Privacy Policy 

At Soprano we respect your privacy and the security of your personal information and data. This General Privacy Policy explains how we collect, hold, handle, share and otherwise process Personal Data in connection with your use of our Services and Sites (as defined below), and how you can exercise your rights. Please carefully read this General Privacy Policy before browsing our Sites and using our Services.  This General Privacy Policy supplements other privacy notices and is not intended to override them.

Soprano Group is made up of different legal entities, details of which can be found in Annex I at the end of this Privacy Policy. This Privacy Policy is issued on behalf of the Soprano Group, so when we mention “Soprano”, “we”, “our” or “us” we are referring to the relevant company in the Soprano Group responsible for processing your Personal Data.  We will let you know which entity will be the Controller of your data when you purchase our Services in the application process.   If you are a Customer or Supplier of more than one Soprano affiliate, the relevant data Controller is the Soprano legal entity retained by you in each particular case.

Soprano Design Pty Ltd, a company located in Australia with head office at Level 15, 132 Arthur St North Sydney NSW 2060 and company number ACN 066 450 397 is a Controller and responsible for this Site.

TABLE OF CONTENTS:

  1. INTRODUCTION
  2. TYPE OF PERSONAL DATA WE MAY COLLECT ABOUT YOU
  3. SOURCES FROM WHICH WE MAY COLLECT YOUR PERSONAL DATA
  4. HOW WE USE YOUR PERSONAL DATA AND LAWFUL BASES FOR PROCESSING
  5. WHEN DO WE DISCLOSE YOUR PERSONAL DATA AND WHY?
  6. INTERNATIONAL TRANSFERS OUTSIDE THE EEA
  7. RETENTION OF YOUR PERSONAL DATA
  8. SECURITY
  9. YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA
  10. CONTACT
  11. CHANGES TO THIS PRIVACY POLICY
  12. ADDITIONAL TERMS FOR CERTAIN REGIONS
  13. DEFINITIONS

ANNEX I – SOPRANO DESIGN GROUP COMPANIES

  1. INTRODUCTION

We are a cloud-based Communications Platform as a Service (CPaaS) provider of mobile messaging technology for our business and government Customers worldwide, and for telecommunication companies and other providers that include our Services in their own offerings. Our omni-channel platform allows our Customers to interact with a variety of communication channels with their end-users (e.g. SMS, WhatsApp, email).

Some data protection laws, such as GDPR, differentiate between controllers (those who determine why and how they process Personal Data) and processors (those who process data on a controller’s behalf). When we process Personal Data in the provision of our Services, we may do it in the role of Controller or Processor, depending on the situation.

When we send communications to our Customers’ end-users (e.g. the Customer’s staff or members of the public), we do it under instructions and on behalf of our Customers for the sole purpose of providing the Services to them. Therefore, when an end-user receives a communication that has been sent by Customer using our platform, we are acting as a Processor. The processing of Personal Data in our role of Processor and service provider on behalf of our Customers is not within the scope of this policy.  Our Customers are solely responsible for complying with the data protection laws that apply to the collection and processing of Personal Data of their end users with whom they interact through the use of our Services. If you’re an end user of one of our Customers, please contact our Customer directly for any requests or questions relating to your Personal Data.

This Privacy Policy only applies in situations where we process data for our own purposes acting as a controller, such as:

  1. When you visit our Sites that link to this policy.
  2. When you use our Services as an authorized user (e.g. as someone engaged by our Customer and has been given access to our platform).
  3. When you interact with our official Social Media profiles.
  4. When you attend or register for our events or webinars.
  5. When you contact us to request information about our Services.
  6. When we seek new business opportunities and collect data to nurture our Customer base.
  7. When you provide your Services or products to us.
  8. When you apply for or invest with Soprano.

If you are a job applicant and apply for a job position with us, please refer to the Candidate Privacy Notice  made available when you apply online for further details as to how your Personal Data is collected, processed and how long it is retained for.

Our Sites and Services may contain links to other third-party web pages and applications. The privacy practices of such other websites, including social media platforms that host our Soprano official profile, are governed by their privacy notices which we encourage you to review in order to understand their information practices.

  1. TYPE OF PERSONAL DATA WE MAY COLLECT ABOUT YOU

Any information or an opinion relating to an identified or reasonably identifiable natural person, directly or indirectly, is “Personal Data”.

