“Data Subject” is a natural person about whom Envoice has got information or data enabling to identify the natural person. Data Subjects are, for example, the Clients or their representatives, Visitors and cooperation partners, as well as the employees or other related persons of the abovementioned who are natural persons and whose personal data are held by Envoice.
“Personal Data” is any information concerning an identified or identifiable natural person.
“Personal Data Processing” is any operation or set of operations which is performed on the Personal Data of a Data Subject, such as collection, recording, organisation, structuring, storage, alteration and disclosure, enabling an access to, retrieval, consultation, use, transmission, cross-checks, alignment or combination, restriction, erasure or destruction of Personal Data, irrespective of the manner of performing these operations or the means exploited.
“Client” is any legal person that uses or has expressed a desire to use the Services of Envoice.
“Agreement” is the Terms of Service (found at https://envoice.eu/en/terms-of-service/), or any other agreement entered into between Envoice and the Client.
“Website” means the website of Envoice https://envoice.eu.
“Software” is the integrated cloud computing solution for providing the Envoice Products, including mobile applications, software, hardware, databases, interfaces, associated media, documentation, updates, new releases and other components or materials provided therewith.
“Visitor” is any person using the Website of Envoice.”
“Services” are any services and products offered by Envoice.
“Cookies” are the data files sometimes recorded in the device of a Visitor of the Website.
“Data Protection Officer” of Envoice is the person who monitors the implementation of the Personal Data Processing principles of Envoice and who can be contacted by the Data Subject in case of a complaint.
“Client Account” is the user account of the Client which primarily provides access to the digital products of Envoice and through which the Clients identify themselves.
2. GENERAL PROVISIONS
- Envoice is the legal person Envoice OÜ, registry code 12749039, registered address Tartu mnt 2, Tallinn, Estonia.
- Envoice may process Personal Data as:
- a controller, while determining the purposes and means of processing;
- a processor in accordance with the instructions from the controller; and
- a recipient to the extent to whom the Personal Data are transferred.
Here you find the principles that are always followed by Envoice while Processing your Personal Data. We Process your Personal Data in a lawful, fair, transparent way. We always have a purpose for such Processing, it is minimal, accurate, reliable, confidential and we always limit the storage of your Personal Data.
- The objective of Envoice is to Process Personal Data responsibly.
- All the processes, guidelines, operations and activities of Envoice that are related to Personal Data Processing are based on the following principles:
- Lawfulness. There is always a legal basis for the Processing of Personal Data, i.e. consent or legitimate interest;
- Fairness. Personal Data Processing shall be fair while providing a Data Subject with sufficient information and communication on how the Personal Data are Processed;
- Transparency. Personal Data Processing shall be transparent for the Data Subject;
- Purposefulness. Personal Data shall be collected for legitimate purposes that have been established precisely and clearly and shall not later be processed in any manner which is in conflict with these purposes;
- Minimisation. Personal Data shall be adequate, relevant and limited to what is necessary for the purpose of Processing the given Personal Data;
- Accuracy. Personal Data shall be correct and shall be updated as necessary, and all reasonable measures shall be taken to ensure that Personal Data which are incorrect in the light of the purpose of Personal Data Processing shall be deleted or corrected without delay;
- Limit of storage. Personal Data shall be stored in the format enabling the identification of Data Subjects only as long as it is necessary to achieve the purpose for which the Personal Data are processed.
- Reliability and confidentiality. Personal Data Processing shall be carried out in a manner ensuring the adequate security of Personal Data;
- Data protection by design and by default. Envoice shall ensure that all the systems used shall meet the required technical criteria. The suitable data protection measures have been planned upon the renewal or design of every information or data system (e.g. the information systems and business processes are constructed using pseudonymisation and encryption).
- Upon Personal Data Processing Envoice shall act with the purpose of always being capable of evidencing the conformity to the aforesaid principles and additional information regarding the conformity to these principles can also be requested from the Data Protection Officer.
4. COMPOSITION OF PERSONAL DATA
Here you find information on how we collect Personal Data and what kind of Personal Data we collect. First and foremost, we collect your Personal Data directly from yourself or from the Client. Other possibilities are valid as well.
