PRIVACY POLICY

We value your privacy and are committed to protecting your personal information. Therefore, we handle your personal data strictly in accordance with legal regulations, especially the General Data Protection Regulation (GDPR) and the country-specific data protection regulations applicable to XTENSOS SOLUTIONS (referred to as “XTENSOS”, “we”, “us”) and all its subsidiaries. Below, you can find detailed information about the scope and purpose of the collection, use, and processing of your personal data. We also inform you of the rights to which you are entitled.

1. SCOPE

This Privacy Policy applies to personal data. Personal data refers to any information related to an identified or identifiable natural person (“data subject”). An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. CONTROLLER AND CONTACT DETAILS

If you have any questions, concerns, or requests regarding your data privacy or should you wish to claim your rights in one of the named cases, please contact us:

dpo@xtensos.com

Controller for the purposes of the General Data Protection Regulation (GDPR), other data protection laws applicable in Member states of the European Union and other provisions related to data protection is:

XTENSOS SOLUTIONS Ltd.

Alexandra House
3 Ballsbridge Park
Ballsbridge, Dublin
D04 C7H2
Ireland

3. COOKIES

Our Internet page (https://xtensos.com) uses cookies. Cookies are pieces of information (small text files) stored in your computer system via an Internet browser.

Through the use of cookies, we can provide you with more user-friendly services on our website that would not be possible without the cookie setting. By means of a cookie, the information and offers on our website can be optimized with you as the end-user in mind.

You have the option to prevent the usage of non-essential cookies at any time by adjusting the settings in your internet browser and rejecting the use of these non-essential cookies in the pop-up window on our website, thereby denying their placement. Additionally, you can delete already set cookies at any time using your internet browser or other software programs. Please keep in mind that should you choose to disable cookie settings in your internet browser, some functions of our website may not be fully operational. We use a GDPR cookie consent plugin to ensure compliance with GDPR regulations.

4. COLLECTION OF GENERAL DATA AND INFORMATION VIA THE WEBSITE

Our website (https://xtensos.com) collects a series of general data and information when a user or automated system calls up the website. This general data and information are stored in the server log files. Collected may be

the browser types and versions used,
the operating system used by the accessing system,
the website from which an accessing system reaches our website (so-called referrers),
the sub-websites,
the date and time of access to the Internet site,
an Internet protocol address (IP address),
the Internet service provider of the accessing system, and
any other similar data and information that may be used in the event of attacks on our information technology systems.

When using these general data and information, XTENSOS does not draw any conclusions about the data subject. Rather, this information is needed to

deliver the content of our website correctly,
optimize the content of our website as well as its advertisement,
ensure the long-term viability of our information technology systems and website technology,
provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack.

We use anonymously collected data and information statistically to enhance the data protection and security of our enterprise and to ensure that the Services function properly. The anonymous data from the server log files are stored separately from all personal data provided by a data subject.

5. CONTACT POSSIBILITY VIA THE WEBISTE

Our website (https://xtensos.com) provides information for contacting us electronically, including our email address. You can also reach us via our online contact form by providing your personal data (name, email, phone number, location). When you contact us by email or through our contact form, any personal data you share is automatically stored. We keep this data, which you voluntarily provide, solely for the purpose of processing your inquiry or contacting you ‍as requested.

You may request information at any time about the personal data we store about you. Additionally, we will correct or erase your personal data upon your request, provided there are no statutory storage obligations. All our employees are available and trained to assist you with these matters.

6. COMMENTS FUNCTION IN THE BLOG ON THE WEBSITE

We offer users the possibility to leave individual comments on blog posts hosted on our website (https://xtensos.com/blog/).

Our blog is a web-based, publicly accessible portal through which one or more individuals post articles or share thoughts in so-called blog posts. They are open to comments from third parties.

When you leave a comment on the blog published on this website, the comments made along with information on the date of the commentary and the user’s (pseudonym), are stored and published. Additionally, the IP address assigned by the Internet service provider (ISP) to you is logged. This storage of the IP address is conducted for security reasons and in case the rights of third parties are violated or illegal or offensive content is posted through a comment. The collected personal data will not be disclosed to third parties unless such disclosure is required by law or serves the purpose of defending the data controller. We use the spam filtering service Aksimet which is designed to protect websites from unwanted or malicious comments. Akismet is GDPR compliant. You can find more information on how Akismet processes your personal data in its privacy policy: Privacy Policy – Akismet.

7. INTEGRATION OF SOCIAL NETWORKS

We build communities on social networks and adhere to their respective processes. If we use images or photos on our websites, prior consent must be given. Additionally, if voluntarily provided data is used by engaging with our content, it will be processed in accordance with the data privacy policies of the respective social networks. Tracking is performed when users click on links to our social media pages on our website. This tracking information is included under our cookies policy. Users have the option to disagree with this tracking by adjusting their cookie preferences

8. REGISTRATION ON THE XTENSOS PORTAL

The data subject has the possibility to register on the XTENSOS Portal (https://xtensos.plunet.com) with the indication of personal data. Which personal data is transmitted to the controller is determined by the respective input mask used for the registration.

