Privacy Policy
This Privacy Policy was updated in March 2025
1. Link to Third-Party Websites
This privacy policy (“Privacy Policy”) specifies how ThingsRecon B.V. (hereinafter referred to as “ThingsRecon”, "we", "us", "our") processes personal data in the context of our software-as-a-service (SaaS) external attack discovery platform solution (“Solution”) and our website <thingsrecon.com> (the “Website”).
2. Who is responsible for the processing of your personal data?
ThingsRecon is responsible for the processing of personal data as outlined in this Privacy Policy. ThingsRecon therefore acts as data controller within the General Data Protection Regulation (“GDPR”). The Website is owned and operated by ThingsRecon.
3. Which personal data do we process?
In providing the Website, our Solution and in relation to applicants, we may process the following personal data:
Personal data of whom?: Website visitors
Types of personal data:
Data you submit through the contact form on our Website:
- First- and last name;
- Contact information (e.g. email address and phone number);
- Your message to us;
- Data collected through cookies as specified in the Cookie Statement.
Purpose (see below): 2, 3, 6, 7, 8, 9

Personal data of whom?: (Employees of) customers that use our Solution
Types of personal data:
Data required to enter into a contract with the customer, for the use of our Solution by the customer and data generated when using our application, i.e.:
- First and last name;
- Contact information (e.g. (company) email address and (company) phone number);
- IP address;
- Cookie ID;
- Location data;
- Login and password.
Data used for marketing purposes if you consented to it being processed:
- First and last name;
- Contact information (e.g. (company) email address, (company) phone number, position);
- Comments.
Purpose (see below): 1, 2, 4, 5, 7, 8, 9

Personal data of whom?: Job applicants
Types of personal data:
Data required to process an application and to contact a job applicant after the application, i.e.:
- First and last name;
- Contact information (e.g. email address and phone number);
- Branch/position;
- Resume;
- Motivation letter.
Purpose (see below): 6, 8, 9
4. What are the purposes and legal grounds of processing?
We may only process your personal data if we have a valid legal ground to do so. The GDPR specifically states these legal grounds. In the case of ThingsRecon these are usually: performance of a contract, legitimate interest, compliance with a legal obligation and sometimes consent.
We process personal data of customers with contracts primarily for the purpose of providing our Solution on the basis of performance of a contract or our legitimate interests to conduct a normal business.
We will only process personal data based on legitimate interest if our interests outweigh the privacy interests of the person to whom the data relates. In that case, the legitimate interests of ThingsRecon correspond to the purposes set out below. For further information on the balancing of interests in a specific case, please contact us using the contact details at the bottom of this Privacy Policy. It may also be the case that ThingsRecon has to process personal data to comply with an applicable legal obligation, for example to meet applicable minimum retention periods.
It may also be necessary in exceptional cases to process personal data to protect someone's vital interests. This may be the case, for example, in the unlikely event that someone falls unconscious at the ThingsRecon office and health data must be provided to a care provider. If ThingsRecon cannot rely on one of the aforementioned bases, consent must be obtained for the processing of personal data.
ThingsRecon will inform you in a specific situation if providing personal data is a legal or contractual obligation or necessary condition for entering into an agreement. It will also inform you of the possible consequences of not providing the data.
ThingsRecon processes the personal data included in subsection 3 for the following purposes and on the basis of the relating legal grounds:
| # | Purpose | Legal ground |
|---|---------|--------------|
| 1 | To enter into and for the performance of agreements, with regard to our Solution. | Performance of contract (Article 6(1)(b) GDPR) |
| 2 | To offer, maintain, secure and improve the Website and our Solution. | Legitimate interest (Article 6(1)(f) GDPR) |
| 3 | To have and maintain contact with you, for example, through our contact form and to provide customer support. | Legitimate interest (Article 6(1)(f) GDPR) |
| 4 | To establish and maintain contact with (potential) customers and (potential) other business relations. | Legitimate interest (Article 6(1)(f) GDPR) |
| 5 | Internal business and management operations, for example financial processing. | Legitimate interest (Article 6(1)(f) GDPR); legal obligation (Article 6(1)(c) GDPR) |
| 6 | To assess whether you are a viable candidate for our company and to further process the application. | Performance of contract (Article 6(1)(b) GDPR); legitimate interest (Article 6(1)(f) GDPR); we only request consent to keep your personal data for a longer period |
| 7 | Marketing activities, including social media and our newsletter. | Consent (Article 6(1)(a) GDPR) |
| 8 | To establish, exercise and defend our rights. | Legitimate interest (Article 6(1)(f) GDPR) |
| 9 | To comply with applicable laws and regulations or an injunction or request from authorized regulators or other government agencies. | Comply with a legal obligation (Article 6(1)(c) GDPR); legitimate interest (Article 6(1)(f) GDPR) |
