1.0 What personal data do 24SO process?
2.0 Data processor and Data Controller
3.0 Why 24SO processes your personal data
4.0 Who owns and controls customer data?
5.0 How does 24SO use account information?
6.0 How does 24SO collect your personal data
7.0 What are my rights?
8.0 What if public authorities want to access your personal data
9.0 Where does 24SO process and store data?
10.0 Use of 3.parties services
11.0 How long does 24SO store data
13.0 California Privacy Rights
14.0 How to contact 24SO?
Scope and Purpose
As a customer of any 24SevenOffice Services (any service provisioned under the 24SevenOffice brand), your security is our top priority. In our Privacy Notice we will explain our policy concerning privacy and processing of personal data. This Privacy Notice will also include the individual’s right in accordance with the regulation under EU Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and the Norwegian "Lov om behandling av personopplysninger (personopplysningsloven)". These regulations applies to all organizations in the EU or territories outside of the EU that have adapted the same regulations (e.g. Norway). It includes all organizations that process personal data for the purpose of offering products or services or to monitor behavior in some way. In this Privacy Notice we will explain 24SevenOffice role as a data processor and your rights to control the information registered about you as an individual. If your company is organized as a sole proprietorship, 24SevenOffice will process your personal data as a corporation.
1. What personal data does 24SevenOffice process?
To understand what kind of data 24SevenOffice stores about an individual we need to define what kind of personal data Is stored.
24SevenOffice acts as a Data Processor when operating data on behalf of its customers. Personal data collected in this process is minimum Account information to provide the Service to its customer, but also information about the customer relationship between 24SevenOffice and you as a customer. This might be information that you have consented to receive from 24SevenOffice based on your own or your employer’s interests, information to provide you with relevant offers, information to prevent abuse or notification about suspected breach.
24SevenOffice defines Customer content as data, images, text, video, audio and ledger information that a Customer or any user connected to the Customer stores and processes in the 24SevenOffice Services. In this Privacy Notice this is described as customer data.
24SevenOffice defines account information as information about a customer or an individual that is collected in the signup service, and later updated by the users themselves. This is basic information necessary to deliver the 24SevenOffice Service. For example, account information includes names, usernames, phone numbers, email addresses and billing information associated with a customer account.
Customers who use the 24SevenOffice Payroll module, have to store additional information about an individual to be able to provide payroll services. This might be, but are not limited to, social security number, bank account number, sick days, and absences. Make sure that you have included permission to process such information through your employee agreements. In the payroll module, you can choose to send paychecks via email. This is not recommended in accordance with applicable laws, so it is recommended that users log in to 24SevenOffice Payroll to retrieve their own paychecks.
Please also note that 24SevenOffice uses platforms for handling documentation submitted to us regarding vacant positions.
24SevenOffice defines Mobile data as information collected from your mobile phone to perform services like time tracking, expenses and trip tracker. These services will need to have access to functions in your mobile phone like e.g. geodata, storage and camera. This access is only used for the purpose to provide these services.
24SevenOffice defines Payment data as information the user provides when making online purchases. This might be information like credit card number, security codes, name and billing address. Payment data is used to complete transactions and to detect and prevent fraud.
Processing of data
Processing means obtaining, recording or holding the information or data or carrying out any operation on the information like using, alteration, updating, retrieval, deletion or destruction of data.
Customer Service data
24SevenOffice defines Customer Service data as information collected when an individual is in contact with 24SevenOffice for help. This might be information you supply in a support request to the 24SevenOffice customer service department or any other results from helping you as a customer. All of the data defined above will include Personal data that is any information related to identifying an individual person.
2. What is a Data Processor and a Data Controller?
A Data Processor is an entity which processes Personal data on behalf of the Data Controller. A Data Controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the relationship between 24SevenOffice and you as a customer of the 24SevenOffice Services, 24SevenOffice is the Data Processor. The Data Processor processes personal data only on behalf of you as an Data Controller. This means that you determines the purposes for which and the means by which personal data is processed.