The registration is used for two purposes:

Signing up new linguists and external resources to apply for work and manage projects as vendors for XTENSOS.

Signing up customers to manage their translation projects as agreed with XTENSOS.

The personal data entered by the data subject is collected and stored exclusively for internal use by us to conduct business transactions. The controller may request transfer to one or more processors (e.g. a payment provider) that also uses personal data for an internal purpose which is attributable to us.

By voluntarily providing your personal data as a customer or prospect during registration, you enable us to offer you content or services. For example, to process an order, we need your correct name, email, address, and payment data. We use your email address to send you requested offers, confirm orders, inform you about order progress, and communicate with you in general. Additionally, your email address is used for identification purposes (login).

By voluntarily providing your personal data as a vendor during registration, you enable us to consider you in our application process. Upon successfully contracting, your personal data (first name, last name, email address, and payment details) are necessary to assign you jobs and process your payments. Additionally, your email address is used for identification purposes (login).

For detailed information on data protection provisions related to the application and use of our XTENSOS Portal (Plunet) and our Payment Provider please refer to section 14 of this policy.

9. DATA PROTECTION FOR APPLICATIONS AND THE APPLICATION PROCESS

We collect and process your personal data when you apply for a position with us, specifically for the purpose of managing the application process. This processing may also occur electronically, especially if you submit your application documents via email, recruitment platforms or recruitment agencies. All our external recruitment providers are carefully selected by us, ensuring they adhere to European data protection standards and work in compliance with GDPR regulations.

If we enter into an employment or framework contract, the personal data provided will be stored to facilitate the employment relationship, ensuring compliance with legal requirements.

If we do not end up entering into such a contract all application documents will be automatically erased every six months after we notify of the refusal decision, unless we have other legitimate interests that oppose erasure. One such legitimate interest could be the need for proof in a case under the General Equal Treatment Act (AGG).

10. EXISTENCE OF PROFILING

As a responsible company, we do not collect data with the purpose of profiling people.

11. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After that period’s expiration, the corresponding data is routinely deleted, if it is no longer necessary for the fulfillment of the contract or the initiation of a contract or other legal obligations.

12. LEGAL BASIS FOR PROCESSING

12.1 CONSENT

Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose, such as signing up on our XTENSOS Portal, reaching out to us via our contact form, email, or another channel, or agreeing to the use of our cookies.

12.2 CONTRACT

When we need to use your personal data to fulfill a contract, such as delivering goods or providing services you requested, we do so under Article 6(1) lit. b of the GDPR. This also covers situations where we need to handle your data before a contract is finalized, like when you inquire about our products or services. The same rules apply to our business relationships with third party suppliers.

12.3 LEGAL OBLIGATIONS

If our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1) lit. c GDPR.

12.4 VITAL INTEREST

In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or of another natural person. This would be the case, for example, if a visitor were injured in our company and his name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third party. Then the processing would be based on Art. 6(1) lit. d GDPR.

12.5 LEGITIMATE INTEREST

Finally, we sometimes process data based on what is called “legitimate interest” under the GDPR (Article 6(1) lit. f). This means we may use your information to help us improve our services and understand your needs better, build mutually beneficial business relationships or for security reasons. We make sure to balance these uses with your rights and freedoms, ensuring your data is handled with care and respect. You can inquire about the personal data collected and exercise your right to be forgotten.

13. RIGHTS OF THE DATA SUBJECT

You can contact us at any time on dpo@xtensos.com should you wish to exercise one of the rights below.

13.1. RIGHT OF CONFIRMATION

You have the right to obtain confirmation as to whether personal data concerning you is being processed by us.

13.2. RIGHT OF ACCESS

You have the right to request free information about your stored personal data from us at any time and a copy of this information with access to the following information:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from us rectification or erasure of personal data, or restriction of processing of personal data concerning you, or to object to such processing;
the existence of the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.

Moreover, you have the right to know if your personal data is being transferred to a third country or international organization. In such instances, you also have the right to be informed about the safeguards concerning this transfer‍.

13.3. RIGHT TO RECTIFICATION

You have the right to request correction of any inaccurate personal data held by us without delay. Considering the purposes of the data processing, you also have the right to request completion of any incomplete personal data, which may include providing additional information.

13.4. RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN)

You can request the deletion of your personal data at any time provided that the processing is not necessary.

