(“Replicon” or “we”, “us”, “our”, etc.)
Effective Date: May 25, 2018
Last Updated: April 25, 2018
Replicon is committed to maintaining the privacy of individuals and protecting Personal Information in its custody or control in accordance with privacy legislation applicable to Replicon. This Policy is intended to comply with the requirements of Alberta’s Personal Information Protection Act (“PIPA”). However, in certain circumstances, other legislation may be applicable.
This Policy describes the practices of Replicon and its affiliates with respect to our collection, use and/or disclosure of Personal Information on www.replicon.com (the “Website”) and through the services, features, content or applications we offer to our customers (collectively with the Website, the “Services”). This Policy does not apply to employees and individual contractors of Replicon who are subject to a separate policy. Employees of Replicon dealing with Personal Information are expected to be familiar with this Policy. This Policy does not apply to non-personally identifiable information, anonymous information, or aggregate information that does not identify any specific individual.
- Section 1 – About Us
- Section 2 – Definitions
- Section 3 – Subjects and Sources of Personal Data
- Section 4 – Personal Information We Collect
- Section 5 – Disclosure of Personal Information
- Section 6 – Why We Collect, Use And Disclose Personal Information
- Section 7 – Notification and Consent
- Section 8 – Exceptions to the Requirement for Consent
- Section 9 – Legal Basis for Processing Personal Information (EEA Visitors Only)
- Section 10 – Retention and Destruction of Personal Information
- Section 11 – Third Party Websites and Third Party Services
- Section 12 – Customer Data
- Section 13 – Anonymous and Aggregate Data
- Section 14 – Outsourcing and Data Hosting Outside of Canada
- Section 15 – Security
- Section 16 – Notification of Loss or Unauthorized Access or Disclosure
- Section 17 – Your Rights: Requests for Access
- Section 18 – Your Rights: Responses to Requests
- Section 19 – Your Rights: Requests for Correction
- Section 20 – Rights of European Data Subject
- Section 21 – Amendments to This Policy
- Section 22 – Contacting Replicon
1. ABOUT US
Replicon is a software company registered in Calgary, Canada. Replicon’s cloud-based platform (the “Platform”) provides our users with workforce, project and time management solutions.
a) “Personal Information” can be defined as follows:
Personal Information means information about an identifiable individual who can be directly or indirectly identified, which does not include information of an aggregate or anonymous nature where a specific individual or individuals cannot be identified.
b) Information about a corporation, firm, trust, union or other non-individual entity is not Personal Information.
3. SUBJECTS AND SOURCES OF PERSONAL INFORMATION
Replicon generally collects, uses, and discloses Personal Information about the following types of individuals:
a) Replicon’s customers, including employees and contractors of our customers;
b) Prospective or potential customers of Replicon or their employees;
c) Subscribers to Replicon newsletters, white papers or similar types of information;
d) Other individuals who may voluntarily choose to provide Replicon with Personal Information.
4. PERSONAL INFORMATION WE COLLECT
a) OUR WEBSITE
i. Information that we collect automatically: We automatically collect certain information when you visit our Website. This may include information like your IP address, device type, unique device identification numbers, browser-type, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how your device has interacted with our Website, including the pages accessed and links clicked. In some countries, including countries in the European Economic Area, this information may be considered Personal Information. Collecting this information enables us to better understand the visitors who come to our Website, where they come from, and what content on our Website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Website to our visitors.
5. DISCLOSURE OF PERSONAL INFORMATION
a) It is the general policy of Replicon to not disclose Personal Information in its custody or control except with the consent of the individual and then only for identified purposes. However, individuals should be aware that there are exceptions to the above;
b) We may disclose your Personal Information to the following categories of recipients:
ii. to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
iv. to any other person with your consent to the disclosure.
c) Alberta law permits us to collect, use or disclose Personal Information about an individual in some circumstances without the individual’s consent and/or knowledge. Such circumstances include (but are not limited) to where:
i. the collection, use or disclosure is clearly in the interests of the individual and consent cannot be obtained in a timely way;
ii. collection, use, or disclosure is reasonable for the purposes of an investigation or proceeding;
iii. the Personal Information is available to the public from a prescribed source; or
iv. the collection, use, or disclosure is required or authorized by a statute or regulation of Alberta or Canada.
d) Replicon will in all cases disclose Personal Information as required or permitted by applicable law;
e) Replicon does not disclose, trade or sell its customer or contact lists.
