Version 2.1 - 4th October 2024
Asite Solutions Limited Data Privacy Policy
Change log:
4th October 2024
- 10.2.6.1 Co-controllers – removal of 3DRepo and Asite Solutions B.V (Holland)
- 10.2.6.2 Sub-processors within the EU/UK space – update AWS regions (UK and EU)
- 10.2.6.3 Sub-processors outside the EU/UK space – removal of nCircle (India); update AWS regions, update BIOSME/STC and BIOSME/Mobily (KSA), adding Google Cloud (KSA), adding Gong for US (Sales and marketing)
1. Introduction
1.1 Asite Solutions Limited and its relevant subsidiaries and affiliates (“we”, “our”, “us”, “Company”) are global leaders of a cloud-based construction management platform that enables organisations to come together, plan, design and build with seamless information. Our comprehensive range of solutions enable organisations to build together and build resilience.
1.2 This Data Privacy Policy (“Policy”) sets out how we, and our relevant subsidiaries (including Asite Solutions Limited (UK), Asite 3D Repo Ltd (UK), Asite Solutions PVT Ltd (India), Asite LLC (USA), Asite Solutions PTY Limited (Australia), Saudi Asite Company for Communications and Information Technology (KSA), Asite Solutions DMCC (UAE), Asite Solutions (HK) Limited (China) and Asite Solutions B.V (Holland) (“subsidiaries”) handle, collect, share and process the Personal Data of our customers, suppliers and other third parties. Please be aware that the data privacy laws can vary in different jurisdiction where we operate. Some jurisdictions may also apply any federal, state, or local laws.
2. Scope
2.1 This Policy applies to all Personal Data we Process regardless of the media on which that data is stored or whether it relates to past or present customers, clients or supplier contacts, website users, or any other Data Subject. We are committed to protecting your privacy and the confidentiality of your Personal Data. Our Policy is not just an exercise in complying with the law, but a continuation of our respect for you and your Personal Data.
2.2 We recognise that protecting the confidentiality of Personal Data is an integral and critical responsibility that we take seriously at all times.
2.3 The Data Protection Officer is responsible for overseeing the matters relating to this Policy and any applicable policies and guidelines.
That post is held by Mr Tiago Rosado, and can be reached at dataprivacy@asite.com alternatively at, Asite Solutions Limited, 7th Floor, Leconfield House, Curzon Street, London, W1J 5JA.
2.4 The Company and the Data Protection Officer are registered with the UK ICO bearing registration number as Z8249786.
2.5 Please contact the DPO with any questions about the operation of this Policy or if you have any concerns that this Policy is not being or has not been followed. In particular, you must always contact the DPO in the following circumstances:
- 2.5.1 if you are unsure of the lawful basis on which you are relying to process Personal Data (including our legitimate interests);
- 2.5.2 if you are unsure about the retention period for the Personal Data being Processed;
- 2.5.3 if you are unsure what security or other measures you need to implement to protect Personal Data;
- 2.5.4 if there has been a Personal Data Breach;
- 2.5.5 if you are unsure on what basis to transfer Personal Data outside the UK;
2.6 This Policy does not apply to the extent where we process Personal Data while acting as a processor or service provider on behalf of our customer; under such circumstances we only process Personal Data on behalf of and in accordance with the instructions from our customer. Accordingly, please note that the privacy practices of our customers may differ from those explained in this Policy.
3. Definitions
- 3.1 Consent: agreement which must be freely given, specific, informed and be an unambiguous indication of the Data Subject’s wishes by a statement or by a clear positive action, signify agreement to the processing of Personal Data relating to them.
- 3.2 Cookies: are small text files that are placed on a computer’s hard drive by the web browser when a website is visited. They allow information gathered on one web page to be stored allowing a website to provide with a personalised experience and the website owner with statistics about how the users behave at the website.
- 3.3 Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the UK GDPR and the EU GDPR and further in line with various data privacy laws in the jurisdictions where we operate. In this instance, the Company is the controller of the Personal Data.
- 3.4 Co-controller: means our subsidiaries.
- 3.5 Data Subject: a living, identified or identifiable individual about whom the Company holds Personal Data. Data Subjects have legal rights regarding their Personal Data. In this Policy, Data Subjects are referred to as “you”, “yours”.
- 3.6 ISO 27001: the international standard to manage information security, which was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again revised in 2022.
