CodaBox and the protection of your privacy
This notice explains how, as a data controller, CodaBox NV/SA and Isabel NV/SA (“we”, “us”, “our”) with offices at Diestsepoort 1 – 3000 Leuven (phone: +32 2 880 84 80), processes personal data we collect from you through the codabox.com and Zoomit.be website and CodaBox services.
CodaBox NV/SA is part of Isabel Group which is composed of Isabel NV/SA, CodaBox NV/SA, Clearfacts BV/SRL and Clearnox SAS.
Zoomit is a CodaBox service provided by three parties: the document sender, your bank and CodaBox NV/SA; each party is only controller for some parts of the processing activities performed to provide the Zoomit service.
2 Updates to this Privacy Notice
We reserve the right to modify this notice at any time, but will in any case do so in accordance with the applicable laws and regulations. We will inform you by email, when possible, of any substantial changes to this notice.
This notice was last modified and revised on the 29/04/2021.
3 Information We Collect
3.1 Customer Relationship
When you or your company becomes a customer of Isabel Group or one of its member companies, we collect the following types of personal data about you:
- Identification data: your name, email address, language preference and phone number, we will also assign you or your company a customer number;
- Information about your work: your job title, employer and work address;
- The products you or your company uses and invoicing information.
When you contact us through our website or via email, we collect the following types of personal data about you:
- Identification data: your name, phone number and email address;
- Information about your work: the name of the company you work for;
- The messages you are sending us.
When you give us a bank and teletransmission mandate as basis of the CodaBox services, we collect the following types of personal data about you:
- Identification data: your name, phone number, email address and language preference;
- Information about your work: your job title, employer and work address;
3.2 Services Use
As part of your use of the Zoomit services, we will send you notifications; for this we collect the following types of personal data about you:
- Identification data: your name, email address, IBAN and bank user ID
- Your language preference.
- Information about the documents sent to you: their type and sender, the amount due (when applicable) and the payment date.
When you interact with the Zoomit services, we maintain activity logs; for this we collect your name, email address, IBAN, bank user ID and language preference.
3.3 Customer Support
When we initiate a screen sharing session with your consent, to support you in the use of our products, we collect the following types of personal data about you:
- Identification data: your name and email address;
- Any information shared during the screen sharing session (audio and video).
When you register for and attend an event we organise, we collect the following types of personal data about you:
- Identification data: your name and title, email address and phone number;
- Information relating to your company: your company name;
- Any other information relating to the event.
We also collect personal data about you from other events organisers to which you have provided consent to share those personal data with us.
When you register to our newsletter, we collect the following types of personal data about you:
- Identification data: your name, professional email and language preference;
- Work information: your company name and address;
Your device and usage information are also collected when you read the newsletters.
3.5 Website browsing
While you browse our website, we collect the following types of personal data about you:
- Identification data: your IP address;
- Data relating to security: security logs, connection and activity logs, and the user agent of your web browser;
- When you allow us, we also collect data relating to your use of the website such as the pages you consulted or if you already visited our website in the past.
4 Processing purposes
Your personal data is processed for the following purposes:
- Where it is necessary for the performance of a contract between you and us or in order to take steps, at your request, to enter into a contract:
- To allow you to register for the use of our services.
- To provide you with the services you have registered for or requested.
- To provide you with support when you face issues in your use of the services.
- To manage the relationship between you, our customer, and us and other members of the Isabel Group.
- To provide you with information when you request them and to answer your messages when you contact us.
- To allow you to register to and attend our webinars or our events.
- To obtain and maintain mandate access to banks’ data for your company.
- To obtain and maintain mandates for sending your data to your accounting company.
- Where you have given your consent:
- To allow us to send you promotional offers and information on our and other members of the Isabel Group products, in line with your choices.
- To initiate screen sharing session when you request it to obtain support.
- To place cookies on your browser and perform advanced statistics based on the information Those cookies provide us.
- To allow us to track precisely the information on the unique number of visitors, their sessions and the relevant timestamps.
- Where necessary for our legitimate interests, as listed below, and where not overridden by your interests or fundamental rights and freedoms:
- To keep trace of our business relationships with you, as an Isabel Group existing or prospect customer.
- To send existing customers information on the evolution of Isabel Group and its member companies’ products; you may request these communications to stop at any time through an unsubscribe link present at the bottom of every communication.
- To get non-nominative information on the visitors that consult Isabel Group websites.
- To improve our services and develop new group-wide commercial offers.
- To ensure the security of our and other Isabel Group websites and their database.
- To allow review of past calls for training of agents and for quality control.
- To retain traces of actions taken during screen sharing sessions.
