Privacy policy

1 Accountability

1.1 One of our top priorities is to protect your personal data and therefore, we have adopted this Privacy Policy to inform you how we protect and process your personal data.

2 Company / Controller

2.1 Company and controller with respect to this Privacy Policy is:

Justface ApS

Odinsvej 23, 8722 Hedensted

CVR-nr. 41878584

(“Justface”, “we”, “us”, or “ours”).

 

E-Mail: compliance@justface.dk

Web: www.justface.io

 

2.2 This Privacy Policy is available on our website: www.justface.io. When relevant, we include links to the Privacy Policy in our communication with our customers and others, e.g. in our newsletters.

3 Introduction

3.1 It is important to us that your personal information is kept secure and confidential. We have procedures for collecting, storing, deleting, updating and disclosing personal information to prevent unauthorized access to your personal data and to comply with applicable law.

3.2 When we ask you to make your personal data available to us, we will inform you about the types of personal data we process and for what purposes. You will receive this information when we collect the personal data in question.

3.3 This Privacy Policy describes what types of personal data we collect, how we process the personal data and who you can contact if you have any questions or comments with respect to our processing of personal data. This Privacy Policy has been made with reference to the GDPR (General Data Protection Regulation (EU) 2016/679 ("GDPR")) and the Danish Data Protection Act (Act No. 502 of 23/05/2018) ("Data Protection Act").

3.4 In relation to the processing of personal data carried out by Justface on behalf of the customer (as the customer's data processor), a data processor agreement is entered into between the customer and Justface. Please see section 7.4.

4 Categories of personal data and data subjects

4.1 We typically collect and process the following categories of Personal Data:

·          General contact information, including name, telephone number, address, and email

·          Company name and CVR-number if you are a business customer (your workplace or your own business)

·          Payment details and invoice information

·          Information about the products and services you have bought

·          Information regarding your use of our website and/or our profile on social media – please also see section 10.1 of this Privacy Policy

(hereinafter collectively referred to as “Personal Data”)

4.2 We typically collect and process Personal Data about the following data subject categories:

·          Potential customers

·          Our customers (current)

·          Former customers

·          Contact persons at suppliers, public authorities and other business partners

·          Visitors on Justface’s website and/or on Justface’s social media profiles, including Facebook, LinkedIn and Instagram.

4.3 We collect and process Personal Data for the following purposes and for use in the following processing activities:

·          To set up, maintain and administrate the products and services we have agreed

·          To promote Justface on our website and on social media

·          To ensure operation, IT-security and maintenance of our website

·          For bookkeeping purposes, including financial reporting

·          To be able to process payments and issue invoices according to our agreement

·          For the establishment, exercise or defence of legal claims

·          To comply with applicable law and other legal obligations

5 Legal basis for processing of Personal Data

5.1 General

5.1.1 Our legal basis for processing Personal information lies first and foremost in our relationship with our customer and in being able to manage the agreement(s) we have entered into. As a rule, we will have the right to process the necessary Personal Data in accordance with Article 6 (1), points a-c and point f, including article 9 (2), points a and f and sections 6 and 7 of the Data Protection Act.

5.1.2 The above provisions govern the basis for processing Personal Data if (i) consent has been provided by the data subject, (ii) the processing is necessary to perform our services under an agreement or to take other actions at the request of the customer prior to the completion of an agreement, (iii) the processing is necessary to comply with a legal obligation, (iv) the processing is necessary to fulfil legitimate interests that exceed the interests of the data subject, or (v) the processing is necessary for a legal claim to be established, claimed or defended.

5.1.3 It is our assessment that the personal data we process in relation to a customer will largely be based on Article 6 (1), points b and f of the data protection regulation and section 6 (1) under the Data Protection Act.

5.2 Processing of Personal Data in relation to marketing

5.2.1 In connection with marketing purposes, the processing of Personal Data is primarily based on GDPR Article 6 (1), point f and section 6 (1) of the Data Protection Act. We assess from time to time whether it is appropriate to obtain consent, for example, whether it is appropriate to obtain consent in connection with the use of imagery for our website, in newsletters, on social media, etc. If the processing of Personal Data is based on consent, our legal basis in the GDPR is Article 6 (1), point a, and section 6 (1) under the Data Protection Act.

6 Your rights

6.1 You have certain rights with respect to the Personal Data that Justface is processing about you. You have the following rights:

A       Right to insight is the right to know if your Personal Data is processed and, if so, the right to obtain a copy of the Personal Data.

B        Right to data portability is the right to receive Personal Data about yourself that you have given to Justface.

