PRIVACY POLICY
Sharing 365
(Sharing 365 OÜ)
Version: 17.09.2025
We, Sharing 365 OÜ, a company incorporated and existing under the laws of Estonia, with registration number 14667908, with its registered office at Sepapaja 6, Tallinn 15551, Estonia, represented by Jordy Gerald Ariën Van Bremen, Management Board Member, trading as “Sharing 365” (“Company”, “we”, “our” or “us”) take your privacy very seriously. Please read this Privacy Policy carefully as it contains important information on how and why we collect, store, use and share any personal data relating to you in connection with your use of our services. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.
We collect, use, and are responsible for certain personal data about you. We act as the data controller for personal data obtained when you fill out a form on our website, subscribe to our newsletter, respond to a survey, place an order, or otherwise interact with us. Personal data may also be collected or processed when we provide our services in accordance with our Terms of Business. As the data controller, we are legally responsible for determining how and for what purposes this personal data is used.
When we do so, we act as the data controller and are subject to the EU General Data Protection Regulation (EU GDPR), as well as any applicable national data protection laws within the European Economic Area (EEA), in relation to personal data processed in connection with the services we provide to clients and users within the EEA.
This Privacy Policy is divided into the following sections:
- Introduction;
- Definitions;
- Scope (What this policy applies to);
- Data protection principles;
- Personal data we collect about you;
- How your personal data is collected;
- Basis for processing personal data;
- How and why we use your personal data;
- Who we share your personal data with;
- Marketing;
- Where Will We Store the Data;
- How long your personal data will be kept;
- Documentation and records;
- Data subject (individual) rights;
- Data subject (individual) obligations;
- Information security;
- Data breaches;
- International transfers;
- Training;
- Consequences of failing to comply;
- Changes to this Privacy Policy;
- How to complain;
- Consent.
1. Introduction
The Company obtains, keeps and uses personal data (also referred to as personal information) for a number of specific lawful purposes, as set out in this Privacy Policy concerning various data subjects.
This Privacy Policy sets out how we comply with our data protection obligations and seek to protect personal data relating to our workforce. Its purpose is also to ensure that our staff and our clients understand and comply with the rules governing the collection, use and deletion of personal data to which they may have access in the course of their work.
We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal data relating to our workforce, and how (and when) we delete that data once it is no longer required.
2. Definitions
criminal records data means personal data relating to criminal convictions and offences, allegations, proceedings, and related security measures;
data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
data subject means the individual to whom the personal data relates;
personal data (sometimes known as personal information) means data relating to an individual who can be identified (directly or indirectly) from that data;
processing data means obtaining, recording, organising, storing, amending, retrieving, disclosing and/or destroying data, or using or doing anything with it;
special category data (sometimes referred to as “sensitive personal data” or “sensitive personal information”) means any personal data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership (or non-membership). It also includes genetic and biometric data used to identify an individual, and data concerning an individual’s health, medical conditions, healthcare history, or mental wellbeing, as well as information about their sex life, sexual orientation, financial situation, creditworthiness, or other financial data.
3. Scope (What this policy applies to)
This Privacy Policy applies to the personal data of individuals who interact with our website or our services, including, without limitation, website visitors, individuals who contact us through any communication channels, and those who subscribe to our updates or engage with our services under our Terms of Business.
4. Data protection principles
The Company will comply with the following data protection principles when processing personal data:
- we will process personal data lawfully, fairly and in a transparent manner;
- we will collect personal data for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;
- we will only process the personal data that is adequate, relevant and necessary for the relevant purposes;
- we will keep accurate and up to date personal data, and take reasonable steps to ensure that inaccurate personal data are deleted or corrected without delay;
- we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; and
- we will take appropriate technical and organisational measures to ensure that personal data are kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
5. Personal data we collect about you
The personal data we collect about you depends on the manner in which you interact with our website or with us in connection with the services we provide. We may collect and use the following personal data about you:
- first name;
- last name;
- title;
- e-mail address;
- mailing address;
- information to check and verify your identity, e.g., date of birth;
- your gender, if you choose to give this to us;
- phone number;
- your billing information, transaction and payment card or other payment method information;
- bank account and payment details;
- details of any information, feedback or other matters you give to us by phone, email, post or via social media;
- special category data (as the case may be);
- information about your computer or device (e.g., device and browser type);
- information about how you use our website (e.g., which pages you have viewed, the time when you view them and what you clicked on, the geographical location from which you accessed our website (based on your IP address));
- company name or business name (if applicable);
- VAT number (if applicable);
- your use of our services;
- your personal or professional interests;
- your professional online presence, e.g., LinkedIn profile;
- information about the services we provide to you;
- information about how you use our website and technology systems;
- your responses to surveys, competitions and promotions.
