Privacy Policy

Effective from: 9th October 2024

Contact email: customer@simpleway.global

This Privacy Policy (“Policy”) applies to all components and actions of the Simpleway CX service available at www.transit.cx (“Website”) that is provided to you, the customer (“Customer”), by Simpleway, Inc., the corporation incorporated and existing under the laws of the State of Wyoming, 1621 Central Avenue, Cheyenne, Wyoming, 82001 USA (“SW”).

By using the Service, you confirm that you have read, understood, and accepted this Policy. If you are accepting this Policy on behalf of another subject (i.e., as an employee or an agent), you hereby warrant that you are duly authorized to enter into a legally binding contract on behalf of such subject. If you do not agree to this Policy, please cease use of the Service immediately.

1. INTERPRETATION AND APPLICATION

1.1.       In this Policy, the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:

a)           “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.

b)          “Anonymized Data” means any Personal Data (including Customer Personal Data), which has been anonymized such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by SW or any other party reasonably likely to receive or access that anonymized Personal Data.

c)           “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in Prague, Czech Republic.

d)          “Cessation Date” has the meaning given in Paragraph 9.1.

e)           “Controller Data” means any Personal Data pertaining to Users or other Customer personnel which is Processed by SW other than for the purpose of providing support services under the Contract, pursuant to the SW Policy at www.simpleway.cloud.

f)            “Customer Personal Data” means any Personal Data contained in any Content and any other Personal Data pertaining to Users that is Processed by or on behalf of SW on behalf of Customer in the course of providing support services under the Contract (excluding any Controller Data).

g)           “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR, and any definitions therein, shall be construed accordingly).

h)          “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with Chapter III of the GDPR.

i)            “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.

j)            “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.

k)          “Post-cessation Storage Period” has the meaning given in Paragraph 9.2.

l)            “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.

m)         “Restricted Transfer” means:

(i) a transfer of Customer Personal Data from Customer to SW in a Restricted Country; or

(ii) an onward transfer of Customer Personal Data from SW to a Sub-processor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.

n)          “Services” means those services and activities to be supplied to or carried out by or on behalf of SW for Customer pursuant to the Contract.

o)          “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time to time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.

p)          “Sub-processor” means any third party appointed by or on behalf of SW to Process Customer Personal Data.

1.2.       In this Policy:

a)           the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws;

b)          unless otherwise defined in this Policy, all capitalized terms shall have the meaning given to them in the Terms and Conditions.

1.3.       Customer warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith (including pursuant to Article 3 of the GDPR). Customer further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this Policy shall be deemed automatically void and of no effect without requirement of notice.

2. PROCESSING OF CUSTOMER PERSONAL DATA

2.1.       In respect of Customer Personal Data, the Parties acknowledge that:

a)           SW acts as a Data Processor; and

b)          Customer acts as the Data Controller.

2.2.       SW shall:

a)           comply with all applicable Data Protection Laws in Processing Customer Personal Data; and

b)          not Process Customer Personal Data other than:

     i.                on Customer’s instructions (subject always to Paragraph 2.9); and

     ii.                as required by applicable laws.

2.3.       To the extent permitted by applicable laws, SW shall inform Customer of:

a)           any Processing to be carried out under Paragraph 2.2(b)(ii); and

b)          the relevant legal requirements that require it to carry out such Processing, before the relevant Processing of that Customer Personal Data.

2.4.       Customer instructs SW to Process Customer Personal Data as necessary:

a)           to provide the Services to Customer; and

b)          to perform SW’s obligations and exercise SW’s rights under the Contract.

2.5.       Annex 1 (Data Processing Details) sets out certain information regarding SW’s processing of Customer Personal Data as required by Article 28(3) of the GDPR.

2.6.       Customer may amend Annex 1 (Data Processing Details) on written notice to SW from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.

2.7.       Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.6) confers any right or imposes any obligation on any Party to this Policy.

2.8.       Where SW receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, SW shall inform Customer.

2.9.       Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing of Customer Personal Data by or on behalf of SW pursuant to or in connection with the Contract:

a)           shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and

b)          shall not relate to the scope of, or otherwise materially change, the Services to be provided by SW under the Contract.

2.10.   Notwithstanding anything to the contrary herein, SW may terminate the Contract in its entirety upon written notice to Customer with immediate effect if SW considers (in its reasonable discretion) that:

a)           it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or

b)          to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).