We may collect, use, store and transfer different types of Personal Data about you, depending on how you interact with us:

  1. Identity Data includes first and last name, ID number, image, signature, username or similar identifiers.
  2. Contact Data includes registered address, billing address, email address and telephone numbers.
  3. Financial Data includes bank account, payment card details (when you pay for our Services).
  4. Professional Data includes your employer, job title and your role at your company.
  5. Profile Data includes your, your username and password, purchases or orders made by you; your interests, preferences, feedback and survey responses.
  6. Usage Data includes information about how you browse our Sites and use our Services (e.g. what features you use on our platform; time spent; pages visited, etc.).
  7. Traffic Data includes all data processed for the purpose of conveying an electronic communication through your use of our Services or for the billing in respect of that communication, and includes data relating to the routing, duration, type and time of the communication (e.g. Customer end-user’s telephone number or email address, IMEI, IMSI, MSISDN, etc.).
  8. Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, type of computer or device you are using, system configuration information and other technology on the devices you use to access our Sites.
  9. Marketing Data includes your preferences in receiving marketing communications from us.

We also process the contents of the communications you send and receive via our Services, but we do it as a processor and service provider acting on behalf of our Customer.

In addition, we collect, use and share “Aggregated Data” such as statistical or demographic data for any purpose. Aggregated Data could be derived from your Personal Data but is not considered personal information in law, as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific site feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

We do not collect any sensitive or Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

The relationship between whoever is the data controller and data processor generally needs to be set out in a contract, which includes certain prescribed terms:

  1. the processor may only process data in accordance with documented instructions from the controller; and
  2. the processor must ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and
  3. the processor cannot engage another processor without the authorization of the data controller; and
  4. the processor assists the controller to satisfy its responsibilities in terms of security obligations, data protection impact assessments and Data Breach Notifications.
  5. The controller and the processor must also implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  1. SOURCES FROM WHICH WE MAY COLLECT YOUR PERSONAL DATA

We use different methods to collect Personal Data from you by:

Direct interactions.  We may collect directly from you your identity, contact, professional or Financial Data when you:

  1. apply for or enquire about our Services;
  2. register for an account to access or use our Services, or when you authorize an individual to use our Services in connection with your account;
  3. register for an event or webinar hosted by us;
  4. subscribe to our newsletter or publications;
  5. request marketing communications to be sent to you;
  6. if you contact us or show interest in receiving information about our Services;

It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during your relationship with us.

You represent that you are the owner of the Personal Data you provide to us, or if you provide us with data of other individuals, you represent that you have the authority and necessary consent to do so and acknowledge that it will be used pursuant to this Privacy Policy.

Automated technologies or interactions.  As you interact with our emails, Sites and use our Services, we may automatically collect Technical Data about your equipment, browsing actions and patterns, which help us provide you with a good experience when you browse our Sites and also allows us to improve them. We collect this information by using cookies, web beacons, server logs and other similar technologies. Please read our detailed Cookie Policy at https://www.sopranodesign.com/cookie-policy  for further details.

Third parties or publicly available sources. We may receive Personal Data about you from various third parties and public sources as set out below:

  1. Profile, Technical and Usage Data if you visit other websites employing our cookies
  2. from third party providers including, for example, advertising networks, analytics providers, search information providers, credit reference agencies, data brokers or aggregators.
  3. Identity, contact and Professional Data from publicly-available sources such as LinkedIn or other publicly available sources.
  4. Identity and Contact Data from data brokers, aggregators or marketing mailing lists such as D&B Hoovers or Data HQ, based outside the EU.
  5. We may also process Identity Data you provide when you interact with Soprano using a third party service (“Third Party Platforms”). For example, we may have access to certain information from your corporate authentication service if you log into Soprano using single sign on authentication. Any access that we may have to such information from a Third Party Platform is in accordance with the authorisation procedures determined by that service. By allowing us to connect with the Third Party Platform, you authorise us to access and store your personal information that the third party makes available to us, and to use and disclose it in accordance with this Privacy Policy.
  1. HOW WE USE YOUR PERSONAL DATA AND LAWFUL BASES FOR PROCESSING

We will only use your Personal Data when permitted by the law, and using appropriate technical and organisational measures. Most commonly, we will use your Personal Data in the following circumstances:

  1. Where we need to perform the contract we are about to enter into or have entered into with you.
  2. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  3. Where we need to comply with a legal obligation.
  4. Where you have provided your consent. Your consent is not always required for us to process your Personal Data although we will get your consent before sending marketing communications as set out in section 4.6 below.

We have set out a helpful table below as a summary of the lawful basis for processing, and the ways we plan to use your Personal Data as described in Sections 4.1 to 4.7.  Note that we may process your Personal Data for more than one lawful basis depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal basis we are relying on to process your Personal Data where more than one basis has been set out in the Table below.

