2. Data Controller
Amity has also appointed Amity Europe S.r.l. as Representative in the EU according to Article 27, GDPR. It has been duly authorized to represent the Controller for issues relating to compliance with the GDPR, including dealing with any EU supervisory authority and data subjects. Therefore, if you are an EU citizen you may also contact the Representative to receive further information on the processing of your personal data and rights under the GDPR.
3. Types of Personal Data Processed
When we talk about personal data, we refer to all the information relating to an identified or identifiable natural person. Therefore, when we refer to your personal data, we refer to any information that allows us to identify you, directly or indirectly (the “Personal Data”).
We collect the following categories of Personal Data through your use of our Services or when you are surfing our Website:
- first and last name;
- email address;
- phone number;
- geographic position;
- job title;
- date of birth (optional);
- usage data, which are collected automatically through the Services, and can include: IP addresses or domain names, uniform resource identifier, features of the browser and operating system utilized, user’s country of origin.
4. How we Collect Your Personal Data
We collect your Personal Data either when you provide it voluntarily (for instance, when you fill in a form on our Website to file a request) or automatically, while you are using our Services (for instance, when using our chat tool).
For some of our Services, you will be invited to access and use them by an organization (e.g. your employer or another third party), which acts as a customer of the Controller (the “Customer”). In these cases, you will be an authorized end user (“Authorized End User”) and your Personal Data will be provided to us by the Customer in order to allow you to use our Services.
Unless otherwise specified, we only collect the Personal Data that are necessary to provide our Services. Therefore, unless stated otherwise, all the information requested when using the Services is mandatory, and failure to provide it may make it impossible for the Services to function. When it is specifically stated that some data are not mandatory, you are free to decide not to share them with us without any consequence on the availability or functioning of the Services.
5. Purposes of Data Processing and Legal Basis
Amity processes your Personal Data for the purposes and according to the legal bases described below.
- Execution of the Contract and Performance of the Services
The Controller processes your Personal Data to allow you to use our Services.
Depending on whether you have a direct contractual relationship with Amity or you have been provided access to our service by a Customer, the legal basis for these processing activities is the necessity to perform an existing agreement and/or for any pre-contractual obligations with you (Art. 6, par. 1, let. c), GDPR) or the legitimate interest of the Controller to execute the agreement concluded with the Customer (Art. 6, par. 1, let. f), GDPR).
Please find below more detailed information on how we process your Personal Data depending on the different type of Service you are requesting.
Eko offers a virtual workspace helping teams to stay connected while working remotely.
To offer this service, the Controller processes your Personal Data that can be provided by the Customer that gives you access to Eko’s platform (for instance, your employer) or by yourself. These Personal Data include your name, user profile, and conversations.
Third Party Products.
A Customer can choose to permit or restrict Third Party Products for its workspace. Typically, Third Party Products are software that integrates with our Services, and a Customer can permit its Authorized End Users to enable and disable these integrations for its workspace.
Eko Services may also connect with a Third Party Product. Once enabled, the provider of a Third Party Product may share certain information with Eko to facilitate the integration.
You should check the privacy settings and notices in these Third Party Products to understand what data may be disclosed to Eko.
We do not receive or store passwords for any of these Third Party Services when connecting them to the Services.
Third Party Products Data.
Eko may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners, or others that we use to make our own information better or more useful.
This data might include aggregate-level data, such as which IP addresses correspond to zip codes or countries.
- Marketing and Advertising
Amity may contact you at your business email or phone number to introduce you to our products and Services and offer our support to your business.
The Controller will contact you only when we reasonably believe our Services may support your goals or you may be interested based on the industry you are operating in. Moreover, we will contact you with marketing and advertising emails and calls if you have asked for information or begun a search for a service or product we provide.
The legal basis for this processing activity is the legitimate interest of the Controller to conduct direct marketing activities (Art. 6, par. 1, let. f), GDPR and Recital 47, GDPR).
Object to Processing of Personal Data for Direct Marketing.
You always have the right to object to the processing of your Personal Data for Direct Marketing activities at any moment by contacting the Controller or replying to our emails.
- Management of the Websites
Amity runs all the Websites for the several companies of the Group, which you may find listed below. To operate these websites and offer you all the connected services, the Controller processes the Personal Data whose transmission is implicit in the use of Internet communication protocols. These data include IP addresses, domain names of your device, the timing and method of your request, the file transmitted, and information on your operating system and device.
These data are also anonymized and used to obtain statistical information on the use of the Websites, to ascertain their correct functioning and the possibility of cyber crimes.
The legal basis for this processing activity is the legitimate interest of the Controller to manage the Websites and protect you from possible cyber crimes (Art. 6, par. 1, let. f), GDPR).
