Aphaia privacy notice and data processor terms
GENERAL
Aphaia are a group of companies comprising:
- Aphaia Ltd, Eagle House, 163 City Road, Shoreditch, London EC1V 1NR, United Kingdom,
- Aphaia B.V., Schiedamse Vest 154, 3011 BH Rotterdam, the Netherlands,
- Aphaia Europa, SL, Paseo de la Castellana, 194, 28046, Madrid, Spain.
When we mention Aphaia, we, or us, we are referring to the company in the Aphaia group of companies responsible for the processing of your data. Note that Aphaia Ltd, London, Aphaia B.V., Rotterdam, and Aphaia Europa S.L. may be joint controllers.
We are the controller of the CRM data of our clients, prospects and their staff, such as names, contact and professional details, financial details, transaction details, correspondence and other interactions. We are also the controller of our website visitors’ data, which may include IP address or other identifiers, browser and device information, interactions with our website, the source of traffic, implied rough geolocation, and cookie information. We further process our employees’ and individual contractors’ data; this notice applies to that processing where another notice has not been provided to you.
Where we act as the Data Protection Officer (DPO) for our clients, we are the data processor for the personal data pertaining to their customers, service and website users, employees, job candidates, individual contractors, and other data subjects for whom our clients are data controllers.
WHERE WE ACT AS THE DATA CONTROLLER:
Purposes and bases: we may process your data:
- for the performance of the contract that you have entered into for the provision of Aphaia services, and/or in order to take steps at your request to enter into the contract,
- for our legitimate interest of managing our contractual relationships,
- for our legitimate interest to perform direct marketing activities plus website and social media marketing analytics,
- to comply with the statutory record keeping requirements,
- for the performance of other contracts and other legitimate interests such as cybersecurity and fraud prevention.
Where we process your data based on consent or where you wish to object to our use of your data for direct marketing purposes, you should use the opt-out link provided in an email you might have received from us, or contact us at info@aphaia.co.uk.
Data sharing: we may share your data with:
- other Aphaia group companies for administrative and organisational purposes,
- cloud services for storage, management, analytics, and communications purposes,
- professional services such as accountancy, legal or debt collection services for compliance, analytics, and claims management purposes.
International data transfers: we may transfer your data outside the UK or the EU based on an adequacy decision, including the EU-US Data Privacy Framework and its UK extension, or standard contractual clauses adopted by the data privacy regulators.
Data retention: we keep your data for as long as this may be justified for the purpose of processing. After the termination of the contract with us, clients’ and their staff’s details and correspondence may be kept for a reasonable period of time for marketing as well as potential claims purposes. Some data such as invoice data shall be kept for at least as long as required by the statutory retention periods.
Your rights in relation to personal data: you have the right to:
- access to your personal data that we hold about you (commonly known as a “data subject access request” or DSAR). This enables you to receive a copy of the personal data we hold about you,
- rectification of inaccurate personal data concerning you, including the right to have incomplete personal data completed e.g. by means of providing a supplementary statement,
- restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data where the data is wrongfully processed but should not be erased for a reason listed in Article 18 (1) (UK) GDPR,
- erasure of your personal data where there is no good reason for us continuing to process it,
- object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) or where we are processing your personal data for direct marketing purposes,
- data portability in a common, machine-readable form.
Where another mechanism is not provided, you can exercise the above rights at any time by contacting us at info@aphaia.co.uk. If you are unhappy with the way we process your data, you may lodge a complaint by contacting ico.org.uk or another data protection authority that might be competent in your case.
WHERE WE ACT AS YOUR DATA PROTECTION OFFICER (DPO):
Where we act as your Data Protection Officer (DPO), the data of the data subjects controlled by you is processed on your behalf, which makes Aphaia your data processor. Please note that, where we process the data of your staff to manage our business and professional relationship with you, we are the data controller.
Duration and end of processing: the processing shall take place until the end of the contract term as agreed in our Engagement Document. After that, we shall, at your choice, delete or return personal data to you.
Confidentiality: we shall engage in the processing of personal data only persons who have committed themselves to confidentiality of data in their contracts with us. They shall at all times adhere to the principles of confidentiality and data minimisation when accessing and/or using the data controlled by you.
Our additional obligations: in addition, we shall:
- ensure security of processing in accordance with Article 32 (UK) GDPR;
- assist you by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III (UK) GDPR;
- assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 (UK) GDPR, taking into account the nature of processing and the information available to us.
Engaging another processor: you give us your general authorisation to engage another processor subject to the publication of the processor’s details on our website at least one month prior to their actual engagement, giving you the opportunity to object to the appointment. Currently, the following processors may be engaged by us:
- Atlassian (Trello),
- Google,
- Opalstack.
Equivalent data protection obligations to those set out in these Terms should be imposed on other processors by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the (UK) GDPR.
Inspection and audits: we shall make available to you all the information necessary to demonstrate compliance with the obligations laid down in Article 28 (UK) GDPR, and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.