Privacy & Personal Data Protection Policy


Version 1.5 updated 25th May 2023
 
At Global App Testing we believe in the importance of protecting your information and ensuring you have appropriate control over it. We've summarized the key points from our Privacy & Personal Data Policy ("Policy", "Privacy Policy"), but of course we suggest reading it in full.

Only those within our organization with the appropriate access level are able to view your information, and we restrict access on our end. Unless the Privacy Policy says otherwise, the vocabulary used in the Privacy Policy should be understood as it is used in the GDPR, the Data Protection Act 2018 (UK) or other common law regulations.

If you'd like to unsubscribe, access, amend or delete any information, please contact privacy@globalapptesting.com 

If at any time you are concerned or have questions about how we might be handling your data, please reach out to our Data Protection Officer at dpo@globalapptesting.com

If you do not accept and agree with our Privacy Policy, then you must not access or use the GAT environment or services.

 

General

SPA Worldwide LTD (Company Number: 07606704) trading as Global App Testing ("GAT", "We", "Us" and "Our") remains fully committed to the protection of your and your Users' privacy at all times. The information contained in Privacy Policy has been published to inform you of the way in which any Personal Data (as defined below) you provide us with or we collect from you will be used. Please read this information carefully in order to fully understand how we treat such Personal Data.


Please read Privacy Policy in conjunction with our terms and conditions assigned to a given type of products and services. When you access or use GAT, you agree to our Privacy Policy, and you consent to our collection, storage, use, and disclosure of your Personal Data for the purpose of making GAT and/or the Service available to you, in accordance with Privacy Policy. Any capitalized terms not defined in Privacy Policy shall have the same meanings given to them in terms and conditions.

We will collect, store, use and disclose Personal Data (Personal Information) in accordance with all applicable laws relating to the protection of Personal Data, including the EU Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679, the EU ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, UK Data Protection Act 2018, The California Consumer Privacy Act ("CCPA") / The California Privacy Rights Act (“CPRA”) as amended or superseded from time to time, and any national implementing legislation ("Data Protection Laws").

For the purpose of Data Protection Laws, in relation to any Personal Data you or any Users submit to our platform, you will be the data controller, and we will be a data processor of such Personal Data.

Privacy principles

We adhere to the principles relating to the processing of Privacy & Personal Data.

 

Lawfulness, fairness and transparency

We collect, process, and share Personal Data fairly and lawfully and for specified purposes. The law restricts our actions regarding Personal Data to specified lawful purposes. These restrictions are not intended to prevent processing, but ensure that we process Personal Data fairly and without adversely affecting the Data Subject.

We provide detailed, specific information to Data Subjects depending on whether the information was collected directly from Data Subjects or from elsewhere. 

We provide the Data Subject with all the information required by the law, including the identity of the Data Controller and Data Protection Officer, how and why we will use, process, disclose, protect and retain that Personal Data.

We check that the Personal Data was collected by the third party in accordance with the law and on the basis that contemplates our proposed processing of that Personal Data.


Purpose limitation

We collect Personal Data only for specified, explicit and legitimate purposes. 

We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes, and they have consented where necessary.


Data minimization

We collect Personal Data only for specified, explicit, and legitimate purposes. We do not further process in any manner incompatible with those purposes.

We do not use Personal Data for new, different, or incompatible purposes from that disclosed when it was first obtained unless you have informed the Data Subject of the new purposes, and they have Consented where necessary.


Accuracy

We ensure that Personal Data is accurate and, where necessary, kept up to date. We correct or delete it without delay when inaccurate.


Storage limitation

We store Personal Data only for specified, explicit, and legitimate purposes. It is not further processed in any manner incompatible with those purposes.


Integrity and confidentiality (security)

We secure Personal Data by appropriate technical and organizational methods or measures against unauthorized or unlawful processing and accidental loss, alteration, destruction, or damage.

Accountability

We implement appropriate technical and organizational methods or measures in an effective manner to ensure compliance with data protection principles, according to commonly accepted standards, laws, or internal regulations.

We are able to demonstrate compliance with the data protection principles. We recognize new laws and regulations and adapt our activities to changes in the context or broad-range framework or business environment.

