QUSTODIO PROFESSIONAL PRIVACY POLICY

Qustodio Technologies SL (“Qustodio”, the “Company”, or “we/us”) is committed to respecting and protecting the privacy of the entity that subscribes to Qustodio Professional through the website dev.qustodio.com (the “Entrepreneur”, or “you”) and that of the users of the Monitored Devices whose data are collected and processed.

This Privacy Policy explains our practices regarding the use of personal data collected and processed through our Service Qustodio Business (the “Service”). This Privacy Policy integrates our conditions of use of our Service.

A. DATA PROCESSED BY QUSTODIO AS DATA CONTROLLER

Please note that this Section does NOT regulate the processing of user data from the Monitored Devices (“User Data”) by Qustodio in its capacity as Processor, which is regulated by Section B attached.

  1. Data Controller

The Data Controller is Qustodio Technologies SL, Roger de Flor 193, Bajos, 08013, Barcelona, Spain. 

You can contact the Data Protection Officer to send any suggestions, queries, doubts or complaints regarding personal data by writing to: dpo@qustodio.com

 

  2. Data collection by the Company through the Services

Data Collection. Qustodio will collect and process as data controller the following personal data of the Entrepreneur (or the contact persons thereof, in case of creating a business account) through the Services:

  • Registration Data. On registering for Services, we will collect the following personal data of the Entrepreneur or the person appointed as contact person of the Entrepreneur: name, surname, email address and telephone. This data is mandatory and if it is not provided, an account cannot be created.
  • Payments. Our payment providers (Braintree, a division of PayPal, Inc., and Cleverbridge, Inc.) collect certain payment data, which is processed according to their terms and privacy policies, which are provided to you during the payment process. You can visit https://www.braintreepayments.com/en-es/legal and https://www.cleverbridge.com/corporate/privacy-policy/ for further information. We may contract additional payment gateways, and their conditions will be provided to you during the payment process.
  • Information about your computer. Due to the communications standards on the internet, when you visit our platform we automatically receive the URL of the site from which you came and the site to which you are going when you leave the site. We also receive the internet protocol (“IP”) address of your computer and the type of web browser you are using. We use this information to analyse overall trends and to help improve the service. This information is not shared with third parties without your permission.
  • Form and electronic communications. If you fill in any webform or contact us by email, we collect and process the personal data you provide us with, including your name and email address. The data that must be provided is indicated as mandatory; it will be used to contact you.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Purposes for processing. The personal data we collect about you are used for performing our contract and communications with you, for managing your Qustodio Account and for providing our Services to you (as described in the Terms). The data we collect are also used to measure and improve the Service and its functionality and to provide customer service, send email notifications and (if you gave your consent) newsletters, or communications, in general, about the Services, products and novelties, and product offers or promotions offered by us. We will also use your data for ensuring compliance with the Terms, the applicable laws, and other legal obligations we are subject to.

Legal Basis for processing. Below are the lawful bases that we rely on to process your data:

  • Preparation and performance of Contract: processing your data is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract.
  • Legitimate Interest: we have a legitimate interest to process your Registration Data for our business, in conducting and managing our business to give you the best service/product and the best and most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interest and we do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). 
  • Comply with a legal or regulatory obligation: we may process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Service optimization. We process information derived from your personal data on an aggregated non-identifiable basis for establishing users’ and clients’ general attributes and profiles and share such anonymous information with third-party service providers to help improve or promote our Service. We also use your data in a non-identifying and aggregated manner (i.e. dissociated data) to better design our web site, software and services.

Data deletion. Through the Platform Control Panel, the Entrepreneur can delete all historical information from the account, and when a profile is deleted (Monitored Device), the data associated with that profile is deleted, except for those data required for legal or administrative purposes (basic subscription and billing data, see below). This information will no longer be accessible and will be completely deleted from our systems at the time of the next backup within 30 days. In the event that we terminate the Services without prior notice due to your breach of these Terms, you must provide us with proof that this situation exists – within 3 days of our termination of the contract – and you will have an additional 5 days to obtain this data. 

Disclosure. We treat your personal data with strict confidentiality in accordance with applicable law. However, we disclose any information about you or your use of our Services: (i) in order to comply with legal obligations we are subject to, (ii) in order to correctly deliver our Services or perform other obligations in accordance with the Terms, (iii) in the event of a sale or change of control of the Company for the purpose of appropriate due diligence actions; or (iv) to our service providers that provide us a service in relation to the data.

We require all third parties to respect the security of your personal data and to process it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specific purposes and in accordance with our instructions.

