DATA PRIVACY POLICY
This section describes how Megaventory collects, uses, and discloses information obtained about users from its websites, services and other software.
1. Data Protection Officer (DPO)
Megaventory has a dedicated data protection officer (“DPO”). The DPO can be contacted at the compliance@megaventory.com email address.
2. Processed Data
2.1. Definitions
Megaventory stores in its databases
· data provided by clients about themselves and also
· data provided by clients about their customers, suppliers and other relevant entities (collectively referred to as client entities).
Client can refer to prospective, current and past clients. In particular,
· a prospective client is a client of Megaventory in non-paying trial status (evaluating the software)
· a current client is a client of Megaventory in paying status (has purchased the software either in subscription or any other mode)
· a past client is a former prospective or a former current client.
Data are recorded either by client submission or by automatic saving performed by Megaventory.
Each data point is allocated a risk level - either Risk or High Risk.
These data may be shared with
· Third party tools employed by Megaventory
· Members of the Megaventory Partner Network. In particular, the Partner associated with a customer may choose to have access to that customer’s data and only that customer’s data.
2.2. The Data Processed by Megaventory
The data recorded which are requested by Megaventory, refer to the clients themselves and are entered by themselves can include:
· Company name [Risk]
· Address details [High Risk]
· Tax identification number [High Risk]
· Phone [High Risk]
· Logo [Risk]
· Signup email (collected at the initial signup form; it is the same as the administrator user email) [High Risk]
· Admin Password [High Risk]
· Employee details [High Risk]
o Username [Risk]
o Password [High Risk]
o Company email [High Risk]
The data recorded which are automatically saved by Megaventory and refer to the clients themselves are:
· Employee activity logs [Risk]
o Username [Risk]
o Activity date and time [Risk]
o Activity type (insert data, edit data, delete data, backup data, log in, log out) [Risk]
o Event Type (which data entity edited, user activity, database operation) [Risk]
o Activity origin (Site, API, file upload) [Risk]
The data recorded which are requested by Megaventory, refer to the client’s entities and are entered by the clients can include:
· Customers [High Risk]
o Physical or Company name [High Risk]
o Address details [High Risk]
o Tax identification number [High Risk]
o Phone [High Risk]
o Email [High Risk]
· Suppliers [High Risk]
o Physical or Company name [High Risk]
o Address details [High Risk]
o Tax identification number [High Risk]
o Phone [High Risk]
o Email [High Risk]
· Contacts
o Physical or Company name [High Risk]
o Address details [High Risk]
o Tax identification number [High Risk]
o Phone [High Risk]
o Email [High Risk]
o Supplier or a Client association [Risk]
· Shipping Providers [Risk]
o Name [Risk]
· Purchase Records (Orders and Documents) [Risk]
o Physical or Company name of Supplier [Risk]
o One or more Addresses of Supplier [Risk]
o Contact name of Supplier [Risk]
· Sell Records (Orders and Documents) [Risk]
o Physical or Company name of Customer [Risk]
o One or more Addresses of Customer [Risk]
o Contact name of Customer [Risk]
Note:
· The information stored in cookies by Megaventory itself is anonymous and documents only the session number and certain preferences regarding presentation of filtered results (such as columns displayed, type of sorting enabled, etc).
· No IP address is stored by Megaventory itself.
2.3. The Data Location
The company data are located in dedicated and exclusively owned and used server hardware in Germany at the premises of Hetzner Online GmbH. In particular, Megaventory’s server is in the data center NBG1-DC2 in Nuremberg.
Data accessed by Megaventory employees are saved locally on company employees’ computers upon access in the form of cookies and/or browser cache memory records.
2.4. People with Access to the Data
All employees, in-house freelance contractors and in-house interns of Megaventory have full access to the Processed Data stored by Megaventory only.
Members of the Megaventory Partner Program may choose to have full access to the Processed Data of their clients stored by Megaventory and in agreement with them.
2.5. Legal Basis on which Megaventory holds the Data
The data of prospective Megaventory clients are retained on the basis of the contractual obligation between Megaventory and the client so as to allow such clients to fully evaluate all aspects of the Megaventory software.
The data of current Megaventory clients are retained on the basis of contractual obligation between Megaventory and the client so as to allow such clients to fully access all aspects of the Megaventory software for their everyday use as well as less common scenarios.
The data of former Megaventory clients are deleted three (3) months after the respective account expires. The client can also delete all their data at any point, including just before cancelling their subscription. The data of former Megaventory clients are retained on the basis of contractual obligation between Megaventory and the client so as to allow such clients to resume using their account.
The following data of prospective, current and former Megaventory clients are retained indefinitely by Megaventory:
· the Physical or Company name (if it was disclosed)
· the email they signed up with
· a record of their past invoices of payment to Megaventory (if any were issued)
· their browser referral link (if it was successfully tracked)
These data are retained in case of legal or financial dispute between Megaventory and the client and with the aim of protecting Megaventory’s legal interests.
