Privacy notice for DocBoss

Also see our GDPR statement here, where we explain our role as a data processor.

This privacy notice explains how we process your personal data, especially in relation to the European General Data Protection Regulation (GDPR) and our role as a controller.

If you have any questions, please reach out to privacy@docboss.com.

Our company details:
Gnaros Inc., dba. DocBoss (the controller, as per the GDPR)
375, 440 10816 Macleod Trail SE, Calgary AB Canada T2J 5N8

Introduction

We typically process personal data on potential and existing clients and employees, as well as various other contacts, like contractors, collaboration partners and sub-processors. And while it’s voluntary to provide us with personal data, if you choose not to, we won’t be able to provide you with our services.

We don’t sell, rent or buy personal data to or from others, use automated decisions or profiling in the processing of your personal data or process special category data (as defined in the GDPR), and our services are not aimed at children (under the age of 18).

As a rule, personal data should not be processed or kept for longer than necessary to fulfil the purpose of such processing. And where we rely on legitimate interest, you can object to such processing at any time. We’ll consider your objection and let you know if it’s accepted or rejected, and provide you with more information as relevant.

If we are involved in a reorganization, merger, acquisition, or sale of our assets, your personal data may be included as part of such an agreement. In that case, we will notify you via email and inform you of any choices you may have regarding your personal data.

Details on how we obtain and process your personal data

Please note that we have tried to accurately describe our processing activities, legal basis, and retention periods below, but if you still have questions on what applies to you specifically, please contact us and we’re happy to explain this in detail.

You visit and use our website at docboss.com

We process personal data on website visitors, depending on what action(s) you (potentially) take. At a minimum though, we process your IP address since we have reCAPTCHA enabled, through the cookie _GRECAPTCHA. The purpose is to distinguish between human and automated access on our website to prevent spam and other up-to-no-good activities.

Please see the section below on cookies for our complete cookie declaration.

You can also reach out to us via our contact form. Since we are in the B2B space, we ask for your name, email address, phone number, company name and contact reason. We process this, as well as the message you send, for the purpose of responding to your explicit inquiry, and the legal basis is your (implied) consent.

Finally, we process your email address if you request access to the results of our survey (Supplier v EPC – Why is Vendor Documentation so Painful?) for the purpose of sharing the download link with you. Then, based on our legitimate interest in following up with interested and potential clients, we contact you by email in case you have any questions and would like to explore the software we created for people like yourself. If you prefer not to have a conversation, you can just let us know and we’ll delete your data.

PS: If you’re a client, you get access to our client portal at system.docboss.com (or a variety of this URL). We process your personal data here as a processor as per the GDPR and you can read more about this in our GDPR statement here.

You communicate with us

Besides submitting a website contact form, you can reach out directly to us by email (info@docboss.com), phone (1-(888) 800-2506, toll-free), via social media etc. and we process the personal data you share. If you contact us online, we also process your IP address and other technical data. We process personal data in our internal systems (including our CRM) for sales, service and support, to share information with other employees (for example to follow up on a support request) and for other standard business operations, based on our legitimate interest in providing excellent service and running our business efficiently. We regularly delete personal data as part of our internal GDPR audit days, but we might keep certain records in case of complaints or legal claims, based on our legitimate interests to defend ourselves in case of complaints or legal claims.

You’re on a trial or become our customer

First, if you enter into a trial of our software, we process your name, job-related information (like company name and title), contact details and correspondence between us. The purpose is to provide you with the opportunity to try out our services and the legal basis is a contract. If you decide not to become a customer after the trial, we store your data for up to 2 years due to the nature of our business, based on our legitimate interest in following up with interested and potential clients. You can reach out to us if you’d rather we delete your personal data.

If you do become our customer, we also process order and payment information and history. The purposes are to fulfil our contractual obligations and deliver the services you’ve purchased based on our contract, as well as manage our client relationship. We base the latter on our legitimate interest in providing excellent service and running our business efficiently.

We process your personal data for the duration of our contract and then for as long after as we have a legal obligation as required or permitted by applicable law. For example, since we’re a Canadian company, we’re required to comply with the national Income Tax Act, including retaining certain data for at least 6 years after a customer relationship.

You receive marketing as an existing client

If we have an existing client relationship with you, we may send you marketing messages (likely via email), where we process personal data like your name, email address, IP address and message content. The purpose is to provide you with excellent client service and the legal basis is our legitimate interest to offer our relevant products and services or your consent.

You can easily opt out of such marketing at any time by clicking the unsubscribe link in any marketing email you receive. We process your personal data for as long as we have a client relationship with you and/or you unsubscribe or withdraw your consent, after which it’ll be deleted.

You apply for a job or work at our company

If you apply for a role at our company, we process personal data such as your name, contact details, CVs, references, and other information relevant to the role. The purpose is to assess your application and the legal basis performance of an employment contract.

