Published: 18 October 2019
GENERAL
eXtensi can refer to eXtensi Chudziński Jędryka s.p. j., ul. Rysia 1A / 362, Wrocław, 53-656, Poland, VAT No. PL8943146425, KRS 0000807163,
eXtensi is responsible for the processing of your personal data (the Controller). However, eXtensi may also be processing your personal data in the capacity of a Processor, as further described in the “eXtensi as Processor” section below.
This Privacy Policy applies to visitors to our public websites or the end-user of our public service or the end-user of our product or the legal entity who is the licensee or the user of our product or service — as the case may be. This Privacy Policy describes which of your personal data eXtensi processes, for what purposes and how such data are processed.
By using or registering for any of eXtensi services or products you consent to collecting, transferring, processing, storing and disclosing data and to other uses described in this Privacy Policy. If you disagree with any statement in this Privacy Policy you will need to stop using eXtensi services or products.
eXtensi respects the privacy of users and customers and does not disclose any of the collected personal information. eXtensi may use the collected information to improve its services. Any data provided by users or customers are used only for the purposes indicated within this Privacy Policy. With the exceptions listed below, eXtensi will never disclose any personal information including email address to any third-party.
eXtensi AS A CONTROLLER (Collection of your Personal Data)
This section of the Privacy Policy applies to the information we obtain through your use of our websites or when you otherwise interact with eXtensi representatives or our services or products.
Your rights as a data subject explained
Right of access: You have the right to obtain from us information as to whether we are processing your personal data, and where that is the case, access the personal data and information regarding the processing, for example the purposes of processing and categories of personal data concerned.
Right to rectification: If you believe we store incorrect information about you, you can request that we correct or supplement your data.
Right to erasure: You have the right to request that we delete your personal data. You can make such a request if for example you believe that we no longer need to keep your personal data to fulfil our purposes of processing such information, or if you have withdrawn your consent for us to further use your personal data.
Right to restriction of processing: You have the right to require that we temporarily suspend all our processing of your personal data with the exception of storing them. You can exercise this right if for example we do not agree if your personal data are accurate, or you believe our processing of your personal data is unlawful.
Right to object: You have the right to object at any time to the processing of personal data concerning you, including marketing activities.
You may opt out of receiving promotional communications from eXtensi by using the unsubscribe link within each email or by emailing us to have your contact information removed from our promotional email list or registration database. Although opt-out requests are usually processed immediately, please allow ten (10) business days for a removal request to be processed.
Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance, where our processing is based on your consent or on a contract and where the processing is carried out by automated means.
Right to lodge a complaint with a supervisory authority: If you are not satisfied with the way eXtensi processes your personal data or responds to your application or request, you have the right to lodge a complaint with a supervisory authority.
PROCESSING OF CUSTOMER AND CONTRACTOR PERSONAL DATA
The administrator of personal data provided in connection with starting collaboration with us, in accordance with the master agreement under which you started the collaboration, is eXtensi Chudziński Jędryka s.p. j., ul. Rysia 1A / 362, Wrocław, 53-656, Poland, VAT No. PL8943146425, KRS 0000807163
Personal data are processed for the purpose of performance under the agreement entered into, for tax or settlement purposes, as well as for direct marketing of our own products and services. Contact information is recorded so that we are able to contact you to inform you of offerings, best practices as well as provide marketing information about our services and products. We may also contact you or your employees via given contact information with request to provide feedback or product requests. Contact information is also stored to provide support, answer your questions or handle issues.
Data are provided to the administrator voluntarily and their processing is conducted on the basis of an agreement, therefore, if you refuse to provide the data, no agreement will able to be concluded or executed.
Personal data will be processed solely for the purposes indicated above and for the period of performance under the agreement; after termination of the agreement, the data will be processed until the expiry of the period of limitation for reciprocal claims and the period of storing of settlement documents required by law.