4.1 Envoice collects, inter alia, the following types of Personal Data:
- the Personal Data disclosed to Envoice by the Data Subject e.g.:
- contact information such as: name; email address; telephone;
- information on job applicant such as resume;
- work position;
- country of residence;
- the Personal Data disclosed to Envoice by the Client of Envoice about a Data Subject e.g. Personal Data that may be found on receipts, invoices and other documents or input provided by the Client to Envoice;
- the Personal Data generated as a result of the day-to-day communication between the Data Subject and Envoice e.g. email content;
- the Personal Data generated upon consumption of Services and Personal Data generated as a result of visiting and using the Website and Envoice Software e.g.:
- time spent on the Website or applications and the consumption of Services; IP address; the operating system of a device; browser type; language info; access times; addresses of the Websites from which the Data Subject transferred to Envoice Website, network information, time zone settings;
- mobile device identifiers such as unique mobile device ID, hardware type, media access control (“MAC”) address, international mobile equipment identity (“IMEI”), name of the device;
- information about interaction with the services;
- general information about Data Subjects location;
- we might collect certain information Clients, or their representatives have uploaded to their accounting software when any Envoice Service is integrated with that software;
- information stored on users’ devices such as login information, photos, videos or other digital content;
- the Personal Data received from third persons;
- information collected using Cookies or other similar technologies;
- the Personal Data created and combined by Envoice (electronic correspondence or order history in the context of a client relationship).
5. PURPOSES AND BASES FOR PROCESSING OF PERSONAL DATA
Here you find out for which purposes and under which bases we can Process your Personal Data.
We process your Personal Data based on legitimate interest, consent, to perform an agreement, or for the entry into an employment agreement or for performing a legal obligation.
In case Envoice is Processing Personal Data obtained from the Client, the Client warrants that it has obtained the necessary consent of third parties and employees whose Personal Data might be included in the documents which Envoice is granted access to.
5.1 Envoice shall Process Personal Data only on the basis of consent or on other legal bases. Legal bases for Processing of Personal Data include but are not limited to legitimate interests or an Agreement between the Data Subject and Envoice.
5.2 Envoice shall Process Personal Data on the basis of consent precisely within the limits, to the extent and for the purposes determined by the Data Subject. A Data Subject shall give the consent freely, specifically, informedly and unambiguously, for example by ticking a box on the Website.
- Testimonials and Feedback. Envoice does not post any Personal Data relating to its users along with testimonials unless we have been given permission to do so by the user. We get in touch with our Clients to confirm that they are happy for their Personal Data to be posted on our Site before anything is posted to request their permission to do so. Clients may submit or ask us to withdraw a testimonial by contacting email@example.com.
- Envoice activities are not directed to Processing of Sensitive Personal Data. The Client warrants that in a case Envoice is Processing sensitive Personal Data provided by the Client, the Client has obtained a consent from such persons to authorize Envoice to Process such Personal Data for the following purposes:
- for providing Services to the Client;
- for improving Envoice algorithm, for providing more precise services to the Client;
5.3 Upon entry into and performance of an Agreement, Personal Data Processing may be additionally provided for in the specific Agreement, but Envoice may Process Personal Data for the following Purposes:
- in order to take steps at the request of the Data Subject prior to entering into the Agreement;
- to identify the Client to the extent required by due diligence;
- to perform the obligations to the Client regarding the provision of its Services;
- to communicate with the Client this includes sending confirmations, invoices, updates, technical notifications, security alerts, support and administrative messages; Clients will receive an automatic welcome email necessary to complete their registration process;
- to ensure the performance of the payment obligation of the Client;
- to submit, realise and defend claims.
5.4 For the entry into an employment agreement, the Processing of the Personal Data of a job applicant by Envoice based on the entry into the agreement and legitimate interest shall include:
- Processing of the data submitted by the job applicant to Envoice for the purpose of entering into an employment agreement;
- Processing of the Personal Data received from the person indicated as the referee by the job applicant;
- Processing of the Personal Data collected from state databases and registers and public (social) media.
In case a job applicant is not selected, Envoice shall store the Personal Data collected for the entry into an employment contract for two years in order to make a job offer to the job applicant in case a suitable position becomes vacant. When two years have passed after the submission of a job application, the Personal Data of the job applicant who was not selected shall be deleted.
