This website is owned and operated by Viewpoint Software for Business Limited, a private limited company incorporated in Hong Kong (registration number 2613425). Our registered office is at 8/F, 299 QRC, 287-299 Queen’s Road Central, Hong Kong.
In this notice, “we”, “us”, “our” and “Viewpoint” refer to Viewpoint Software for Business Limited.
This notice describes our processing of personal data relating to our website visitors and individual staff and representatives of our clients and potential clients in connection with our business activities. We are the controller in respect of this processing, meaning that we determine why and how to carry out this processing.
Please note that where we provide our Viewpoint Software for Business software products to our clients, our clients use those software products to process data, including personal data, for their business purposes. Our clients are the controllers in respect of the processing of that personal data, meaning that they determine why and how to carry out that processing.
We process that personal data as a result of hosting the software services and may also process it in connection with providing clients with set up services, support services and maintenance services. We carry out that processing as a processor, which means that we process this personal data only on the instructions of our clients and do not determine the purposes or legal bases of that processing.
This notice does not describe our processing activities as a processor. Our processing as a processor on behalf of our clients is governed by contracts with our clients. If you think your personal data is processed by one of our clients using our software products, please refer to the privacy notice of the relevant client organisation or contact them directly with any questions about how they use your personal data.
• Business contact data: data relating to our clients’ staff and representatives that we obtain in connection with entering into and performing contracts for the provision of our software products and services to clients, such as names, business email addresses, postal addresses, telephone numbers and job titles. This may be provided by the individuals themselves, by colleagues, or by our resellers. We may also collect similar categories of data of staff or representatives from potential clients or prospects indirectly from publicly available sources such as Linked-in, regulated entity lists and industry bodies.
• Account data: data relating to our clients’ staff that we obtain in connection with setting up accounts to enable them to access and use hosted software services we provide to their organization, which includes their business email addresses. These details are provided to us by our clients or staff members themselves.
• Download request data: data relating to people who request downloadable material from our website, including name, email address, organisation name and country. We obtain this data when people complete and submit download request forms on our website.
• Newsletter data: data relating to people who subscribe to receive our newsletter or other marketing communications, including name, email address, organisation name and country. We obtain this data when people subscribe to receive such communications either through our website or through a link from one of our representative’s emails.
• Correspondence data: information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication (such as time and date of sending). We obtain this data when people contact us by email, phone, using our web contact form or any other method of communication. If you use our web contact form, our website will generate the metadata associated with communications made using it.
The purposes for which we normally use personal data in connection with our business activities, the types of personal data we use for those purposes and the legal bases for doing so are set out below.
An explanation of what the different legal bases mean can be found in the Glossary section at the end of this notice.
We send occasional emails containing information about our business and services. We only send these to individuals who are staff representatives of our clients or who have previously enquired or corresponded with us about our services, for example by requesting to download promotional material on our website.
If you do not wish to receive such communications from us, you can tell us by using the unsubscribe link in any email we send to you or emailing firstname.lastname@example.org.
In addition to the purposes described above, we may also process personal data as a controller if and to the extent necessary for the following purposes:
As described in the introduction above, our clients are controllers in respect of the personal data they process using our software products for their business purposes and decide the purposes and legal bases of that processing. If you think your personal data is processed by one of our clients using our software products, please refer to the privacy notice of the relevant client organisation or contact them directly with any questions about the purposes they use your personal data for and their legal bases for doing so.
The personal data described in this notice may be shared with the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
• Group companies: we share IT infrastructure and access to our business databases with other companies within the Viewpoint Group for the purposes of general business administration, marketing and providing support services to clients from our offices around the world.
• Service providers: we use a number of service providers in connection with our website, services, communications and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services. We currently use the following providers:
We have contracts with all our service providers to ensure that they treat the personal data they receive in compliance with applicable data protection laws, including that they only process the personal data described in this notice to the extent necessary to provide the services.
• Insurers and professional advisers: such as lawyers, accountants and business and marketing consultants, but only if and to the extent necessary for them to carry out the work we engage them to assist us with, for example in relation to a legal claim made against us, obtaining insurance coverage, or provide marketing and PR services.