For employees, we process personal data as mentioned above, in addition to other general employment data (such as payroll, insurances etc.). The purpose is to manage our employment relationship and the legal basis performance of the employee contract. Employee data is deleted when you quit, unless in the unlikely event of a dismissal or dismissal dispute, where it may be necessary to keep the data for a
longer time. Job applicants can ask us to keep their data for other applications in the future, otherwise, it’s deleted when a candidate has been selected.

You supply services to or collaborate with us

When we become partners or you enter into an agreement with us either as a vendor or processor, we process personal data such as your name, contact details and correspondence. The purpose is to enter into a formal business relationship and to communicate with you prior to, during and after this, and the legal basis is primarily our contract or legitimate interest as described above under “When you communicate with us”. We store personal data for as long as we do business together and then for up to 6 years thereafter, in accordance with our legal obligations for accounting, tax etc.

Our website, functionality, cookies and similar technology

Our website is built on WordPress and we use various plugins for general functionality, security and forms. We only use reputable plugin providers and we’ve checked every one of these for GDPR compliance.

We also use a script from Fathom Analytics, a well-known privacy-protecting, cookieless website analytics company, to monitor and understand our website traffic, in the most privacy-friendly way possible. The legal basis is our legitimate interest to continually improve our website and run our business efficiently.

We use the _GRECAPTCHA cookie mentioned above for security purposes and, thus, view it as essential and necessary as per the ePrivacy directive. The legal basis as per the GDPR is our legitimate interest to protect our website and business against malicious actors. We don’t keep any logs for these cookies and you can delete them yourself at any time in the browser setting.

Further, if you want to schedule a call via this page, click on the “select time” button. A Calendly calendar pops up and the following cookies are added to your browser: Calendly cookies are necessary to enable the function and they automatically enable Stripe (payment) cookies since Stripe is integrated from their end. Unfortunately, we cannot disable this from our end. If you don’t want any of these cookies, don’t click on the button and simply contact us via our website form or email. The purpose and legal basis for setting these cookies, after you consent by clicking the “select time” button, is to facilitate easy scheduling for you, based on our legitimate interest in following up with interested and potential clients.

With whom do we share your personal data?

We respect your privacy and when it comes to other parties we share only the personal data necessary
to run our business efficiently and securely. Typically, we share personal data with parties such as:

• Public authorities we are obliged to report to and in case of law enforcement orders
• Our accountant, auditor, lawyer, IT support and others helping us in a professional capacity
• Data processors: providers of services that process your personal data on our behalf

We conduct due diligence on the parties with whom we share data, and agree to data processing terms where necessary/appropriate. We use processors for:

• Email, calendar, online meetings, instant message and cloud storage
• Accounting/bookkeeping, payroll, invoicing and similar
• This website, including hosting and the use of various forms
• Customer relationship management, service and support systems

To protect our business, we don’t publish further details (like names) of our processors. If you’d like to know more about our processing and with whom we share your personal data, please contact us.

Transfers of personal data outside the EU/EEA

Since we’re based in Canada, your personal data is, consequently, transferred outside of the EEA (the EU member states plus the EEA countries Iceland, Norway and Liechtenstein).

Your personal data can also be transferred to other countries, for example when we use processors to manage payments or for online forms. However, we only work with companies we trust, that are well known and where we have data processing terms in place (in line with the GDPR Article 28(3)). We check whether a country outside the EEA offers an adequate level of data protection (has obtained an EU “adequacy decision”) or, if this is not the case, those other necessary safeguards are in place (like the EU standard contractual clauses, “SCCs”). If you want further details on such transfers (and a copy of applicable safeguards), please contact us.

Security and personal data protection

As a software company, we know how crucial it is to maintain exceptional security and we will always do our utmost to protect your personal data. Using strong passwords, a password manager and two-factor authentication, where possible, is given. We employ encryption where possible/logical, have implemented access control, and several other measures to secure our personal data and prevent unauthorized access, alteration and deletion.

We only allow others to access and/or process your personal data in accordance with our instructions, only when strictly necessary. and subject to confidentiality. If we experience a personal data breach, i.e., a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, and it poses a medium to high risk for the people affected, we will notify the national data authority within 72 hours. If the risk is deemed high for the people affected, we will also notify them directly, if possible.

Your data protection rights

Last, but not least, your data protection rights as per the GDPR:

• Access and rectification: You may request access to or a copy of the information we process about you and ask us to rectify incorrect data.
• Erasure or restriction: In some circumstances, you may ask us to delete or restrict our processing of your data, but we cannot delete any data we are required to process (for example where we’re required to keep data for accounting, tax and other business purposes).
• Objection: In some circumstances, you may ask us to stop processing your data.
• Data portability: In some circumstances, you may ask us to transfer your data to you or to another organization.
• Also, if you’re unhappy about how we process your data, you have a right to complain to a national data authority. We hope, however, that you will contact us first so that we can try to resolve the matter for you in a satisfactory way.

Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply (at the latest) within 30 days.

We hope the above provides you with transparent and clear information about how we process your personal data. If you have any questions at all, please don’t hesitate to reach out.

This privacy notice was last updated:
October 12, 2022