prior to posting a testimonial, we will obtain the Customer’s written consent via e-mail to post their name along with their testimonial.
B. Log Files
When Customer uses the Service, some information of Customer is also automatically collected, such as its: Internet Protocol (IP) address, operating system, the browser or mobile device type, the address of a referring website, Customer’s activity on the Website and regarding the use of the Service.
IP addresses are collected as a part of demographic and profile data known as traffic data so that data can be sent to Customer.
We treat this information as Personal Information if this information can be linked to any Personal Information mentioned above. Otherwise, it is used in the aggregate only.
By using the Website Customer agrees that we may automatically collect certain information through the use of “cookies”.
Cookies are small data files that are stored on a user’s hard drive at the request of our Website which enable us to recognize Customers who have previously visited the Website. Furthermore, the Cookies allow us, in conjunction with our web server’s log files, to calculate the aggregate number of people visiting our Website and which parts are most popular. This helps us gather feedback to improve our Website and better serve our Customers.
Cookies do not allow us to gather any Personal Information about Customer and we do not intentionally store any Personal Information that your browser provided us in your Cookies.
If Customer wishes to block, erase, or be warned of cookies, please refer to your browser or mobile device’s instructions or help screen to learn about these functions. However, if a browser or mobile device is set not to accept cookies or if a user rejects a cookie, some portions of the Website and Service may not function properly. For example, Customer may not be able to sign in and may not be able to access certain Website features or Service.
We may also use third parties to serve ads on our Website. These third parties may place cookies, clear gifs or other devices on your computer to collect information, and information provided by these devices may be used, among other things, to deliver advertising targeted to your interests and to better understand the usage and visitation of our Website and the other websites tracked by these third parties. If you wish to not have this information used for the purpose of serving you targeted ads, you may opt out at www.youronlinechoices.eu. Please note this does not opt you out of being served advertising. You will continue to receive generic ads. Please note that we have no access or control of any third party tracking technologies. If you wish to block third party cookies, please refer to your browser instructions or help screen to learn about these functions.
D. Device Identifiers
When Customer accesses the Service by or through a mobile device (including but not limited to smartphones or tablets), we use one or more “device identifiers,” such as a universally unique identifier (“UUID”). Device identifiers are small data files or similar data structures stored on or associated with Customer’s mobile device, which uniquely identify its mobile device.
A device identifier may be data stored in connection with the device hardware, data stored in connection with the device’s operating system or other software, or data sent to the device by us. A device identifier may convey information to us about how Customer browses and uses the Service. A device identifier may remain persistently on your device, to help you log in faster and enhance your navigation through the Service. Some features of the Service may not function properly if use or availability of device identifiers is impaired or disabled.
E. User Identifiers
When Customer accesses the Service, we use one or more “user identifiers.” User identifiers are small data files or similar data structures assigned to a Customer that will be used to enable Customer to continue to use the Service. A user identifier may convey information to us about how Customer browses and uses the Service. A user identifier may remain persistently on Customer’s device or computer, to help Customer log in faster and enhance Customer’s navigation through the Service. Some features of the Service may not function properly if use or availability of user identifiers is impaired or disabled.
F. Location Data
When Customer accesses the Service by or through a mobile device, we may access, collect, monitor and/or remotely store “location data,” which may include GPS coordinates (e.g. latitude and/or longitude) or similar information regarding the location of your mobile device. Location data may convey to us information about how you browse and use the Service. Some features of the Service, particularly location-based services, may not function properly if use or availability of location data is impaired or disabled.
6. Controller of Personal Information
Customer will at all times be the data controller of the Personal Information for purposes of the Service and these Privacy Terms. Apparatus Limited shall at all times remain the data processor. If Apparatus Limited nevertheless processes Personal Information for its own purposes, Apparatus Limited will be deemed to be a (joint) data controller with regard to the Personal Information. A ‘data controller’ and ‘data processor’ shall have the same meaning as in the GDPR.