- 3.7 ISO 27701: the privacy extension to ISO/IEC 27001.
- 3.8 Personal Data: any information identifying you directly or indirectly from that data alone or in combination with other identifiers. Personal Data can be factual (e.g., a name, an email address, location, date of birth in) or an opinion about that person’s actions or behaviour. Personal Data includes sensitive personal data such as revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data.
- 3.9 Processing or Process: any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including (but not limited to) organising, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
- 3.10 Processor: Is a natural or legal person that processes Personal Data on behalf of the controllers. The UK GDPR places specific legal obligations for controllers such as maintaining records of Personal Data and processing activities.
- 3.11 EU GDPR: the General Data Protection Regulation (European Union) 2016/679 as defined in the Data Protection Act 2018.
- 3.12 UK GDPR: the retained European Union law version of the EU GDPR.
4. Data we process
4.1 We may collect, use, store and transfer various kinds of Personal Data about you, which we have collated into the following groups :-
Categories of Identifiers |
Examples |
Contact Details
|
First name |
Last name |
|
Title |
|
Date of Birth |
|
Unique personal identifier |
|
Internet protocol address |
|
Email address |
|
Account name |
|
Other identifiers you may have provided to us at some time |
|
Contact Information |
Billing address |
Delivery address |
|
Email address |
|
Telephone number |
|
And any other information you have provided to us for the purpose of communicating or meeting |
|
Activity- based Contact Data |
First visit |
Last visit |
|
Number of days active |
|
Number of events |
|
Time on site |
|
Device |
Most recent browser version |
Browser name |
|
Operating system |
|
Internet or other similar Network Activity |
Interactions with our websites, applications, systems, and advertisements |
Usage Data |
Web page Interactions |
Referring webpage/source through which you accessed the product |
|
Statistics associated with the interactions between device or browser and the products |
|
Commercial Information |
Vertical of the company |
Products or services purchased or obtained |
|
Any historical purchase or consumption |
|
Size of the company |
|
Marketing Information |
Marketing preferences |
Communication preferences |
|
Responses and actions in relation to your use of our services |
|
Financial |
Banks account and payment card details |
Payment history |
|
Tax information |
|
Details about payments or communications to and from you and information about products and services you have purchased from us |
|
Technical Data |
Internet protocol (IP) address |
Browser type and version |
|
Time zone and settings |
|
Location |
|
Browser plug-in types and versions |
|
Operating system |
|
Others |
Receiving help through our customer support channels |
Participation in customer surveys or contests; and |
|
Audio/video recordings (e.g., recorded meetings and webinars) CCTV footage, photographs. |
|
Facilitation in the delivery of our products and to respond to their inquiries. |
5. Sources of Personal Data
- 5.1 We collect information about you and how you interact with us, in several ways, including:
- 5.1.1. Information you provide to us directly:- We collect the information you provide to us directly. This includes instances when you register and communicate with us directly through our digital properties, when you send emails, letters or faxes to us (or by any other means of communication) when you visit any of our offices, when you participate in our events, or when you participate in our marketing and outreach activities (including surveys, contests, promotions, sweepstakes, conferences, webinars, and events).
- 5.1.2. Information automatically collected or inferred from your interactions with us:- We automatically collect technical information about your interactions with our digital properties (such as IP address, browsing preferences, and interaction history).
- 5.1.3. Information from public sources:- We may collect information from government entities from which public records are obtained and information you submit in public forums, including information made publicly available on social media networks.
- 5.1.4 Information from other third parties:- We receive information about you from other third parties, such as third party service and content providers, entities with whom we partner to sell or promote products and services, telephone and fax companies, authentication service providers, data brokers, etc.
- 5.1.5. Information about your actual location:- We do not automatically collect information about your actual location, other than an approximate location (usually no more precise than city level), which can be determined from your IP address. In certain instances, our customers who are using the platform may explicitly ask you to provide location information and this data will be stored in accordance with the way Personal Data is stored on our website. In certain instances, we may use cookies and similar technologies to store and access information we collect through our service.
- 5.2 To the extent permitted by applicable law, we may combine information that we receive from the various sources described in this Policy, including third-party sources and public sources.
6. Where the Personal Data is stored?
6.1 The information we collect directly from you, about how you use our services may be transferred to, stored at, and processed on our secure systems.
