Akeero Technologies Ltd. (“Akeero”, “us”, “we”, or “our”) operates the akeero.com website (“Site”) and the Akeero web application (“Service”), collectively known as “Services”.

To support delivery of our Services, Akeero may engage and use data processors with access to certain Customer Data (individually, a “Subprocessor”).
This page provides important information about the identity, location and role of each Subprocessor. Terms used on this page but not defined have the meaning set out in the Terms of Service and Data Processing Addendum.

Third parties

Akeero currently uses third-party Subprocessors to provide infrastructure and security services and to help us provide customer support and email notifications. Prior to engaging any third-party Subprocessor, Akeero performs due diligence to evaluate their privacy, security and confidentiality practices, and executes an agreement implementing its applicable obligations.

Infrastructure Subprocessors

Akeero may use the following Subprocessors to host Customer Data or provide other infrastructure and security functions that help with delivery of our Services:

Other subprocessors

Akeero may use the following Subprocessors to perform other Service functions:

‍

Updates

As our business grows and evolves, the Subprocessors we engage may also change. Please check here regularly for updates.

‍

Controller to Processors

The data exporter and the data importer, as defined under the Akeero Data Processing Addendum, or any other agreement or addendum effectively governing the processing of personal data by the data importer on behalf of the data exporter, including all annexes, exhibits and  appendices thereto (“DPA”), each a “party“; together the “parties“, have agreed on the following  Contractual Clauses (“Clauses“) in order to adduce adequate safeguards with respect to the  protection of privacy and fundamental rights and freedoms of individuals for the transfer by the  data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1 – Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’,  ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive  95/46/EC of the European Parliament and of the Council of 24 October 1995 on the  protection of individuals with regard to the processing of personal data and on the free  movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter  personal data intended for processing on his behalf after the transfer in accordance with  his instructions and the terms of the Clauses and who is not subject to a third country’s  system ensuring adequate protection within the meaning of Article 25(1) of  Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other  subprocessor of the data importer who agrees to receive from the data importer or from  any other subprocessor of the data importer personal data exclusively intended for  processing activities to be carried out on behalf of the data exporter after the transfer in  accordance with his instructions, the terms of the Clauses and the terms of the written  subcontract;

(e) ‘the applicable data protection law‘ means the legislation protecting the fundamental rights  and freedoms of individuals and, in particular, their right to privacy with respect to the  processing of personal data applicable to a data controller in the Member State in which  the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at  protecting personal data against accidental or unlawful destruction or accidental loss,  alteration, unauthorised disclosure or access, in particular where the processing involves  the transmission of data over a network, and against all other unlawful forms of  processing.

Clause 2 – Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable  are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3 – Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i),  Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses  9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e)  and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data  exporter has factually disappeared or has ceased to exist in law unless any successor entity  has assumed the entire legal obligations of the data exporter by contract or by operation of  law, as a result of which it takes on the rights and obligations of the data exporter, in which  case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e)  and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the  data exporter and the data importer have factually disappeared or ceased to exist in law or  have become insolvent, unless any successor entity has assumed the entire legal  obligations of the data exporter by contract or by operation of law as a result of which it  takes on the rights and obligations of the data exporter, in which case the data subject can  enforce them against such entity. Such third-party liability of the subprocessor shall be  limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other  body if the data subject so expressly wishes and if permitted by national law.

Clause 4 – Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will  continue to be carried out in accordance with the relevant provisions of the applicable data  protection law (and, where applicable, has been notified to the relevant authorities of the  Member State where the data exporter is established) and does not violate the relevant  provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing  services will instruct the data importer to process the personal data transferred only on  the data exporter’s behalf and in accordance with the applicable data protection law and  the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and  organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the  security measures are appropriate to protect personal data against accidental or unlawful  destruction or accidental loss, alteration, unauthorised disclosure or access, in particular  where the processing involves the transmission of data over a network, and against all other  unlawful forms of processing, and that these measures ensure a level of security  appropriate to the risks presented by the processing and the nature of the data to be  protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed  or will be informed before, or as soon as possible after, the transfer that its data could be  transmitted to a third country not providing adequate protection within the meaning of  Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant  to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data  exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the  exception of Appendix 2, and a summary description of the security measures, as well  as a copy of any contract for subprocessing services which has to be made in  accordance with the Clauses, unless the Clauses or the contract contain commercial  information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance  with Clause 11 by a subprocessor providing at least the same level of protection for the  personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5 – Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its  instructions and the Clauses; if it cannot provide such compliance for whatever reasons,  it agrees to inform promptly the data exporter of its inability to comply, in which case the  data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling  the instructions received from the data exporter and its obligations under the contract and  that in the event of a change in this legislation which is likely to have a substantial adverse  effect on the warranties and obligations provided by the Clauses, it will promptly notify the  change to the data exporter as soon as it is aware, in which case the data exporter is  entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in  Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement  authority unless otherwise prohibited, such as a prohibition under criminal law to  preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that  request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its  processing of the personal data subject to the transfer and to abide by the advice of the  supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the  processing activities covered by the Clauses which shall be carried out by the data exporter  or an inspection body composed of independent members and in possession of the  required professional qualifications bound by a duty of confidentiality, selected by the data  exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing  contract for subprocessing, unless the Clauses or contract contain commercial  information, in which case it may remove such commercial information, with the exception  of Appendix 2 which shall be replaced by a summary description of the security measures  in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and  obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with  Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses  to the data exporter.

