EDGE Empower® Data Privacy Policy

1. INTRODUCTION

1.1 This EDGE Empower® Data Privacy Policy, as amended from time to time, (Data Policy) is dated and effective as of 30 November 2022 (the Effective Date).

1.2 EDGE Strategy’s services, platforms, cloud-based services, or software (collectively Services) are generally provided on the basis of an agreement with Clients.

1.3 In the event of a conflict between the Data Policy and the agreement, the latter shall prevail.

1.4 EDGE Strategy is committed to protect and respect personal data. In this Data Policy, Data Subjects may be Users of one or more of our services, platforms, cloud-based services, or software (collectively our Services), made available by us to the Client, or, as the case may be, Eligible Employees of Client to participate in an anonymous survey.

1.5 As a technology company specializing in the development of tools for data processing, we take the protection of personal data seriously. For this reason, we would like to provide the Client with detailed information about the types of personal data we collect and process in connection with the use of any of our Services, to whom this personal data is transferred, and the rights the Data Subjects have in connection with the processing of this personal data. As an internationally oriented company based in Switzerland, we adhere to the data protection standards of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).

1.6 The following must be read carefully to understand our views and practices regarding personal and non-personal data of Data Subjects and the manner we will treat it. If the personal information requested is not provided, we will not be able to provide Clients with Services or respond to any queries Data Subjects may have. By using our Services, Client and Data Subject are accepting the terms of this Data Policy and consenting to the processing of the information as described herein.

1.7 For the avoidance of doubt, “processing” may mean on a computer/handheld device or using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information.

2. APPLICABILITY AND SCOPE

2.1 This Data Policy, together with any other terms provided by us and the exceptions expressly set out herein, applies to the use of all our Services, unless a separate policy or legal document applies to a particular service, in which case that policy or legal document applies only.

2.2 This Data Policy describes and sets out the basis for the collection, use, disclosure, storage retention and protection of the personal data provided to us while using any of the Services and applies to all personal data we collect through the use of our Services. We do not endorse, nor do we have influence on the content or policies of third-party services and therefore cannot assume any responsibility for them.

2.3 Before disclosing to us any personal data of another person (including employees and contractors), Clients and Data Subjects must obtain that person’s consent to both the disclosure and the processing of that personal data in accordance with this Data Policy.

3. SERVICE ACCESS

3.1 We only process personal data if this is necessary to provide our Services.

 

3.2 The processing of personal data is only carried out on the following legal bases and purposes:

a) Processing on the basis of the consent to the processing of personal data (art. 6 (1) (a) GDPR),

b) Perform our contractual obligations towards Clients, manage, administer, analyze, enable and improve usage of our Services and enhance their stability,

c) Help us create, develop, operate, deliver, and improve our products, Services, content and advertising, and for loss prevention and anti-fraud purposes,

d) For internal purposes such as auditing, data analysis, and research to improve our products, services, and customer communications,

e)Processing for the performance of a contract to which Clients are parties or in order to take steps at Clients request prior to entering into a contract (art. 6 (1) (b) GDPR),

f) Processing for the purpose of legitimate interests pursued by us or third parties (art. 6 (1) (f) GDPR).

4. STORAGE, RETENTION AND DELETION OF PERSONAL DATA

4.1 Personal data that is collected and processed as described in sections 8 and 10 herein is stored by our hosting provider, Aspectra AG, certified in accordance with the ISO 27001:2013 standard and audited for compliance with the Swiss Financial Market Supervisory Authority Circulars 2008/07, 2008/21 and 2018/03.

4.2 Personal data that is collected and processed as described in section 9 herein is stored by secure facility servers located in the EU.

4.3 We will retain the personal data provided to us for as long as Client uses our Services and for the performance of our contractual obligations, as well as compliance obligations or other purposes pursued with the processing and for a reasonable time thereafter so long as it is necessary and relevant for our business operations and beyond this duration in accordance with legal retention and documentation obligations.

4.4 Notwithstanding other provisions of this Data Policy, we may retain documents, including electronic documents, containing personal data:

a) to the extent that we are required to do so by law or to fulfil our contractual obligations towards the Client,

b) if we believe that the documents may be relevant to any ongoing or prospective legal proceedings relevant to us,

c) in order to establish, exercise or defend our legal rights (including without limitation, collection of any fees owed, resolve disputes, troubleshoot problems, enforce this Data Policy and/or our terms of use or providing information to others for the purposes of fraud prevention and reducing credit risk.

4.5 After it is no longer necessary for us to retain personal data, we dispose of it in a secure manner according to our data retention and deletion policies. The personal data will also be deleted if a statutory storage period expires, unless there is a need for further storage of the data for the conclusion or performance of a contract.

