Privacy Policy

Annex 1: Policy for the processing of Users' personal data

In accordance with the provisions of Articles 13 and 14 of the GDPR, the purpose of this personal data processing policy is to provide any information referred to in Articles 13 and 14 of the GDPR to any natural person concerned by the processing of their personal data, in particular in the case of:
  • A subscription to any Subscription for the use of the Application Services;
  • A use of their account on the Software;
  • A use of the Application Services.
The main terms used below are defined at the end of this policy for a better understanding of them.

1. Data controller

The “controller” of the personal data processed for the purposes set out below is Rocketmail, a limited liability company, whose registered office is located at 9 rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg, registered in the Trade and Companies Register of the Grand Duchy of Luxembourg under number B157869.

The company can be contacted:

Purpose of the data processing (purposes, legal basis, categories of data processed, categories of persons concerned, retention period):

Why are personal data processed (purpose(s) of processing)?Why are personal data processed (purpose(s) of processing)?What categories of personal data are processed?Who are the persons concerned by the processing?How long is the data kept?
To manage subscriptions made by User(s) to grant access to the Application Services for their Sub-Users.Execution of pre-contractual measures and contract execution
  • Company information details, company billing details
  • Personal identity (last name, first name, e-mail address, message, postal address)
  • Professional life (Company, Function)
  • Subscription data (Date of subscription, Options chosen)
  • Payment data
Sub-UserMaximum 5 years after the end of the Subscription
To invoice the Subscription to the Application Services and keep the accountsLegal obligation
  • Company information details, company billing details
  • Personal identity (last name, first name, e-mail address, message, postal address)
  • Professional life (Company, Function)
  • Subscription data (Date of subscription, Options chosen)
  • Payment data
  • Invoice
Sub-UserAccounting and tax limitation periods
To allow the Sub-User or any individuals to make an appointment with RocketMail employees for questions related to the user of the Application Services or Subscription Consent
  • Personal identity (last name, first name, e-mail address, message, postal address)
  • Professional life
  • Company
  • Date and time of appointment, subject of the appointment
  • Messages exchanged
Sub-UserDuring the Subscription period
To ensure compliance with the GDPR and to ensure the effectiveness of the rights of data subjects in relation to the processing of their personal data and to ensure the identity of data subjects who exercise their rights under the applicable data protection regulations.Legal obligation to ensure compliance with the GDPRPersonal identity (last name, first name, email address and in case of doubt, unique electronic identifier if creating an account or, if impossible, a copy of an identity document)Sub-UserMaximum 12 months from the last contact with the data subject (if a copy of ID is obtained, only for the time of identity verification)
To monitor data breachesLegitimate interestConnection data (connection log, access log)Sub-User12 months
To streamline prospection and manage the customer relationshipLegitimate interest
  • Personal identity (last name, first name, e-mail address, message, postal address)
  • Professional life
  • Company information details, company billing details
  • Subscription data (Date of subscription, Options chosen)
  • Messages exchanged
Sub-UserMaximum 3 years after the last interaction
To provide support to the Sub-Users or any individualsConsent
  • Personal identity (last name, first name, e-mail address, message, postal address)
  • Professional life
  • Messages exchanged
Sub-UsersMaximum 5 years after the end of the technical support

Please note that fields marked with an asterisk in any digital or online form are personal data that must be provided. Failure to respond to the data marked with an asterisk in any form may result in Rocketmail being unable to respond to the individual’s request.

2. Data from individuals using the online appointment scheduling solution through the Users

The use of the Application Services by the Sub-Users, who have access through the Subscription of the User, allows their customers, prospects and in general, any natural person to make an appointment directly with them. The data controller of the data of these persons is the User of the Application Services. Rocketmail only acts as a processor in the sense of Article 28 of the GDPR and therefore only complies with the documented instructions of its Users to whom any request to exercise a right must be addressed.