 

  PURPOSE TYPE OF DATA LAWFUL BASIS FOR PROCESSING RETENTION PERIOD
I.

 

To register you as a new Customer, create a Customer Account, communicate with you, and enable you to use our Services.

 

a)    Identity

b)    Contact

Performance of a contract with you. 12 months after end of Contract.
II.

To process and deliver your order including:

a)    Manage payments, fees and charges

b)    Collect and recover money owed to us

 

a)    Identity

b)    Contact

c)    Financial

d)    Traffic

e)    Marketing

a)    Performance of a contract with you

b)    Necessary for our legitimate interests (Eg. to recover debts due to us and reconciling invoices with MNOs/aggregators)

12 months after end of Contract (except data we must keep to  settle our payments to MNOs or aggregators,  or to comply with tax or data retention laws)
III.

 

To manage our relationship and communicate with you as our Customer which will include:

a)    Provide our Services to you.

b)    Providing you with Customer care and technical support.

c)    Notifying you about changes to our terms or privacy policy.

d)    Asking you to leave a review or take a survey.

 

a)    Identity

b)    Contact

c)    Profile

d)    Traffic

e)    Usage

f)     Marketing

a)    Performance of a contract with you

b)    Necessary to comply with a legal obligation

c)    Necessary for our legitimate interests (Eg. to keep our records updated and to study how Customers use our Services).

1 month after end of Contract (except data we must keep to comply with tax or other applicable laws until the relevant limitation period expires)
IV. To manage your registration request and facilitate your attendance to our events or webinars.

a)    Identity

b)    Contact

c)    Profile

d)    Usage

e)    Marketing

 

a)    Consent

b)    Necessary for our legitimate interests (Eg. to study how Customers use our products/Services, to develop them and grow our business.)

 

12 months after end of the event or webinar.

V. To administer and protect our business and Sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and investigate fraudulent activities in connection with our Sites and Services.

a)    Identity

b)    Contact

c)    Technical

d)    Traffic

a)    Necessary for our legitimate interests (Eg. for running our business, provision of administration and IT Services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

b)    Necessary to comply with a legal obligation.

 

2 years  month (except data we must keep to comply with applicable laws until the relevant limitation period expires)
VI.

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising and content we serve to you.

 

a)    Identity

b)    Contact

c)    Profile

d)    Usage

e)    Marketing

f)     Technical

 

Necessary for our legitimate interests (Eg. to study how Customers use our products/Services, to develop them, to grow our business and to inform our marketing strategy). 12 months
VII. To use data analytics to improve our Sites, Services, marketing, Customer relationships and experiences.

a)    Technical

b)    Usage

 

Necessary for our legitimate interests (Eg. to define types of Customers of our products and Services, to keep our Sites updated and relevant, to enhance our Services, to develop our business and to inform our marketing strategy) 12 months
VIII. To look for new business opportunities and make suggestions and recommendations to you about products or Services that may be of interest to you.

a)    Identity

b)    Contact

c)    Technical

d)    Usage

e)    Profile

f)     Marketing

Necessary for our legitimate interests (Eg. to develop our products/Services and grow our business) If no Contract, 12 months from our last communication.
IX. To provide you with the requested information about our Services, answer your questions, provide Customer support or otherwise communicate with you.

a)    Identity

b)    Contact

a)    Necessary for our legitimate interests (Eg. to develop our products/Services and grow our business)

b)    Performance of a contract with you.

 1 month after end of Contract.

If no contract, 12 months from our last communication.

X.

 

To manage our relationship with our Suppliers.

 

a)    Identity

b)    Contact

c)    Professional

Performance of a contract with you. 1 month after end of Contract. (except data we must keep to comply with applicable laws until the relevant limitation period expires)

 

4.1 When you buy Services from us.

If you sign up for our Services we’ll need to collect, either directly from you or via your organization, certain contact fata (e.g. phone number, email address), Professional Data (e.g. your business role, company name) and  Technical Data (e.g. login details such as your user name, password or API key) in order to create your “Customer Account”, and enable you to use our Services and communicate with us, and for us to communicate with you, through the account portal. We may also use your Contact Data to ask you to take surveys on the quality of our products or the Customer care and technical support provided by our teams and relating to the Services you’ve purchased. We will also collect Financial Data (e.g. billing address, prepaid or post-paid subscription or other data required by local applicable laws) so that you can pay for our Services, and we may conduct credit checks from time to time. The lawful bases upon which we process such data are set out in Sections I., II. and III. in the Table above.

