Privacy Policy
These Privacy Policy was adopted by Touchtech AB on 2022-10-24.
Privacy Policy - in short
When you create a user account at the Touchtech platform, we at Touchtech AB (“Touchtech”, “we”, “us” or “our”) and sometimes the companies presenting their brands at the platform (the “Companies”) will process your personal data.
Touchtech (“we” or “us”) cares about your privacy and want to inform you about how we process your personal data when you use our platform (the “Platform”). Since your use of the Platform will be only in your capacity as an employee or representative of a company – the Platform is not provided to consumers – all personal data relates to what you do in that capacity. We want to make sure that you know that neither we nor the Companies have any interest in processing data relating to your everyday life in general.
Why do we process your personal data?
When you visit our Platform as a non-logged-in user, we process your personal data
In order for the Platform to function properly
To improve our Platform by analyzing user data
When you create a user account and use our Platform as a logged-in user, we process your personal data
To provide you, and administrate your, user account in the Platform
For publication of your contributions to the Platform and the Platform
To improve our Platform by analyzing user data
When you need to contact us for any reason, for exaple if you have questions, needs support or have complains, we process your personal data
To stay in touch with you and to administer your support case
Our strongest aim is to not transfer your personal data outside the EU/EEA. For example, we choose storing and processing within the European Union from our suppliers when that option is available. However, your personal data may be transferred outside the EU/EEA if the suppliers we use are based or process your personal data there. You can read more about this below.
Your rights
In the privacy policy, you will find information about your rights. In short you have the following rights:
The right to lodge a complaint with a supervisory authority,
The right to access,
The right to object,
The right to erasure,
The right to restriction of processing, and
Contact us regarding any questions
If you have any questions, or if you wish to exercise any of your rights, please feel free to contact Touchtech or the Company that governs a brand workspace (“Brand Workspace”) that you have visited. You can reach Touchtech at email support@touchtech.com or phone +46 31-75 73 250.
Privacy Policy - The longer version
Data processing can be quite hard to get your head around. In order to be as transparent as possible about how we process your personal data, we provide you the information about our processing in “layers” with the more graspable information first and then some information that goes into further detail. In this part of the privacy policy, you can read more about the following:
Who is responsible for the processing of your personal data?
Who can gain access to your personal data and why?
Where are your personal data processed?
Detailed description on how we process your personal data
Balancing of interests when processing personal data based on the legal basis “legitimate interests”
What are your rights when we process your personal data? Detailed description
Who is responsible for the processing of your personal data?
Touchtech AB, with the Swedish registration number 556749-5006 (“Touchtech”, “we”, “us” or “our”), is responsible for the processing of your personal data when you visit and use the Platform.
Should you have any questions regarding Touchtech’s processing of your personal data, or if you wish to exercise any of your rights under the data protection legislation, please feel free to contact us.
Your use of the Platform generates personal data. Such personal data may be for example information about what items you click on and information about which Companies’ Brand Workspace that you have visited on our Platform. This is further explained below. This kind of personal data we share with the Companies whose Brand Workspace that you have visited. When doing so, those particular Companies will become responsible for the processing of the personal data that we have shared with them and provide you with separate information about their processing. If you have any questions about how a Company’s processes your personal data, please feel free to contact the Company.
Cookies
We will gather personal data by using cookies. How we do this is described in our text about cookies which you find here.
To protect your privacy, we and our suppliers have taken measures to avoid identifying you when you visit the Touchtech Platform.
Who can gain access to your personal data and why?
Your personal data is initially collected and processed by us and we do not sell your personal data to any other parties. This means that your personal data will be processed by our employees, and only personnel who need such access to conduct their work.
To conduct our business, we need to work with suppliers and partners. These suppliers and partners will process your personal data, either to perform services on our behalf or after we have shared personal data with them. We are responsible for any sharing of your personal data to such suppliers or partners and to make sure that your personal data is safe when shared with third parties as set out below.
In summary, we will share your personal data with the following recipients:
Our IT suppliers will process personal data on our behalf and on our instructions to ensure good and secure IT operations. We only share your personal data with our IT suppliers if it is necessary for them to fulfil their obligations towards us according to the contract that we have with them.
