Privacy Policy

PRIVACY POLICY FOR SPARTEZ ENTITIES

GENERAL

SPARTEZ can refer to:

(1) SPARTEZ Went i Wspólnicy Spółka Jawna with registered seat in Gdańsk, Na Zboczu 33, Poland, Court Registration Number (KRS) 0000294899, VAT No. PL5833005538, and

(2) SPARTEZ Sp. z o.o. Sp.k. with registered seat in Gdańsk, Norwida 2, Court Registration Number (KRS) 0000572100, VAT No. PL5842727722.

If it is not explicitly stated otherwise in notification, information, agreement or communicated in a similar manner, SPARTEZ shall be understood as the entity indicated in (1).

SPARTEZ is responsible for the processing of your personal data (the Controller). However, SPARTEZ may also be processing your personal data in the capacity of a Processor, as further described in the “SPARTEZ as Processor” section below.

This Privacy Policy applies to visitors to our public websites or the end-user of our public service or the end-user of our product or the legal entity who is the licensee or the user of our product or service — as the case may be. This Privacy Policy describes which of your personal data SPARTEZ processes, for what purposes and how such data are processed.

By using or registering for any of SPARTEZ services or products you consent to collecting, transferring, processing, storing and disclosing data and to other uses described in this Privacy Policy. If you disagree with any statement in this Privacy Policy you will need to stop using SPARTEZ services or products.

SPARTEZ respects the privacy of users and customers and does not disclose any of the collected personal information. SPARTEZ may use the collected information to improve its services. Any data provided by users or customers are used only for the purposes indicated within this Privacy Policy. With the exceptions listed below, SPARTEZ will never disclose any personal information including email address to any third-party.

SPARTEZ AS A CONTROLLER (Collection of your Personal Data)

This section of the Privacy Policy applies to the information we obtain through your use of our websites or when you otherwise interact with SPARTEZ representatives or our services or products.

Your rights as a data subject explained

Right of access: You have the right to obtain from us information as to whether we are processing your personal data, and where that is the case, access the personal data and information regarding the processing, for example the purposes of processing and categories of personal data concerned.

Right to rectification: If you believe we store incorrect information about you, you can request that we correct or supplement your data.

Right to erasure: You have the right to request that we delete your personal data. You can make such a request if for example you believe that we no longer need to keep your personal data to fulfil our purposes of processing such information, or if you have withdrawn your consent for us to further use your personal data.

Right to restriction of processing: You have the right to require that we temporarily suspend all our processing of your personal data with the exception of storing them. You can exercise this right if for example we do not agree if your personal data are accurate, or you believe our processing of your personal data is unlawful.

Right to object: You have the right to object at any time to the processing of personal data concerning you, including marketing activities.

You may opt out of receiving promotional communications from SPARTEZ by using the unsubscribe link within each email or by emailing us to have your contact information removed from our promotional email list or registration database. Although opt-out requests are usually processed immediately, please allow ten (10) business days for a removal request to be processed.

Right to data portability: You have the right to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format and to transmit those data to another controller without hindrance, where our processing is based on your consent or on a contract and where the processing is carried out by automated means.

Right to lodge a complaint with a supervisory authority: If you are not satisfied with the way SPARTEZ processes your personal data or responds to your application or request, you have the right to lodge a complaint with a supervisory authority.

PROCESSING OF CUSTOMER AND CONTRACTOR PERSONAL DATA

  1. Who is the controller of my personal data?
  2. The controller of personal data provided in connection with starting collaboration with us, in accordance with the master agreement under which you started the collaboration, is SPARTEZ Went i Wspólnicy Spółka Jawna in Gdańsk 80-110, St. Na Zboczu 33, KRS 0000294899, NIP 5833005538 or Spartez sp. z o.o. sp. k., in Gdańsk 80-280, St. Norwida 2, KRS 0000572100, NIP 5842727722.

