Guardsquare Privacy Policy

    1. Introduction

    1.1 Who We Are

    Guardsquare ("we," "our," or "us") is committed to protecting your privacy. This privacy policy (“Privacy Policy”) regulates how we collect, use, disclose, and safeguard your personal data or personal information when you visit our website, guardsquare.com (the “Website”), use our services (the “Services”), or interact with us in other ways. Data processing is handled by Guardsquare NV, located at Tervuursevest 362/1, 3000 Leuven, Belgium, and registered with the CBE (Crossroads Bank for Enterprises) under number BE0550.675.829.

    1.2 Scope of This Policy

    This Privacy Policy applies to all personal data collected through our Website, Services, or any other interactions with us. By using our Website and/or our Services, you acknowledge that you have carefully read this Privacy Policy and unreservedly agree with it.

    While using the Website, you may encounter links to third-party websites. Please be advised that such third-party websites are independent sites, and we assume no responsibility or liability whatsoever regarding privacy matters or any other legal matter with respect to such sites. We encourage you to carefully read the privacy policies and the terms of use or service of such websites.

    1.3 Legal Compliance

    We comply with relevant data protection laws, including the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), and utilize the Data Privacy Framework (DPF) for service providers that are certified under this mechanism or Standard Contractual Clauses (SCCs) for international data transfers to ensure that personal data is protected when exported outside the European Economic Area (EEA) to countries that are not recognized by the European Commission to offer adequate personal data protection.

    Changes to This Privacy Policy

    We may update this Privacy Policy occasionally; therefore, please revisit this page frequently. Any changes will be posted on this page with an updated effective date. This Privacy Policy was last updated on 12 December 2024.

    2. Data Processing

    2.1 Information We Collect

    We collect various types of information based on your interactions with our Website and Services:

    • Personal Data: This includes your name, email address, phone number, and other contact details.
    • Usage Data: Information about how you interact with our Website and Services, such as your IP address, browser type, and activity logs.
    • Cookies and Tracking Technologies: Data collected through cookies and similar technologies to improve user experience and website functionality (more information in Article 5 (Cookies)).

    This Privacy Policy applies to the extent the above listed data constitute personal data (or personal information), defined as data about an identified or identifiable natural person.

    2.2 Legal Basis for Processing and Use of Personal Data

    We process your personal data based on the following legal grounds and for these purposes:

    • Consent: When you have given us explicit permission to process your data (e.g., for marketing communications). You can withdraw your consent anytime, and we will cease processing unless another legal ground applies. The foregoing will, however, not prevent us from retaining any personal data if this is necessary to comply with our legal obligations, in order to file a legal claim or defend ourselves against a legal claim, or for evidential purposes.
    • Contractual Necessity: When processing is necessary to fulfill a contract with you, such as providing services or responding to requests, or when you have asked us to take specific steps before entering into a contract.
    • Legal Obligation: When processing is required to comply with laws, regulatory requirements, or judicial or administrative orders.
    • Legitimate Interests: When processing is necessary for our legitimate interests or those of a third party, such as improving our services or ensuring the security of our platform, provided that these interests do not override your fundamental rights and freedoms.

    Data Minimization and Retention: We are committed to data minimization, meaning that we collect and process only the personal data necessary to fulfill the specific purposes outlined in this Privacy Policy. Your personal data will be processed only for as long as necessary to achieve those purposes or until you withdraw your consent. If you have registered on our Website and later remove your profile, we will delete your personal data unless statutory or regulatory obligations require us to retain it.

    Please do not provide us with any sensitive information, such as (non-exhaustive list) health information, information pertaining to criminal convictions, or credit card/account numbers.

    To the extent that you provide us with any personal data in connection with any third party, you are solely responsible for receiving and hereby represent and undertake to have received the consent, authority, permission, and approval of such person and to have provided them with sufficient disclosures, to allow the use of such personal data, and to allow us to access, store, collect, and process such personal data as detailed herein.

    2.3 Data Sharing and Disclosure

    We may share your personal data under the following circumstances:

    2.3.1 Sharing with Affiliates and Service Providers

    We may share your data with our affiliates and third-party vendors who assist in providing our Services. These external processors only process your personal data on our behalf, and we carefully select them to ensure the security and integrity of your personal information.

    2.3.2 Public Authorities

    Your data may be shared with public authorities or law enforcement agencies when required by law or if requested to make such a disclosure by a court or to protect your rights and interests, ours, or those of another individual. This will only be done to the extent necessary and in compliance with applicable laws.

