Privacy Notice

Scope and Purpose

As a 24SevenOffice customer, your security is our top priority. In our Privacy Notice we will explain our policy concerning privacy and storage of personal data. This Statement will also cover the individual’s right according to the General Data Protection Regulation (GDPR) dated May 25, 2018. These regulations applies to all organizations in the EU or territories outside of the EU that have adapted the same regulations (e.g. Norway). It cover all organizations that process personal data for the purpose of offering products or services or to monitor behavior in some way. In this Statement we will explain 24SevenOffice role as a data processor and your rights to control the information registered about you as an individual. If your company is organized as a sole proprietorship, 24SevenOffice will process your personal data as a corporation.

1. What personal data does 24SevenOffice process?

To understand what kind of data 24SevenOffice stores about an individual we need to define what kind of personal data Is stored.

Customer data
24SevenOffice acts as a Data Processor when operating data on behalf of its customers. Personal data collected in this process is minimum Account information to provide the Service to its customer, but also information about the customer relationship between 24SevenOffice and you as a customer. This might be information that you have consented to receive from 24SevenOffice based on your own or your employer’s interests, information to provide you with relevant offers, information to prevent abuse or notification about suspected breach.

Customer content
24SevenOffice defines Customer content as data, images, text, video, audio and ledger information that a Customer or any user connected to the Customer stores and processes in the 24SevenOffice Service.

Account information
24SevenOffice defines account information as information about a customer or an individual that is collected in the signup service, and later updated by the users themselves. This is basic information necessary to deliver the 24SevenOffice Service. For example, account information includes names, usernames, phone numbers, email addresses and billing information associated with a customer account.

Payroll information
Customers who use the 24SevenOffice Payroll module, have to store additional information about an individual to be able to provide payroll services. This might be, but are not limited to, social security number, bank account number, sick days, and absences. Make sure that you have included permission to process such information through your employee agreements. In the payroll module, you can choose to send paychecks via email. This is not recommended in accordance with the General Data Protection Regulation (GDPR), so it is recommended that users log in to 24SevenOffice to retrieve their own paychecks.

Job applications
Please also note that 24SevenOffice uses specific platforms for handling documentation submitted to us regarding vacant positions.

Mobile data

24SevenOffice defines Mobile data as information collected from your mobile phone to perform services like time tracking, expenses and trip tracker. These services will need to have access to functions in your mobile phone like e.g. geodata, storage and camera. This access is only used for this purpose.

Payment data
24SevenOffice defines Payment data as information the user provides when making online purchases. This might be information like credit card number, security codes, name and billing address. Payment data is used to complete transactions and to detect and prevent fraud.

Support data
24SevenOffice defines Support data as information collected when an individual is in contact with 24SevenOffice for help. This might be information you supply in a support request to the 24SevenOffice customer service department or any other results from helping you as a customer.All of the data defined above will include Personal data that is any information related to identifying an individual person.

2. What is a Data Processor and a Data Controller?

A Data Processor is an entity which processes Personal data on behalf of the Data Controller. A Data Controller is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

What is processing?
Processing means obtaining, recording or holding the information or data or carrying out any operation on the information like using, alteration, updating, retrieval, deletion or destruction of data.

3. Who is the Data Processor?

In the relationship between 24SevenOffice and you as a customer of the 24SevenOffice ERP Service, 24SevenOffice is the Data Processor. But remember that as long as you store and process Personal data about e.g. your own customers, you are a Data Processor in relation to your own customers. What does this mean? If an individual wants knowledge about what kind of information that is registered about him/her, the individual has to contact the Data Processor. If that is one of your customers, they have to make a request to you, not to 24SevenOffice. You are solely responsible for providing this information to your customer, since you are the only one that knows what kind of data you have stored about your own customers.

4. Why 24SevenOffice processes your personal data?
(legal basis for processing)

24SevenOffice collects, uses and shares the data described in this notice as necessary to fulfill the Customer License Agreement (CLA) and to comply with the legal obligations, but also to be able to sell and market services to potential customers.

