Privacy Policy

Luware Privacy Policy – Valid from 9th May 2024

 

This Privacy Policy applies to Luware AG (Pfingstweidstrasse 102, 8005 Zurich, Switzerland) and all its worldwide Affiliates (Luware Group Companies) (“we“, “Luware”). It governs the handling of information and personal data we collect from our customers, partners, suppliers and other online users (“you”, “User”) in connection with our business, including the provision of our website https://luware.com/en (“Website”), and our products and services, including in particular our cloud-based hosting services (“Hosted Services”), professional services and support services (together referred to as “Services”).

Luware reserves the right to amend this Privacy Policy anytime at its own discretion. The User will be appropriately notified of such changes by being required to agree to the new privacy policy (opt-in) the next time the Services are used, or the Website is accessed.

Why do we collect Information and Personal Data?

In general, we collect your information and personal data in order to provide our Website and Services in the most consistent, efficient and user-friendly manner possible. Personal data is only processed with the consent of the Users, unless there is another valid lawful basis for processing data.

We collect personal data and information in particular to:

  • fulfill our contractual obligations with you

  • fulfill our obligations regarding our Services

  • provide you with communications such as information about our Services, updates of standard agreements like this privacy policy, the Luware Cloud Services Terms of Use or Luware Cookie Notice, or the status of an order

  • send you payment reminders and receive payments for subscriptions to our Services

  • enable you to communicate with us, respond to your e-mails and deal with other requests

  • process job applications

  • improve the usability of our Website and Services

  • improve and optimize the operation and performance of our Websites and Services

  • diagnose problems, errors and security risks in our Services and on our Website

  • prevent fraud and other abuse of our Services, systems and Website

  • comply with the applicable laws and regulations

When using our Website or Services you generally have choices regarding the information and personal data you wish to share with us. When we ask for such data, you can always decline to provide it. However, parts of our Services or Website require certain personal data for the proper execution and use of the functions of the Services or Website. Therefore, if you refuse to provide us with the necessary information, you will unfortunately not be able to make full use of the Services or Website.

Each time you access our Website, our system automatically collects data and information from the computer system of the accessing computer. Information on this can be found in our Luware Cookie Notice.

Whose Personal Data do we process?

We collect and process Personal Data in particular about the following individuals:

  • Website Users: When browsing or contacting us via our Website

  • Service Users: When using our Services

  • Hosted Service Users: Services may include the processing of our Users data through our Hosted Services (“Hosted Data”). Save for the limited circumstances set out in this Luware Privacy Policy, we are not the data controller of this Hosted Data as we do not determine the purposes or the means of the processing. Should you believe that your Personal Data is being processed  in this manner, you should refer to the privacy notice of the data controller on whose behalf we are acting.

  • Personnel working for customers, partners and suppliers: If the organization you work for uses our Services or otherwise has a business relationship with us, we may process your data, including in particular data included in emails, call communications or data recorded in any related documentation.

  • Event attendees: If you register for or attend one of our events or webinars, we will process personal data about you in connection with your attendance at the event.

  • Recipients of Marketing Communications and Surveys

  • Office Visitors: If you visit our offices, we may have CCTV installed in some locations for security purposes

  • Job Applicants

  • Employees and Contractors

What type of Personal Data do we process?

In general, we may process the following personal data:

  • Email address

  • SIP address

  • IP Address

  • Name

  • Company name and business address

  • Telephone number

  • Billing and payment information

  • Educational background and employment experience for job applications

  • Any other personal data you may choose to provide to us

For more information on the data we process in our Hosted Services please refer to our Whitepapers Luware Recording and Luware Nimbus.

When you visit our Website, we also collect information such as your browser type and access times. For more information on the cookies we use, please visit our Luware Cookie Notice.

When do we collect your Information and Personal Data?