2.6. Data Storage Expiry and Deletion
The Processed Data are retained for three (3) months after the expiry of the client account, whether it was a paid or free trial account. During that period of three months the data are available in read-only mode.
The databases of accounts which are expired for more than 3 months are deleted.
The Processed Data can also be removed by the clients themselves at any time whenever they perform a Full Reset on their database.
In both of the above cases, following the deletion, everything in their database is removed apart from the client data below, which are retained by Megaventory:
· the Physical or Company name (if it was disclosed)
· the email they signed up with
· a record of their past invoices of payment to Megaventory (if any were issued)
· their browser referral link (if it was successfully tracked)
2.7. Other Data Uses
The Processed Data are also used for the following messaging purposes. In particular they are used to:
· proactively and reactively inform all clients and their employees about new Megaventory features.
· invoice current clients for Megaventory usage
· provide support to prospective and current clients
· educate prospective and current clients about how Megaventory operates
All the above uses are in place out of Megaventory’s contractual obligations with the clients so as to properly offer the Megaventory service to the clients.
Processed Data are also used for analytics purposes to identify patterns which enable the improvement of the software solution provided by Megaventory. All client data are processed within the tools available in Section 5.3.
Such data are typically anonymized before further processing in this context so whenever user information is handled it is in aggregate. As such, these analytics processes pose no threat to the clients’ privacy.
In certain cases, it is necessary for analytics purposes to handle such data from individual accounts, i.e. not in aggregate form. In such cases, no anonymization is possible but the personal client information is not included in any analysis.
3. Third-Party Data
3.1. Stored Data in Third-Party Apps and their Lifecycle
3.1.1 Third-party Apps
Megaventory uses a number of third party services and products - some are purely web-based while others combine web with offline components.
The ones Megaventory uses and shares client data with are the following:
· Stripe.com
· Intercom.com
· Analytics.google.com
· ScheduleOnce.com
· Inlinemanual.com
· Hetzner.de
· Fastmail.com
· Mailchimp.com
· Facebook.com
3.1.2. Data Lifecycle in Third-Party Apps and Services
The Processed Data are used as follows by the third-party apps below:
1. Stripe.com
Data set:
At a minimum, the data transferred are
· the client's e-mail
· the client's payment amounts for Megaventory service,
· the client's credit card information (name, number, expiry date, CVV number)
For more complete and up-to-date information refer to: https://stripe.com/dpa/legal
Data path:
The transfer takes place whenever a client subscribes to Megaventory. The above information can also be transferred to Stripe whenever edited by the client and irrespective of a payment or subscription taking place.
The data are entered in the Megaventory interface in a form generated and provided by Stripe. Note that the above information is not stored in Megaventory nor is it processed by it other than to pass it to Stripe.
Usage:
The data are required to be transferred to Stripe so that it can process the client’s payment to Megaventory.
Compromise Assessment:
High Risk
Data location:
Personal Data may be stored and processed in any country where Stripe does business or Stripe’s service providers do business.
For reference: https://stripe.com/privacy#international-data-transfers
Contract:
https://stripe.com/dpa/legal
GDPR Compliance:
For reference: https://stripe.com/privacy
Stripe has been certified to the EU-U.S. and Swiss-U.S. Privacy Shield. Please find Stripe’s certification at https://www.privacyshield.gov/participant?id=a2zt0000000TQOUAA4&status=Active.
Data Protection Officer:
For reference: https://support.stripe.com/questions/data-protection-officer
Right to be forgotten:
Users can request their data be removed from Stripe 3 years after last charge. For such requests contact compliance@megaventory.com
2. Intercom.com
Data set:
Client data kept in Intercom may include:
· Conversations Megaventory staff have exchanged in writing with clients
· Contact details such as name, email, phone, Skype id, job title, timezone, social media accounts
· Application access details such as last location, time of first and last seen, of last outbound and inbound contact, of app sign up and number of app sessions
· Browser details such as brand, version, OS, language setting, referral link
· Email notification statuses like unsubscriber, marked as spam, hard bounce etc
· Megaventory billing-related data such as number of users, monthly spend, account expiry date, account email
· Megaventory account data such as number of suppliers, customers, transactions, locations, etc
Data path:
The various types of data are transferred into Intercom as follows:
· Conversations are initiated via a chat application or via email by clients or Megaventory staff. In all cases, a record is kept in Intercom including subsequent replies
· Contact details are either entered by clients themselves, inserted manually by Megaventory staff or automatically populated via Intercom itself
· Application access details are automatically populated via Intercom itself
· Browser details are automatically populated via Intercom itself
· Email notification statuses are automatically populated via Intercom itself
· Megaventory billing-related data are passed by the Megaventory application to Intercom
· Megaventory account data are passed by the Megaventory application to Intercom
Usage:
The various types of data are used as follows:
· Conversations build a historical record of the information passed between the client and Megaventory enabling comprehensive support but also protecting both sides’ interests.
