The basis of effective data protection is comprehensive information about the collection, processing, and use of your data (“data processing”). Therefore, we, Acrolinx GmbH (“Acrolinx”, “we”, “us”, or “our”), would like to inform you:
- When and for which actions we process data;
- Which data we process for which reasons;
- Who receives data;
- Which rights you have related to our data processing.
I. Contact Details
The Acrolinx Platform is provided by:
10557 Berlin, Germany
+49 30 288 848 330
II. General information on data processing
- Acrolinx Managed Cloud;
- Acrolinx On-Premise Solution;
- Acrolinx Integrations;
- Acrolinx Add-on Services;
- Acrolinx Customer Support
(together the “Services”).
2. Legal basis of processing of personal data
The legal bases for the processing of personal data are set out below.
|Processing ground||Legal basis in the GDPR||Explanation|
|Fulfillment of a contract or carrying out precontractual measures||Art. 6, para. 1b)||Processing shall only occur to the extent that it is necessary to establish and fulfill the rights and duties under the contract. Unless specifically stipulated otherwise, we will only process data to this extent.|
|Consent||Art. 6, para. 1a)||Processing will occur to the extent that you have specifically agreed to the type and scope of the data processing. You can withdraw your consent at any time with future effect. However, any processing undertaken up to this point will not be affected.|
|Legal obligation||Art. 6, para. 1c)||Processing will occur to the extent that this is necessary to comply with a German or European legal obligation.|
When using our Services, you are not subject to any decision based solely on automated processing, which produces legal effects concerning them or similarly significantly affects them according to Article 22 GDPR.
3. Data deletion
If you are a Managed Cloud user, we generally delete all your data within 45 days after your contract has ended. On request, we handle data differently, e.g. delete all your data sooner or keep select data for longer periods.
If you are an On-Premise user, your Acrolinx Platform administrator is responsible to delete information in accordance with your company’s policies.
We may store data for a longer period of time to the extent legal bases require such storing, especially to comply with statutory retention requirements.
III. Data processing for the provision of our Services
In order for you to use our Services, it is necessary that we process certain personal data. This is the case when you run Acrolinx On-Premise as well as when you are using our Acrolinx Managed Cloud services. In addition, we offer various functionalities and services, which require further data processing, e.g. Acrolinx Customer Support or Acrolinx Administration and Configuration Assistance.
1. Personal data we process when you use our product
Acrolinx provides its services as data processor in accordance with Art. 28 GDPR on behalf of the client entity that acts as a controller.
When you analyze content using our integrations and plug-ins, the content is sent to the Acrolinx Platform through an encrypted connection. The content is processed by the Acrolinx Platform’s linguistic engine to produce a report and then discarded. We do not permanently store the full content. The report contains content related to suggestions, which is discarded together with the report. During this process the following personal data is processed by the Acrolinx Platform:
- Network Transfer Data (IP-Address)
- HTTP-Header-Data (including User Agent (browser incl. version), OS information etc.)
- Username and Password
- User content submitted for analysis (entire or partial document)
- Debugging logs on client devices
Depending on its settings, the Acrolinx Platform generates and returns reports, including reporting data and scorecards, from checks initiated by the users. Based on your configuration, these contain scores that can constitute personal data, such as:
- spelling, grammar, terminology, style, and clarity metrics and
- data on checked content,
- snippets of user content submitted for analysis,
- guidance and additional user information
related to an identified or identifiable person.
In the case of On-Premise use, Acrolinx Platform processing takes place on computer systems that are completely outside our control, unless you provide us with access. Hence, we generally don’t have any access to the data here described.
In the case of Managed Cloud use, Acrolinx Platform processing takes place on computer systems that are legally under our control, but which we only access with your express permission. Hence, we generally don’t have any access to the data here described.
2. Usage analysis by Heap (currently for beta programs only)
We use the usage analysis service Heap from Heap Inc., 225 Bush St. 2nd Floor, San Francisco, CA 94104, USA to better understand the needs of our users and to optimize the offering on the Acrolinx platform.