In general, we may ask for information and personal data when you:

  • use our Website

  • use our Services

  • request quotes, Services, support, downloads, upgrades, trials or general information

  • place orders for Services

  • are working for one of our customers, partners or suppliers

  • make payments

  • register for / attend events

  • subscribe to newsletters, programs, promotional emails, or other marketing collateral

  • apply for a job or submit your CV

  • visit our offices

  • contact us in general

How do we keep your Personal Data safe?

For Users of our Hosted Services, the Whitepapers Luware Recording and Luware Nimbus apply.

We take all reasonable steps to protect your information and personal data from misuse, interference and loss, as well as unauthorized access, modification or disclosure. The ways we do this include:

  • encryption when collecting or transferring sensitive personal data

  • limitation of physical access to our premises and devices

  • limitation of access to the information we collect about you

  • limitation of access on a strict need-to-know basis

  • maintenance of appropriate security safeguards

  • deletion or anonymization of personal data where required by law or by you (where permitted by the applicable law)

  • signature of strict confidentiality agreements with all employees, partners and third parties we may disclose your personal data to

  • encryption, wherever possible, if personal data is transferred outside the EEA, Switzerland or the UK

This list is not exhaustive. The current technical and organizational measures of Luware can be found under Luware Technical and Organizational Measures and in the Luware Recording and Luware Nimbus Whitepapers.

If you wish to receive more information about the data security measures at Luware please contact compliance@luware.com to the attention of the Luware Data Protection Officer with the subject “TOM Information Request”.

Luware AG holds the ISO 9001 and ISO 27001 certifications. More information can be obtained by contacting compliance@luware.com to the attention of the Luware Data Protection Officer with the subject “ISO Certification Information”.

Who may we disclose your Personal Data to?

General. We do not share your personal data with third parties, unless this is necessary to fulfil the purpose for which the data was collected, for example to fulfil contractual obligations, to respond to your enquiries, for our professional or legitimate business purposes or because of legal requirements. Personal data may be disclosed to or processed by the third parties listed below, where strictly necessary, for the purposes set out above and in accordance with applicable data protection laws. This list is non-exhaustive and there may be circumstances where we need to share personal data with other third parties.

  • Luware Affiliates. Luware AG and its Group Companies may share information and personal data with each other. This relationship and the handling of personal data is governed by the Luware intercompany agreement which provides for compliance with the legal requirements of the applicable laws. The sharing of data may occur for purposes of User support, marketing, technical operations, account management or organizational matters.

  • Luware Employees. All Luware employees including, if applicable, third party contractors, are bound by strict confidentiality undertakings as part of their contract. This includes relevant internal policies such as Personnel Regulations, IT-Security Regulations or Remote Working Policies.

  • Luware Certified Resellers. Luware’s authorized resellers have entered into a reseller agreement with Luware which includes strict confidentiality undertakings and the requirement to adherence to the applicable data protection laws. These resellers may perform onboardings, issue offers to customers and provide any further support needed to use our Services.

  • Third Party Suppliers. Third party suppliers assist Luware with its general internal business operation or the provision of aspects of the Services. Our suppliers are given access to User information and personal data only as reasonably necessary to provide the Services and will be subject to confidentiality obligations in their service agreements. Some of our main current third party suppliers are:  Microsoft (collaboration tool, customer relationship management and hosting infrastructure); Salesforce (cloud-based CRM system; https://www.salesforce.com/de/company/privacy/); DocuSign (cloud-based electronic document signature service; https://www.docusign.de/unternehmen/datenschutz); Freshdesk (cloud-based customer support services; https://www.freshworks.com/privacy/); Totango (cloud-based customer success platform; project tracking; https://www.totango.com/privacy-policy); Chargify (cloud-based subscription management payment solution; https://www.chargify.com/privacy-policy/).

  • External recruiters, and related organizations such as third-party providers that undertake employee background checks on our behalf and on behalf of other entities within our Group Companies.