· Contact details allow for seamless communication from Megaventory to the client, especially in cases of critical and/or emergency notifications
· Application access details contribute significantly to Megaventory staff confirming a healthy usage of the application and intervening when that’s not the case to help and correct mistakes.
· Browser details allow for more efficient and faster support in technical issues
· Email notification statuses allow Megaventory staff to ensure only those opting in communication receive non-critical notifications while also making sure critical notifications reach all Megaventory clients.
· Megaventory billing-related data allow for more efficient and faster support in financial disputes and related troubleshooting.
· Megaventory account data allow for more efficient and faster support in business logic questions raised by the customer.
Compromise Assessment:
High Risk
Data location:
All Intercom infrastructure is spread across 3 AWS data centers (availability zones). Amazon does not disclose the location of its data centers. AWS is Privacy Shield certified, so data transfers from the European Economic Area (EEA) are covered by AWS Privacy Shield certifications.
For reference: https://www.intercom.com/legal/security-policy
Contract:
For reference: https://www.intercom.com/legal/service-level-agreement
GDPR Compliance:
Intercom’s privacy policy includes the EU-US and Swiss-US Privacy Shield Policy.
For reference: https://www.intercom.com/legal/privacy
Data Protection Officer:
The Intercom DPO is available at compliance@intercom.com
For reference: https://www.intercom.com/help/en/articles/1689224-how-to-contact-us-with-data-queries
Right to be forgotten:
Users can request their data be removed from Intercom 3 years after their last Megaventory access. For such requests contact compliance@megaventory.com
3. Analytics.google.com
Data set:
Client data passed into Google Analytics directly from Megaventory may include:
· Time of visit
· Pages visited
· Referring site details (such as the URI a user came through to arrive at this site)
· How visitors progress through the site
· How visitors interact with elements on the site (e.g. click, scroll, etc)
· How long visitors spend on the site
· At what stage of a visit users leave the site
· Type of visitor web browser
· Type of visitor operating system
For a more complete list refer to: https://developers.google.com/analytics/resources/concepts/gaConceptsTrackingOverview
Additional Megaventory-specific client data passed into Google Analytics from Megaventory may include:
· Anonymous user-id
· User type (paying vs non-paying user)
· Plan (Megaventory tier if user is paying)
· Monthly spend (if user is paying)
· People (number of users in the account if user is paying)
· Payments (number of users in the account if user is paying)
Data path:
Upon a visitor loading the Megaventory site for the first time, a consent prompt requests permission for the Google Analytics cookie to be saved in the visitor’s browser. If permission is given, the above non-Megaventory-specific data are captured and sent to Google Analytics.
If the visitor proceeds to sign up to start a trial account and / or subscribe to a paying tier, the Megaventory-specific client data is also passed into Google Analytics.
If no consent is provided, no information is captured and sent to Google Analytics.
Usage:
The anonymized data stored are used in aggregate to improve upon how the information is served by the Megaventory website and application to the visitors.
Such optimizations may include
· technical improvements such as reducing loading times
· informational adjustments such as offering content that is most helpful to users and
· commercial such as implementing new application features to enrich the user offering
Compromise Assessment:
Risk
Data location:
There are multiple data centers globally. For more information refer here: https://www.google.com/about/datacenters/locations/
Contract:
For reference: https://marketingplatform.google.com/about/analytics/terms/us/
Data Protection Officer:
Emil Ochotta is the Data Protection Officer of Google LLC and its subsidiaries. For reference: https://cloud.google.com/security/gdpr#tab6
Right to be forgotten:
Users can request their data be removed from Google Analytics. For such requests contact compliance@megaventory.com
4. ScheduleOnce.com
Data set:
Client data passed into Schedule Once directly from Megaventory may include:
· Name
· Phone
· Timezone
Data path:
Users enter the above data in the form they use to schedule a call with Megaventory Inc.
Usage:
The information requested is the absolute minimum to schedule a call with existing and potential clients.