C       Right to rectification is the right to correct wrong Personal Data.

D       Right of deletion / right to be 'forgotten' is the right to have, with certain restrictions, your Personal Data deleted without undue delay.

E        Right to object is the right to object to our processing of your Personal Data.

F        Right to restrict processing of Personal Data is the right to restrict handling of Personal Data, e.g. if a request for deleting of data cannot be granted.

7 General data processing principles

7.1 Data processing principles

7.1.1 We will process the data subject’s Personal Data lawfully, fairly and in a transparent manner.

7.1.2 Our processing of Personal Data is subject to a purpose limitation, which means that Personal Data must be collected for explicitly stated and legitimate purposes. They may not be further treated in a manner incompatible with those purposes.

7.1.3 We process Personal Data based on a principle of data minimization, which means that it must be sufficient, relevant and limited to what is necessary for the purposes for which it is processed.

7.1.4 Personal Data must be processed based on a principle of accuracy, which means that it must be correct and, if necessary, up to date.

7.1.5 We process Personal Data based on a retention-limit principle, which means that Personal Data must be stored in such a way that it is not possible to identify the data subjects for longer than required for the purposes for which the Personal Data is processed.

7.1.6 Personal Data must be processed based on a principle of integrity and confidentiality, which means that it must be processed in a way that ensures adequate security of the Personal Data, including protection from unauthorized or unlawful processing and from accidental loss, destruction or damage, using appropriate technical or organizational measures.

7.2 Risk analysis

7.2.1 In the course of our case process, we must carry out the technical and organisational measures to ensure a level of security that fits the risks specifically associated with our processing of Personal Data. We have therefore carried out a risk analysis which underlies this Privacy Policy.

7.3 Duty to inform

7.3.1 When relevant, we include references to this Privacy Policy in our correspondence with customers, business partners etc. This Privacy Policy is also available on our website: www.justface.io

7.3.2 Justface gladly contributes to the customers’ fulfilment of their information duties towards the customers’ (end) users of the Justface system. However, it is the duty of the customers to make sure that their duty to inform the end users is complied with.

 

7.4 Data Processing Agreements

7.4.1 If we are data controllers and have considered that a data processing structure is available with one of our suppliers, a data processing agreement must be agreed upon. The same applies if Justface is processing personal data on behalf of others, e.g. Justface’s customers (the fitness centers). In such cases Justface will be the data processor, and the customer will be the (data) controller of personal data. It is our assessment, as Justface is essentially a software supplier, that Justface to a large extent will be processing personal data on behalf of our customers.

7.4.2 The data processing agreement shall comply with the applicable requirements for data processing agreements as referred to in Article 28 (3) of the GDPR. This implies drawing up a contract or other legal document binding on the data processor. It is also a requirement that the data processing agreement be in writing, including electronically.

7.4.3 In addition, the GDPR sets several specific requirements for the content of the data processing agreement. The agreement must include information on the status and duration of the processing, the nature and objectives of the processing, the type of Personal Data, categorization of data subjects and our obligations and rights as controller, as well as the duties of the data processor in relation to performing the task. The requirements are specifically described in GDPR Article 28 (3), points a-h.

8 Transfer of Personal Data to third countries

8.1 Justface's processing of Personal Data will predominantly take place within the EU.

8.2 If it is necessary to transfer Personal Data to a third country or international organization located outside the EU/EEA, we shall ensure prior to the transfer of Personal Data to the third country or international organization that the transfer of Personal Data is carried out in a manner that constitutes sufficient guarantee that the Personal Data is protected, including in certain cases the use of the EU Commission's standard data protection contract provisions. We will, prior to any such transfer, assess if the Personal Data is granted a level of protection essentially equivalent to that guaranteed by the GDPR and the EU Charter of Fundamental Rights – if necessary with additional measures to compensate for lack in protection of third country legal systems.

9 Security measures

9.1 We have taken the necessary technical and organizational security measures to protect your Personal Data from accidental or unlawful destruction, loss or change and from unauthorized public disclosure, misuse or other conduct in violation of applicable law.

9.2 Access to Personal Data is limited to persons who have a need for access to Personal Data. Employees who process Personal Data are instructed and trained to know what to do with Personal Data and how to protect Personal Data.

9.3 Passwords are used to access PCs and other electronic devices with Personal Data. Only the persons who need access will have a code and then only for the systems that he or she needs to use. Persons with access codes must not leave the code to others or leave it for others to see. Check-ups on assigned codes will be carried out regularly.