When you log in to your Customer Account, we also gather some information automatically such as Technical Data (e.g. your IP address, routing information) and activity logs, in order to understand who is accessing our Services, investigate fraudulent activities and prevent security incidents.  We will do so because it is our legitimate business to ensure the security of our network or because it might be necessary to comply with a legal obligation (Table’s Section V.)

When you use our Services, we will also collect Traffic Data either automatically (e.g. data generated during the process of conveyance of a message) or directly from you (e.g. Customer’s end user’s phone number or email address) in order to provide our Services and therefore because it is necessary to perform our Customer agreement. We also process Traffic Data for the purposes of addressing security network issues as set out in Section V. of the Table, and for payment operation purposes such as calculating charges, as described in Section II. We may also need to retain Traffic Data to the extent required by applicable national laws and share it upon request of public authorities.

Finally, when you use our account portal, we automatically collect the Usage Data you generate while interacting with our platform in order to understand your business needs and the features that should be enhanced, as well as to improve your navigation experience and the execution of our Services when you send messages to your end users through our portal. The lawful basis for this processing is set out in Sections III. and VII of the Table above.

Where we need to collect Personal Data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

  • When you request information or support from us

If you contact us for support or to learn more about our Services, we will collect some basic identity and Contact Data and any other information you decide to send us or share while communicating with us.  We will keep a record of the information you provide in the course of our communications, so even if we have put in place security measures to protect your data, you should not disclose personal or sensitive data irrelevant to your request.

We will collect this information directly from you when you submit it through our web forms or when you share it on our online chatbot channel. We also collect this information directly from you when you interact with us outside our Sites, for example, when you provide it to us during in-person meetings or events, when your share it with our sales representative on the phone or when you send us any written communication (whether by email or post).

We will process your data to provide you with the requested information about our products and Services and to respond to your questions, pursuant to the lawful bases in section IX of the table.  We may also send you email or otherwise get in touch with you to follow up on our discussions, but you can always object to such processing by simply sending an email to [email protected]  if you no longer want to be contacted by us.

  • When we look for new potential Customers and business opportunities

We continuously search for new Customers that may be interested in our Services. We may gather your identity, contact and Professional Data indirectly through publicly-available sources such as LinkedIn, or we may also obtain your information from third party providers such as data brokers or marketing mailing lists, for the purposes of helping us build new business relationships and find potential buyers that could benefit from our Services. We also collect business Contact Data through direct interactions with prospective Customers during meetings or events.

As set out in section VIII of the table, it is in our legitimate interests as a company to process your data for the above-mentioned purposes. If you no longer want to hear from our marketing or sales team, you have the right to object and opt-out or withdraw your consent at any time by sending an email to [email protected].

If you show interest in contracting our Services, we will process your data for the purposes of taking steps to engage with you as a Customer, at your request, before entering into such a contract.

  • When you sign up to attend an event or webinar.

If you sign up for a Soprano event or webinar we’ll ask you to provide some basic Identity and Contact Data (name, email, country) as well as some Professional information such as your company name, business role and industry for the purposes of processing your registration request.

When you register to attend an event, your data will also be processed by Soprano to manage any travel or hotel accommodation reservations you may need to attend our event, to handle any changes or cancellations, to provide you with all necessary information and documentation to attend such event, to develop our events based on Customer preferences, to analyse and prepare statistics and studies on the events attended by our Customers or prospective Customers and to design advertising strategies.   During our events, we may collect photo and video material that might depict our event participants, and we will use it for PR and illustration purposes.

It is in the legitimate interest of our business to send you invitations to webinars or events where we believe this may be of your interest. When you submit your Personal Data through our online registration forms we will rely on your consent by adopting this communication to process your Personal Data, but you have the right to withdraw such consent at any time by sending an email to marketing to [email protected]  .

  • When you visit our Sites.

When you browse our Sites, we automatically collect certain Usage and Technical Data by placing tracking technologies (e.g. cookies, web beacons) on your browser, in order to understand how visitors use our Sites and improve their browsing experience.

When you first visit any of our Sites you’ll be able to block the installation of any type of cookies, with the exception of the technical ones, which are required for proper functioning of the Sites. You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Sites may become inaccessible or not function properly. For more information about the cookies we use, please see out Cookie Policy.

  • When we send marketing communications.

If you sign up to receive marketing communications from us or you have given your consent by ticking the box provided for this purpose on the relevant form, we will process your Personal Data in order to send you, on an ongoing basis, information of the Soprano Group’s products and Services, special promotions, surveys, and invitation to events or webinars that may be of interest to you. Accordingly, with this consent, Soprano may contact you about such products, Services, promotions or events by electronic messages (e.g. email, SMS, direct messaging or social networks) and by telephone call. You will always have the right to opt-out for further communications by contacting us at [email protected]   or using the opt-out link provided at the end of any marketing email you receive from us. It may take up to 3 days (72h) days to remove your contact information from our marketing communications lists, so please note that you may receive communications from us within this time interval.