We have adequate resources and controls in place to ensure and to document compliance with the law, including:

  • appointing a suitably qualified Data Protection Officer accountable for data privacy;
  • implementing Privacy by Design and Privacy by Default, and completing a data protection risk assessment as part of a Data Protection Impact Assessment (DPIA) where processing presents a high risk to the rights and freedoms of Data Subjects;
  • integrating data protection into the internal Information Security & Privacy Management System and documents;
  • regularly training our personnel on Privacy and Personal Data;
  • periodically testing the privacy measures implemented and conducting periodic reviews and audits to assess compliance, including using the results of testing to demonstrate compliance improvement effort.
  • We keep and maintain accurate records reflecting our processing, including records of Data Subjects' Consent and procedures for obtaining Consent. These records include, at a minimum, contact details of the Data Controller and the Data Protection Officer, descriptions of the Personal Data types, Data Subject types, Processing activities, Processing purposes, third-party recipients of the Personal Data, Personal Data storage locations, Personal Data transfers, the Personal Data's retention period and a description of the security measures in place.

We ensure that all personnel have undergone adequate training to enable them to comply with data privacy laws. We regularly test our systems and processes to assess compliance with all of the regulations.

We do not share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place. We share the Personal Data internally if the recipient has a job-related need to know the information.

 

Information Collection


Services

"Personal Data" means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

We may obtain and use the following Personal Data and Sensitive Data about you and anyone you choose to add to our platform:

  • Any correspondence we have with you and your Users should you or your Users contact us.
  • Data you or your Users provide when you fill out forms on our Website, including but not limited to data you provide when you register to become a user of the Service.
  • Data and information you or your Users submit or upload to GAT or the Service, including employee data (which may include, among other things, apps, beta versions of your apps, user information, etc.).
  • Details of transactions made by you through the Website.
  • Responses to optional research surveys we ask you or Users to complete.
  • Details of your or your Users' visits to our Website, which includes without limitation location and traffic data, weblogs, resources you access, and other communication data.
  • We may obtain Personal Data concerning our customers and prospects (contact and business details, our communications with such customers and prospects, correspondences, call and video recordings, transcriptions and analyses thereof, any needs, preferences, attributes and insights relevant to our potential engagement).

We do not intentionally collect data that is, by its nature, particularly sensitive (e.g., genetic data, biometric data, data revealing racial or ethnic origin, political opinions, sex life, sexual orientation, religion or other beliefs, data concerning health, criminal background or trade union membership). Responsibility for providing such data does not lie with GAT. The provision of such data by our partners and other third parties, or its processing in our services or infrastructure, is considered unintentional, and we exclude all legal liability.

You represent and warrant that you:

  • have the right to transfer Personal Data to us for the purpose of receiving the Service;
  • are solely responsible for obtaining all required consents, authorizations, and permissions from data subjects and third parties and providing all required notifications to such Users and third parties (where applicable) to enable you to provide such information to us and to grant to us the rights set forth in this Privacy Policy and terms and conditions;
  • comply, in processing, with the law and all standards and practices whose purpose is to protect the rights of the person adequately; and
  • will inform us of any abuse, mistake, or unlawful act of which you have been a witness or victim against the processing of Personal Data in a malicious manner.

It is your responsibility to ensure that all data subjects and third parties are aware of and accept the terms of Privacy Policy and that you have obtained explicit and informed consent of data subjects to our processing any of their Personal Data in accordance with this Policy and terms and conditions. You may not provide us with any Data or other information containing Personal Data of Users or third parties unless and until you have obtained all necessary consents, authorizations, and permissions to do so.

To process test services, you could obtain Testers' Personal Data and potentially Sensitive Personal Data. For processing Sensitive Personal Data, the data subject has to give you explicit consent to the processing of those Personal Data for one or more specified purposes. Regardless of the legal or factual relationship between two independent entities, GAT disclaims its liability for any non-compliance with standards, law, or GDPR resulting from a violation by independent entities. GAT reserves that it is not a participant in the relationship regarding the consent to the processing of sensitive data by either party. Nor shall it be liable for negligence, disclosures, or infringements even if they were caused by unintentional negligence in implementing GAT infrastructure security mechanisms, enabling the provision of data processing services. In this regard, you must carefully read our Policy, understand it, accept it, and follow the rules.

You agree to indemnify us for any claims made by any data subjects arising from any unauthorized access or accidental loss, damage, corruption, or disclosure of Client Data arising from or in connection with your and/or our use or disclosure of data. You are strongly required to have appropriate recognition, orientation, and knowledge of the law if your professional activities are related to the processing of Personal Data or Sensitive Data that may violate someone's rights, regulations, standards, good and reasonable practices, or personal/human rights. In case of any doubts or hesitations, you must contact us and clarify them.  

 

Website


Cookies and IP Addresses

We may obtain information about your and your Users' device, which includes your and your Users' public IP address, browser type, and operating system where available. This accumulation of data is used to assist system administration.

