Privacy Policy

PRIVACY POLICY

 

1.      Introduction

AquaVision Engineering Sàrl (“AVE” or “We”) is a Swiss company, which provides a cloud-based Software-as-a-Service (the “Platform”) to professionals and companies and operates rocscor.com (the “Site”). AVE is headquartered in Lausanne, Switzerland.

The Platform consists of two elements: a software platform for numerical computations of rock scour at dams and hydraulic structures, called X_plore, and a database platform for any rock scour cases observed and published worldwide, called X_change. The rock scour software itself is called rocscor®.

2.      Scope of the Privacy Policy

This Privacy Policy describes how Personal Data of every user (“You”) of the Site and/or of the Platform is collected and used.

The provisions of this Privacy Policy apply globally to all Personal Data We process in order to fulfill our role and obligations as Processor and, from time to time, also as Controller, under the circumstances specified in the respective section below.

We care about your Personal Data regardless of where you access and use the Platform and/or the Site from. Therefore, We commit to respect your privacy and comply with the applicable data protection laws globally. In this regard, as AVE is a Swiss based company, our processing activities fall unexceptionally under the scope of the Swiss Federal Act on Data Protection (Bundesgesetz über den Datenschutz, the “DSG”). In parallel, due to our large European customer base, our processing activities fall in different cases also under the scope of the European Union General Data Protection Regulation (the “GDPR”).

In fact, the provisions of the GDPR apply, on the one hand, to all Controllers and Processors established in the European Union (the “EU”) territory and, on the other hand, to non-EU Controllers and Processors, who, either offer goods and services to Data Subjects located in the EU or monitor the behavior of the same. Accordingly, every time We process Personal Data, We make our best efforts to guarantee the highest standards for data protection required by the GDPR and document them throughout this Privacy Policy with specific references to the relevant articles. Lastly, as We operate on a global level, where additional country-specific guarantees are required on a local basis, as for example with the California Consumer Privacy Act (the “CCPA”), We commit to fulfill the additional requirements and abide by the respective applicable data protection laws. A dedicated section about the CCPA can be found at the bottom of this Privacy Policy.

3.      What is Personal Data and Who are the Data Subjects?

According to Art. 4 (1) GDPR, “Personal Data” means any information relating to an identified or identifiable natural person (the “Data Subject”). For the sake of clarity, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

4.      AVE is a Processor, but exceptionally acts as a Controller

The GDPR differentiates between Controllers and Processors. Controllers are those who determine the purposes and means of the processing of Personal Data; whereas Processors are those that process Personal Data on behalf of the Controller.

In the relationship with our customers, We act as Processor. Natural persons and legal entities can purchase a Free-, Starter-, Team- or an Enterprise Plan (the “AVE Plan”). In order to provide our services, We need to collect and use certain Personal Data. We process the Personal Data only on behalf and on instructions of our customers and in accordance with the relevant applicable laws. Our customers who purchase a Plan are primarily responsible for processing the Personal Data of all users accessing the Platform (e.g. employees of the customer and/or other natural persons invited by the customer to use the Platform). In our role as Processor, We redirect any requests We may receive from users of the Platform to the relevant Controller in terms of Art. 28 (3) e GDPR.

Nevertheless, in exceptional circumstances We act as Controller. This occurs in connection to: i) natural persons who materially purchase a Plan and do not sign in the name of a legal entity; ii) visitors of our Site; iii) interested natural persons who consent to provide their Personal Data; and iv) our employees. In this case, every request We may receive from Data Subjects belonging to one of the mentioned categories will be answered directly by our legal team.

5.      AVE Collects Personal Data

Your personal data is collected and processed in one or several of the below cases:

o When you visit AVE headquarters. We will process your personal data to identify you for visitor registration (name, company, position, email, telephone number). The legal basis for these processing activities is the GDPR art. 6(1)(f), as it is in our legitimate interest to control access.

o When you sign up for AVE newsletter. The legal basis for such processing is the GDPR art. 6(1)(a). To the extent you have accepted statistical cookies, information gathered by these will be used for marketing purposes combined with this email marketing permission in accordance with our legitimate interest, cf. the GDPR art. 6(1)(f).