Heap’s technology helps us better understand our users’ experiences (e.g., how much time users spend on which pages, which features they use, which links they click) and helps us tailor our offerings and find deficiencies based on user feedback in order to improve the product based on their needs.
Heap works with cookies and other technologies to collect information about the behavior of our users and their end devices (in particular device type, operating system). Heap stores this information in a pseudonymized user profile. The information is neither used by Heap nor by us to identify individual users nor is it combined with other data about individual users.
3. Customer support
For Acrolinx Customer Support, customers can submit information to firstname.lastname@example.org or directly create a ticket in Zendesk. We use the information the customer submits to reply to support requests. Information typically included in support requests is:
- Email Address
- Software version information
- Software configuration files
- Software log-files
- Test document
Acrolinx support scans the log-files to pinpoint the exact issue reported. The support team uses the additional supplied configuration and version information to reproduce the customer environment. Acrolinx support may request and use a test document to further troubleshoot the issue and provide a workaround and/or solution. Test document data is deleted within three months of completion of troubleshooting processes, unless Acrolinx is legally required or allowed to keep the data for other purposes.
IV. How we safeguard personal data
Acrolinx undertakes to implement and comply with the technical and organizational measures required by Article 32 of the GDPR to protect your personal data: Acrolinx provides a level of confidentiality, integrity, availability, and resilience of processing generally appropriate in relation to the nature, scope, context, and purposes of processing by implementing appropriate technical and organizational security measures, so risks are permanently reduced.
Your instance is hosted on Amazon Web Services (AWS) EC2. Amazon Web Services adhere to specific security processes that are documented here and are ISO 27001 certified.
V. Recipient of data
Some of the processing of your personal data is carried out by Acrolinx affiliates or other subprocessors, e.g. AWS. Those are commissioned exclusively on the basis of an agreement about the commissioned data processing, in accordance with Art. 28 para. 3 GDPR. For a list of subprocessors Acrolinx uses, please refer to your data processing agreement with Acrolinx or contact email@example.com.
Customers may choose to add Acrolinx Addons to use with the Acrolinx Platform: SDL Reuse generally runs as part of Acrolinx On-Premise. Marketmuse parses content in the Marketmuse cloud.
VI. Data transfer to third countries
Some of our service providers or partners are located in a country outside the European Economic Area (EEA). We have concluded the standard contractual clauses with these suppliers. However, depending on customer requirements, servers are used within the EU (e.g., in Dublin, Ireland).
VII. Right to object and right to withdraw consent
If the data processing is based on your consent or our legitimate interest, you have the right to object to the processing or to withdraw your consent at any time. Your objection or withdrawal only has an effect for the future. To contact us at any time to exercise your right of objection or revocation, please send an email to firstname.lastname@example.org. If you object to processing based on our legitimate interest, we may nevertheless continue processing if we can prove compelling reasons worthy of protection, which outweigh your related interests, rights, and freedoms.
VIII. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of Art. 4 No. 1 GDPR. As data subject, you have the following rights regarding your personal data. To exercise these rights, please contact us using the contact details above.
Right of access by the data subject according to Art. 15 GDPR
You have a right of access concerning your personal data processed by us. This includes the mandatory information set out in Art. 15 GDPR.
Right to rectification according to Art. 16 GDPR
You have the right to request the immediate correction of inaccurate personal data and the completion of incomplete personal data.
Right to erasure according to Art. 17 GDPR
You have the right to request the erasure of your personal data if one of the grounds mentioned in Art. 17 GDPR applies; in particular, if there is no longer a legal basis for the processing.
Right to restriction of processing according to Art. 18 GDPR
You have the right to request the restriction of the processing of your personal data if one of the grounds mentioned in Art. 18 GDPR applies; in particular, at your request instead of deleting the data.
Right to data portability according to Art. 20 GDPR
In accordance with the provisions of Art. 20 of the GDPR, you have the right to request the personal data concerning you that you have provided to us in a structured, common, and machine-readable format and to transfer this data to another controller without hindrance from the controller to whom the personal data was provided.
Right to lodge a complaint with a supervisory authority according to Art. 77 GDPR
According to Art. 77 GDPR, you have the right to file a complaint with the supervisory authority responsible for you.