    2.3.3 Business Transfers

    In the context of a merger, sale of company assets, or acquisition, your data may be transferred to the acquiring or merging entity, including transfers outside the European Economic Area (EEA) where applicable.

    2.3.4 Sharing Anonymized or Aggregated Data

    We may transmit anonymized or aggregated data to third parties for purposes such as improving products and services, as well as organizing targeted marketing or sales activities. This data cannot be used to identify you.

    We may share your personal data in additional manners with your explicit consent.

    2.4 Data Processing Locations and International Transfers

    We process personal data both within and outside the European Economic Area (EEA). Our product infrastructure is securely hosted in the European Union (EU) on the Google Cloud Platform (GCP). However, some of our product sub-processors may process data outside the European Economic Area (EEA). Please refer to our Data Processing Agreement (DPA) for detailed information.

    2.4.1 Transfers Outside the EEA

    For data transfers to countries outside the EEA, including the United States, we rely on the Data Privacy Framework (DPF) for service providers certified under this mechanism, ensuring that your personal data receives the same level of protection as within the EEA. For other service providers not certified under the DPF, we rely on adequacy decisions and Standard Contractual Clauses (SCCs) in conjunction with Transfer Impact Assessments (TIA) to assess and mitigate potential risks. These legal mechanisms ensure the security and integrity of your personal data when processed outside the EEA, meeting GDPR compliance standards.

    When personal data or anonymized/aggregated data is transferred outside the EEA, the following protection mechanisms are applied:

    | Tool/Service | Purpose | Data Processed | Country (outside EEA) | Protection Mechanism |
    |---|---|---|---|---|
    | Google Analytics 4 | Website Analytics and Tracking | Geographic metadata (based on IP address), User behavior, Device information, Cookies | USA | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment (TIA) |
    | HubSpot | Marketing and CRM | Name, Email, Geographic metadata (based on IP address), User behavior, Contact details, Analytics, Device information | USA | Data Privacy Framework (DPF) |
    | LinkedIn Navigator | Sales and Lead Generation | Name, Email, Job Title, Professional Data | USA | DPF |
    | LinkedIn Recruiter | Recruitment | Name, Email, Job Title, Professional Data | USA | DPF |
    | SalesLoft | Sales Engagement | Name, Email, Phone Number, User Activity, Communication History | USA | DPF |
    | Greenhouse | Recruitment and hiring process management | Personal data related to job applicants (e.g., name, contact details, CVs, application information) | USA | DPF |
    | Twitter / X | Social Media | Aggregated engagement data (clicks, impressions) | USA | DPF |
    | Facebook | Social Media and Advertising | Aggregated engagement data (clicks, impressions) | USA | DPF |
    | Reddit | Social Media | Aggregated engagement data (clicks, impressions) | USA | DPF |

    2.5 Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. If you request the deletion of your data, we will comply unless statutory or regulatory obligations require us to retain it.

    3. Specific Use Cases for Data Collection and Processing

    3.1 Requesting Resources

    • What: We collect personal information such as your name, email, company, and country when you request documents or resources.
    • Why: To deliver the requested materials to you.
    • Legal Ground: Necessary for fulfilling a service request in the execution of a contract, for potentially entering into a contract or consent.
    • Retention Time: We remove your data upon request or after 18 months of inactivity with our marketing or sales activities or through our website.
    • Third-party recipients: None.

    3.2 Requesting Quotes

    • What: We collect personal information, including your name, email, company, industry, country, phone number, services of interest, and specific details related to the services to provide you with a quote.
    • Why: To tailor the quote to your needs.
    • Legal Ground: Necessary for potential agreement preparation.
    • Retention Time: We remove your data upon request or after 18 months of inactivity with our marketing or sales activities or through our website.
    • Third-party recipients: None.

    3.3 Contact Form

    • What: We collect information, including your name, email, company, country, phone number, and message content.
    • Why: To respond to your inquiry.
    • Legal Ground: Necessary for the execution of a contract, for potentially entering into a contract or consent.
    • Retention Time: We remove your data upon request or after 18 months of inactivity with our marketing or sales activities or through our website.
    • Third-party recipients: None.

    3.4 Direct Marketing

    • What: We collect information, including your name, email, company, country, and phone number.
    • Why: To send you relevant product or market information.
    • Legal Ground: Your informed consent.
    • Retention Time: We remove your data upon request.
    • Third-party recipients: None.