3. Recipients

Rocketmail only communicates personal data to authorized and designated recipients. The recipients concerned are, internally, the internal departments of Rocketmail and, depending on the personal data concerned, externally:

Persons concernedPersonal data concernedRecipients
  • Sub-Users
  • Individuals that either booked a meeting through the Lodago Software or that were added to a meeting that was booked through the Lodago Software
Data related to the Application ServicesData hosting Amazon EU
  • Sub-Users
  • Individuals that either booked a meeting through the Lodago Software or that were added to a meeting that was booked through the Lodago Software
Company details and billing information
  • Adyen banking service
  • External accounting Zoho EU
  • Tax administration
Sub-UsersData related to the customer and IT supportFreshworks CRM
Sub-UsersData related to the Subscription and the history of the relationship between RocketMail and Sub-UsersHubSpot CRM

4. Data security

In compliance with the provisions of Article 32 of the GDPR, Rocketmail undertakes to implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk, taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of likelihood and severity of which varies, to the rights and freedoms of natural persons.

Particular account shall be taken of the risks to which the processing gives rise, resulting in particular from the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful. Rocketmail has implemented the following security measures:

Staff authenticationEncrypted HTTP authentication
Server securityRedundant servers and load balancing
Security of software or applications
  • Firewall protection against intrusion
  • Vulnerability scanners
  • Pentests
Realization of backupsDaily backup on remote data centre
Data encryptionsha256

5. Transfer outside the EU

No data is transferred outside the EU.

 

6. Rights

What are the rights of the User or individuals whose data is processed by Rocketmail as a data controller?

  • Right to withdraw data collected on the basis of consent.

Where the processing is based solely on the consent of the data subject, the data subject may withdraw consent at any time by simple request sent to Rocketmail by email to dpo@rocketmail.lu or by post to 9 rue du Laboratoire 1911 Luxembourg, Grand Duchy of Luxembourg.

  • Right to Information

The purpose of this policy is to provide any data subject whose data is being processed with any information referred to in Articles 13 and 14 of the GDPR.

  • Right of access

The data subject has the right to obtain from Rocketmail confirmation as to whether or not personal data relating to them is being processed and, where it is stored. The data subject has the right to access to such personal data and the information provided for in Article 15 of the GDPR.

  • Right of rectification

The data subject shall have the right to obtain from Rocketmail as soon as possible:

  • The rectification of personal data concerning them that are inaccurate;
  • In view of the purposes of the processing, they can also request that incomplete personal data be completed, including by providing an additional declaration.
  • Right to be forgotten

Where one of the reasons referred to in Article 17.1 of the GDPR applies, and except for the cases referred to in Article 17.3 of the GDPR, the data subject shall have the right to obtain from Rocketmail the erasure of personal data concerning them as soon as possible.

  • Right to limitation of processing

The data subject has the right to the restriction of processing where one of the grounds under Article 18 of the GDPR applies.

  • Right to object

The data subject shall have the right to object under the conditions set out in Article 21 of the GDPR at any time on grounds relating to their particular situation to the processing of personal data concerning them.

  • Right to data portability

Where processing is based on the consent or legitimate interest of the controller or a third party, the data subject shall have the right to receive the personal data concerning them that the data subject provided to Rocketmail in a structured, commonly used and machine-readable format, and shall have the right to transmit such data to another controller.

  • Absence of any automated individual decision

Rocketmail does not carry out any decision-making exclusively based on automated processing, including profiling, that produces legal effects on the data subject to the processing of their data or significantly affects the data subject in a similar way.

  • For data subjects residing in the European Union, a right to define directives regarding the fate of the data after their death.

A data subject who is a resident of the European Union and whose data is being processed has the right to define directives regarding the retention, erasure, and disclosure of their personal data after their death.

7. How to exercise your rights?

The rights can be exercised by simple mail sent to Rocketmail by post at the address 9 rue du Laboratoire l-1911 Luxembourg or by email at the email address: dpo@rocketmail.lu. In case of reasonable doubt(s) about the identity of the person concerned, Rocketmail may request a copy of an identity document in order to ensure the exact identity of the person making any request and to avoid communication of data to an illegitimate third party.