  • Auditors, lawyers, accountants and other professional advisers who advise and assist us in relation to the lawful and effective management of our organization and in relation to any disputes we may become involved in.

  • Law enforcement or other government and regulatory agencies and bodies or other third parties as required by, and in accordance with, applicable laws or regulations. In certain situations, Luware or its Group Companies may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

  • Other third party providers as set out in our Luware Cookie Notice

We do not permit our third party providers to use the personal information that we share with them for their marketing purposes or for any other purpose other than in connection with the services they provide to us.

Where do we keep your Personal Data?

Luware Locations. Data is generally processed by Luware Group Companies within the EEA, Switzerland and the UK. Switzerland and the UK have been approved by the EU Commission as countries countries which ensure an adequate level of protection according to Art. 45 GDPR.

Data on Hosted Services. Data we process in connection with our Hosted Services is stored and processed in the Microsoft Azure Cloud. The location of the Microsoft Azure Cloud instance can be chosen by the User. We currently offer the locations Switzerland, Germany and the UK. The Luware Group Companies, Luware UK Limited, Luware Deutschland GmbH and Luware Poland Sp. z o.o may process data to provide support, troubleshooting and maintenance services to our Users. More information on the processing of Hosted Data within our Hosted Services can be obtained in our Luware Recording and Luware Nimbus Whitepapers.

Third Country Transfers. When making any transfers of personal data from the EEA to countries which do not hold a valid adequacy decision by the EU Commission, we will comply with our legal and regulatory obligations in relation to your personal data, including having a lawful basis for transferring personal data and putting appropriate safeguards in place to ensure an adequate level of protection for the personal data. We will take reasonable steps to ensure the security of your personal data in accordance with applicable data protection laws.

How long do we keep your Personal Data for?

General. The personal data of Users will be deleted when the original purpose of the processing no longer exists. Luware will retain personal data as long as necessary (i) to comply with applicable legal obligations, (ii) for legal and litigation purposes, (iii) to maintain accurate financial records and other records, (iv) to deal with complaints, and (v) to enforce contractual agreements. Personal data will be deleted as soon as these retention requirements cease to apply.

Hosted Services. Hosted Data in our Hosted Services is deleted per default after 30 days of termination of a subscription to the Services unless otherwise agreed between you and Luware or unless Luware is obliged to retain the data for a longer period of time in accordance with applicable law and the retention rights set out above.

What are your rights?

Right to be Informed and Right of Access. You have the right, at any time, to request information about the personal data we keep of you. You have the right to request information on your personal data available to us in electronic form and, where necessary, request rectification should your personal data not be up to date or inaccurate.

Right to Rectification. You have the right to request the rectification of your personal data if it is inaccurate or incomplete.

Right of Erasure. You have the right, at any time, to request that we securely and permanently delete your personal data available to us. Please note that if you request deletion of personal data that is required to provide the Website or Services then you may not be able to use the Website or Services. If your personal data is not strictly necessary for the provision of the Website or Services, you may request that such personal data be permanently and securely deleted.

Right to Restrict Processing. You can ask us to “block” or suppress the processing of your personal data available to us in certain circumstances such as where you contest the accuracy of that personal data or you object to us processing it for a particular purpose. This may not mean that we will stop storing your personal data but, where we do keep it, we will tell you if we remove any restriction that we have placed on your personal data stopping us processing it further.

Right to Data Portability. You have the right to receive the personal data concerning you, which you have provided us, in a structured, commonly used and machine-readable format, where the processing is based on consent or on the performance of a contract and the processing is carried out by automated means. You can ask us to transmit this data directly to another controller, where technically feasible.

Right to Object. You can ask us to stop processing your personal data, and we will do so, if we are (i) relying on our own or someone else’s legitimate interest to process your personal data, except if we can demonstrate compelling legal grounds for the processing, or (ii) processing your personal data for direct marketing purposes.