5.5 Legitimate interest means the interest of Envoice in the management and direction of its business in order to be able to offer the best possible Services on the market and improve the Products of Envoice. In particular, Personal Data Processing may take place on the basis of a legitimate interest for the following purposes:
- as Envoice clients are only legal persons Envoice sends occasionally Marketing and products emails based on legitimate interest ground (see GDPR article 47). Envoice sends marketing and products emails only to the Clients. One has a right to opt-out;
- for improving Services and Products e.g. for the Envoice algorithm development when Client has ordered SmartExtract or SmartRecord service (see for more information section 12). Development necessary to provide more precise Services for the Client;
- for ensuring a trust-based relationship with a client, e.g. using Personal Data Processing that is strictly necessary to determine the ultimate beneficiaries or to prevent fraud;
- for the administration and analysing the client base to improve the availability, selection and quality of Services and products, and to make the best and more personalised offers to the Client upon the Client’s consent;
- for the identifiers and Personal Data collected upon the use of Websites, mobile application and other Services. Envoice shall use the collected data for web analysis or for the analysis of mobile and information society services, for ensuring and improving the functioning, for statistical purposes and for analysing the behaviour and user experience of Visitors and for providing better and more personalised Services;
- for the organisation of campaigns, including organisation of personalised and targeted campaigns, carrying out Client and Visitor satisfaction surveys, and measuring the effectiveness of the performed marketing activities;
- for monitoring of the service. Envoice may record the messages and instructions given in its premises as well as by means of communication (email, telephone, etc.), as well as information and other operations carried out by Envoice, and shall use those recordings as needed to evidence instructions or other operations;
- for network, information and cyber security considerations, for example for fighting against piracy and for ensuring the security of the Websites, as well as for the measures taken for making and storing backup copies;
- for corporate purposes, in particular for financial management;
- for receiving feedback;
- for targeted advertising online, a form which Data Subject can opt-out (see section 13: Important Documents, Guidelines and Procedures);
- for the establishment, exercise or defence of legal claims.
5.6 For performing a legal obligation, Envoice shall Process Personal Data to perform the obligations set forth by law or to exercise the uses permitted by law. Legal obligations derive, for example, from adhering to the rules of payment processing and prevention of money laundering.
5.7 In case Personal Data Processing is carried out for a new purpose, different from those for which the Personal Data were originally collected, or is not based on the consent given by the Data Subject, Envoice shall carefully assess the permissibility of such new Processing. In order to determine whether the Processing for the new purpose is in compliance with the purpose for which the Personal Data were originally collected, Envoice shall take into consideration, inter alia, the following:
- any link between the purposes for which the Personal Data were collected and the intended further purposes Processing;
- the context of collecting the Personal Data, in particular regarding the relationship between the Data Subject and Envoice;
- the nature of the Personal Data, in particular, whether any special categories of Personal Data or Personal Data related to criminal convictions and offences are processed;
- possible consequences of the intended further processing for the Data Subjects;
- existence of appropriate protection measures which may consist in, for example, encryption and pseudonymisation.
6. DISCLOSURE AND/OR TRANSFER OF PERSONAL DATA TO THIRD PERSONS
Here you find information on when we may transfer your Personal Data to our cooperation partners or other third parties. The cooperation partners may be for example marketing partner or IT partners. We value your privacy and will always assure that such Processing performed by these partners if lawful.
- Partners. Envoice cooperates with persons, to whom Envoice may transfer data regarding the Data Subjects, including their Personal Data, in the context and for the purposes of co-operation.Such third persons may be the advertising and marketing partners, companies carrying out client satisfaction surveys, debt collection agencies, credit registers, IT partners, persons, authorities and organisations intermediating or providing (electronic) mail services, provided that:
- the respective purpose and the Processing are lawful;
- the Personal Data Processing is carried out in accordance with the guidelines of Envoice and on the basis of a valid agreement;
- the data regarding the respective processors are disclosed to the Data Subjects.
- Other Users in Client’s Company Account. If a Data Subject is using any Envoice Services that has been made available to them by a service provider who has signed as our Client (e.g., your accountant or bookkeeper), then all Personal Data uploaded by such Data Subjects will be available to that Client and its authorised employees and agents who have access to the relevant Client Account.
- Corporate restructuring. Envoice may share Personal Data when we do a business deal, or negotiate a business deal, involving the sale or transfer of all or a part of our business or assets. These deals can include any merger, financing, acquisition, or bankruptcy transaction or proceeding.