We may also collect information regarding your or your Users' browsing activity and interests through the use of a cookie file. This cookie file is stored on the hard drive of your or your Users' device and contains information that is transferred to your or your Users' computer's hard drive. We use the collection of this data to help us improve the experience of users on our Website and Service, and to deliver a more personalized service with more relevant content. The collection of this data allows us to:

  • store data indicative of your or your Users' preferences, allowing us to adjust our Website to appeal to your individual interests;
  • estimate the size and usage patterns of our audience;
  • record the details of any transactions carried out by you through our Website;
  • identify you or your Users upon your/their return to our Website; and/or
  • increase the speed of your or your Users' searches.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our Website and Service. They include, for example, cookies that enable you or your Users to log into secure areas of our Website or Service.
  • Analytical/performance cookies. They allow us to recognize and count the number of visitors and to see how visitors move around our Website and Service when they are using it. This helps us to improve the way our Website and Service works.
  • Functionality cookies. These are used to recognize you and your Users when you/they return to our Website. This enables us to personalize our content for you and your Users, greet you and your Users by name and remember your/their preferences.
  • Targeting cookies. These cookies record your and your Users' visit to our Website, the pages you and your Users have visited and the links you and your Users have followed. We will use this information to make our Website and the advertising displayed on it (if any) more relevant to your and your Users' interests. We may also share this information with third parties for this purpose.

You can find more information about some of the individual cookies we use and the purposes for which we use them below.

Examples of cookies used by the Service, listed by tool with their cookies and purposes:

We would like to inform you that any action using external services excludes GAT's liability for the violations and rights described in this Policy.

We use the services of many providers of data analysis solutions; below we indicate the most important ones.


HubSpot

We use HubSpot for marketing purposes, enabling us to tailor content and how we communicate with site visitors and subscribers. The cookies are used to collect information about how visitors use our site. This information is used to compile reports and help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. GAT may also collect Personally Identifiable Information when you use certain services, through the use of the Site or when you enter promotions or contests offered by GAT on and through the Site. For example, if you choose to register for a service, white paper, or subscribe to any of our newsletters, we are able to identify when you click through to our website and the pages you visit. This information is stored securely in HubSpot. For more information on HubSpot cookies, please review the HubSpot Privacy Policy.


Social Media And Advertising Cookies e.g. Facebook / LinkedIn / Twitter

We use Facebook and LinkedIn's 3rd-party audience data such as age, gender, and interests to better understand the behavior of our customers and work with companies that collect information about your online activities to provide advertising targeted to suit your interests and preferences. For example, you may see certain ads on this Website or other websites because we contract with Facebook and other similar companies to target our ads based on information they or we have collected, including information that was collected through automated means (such as cookies and web beacons). These companies also use automated technologies to collect information when you click on our ads, which helps track and manage the effectiveness of our marketing efforts.


Google Analytics / AdWords / Security

We use Google Analytics' / AdWords' 3rd-party audience data such as age, gender, and interests to better understand the behavior of our customers and work with companies that collect information about your online activities to provide advertising targeted to suit your interests and preferences. For example, you may see certain ads on this Website or other websites because we contract with Google and other similar companies to target our ads based on information they or we have collected, including information that was collected through automated means (such as cookies and web beacons). These companies also use automated technologies to collect information when you click on our ads, which helps track and manage the effectiveness of our marketing efforts.

You may opt-out of the automated collection of information by third-party ad networks for the purpose of delivering advertisements tailored to your interests, by visiting the consumer opt-out page for the Self-Regulatory Principles for Online Behavioral Advertising at http://www.aboutads.info/choices/ 

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies. You and your Users remain entitled to refuse cookies by adjusting your browser settings accordingly. Doing so, however, may restrict your and your Users' access to certain areas within our Website or Service. Unless you or your Users adjust your/their browser settings to refuse cookies, our system will issue cookies when you/they log on to our Website. 

We use the Google security service reCAPTCHA, which protects our Website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep automated software from engaging in abusive activities on our site. This Google security service is used under the Google privacy policy. You can read it here: https://policies.google.com/privacy?hl=en.


Auth0

We use the Auth0 service to authenticate users into the GAT Platform. See https://auth0.com/privacy


Hotjar

We use Hotjar to record users' live playbacks on our websites, e.g., recordings of each visit, including the clicks, mouse movements, U-turns, and rage clicks. 


Children

We care about the safety and privacy of children online. Our Website and services are not designed or directed at children. We do not intentionally collect any personal information from persons under 16 years of age. If we become aware that we have inadvertently received personal information from a user under the age of 16, we will delete the information from our records according to the law (e.g., GDPR, CCPA/CPRA, or Children's Online Privacy Protection Act of 1998 ("COPPA")). If any of the laws is more severe, we will comply with it.

 

Use of Information


Why we use information

The rules for the processing of Personal Data, protection of privacy and freedom for private persons are clear to us, known and communicated to all our employees. We use information for ethical and legitimate purposes, legal and responsible business conduct.


