Privacy Policy (Personvernerklæring – mobilvennlig)

This Privacy Policy constitutes an agreement between the Service Provider and the Customer and is incorporated into and governed by the Terms of Service. Privacy Policy describes what information we collect and use about you and what information is shared with third parties. Protecting the privacy and integrity of your personal data is our top priority.

1. Information we may collect about you

1.1. We collect different types of information to provide you with the Services reliably and securely.

• Personal Data — information relating to an identified or identifiable natural person. 
• Your account information — When you use the Services, we collect and associate with your User Account the information you provide us like your first and last name, email address, mobile phone number, personal code, address, credit card and/or other billing information, mobile device information (if the mobile app is used). We are acting as a Data Controller for this information. All this information is stored and processed within the European Union/European Economic Area (EU/EEA). We process this data to provide you with Services on the basis of the agreement, and for legal purposes (to handle your requests related to personal data, to provide information to law enforcement or other state institutions, to defend the rights and interests of Dokobit).
• Your uploaded data (Customer Data) — Any data uploaded or provided by the Customer. To provide the Services, we store, process and transmit your uploaded documents and information related to them. This data is processed solely by the directions provided by you (Customer or User). We are acting as a data processor for this information. All this information is stored and processed within the European Union/European Economic Area (EU/EEA).
• Your usage information — We collect information on how you use the Services. We may collect information like IP addresses, the type of browser, the device, the operating system you use, or the actions you take when using our Services. We use this information in our legitimate interest to monitor the availability and quality of our services and individual features, improve our Services, develop new products, features, and functionality, and ensure the security of your account and your data. Should this purpose require us to process Customer Data, the data will only be used in anonymised or aggregated form. 
  We may also use third-party tools to collect visitor behaviour and demographic information on our Services. If we have your consent, we also use this information to better tailor our website and the advertising we show you to your interests. If you give us your permission to send you marketing emails, we also use this information to send you personalised marketing emails. 
  For further details, see the section Cookies, Analytics, Marketing and Interest-based Advertising of this policy. We are acting as a Data Controller for this information.
• Other information — We may receive information about you, including your Personal Data, from third parties we are working closely with (like Qualified Trust Service Providers, other Service Providers integrated into our Services, business partners, subcontractors, payment service providers, credit rating agencies) on the basis of agreement or from cookies on the basis of consent. We will treat this information as Personal Data in accordance with this Privacy Policy. We are acting as a Data Controller for this information.
• Contact information — To answer your questions and feedback, we process personal data that you provide us when using contact forms on our websites and mobile app, such as name and surname, email address, phone number, organisation, message contents and other data that you provide. We are acting as a Data Controller for this information.

2. Disclosure of your information

2.1. We do not share any personal information with third parties unless one of the following circumstances applies:

• With Account Administrators — in case your User Account is managed for you by an Account Administrator, this Account Administrator will have full access to your User Account. The Account Administrator is able to access all your uploaded data (Customer Data), suspend or terminate your User Account access and obtain your usage information.
• For processing within the companies in our group and affiliates — we may share your information with other companies related to us. A company is related to us if it is directly or indirectly owned by our parent company Signicat AS. As part of this sharing of information with our parent company, subsidiaries and affiliates, this means that once you provide us with information, any one of our related entities may use your information including for marketing purposes, pursuant to the terms of this Privacy Policy and intercompany agreements.
• For external processing — we may provide the Personal Data to our trusted business partners (which may include service providers, accountants, advisors and other authorised partners) to process it for us, based on our instructions and in compliance with this Privacy Policy.
• Lawful requests — we may disclose Personal Data when we have a good belief that access, use, preservation or disclosure of such information is necessary to:
  • satisfy any applicable law, regulation, legal process or enforceable governmental request;
  • satisfy applicable laws especially subject to financial entities that have additional obligations for audits;
  • enforce our Terms of Service, including investigations of potential violations;
  • protect against imminent harm to our rights, property or safety, or that of our users or public as required or permitted by law.
• Business transfers — we may share and/or transfer your Personal Data if we become involved in any merger, acquisition, reorganisation, sale of assets, or bankruptcy.

3. Information security

3.1. All our Services have been designed from the ground up to be secure.

3.2. We have implemented an Information Security Management System (ISMS) according to ISO/IEC 27001 which covers a variety of privacy and security policies, processes and procedures, including administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of your Personal and Customer Data.

3.3. Our ISMS is audited every year and is certified by accredited auditors with the certification scope of “cloud-based services for e-signing, e-sealing, e-identification, validation of e-signature and e-seal, and related software development, delivery and support”.

3.4. Services are provided through 256-bit encryption TLS connection. All data is stored in data centres that comply with ISO 27001, ISO 27017, ISO 27018 and PCI DSS Level 1 standards. All Customer Data is encrypted using the AES-256 encryption algorithm.

4. Retention policy

4.1. Once you delete your User Account from the Services, the content (Customer Data) is deleted within 7 days of the date of closure. Your account information and billing information are retained for a period of 10 years in accordance with Lithuanian accounting and taxation laws. 

4.2. We retain information about your activity (the actions you take when using our Services) in system logs to ensure our Services are provided reliably and securely. Such information related to your activity may contain Customer Data and/or Personal Data. This information is stored in our backups for 90 days.