Sometimes you can choose if you want to give us your personal data and let us use it. Where that is the case, we will tell you and give you the choice before you give the personal data to us. We will also tell you whether declining to share that personal data will have any effect on use of our services.
Special category data. Special category data is sometimes referred to as “sensitive personal data” or “sensitive personal information”. We may from time to time need to process special category data. We will only process special category data if:
- we have a lawful basis for doing so, e.g., it is necessary for the performance of the contract or to comply with our legal obligations; and
- one of the special conditions for processing special category data applies, e.g.:
  - the processing is necessary to provide our services under the Terms of Business, and without such processing it would be impossible to deliver the services;
  - the data subject has given explicit consent;
  - the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent;
  - processing relates to personal data which are manifestly made public by the data subject;
  - the processing is necessary for the establishment, exercise or defense of legal claims; or
  - the processing is necessary for reasons of substantial public interest.
Special category data will not be processed until:
- the assessment referred to in this Privacy Policy below has taken place; and
- the individual has been properly informed, as set out in this Privacy Policy, of the nature of the processing, the purposes for which it is being carried out, and the legal basis for it.
If, however, you inadvertently or intentionally transmit special category data to us, you will be considered to have explicitly consented to us processing that special category data under Article 9(2)(a) of the General Data Protection Regulation and Article 9(2)(a) of the UK GDPR. We will use and process your special category data for the purposes of deleting it.
We are committed to protecting the privacy of children online. In accordance with the EU General Data Protection Regulation (GDPR), which requires parental consent for the processing of personal data of children under the age of 16 (or lower where permitted by local law), we do not knowingly collect personal data from persons under this age through our website. The website is not intended to solicit personal information from children. In the event that we become aware that we have inadvertently received personal data from a child below the applicable age threshold, we will take steps to delete such data promptly, unless we are legally required to obtain parental or guardian consent. If you believe that we have collected personal data of a child in contravention of this provision, please notify us immediately at privacy@sharing365.io.
6. How your personal data is collected
We collect personal data from you:
- directly, when you enter or send us information, such as when you fill in the contact form on our website, sign up to our e-newsletter, communicate with us, contact us (including via email), send us feedback, purchase services via our website or otherwise, post material to our website and complete customer surveys, and
- indirectly, such as your browsing activity while on our website; we will usually collect information indirectly using the technologies explained in clause 8.3 “Cookies and Similar Technologies” below.
We also may collect personal data about you from other sources, such as by using third-party services.
7. Basis for processing personal data
In relation to any processing activity we will, before the processing starts for the first time, and then regularly while it continues:
- review the purposes of the particular processing activity, and select the most appropriate lawful basis (or bases) for that processing, i.e.:
  - that the data subject has consented to the processing;
  - that the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  - that the processing is necessary for compliance with a legal obligation to which the Company is subject;
  - that the processing is necessary for the protection of the vital interests of the data subject or another natural person;
  - that the processing is necessary for the purposes of legitimate interests of the Company or a third party, except where those interests are overridden by the interests of fundamental rights and freedoms of the data subject.
- except where the processing is based on consent, satisfy ourselves that the processing is necessary for the purpose of the relevant lawful basis (i.e., that there is no other reasonable way to achieve that purpose);
- document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles;
- include information about both the purposes of the processing and the lawful basis for it in our relevant privacy notice(s);
- where special category data is processed, also identify a lawful special condition for processing that data, and document it; and
- where criminal records data is processed, also identify a lawful condition for processing that data, and document it.
