Qustodio Technologies SLU. (the “Company” or “We/us”, with domicile at Passeig de Gracia 18 Planta 2, 08007 Barcelona, Spain; and corporate VAT No: ESB65825523) provides its services to you so you can monitor and control the use of your and your family’s computer devices, with a parental control panel platform which allows you to set the level and degree of monitoring of the devices associated with your User Account (as defined in our Terms of Service). These Services also include optional services for safe navigation and search. The purpose is to enable you to control the use of these devices by their Users (as defined below), when and to the extent that such activity is permitted by applicable law and without infringing the rights of others (including the fundamental rights of Users) or other applicable regulations.
Qustodio processes two types of personal data in relation to the Service: your account and contact data, for which it is responsible (as Data Controller), and your user data, collected from your devices, for which you are responsible.
– Your account and contact data are used for managing our relationship with you, including activation, support, invoicing, and upselling.
– Your user and device information is processed on your behalf, for providing the parental control and monitoring services through the control panel.
You are solely responsible for the configuration and use of the parental control panel and the processing of personal data associated with your account which includes, among others, collecting, storing and analysing personal data from device Users. The Qustodio platform automatically deploys the configuration and the instructions given by you and you are solely responsible for the configuration of this control panel. You can change those configurations at your option and provide instructions to limit and/or erase any data collected.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Data Controller: Qustodio Technologies SLU
Address: Passeig de Gracia 18 Planta 2 08007 Barcelona, Spain
Privacy Manager: firstname.lastname@example.org
1. Data collection by the Company through the Services
The personal data about you or the Users (hereinafter the “Data”) that can be collected by us through the use of the Services are as follows:
- Registration. On registering for Qustodio Services, we will collect the following personal data: name, surname, company/institution, email address and telephone/fax. This data is obligatory and if they are not provided, an account cannot be created.
- Web-forms. If you submit any web form to us (Contacts, comments), we collect the data indicated in the forms indicated in and submitted through these forms by you, including name and email address. Required data in order to send the web form is indicated. This data is used for processing your request and contacting you for further communication.
- Information about your computer. Due to the communications standards on the internet, when you visit our Platform we automatically receive the URL of the site from which you came and the site to which you are going when you leave the site. We also receive the internet protocol (“IP”) address of your computer and the type of web browser you are using. We use this information to analyse overall trends and to help improve the service. This information is not shared with third parties without your permission.
Qustodio Browser Guard and Secure Search. These add-on applications to the Qustodio software, installed at your option, collect certain additional user data, such as search queries or page addresses, performance and other usage information (search term, IP address, browser type, language setting) and install one or more cookies for managing the service. In addition, they periodically contact our servers to request automatic updates to the latest version, and as part of this request sends the unique application numbers along with optional toolbar usage and configuration statistics. These unique application numbers are not associated with any other personally identifying information. Certain optional toolbar features may send the URL address of the site you visit. We will let you know when you are enabling a feature that automatically sends page addresses to us, and you can turn these features off at any time. These URL addresses are not associated with any other personally identifying information.
Your User Data. On your behalf, as a principal function of the service, we collect and process personal data relating to your Users (as defined in the Terms) in accordance with the provisions set out in section 3 below.
We use different methods to collect Account Data from and about you including through:
Direct interactions. You may give us your personal data by registering or contacting us. This includes personal data you provide when you create an account on our website, subscribe to our service or publications, request marketing to be sent to you, or give us feedback.
Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns.
Minors. We do not let minors subscribe to the Qustodio Service
2. Use of Account Data collected by the Company
Please note that this Section does NOT relate to the processing of User Data, which is regulated by Section 3 below and Annex 1 hereto.
General. We are responsible for processing your Account Data, which is solely used for the development of our contract and communications with you and for the provision and management of your Qustodio Account and our Services provided to you (as described in the Terms). It is also used to measure and improve the services and functionality and to provide customer service, send email notifications and (unless no longer in the distribution list) newsletters, or communications, in general, about the Services, products and novelties, and product offers or promotions offered by Us. We will use the Account Data in order for these purposes and to comply with the Terms, applicable law, and other legal notices. Registered users are also sent notification emails about activities of the Service.
