Privacy Policy (Add-in)

GENERAL PRINCIPLES

What is Personal Data?
Personal Data is “any information relating to an identified or identifiable natural person. This includes, for example, name or address data, telephone number, mobile number, or online identifiers such as your device id and your IP address.

What is processing?
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means. The term is broad and covers virtually any handling of data.

Who is responsible for data processing?
The responsible party for data processing is Apps Do Wonders LLC, a Dallas based limited liability company (“Apps Do Wonders”, “we”, “us”, or “our”). If you have any questions or if you wish to exercise your rights, please contact us by email using support@appsdowonders.com or our Contact Form if you have any questions.

What law applies?
Our use of your Personal Data is subject to the Texas Data Privacy and Security Act (“TDPSA”),
and the EU’s General Data Protection Regulation (“GDPR”), and of course we process your Personal Data accordingly.

What are the Legal Bases for processing Personal Data
In accordance with the TDPSA and the GDPR, we
have to have at least one of the following legal bases to process your Personal
Data: a) you have given your consent, b) the data is necessary for the
fulfillment of a contract / pre-contractual measures, c) the data is necessary
for the fulfillment of a legal obligation, or d) the data is necessary to
protect our legitimate interests, provided that your interests are not
overridden.

How long and where will you keep my data?
We process and store your Personal Data only for
the period of time required to achieve the respective processing purpose or for
as long as a legal retention period exists (in particular commercial and tax
law in accordance with Texas’ Commercial Law and Fiscal Code). Once the purpose
has been achieved or the retention period has expired, the corresponding data
is routinely deleted. In general, your data is saved and stored using the
services of Amazon (AWS) S3 server in Amazon’s RDS Database.

WHAT PERSONAL DATA DO WE PROCESS?

Downloading our add-ins
Our add-ins can be downloaded from Microsoft AppSource a service offered by Microsoft. Downloading it may require prior registration with Microsoft and/or installation of the respective Microsoft software.

Installing our add-ins
As far as we are aware, Microsoft collects and processes the following data: License check, network access, network connection, and location information. However, it cannot be ruled out that Microsoft also transmits the information to a server in a third country. We cannot influence
which Personal Data Microsoft processes with your registration and the provision of downloads in Microsoft AppSource. The responsible party in this respect is solely Microsoft as the operator of Microsoft AppSource.

Device information
Microsoft may collects information from and about the device(s) you use to access our add-ins, including hardware and software information such as IP address, device ID and type, device-specific and add-ins settings and properties, crashes, advertising IDs (AAID), information about your wireless and mobile network connection such as your service provider and signal strength; information about device sensors.

Contacting us and contracting with us
You can contact us in various ways
and data is always collected in the process. You provide us with most of the
data that we process when you contact us such as your name, and email address.
This data is collected and processed exclusively for the purpose of contacting
you and processing your request and then deleted again, provided that there is
no legal obligation to retain it.

We process the Personal Data that arises when you use our add-ins in order to provide our contractual services. In particular, this includes our support, correspondence with you, invoicing, fulfillment of our contractual, accounting and tax obligations. Accordingly, the data is processed on the basis of the fulfillment of our contractual obligations and our legal obligations.

Lastly, we process data in the context of administrative tasks as well as organization of our operations, financial accounting and compliance with legal obligations, such as archiving. In this regard, we process the same data that we process in the course of providing our contractual services. The purpose and our interest in the processing lies in the administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, performance of our tasks and provision of our services.

The legal basis for processing the above is our legitimate interest, the provision or initiation of a contractual service and your consent.

Payment Data
If you make a purchase, your payment data will be processed via our payment service providers Stripe or PayPal. Payment data will solely be processed through the by you selected payment service provider, and we have no access to any payment data you may submit. The legal basis for the provision of a payment system is the establishment and implementation of the contract.

When using our add-ins
We recognize that you own your service data. We provide you complete control of your service data by providing you the ability to (i) access your service data, (ii) share your service data through supported third-party integrations, and (iii) request export or deletion of your service data.

We process various service data in the context of the provision of add-ins. In principle, you become the data controller and we become the data processor. Where we process Personal Data as data processor or in other words on behalf of you, we will process the Personal Data involved in your use of our services in accordance with your instructions and shall use it only for the purposes agreed between you and us.

We ensure that access by our employees to your data is only available on a need-to-know basis, restricted to specific individuals, and is logged and audited. We communicate our privacy and security guidelines to our employees and enforce privacy and protection safeguards strictly.

Some jurisdictions may require you to disclose your use of our services as your processor in your privacy policy and/or data processing agreement as applicable. For this purpose all Personal Data processed by us will be processed using OpenAI, MailChimp, Appzi, Inc, MaxMind, Jira Atlassian, Amazon Web Services (AWS), Sentry, Azure OpenAI, Anthropic AI as sub processor and take appropriate legal precautions and corresponding technical and organisational measures to ensure the protection of service data and Personal Data in accordance with the TDPSA and GDPR. For further information please also refer to our Data Processing Addendum.

Further and if you are providing us with Personal Data relating to a third party, you agree a) that you have in place all necessary appropriate consents and b) that such third party has read this Privacy Policy. You agree to indemnify us in relation to all and any liabilities, penalties, fines, awards, or costs arising from your non-compliance with these requirements.

Support ticket
If you create a support ticket, we will request Personal Data and, where applicable, non-Personal Data in accordance with your request, this may include your name, email address and other order related data you voluntarily provide. The data provided is not shared with third parties and cannot read your data when it is entered. If you submit a support ticket, we process the data for the purpose of processing and handling your ticket.