Companies who are our customers and who owns and administrate Brand Workspaces on our Platform will access certain personal data through the Platform and will then become responsible for that personal data. However, we only share data to a particular Company that relates to your visit of that Company’s Brand Workspace.
The categories of personal data that we will share with other Companies, including the one you are working for, are:
Information about how you use the Platform, for example what items you have clicked on
If you are a logged in user, we will also share to the Companies:
Information that you provide to the Platform, for example comments and other content
Your name, contact details and IP address to identify you
nformation about your use of the Platform, such as your location and the time when you clicked on a certain item
If you have any questions regarding how we share your personal data or want to know more about who we share your personal data with, please feel free to contact us.
Where are your personal data processed?
Our strongest aim is to not transfer your personal data outside the EU/EEA. For example, we choose storing and processing within the European Union when that option is available. However, your personal data may be transferred outside the EU/EEA if the suppliers we use are based or process your personal data there. For example, when we use Cloudflare and SendGrid, your personal data will be transferred to the US. You can access the terms for Cloudflare’s processing of data here, and the terms for SendGrid’s processing of personal data here.
We and our suppliers rely on the Standard Contractual Clauses for the transfer of personal data outside of the EU/EEA. The use of Standard Contractual Clauses is an effort to provide a safe transfer of your personal data.
If you want to know more about where your personal data will be processed, please feel free to contact us.
Detailed description on how we process your personal data
When you visit the Platform
When you visit the Platform, we will gather your personal data from your device.
For the functionality of the Platform
The processing we perform
To technically make the Platform work, e.g. remember your previous choices. To do this we use Cloudflare and other third party providers, who gathers information about e.g. your IP-address and location.
Third party providers such as Cloudflare help us with the monitoring of the Platform, to ensure that they are not overloaded as well as to avoid security breaches and attacks. (However, we will not connect the information to you as an individual or other information that we have.)
The personal data we process
IP address
Technical information about e.g. your device and browser (which area in the country you use the Platform from and which screen resolution you have)
Information about your previous choices, e.g. choice of language
The lawful basis for our processing
Legitimate interest (The processing of personal data is necessary as regards our legitimate interest to make the Platform work properly.)
Storage period: We will use your personal data during the time you visit our Platform.
To analyze how the Platform is used and improve the Platform
The processing we perform
Gathering information that is necessary in order to improve the Platform and the Service. To do this we use our own analytical tools.
Analysing the data by keeping logs of which elements and features on the Platform you have clicked on. (However, we do not track user patterns of you as an individual user. The purposes of the logs are only to understand which elements that are popular.)
Optimising the functions on the Platform and to adapt them to suit the needs of users in general.
Sending reports and copies based on our logs to our customers, as part of providing the Platform to them as well as to improve our Platform.
The personal data we process
Information about events on the platform, e.g. that you have clicked on an item on the Platform, when you clicked on it and that you have visited a certain Brand Workspace
The lawful basis for our processing
Legitimate interest (The processing of personal data is necessary as regards our legitimate interest to improve the Platform by handling and compiling statistics based on your use.)
Storage period: We will use your personal data during 12 months from the time you visit our Platform.
When you create a user account and use the Platform
If you want to create a user account and use our Platform, we will need certain personal data about you in order to administrate your user account. We collect your personal data directly from you when you create your account or while you use the Platform.
To provide and administer your user account
The processing we perform
Administrate your user account.
Communicate with you regarding your user account, e.g. send updated information about the terms for the Platform and to send you any updates to this privacy policy.
Communicate with you when you contact us related to your account in, and your use of, the Platform, e.g. for support matters.
Enable you to securely identify yourself as a user.
The personal data we process
Name
E-mail address
Any additional information you provide to us, e.g.:
Your trusted devices and browser for such device
Information regarding your support case
The lawful basis for our processing
Performance of contract (The processing is necessary for us to fulfil the contract concerning your membership in the Service.)
Storage period: We will store your profile information and related activity data for as long as you are an active user. If you have been a passive user for 24 months, we will check if you want to keep your account in the Platform and remove your account if you do not respond or if you want us to do so.
For the functionality of the Service when you have logged in
The processing we perform
To technically make the Platform work, e.g., remember your previous choices. To do this we use Cloudflare and other third party providers, who gathers information about e.g. your IP-address and location.