    3.5 Job Applications

    • What: We collect personal data such as your identity, resume, cover letter, and other documents like recommendation letters. Informed consent will be verified before uploading any personal data.
    • Why: To consider your application for a job opportunity.
    • Legal Ground: Your informed consent, or necessary for potentially entering into a labor agreement. Please note that you cannot apply without giving your consent to process your data for the purpose set out above upon application. Optionally, you can also give your consent for us to store your data for up to 750 days after the end of the recruitment process (we refer to §3.6 ‘Recruitment Reserve’).
    • Retention Time: If consent was only given for data processing for purposes of the job application (but not for subsequent recruitment reserve storage), the data will be removed within 4 weeks after the application process concludes.
    • Third-party recipients: Recruitment agencies and affiliates, if applicable.

    3.6 Recruitment Reserve

    • What: For past applicants who may be a fit for future opportunities, we retain their data as obtained pursuant to §3.5 based on the consent they have provided (as per §3.5 ‘Job Applications’).
    • Why: To consider you for future job opportunities.
    • Legal Ground: Your informed consent.
    • Retention Time: Data will be retained for 750 days after the end of the application process.
    • Third-party recipients: Recruitment agencies and affiliates, if applicable.

    3.7 Guardsquare Products User Registration and Usage Data

    • What: Refer to the appropriate (i.e., depending on the product in scope) Data Processing Agreement Annex.
    • Why: To provide access to software, services, and manuals, enable usage of our products and services, and communicate essential product and service information.
    • Legal Ground: Necessary for delivering a product license or service in the execution of a contract.
    • Retention Time: Refer to the appropriate Data Processing Agreement Annex.
    • Third-party recipients: Refer to the appropriate Data Processing Agreement Annex.

    3.8 Cookies

    • As per Article 6 (Cookies) below.

    4. Your Rights

    Under the GDPR and the Data Privacy Framework, you have the following rights:

    • Right to be informed: The right to be informed about how we will collect, use, and share your personal data in a concise, transparent, intelligible, and easily accessible format, written in clear and plain language. This information is set out in this Privacy Policy, and additional information can be requested in accordance with Article 7.1 (Contact Us).
    • Access: The right to request a copy of the personal data we hold about you (provided that this does not adversely affect the rights and freedoms of others), together with information regarding how your personal data is being used, which you can also find in this Privacy Policy.
    • Rectification: The right to have your personal data rectified or, taking into account the purposes of the processing, completed if it is inaccurate or incomplete. If we have disclosed the relevant personal data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible.
    • Erasure (Right to be Forgotten): The right to request the deletion of your personal data when any of the conditions outlined in Article 2.2 (Legal Basis for Processing) apply, such as when the data is no longer necessary, you withdraw consent, or the data was unlawfully processed. You acknowledge that this is not a blanket right to require all of your personal data to be erased. We will carefully consider each request in accordance with the requirements under applicable law.
    • Restriction: The right to request to restrict the processing of your data in certain circumstances.
    • Data Portability: The right to request transfer of your data to another entity under the legally defined conditions.
    • Objection: The right to object to processing based on legitimate interests or for direct marketing purposes. If you so object, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of a legal claim.
    • Withdraw Consent: You can withdraw your consent at any time.

    You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

    5. Security Measures

    We take data security seriously and have implemented technical and organizational measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction. These measures include encryption, access controls, and regular security audits. Please visit our Security Standards page for more detailed information on our security practices.

    6. Cookies

    We use cookies and similar technologies to enhance your experience on our website. For more information on how we use cookies, please refer to our Cookie Policy.

    7. Dispute Resolution and Contact Information

    If you have any concerns or complaints regarding our adherence to applicable data protection law, please contact us. We are committed to resolving disputes in a timely manner.

    For GDPR-related complaints, you have the right to lodge a complaint with your local data protection authority. Since Guardsquare is headquartered in Belgium, you may contact the Belgian Data Protection Authority (Autorité de protection des données / Gegevensbeschermingsautoriteit):

    Belgian Data Protection Authority
    Rue de la Presse 35, 1000 Brussels
    Phone: +32 (0)2 274 48 00
    Email: contact@apd-gba.be
    Website: www.dataprotectionauthority.be

    Contact details for data protection authorities in the EEA are available here.

    If a complaint cannot be resolved through our internal processes, we will comply with the dispute resolution procedures established under GDPR.

    7.1 Contact Us

    If you have any questions about this Privacy Policy or want to exercise your rights under the GDPR, please contact us with the specific right you wish to exercise (e.g., access, rectification, erasure, data portability). We may need to verify your identity before processing your request. If your request is valid, we will respond as quickly as reasonably possible and no later than 30 days from the date of your request.

    • Company Name: Guardsquare NV
    • Address: Tervuursevest 362/1, 3000 Leuven, Belgium
    • Email: privacy@guardsquare.com
    • Phone: +32 (0)16 920 646