If you are a Customer of Soprano or make a request to receive information about our Services, such as a Soprano whitepaper, we may use your Personal Data, where permitted by applicable national laws, to send you customized communications based on the products or Services requested, or based on the information we may obtain from your browsing, interest in certain content, or reaction to our communications, among others. You may object to any of the above processing and elect to opt-out or withdraw your consent at any time, without any consequences for your status as a Customer or contact of Soprano, by simply sending an email to [email protected]  or by clicking the unsubscribe link at the bottom of our marketing messages. Please note than even if you opt-out from receiving marketing messages from us, if you are our Customer, you will continue to receive transactional communications related to your existing relationship with us (such as messages about your account, security information or changes on our Service Terms).

  • When you supply goods or Services to us

If you are our Supplier we will collect Identity, Contact and Professional Data of the persons or representatives signing our supply agreement and of those employees or collaborators that will participate in the execution of such agreement, for the purposes of managing our relationship with you and complying our obligations under the supply agreement. We may also collect certain Financial Data such as your bank account details or other information required by local laws, in order to fulfil our payment obligations.

The lawful basis to process your data is the performance of a contract with you, as set out in Section X of the above Table.

Your data will be kept for the retention period established by applicable laws (e.g. tax and financial regulations) and, in any case, until the conclusion of the last limitation period of criminal and civil actions, as well as administrative sanctions. During this period of time, your data will be duly blocked and adequately stored, insulated from other processing systems and with access restricted to those persons within Soprano that require access on a need-to-know basis in order to deal with administrative or legal proceedings.

The data and information you’ve shared with our support or Customer care teams through our ticketing system will be kept by for a period of 1 month after the end of our supply agreement.

  1. WHEN DO WE DISCLOSE YOUR PERSONAL DATA AND WHY?

We may share your Personal Data with the parties set out below for the purposes set out in the Table above.

5.1 Intragroup transfers

We may share your Personal Data with other companies in the Soprano Group acting as processors who are based in Australia, New Zealand, Europe, North America, South America, and Southeast Asia. Our Soprano affiliates may undertake leadership reporting and provide IT and system administration, marketing, accounting, legal, technical operations and Customer support Services.  We will only share your data to the extent necessary to fulfil a request you have submitted through our Sites or other online forms, or for technical, marketing, Customer support or account management purposes.

Depending on the circumstances, the Soprano affiliates may act as joint controllers. For example, if you register for an event or webinar via our website online forms, we may share your Personal Data with the affiliate in charge of the event, who will act as a separate Controller and will process your information in accordance with this Privacy Policy.

The intercompany processing of Personal Data will be governed by our Intra-Group Data Processing Agreement, as set out in section 6 below.

5.2 Transfers to external third parties

We will not transfer, sell, rent or otherwise make your Personal Data available to any third party, except to those providing Services to Soprano to the extent strictly necessary for them to provide such Services (i.e. archival, auditing, accounting, Customer contact, legal, business consulting, banking, payment, mailing, delivery, data processing, data analysis, document management, information broking, research, share registry, investigations, insurance, website and technology Services), but in no case for their own purposes. These are the type of recipients with whom we may share your Personal Data:

  1. Service providers acting as processors based in UK, EU and USA who provide Data Centre and Infrastructure Services.
  2. Customer relationship management software platform provider based in USA.
  3. Service provider acting as processor based in USA who provides broadcast email management Services and a distribution platform, which we use to send and manage emails to customers about any service issues.
  4. Service provider acting as processor based in USA who provide trouble ticketing tools, which we use to provide our Customers with support relating to the Services.
  5. Service provider acting as processor based in USA who provide email verification Services, which we use for the purposes of validating email addresses.
  6. Marketing automation platform provider based in USA, which we use for sending marketing messages, website traffic analytics and CRM purposes.
  7. Other trusted third-party providers based in the US who provide technology Services, such as our website interactive chat-box function, our enterprise communication, collaboration and productivity tools and our project management and task tracking software.
  8. Mobile Network Operators, aggregators and other Communications Providers when necessary for message switching and routing. Our communications platform is connected to MNO’s and other Communications Providers worldwide, in order to enable the transmission of the messages sent by our Customers to their End-Recipients. We are connected with AT&T, BT, Vodafone and Orange, among other providers.
  9. Professional advisers acting as processors, including lawyers, bankers, auditors and insurers based in the countries in which we have a Soprano legal entity, who provide consultancy, banking, legal, insurance and accounting Services.
  10. Any Stock Exchange Eg. continuous disclosure or listing rules equivalent provisions.
  11. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this privacy policy.

