9.3.2 Operations & Support — Legal & Policies — Privacy Policy

The Privacy Policy describes how personal data is collected, used, stored, and protected when users interact with the platform. It is designed to provide clear, accessible information about data practices and user rights while aligning with applicable data protection regulations.

Scope and Applicability

The Privacy Policy applies to all users, tenants, and visitors whose data is processed through the platform.

Applicability rules:

Applies to web, API, and integrated services

Covers both active users and data subjects

Supplements contractual data processing agreements

Categories of Data

The policy outlines categories of personal data that may be processed.

Common categories:

Identity and contact information

Account and access metadata

Usage and analytics data

Support and communication records

Data categories are limited to defined purposes.

Purposes of Processing

Personal data is processed only for explicit and legitimate purposes.

Typical purposes:

Account provisioning and authentication

Service operation and improvement

Support and incident handling

Compliance and security monitoring

Processing beyond stated purposes is not permitted.

Legal Bases

Processing activities rely on lawful bases as defined by applicable regulations.

Common bases:

Contractual necessity

Legal obligation

Legitimate interest where applicable

Consent when required

The applicable legal basis depends on context.

Data Sharing and Disclosure

The Privacy Policy explains when data may be shared.

Sharing principles:

Only with authorized subprocessors

Limited to necessary scope

Governed by contractual safeguards

Unnecessary disclosure is prohibited.

Data Subject Rights

Users and data subjects have rights regarding their personal data.

Supported rights:

Access and rectification

Erasure and restriction

Data portability

Objection to processing

Requests are handled within defined timeframes.

Data Retention

Retention periods are defined per data category and documented transparently.

Retention behavior:

Purpose-limited retention

Automatic deletion after expiration

Auditability of retention actions

Security Measures

The policy references technical and organizational measures used to protect data.

Security measures include:

Encryption at rest and in transit

Access controls and logging

Incident detection and response

Policy Updates

The Privacy Policy may be updated to reflect changes in law or processing activities.

Update handling:

Notice of material changes

Effective date disclosure

Archived prior versions

Disclaimer

This section provides an overview only. The complete Privacy Policy contains legally binding terms and prevails in case of conflict.