Last updated: January 10th, 2023
ShortPixel belongs to ID SCOUT SRL, hereinafter referred to as the "Company" or ”we”. The Company respects your privacy rights and recognizes the importance of protecting the Personal Data (as defined below) provided by you.
The data controller for the processing of personal data through the website ShortPixel.com
(the “Website”) is ID SCOUT SRL
and can be contacted at:
Address: Bucuresti, Str. Transilvaniei nr.2, Camera 5, Bl.5, Ap.19, Sector 1, 010798
1. GENERAL INFORMATION
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - the GDPR
- is the European law that regulates the data protection processing operations performed through the Website. Our Declaration of Conformity can be found here
Terms used in this document:
|the individual or entity who registered on the Website and thus owns a ShortPixel account.
|the individual or entity who visits the Website without creating an account.
|Users that purchased paid plans or installed the product.
|are other companies and the services they provide us.
|any identified or identifiable, directly or indirectly, natural person. The Users and Visitors defined above may act as data subjects should they be an identified or identifiable natural person.
|the entity acting under the authority and instructions of the controller. For example, the Company acts as a processor for our Customers defined supra.
|all information which relates to an identified or identifiable natural person. This includes, e.g., items like the name, postal address, e-mail address or telephone number, but also usage data like your IP address.
|every process carried out with or without automated assistance or every sequence of such processes in connection with personal data, e.g. obtaining, capturing, organizing, ordering, saving, adjusting or modifying, sorting, accessing, using, disclosing by transmission, distributing or any other form of making available, comparing or connecting, limiting, deleting or destroying.
We Process all personal data in accordance with GDPR principles, as follows:
- “Lawfulness, fairness and transparency”: the personal data is Processed fairly in relation to the data subject, based on a legal basis provided by GDPR at art. 6, and the data subject is informed on the Processing as requested by art. 13 and art. 14 GDPR.
- “Purpose limitation”: the purpose for which we Process the personal data is specific, explicit, and legitimate. We do not collect and use data for other purposes than the ones we informed the data subject about.
- “Data minimization”: we Process the minimum amount of personal data we need; the personal data we collect are adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
- “Accuracy”: the personal data Processed is accurate and where necessary kept up to date. We do not retain old and outdated data in our system.
- “Storage limitation”: we established and documented the necessary retention period for the personal data we collect and Process for specific objectives. After the retention period is met, the personal data shall be deleted, destroyed, or anonymized.
- “Integrity and confidentiality”: we handle personal data in a manner ensuring appropriate security, which include protection against unlawful Processing or accidental loss, destruction or damage.
- “Accountability”: as data controller, we are responsible for proving compliance with the principles of the GDPR mentioned above.
2. WHAT PERSONAL DATA WE COLLECT, HOW WE COLLECT IT AND WHAT WE DO WITH THE COLLECTED PERSONAL DATA
2.1. Creating your account
When the Visitors of our Website sign-up
for a ShortPixel account, we collect their email, their IP address and store the new generated API keys.
The legal ground for this Processing is the performance of a contract, in accordance with Art. 6 (1) b) GDPR.
2.2. Running the Services
We Process the Personal Data for taking the necessary actions to offer our Customers the Company’s products (e.g. for the proper running of our Web Hosting service and of our image optimization service, to connect our servers to our Customers’ servers, where the images needing compression are hosted, for maintenance and for building appropriate tools for our clients, etc.), pursuant to Art. 6 (1) b) GDPR, for the performance of a contract and Art. 6 (1) f) GDPR, on the basis of our legitimate interest.
From the Users of our WordPress plugins and from those who use our API tools, we Process the following Personal Data: name and surname, identification data, email, processed images and CDN traffic data.
From the Customers of Web Hosting service we Process the following Personal Data: name and surname, identification data, email, domain name.
We also process data regarding the browser, IP address, timestamp, IP location and also operating system when you access ShortPixel Hosting or any web site that is owned by ShortPixel.
All the information that is so collected is used for secure logging & website data analytics and preventing fraud.
2.2.1. Google Drive optimization app
This service is curently in beta testing.
We offer our users the possibilty to optimize their images stored in Google Drive, from their personal space on our website.
In order to optimize these images, the user needs to create an account with ShortPixel.com. Then the ShortPixel website Google Drive optimization application needs to be allowed access to the users Google Drive in order to view, download, upload, modify, add files as a different file type at your request or overwrite files.