For what purposes we use Privacy Information (with regard to CCPA/CPRA) or Personal Data (with regard to GDPR)

The Personal Data we hold about you and your Users may be used in any of the following ways:

  • To provide you and your Users with the Service, including administration and management of your account.
  • To allow you to upload, store, and access Client Data.
  • To enable Users to access certain aspects of GAT and limited Client Data pertinent to themselves.
  • To provide you and Users with our service support.
  • To moderate your account.
  • To improve the quality of our user communication and support.
  • For research and analytics purposes (for example, to improve the quality of the Service).
  • To ensure security for you, the Users, our staff, and other users of the Service.
  • To comply with applicable Laws, court orders, government and law enforcement agencies' requests.
  • To provide you and Users with online personalized services and targeted advertising.
  • To send you further information about our services for which we think you may have an interest. This information will be supplied only where you have given consent.
  • To send you further information about our services based on a request we have received from you.
  • To fulfill the obligations we have in relation to any contracts we have in place with you (including, without limitation, terms and conditions).
  • To provide you with notification about any changes to the Service.


By using our services, you agree to the above processing. We will never supply your or your Users' Personal Data to third parties unless under the conditions stated beneath this section of our Privacy Policy. Notwithstanding the foregoing, you acknowledge and agree that we may aggregate and anonymize your and your Users' Personal Data, and use and share such aggregated and anonymized Personal Data with third parties for statistical purposes and for the purpose of data analytics, product development, and/or Service improvement.

We may also use your Personal Data to protect against and prevent fraud, claims, and other liabilities and to comply with or enforce applicable legal requirements, industry standards, and our policies and terms. We use Personal Data for these purposes when it is necessary to protect, exercise, or defend our legal rights, or when we are required to do so by applicable law.


Storing Information

The Personal Data we obtain from you and your Users (including, without limitation, Client Data) may be moved to and stored at a destination within the European Economic Area ("EEA") and according to point 13 of Privacy Policy could be processed outside EEA, especially in the UK depending on the purpose of processing.

Staff members operating in the UK and within the EEA who work for or on behalf of us may process this information. Such staff members may, among other things, be involved in the processing of payment details, the provision of support services, and the delivery of your and your Users' request(s) for us to provide the Service.

Without limiting the foregoing, you agree that Personal Data we obtain from you and your Users (including, without limitation, Client Data) may be processed by our service providers based in countries outside of the EEA, especially in the UK for the purposes of providing you with the Service. Such countries may not have laws offering the same level of protection for Personal Data as those inside the EEA.

We store the Personal Data you and your Users provide us with on our secure servers. In the event of us giving you or your Users (or you/they choosing) a password that grants you/them access to specific areas within our Website or Service, it remains your/their responsibility to maintain the confidentiality of this password. This includes the obligation to refrain from sharing your/their password with other parties. As the transmission of data via the Internet cannot be assumed completely secure, we cannot guarantee the security of any of your or your Users' data transmitted to our Website or Service; you are therefore responsible for any risk associated with such transmission. We will however at all times take all reasonable steps to ensure the transmission of your and your Users' data is executed as securely as possible, and upon receipt of your/their data, we will continue at all times to enforce strict security procedures and features in an attempt to prevent any unauthorized access. 


Data Retention

We process your Personal Data for the least amount of time necessary to our business and service needs, contractual requirements, in accordance with our data retention policies and applicable law. We do not collect more Personal Data than is necessary to fulfil our obligations to you or at law or for purposes stated in Privacy Policy.


Information Sharing and Disclosure

Disclosure of your and your Users' Personal Data (including, without limitation, Client Data) to third parties will only occur in any of the following events:

  • If we sell or purchase any business or assets. In such a case, we may authorize the disclosure of your Personal Data to prospective sellers or buyers of such business or assets.
  • All or the substantial majority of our assets are sold to a third party. In such a case, your Personal Data may be one of the transferred assets.
  • We are required to disclose your or your Users' Personal Data in order to fulfil any legal obligation, to enforce our terms and conditions, or to protect the property, rights, or safety of GAT, users of our services, or others. In such a case, information may be exchanged with third-party companies or organizations in order to prevent fraud or reduce credit risk.

You acknowledge and agree that we may also disclose Personal Data (including, without limitation, Client Data) with: 

  • our service providers involved in the provision, distribution, delivery, and support of the Service, including the storage of any Client Data;
  • fraud prevention agencies;
  • law enforcement agencies, regulators, courts and public authorities; and
  • emergency services.