Compromise Assessment:
Risk
Data location:
The ScheduleOnce data are hosted on Microsoft Azure and Amazon AWS data centers hosted in the USA. For reference, see here: https://www.oncehub.com/trustcenter/security
Contract:
For reference, see here: https://www.oncehub.com/trustcenter/legal/msa?hsLang=en and here:
https://www.oncehub.com/trustcenter/legal/dpa?hsLang=en
Data Protection Officer:
The appointed person may be reached at privacyoffice@oncehub.com
Right to be forgotten:
Users can request their data be removed from ScheduleOnce. For such requests contact compliance@megaventory.com
5. Inlinemanual.com
Data set:
Client data passed into InlineManual may include general information such as:
· Cookies
· Usage Data
· Company
· Email address
· Username
Client data may also optionally include Inline Manual Analytics data such as:
· IP address
· Browser headers
· Timestamp
· URL location
· Inline Manual related data:
o Topic start/end
o Step shown
o Search keywords
o Events
Client data may also optionally include Inline Manual Segmentation data such as:
· Roles
· Group
· Plan
· Created
· Updated
· Custom fields/data
For reference see: https://inlinemanual.com/legal/privacy/
Data path:
If a Megaventory visitor proceeds to sign up to start a trial account, the above client data is passed into InlineManual.
No information is transferred to InlineManual for non-logged-in visitors.
Usage:
The data stored are used in aggregate to improve upon how the information is served by the Megaventory website and application to the visitors.
Such optimizations may include
· technical improvements such as reducing loading times
· informational adjustments such as offering content that is most helpful to users and
· commercial such as implementing new application features to enrich the user offering
Compromise Assessment:
Risk
Contract:
For reference see here: https://inlinemanual.com/legal/terms-of-service/ and here: https://inlinemanual.com/legal/privacy/
Data Protection Officer:
For reference, please contact: support@inlinemanual.com
6. Hetzner.de
Data set:
Hetzner is the hosting company for the physical servers of Megaventory.
Compromise Assessment:
High Risk
Data location:
Germany
Contract:
For reference see here: https://www.hetzner.com/rechtliches/agb/ and here: https://www.hetzner.com/rechtliches/datenschutz/?country=mt
Data Protection Officer:
Margit Müller is the data protection officer, data-protection@hetzner.com.
7. Fastmail.com
Data set:
Fastmail is the webmail host of Megaventory. Client data kept in Fastmail include all the conversations Megaventory staff exchange in writing with clients.
Data path:
Any email sent to Megaventory employee addresses as well as role-based addresses is transferred in full to Fastmail (including header and content of the email exchange).
Usage:
Fastmail is the core method of communication with Megaventory clients.
Compromise Assessment:
High Risk
Data location:
Fastmail servers are located in the USA. For reference check here: https://www.fastmail.help/hc/en-us/articles/1500000280221
Contract:
For reference check here: https://www.fastmail.com/about/privacy/ and here: https://www.fastmail.com/about/dpa/
Data Protection Officer:
The Data Protection Officer can be contacted at dataprotection@fastmailteam.com.
8. Mailchimp.com
Data set:
Client data kept in Mailchimp may include:
· Information directly entered by clients such as name, email address, address, or telephone number.
· Information automatically collected by Mailchimp itself such as IP address, operating system, browser ID, and other information about the connection. Also usage data may be collected such as email campaigns accessed, app browsing activity, email deliverability etc.
· Information automatically collected by Mailchimp from other sources such as social media platforms.
For reference: https://mailchimp.com/legal/privacy/#1._The_Basics
Data path:
The client data is manually entered by the clients themselves in the Megaventory homepage only.
Usage:
The email of the visitors is used to communicate new features and other marketing information to those who have expressly given their permission to Megaventory to follow up with them.
Compromise Assessment:
Risk
Data location:
Mailchimp data centers are located around the United States. For reference: https://mailchimp.com/about/security/
Contract:
For reference check here: https://mailchimp.com/legal/ and here: https://mailchimp.com/legal/data-processing-addendum/
GDPR Compliance:
Mailchimp is certified with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks to protect EEA, UK, and Swiss data in compliance with the Privacy Shield Principles. The Privacy Shield certification is available here: https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active
Data Protection Officer:
Please contact dpo@mailchimp.com
Right to be forgotten:
Users can request their data be removed from Mailchimp. For such requests contact compliance@megaventory.com
9. Facebook.com
Data set:
Facebook collects a broad range of data. For reference see here: https://www.facebook.com/about/privacy/update
Data path:
Upon a visitor loading the Megaventory site for the first time, a consent prompt requests permission for the Facebook cookie to be saved in the visitor’s browser. If permission is given, the above non-Megaventory-specific data are captured and sent to Facebook.
If no consent is provided, no information is captured and sent to Facebook.
Usage:
Facebook features such as Boosted Posts are used to communicate new features and other marketing information to those who have expressly given their permission to Megaventory to pass their information to Facebook.
Compromise Assessment:
Risk
Data location:
Facebook operates a global infrastructure and processes data in both EU and US-based servers.
Contract:
For reference see here: https://www.facebook.com/business/gdpr
GDPR Compliance:
Facebook, Inc. (“Facebook”) has certified to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. See more here: https://www.privacyshield.gov/EU-US-Framework
Data Protection Officer:
To submit a request to the Facebook Data Protection Officer (DPO), please complete this form: https://www.facebook.com/help/contact/540977946302970