Third party providers such as Cloudflare help us with the monitoring of the Platform and the Service, to ensure that they are not overloaded as well as to avoid security breaches and attacks.
The personal data we process
IP address
Technical information about e.g., your device and browser (which area in the country you use the Platform from and which screen resolution you have)
Information about your previous choices, e.g. choice of language
The lawful basis for our processing
Legitimate interest (The processing of personal data is necessary as regards our legitimate interest to make the website work.)
Performance of contract (The processing is necessary for us to fulfil the contract concerning your membership in the Service.)
Storage period: We will store your profile information and related activity data for as long as you are an active user. If you have been a passive user for 24 months, we will check if you want to keep your account in the Platform and remove your account if you do not respond or if you want us to do so.
To analyze how the Service is used, improve the Service and share personal data with Companies
The processing we perform
Gathering information that is necessary in order to improve the Platform, both for our customers and for you as a user. For example, we are able to show you more content that is relevant to you. To do this we use our own analytical tools.
Analysing the data by keeping logs of which elements and features on the Platform you have clicked on.
Optimising the functions on the Platform and to adapt them to suit the needs of users in general.
Sending reports and copies based on our logs to our customers, as part of providing the Platform to them as well as to improve our offer.
The personal data we process
IP-address
Name
Email address
Information about your device/browser (which area in the country you use the Service from and which screen resolution you have)
Information that you provide to the Platform, for example comments and other content
Information about your events on the Platform, e.g., what action you have performed, that you have clicked on an item, time of the event and your location data
The lawful basis for our processing
Legitimate interest (The processing of personal data is necessary as regards our legitimate interest to improve the Service by handling and compiling statistics based on your use.)
Performance of contract
(The processing is necessary for us to fulfil the contract concerning your use of the Service.)
Storage period: We will store your profile information and related activity data for as long as you are an active user. If you have been a passive user for 24 months, we will check if you want to keep your account in the Platform and remove your account if you do not respond or if you want us to do so.
Sharing of personal data: We share the personal data relevant to this section (e.g. related to items you have clicked on and Brand Workspace that you have visited) with the Companies owning that Brand Workspace that you have interacted with. For information about how these Companies process your personal data and for how long they process it, please see the information provided by each individual Company.
When you need to contact us
To provide support and handle any questions, complaints or other concerns of our users
The processing we perform
If you have any questions, if you want to make a complaint or if you wish to discuss anything when you have used the Platform, we will process your personal data to handle the question or complaint. We will collect your personal data directly from you.
The personal data we process
Information from your user account in the Platform
Information from our communication with you in relation to the question
The lawful basis for our processing
Legal obligation (The processing may in some situations be necessary to act according to legal obligations to which we are subject according to the GDPR. In these cases, you need to provide your personal data to us since we otherwise will not be able to comply with your rights under the GDPR.)
Legitimate interest
(The processing of personal data is necessary as regards our legitimate interest to process your personal data to answer your questions or manage your complaints.)
Storage period: We will store your personal data from the time the question or the complaint was initiated and for 24 months.
Balancing of interests when processing personal data based on the legal basis “legitimate interests”
As stated above, we sometimes process your personal data because it is necessary as regards our legitimate interest, which is related to the purpose of the processing. By carrying out a balancing of interests assessment concerning our processing of your personal data, we have in these cases concluded that our legitimate interest for which we processes your personal data outweighs your interests or rights not to have your personal data processed.
If you want more information in relation to our balancing of interests assessments, please do not hesitate to contact us.
What are your rights when we process your personal data? Detailed description
You have certain rights that you can exercise to affect how we process your personal data. You can read a more detailed description about what those rights are below.
If you want to know more about your rights or if you want to exercise any of your rights, please contact us and we will help you.
Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
You have the right to lodge a complaint with a supervisory authority.
The supervisory authority in Sweden is the Swedish Authority for Privacy Protection(Integritetsskyddsmyndigheten, the IMY)
In detail: Your right to complain exists without prejudice to any other administrative or judicial remedy. You have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work or place of where the alleged infringement of applicable data protection laws has allegedly occurred.