2.11.   Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, and (where applicable) Article 9 and/or Article 10 of the GDPR, there is, and will be throughout the term of the Contract, a valid legal basis for the Processing by SW of Customer Personal Data in accordance with the Contract (including, any and all instructions issued by Customer from time to time in respect of such Processing).

3. SW PERSONNEL

SW shall take reasonable steps to ensure the reliability of any SW Personnel who Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. SECURITY

4.1.       Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, SW shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2.       In assessing the appropriate level of security, SW shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.

5. SUBPROCESSING

5.1.       Customer authorizes SW to appoint Sub-processors in accordance with this Paragraph 5.

5.2.       SW may continue to use those Sub-processors already engaged by SW as at the date of this Policy, subject to SW meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.3.

5.3.       With respect to each Sub-processor, SW shall endeavour to ensure that the arrangement between SW and the Sub-processor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Policy (including those set out in Paragraph 4).

6. DATA SUBJECT RIGHTS

6.1.       Taking into account the nature of the Processing, SW shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.

6.2.       SW shall:

a)           promptly notify Customer if SW receives a Data Subject Request; and

b)          ensure that SW does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.

7. PERSONAL DATA BREACH

7.1.       SW shall notify Customer without undue delay upon SW becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within SW’s possession) to allow Customer to meet any obligations under Data Protection Laws to report the Personal Data Breach to:

a)           affected Data Subjects; or

b)           the relevant Supervisory Authority(ies) (as may be determined in accordance with the Data Protection Laws).

7.2.       SW shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

8.1.       SW shall provide reasonable assistance to Customer, at the Customer's cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, SW.

9. DELETION OR RETURN OBLIGATIONS

9.1.       Subject to Paragraphs 9.2 and 9.5, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), SW shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.

9.2.       Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in SW’s sole discretion), on written request to SW (to be made no later than fifteen (15) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), SW shall:

a)          Remove or return a complete copy (if applicable) of all Customer Personal Data within SW’s possession to Customer by secure file transfer, promptly following which SW shall Delete all other copies of such Customer Personal Data; or

b)          Delete all Customer Personal Data then within SW’s possession.

9.3.       SW shall comply with any written request made pursuant to Paragraph 9.2 within fifteen (15) Business Days of the Cessation Date.

9.4.       In the event that during the Post-cessation Storage Period, Customer does not instruct SW in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, SW shall promptly after the expiry of the Post-cessation Storage Period either (at its option):

a)          Delete; or

b)          irreversibly render Anonymized Data,

all Customer Personal Data then within SW’s possession to the fullest extent technically possible in the circumstances.

9.5.      SW and any Sub-processor may retain Customer Personal Data where required by applicable law, for such period as may be required by applicable law, provided that SW and any such Sub-processor shall ensure:

a)           the confidentiality of all such Customer Personal Data; and

b)           that such Customer Personal Data is Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

10. AUDIT RIGHTS

10.1.      SW shall make available to Customer on request such information as SW (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Policy.

10.2.      Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by SW pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate SW’s compliance with this Policy, SW shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by SW.

10.3.      Customer shall give SW reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than fifteen (15) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 9.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies SW in respect of, any damage, injury or disruption to SW’s premises, equipment, personnel, data, and business (including any interference with the confidentiality or security of the data of SW’s other customers or the availability of SW’s services to such other customers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on-premise inspection.

10.4.      SW need not give access to its premises for the purposes of such an audit or inspection:

a)           to any individual unless he or she produces reasonable evidence of their identity and authority;

b)           to any auditor whom SW has not given its prior written approval (not to be unreasonably withheld);

c)           unless the auditor enters into a non-disclosure agreement with SW on terms acceptable to SW;

d)           where, and to the extent that, SW considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of SW’s other customers or the availability of SW’s services to such other customers;

e)           outside normal business hours at those premises; or

f)            on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where the Customer has identified the relevant requirement in its notice to the Supplier of the audit or inspection.

10.5.      Customer shall bear any third-party costs in connection with such inspection or audit and reimburse SW for all costs incurred by SW and time spent by SW (at SW’s then-current professional services rates) in connection with any such inspection or audit.