List of Websites:
- Managing Your Requests
You can contact the Controller through the specific form in our Websites or our phone numbers.
To manage your requests, the Controller needs to process the provided Personal Data such as your name, contacts and the content of your message. Accordingly, we suggest you provide us only the information that we need to comply with your request.
The legal basis for this processing activity is the legitimate interest of the Controller to comply with your requests (Art. 6, par. 1, let. f), GDPR).
- Compliance with Legal Obligations
The Controller may need to process your Personal Data to comply with legal obligations connected to its activities and/or the Services provided to you and the Customer.
The legal basis for this processing activity is the necessity to comply with legal obligations (Art. 6, par. 1, let. c), GDPR).
6. How we Process Your Personal Data
We take security of Personal Data very seriously. Hence, we have taken appropriate security measures to prevent unauthorized access, disclosure, modification, or destruction of Personal Data. Please have a look at our GDPR commitment.
7. Who Processes Your Personal Data
To carry out the processing activities described in paragraph 5 above, your Personal Data will be accessed by the necessary employees and collaborators of the Controller.
Moreover, your Personal Data will be shared with other companies that support Amity to provide the Services. These companies include the other companies of the Group that offer the requested service; companies that support the Controller to set up and manage the ICT infrastructure; companies supporting Amity for archiving purposes; mail carriers; hosting providers; communications agencies; subjects that provide legal and/or tax consultancy.
Moreover, Amity uses Amazon Web Services’ cloud platform to securely store your Personal Data. In particular, we asked Amazon to store your Personal Data in servers located in your country.
Where required by the applicable legislation, these companies have been appointed data processors by the Controller in compliance with Article 28 GDPR to guarantee that your Personal Data are protected also when processed by third parties.
You are entitled at any time to request from the Controller an updated list of all such third parties that process your Personal Data.
8. International Data Transfer
Amity is the parent company of a multinational Group of companies. Hence, it operates in several countries and your Personal Data may be transferred where the Controller has its operating offices as well as in foreign countries where the companies of the Group and / or third party providers are located.
To ensure that your Personal Data always receive the same degree of protection when they are processed outside the UK and the EU/European Economic Area (EEA), Amity ensures that the receiving companies are bound by the Standard Contractual Clauses, which establish obligations similar to those imposed by the UK Data Protection Act 2018 and the GDPR.
You are entitled at any time to request from the Controller an updated list of all the countries where your Personal Data may be transferred as well as the safeguards established by Amity.
9. Retention time
Amity processes and stores your Personal Data only as long as required by the purpose they have been collected for.
Accordingly, depending on the processing activity, your Personal Data will be deleted within 10 years from:
- the end of the contractual relationship with you or our Customer;
- your decision to opt out of our marketing activities. In any case, upon your opting out, we will immediately stop sending you marketing communications and we will retain your data only when necessary to comply with a legal obligation or perform a contract;
- the end of your surfing session on our Websites;
- our compliance with your requests.
The Controller may be obliged to retain your Personal Data for a longer period whenever required to do so for the performance of a legal obligation or upon order of an Authority.
Once the retention period expires, Personal Data will be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
10. Your Rights as Data Subject
You may exercise certain rights regarding your Personal Data processed by the Controller. In particular, you have the right to:
Withdraw Consent at Any Time. You have the right to withdraw the consent you have previously given to the processing of your Personal Data.
Object to Processing of Personal Data. You have the right to object to the processing of your Personal Data if the processing is carried out on a legal basis other than consent.
Access Your Personal Data. You have the right to learn if the Controller is processing your Personal Data, to obtain disclosure regarding certain aspects of the processing and to obtain a copy of the Personal Data undergoing processing.
Verify and Seek Rectification. You have the right to verify the accuracy of your Personal Data and ask for them to be updated or rectified.
Restrict the Processing of Personal Data. You have the right, under certain circumstances, to restrict the processing of your Personal Data. In this case, the Controller will not process that Personal Data for any purpose other than safely storing it.
Have Personal Data Deleted or Removed. You have the right, under certain circumstances, to obtain the erasure of your Personal Data.
Receive Personal Data and Transfer Them to Another Controller. You have the right to receive your Personal Data in a structured, commonly used and machine readable format and, if technically feasible, to have it transmitted to another controller without any hindrance.
Lodge a Complaint. You have the right to bring a claim before your competent Data Protection Authority. For the controversies arising directly in the UK, the competent Data Protection Authority is the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
- Amity Technologies UK Ltd.
- Amity Technologies (Thailand) Co., Ltd.
- Amity North America Inc.
- Amity Europe S.r.l.