Vasco Audience app
Privacy Policy

The Privacy Policy sets out the rules for the processing of personal data in connection with the use of the Vasco Audience mobile application and the related Vasco Audience Service.

1. Definitions

   Capitalized terms have the following meanings:

   1. Application - an integrated technological solution of Vasco, comprising a mobile application and a supporting web interface, constituting a coherent digital environment enabling Account registration, use of the Vasco Audience Service, as well as the use of other functionalities, if available in a given interface.
   2. Vasco / Controller - Vasco Electronics S.A. with its registered office in Krakow, al. 29 Listopada 20, 31-401 Krakow, Poland.
   3. Client - a legal person or an organizational unit without legal personality that purchases hour packages and concludes an agreement for the provision of the Vasco Audience Service.
   4. User - a natural person using the Vasco Audience Service.
   5. Account - a collection of resources and permissions created by the Client in the Application, necessary to use the Application.
   6. Vasco Audience Service - the main functionality of the Application, enabling automatic translation of speech in a one-to-many or few-to-many format in near real-time.
   7. Client Representative - a natural person acting for and on behalf of the Client, authorized to represent them in relations with the Controller, in particular regarding the conclusion, management, performance, and settlement of the agreement for the provision of the Vasco Audience Service.
   8. Privacy Policy - this policy setting out the rules for the processing of personal data by the Controller.
   9. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. Role of Vasco in the data processing process

   In order to ensure full transparency of personal data processing processes related to the provision of the Application and the Vasco Audience Service, Vasco assumes a dual role under the GDPR:

   1. Vasco as Controller

      Vasco is the Controller with respect to data for which it independently and autonomously determines the purposes and means of processing. This role includes, in particular, personal data processed for the purpose of managing the business relationship and the Client Account, ensuring the security and stability of the Application and the Vasco Audience Service, as well as conducting analytical activities aimed at improving and developing the Vasco Audience Service and the Application.

   2. Vasco as Processor

      Vasco acts as a Processor with respect to data that includes Speaker utterances, translations, transcripts, lists of Participants associated with a specific event, and the content of questions asked by Participants. In this case, the Client acts as the Controller, and Vasco processes data solely on their documented instruction, for the purpose of providing the automatic translation service, on the basis of a separate Data Processing Agreement in accordance with Art. 28 of the GDPR.
      
      The distinguishing criterion is the entity that determines the purposes and means of processing. Vasco acts as the Controller in cases where it independently decides on the purposes and means of processing.

3. Data processed by Vasco as Controller
   1. Data processed for the purpose of concluding and performing the agreement

      Vasco processes personal data of the Client, Client Representatives, and Users for the purpose of concluding and performing the agreement for the provision of electronic services regarding access to the Application, maintaining the Account, and using the Vasco Audience Service.
      
      For this purpose, the Controller processes the following categories of data:

      1. identification data of the Client and Client Representatives - data collected via the application form (name, surname, e-mail address, company name, address), which are necessary for communication and the conclusion of the agreement and its performance;
      2. Client identifier - a unique string of characters assigned to the Client Account for the purpose of managing Account data and administrative and technical support within the provided Vasco Audience Service;
      3. Account identification data - e-mail address and data on how the Account was created;
      4. Account management data - information about Account settings, including the Account name;
      5. Account status data - date and time of Account creation, date of last login;
      6. data on the purchased hour package - including in particular information about the type of package, the number of available and unused hours, the expiration and update dates of packages, and restrictions regarding a given hour package.

      Legal basis for processing: Art. 6(1)(b) of the GDPR, i.e., necessity of processing for the performance of the agreement for the provision of the Vasco Audience Service and maintaining the Account.
      
      Retention period: data processed for the purpose of concluding and performing the agreement are stored for the entire duration of the agreement for the provision of the Vasco Audience Service and possession of an Account in the Application.
      
      After the expiration or termination of the agreement, the identification data of the Client and Client Representatives, as well as data on the purchased package, may be stored for the purpose of defense against claims resulting from business activities. Processing then takes place on the basis of Art. 6(1)(f) of the GDPR.