Clause 6 – Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach  of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is  entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph  1 against the data exporter, arising out of a breach by the data importer or his subprocessor  of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter  has factually disappeared or ceased to exist in law or has become insolvent, the data  importer agrees that the data subject may issue a claim against the data importer as if it  were the data exporter, unless any successor entity has assumed the entire legal  obligations of the data exporter by contract of by operation of law, in which case the data  subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order  to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer  referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of  their obligations referred to in Clause 3 or in Clause 11 because both the data exporter  and the data importer have factually disappeared or ceased to exist in law or have become  insolvent, the subprocessor agrees that the data subject may issue a claim against the data  subprocessor with regard to its own processing operations under the Clauses as if it were  the data exporter or the data importer, unless any successor entity has assumed the entire  legal obligations of the data exporter or data importer by contract or by operation of law, in  which case the data subject can enforce its rights against such entity. The liability of the  subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7 – Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary  rights and/or claims compensation for damages under the Clauses, the data importer will  accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable,  by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is  established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive  or procedural rights to seek remedies in accordance with other provisions of national or  international law.

Clause 8 – Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority  if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data  importer, and of any subprocessor, which has the same scope and is subject to the same  conditions as would apply to an audit of the data exporter under the applicable data  protection law.

3. The data importer shall promptly inform the data exporter about the existence of  legislation applicable to it or any subprocessor preventing the conduct of an audit of the  data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data  exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9 – Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is  established, namely Ireland.

Clause 10 – Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from  adding clauses on business related issues where required as long as they do not contradict the  Clause.

Clause 11 – Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on  behalf of the data exporter under the Clauses without the prior written consent of the  data exporter. Where the data importer subcontracts its obligations under the Clauses,  with the consent of the data exporter, it shall do so only by way of a written agreement  with the subprocessor which imposes the same obligations on the subprocessor as are  imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil

its data protection obligations under such written agreement the data importer shall  remain fully liable to the data exporter for the performance of the subprocessor’s  obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also  provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the  data subject is not able to bring the claim for compensation referred to in paragraph 1 of  Clause 6 against the data exporter or the data importer because they have factually  disappeared or have ceased to exist in law or have become insolvent and no successor  entity has assumed the entire legal obligations of the data exporter or data importer by  contract or by operation of law. Such third-party liability of the subprocessor shall be  limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred  to in paragraph 1 shall be governed by the law of the Member State in which the data  exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the  Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated  at least once a year. The list shall be available to the data exporter’s data protection  supervisory authority.

Clause 12 – Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services,  the data importer and the subprocessor shall, at the choice of the data exporter, return  all the personal data transferred and the copies thereof to the data exporter or shall  destroy all the personal data and certify to the data exporter that it has done so, unless  legislation imposed upon the data importer prevents it from returning or destroying all or  part of the personal data transferred. In that case, the data importer warrants that it will  guarantee the confidentiality of the personal data transferred and will not actively process  the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter  and/or of the supervisory authority, it will submit its data processing facilities for an audit  of the measures referred to in paragraph 1.

ANNEX A: FURTHER PROVISIONS

1. General Data Protection Regulation: References throughout these Clauses to Directive  95/46/EC shall be read as references to the General Data Protection Regulation  (2016/679) (the “Regulation”), or, if the data exporter is established in the United Kingdom  (the “UK”), to the Regulation and/or any UK local law which implements or supplements  the Regulation, as applicable from time to time, and in each case references to specific  articles or provisions of the Directive shall be read as references to the equivalent article  or provision in the Regulation or UK local law, where possible and as appropriate.

1. Onward Subprocessing: For the purposes of Clause 11 of these Clauses, the data  exporter hereby consents to the data importer subcontracting any or all of its data  processing operations performed under these Clauses in accordance with the DPA.

1. Data importers established in ‘adequate’ countries: To the extent Akeero Technologies Ltd. is  the recipient and processor of personal data pursuant to these Clauses and is:

(i) established in a jurisdiction recognised by the European Commission (or, if the  data exporter is established in the UK, then recognized by the relevant authorities  in the UK) as providing an adequate level of protection for personal data, the terms  of the DPA concerning transfers of personal data to other countries shall apply,  such that these Clauses will apply solely on onward transfer of the imported data  to monday.com Ltd.’s sub-processors that are located in a jurisdiction not  recognised by the European Commission as providing an adequate level of  protection for personal data; or

(ii) established in a jurisdiction not recognised by the European Commission as  providing an adequate level of protection for personal data, monday.com Ltd. shall  be the data importer for the purposes of these Clauses.

1. Data exporters established outside the European Economic Area: To the extent the  data exporter pursuant to these Clauses is established in a jurisdiction outside the  European Economic Area, these Clauses shall apply solely in respect of transfers of  personal data concerning individuals residing within the European Economic Area. In such  cases, references to “Member State” shall be read as references to the Member State  applicable in respect of the data exporter’s processing activities in relation to these  Clauses which concern personal data of individuals residing within the European  Economic Area.

1. Instructions: For the purposes of Clause 5(a) of the Standard Contractual Clauses, the  processing described in the DPA and any other mutually agreed upon written instrument  by data exporter and data importer constitute as data exporter’s instructions to data  importer at the time of entering the DPA and/or such written instrument, to process  Personal Data on data exporter’s behalf. Any additional or alternate instructions shall be  subject to the terms of the DPA.

1. Suspension of Data Transfers and Termination: If, pursuant to Clause 5(a), the data  exporter intends to suspend the transfer of personal data and/or terminate these Clauses,  it shall provide notice to the data importer and provide data importer with 30 days to cure  the non-compliance (“Cure Period”). If after the Cure Period the data importer has not or  cannot cure the non-compliance then the data exporter may suspend or terminate the

transfer of personal data immediately. The data exporter shall not be required to provide  such notice in instances where it considers there is a material risk of harm to data subjects  or their personal data. Notwithstanding any other terms in this Section F, in the event these  Clauses cease to be an appropriate safeguard for the transfer of the personal data in  accordance with the applicable data protection law by virtue of a binding decision by a  competent supervisory authority, the terms of the DPA concerning modifications  necessary pursuant to legislative and regulatory changes shall apply.