6. WHY WE COLLECT, USE AND DISCLOSE PERSONAL INFORMATION
Replicon generally collects, uses, and discloses Personal Information for the following purposes:
a) Customers, employees of and contractors to customers:
To establish, maintain, manage and terminate a relationship with a customer. We may also use Personal Information for our legitimate business interests, for example, to improve our Services.
b) Prospective or potential customers or their employees:
To attempt to establish a relationship with a customer. We may also use Personal Information for our legitimate business interests, for example, to market additional products or services which we think may be of interest to you.
c) Subscribers to Replicon newsletters, white papers or similar types of information:
To provide services, information or documentation and to solicit business.
d) Individuals who may voluntarily choose to provide Replicon with Personal Information:
To fulfill the purposes for which such information was provided.
e) Other individuals:
Personal Information from other individuals may be collected, used or disclosed when such individuals contact Replicon for a variety of reasons personal to them. For example, if an individual contacts us with an inquiry, we will use the information provided to assist us in responding to that individual and communicating with them. Generally, such information is used to contact or reply to individuals who have contacted us where such contact or reply is reasonable in the circumstances, or is subject to deemed consent, or is legally required.
f) Telephone Conversations:
Please refer to the more comprehensive section on telephone conversations in this Policy.
g) Personal Information may also be used to fulfill our legal obligations.
7. NOTIFICATION AND CONSENT
Subject to this Policy and applicable legislation, Replicon will identify the purposes for collection, use and disclosure of Personal Information in advance of collection, and will notify the individual of the purposes for collection, use or disclosure of Personal Information at or before the time of collection.
a) Replicon may obtain consent from individuals by receipt of consent from their employers or contractors where such employers or contractors have entered into an agreement with Replicon pursuant to which the employer or contractor, as agent for the individual, or with their authority, provides Replicon with consent to collect, use and disclose Personal Information regarding such individuals for the purposes of providing services or products to their employer or party to which they are contracted;
b) There are a number of exceptions to the above provisions in that in some circumstances, such as with certain Personal Information related to employees, Replicon does not require consent to collect, use or disclose Personal Information but is required to provide notification in advance;
c) In certain circumstances, specifically those set out in applicable legislation, the law does not require that Replicon obtain consent or provide notification. Replicon reserves all its rights to rely on any available statutory exemptions and exceptions.
8. EXCEPTIONS TO THE REQUIREMENT FOR CONSENT
Replicon may collect and use Personal Information without consent in circumstances that include but are not limited to the following:
a) Where a reasonable person would consider that the collection of the information is clearly in the interests of the individual and consent of the individual cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
b) Where the collection of the information is pursuant to a statute or regulation of either Alberta or Canada that authorizes or requires the collection;
c) Where the collection of the information is from a public body and that public body is authorized or required by an enactment of Alberta or Canada to disclose the Personal Information to Replicon;
d) Where the collection of the information is reasonable for the purposes of an investigation or a legal proceeding;
e) Where the information is publicly available;
f) Where the collection of the information is necessary in order to collect a debt owed to Replicon or for Replicon to repay to an individual money owed by Replicon;
g) In addition to the above, the law generally provides that an individual is deemed to consent to the collection, use or disclosure of Personal Information about that individual for a particular purpose if the individual voluntarily provides the information for that purpose, and it is reasonable that a person would voluntarily provide that information. If an individual provides Personal Information to us voluntarily, we will rely on deemed consent and consider that the individual consents to our collection, use or disclosure of their Personal Information as necessary to carry out the purposes for which they provided the information;
h) Where a new purpose for the use or disclosure of Personal Information previously collected arises, Replicon will contact the individual in question to obtain any required consent or to provide any required notification for use and/or disclosure for such new purpose or purposes;
i) Where practical, Replicon will try to collect Personal Information directly from the individual. Where necessary, Replicon will collect Personal Information from other sources. When Replicon collects Personal Information about individuals directly from them, except when their consent to the collection is deemed or has otherwise been previously and lawfully obtained, or is not required, we will tell them the purpose for which the information is collected, and, if reasonable to do so, the name of a person who can answer questions about the collection;
j) Replicon will in all cases use Personal Information only as permitted or required by applicable law.
9. LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION (EEA VISITORS ONLY)
a) If you are a visitor from the European Economic Area, our legal basis for collecting and using the Personal Information described above will depend on the Personal Information concerned and the specific context in which we collect it;
b) We will normally collect Personal Information from you only where we have your consent to do so, where we need the Personal Information to perform under a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Information from you or may otherwise need the Personal Information to protect your vital interests or those of another person;
c) If we ask you to provide Personal Information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Information is mandatory or not (as well as of the possible consequences if you do not provide your Personal Information);
d) Similarly, if we collect and use your Personal Information in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are;
e) If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided below.
10. RETENTION AND DESTRUCTION OF PERSONAL INFORMATION
a) We retain Personal Information we collect from you in accordance with applicable law and where we have an ongoing legitimate business need to do so (for example, to provide you with a Service you have requested or to comply with applicable legal, tax or accounting requirements). Alberta law allows us, for legal or business purposes, to retain Personal Information for as long as is reasonable. Upon expiry of an appropriate retention period, bearing in mind reasonable legal and business requirements, Personal Information will either be destroyed in a secure manner or made anonymous;
b) Should consent to our collection, use, disclosure or retention of Personal Information be revoked by the individual in question, the law also allows us to continue to retain the information for as long as is reasonable for legal or business purposes. In the event that revocation of consent may have consequences to the individual concerned, we will advise the individual of the consequences of revoking their consent where it is reasonable in the circumstances to do so. When we collect, use or disclose Personal Information, we will make reasonable efforts to ensure that it is accurate, up to date, and complete.
11. THIRD PARTY WEBSITES AND THIRD PARTY PLATFORMS
a) Please note that our website may contain links to other websites which are provided as a convenience for visitors to our website only, in addition to third party services, applications, and widgets that may be bundled into, included in, or provided in connection with our services;
b) Any third party websites, third party services, applications and widgets will have their own privacy policies and practices, and we cannot be responsible for such third parties, their websites, services, applications, widgets, or their privacy practices. Where “Third Party Services” (as defined in our Terms & Conditions) are provided or made available to you, you consent to your name, email address and any other reasonably required information being sent to the applicable third party to enable such third party to make its Third Party Services available or to provide you with its Third Party Services as required or requested by you, and to authenticate or validate you as a customer of Replicon that is entitled to such Third Party Service.
12. CUSTOMER DATA
Data and information provided or created by our customers in the course of using our products or services (“Customer Data”) remains the property of our customers and is not used or disclosed by us except as reasonably required to provide our products or services, or as otherwise set out in this Policy.
13. USE DATA, ANONYMOUS DATA AND AGGREGATE DATA
a) We may derive and create data and information about the use of the Services by our customers (“Use Data”) which may be disclosed to third party service providers in order to improve our Services;
b) We may derive anonymous data from Customer Data or Use Data and eliminate Personal Information from such Customer Data and Use Data so that such derived data cannot be used to identify a customer or its individual users (“Anonymous Data”);
c) We may then combine Anonymous Data with similar anonymous data from other customers or users, and derive Aggregate Data and then license or sell such Aggregate Data. “Aggregate Data” shall mean anonymous data combined from various sources which cannot be used to identify any customer or user;
d) We may also derive Anonymous Data for the purposes of creating statistics and analytics data, which will be used by Replicon for its own business purposes, including maintaining and improving the Services.