Qustodio in case you are monitoring Monitored Devices running iOS. Upon installation of Qustodio Software for Monitored Devices with iOS operating system, due to the technical configuration of the system, all data transmitted to and from the Device is channeled through our servers, in such a way that we are visible to a third party such as your Internet access provider and the owner of the IP address from which communications originate. Although we are NOT an Internet access provider, due to this configuration we may receive notifications (“Notification”) from third parties regarding the User’s online behaviour, including but not limited to downloading and/or viewing online content, posting online content, opening online accounts, and/or using third party applications and programs. If we receive such a Notice stating that your User engages in any activity that is or may be illegal or violate the rights of third parties, or if we believe (in our reasonable judgment) that any activity by your Users is or may be detrimental to the provision of the Services, we will notify you. We reserve the right to (and will, if we are obliged to by court or applicable law or to protect our interests and business, and in particular, but without limitation, if we receive a Notice from a third party or if user activity on a device is or may, in our opinion, be detrimental to the provision of the Services): (a) suspend or block access to your Device(s) to the Internet or to certain websites/internet services; and (b) provide any party providing the Notification to us or a Court or public authority with your name and contact details and/or (c) terminate your Account.

Data retention. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including (a) the performance of the contract with registered users and (b) for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your personal data for the period of your subscription (in active format) and 5 years thereafter (blocked), for legal and/or administrative purposes.

Anonymised data for statistical purposes. For the purpose of improving our services and providing sector/segment reports, we may anonymise your Registration Data and certain generic User Data and store and process this data on an anonymous basis, even after your Account has been closed, indefinitely. The principal purpose is to analyse on an aggregated non-identifiable basis how our Services are used, measuring their effectiveness, and providing general customer service. We may also provide this data (or parts of it) on a fully anonymous aggregate basis to third party business partners, including for conducting academic research and surveys or commercial analytics, and to publish periodic sector or segmented information and reports about behaviour patterns and tendencies.

  3. International transfers of data

We use third party technological services for the provision of our Qustodio Services, whose providers may process your personal data as sub-processors. These entities may be in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data. For all entities outside the European Economic Area, we have entered contracts with such entities that do include such safeguards, including the EC model clauses:

For more information about our service providers that carry out international data transfers, please contact dpo@qustodio.com

  4. Data Security

We have adopted technical and organizational measures to preserve and protect your personal information from unauthorized use or access and from being altered, lost or misused, taking into account the technological state of the art, the features of the information stored and the risks to which information is exposed. In case of a security breach, we will take the appropriate measures and will notify you electronically in a timely manner.

 

  5. Data subject’s rights

In accordance with the applicable data protection law, you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party (known as “data portability”). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • File a complaint with the supervisory authority. You have the right to file a complaint with the Agencia Española de Protección de Datos (AEPD), at Calle Jorge Juan, 6, 28001 Madrid (www.aepd.es) if you consider that we are violating the applicable data protection and privacy laws. Before contacting the AEPD, please do not hesitate to contact us at dpo@qustodio.com; we will be happy to discuss our data protection practices with you and clarify any doubts you may have.

To exercise your rights, please contact us at dpo@qustodio.com or send a letter to Qustodio Technologies SL, Roger de Flor 193, Bajos, 08013, Barcelona, Spain.

If you contact us to exercise your rights, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

  6. Commercial Communications.

As a user of Qustodio’s services you will receive electronic commercial communications in accordance with applicable law, including alerts, notices, newsletters, offers and promotions, related to Qustodio’s services. If you do not wish to receive such information you can expressly opt out of our commercial communications by clicking “unsubscribe” in one of our emails or by sending a notification to dpo@qustodio.com

  7. General

We may amend this Privacy Policy as required to adapt it to future legislative or case law developments. We will notify you by posting a clear notice of these changes on our website, platform and in this Privacy Policy.

Unless a specific local regulation of mandatory application provides otherwise, the Privacy Policy is governed by the laws of Spain.

B. QUSTODIO PROCESSING USER DATA AS DATA PROCESSOR

When registering and creating an Account, Qustodio starts collecting data from the Devices associated to the Account, which may include personal data relating to the Users of the Devices or to third parties related with the Users in the context of your account (“User Data”, including information about your Devices, websites and apps that your Users use, contacts, connections, payments, messages and other communications, posted and received content, etc.). 

You are the Data Controller of these data and appoint us, as data processor, to process User Data on your instructions, for providing the Service. This means that you are in control of this data and determine what data is collected and how it is used for monitoring purposes within a company. The processing of data on your behalf is governed by the terms of this Section B.

  1. Object and Term. 

The purpose of this Section B is to regulate the processing of the User Data indicated in Appendix A, that the Entrepreneur makes available to Qustodio for the purpose of providing the Service.  The term of validity of this Section B is established by virtue of the client subscription with Qustodio.