If the response provided by Rocketmail is not satisfactory to the person concerned, the latter is hereby informed that they may submit a complaint to the National Commission for Data Protection, Complaints Department, 15 Boulevard du Jazz, L-4370 Belvaux or https://cnpd.public.lu/en/particuliers/faire-valoir/formulaire-plainte.html.

8. Definition(s)

For a proper understanding of this privacy policy:

Application Services: refers to the services offered in SaaS mode (“Software as a Service”) by Rocketmail allowing the use of the Software by the User and by which a personal, non-exclusive, and non-transferable right of use of the Application Services is granted to the User under these General Terms and Conditions. The Application Services include:

  • A right of access to Rocketmail’s servers under the conditions defined below;
  • A limited, non-exclusive, and non-transferable right to use the Application Services in return for payment of the Royalty;
  • A set of services defined hereafter, namely data hosting, maintenance of the Application Services and technical assistance in the use of the Software.

Data controller: means the company Rocketmail, whose contact details are detailed in this policy.

Data subject: means any identified or identifiable individual concerned by the processing of their personal data.

Personal data: means any information relating to an identified or identifiable natural person. An “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

Processor: means the natural or legal person, public authority, department or other body that processes personal data on behalf of the data controller.

Processing or Processing(s): means any operation or set of operations, whether or not carried out using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction.

Recipient: means the natural or legal person, public authority, service or any other organization that receives communication of personal data, whether or not it is a third party.

Software: means the software developed by RocketMail, which has several functionalities related to appointment scheduling and marketed under the name of Lodago, as well as the documentation associated with it, its interfaces and its possible parameters.

Sub-User: means any physical person designated by the User who benefits, through the User’s Subscription, from the Application Services. A Sub-User can be an employee, a contractor, an agent and/or any person involved in general business operations of the User, such as its Affiliates’ for their own general business operations. The Sub-User must be at least 18 years old on the date they benefit, through the User’s Subscription, from the Application Services.

Subscription: means any personalized quote issued by Rocketmail or any subscription made by the User directly online on the website of the company Rocketmail on the page dedicated to subscription or by exchange of emails with Rocketmail and allowing the User to benefit from the Application Services under the terms of these General Terms and Conditions in return for the payment of a royalty for use at the rate and terms of payment provided in the quote or online.

User: refers to the Subscriber’s legal entity of a Subscription, who is granted access and right of use of the Application Services under the terms of these General Terms and Conditions.

Annex 2: Personal data processing when Rocketmail acts as a data processor

Within the framework of their contractual relations, the Parties undertake to comply with the applicable regulations in force applicable to the processing of personal data and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 Applicable as of 25 May 2018.

Rocketmail, a personal data processor, is Authorized to process on behalf of the User, the data controller, the personal data necessary to provide the services referred to in this Agreement in the article “Purpose” of the General Terms and Conditions.

In accordance with the provisions of Article 28 of the GDPR, the purpose of this agreement is to define the conditions under which Rocketmail undertakes to carry out on behalf of the User the processing operations of personal data in the context of the use of the Application Services.

1. Definitions

The terms below shall have in these general terms and conditions the meaning given by their following definition (regardless of whether the word is singular or plural):

Application Services: refers to the services offered in SaaS mode (“Software as a Service”) by Rocketmail allowing the use of the Software by the User and by which a personal, non-exclusive, and non-transferable right of use of the Application Services is granted to the User under these General Terms and Conditions. The Application Services include:

  • A right of access to Rocketmail’s servers under the conditions defined below;
  • A limited, non-exclusive, and non-transferable right to use the Application Services in return for payment of the Royalty;
  • A set of services defined hereafter, namely data hosting, maintenance of the Application Services and technical assistance in the use of the Software.

GDPR: refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 applicable as of 25 May 2018.

Parties: refers to Rocketmail and the User.

Rocketmail: refers to the company Rocketmail, a limited liability company, whose registered office is located at 9 rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg, registered in the Trade and Companies Register of the Grand Duchy of Luxembourg under number B157869. It is a “subcontractor” within the meaning of Article 4.8 of the GDPR.