Other than in the cases referred to above we will not disclose your Personal Data to third parties except where such disclosure is required by regulations, by court order or by the public authorities.

 

  1. INTERNATIONAL TRANSFERS OUTSIDE THE EUROPEAN ECONOMIC AREA

We share your Personal Data within the Soprano Group. This will involve transferring your data outside your jurisdiction, in countries that may impose privacy obligations less stringent than those established by the privacy regulations in your jurisdiction, such as in the European Economic Area (EEA).

Some of our external third parties may be located in Australia, the United Kingdom, Spain, the Netherlands, Belgium, Romania, the United States, Brazil, Colombia, Chile, Singapore, Malaysia, the Philippines, New Zealand and other countries. This means that the processing of your Personal Data by our service providers may involve a transfer of data outside the EEA.

Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries.
  • Where your Personal Data is transferred to other companies within Soprano, then this processing is governed by an Intra-Group Data Processing Agreement that incorporates the EU Standard Contractual Clauses, which provide sufficient guarantees to ensure that the processing complies with the requirements established by the GDPR.
  • Where we use certain service providers, we may also use the EU Standard Contractual Clauses approved by the European Commission which give Personal Data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of Personal Data to third countries.

Where we use providers based in the US, we may transfer Personal Data to them if they are committed to an Agreement with us that incorporates the EU Standard Contractual Clauses, which requires them to provide similar protection to Personal Data shared between Europe and the US. For further details, see the link: https://gdpr-info.eu/issues/third-countries/

Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EEA.

In the absence of an adequacy decision or appropriate safeguards such as those outlined above, overseas transfers are also permitted in very specific situations. An example is where an individual explicitly consents to the proposed transfer after they have been provided with certain information about the possible risks associated with the transfer.

6.1 Australian Privacy Act

Before we disclose personal information collected or held in Australia to another country, we will take reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles (“APPs”) in relation to the information (exceptions apply). We remain accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (exceptions apply).

 

  1. RETENTION OF YOUR PERSONAL DATA

We will only retain your Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting and record retention requirements. We may retain your Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for Personal Data, we consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements (e.g. applicable statutes of limitation).

Details of retention periods for different aspects of your Personal Data are set out in the Table above. For more information on our data retention policy please contact us by using the contact details in section 10 below.

 

  1. SECURITY

Soprano Designs takes reasonable steps to protect and ensure the security, confidentiality, accuracy availability and integrity of your personal information once it is in our possession in our systems and platforms, through appropriate organizational and technical measures consistent with applicable privacy and data security regulations. However, we cannot guarantee the security of your data transmitted to us via the internet, telecommunications service, or by other electronic means as currently available security measures are not infallible.

If you have any questions on the security measures that we use to protect your personal information, you may contact us at [email protected] .

8.1. Data Breach

A Personal Data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Breaches of Personal Data will be reported to Soprano’s privacy representatives and be dealt with according to the Soprano Design Security Incident Management Policy.

It is mandatory to report certain types of data breaches including if the breach is likely to result in a real risk of serious harm to you. If there is a data breach, and you are affected you will be notified within 72 hours unless technological safeguards such as encryption have been applied that render the data useless to an attacker. Soprano will also notify the relevant privacy authority in the country in which the breach occurred, or countries affected by the breach.

 

  1. YOUR LEGAL RIGHTS IN RELATION TO YOUR PERSONAL DATA

9.1 Your Rights

You may have certain rights in relation to your Personal Data depending on the local Data Protection Laws that apply to the processing of your data. These rights may include:

  1. Request access to your Personal Data (commonly known as a “data subject access request”). This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
  2. Request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  3. Request erasure of your Personal Data. This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  4. Object to processing of your Personal Data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your Personal Data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  5. Request restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios:
  6. If you want us to establish the data’s accuracy.
  7. Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  1. You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  2. Request the transfer or portability of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  3. Withdraw consent at any time where we are relying on consent to process your Personal Data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or Services to you. We will advise you if this is the case at the time you withdraw your consent.

In normal circumstances we will fully support and facilitate the exercise of your rights. However, these rights are not absolute and there may be some lawful reasons to deny these requests such as the regulations to which we are subject in the provision of electronic communications Services. If your request is denied, we will provide you with reasons to explain the denial. In some cases, the exercise of these rights may make it impossible for us to fulfil the purposes listed in Section 2 of this Privacy Policy and provide our Services effectively.