5. Who owns and controls customer content?

24SevenOffice customers maintain ownership of their own Customer content, while 24SevenOffice stores and hosts the content. 24SevenOffice does not access or use customer content for any other purpose than what has been described in this Privacy Notice without the customer’s consent. Customer content is always owned by the company that the 24SevenOffice Service is connected to by its company or organization number, and shall not be confused by who is the invoicing partner. E.g. in circumstances where the customer is invoiced by their accountant or another sales partner, the customer owns the content registered within the 24SevenOffice Service, not the accountant or sales partner. It is required that the customer pays the invoicing part to get access to the Customer content, no matter who is the invoicing partner.

6. How does 24SevenOffice use account information?

Organizational
24SevenOffice is organized in several partly or fully owned companies. Information as mentioned in this Privacy Notice will be shared with these companies to supply the 24SevenOffice Service to you as a customer. In case of a merger or an acquisition, it might be necessary to display data containing some degree of personal information. This will not be shared without a signed non-disclosure agreement between the parties

Business partners and resellers
24SevenOffice may share personal data with business partners in order to fulfill the order and invoicing process in cases where you have purchased the 24SevenOffice through a partner. No other data will be shared.

Third-party Service Providers (for 24SevenOffice)
24SevenOffice may use Third-party Services itself to communicate with you as a customer. This might be information according to the Customer License Agreement (CLA) or promotional information through email or other practical channels. 24SevenOffice may also share personal data with third-party Services to perform payment services, e.g. processing credit card payment or collection services when customers fail to fulfill their payment obligations.

Third-party Service Providers (for Customers)
One of the advantages of using the 24SevenOffice ERP Service is all of the integrations available for the customer, or the open API that can be used to produce new integrations. By accepting Third-party Service Providers, you as a customer also consent that this provider gets access to your data, that might contain personal data. 24SevenOffice is not responsible for third party operating procedures, support, customization or development. It is strongly advised to read and consent to any third party terms and conditions and ask the supplier what kind of personal data they are extracting through the 24SevenOffice API before starting using such an ancillary service.

Communication
24SevenOffice will use your Account information to give you digital information that is relevant for you as a 24SevenOffice customer. This might be, but is not limited to, newsletters, re-targeting ads, information about security and operations, new features in the Service, as well as customer service messages inside the Service.

Statistical purposes
24SevenOffice uses data stored in the 24SevenOffice Service for statistical purposes, without identifying the individual customers.

Development purposes
24SevenOffice store usage patterns to optimize further development of the Service and to give you as an individual user of the 24SevenOffice a greater user experience. This usage is performed without identifying the individual user of the 24SevenOffice Service.

Website, Social Media, Blogs and Customer Testimonial
24SevenOffice posts blogs about Customer testimonials and news that is relevant for the readers of the blogs. Such information may contain information about individuals that can be defined as personal data. 24SevenOffice obtains the consent before posting any information identifying any individuals, or links to the original site as a source. 24SevenOffice also posts content from the website on social media platforms, or posts information only intended for these platforms. The information is displayed for users that are following 24SevenOffice or through advertising tools offered by the single social media platform.

7. How does 24SevenOffice collect your personal data?

The main purpose for 24SevenOffice to collect your personal data is to provide the Service to all customers, and to ensure that it is you and only you that get access to your data. In addition 24SevenOffice wants to give you the best user experience, and uses different tools as described below to give you this experience. By accepting the Customer License Agreement (CLA) you also consent that 24SevenOffice use these tools for collecting described information. As of date 24SevenOffice uses the following tools for this purpose:

Cookies
24SevenOffice has a separate policy for handling cookies. You may give or revoke your consent of what cookies you want to accept in the bottom left side of this webpage.

Internet Protocol addresses
24SevenOffice collects your Internet Protocol (IP) address to track and aggregate personally identifiable information, as well as when the customer logs into the 24SevenOffice ERP Service. This is e.g. used to navigate the visitor to the right region site of the webpage, or to other relevant sites on the same webpage. To perform an identity conformation, the internet protocol address may be used as an identifier.

Marketing Automation Tools
24SevenOffice uses different digital marketing automation tools to recognize a return visitor as a unique user and its activities. When these tools use cookies it is for this specific purpose and does not access, read or modify any other data on your computer. Information collected will be linked to any personal identifiable information you submit while you are visiting 24SevenOffice websites.