Rights Relating to Automated Decision Making and Profiling. You have the right to object to decisions based solely on automated processing and to question the decision made about you by a computer. You can have any decisions explained to you and also ask for a person to be involved in the decision making, particularly if the decision has a significant effect on you. You cannot object to automated decision making, including profiling, if it is required for a contract you have entered into, it is required by law or you have given explicit consent.

Right to Withdraw Consent. If we have collected and processed your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.

Legal Restrictions. In some cases, your ability to access or control your personal data will be limited, as required or permitted by the applicable law.

Complaint. You have the right to lodge a complaint with the competent supervisory authority:

Requests

Data Subject Requests. If you wish to receive information on the personal data we keep of you, or would like any actions performed in accordance with your rights set out above, please send an email to compliance@luware.com to the attention of the Luware Data Protection Officer with the subject “Data Subject Request” as well as your company reference and/or name. Your request will be dealt with in due course and in any case within one month of receipt of such a request. Should Luware only be the data processor of your personal data, then Luware will forward your request to the data controller as soon as reasonably practicable.

Hosted Data Requests. Some of our Services include the processing of our customer’s data through our Hosted Services. Save for the limited circumstances set out in this Privacy Policy, we are not the data controller of this Hosted Data as we do not determine the purposes or the means of the processing. If you wish to access, correct, update, modify or delete Hosted Data or if you would no longer like to be contacted by one of our customers you should direct your query to the entity which, is the data controller of your data. Should you ask us to process a request, we will respond within a reasonable timeframe. If you are a customer of our Services and wish to raise a request on behalf of data subjects in connection with Hosted Data, you may raise a ticket on the support portal of the relevant Service.

Concern Requests. If you have any other concern about any aspect of our privacy practices, including the way we have handled your personal data, you may send an email to compliance@luware.com to the attention of the Luware Data Protection Officer with the subject “Data Subject Request – Concern” or by post to Luware AG, Data Protection Officer, Pfingstweidstrasse 102, 8005 Zürich Switzerland (reference “Data Subject Request – Concern”).

Trusted Function. You are able to raise a concern about (i) a breach of the applicable laws and regulations, (ii) a suspected breach of the applicable laws and regulations, or (iii) any other matters or concerns that you would like to raise with us and for which you would not like to use other existing reporting channels. For this purpose, you may contact Luware’s Trusted Function via compliance@luware.com to the attention of the Luware Trusted Function with the subject “Trusted Function – Concern”. The Report should, where possible, contain (i) a description of the concern, (ii) the event, the breach and/or the suspected breach, (iii) the date of occurrence and/or timeframe of occurrence, (iv) the involved parties, and (v) any other information such as communications etc. that may be helpful in order to address the case.

Anonymous Requests. Concerns and requests via the Trusted Function may be raised anonymously. For this purpose, please ensure that you do not use an email address that may in any way personally identify you and avoid using your real name when lodging the request.

Representatives

EEA Representative (Art. 27 GDPR): Luware Deutschland GmbH, Schlossstrasse 70, 70176 Stuttgart, Germany; Contact Person: Sabrina Deakin, Managing Director of Luware Deutschland GmbH.

UK Representative: Luware UK Limited, 5 Prescot Street, London E1 8AY, United Kingdom; Contact Person: Alexander Grafetsberger, Executive Director at Luware UK Limited.

CH Representative: Luware AG, Pfingstweidstrasse 102, 8005 Zurich, Switzerland; Contact Person: Sabrina Deakin, COO at Luware AG.

Applicable Law and Jurisdiction

Subject to mandatory legal provisions, this Privacy Policy shall be governed by the substantive laws of Switzerland without further reference to its conflicts of law rules and to the exclusion of all and any international conventions. Any dispute arising out of or with respect to this Privacy Policy shall be subject to the jurisdiction of the competent courts in the canton of Zurich, Switzerland.

Download

Privacy Policy (PDF | 1st of September 2023)
Privacy Policy (PDF | 7th of November 2022)