Product Privacy
The basis of effective data protection is comprehensive information about the collection, processing, and use of your data (“data processing”). Therefore, we, Acrolinx GmbH (“Acrolinx”, “we”, “us”, or “our”), would like to inform you:
- When and for which actions we process data;
- Which data we process for which reasons;
- Who receives data;
- Which rights you have related to our data processing.
This Privacy Policy only governs the use of personal data by using our Acrolinx platform or contacting Acrolinx support. For further Acrolinx Privacy Policies, please refer to our web page at acrolinx.com.
You can retrieve, print, or download this Privacy Policy permanently and at any time at https://www.acrolinx.com/product-privacy.
I. Contact Details
Responsible for data processing within the meaning of the General Data Protection Regulation (GDPR):
Acrolinx North America Inc.
2352 Main Street, Suite 303
Concord, MA 01742
+1 866 749 3700
Internet: www.acrolinx.com/
Email: gdpr@acrolinx.com
Internet: www.acrolinx.com
You can contact our Data Protection Officer at dataprotection@acrolinx.com.
II. General information on data processing
1. Scope of this Privacy Policy
This Privacy Policy aims to explain how Acrolinx processes and protects personal data. Therefore, this Privacy Policy applies to the following services:
- Acrolinx Private Cloud;
- Acrolinx On-Premise Solution;
- Acrolinx Integrations;
- Acrolinx Addon Services;
- Acrolinx Customer Support
(together the “Services”).
2. Legal basis of processing of personal data
The legal bases for the processing of personal data are set out below.
Processing ground | Legal basis in the GDPR | Explanation |
Fulfillment of a contract or carrying out precontractual measures | Art. 6, para. 1b) | Processing shall only occur to the extent that it is necessary to establish and fulfill the rights and duties under the contract. Unless specifically stipulated otherwise, we will only process data to this extent. |
Legitimate interest | Art. 6, para. 1f) | Processing will occur to the extent that we have a legitimate interest and there is no overriding interest of the data subject. The specific interest is explained in this Privacy Policy in relation to the processing statement. |
Consent | Art. 6, para. 1a) | Processing will occur to the extent that you have specifically agreed to the type and scope of the data processing. You can withdraw your consent at any time with future effect. However, any processing undertaken up to this point will not be affected. |
Legal obligation | Art. 6, para. 1c) | Processing will occur to the extent that this is necessary to comply with a German or European legal obligation. |
When using our Services, you are not subject to any decision based solely on automated processing, which produces legal effects concerning them or similarly significantly affects them according to Article 22 GDPR.
3. Data deletion
If you are a Private Cloud user, we generally delete all your data within 45 days after your contract has ended. On request, we handle data differently, e.g. delete all your data sooner or keep select data for longer periods.
If you are an On-Premise user, your Acrolinx Platform administrator is responsible to delete information in accordance with your company’s policies.
We may store data for a longer period of time to the extent legal bases require such storing, especially to comply with statutory retention requirements.
III. Data processing for the provision of our Services
In order for you to use our Services, it is necessary that we process certain personal data. This is the case when you run Acrolinx On-Premise as well as when you are using our Acrolinx Private Cloud services. In addition, we offer various functionalities and services, which require further data processing, e.g. Acrolinx Customer Support or Acrolinx Administration and Configuration Assistance.
1. Personal data we process when you use our product
For the performance of the Services contract or entering into a Services contract within the meaning of Art. 6 para. 1 lit. b) GDPR, we are storing personal data when you use our Services.
When you analyze content using our integrations and plug-ins, the content is sent to the Acrolinx Platform through an encrypted connection. The content is processed by the Acrolinx Platform’s linguistic engine to produce a report and then discarded. We do not permanently store the full content. The report contains content related to suggestions, which is discarded together with the report. During this process the following personal data is processed by the Acrolinx Platform:
- Network Transfer Data (IP-Address)
- HTTP-Header-Data (including User Agent (browser incl. version), OS information etc.)
- Username and Password
- User content submitted for analysis (entire or partial document)
- Debugging logs on client devices
Depending on its settings, the Acrolinx Platform generates and returns reports, including reporting data and scorecards, from checks initiated by the users. Based on your configuration, these contain scores that can constitute personal data, such as:
- spelling, grammar, terminology, style, and clarity metrics and
- data on checked content,
- snippets of user content submitted for analysis,
- guidance and additional user information
related to an identified or identifiable person.
In the case of On-Premise use, Acrolinx Platform processing takes place on computer systems that are completely outside our control, unless you provide us with access. Hence, we generally don’t have any access to the data here described.
In the case of Private Cloud use, Acrolinx Platform processing takes place on computer systems that are legally under our control, but which we only access with your express permission. Hence, we generally don’t have any access to the data here described.
2. Anonymous statistics
We create anonymous statistics on your use of the Acrolinx Platform. In order to do so, we anonymize personal data and send anonymized data only if and after obtaining specific consent in accordance with Art. 6 para 1 lit a) GDPR.