So as long as you store and process Personal data about e.g. your own customers, you are a Data Controller in relation to information you process about your own customers. What does this mean? You are responsible for all data you are processing in your own company. This includes collecting consent, have the legal ground to process this data etc. If an individual wants knowledge about what kind of information that is registered about him/her, the individual has to contact you and not 24SevenOffice. You are solely responsible for providing this information to your customer, since you are the only one that knows what kind of data you have stored about your own customers.
3. Why 24SevenOffice processes your personal data? (basis for processing)
24SevenOffice collects, uses and shares the data described in this Privacy Notice as necessary to fulfill the contractual obligations - the Customer License Agreement (CLA), to comply with legal obligations and consent to be able to sell and market services to potential customers.
4. Who owns and controls customer data?
24SevenOffice customers maintain ownership of their own Customer data, while 24SevenOffice stores and hosts this data on behalf of you as a customer. 24SevenOffice does not access or use customer data for any other purpose than what has been described in this Privacy Notice without the customer’s consent. Customer data is always owned by the company that the 24SevenOffice Services is connected to by its company or organization number, and shall not be confused by who is the invoicing partner. E.g. in circumstances where the customer is invoiced by their accountant or another sales partner, the customer owns the data registered inside the 24SevenOffice Services, not the accountant or sales partner. It is required that the customer pays the invoicing part to get access to the Customer data, no matter who is the invoicing partner.
5. How does 24SevenOffice use account information?
24SevenOffice is organized in several partly or fully owned companies. Information as mentioned in this Privacy Notice will be shared with these companies to provide the 24SevenOffice Services to you as a customer. In case of a merger or an acquisition, it might be necessary to display data containing some degree of personal information. This will not be shared without a signed non-disclosure agreement between the parties
Business partners and resellers
24SevenOffice may share personal data with business partners in order to fulfill the order and invoicing process in cases where you have purchased the 24SevenOffice Services through a partner. No other data will be shared.
Third-party Service Providers (for 24SevenOffice)
24SevenOffice may use Third-party Services itself to communicate with you as a customer. This might be information according to the Customer License Agreement (CLA) or promotional information through email or other practical channels. 24SevenOffice may also share personal data with third-party services to perform payment services, e.g. processing credit card payment or collection services when customers fail to fulfill their payment obligations.
24SevenOffice will use your account information to give you digital information that is relevant for you as a 24SevenOffice customer. This might be, but is not limited to, newsletters, re-targeting ads, information about security and operations, new features in the Service, as well as customer service messages inside the Service.
24SevenOffice uses data stored in the 24SevenOffice Services for statistical purposes, without identifying the individual customers.
24SevenOffice store usage patterns to optimize further development of the 24SevenOffice Services and to give you as an individual user of 24SevenOffice Services a greater user experience. This usage is performed without identifying the individual user.
Website, Social Media, Blogs and Customer Testimonial
24SevenOffice posts blogs about Customer testimonials and news that is relevant for the readers of the blogs. Such information may contain information about individuals that can be defined as personal data. 24SevenOffice obtains the consent before posting any information identifying any individuals, or links to the original site as a source. 24SevenOffice also posts content from the website on social media platforms, or posts information only intended for these platforms. The information is displayed for users that are following 24SevenOffice or through advertising tools offered by the single social media platform.
6. How does 24SevenOffice collect your personal data?
The main purpose for 24SevenOffice to collect your personal data is to provide the 24SevenOffice Service to all customers, and to ensure that it is you and only you that get access to your data. In addition 24SevenOffice wants to give you the best user experience, and uses different tools as described below to give you this experience. By accepting the Customer License Agreement (CLA) you also consent that 24SevenOffice use these tools for collecting described information. As of date 24SevenOffice uses the following tools for this purpose:
24SevenOffice has a separate policy for handling cookies. You may give or revoke your consent of what cookies you want to accept on the webpage.
Internet Protocol addresses
24SevenOffice collects your Internet Protocol (IP) address to track and aggregate personally identifiable information, as well as when the customer logs into the 24SevenOffice Services. This is e.g. used to navigate the visitor to the right region site of the webpage, or to other relevant sites on the same webpage. To perform an identity conformation, the internet protocol address may be used as an identifier.