In order to aquire this permission, upon the first usage, the logged-in ShortPixel user will be asked to connect their account to the Google Drive Account, using Google OAuth 2.0 (note that the email used to register the ShortPixel account can be different from the one of the Google Account).
Since optimization may take a while, the app needs offline access to your Google Drive Account, and, as consequence, it requests your consent for Refresh Token, which allows the app to continuously access your Google Drive Account while you are not present in the app. After the authorization, ShortPixel will only store the Refresh Token (provided by Google OAuth 2.0) in order to communicate with Google OAuth 2.0 and access users files from Google Drive.
After user grants access to the application, the user can browse the content of their Google Drive from their private space on ShortPixel.com and select the folder for optimization by using the contextual menu of the app. When the user selects a folder for optimization, the name and ID of that folder are stored in the ShortPixel's optimization queue to be processed in the background.
Upon optimization, the application first downloads the content of the Google Drive folder to the ShortPixel servers, filtered by accepted file types and starts optimizing them. "Filtered by accepted file types" means only files of the following types will be downloaded: JPEG, PNG, GIF, BMP, TIFF, PDF. After the optimization is complete on ShortPixel's cloud, the application uploads the optimized files back to Google Drive, overwriting the old files or adding it as a different file type at your request. Files are then deleted from ShortPixel servers and the user receives an email - at their address from their ShortPixel account - letting them know that the optimization is done.
The statistics of the folder optimization (folder name, number of files - total, optimized, already optimal, failed - and the optimization percent) are kept in ShortPixel's database and used for future reference.
Please be aware that Refresh Token allows the app to continuously access your Google Drive Account while you are not present in the app and it expires after 6 months. If you don’t want to permit the app to access your Google Drive after optimization, you must revoke the access here or delete your ShortPixel account.
2.3. Customer Support
The Personal Data is also Processed for offering support to Customers, at their request, pursuant to Art. 6 (1) b) GDPR for the performance of a contract and to Art. 6 (1) f) GDPR, on the basis of our legitimate interest. In order to help our Customers, we need to use their Personal Data for user identification, for debugging reasons and in order to communicate with the Customers that need assistance.
For this purpose, we use a feature called Beacons
for helping the Users of our ShortPixel services. This feature is made by HelpScout
, a Third Party service provider we use for customer support. Through this feature we gather the following Personal Data: name, e-mail address, other information provided by clients during the support operations.
We also added the Beacon feature to our Website (ShortPixel.com and sub-domains). This info helps us understand the issues of our Users.
We will communicate with you in response to your inquiries, to provide the products and services you request, and to manage your account. We will communicate with you by e-mail, live chat or telephone, in accordance with your wishes.
We offer our Users the possibility to easily formulate their requests to the Company or regarding the Company’s products. Quriobot built and maintains a chatbot tool that we are using to offer customer support to our Users.
The Personal Data Processed for the above scopes consists of: name, e-mail address, domain name and other information provided by the Customer.
2.4. Marketing information
For transmission of commercial communications by electronic means, we use our servers, a customer communication platform. In this regard, the following data may be Processed: name and surname, e-mail address.
We also send newsletters to our Users about deals and promotions. Our marketing campaigns could promote other services as well, if we believe that they are compatible with our service, and that they could be useful for our Users. We try to keep these types of messages at a maximum of two emails per user/ each month.
The legal basis for this Processing is your consent, according to Art. 6 (a) GDPR and your legitimate interest, in accordance with Art. 6 (f) GDPR.
If you no longer wish to receive the Company's promotional communications, you may "opt-out" from receiving them by following the instructions included in each communication. Please note that the withdrawal and ensuing changes are valid only for the future and will be effective or, as it may be, implemented by no later than 48 hours from withdrawal. This is for reasons of a technical nature, which do not permit faster implementation.
2.5. Functional communications
We send emails to inform our Users about new features, service changes, interruptions of our service, possible errors or bugs. These messages are an important part of our communication with our Users.
The Company may, but is not obliged, to send you strictly service-related announcements on rare occasions, when it is necessary to do so. For example, if our service is temporarily suspended for maintenance, we might send you an e-mail.
The legal basis for this Processing is the performance of the contract (consisting of the Website and Services Terms & Conditions) according to Art. 6 (1) b) GDPR and our legitimate interest to organize the requests (Art. 6 (1) f) GDPR).
Generally, you may not opt-out of these communications since they are not promotional in nature. If you do not wish to receive them, you may have the option to deactivate your account.
