Crove's GDPR Compliance
Updated October 13, 2021
Introduction
Welcome to Real Craft Tech Pvt Ltd.
Real Craft Tech Pvt Ltd (“us”, “we”, or “our”) operates https://crove.app/ (hereinafter referred to as “Service”).
Our GDPR Compliance governs your visit to https://crove.app/, and explains our posture regarding GDPR.
What is the GDPR?
The General Data Protection Regulation (the “GDPR”) is a European data protection and privacy law adopted April 14, 2016, which became officially enforceable beginning on May 25, 2018. The two (2) year delay between adoption and enforcement was intended to give organizations time to prepare before enforcement.
The GDPR is an ambitious attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and erase personal data. It replaced a prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which had been the basis of European data protection law from 1995 to early 2018. Unlike its predecessor, the GDPR applies immediately throughout the European Union (“EU”) across all member states without the need for further member state legislative action.
Since mid-May 2018, the GDPR has been in force and there is no further “grace period.” It is important that organizations impacted by the GDPR are now compliant with its provisions.
How does the GDPR work?
There are many principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure a full understanding of its requirements and how they may apply to your organization. While the GDPR preserves many principles established by the Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to PandaDoc and our customers:
1. Expansion of scope: The GDPR applies to all organizations established in the EU or processing data of Data Subjects, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
2. Expansion of definitions of personal data and special categories of data.
3. Expansion of individual rights: Data Subjects have several important rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. Your organization must ensure that it can accommodate these rights if it is processing the personal data of Data Subjects.
- Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
- Right to object: An individual may prohibit certain data uses.
- Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Right of access: Individuals have the right to know what data about them is being processed and how.
- Right of portability: Individuals may request that personal data held by one organization be transported to another.
4. Stricter consent requirements: Consent is one of the fundamental legal bases of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s requirements. Your organization will need to obtain consent from its subscribers and contacts for every usage of their personal data unless it can rely on a separate legal basis. The route to compliance is to obtain explicit consent. Keep in mind that:
- Consent must be specific to distinct purposes.
- Silence, pre-populated boxes, or inactivity do not constitute consent; data subjects must explicitly opt-in to the storage, use, and management of their personal data.
- Separate consent must be obtained for different processing activities, which means your organization must be clear about how the data will be used when consent is obtained.
5. Strict processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their Personal Data, including:
- Contact details for the data controller.
- Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. Your organization should carefully consider what data it is collecting and why, and be able to validate that to a regulator.
- Retention period: This should be as short as possible (“storage limitation”).
- Legal basis: An organization cannot process personal data just because it wants to. It must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”
Definitions
SERVICE means the https://crove.app/ website operated by Real Craft Tech Pvt Ltd.
PERSONAL DATA means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).
USAGE DATA is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).
COOKIES are small files stored on your device (computer or mobile device).
DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.
DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.
DATA SUBJECT is any living individual who is the subject of Personal Data.
THE USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.
Types of information we collect
The following provides examples of the type of information that we collect from you and how we use that information.
Personal Data
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:
1. Email address
2. First name and last name
3. Phone number
4. Address, Country, State, Province, ZIP/Postal code, City
5. Cookies and Usage Data
We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.
Usage Data
We may also collect information that your browser sends whenever you visit our Service or when you access Service by or through any device (“Usage Data”).
This Usage Data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
When you access Service with a device, this Usage Data may include information such as the type of device you use, your device unique ID, the IP address of your device, your device operating system, the type of Internet browser you use, unique device identifiers and other diagnostic data.
Location Data
We use IP information to: 1) ensure the legality of our documents (under eSignature law); 2) understand how user behavior varies in different locations in order to improve our software; 3) depending on location, provide a better support and success service.
We have a legitimate interest in ensuring that our product/service is legal and providing tailored services based on the location (Country) – such as appropriate 1) Support, 2) Contract content, and 3) Templates. IP information will not be used for behavioral purposes absent explicit consent.
Tracking Cookies Data
We use cookies and similar tracking technologies to track the activity on our Service and we hold certain information.