  3. For what purposes are my personal data processed?
  4. Personal data are processed for the purpose of performance under the agreement entered into, for tax or accounting purposes, as well as for direct marketing of our own products and services. Contact information is recorded so that we are able to contact you to inform you of offerings, best practices as well as provide marketing information about our services and products. We may also contact you or your employees via given contact information with request to provide feedback or product requests. Contact information is also stored to provide support, answer your questions or handle issues.

  5. What is the legal basis for processing my personal data? Is providing the data voluntary? What are the consequences of failure to provide the data?
  6. Data are provided to the controller voluntarily and the processing is conducted on the basis of an agreement, therefore, if you refuse to provide the data, no agreement will able to be concluded or executed.

  7. How long will my data be processed?
  8. Personal data will be processed solely for the purposes indicated above and for the period of performance under the agreement; after termination of the agreement, the data will be processed until the expiry of the period of limitation for reciprocal claims and the period of storing of accounting documents required by law.

  9. To whom do we disclose personal data? Are the data transferred outside the European Economic Area?
  10. Personal data will not be disclosed to any other entities save for those entities commissioned by the Controller to process such data for the purpose of proper handling of the collaboration processes. However, such entities process the data on the basis of an agreement concluded with the Controller and solely as instructed by the Controller, and may not use personal data for other purposes. We work with third party service providers to provide website, application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for us. These service providers may process your information for the purpose of providing those services for us. Therefore, personal data may be transferred to a third country on the basis of standard data protection clauses adopted or accepted by the European Commission or on the basis of Privacy Shield participation clause. Customer’s or Contractor’s data may be also disclosed to authorized entities as long as it is required by the generally applicable law.

  11. Do we automatically process or profile the data?
  12. Personal data will not be used for automated decision-making processes, including profiling.

  13. What are my rights in connection with processing my personal data?
  14. Each person whose personal data are processed has the right of access, demand rectification, erasure or restriction of processing of personal data, the right to object processing of personal data, the right to transfer personal data (data portability), and the right to lodge a complaint with a supervisory authority.

  15. Whom can I contact about processing my personal data?
  16. In case of products, in all cases connected with processing personal data by the Controller, including information about adequate safeguards on protection of personal data applied in connection with sharing personal data with third parties, please contact the Data Protection Officer at the e-mail address: privacy@spartez.com.

  17. Sharing data between controllers
  18. In case of add-on products developed by Spartez Went i Wspólnicy Spółka Jawna in Gdańsk and purchased via Atlassian Marketplace , some data (including without limitation, your name, company name (if any), addresses (including e-mail address) and phone number) was shared by Atlassian Pty Ltd, an Australian corporation (ABN 53 102 443 916) on the basis of your consent granted by acceptance of Atlassian Marketplace Terms of Use.

PROCESSING OF CANDIDATE PERSONAL DATA

  1. Who is the controller of my personal data?
  2. The controller of personal data provided in connection with the conducted recruitment processes, including the personal data contained in the enclosed application documents, in accordance with the application filed and consent granted, is Spartez Went Wspólnicy Sp. j., Na Zboczu 33, 80-110 Gdańsk, Spartez sp. z o.o. sp. k., Norwida 2, 80-280 Gdańsk, or in case of selecting both, these selected companies as independent controllers.

  3. For what purposes are my personal data processed?
  4. Personal data are processed solely for the purpose of recruitment.

  5. What is the legal basis for processing my personal data? Is providing the data voluntary? What are the consequences of failure to provide the data?
  6. In the case of job application, data in the scope specified in the Labour Code – the Act of 26 June 1974 (Dz.U. [Polish Journal of Laws] of 1974 No. 24 item 141 as amended) and implementing acts are provided voluntarily and processed on the basis of the above-mentioned laws. Additional data in the application documents, as well as data provided when applying for a collaborator (a civil law contract) are provided voluntarily and processed on the basis of consent which may be withdrawn at any time without affecting the lawfulness of data processing carried out on the basis of the consent before its withdrawal. In both cases, participation in the recruitment process is impossible if the data are not provided.