• Buyers/prospective buyers: if we propose to sell or do sell any of our business or assets, we may make personal data available to a prospective buyer for the purposes of pre-sale due diligence or to a buyer as information assets transferred as part of the sale – for example a prospective buyer may request details of any outstanding legal claim against us, or a buyer may acquire ownership of our business contacts/client databases.
There may also be circumstances in which we need to share personal data with other organisations or individuals, such as where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, including complying with legal obligations to disclose information.
In all cases, we will only share personal data with such recipients where and to the extent reasonably necessary for the relevant processing purpose and in accordance with applicable data protection law.
The personal data we process is hosted and stored in Microsoft Azure data centres within the EEA.
As we are based in Hong Kong and share IT infrastructure and access to our business databases with other companies within the international Viewpoint Group, although the data is hosted and stored within the EEA, staff of Viewpoint and other Viewpoint group companies may access it from various countries around the world in which our group companies’ offices are situated (see our ‘Contact us’ website page for a list of our offices around the world). Not all of these offices are situated in countries that have an adequacy decision. (See here for a list of countries that have an adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.) However, we and our group companies do not transfer personal data from the EEA to outside the EEA as none of us is based within the EEA.
Any transfers of personal data that we receive from our clients based in the EEA that we process as a processor on their behalf are subject to controller-to-processor Standard Contractual Clauses that form a part of our contracts with those clients.
Our use of Google Analytics involves a transfer of usage data to Google LLC in the U.S.A. and to its sub-processors in the U.S.A. and elsewhere. Google LLC processes usage data as a processor on our behalf. Google LLC participates in the Privacy Shield and its registration can be viewed here: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based in various countries around the world in connection with the purposes described in the ‘Other processing purposes’ section above, such as to comply with a legal obligation or defend or bring a legal claim. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
We take data security very seriously and use appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
Our Security Statement details the security measures we apply, both to the personal data we process as a controller and the personal data we process as a processor.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
We will only retain the personal data described in this notice for as long as necessary to fulfil the processing purposes described in this notice.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, and applicable legal requirements.
We will apply the following general retention periods and/or retention criteria to the personal data described in this notice:
• Usage data: the statistical reports provided to us by Google are retained by us for 3 years.
• Business contact data: we keep this for the duration of the relevant client contract and for a period of 6 years after termination or expiry of the contract and in respect of business contact data for prospects, we keep this for 6 years.
• Account data: we keep this for the duration of the relevant client contract and for a period of 6 years after termination or expiry of the contract.
• Download and newsletter request data: we keep this for a period of 6 years after receiving the download submission form or newsletter subscription request. We may keep this data after that period for the purposes of sending marketing emails unless/until we receive an ‘unsubscribe’ request (in which case we will retain the details on a suppression list to ensure no further emails are sent) or until we receive an ‘undeliverable’ response (in which case we will delete the details from our records).
• Correspondence data: we keep this for a period of 1 year after receiving the email or web contact form submission.
These retention periods are subject to any longer retention periods that may be necessary for compliance with a legal obligation, protecting a person’s vital interests or the establishment, exercise or defence of legal claims.
We use a small number of cookies on this website.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by our web server to your web browser when you visit our website and is stored by your browser. The identifier is then sent back to our server each time your browser requests a page from our server.
Cookies are either “persistent” cookies or “session” cookies: a persistent cookie will be stored by your web browser and remain valid until its set expiry date, unless deleted by you before the expiry date; a session cookie, on the other hand, will expire when you close your web browser.
Cookies do not typically contain any information that personally identifies a website user, but we might theoretically be able to identify individuals by linking any personal data we already have with information stored in and obtained from cookies.
Please see below for a list of cookies that we use on this website.
Most computers and mobile devices automatically accept cookies by default, but you can change your browser settings to refuse to accept cookies, delete cookies or notify you when cookies are set. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:
• Internet Explorer
You can learn more about cookies by visiting www.allaboutcookies.org, which includes useful information on cookies and how to block them using different types of browser.
You can block Google Analytics by downloading and installing the Google opt-out browser add-on available here https://tools.google.com/dlpage/gaoptout or by blocking third party cookies in your browser options.