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags and scripts to collect and track information and to improve and analyze our Service.
We have a legitimate interest in understanding our users and providing tailored services. Non-essential/non-service provider cookies will not be deployed until opt-in consent is obtained. You can also instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Website interactions
We use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms. This may also include information about your device or browser.
We have a legitimate interest in understanding how you interact with our website to better improve it and to understand your preferences and interests in order to select offerings that you might find most useful. We also have a legitimate interest in detecting and preventing fraud.
Use of Data
In addition to the purposes and uses described above, we use information in the following ways:
1. to provide and maintain our Service;
2. to notify you about changes to our Service;
3. to allow you to participate in interactive features of our Service when you choose to do so;
4. to provide customer support;
5. to gather analysis or valuable information so that we can improve our Service;
6. to monitor the usage of our Service;
7. to detect, prevent and address technical issues;
8. to fulfil any other purpose for which you provide it;
9. to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
10. to provide you with notices about your account and/or subscription, including expiration and renewal notices, email-instructions, etc.;
11. to provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information;
12. in any other way we may describe when you provide the information;
13. for any other purpose with your consent.
Retention of Data
We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Transfer of Data
Your information, including Personal Data, may be transferred to – and maintained on – computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.
Our company operates globally and has a global infrastructure. We utilize cloud computing, which means your personal data may be transferred to a country with data protection laws not as strong as where you reside. We will transfer your Personal Data to countries deemed to have adequate levels of data protection as determined by the European Commission.
Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
If we share your personal information with entities located in the United States or other non-EEA jurisdictions which, according to the European Commission and the Court of Justice of the European Union through its Schrems II decision, do not offer an adequate level of protection to personal information, the GDPR authorizes other solutions to address lawful cross-border transfers. Crove may rely on data processing agreements (DPAs) with attached standard contractual clauses (SCCs) approved by the European Commission or other appropriate solutions to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR. Where required by such laws, you may request a copy of the suitable mechanisms we have in place by contacting us. For further information, see our GDPR Compliance Addendum.
Real Craft Tech Pvt Ltd will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and no transfer of your Personal Data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information.
Security of Data
We implement security measures designed to protect your personal information from unauthorized access. We apply these tools based on the sensitivity of the personal information we collect, use, and store, and the current state of technology. We protect your personal information through technical and organizational security measures to minimize risks associated with data loss, misuse, unauthorized access, and unauthorized disclosure and alteration. We periodically review our information collection, storage and processing practices, including technical and organizational measures, to guard against unauthorized access to systems. Your account is protected by your account password and we urge you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use.
Because the internet is not a completely secure environment, Crove cannot warrant the security of any information you transmit to Crove or guarantee that information on the Website may not be accessed, disclosed, altered and/or destroyed by breach of any of our physical, technical and/or managerial safeguards. In addition, while we take reasonable measures to ensure that service providers keep your information confidential and secure, such service providers’ practices are ultimately beyond our control.
We are not responsible for the functionality, privacy and/or security measures of any other organization. By using our Website, you acknowledge that you understand and agree to assume these risks. You may ask for a list of technical and organizational measures taken to protect your personal data by e-mailing us at: help@crove.app.
Your Data Protection Rights Under General Data Protection Regulation (GDPR)
If you are a resident of the European Union (EU) and European Economic Area (EEA), you have certain data protection rights, covered by GDPR.
We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please email us at help@crove.app.
In certain circumstances, you have the following data protection rights:
1. the right to access, update or to delete the information we have on you;
2. the right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete;
3. the right to object. You have the right to object to our processing of your Personal Data;
4. the right of restriction. You have the right to request that we restrict the processing of your personal information;
5. the right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format;
6. the right to withdraw consent. You also have the right to withdraw your consent at any time where we rely on your consent to process your personal information.
Please note that we may ask you to verify your identity before responding to such requests. Please note that we may not be able to provide Service without some necessary data.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).
Contacting us
For questions or complaints, please contact us at: help@crove.app or Real Craft Tech Pvt Ltd registered office at House no 3355, top Floor Sector-37-D, Chandigarh, India.