Service optimisation. We may process such information on an aggregated non-identifiable basis for establishing user general attributes and profiles and share such anonymous information with third party service providers to help improve or promote our service. We also use your data in a non-identifying and aggregated manner (i.e. dissociated data) to better design our web site, software and services.
Disclosure. We treat your Account Data with strict confidentiality in accordance with applicable law. However, we shall disclose any information about you or your use of our Services (i) in compliance with a legal obligation, (ii) in order to correctly deliver our Services or perform other obligations in accordance to the applicable regulations and rules set forth in the Terms, (iii) in the event of a sale of change of control of the Company for the purpose of appropriate due diligence; or (iv) to service providers providing us a service in relation to the data. We require all third parties to respect the security of your Account Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Account Data data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Lawful Bases. Below are the lawful bases that we rely on to process your Account Data:
- Performance of Contract: processing your data is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract.
- Legitimate Interest: we have a legitimate interest to process your Account data for our business, in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at email@example.com.
- Comply with a legal or regulatory obligation: we may process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Generally we do not rely on consent as a legal basis for processing your Account Data other than in relation to sending own marketing communications to you via email or text message. However for transparency and clarity, we ask you to provide this consent, which is given by you on registering your account. You have the right to withdraw consent at any time by contacting us at firstname.lastname@example.org. This will not affect the processing of your Account Data for service provision until you cancel your account.
Data retention. We will only retain your Account Data for as long as necessary to fulfil the purposes we collected it for, including (a) the performance of the contract with registered users and (b) for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your Account Data for the period of your subscription (active) and 7 years thereafter (blocked), for legal and administrative purposes.
Statistical use. We may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use and retain this information indefinitely without further notice to you.
3. Processing of User Data on your behalf: the Company as data processor
User Data. In registering for a Qustodio Account, the Services start collecting data from the Devices associated to the Account, which may include personal data relating to you, to the Users of the Devices or to third parties (“User Data”, including information about your Devices, websites and apps that your Users use, contacts, connections, payments, messages and other communications, posted and received content, etc.). In accordance with applicable privacy law, to the extent that it applies to the Services, you are the Data Controller of this User Data and you appoint us as a Data Processor of such data for the purpose of providing the Qustodio Services.
The provisions of Annex 1 of this Policy apply to the processing of User Data.
Warranties. You, as the person responsible for User Data that we process on your behalf as Data Processor for the provision of the Services, represent and warrant to us that
a) You comply with all applicable legislation with respect to the monitoring and control of equipment and devices used by Users within your organisation.
b) You are not in any situation described in the section on “Prohibitions” in the Terms (see clause 1.3 of the Terms)
c) You have all the appropriate informed consents from each and every data subjects whose personal data are submitted to us in the course of the provision of the Services or collected and transmitted to us by the Qustodio Software.
Indemnity. You agree to indemnify and keep us harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of User Data and other third party personal data submitted to our systems during the course of use and provision of the Services.
4. International transfers of data
We use third party technological services for the provision of Services, whose providers may process Account Data and User Data collected in the course of providing us their services indicated below, as sub-processors. These entities may be in jurisdictions that generally don’t provide adequate safeguards in relation to the processing of personal data. However, we have entered into contracts with such entities that do include such safeguards, including the EC model clauses. For more information, please contact email@example.com. In addition, our providers which are in the USA are companies within the EU-US Privacy Shield.
5. Data Security
We have adopted technical and organizational measures to preserve and protect your personal information from unauthorized use or access and from being altered, lost or misused, taking into account the technological state of art, the features of the information stored and the risks to which information is exposed. However, due to the nature of the information and related technology, we cannot ensure or guarantee the security of your personal information and expressly disclaims any such obligation. If we learn of a security breach, then we will attempt to notify you electronically so that you can take appropriate steps.