Please note that if you block all cookies including those necessary to enable you to use and navigate the website, you may not be able to use all the features on our website.
You have a number of different rights you might be able exercise against us in relation to personal data about you that we process as a controller. These are rights to:
• access your personal data
• obtain rectification or erasure of your personal data
• restrict and/or object to processing of your personal data
• have your personal data ‘ported’ to you or another organisation
• complain to a supervisory authority about our processing of your personal data
• withdraw consent to our processing of your personal data (where you have given consent)
The availability of these rights varies depending on the legal basis that we rely on for processing the relevant personal data. Below we have summarised these rights and explained how you can request to exercise them.
Please note that our clients are controllers in respect of personal data that they process for their business purposes using our software products and are responsible for responding to requests from individuals to exercise their rights in respect of that processing. If you want to request to exercise your rights in respect of that processing, please contact the relevant client organisation directly with your request. Our clients may ask us to assist them in responding to such requests as their processor, but the legal responsibility for responding to such requests remains with them as the controllers.
Access: You have the right to confirmation as to whether we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned and the recipients of the personal data. Providing that the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee.
Rectification: You have the right to have any inaccurate personal data about you corrected and, taking into account the purposes of the processing, to have any incomplete personal data about you completed. We may need to verify the accuracy of the new data you provide to us.
Erasure: You have the right to the erasure of your personal data without undue delay where the personal data are no longer necessary in relation to the purposes for which we collected or otherwise processed them, you successfully object to our processing, you object to our use of your personal data for direct marketing purposes, we have processed your personal data unlawfully, or an applicable law requires the relevant personal data to be erased. However, there are exclusions to the right to erasure, including where we have overriding legitimate grounds to continue processing the relevant personal data or are required to do so by applicable law or where we need it to establish, exercise or defend a legal claim.
Restriction: You have the right to restrict our processing of your personal data where you contest the accuracy of the personal data, our processing is unlawful, we no longer need the personal data for our purposes but you require it to establish, exercise or defend a legal claim, or you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it to establish, exercise or defend a legal claim, to protect the rights of another natural or legal person or for reasons of important public interest or with your consent.
Object: You have the right to object to our processing of your personal data where we rely on legitimate interests as the legal basis for the processing. If you make such an objection, we will cease to process the personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Object to processing for direct marketing purposes: You have the right to object to our processing of your personal data for direct marketing purposes (including profiling for direct marketing purposes).
Data portability: where processing of your personal data is based on performance of a contract or your consent and is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
Complain to a supervisory authority: If you consider that our processing of your personal data infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.
Withdraw consent: where any processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
How to exercise these rights against us: You can exercise any of your rights in relation to your personal data that require any action by us by emailing your request to email@example.com, in addition to any other contact methods specified in this notice. Please be aware that if your request relates to any processing that we carry out as a processor for one of our clients, we will inform you of this and advise you to make the request to the relevant client as the controller in respect of that processing.
How to complain to a supervisory authority: To make a complaint to a supervisory authority, you may contact the supervisory authority of your choice using contact details made available by that supervisory authority. See here for a list of European supervisory authorities and contact details: https://edpb.europa.eu/about-edpb/board/members_en. Relevant contact details for the UK supervisory authority, the ICO, can be found here: https://ico.org.uk/concerns/.
For enquiries relating to this notice or our processing of personal data, please contact firstname.lastname@example.org.
We may update this notice from time to time by publishing a new version on our website and, where any changes materially affect you, we will also make reasonable efforts to notify you.
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Consent: the data subject has given consent to their personal data being processed for one or more specific purposes (a ‘data subject’ is an individual who can be identified from the data being processed)
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by law
Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual
Privacy Shield: this is an adequacy decision of the European Commission in respect of the transfer and subsequent processing of personal data to and by organisations in the U.S. who self-certify their compliance with the Privacy Shield Framework Principles contained in Annex II to the European Commission Implementing Decision (EU) 2016/1250 of 12 July 2016. Further information can be found on the Privacy Shield website: https://www.privacyshield.gov/welcome and in the ICO guidance: https://ico.org.uk/media/for-organisations/documents/2014413/data-transfers-to-the-us-and-privacy-shield.pdf.
Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
Standard contractual clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en