Customer shall be responsible for compliance with its obligations as data controller under the applicable data protection law, in particular for justification of any transmission of Personal Information to Apparatus Limited and for the decision concerning the processing and use of the Personal Information. This shall include providing any required notices and obtaining any required consents. If Apparatus Limited is deemed to be a (joint) data controller in relation to the Personal Information, it shall also be responsible for compliance with its obligations as data controller under the applicable data protection law.
7. Purposes of processing Personal Information
Apparatus Limited shall process Personal Information as stated in these Privacy Terms solely for the reasons mentioned below. Each reason has been categorized by its legal basis. Apparatus Limited shall not otherwise
(1.) process and use Personal Information of Customer for purposes other than set forth in the terms of service for the Service and the Privacy Terms, or as instructed by the Customer, or
(2.) disclose Personal Information to third parties other than the Subprocessors for the below mentioned purposes, or as required by law.
Processing for which the Customer has to give consent:
(1.) to analyze user characteristics and usage patterns in order to better understand how our Service is used and market it more effectively;
(2.) to request feedback and to enable us to develop, customize and improve the Service and our publications and products;
(3.) to inform Customer about other information, events, promotions, products or services we think will be of interest to Customer;
If Customer refuses consent for processing its personal information for the purposes mentioned in this subsection, Customer will not be hindered in its use of the Service. Refusing or withdrawing consent thus has no negative effects on Customer’s use of the Service.
Processing necessary for the performance of a contract and providing the Service
(4.) for the provision of the Website and the provision of the Service according to our Terms of Service;
(5.) to process and/or respond to Customer’s requests, submissions, comments, complaints and any transactions;
(6.) to provide Customer with information or services requested;
(7.) to provide technical support and ensure the continued and smooth operation of the Service;
(8.) to facilitate Customer’s use and our operation of the Service;
(9.) for the purpose for which the information was provided;
Processing necessary for compliance with a legal obligation
(10.) to facilitate our administration of the Service;
(11.) to prevent or investigate actual or suspected fraud, hacking, infringement, or other misconduct involving our Services or Website.
8. How long do we store Personal Information?
We store Personal Information for as long as is required to provide the Service. Below you will find a specification of how long Personal Information is stored and processed.
a) Name – For as long as Customer makes use of the Service, up to one year after the Agreement and/or Service has come to an end and/or as long as a legal obligation requires Archers @ Red Bank Farm Limited to store the Personal Information (e.g. tax related laws);
b) Address – For as long as Customer makes use of the Service, up to one year after the Agreement and/or Service has come to an end and/or as long as a legal obligation requires Apparatus Limited to store the Personal Information (e.g. tax related laws);
c) E-mail address – For as long as Customer makes use of the Service;
d) Username – For as long as Customer makes use of the Service and two months after the Agreement and/or the Service has come to an end;
e) Contact information – For as long as Customer makes use of the Service, up to one year after the Agreement and/or Service has come to an end and/or as long as a legal obligation requires Apparatus Limited to store the Personal Information (e.g. tax related laws);
f) E-mail address – For as long as Customer makes use of the Service and up to two months after the Agreement and/or the Service has come to an end;
g) Demographic information and location data – For as long as Customer makes use of the Service, up to one year after the Agreement and/or Service has come to an end and/or as long as a legal obligation requires Apparatus Limited to store the Personal Information (e.g. tax related laws);
h) Content of messages of Customer contact – For two months after the question and/or complaint and/or any other reason for contact has been dealt with;
i) Customer testimonials, comments and/or reviews – For the specified period Customer gave permission to post the testimonials, comments and/or reviews online. If Customer did not give permission for a specified amount of time, the testimonials, comments and/or reviews will be stored for as long as the testimonials, comments and/or reviews are posted on the Website.
j) IP address – For up to one year after the IP address has been collected.
k) Device identifiers – For as long as Customer makes use of the Service and two months after the Agreement and/or the Service has come to an end;
l) User identifiers – For as long as Customer makes use of the Service and two months after the Agreement and/or the Service has come to an end.