Marketing Automation Tools
24SevenOffice uses Google Analytics to collect information about website activities including, but not limited to page views and time spent on a website. Google Analytics Remarketing is another tool that may show you advertisements about the 24SevenOffice Services on other websites after leaving the 24SevenOffice website. This information is used to give you relevant advertisements based on your behavior on the 24SevenOffice website, but is not personally identifiable. 24SevenOffice also use Google AdWords for marketing purposes, and by using this tool it is easier to see which web pages that help a potential customer to contact form submissions. Remarketing is built in both Google Analytics and Google AdWords.
24SevenOffice also use different re-targeting tools to show you relevant advertisements about the 24SevenOffice Service E.g. Linkedin, Facebook and Bing. By using cookies, these tools can show you advertisements that you might be interested in, based on your previous behavior on the 24SevenOffice website.
24SevenOffice also uses Google Tag-Manager that gives you the ability to add and update your own tags for conversion tracking, site analytics, remarketing. You can prevent the information generated by the Google cookie about your use of our Sites from being collected and processed by Google in the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser.
24SevenOffice also uses other tools for outbound purposes. Outgoing communication with customers, in-app posts, product tour, banners, surveys and email is sent by this tool. These tools also provides information and statistics about the use of the 24SevenOffice Services.
Help desk Tools
24SevenOffice uses help desk tools as an integrated customer support and chat tool. All information you register in contact with 24SevenOffice Customer Service through email, phone or chat will be stored in these tools. This being statistics, earlier communication about the same issue or to find other solutions on similar situations.
When you download or use the mobile app, 24SevenOffice may receive information about your location and your mobile device, including a unique identifier for your device. 24SevenOffice may use this information to provide you with location-based services. Most mobile devices allow you to turn off location services. For more information see the mobile suppliers websites.
The sales department in 24SevenOffice uses tools to perform their sales activities. In the sales process they may process data that is defined as personal data and that has come to their attention through the sales process. This is e.g. traditional information you store in a CRM system. This information will be available for other employees in 24SevenOffice. All employees in 24SevenOffice haves signed confidentiality agreements. In cases where 24SevenOffice uses external personnel, they will also sign a confidentiality agreement.
The 24SevenOffice Services
24SevenOffice does not collect data registered within the 24SevenOffice Services for any other purposes than for anonymized statistics. Information that is publicly known or received by 24SevenOffice through any of the other paragraphs in this Privacy Notice is not covered in this paragraph.
All applications used as tools are listed in the 24SevenOffice sub-processor list.
7. What are my rights?
As an individual you have the right to access all Personal data that is registered about you in any register. This rights can be categorized as follow:
To give or revoke Consents
You have the right to give or revoke Consent about use of your Personal data. A revocation of Consent may lead to that you will be unable to use the whole or part of the 24SevenOffice Services.
Right to access
You have the right to get access to information about what Personal data has been registered about you.
Correcting and updating
You have the right to require that false or wrongfully information about you is corrected in the register.
Right to be forgotten
You have the right to require that the owner of the register delete Personal data about you in their register.
Right to export of personal data
You have the right to get your personal data transferred in a plain machine-readable format. See Customer License Agreement (CLA) for terms of export of any data.
Right to get information
You have the right to be informed if Personal data about you as an individual is collected. You also have the right to be notified if there has been a data breach at the owner of the register. The owner of the register is obliged to support you in these inquiries about Personal data. Contact the owner of this register directly about these issues. If you are a customer of 24SevenOffice see contact information in the last paragraph. If you are a customer of a company that uses the 24SevenOffice Services, please contact that company directly.
8. What if public authorities want to access your personal data?
When governments or law enforcement make a lawful request for Personal data or any other data processed by 24SevenOffice, we are committed to transparency to what we disclose. 24SevenOffice believes that customers should control their own data, and will not disclose Personal data to a government or law enforcement except when you accept such a request or where required by law. 24SevenOffice may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) 24SevenOffice may also access, preserve and share information when it is necessary to: detect, prevent and address fraud and other illegal activity; to protect the company, you and others. Information received about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of 24SevenOffice terms or policies, or otherwise to prevent harm.