1. Data importer’s assistance: In the event the data exporter seeks to conduct any  assessment of the adequacy of these Clauses for the protection of the personal data being  transferred, the data importer shall provide reasonable assistance to the data exporter for  the purpose of any such assessment.

12. Audit Rights: Data exporter acknowledges and agrees that it exercises its audit right  under Clause 5(f) and Clause 12.2 by instructing data importer to comply with the audit  measures described in the DPA.

1. Transfers from Switzerland: Notwithstanding Section D above, in respect of data  transfers from a data exporter established in Switzerland, these Clauses shall be  interpreted in accordance with the governing law in Switzerland. In such cases, references  throughout these Clauses to Directive 95/46/EC shall be read as references to the relevant  legislation in Switzerland concerning data protection, privacy, data security or the handling  of information about individuals applicable to the data exporter, and defined terms in  Clause 1 shall have the meanings given to them (or reasonably equivalent terms) in such  legislation. References to “Member State” shall be read as references to Switzerland.  Without prejudice to Section A above, the parties further agree that that in respect of data  transfers where, under applicable privacy laws, the definition of “personal data” (or such  reasonably equivalent term) extends to information relating to legal entities, references in  these Clauses to “personal data” shall also include information relating to legal entities.  The parties further agree that, where required by applicable law or upon the request of the  relevant supervisory authority, they will do all such further acts as may reasonably be  required to grant effect to this Section H, including (but not limited to) executing all  documents.

APPENDIX 1 to the Standard Contractual Clauses

Data exporter

The data exporter is the entity identified as “Customer” or “Controller” in the DPA.

Data importer

The data importer is Akeero Technologies Limited, a provider of web services, and/or its subprocessors (as such term is used in the DPA), as determined by Akeero Technologies Limited in accordance with the terms of the DPA concerning cross-border data transfers.

Data subjects

The personal data transferred concern the categories of data subjects as described in the DPA.

Categories of data

The personal data transferred concern the categories of data as described in the DPA.  

Processing operations

The personal data transferred will be subject to the basic processing activities defined in Annex  1 of the DPA.

APPENDIX 2 to the Standard Contractual Clauses

Description of the technical and organisational security measures implemented by the  data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The technical and organisational security measures implemented by the data importer are as  referenced in the DPA and described in the Akeero Trust Centre.

‍

Data Processing Addendum

This data processing addendum (DPA) generally is a part of the Terms of Service (ToS) between Customer and Processor (Terms of Service). In the absence of an executed Terms of Service this DPA shall act as a standalone data processing agreement. In such a case any reference to Terms of Service in this DPA shall be construed as reference to the existing contractual arrangement that applies between Parties pursuant to which the Service Provider has agreed to process Personal Data on behalf of Customer.

This DPA is effective as of the date last signed.

BETWEEN:

(1) Customer; and

(2) Akeero Technologies Limited, a company incorporated in Ireland with company number 678048 whose registered office is at Suite J, 2100 Avenue 2000, Cork Airport Business Park, Co. Cork, Ireland (hereinafter referred to as Akeero, Processor or Service Provider),

individually referred to as a Party and together as Parties.

WHEREAS:

1. Customer Processes Customer Personal Data as Controller;
2. Customer appointed Processor to provide the services as referred to in the Terms of Service, whereby Processor will Process Customer Personal Data on behalf of Customer;
3. Parties have reached an agreement on the rights and obligations of Customer and Processor, when Processing Customer Personal Data on behalf of Customer and now wish to record these rights and obligations in this DPA.

NOW THEREFORE THE PARTIES AGREE AS FOLLOWS:

Definitions & Interpretation

1.1 In the event of conflict or inconsistency between this DPA and any of the terms and conditions of the Terms of Service, including any in respect of the protection of personal data, this DPA will be given precedence, unless otherwise set out herein.

1.2 In this DPA, unless otherwise defined, all capitalised words and expressions shall have the following meaning:

    Customer Personal Data means any Personal Data Processed by Processor on behalf of Customer pursuant to or in connection with the Terms of Service and this DPA.

1. Data Protection Law means data protection legislation or any statutory equivalent in force applicable to the Processing of Customer Personal Data, including the GDPR and the Irish Data Protection Acts 1988 to 2018 and/or the UK Data Protection Act 2018 (UK GDPR).
2. EEA means the European Economic Area.
3. GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
4. Processor Affiliate means an entity that is controlled by, in control of, or under common control with the Processor;
5. SCCs means the Commission Decision 2010/87 of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in non-adequate countries, as defined under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU) attached as Schedule 1.
6. Personal Data Breach means a Security Incident that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by the Processor.
7. Security Incident means any breach of security measures used by Processor to secure Customer Personal Data.
8. Security Incident Log means the electronic record described in article 4.1 below.
9. Subprocessor means a person or entity subcontracted by Data Processor to Process Customer Personal Data.  

The terms Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority shall have the meaning given to them in the GDPR.

• Processing Customer Personal Data

1. 2.1 For the purpose of this DPA, Akeero is the Processor of Customer Personal Data and Customer is the Controller.
2. The subject-matter of Processing of Personal Data by Processor is the performance of the Service pursuant to the Terms of Service. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.