9.2 How to exercise your rights

If you would like to exercise any of said rights please send an email to [email protected]   with “Exercise of Rights” as the subject of the email, including your name and purpose of the request. We may ask you for documentation proving your identity to meet your request if this is required by local regulations.

Finally, we inform you that you have the right to file a complaint with the competent Supervisory Authority if you believe that Soprano has processed your data in violation of this Privacy Policy or any other prevailing and applicable regulations in force.

  • If you are a resident in the EEA you may contact your local Data Protection Authority (https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080 ) or the Spanish Data Protection authority where our EEA headquarters are based.
  • In the UK, you may contact the Information Commissioner’s Office at ico.org.uk and on 0303 123 1113.
  • In Australia, you may contact the Office of the Australian Information Commissioner at oaic.gov.au and on 1300 363 992.
  • In New Zealand, you may contact the Office of the New Zealand Privacy Commissioner at privacy.org.nz and on 0800 803 909.
  • In Singapore you may contact the Personal Data Protection Commission at https://www.pdpc.gov.sg/ and on 6377 3131.

 

  1. CONTACT

If you have any questions about your rights and other privacy concerns about our handling of your personal information, or wish to make a complaint, please contact our Data Privacy Team at [email protected]   or write to us by post at:

 

EU

Soprano Design España S.L.U.
Legal Department
ATT: Data Privacy Team
C/ Balmes 65, 4º, 2ª
08007, Barcelona (Spain)

 

REST OF THE WORLD

Soprano Design Pty Ltd
Legal Department
ATT: Data Privacy Team
Level 15, 132 Arthur St
North Sydney NSW 2060 (Australia)

 

  1. CHANGES TO THIS PRIVACY POLICY

This Privacy Policy may change over time to reflect changes in applicable regulations or in our data processing practices, so we encourage you to visit this page regularly to see the latest version. Previous versions can be obtained by contacting us.

Any modification to this privacy Policy will be posted on our website with an updated revision date. We will take reasonable steps to notify you of any material changes to this Privacy Policy by way of a Policy on our Sites, our Service portal or via our agent.

This version was last updated on 05 July 2021.

 

  1. ADDITIONAL TERMS FOR CERTAIN REGIONS

US: California Consumer Privacy Act 2018

For the purposes of the California Consumer Privacy Act, we do not sell personal information of any individual.

If you are a resident of California, you have the following legislative rights:

Right to Know – what personal information a business collects, and how it is used and stored. You may request the business disclose:

  • The categories of personal information collected
  • Specific pieces of personal information collected
  • The categories of sources from which the business collected personal information
  • The purposes for which the business uses the personal information
  • The categories of third parties with whom the business shares the personal information
  • The categories of information that the business sells or discloses to third parties
  • Businesses must provide you this information for the 12-month period preceding your request. They must provide this information to you free of charge.

Right to Delete – your personal information collected unless an exception applies (Eg. Legal obligations to retain data for set periods).

Right to Opt-Out of the sale of your data to third parties – consumers please click on the link [email protected] and insert “Do Not Sell My Personal Information” in the email pop-up Subject header to opt-out.

Right to non-discrimination – in the exercise of your rights.

Right to be Notified – before or at the time of collection of your personal information a notice at collection must list the categories of personal information businesses collect about consumers and the purposes for which they use the categories of information. If the business sells consumers’ personal information, then the notice at collection must include a Do Not Sell link. The notice must also contain a link to the business’s privacy policy, where consumers can get a fuller description of the business’s privacy practices and of their privacy rights.

If you have any questions or comments about this policy, the ways in which Soprano collects and uses your information described here, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at [email protected]

 

California Regulator:

CONSUMER COMPLAINT AGAINST A BUSINESS/CORPORATION

STATE OF CALIFORNIA DEPARTMENT OF JUSTICE

PUBLIC INQUIRY UNIT (916) 210-6276/ (800) 952-5225 Toll Free – CA only TTY/TDD (800) 735-2929 (California Relay Service) For TTY/TDD outside California contact your state’s relay service number at http://www.fcc.gov/cgb/dro/trsphonebk.html AG Web Site: http://www.ag.ca.gov/

Mail Form to: Public Inquiry Unit Office of the Attorney General P.O. Box 944255 Sacramento, CA 94244-2550 SECTION 1 – Your Information First Name Middle Name Last Name

 

  1. DEFINITIONS

Communications Provider means any individual or legal entity that provides electronic communications Services or an electronic communications network.