Our service providers have to follow our express instructions when processing the Personal Data you or your Users provide and must have in place appropriate technical and organizational security measures to safeguard such Personal Data, and we do not allow them to use this information for their own commercial purposes.

If we do not process your Personal Data in accordance with our legitimate interest or based on a contractual obligation we have with you, we may share or disclose your Personal Data if you provide us with your affirmative consent.


Privacy Practices of Third Parties

We share the Personal Data we hold with third parties, according to our internal Supplier Security Policy and supplier security and privacy risk assessment, such as our service providers if:

  • they have a need to know the information for the purposes of providing the contracted services;
  • sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject's Consent has been obtained;
  • the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;
  • the transfer complies with any applicable cross border transfer restrictions;
  • the transfer complies with any law regulations or restrictions, especially for the authorized bodies or regulators;
  • a fully executed written contract that contains the law approved third party clauses has been obtained.


Your Rights


The right to be informed

You have a right to know about how we're processing your Personal Data. Anything you should know is contained in the Privacy Policy. You may also email us at dpo@globalapptesting.com to request additional information about how we're processing your Personal Data.

 

The right of access

You may email us at dpo@globalapptesting.com to request a copy of the Personal Data we currently store.

The right to rectification

You can correct the Personal Data we currently hold by emailing us at dpo@globalapptesting.com to request that we correct or rectify any Personal Data that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.


The right to erasure

If you should wish to cease use of our services and have your Personal Data deleted, then you may submit a request by emailing us at dpo@globalapptesting.com. Upon receipt of such a request for erasure, we will confirm receipt and will confirm once your Personal Data has been deleted.  Where applicable, we will ensure such changes are shared with trusted third parties. 


The right to restrict processing

When applicable, you may restrict the processing of your Personal Data by submitting a request via email to dpo@globalapptesting.com. In your email, please explain how you wish us to restrict the processing of your Personal Data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, including withdrawing your consent to the processing of your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.

The right to data portability

Upon request and when possible, we can provide you with copies of your Personal Data. You may submit a request via email to dpo@globalapptesting.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, including withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.

The right to object

When applicable, you have the right to object to the processing of your Personal Data by submitting a request via email to dpo@globalapptesting.com. When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, including withdrawing your consent to the processing of your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.


The right to consent

At any time, you may withdraw your consent to our processing of your Personal Data through our Websites by notifying us via email at dpo@globalapptesting.com. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your Personal Data. Where applicable, we will ensure such changes are shared with trusted third parties.


Rights in relation to automated decision making and profiling

Profiling is any form of automated processing of Personal Data consisting of the use of Personal Data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Profiling and automated decision-making can pose significant risks for individuals' rights and freedoms, which require appropriate safeguards. Profiling and automated individual decision-making are also covered by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. GAT does not currently use profiling mechanisms. GAT is not responsible for profiling data obtained from GAT into a legal manner and consent to Privacy Policy. We do not use your Personal Data for automated decision-making and profiling in accordance with GDPR Article 22 (automated individual decision-making, including profiling, with legal or similarly significant effects).

Exercising my right

You can exercise any of your rights by contacting us via email at dpo@globalapptesting.com.

We may need to request specific information from you to reasonably confirm your identity and verify you are the person the Personal Data belongs to. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request and to exercise your rights.

 

Fees

You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

 

Accountability and governance


Contracts

Whenever we use a processor, there must be a written contract in place. If a processor uses another organization (i.e., a sub-processor) to assist in its processing of Personal Data for a controller, it needs to have a written contract in place with that sub-processor.

What we set up in the contract:

  • the subject matter of the processing;
  • the duration of the processing;
  • the nature and purpose of the processing;
  • the type of Personal Data involved;
  • the categories of the data subject;
  • the controller's obligations and rights;
  • the privacy & security requirements;
  • the right to audit (if applicable).

 

Documentation

What is our documentation of processing activities:

  • we document all the applicable information under Article 30(1) of the GDPR;
  • we record all the applicable information under Article 30(2) of the GDPR.

If we process a special category we document:

  • the condition for processing we rely on in the Data Protection Act 2018;
  • the lawful basis for our processing; 
  • whether we retain and erase the Personal Data in accordance with our internal documentation.

When preparing to document our processing activities we:

  • undertake information audits to find out what Personal Data our organization holds;
  • distribute questionnaires and talk to staff across the organization to get a complete picture of our processing activities; 
  • review our policies, procedures, contracts, and agreements to address areas such as retention, security, and data sharing.

As part of our record of processing activities we document, or link to documentation, on:

  • information required for privacy notices;
  • records of consent;
  • controller-processor contracts;
  • the location of Personal Data;
  • Information Security & Privacy Policies and Procedures;
  • Information & Privacy Risk Assessment;
  • Data Protection Impact Assessment; 
  • privacy & information security audit reports;
  • records of Personal Data breaches.