9.4 If sensitive Personal Data or Social Security number is sent by email over the Internet, such emails must be encrypted. If you send Personal Data to us by email, please be aware that this is not secure if your emails are not encrypted. We advise you to not send us confidential or sensitive Personal Data by email unless this is specifically agreed in advance so that we can ensure the necessary level of security.

9.5 In connection with the repair and service of data equipment containing Personal Data and when data media is to be sold or discarded, we take the necessary measures to ensure that the Personal Data cannot come to the attention of unauthorised persons, for example by using declarations of confidence.

9.6 When using an external data processor to process Personal Data, a written agreement is signed between us and the data processor, which also imposes a duty on the data processor to carry out the necessary technical and organisational security measures to protect your Personal Data.

9.7 Justface takes backup of all databases and files on shared drives. Backup is stored on an external server.

9.8 Security measures in Justface’s biometric scanning software

9.9 As previously described, this Personal Data Policy primarily concerns Justface's processing of personal data as data controller. However, Justface would like to contribute to the customers' fulfilment of their obligations towards end users and has therefore in the following section described the security measures used in Justface's biometric scanning software (the "Future Recognition Platform").

9.10 In the following sections, we describe the anonymization technique that is part of our standard biometric scanning setup. For the sake of good order, however, we point out that what is described below may vary from the specific solution that the customer has agreed with Justface. For example, it may be agreed that Justface processes data about only its employees or members, which is not fully in anonymised form. In that case, such processing of personal data takes place only with the data subjects’ express consent.

9.11 Security measures regarding “input data”

9.11.1 In Justface, we have built several complex and advanced security measures into our biometric scanning software.

9.11.2 The system ensures that all input data and output data are anonymised, so that the information collected cannot be used to identify a specific natural person. To ensure anonymity in connection with the collection of information via biometric scanning, we have developed a digital platform ("Future Recognition Platform"). The platform makes it possible to perform biometric scanning etc. in such a short time (between 22 and 150 milliseconds) that no images of individuals can be recognized. Thus, at no time does the platform store personal information on an electronic medium from which identifiable natural persons can be derived.

9.11.3 To protect the transfer of images between the camera and our system, and to best protect the rights of individuals, we use the HTTPS protocol. The HTTPS protocol is a protocol that is used by online banks, debit card and credit card payments via the Internet and / or registration, where the CPR number must be provided.

9.11.4 In connection with the storage of the image in the application memory (but only in the server's RAM, not in the server's hard drive), we deliberately use data fragmentation. The data fragmentation ensures that the image data in the memory is divided into many small pieces, which cannot be collected or recreated in a way so that natural persons can be deduced.

9.12 Security measures regarding “output data”

9.12.1 By output data is meant any result we create with our electronic data processing, which can subsequently be read using our system.

9.12.2 In connection with securing output material, we have implemented the anonymisation technique generalization. The technique must help to ensure that any data set that we present to the user has irrevocably removed the identification of individuals, so that individuals can neither be separated nor deduced from the data set itself or by interconnection with other data sets.

9.12.3 In the results, we have changed the relative order of the data sets that we presented to the user at any given time. In this way, there are several people associated with the same data set, and thus it becomes less likely that individuals can be designated. We generalize within the following classes: gender, age groups, ethnicities, mood and weather status.

10 Retention periods and deletion

10.1 When do we delete your Personal Data?

10.1.1 Upon termination of the contractual relationship with a customer, we will generally delete the Personal Data from the customer relationship as soon as it is no longer necessary to retain the applicable Personal Data.

10.1.2 However, several considerations and special rules mean that Personal Data cannot or should not always be deleted before a certain time has passed.

10.1.3 Therefore, we always carry out a specific evaluation to determine how long Personal Data should be stored before being deleted.

10.1.4 Bookkeeping rules mean that Personal Data related to a payment must be stored for 5 years + the current calendar year after the end of the financial year.

10.1.5 The fact that we may protect your or our interests through possible liability may involve the retention of Personal Data for 3 years (or in exceptional circumstances for a longer period) after the end of our relationship with the customer or supplier. However - to ensure the logical synergy with the financial processing of information - the customer’s basic data is stored for up to 5 years after the end of the customer relationship.

10.1.6 If Personal Data is obtained based on your consent, we will in principle delete the Personal Data obtained based on consent immediately after you withdraw your consent. However, we are obliged to keep the documentation, stating that we lawfully asked for your consent, for 2 years from the latest marketing material sent to you. Generally, a recall of consent does not affect our processing of Personal Data, which is based on grounds other than your consent, e.g. if the continued processing of the Personal Data is necessary in order for us to comply with legal obligations, to which Justface is subjected.

