This Privacy Policy (“Policy”) addresses the natural persons whose Personal Data may be received or otherwise processed by Business Management Systems, Inc. (“BMS”, “we”, “us”, or “our”) in our cloud-based employee scheduling software solution, Snap Schedule 365. With respect to the Personal Data processed in Snap Schedule 365 software-as-a-service (“Services”), we act as a data processor and the organization or the natural person who subscribes to use the Services (“Account Owner”) is the data controller in the scope of Europe’s General Data Protection Regulation (GDPR).
This Policy does not apply to our publicly accessible websites, such as www.snapschedule.com or www.snapschedule365.com, BMS employees, or to any personal data we collect outside of the Services.
1 Personal Data and How We Use It
Personal Data means any information that identifies, or can be used to identify an individual that is stored, processed, or transmitted in connection with, or as a result of, providing the Services or as otherwise meeting the definition of “personal data” as defined in Article 4 of the GDPR or specified in applicable state or federal Privacy/Data Protection Laws.
1.1 Data Subjects and Types of Personal Data
The Services process Personal Data of any individual in the Account Owner’s organization accessing and/or using the Services through a Snap Schedule 365 account to schedule employees (“Users” or “Schedulers”); and any member of the Account Owner’s workforce: (i) whose information is stored on or submitted via the Services, or (ii) to whom Schedulers schedule, engage, or communicate with via the Services (collectively, “Employees”). The Service is a closed system and only Users and Employees can access and use the Services.
Generally, Snap Schedule 365 is designed to process basic contact information of Employees (such as name, email, and phone number), photographic images (such as profile pictures), position, skills and certifications, location data, and data that pertain to an Employee’s schedule and attendance. It also provides user-customizable data fields, which can be configured to collect and store any type of Personal Data that a User decides to store. Users can enter the data using the Snap Schedule 365 apps. The data is used by Users of the Services to schedule Employees, track attendance, manage leave and time off, and generate reports. Snap Schedule 365 has no responsibility over any information that a User stores through a user-customizable data field.
1.2 Cookies and Other Tracking Technologies
The Services use cookies. Cookies are small text files that the Services send to your computer or Internet-connected device to store information or settings in your browser to make interactions with the Services easy and meaningful. Some of these cookies enable the Services to remember data you have entered or choices you have made and to recognize you, as you move from one page to another within the application. Each time you log into the Services, a cookie containing a unique identifier that is tied to your account is placed on your computer. These cookies allow us to uniquely identify you when you are logged into the Services and enable us to provide you with the best user experience. Since cookies are essential to the operation of the Services, you cannot opt out of these cookies without compromising the intended functionality of the Services.
Scripts helps us collect and store information locally on your device using mechanisms such as browser web storage (including HTML 5) and application data caches to provide you a customized experience. Like cookies, scripts cannot be disabled without compromising the intended functionality of the Services.
Like most online applications, our servers automatically create server logs to record the page requests made when you visit our sites. These server logs typically include your web request, Internet Protocol (IP) address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser. When you log in to use the Services, we may collect and use IP addresses as part of the identity confirmation process and security features.
1.3 Third Party Cookies
The Services use analysis cookies that collect data about how people use our web applications, including which pages are visited most often, how fast they load, and other statistical information. These cookies do not collect data that individually identifies a visitor, aside from an IP address. These cookies collect data which is only used to tell us how the Services are used, so that we can optimize the user experience.
2 Lawful Basis of Processing
If you are an Account Owner, we process your Personal Data based on your consent, and based on the need to perform the obligations of our contract for the Services with you. If you are a member of the Account Owner’s workforce, or if you use the Services or an Account Holder submits your Personal Data to the Services, we will process such Personal Data based on the documented instructions of the Account Holder – the data controller.
3 Purpose of Processing
We collect and use Personal Data for the purposes of providing the Services to our Account Holders and their workforce, processing Personal Data on behalf of our Account Holders, providing information on the Services to Account Holders’ workforce, improving the Services, and conducting related tasks for legitimate business purposes.
4 Sharing of Personal Data with Third Parties
We share Personal Data with our subprocessors who are authorized by the Account Owners to further process such Personal Data on our behalf, per our instructions. We require our subprocessors to maintain at least the same level of data protection, security, and confidentiality that we maintain for such Personal Data. Such data subprocessors include:
- cloud computing platform, hosting, and storage service provider;
- voice and short text service provider; and
- email service providers.
We may be compelled to disclose your Personal Data when required by law, such as in response to a subpoena, judicial proceeding, court order, or legal process by law enforcement agencies and courts in the United States and other countries where we operate. We also reserve the right to use or disclose information if we reasonably believe that use or disclosure is necessary to affect the sale or transfer of business assets, to enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions.
5 Data Protection and Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing such as unauthorized access, disclosure, alteration, or destruction. To help protect against the threat of malicious activity, we use data encryption of the database, associated backups, and data “at rest”.
6 Data Retention
We will retain Personal Data we process on behalf of Account Owners for as long as needed to provide the Services or to comply with our legal obligations, resolve disputes, prevent abuse, and enforce our agreements. Note that we keep backup copies of our databases for a limited period of time as part of our disaster recovery/business continuity plans, and it may not be reasonably possible for us to delete data from such backups.
7 Access to Your Personal Data
Account Owners can log into their accounts at any time to access and update their User’s or organization record.
If you are a natural person whose Personal Data was submitted to the Services by a User or an Account Owner, you may have a right to request access to, and the opportunity to update, correct, or delete, such Personal Data. To submit such requests or raise any other questions, you must contact the User and/or Account Owner who provided your Personal Data to us.
8 Privacy of Children and Children Online Privacy Protection Act
The Services are not directed at, or intended for use by, children under the age of 13. If you believe that Personal Data pertaining to your under-13-year-old child has been submitted to the Services, and you would like to exercise your rights with regards to such Personal Data, please contact the User or Account Holder who provided the Personal Data to us.
9 Changes to This Policy
We may update this Policy from time to time by posting a new version on our website. When we make a material change to the Policy, we will update the Last Updated date to reflect the effective date of the most recent version of the Policy.
10 How to Contact Us
If you have any questions or comments about our privacy practices or this Privacy Statement, please reach us online at Privacy@SnapSchedule.com or via postal mail to:
Business Management Systems, Inc.
PO Box 17188
Anaheim, CA 92807 USA.
We will respond to your inquiry within four weeks of receipt.
Effective Date: 05/25/2018