Software: means the software developed by RocketMail, which has several functionalities related to appointment scheduling and marketed under the name of Lodago, as well as the documentation associated with it, its interfaces and its possible parameters.

Subprocessor: refers to all subcontractors of Rocketmail.

Sub-User: means any physical person designated by the User who benefits, through the User’s Subscription, from the Application Services. A Sub-User can be an employee, a contractor, an agent and/or any person involved in general business operations of the User, such as its Affiliates’ for their own general business operations. The Sub-User must be at least 18 years old on the date they benefit, through the User’s Subscription, from the Application Services.

User: refers to the Subscriber`s legal entity of a Subscription, who is granted access and the right of use of the Application Services under the terms of these General Terms and Conditions. The User has the quality of “data controller” in the sense of the provisions of article 4.7 of the GDPR.

2. Purpose

Rocketmail is authorized to process the personal data necessary to provide the services that are the subject of the contractual relationship between the Parties on behalf of the User, namely: the use by the User of the Application Services.

3. Duration

This agreement comes into force between the Parties when the User subscribes to a Subscription and lasts during the User’s Subscription to the Application Services.

4. Nature and purpose(s)

The nature of the operations performed on the data is the collection, transmission and storage of data for the following purposes:

  • To allow the Sub-Users to book meetings with any third party by providing the Application Services,
  • To allow third party to book meetings with Sub-Users by providing the Application Services,
  • To allow the Sub-Users to synchronize their calendar with the Application Services,
  • To update the Sub-Users calendars,
  • To allow the Sub-Users to have an history of their appointments and meeting details,
  • To allow Sub-Users to provide support to their Sub-Users and third parties booking appointments with Sub-Users,
  • To monitor email openings,
  • To backup and host data contained in the Application Services,
  • To secure exchange,
  • To assist the Controller to detect breaches and act upon it,
  • To help the data controller to ensure compliance with the GDPR and to ensure the effectiveness of the rights of data subjects in relation to the processing of their personal data and to ensure the identity of data subjects who exercise their rights under the applicable data protection regulations.

5. Type of data and categories of persons concerned

The type of data processed mainly concerns data related to appointment making (identity of the persons, email address, date and time of the meeting, purpose of the meeting) and depends on the data transmitted by the User and the Sub-Users.

The categories of persons concerned are the Sub-Users, the recipients of the Users and Sub-Users and, in general, any natural person whose data is processed by the User and Sub-Users on behalf of the User, the controller, and provided to Rocketmail, the processor.

6. Obligations and rights of the User

The User undertakes to:

  • Make available all information and data necessary for the execution of Rocketmail’s missions to Rocketmail;
  • Document in writing any instructions given to Rocketmail regarding the processing of data;
  • Ensure that Rocketmail complies with its obligations under the GDPR before and during the processing;
  • Supervise the processing;
  • Provide information to the persons concerned by the processing operations at the time of the collection of the data, in accordance with the provisions of articles 13 and 14 of the GDPR and in particular of the fact that their data may be collected by Rocketmail.

In accordance with Article 28.3 of the RGPD, it is recalled that the data controller is responsible for the processing of personal data and has the rights defined in Article 28 of the above-mentioned Regulation.

7. Commitments of Rocketmail

Rocketmail undertakes to:

  • Process data only for the purposes for which it is outsourced and not use it for any other purpose;
  • Process data in accordance with the User’s documented instructions.
  • If Rocketmail considers that an instruction constitutes a violation of the GDPR or any other provision of EU or Member State law relating to data protection, it will immediately inform the User;
  • If Rocketmail is required to transfer data to a third country or international organization under European Union law or the law of the Member State to which it is subject, it shall inform the User of this legal obligation prior to processing, unless the law concerned prohibits such information on important public interest grounds.
  • Guarantee the confidentiality of personal data processed under this agreement;
  • Ensure that the persons authorized to process personal data under this Agreement:
    • Are committed to confidentiality or are subject to an appropriate legal duty of confidentiality;
    • Receive the necessary training in the protection of personal data;
    • Consider the principles of data protection by design and data protection by default in its tools, products, applications or services;
  • Assist the User as far as possible in fulfilling its obligations under Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to Rocketmail.