   2. Data processed for billing and legal purposes

      Vasco processes data in order to comply with legal obligations, in particular those resulting from tax and accounting regulations, related to the purchase of hour packages by the Client. For this purpose, Vasco processes billing data, identification and address data of the Client and Client Representatives.
      
      Legal basis for processing: Art. 6(1)(c) of the GDPR, i.e., necessity for compliance with a legal obligation to which the Controller is subject.
      
      Retention period: billing data, including identification and address data of the Client and data on purchased hour packages, are stored for 5 years, calculated from the end of the calendar year in which the tax payment deadline for a given transaction expired.

   3. Data processed to ensure the security, stability, and proper operation of the Application and the Service, as well as its improvement and optimization

      Vasco processes data to ensure the security, stability, proper functioning, as well as optimization and development of the Application and the Vasco Audience Service. The categories of data processed by Vasco for this purpose are of the nature of technical data and system logs, and their processing is necessary in particular for diagnosing and removing errors, maintaining business continuity, protecting the service against threats, as well as for analyzing technical performance.
      
      For this purpose, the Controller processes the following categories of data:

      1. technical identifiers - anonymous or pseudonymous identifiers allowing for reporting and tracking errors;
      2. device and software data - this includes detailed information about the device used by the User, the operating system, and details regarding the web browser used to operate the web interface;
      3. data on functionalities and connection status - information on the conditions under which the Application operates. Data includes device operation parameters and network connection data;
      4. location data - approximate location (country, city) of the User based on the IP address at the time of connection;
      5. diagnostic data and event history - a record of recent technical activities and interactions that led to an error, along with precise details of the failure itself, such as the error code or error message.

      Legal basis for processing: Art. 6(1)(f) GDPR (legitimate interest of the Controller). The legitimate interest is ensuring the security, integrity, and availability of the Service, as well as the proper functioning and optimization of the Application and the Vasco Audience Service.
      
      Retention period: data is stored for a period of 90 days from the moment of its collection.

   4. Data processed for the purpose of optimizing translation algorithms and the quality of the Vasco Audience Service

      In order to develop and improve the quality and performance of translation algorithms and to maintain high standards of the provided Vasco Audience Service, Vasco processes the following categories of data:

      1. translation-related metadata, in particular language pairs, duration of the translation session, data regarding translation engines;
      2. metadata regarding translation errors, in particular technical data related to the occurrence of translation problems, data on translation completion;
      3. data on the performance and accuracy of translation engines – metrics used to compare and select the most effective translation models.

      Legal basis for processing: Art. 6(1)(f) GDPR (legitimate interest of the Controller). The legitimate interest is the optimization of translation algorithms, which is fundamental for providing Customers with the high-quality Vasco Audience Service.
      
      Retention period: data is stored for a period of one year from the moment of its collection.

   5. Data processed for the purpose of analyzing Customer needs and development

      Vasco processes data in order to improve and optimize the functionality of the Application and the Vasco Audience Service, as well as to better understand usage patterns and the needs of Customers and Users. Processing is necessary for providing Customers with the high-quality Vasco Audience Service, improving the business model, and further developing the Application and the Vasco Audience Service.
      
      For this purpose, the Controller processes the following categories of data:

      1. system identifiers allowing for the linking and technical identification of the Customer, Account, and mobile device;
      2. data on the use of the Application and the Vasco Audience Service, in particular such as data regarding login frequency, Account functions used, interactions with event settings, event duration, language pairs (speaker's source language and participant's target language), data regarding the method of event configuration;
      3. data on Vasco products used to conduct events;
      4. technical information about the Device, operating system, Application versions;
      5. data regarding the utilization of hour packages and their validity.

      Legal basis for processing: Art. 6(1)(f) GDPR (legitimate interest of the Controller). Data analysis allows Vasco to assess the popularity and utility of individual functions, adapt them to the actual needs of Customers, and further develop the Application and the Vasco Audience Service.
      
      Retention period: data is stored for a period of 3 years. After this time, data is stored exclusively as statistical data (anonymized and aggregated) for the purposes of historical analysis and development of the Application and the Vasco Audience Service.