13.5. RIGHT OF RESTRICTION OF PROCESSING

You can request restriction of processing of your personal data under certain circumstances, including:

When you contest the accuracy of your personal data, allowing us time to verify its accuracy.
If the processing of your data is unlawful, and you oppose its erasure, instead requesting the restriction of its use.
When we no longer need your personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims.
If you have objected to processing under Article 21(1) of the GDPR, while we verify whether our legitimate grounds override your objections.

13.6. RIGHT TO DATA PORTABILITY

You have the right to receive your personal data from us in a structured, commonly used, and machine-readable format. You can then transmit this data to another company without hindrance from us, provided the processing is based on consent or a contract, and is carried out by automated means, except when necessary for tasks in the public interest or official authority. Additionally, you can have your data transferred directly from us to another data controller, where technically feasible and without affecting the rights of others.

13.7. RIGHT TO OBJECT

You can object to the processing of your personal data by us at any time including objection to profiling. Upon objection, we will cease processing your data, unless there is legitimate grounds or legal obligation necessitating continued processing.

13.8. AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING

You have the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, under the following conditions:

If the decision is not necessary for entering into or performing a contract between you and XTENSOS.
If the decision is not authorized by Union or Member State law, which also includes suitable measures to safeguard your rights, freedoms, and legitimate interests, or if it is not based on your explicit consent.

If the decision is necessary for entering into or performing a contract between you and XTENSOS, or if it is based on your explicit consent, we will implement suitable measures to safeguard your rights and freedoms, including the right to obtain human intervention from us, express your point of view, and contest the decision.

13.9. RIGHT TO WITHDRAW DATA PROTECTION CONSENT

You have the right to withdraw your consent to the processing of your personal data at any time.

14. EXTERNAL SERVICE PROVIDERS

We may employ third-party companies and individuals to perform our services in accordance with our customers’ requirements. When service providers process data on our behalf, they are carefully selected by XTENSOS, ensuring they adhere to European data protection standards and work in compliance with GDPR regulations. Below is a list of the main third parties we work with, the purpose and data categories processed and the data processing location.

Provider	Purpose & Data Categories Processed	Data Processing Location
Plunet GmbH	Translation project management system processing customer, vendor, payment, project data, and language assets to manage customer language projects as contractually agreed.	Germany
Phrase a.s.	Translation management system processing project data, language assets, and vendor data to facilitate language projects as contractually agreed with our customers.	Ireland (EU-West)
RWS Holdings plc (Trados GroupShare)	Collaborative translation management platform supporting our translation and localization projects by enabling collaboration among translators, managing language assets, project data and vendor data to provide our services as contractually agreed with our customers.	Germany
Microsoft Corporation (Microsoft Azure)	Used for various cloud services, including data storage, application hosting, and database management. This is essential to ensure the reliable and secure operation of our digital infrastructure and technology services that we offer to our customers.	Germany and EU-West
Microsoft Corporation (Microsoft 365)	Used for sending emails, for document and file processing, for calendar management, for managing online meetings, for collaboration and for data storage. This is essential for the efficient operation of our business and the provision of services to our customers.	European Economic Area (EEA)
Hubspot, Inc.	CRM system to manage interactions with customers and prospects. Hubspot processes contact data and communications to uphold effective business relationships. Customer data is processed to fulfill contractual obligations, while prospect data is processed based on consent or legitimate interest.	Germany
DocuSign Inc.	Used for online signature processes for documents and contracts with vendors, applicants, and customers. The processing of contact details and contract information is based on the legal grounds of entering into and fulfilling our contractual and legal obligations.	European Economic Area (EEA)
FINOM Payments BV / PNL Fintech BV	Payment providers for processing payments, managing billing information, and handling transactions securely as part of our business interactions with customers, vendors and employees following legal and contractual obligations.	Germany
WordPress	Used to manage our website content in order to present information to our users, maintain functionality, and facilitate user engagement through contact forms and blog comments. Personal contact data is provided voluntarily by users and processed with their consent, including the use of cookies.	European Economic Area (EEA)
Linguist (Vendor) Pool	We engage a pool of linguist to provide translation and localization services as contractually agreed with our customers. All vendors are bound by confidentiality clauses (NDAs), carefully vetted, and selected, trained, and operate within a strict environment on our systems to ensure compliance with GDPR regulations as outlined in this privacy policy.	European Economic Area (EEA)
Local Payroll Providers	We work with local payroll providers in the countries where our subsidiaries are located to efficiently run our business and to comply with legal and contractual obligations. These providers process personal payroll data in compliance with GDPR and other relevant data protection regulations, ensuring the security and confidentiality of your information.	European Economic Area (EEA)

Your personal data may also be shared with other recipients, such as government authorities or other entities, only when necessary and when there is a legitimate legal basis under GDPR.

For more information on the processing of your personal data, please visit the respective data privacy policies of the sub processors or contact us at dpo@xtensos.com. ‍

As of June 2024