2.6. Blog management
We also Process Personal Data when we communicate with our blog readers and give them the opportunity to express certain points of view/ questions. In this regard, we are using the services of WebHostFace for hosting our blog (blog.shortpixel.com), as well as Disqus platform.
For this scope, the following data may be Processed: name and surname (if available), profile picture (if available), comment content. The legal basis for this Processing lays in the performance of our Website's Terms and Conditions (Art. 6 (1) letter b) GDPR), and in our legitimate interest to communicate, interact and receive feedback from you (Art. 6 (1) letter f) GDPR).
2.8. Accounting records
For keeping our accounting records and complying with accountability and fiscal legislation, we collect your name, address, purchased services and payment data.
The legal basis for this Processing is the performance of the contract (consisting of the Website and Services Terms & Conditions) according to Art. 6 (1) b) GDPR and our legitimate interest to organize our acconting records (Art. 6 (1) f) GDPR).
2.9. No sell or share
We will never sell your data and share your data for marketing purposes or for any purpose. Also we will always keep your personal data and website data secure.
The data that we collect from you is stored in Germany and Romania and will be processed by staff operating inside Europe who work for us or for one of our suppliers. Our staff may be engaged in, among other things, the fulfilment of your order and the provision of support services. Your website data will be kept until it is no longer required for the purpose of its collection.
2.11. Data retention
We will keep your website data saved during using of ShortPixel Hosting for maximum 90 days after you have cancelled your account as a backup measure in case you want to come back , or we can delete all data on the spot if you ask us to. There are cases when we remove this data much faster if we do usual maintenance work to save disk space. Your hosting account is created once you purchase your hosting plan and add your domain on the Hosting page afterwards.
3. DATA RECIPIENTS AND DATA TRANSFERS
3.1. Data recipients
Services providers: We may employ third party companies and individuals to perform service-related activities. These Third Parties may access your Personal Data only to perform these tasks on our behalf and are compelled not to disclose or use it for any other purpose.
Also, where these recipients qualify as data processors, they will be contractually bound to respect the same obligations in what regards the protection of Personal Data as that incumbent to us and shall implement adequate technical and organizational measures for the protection of Personal Data, at least at the same level as those implemented by the data controller.
Third parties: Your Personal Data may be provided to governmental and regulatory agencies (e.g. tax authorities), courts or other governmental authorities, in accordance with the provisions of the applicable legislation and in line with art. 6 (1) (c) GDPR, as well as to external consultants acting as data controllers (e.g. lawyers, accountants, auditors, etc.), based on art. 6 (1) (f) GDPR.
3.2. Data transfers
We may transfer your Personal Data abroad, both to countries located within the EU/EEA and to countries outside EU/EEA.
For some of these countries located outside EU/EEA, the transfer of data is recognized by the European Commission as ensuring an adequate level of protection for the Personal Data, in accordance with art. 45 GDPR.
In what regards the recipients located in other countries, by executing Data Transfer Agreements based on Model Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries), in accordance with art. 46 (5) GDPR or by using other adequate means for the transfer of Personal Data, we ensured that all such recipients offer an adequate level of protection for the Personal Data and that adequate technical and organizational measures have been implemented for the protection of Personal Data against unlawful destruction, loss, alteration or unauthorized disclosure.
4. HOW LONG DO WE KEEP YOUR PERSONAL DATA?
The Personal Data provided by you to us is only stored for as long as it is required to perform the respective purpose for which you have transmitted your data, or inasmuch as it is required for conformity with statutory or official requirements.
Your Personal Data for taking the necessary actions to offer Customers the Company’s products are kept by us for additional 3 years as of the termination of our contractual relation.
As regards your website data saved during using of ShortPixel Hosting, we will keep this data for maximum 90 days after you have cancelled your account as a backup measure in case you want to come back, or we can delete all data on the spot if you ask us to. There are cases when we remove this data much faster if we do usual maintenance work to save disk space.
According to Romanian law (art. 25 para. 1 of Law no. 82/1991), your Personal Data proccessed for the scope of keeping accounting records are kept by us for 10 years as of the end of the financial year in which the invoices have been issued.
We also keep your Personal Data for the duration of our contractual relation for providing you support services and for the purpose of offering you the possibility to formulate your requests to the Company or regarding the Company's products.
For commercial communications transmitted by electronic means, we keep your Personal Data until the moment of transmission of the communication or until you withdraw your consent, in case the request for transmission of commercial communications concerned recurrent communications.