4.3. The abovementioned information will be removed from our data backups within one week after the end of the retention period.

4.4. Free user accounts are deleted after two years of inactivity in accordance with our Terms of Service.

5. Data Controller

5.1. You’re acting as a Data Controller for your uploaded data (Customer Data) that contains Personal Data. We are not responsible for any Personal Data stored at the discretion of our Customers, including but not limited to Address Book entries, Invitations or Documents.

5.2. We are neither responsible for the manner in which our Customers collect, handle, disclose, distribute nor otherwise process such data.

5.3. The terms for such data processing are defined in the Data Processing Agreement.

6. Cookies, analytics, marketing and interest-based advertising

6.1. We use cookies in all our services and on our website. Detailed information about our use of cookies is available at Cookie policy.

6.2. We may use third-party analytical technology services to monitor the availability and quality of our services or individual features, as well as to better understand our users’ needs and to optimise our service and your experience with us (e.g. which features they tend to use, how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and provide tools for targeted communication based on user behaviour. The data collected is used to create custom reports and measure user engagement and retention, also to define service-related communication based on factors like your engagement with our website, location, or account information, so we could tailor our service suggestions for you to ensure the optimal and user-oriented service experience and to better respond to the needs of our users.

6.3. Analytical technology uses cookies, backend event listeners, and other methods to collect data on service usage and our users’ behaviour and their devices. We will ask for your consent if an analytical or performance cookie is to be placed in the storage of your device. 

6.4. Analytical technology allows us to collect and evaluate personal data, for example, user activity (including account type, preferred authentication method, pages which have been visited and elements which have been clicked on; time the user spends on pages; the preferred language used to display our website etc.) and device and browser information (in particular, the IP address, device ID and operating system, device screen size, device type, unique device identifiers, browser information, geographic location).

6.5. We use third-party services to deliver personalised ads and content, measure ad and content engagement, and get insights about the audience and product development.

In order to show ads more relevant to you based on your interests, our ad partners use various cookies and mobile trackers. We will ask for your consent if a targeting cookie is to be placed in the storage of your device. Upon receiving your consent, we allow them to show personalised ads as well as to use cookies associated with personalised ads. Third-party advertising cookies and mobile trackers may be used for the purposes of the activation of contextual advertising or targeting campaigns. 

Based on your permission to place cookies on your device, we also evaluate user profiles under a pseudonym. In this case, no personal identification is possible. These third-party tracking technologies and their use are not controlled by us. Our ad partners are subject to confidentiality agreements with us and/or other legal restrictions. Third-party cookies are covered by the third parties’ privacy policies. We transfer information about your consent or refusal regarding the use of cookies and the associated processing of personal data for the purpose of ad personalisation to our ad partners.

7. Data location

7.1. We process your personal data within the EU/EEA. When selecting our partners, we make sure they provide us with the possibility to limit data processing to the EU/EEA, if possible. In the event that your data is transferred outside of the EU/EEA by one of our partners, we ensure in our agreements that this happens in accordance with applicable data protection law. Under no circumstances will we transfer your Customer Data outside of the EU/EEA.

8. Your rights

8.1. Under the GDPR, data subjects have the following rights (that might be subject to conditions, limitations, and exceptions established by statutory data protection provisions):

• The right to be informed of the data we collect and use and the right to access personal data held about them or demand a copy of the data.
• The right to object on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions (the collection and use are based on a task carried out in the public interest or the exercise of official authority vested or legitimate interest). You also have a right to object to the processing of your personal data for direct marketing purposes.
• The right to receive the data you have provided in a structured, current, and machine-readable form and to transfer this data to another data controller or, where technically feasible, to have it transferred by Dokobit (subject to the statutory criteria being met).
• The right to withdraw at any time any permission you have provided to us. You can withdraw your permission for us to send you our newsletter by adjusting your Dokobit account settings.
• The right to object to automated decision-making.
• The right for the personal data to be updated in case of inaccurate data and, subject to the nature of the collection and use, the completion of incomplete data (right to rectification).
• The right to demand restriction of the collection and use of your data, provided the statutory criteria are met (right to restrict processing).
• The right to be forgotten (demand deletion of your data), subject to a just cause.
• The right to complain to a supervisory authority about processing carried out by the data controller, regardless of any other legal remedy.

8.2. You may exercise any of your rights in relation to your personal data by submitting a request to our Data Protection Officer by email at dpo@dokobit.com.

8.3. Your request must provide sufficient information that allows us to reasonably verify you are the person or an authorised representative of a person whose personal data we have collected (name, surname, your e-mail, other information we may request for verification purposes), describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it, provide a confirmation under a penalty that you are the individual whose personal data is the subject of the request.

If your request is submitted by an authorised agent, written permission and information that verifies the identity of the agent must be enclosed with the request.

We cannot provide you with the information or exercise your other right if we cannot verify your identity or authority to make the request and confirm the information relating to you. 

9. Changes and updates

9.1. We may revise this Privacy Policy from time to time and will post the most current version on our website. If a revision results in meaningful changes, we will notify you. 

10. Contact us

10.1. If you have any questions, concerns or complaints about this Privacy Policy, you may contact our Data Protection Officer by email at dpo@dokobit.com.