This Policy details Meliora Ltd’s commitment to protecting the privacy of users who sign up to use the products (“Service”) Meliora Ltd offers (“Testlab Users”), users who use support services of Meliora Ltd (“Support Users”), and individuals who make the commitment to Meliora Ltd as a customer (“Customer”, “Contact Person”). For the purposes of this policy, the term “Testlab User” shall refer to an individual who uses the Meliora Testlab product as a Service from .melioratestlab.com domain.
In this policy, personal data means any information relating to a natural person directly or indirectly such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, economic, cultural or social identity of that natural person. As a clarification, no sensitive data such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, is handled or stored by Meliora Ltd. The use of personal data collected through services offered shall be limited to the purpose of providing the services for which the users have engaged.
In the context of using our Services, users may encounter links to other websites or services, and the content of such other websites or services is governed by the privacy policies of such other websites or services. We encourage you to review the privacy policies of any such other websites or services to understand their data processing practices.
Obligations of Meliora Ltd regarding Personal Data
Meliora Ltd as a Data Processor
This policy does not apply to our practices, including how we protect, collect, store and use the electronic data, text, messages or other materials submitted and stored to Services by you (“Service Data”). These practices are detailed in and governed by the Service Agreement, available here, or such other separate applicable agreement between you and Meliora Ltd. As a clarification, a clear distinction is made between the personal data of individuals we collect or process in terms of providing the Service, and the Service Data entered and owned by the Customer. In accordance with GDPR, all possible personal data entered as Service Data by you is your responsibility as a Data Controller. As we provide the Service for you to store your data in, we will act as a Data Processor on your behalf.
Meliora Ltd as a Data Controller
Personal Data we collect (See 3. Data provided to us or collected by us) to provide you the Service, or fulfill our obligations of Service Agreement to you, is our responsibility as a Data Controller.
Data provided to us or collected by us
For all users using Meliora Testlab as a Service, a user account is stored with:
- User ID – The unique User ID of the user account,
- Name – Full name of the user such as “John Smith”,
- E-mail – E-mail address of the user, such as “email@example.com”,
- Avatar picture – a small avatar-like picture depicting the user (optional).
Please note that all user accounts created to the service by you, or granted access to the service by you, for example by integrating your Testlab with an external user repository, are regarded as Service Data. This means that in accordance with GDPR – if it applies to you – these user accounts as Personal Data are your responsibility as a Data Controller.
For users who register to our support services, a user account is stored with a full name of the user and an e-mail address.
For users who enroll in our Service as a paying Customer, in addition to the user account created to the Service (See “Testlab Users” above), billing information is stored with:
- Full name of the contact person,
- E-mail address of the contact person,
- phone number of the contact person (optional).
If credit card billing is used (in terms of Testlab Self-service), the needed billing information such as credit card number and billing address is collected. Other payment methods might require other billing related information to be collected. If such information is collected, it is handled in accordance with this Policy.
Cookies and other tracking technologies
Logs with Personal Data
The servers used to provide the Service gather certain information about the traffic and store it in log files. This information includes:
- audit trail log for SAML 2.0 based logins with date and time, User ID and E-mail address of the logged in user,
- a registration log of new Testlab instances which includes the information of registered contact person and initial administrator account details (see 3.1.1 and 3.1.3 above).
The servers used to provide the Service gather certain anonymous information about the traffic and store it in log files. This information includes:
- the IP address, user-agent (browser type and operating system), date and time and URL addresses of the requested pages or endpoints and
- statistical information such as duration of back-end service calls with date and time.
Occasionally, we might connect personal information to anonymous information gathered in our log files to improve and maintain the quality of the Service. Also, for the purposes of tracing possible errors or anomalies in the Service, we might occasionally raise the levels of logging to resolve such problems. In these cases, we treat the combined and/or logged information in accordance with this Policy.
We use analytics services to track the use of the Service to help us improve and maintain the quality of the Service. The analytics data gathered is anonymous and contains no personal or sensitive data.
The use of Personal Data
The Personal Data we collect about you as an individual is used
- to provide, maintain, improve and support the Service,
- to provide access to the Service for you,
- to send messages to you from the Service,
- to process transactions and handle invoicing for the Service,
- to investigate and prevent fraudulent transactions, unauthenticated access to the Service or activities against the Service Agreement and
- if you are the Contact Person as defined in this Policy, to send communications to you such as news and information about our products and services, features, surveys, offers, and promotions and
- for other purposes for which we obtain your consent.
We collect Personal Data from you only where: (a) we have obtained consent from you to do so, (b) we need the information for making and maintaining a contract with you (such as providing the Service for you and handling billing – Contractual necessity), (c) we need to fulfill the business-related legal obligations such as accounting (Compliance with legal obligations).