o When you enter and browse our website, cookies will be placed in accordance with your cookie consent and the information provided in the cookie-pop-up, which is always available on the website. This may entail the processing of your personal data, hereunder a unique ID number, the IP address, geographical location, the sites you visit, as well as further technical information on your behavior on the website. We rely on the legitimate interest in accordance with the GDPR art. 6(1)(f) for giving you the best possible website experience for the processing of personal data when placing statistical and functional cookies. To the extent you have previously consented to receiving marketing material, we will combine this information with the accepted statistical cookies in accordance with our legitimate interest, cf. the GDPR art. 6(1)(f). We rely on your consent in accordance with the GDPR art. 6(1)(a) for our processing of personal data when placing marketing cookies. We always collect your permission (i.e. cookie consent) in accordance with the applicable cookie legislation prior to the placement of cookies. You prior permission is, thus, a condition for the processing of personal data through cookies.

o When you download our software or applications. The legal basis for such processing is the GDPR art. 6(1)(b).

o When you participate as an external instructor or speaker at webinars, podcasts or courses hosted by AVE. We will process personal data about you when introducing you (name, work email, submitted CV and short biography). The legal basis for such processing is the GDPR art.6(1)(b) and/or (f).

o When you sign up for an event. The legal basis for such processing is the GDPR art. 6(1)(b).

o When you sign up for an online or physical training course or webinar. We will collect personal information about you in connection with your communication and interaction with us. We will only process basic personal data, including name, title or position, email address, telephone and your place and address of employment as well as VAT number. The legal basis for such processing is the GDPR art. 6(1)(b) and/or (f). If you do not wish to receive course invitations in the future, you can unsubscribe at any time by clicking the link at the bottom of the message you receive.

o When you create an account and/or buy products or services at our websites. The legal basis for such processing is the GDPR art. 6(1)(b).

o When you contact us. The legal basis for such processing is the GDPR art. 6(1)(b) and/or (f). The legitimate interest under (f) is for us to be able to respond to your inquiry.

o When AVE provides you or the company you represent with consultancy services. The legal basis for such processing is the GDPR art. 6(1)(b).

o When you participate in voluntary follow-up interviews with the purpose of improvement, quality review, etc. of AVE’s products and services and thus following to the provision of such products and services to you or the company you represent. The legal basis for such processing is the GDPR art. 6(1)(f).

o When you participate in a conference call, video conference or webinar (“online meetings”) using “Teams” and “Zoom”. The Teams service is provided by Microsoft Corporation. The Zoom service is provided by Zoom Video Communications, Inc. and used for webinars, where this service provides features required for the webinar. As online meetings will imply processing of audio and/or video of you, this will entail the processing of your personal data. We require the effective implementation of online meetings in order to fulfil our business purposes. The legal basis for processing is the GDPR article 6(1)(b). In the event we need to record online meetings, we will inform you transparently in advance and – if required – will ask for your consent. If a meeting is being recorded it is visible in the online meeting. In the case of webinars, we may also process the questions asked by webinar participants for the purpose of recording and follow-up of webinars.

o When AVE performs analysis and collection of public data on all technical aspects of scour at dams and hydraulic structures, such as hydraulics, hydrology, geomechanics, bathymetry and topography, etc. for the X_change database, for our own databases and/or on behalf of our customers, AVE may potentially process personal data. We note that all the collected data is publicly available. We may combine these publicly available data with other non-sensitive datasets, whereas our legal basis for such processing is our legitimate interest in accordance with the GDPR art. 6(1)(f).

If you use your email address in more than one of the above cases, your personal data will only be collected and registered in one place. This way your information is already stored when you interact with us.

In the context of providing our services to the users, via the Platform and throughout the Site, we collect the following categories of personal data:

