Privacy policy

Annex II: Privacy Policy

Version 2.2 of 09/15/2023

 

This document outlines the personal data processed by xpath.global for its clients, explaining how and where it is used, the protective measures in place, access to it, sharing practices, and correction procedures in compliance with EU Regulation 2016/679 (GDPR).

As xpath.global operates as a B2B marketplace and B2B case management system, the majority of the data processed is company-related. However, personal data of employees of the parties, affiliates, commercial partners, consultants, etc., may also be used on the Platform for Beneficiaries. In strict compliance with GDPR, xpath.global treats all information that may identify a physical person as personal data and ensures appropriate protection.

 

This Privacy Policy applies to the personal data processed by xpath.global as a data controller on its website and Platform for its clients. This document does not cover:
•  Any personal data exchanged between the Client and the Service Provider for the provision of Services or the fulfillment of Orders;
•  Any personal data processed by platform Beneficiaries. Such data processing is governed by the Data Processing Agreement in Annex 1 (Data Protection Annex) to the Terms and Conditions for the Use of xpath.pro Service and xpath.global marketplace.

All definitions found in the Terms and Conditions are applicable to this document and are supplemented with definitions from GDPR regulations.

1. Data Collection
When clients register on the website, whether as a platform Beneficiary, a Client, or a Service Provider, xpath.global requests representative company data. This may include basic personal data of the company, such as name, telephone number, or email address.

Clients may also create accounts on the xpath.global Platform for any of their expatriates, assignees, remote workers, foreign recruits and business travelers irrespective of their specific contractual relationship with the Client, such as employees of the parties, affiliates, commercial partners, consultants, etc. In these cases, data similar to the ones mentioned above may be required, and additional relevant information for using the Platform may also be requested.

Data may also be collected from clients when using interactive website tools like customer reviews, posts, or other materials, or during contact through email, telephone, postal mail, or any other communication method, including online communication tools and social media.

For website visitors, technical data necessary for proper website usage is collected, unless specific consent is given for other services (e.g., subscribing to the newsletter or contacting xpath.global).

2. Data Use
The data collected, as described above, is used for the following purposes:

2.1. Providing Services to the Company Represented by the Client
As explained, xpath.global manages a multi-service provider marketplace, listing services from various Service Providers, also known as suppliers. As a marketplace, xpath.global provides a platform for Clients to purchase services from Service Providers. Additionally, a specialized ERM software service is offered to xpath.pro Beneficiaries.

2.2. Contact and Support
Clients may be contacted via phone or email to resolve or process a technical issue, request feedback, or discuss any review, post, or similar communication made on the site. If a Client has inquired about a particular service or added it to My Favorites or their Cart, xpath.global may send relevant information about that particular service via email or another mode of contact. For instance, if a Client showed interest in a specific product and a new similar product is listed on the website, xpath.global may email to inform about the new product. Clients who have previously “opted out” of receiving emails will not receive any. Clients will always have an opportunity to opt out of such emails before they are sent.

2.3. Newsletter
Clients who subscribe to the newsletter or blog updates will receive regular updated information via email. Clients can unsubscribe at any time.

2.4. Technical Data

•  IP Address: IP addresses are processed to identify and prevent fraud. Specific IP addresses may be blocked if they are associated with spam or other harmful activities.
•  Cookies: Cookies are small text files placed on the Client’s computer by the websites they visit. They are widely used to make websites work more efficiently and to provide information to the site owners. Most web browsers allow some control over cookies through browser settings, which is the safest way to manage them. The majority of cookies used are first-party cookies added and managed by xpath.global and serve
functional purposes.
•  Third-Party Cookies: In some cases, xpath.global uses cookies provided by trusted third parties. Details about these third-party cookies are outlined in the following section.

The xpath.global Platform uses Google Analytics, a trusted analytics solution, to understand how clients use the site and to improve their experience. These cookies track information such as time spent on the site and the pages visited to produce engaging content.

Cookies from Hubspot are used to enable the chat function/contact form in specific parts of the website.

Several partners advertise on behalf of xpath.global, and affiliate tracking cookies help determine if clients have reached the site through one of the partner sites, enabling appropriate crediting
and providing any bonuses if applicable.

Social media buttons and/or plugins on the website allow clients to connect with their social network. To make these features work, social media sites including Facebook, LinkedIn, and Instagram may set cookies through the site, enhancing profiles on their platforms or contributing to the data they hold for various purposes outlined in their respective privacy policies.

Disabling Cookies: Clients can change their cookie settings by adjusting browser settings (see the browser’s Help section for instructions) or use a plugin to manage cookies. However, disabling first-party cookies may affect website functionality, including login capabilities.

To opt out of being tracked by Google Analytics across all websites, visit: http://tools.google.com/dlpage/gaoptout.

3. Legal Basis
Below is a summary of the legal basis for each activity. A “Legitimate Interests Assessment” has been conducted for any process where Legitimate Interests are listed as the legal basis for
processing such data.