For these purposes, we have conducted a balancing test, as the law requires, and have determined that, taking into account the limited personal data collected, the processing performed and your reasonable expectations, our legitimate interest in conducting this processing is not overridden by your interests or fundamental rights and freedoms.
- Where it is necessary for us to comply with our legal obligations.
5 Disclosure and Transfer of personal data
In order to deliver our services to you and for the above purposes, we need to share your personal data with:
- CodaBox NV/SA and Isabel Group personnel with access on a “need to know” basis and to contractors who have signed a confidentiality agreement with us.
- Your accountant.
- Third party processors, located in Belgium, who support us in the processing of your personal data only on our instructions and who are subject to appropriate confidentiality clauses:
- Isabel NV/SA, who maintain our group-wide customer relationship and webinar tooling, organise events, and maintain our website.
- Twikey, who provides us a solution for digital signature of mandates.
- Third party processors, located in the European Economic Area, who support us in the processing of your personal data only on our instructions and who are subject to appropriate confidentiality clauses:
- Microsoft, who provides and maintains our customer relationship and screen sharing solutions.
- Google Analytics, who provides us with simple statistics on the number of unique visitors on our website.
- Amazon Web Services (AWS), who is responsible for hosting our website.
- SurveyAnyplace, who provides us with a survey solution.
- Twilio Ireland limited, who is responsible for sending out two-factors authentication SMSs.
- Third party processors located in the United States of America, who support us in the processing of your personal data only on our instructions and who are subject to appropriate confidentiality clauses:
- Mailchimp, who provides us with a newsletter solution.
- Mailgun, who provides us an emailing service.
- Freshdesk, who provides us with a ticketing system.
We have signed European Standard Contractual Clauses with these third-party processors, which is a mechanism to comply with data protection requirements when transferring personal data from the European Union to the other countries.
- Independent controller, such as accounting software, that will connect to our API and for which you have provided your consent for us to share your personal data.
- YouTube, an independent controller, located in Ireland, who provides services to display videos on our website.
- Government institutions or regulatory bodies in compliance with our reporting obligations.
6 Data Security and Retention
Your personal data is and will be kept strictly confidential.
We take all reasonable steps to protect your personal data. This includes setting up processes and procedures to minimise the unauthorised access to, or disclosure of your personal data. We ensure that the third parties we share your personal data with also have adequate security measures in place.
We will store your personal data for as long as it is necessary to achieve the purposes defined in section 4 (Processing Purposes), with maximum retention periods as defined below:
- Customer data and billing information will be kept for 10 years after the end of our contractual relationship.
- Data collected when you purchase services from us will be kept for 10 years after the end of the contract, as required by Belgian law.
- Data relating to mandates will be kept for 10 years after the end of our contractual relationship.
- Data relating to Zoomit email notifications and activity will be kept for 6 months.
- Data collected when you contact us for questions or support will be kept for 10 years after the last contact or after the end of the contract. .
- Data collected to allow you to register and attend our webinars will be kept for 12 months.
- Data collected to allow you to register and attend our events will be kept for 1 month after the events take place.
- Calls and screen sharing recording will be kept for 1 month.
- Technical logs will be kept for a maximum of 6 months.
- Data backups, created for security reasons, are kept for 4 weeks;
- Data collected for statistics purposes will be kept for 14 months.
- Data collected for marketing purposes will be kept for as long as we have your consent.
Users of CodaBox services must be at least 18 years old.
8 Automated decision-making and profiling
No automated decisions will be taken about you nor will profiles be made as part of the processing described in this notice.
You have the right to ask us for a copy of your personal data, to ask us to correct, delete or restrict (stop any active) processing of your personal data and to obtain the personal data you provided us in a structured, machine-readable format. In addition, you can object to the processing of your personal data in some circumstances (in particular when we do not have to process your personal data to meet a contractual or other legal requirement).
Where we have asked for your consent, you may withdraw this consent at any time; however, this will not affect processing that has already taken place before the withdrawal. You may withdraw your consent by deleting the cookies linked to our domain.
You may exercise the above-mentioned rights by contacting us as described in the “Contact us” section below.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information that we are required to keep by law or that we have a compelling legitimate interest to keep.
If you have unresolved concerns, you have the right to complain to the Data Protection Authority: https://www.dataprotectionauthority.be/.
If you have any questions about this Privacy Notice or wish to contact us for any reasons in relation to the processing of your personal data, please contact our Data Protection Officer, by sending an email to email@example.com, or by sending a dated and signed request to CodaBox, Diestsepoort 1 – 3000 Leuven, Belgium.