14. OUTSOURCING AND DATA HOSTING OUTSIDE OF CANADA
a) We may use third party service providers, or provide or bundle in with our services software or services provided by third parties, to process or deal with records, documents, data and information on our behalf, or on your behalf, and such records, documents, data and information may include Personal Information;
b) Therefore, your Personal Information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective);
c) In order to protect the confidentiality and security of Personal Information processed on our behalf by our service providers, we use contractual and similar measures with such service providers, including contractual non-disclosure provisions. These include implementing the European Commission’s Standard Contractual Clauses for transfers of personal information between our group companies, which require all group companies to protect personal information they process from the EEA in accordance with European Union data protection law. Our standard Data Processing Agreement is available here replicon.com/resource/dpa/. We have implemented similar appropriate safeguards with our third party service providers and partners and further details can be provided upon request;
d) We may use “cloud computing” third party service providers, and those providers may be either in or outside Canada, and the data housed, hosted and processed by such providers may reside in or outside of Canada, and may include Personal Information. Replicon currently utilizes the following third party service providers to house, host and process Personal Information:
i. Amazon Web Services, Inc.,
ii. Bell Canada, Co-location Services.
e) Individuals providing us with their Personal Information are notified by this Policy about such service providers outside of Canada, and such individuals may, on request as set out in this Policy, obtain access to written information about our policies and practices with respect to service providers outside of Canada and the name or title of a person who can answer any questions about the collection, use, disclosure or storage of Personal Information by any service providers outside Canada.
a) We recognize our legal obligations to protect the Personal Information we have gathered about individuals. We have therefore implemented appropriate technical and organizational measures to secure against unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction of Personal Information;
b) These arrangements may include physical security measures, network security measures, and organizational measures such as non-disclosure agreements and need-to-know access.
16. NOTIFICATION OF LOSS OR UNAUTHORIZED ACCESS OR DISCLOSURE
a) In accordance with applicable law, we will notify the appropriate data protection authorities and affected individuals where an incident occurs involving the accidental or unlawful destruction, alteration, loss of or unauthorized access to or disclosure of Personal Information under our control. Where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure, we will, without unreasonable delay, provide notice to the Information and Privacy Commissioner for Alberta of the incident, including any information required by law at the time to be provided to the Commissioner;
b) While Alberta law provides that the Commissioner has the authority to require us to notify individuals of the unauthorized access or disclosure, we may elect to immediately do so in the event we consider it reasonable in the circumstances.
17. YOUR RIGHTS: REQUESTS FOR ACCESS
Alberta law permits all individuals regardless of their geographic locations to submit written requests to us to provide them with:
a) access to their Personal Information under the custody or control of Replicon;
i. Where Replicon derives the custody or control of the Personal Information through its customer, the customer will be the Data Controller and all requests for access to Personal Information should be forwarded through such Data Controller to Replicon.
b) information about the purposes for which their Personal Information under the custody or control of Replicon has been and is being used and the names of organizations or persons to whom and the circumstances in which Personal Information has been and is being disclosed by Replicon. Requests for access are subject to the following:
i. Any requests must be in writing;
ii. We do not accept such requests or respond to such requests via e-mail;
iii. In order to receive a response to such a request, the individual must provide us with sufficient information to locate their record, if any, and to respond to them;
iv. We will respond to requests in the time allowed by Alberta law, which is generally 45 days. In certain circumstances, we may have a right to extend this period of time and will advise in writing if we are doing so;
v. We will make a reasonable effort to assist applicants and to respond as accurately and completely as reasonably possible;
vi. All requests may be subject to any fees and disbursements the law permits us to charge;
vii. Where appropriate to do so, we may require advance payment of a deposit or the entire costs of responding to a request for access to Personal Information;
viii. Please note that an individual’s ability to access his or her Personal Information under our control is not an absolute right;
ix. Alberta law provides that Replicon must not disclose Personal Information where:
1. the disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request;
2. the disclosure would reveal Personal Information about another individual; or
3. the disclosure would reveal the identity of an individual who has in confidence provided us with an opinion about another individual and the individual providing the opinion does not consent to the disclosure of his or her identity.
x. Alberta law also provides that Replicon may choose not to disclose Personal Information where:
1. the Personal Information is protected by any legal privilege;
2. the disclosure of the information would reveal confidential commercial information and it is not unreasonable to withhold that information;
3. the Personal Information was collected by Replicon for an investigation or legal proceeding;
4. the disclosure of the Personal Information might result in similar information no longer being provided to us when it is reasonable that it would be provided;
5. the Personal Information was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he or she was appointed to act under an agreement, under an enactment, or by a court; or
6. the Personal Information relates to and may be used in the exercise of prosecutorial discretion.
xi. Replicon reserves all its rights under the above.