We keep your Personal Data in relation to blogging activities during the existence of the blog or until the deletion of the comment by you.
5. LINKS TO OTHER WEBSITES
We are not responsible for the collection, usage and disclosure policies and practices of other organizations, such as Facebook, Twitter, Google, or any other developer, provider, social media platform, operating system provider, wireless service provider, including any personal information you disclose to other organizations through or in connection with our social media functionalities, therefore we recommend you examine the privacy statements for all Third Party websites, to understand their procedures for collecting, using, and disclosing your Personal Data.
6. DATA SECURITY
We have taken appropriate technical and organizational measures to guarantee data security, in particular to protect your Personal Data against access by Third parties, as well as accidental or intentional modification, loss or destruction. The Company stores the information it collects on computers located in a controlled, secure facility, protected from physical or electronic unauthorized access, use, or disclosure.
The Personal Data are kept in safe conditions in accessible electronic format, using the authentication systems of the internal domain, access rights for each User for the allocated resources and in printed format.
The Company protects the privacy and integrity of the information it collects by employing appropriate administrative protocols, technical safeguards, and physical security controls, designed to limit access, detect and prevent the unauthorized access, improper disclosure, alteration, or destruction of the information under its control. The Company transmits the information used by its external service providers for the specific outsourced operations listed above, across public and private networks via recognized encryption technologies, such as by using Secure Sockets Layer (SSL) software, which encrypts the information you input.
7. RIGHTS OF OUR USERS REGARDING THE PERSONAL DATA
Pursuant to the legal requirements established by GDPR, Data Subjects have specific legal rights relating to the personal data we collect from them, as follows:
• Right to withdraw consent
: Where you have given consent for the Processing of your Personal Data, you may withdraw your consent at any moment.
• Right to rectification
: You may obtain from us rectification of Personal Data concerning you. We make reasonable efforts to keep Personal Data in our possession or control which are used on an ongoing basis, accurate, complete, current, and relevant, based on the most recent information available to us.
• Right to restriction
: You may obtain from us restriction of Processing of your Personal Data, if you contest the accuracy of your Personal Data and the legal requirements for the exercising of this right are met.
• Right to access
: You may ask from us information regarding Personal Data that we hold about you, including information as to which categories of Personal Data we have in our possession or control, what are used for, where we collected them, if not from you directly, and to whom they have been disclosed, if applicable. We may have to charge you with a reasonable fee should you request further copies of your Personal Data.
• Right to portability
: You have the right to receive your Personal Data that you have provided to us, and, where technically feasible, request that we transmit your Personal Data (that you have provided to us) to another organization,
• Right to object
: You may object, at any time, to the Processing of your Personal Data due to your particular situation, provided that the Processing is not based on your consent but on our legitimate interests or those of a Third Party. In this event we shall no longer Process your Personal Data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the Processing or for the establishment, exercise or defense of legal claims.
• Right to erasure
: You have the right to request that we delete the Personal Data we Process about you. Please note that the deletion of Personal Data can lead to the termination of the service we provide due to technical reasons.
• The right to fill a complaint with the national authority
: For us, your Personal Data is important, and we try to take all the necessary steps to protect it and to respect your rights. You have the right to fill a complaint at the National Authority for the Supervision of Personal Data Processing (Romanian: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal), also known as ANSPDCP
If you have any questions about the Company's security on its Website, please feel free to contact us using the contact page on the Website.
8. INTERNET FRAUD
The Company has a ZERO TOLERANCE policy for Internet fraud or any attempt to access or acquire Customer or other information on its Website via illegal or surreptitious means. The Company works with local, national, and international fraud investigation agencies and employs a variety of electronic and other means to discourage, detect, and intercept fraudulent activities.
9. CHILDREN’S PRIVACY
The Company's Website is not intended for or directed to persons under the age of 16. The Company does not buy or sell products or services from or to children. Any person who provides their information to the Company through the Company's Website attests that they are 18 years of age or older.
If we become aware that a child under the age of 18 has provided us with personally identifiable data, we will delete such information from our servers/databases.
10. CHANGES TO THIS PRIVACY STATEMENT
Data subject’s use of the Website after such changes have been made constitutes his agreement to such changes.