   6. Handling complaints and satisfaction guarantees

      Vasco processes personal data for the purpose of properly accepting, considering, and responding to complaints, as well as for verifying the conditions for the Customer's use of the satisfaction guarantee.
      
      For this purpose, Vasco processes the following categories of data:

      1. identification data - e-mail address assigned to the Account, and in the case of necessity to verify the right to use the satisfaction guarantee – also data regarding the use of the Vasco Audience Service by the Customer;
      2. contact data - e-mail address and other contact data indicated in the report, necessary to provide a response;
      3. content of correspondence - content of complaint correspondence and correspondence regarding the use of the satisfaction guarantee.

      Legal basis for processing: Art. 6(1)(b) GDPR. Processing is necessary for Vasco to fulfill obligations resulting from the Terms and Conditions, including in the scope of considering complaints and implementing the refund procedure under the satisfaction guarantee.
      
      Legal basis for processing: Art. 6(1)(f) GDPR. Archiving of correspondence for the purpose of defense against potential future claims.
      
      Retention period: data is stored for the period necessary to consider the complaint, complete the warranty procedure or satisfaction guarantee procedure, and subsequently archived for the purpose of defense against potential future claims.

   7. Establishment, exercise, and defense of claims

      Vasco processes personal data to protect its legitimate interests, including in the scope of establishing, exercising, and defending against claims that may arise in connection with the performance of agreements with Customers and Users. This applies both to claims of Vasco against Customers and defense against claims directed at Vasco.
      
      Legal basis for processing: Art. 6(1)(f) GDPR; processing is necessary for the realization of the legitimate interest of Vasco, consisting in the possibility of effectively asserting rights and defending against unjustified claims, which is fundamental for conducting business activity.
      
      Retention period: data necessary for evidentiary purposes is stored until the limitation period for potential claims expires in accordance with applicable laws.

4. Data recipients

   The Provider may disclose personal data to the following categories of recipients:

   1. hosting providers and IT infrastructure providers - entities providing server infrastructure and technical maintenance services necessary for the operation of the Application and the Vasco Audience Service;
   2. IT system providers - companies providing customer relationship management software, Account data management systems, billing systems, as well as e-mail and internal communication services;
   3. accounting firms and legal advisors - entities processing identification and transaction data of Customers in order to fulfill the legal obligations of Vasco (financial settlements, taxes) and to defend against claims;
   4. providers of analytical, diagnostic, and monitoring services;
   5. public authorities under applicable laws (e.g., courts, police, tax authorities).
5. Transfer of data outside the EEA

   The Controller may use the services of entities located outside the European Economic Area (EEA), which is necessary to provide the Vasco Audience Service (e.g., in the case of using cloud, analytical, or diagnostic service providers).
   
   In the case of a transfer of personal data outside the EEA, the Provider ensures that the transfer takes place with appropriate safeguards under Art. 44 GDPR and is based on one of the following mechanisms:

   1. adequacy decision - the transfer takes place to third countries for which the European Commission has issued a decision confirming an adequate level of protection (e.g., Canada, Japan, New Zealand);
   2. appropriate safeguards - the transfer is based on Standard Contractual Clauses (SCCs) approved by the European Commission;
   3. EU-US Data Privacy Framework - the transfer is made to entities in the United States that have certified their participation in the EU-US Data Privacy Framework and are listed on the US Department of Commerce list.
6. Profiling

   Vasco does not use automated decision-making, including profiling, within the meaning of Art. 22 GDPR, that would produce legal effects concerning Clients or Users or similarly significantly affect them.
   
   Analysis of Application usage patterns is conducted solely for the purpose of technical optimization, development of the Application and the Vasco Audience Service, and is not used for automated decision-making regarding specific Clients or Users.

7. Rights of data subjects

   Natural persons whose data is processed by Vasco acting as the Controller have the right to:

   1. Access their data;
   2. Rectification of data;
   3. Erasure of data ("right to be forgotten");
   4. Restriction of processing;
   5. Data portability;
   6. Object to data processing based on legitimate interest;
   7. Lodge a complaint with a supervisory authority.

   To exercise the above rights, please contact the Controller via email at: gdpr@vasco-electronics.com