When determining whether the Company’s legitimate interests are the most appropriate basis for lawful processing, we will:
- conduct a legitimate interests assessment (LIA) and keep a record of it, to ensure that we can justify our decision;
- if the LIA identifies a significant privacy impact, consider whether we also need to conduct a data protection impact assessment (DPIA);
- keep the LIA under review, and repeat it if circumstances change; and
- include information about our legitimate interests in our relevant privacy notice(s).
8. How and why we use your personal data
Use of Website Server Log Information for IT Security Purposes
Our website is hosted by Wix.com. You can find Wix’s privacy policy here. When you visit our website, Wix automatically collects certain technical information, such as your IP address, browser type and version, operating system, pages visited, date and time of your visit, and the referring URL.
The technical information collected through server logs is processed solely for the purposes of ensuring the security, stability, and proper functioning of the website, including, without limitation, the detection and prevention of unauthorized access, cyberattacks, or other anomalous or suspicious activity. Such technical information shall not be used to identify you personally, and Wix does not disclose any personal data from these logs to us, except for personal data voluntarily submitted by you through the website’s contact forms.
Legal basis for processing:
- Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the GDPR / Article 6(1)(c) of the UK GDPR). This obligation requires us to implement appropriate security measures to protect our systems and data.
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Both we and our hosting provider have a legitimate interest in using this information for security purposes, such as ensuring the integrity of our network and preventing cyber threats.
Use of Website Server Log Information to Analyse Website Use
We may use server log information to analyse how visitors interact with our website, including data such as the number of visits, visitor locations, operating systems, and browsers. This analysis helps us improve our website by adjusting content and structure based on user engagement and understanding visitor preferences.
Our third-party hosting provider collects and stores server logs not only to ensure network and IT security but also to help identify and prevent unauthorized access to our network, distribution of malicious code, denial of service attacks, and other cyber threats. The analysis of log files helps detect unusual or suspicious activity, contributing to the ongoing protection of the server and website from potential compromise.
Unless we are investigating suspicious or potential criminal activity, we do not attempt to identify users from the server log information, nor do we allow our hosting provider to do so.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our interest in improving website performance, understanding user preferences, and ensuring the security of our website justifies this processing.
- Compliance with a legal obligation to which we are subject (Article 6(1)(c) of the GDPR / Article 6(1)(c) of the UK GDPR). This obligation requires us to implement appropriate security measures to protect our systems and data.
8.1 Cookies and Similar Technologies
We may use cookies, which are small data files placed on your device (e.g., computer, smartphone, or other electronic device) when you use our website. Cookies help enhance your browsing experience, improve website functionality, and personalise your interactions with our website. They also assist us in remembering and processing items in your shopping cart, saving your preferences for future visits, and compiling aggregate data about site traffic and interactions to improve site experiences and tools.
We may also use essential, functional, analytical, and targeting cookies, and may contract with third-party service providers to help us better understand our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.
For further information on how we use cookies, please see our Cookies Policy. You can reject some or all of the cookies we use on or via our website by changing your browser settings or using our cookie control tool. However, doing so may impair your ability to use our website or some or all of its features.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our interest is in improving the functionality of our website and personalising your experience.
8.2. Email
When you send an email to the email address displayed on our website, we collect your email address, any other information you provide in that email, and the information contained in any signature block in your email.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our legitimate interest is in responding to enquiries and messages we receive and keeping records of correspondence.
- Necessary to perform a contract (Article 6(1)(b) of the GDPR / Article 6(1)(b) of the UK GDPR). If your message relates to us providing you with goods or services or taking steps at your request prior to providing such goods and services (for example, providing information about our goods or services), we will process your information to fulfil this purpose.
8.3. Contact Form
When you contact us using our contact form, we collect your name, email address, telephone number, company, and website, where applicable. We also collect any other information you provide to us when you complete the contact form, including any optional information.
If you do not provide the mandatory information required by our contact form, you will not be able to submit the contact form, and we will not receive your enquiry. If you do not supply the optional information required by our contact form, we may not be able to respond to your enquiry.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our legitimate interest is in responding to enquiries and messages we receive and keeping records of correspondence.
