Definitions

To assist in your understanding of this policy, we explain the usage of the definitions listed here in accordance with the international regulations of data processing. We use the following definitions:

“GDPR” means the European General Data Protection Regulation, which is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe.

“Data Controller” means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed.

“Data Processor” means the natural or legal person who processes personal data on behalf of the data controller.

“Data Subject” is any living individual who is using our websites or products.

“Personal data” means any information relating to you and helping identify you (directly or indirectly) such as your name, nickname, last name, email data or data provided in CVs.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Joint controllers” means two or more controllers jointly determining the purposes and means of processing.

Why we collect your data

We collect your personal data through the websites and the social media accounts as a data controller, while you are visiting our websites and social media pages in such cases:

● you are a visitor, when you merely surf our web sources

● you are a lead client’s representative, when you submit your contact details through our web sources contact forms or via provided contact details leave any query to ask questions regarding our services and products, get quote calculations

● you are a prospective service supplier, when you submit personal data, including commercial offers, through the web sources contact forms to offer your services and knowledge to us

● you are a current or prospective employee, when you submit personal data, including CVs, through our websites or social media pages to offer your services and knowledge to us

When you submit your personal data to the contact forms through our websites, you will be asked to express consent to our collection and processing of your personal data as explained in this policy to enable us to provide you with the information or service requested, if no other legal ground can be used.

We collect your personal data only for the purposes listed below:

● to customize our websites, products, and services according to your online behavior and personal preferences

● to process clients’ queries

● to send users promotional emails, surveys and participate in other types of marketing research

● to process CV applications

We do NOT collect or process personal data of children.

We do NOT collect or share sensitive personal data.

We do NOT sell personal information.

We do NOT use automated decision-making and profiling.

What user data we collect

As a Data Controller Xpand may collect, store and use in our operational activities the following kinds of personal information about individuals who visit our websites as well as use our products and services:

● Information you supply to us. You may supply us with information about you by filling in forms on our website. This includes information you provide when you request a quote, contact our team, apply for a vacancy, request support etc. The information you give us may include:

o your name

o e-mail address

o partner/customer/company representatives’ contacts, you may provide us with through the message field of the “Contact us” form

o your personal information submitted via applicant’s CV, you may provide us with through the attachment to the “Apply” form

o permission to associate your social network account (such as Facebook, Google, Microsoft or Disqus) with an account you use within our web-based products and/or when commenting/sharing our “Blogs” pages

● Information our websites and products automatically collect about you. With regard to each of your visits to our websites or when you use our products or services, we may automatically collect information including the following:

o technical information, including a truncated and anonymized version of your Internet protocol (IP) address

o browser type and version

o operating system and platform

o information about your visit, including what pages you visit, when you signed in, how long you are on the site, how you got to the site (including date and time)

o page response times

o length of visit

o what you click on

o documents downloaded

o download errors

Below you can find detailed information on the types and purposes of personal data we collect:

Cookies

Our websites, as well as web-based products, use cookies.

“Cookies” are small data files that are transferred to your computer that allow us to remember certain information about you. We use them to distinguish you from other users when you browse our websites or use our products, to enhance your user experience and provide a significant level of protection to your personal data.

We need your consent for use of cookies before you can visit our websites for the first time. You can choose not to allow some types of cookies or cancel/adjust your cookies selection at any time under settings of our Cookies Consent Form . However, please mind that blocking necessary cookies may damage your experience on the website (some features will not be available or will not work properly). Also please note that cookies don't allow us to gain control of your computer in any way. They are strictly used for performance, readability, and experience purposes as well as to monitor which pages you find useful and which you do not, so that we can provide a better experience for you.

You can find more detailed information on the categories of cookies we use in our Cookies Policy.

Please mind that our websites may contain links to and from third-party websites. If you follow a link to any of such websites, please note that they have their own privacy and cookies policies and that we do not accept any responsibility or liability for them. Please check the third-party websites’ policies before you submit any personal data to them.

Grounds for processing

We collect and process your personal data in accordance with the provisions of the GDPR (more information can be found here https://gdpr.eu/). GDPR provides an exclusive list of bases allowing us to process your personal data, namely:

● Article 6.1(a): consent

We only collect the information you choose to give us, and we process it under your consent. We require the minimum amount of your personal data that is necessary to fulfil the purpose of your interaction with our website (provide you with quote, look through the CV, send you an offer or newsletter, etc.).

You may withdraw the consent to the processing of your personal data at any time by sending us an email at compliance@xpandsoftware.com or by filling in the Request and Complaints Form.

Please remember that the withdrawal of consent does NOT automatically mean that the processing before the withdrawal is considered unlawful.

● Article 6.1(b): performance of a contract

When you send us your CV or use the feedback form to get in contact with us to discuss our services you’d be interested in buying, this can be deemed the request of the data subject to form a contract. However, we may ask you to give us a clear consent in case of doubt.

● Article 6.1(c): legal obligation

We process your personal data to fulfil the applicable legal obligations arising mainly from the GDPR.

In the event of you sending us the request to fulfil the rights granted by the GDPR, we may ask you for some personal data we already have to identify you and achieve compliance with the applicable law.

● Article 6.1(f): legitimate interests

We process your personal data to prevent any fraudulent actions and to provide you with the desired information and services. Also, we need some data to enable our website to run smoothly and give you a pleasant user experience. We use only strictly necessary data.

Data Security and Retention

We have implemented organizational, technical, administrative, and physical security measures that are designed to protect your personal data from unauthorized access, disclosure, use, and modification. We regularly review our security procedures to consider appropriate new technology and methods.

