2. The Types of Personal Data that We Collect
Personal data is information that relates to an identified or identifiable individual, and it could be as simple as a name or a number, or could include other identifiers such as an IP address, a cookie identifier, or other factors.
We collect personal data in order to provide our services to you; maintain communications with you; and/or in order to comply with applicable law. Please note that if we have requested personal data from you and you decide that you do not want to share certain personal data with us, then this may prevent us from: (i) providing our services to you; or (ii) entering into a contract to provide services to you. In these circumstances we will ensure we notify you when reasonably possible to do so.
We collect different types of personal data for different reasons, including:
Most of the personal data we process about you is provided to us directly by you for one of the following reasons:
We may also receive personal data indirectly, from the following sources:
We take reasonable measures to ensure that when we receive personal data indirectly: (i) the third party providing your personal data has the necessary lawful basis to share your personal data with us; and (ii) we use any such data in compliance with terms and conditions set out by the third party providing it to us.
We use your personal data in order to, where applicable:
In all circumstances, we only use your personal data for the purpose it was collected unless we reasonably believe that we need to use such personal data for another, related purpose, and it is legally possible to do so. If we need to use your personal data for any other purpose we will notify you and let you know the lawful basis on which we propose to rely.
Under the General Data Protection Regulation 2018 (“GDPR”), the lawful bases that we normally rely on for processing your personal data, detailed above, are:
We may need to process your personal data in order to comply with applicable laws, in these circumstances we have a legal obligation to process your data, but we will inform you if this is the case.
In the unlikely event we store any Special Category Data (as defined by GDPR) the lawful basis for processing is determined by the category of personal data being processed. In the event this relates to Special Category Data contained in a dataset, we rely on your consent to process such personal data.
Where we undertake direct marketing, all of our direct marketing campaigns are conducted in accordance with applicable law; we only do so with your consent and/or where we have a legitimate interest to do so, but in any event, you have the option to opt out of any direct marketing at any time by clicking the unsubscribe link in our marketing material. Helixa has performed a legitimate interests assessment in respect of its direct marketing activities to former, existing, and prospective customers. In summary, Helixa has a legitimate interest to market its services to existing customers as they already receive services directly from Helixa and may benefit from other services that Helixa provides. Former customers may be likely to purchase Helixa services after receiving marketing materials as they become aware of the additional benefits that other services could bring them. In addition, Helixa has a legitimate interest in marketing its services to prospective customers to promote brand awareness and increase sales.
To the extent that Helixa records any video conferences/calls/meetings of your voice or image (biometric data), Helixa will only do so with your explicit consent before such recordings are made.
Helixa will retain your personal data only as long as necessary for the purposes for which it was collected; to provide you with services in accordance with our contractual obligations to you; and where required or permitted under law. Generally, this means your personal data will be retained until the end of your contractual relationship with us. In addition, such data may also be retained whilst Helixa has a legitimate business need to do so.
When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymise it or, if this is not possible (for example, because your personal data has been stored in backup archives), we will securely store your personal data and isolate it from any further processing until deletion is possible.
In relation to direct marketing, we will retain personal data (only to the extent necessary) in order to ensure we respect your direct marketing opt-out preferences.
No service is completely secure, but we believe the security of your information is a serious issue and we are committed to maintaining commercially reasonable and appropriate security measures to ensure that your personal information is protected both online and offline. Helixa has a dedicated Information Security team that manages our framework, policies and procedures based on ISO27001 principles (with supplementary controls added for NIST framework alignment) to protect your personal information.
The framework includes (but not limited to) the following measures; employees and contractors being subject to background checks and bound by confidentiality, all receive training on data privacy and security. Those responsible for designing, managing and developing software and services do so applying secure development and privacy by design practices. Principles of least privilege are adopted using a role-based model for provisioning access to critical infrastructure and sensitive data. Data is encrypted in transit over public networks using both TLS, data encryption at rest is using Advanced Encryption Standard, pseudonymization. We also take measures to ensure third-party service providers that process personal data on our behalf also have appropriate security controls in place.
While we strive to protect your data, we cannot guarantee that unauthorized access to your data, data loss or a data breach will never occur.
In order to provide our services to you it may be necessary to transfer your personal data to a country that is different to the country in which we collected your personal data, and such country may not apply the same level of data protection.