6. Analytics and other anonymous data use
For the purpose of improving our services and providing sector/segment reports, we anonymise your Account Data and certain generic User Data and store and process this data on an anonymous basis, even after your Account has been closed. The principal purpose is to analyze on an aggregated non-identifiable basis how our Services are used, measuring their effectiveness, and providing general customer service. We may also provide this data (or parts of it) on a fully anonymous aggregate basis to third party business partners, including for conducting academic research and surveys or commercial analytics, and to publish periodic sector or segmented information and reports about behaviour patterns and tendencies.
7. User Rights
Account Data: you have rights under data protection laws in relation to your personal Account Data. You have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
To exercise your rights, please contact us at firstname.lastname@example.org or at Passeig de Gracia 18 Planta 2, Barcelona, Spain.
You may address a complaint about the processing personal data to our supervisory authority which is the Spanish Data Protection Agency, at www.agpd.es.
User Data: You are Data Controller of your User Data, and you can access, delete, restrict, correct and request a copy of your data at any time. We will assist you in accordance with the functionalities of the Platform and the term of this agreement to attend any end-user request with regard to the processing of their personal data, as provided in Annex 1 hereto.
8. Commercial Communications.
An integral part of our service involves informing you of new options, configurations and service offerings. On registration or contacting us, you expressly consent to receive electronic commercial communications regarding the subject matter of the Services in accordance with applicable law, including alerts, notices, newsletters, offers and promotions. Once opted in, if afterwards you do not wish to receive information from this Platform you can expressly opt out by sending a notification to email@example.com.
Although we have a legal basis other than consent for the processing of the data set out in this form (other than marketing communications), we also would like to ensure that we additionally have your express consent.
By completing the forms of the Qustodio Platform and registering for an Account, you declare to have read and accepted the terms of this Policy. Without prejudice to the generality of the foregoing, you expressly and unequivocally consent to:
- the collection and processing of your personal data by us in accordance with the indicated purposes and this Policy;
- the collection and processing of User Data on your behalf, as indicated herein; and
Your consent to personal data collection and processing may be revoked, without retroactive effects, in accordance with the General Data Protection Regulation. This will not prevent processing of your Account Data for providing you the service, unless you also cancel your account with us.
Annex 1 – Processing of User Data
This Addendum sets out the obligations of the parties in relation to the processing of the User Data by Qustodio on behalf and following the instructions of the client as Data Controller
|Details of Processing|
|Categories of Data Subjects||Users of the Devices which are monitored by Qustodio. Third parties who interact with the users of such devices|
|Type of personal data||All data collected by such devices, including identification and contact data, Internet browsing and content viewing data, behavioural data,|
|Purpose||To provide the parental control and monitoring services of Qustodio|
|Duration||The term of the client contract + 12 months (see below)|
Data removal. During your subscription, we generally retain your User Data on an identifiable basis for 12 month periods, for providing our annual behaviour report. It is then deleted or diassociated for our analytical purposes. In addition, through the Platform control panel, you may delete all historical data saved at any time. This data will no longer be accessible and will be fully removed from our systems on the next back-up, except as indicated below. If you wish to remove all the User Data in your Qustodio Account, please, uninstall Qustodio of your devices, and send an email (as set out below), with a digital copy of your ID or other identification document to prove your identity. Once your identity confirmed, we will immediately remove all Data from our active systems and back-ups within fifteen (15) days from confirmation of identity (except as indicated in section 10 below).
For the purpose of this Addendum, the following terms shall take the meaning set out herein:
- Personal Data: all information about an identified or identifiable individual; An identifiable natural person shall mean any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more identity elements Physical, physiological, genetic, psychological, economic, cultural or social.
- Data Processor: the natural or legal person, public authority or other organisation processing personal data on behalf of the Data Controller.
- Data Subject: is the individual that is identified or identifiable. Data Controller: the natural or legal person, public authority, or other organisation that, alone or jointly with others, defines the purposes and means of the processing.
- Processing: Any operation or set of operations carried out on personal data or personal data sets, whether by automated processes or not, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, collation or interconnection, limitation, suppression or destruction.