Personal data will not be disclosed to any other entities save for those entities commissioned by the Administrator to process such data for the purpose of proper handling of the collaboration processes. However, such entities process the data on the basis of an agreement concluded with the Administrator and solely as instructed by the Administrator, and may not use personal data for other purposes. We work with third party service providers to provide website, application development, hosting, maintenance, back-up, storage, virtual infrastructure, payment processing, analysis and other services for us. These service providers may have access to or process your information for the purpose of providing those services for us. Please be aware that you are providing your Information to these third parties acting on behalf of eXtensi. Therefore, personal data may be transferred to a third country on the basis of standard data protection clauses adopted or accepted by the European Commission.
Personal data will not be used for automated decision-making processes, including profiling.
Each person whose personal data are processed has the right of access, demand rectification, erasure or restriction of processing of personal data, the right to object processing of personal data, the right to transfer personal data, and the right to lodge a complaint with a supervisory authority.
In case of products, in all cases connected with processing personal data by the Administrator, including information about adequate safeguards on protection of personal data applied in connection with providing personal data, please contact the Data Protection Officer at the e-mail address: support@extensi.io.
- Who is the administrator of my personal data?
- For what purposes are my personal data processed?
- What is the legal basis for processing my personal data? Is providing the data voluntary? What are the consequences of failure to provide the data?
- How long will my data be processed?
- To whom do we disclose personal data? Are the data transferred outside the European Economic Area?
- Do we automatically process or profile the data?
- What are my rights in connection with processing my personal data?
- Whom can I contact about processing my personal data?
PROCESSING OF CANDIDATE PERSONAL DATA
The administrator of personal data provided in connection with the conducted recruitment processes, including the personal data contained in the enclosed application documents, in accordance with the application filed and consent granted, is eXtensi Chudziński Jędryka s.p. j., ul. Rysia 1A / 362, Wrocław, 53-656, Poland, VAT No. PL8943146425, KRS 0000807163, or in case of selecting two or three entities, these selected companies jointly as co-administrators.
Personal data are processed solely for the purpose of recruitment.
In the case of job application, data in the scope specified in the Labour Code – the Act of 26 June 1974 (Dz.U. [Polish Journal of Laws] of 1974 No. 24 item 141 as amended) and implementing acts are provided voluntarily and processed on the basis of the above-mentioned laws. Additional data in the application documents, as well as data provided when applying for a collaborator (a civil law contract) are provided voluntarily and processed on the basis of consent which may be withdrawn at any time without affecting the lawfulness of data processing carried out on the basis of the consent before its withdrawal. In both cases, participation in the recruitment process is impossible if the data are not provided.
Candidates’ data – their first and last name and the date of birth – will be processed for 18 months following the completion of the recruitment process in which a given candidate participated. This results from the recruitment policy adopted by our companies which excludes a candidate from participating in another recruitment process in less than 18 months. If a candidate voluntarily consents to participating in future recruitments, his or her personal data will be processed for 18 months following the completion of the recruitment processing which this candidate participated.
Personal data of candidates will not be disclosed to any other entities save for those entities commissioned by the Administrator/Co-Administrators to process such data for the purpose of proper handling of the recruitment processes, e.g. IT services providers. However, such entities process the data on the basis of an agreement concluded with the Administrator and solely as instructed by the Administrator, and may not use personal data for other purposes. Therefore, personal data may be transferred to a third country on the basis of standard data protection clauses adopted or accepted by the European Commission.
Personal data will not be used for automated decision-making processes, including profiling.
Each person whose personal data are processed has the right of access, demand rectification, erasure or restriction of processing of personal data, the right to object processing of personal data, the right to transfer personal data, and the right to lodge a complaint with a supervisory authority.
In all cases connected with processing personal data by the Administrator/Co-Administrators, including information about adequate safeguards on protection of personal data applied in connection with providing personal data, please contact the Data Protection Officer at the e-mail address: support@extensi.io.
- Who is the administrator of my personal data?
- For what purposes are my personal data processed?
- What is the legal basis for processing my personal data? Is providing the data voluntary? What are the consequences of failure to provide the data?
- How long will my data be processed?