24SevenOffice uses Google Analytics to see information about website activities including, but not limited to page views and time spent on a website. Google Analytics Remarketing is another tool that can show you advertisements about the 24SevenOffice ERP Service on other websites after leaving the 24SevenOffice website. This information is used to give you relevant advertisements based on your behavior on the 24SevenOffice website, but is not personally identifiable. 24SevenOffice also use Google AdWords for marketing purposes, and by using this tool it is easier to see which web pages that help a potential customer to contact form submissions. Remarketing is built in both Google Analytics and Google AdWords.

24SevenOffice also use different re-targeting tools to show you relevant advertisements about the 24SevenOffice Service E.g. Linkedin, Facebook and Bing. By using cookies, these tools can show you advertisements that you might be interested in, based on your previous behavior on the 24SevenOffice website.

24SevenOffice also uses Google Tag-Manager that gives you the ability to add and update your own tags for conversion tracking, site analytics, remarketing. You can prevent the information generated by the Google cookie about your use of our Sites from being collected and processed by Google in the future by downloading and installing Google Analytics Opt-out Browser Add-on for your current web browser.

24SevenOffice uses Intercom for outbound purposes. Outgoing communication with customers, in-app posts, product tour, banners, surveys and email is sent by this tool. Intercom also provides information and statistics about the use of the 24SevenOffice ERP application

Help desk Tools
24SevenOffice uses help desk tools as an integrated customer support and chat tool. All information you register in contact with 24SevenOffice Customer Service through email, phone or chat will be stored in these tools. This being statistics, earlier communication about the same issue or to find other solutions on similar situations.

Mobile
When you download or use the mobile app, 24SevenOffice may receive information about your location and your mobile device, including a unique identifier for your device. 24SevenOffice may use this information to provide you with location-based services. Most mobile devices allow you to turn off location services. For more information see the mobile suppliers websites.

Sales tools
The sales department in 24SevenOffice uses these tools to perform their sales activities. In the sales process they may process data that is defined as personal data and that has come to their attention through the sales process. This is e.g. traditional information you store in a CRM system. This information will be available for other employees in 24SevenOffice. All employees in 24SevenOffice haves signed confidentiality agreements. In cases where 24SevenOffice uses external personnel, they will also sign a confidentiality agreement.

The 24SevenOffice ERP Service
24SevenOffice does not collect data registered within the 24SevenOffice ERP Service for any other purposes than for anonymized statistics. Information that is publicly known or received by 24SevenOffice through any of the other paragraphs in this Privacy Notice is not covered in this paragraph.

8. What are my rights?

As an individual you have the right to access all Personal data that is registered about you in any register. This rights can be categorized as follow:

To give or revoke Consents
You have the right to give or revoke Consent about use of your Personal data. A revocation of Consent may lead to that you will be unable to use the whole or part of the 24SevenOffice ERP Service.

Right to access
You have the right to get access to information about what Personal data has been registered about you.

Correcting and updating
You have the right to require that false or wrongfully information about you is corrected in the register.

Right to be forgotten
You have the right to require that the owner of the register delete Personal data about you in their register.

Right to export of personal data
You have the right to get your personal data transferred in a plain machine-readable format. See Customer License Agreement (CLA) for terms of export of any data.

Right to get information
You have the right to be informed if Personal data about you as an individual is collected. You also have the right to be notified if there has been a data breach at the owner of the register.The owner of the register is obliged to support you in these inquiries about Personal data. Contact the owner of this register directly about these issues. If you are a customer of 24SevenOffice see contact information in the last paragraph. If you are a customer of a company that uses the 24SevenOffice Service, please contact that company directly.

9. What if public authorities want to access your personal data?

When governments or law enforcement make a lawful request for Personal data or any other data processed by 24SevenOffice, we are committed to transparency to what we disclose. 24SevenOffice believes that customers should control their own data, and will not disclose Personal data to a government or law enforcement except when you accept such a request or where required by law. 24SevenOffice may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) 24SevenOffice may also access, preserve and share information when it is necessary to: detect, prevent and address fraud and other illegal activity; to protect the company, you and others. Information received about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of 24SevenOffice terms or policies, or otherwise to prevent harm.

10. Where does 24SevenOffice process and store data? (Transfer of data)

Personal data
The physical storage of 24SevenOffice data is located in the EU/EEA for all customers based in this region. Data storage for these customers is not replicated outside of this area.

