Privacy Policy

Simplify Platform — NorthStone NV

Version 1.1 · Effective 4 May 2026

1

Controller Identity and Scope

1.1. This Privacy Policy governs the processing of Personal Data by NorthStone NV, a company duly incorporated and existing under the laws of Belgium, with its registered office at 8 Verbrande Poort, 3000 Leuven, Belgium, registered with the Crossroads Bank for Enterprises (hereinafter referred to as the "Company").

1.2. This Privacy Policy applies to the processing of Personal Data in connection with the provision, operation, and use of the Simplify software platform (hereinafter the "Platform"), including associated websites, interfaces, and services.

1.3. The Company acts as Data Controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter "GDPR") with respect to Personal Data relating to its Customers, Users, and visitors.

1.4. Where the Platform is used by Customers to process Personal Data of third parties, the Customer acts as Data Controller and the Company acts solely as Data Processor within the meaning of Article 4(8) GDPR.

2

Definitions

2.1. For the purposes of this Privacy Policy, the following definitions shall apply:

  1. "Personal Data" — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR;
  2. "Processing" — any operation performed on Personal Data, including collection, storage, use, transmission, or deletion, as defined in Article 4(2) GDPR;
  3. "Customer" — any legal or natural person who enters into an agreement with the Company for use of the Platform;
  4. "User" — any individual authorized by a Customer to access and use the Platform;
  5. "Customer Data" — any data, including Personal Data, submitted to or stored within the Platform by or on behalf of a Customer.

3

Categories of Personal Data

3.1. The Company may process Personal Data necessary for the creation, administration, and operation of accounts, including identification and contact details such as name, email address, account identifiers, and associated account configuration information.

3.2. The Company may process technical and operational data generated through the use of the Platform, including IP addresses, system identifiers, authentication records, timestamps, browser information, and device-related information, insofar as such Processing is necessary to ensure system functionality, integrity, and security.

3.3. The Company may process Personal Data contained in communications between Users and the Company, including support requests, service-related inquiries, and operational correspondence.

3.4. The Platform enables Customers to upload, store, and manage Customer Data, which may include Personal Data of Users or third parties. In such circumstances, the Company processes such data solely on behalf of the Customer and in accordance with the Customer's instructions.

4

Purposes and Legal Bases of Processing

4.1. The Company processes Personal Data exclusively for specified, explicit, and legitimate purposes, including the provision, maintenance, and improvement of the Platform.

4.2. Processing shall be based on one or more of the following legal bases:

  1. the necessity of Processing for the performance of a contract to which the Data Subject or Customer is a party, pursuant to Article 6(1)(b) GDPR;
  2. compliance with legal obligations to which the Company is subject, pursuant to Article 6(1)(c) GDPR;
  3. the legitimate interests of the Company, including ensuring system security, preventing unauthorized access, maintaining service reliability, and protecting its legal rights, pursuant to Article 6(1)(f) GDPR;
  4. where applicable, consent of the Data Subject, pursuant to Article 6(1)(a) GDPR.

4.3. The Company shall not process Personal Data for purposes incompatible with the purposes described herein.

5

Role as Processor and Customer Responsibilities

5.1. Where Customers use the Platform to process Personal Data of third parties, the Customer shall act as Data Controller and shall remain solely responsible for determining the legal basis and purposes of such Processing.

5.2. The Company shall process Customer Data solely for the purpose of providing the Platform and in accordance with Customer instructions and applicable agreements.

5.3. The Company shall not access Customer Data except where necessary to ensure the proper functioning, security, or maintenance of the Platform, or where required by law.

6

Disclosure of Personal Data and Sub-Processors

6.1. The Company may engage third-party service providers acting as Data Processors for the purpose of operating and maintaining the Platform.

6.2. Such service providers include, but are not limited to:

  1. infrastructure and hosting providers, including Amazon Web Services, Inc. and HostHatch LLC;
  2. network and security service providers, including Cloudflare, Inc.;
  3. server management service providers, including RunCloud Sdn Bhd;
  4. communication service providers, including Mailgun Technologies, Inc.;
  5. artificial intelligence service providers, including OpenAI, L.L.C. and Google LLC.

6.3. The Company shall ensure that such service providers are subject to appropriate contractual safeguards consistent with GDPR requirements.