9. Subprocessors and sharing of Personal Information
Apparatus Limited may engage subcontractors in accordance with the Agreement to assist in the provision of the Service and which may, as part of their role in delivering the Service, process Personal Information of users of the Service. In this respect a subcontractor of Apparatus Limited is hereinafter referred to as ‘Subprocessor’. Apparatus Limited will inform Customer of its intention to engage a Subprocessor. Customer may object within one week after receiving the notification to the intention of Apparatus Limited. If not being able to engage with a Subprocessor due to Customer’s objection is unreasonably onerous for Apparatus Limited, Apparatus Limited has the right to end the Agreement and this data processing agreement with Customer without being liable towards Customer.
Apparatus Limited maintains a list of all Subprocessors that may process Personal Information of users of the Service.
Apparatus Limited has concluded data processing agreements with all Subprocessors in which they are required to abide by substantially the same obligations as Apparatus Limited under these Privacy Terms.
Unless otherwise described elsewhere in these Privacy Terms, we do not disclose, sell or trade any Personal Information about our visitors and users to any third parties.
We may share Personal Information with Subprocessors such as the credit card processor working with us in connection with the operation of the Website and/or the Service and who need access to such information to carry out their work for us. Any credit card details collected are simply passed on in order to be processed as required. We never permanently store complete credit card details.
In some cases, the Subprocessor may be directly collecting the information from you on our behalf. If Subprocessor provides Personal Information to Apparatus Limited, Apparatus Limited shall mention what Personal Information that Subprocessor provides to Apparatus Limited on the list that Apparatus Limited keeps of its Subprocessors. We inform Subprocessors that they are not permitted to use Personal Information they obtain from us other than to provide the Service for us. We are not responsible for any additional information you provide directly to these Subprocessors. Please become familiar with their practices before disclosing any Personal Information directly to such Subprocessors.
From time to time, we may also share Personal Information with third parties when you give us your consent to do so. For example, we may enter into relationships with other parties to make specific services or offers available directly to our users. If a user opts-in to these third party services or marketing offers, we may share the Personal Information you provide at the time of sign-up or such other Personal Information, such as your name or other contact information, that we deem reasonably necessary or appropriate for our business partner to provide these services or offers or get in contact with you.
We may disclose Personal Information in the good faith belief that we are lawfully authorized or required to do so, or that doing so is reasonably necessary or appropriate to comply with the law or with legal process or authorities, respond to any claims, or to protect the rights, property or safety of Apparatus Limited, our users, our employees or the public, including without limitation to protect Apparatus Limited or our users from fraudulent, abusive, inappropriate or unlawful use of the Service. Apparatus Limited will promptly notify Customer of any request of an executive or administrative agency or other governmental authority that it receives and which is related to Personal Information of Customer, unless prohibited by applicable law. Apparatus Limited will provide Customer with reasonable information in its possession that may be responsive to the request as stated above, and any assistance reasonably required for Customer to respond to the request in a timely manner. Customer acknowledges and agrees that Apparatus Limited has no responsibility to interact directly with the entity making the request.
Please note that nothing herein restricts the sharing of aggregate information, which may be shared with third parties without your consent.
10. Customer’s instructions
Customer may provide Apparatus Limited written instructions in addition to those specified in the terms of service and these Privacy Terms with regard to the processing of Personal Information. Apparatus Limited will comply with all such instructions without additional charge to the extent necessary for Apparatus Limited to comply with laws applicable to Apparatus Limited as data processor in the performance of the Service. Customer and Apparatus Limited will negotiate with respect to any change in the Service and / or fees resulting from such instructions.