  7. How long will my data be processed?
  8. Candidates’ data – their first and last name and the date of birth – will be processed for 18 months following the completion of the recruitment process in which a given candidate participated. This results from the recruitment policy adopted by our companies which excludes a candidate from participating in another recruitment process in less than 18 months. If a candidate voluntarily consents to participating in future recruitments, his or her personal data will be processed for 18 months following the completion of the recruitment processing which this candidate participated.

  9. To whom do we disclose personal data? Are the data transferred outside the European Economic Area?
  10. Personal data of candidates will not be disclosed to any other entities save for those entities commissioned by the Controller to process such data for the purpose of proper handling of the recruitment processes, e.g. IT services providers, business consultants. However, such entities process the data on the basis of an agreement concluded with the Controller and solely as instructed by the Controller, and may not use personal data for other purposes. Therefore, personal data may be transferred to a third country on the basis of standard data protection clauses adopted or accepted by the European Commission.

  11. Do we automatically process or profile the data?
  12. Personal data will not be used for automated decision-making processes, including profiling.

  13. What are my rights in connection with processing my personal data?
  14. Each person whose personal data are processed has the right of access, demand rectification, erasure or restriction of processing of personal data, the right to object processing of personal data, the right to transfer personal data, and the right to lodge a complaint with a supervisory authority.

  15. Whom can I contact about processing my personal data?
  16. In all cases connected with processing personal data by the Controller, including information about adequate safeguards on protection of personal data applied in connection with providing personal data, please contact the Data Protection Officer at the e-mail address: privacy@spartez.com.

SUPPLEMENTARY INFORMATION ON PROCESSING PERSONAL DATA

We collect Information under the direction of our customers and often have no direct relationship with the individuals whose personal data we process. If you are providing information (including personal data) about someone else, you must have the authority to act for them in relation to the collection and use of their personal data as described in this Privacy Policy.

Web and product logs: are gathered for the purpose to understand effectiveness of our website pages and usability of our products. We gather certain information and store it in log files when you interact with our websites or products. This information includes internet protocol (IP) addresses as well as browser type, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences.

Analytics Information: are recorded for the purpose to understand effectiveness of our website pages and products. We collect analytics information when you use our websites or products to help us improve our products and services.

Product errors: SPARTEZ products have a mechanism which sends logs to our servers in the case of serious error detection. These data contain information on error details, information on the product structure at the moment of error occurrence. These data may also include SEN and Server ID for JIRA licenses, the first and last name (if the latter is provided) of a technical contact person of Users as well as their email address.

Mailing lists and privacy contact: If one consented for receiving marketing information via email, we may use the first and last names of users as well as email address to maintain mailing lists and send out product and marketing information. You can unsubscribe from product or marketing information by sending us notice to marketing@spartez.com

Cookies: We use cookies to improve and customise SPARTEZ websites and your experience and to understand which areas and features of the Websites are most popular. SPARTEZ may use cookies to collect information. Cookies are small data files stored on your hard drive or in your device memory. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from websites you visit. However, if you do not accept cookies, you may not be able to use all aspects of our Websites.

General Uses: We use the Information we collect about you (including personal data to the extent applicable) to provide, operate, maintain, improve, and promote our websites and products; to monitor and analyse trends, usage, and activities in connection with our websites; to investigate and prevent unauthorised access to our websites and other illegal activities.

The use of Information collected is limited to the purposes disclosed in this Privacy Policy.

Testimonials: We may display personal testimonials of satisfied customers on the SPARTEZ products. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us at support@spartez.com.

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights: We may disclose your Information (including your personal data) to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and terms of service, (c) to protect the security or integrity of our products and services, (d) to protect SPARTEZ, our customers or the public from harm or illegal activities, or (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

For how long do we keep your personal data?

In general terms, we don’t keep your personal data longer than necessary for the purposes for which the personal data are processed. After such time, we will either delete or anonymise your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.

SECURITY

SPARTEZ provides the following security statement with a promise to adhere to the highest effective industry standards. We implement appropriate technical safeguards as HTTPs and organizational measures to guard your personal data, however, no security system is impenetrable and due to the inherent nature of the Internet as an open global communications vehicle, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others, such as hackers.

