Privacy is important

---

Scan4People takes privacy and GDPR questions very seriously. This is why we have all aspects of our application reviewed by a leading  Legal Counsel in EU GDPR  law with  IAPP Certification in Data Privacy (GDPR). Our solution is fully compliant with EU privacy law. There are three distinct users of the application:

1. The people who sign up to the conference/trade show and receive a beacon. We call this user "Beacon user".
2. The people how using the Scan4People app at the conference/trade show. We call this user a "Scanning user". (This user may also be a "Beacon holder" at the same time. )
3. The Admin of the Scan4People working at the conference/trade show. We call with user an "Admin user."

The Scan4People app   may process a combination the following for the "Beacon user":

• Information about you that comes from the registration at the event – for example first and last name, nationality, company you work for, role at company, interest at the conference, type of company, picture. 
• We do not collect or distribute any email or telephone number.
•  All this data will be deleted within 1 week after the conference has been completed. 
• We will not share any of this data to anyone outside of the conference/trade show. 
• It is not mandatory to register or carry the beacon. A visitor to the conference/ trade show may chose to return the beacon at any point during the event. 

The Scan4People app   may process a combination the following for the "Scanning user":

• Information about you that comes from the registration at the event – for example first and last name, nationality, company you work for, role at company, interest at the conference, type of company, picture. 
• Contact information – in some cases, for example, we may receive your email, address, or phone number.
• You will be assigned a password to access the application. 
• Online information – for example cookies and IP address, location (your computer’s internet address), if you use our websites. 
•  All this data will be deleted within 1 week after the conference has been completed. 
• We will not share any of this data to anyone outside of the conference/trade show. 
• Your personal notes made in the application will be sent to you via email at the end of the event and thereafter deleted. 

The Scan4People app   may process a combination the following for the "Admin user":

• Contact information – in some cases, for example, we may receive your email, address, or phone number.
• You will be assigned a password to access the application. 
• Online information – for example cookies and IP address, location (your computer’s internet address), if you use our websites. 
•  All this data will be deleted within 1 week after the conference has been completed. 
• We will not share any of this data to anyone outside of the conference/trade show. 
• Contractual information – for example details about the privacy policy you assign in the application, terms and conditions with Scan4People. 

Why do we use this data: 

We use your personal data primarily only to the extent that it is necessary for the purposes of conducting our business, and only for the purpose for which it was originally collected and any other permissible, related purpose. We may use your personal data for a number of reasons:

• Providing our services and fulfilling our contractual obligations to clients and other third parties
• Conducting data analysis, which helps improve our services
• Assessing, improving and developing our services
• Fulfilling legal or regulatory obligations and protecting the data from leaking to third party. 

Scan4People adheres to the principle of purpose limitation and only processes data for purposes related to those specified when personal data were collected. Processing for secondary purposes only takes place where we have a legal basis such as the consent of the data subject. To assess our adherence to this principle Scan4People considers the relationship between the purposes for which the data have been collected and the purposes of further processing, the context in which the data have been collected, the reasonable expectations of the data subjects, the nature of the data and the impact of the further processing on the data subjects in full compliance with current GDPR law. 

Our employees have access to and process personal data based upon the "need to know" principle. In other words they have access to personal data where this is necessary in order to do their job. We regularly check who has access to our systems and data.

We do not sell personal data.

Data may be exported to further countries in line with legal requirements and the required measures to ensure protection of the data. This is particularly the case where personal data needs to be processed by internal services teams or by third parties in other Scan4People  locations and outside the EU or Switzerland. We make sure adequate safeguards such as binding contracts are in place with those internal and external parties.

 We keep your personal information in compliance with applicable retention periods and for as long as necessary for the purpose for which it was collected, and to comply with our legal and regulatory requirements. This may include keeping your information for a reasonable period of time after your relationship with us or our client has ended. We securely destroy personal data when they are no longer needed for the relevant purposes and its retention period has expired. In some circumstances we retain aggregated or anonymised data which can no longer be associated with you and is therefore not considered personal data. If you need more information about the retention or deletion of your personal data, please see also the section on your privacy rights below and contact us using the details provided at the end of this document. 

Your privacy rights

We recognise that you may have rights with regard to our processing of your data. While the nature and extent of these rights will differ from location to location, we have processes in place that allow us to respond in a timely manner to any valid request to:

• Access - You may have the right to find out what personal information we hold about you (this includes what category of personal data and/or specific personal data)
• Rectification - If any of your details are incorrect, inaccurate or incomplete you can ask us to correct them or to add information.
• Portability - In some circumstances you can ask us to send an electronic copy of the personal information you have provided to us, either to you or to another organisation.
• Object - You have the right to object to any processing done under legitimate interests.  We will then re-assess the balance between our interests and yours, considering your particular circumstances.  If we have a compelling reason, we may still continue to use your information.
• Prevent marketing - You have a specific right to object to our use of your information for direct marketing purposes, which we will always act upon.
• Restrict processing - If you are uncertain about the accuracy or our use of your information, you can ask us to stop using your information until your query is resolved.  We will inform you of the outcome before we take any further action in relation to this information.
• Erase - You can ask us to delete your personal information if deleting your data is not in conflict with our legal and regulatory obligations.  If we are using consent to process your information and you withdraw it, you can ask us to erase your information.

If you are unhappy with how we process your personal data, you may have the right to complain to a data protection regulator or supervisory authority. We encourage you to contact us first so we can address your concerns.

 We have instituted a comprehensive, global data protection compliance framework in order to fulfill our responsibilities to protect personal data and to respect privacy rights in compliance with data protection and privacy laws and regulations around the world, including but not limited to the Swiss Data Protection Act, the European Union’s General Data Protection Regulation (GDPR), UK Data Protection Act.

Scan4people is fully compliant with the General Data Protection Regulation (GDPR) and takes the protection and privacy of our users' personal data very seriously. All data collected and stored on our Application is securely encrypted and stored in an encrypted database in Amazon Web Services (AWS). We assure that no personal data such as email addresses or phone numbers will be shared with any third party, or with other users of the Application. Additionally, we would like to assure that Bluetooth Beacons used in the Application do not carry or transmit any personal data. Furthermore, we would like to assure that all database and application data of attendees will be deleted one day after the event has finished. We are committed to ensuring that all personal data is handled and stored in accordance with the highest standards of security and data protection.  

In addition to the measures outlined above, we also respect the right of attendees to opt out of using or carrying the beacon. Attendees have the option to return the beacon to the conference at any time.

We also understand that attendees may want to have control over their personal data stored in the Application and in our encrypted database in AWS. Therefore, we allow any attendee to request the deletion of their personal data stored in our system at any time. To do so, they only have to send an email to info@scan4people.com requesting the deletion of their personal data. We will process the request and delete the data promptly. We are committed to providing all attendees with full control over their personal data and respecting their privacy choices.

About AWS:  At Amazon, security remains the highest priority, AWS constantly continues to innovate and invest in a high bar for security and compliance across all global operations. Amazon’s industry-leading functionality provides the foundation for our long list of internationally-recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5). AWS continues to pursue the certifications to assist the customers.