Last updated: 26.12.2022
APPENDIX 1. - SHORTPIXEL DATA PROTECTION ADDENDUM
This Data Processing Addendum ("DPA") is concluded between you ("Customer") and ShortPixel ("Company") and it regulates the data processing activities performed within your use of ShortPixel Services. Unless otherwise defined in this DPA or in other applicable agreements (i.e. Terms & Conditions – the "Agreement"), all capitalised terms used in this DPA will have the meaning given to them in Section 2 of this DPA.
This DPA applies to the processing operations performed on Customer data for the provision of ShortPixel Services, as detailed in Appendix 1 below. In this context, ShortPixel will act as a data processor to Customer.
This DPA serves as an amendment to the Terms and Conditions - the Agreement.
In this DPA the bolded terms which are not otherwise defined shall have the meaning described to them below:
"Services" means all the Services provided through ShortPixel, as detailed at Section 4 of the Terms and Conditions;
"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
"Processor" or "the Company" or "ShortPixel" means the entity acting in the name of the Controller;
"Controller" or "the Customer" means the entity determining the purposes and means of the Personal Data processing;
"Processing" shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"Subprocessor" or "Partner" or "Subcontractor" means a third party, partner of ShortPixel, designated to provide the Services or part of the Services and / or processing of Customer’s Personal Data;
"Purpose of Processing" means the reasons for which the Personal Data are being processed or the goal to be achieved through the Processing;
"Data Subjects" mean the natural persons using the Services and the Customers of any of the Customer’s websites hosted through the Services provided by ShortPixel.
"Data Protection Authority" or "DPA" means a supervisory authority controlling the processing of personal data because: (a) the Controller or Processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that supervisory authority;
"Data Protection Officer" or "DPO" means the person designated by the Controller or the Processor in compliance with Article 37 of the GDPR;
"Transfer of Personal Data" means any transfer of Personal Data from an entity to another entity. A transfer can be carried out via any communication, copy, transfer or disclosure of Personal Data through a network, including remote access to a database or transfer from one medium to another, whatever the type of medium (for instance from a computer hard disk to a server).
"GDPR" means Regulation (EU) 2016/679 dated April 27, 2016, as amended from time to time.
"Relevant Data Protection Legislation" means the relevant Romanian data protection legislation, as amended from time to time.
III. OBLIGATIONS OF THE PROCESSOR
3.1. General obligations
- comply with all obligations incumbent upon the data processors, as provided by the GDPR and the Relevant Data Protection Legislation;
- comply with the documented Customer’s instructions, in particular without limitation those instructions which are necessary to ensure the Customer is in compliance with the GDPR and the Relevant Data Protection Legislation;
- process the Personal Data solely in order to perform its obligations under the T&C for provision of the Services, only pursuant to the terms and conditions of this Agreement and/or in accordance with the instructions of the Customer, except where ShortPixel is required to have a specific conduct pursuant to GDPR or the Relevant Data Protection Legislation. In such a case, ShortPixel shall inform the Customer of the relevant legal requirement before Processing unless the relevant law prohibits such notification on important grounds of public interest;
- promptly inform the Customer i) of its inability to comply with the provisions of this DPA and/or ii) if, in its opinion, an instruction of the Customer infringes the GDPR or any other Relevant Data Protection Legislation; and
Any notification related to protection of Personal Data under this DPA shall be send to: email@example.com
3.2. Security and Confidentiality Obligations
ShortPixel shall preserve the security and confidentiality of the Personal Data and implement all adequate measures to ensure the level of security of the Customer’s Personal Data are appropriate.
The Company undertakes to implement all reasonably necessary and appropriate technical and organizational measures using generally accepted technology to protect the Personal Data it processes under the T&C for providing the Services and this DPA against unauthorized or accidental access, alteration, transmission, disclosure, deletion or destruction.