Contract means the written or electronic agreement between Soprano and Customer for the provision of the Services.

Controller means an individual or legal entity which, alone or jointly, determines the purposes and means of the processing of Personal Data

Customer/s means the individual or legal entity that has applied to receive our Services and has entered into a contract with us, or has or had discussions with us to receive our Services (whether or not a Contract was put in place).

EEA means the European Economic Area;

End-Recipient means an individual or legal entity to whom you send or try to send messages via the Services.

GDPR means Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Lawful basis for processing means the following basis provided in article 6.1 GDPR:

  • Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your Personal Data for our legitimate interests. We do not use your Personal Data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
  • Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
  • Comply with a legal obligation means processing your Personal Data where it is necessary for compliance with a legal obligation that we are subject to.

Mobile Network Operator or MNO means a telecommunications service provider which provides wireless communication Services or mobile voice and data Services and that owns or controls all the elements necessary to sell and deliver messages to End-Recipients.

Personal Data means any information or an opinion about an individual from which that person can be identified (“data subject”) or is reasonably identifiable. An identifiable individual is one who can be identified either directly (e.g. by their name or ID) or indirectly (e.g.  by reference to one or more factors to the physical, genetic, economic or cultural identity of that individual).

Processor means an individual or legal entity which processes Personal Data on behalf of the Controller.

Services means Soprano’s cloud-based enterprise messaging products and Services that we market for subscription.

Site/s means this website www.sopranodesign.com and other websites, microsites and Service portals owned and managed by the Soprano Group and that link to this Privacy Policy.

Soprano Group means Soprano Design Pty Ltd (ACN 066 450 397) and its affiliates.

Supplier means any individual or legal entity that provides products or Services to Soprano.

User/s means anyone who visits our Sites.

 

ANNEX I

SOPRANO DESIGN GROUP COMPANIES:

ASIA PACIFIC

WORLDWIDE HEADQUARTERS:
SOPRANO DESIGN Pty Ltd (Australia)
ACN 066 450 397
Level 15, 132 Arthur St North Sydney NSW 2060, Australia

Regional Offices:
Soprano Design Sdn Bhd (Malaysia)
670331-X
No. 7 (1st Floor), Jalan Pesta 1/1,  Taman Tun Dr. Ismail 1, Jalan Bakri,  Muar, Johor

Orange Gum Pte Ltd (Singapore)
200007651N
8 Eu Tong Sen Street, #15-85, The Central, Singapore 059818

SOPRANO DESIGN LIMITED (New Zealand)
5065442
NZBN: 9429041152157
Suite 7708, 17b Farnham Street, Parnell, Auckland 1052 New Zealand

Redcoal Pty Ltd (Australia)
ACN 090 244 590
Level 15, 132 Arthur St North Sydney NSW 2060, Australia

 

EUROPE

EU REGIONAL HEADQUARTERS:
SOPRANO DESIGN ESPAÑA S.L.U. (Spain)
CIF: B59585935
Calle Balmes Núm. 65, Planta 4, Puerta 2, 08007 Barcelona, Spain.

Regional Offices:

SIT WORLD WIDE S.L.U. (Spain)
CIF: B-65186165
Calle Balmes Núm. 65, Planta 4, Puerta 2, 08007 Barcelona, Spain.

SC Soprano Design SRL (Romania)
21571220
41A Alexandru Vlahuta St., Cluj-Napoca, Romania, Cluj county, Romania

SOPRANO DESIGN (UK) LIMITED (United Kingdom)
Company number 11577396
Adress: 71-75 Shelton Street, Covent Garden London, WC2H 9JQ

 

AMERICAS

Regional Office:

SOPRANO DESIGN LIMITED (United States)
Tax identification number 4879314
501 Silverside Road, Suite 105, Wilmington, Delaware 19809

 

LATIN AMERICA

Regional Offices:

SOPRANO DESIGN CL SpA (Chile)
76.034.185-1
Avenida Nueva Providencia N° 1363, Office N° 1104, borough of Providencia, RM, Santiago, Chile.

Sitmobile Colombia S.A.S. (Colombia)
Tax Identification Number: 900 430 915-3
Carrera 10 B 22 30 APTO.1102, MEDELLÍN, ANTIOQUIA, COLOMBIA

SIT Brasil Comunicaçöes LTDA (Brasil)
Cadastro Nacional de Pesoas Jurídicas, CNPJ/MF nº 11.164.528/ 0001-12
Avenida Paulista, 726 / Suite 1105, 11th floor 01310-100, Bela Vista, São Paulo/SP – Brazil