We document our processing activities in a granular way with important links between the different pieces of information.

We conduct regular reviews of the Personal Data we process and update our documentation accordingly.

We document our processing activities in writing and electronic form so we can add, remove, and amend information easily.

We share the results of processing your data, but we do not provide the above documents. 


Data protection and privacy “by design” and “by default”

We consider data protection issues as part of the design and implementation of systems, services, products, and business practices.

We make data protection an essential component of the core functionality of our processing systems and services.

We anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.

We only process the Personal Data that we need for our purpose(s) and we only use the data for those purposes.

We ensure that Personal Data is automatically protected in any of our IT systems, Services, products, and/or business practices so that individuals should not have to take any specific action to protect their privacy.

We provide contact information of those responsible for data protection both within our organization and to individuals.

We offer strong privacy defaults and controls.

We only use data processors that provide sufficient guarantees of their technical and organizational measures for data protection by design.

When we use other systems, services, or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.


Data protection risk & impact assessment

Our information security & privacy risk assessment and Data Protection Impact Assessments (DPIA) process is based on international standards and best practices.


Data protection officers

Upon request and when possible, we can provide you with copies of your Personal Data. You may submit a request via email to dpo@globalapptesting.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Privacy Policy, including withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.

The right to object

We have appointed a Data Protection Officer (DPO) based on their professional qualities and expert knowledge of data protection law and practices.

Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks.

We involve our DPO, in a timely manner, in all issues relating to the protection of Personal Data.

We ensure that any other tasks or duties we assign our DPO do not result in a conflict of interest with their role as a DPO.

Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits.

We take account of our DPO's advice and the information they provide on our data protection obligations.

When carrying out a DPIA, we seek the advice of our DPO, who also monitors the process.

When performing their tasks, our DPO has due regard to the risk associated with processing operations and takes into account the nature, scope, context, and purposes of the processing.

Our DPO is easily accessible as a single point of contact for our employees, individuals, partners, contractors, third parties and the regulator. 

Security

We develop, implement and maintain an Information Security & Privacy Management System aligned with ISO 27001 standards and safeguards appropriate to our size, scope, and business, our available resources, the amount of Personal Data that we own or maintain on behalf of others and identified risks (including use of encryption and Anonymization where applicable). We regularly evaluate and test the effectiveness of those safeguards to ensure the security of our processing of Personal Data. We exercise particular care in protecting Sensitive Personal Data from loss and unauthorized access, use, or disclosure.

We maintain data security by protecting the confidentiality, integrity, and availability of the Personal Data, defined as follows:

  • Confidentiality means that only people who have a need to know and are authorized to use the Personal Data can access it.
  • Integrity means that Personal Data is accurate and suitable for the purpose for which it is processed.
  • Availability means that authorized users are able to access the Personal Data when they need it for authorized purposes.

We comply with and do not attempt to circumvent the administrative, physical, and technical safeguards we implement and maintain in accordance with the law and relevant standards to protect Personal Data.


Incident response and breach reporting

We have put in place procedures to deal with any suspected security incident and Personal Data Breach and will notify Data Subjects or any applicable regulator where we are legally required to do so.

If you know or suspect that a security incident or Personal Data Breach has occurred, immediately contact us via email at security@globalapptesting.com. You should preserve all evidence relating to the potential security incident and Personal Data Breach.


International Transfers of Personal Information

Information we collect from you will be processed mainly in the EEA and the UK, but could be processed outside the EEA and the UK, depending on the purpose of processing. Whenever Personal Data is transferred outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission. 
You can check how the EU determines if a non-EU country has an appropriate level of data protection by clicking the link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en .

To the extent permitted by applicable data protection laws, Personal Data may be transferred between various locations of GAT insofar as reasonably necessary for the purposes set out in this Privacy Policy and within the scope of legitimate interest of GAT. In any case, they are processed under the terms of Standard contractual clauses and Internal corporate rules adopted by all companies of GAT. 

If Personal Data is transferred outside the EU for doing business by GAT in other law jurisdictions, then EU law and the law of the relevant jurisdiction apply jointly. If they are divergent, the more stringent rules are used.

We’re using minor IT SaaS services located in the US to support our business. Also in exceptional situations (breakdowns, interruption of continuity), we can use servers located in the US as an alternative and backup solution. Our partners in the US are obliged to ensure the highest standards of security of the processed data.