7. Purpose for which we will use your Personal Data
- 7.1 We will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to perform a contract with you, or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some instances, we may also have a legal obligation to collect Personal Data from you or may otherwise need the Personal Data to protect your vital interests or those of another person.
- 7.2 We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
- 7.3 Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity
Type of data
Lawful basis for processing including basis of legitimate interest
To register you as a new customer
(a) Identity
(b) Contact
Performance of a contract with you
To process and deliver your order including:
(a) Manage payments, fees and charges
(b) Collect and recover money owed to us
(a) Identity
(b) Contact
(c) Financial
(d) Transaction
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:
(a) Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey
(a) Identity
(b) Contact
(c) Profile
(d) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To enable you to partake in a prize draw, competition or complete a survey
(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Identity
(b) Contact
(c) Technical
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
(a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Technical
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
(a) Technical
(b) Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
(a) Identity
(b) Contact
(c) Technical
(d) Usage
(e) Profile
(f) Marketing and Communications
Necessary for our legitimate interests (to develop our products/services and grow our business)
8. Communicating with us
8.1 When you contact us by any means, we collect the data you have given to us in order to reply with the information you need thereby increasing the efficiency of our business. We keep personally identifiable information associated with your message, such as your name and contact details so as to be able to track our communications with you to provide a high-quality service.
9. Cookies
9.1 These are small files that we send to and store on your computer so that we may recognise it is a unique machine the next time you visit our site. Following are the reasons we do this:- (a) to keep a track of your information for your convenience; (b) to help us optimise your online experience by altering our content depending upon your particular needs or browsing patterns; and (c) to help us understand the size of our audience and their traffic patterns within our site. Cookies do not typically contain any information that personally identifies a user, but any Personal Data that we store bout you, may be linked to the information stored in and obtained from such cookies.
9.2 You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookies policy at https://www.asite.com.
10. Transfer limitation
10.1 The UK GDPR and the EU GDPR restricts data transfer to countries outside the United Kingdom and the European Union. Our website is hosted the United States of America. We may also use outsourced services in countries outside the European Union from time to time in other aspects of our business. Accordingly, data obtained within the UK could be processed outside the UK or the EU.
10.2 We use the following safeguards with respect to data transferred outside the United Kingdom or the European Union:
- 10.2.1 The processor is within our corporate group structure and abides by the same binding corporate rules regarding data processing;
- 10.2.2 Pursuant to any approved Standard Contractual Clauses (as adopted by the European Commission) and as approved by the Binding Corporate Rules (BCR) or any other current or future appropriate safeguards, from time to time;.
- 10.2.3 We comply with a code of conduct approved by a supervisory authority in the European Union.
- 10.2.4 We are certified under an approved certification mechanism pursuant to Article 42 of the EU GDPR.
- 10.2.5 We are certified under the ISO 27001 and are also implementing ISO 27701 standards.
- 10.2.6 We use the following sub-processors and co-controllers to store/transfer/process any Personal Data in the following countries/regions:
- 10.2.6.1.Co-controllers
Countries
Co-controllers
India
Asite Solutions PVT Ltd
USA
Asite LLC
Australia
Asite Solutions PTY Limited
KSA
Saudi Asite Company for Communications and Information Technology
UAE
Asite Solutions DMCC
China
Asite Solutions (HK) Limited
UK
Asite Solutions Limited (UK)
- 10.2.6.2 Sub-processors within the EU/UK space
Microsoft Office 365 (eMail, Teams)
Keeper Security (Secure password sharing, API Key Sharing, PAM)
Microsoft Azure – UK and EU(Netherlands) (Client Data)
AWS – UK and EU(Netherlands) (Client Data)
Trello (SaaS KanBam board)
DocuSign (Document and contract e-signature)
Mimecast (eMail security)
ISMS.online (ISPIMS)
Jumpcloud (Device Management)
Countercept (EDR/XDR)
Salesforce (Sales & marketing, Professional Services, Support, Invoicing)
BreathHR (HR Data )
Cyber Ark (Privileged Access Management)
KnowBe4 (Phishing training)
- 10.2.6.3 Sub-processors outside the EU/UK space
Name
Details
Namescan
Sanctions & PEP scans, KYC (Australia)
Asite Solutions PVT Ltd (India)
Support (India)
Google Cloud
For clients with data in KSA
Microsoft Azure
For clients with data in UAE, Hong Kong, China, Gov Cloud USA, USA, Canada, Australia
Amazon Web Services (AWS)
For clients with data in USA, Gov Cloud USA, Canada, UAE, Hong-Kong, China; Australia
Adobe
Document Signing (USA)
HubSpot
Sales & Marketing contacts, Website (USA)
Trinet
HR,Wage, Benefits (USA)
Cognism Gong
Sales & Marketing (USA)
Atlassian JIRA
Support Tickets (USA)
Atlassian JIRA, Confluence, Bitbucket
Tickets, Documentation, Code repository (USA)
Expensify
Expenses (USA)
GitHub
Code Repository (USA)
BIOSME/STC
For clients with data in KSA (Saudi Arabia)
BIOSME/Mobily
For clients with data in KSA (Saudi Arabia)
- 10.2.6.1.Co-controllers
11. Complaints
11.1 If you are in any way dissatisfied about how we process your Personal Data, you may contact us via email at dataprivacy@asite.com.