10.1.7 Contact information in our CRM-system is deleted and updated on an ongoing basis. However, emails which may be relevant to the determination of a legal claim are stored for up to 3 years and then deleted unless there is an obvious risk that a legal claim will be filed against or is considered being filed by Justface.

10.2 How do we delete your Personal Data?

10.2.1 Deletion of Personal Data means that Personal Data is irrevocably removed from all storage media on which it has been stored and that Personal Data cannot be restored in any way.

10.2.2 Alternatively, Personal Data can be completely anonymized with the effect that it can no longer be assigned to a person. In that case, the regulation of Personal Data does not apply at all and complete anonymization is therefore an alternative to deletion.

11 Cookies and use of our website

11.1 We collect various pieces of information about you in connection with the operation of our website: www.justface.io. We collect information about you and your use of our website through so-called “cookies”.

11.2 What are “cookies”?

11.2.1 Cookies are small bits of information that Justface places on your computer's hard drive, on your tablet or on your smart phone. Cookies contain information that Justface uses to streamline communication between you and your web browser.

11.2.2 There are two types of cookies - session cookies and persistent cookies. Session cookies are bits of information that are erased when you close your web browser. Persistent cookies are bits of information that are stored on your computer until they are erased. Persistent cookies erase themselves after a certain period of time but are renewed each time you visit Justface. Justface uses both temporary and persistent cookies.

11.3 Consent to our use of cookies on Justface’s website

11.3.1 When visiting our website for the first time, you will receive information on our use of cookies and be asked whether you wish to consent to the use of cookies on our website. If you have provided your consent, you can always withdraw your consent and delete the cookies already saved on your device via the settings in your web browser.

11.4 What type of cookies do we use and for what purposes?

11.4.1 We use cookies:

-   for necessary purposes: some cookies are necessary for the website to work at all. Necessary cookies can e.g. help enable the website to navigate and maintain selected settings as long as you use the website. Necessary cookies are typically session cookies that are deleted when you close your browser.

-   to enhance functionality: improve the functionality and optimize your experience of Justface and help you remember your username and password so you do not have to log in again when you return to Justface.

-   for statistics, i.e. measuring traffic on Justface, including the number of visits to Justface, what domains visitors come from, what pages they look at on Justface and what general geographic area the user is in.

11.4.2 Justface provides access for its third-party suppliers to inspect the contents of the cookies that are set by Justface. This information shall be used exclusively on behalf of Justface and must not be used for the third party's own purposes.

11.5 How to delete cookies

11.5.1 You always have the option to erase cookies stored on your computer. You can erase cookies from your hard drive, block all cookies or receive a warning before a cookie is stored via your browser settings. You must be aware that in such case services and features cannot be used by you because they require cookies to remember choices you make. We hope that you will allow the cookies we set as they help us improve Justface’s website.

11.5.2 You can always delete cookies that you have accepted when you wish. If you have a computer with a newer browser, you can quickly do so by using the shortcut keys CTRL + SHIFT + Delete.

11.5.3 On the website www.minecookies.org you can see how to delete cookies depending on which browser you use.

11.5.4 In order to erase cookies from Google Analytics you can use the link: https://tools.google.com/dlpage/gaoptout.

11.6 Your use of the Justface website

11.6.1 Our primary purpose of the website is to show and tell about the services that Justface offers.

11.6.2 Via the website, Justface can be contacted and customers can get general information about Justface. Attempts are made to update the website as changes occur.

11.6.3 It is voluntary to use the website. Copying of text and images from the website may in no case be done without the consent of Justface. You may only link to the website and text from the website may only be quoted with indication of source reference and by prior agreement with Justface.

11.6.4 Justface's website may contain links to other websites on the Internet. Justface does not take responsibility for these websites, including the website providers' use of cookies and / or the processing of personal data. The websites of such third parties may thus use cookies and process personal data in a different way than that described in this Privacy Policy. If you click on a link to access these pages, it is at your own risk. Justface does not endorse any products or information offered on websites to which you are redirected from this website.

12 Changes to this Privacy Policy

12.1 Justface may change this Privacy Policy at any time and without notice and with future effect. In the event of such changes, our users are informed on our website.

13 Contact information

13.1 If you have any questions about this Privacy Policy, our processing of Personal Data, rectification or your relationship with us in any other way, you may contact us at the following email address: compliance@justface.io and via the contact form on our website.

14 Data Protection Agency

14.1 You can complain to the Danish Data Protection Agency (in Danish: “Datatilsynet”) regarding Justface's processing of your Personal Data. Please refer to the website of the Danish Data Protection Agency: www.datatilsynet.dk