Links to Other Sites

We may, at times, provide links on our Website to third party websites, including without limitation those owned or managed by our partner networks, affiliates, or advertisers. These websites have separate privacy policies, and we, therefore, cannot accept any responsibility for the content. As such, choosing to follow these links is a choice you make at your own risk, and we advise that you check these websites' individual privacy policies before submitting any Personal Data.


California Residents – The Privacy Rights (CCPA/CPRA Privacy Notice)

This section describes how we collect, use, and share Personal Information of users that are California residents in connection with our services in our capacity as a “business” under the California Consumer Privacy Act (“CCPA”) / The California Privacy Rights Act (“CPRA”) and their rights with respect to that Personal Information. For purposes of this section, the term “Personal Information” has the meaning given in the CCPA/CPRA but does not include information exempted from the scope of the CCPA/CPRA. This section only applies to California residents. The rights discussed in this section do not extend to individuals who are not California residents. 


Right to Know/Right to Access General Collection and Use of Personal Information

If you are a California resident, you have the right to request that we disclose what information we have collected, used, disclosed, or sold over the past 12 months. Once we receive and confirm your verifiable request, we will disclose to you, based on your specific request:

  • The categories of personal information we collected about you over the past 12 months.
  • The specific pieces of personal information we have collected about you over the past 12 months.
  • The categories of sources from which the personal information is collected over the past 12 months.
  • The business or commercial purpose for collecting or selling that personal information over the past 12 months.
  • The categories of third parties with whom we shared your personal information over the past 12 months.

If we disclosed your personal information for a business purpose, the personal information categories that each category of recipients obtained. If we sell your personal information for a business purpose, the personal information categories that each category of recipients purchased.


Do Not Sell My Personal Information - Exercising Your Right to Opt-Out of Sale of Personal Information

If you are a California resident and are 16 years old or more, you have the right to direct businesses that sell personal information to not sell your personal information.

For California residents to exercise the right to opt-out if we engage in selling your personal information, you or your authorized agent may submit a request via email to ccpa@globalapptesting.com or by clicking the link: "Do Not Sell Or Share My Personal Information".

We will act upon your request to opt-out within 30 (thirty) days of receiving the request. We will instruct the third parties to whom the information has been sold in the 30 days prior to your request not to further sell the information, and we will notify you when this instruction has been completed.

We will not act upon a request from authorized agents if the agent does not submit proof that the agent has been authorized by you to act on your behalf. We will not act upon a request if we believe it is fraudulent. 

How We Verify California Residents' Requests to Know/Requests for Access and Requests for Deletion

We will not respond to requests to know/requests for access or requests for deletion unless we can verify your identity to a reasonable degree of certainty. To verify your identity, when feasible, we will use information about you that we already have; however, we may need to request additional information, which we will use only for the purposes of verification. We may also use a third-party identity verification service. The information we need to verify your request will depend on the nature and scope of your request. Upon receipt of your request, we will notify you if we need additional information from you to verify your request.

Right to Opt-In to Sales of Personal Information for Minors Under 16

We do not intentionally process personal information of children under 16 years old.

Exercising your right to limit the use of your Sensitive Personal Information. 

You can request to limit the use of your Sensitive Personal Information here: Limit The Use Of My Sensitive Personal Information. 

 

Right to Non-Discrimination

You are entitled to exercise the rights described above free from discriminatory treatment as prohibited by the CCPA/CPRA. Specifically, if you exercise your rights under the CCPA/CPRA, we will not deny you goods or services, charge you different prices or rates, provide you with a different level of service or quality of goods or services, or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, except as permitted by the CCPA/CPRA.

Exercising Your Right to Know

If you are a California resident, you can exercise the right to know/right to access information. You or your authorized agent may submit a verifiable request via email to ccpa@globalapptesting.com.

You may only make a verifiable request to know or request for access twice within a 12-month period. The verifiable request must include information that allows us to reasonably verify you are the person about whom we collect personal information or an authorized representative and describe your request in enough detail that we can properly understand, evaluate, and respond to it.

If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. We will not disclose information to you if we cannot verify your identity.

You will not have to pay a fee to access your Personal Data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.


Exercising Your Right to Request Deletion

If you are a California resident, you can exercise the right to request deletion. You or your authorized agent may submit a verifiable request via email to ccpa@globalapptesting.com.

If we are able to verify your request, we will make our best effort to respond within forty-five (45) days of our receipt of your request. If we require more time (up to 45 additional days), we will inform you of the reason and extension period in writing. In our response, we will specify the manner in which we have deleted your personal information. We will not delete information if we cannot verify your identity.

 

Verification of your Requests; Authorized Agents. 