Storage and transfer of data
Storage of data is located in the EU/EEA for all customers located in this region. 24SevenOffice uses different sub-processors to provide the whole or part of the service. Information may be disclosed to these third-party service providers for this purpose. Such third parties may include other cloud service providers, administrative services, payment processors, customer satisfaction surveys or other third parties who provide services to and assist 24SevenOffice in the operation of the companies business and website.

24SevenOffice also uses services from suppliers like Google and Microsoft (e.g. email, word processing, spreadsheets and storage). Even if the data is stored at European data centers the ownership of some of these companies may be companies located in third countries. In relation to the Schrems II verdict, 24SevenOffice continuously monitors the outcome and effect this might have on services delivered by third-party sub-processors. 24SevenOffice considers the appropriate safeguards provided by these suppliers according to article 46 in the General Data Protection Regulation (GDPR).

When 24SevenOffice uses third party service providers, agreements to keep your information secure and confidential are in place that ensures that your data is not to be used in other ways than in accordance with our specific instructions.

Financial accounting data
Storage of financial accounting data is following the local laws in the area that this functionality is provided. E.g. storage of Norwegian customers is in Norway. Data is not replicated to other regions than the above mentioned regions. 24SevenOffice will inform customers if there will be a future change of this notice.

11. Use of subcontractors and 3.parties

24SevenOffice use subcontractors for:
24SevenOffice uses subcontractors for IT hosting services like server operation, storage and maintenance of the 24SevenOffice Service

24SevenOffice may use subcontractors for development purposes

24SevenOffice may use 3.parties services to perform processing tasks to supply you as a customer with a fast and reliable service. Personal data is not stored in any 3.party service when performing such tasks

24SevenOffice invoices some 3.parties services, but these Services are clearly marketed as 3.parties services. Their access to personal information from 24SevenOffice is limited to the access that you as a customer grants them to perform the requested service. Subcontractor will not have any access to personal data beyond information that connect you as a customer to an account in the 24SevenOffice ERP Service. When using subcontractors, that process personal data, 24SevenOffice will always enter into a data processing agreement (DPA) in order to protect your privacy rights.


12. How long does 24SevenOffice store data - Deletion of personal data

24SevenOffice processing of data is following the internal retention guideline that states that personal data shall not be processed longer than the law requires or there is a purpose for processing. For customers, 24SevenOffice stores data according to the Term in the Customer License Agreement (CLA). It is the customer's responsibility to store data for the period of time required by laws and regulations. It is the customer's own responsibility to delete Personal data that has no more purpose. Some information (e.g. accounting information) is required to be stored for a period of time by court regulations.Should the Customer License Agreement (CLA) be terminated before the required period of time comes to an end, it is the customers responsibility to agree upon the terms of extended storage with 24SevenOffice, or to export data.Upon expiry or termination of this Agreement, 24SevenOffice shall provide assistance reasonably required by the customer to have the Personal data transferred in a suitable standard format to the Data Controller and/or a third party service provider, where the Data Controller cannot export data themselves. See terms of assistance in Customer License Agreement (CLA) “Export of data at Termination”.24SevenOffice stores data until it is no longer necessary to provide the Services or until your account is deleted – whichever comes first. 24SevenOffice will start the deletion of data processed on behalf of the customer within three months after the termination of the Customer License Agreement (CLA). 24SevenOffice has the right, but not any responsibility to delay deletion of data If the terms of the termination is not fulfilled. That might be, but is not limited to, an open legal issue concerning the customers data.

13. Security. What is important to know about the security of 24SevenOffice?

24SevenOffice is committed to prevent unauthorized access disclosure or other deviant processing of your data. Your data is stored in a secure data operating environment with limited access for employees in 24SevenOffice or our sub-contractor on operations. Access to data is on a need-to-know basis only. The operating environment is certified to conform to the information security management standard ISO27001 and the quality management system standard ISO9001. 24SevenOffice conforms to the information security management standard ISO27001. Bank payments uses industry-standard encryption to provide protection for all information sent over internet.What is the customer's role in securing their customer content?It is important when you as a customer evaluates the security of a cloud solution, understand and distinguish between security measures that 24SevenOffice implements and operates, “Security in the Cloud”, and security measures that customers implement related to internal security of their own data. 24SevenOffice is responsible for the operation and security of the 24SevenOffice ERP Service, while you as a customer are responsible that no unauthorized entity gets access to you or any of your employees login information. That also includes leaving the 24SevenOffice Service logged on while leaving your IT-asset for accessing information. E.g. 24SevenOffice is not responsible for breach of security following customer's improper storage of authentication tools like e.g. passwords and mobile phones.