- Security breach of the personal data: any breach of security that results in the destruction, loss or accidental or unlawful alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to such data.
2. Object and Term
The purpose of this addendum is to regulate the processing of the User Data indicated above. The term of validity of this Addendum is established by virtue of the client subscription with Qustodio.
3. Data Protection Laws Compliance
Each Party shall comply with all applicable laws relating to privacy and data protection, including (without limitation) the EU Data Protection Directive (95/46/EC) up until 25 May 2018 as implemented in each jurisdiction, the EU General Data Protection Regulation (2016/679) on and from 25 May 2018, the EU Privacy and Electronic Communications Directive (2002/58/EC) as implemented in each jurisdiction, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).
4. Rights and responsibilities of the Client as Data Controller, Service Configuration
As established in the applicable law, Client shall:
a) Inform and obtain all such necessary consent from the Device users for the processing of their personal data.
b) Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.
c) Respond to the legal rights of Device Users established by applicable law on the protection of personal data and comply with the stipulations indicated in clause 6 even if these were originally addressed to the Qustodio.
5. Rights and responsibilities of Qustodio as Data Processor
As established in the applicable laws and regulations, the Qustodio shall:
a) Process User Data only on the basis of documented instructions from the Client, including transfers of User Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; In such case, Qustodio will inform the Client of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
b) Ensure that the persons authorised to process User Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
c) Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
d) Respect the conditions for having recourse to another Data Processor, as established in the current legislation on protection of personal data.
e) Assist the Client, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects, here the Device users.
f) Assist the Client in ensuring that Client complies with its obligations, taking into account the nature of the processing and the information that is available to Qustodio.
g) At the choice of the Client, either destroy or return all personal data once the processing services have been completed, and destroy any existing copies unless the retention of personal data is required under Union or applicable Member State law.
h) Make available to the Client all information necessary to demonstrate compliance with the obligations established in herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Client.
i) Process the User Data placed at the disposal of Qustodio in a way that ensures that the personnel in charge follow the instructions of the Client.
j) Ensure that the appointed Data Protection Officer (if applicable) or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of User Data.
k) Adhere to a Code of Conduct that is approved by the European Commission or other competent authority.
l) Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
m) Respond to the legal rights established by applicable law and comply with the stipulations indicated in clause 6 even if these were originally addressed to the Client.
6. Data subjects’ exercise of their rights
If the Data Subjects (Device users) address a request or exercises any of the rights established in the General Data Protection Regulation, the Client and / or Qustodio must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.
Similarly, in the event that the Client and / or Qustodio do/es not proceed with the request of the Device user, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Device user with the reasons why he/she/they has/ve not acted and inform the Device user of his/her right to file a complaint before a competent authority and to file a judicial appeal. The response to the Device user’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.
8. International transfer of data
International transfers of User Data may only be performed if the requirements of national or Community laws and regulations that regulate them, are met. If Qustodio carries out an international transfer of data without the other party’s consent, the latter shall be exempted from any liability that may arise as a result of or in connection with such transfer. Qustodio uses third party technological services for the provision of Services, whose providers may process User Data collected in the course of providing us their, as sub-processors. These entities may be in jurisdictions that generally don’t provide adequate safeguards in relation to the processing of personal data. However, we have entered into contracts with such entities that do include such safeguards, including the EC model clauses. For more information, please contact firstname.lastname@example.org. Our providers which are in the USA are companies within the EU-US Privacy Shield.
9. Security breach of the personal data
Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the personal data, the Client and/or Qustodio shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than seventy-two (72) hours after it happened.
10. Termination, resolution and expiration
In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Client and Qustodio, the latter shall not keep the User data unless otherwise legally required or advisable to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, Qustodio shall destroy or return to the Client all personal data and any copies of it, as well as any support or other document containing any personal data. This is without prejudice to the right of Qustodio to continue process User Data where such data is being processed by Qustodio or for the defense of its legal interests.
11. Governing law
This Annex shall be governed by and construed in accordance with the laws of Spain and shall be subject to the exclusive jurisdiction of the Courts of Barcelona, Spain.