- Transfers. Envoice shall transfer Personal Data outside the European Union only if there is sufficient protection in the respective country; if protection measures have been agreed upon (e.g. standard data protection clauses); the Data Subject has given a clear and informed consent for such transfer; the transfer is clearly required by an agreement entered into with the Data Subject; the transfer is not repeated, it concerns only a limited number of Data Subjects; it is necessary for protecting the legitimate interests of Envoice which are not overridden by the interests, rights or freedoms of the Data Subject, and if all the circumstances related to the transfer has been assessed and suitable protection measures have been established to protect the Personal Data, or if there is some other legal basis therefor.
7. SECURITY OF PERSONAL DATA PROCESSING
Here you find a description of how we will protect your Personal Data and where you can find information on the storage periods of Personal Data.
We store your Personal Data only for the minimum period required. For documents you have uploaded to our Products, the storage period is 1 year.
- Envoice shall store the Personal Data strictly only for the minimum period required. For Personal Data related to the items you have submitted into the systems of Envoice, the Client as the controller shall determine the exact dates for Processing. If the Client deletes the Client Account, Envoice shall store the documents, which shall include Personal Data, for an additional 1-year period to fulfil the obligations deriving from the applicable law, especially bookkeeping and accounting rules.
- The Personal Data with an expired storage period shall be destructed.
- Clients are responsible for keeping their password secret and should be careful to log out of their Client Accounts after they have finished any given session, especially if they are using a public computer.
- If a Client has any reason to believe that their interaction with us is no longer secure (for example, if they feel that the security of their Client Account might have been compromised), they should notify us of this problem immediately by contacting us via firstname.lastname@example.org.
- In case of an incident related to Personal Data, Envoice shall take all necessary measures to mitigate the consequences and hedge any relevant risks in the future. Inter alia, Envoice shall register all the incidents and shall inform the Data Protection Inspectorate and the Data Subject directly (e.g. by email) or in public (e.g. via the news) in prescribed cases.
8. PROCESSING OF PERSONAL DATA OF CHILDREN
The Services of Envoice are not targeting children.
- The Services of Envoice, including the information society services, are not targeting children i.e. a person under the age of 18.
- Envoice does not knowingly collect any information on children, and in case of any respective informed activity, we shall act on the basis of the request of a parent or guardian.
9. RIGHTS OF DATA SUBJECTS
Your Personal Data belongs to you, and here you can find information on the rights you have in order to protect your Personal Data.
You have various rights and you may perform them at any time.
- Rights related to consent:
- A Data Subject will always be entitled to inform Envoice about his or her wish to withdraw consent for the Personal Data Processing.
- A Data Subject has also the following rights upon Personal Data Processing:
- Right to receive information i.e. the right of a Data Subject to receive information regarding the Personal Data collected about him or her.
- Right of access to data which, inter alia, includes the right of a Data Subject to a copy of the Processed Personal Data.
- Right to rectification of inaccurate Personal Data. A Data Subject will be able to request the correction of inaccurate data or correct it via its Client Account, but Envoice may retain a copy of the unrevised information.
- Right to erasure of data i.e. in certain cases a Data Subject will be entitled to demand the deletion of Personal Data, for example, if the Processing is carried out only on the basis of consent; Client may also request that their Client Account be deleted or deactivated by sending an email to email@example.com.
- Right to demand a restriction of Personal Data Processing. This right is created, inter alia, in case the Personal Data Processing is not permitted under law or if the Data Subject challenges the accuracy of the Personal Data. A Data Subject will be entitled to demand the restriction of the Personal Data Processing for a period enabling the processor to check the accuracy of the Personal Data or if the Personal Data Processing is unlawful, but the Data Subject does not request the deletion of the Personal Data.
- Right to data portability i.e. a Data Subject shall have, in certain cases, the right to receive the Personal Data in a machine-readable format and to take these data along or transfer them to another controller.
- Rights related to automated Processing mean, inter alia, that a Data Subject will have the right to object, on grounds relating to his or her particular situation, at any time to Processing of Personal Data concerning him or her, based on automated decision-making;
- Right to the assessment of a supervisory authority on whether the Processing of the Personal Data of the Data Subject is lawful;
- Compensation for damage when there has been a violation of Data Subject’s rights for which Envoice is liable.
10. EXERCISING OF RIGHTS AND FILING OF COMPLAINTS
Here you find information on how to receive explanations or how and to where a complaint can be filed.
- Exercising of rights. A Data Subject will be entitled to address Envoice or the Data Protection Officer of Envoice using the contact details set out in section 14 in case of any question, request or complaint related to Personal Data Processing.