5. How do we obtain your personal data?
We obtain your personal data in various ways:
- Provided by you. Some personal data we receive straight from you. For example, if you fill out a contact form on the Website or if you apply for a job position.
- Through the use of the Website or our Solution. For example, we may process your IP address or data about your use of our application (log data). Sometimes we process personal data not on our own initiative, but to comply with a legal obligation incumbent on us. This is the case, for example, when we retain personal data for a longer period in order to comply with a legal retention obligation.
- Obtained from third parties. We could also obtain personal data about you from other persons or external parties. In principle, we only make use of this possibility in two scenarios:
  - Website visitors: we may receive information about you from third parties, in the context of the cookies and similar technologies we use. Further information on this is included in our Cookie Statement.
  - Applicants: we may obtain information from a referral included by you in your application.
- Derived. Certain personal data we do not receive directly, but can be derived from the information already in our possession. For example, information about your preferences and interests.
- Public sources. We may also receive personal data through public sources, such as information from a public LinkedIn profile or a website.
6. Under which circumstances and with whom do we share your personal data?
We only share your personal data with third parties if:
- This is necessary for the provision of a service or the involvement of the third party. Sub-contractors, for example, will in principle only get access to the personal data that they require for their part of the service provision.
- The persons within the third party that have access to the personal data are under an obligation to treat the personal data confidentially. Where necessary this is also contractually agreed upon.
- The third party is obliged to comply with the applicable regulations for the protection of personal data, for instance because we have concluded an agreement with this party. This includes that the party is obliged to ensure appropriate technical and organizational security measures, and that any transfer of personal data to countries outside the European Economic Area (“EEA”) is adequately legitimized.
We could share your personal data on a need-to-know basis with the parties mentioned below. In this context, "need-to-know" means that a party only gets access to personal data if and insofar as this is required for the professional service provided by this party.
- Authorized persons, employed by ThingsRecon, who are involved with the processing activity concerned, such as the members of the customer support team you are in contact with.
- Authorized persons, employed by service providers / sub-contractors engaged by ThingsRecon, who are involved with the processing activity concerned.
- Authorized persons, employed by parties in the private sector with whom we may share certain personal data.
- Authorized government institutions, such as courts, police, and law enforcement agencies. We may release information about our Website visitors, including IP address, when legally required to do so, at the request of governmental institutions conducting an investigation or to verify or enforce compliance with the policies governing our Website and applicable laws. We may also disclose such user information whenever we believe disclosure is necessary to protect the rights, property or safety of ThingsRecon, or any of our respective business partners, customers or others.
- Aggregate Information. We may also disclose non-identifying, aggregated user statistics to third parties for a variety of purposes, including describing our Solution to prospective partners and other third parties. Examples of such non-personal data include the number of users who visited the Website during a specific time period.
- Mergers and acquisitions. We may transfer or provide your personal data to a buyer or potential buyer in the event of a merger or acquisition (potential or prospective) of all or part of our business or assets. In the event of such a transfer, we will take all steps reasonably expected of us to ensure that the receiving party processes your information in accordance with this Privacy Policy.
7. To which countries do we transfer your personal data?
If necessary, we may transfer personal data to third parties (e.g. our cloud service provider) located outside the EEA.
Transfers outside the EEA. The transfer of personal data to a third party outside the EEA can in the first place be legitimized based on an adequacy decision of the European Commission, in which it is decided that the (part within the) third country in question ensures an adequate level of data protection. On the website of the European Commission, you can find an overview of the adequacy decisions that have been taken.
If personal data is transferred to a country outside the EEA for which there is no adequacy decision, we agree on the applicability of the relevant version of the Standard Contractual Clauses with the relevant party. This is a standard contract to safeguard the protection of personal data, which is approved by the European Commission, in which the parties fill out the appendices. Where appropriate, additional safeguards are taken.