- Necessary to perform a contract (Article 6(1)(b) of the GDPR / Article 6(1)(b) of the UK GDPR). If your message relates to us providing you with goods or services or taking steps at your request prior to providing such goods or services (for example, providing information about our goods or services), we will process your information to fulfil this purpose.
8.4. Phone Contact
When you contact us by phone, we collect your phone number and any information provided to us during your conversation with us. We do not record phone calls.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our legitimate interest is in responding to enquiries and messages we receive and keeping records of correspondence.
- Necessary to perform a contract (Article 6(1)(b) of the GDPR / Article 6(1)(b) of the UK GDPR). If your message relates to us providing you with goods or services or taking steps at your request prior to providing such goods or services (for example, providing information about our goods or services), we will process your information to fulfil this purpose.
8.4. E-Newsletter Subscription
When you sign up for our e-newsletter on our website or opt to receive news and offers, we collect your name and email address.
Legal basis for processing:
- Consent (Article 6(1)(a) of the GDPR / Article 6(1)(a) of the UK GDPR).
8.5. Contact by Post
If you contact us by post, we will collect any information you provide to us in any postal communications you send us.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR). Our legitimate interest is in responding to enquiries and messages we receive and keeping records of correspondence.
- Necessary to perform a contract (Article 6(1)(b) of the GDPR / Article 6(1)(b) of the UK GDPR). If your message relates to us providing you with goods or services or taking steps at your request prior to providing such goods or services (for example, providing information about our goods or services), we will process your information to fulfil this purpose.
8.6. Information Obtained from Third Parties
We do not generally receive information about you from third parties, except where we need to verify details or obtain missing information to provide services. This information may include name, contact details, or any other details provided.
Legal basis for processing:
- Necessary to perform a contract (Article 6(1)(b) of the GDPR / Article 6(1)(b) of the UK GDPR) or legitimate interests (Article 6(1)(f) of the GDPR / Article 6(1)(f) of the UK GDPR), depending on the context of the data received.
8.7 Consent
Where you have asked a third party to share information about you with us, and the purpose of sharing that information is not related to the performance of a contract or services by us to you, we will process your information on the basis of your consent. You provide this consent by asking the third party in question to pass on your information to us.
Legal basis for processing:
- Our legitimate interests (Article 6(1)(f) of the GDPR). Where a third party has shared information about you with us and you have not consented to the sharing of that information, we may have a legitimate interest in processing that information in certain circumstances. For example, we would have a legitimate interest in processing your information to perform our obligations under a sub-contract with the third party, where the third party has the main contract with you. Our legitimate interest is the performance of our obligations under our sub-contract.
Similarly, third parties may pass on information about you to us if you have infringed or potentially infringed any of our legal rights. In this case, we will have a legitimate interest in processing that information to investigate and pursue any such potential infringement.
8.8 Where We Receive Information About You in Error
If we receive information about you from a third party in error and/or we do not have a legal basis for processing that information, we will delete your information.
8.9 Use of Profiling in Marketing Emails
We may use web beacons in our marketing emails to analyse who opens our emails and what actions they take (for example, what they click on). We will only process information from web beacons if you have consented to their use in accordance with our Cookies Policy. By analysing how our email recipients respond to our emails, we are able to improve the content and effectiveness of our emails and gauge who is most interested.
Legal basis for processing:
- Legitimate interests (Article 6(1)(f) of the General Data Protection Regulation). Legitimate interest: Analysing the level of engagement and effectiveness of our marketing emails and content.
9. Who we share your personal data with
Transfer and Storage of Information
Messages submitted via email or contact forms are stored by our third-party service providers, including Microsoft 365 (privacy policy here). We ensure that appropriate safeguards are in place to protect the security and privacy of your information during processing and storage.
For security and competitive reasons, we do not publicly disclose the identities of all our service providers. However, if you have a legitimate reason to request this information, such as where your information has been shared with them, please contact us by email, and we will provide details as appropriate.