We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. We will need to verify your identity to process your information, access and deletion requests and reserve the right to confirm your California residency. To verify your identity, you will need to provide us with the following information about you: Full name, e-mail and links to social media handles. Depending on the nature and scope of your request, we may also need to request additional information from you, which we will use only for the purposes of verification. Upon receipt of your request, we will notify you if we need additional information from you to verify your request. We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide the information we request to verify your identity and provide us with confirmation that you have given the authorized agent permission to submit the request.

Personal information that we collect, use and disclose. 

The chart below summarizes the Personal Information we collect by reference to the categories of Personal Information specified in the CCPA (Cal. Civ. Code §1798.140) and describes our practices currently and during the 12 months preceding the effective date of this User Privacy Policy. The terms in the chart refer to the categories of information, sources, purposes and third parties described above in this User Privacy Policy in more detail. Information you voluntarily provide to us, such as in the content of your posts, content from chats you engage in with our customers or others, or data input into free-form webforms, may contain other categories of personal information not described below.

Statutory category: Identifiers

  • Personal information we collect in this category: Identification data; Contact details
  • Source of PI: You; Third-party sources
  • Business/commercial purpose for collection: Service delivery; Compliance & protection; With your consent
  • Categories of third parties to whom we “disclose” PI for a business purpose: Service providers; Professional advisors; Authorities and others; Business transferees; Others, with your consent or at your direction
  • Categories of third parties to whom we “sell” PI: (no entry)

Statutory category: California Customer Records (as defined in California Civil Code §1798.80)

  • Personal information we collect in this category: Identification data; Professional contact data; Audio & Video calls records
  • Source of PI: You; Third-party sources
  • Business/commercial purpose for collection: Service delivery; Compliance & protection; With your consent
  • Categories of third parties to whom we “disclose” PI for a business purpose: Service providers; Professional advisors; Authorities and others; Business transferees; Others, with your consent or at your direction
  • Categories of third parties to whom we “sell” PI: (no entry)

Statutory category: Internet or other similar network activity

  • Personal information we collect in this category: Information on a consumer’s interaction with a website, application, or advertisement
  • Source of PI: You; Third-party sources
  • Business/commercial purpose for collection: Service delivery; Compliance & protection; With your consent
  • Categories of third parties to whom we “disclose” PI for a business purpose: Service providers; Professional advisors; Authorities and others; Business transferees; Others, with your consent or at your direction
  • Categories of third parties to whom we “sell” PI: (no entry)

 

Your California privacy rights. 

Under California’s Shine the Light law (California Civil Code Section 1798.83), California residents may ask companies with whom they have formed a business relationship primarily for personal, family or household purposes to provide the names of third parties to which they have disclosed certain personal information (as defined under the Shine the Light law) during the preceding calendar year for their own direct marketing purposes and the categories of personal information disclosed. You may submit requests to exercise your right to information, access or deletion by calling us toll free at +1 855 905 5918, or via email to ccpa@globalapptesting.com. In your request, you must include the statement “Shine the Light Request,” and provide your first and last name and mailing address and certify that you are a California resident. We reserve the right to require additional information to confirm your identity and California residency. Please note that we will not accept requests via telephone, mail, or facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

 

UK Data Protection Act

Our company is subject to the EU's GDPR and the Data Protection Act 2018 (UK) and is compliant with those laws, and with the rules, standards and guidelines issued by the Information Commissioner's Office (ICO), the European Data Protection Board (EDPB) and the local personal data protection supervisory authority.

 

EU representative 

Our subsidiary in the EU (GAT HUB SRL, company number J12/4395/2016, C.U.I.: RO36846338, address: P-ța. Unirii nr. 4-5, et. 1, ap. 7, Cluj-Napoca, Cluj, Romania) is responsible for contacting the personal data protection supervisory authority in any matter regarding the protection of personal data in accordance with the GDPR.

 

Periodic review, changes to this Policy or procedures related to the Policy

We conduct periodic reviews, not less than every 12 months, of the Policy, Information Security & Privacy System Management, and documentation. Review is mandatory after changes to the nature, scope, context, or purposes of the processing of Personal Data. In all aspects of this Policy, the reviewer must demonstrate independence, knowledge, and experience in Personal Data protection.

We update the Policy every 12 months and whenever there are any material changes to the nature, scope, context, or purposes of the processing.

If at any time we make a change to this Policy, we will update this page to reflect such change. If we make material changes to how we treat your Personal Data, we will notify you by email. Through a notice on this page, however, we recommend you review this page periodically to ensure you remain happy with the latest version.

The date the Policy was last revised is identified at the top of the page. You are responsible for ensuring we have an up-to-date active and deliverable email address for you.

 

Contact Us

We welcome any questions or comments in relation to this Privacy Policy, and advise you to send any such communication to privacy@globalapptesting.com or dpo@globalapptesting.com.