9. Where does 24SevenOffice process and store data? (Transfer of data)
24SevenOffice uses sub-processors for IT hosting services like server operation, storage and maintenance of the 24SevenOffice Services. 24SevenOffice may also use sub-contractors for development purposes. 24SevenOffice uses different sub-processors to provide the whole or part of the service to supply you as a customer with a fast and reliable service. When 24SevenOffice uses sub-processors, agreements to keep your information secure and confidential are in place that ensures that your data is not to be used in other ways than in accordance with our specific instructions. 24SevenOffice enter into a data processing agreement (DPA) with these sub-processors in order to protect your privacy rights.
In addition to datacenters in Norway, 24SevenOffice uses sub-processors like Google, Microsoft and AWS. Even if the data is stored at European data centers the ownership of some of these companies may be companies located in third countries. In relation to the Schrems II verdict, 24SevenOffice continuously monitors the outcome and effect this might have on services delivered by third-party sub-processors. 24SevenOffice considers the appropriate safeguards provided by these suppliers according to article 46 in the General Data Protection Regulation (GDPR).
Information may be disclosed to these third-party service providers for this purpose. Such third parties may include other cloud service providers, administrative services, payment processors, customer satisfaction surveys or other third parties who provide services to and assist 24SevenOffice in the operation of the companies business and website. See the list of sub-processors for more information about storage locations and safeguards of data.
Financial accounting data
Storage of financial accounting data is following the local laws in the area that this functionality is provided. E.g. storage of Norwegian customers is in Norway. Data is not replicated to other regions than the above mentioned regions. 24SevenOffice will inform customers if there will be a future change of this notice.
10. Use of 3.parties services (by customers)
One of the advantages of using the 24SevenOffice Services is all of the integrations available for the customer, or the open API that can be used to produce new integrations. These 3.party services suppliers access to personal information from 24SevenOffice Services is limited to the access that you as a customer grants them to perform the requested service. By accepting 3.party service providers, you as a customer also consent that this provider gets access to your data, that might contain personal data. 24SevenOffice is not responsible for third party operating procedures, support, customization or development. It is strongly advised to read and consent to any third party terms and conditions and ask the supplier what kind of personal data they are extracting through the 24SevenOffice API and how they use this before implementing such an third-party service. Some services is clearly marketed as 3.parties services and provided by 24SevenOffice. These may be invoices separately.
11. How long does 24SevenOffice store data - Deletion of personal data
24SevenOffice processing of data is following the internal retention guideline that states that personal data shall not be processed longer than the law requires or there is a purpose for processing. For customers, 24SevenOffice stores data according to the Customer License Agreement (CLA).
You as a customer has the responsibility to not processing data where there is no longer any basis for processing. Deleting of your own data is your responsibility. Some information (e.g. accounting information) is required to be stored for a period of time by court regulations. It is your responsibility to store data for the required time by laws and regulations, not 24SevenOffice. Should the Customer License Agreement (CLA) be terminated before the required period of time comes to an end, it is the customers responsibility to agree upon the terms of extended storage with 24SevenOffice, or to export data. Upon expiry or termination of Customer License Agreement (CLA), 24SevenOffice shall provide assistance reasonably required by you as a customer to have the Personal data transferred in a suitable standard format to the Data Controller and/or a third party service provider, where the Data Controller cannot export data themselves. See terms of assistance in the Customer License Agreement (CLA) “Export of data at Termination”. 24SevenOffice stores data until it is no longer necessary to provide the services or until your account is deleted – whichever comes first. 24SevenOffice will start the deletion of data processed on behalf of the customer within three months after the termination of the Customer License Agreement (CLA). 24SevenOffice has the right, but not any responsibility to delay deletion of data If the terms of the termination is not fulfilled. That might be, but is not limited to, an open legal issue concerning the customers data.