Sharing of the Personal Data
We share Service related information, including Personal Data, with our third-party service providers. The service providers are used for hosting, maintaining (such as storing and backing up the data), payment processing, analytics, and other operative services. The list of third parties in question is provided below (see 6. Subprocessors). We use processes, such as encryption, to minimize the exposure of Personal Data to third parties. Still, these service providers may have access to the personal data for the purpose of providing these services. We do not permit our service providers to use the personal data for any other purposes than to provide the sub-contracted service for us.
Transfer of Personal Data
- All data centers used for providing the Service are located in the European Economic Area (EEA). This means that Personal Data of 3.1 Testlab Users (and as a clarification, also Service Data), is not transferred outside EEA.
- For providing support services, the Personal Data of 3.2 Support Users may be transferred outside EEA and handled in US (see 2. in 6. Subprocessors).
- For handling credit card payments for customers in Testlab Self-service, the Personal Data of 3.3 Customers may be transferred outside EEA (see 3. in 6. Subprocessors).
Meliora Ltd uses a number of subprocessors to provide the Service and fulfill the obligations of the Service Agreement. Whenever we share Personal Data originating from EEA with a Subprocessor outside the EEA, we make every effort to ensure the Subprocessor is in compliance with GDPR.
- For hosting the Service, Meliora Ltd uses services of
  - Hetzner Online Gmbh with servers located inside the EEA and
  - UpCloud Oy with servers located inside the EEA.
- For providing support services, Meliora Ltd uses services of
- For handling credit card transactions, Meliora Ltd uses services of Stripe.
With Zendesk, Inc., who subprocesses the personal data of data subjects engaged in support processes, we have signed a separate Data Processing Agreement with the EU Commission’s “Controller-to-Processor Model Clauses” in place (annexed to EU Commission Decision 2010/87/EU).
How long will we retain your Personal Data
The Personal Data will be retained for as long as is needed to fulfill the purposes described in this Policy. The Data can also be retained for longer if that is required by the law (for example accounting, tax or other similar business-related legal requirement). When the Personal Data is no longer needed to fulfill the obligations, it is either deleted or permanently anonymized.
The data retention policy of the Customer’s Service Data is described in Service Agreement.
Your rights to your Personal Data
For the Personal Data, which Meliora Ltd collects about you as a Data Controller, in addition to the rights described in this Policy, you have the following rights:
- Right of rectification: You are entitled to require us to rectify any errors in your Personal Data. To do this, we suggest that you first use the tools we have provided for you to do this directly (such as account information stored in your Testlab instance) and second, request us to do this for you by contacting us at firstname.lastname@example.org.
- Right to erasure: You have a right to request erasure of your Personal Data from our Services. To do so, contact us at email@example.com.
- Right to object to processing, or restrict processing of your Personal Data: You can always request for us to stop or restrict the processing of all or some of your Personal Data. To do so, contact us at firstname.lastname@example.org.
- Right to data portability: You have a right to request to have your Personal Data provided to you in a structured and commonly used format. To do so, contact us at email@example.com.
We consider all requests in accordance with applicable laws. Please note, however, that some Personal Data might be required to provide the Service for you and to fulfill the obligations of the Service Agreement to you as a Customer. Also, for record-keeping purposes, some Personal Data might be needed to comply with our legal obligations. If your request related to the rights explained above is in conflict with the obligations of ours, we will communicate these conflicts with you before proceeding with the request. We will process all requests within 30 days of receiving the request.
You also have the right to make a complaint to a Data Protection Authority about our use of your Personal Data. For more information, please contact your local DPA.
Security and data breaches
Meliora Ltd handles all Personal Data with strict confidence and processes which are in compliance with the applicable laws. In accordance with GDPR,
- If a data breach involving Personal Data which Meliora Ltd collects as a Data Controller should occur, we are committed to informing the supervisory authority within 72 hours of the breach. If the investigation of the breach requires more time, we are committed to providing a reasoned justification for the delay for the supervisory authority.
- If a data breach involving Personal Data which Meliora Ltd collects as a Data Processor for you should occur, we are committed to informing you as a Data Controller, as soon as it is deemed appropriate considering the investigation of the breach. Keep in mind that if you as a Data Controller are obliged by GDPR, it might be within your responsibility to notify the supervisory authority within 72 hours as well as, in some cases, affected individuals too.
The impact of every breach of Personal Data is analyzed. If the breach is unlikely to result in a risk for the rights and freedoms of natural persons, we reserve the right to not do the notifications explained above.
We may assign or transfer this Policy, as well as your Personal and Service Data, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge as a business.
Changes to this Policy
We reserve the right to make cosmetic changes to this Policy without prior notification. These changes do not change the actual content of this Policy and are in line with changes such as updating hyperlinks, stylizing of the text, correcting typographical errors, clearing up the terminology or similar.
In case of any discrepancies between different language versions of this Policy (if any), the English version shall prevail.
For any questions or requests regarding this Policy, please contact us by e-mail at firstname.lastname@example.org. You can also send us a postal letter to the current operative address of Meliora Ltd by addressing the letter to “Legal Department”.