Disclosure of Your Information to Other Third Parties
We disclose your information to other third parties in specific circumstances, as set out below.
For example, we share information with third parties like Google Inc., who may collect data via Google Analytics on our website. Google uses this information, including IP addresses and data from cookies, for various purposes, such as improving its Google Analytics service. The information is shared with Google on an aggregated and anonymized basis.
For more details about the information Google collects, how it uses this information, and how to control the data sent to Google, please refer to their privacy policy: Google Privacy Policy.
9.1 Sharing Your Information with Third Parties
We may share your information with third parties who are related to or associated with the operation of our business, where it is necessary to do so. These third parties include accountants, advisors, business partners, independent contractors, insurers etc.
We do not display the identities of all third parties we share your information with publicly for security and competitive reasons. However, if you would like further information, please contact us via email, and we will provide such information where you have a legitimate reason for requesting it (e.g., where your information has been shared with specific third parties).
Disclosure and Use of Your Information for Legal Reasons
We may disclose and use your information in various legal contexts, such as when we suspect criminal activity, need to enforce our rights, or comply with legal obligations.
If we suspect criminal or potentially criminal conduct, such as fraud or cybercrime, or if we receive threats or malicious communications, we may need to contact the appropriate authority, such as the police. This will generally only apply if you are involved or affected by the incident in some way.
We may also need to process your information to enforce our legal rights, including sharing information with debt collection agencies if amounts owed to us are not paid. This can involve both contractual and non-contractual legal rights, such as those under copyright or tort law.
In the event of a legal dispute, we may need to use your information to resolve the dispute or as part of any mediation, arbitration, court proceedings, or similar processes.
We also use and process your information to comply with legal obligations under applicable EU or Estonian law, such as responding to court orders, regulatory requests, or matters related to suspected financial crime, fraud, or money laundering. This may include disclosing information to competent Estonian authorities, such as the Estonian Financial Intelligence Unit (Rahapesu Andmebüroo), or other relevant EU regulatory or law enforcement bodies, where necessary and permitted by law.
10. Marketing
We may use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or information on new products and/or services.
We have a legitimate interest in using your personal data for marketing purposes. This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.
You have the right to opt out of receiving marketing communications at any time by:
- contacting us at privacy@sharing365.io;
- using the “unsubscribe” link in emails; or
- updating your marketing preferences on our website (if applicable).
We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.
For more information on your right to object at any time to your personal data being used for marketing purposes, see section “Data subject (individual) rights” below.
11. Where Will We Store the Data?
Personal data (and special category data) will be kept securely in accordance with this Privacy Policy.
Personal data (and special category data) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.
12. How long your personal data will be kept
Personal data (and special category data) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data was obtained.
Different retention periods apply for different types of personal data. All data retention practices will comply with GDPR and UK GDPR requirements.
The following retention periods shall apply:
- Server log information – Retained for 72 months.
- Correspondence and enquiries – Retained for as long as necessary to respond to and resolve the enquiry, plus 72 months, after which it will be deleted.
- E-newsletter subscriptions – Retained for as long as you remain subscribed. If you unsubscribe or we discontinue the e-newsletter service, your information will be deleted.
In all other circumstances, we will retain your information for no longer than necessary, considering:
- the purpose(s) and future use of your information (e.g., if it is needed to fulfil contractual obligations or for future communication);
- any legal obligations requiring us to retain data (e.g., record-keeping requirements);
- any legal basis for processing (e.g., your consent);
- the value of the information, both now and in the future;
- industry practices regarding data retention;
- the risks, costs, and liabilities associated with continued retention;
- the difficulty of keeping the information accurate and up to date;
- any other relevant circumstances, including the nature and status of our relationship with you.
13. Documentation and records
We will keep written records of processing activities which are high risk, i.e., which may result in a risk to individuals’ rights and freedoms or involve special category data or criminal records data, including:
- the purposes of the processing;
- a description of the categories of individuals and categories of personal data;
- categories of recipients of personal data;
- where possible, retention schedules; and
- where possible, a description of technical and organisational security measures.