1. Additionally, Akeero’s Customer Privacy Policy and Subprocessors pages contain further details about the Processing of Customer Personal Data by Processor and Subprocessors, including the purpose and nature of the Processing and type of Personal Data.

1. The Processor will (and will procure that Subprocessors will):
2. have no independent rights in relation to Customer Personal Data and only Process Customer Personal Data on behalf of and for the benefit of Customer, in accordance with the terms of the Terms of Service and this DPA together with Customer’s instructions, unless required to do so by applicable law to which Processor is subject, in which case the Processor shall inform Customer of that legal requirement before the Processing of that Customer Personal Data;
3. immediately inform Customer if, in its opinion, an instruction received from Customer infringes Data Protection Law;
4. not assume any responsibility for determining the purposes for which and the manner in which Customer Personal Data is Processed and not Process Customer Personal Data for purposes not determined by Customer;
5. not carry out any further research, analysis or profiling activity which involves the use of any element of the Customer Personal Data or any information derived from any Processing of such Customer Personal Data outside the scope of the Terms of Service and this DPA;
6. notify Customer promptly in the event that it is unable to comply with this DPA or its obligations under Data Protection Law or if it has reason to believe that the legislation applicable to it is likely to have a substantial adverse effect on the obligations provided under this DPA or otherwise prevents it from fulfilling the instructions received from Customer under this DPA;
7. If it has appointed a data protection officer, the Processor shall communicate the name and contact details of the data protection officer to Customer

1. 2.5 Customer accepts that its reimbursement for all costs accrued by the Processor in the context of its performance of this DPA, shall be considered as an additional expense to be reimbursed.

• 3. Right and obligations of Processor

1. Processor will:
2. keep Customer Personal Data confidential and take appropriate technical and organisational security measures to protect Customer Personal Data against unauthorised or unlawful Processing, accidental loss or damage or destruction. Akeero’s Trust Centre page contains the minimum security measures to be implemented by Processor;
3. only grant access to Customer Personal Data to persons under the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. Subprocessors listed in Akeero’s Subprocessors page are deemed approved by Customer. On the basis of this review, such access to Personal Data can be withdrawn, if access is no longer necessary, and Personal Data shall consequently not be accessible anymore to those persons;
4. assist Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Customer’s obligations to respond to requests for exercising the data subject’s rights laid down in Data Protection Law and will inform Customer as soon as possible, and no later than 48 (forty eight) hours, if it receives a complaint or request from a Data Subject in respect of Customer Personal Data. Such assistance will be provided subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for these services;
5. will only hold complaints or requests from Data Subjects seeking to exercise their rights under applicable Data Protection Laws until such time as the records have been securely transferred to Customer. The Processor shall not respond -and shall ensure that Sub-processors do not respond- to requests from Data Subject exercising their rights except on the written instructions of Customer (subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for these services ) or as required by the applicable Data Protection Laws to which the Processor or Sub-processor is subject, in which case the latest shall to the extent permitted by laws, inform Customer of the existence and detailed provisions of that legal requirement before it responds to the request.
6. assist Customer in ensuring compliance with its obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Customer Personal Data (a data protection impact assessment) (subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for this assistance) , when applicable, its obligation to consult the competent Supervisory Authority, prior to Processing where a data protection impact assessment, indicates that the processing would result in a high risk;
7. assist Customer in the event of an investigation or audit by a Supervisory Authority, to the extent that such investigation or audit relates to Processor’s Processing of Customer Personal Data and inform Customer as soon as possible if a Supervisory Authority requests an investigation or audit of Processor relating to Processor’s Processing of Customer Personal Data;
8. maintain records of all Processing operations under its responsibility that contain at least the minimum information required by Data Protection Law.

• Security Incidents

1. The Processor (and shall procure that all its Subprocessors) will maintain an up to date electronic record of all discovered Security Incidents (Security Incident Log). The incident log shall contain at least a description of the Security Incident, including the date and time the Security Incident was discovered. If a Security Incident is a Personal Data Breach the log shall also contain an overview of the affected Customer Personal Data and the categories and number of affected Data Subjects.
2. The Processor will (and shall procure that all its Subprocessors will) without delay, but in any event within 36 hours, inform Customer in writing of any actual or suspected Personal Data Breaches. The Processor must take all adequate remedial measures immediately and must promptly provide Customer with all relevant information and assistance as requested by Customer regarding the actual or suspected Personal Data Breaches. The notification of a Personal Data Breach to Customer will include at a minimum:
3. a description of the Personal Data Breach, including the date and time the Personal Data Breach was discovered;
4. an overview of the affected Customer Personal Data and the categories and number of affected Data Subjects;
5. information on the (expected) consequences of the Personal Data Breach; and
6. a description of the measures taken by the Processor to limit the consequences of the Personal Data Breach.

If the Processor is unable to communicate all information relating to the Personal Data Breach simultaneously, the Processor shall provide the information as soon as the information becomes available.

The Processor shall not do any notification, statement, communication, press release or other public announcement relating to a Personal Data Breach without prior consultation and written consent of Customer.

1. In relation to an actual or suspected Personal Data Breach, the Processor shall (and shall procure that all Subprocessors) provide Customer all reasonable assistance, including to minimise the impact of the Personal Data Breach, prevent a similar Personal Data Breach from recurring, effect a reconstruction or recovery of the relevant Customer  Personal Data and to comply with Customer’s obligations under Data Protection Law in relation to the Personal Data Breach.  

• Subprocessors

1. Customer hereby grants the Processor general written authorisation for the engagement of Subprocessors, under the conditions that the Processor shall remain fully liable to Customer as regards the fulfilment of the obligations of the Subprocessor and that the Processor and the Subprocessor have entered into an agreement that imposes obligations on the Subprocessor that are no less restrictive than those imposed on the Processor under this DPA, and provides for sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
2. Where Sub-processors are engaged, the Processor shall before the Sub-processor first processes Customer Personal Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this  DPA.
3. The Subprocessors listed in Akeero’s Subprocessors page are hereby approved by Customer.