  2. Compliance with data protection laws

Both Qustodio and the Entrepreneur shall comply with all applicable laws relating to privacy and data protection, including the EU General Data Protection Regulation (2016/679) and any legislation that may amend or replace it from time to time (collectively and individually, “Data Protection Laws”).

  3. Obligations and rights of the Entrepreneur as the Controller

In accordance with the provisions of current Data Protection Laws, the Subscribing Entrepreneur to the Service shall:

  1. Obtain the consent of the Users to carry out the processing of their data by virtue of the provision of the contracted Services.
  2. Apply appropriate technical and organisational measures in order to guarantee and be able to prove that the processing is in accordance with the legislation in force.

 

  4. Rights and responsibilities of Qustodio as Data Processor.

As established in the applicable laws and regulations, Qustodio shall:

  a) Process User Data only on the basis of documented instructions from the Entrepreneur, including transfers of User Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law. In such case, Qustodio will inform the Entrepreneur of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
  b) Ensure that the persons authorised to process User Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
  c) Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
  d) Respect the conditions for having recourse to another data processor, as established in the current legislation on protection of personal data.
  e) Assist the Entrepreneur, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects, here the Device users.
  f) Assist the Entrepreneur in ensuring that the Entrepreneur complies with its obligations, taking into account the nature of the processing and the information that is available to Qustodio.
  g) At the choice of the Entrepreneur, either destroy or return all personal data once the processing services have been completed and destroy any existing copies unless the retention of personal data is required under Union or applicable Member State law.
  h) Make available to the Entrepreneur all information necessary to demonstrate compliance with the obligations established herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Entrepreneur.
  i) Process the User Data placed at the disposal of Qustodio in a way that ensures that the personnel in charge follow the instructions of the Entrepreneur.
  j) Ensure that the Privacy Manager is involved in an adequate and timely manner in all matters relating to the protection of User Data.
  k) Adhere to a Code of Conduct that is approved by the European Commission or other competent authority, if applicable.
  l) Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.

 

  5. Retention

We store the User Data until you close your Account. After that period of time, we disassociate the personal data from the individual it refers to, and use such disassociated data for internal research and analysis purposes.   

  6. Data subjects’ exercise of their rights.

If the Data Subjects (Users) address a request or exercise any of the rights established in the General Data Protection Regulation, the Entrepreneur and / or Qustodio must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.

Similarly, in the event that the Entrepreneur and / or Qustodio does not proceed with the request of the User, it shall inform the latter without delay and, no later than one month after receipt of the request, shall provide the Device user with the reasons why it has not acted and inform the Device user of his/her right to file a complaint before a competent authority and to file a judicial appeal. The response to the User’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

  7. Subcontracting

Qustodio may subcontract its obligations and/or give access to User Data to third party service providers, if it is necessary for the proper provision of the Service. For this purpose, the Client hereby expressly authorises Qustodio to subcontract the entities indicated in Appendix 1. Qustodio ensures a contract exists with each third-party subcontractor that is sufficient to require the subcontractor to process User Data in accordance with the applicable data protection laws and the Entrepreneur’s instructions.

 

  8. International transfer of data.

International transfers of User Data may only be performed if the requirements of the national and/or European laws and regulations that regulate them are met. Qustodio uses third party technological services for the provision of Services. These entities may be in jurisdictions that generally do not provide adequate safeguards in relation to the processing of personal data. For all entities outside the European Economic Area, we have entered contracts with such entities that do include such safeguards, including the EC model clauses. For more information, please contact dpo@qustodio.com.

 

  9. Security breach of the personal data.

Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the personal data, Qustodio shall notify the Entrepreneur and the competent supervisory authority of such breach without undue delay, and if possible, no later than seventy-two (72) hours after it happened.

 

  10. Termination, resolution and expiration.

In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Entrepreneur and Qustodio, the latter shall not keep the User Data unless otherwise legally required or advisable to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, Qustodio shall destroy or return to the Client all personal data and any copies of it, as well as any support or other document containing any personal data. This is without prejudice to the right of Qustodio to continue to process User Data where such data is being processed by Qustodio or for the defense of its legal interests.

 

Appendix 1

Details of Processing

Categories of Data Subjects

Users of the Devices which are monitored by Qustodio. Third parties who interact with the users of such devices.

Type of personal data

All data collected by such devices, including identification and contact data, Internet browsing and content viewing data, behavioural data,

List of third parties accessing the User Data

  • Amazon Inc. provides Qustodio the service of data hosting outside the European Economic Area (USA).
  • ZenDesk Inc. provides Qustodio with support services outside the European Economic Area (USA).
  • The third parties indicated in section A.3 for the provision of their services.

Date: 06/07/2021