5. TRANSFER OF PERSONAL DATA

5.1 In the context of our business activities and in line with the purposes of the data processing set out herein, we may transfer personal data to third parties, insofar as such a transfer is permitted and we deem it appropriate, in order for them to process data for us or, as the case may be, for their own purposes. In particular, the following categories of recipients may be concerned:

a) Affiliate companies of EDGE Strategy LTD,

b) Service providers and subcontractors such as law firms, banks, insurance companies and cloud infrastructure providers,

c) Business partners,

d) Courts, authorities, and arbitral tribunals.

5.2 Certain data recipients may be within Switzerland, but they may be located in any country worldwide. In particular, data may be transferred to countries, in which our Organization, their affiliates, or business partners are located as well as countries in which service providers are located or where Organization and affiliate companies are involved in business. If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection as legally required by way of using appropriate contracts or binding corporate rules or we rely on the statutory exceptions of consent, performance of contracts, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the persons concerned.

6. DISCLOSURE OF PERSONAL DATA

6.1 We may use and disclose personal data as we deem necessary:

a) Under applicable law, or payment method rules,

b) To enforce any applicable terms of use or rights,

c) To protect our rights, data, safety or property, and/or that of our affiliates, Client or others,

d) to respond to requests from courts, law enforcement agencies, regulatory agencies, stock exchanges and other public and government authorities, which may include authorities outside Client’s country of residence.

6.2 We may disclose some or all of the personal data we collect when our Services are used to some third parties, including but not limited to mobile applications, websites and third-party integration on or using our Services, partners or collaborators. Information collected by these third-party apps, websites or integrated services is subject to their own terms and policies.

6.3 We may disclose personal data to any of our affiliates.

6.4 We may disclose personal data to third parties:

a) in the event that we sell or buy any business or assets, in which case we may disclose personal data to the prospective seller or buyer of such business or assets,

b) if our company or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets,

c) if we are under a duty to disclose or share personal data in order to comply with any legal or regulatory obligation or request,

d) with our trusted services providers who work on our behalf, do not have an independent use of the information we disclose to them, and have agreed to adhere to the rules set forth hereunder,

e) when we believe in good faith that disclosure is necessary to protect our rights, property or safety of our customers or protect Users’ safety or the safety of others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction, or respond to a government request, inter alia,

f) in order to enforce or apply any applicable terms of use and other agreements or to investigate potential breaches.

7. RIGHTS AS DATA SUBJECTS

7.1 If personal data concerning are processed, Data subjects have the following rights:

a) the right to be informed when personal data are collected from the Data subjects,

b) the right to be informed when personal data have not been obtained from the Data subjects,

c) the right of access by the Data subjects,

d) the right to rectification,

e) the right to erasure (‘the right to be forgotten’),

f) the right to restriction of processing,

g) the notification obligation rectification or erasure of personal data or restriction of processing,

h) the right to data portability,

i) the right to object,

j) the right not to be subject to a decision based solely on automated processing, including profiling.

8. CREATION OF AN EDGE EMPOWER ACCOUNT

8.1 To get access to and make use of our Services, Users may be required to have an user account (EDGE Empower ID). In order for us to create an EDGE Empower ID, Users may be asked to provide us with the following personal data (Account Information) relating to them: first name and last name, e-mail address and company name.

8.2 The collection and processing of Account Information are carried out with the purpose of identifying Users as the unique holder of their respective account and the EDGE Empower ID, enable features, prevent fraud, perform Client support, and to ensure that personal data can only be viewed by the respective Users. To further enhance the security and the integrity of personal data, we expressly reserve the right to collect additional registration information.

8.3 Since the collection of the personal data described here is necessary to fulfil our contractual obligations, the processing is based on Art. 6 (1) (b) GDPR.

9. COLLECTION OF DEVICE AND LOCATION INFORMATION

9.1 Each time Users use one of our Services, and/or log in with their EDGE Empower ID, we may automatically collect the following data about Users and/or their respective device, which may be linked to their Account Information (Usage Information) in order to enable the use of such Services:

a) technical information, including the type of device used, a unique device identifier, respective Users EDGE Empower ID, network information, operating systems, the type of browser uses, time zone setting, etc.,

b) details of the use of and interaction with any of our Services which may include, but is not limited to, functions use, traffic data, location data, and any crash data and logs, weblogs and other communication data, whether this is required for our own purposes or otherwise and the resources that the Users access or usage trends.

9.2 The collection and processing of Usage Information are carried out with the purpose for us to optimize our Services and to ensure the security of our information technology systems. The data is not evaluated for marketing purposes in this context. Since we have a legitimate interest in providing a functional website, Art. 6 (1) f) GDPR serves as the legal basis for processing personal data.

10. COMPLETION OF AN ANONYMOUS SURVEY

10.1 As the case may be, we may collect, on behalf of Clients, personal data of Eligible Employees, such as e-mail address or technical information, including a unique device identifier or network information.