  • General individual information. In order to register for the services available on our Site (e.g. newsletter, webinars, demos, etc.) and/or to sign-up and login to our Platform, current and prospective users of AVE are required to provide certain Personal Data. In particular, the following information must be provided:
    • Name and Surname
    • Email address
    • Company Name
    • Job Title or similar
  • User data. Every user of the Platform, regardless of the specific Plan purchased, has to sign up and login to start collaborating. The provision of the following Personal Data is therefore mandatory:
    • Name and Surname
    • Email address
    • Password
    • IP address
  • Personal Data contained in the assets uploaded on the Platform. The assets that You, as a user, upload to the Platform might contain Personal Data. In this case, the only processing activity We will perform on such Personal Data is hosting. You bear the responsibility to upload such assets exclusively in accordance with the instrumental professional use of the Platform and not for any other purposes. For instance, no assets containing Personal Data of minors and/or other special categories of Personal Data under any applicable data protection law (e.g. such as listed in Art. 9 (1) GDPR) shall be uploaded. You can be held accountable for any misuse or illegal use of our Platform.
  • Billing: A person who is interested in purchasing a Plan must provide credit card information and/or a billing address. We neither collect nor store any credit card information ourselves. The process is completely outsourced to our payment service providers that collect and store this information on our behalf, namely, Stripe.
  • Browser data: We may collect standard website visitor information supplied by your browser (e.g. your operating system, the browser you are using, language settings) to ensure that the use of our Site is without disruption and as user-friendly as possible. This information is dependent on the type of device, browser and the settings You are using.
  • Support: If You send us a request (for example via a support email or via one of our feedback mechanisms), We reserve the right to use this information to respond to your request, as well as, to offer support to other users. We take all reasonable measures to protect your Personal Data against the unauthorized access, use, alteration or destruction.
  • Other usage statistics: Besides browser data, We may collect statistics, usage information and may record user sessions on how registered users interact with our Platform, in order to maintain and improve it. This usage data is collected anonymously, and it does not include user data as described above.
  • Marketing: From time to time, We may send You marketing material. We may do that either if We believe there is a legitimate interest for You to receive it or, in the absence of such legitimate interest, only after receiving your explicit consent. This material may include marketing campaigns, product updates, news about future events and webinars and newsletters. We guarantee that none of your Personal Data will be shared with or sold to third parties and used for their marketing purposes.
    If you are a registered user of our Site or Platform and have supplied your email address, We may occasionally send You an email to inform You about the release of new features, request your feedback, or just keep you up to date about AVE and our services. In order to communicate this type of information, We mainly use our blog. However, You can also subscribe to our monthly newsletter to receive product updates, brand related content, and general insights. If You wish to unsubscribe from the newsletter, You can always do that by using the relevant link included in every email.
  • Personal Data of job applicants: If You apply for a vacancy at AVE, We will collect and process all the information that You voluntarily provide us in connection with a potential employment, as well as information which is publicly available (e.g., your LinkedIn profile). In case We decide not to move further with your application, We’ll make sure to have all your Personal Data deleted in due course, in accordance with internal schedules and procedures.
  • Personal Data of children (under the age of sixteen): Our Platform is not intended for people under the age of sixteen. Therefore, We do not voluntarily collect information from anyone under that age. Additionally, if We learn that We may have received information from someone under the age of sixteen, We will take immediate action and adopt all reasonable measures to remove that information.
  • Exclusion of special categories of Personal Data: In the context of the provision of our services, including those offered through the Site and Platform, We do not need to collect or process in any other way special categories of personal data. Therefore, We never ask our existing and/or prospective customers to provide Personal Data revealing their racial or ethnic origin, their political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. In the event that We accidentally receive any such information from a user and/or customer, We act promptly to inform the latter and remove that information.

 

6.      AVE Processes Personal Data

When processing Personal Data as Controller, We comply with the requirements set by Art. 6 GDPR on the “Lawfulness of Processing”. Specifically, the latter provides that the processing is lawful only if and to the extent that at least one of the following applies:

  • You have given your consent to the processing of your Personal Data for one or more specific purposes.
  • The processing is necessary for the performance of a contract between You and us or in order to take steps at your request prior to entering into a contract.
  • The processing is necessary to comply with a legal obligation to which We are subject.
  • The processing is necessary for the performance of a task carried out in the public interest.
  • The processing is necessary for the purposes of the legitimate interests We might have, except where such interests are overridden by your interests or your fundamental rights and freedoms which require protection of Personal Data.

When We process Personal Data as Processor, We act in full compliance with the provisions of Art. 28 ff. GDPR.

7.      AVE Limits the Processing

We care about your Personal Data, thus We limit the use of the collected information to the extent necessary to provide our services and/or to continuously improve our features. Specifically, We restrict the processing to the following purposes:

  • fulfilling the contract with our customers
  • complying with applicable laws and regulations
  • protecting our rights
  • fulfilling our marketing purposes
  • improving our Platform and our Site

Occasionally, We may release aggregated statistics publicly (e.g. reports on trends concerning the usage of our Site). Nevertheless, any usage information We rely on in order to monitor the usage of our Site and improve our Platform is encrypted, anonymized and aggregated. Additionally, We do not sell any Personal Data to third parties.