You can contact us if you want additional information about the way in which we legitimize the transfer of personal data to countries outside the EEA. Our contact details are stated at the bottom of this Privacy Policy.
8. How do we protect your personal data?
Protecting your privacy and personal data is very important to us. Therefore, ThingsRecon has implemented appropriate technical and organizational measures to protect and secure the personal data we process, in order to prevent violations of the confidentiality, integrity and availability of data.
ThingsRecon has internal processes according to which we safeguard an appropriate level of technical and organisational security. That includes ensuring only authorised personnel have access to that personal data and taking reasonable steps to prevent data breaches.
9. What are your privacy rights?
In relation to the processing of your personal data by ThingsRecon, you have the following privacy rights:
- Right of access. This concerns the right to request access to your personal data. This enables you to receive a copy of the data we hold about you (but not necessarily the files themselves). We will then also provide further specifics of our processing of the personal data. For example, the purposes for which we process the data, where we got it from, and with whom we share it.
- Right to rectification. This concerns the right to request rectification of the data that we hold about you. This enables you to have any incomplete or inaccurate data corrected.
- Right to erasure. This concerns the right to request erasure of the data. This enables you to ask us to delete or remove personal data where: (i) the data is no longer necessary, (ii) the processing activities have been objected to, (iii) the data has been unlawfully processed, (iv) the data has to be erased on the basis of a legal requirement, or (v) where the data has been collected in relation to the offering of information society services. However, we do not have to honour such a request in all cases.
- Right to object. This concerns the right to object to the processing of personal data where we are relying on legitimate interest as processing ground (see above). Insofar as the processing of the data takes place for direct marketing purposes, we will always honour an objection. For processing for other purposes, we will also cease and desist processing, unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms or that are, for example, related to the institution, exercise or substantiation of a legal claim. If such is the case, we will inform you of our compelling interests and the balance of interests made.
- Right to restriction. The right to restriction of processing means that ThingsRecon will continue to store personal data at your request but may in principle not do anything further with it. In short, this right can be exercised when ThingsRecon does not have (or no longer has) any legal grounds for the processing of the data or if this is under discussion.
- Automated decision-making. This concerns the right not to be subject to a decision based solely on automated processing, which significantly impacts you. In this respect, please be informed that when processing your data, we do not make use of automated decision-making.
- Right to withdraw consent. This concerns the right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- Right to lodge a complaint. This concerns the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or where an alleged infringement took place. Please refer to the website of the European Data Protection Board (“EDPB”) for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with any concerns before the supervisory authority is approached, so please contact us beforehand.
10. How to exercise your privacy rights?
You can exercise the privacy rights above free of charge by e-mail via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we have the right to either charge a reasonable fee or refuse to comply with the request. In addition, we may request specific information to help us confirm your identity before we further respond to a privacy request. Finally, we will provide information about the follow-up of the request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months.
11. How long do we keep your personal data?
In general, ThingsRecon does not keep personal data for longer than is necessary in relation to the purposes for which we process the personal data. There could, however, be exceptions applicable to the general retention terms. In view hereof, shorter retention periods could apply: if an individual exercises certain privacy rights, it is possible that we retain it for a shorter period of time. Longer retention periods could also apply. In certain situations, we process personal data of individuals for a longer period of time than what is necessary for the purpose of the processing. This is for instance the case when we have to process personal data for a longer period of time:
- Retention obligation - to comply with a minimum retention period or other legal obligation to which ThingsRecon is subject based on EU law or the law of an EU member state;
- Procedure - personal data which is necessary in relation to a legal procedure;
- Freedom of expression - when further processing of personal data is necessary in order to exercise the right to freedom of expression and information.
- Consent - for example, with the job applicant's consent, we retain their data for one year as of finalization of the application procedure instead of 4 weeks.
12. Contact information
If you have any questions regarding this Privacy Policy, or data collection by ThingsRecon in particular, please contact us at privacy@thingsrecon.com or by using the contact information below:
ThingsRecon B.V.
Herengracht 346G
1016 CG Amsterdam
The Netherlands
13. Changes to this Privacy Policy
Occasionally, we may need to update or change this Privacy Policy. In case of important changes, we will inform you in an appropriate manner and ask you to take note of the changes made. The latest version of the Privacy Policy is always available on our Website.