Data Storage

In relation to the Jira Cloud plugins' performance SPARTEZ does not store any critically vulnerable user or client data. Nevertheless due to the nature of JIRA API we might store e.g. userKeys to provide product functionalities.

People and Access

Only authorized SPARTEZ employees have access to the application data. Jira Cloud plugins created by SPARTEZ are designed to allow application data to be accessible only with appropriate credentials. Users and clients are responsible for maintaining the security of their own login information.

Privacy

SPARTEZ understands the importance of ensuring privacy of the personally identifiable user and client information. We do not share any kind of private information regarding users or clients, nor their activity.

For Security measures applied to our products please refer to our product documentation pages: https://confluence.spartez.com/

SPARTEZ AS A PROCESSOR

SPARTEZ provides services to various customers. If you are an end-user of SPARTEZ products as a customer, then SPARTEZ may be processing your personal data in the capacity of a Processor, in which case the customer (your employer/principal) acts as the Controller of your personal data processing. Our customers determine the purposes of personal data processing by adapting and configuring the products. Such processing carried out by SPARTEZ is regulated by data processing agreements with customers, whereby SPARTEZ only processes personal data on documented instructions from the Controller. If you have any questions or requests with respect to such processing, you should contact your employer/principal. If you are an employee of one of our customers and would no longer like us to process your information in connection with SPARTEZ services please contact your employer.

If you are a Controller and believe SPARTEZ is processing your personal data in the capacity of a Processor, you may request signing Model Data Processor Agreement for SPARTEZ Add-On Customers (DPA) as provided below in Addendum 1. In that case please let us know at privacy@spartez.com.

ADDENDUM: DATA PROCESSOR AGREEMENT

FOR SPARTEZ ADD-ON CUSTOMERS

This agreement regarding processing of personal data (the “Data Processor Agreement”) regulates SPARTEZ Went i Wspólnicy Spółka Jawna in Gdańsk, Na Zboczu 33, Poland, registration number (KRS) 0000294899, VAT No. PL5833005538 (the “Data Processor”) the processing of personal data on behalf of the customer (the “Data Controller”) and is attached as an addendum to the EULA in which the parties have agreed the terms for the Data Processor’s delivery of services to the Data Controller.

The Data Processor Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

The purpose of processing under the EULA is the provision of the Services by the Data Processor as specified in the EULA. In connection with the Data Processor’s delivery of the Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller’s personal data on behalf of the Data Controller.

”Personal data” includes “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (1) (the ”Personal Data”). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are:

The Data Processor processes the following types of Personal Data in connection with its delivery of the Services under EULA:

  • email, IP, name and surname, license number, Atlassian user key, user language, user browser information (browser, version, locale, operating system, user agent, timezone).

The Data Processor processes personal data about the following categories of data subjects on behalf of the Customer:

  • Tech contacts, billing contacts, partners, end-users (e.g. customer employees using our applications or contacting us via the support channel)

The Data Processor only performs processing activities necessary and relevant to provide the Services. The categories and types of Personal Data processed by the Data Processor shall be updated whenever changes occur that require an update.

The Data Processor may only act and process the Personal Data in accordance with the documented instruction from the Data Controller (the “Instruction”), unless required by law to act without such instruction. The Instruction at the time of entering into this Data Processor Agreement (DPA) is that the Data Processor may only process the Personal Data with the purpose of delivering the Services as described in the EULA.

The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller will be solely responsible for the accuracy, quality, and legality of Personal Data and the means by which they were obtained.

The Data Processor will inform the Data Controller of any instruction deemed to be in violation of the Applicable Law and will not execute the instructions until they have been confirmed or modified.

Confidentiality

The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the EULA or DPA, unless the Data Controller has agreed to same in writing.

The Data Processor’s employees shall be subject to the confidentiality obligation to ensure that they treat all the Personal Data under this DPA with strict confidentiality.

Personal Data will only be made available to that personnel which require access to such Personal Data for the purpose of providing Services under EULA and this Data Processor Agreement.