The anonymized data allows us to draw conclusions about certain uses of the Acrolinx Platform to improve our services for you. We collect and transmit anonymized data to the Acrolinx Platform Special Statistics server. We collect this data at certain click events (e.g. an “Open Sidebar”-, “Check”-, “Options”- or “Add to Dictionary”-button is clicked).
Depending on your consent and the use of our platform, additional information can be sent. This information can include
- document length,
- word count,
- check mode information (entire document or part thereof),
- host part of the URL of the web page where the plugin is used, and
- the dictionary name. (What’s a dictionary? Some writers can add words to a user-specific dictionary. Those words are stored with your user name in a document-specific dictionary or with the document name or a writing guide dictionary. We transmit the name, not the content, of such a dictionary.)
You can withdraw your consent at any time: Go to “Options” -> “User Profile” -> “Advanced” and adjust “Send anonymous usage statistics”.
3. Customer support
For Acrolinx Customer Support, customers can submit information to support@acrolinx.com or directly create a ticket in Zendesk. We use the information the customer submits to reply to support requests. Information typically included in support requests is:
- Name
- Email Address
- Organization
- Software version information
- Software configuration files
- Software log-files
- Test document
Acrolinx support scans the log-files to pinpoint the exact issue reported. The support team uses the additional supplied configuration and version information to reproduce the customer environment. Acrolinx support may request and use a test document to further troubleshoot the issue and provide a workaround and/or solution. Test document data is deleted within three months of completion of troubleshooting processes, unless Acrolinx is legally required or allowed to keep the data for other purposes.
IV. How we safeguard personal data
Acrolinx undertakes to implement and comply with the technical and organizational measures required by Article 32 of the GDPR to protect your personal data: Acrolinx provides a level of confidentiality, integrity, availability, and resilience of processing generally appropriate in relation to the nature, scope, context, and purposes of processing by implementing appropriate technical and organizational security measures, so risks are permanently reduced.
Acrolinx does not have access to the infrastructure that is used to run your Private Cloud instance. Management is performed by our partner Rackspace, who is ISO 27001 certified. We liaise with Rackspace to update or change the Services.
Rackspace hosts your Private Cloud instance on Amazon Web Services (AWS) EC2. Amazon Web Services adhere to specific security processes that are documented here and are ISO 27001 certified.
V. Recipient of data
Some of the processing of your personal data is carried out by Acrolinx affiliates or other subprocessors, e.g. Rackspace or AWS. Those are commissioned exclusively on the basis of an agreement about the commissioned data processing, in accordance with Art. 28 para. 3 GDPR. For a list of subprocessors Acrolinx uses, please refer to your data processing agreement with Acrolinx or contact gdpr@acrolinx.com.
Customers may choose to add Acrolinx Addons to use with the Acrolinx Platform: SDL Reuse generally runs as part of Acrolinx On-Premise. Marketmuse parses content in the Marketmuse cloud.
VI. Data transfer to third countries
Some of our service providers or partners are located in a country outside the European Economic Area (EEA). Therefore, we want to inform you of the implications of such circumstances within the Privacy Policy.
Rackspace and Amazon Web Services are located in the USA (a “third country” pursuant to Art. 44 GDPR). These businesses are certified under the Data Privacy treaty “EU-US Privacy Shield”, which guarantees adherence to a European data privacy protection standard. However, depending on customer requirements, servers are used within the EU (e.g. in Dublin, Ireland).
VII. Right to object and right to withdraw consent
If the data processing is based on your consent or our legitimate interest, you have the right to object to the processing or to withdraw your consent at any time. Your objection or withdrawal only has an effect for the future. To contact us at any time to exercise your right of objection or revocation, please send an email to gdpr@acrolinx.com. If you object to processing based on our legitimate interest, we may nevertheless continue processing if we can prove compelling reasons worthy of protection, which outweigh your related interests, rights, and freedoms.
VIII. Rights of data subjects
If your personal data is processed, you are a data subject within the meaning of Art. 4 para. 1 GDPR. As data subject, you have the following rights regarding your personal data. To exercise these rights, please contact us using the contact details above.
Right of access by the data subject according to Art. 15 GDPR
You have a right of access concerning your personal data processed by us. This includes the mandatory information set out in Art. 15 GDPR.
Right to rectification according to Art. 16 GDPR
You have the right to request the immediate correction of inaccurate personal data and the completion of incomplete personal data.
Right to erasure according to Art. 17 GDPR
You have the right to request the erasure of your personal data if one of the grounds mentioned in Art. 17 GDPR applies; in particular, if there is no longer a legal basis for the processing.
Right to restriction of processing according to Art. 18 GDPR
You have the right to request the restriction of the processing of your personal data if one of the grounds mentioned in Art. 18 GDPR applies; in particular, at your request instead of deleting the data.
Right to data portability according to Art. 20 GDPR
You have the right to request all personal data stored by us about you in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another controller without obstruction by the controller to whom the personal data was made available.
Right to lodge a complaint with a supervisory authority according to Art. 77 GDPR
According to Art. 77 GDPR, you have the right to file a complaint with the supervisory authority responsible for you.
IX. Changes to this Privacy Policy
We may adapt the Privacy Policy from time to time for various reasons, including to reflect improved privacy practices, changes to our Services, or to better comply with relevant laws.