• Audit Rights

1. Upon Customer’s written request, the Processor will provide Customer, with the results of the most recent data security compliance reports or any audit performed by or on behalf of the Processor that assesses the effectiveness of the Processor’s information security program, system(s), internal controls, and procedures relating to the processing of Customer Personal Data.
2. Upon reasonable advance written notice to the Processor, Customer may, on reasonable notice of not less than thirty days and no more than once in a calendar year, during normal business hours, audit the Processor’s facilities, Processor’s Security Incident Log, networks, systems, procedures, Processing and maintenance of Customer Personal Data, and its compliance with its obligations under this DPA. Notwithstanding the foregoing, Customer will be permitted to exercise such audit right any time a Security Breach has occurred. The Processor will cooperate with such audit by providing reasonable access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Customer Personal Data. Customer will be responsible for the costs and expenses of such audit (or the fees and costs of the third party performing the audit).

• Data transfers

1. The Processor will abide by the requirements under Data Protection Law regarding the transfer of Customer Personal Data from the EEA to countries outside the EEA. Unless otherwise provided for in Annex 1, the Processor shall not transfer or process any of Customer Personal Data outside of the territory of the EEA or outside the territories defined in Annex 1 without the explicit prior written consent of Customer. If the Processor obtains such consent, the Processor shall ensure that such transfer/access is only implemented provided that the transfer is covered by:
2. binding corporate rules approved by a competent Supervisory Authority in accordance with Article 47 GDPR;
3. an approved code of conduct or certification mechanism pursuant to Article 46 GDPR;
4. standard data protection clauses adopted by the European Commission pursuant to Article 46 GDPR.
5. an adequacy decision of the European Commission pursuant to Article 45 GDPR.
6. To the extent that a Subprocessor is based in a third country that does not provide an adequate level of protection, and the transfer of Customer Personal Data is not covered by one or more safeguards listed in 7.1(a), 7.1(b) or 7.1 (d) Parties hereby agree to enter into the SCCs, attached as Schedule 1 to this DPA for the transfer of Customer Personal Data from Customer to the Processor and subject to the Controller confirming that, in its opinion, the transfers will meet the requirements set out by the Court of Justice of the European Union in the Schrems II case.
7. If the Processor intends to transfer Personal Data to an engaged Sub-processor located outside of the EEA and the Processor opts to have such transfer covered by the SCCs, the Company hereby authorizes the Processor to enter into such SCCs in the Company’s name and on its behalf.
8. At Customer’s request, the Processor shall provide a copy of any document evidencing the implementation of any of the above-mentioned measures to cover the transfer/access of Customer Personal Data.

• Termination and erasure and return of data

1. On termination of the Terms of Service, or earlier as obliged by contract with Customer, the Processor will destroy, or at Customer’s election and in accordance with any instructions from Customer will deliver to Customer, or enable Customer to do so by means of the functionality provided by the Services, all Customer Personal Data in its possession, custody and control, except for such information as must be retained under applicable law and insofar as is technically possible.
2. To the extent that the Processor retains any such Customer Personal Data beyond termination or expiration of the Terms of Service or as earlier requested by Customer because such retention is required under applicable law, this DPA will remain in full effect and the Processor will immediately destroy all such Customer Personal Data so retained once such retention is no longer required under applicable laws insofar as is technically possible. At Customer’s request, the Processor will provide Customer with a written log evidencing the destruction of Customer Personal Data.
3. At such time when Customer Personal Data is either returned or destroyed in full, this DPA will expire automatically.

• Liability

1. Notwithstanding provisions of the Terms of Service, the Controller remains liable for any direct and/or indirect damages arising out of or in connection with a breach of this DPA, or Customer’s instructions under this DPA, by the Processor, Processor Affiliates or any Subprocessor, their directors, officers, employees or other individuals working under their control and/or supervision.
2. Notwithstanding provisions of the Terms of Service, the Controller shall , indemnify and hold the Processor harmless for any costs, claims, losses, damages, liabilities and expenses (including legal expenses) resulting from any data breach or Customer’s instructions under this DPA by Processor or any Subprocessor, their directors, officers, employees or other individuals working under their control and/or supervision.

• Applicable law and forum

1. This DPA and any dispute or claim arising out of it or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the laws of Ireland.
2. Any dispute, controversy or claim arising out of or in connection with this DPA, its subject matter or formation shall be submitted to the exclusive jurisdiction of the competent Courts of Ireland.

• Annex 1 – Details of the Processing

• Nature and Purpose of Processing

• Providing the Service to Customer;
• Performing the Terms of Service, this DPA and/or other contracts executed by the Parties;
• Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Terms of Service;
• Providing support and technical maintenance, if agreed in the Terms of Service;
• Preventing, mitigating and investigating the risks of data security incidents, fraud, error or any illegal or prohibited activity;
• Resolving disputes;
• Enforcing the Terms of Service, this DPA and/or defending Processor’s rights;
• Complying with applicable laws and regulations;
• All tasks related with any of the above.

• Duration of Processing

Subject to any Section of the DPA and/or the Terms of Service dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Terms of Service for the duration of the Agreement, unless otherwise agreed upon in writing.

• Type of Personal Data

Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion.