As we are a global enterprise, and part of the Telmar Group, Helixa may transfer your personal data to Telmar Group companies (see section 17, below) and our third party services providers. To the extent required by applicable data protection law, any personal data that is transferred amongst Telmar Group companies shall be subject to an intra-group data transfer agreement (“IGDTA”) that applies the Standard Contractual Clauses approved by the European Commission, and the UK’s International Data Transfer Agreement and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.
In addition to the IGDTA, Helixa performs transfer impact assessments (each a “TIA”) in respect of the transfer of personal data outside the European Economic Area to “third countries”. In this context, “third countries” are countries that the EU has not issued recognition of a country's adequacy of its data protection laws to ensure that a data subject gains a similar level of protection that a person would receive under GDPR. The purpose of a TIA is to evaluate whether the legislation in the third country might prevent the non-EU Data importer of personal data from complying with GDPR requirements – especially regarding potential data access rights of intelligence agencies. A TIA requires a diligent assessment of all circumstances of the transfer in question, the laws and practices of the third country of destination and any relevant contractual, technical or organizational safeguards put in place.
Collection of Personal Information
When we act as a “Service Provider” (as defined in the CCPA) or a "Processor" (as defined in applicable US state privacy laws), we may process “Personal Information” or "Personal Data" on behalf of our customers or dataset providers. In such case, we will provide reasonable assistance to that customer or dataset provider as necessary to enable them to respond to your requests for the exercise of your privacy rights - you should therefore submit your request directly to the relevant customer or dataset provider.
"Personal Information" is defined as information as information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. We shall refer to such information as "Personal Information" throughout this Section.
In accordance with applicable US state privacy laws, Personal Information does not include:
Section 2 above (titled "The Types of Personal Data that We Collect") describes the types of Personal Information that we collect. We have collected within the last 12 months the following categories of Personal Information:
We may use, process and disclose de-identified or aggregated and other non-identifiable information including related to our business and our services for quality control, analytics, research, development and other purposes. Such information will not identify you individually.
Where we use, disclose or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal or household device) we will maintain and use the information in de-identified form and not to attempt to re-identify the information, except in order to determine whether our de-identification processes are reasonable and adequate pursuant to applicable privacy laws.
Sources of Personal Information
Section 3 above (titled "How do we obtain Your Personal Data") describes the sources of Personal Information that we collect.
Purposes of Processing Personal Information
Section 4 above (titled "Why do we Have Your Personal Data") describes the purposes of our use or processing of Personal Information.
Notwithstanding the purposes described above, we do not use or disclose of sensitive personal information beyond the purposes authorized by applicable law (including the CCPA). Accordingly, we only use and disclose sensitive personal information as reasonably necessary (i) to perform our services requested by you, (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents, (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct, (iv) to verify or maintain the quality and safety of our services, (v) for compliance with our legal obligations, and (vi) to our service providers who perform services on our behalf.
Disclosure of Personal Information
Section 5 above (titled "Sharing Your Personal Data") describes the categories of recipients with whom we disclose Personal Information.
Certain US state privacy laws (such as the CCPA) define a "sale" as disclosing or making available to a third-party personal information in exchange for monetary or other valuable consideration, and also define “sharing” broadly, including as disclosing or making available personal information to a third party for purposes of cross-context behavioral advertising.
As mentioned above, we are in most cases a Service Provider or a Processor to a business that has provided your Personal Information to us for processing. Accordingly, we do not “sell” or “share” (as defined by applicable laws) such Personal Information to any third party.
Where we determine the purposes and means of the processing that we perform, for example when you provide the information directly to us or on our website, we are a "Business" (as defined in the CCPA) or a "Controller" (as defined in applicable US state privacy laws). In such case, we may disclose certain identifiers and Internet and electronic network activity usage information to advertising and data analytics partners and social networks. We may do so for the purposes described in Section 4 above (titled "Why do we Have Your Personal Data"), including (i) to provide, analyse and improve our website, products, and other services and (ii) develop and manage our relationships with you and our business partners.
In this circumstance, we rely on such laws' marketing exemption allowing us to: (i) store marketing information on third party systems, provided applicable terms are in place with our service provider; (ii) provide opt-outs from marketing communications, as opposed to requiring an opt-in; and (iii) follow applicable cookie consents on our website.
We do not sell or share sensitive personal information, nor do we sell or share any Personal Information about individuals who we know are under sixteen (16) years old.
Do Not Track Browser Settings
California law requires us to let you know how we respond to web browser "Do Not Track" ("DNT") signals. Because there currently isn’t an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time. For more information on DNT signals, visit http://www.allaboutdnt.com.