12. Security. What is important to know about the security of 24SevenOffice?
24SevenOffice is committed to prevent unauthorized access disclosure or other deviant processing of your data. Your data is stored in a secure data operating environment with limited access for employees in 24SevenOffice or our sub-processors. Access to data is on a need-to-know basis only. The operating environment is certified to conform to the information security management standard ISO 27001 and the quality management system standard ISO 9001. The 24SevenOffice organization is certified on the information security management standard ISO 27001. Bank payments uses industry-standard encryption to provide protection for all information sent over internet. What is the customer's role in securing their customer content? It is important when you as a customer evaluates the security of a cloud solution, understand and distinguish between security measures that 24SevenOffice implements and operates, “Security in the Cloud”, and security measures that customers implement related to internal security of their own data. 24SevenOffice is responsible for the operation and security of the 24SevenOffice Services, while you as a customer are responsible that no unauthorized entity gets access to you or any of your employees login information. That also includes leaving the 24SevenOffice Services logged on while leaving your IT-asset for accessing information. E.g. 24SevenOffice is not responsible for breach of security following customer's improper storage of authentication tools like e.g. passwords and mobile phones.
13. California Privacy Rights
This section applies only to California consumers. For purposes of this section "Personal Information" has the meaning given in the California Consumer Privacy Act (“CCPA”). It describes how 24SevenOffice collects, uses, and shares California consumers' Personal Information in our role as a business, and the rights applicable to such residents. The California Consumer Privacy Act ("CCPA") requires businesses to disclose whether they sell Personal Information. 24SevenOffice is a business, and does not sell Personal Information. The company may share Personal Information with other companies that 24SevenOffice has any ownership, our subcontractors or partners needed to fulfill the contractual obligations (e.g. payments, collection, accounting and auditors) towards the customers.
How 24SevenOffice collects, uses, and share your Personal Information?
24SevenOffice have collected the following statutory categories of Personal Information in the past twelve (12) months:
* Identifiers, such as name, e-mail address, mailing address, and phone number.
* Information about browsing and search history and geolocation data such as IP addresses.
* Financial information, such as Payment Information, account numbers, and other information necessary to maintain your subscription.
* Commerce information, in instances when you interact with us online, by phone or mail in the context of receiving help through our help desks or other support channels; participation in customer surveys or contests; or in providing the Subscription Service.
24SevenOffice collects this information directly from you, your device or from third party sources. The business and commercial purposes for which we collect this information are described in this Privacy Notice.
24SevenOffice may also process Personal Information on your behalf as part of delivering the Service. (e.g. payroll or HR data). This might be sensitive categories of data, dependent on your data input. 24SevenOffice personell has no access to your data without you specific have given consent to share data for eg. support purposes.
Your California Rights
You have certain rights regarding the Personal Information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.
The right of access means that you have the right to request that we disclose what Personal Information we have collected, used and disclosed about you in the past 12 months. You also have the right to ask us to correct inaccurate Personal Information. The right of deletion means that you have the right to request that we delete Personal Information collected or maintained by us, subject to certain exceptions.
The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.
24SevenOffice does not sell Personal Information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199, also known as the California Consumer Privacy Act of 2018).
How to exercise your California Rights?
You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Information. Please send an email to privacy (a) 24SevenOffice.com or call us +1 646 751 8800 if you would like to access this policy in an alternative format, exercise your rights, designate an authorized agent to make a request on your behalf or learn more about your rights or our privacy practices.
14. How to contact 24SevenOffice?
If you have questions about personal data registered at a company that is a customer of 24SevenOffice, you have to contact this company. 24SevenOffice cannot access information registered about you in one of our customer's registers. If you have questions or complaints about personal data registered on you as an individual by 24SevenOffice or any of its subsidiaries, contact privacy[@]24SevenOffice.com
19 January 2024
Reviews 27 January 2023
Edited: April 14, 2023
- Updated definition about Data Processor and Data Controller
Edited: February 17, 2023
- Removed dubble sentence in paragraph about "Storage and Transfer"
Edited: May 3, 2022
- Included paragraph covering compliance to California Consumer Privacy Act ("CCPA").
Edited: March 7, 2022
Edited: April 23, 2021
- In connection with the introduction of 24SevenOffice Payroll module, a new section under 1. What data do 24SevenOffice process is included. This section regulates what type of data that 24SevenOffice process to deliver payroll functionality to its customers.
Edited: October 2, 2020
- Contact information email adress is updated
Edited: May 3, 2018
- First edition of revised Privacy Notice after the changes in the laws and regulation regarding processing of personal data, known as General Data Protection Regulation (GDPR)