ShortPixel shall review and adapt such measures regularly to comply with the state of the art and applicable regulations, namely security measures necessary to ensure the conservation and integrity of the Personal Data processed during the performance of the Agreement (for instance to secure the access to computers, to install antivirus, to perform regular backups on removable media and to increase the employees and suppliers’ awareness to security measures);
Without limiting the generality of the foregoing, the Company shall comply with the following obligations and shall ensure that its employees and/or its suppliers / Partners will also comply with them:
- ShortPixel shall process the Personal Data only in accordance with the Customer’s instructions and to the extent such processing is necessary to carry out the Company’s obligations in connection with the performance of the Services;
- ShortPixel will not use the Personal Data for any other purposes, nor will retain this data for any longer than required by the Customer;
- ShortPixel will use personnel who: (i) has a need to process the Personal Data in order to fulfill the Company’s obligations in relation to the Services, (ii) has entered into confidentiality agreement; (iii) has received adequate training regarding the protection of Personal Data and (iv) has been informed of any special data protection requirements arising from this DPA and of the limitation of the use of the Personal Data for specific purposes as instructed;
- The Personal Data shall not be disclosed to any third party, whether individual or legal person, public or private entity without prior approval of the Customer;
- ShortPixel shall not sell, assign, rent and more generally transfer the Personal Data for any reason without the prior written approval of the Customer;
- ShortPixel shall not make copies or duplicate of the Personal Data without the prior written consent of the Customer, unless such copies or duplicates are necessary for the fulfillment of its obligations in relation to the Services.
3.3. Personal Data Breach Notification
The Company shall notify the Customer of any Personal Data Breach without undue delay and in writing after it becomes aware of such Personal Data Breach. Such notification shall at least contain the following information:
the nature of the Personal Data Breach including where possible, the data categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
the name and contact details of the contact point where additional information can be obtained;
a description of the likely consequences of the Personal Data Breach;
a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the relevant information at the same time, the information may be provided in phases as soon as possible.
The Company also undertakes to provide the Customer with reasonable assistance and co-operation to notify the Personal Data Breach to the competent Data Protection Authority and to communicate such Personal Data Breach to the Data Subjects, in compliance with Articles 33 and 34 of the GDPR and any Relevant Data Protection Legislation.
The Company shall design and implement procedures for managing and reporting such Personal Data Breach to the Controller.
3.4. Exercise of Data Subjects’ rights
ShortPixel shall provide the Controller, taking into account the nature of the Processing, with reasonable assistance and co-operation, to allow the Customer to respond (i) to requests presented by Data Subjects for exercising their rights, or (ii) to requests of the competent Data Protection Authorities in relation with the Processing of Personal Data. In particular, the Company shall implement appropriate technical and organisational measures in order to promptly satisfy, within 5 working days, any request for information from the Customer.
ShortPixel may only grant access to, correct, delete, block, restrict the Processing of, or communicate to the Data Subject the Personal Data processed on behalf of the Customer in a structured, commonly used and machine-readable format, when instructed to do so by the Controller.
If a Data Subject would apply directly a request or a complaint to the Company, ShortPixel shall forward this request or complaint to the Customer without undue delay, at the contact email provided by the Customer.
ShortPixel may disclose, assign, or otherwise communicate Personal Data to any subcontractor (whether located within the EU or outside the EU) when neccessary for providing the Services for the Customer.
The Customer gives its consent for ShortPixel to disclose, assign, or otherwise communicate Personal Data to its subcontractors.
The Company shall impose on its subcontractor by way of a contract or other legal act, the same legal requirements as the Company itself undertakes under the DPA, in particular the obligation to provide sufficient guarantees in relation with the Processing by implementing appropriate technical and organizational measures. Where the subcontractor fails to fulfil its data protection obligations, the Company shall remain fully liable towards the Controller for the performance of that subcontractor’s obligations.
3.6. Data transfers
ShortPixel may transfer Personal Data abroad, both to countries located within the EU/EEA and to countries outside EU/EEA.
In what regards the recipients located in other countries, by executing Data Transfer Agreements based on Model Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries), in accordance with art. 46 (5) GDPR or by using other adequate means for the transfer of Personal Data, the Company ensures that all such recipients offer an adequate level of protection for the Personal Data and that adequate technical and organizational measures have been implemented for the protection of Personal Data against unlawful destruction, loss, alteration or unauthorized disclosure.
IV. OBLIGATIONS OF THE CONTROLLER
The Customer undertakes to comply to its obligations as Controller under GDPR. The Customer shall ensure that the Data Subjects have consented to any disclosure of Personal Data to the Company. Also, the Customer shall provide on request all justification for each transmission of such Personal Data and its decisions regarding Processing of such Personal Data on its behalf.
V. AUDIT RIGHTS OF THE CONTROLLER
Under a prior written notice sent to the Company, the Customer may request to perform an audit of the technical and organizational measures implemented by the Customer in order to verify whether the Company complies with the provisions of this Agreement.
Any issues, errors or irregularities that are identified, and brought to the Company's attention, will be promptly remedied by the Company without delay.