11. Information Pertaining to Children
Our website and our service are not intended for users under the age of 13, and we do not knowingly collect personal information relating to children, as defined by the U.S. Children’s Online Privacy Protection Act (“COPPA“) in a manner that is not permitted by COPPA. If a parent or guardian learns that a child has provided us with personal information, that child’s parent or guardian should email us at email@example.com.
When you subscribe to our services, you trust us with certain personal data. We understand that it is essential we work hard to protect your personal data and provide you with the access you need to feel in control of your personal data you provide to us.
In accordance with the applicable data protection laws in the European Union, you have the following rights with respect to your personal data, depending on the circumstances:
You are not required to pay any charge for exercising your rights. If you do make a request, we will respond to you within one month. Please contact us by email at firstname.lastname@example.org.
Subject to certain limitations and exceptions under applicable law, verified residents in certain U.S. states (including California) may have, pursuant to applicable law, the following additional privacy rights with respect to their personal information:
Right to Know. You have the right to ask us to disclose to you (i) the categories of personal information that we collect, (ii) the categories of sources from which the personal information is collected, (iii) the business or commercial purpose for collecting, selling, or sharing personal information, (iv) the categories of third parties to whom we disclose personal information, and (v) a copy of the specific pieces of personal information we have collected about you.
California’s “Shine the Light” law (Civil Code Section § 1798.83) also permits California residents to request, once a year and free of charge, certain information regarding our disclosure of personal information to third parties for their direct marketing purposes in the preceding calendar year.
Please note that the rights described above are not absolute, and where an exception under applicable law applies, we may be entitled to refuse requests in whole or in part. You may exercise any of the above privacy rights by contacting us by email at email@example.com.
We will take steps to verify your request by matching the information provided by you with the information we have in our records. In particular, your request must:
Please note, in some cases, we may request additional information in order to verify your request or where necessary to process your request.
Authorized agents may initiate a request on behalf of another individual through one of the above methods; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
If you are resident in the European Economic Area or the United Kingdom our contact details are as follows:
via Arcivescovo Calabiana 6 Milano, 20139, Italy.
If you are resident anywhere other than the European Economic Area or the United Kingdom our contact details are as follows:
75 Varick Street - New York NY 10013
+1 212 725 3000
If you have any concerns about our use of your personal data, you can make a complaint to us by email at firstname.lastname@example.org or at:
For the attention of: Legal Team,
Fora, 35-41 Folgate Street,
You can also complain to the ICO if you are unhappy with how we have used your personal data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
We have set out below the Telmar Group Entities that we share personal data with in accordance with our intra-group data transfer agreement, further described in Section 9 above.
Helixa, Inc., a company incorporated in Delaware, with offices located at 75 Varick Street, 3rd Floor, New York, NY 10013.
Helixa SRL, a company incorporated in Italy, with offices located at via Arcivescovo Calabiana 6 Milano, 20139.
Telmar Group, Inc., a company incorporated in Delaware, with offices at 75 Varick Street, New York, NY 10013.
Telmar Information Services Corp., a company incorporated in New York, with offices at 75 Varick Street, New York, NY 10013.
Telmar HMS Limited, a company incorporated in Canada, with offices at 151 Yonge Street, Suite 1100, Toronto, Canada.
Telmar Europe Limited, a company incorporated in England and Wales, with offices at Fora, 35-41 Folgate Street, Spitalfields, London, E1 6BX.
Telmar Communications Limited, a company incorporated in England and Wales, with offices at Fora, 35-41 Folgate Street, Spitalfields, London, E1 6BX.
Telmar Peaktime SAS, a company incorporated in France, with offices at 15, place de la République, 3ème étage, 75003 Paris, France.
Telmar Peaktime B.V., a company incorporated in the Netherlands, with offices at Strawinskylaan 3051, 1077 ZX, in Amsterdam.
Telmar (Asia) Limited, a company incorporated in Hong Kong, with offices at Unit 46-106, 46/F, Lee Garden One, 33 Hysan Avenue, Causeway Bay, Hong Kong.
Telmar Software (Shanghai) Limited, a company incorporated in China, with offices at Unit Q-148, Room 501, 5/F, 700 Liyuan Road, Huangpu District, Shanghai, China.
Telmar Media Systems (Pty) Ltd, a company incorporated in South Africa, with offices at Building 26, 1st Floor, The Woodlands Office Park, Western Service Road, Woodmead, South Africa, 2196.