14. California Privacy Rights

Applicability
This section applies only to California consumers. For purposes of this section "Personal Information" has the meaning given in the California Consumer Privacy Act (“CCPA”). It describes how 24SevenOffice collects, uses, and shares California consumers' Personal Information in our role as a business, and the rights applicable to such residents. The California Consumer Privacy Act ("CCPA") requires businesses to disclose whether they sell Personal Information. 24SevenOffice is a business, and does not sell Personal Information. The company may share Personal Information with other companies that 24SevenOffice has any ownership, our subcontractors or partners needed to fulfill the contractual obligations (e.g. payments, collection, accounting and auditors) towards the customers.

How 24SevenOffice collects, uses, and share your Personal Information?
24SevenOffice have collected the following statutory categories of Personal Information in the past twelve (12) months:

* Identifiers, such as name, e-mail address, mailing address, and phone number.
* Information about browsing and search history and geolocation data such as IP addresses.
* Financial information, such as Payment Information, account numbers, and other information necessary to maintain your subscription.
* Commerce information, in instances when you interact with us online, by phone or mail in the context of receiving help through our help desks or other support channels; participation in customer surveys or contests; or in providing the Subscription Service.

24SevenOffice collects this information directly from you, your device or from third party sources. The business and commercial purposes for which we collect this information are described in this Privacy Notice.

24SevenOffice may also process Personal Information on your behalf as part of delivering the Service. (e.g. payroll or HR data). This might be sensitive categories of data, dependent on your data input. 24SevenOffice personell has no access to your data without you specific have given consent to share data for eg. support purposes.

Your California Rights
You have certain rights regarding the Personal Information we collect or maintain about you. Please note these rights are not absolute, and there may be cases when we decline your request as permitted by law.

The right of access means that you have the right to request that we disclose what Personal Information we have collected, used and disclosed about you in the past 12 months. You also have the right to ask us to correct inaccurate Personal Information. The right of deletion means that you have the right to request that we delete Personal Information collected or maintained by us, subject to certain exceptions.

The right to non-discrimination means that you will not receive any discriminatory treatment when you exercise one of your privacy rights.

24SevenOffice does not sell Personal Information to third parties (pursuant to California Civil Code §§ 1798.100–1798.199, also known as the California Consumer Privacy Act of 2018).

How to exercise your California Rights?
You can exercise your rights yourself or you can alternatively designate an authorized agent to exercise these rights on your behalf. Please note that to protect your Personal Information, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Information. Please send an email to privacy (a) 24SevenOffice.com or call us +1 646 751 8800 if you would like to access this policy in an alternative format, exercise your rights, designate an authorized agent to make a request on your behalf or learn more about your rights or our privacy practices.

15. How to contact 24SevenOffice?

If you have questions about personal data registered at a company that is a customer of 24SevenOffice, you have to contact this company. 24SevenOffice cannot access information registered about you in one of our customer's registers. If you have questions or complaints about personal data registered on you as an individual by 24SevenOffice or any of its subsidiaries, contact privacy[@]24SevenOffice.com

Changes to 24SevenOffice Privacy Notice

Last review: 03.05.2022

Log:
03.05.2022 - Included paragraph covering compliance to California Consumer Privacy Act ("CCPA").

07.03.2022 - Updated information about cookies as a consequence of the implementation of the new cookie policy. Removed information that no longer is relevant under "How 24SevenOffice collects your personal data". Updated information about sub-processors and ownership of supplier that falls under the Schrems II verdict. Move some parts to other sections where they are more natural.

23.04.2021 - In connection with the introduction of 24SevenOffice Payroll module, a new section under 1. What data do 24SevenOffice process is included. This section regulates what type of data that 24SevenOffice process to deliver payroll functionality to its customers.

02.10.2020 - Contact information email adress is updated

03.05.2018 - First edition of revised Privacy Notice after the changes in the laws and regulation regarding processing of personal data, known as General Data Protection Regulation (GDPR)