General data protection regulation

GDPR

1. Awareness

2. Information we hold

3. Communicating privacy information

4. Individuals’ rights

5. Subject access requests

6. Lawful basis for processing personal data

7. Consent

8. Children

9. Data breaches

10. Data Protection by Design and Data Protection Impact Assessments

11. Contact us


GDPR Introduction

The European Union General Data Protection Regulation (GDPR) is a regulation that aims to unify the data privacy regulations of EU member states into a single regulation, enforced across the EU single market. This article describes the GDPR compliance status of Omnilinq.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Omnilinq) are GDPR-compliant. Omnilinq is GDPR-compliant, and strictly enforces the regulation so as to protect the user data we store.

1. Awareness

All employees responsible for software development & infrastructure maintenance of Omnilinq IM SARL, a US limited company (the owner company for Omnilinq) are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officers (as listed in this article) before any code deployment to the platform. This ensures security breaches and bad practices are not introduced by eg. a third-party temporary contractor or an Omnilinq employee, even one aware of GDPR requirements (this acts as a double human safety check).

2. Information we hold

Omnilinq stores data on 2 kinds of parties:

– Our customers (ie. the operators using the Omnilinq Dashboard to reply to their users)

– Our customers’ end-users (ie. the users of our customers)

2.1. Information held on our users

Omnilinq collects account information for each user (we refer to them as customers in this article), including:

  1. User first and last name, and profile picture
  2. User payment details (includes invoicing information, eg. company address and country; the credit card number is stored by Stripe)
  3. Browsed pages on the Controller’s website and referring URL
  4. Date and time of visits to the Controller’s website
  5. Technical information such as screen resolution, operating system, browser type and device type
  6. Geolocation data (country and city)
  7. IP address

2.2. Information held on our users’ end-users

Information held on our users’ end-users includes:

  1. End-user email address (if provided by the end-user, thus involving consent)
  2. End-user phone number (if provided by the end-user, thus involving consent)
  3. End-user message exchanges
  4. End-user last activity date and time
  5. End-user profile information (resolved from public data shared by the end-user on the Internet, see notice below)
  6. Browsed pages on the Controller’s website and referring URL
  7. Date and time of visits to the Controller’s website
  8. Technical information such as screen resolution, operating system, browser type and device type
  9. Geolocation data (country and city)
  10. IP address

Omnilinq resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source public information that the end-user consented to share on a third-party service (eg. on social networks such as LinkedIn or Twitter). This end-user identity information is stored on Omnilinq services for as long as the Omnilinq customer wishes it to be stored in their Omnilinq CRM database.

The information held on our users’ end-users is solely the responsibility of our users (ie. the individual websites using Omnilinq). It is the responsibility of our users to manage the data they hold in their personal Omnilinq Inbox and CRM, ie. to remove sensitive data if someone happens to share it with them (eg. Social Security Numbers, etc.). It is our responsibility to secure access to this data (ie. only website operators can access it, and they have a right to rectification and deletion).

3. Communicating privacy information

The privacy terms of Omnilinq customers’ end-users are the sole responsibility of Omnilinq customers. They should be announced on the Omnilinq customers’ websites.

4. Individuals’ rights

  • Right to be informed: we clearly inform our users about the use that will be made of their data
  • Right of access: our users can access all their data, without restriction, from the Crisp apps
  • Right of rectification: it’s as simple as contacting us, we’ll process all your rectification queries
  • Right of erasure: it’s as simple as contacting us, we’ll process all your erasure queries
  • Right to restrict processing: we don’t process the data of our customers (or our customers’ end-users)
  • Right to data portability: our users may contact us anytime if they wish to get an export of their data (this may take time, however, as the data is fragmented amongst multiple isolated data-stores)
  • Right to object: we handle all requests on this matter from our users and users’ end-users (contact us)
  • Right not to be subject to automated decision-making including profiling: we don’t do that (and never will)


5. Subject access requests

Omnilinq replies to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month).

We offer this free of charge for our customers (paid and free).

6. Lawful basis for processing personal data

Omnilinq stores user data on the basis of consent (ie. a conversation both parties entered willingly, in which they exchanged eg. emails).

It is the Omnilinq customer’s responsibility to ensure user data is lawfully collected in the event they use our CRM features. For instance, if the emails collected from the Omnilinq chatbox are re-used for marketing campaign purposes, either on Omnilinq or on an external system, the Omnilinq customer has to ask for user consent upon collecting this email.

7. Consent

Consent is provided by our users explicitly when performing an action or task (eg. when they provide user data).

Omnilinq allows its customers to submit user data in an automated way, via a frontend JavaScript API and a backend REST API, for instance assigning an email, avatar or name to a chatbox session when the chatbox user is already identified on the customer’s website account. This data must have been provided by the customer’s user in a consensual way, as it will be propagated to Omnilinq automatically (if the customer implemented such an API call in their source code).

8. Children

Omnilinq does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identify it as relevant to check the age of users signing up for the service.

Children might still be able to use the Omnilinq chatbox services from the website or apps of a Crisp customer. To this extent, the Omnilinq customer is responsible for checking their own users and activities against regulations regarding children.

9. Data breaches

Our team closely monitors for any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface of our systems and services. In 2 years, Omnilinq has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach).

Here are a few measures we took to reduce the attack surface:

  • Aggressive use of firewalls and network isolation in our infrastructure
  • No access to our server systems is allowed from the public Internet; trusted administrators from the Omnilinq team need to connect via a trusted VPN network
  • We monitor for security flaws in any library we use in our running backends, and patch them as soon as an update is issued
  • Use of 2-Factor Authentication on all our sensitive accounts (eg. hosting provider, etc.)
  • Data stores and sensitive backends are isolated on different servers
  • All platform backups are GPG/PGP-encrypted and stored privately, and retained for a maximum of 1 week

The points listed above help reduce the probability of a major data breach occurring.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Omnilinq develops a new system, security comes first when designing the architecture of that system. Our first goal is to protect the integrity of the new production system, and the second goal is to protect the user data that is stored and used by that system.

11. Contact Us

If you have any questions about these Terms, please contact us at info@sedamit.hr. Please also read our Cookie Policy and Privacy Policy.

These Terms were published on 28.05.2020.

Omnilinq

Communicate without limitations
and provide the best service you
can for your customers!

Sedam IT d.o.o.
Koledovčina 2, 10 000 Zagreb
tel. + 385 1 2353 777 
email: omnilinq@sedamit.hr

The creation of this website was co-financed by the European Union from the European Regional Development Fund.