6.4. Personal Data shall not be sold, leased, or otherwise transferred to third parties for unrelated commercial purposes.

7

International Transfers

7.1. Personal Data may be transferred to service providers located outside the European Economic Area where necessary for the provision of the Platform.

7.2. Where such transfers occur, the Company shall ensure appropriate safeguards in accordance with Chapter V GDPR, including the use of Standard Contractual Clauses or equivalent legal mechanisms.

8

Data Security

8.1. The Company implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risks associated with the Processing of Personal Data.

8.2. Such measures include, where appropriate, access controls, encryption of data in transit, authentication safeguards, infrastructure protection mechanisms, and monitoring of system integrity.

8.3. Access to Personal Data shall be limited to authorized personnel and service providers strictly on a need-to-know basis.

9

Data Retention

9.1. Personal Data shall be retained only for as long as necessary to fulfill the purposes for which it was collected and processed, including compliance with legal obligations and contractual requirements.

9.2. Upon termination of the Customer relationship, Personal Data may be deleted, anonymized, or retained as required by applicable law or legitimate business interests.

10

Google User Data

10.1. The Platform integrates with Google APIs to provide calendar synchronization, document management, and video conferencing features. When a User connects their Google account, the Platform may access the following Google user data:

  1. Google Calendar data — calendar events, availability information, and scheduling details, used to synchronize scheduling, prevent double-booking, and display availability within the Platform;
  2. Google Drive data — file metadata, file contents, and folder structure for documents that Users explicitly choose to link or import into the Platform;
  3. Google Meet data — meeting links and conferencing details, used to create and join video meetings from within the Platform;
  4. Basic profile information — name, email address, and profile picture, used for account identification and display purposes.

10.2. Use of Google user data. Google user data accessed through Google APIs is used solely to provide and improve the Platform features described in this Privacy Policy. Specifically, the Platform uses Google user data to:

  1. display and synchronize calendar events and availability;
  2. enable Users to browse, link, and manage documents from Google Drive;
  3. create and manage video conferencing sessions;
  4. authenticate and identify Users who sign in with their Google account.

10.3. Storage of Google user data. The Platform stores Google user data only to the extent necessary to provide the services described above. Calendar event data and Drive file metadata may be cached to enable offline access and faster performance. Users may revoke access at any time through the Platform settings or through their Google Account permissions page, after which cached data will be deleted within 30 days.

10.4. Sharing of Google user data. The Company does not sell, rent, or share Google user data with third parties except as necessary to provide the Platform (e.g., infrastructure providers listed in Article 6) or as required by law. Google user data is never used for advertising purposes.

10.5. Google API Services User Data Policy. The Platform's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. The Platform:

  1. only uses Google user data to provide or improve user-facing features that are prominent in the requesting application's user interface;
  2. does not transfer Google user data to third parties unless necessary to provide or improve user-facing features, required for security purposes, or required by law;
  3. does not use Google user data for serving advertisements;
  4. does not allow humans to read Google user data unless the User has provided affirmative consent, it is necessary for security purposes, or it is required by law.

11

Rights of Data Subjects

11.1. Data Subjects shall have the rights provided under GDPR, including:

  1. the right to access Personal Data;
  2. the right to rectify inaccurate Personal Data;
  3. the right to request erasure of Personal Data;
  4. the right to restrict Processing;
  5. the right to data portability;
  6. the right to object to Processing.

11.2. Requests relating to such rights may be submitted in writing to the Company using the contact details set forth in Article 15.

12

Amendments

12.1. The Company reserves the right to amend this Privacy Policy from time to time.

12.2. Updated versions shall become effective upon publication and shall apply to all subsequent Processing activities.

13

Governing Law and Jurisdiction

13.1. This Privacy Policy shall be governed by and construed in accordance with the laws of Belgium.

13.2. Any dispute arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts of Leuven, Belgium.

14

Supervisory Authority

14.1. Data Subjects have the right to lodge a complaint with the competent supervisory authority, namely:

Gegevensbeschermingsautoriteit / Autorité de protection des données
Drukpersstraat 35 / Rue de la Presse 35
1000 Brussels, Belgium

15

Contact

15.1. Any questions, requests, or notices regarding this Privacy Policy shall be addressed to:

NorthStone NV
8 Verbrande Poort
3000 Leuven
Belgium

Email: privacy@onebonsai.com