As part of our record of processing activities we document, or link to documentation, on:
- information required for privacy notices;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- DPIAs; and
- records of data breaches.
If we process special category data or criminal records data, we will keep written records of:
- the relevant purpose(s) for which the processing takes place, including (where required) why it is necessary for that purpose;
- the lawful basis for our processing; and
- whether we retain and erase the personal data in accordance with our policy document and, if not, the reasons for not following our policy.
We will conduct regular reviews of the personal data we process and update our documentation accordingly.
14. Data subject (individual) rights
You (in common with other data subjects) have the following rights in relation to your personal data:
- to be informed about how, why and on what basis that data is processed;
- to obtain confirmation that your data is being processed and to obtain access to it and certain other information, by making a data subject access request;
- to have data corrected if it is inaccurate or incomplete;
- to have data erased if it is no longer necessary for the purpose for which it was originally collected/processed, or if there are no overriding legitimate grounds for the processing (this is sometimes known as “the right to be forgotten”);
- to restrict the processing of personal data where the accuracy of the data is contested, or the processing is unlawful (but you do not want the data to be erased), or where the employer no longer needs the personal data but you require the data to establish, exercise or defend a legal claim; and
- to restrict the processing of personal data temporarily where you do not think it is accurate (and the employer is verifying whether it is accurate), or where you have objected to the processing (and the employer is considering whether the organisation’s legitimate grounds override your interests).
If you wish to exercise any of the rights in paragraphs 14.1.3 to 14.1.6, please contact us at privacy@sharing365.io.
15. Data subject (individual) obligations
Individuals are responsible for helping the Company keep their personal data up to date. You should let us know if the data you have provided to the Company changes.
You may have access to the personal data of other members of staff and suppliers of the Company in the course of your engagement. If so, the Company expects you to help meet its data protection obligations to those individuals.
If you have access to personal data, you must:
- only access the personal data that you have authority to access, and only for authorised purposes;
- only allow other Company staff to access personal data if they have appropriate authorisation;
- only allow individuals who are not Company staff to access personal data if you have specific authority to do so from us;
- keep personal data secure (e.g., by complying with rules on access to premises, computer access, password protection and secure file storage and destruction);
- not remove personal data, or devices containing personal data (or which can be used to access it), from the Company’s premises unless appropriate security measures are in place (such as pseudonymisation, encryption or password protection) to secure the data and the device; and
- not store personal data on local drives or on personal devices that are used for work purposes.
You should contact us at privacy@sharing365.io if you are concerned or suspect that one of the following has taken place (or is taking place or likely to take place):
- processing of personal data without a lawful basis for its processing or, in the case of special category data, without one of the conditions in paragraph 5.3.2 being met;
- any data breach as set out in this Privacy Policy and applicable laws;
- access to personal data without the proper authorisation;
- personal data not kept or deleted securely;
- removal of personal data, or devices containing personal data (or which can be used to access it), from the Company’s premises without appropriate security measures being in place;
- any other breach of this policy or of any of the data protection principles set out in paragraph 4.1 above.
16. Information security
The Company will use appropriate technical and organisational measures to keep personal data secure, and in particular to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include:
- making sure that, where possible, personal data is pseudonymised or encrypted;
- ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- ensuring that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
- pseudonymisation and encryption of personal data;
- ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- ensuring protection of personal data during transmission;
- ensuring protection of personal data during storage;
- ensuring physical security of locations at which personal data are processed;
- ensuring access controls, including role-based access and least privilege principles;
- ensuring secure disposal of personal data and equipment used to process personal data;
- conducting personnel training and awareness programs on data protection and security;
- ensuring third-party compliance with data protection standards when personal data is shared or processed by subcontractors;
- encryption of backups and their secure storage;
- monitoring and responding to unauthorized access attempts and anomalies in data processing;
- implementing data minimization principles, ensuring only necessary data is collected and processed;
- maintaining up-to-date software and applying security patches promptly;
- securing endpoints, including laptops, mobile devices, and other portable media;
- ensuring network security, including firewalls, intrusion detection/prevention systems, and secure network architecture;
- segregation of duties to prevent conflicts of interest and reduce the risk of unauthorized access;
- ensuring secure configuration and management of cloud services used to process personal data;
Where the Company uses external organisations to process personal data on its behalf, additional security arrangements need to be implemented in contracts with those organisations to safeguard the security of personal data. In particular, contracts with external organisations must provide that:
- the organisation may act only on the written instructions of the Company;
- those processing the data are subject to a duty of confidence;
- appropriate measures are taken to ensure the security of processing;
- sub-contractors are only engaged with the prior consent of the Company and under a written contract;
- the organisation will assist the Company in providing subject access and allowing individuals to exercise their rights in relation to data protection;
- the organisation will assist the Company in meeting its obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments;
- the organisation will delete or return all personal data to the Company as requested at the end of the contract; and
- the organisation will submit to audits and inspections, provide the Company with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Company immediately if it is asked to do something infringing data protection law.