Our employees will also have access to data that you knowingly share with us for technical support or to import data into our services. We communicate our privacy and security guidelines to our employees and enforce privacy safeguards strictly. The legal basis of the data processing is our obligation to fulfil the contract and/or our legitimate interest in processing your support ticket.

Data Management
For optimal customer support and data management, we use the same data that we process in the course of providing our contractual services and store it in our proprietary customer support platform supported by HelpScout. This data processing is based on our legitimate interest in providing our customer service.

DATA SHARING

In certain cases, it is necessary to transmit the processed Personal Data in the course of data processing. In this respect, there are different recipient bodies and categories of recipients.

Internal
If necessary, we transfer your Personal Data within Apps Do Wonders. Of course, we comply with the associated legal framework and ensure that your data is processed properly. Access to your Personal Data is only granted to authorized employees who need access to the data due to their job, e.g., to provide our services or to contact you in case of queries.

We may also share your Personal Data with our Business Partners for the purposes described in this Privacy Policy, including (but not limited to) conducting the services you request, or customizing our business to better meet your needs.

External bodies
Personal Data is transferred to our service providers in the following instances:

• in the context of fulfilling our contract with you,
• to use marketing services and to advertise our services online,
• to communicate with you,
• to provide our add-ins, and
• to state authorities and institutions as far as this is required or necessary.
  

International transfers
We may transfer your Personal Data to other companies as necessary for the purposes described in this Privacy Policy. In order to provide adequate protection for your Personal Data when it is transferred, we have contractual arrangements regarding such transfers. We take all reasonable technical and organizational measures to protect the Personal Data we transfer.

SECURITY OF YOUR DATA

In order to protect the data stored with us in the best possible way against accidental or intentional manipulation, loss, destruction or access by unauthorized persons, we use appropriate technical and organizational security measures. The security levels are continuously reviewed in cooperation with security experts and adapted to new security standards.

Nevertheless, internet-based data transmissions can always have security gaps, so that absolute protection cannot be guaranteed. And databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion. Upon becoming aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised as expeditiously as possible after which the breach was discovered.

YOUR RIGHTS AND PRIVILEGES

Privacy rights
Under the TDPSA, you can exercise the following rights:

• Right to know
• Right to rectification
• Right of deletion
• Right of non-discrimination
• Right to opt-out of sale

Under the GDPR, you can exercise the following rights:

• The right to access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to object to processing;
• The right to data portability;

Update your information and withdraw your consent
If you believe that the information we hold about you is inaccurate or request its rectification, deletion, or object to legitimate interest processing, please do so by contacting us.

Access Request
In the event you want to make a Data Subject Access Request, please contact us. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to

What we do not do

• We do not request Personal Data from minors and children;
• We do not process special category data without obtaining prior specific consent;
• We do not use automated decision-making, including profiling; and
• We do not sell your Personal Data.

Right to complain
You have the right to complain about our processing of Personal Data to a supervisory authority responsible for data protection. However, we would appreciate the opportunity to address your concerns before you contact any supervisory authority.

Data Breaches and Notification
Databases or records containing Personal Data may be breached accidentally or through unlawful intrusion. As soon as we become aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised, and the notification will be accompanied by a description of the measures that will be taken to repair the damage caused by the data breach. Notifications will be sent as soon as possible after the violation is discovered.

USA SPECIFIC PROVISIONS

The following applies to users located elsewhere in the United States. While we understand and appreciate that privacy and consumer data protection laws differ as they are subject to each state’s legislature and that no data protection framework similar to the EU’s GDPR exists on a federal level, we are committed to follow and apply the for your state relevant privacy rules and regulations.

As of the day of drafting, the following states had enacted privacy and consumer data protection laws: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Utah, and Virginia. Under consideration of the similarities of the above provisions, no conflict should arise pursuing a uniform approach in granting all users in the USA the same rights and privileges as set out above. However, should ambiguity occur, the most stringent provision is chosen to ensure the most comprehensive approach when it comes to protecting your Personal Data.

Further, the following also apply

1. “Shine the Light”
   “Shine the Light” law (Civil Code Section 1798.83) requires us to respond to requests from California asking about the business’s practices related to disclosing Personal Data to third parties for the third parties’ direct marketing purposes. You may make a request about our collection and disclosure of your Personal Data using the contact details provided.
2. COPPA (Children Online Privacy Protection Act)
   When it comes to the collection of Personal Data from children under the age of 13 years old, the Children’s Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States’ consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children’s privacy and safety online. We do not specifically market to children under the age of 13 years old.
3. CAN SPAM Act
   The CAN-SPAM Act is a law that sets the rules for commercial email, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out tough penalties for violations. To be in accordance with CAN SPAM, we agree to the following: If at any time you would like to unsubscribe from receiving future emails, you can email us, and we will promptly remove you from ALL correspondence.
4. Telephone Consumer Protection Act (TCPA)
   If we process your Personal Data for the purpose of sending you SMS marketing communications, you may manage your receipt of marketing and non-transactional communications from us by replying or texting ‘STOP’ if you receive our SMS communications. In this respect, the data processing is carried out solely on the basis of our consent in personalized direct advertising per SMS.
5. Controls For Do-Not-Track Features
   Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track (‘DNT’) feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, our website does not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this policy.
6. Right to complain
   Finally, and in regard to the right to complain to a supervisory authority. You have the right to lodge a complaint about our processing of Personal Data with a supervisory authority responsible for data protection. Users based in the above mentioned States may lodge a complaint with the relevant district attorney or attorney general office.However, we would appreciate the opportunity to address your concerns before you contact any supervisory authority.