11. Protection of Personal Information
Apparatus Limited shall ensure it implements and maintains compliance with appropriate technical and organizational security measures for the processing of Personal Information. We follow generally accepted standards to protect the Personal Information submitted to us, both during transmission and once we receive it.
We have put in place physical, electronic, and managerial procedures that are designed to prevent unauthorized access, loss, or misuse.
We use SSL (Secure Sockets Layer) technology to encrypt your transmission of sensitive information to us, such as account passwords, credit card numbers and other payment-related identifiable information.
We restrict internal access to Personal Information to employees who need the information to perform their duties. The unauthorized access or use of such information by an employee is prohibited and constitutes grounds for disciplinary action. Employees of Apparatus Limited are bound to a confidentiality clause.
Our information management systems are configured in such a way as to block or inhibit employees from accessing information that they have no authority to access.
You should note that our Subprocessors may be responsible for processing, handling or storing some of the Personal Information that we receive. They are not authorized to market to you independently. These Subprocessors are contractually required, by means of a data processing agreement with Apparatus Limited, to safeguard and secure the Personal Information they received from us.
No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.
Apparatus Limited shall ensure it has a procedure to periodically test and evaluate its technical and organizational security measures for the processing of Personal Information.
12. Cooperation and notification obligations
Apparatus Limited and the Customer will – to the extent possible – co-operate with each other to promptly and effectively handle enquiries, complaints, and claims relating to the processing of Personal Information from any government official or authority (including but not limited to any data protection legislation enforcement agency), third parties or individuals (including but not limited to the data subjects).
Apparatus Limited and the Customer are aware that applicable data protection legislation may impose a duty to inform the competent authorities or affected data subjects in the event of a data breach. Data breaches should therefore be notified by Apparatus Limited to the Customer within 24 hours after they have been discovered, regardless of their origin. This also applies to serious operational faults or where there is any suspicion of an infringement of provisions relating to the protection of Personal Information or other irregularities in the handling of Personal Information belonging to the Customer. In consultation with the Customer, Apparatus Limited shall take appropriate measures to secure the Personal Information and limit any possible detrimental effect on the data subjects. Where obligations are imposed on the Customer as a data controller under applicable data protection legislation, Apparatus Limited shall fully and at its own expense assist in meeting them.
13. Records of data processing activities
Apparatus Limited and the Customer maintain records of their data processing activities and are aware that they are responsible for the integrity of their own record. The record contains the name and contact information of Apparatus Limited, the Customer, their representatives and, if applicable, their data protection officers. The record also contains the categories of processing activities that have been executed by Apparatus Limited on behalf of the Customer, as well as a general description of the technical and organizational measures that have been undertaken to protect the data. If applicable, the record also contains information regarding to which foreign country or which international organization data has been passed on.
14. What choices does Customer have regarding the use of its Personal Information?
Before sharing your Personal Information with third parties in ways not covered by these Privacy Terms, including any use for direct marketing purposes, you will be notified and required to opt-in to such sharing at the point at which such information is collected.
Apparatus Limited may send you marketing and promotional postal mail about our products and services.
If you no longer want your information to be used by Apparatus Limited for direct marketing sent by postal mail please contact us at email@example.com
You can also opt-out by following the unsubscribe instructions included in each promotional e-mail. This shall not affect our ability to send you service and account related e-mails or to use your Personal Information as otherwise described in these Privacy Terms.
We will comply with the request of Customer as soon as possible after receipt.
15. How can Customer review, update, correct, or delete Personal Information?
Customer may review, update, correct or delete its Personal Information collected through the Website and Service by e-mailing us at firstname.lastname@example.org.
Note that the deletion of Customer information data may lead to the termination of the Account of Customer and the use of the Service.
To have access to your Personal Information, you must provide sufficient proof of identification as we request, and we reserve the right to deny access to any user if we believe there is a question about your identity. We will respond to all access requests within 4 weeks.