11. RESTRICTED TRANSFERS

11.1.      Subject to Paragraph 11.3, to the extent that any Processing by either SW or any Sub-processor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:

a)           Customer – as “data exporter”; and

b)           SW or Sub-processor (as applicable) – as “data importer”,

shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.

11.2.      In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:

a)           Clause 9 of such Standard Contractual Clauses shall be populated as follows:

“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”

b)           Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:

“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”

c)           Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and

d)           Appendix 2 to such Standard Contractual Clauses shall be populated as follows:

“The technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Policy.”

11.3.      The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer provided that Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.

11.4.      In respect of any Standard Contractual Clauses entered into with a Sub-processor in accordance with 10.1, Customer hereby appoints SW as its agent for the limited purpose of enabling SW to enter into such Standard Contractual Clauses in its name and on its behalf.

12. ANONYMOUS DATA

Customer acknowledges and agrees that SW shall be freely able to use and disclose Anonymized Data for SW’s own business purposes without restriction.

13. NO SPECIAL CATEGORIES OF PERSONAL DATA

13.1.      Customer warrants and represents on an ongoing basis, and further undertakes that it shall not (and shall ensure that its Personnel shall not) cause SW or its Sub-processors to Process any:

a)           Special Categories of Personal Data referred to in Article 9(1) of the GDPR; or

b)           any Personal Data relating to criminal convictions or offences.

13.2.      Customer will indemnify and hold harmless SW and its employees, officers, directors and agents from and against any and all liabilities, losses, damages, costs, fines and other expenses (including legal costs and fees) arising from or relating to any breach by Customer of this Paragraph 13.

13.3.      Any and all limitations on liability set out in the Contract shall not apply to liability arising under or in connection with the indemnity set out in Paragraph 13.2.

14. CHANGE IN LAWS

14.1.      In the event that there is a change in the Data Protection Laws that SW considers (acting reasonably) would mean that SW is no longer able to provide the Services (including any Processing and/or Restricted Transfer(s) of Customer Personal Data) in accordance with its obligations under Data Protection Laws, SW reserves the right to make such changes to the Services and to amend any part of this Policy as it considers reasonably necessary to ensure that SW is able to provide the Services in accordance with Data Protection Laws.

14.2.      In the event that Customer considers (acting reasonably) that any required changes made either to the Services and/or this Policy pursuant to Paragraph 14.1 will cause material and irreparable harm to Customer, Customer may terminate the Contract in its entirety upon written notice to SW with immediate effect.

15. CONTROLLER DATA

15.1.      Customer acknowledges and agrees that (as between the Parties) SW shall be freely able to use and disclose (without restriction) the Controller Data for any such purposes as SW may in its sole discretion determine.

15.2.      To the extent that any Controller Data constitutes Personal Data for the purposes of the Data Protection Laws, SW:

a)           shall be an independent Data Controller in respect of such Controller Data;

b)           may independently determine the purposes and means of its Processing of such Controller Data.

16. ORDER OF PRECEDENCE

16.1.      This Policy shall be incorporated into and form part of the Contract.

16.2.      In the event of any conflict or inconsistency between:

a)           this Policy and the Terms and Conditions or the Service Level Agreement, this Policy shall prevail; or

b)           any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Policy, those Standard Contractual Clauses shall prevail.

Annex 1 - Data Processing Details

This Annex 1 to the Policy includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.

SW’s activities:

  • Billing, Marketing, User Registration, Authentication and Authorization

Subject matter and duration of the Processing of Customer Personal Data:

  • The subject matter and duration of the Processing of the Customer Personal Data are set out in the Terms and Conditions and the Policy.

The nature and purpose of the Processing of Customer Personal Data:

  • Billing, Marketing, User Registration, Authentication and Authorization in the course of, and for the purpose of, providing the Services to Customer.

The types of Customer Personal Data to be Processed:

  • Personal Data: any Personal Data contained in any Content and any other Personal Data pertaining to Users that is Processed by or on behalf of SW on behalf of Customer in the course of providing support services under the Contract (excluding any Controller Data).

  • Special Categories of Personal Data (if any): None.

The categories of Data Subject to whom the Customer Personal Data relates:

  • Data Subjects whose Personal Data is contained in any Content.

  • Users of the Service.

The obligations and rights of Customer:

  • The obligations and rights of Customer are set out in the Terms and Conditions and the Policy.