18. YOUR RIGHTS: RESPONSES TO REQUESTS
Our responses to requests for access to Personal Information will be in writing and will confirm:
a) whether we are providing all or part of the requested information, whether or not we are allowing access or providing copies, and, if access is being provided, when and how that will be given;
b) If access to information or copies are refused by us, we will provide written reasons for such refusal and the section of PIPA (the Personal Information Protection Act, Alberta) on which that refusal is based. We will also provide the name of an individual at Replicon who can answer questions about the refusal, and particulars of how the requesting individual can ask the Information and Privacy Commissioner of Alberta to review our decision. In order to receive a response to such a request, the individual must provide us with sufficient information to locate their record, if any, and to respond to them.
19. YOUR RIGHTS: REQUESTS FOR CORRECTION
a) Alberta law permits all individuals regardless of their geographic location to submit written requests to us to correct errors or omissions in their Personal Information that is in our custody or control. If an individual alleges errors or omissions in the Personal Information in our custody or control, we will either:
i. correct the Personal Information if reasonable to do so, and if not contrary to law, send correction notifications to any other organizations to whom we disclosed the incorrect information; or
ii. decide not to correct the Personal Information but annotate the Personal Information that a correction was requested but not made.
b) Corrections or amendments will not be made to opinions as opposed to factual information, although we reserve the right to modify opinions where changes in the facts upon which those opinions are based occur.
20. RIGHTS OF EUROPEAN DATA SUBJECTS
In addition, if you are a resident of the European Union, you have the following data protection rights:
a) If you wish to access, correct, update or request deletion of your Personal Information, you can do so at any time by contacting us using the contact details provided under the “how to contact us” heading below;
b) You can also object to processing of your Personal Information, ask us to restrict processing of your Personal Information or request portability of your Personal Information. Again, you can exercise these rights by contacting us using the contact details below;
c) Where Replicon derives the custody or control of the Personal Information through its customers, the customer will be the Data Controller and all requests for access to Personal Information should be forwarded through such Data Controller to Replicon;
d) You have the right to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided below. For Canadian citizens, in accordance with Canada Anti-Spam Legislation, if you wish to receive marketing communications from us, you have the right to opt-in at the time of signing up for the services on our website;
e) Similarly, if we have collected and process your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent;
f) You have the right to complain to a data protection authority about our collection and use of your Personal Information. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European economic area, Switzerland and certain non-European countries (including the US and Canada) are available here);
g) We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
21. AMENDMENTS TO THIS POLICY
Replicon may amend this Policy from time to time as required and without notice, in order to better meet our obligations under the law. When we update the Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. All updates and amendments are effective immediately upon notice, which we may give by any means, including, but not limited to, by posting a revised version of this Policy or other notice on the Website. We will obtain your consent to any material changes if and where this is required by applicable data protection laws. You can see when this Policy was last updated by checking the “last updated” date displayed at the top of this Policy.
22. CONTACTING REPLICON
a) If you have any questions with respect to our policies concerning the collection, use, disclosure or handling of your Personal Information, or if you wish to request access to, or correction of, your Personal Information under our care and control, or if you are dissatisfied with how we handle your Personal Information, please contact our Privacy Contact, Alfred Wong (email: email@example.com OR Tel: 403-262-6519 ext. 7298).
b) If you remain dissatisfied after our Privacy Contact has reviewed and responded to your concern, or have other concerns or questions, you have the right at any time to contact the Office of the Information and Privacy Commissioner at:
410, 9925 – 109 Street
Edmonton, AB T5K 2J8
Telephone (780) 422-6860 or Fax (780) 422-5682