The Customer undertakes to comply with any confidentiality provisions, policies and/or rules the Company may notify to the Customer in the context of the audit.
The Company will assist the Controller with any data protection audits or controls enforced by a Data Protection Authority or other competent public authority if these audits or controls concern data Processing within the scope of the DPA.
VI. RETENTION, RETURN OR DELETION OF DATA
During the execution of the Agreement, the Company shall implement adequate technical and organizational measures to comply with data retention periods applicable to Customer’s Personal Data processed under the Agreement where requested by the Customer.
VII. LIABILITY AND INDEMNIFICATION
Pursuant to the provisions of Article 82 of the GDPR, Company shall indemnify the Customer from the claims asserted by Data Subjects, Data Protection Authority and third parties with respect to a breach of the Company’s obligations under this DPA.
The Company shall be exempt from liability under paragraph 1 if it proves that it is not in any way responsible for the event giving rise to the damage.
This Agreement shall automatically terminate upon the termination of the Services.
The Company shall continue to process the Personal Data for an additional period of 90 days after termination. During this period, the Company shall keep a copy of the Customer’s data for security purposes as back up.
Processing of these data by the Company is considered to be compliant to Customer’s instructions.
The Company shall erase all Personal Data processed on behalf of the Customer for providing ShortPixel Hosting not later than 90 days following expiry or termination, subject however to any regulatory obligations concerning the retention of the Personal Data applicable to the Company. In such a case the Company shall inform the Customer about such obligations.
BY ADHERING TO THE PROVISIONS OF THE AGREEMENT, the terms of this DPA are also deemed accepted by the Controller and will regulate the data processing activities performed for the scope of the Agreement.
APPENDIX 1 - Personal Data Processing activities
Purpose(s) of Processing
Provision of hosting for the benefit of the Customer.
Category/ies of Personal Data:
- Name and surname, e-mail address, domain name, IP, chat logs, support requests, server logs: connections, autentications, access, errors, timestamp, IP location and also operating system when you access ShortPixel Hosting or any web site that is owned by ShortPixel, address, purchased services and payment data.
- Data stored and processed by the Customer as: sourse code, WordPress database, site backups, and folders and files in server directories, CDN etc.
Category/ies of Data Subjects:
- Customers and users of the Customer services.
Provision of image optimisation services for the benefit of the Customer.
Category/ies of Personal Data:
- Name and surname, e-mail address, images to be processed, IP, timestamp, IP location and also operating system when you access ShortPixel Image Optimizer or any web site that is owned by ShortPixel, address, purchased services and payment data.
Category/ies of Data Subjects:
Duration of Processing operations of ShortPixel Services.
- Data stored and processed by the Customer during using ShortPixel Hosting are kept by us during the term of the Agreement but not later than 90 days following expiry or termination, subject however to any regulatory obligations concerning the retention of the Personal Data applicable to the Company. In such a case the Company shall inform the Customer about such obligations.
- Personal Data proccessed for the scope of keeping accounting records are kept by us for 10 years as of the end of the financial year in which the invoices have been issued.
- Personal Data for taking the necessary actions to offer Customers the Company’s products are kept by us for additional 3 years as of the termination of our contractual relation.
- Personal Data for providing you support services and for the purpose of offering you the possibility to formulate your requests to the Company or regarding the Company's products are kept by us for the duration of our contractual relation.
- Personal Data for commercial communications transmitted by electronic means, are kept by us until the moment of transmission of the communication or until you withdraw your consent, in case the request for transmission of commercial communications concerned recurrent communications.
- Personal Data in relation to blogging activities are kept during the existence of the blog or until the deletion of the comment by you.
APPENDIX 2 - Summary of the Technical and Organizational Security Measures in order to ensure protection of Personal Data
1. Information Security Program. The Company will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the ShortPixel Network, and (c) minimise security risks.
2. Designated Information Security Person: The Company will designate a designated person to coordinate and be accountable for the information security program.
3. Main points of the information security measures:
- Customer access management: Access to Personal Data is only provided to those employees and contractors who have a legitimate business need for such access privileges.
- Network Security: ShortPixel network will be electronically accessible to employees, contractors, and any other person as necessary to provide the services under the Agreement.
- Physical security: Acces control procedures implemented to prevent unauthorised entrance to Processor’s facilities.
- Continued Evaluation: The Company will conduct periodic reviews of the security of its network and adequacy of its information security program as measured against industry security standards and its policies and procedures.
4. Other measures described within the content of the DPA.