- To whom do we disclose personal data? Are the data transferred outside the European Economic Area?
- Do we automatically process or profile the data?
- What are my rights in connection with processing my personal data?
- Whom can I contact about processing my personal data?
SUPPLEMENTARY INFORMATION ON PROCESSING PERSONAL DATA
We collect Information under the direction of our customers and often have no direct relationship with the individuals whose personal data we process. If you are providing information (including personal data) about someone else, you must have the authority to act for them in relation to the collection and use of their personal data as described in this Privacy Policy.
Web and product logs: Are gathered for the purpose to understand effectiveness of our website pages and usability of our products. We gather certain information and store it in log files when you interact with our websites or products. This information includes internet protocol (IP) addresses as well as browser type, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences.
Analytics Information: Are recorded for the purpose to understand effectiveness of our website pages and products. We collect analytics information when you use our websites or products to help us improve our products and services.
Product errors: eXtensi products have a mechanism which sends logs to our servers in the case of serious error detection. These data contain information on error details, information on the product structure at the moment of error occurrence. These data may also include SEN and Server ID for JIRA licenses, the first and last name (if the latter is provided) of a technical contact person of Users as well as their email address.
Mailing lists and privacy contact: If one consented for receiving marketing information via email, we may use the first and last names of users as well as email address to maintain mailing lists and send out product and marketing information. You can unsubscribe from product or marketing information by sending us notice to support@extensi.io
Cookies: We use cookies to improve and customise eXtensi websites and your experience and to understand which areas and features of the Websites are most popular. eXtensi may use cookies to collect information. Cookies are small data files stored on your hard drive or in your device memory. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. However, if you do not accept cookies, you may not be able to use all aspects of our Websites.
General Uses: We use the Information we collect about you (including personal data to the extent applicable) to provide, operate, maintain, improve, and promote our websites and products; to monitor and analyse trends, usage, and activities in connection with our websites; to investigate and prevent unauthorised access to our websites and other illegal activities.
The use of Information collected is limited to the purposes disclosed in this Privacy Policy.
Testimonials: We may display personal testimonials of satisfied customers on the eXtensi products. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at support@extensi.io
Compliance with Laws and Law Enforcement Requests; Protection of Our Rights: We may disclose your Information (including your personal data) to a third party if
(a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request,
(b) to enforce our agreements, policies and terms of service,
(c) to protect the security or integrity of our products and services,
(d) to protect eXtensi, our customers or the public from harm or illegal activities, or
(e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
For how long do we keep your personal data?
In general terms, we don’t keep your personal data longer than necessary for the purposes for which the personal data are processed. After such time, we will either delete or anonymise your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
SECURITY
eXtensi provides the following security statement with a promise to adhere to the highest effective industry standards. We implement appropriate technical safeguards as HTTPs and organizational measures to guard your personal data, however, no security system is impenetrable and due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers.
Data Storage
In relation to the Jira Cloud plugins' performance eXtensi does not store any critically vulnerable user or client data. Nevertheless due to the nature of Jira API we might store e.g. userKeys to provide product functionalities.
People and Access
Only authorized eXtensi employees have access to the application data. Jira Cloud plugins created by eXtensi are designed to allow application data to be accessible only with appropriate credentials. Users and clients are responsible for maintaining the security of their own login information.
Privacy
eXtensi understands the importance of ensuring privacy of the personally identifiable user and client information. We do not share any kind of private information regarding users or clients, nor their activity.
eXtensi AS A PROCESSOR
eXtensi provides services to various customers. If you are an end-user of eXtensi products as a customer, then eXtensi may be processing your personal data in the capacity of a Processor, in which case the customer (your employer/principal) acts as the Controller of your personal data processing. Our customers determine the purposes of personal data processing by adapting and configuring the products. Such processing carried out by eXtensi is regulated by data processing agreements with customers, whereby eXtensi only processes personal data on documented instructions from the Controller. If you have any questions or requests with respect to such processing, you should contact your employer/principal. If you are an employee of one of our customers and would no longer like us to process your information in connection with eXtensi services please contact your employer.
