Privacy Policy
1. General
This Privacy Policy describes how Doszy processes the Users’ personal information to perform the Services offered in the Website, under the domain www.doszy.com (“Services”).
Users must read and expressly consent to the data processing referred to in this Privacy Policy before using the Services.
2. Data Controller
The Controller of the data collected through this Website is HELLO UMI, S.L., entity of Spanish nationality with professional address at Barcelona, Av. Josep Tarradellas, 20, Floor 6, CP 08029, provided with Tax Identification Number ESB98767551 (hereinafter “Doszy”).
3. Purposes of the Processing and Legal Basis
Doszy will process the personal data of the User of this Website for the following purposes:
- Enable the maintenance, development and management of the Services, business relationship formalized by contracting products and/or services through this Website, which includes carrying out operations that relate to the management of customers concerning the contracts, orders, deliveries and invoices, and manage the unpaid invoices and possible disputes about the use of our products and services. The data processed for this purpose will be kept as long as said business relationship is maintained and, once it ends, during the periods of conservation and prescription of responsibilities legally established. The legal basis of the treatment is the execution of a contract in which the User is a party.
- Respond to requests for information and/or queries made by the User. The data processed for this purpose will be kept until the request for information and/or consultation has been answered and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the legitimate interest of Doszy in responding to the User.
- Keep the User informed, including by electronic means, about Doszy products, services and news. The data processed for this purpose will be kept until the moment the User withdraws his consent given to receive said communications and, after that, during the legally established periods of conservation and limitation of responsibilities. The legal basis of the processing is the consent of the User.
If the User does not consent to the processing of their data for this purpose, the User should inform Doszy in writing, or check the box enabled for this purpose. The advertising exclusion systems set forth on the website www.aepd.es are available to the User.
Failure to accept this Privacy Policy will imply that all the Services rendered and Website content offered by Doszy shall not be made available, and that the system subscription process shall be interrupted or terminated.
4. Categories of data
The User must complete all required form fields with truthful, complete and up-to-date information, except for details where completion is indicated as optional, as this information is strictly required by Doszy in order to comply with the aforementioned purposes. Otherwise, Doszy reserves the right to not provide the Services.
Users guarantee that the personal details given to Doszy are true, and are responsible for notifying any modification in these details, by editing the information in the platform or informing Doszy.
The data relating to bank cards are stored no longer than the time necessary to allow the fulfillment of the transaction, except in the case of a recurrent subscription, to facilitate the payment of regular customers. In that case, bank card data will be stored for the whole duration of your subscription and at least until the date at which you carry out your last transaction. Such storage is implemented by Doszy's secured payment service providers, Stripe and Braintree. By subscribing to the services offered on the Website, you expressly agree to this storage. Data relating to the visual cryptogram or CVV2 on the back of your bank card are not stored. In the case of a payment by bank card, however, data relating to the bank card may be stored as intermediary archives for evidence purposes regarding the current legal obligations.
5. Automated Decision-Making
Doszy informs the Users that by using the Services they will be subject to automated decision-making, including profiling. The aim of this treatment is the adequacy of the listed purposes named herein.
6. Recipients and Personal Data Transfers
The data may be communicated to the following third party recipients:
Public Administrations for the fulfilment of legal obligations and to banking institutions for the management of collections and payments. The data may also be communicated to the following categories of data processors: providers of electronic communications, office automation, hosting, housing, computer maintenance, management, accounting, auditing, consultancy and legal representation. These providers may be located outside the European Economic Area, in which case Doszy will have previously adopted the appropriate safeguards.
7. Rights of the Users
Users are, at any time, entitled to exercise their rights of access, rectification, erasure, restriction of processing, data portability, not to be subject to a decision based solely on automated processing, including profiling, and objection, by contacting Doszy and sending a written notification to legal@doszy.com, attaching a copy of their National Identity Document or another equivalent identity document identifying them as a User.
The Users have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. The Users also have the right to lodge a complaint with a supervisory authority.
8. Doszy as data processor
In the event that the User purchases a license to use the Services, Doszy will need to process certain personal data on behalf of the licensee (whether the licensee is the User itself or a legal entity represented by the User). For these purposes, the User shall be considered the Data Controller and Doszy shall be considered the Data Processor.
The following clauses constitute the regulation of the relationship between the Controller and the Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, “GDPR”) and Article 33 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter, “LOPDGDD”).
8.1. Processing of data to be carried out by the Data Processor
The Data Processor shall process the personal data necessary to carry out the Services on behalf of the Controller. The aforementioned processing shall have a duration equal to that of the provision of the Services, in such a way that once the provision of the Services has been completed, the processing shall be deemed to have been completed.