8.      AVE Acknowledges and Fulfills Your Rights to Personal Data

We consider of primary importance that You, as a user of our Site and/or Platform, are aware of your rights under the applicable data protection laws. In accordance with Art. 12 ff. GDPR, We acknowledge and safeguard the following rights:

  • the right to refuse to provide Personal Data
  • the right to access and request copies of your Personal Data
  • the right to rectify your Personal Data manually in your account using the account setting in our Platform
  • the right to erasure (“right to be forgotten”) and have your Personal Data deleted
  • the right to limit the processing of your Personal Data
  • the right to data portability and so to request the transfer of your Personal Data.
  • the right to object the processing of your Personal Data
  • the right not to be subject to an automated individual decision-making, including profiling.

Any of the above-mentioned rights can be exercised using the contact details provided in the “Contact” section below; with the caveat that limiting or objecting to some processing activities may prevent You from engaging in certain Site activities or limit your online experience when working with the Platform.

In our capacity as Processor, We will forward all the relevant requests to the respective Controller pursuant to Art. 28 (3) (e) GDPR.

9.      AVE Stores Personal Data

All our customers’ Personal Data are hosted and stored by our trusted sub-processor Infomaniak, Geneva, Switzerland, which offers best in class security services.

10.  AVE Engages with Third Parties

In order to provide parts of the services available on the Platform and/or the Site, We engage with trusted sub-processors. If you are a customer, You can always access the updated list of the sub-processors engaged for services on the Platform in our DPA.

 We also engage with third parties for additional purposes (e.g. billing, recruiting, marketing, etc.) and We mention these in the relevant sections throughout this Privacy Policy.
By using the Site, you also consent to our use of cookies, with the purpose of collecting data on the user’s visits and/or for advertisement purposes. You can find more information in the relevant section below.

The third-party providers We engage with might change from time to time. In that regard, We commit to notify You periodically about any such changes via our main communication channels.

11.  AVE Doesn’t Disclose Personal Data

We aim to provide You with the highest standards of legal protection to Personal Data. Thus, We generally apply a policy of non-disclosure of any Personal Data with the exception of Personal Data which are needed to provide our services to You. Therefore, our employees, affiliates and sub-contractors may have access to and process your Personal Data to the extent this is needed to serve you. All of them are bound by strict confidentiality obligations.
Other than the case described above, We may need to disclose Personal Data in response to a subpoena, court order or other governmental request, or where We believe in good faith that disclosure is reasonably necessary to protect the property or rights of AVE, third parties or the public at large.

12.  AVE Might Change

If AVE or substantially all of its assets were acquired, your information as a user of our Site and/or Platform would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of AVE may continue to use your Personal Data as set forth in this Privacy Policy.

13.  AVE Updates its Privacy Policy

We may update this Privacy Policy from time to time. You can always find the latest version of the Privacy Policy on our Site. Additionally, We inform you about updates of this Privacy Policy via our newsletters and/or emails.

14.  AVE Representative in the EU

To comply with Art. 27 (1) GDPR, AquaVision Engineering Sàrl, Chemin des Champs-Courbes 1, CH-1024 Ecublens,  is the representative of AVE in the EU.

15.  AVE and the California Consumer Privacy Act (CCPA)

If You are a Californian resident and We process your Personal Data, the CCPA might be applicable when We act as Processor. This regulation came into effect on January 1, 2020 and many of its requirements substantially overlap with existing obligations under the GDPR, thus they have been already addressed in the relevant sections of this Privacy Policy. This paragraph supplements the information provided in this Privacy Policy with certain additional rights that Californian residents are specifically entitled to under the CCPA. For clarification purposes here You can find a non-exhaustive list of terms of the CCPA with their meaning related to the GDPR.

GDPR                                                           CCPA

Personal Data                                             Personal Information

Controller                                                    Business

Processor                                                    Service Provider

To be transparent with our Californian customers, we present your additional rights under the CCPA:

  • The right to be informed about the categories of Personal Information and the purpose of collection.
  • The right of access to your Personal Information.
  • The right to request deletion of your Personal Information with specific limitations concerning Personal Information required for providing our services to You, public interest reasons and other legal obligations.
  • The right to non-discrimination if You exercise any of your rights under the CCPA.

As We do not sell Personal Data of our users, We do not provide an opt-out option. Nevertheless, You may submit any request concerning the CCPA using the contact details provided in the “Contact” section below. Once We’ve verified your identity, your request will be answered promptly, within 45 days at the latest.

16.  Contact

Please don’t hesitate to contact our privacy team at support@rocscor.com, in case You have any questions about our Privacy Policy, other privacy-related matters or for any request related to the processing of your Personal Data.