Customer can request us to limit or stop the processing of its Personal Information in the future. We will meet the request of Customer, but Customer may be hindered in its use of the Service or may no longer be able or allowed to use the Service, as stated in Article 4 of these Privacy Terms.
Customer can request us at reasonable intervals to transfer the Personal Information we process about him or her to him or her or another third party as specified by Customer, as long as the requested information does not include Personal Information of other natural persons and as long as the requested information has been processed based on the legal grounds of Customer permission or necessity for providing the Service and performing the contract. We will meet the request of Customer within 4 weeks after we have received the request.
Customer has the right to file a complaint to the competent privacy authority. For the UK, this authority is the Autoriteit Persoonsgegevens, which can be reached at https://autoriteitpersoonsgegevens.nl/.
If a data subject contacts Apparatus Limited directly with a request as stated before, we will redirect the data subject to Customer and only after permission of the Customer shall we provide an overview of Personal Information of that data subject.
We reserve the right to retain your information in our files if we believe it is necessary or advisable to resolve disputes, enforce applicable terms of service, and for technical and legal requirements and constraints related to the Service.
16. Audit Rights
Customer may audit Apparatus Limited’s compliance with the terms of these Privacy Terms up to once per calendar year, unless the applicable data protection laws provide the right to perform a more frequent audit of the Service. Customer must give Apparatus Limited at least 4 weeks’ notice of any audit. Any audits are at the Customer’s expense. Any request for Apparatus Limited to provide assistance with an audit is considered a separate service if such audit requires the use of different or additional resources. Apparatus Limited will seek the Customer’s written approval and agreement to pay any related fees.
The audit must be conducted during regular business hours in the UK at the facility of Apparatus Limited. If a third party is to conduct the audit, the third party must be mutually agreed to by Apparatus Limited and Customer.
17. Incident Management
Apparatus Limited shall evaluate and respond to incidents that create suspicion of unauthorized access to or handling of Personal Information. The response will be to restore confidentiality, integrity and availability of the environment of the Service. Furthermore Apparatus Limited shall establish root causes and remediation steps.
Apparatus Limited shall inform Customer within 24 hours after a data breach has been noticed. Apparatus Limited shall provide Customer with a description of the data breach, the type of data / Personal Information that was the subject of the breach and steps taken in order to cure the data breach and prevent further consequences of the breach. Apparatus Limited will provide further information upon request of Customer. Apparatus Limited and Customer shall coordinate in good faith any related (public) statements and / or notifications to any privacy authority and/or affected data subjects / persons.
Apparatus Limited will inform the Customer immediately after it has become aware of the fact that (i) Apparatus Limited and/or its personnel infringe applicable data protection legislation or obligations under this privacy statement, (ii) third parties have unauthorized or unintended access to the Personal Information.
Apparatus Limited will keep the Customer duly informed on any new developments in relation to a data breach. All notifications of data breaches by Apparatus Limited to the Customer will be made in writing. If time and circumstances do not permit a written notification, Apparatus Limited may notify the Customer through other means, provided that such notification is followed up by a written confirmation by Apparatus Limited as soon as possible thereafter.
18. Return / deletion of Personal Information upon termination
At the moment the agreement for making use of the Service is terminated for any cause, Apparatus Limited will make available for retrieval all Personal Information of Customer. Following the return of the Personal Information, or as agreed to otherwise by Apparatus Limited and Customer, Apparatus Limited will promptly permanently delete or otherwise render inaccessible all copies of the Personal Information of Customer, except as may be required by law.
This data processing agreement between Customer and Apparatus Limited shall automatically terminate at the moment the agreement for making use of the Service is terminated. However, the terms of this data processing agreement shall continue to apply for as long as Apparatus Limited possesses Personal Information of Customer.
20. Governing Law
This data processing agreement shall be governed exclusively by the law of the UK, unless mandatory law dictates otherwise.
If you have any questions, concerns, or comments regarding these Privacy Terms, please contact us via e-mail at privacy email@example.com