• Categories of Data Subjects

Customer may submit Personal Data to the Service which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

• Employees, agents, advisors, freelancers of Customer (who are natural persons)
• Prospects, customers, business partners and vendors of Customer (who are natural persons)
• Employees or contact persons of Customer’s prospects, customers, business partners and vendors
• Any other third party individual with whom Customer decides to communicate through the Service.

‍

Akeero uses certain monitoring and tracking technologies, such as cookies, beacons, pixels, tags,  and scripts (collectively, “Cookies”). These technologies are used in order to provide, maintain, and  improve our website and platform (the “Services”), to optimise our offerings and marketing activities,  and to provide our visitors, customers and users (“you”) with a better experience (for example, in order  to track users’ preferences, to better secure our Services, to identify technical issues, and to monitor and  improve the overall performance of our Services).

This page contains information on what Cookies are, the types of Cookies used on our Services, how to  switch Cookies off in your browser, and some useful links for further reading on the subject. If you are  unable to find the information you were looking for, or you have any further questions about the use of  Cookies on our Services, please email privacy (at) akeero.com.

For more information about our general privacy practices, please visit our Privacy Notice.

What are Cookies?

Cookies are small text files that are stored through the browser on your computer or mobile device (for  example, Google Chrome or Safari). They allow websites to store information like user preferences. You can think of Cookies as providing a so-called memory for the website, so that it can recognise you when you come back, and respond appropriately. Cookies are typically classified as either “session cookies” which are automatically deleted when you close your browser or “persistent cookies” which will usually remain on your device until you delete them or they expire.

How do we use Cookies?

Akeero uses several different types of Cookies on our website and platform:  

Performance Cookies

This type of Cookie helps us to secure and better manage the performance of our Services, and remembers your preferences for features found on the Services, so you don’t have to re-set them each time you visit.

Analytics Cookies

Every time you visit our Services, the analytics tools and services we use generate Cookies which can tell us (so long as they are allowed and not deleted) whether or not you have visited our Services in the past, and provide additional information regarding how visitors and users use our Services (such as how many visitors we have on a certain landing page, how often they visit, or where users tend to click on our Services). Your browser will tell us if you have these Cookies and, if you don’t but do allow new Cookies to be placed, we will typically generate and place new ones.  

Registration Cookies

When you register and sign into our Services, we generate Cookies that let us know  whether you are signed in or not, and maintain your login session.

Our systems use these Cookies to work out which account on our Services you are signed into and if you are allowed access to a particular area or feature on such account.

While you are signed into our Services, we combine information from your Registration Cookies with Analytics Cookies, which we could use to learn, for example, which pages you have visited.

Marketing & Advertising Cookies

These Cookies allow us to know whether or not you’ve seen an ad or a type of ad online, how you interacted with such an ad, and how long it has been since you’ve seen it.

We also use Cookies to help us with targeted advertising. We may use Cookies set by another organisation, so we can more accurately target advertisements to you.

We also set Cookies on certain other sites that we advertise on. If you receive one of those Cookies, we may use it to identify you as having visited that site and viewing our ad there, if you later visit our Services. We can then target our advertisements based on this information.

Third-Party Integration Cookies

On some pages of our Services, other organisations may also set their own Cookies. They do this to enable and improve the performance and interoperability of their applications, features or tools that are integrated with our Services, to track their performance, or to  customise their services for you.

How can you turn Cookies off (or remove them)?

All modern web browsers allow you to change your Cookie settings. You can usually find these settings in the ‘Options’ or ‘Preferences’ menu of your browser. In order to understand these settings, the following links to ‘cookies’ help pages may be helpful or you can use the ‘Help’ option in your browser for more details.

• Internet Explorer
• Chrome
• Mozilla Firefox
• Safari (Desktop)
• Opera

In addition, on your mobile device (e.g., iPhone, iPad or Android phone), you can change your device settings to control whether you see online interest-based ads.

Useful links

To find out more about Cookies and their use on the Internet, you may find the following websites useful:

www.allaboutcookies.org
https://www.youronlinechoices.com

“Do Not Track” Signals

Some web browsers may transmit “Do Not Track” signals to websites with which the browser  communicates, telling the website not to follow its online movements. Because of differences in how web browsers interpret this feature and send those signals, and lack of standardisation, it is not always clear whether visitors and users intend for these signals to be transmitted or whether they are even aware of them. Therefore, as many other reputable websites and online platforms, we currently do not respond to such “Do Not Track” signals.

‍

Akeero Technologies Ltd. (“Akeero”, “us”, “we”, or “our”) operates the akeero.com website (“Site”) and the Akeero web application (“Service”), collectively known as “Services”.

This page informs you (“You”, “Visitor” or “User”) of our policies regarding the collection and use of personal data when you use our Services and the choices you have associated with that data.

We use your data to provide and improve the Services. By using the Services you agree to the collection and use of information in accordance with this notice. Unless otherwise defined in this Privacy Notice, terms used in this Privacy Notice have the same meanings as in our Terms of Service (ToS) and Data Processing Addendum (DPA).

Types of Data Collected

Personal Data

While using our Services, we may ask you or your data controller to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personal Data may include, but is not limited to:

• First name
• Last name
• Email address
• Location
• Contact phone number
• Profile photo – if you decide to upload to the application
• Cookies and Usage Data

Usage Data

We may also collect information that your browser sends whenever you use our Services (“Usage Data”).

This Usage Data may include information such as your computer’s Internet Protocol address (i.e. IP address), browser type, browser version, the pages of our Services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data.

When you access the Services by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers and other diagnostic data.

Cookies and Tracking Technologies

We and some of our Service Providers use cookies and similar tracking technologies for performance, tracking, analytics and personalisation purposes.