8.2. Identification of the information concerned
For the performance of the Services, the Controller shall make available to the Processor the information described below:
- Data of an identifying nature
- Personal characteristics data
- Data on social circumstances
- Academic and professional data
- Employment details
- Economic, financial and insurance details
- Transactions in goods and services data
- Health data
- Data revealing racial or ethnic origin
- Data revealing political opinions
- Data revealing religious or philosophical convictions
- Data concerning sex life or sexual orientation
8.3. Obligations of the Processor
The Data Processor undertakes to:
a. Use the personal data undergoing processing, or that it collects for the purpose of their inclusion, only for the strict provision of the Services. Under no circumstances may it use the data for its own purposes.
b. Process the data in accordance with the instructions of the Controller. If the Processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the Processor shall immediately inform the Controller thereof.
c. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.
d. Not to communicate the data to third parties, except with the express authorisation of the Data Controller, in the legally admissible cases. The Data Processor may communicate the data to other data processors of the same Data Controller, in accordance with the instructions of the latter. In this case, the Data Controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication. If the Controller must transfer personal data to a third country or to an international organisation, pursuant to Union or Member State law applicable to it, it shall inform the Controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.
e. Not to subcontract any of the services that form part of the Services and involve the processing of personal data. If it is necessary to subcontract any processing, the Controller must be given prior written notice of this fact, at least 20 calendar days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the Controller does not express its opposition, in writing, within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established herein for the Data Processor and the instructions issued by the Data Controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the initial processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial Processor shall remain fully liable to the Controller for compliance with the obligations. The Controller authorises the Processor to carry out the following subcontracting necessary to provide the Services: see list of subprocessors.
f. Maintain the duty of secrecy with respect to the personal data to which it has access by virtue of the provision of the Services, even after the provision of the Services has ended.
g. To ensure that persons authorised to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
h. Keep at the disposal of the Data Controller the documentation accrediting compliance with the obligation established in the previous section.
i. Guarantee the necessary training in the protection of personal data for the persons authorised to process personal data.
j. Assist the Controller in responding to the exercise of the rights of:
1. Access, rectification, erasure and object;
2. Limitation of processing;
3. Data portability;
4. Not to be subject to automated individualised decisions (including profiling).
When the data subjects exercise their rights of access, rectification, erasure and object, restriction of processing, data portability and the right not to be subject to automated individualised decisions before the Data Controller, the latter must communicate this by e-mail to the Data Controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.
k. Notify the Controller without undue delay and, in any event, no later than 48 hours by e-mail of any breach of security of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons.
If available, at least the following information shall be provided:
1. A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.
2. The name and contact details of the data protection officer or other point of contact from whom further information may be obtained.
3. A description of the possible consequences of the personal data breach.
4. Description of the measures taken or proposed to be taken to remedy the personal data breach including, where appropriate, measures taken to mitigate the possible negative effects.
If, and to the extent that, it is not possible to provide the information simultaneously, the information shall be provided in a gradual manner without undue delay.
l. Support the Controller in carrying out data protection impact assessments, where appropriate.
m. Support the Controller in carrying out prior consultations with the supervisory authority, where appropriate.
n. Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or any other auditor authorised by it.
o. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons. In any case, it shall put in place mechanisms to:
1. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.
2. Restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
3. Regularly verify, evaluate and assess the effectiveness of the technical and organisational measures implemented to ensure the security of the processing.
4. Pseudonymise and encrypt personal data, where appropriate.
p. Appoint a Data Protection Officer and communicate his or her identity and contact details to the Controller, where appropriate.
q. Once the Services have been provided, the Data Controller shall have a maximum period of 30 calendar days to access the Doszy Platform and download all its information stored therein. Once this period has elapsed, the Data Controller shall delete the information stored on the Doszy Platform. In any case, the Data Processor may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.
r. Comply with the other obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Processor.
8.4. Obligations of the Data Controller
The Data Controller has the following obligations:
a. To provide or allow access to the data specified above by the Data Controller.
b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Controller, where applicable.
c. Conduct prior consultation as appropriate.
d. Ensure, prior to and throughout the processing, compliance with the GDPR, the LOPDGDD and its implementing regulations by the Data Processor.
e. Supervise the processing, including carrying out inspections and audits.
f. Facilitate the right to information at the time of data collection.
g. Comply with the rest of the obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Controller.
9. Security and Protection of Data
Doszy has adopted the legally required data protection security measures, and strives to adapt additional technical measures and means within its scope to avoid the loss, misuse, alteration, unauthorised access to and theft of the personal details provided. Doszy agrees to use all of the details sent by registered Users with the utmost confidentiality and resilience.
Doszy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
10. Changes to this Privacy Policy
Doszy reserves the right to amend this policy in order to adapt it to new regulations, case law and industrial and/or commercial practice.
If Doszy decides to change its Privacy Policy, it will post those changes on this page. This Privacy Policy was last modified on 22/12/2023.