If you are a Controller and believe eXtensi is processing your personal data in the capacity of a Processor, you may request signing Model Data Processor Agreement for eXtensi Add-On Customers (DPA) as provided below in Addendum 1. In that case please let us know at support@extensi.io.
ADDENDUM: DATA PROCESSOR AGREEMENT
FOR eXtensi ADD-ON CUSTOMERS
This agreement regarding processing of personal data (the “Data Processor Agreement”) regulates eXtensi Chudziński Jędryka s.p. j., ul. Rysia 1A / 362, Wrocław, 53-656, Poland, VAT No. PL8943146425, KRS 0000807163 (the “Data Processor”) the processing of personal data on behalf of the customer (the “Data Controller”) and is attached as an addendum to the EULA in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.
The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
The purpose of processing under the EULA is the provision of the Services by the Data Processor as specified in the EULA. In connection with the Data Processor’s delivery of the Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.
”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are:
The Data Processor processes the following types of Personal Data in connection with its delivery of the Services under EULA:
- email, IP, name and surname, license number, Atlassian user key, user language, user browser information (browser, version, locale, operating system, user agent, timezone).
The Data Processor processes personal data about the following categories of data subjects on behalf of the Customer:
- Tech contacts, billing contacts, partners, end-users (e.g. customer employees using our applications or contacting us via the support channel)
The Data Processor only performs processing activities necessary and relevant to provide the Services. The categories and types of Personal Data processed by the Data Processor shall be updated whenever changes occur that require an update.
The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Services as described in the EULA.
The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller will be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which they were obtained.
The Data Processor will inform the Data Controller of any instruction deemed to be in violation of the Applicable Law and will not execute the instructions until they have been confirmed or modified.
Confidentiality
The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the EULA or DPA, unless the Data Controller has agreed to same in writing.
The Data Processor’s employees shall be subject to the confidentiality obligation to ensure that they treat all the Personal Data under this DPA with strict confidentiality.
Personal Data will only be made available to that personnel which require access to such Personal Data for the purpose of providing Services under EULA and this Data Processor Agreement.
Security
The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time to time provided that such updates and modifications do not result in degradation of the overall security. The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.
If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
Rights of the data subjects
If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.
Personal Data Breaches
The Data Processor shall give immediate notice to the Data Controller in the event of any breach which can lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed with reference to the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).
The Data Processor shall make reasonable efforts to identify the cause of such a breach and take such steps as are deemed necessary to establish the cause, and to prevent such a breach from reoccurring.
Documentation of compliance and Audit Rights
Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 90 days, and shall not be conducted more than once a year.
The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
Data Transfers
Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA), [for example, Amazon Web Services or Google Drive]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.
Sub-Processors
The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller via eXtensi website or e-mail, in-app notification about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.
In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.
The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.
The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.
The Data Processor is at the time of entering into this Data Processor Agreement using the Sub- Processors listed in sub-appendix A. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix A.
Remuneration and costs (Optional)
The Data Controller shall upon request remunerate the Data Processor based on the time spent to perform the obligations regarding ‘Data protection impact assessments and prior consultation’, ‘Rights of the data subjects’, ‘Personal Data Breaches’, and ‘Documentation of compliance and Audit Rights’ of this Data Processor Agreement based on the Data Processor’s hourly rates.
Limitation of Liability
The total aggregate liability towards the Customer, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the EULA.
Nothing in this DPA will relieve the processor of its own direct responsibilities and liabilities under the GDPR.
Duration
The Data Processor Agreement shall remain in force until the support service is provided under EULA.
Data Protection Officer
The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.
Termination
Following expiration or termination of the DPA, the Data Processor will delete the Data Controller’s all Personal Data in its possession except to the extent the Data Processor is required by the Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.
Contact
The contact information for the Data Processor is provided in the EULA.
Sub-appendix A
- APPROVED SUB-PROCESSORS
The following Sub-Processors shall be considered approved by the Data Controller:- Mailjet
- iFirma S.a.