Our Site and Service (including some of our Service Providers) utilise “cookies”, anonymous identifiers, container tags and other technologies in order for us to provide our Service and ensure that it performs properly, to analyse our performance and marketing activities, and to personalise your experience. Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall Personal Data, such as an IP address, previously indicated by a User. To learn more about our practices concerning cookies and tracking, please see our Cookie Policy.

Please note that we do not change our practices in response to a “Do Not Track” signal in the HTTP header from a browser or mobile application, however, most browsers allow you to control cookies, including whether or not to accept them and how to remove them. You may set most browsers to notify you if you receive a cookie, or to block or remove cookies altogether.

Use of Data

The legal basis for the processing of the above information is consent. Akeero uses the collected data for various purposes:

• To provide and maintain our Services.
• To notify you about changes to our Services.
• To allow you to participate in interactive features of our Services when you choose to do so.
• To provide customer support.
• To gather analytics information so that we can improve our Services.
• To monitor the usage of our Services.
• To detect, prevent and address technical issues.

Statistical Data Use

Akeero does not claim ownership of the Customer Data or personally identifiable data provided during the operation of the Services. Akeero may, however, utilise anonymous usage statistics and performance metrics to improve and administer the Services, for Akeero’s internal use and other lawful purposes. Such data may include, without limitation, the number of records held in the Services, the number and types of transactions, configurations, reports processed in the Services and the performance results for the Services. Nothing herein shall be interpreted as prohibiting Akeero from utilising the aggregated statistics for the purposes of operating Akeero’s business, provided that Akeero’s use of aggregated statistics will not reveal the identity, whether directly or indirectly, of Customer, any individual or any specific data entered by Customer or any individual into the Services.

Communications

We engage in service and promotional communications through e-mail, phone, SMS and notifications.

Service Communications

We may contact you with important information regarding our Service. For example, we may send you notifications (through any of the means available to us) of changes or updates to our Service, billing issues, service changes, log-in attempts or password reset notices, etc. Please note that you will not be able to opt-out of receiving certain service communications which are integral to your use (like password resets or billing notices).

Promotional Communications

We may also notify you about new features, additional offerings, events and special opportunities or any other information we think our Users will find valuable. We may provide such notices through any of the contact means available to us (e.g. phone, mobile or e-mail), through the Service, or through our marketing campaigns on any other sites or platforms. If you do not wish to receive such promotional communications, you may notify Akeero the time by following the “unsubscribe”, “stop”, “opt-out” or “change e-mail preferences” instructions contained in the promotional communications you receive.

Protection of the data we collect

Security is at the heart of Akeero. We have applied organisational and technical security measures to safeguard and prevent unauthorised access to your data, and take all steps reasonably necessary to protect your data in accordance with the GDPR, other applicable laws, and security best practice. You can read more about this on our Trust Centre.

Disclosing and transfers of your personal data

Akeero may disclose your personal data to the following categories of third party recipients:

• Regulatory authorities
• Akeero’s subprocessors

When we transfer personal data from the EEA to other countries, we rely on the lawful transfer mechanisms in the GDPR, such as the “adequacy decisions” made by the European Commission (e.g. the decisions deeming the UK and Israel as providing an adequate level of protection to personal data originating from the EEA), and the EC Standard Contractual Clauses.

Retention Location and Retention

We store your data in multiple locations around the world, for as long as necessary in accordance with our reasonable business needs (as necessary for the performance of our Services or for supporting and exercising our legitimate interests); and in accordance with our legal obligations.

Data Location

We and our authorised Service Providers (defined below) maintain, store and process Personal Data in Ireland and the United States, and other locations as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.

Akeero is headquartered in Ireland. While privacy laws may vary between jurisdictions, Akeero and its Service Providers are each committed to protect Personal Data in accordance with this Privacy Policy, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction from which such data originated.

Notwithstanding the foregoing, Personal Data may only be processed in such locations as permitted in our Data Processing Addendum and any other commercial agreements with a Customer.

Data Retention

We will retain your Personal Data for as long as it is reasonably necessary in order to maintain and expand our relationship and provide you with our Service and offerings; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy.

Please note that except as required by applicable law or our specific agreements with you, we will not be obligated to retain your Personal Data for any particular period, and we are free to securely delete it or restrict access to it for any reason and at any time, with or without notice to you. If you have any questions about our data retention policy, please contact us by email at privacy (at) akeero.com.

Data Sharing

We share your data (and your feedback) with our Service Providers; within our group; in accordance with legal compliance and amongst Users on your projects.

Legal Compliance

In exceptional circumstances, we may disclose or allow government and law enforcement officials access to your Personal Data, in response to a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that: (a) we are legally compelled to do so; (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or (c) such disclosure is required to protect the security or integrity of our products and services.

Service Providers

We may engage selected third party companies or individuals to perform services complementary to our own. Such service providers may include providers of Third Party Solutions (as defined in the Terms of Service) such as hosting and server co-location services, communications and content delivery networks (CDNs), data and cyber security services, billing and payment processing services, fraud detection and prevention services, web analytics, e-mail distribution and monitoring services, session or activity recording services, remote access services, performance measurement, data optimisation and marketing services, social and advertising networks, content providers, e-mail, voicemails, support and customer relation management systems, resellers, distributors and providers of professional services related to our Service, and our legal, compliance and financial advisors (collectively, “Service Providers“).

These Service Providers may have access to your Personal Data, depending on each of their specific roles and purposes in facilitating and enhancing our Service, and may only use it for such limited purposes as determined in our agreements with them. When our Service Providers contact you in order to offer or promote our Service, they may additionally interest you in their own services. Should you decide to engage in such activities with Akeero’s Service Providers, please note that such engagement is beyond the scope of Akeero’s Terms of Service, and Privacy Policy, and will therefore be covered by our Service Provider’s terms and privacy policies.