The supervisory authority has an obligation of informing you on the progress and the outcome of the complaint, including the possibility of a judicial remedy.
Right to withdraw consent (Article 7.3 GDPR)
You have the right to withdraw your consent at any time by contacting us.
In detail. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to access (Article 15 GDPR)
You have the right to obtain confirmation as to whether we are processing personal data concerning you or not. You can make a request by contacting us. If we do process your personal data, you also have a right to obtain a copy of the personal data processed by us as well as information about our processing of your personal data.
In detail. The information we provide includes the following:
the purposes of the processing,
the categories of personal data concerned,
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations,
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period,
the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing,
the right to lodge a complaint with a supervisory authority,
if the personal data are not collected from you, we provide you with available information about the source of the personal data;
the existence of automated decision-making, including profiling, referred to in Articles 22.1 and 22.4 GDPR and, in those cases, meaningful information about the logic involved, as well as the significance and the predicted consequences of such processing; and
where your personal data are transferred to a third country or to an international organization, you have the right to information regarding the appropriate safeguards, pursuant to Article 46 GDPR, put in place for the transfer.
For any further copies of the personal data undergoing processing requested by you, we may charge a reasonable fee based on administrative costs. If you have made the request by electronic means the information will be provided to you in a commonly used electronic form, unless otherwise requested by you.
Your right to obtain a copy referred to above shall not adversely affect the rights and freedoms of others.
Right to object (Article 21 GDPR)
You have the right to object to our processing of your personal data at any time.
In detail: Your right to object applies as follows:
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Article 6.1 e or 6.1 f GDPR, including profiling based on those provisions. We shall no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, you have an unconditional right to have the processing of your personal data for such purposes ceased.
In the context of the use of information society services, and regardless of Directive 2002/58/EC (ePrivacy Directive, or ePD), you may exercise your right to object by automated means using technical specifications.
Right to erasure (“the right to be forgotten”) (Article 17 GDPR)
You have the right to ask us to erase your personal data.
In detail: We have the obligation to erase your personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent on which the processing is based, and there is no other legal ground for the processing;
you object to the processing pursuant to Article 21.1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21.2 GDPR;
the personal data have been unlawfully processed; or
the personal data have to be erased for compliance with a legal obligation in Union or Member State law that applies to us.
Where we have made the personal data public and are obliged in accordance with the rights stated above to erase the personal data, we shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform other controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
We will notify any erasure of personal data carried out in accordance with your rights stated above to each recipient to whom the personal data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome tocontact us.
Please note that our obligation to erase and inform according to above shall not apply to the extent processing is necessary according to the following reasons:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation which requires processing by Union or Member State law which applies to us; or
for the establishment, exercise or defence of legal claims.
Right to rectification of processing (Article 16 GDPR)
You have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning you.
In detail: Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
We will communicate any rectification of personal data to each recipient to whom the personal data have been provided to, unless this proves impossible or involves disproportionate effort. If you want information about those recipients, you are more than welcome to contact us.
Right to restriction of processing (Article 18 GDPR)
You have the right to obtain from us restriction of the processing of your personal data.
In detail: Your right applies if:
the accuracy of the personal data is contested by you, during a period enabling us to verify the accuracy of the personal data,
you have objected to processing pursuant to Article 21.1 GDPR pending the verification whether our legitimate grounds override yours,
the processing is unlawful, and you oppose the erasure of the personal data and instead request the restriction of their use, or
you need the personal data for the establishment, exercise or defence of legal claims even though we no longer need the personal data for the purposes of the processing.
Where the processing has been restricted according to above, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
We will notify each recipient to whom the personal data has been provided to about any restriction of processing according to above, if this do not occur to be impossible or entails a disproportionate effort. If you want more information about these recipients, you are welcome to contact us.
Right to data portability (Article 20 GDPR)
You have the right to receive your personal data from us in a structured, commonly used and machine-readable format and, where technically feasible, have your personal data transferred to another data controller (“data portability”).
In detail: The right applies if:
the processing is based on the lawful basis consent or on a contract, and
the processing is carried out by automated means.
The exercise of the right to data portability shall be without prejudice to the right to erasure, i.e. Article 17.
Your right to data portability shall not adversely affect the rights and freedoms of others.