10.2 The collection and processing of data are carried out with the sole purpose of identifying participants as unique individual participants.

10.3 We will take reasonable technical and organizational precautions to prevent the possibility to link individual participants with the answers given to the anonymous survey.

10.4 Since the collection of the personal data described here is necessary to fulfil our contractual obligations, the processing is based on Art. 6 (1) (b) GDPR.

11. NON-PERSONAL DATA OWNERSHIP AND LIABILITY

11.1 When our Services are used, we may collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal data for any purpose. Data subjects retain the property rights in and to the personal data processed by us, uploaded, transmitted, stored or located in or provided to us while using or arising out of the use of our Services. Users hereby grant us an irrevocable, perpetual and unconditional right to use, reproduce, distribute, or prepare derivative works based on any such non-personal data, on an anonymized way. We shall keep at all times any and all right, title and interest in and to any such derivative works.

11.2 Users shall be at all times fully responsible for all the data and content collected through, uploaded into, stored or transmitted by means of our Services either by themselves or any third party using or with access to our Services, lawfully or unlawfully, based on the Agreement.

12. RESPONSIBILITIES

12.1 We act solely on the instructions of Clients as far as the creation of an EDGE Empower ID is concerned, and, as the case may be, personal data of Eligible Employees. This means that we qualify as a processor within the meaning of the GDPR.

12.2 We determine the purposes and means of the processing of the Usage Information. This means that we qualify as controller within the meaning of the GDPR.

12.3 As controller, we are committed to ensure that privacy and personal data is protected and that personal data is only used in accordance with this Data Policy. For any inquiries regarding our use of personal data, Data Subjects can contact us as follows:

a) by post to the following address: EDGE Strategy LTD, Neuhofstrasse 4, 6340 Baar, Switzerland,

b) by email, using the following address: .

12.4 We will take all steps reasonably necessary to ensure that personal data is treated securely and in accordance with this Data Policy.

13. THIRD-PARTY DATA PRACTICES

13.1 This Data Policy addresses only the use and disclosure of information we collect, process from Clients and Data Subjects or that has been provided while using our Services. If Data Subjects disclose information to others, their particular policies and practices shall apply.

14. GAINSIGHT

14.1 Our Services use the Customer Success and Support Platform Gainsight. Gainsight is operated by Gainsight Inc., a software company with headquarters at Bay Street 50, Suite 100, San Francisco, CA 94133, USA.

14.2 We use Gainsight to process with Usage Information in order to better understand the respective Users experience and therefore their needs so that we can optimize our Services experience. Gainsight also enables us to make Users’ experience more interactive by implementing features including user guides, dialogues and surveys (Engagements). Some Engagements may be configured to appear to meet certain criteria (e.g., has visited the Services at least twice). However they are never configured to target individual holders of an account.

14.3 For more information, please refer to the Gainsight privacy policy: https://www.gainsight.com/policy/services-privacy-notice/.

15. INSIDED

15.1 Our Services use the Customer Success Community Platform inSided. inSided is operated by inSided B.V., a software company with headquarters at Singel 118a, 1015 AE, Amsterdam, The Netherlands.

15.2 InSided collects and processes personal data only to provide the publicly viewable community or information about community activities, to evaluate respective Users’ activities, to provide the gamification offer and to forward any inquiries to us.

15.3 For more information, please refer to the inSided Data Processing Addendum: https://www.insided.com/docs/data-processing-addendum.

16. CALIFORNIA PRIVACY DISCLOSURES

16.1 Californian consumers have a right to knowledge, access, and deletion of their personal data under the California Consumer Privacy Act. California consumers also have a right to opt out of the sale of their personal data by a business and a right not to be discriminated against for exercising one of their California privacy rights. We do not sell the personal data of California consumers and do not discriminate in response to privacy rights requests.

16.2 This Data Policy includes what personal data is collected, the source of the personal data, and the purposes of use, as well as whether we disclose that personal data and if so, the categories of third parties to whom it is disclosed.

17. CHANGES TO THE DPA

17.1 This Data Policy may be updated from time to time for any reason at our sole discretion. We will notify the respective Users of any changes to our Data Policy by posting the new Data Policy and/or informing then when they next start using or log onto one of the Services. They are advised to consult our Data Policy regularly for any changes, as continued use is deemed approval of all changes. The new terms may be displayed on-screen, and respective Users may be required to read and accept them to continue the use of certain of the Services.

18. TRANSLATIONS

18.1 As an international company, we may make available certain translations of this Data Policy for convenience only. The English version of this Data Policy shall be the legally binding and controlling version in all respects, and shall prevail in the event of any conflict, inconsistency or discrepancy between the English and any translated version of this Data Policy.