Our Service Providers shall be deemed as ‘Data Processors’ in circumstances where Akeero assumes the role of ‘Data Controller’; and where Akeero acts as the Data Processor for our Customer, the Service Provider shall be deemed our ‘Sub-Processor’ (as further described below). A list of Akeero’s Sub-Processors is available here.

Third Party Websites and Services

Our Services may also include links to third party websites, and integrations with Third Party Services (as defined in the Terms). Such websites and Third Party Services, and any information you process, submit, transmit or otherwise use with such websites and Third Party Services, are governed by such third party’s terms and privacy practices and policies, and not by this Privacy Policy. We encourage you to carefully read the terms and privacy policies of such websites and Third Party Services.

Sharing Personal Data with our Customers and other Users

We may share your Personal Data with the Customer owning the Account to which you are subscribed as a User (including data and communications concerning your User Profile). In such cases, sharing such data means that the Account’s Admin(s) may access it on behalf of the Customer, and will be able to monitor, process and analyse your Personal Data. This includes instances where you may contact us for help in resolving an issue specific to a team of which you are a member (and which is managed by the same Customer).

Any other Customer Data or other content submitted by you to Projects may still be accessed, copied and processed by the Customer’s Admin(s). Your User Profile and User Data will also be made available to all the authorised Users who can view the same Project(s) as you. Please note that Akeero is not responsible for and does not control any further disclosure, use or monitoring by or on behalf of the Customer, that the Customer itself acts as the “Data Controller” of such data.

If you register or access the Service using an e-mail address at a domain that is owned by your employer or organisation (our Customer), and another team within such Customer’s organisation wishes to establish an account on the Service, certain information about you including your name, profile picture (if supplied), contact info and general use of your account may become accessible to the Customer’s Admins and Users.

Sharing your Feedback or Recommendations

If you submit a public review or feedback, note that we may (at our discretion) store and present your review to other users of our Sites and Service (including other Customers). If you wish to remove your public review, please contact us or contact your Customer Success representative.

Community Forum

Our Sites include public blogs or forums, such as Akeero Community. Any information you submit on these forums, blogs and communities – including profile information associated with the Account you use to post the information – may be read, collected, and used by others who access these Sites. Due to the nature of such public forums, your posts and certain profile information may remain visible to all even after you terminate your Account. To request removal of your information from publicly accessible Sites operated by us, please contact us or contact your CUstomer Success representative. In some cases, we may not be able to remove your information, in which case we will let you know if we are unable to and why.

Protecting Rights and Safety

We may share your Personal Data with others if we believe in good faith that this will help protect the rights, property or personal safety of Akeero, any of our Users or Customers, or any members of the general public.

Further Uses

For the avoidance of doubt, Akeero may share your Personal Data in additional manners, pursuant to your explicit approval, or if we are legally obligated to do so, or if we have successfully rendered such data non-personal and anonymous. We may transfer, share or otherwise use non-personal data at our sole discretion and without the need for further approval.

Your Rights

Individuals have rights concerning their Personal Data. You may exercise your rights by contacting us or your Customer Success representative.

You may exercise any of the rights described in this section by emailing privacy(at)akeero.com or your Customer Success representative. We endeavour to respond to all requests as quickly as possible, however, it may take up to 30 calendar days from your initial communication for our team to process your request completely.

Right to access

You have a right to get access to the personal data that we process about you and receive more information about the processing of your data. This also enables you to receive a copy of the personal data we hold about you.

Right to withdraw consent

Where processing is based on consent please note that you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

Right to rectification

You have a right to rectification of inaccurate personal data and to update incomplete information.

Right to restriction of processing

You have a right to request us to restrict the processing of your personal data.

Right to erasure (“right to be forgotten”)

You have the right, under certain circumstances, to request the deletion or removal of your information from our systems

Right to data portability

You have a right to data portability. You can request to transfer the personal data to a third party you have chosen in a structured, commonly used, machine-readable format. This right only applies to automated information for which you initially provided consent.

Right to object

You also have the right to object to certain types of processing, for example when the legal ground for the processing of your personal data is our legitimate interest.

Additional Notices

Updates and Amendments

We may update and amend this Privacy Policy from time to time by posting an amended version on our Service. The amended version will be effective as of the “effective date” it is published, seen at the bottom of this Privacy Notice. When we make material changes to this Privacy Policy, we’ll provide Users with notice as appropriate under the circumstances, e.g., by displaying a prominent notice within the Service or by sending an email. Your continued use of the Service after the changes have been implemented will constitute your acceptance of the changes.

External Links

While our Services may contain links to other websites or services, we are not responsible for their privacy practices. We encourage you to pay attention when you leave our Services for the website or application of such third parties, and to read the privacy policies of each and every website and service you visit. This Privacy Policy applies only to our Services.

Our Service is not designed to attract children under the age of 16

We do not knowingly collect Personal Data from children and do not wish to do so. If we learn that a person under the age of 16 is using the Services, we will attempt to prohibit and block such use and will make our best efforts to promptly delete any Personal Data stored with us with regard to such child. If you believe that we might have any such data, please contact us by email at privacy (at) akeero.com.

Questions, concerns or complaints

If you have a question, comment or concerns about this privacy policy or any of our personal data protection practices, please contact Akeero’s Privacy Offer by sending an email to privacy(at)akeero.com.

Although we hope you will give us the chance to listen and address your concerns before you approach a data protection authority, if you are a GDPR-protected individual, you have the right to make a complaint regarding Akeero’s processing of your personal data to the Irish Data Protection Commissioner, or your local Data Protection Authority.

‍