Security

The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time to time provided that such updates and modifications do not result in degradation of the overall security. The Data Processor shall provide documentation for the Data Processor’s security measures if requested by the Data Controller in writing.

If the Data Processor’s assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.

Rights of the data subjects

If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor’s assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.

If the Data Processor receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Controller, the Data Processor must immediately forward the request to the Data Controller and must refrain from responding to the person directly.

Personal Data Breaches

The Data Processor shall give immediate notice to the Data Controller in the event of any breach which can lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed with reference to the Personal Data processed on behalf of the Data Controller (a “Personal Data Breach”).

The Data Processor shall make reasonable efforts to identify the cause of such a breach and take such steps as are deemed necessary to establish the cause, and to prevent such a breach from reoccurring.

Documentation of compliance and Audit Rights

Upon request by a Data Controller, the Data Processor shall make available to the Data Controller all relevant information necessary to demonstrate compliance with this DPA, and shall allow for and reasonably cooperate with audits, including inspections by the Data Controller or an auditor mandated by the Data Controller. The Data Controller shall give notice of any audit or document inspection to be conducted and shall make reasonable endeavours to avoid causing damage or disruption to the Data Processors premises, equipment and business in the course of such an audit or inspection. Any audit or document inspection shall be carried out with reasonable prior written notice of no less than 90 days, and shall not be conducted more than once a year.

The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.

Data Transfers

Ordinarily, the Data Processor will not transfer your data to countries outside the European Economic Area. In some cases, personal data will be saved on storage solutions that have servers outside the European Economic Area (EEA), [for example, Amazon Web Services or Google Drive]. Only those storage solutions that provide secure services with adequate relevant safeguards will be employed.

Sub-Processors

The Data Processor is given general authorisation to engage third-parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller via SPARTEZ website or e-mail, in-app notification about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed consent to the relevant Sub-Processor.

In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller’s objection, the Data Controller may terminate the Services by providing written notice to the Data Processor.

The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processor Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors’ compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if so requested in writing.

The Data Processor is accountable to the Data Controller for any Sub-Processor in the same way as for its own actions and omissions.

The Data Processor is at the time of entering into this Data Processor Agreement using the Sub- Processors listed in sub-appendix A. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix A.

Remuneration and costs (Optional)

The Data Controller shall upon request remunerate the Data Processor based on the time spent to perform the obligations regarding ‘Data protection impact assessments and prior consultation’, ‘Rights of the data subjects’, ‘Personal Data Breaches’, and ‘Documentation of compliance and Audit Rights’ of this Data Processor Agreement based on the Data Processor’s hourly rates.

Limitation of Liability

The total aggregate liability towards the Customer, of whatever nature, whether in contract, tort or otherwise, of the Data Processor for any losses whatsoever and howsoever caused arising from or in any way connected with this engagement shall be subject to the “Limitation of Liability” clause set out in the EULA.

Nothing in this DPA will relieve the processor of its own direct responsibilities and liabilities under the GDPR.

Duration

The Data Processor Agreement shall remain in force until the support service is provided under EULA.

Data Protection Officer

The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations.

Termination

Following expiration or termination of the DPA, the Data Processor will delete the Data Controller’s all Personal Data in its possession except to the extent the Data Processor is required by the Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.

Contact

The contact information for the Data Processor is provided in the EULA.

Sub-appendix A

  1. APPROVED SUB-PROCESSORS
  2. The following Sub-Processors shall be considered approved by the Data Controller :

    • Amazon Web Services, Inc.
    • Google, Inc.
    • Atlassian Corporation Plc.
    • Salesforce.com, Inc.
    • Bugsnag Inc.
    • Papertrail, Inc.
    • HEG US Inc.
    • Calendly LLC,
    • The Rocket Science Group, LLC
    • Hotjar Limited,
    • ObjectLabs Corporation,
    • Piotr Stefaniak Kąpany
    • BZTI Bartłomiej Zięba
    • Video Communication Services AS

    For product specific sub-processors please refer to documentation: https://confluence.spartez.com/