8. Recruitment of other subcontractors

Rocketmail may use another processor, the Subprocessor, to carry out specific processing activities. In this case, it shall inform the User in advance and in writing of any changes envisaged regarding the addition or replacement of other subcontractors. This information shall clearly indicate the processing activities subcontracted, the identity and contact details of the subsequent subcontractor and the dates of the subcontract. The User shall have a period of fifteen (15) calendar days from the date of receipt of this information to present his/her objections. This subcontracting may only be carried out if the User has not raised any objections within the agreed period.

Rocketmail undertakes to sign a written contract with its subsequent Subcontractor imposing on it the same personal data protection obligations as those provided for in this agreement, in particular as regards presenting sufficient guarantees as to the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR.

Rocketmail remains fully responsible to the User for the performance by the subsequent Subcontractor of its obligations.

9. Assistance

To the possible extent, Rocketmail undertakes to assist the User:

  • In fulfilling its obligation to comply with requests to exercise the rights of data subjects: the right of access, rectification, erasure and objection, the right to restrict processing, the right to data portability, the right not to be subject to an automated individual decision (including profiling) and the right to set out instructions regarding the fate of data after the death of the data subject. Where data subjects make requests to Rocketmail directly to exercise their rights, Rocketmail will send such requests upon receipt by email to the User.
  • In conducting any data protection impact assessment;
  • When carrying out the prior consultation with the supervisory authority.

10. Notification of security breach

RocketMail undertakes to notify the User of any breach of personal data as soon as possible and at the latest within a maximum of 48 hours of becoming aware of it and by email to the email address communicated by the User when subscribing to the Subscription. This notification shall be accompanied by any useful documentation to enable the User, if necessary, to notify the competent supervisory authority of the breach.

11. Security measures

In compliance with the provisions of Article 32 of the GDPR, Rocketmail undertakes to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, which vary in probability and severity, to the rights and freedoms of natural persons.

Particular account shall be taken of the risks to the processing, in particular those arising from the destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed, whether accidental or unlawful. Rocketmail has implemented the following security measures:

Staff authenticationEncrypted HTTP authentication
Server securityRedundant servers and load balancing
Security of software or applications
  • Firewall protection against intrusion
  • Vulnerability scanners
  • Pentests
Realization of backupsDaily backup on remote data centre
Data encryptionsha256

12. End of the service

At the end of the Subscription, or upon termination of this Agreement, Rocketmail undertakes to cease any processing of the User’s and/or Sub-users’ Personal Data in accordance with the User’s instructions, destroy and/or return all personal data processed as a subcontractor by any appropriate means agreed with the User no later than two (2) weeks after termination or end of this Agreement and provide a statement confirming such deletion, destruction or erasure has been effected.

13. Register

Rocketmail declares that it keeps a written record of all categories of processing activities carried out on behalf of the User including:

  • The name and contact details of the controller on whose behalf it is acting, of any subcontractors and, where appropriate, of the data protection officer;
  • The categories of processing carried out on behalf of the controller;
  • Where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the European Data Protection Regulation, the documents attesting to the existence of appropriate safeguards;
  • To the extent possible, a general description of the technical and organizational security measures, including inter alia, as appropriate:
    • Pseudonymization and encryption of personal data;
    • Means to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services;
    • Means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
    • A procedure to regularly test, analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.

14. Documentation

Rocketmail shall make available to the User the documentation necessary to demonstrate compliance with all of its obligations and to enable audits to be carried out in relation to the applicable personal data protection provisions, including inspections, by the User or another auditor appointed by the User and at the User’s expense, and to assist in such audits which may only be carried out in compliance with business secrecy and intellectual property law (and therefore will not allow access to the source code of the Application Services under any circumstances).

Need help?
Contact us now!