12. Your Legal Rights and Requests
12.1 In this section we have summarised the rights you have under data protection laws. Some of the rights are complex while others are simple. We may have not included all the details of such rights in our summary below, and invite you to read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.
12.2 Subject to any applicable data protection legislations, you may have the following rights:-
- 12.2.1 Right to know:- You have the right to know and understand what Personal data we collect and how we process it;
- 12.2.2 Right to access:-You have the right to request access to any Personal Data concerning you, subject to limited exceptions that may be prescribed by applicable law;
- 12.2.3 Right to correct:-We aim to ensure that all of your Personal Data is correct. You are entitled to have any inadequate, incomplete or incorrect Personal Data corrected;
- 12.2.4 Right to withdraw Consent:-In the event your Personal Data is processed on the basis of your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- 12.2.5 Right to data portability:-Where we rely upon your consent as the legal basis for processing, or the fact that the processing is necessary to perform a contract/agreement to which you are party or to take steps at your request prior to entering a contract, and the Personal Data is processed by automated means, you have the right to receive all such Personal Data which you have provided to us in a machine-readable format;
- 12.2.6 Right to erase:-You are entitled to have your Personal Data erased under specific circumstances, such as where you have withdrawn your consent, where you object to processing based on legitimate interests and we have no overriding legitimate grounds or where Personal Data is unlawfully processed;
- 12.2.7 Right to restrictions of Processing:-You have the right to restrict the processing of your Personal Data in the following circumstances:- (a) where you contest the accuracy of the Personal Data, until we have taken sufficient steps to correct or verify its accuracy; (b) where the processing is unlawful but you do not want us to erase the Personal Data; (c) where we no longer need your Personal Data for the purposes of the processing, but you require such Personal Data for the establishment, exercise or defence of legal claims; or (d) where you have objected to processing on legitimate interest grounds, pending verification as to whether we have compelling legitimate grounds to continue processing
- 12.2.8 Right to lodge a complaint:-You may lodge a complaint with the supervisory authority of your habitual residence, place of work or place of alleged infringement. The list of the European Data Protection Board which brings together the national supervisory authorities of the countries in European Economic Area can be accessed at the following link https://edpb.europa.eu/about-edpb/about-edpb/members_en
13. Miscellaneous
13.1 Compliance with the law
- 13.1.1 Our Policy has been compiled to comply with the law of every country or jurisdiction in which we conduct or business or aim to conduct our business.
If you think it fails to satisfy the law of your jurisdiction, we would like to hear from you.
However, ultimately it is your choice as to whether you wish to use our website or services.
13.2 Review of this privacy policy
- 13.2.1 We may change, update or adjust this Policy from time to time as necessary.
The terms that apply to you are those posted here on our website on the day you use our website.
We encourage you to read and return to this Policy regularly to make sure you are upto date with the latest version published.
13.3 Data Retention
- 13.3.1 We will retain your Personal Data for as long as we have an ongoing business relationship with you or our business needs tend to do so (i.e., to comply with any applicable law, any statutory requirements, or in connection with the enforcement of our agreements).
- 13.3.2 When we have no ongoing legitimate business need to process your Personal Data, we may either delete or de-identify it, or, if this is not possible (because your Personal Data has been stored in backup archives), then we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
If we collect or use de-identified information, we will not attempt to re-identify it.
If you have any questions about privacy, including any requests to exercise your legal rights, please contact us at dataprivacy@asite.com.