Type of Activity

•  Receiving data as a representative of the platform, Beneficiaries, Clients, or Service Providers – the legal basis for this action is Legitimate Interests, and individuals have the right to object to this processing based on legitimate interests.
• Sending emails about similar products and services to your professional email address provided at registration – the legal basis for this action is Legitimate Interests, and individuals have the right to object to this processing based on legitimate interests, including objecting to direct marketing.
•  Subscribing to the newsletter or other updates – the legal basis for this action is Beneficiary consent, and individuals have the right to withdraw their consent, for example, using the unsubscribe option.
•  Processing technical data (including Beneficiary IP addresses) – the legal basis for this action is Legitimate Interests in order to prevent fraud.

Additionally, no data is used for decisions based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects individuals.

4. Transferring Your Data
In providing the xpath.global Platform and services, xpath.global cooperates with third-party service providers who act as data processors to assist in providing marketplace services. These service providers include software companies or cloud platforms where client data may be stored. All necessary contracts and agreements are in place with these providers to ensure compliance with legal and privacy protection requirements.

Essentially, xpath.global will not reveal any personal data about its users to third parties, except as mentioned in the exceptions below.

Exceptions include:
•  Disclosure of personal data to competent authorities upon their legal request and in accordance with applicable laws, or whenever necessary to protect the rights and interests of clients and xpath.global.
•  Possible transfer of data outside the EEA (European Economic Area), primarily when using a service provider from the marketplace located outside the EEA. Some countries offer similar privacy protection to EEA countries, while others do not. In cases where data needs to be transferred to a country without similar protection, reasonable efforts will be made to ensure the recipient of the data complies with the highest international privacy standards. This may include being located in a country offering an adequate level of personal data protection according to European Union standards (art 45 GDPR) or other
appropriate safeguards, including Standard Contractual Clauses (art 46.2 GDPR).

5. Storing Data
Data will be retained only for as long as necessary for its intended purpose and/or as legally required.

•  Account-related personal data will be retained for the entire period while the Beneficiary, or Client account is open and for 3 (three) years after its closure. This is to ensure proper fulfillment of the contract between the involved companies or for the establishment, exercise, or defense of legal claims between the parties.
•  Other data, such as support activities, will be kept for a period of up to 5 (five) years from the date and time the support activities were provided, unless the conditions mentioned in the preceding paragraph apply.
•  Legitimate interest-based communication data will be stored until an objection is raised or interest is no longer shown in the products and services, unless the conditions mentioned in the first paragraph of this section apply.
•  If data is collected based on consent, it will be kept until consent is withdrawn or interest is no longer shown in the products and services.

In all the aforementioned cases, log data and other metadata might be retained for unsubscribing or data deletion, in the event a complaint is received or for the establishment, exercise, or defense of legal claims.

If an individual is provided with a username, a password, or any other piece of information as part of the security procedures, they must treat such information as confidential and not disclose it to any other person.

6. Rights of the Client Under GDPR
The General Data Protection Regulation (GDPR) provides the client, as a Beneficiary, with various legal rights, many of which have been outlined in previous sections. Here are additional rights explained in detail.

•  Right of Access: The client, as a beneficiary, holds the right to request a copy of the personal information held by xpath.global at any time. This includes verifying the lawful processing of this data.
  Right of Rectification: Should the personal information held by xpath.global be inaccurate, outdated, or incomplete, the client has the right to request rectification or completion.
• Right of Erasure: Under specific circumstances, the client can request the erasure of personal information held by xpath.global (e.g., when the information is no longer necessary for the purposes for which it was collected or processed).
•  Right to Object or Restrict Processing: In certain situations, the client can object to xpath.global’s processing of their personal information. For example, if xpath.global processes the client’s information based on legitimate interests and there are no compelling legitimate grounds that override the client’s rights and interests.
•  Right of Data Portability: In certain instances, the client is entitled to receive any personal information held by xpath.global in a structured, commonly used, and machine-readable format.
•  Right to Withdraw Consent: In limited circumstances (e.g., newsletter subscription) where the client provided consent for the collection, processing, and transfer of their personal information for a specific purpose, they have the right to withdraw their consent for that specific processing at any time. To exercise this right, the client can contact xpath.global at office@xpath.global.

Exercising These Rights
The client can exercise their right to withdraw consent and any other rights granted by GDPR by notifying xpath.global via email at office@xpath.global. Alternatively, the client can write to xpath.global at the provided address or inform xpath.global if they prefer to communicate via telephone or other means.

The client also possesses the right to file a complaint with a competent supervisory authority or lodge a complaint in a competent court of law. This Privacy Policy was adopted on the date indicated in the document’s title and will be revised whenever necessary without prior or subsequent notice of the changes. The new version will take effect upon publication on the website and will be appropriately marked. The current document is accessible at https://xpath.global/terms-of-use-privacy-policy/