According to our internal policies, the retention period of the following types of personal data makes 12 months:

● personal data, provided via the “Contact us” and “Apply” forms

● browser data and usage data

Your comments, reactions, reposts and messages left within the social media platforms and Disqus tool will be kept visible as long as the privacy policies of these platforms promise you.

We will store and process your personal data until we do not need it for any of the purposes defined in this policy, unless longer storage is required or permitted by law. We may not delete or anonymize your data if we are compelled to keep it under the applicable law.

Data Sharing and Disclosure

We do not intentionally share or sell any personal information, that we collect via our websites or social network pages. We use it strictly for the purposes of our business operations. We may share your personal data with the third parties only, where at least one applies:

• you give us the explicit consent to such disclosure

• the disclosure of your personal data is required by the appropriate laws

• the disclosure secures our legitimate interests that do not override your rights and freedoms

• the disclosure of your personal data is necessary for the public authorities to fulfil their official obligations and duties

Sharing personal data with other Joint Data Controllers

Sometimes we can be considered as joint controllers. As we are determined to provide you with the variety of possibilities to discover our services and share your experience, we use the products of the third parties, acting as controllers. For example, when you use social media buttons to share our blog post or see the targeted advertisement when scrolling your newsfeed, we may become joint controllers with the social media you use. Usually, you may make Facebook, Instagram, LinkedIn, YouTube our joint controllers by using their “Like” and “Share” buttons.

We may share your personal data to such Joint Data Controllers:

• Microsoft Corporation: as our operations use licensed Microsoft 365 software applications for communication and data storage. You may familiarize with its Privacy Policy here.

• Google, LLC: to use data analytics to improve our website and your experience as well as deliver the functionality of the website. You may familiarize with its privacy policy here.

• Social Media Networks: to allow users to contact us in the social media or share any news of the Company at their pages. You may familiarize with most common social media platforms’ Privacy Policies here: LinkedIn, Facebook and Instagram, YouTube.

Sharing personal data with the Data Processors

There are a lot of features necessary to provide you with the service that we may not complete ourselves, thus we use the third-party help and may grant access to your personal data, in full or in part, to such third-parties as Data Processors to perform the necessary services for us under the contracts with obligatory signing of non-disclosure clauses. We have supplier assessment procedures in place to ensure we choose trusted partners and we have implemented a need-to-know approach to range the scope of access granted to each category of sub-processors depending on the operations they ensure and purposes they need the personal data for.

We may share your personal data to such Data Processors:

• Disqus, Inc to improve your experience in the blog at the website as well as deliver the functionality of the blog. You may read its Privacy Policy here.

• Hurma System to automate CVs processing for recruiting purposes. You may read its Privacy Policy here.

• Service suppliers to perform websites’ processing operations: to improve our website and your experience as well as deliver the functionality of the website.

Your rights

You may exercise the following rights under the General Data Protection Act (GDPR) by contacting us through compliance@xpandsoftware.com or by filling in the Request and Complaints Form:

• right of access means that you may ask us to send you the copy of your personal data collected together with information regarding the nature, processing and disclosure of that personal data.

• right to rectification means that you may ask us to update and correct the false data, missing or incomplete personal data.

• right to erasure (to be “forgotten”) means that you may ask us to delete your personal data collected, except insofar it is prohibited by appropriate laws. Normally, we delete your personal data right after your request. We may either anonymize or retain your personal data for a bit longer after the request for deletion.

• right to restriction of processing means that you may ask us to restrict processing where:

1) your personal data is not correct or outdated 2) the processing is unlawful

• right to object to the processing means that you may raise objections on grounds relating to your particular situation.

• right to data portability means that you may ask us to transfer a copy of your personal data to another organization or to you.

• right to withdraw the consent when your personal data processed upon in (see section Grounds for processing).

• right to lodge a complaint with the supervisory data protection authority pertaining to the processing of your personal data (you may submit the complaint to the Supervisory Data Protection Authority stated in this Policy).

Data protection authority

Our organization is established in Ukraine. Thus, any privacy violations are subject to Ukrainian data protection law. Considering, that data processing by our company does not consist of the processing of special categories of personal data on a large scale, we decided not to appoint a Data Protection Officer - the responsibilities of the DPO at Xpand are carried out by Compliance Officer (contact email: compliance@xpandsoftware.com).

However, we have also appointed our EU representative located in Belgium to make it possible to handle complaints lodged against violations of the General Data Protection Regulation within the EU and the relevant national laws (according to the requirements of Chapter 4 Article 27 of GDPR: Representatives of controllers or processors not established in the European Union).

In the event of personal data breach (if a risk to data subjects is likely), the company reports the personal data breach to the supervisory authority without undue delay, and not later than 72 hours. The breach notification can be made by email, phone, or letter.

If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the company notifies the data subjects affected immediately by email.

Changes to the privacy policy

We may change this policy from time to time due to the implementation of new technologies, laws’ requirements or for other purposes. We will send notice to you if these changes are dramatic and where required by applicable laws, we will obtain your consent. Such notification may be provided via your email address, post in our social media accounts or announcement on the website and/or by other means, consistent with applicable law. Also, we encourage you to regularly review this policy to check for any changes.

Contacts

Please contact us if you have any questions on your personal data or any specific data protection concerns, complaints or wish to withdraw your personal information. Do not hesitate to contact us directly at e-mail address compliance@xpandsoftware.com or by filling in the Request and Complaints Form. Information in answer to such requests must be provided by the company without undue delay within at most 30 days from the date the appropriate request is received.

Last update: February 28, 2023