- Filing of complaints. A Data Subject will be entitled to address a complaint to Envoice (firstname.lastname@example.org), to the Data Protection Officer of Envoice (email@example.com), to the Data Protection Authority or to a court (e.g. the contact details of Data Protection Authority are available at https://aki.ee).
11. COOKIES AND OTHER WEB TECHNOLOGIES
Here you find information on the types of Cookies or other technologies we use and how you can control the use of such technologies.
- Envoice may collect data regarding the Visitors of the Websites and other information society services by using Cookies for this purpose (i.e. small pieces of information stored by the Visitor’s browser on the hard disk of the computer or any other device of the Visitor) or other similar technologies (e.g. IP address, equipment information, location information) and process these data.
- Envoice uses the collected data to enable the provision of the Service in accordance with the habits of a Visitor or Client (and its users); to ensure the best Service quality; to inform the Visitor and Client about the contents and give recommendations; to update advertisements and make marketing efforts more efficient; and to facilitate logging in and protection of data. The collected data shall also be used for counting the Visitors and recording their using habits.
- Envoice uses Session Cookies, Persistent Cookies and Advertising Cookies. A session Cookie is deleted automatically after every visit; persistent Cookies shall remain upon repeated use of the Website, and advertising Cookies and third-party Cookies are used by the Websites of the partners of Envoice which are connected with the Website of Envoice. Envoice does not control the generation of those Cookies, therefore information on these Cookies can be obtained from third persons. Further information on Cookies is available in the explanatory materials (see section 13: Important Documents, Guidelines and Procedures).
- Most of the web browsers allow Cookies. Without fully allowing Cookies, the functions of the Website are not available to a Visitor. The allowing or prohibiting Cookies and other similar technologies shall be under the control of a Visitor via the settings of the Visitor’s own web browser, settings of the information society service and platforms for making such privacy more efficient (see section 13: Important Documents, Guidelines and Procedures).
12. SPECIAL PROVISIONS FOR ENVOICE PRODUCTS
We have different products. Here you can find adequate information on specific products, of which Personal Data Processing constitutes a significant part.
- Collect & verify. This is the first step of Envoice products, which entails the submitting of the documents or other items and forwarding to the Envoice system. In such a case, Envoice is Processing Personal Data as a processor, by obtaining access to the information presented on such documents. The Client warrants that the employees or other relevant persons have provided consent for the Client to process such Personal Data as a controller. In addition to the Personal Data contained in the documents, Envoice is also Processing Personal Data of the Clients and their representatives submitting the documents or other items to the system.
- SmartExtract. In this step, Envoice will use an algorithm to extract the relevant information from the items the Client or its representatives have submitted into the system. Envoice will have access to all the Personal Data shown on the documents. In case there are issues with the algorithm, Envoice will use the documents, which contain the Personal Data, to overlook the issues and improve the Services.
- ExactExtract. In this step, in addition to the activities of SmartExtract, a real person, i.e. employee of Envoice shall supervise the final decisions taken by the algorithm and verify whether the information extracted from the documents is accurate.
- SmartRecord. This is the step where the information extracted is given accounting meaning to. Envoice will access the Personal Data contained in the documents the Client has uploaded.
- Approval Workflow. This is the step where the designated users of the Client approve the previous steps and by approving forward the information, including the Personal Data, to secure storage.
- Secure Storage. This is where Envoice stores the Personal Data contained in the documents which the Client has uploaded or otherwise forwarded to Envoice. In Secure Storage, we Process the Personal Data in accordance with the guidelines provided by the Client as the controller. From Secure Storage the Personal Data is forwarded if applicable to the relevant accounting software. This is done only upon the exact orders of the Client.
13. IMPORTANT DOCUMENTS, GUIDELINES and PROCEDURES
Here we set out the documents, through which you will be able to exercise your rights in the best way.
- Here you can find links to the following webpages Your Online Choices; About Ads; Network Advertising i.e. the platforms of controlling and monitoring of cookies and other web technologies, where Data Subjects themselves can change and control how their Personal Data are used and collected.
- Server location. All the Personal Data shall be stored in Google provided servers are located within the European Union.
14. CONTACT DETAILS AND INFORMATION
Here you can find our contact details.
- Regarding Personal Data issues, Envoice can be contacted via email firstname.lastname@example.org.
- The Data Protection Officer of Envoice can be contacted by email email@example.com.
15. OTHER TERMS AND CONDITIONS
- Publication: June 15, 2019
- In force for Visitors and Clients: June 15, 2019