17. Data breaches
A data breach may take many different forms, for example:
- loss or theft of data or equipment on which personal data is stored;
- unauthorised access to or use of personal data either by a member of staff or third party;
- loss of data resulting from an equipment or systems (including hardware and software) failure;
- human error, such as accidental deletion or alteration of data;
- unforeseen circumstances, such as a fire or flood;
- deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
- “blagging” offences, where data is obtained by deceiving the organisation which holds it.
The Company will:
- make the required report of a personal data breach to the Estonian Data Protection Inspectorate without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
- notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
18. International transfers
The Company may transfer personal data from the EEA to countries, territories, or organisations outside the EEA on the basis that that country, territory, or organisation is designated as having an adequate level of protection by the European Commission, or that the organisation receiving the data has provided adequate safeguards, such as binding corporate rules, standard data protection clauses adopted by the European Commission, or compliance with an approved code of conduct.
In certain circumstances, such as compliance with legal obligations (e.g., responding to a court order), we may be required to transfer personal data to a country outside the EEA or to an international organisation. In such cases, we will ensure that appropriate safeguards and protections are in place to uphold the security and integrity of the data.
Additionally, personal data collected through services such as Google Analytics (e.g., IP addresses and website interaction data) may be transferred and stored outside the EEA, including in the United States. While the U.S. is not subject to an adequacy decision by the European Commission, Google has self-certified its compliance with the EU-U.S. Privacy Shield framework, which provides an approved certification mechanism under the GDPR. Further details on Google’s data protection practices can be found in its privacy policy.
19. Training
The Company will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.
20. Consequences of failing to comply
The Company takes compliance with this policy very seriously. Failure to comply with the policy:
- puts at risk the individuals whose personal data is being processed; and
- carries the risk of significant civil and criminal sanctions for the individual and the Company; and
- may, in some circumstances, amount to a criminal offence by the individual.
Because of the importance of this policy, an employee’s failure to comply with any requirement of it may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct. If a non-employee breaches this policy, they may have their contract terminated with immediate effect.
21. Changes to this Privacy Policy
We may change this Privacy Policy from time to time at our sole and absolute discretion. The up-to-date version will be available on our website, and the date of the version will be included in the notice at the beginning of the Privacy Policy published on the website.
22. How to contact us and how to complain
If you have any questions or concerns about anything in this policy, do not hesitate to contact us at privacy@sharing365.io.
You can contact the data controller by writing to Sharing 365 OÜ, Sepapaja 6, Tallinn 15551, Estonia or by sending an email to privacy@sharing365.io.
You also have the right to lodge a complaint with the relevant data protection supervisory authority in the EEA state of your habitual residence, place of work, or of an alleged infringement of data protection laws in the EEA.
For general guidance, you can consult the Estonian Data Protection Inspectorate at https://www.aki.ee/en.
For a list of EEA data protection supervisory authorities and their contact details see here.
23. Consent
By accessing or using our website(s) or services, you agree to the terms outlined in this Privacy Policy. Your use of our website(s) or services signifies your acceptance of the policies and practices described herein. If you do not agree with any part of this Privacy Policy, please discontinue use of our website(s) or services. Your continued use of our website or services constitutes your acceptance of any changes or updates to the Privacy Policy.