Policy for fulfilling the GDPR (General Data Protection Regulation)
This version of this document is active as from January 22, 2018. Please note that some of the content is only for customised business versions of our apps, connected or not connected to our database HSEQ Reports while some is only related to our free stand-alone apps (Expenses+, HSEQ+ and Timesheets+) and/or our regular website.
Your personal data is processed in accordance with the Norwegian implementation of the European Union (EU) General Data Protection Regulation (GDPR) from May, 2018.
About this document
The GDPR gives instructions that the policy must be easy to understand and in a language all involved people can read. Since we have clients all over the globe and our international business language is English, we have decided to post this only in English. If you need a translated version of this policy, you may use one of the several free translation services online or simply copy it and have it translated to your own local language. Thank you for your understanding.
Protecting your privacy is a core part of our mission. You trust us to take care of your data, and we strive to be worthy of that trust.
We pledge to:
- Be transparent about how we collect, use and store your data.
- Use your data only for the purpose for which we have collected it.
- Not collect or process more personal data than we need in order to provide you with our services and continue to develop those services for your benefit.
- Design our apps/systems to inherently protect your privacy (privacy by design).
- Not store personal data for longer than needed or instructed by you.
- Enable you to delete and correct personal data that is wrong or you do not wish to keep.
- Ask for your permission before we share your data with third parties, and only share your data when it benefits you as a customer.
- Use the best available security practices and tools to protect your data.
By using any app or system from Mellora, you agree to allow us to collect and process information as described below.
What data we may collect in mellora.no, our database HSEQ Reports and in apps
Our free app HSEQ+ collects information about you as the user. This information is your name and email. No cookies are used in the app to track your location or similar data.
None of our professional company apps have any cookies or collect any personal information, but your user details (name and email) are logged if you use a professional company version of the app that is connected to our database, HSEQ Reports. This is for you to be able to log in and use the app/system. We have Data Processing Agreements with all companies who have professional company versions of our system and your user details are covered by this.
How we use the data from mellora.no and HSEQ Reports
The information we collect may be used to provide, develop and improve services from Mellora, including information necessary to improve our service and safety features. We or our partners may use your contact details to send you information, or to ask you to participate in surveys about your Mellora use.
We may also use this information in an aggregated, non-identified form for research purposes and to help us make decisions on the direction of sales, marketing, product development and business activities.
We may use service providers to perform some of these functions. Those service providers are restricted from sharing your information for any other purpose.
We use industry-standard methods to keep this information safe and secure while it is transmitted over your network connection and through the Internet to our servers. Depending on your location and type of data, Mellora may process your personal information on servers that are not in your home country.
The information collected through HSEQ Reports is stored until you no longer use the system.
Roles and purpose
If your company/employer is using a customised version of HSEQ+ and has it connected to our Processing Database, HSEQ Reports, Mellora is the DATA PROCESSOR for your data, including any personal data you provide. In case your employer has ordered the Mellora services for you as an end-user (“business end-user”), your employer, by your Managing Director, is the DATA CONTROLLER.
Data Processor Agreement
We have signed or will sign a Data Processor Agreement with all companies that have customised versions of our products, but we have no opportunity to sign individual agreements with each user. By reading this GDPR information from us as a SaaS (Software as a Service) supplier and then using one of our Products, you will either accept the contents of the data processing agreement we have or will have with your employer or the general content provided in this page. If you are an employee using a company-specific version of our products and you have any questions or complaints, you will need to contact your employer. If you are a user of one of our free, common products, you simply need to uninstall and not use the product if you disagree with the content written in this policy.
The purpose of processing your personal data is to digitalize different tasks in your workday. What that means in terms of what data we collect and process, how and where we process it, and for how long, is described below.
It is important that you read this, as by taking any Mellora product into use you give us (and your employer, in case you are a business end-user) your consent to process your personal data.
Legal basis for the processing
The legal basis for the processing of personal data is your consent and data protection law. In case you are a business end-user, part of the processing is required in order to fulfil the agreement we have with your employer (the data controller).
Your personal data is processed in accordance with the Norwegian implementation of the European Union (EU) General Data Protection Regulation (GDPR) from May, 2018. This gives you strong rights as a data subject. Hereunder you have the right to:
- have your personal data deleted,
- have any incorrect data corrected,
- receive information from the data controller (your employer) regarding the data processing.
Norwegian law applies.
Any surrender of data is voluntary, but some basic information is needed to enable the products supplied by Mellora to operate.
What data we collect in general
- Information when you register as a customer or user. When you first take any Mellora product into use, you will be asked to enter information such as your name, e-mail, signature and the name and of your employer. A special module for fulfilling specific regulations that some companies have also requires details about your birth date. However, this information is not gathered unless your company uses our product for the specific task that the mentioned module is designed for. Please communicate directly with your employer if in doubt.
- Data entered by you, for instance travel information, receipts, HSE and inspection reports, etc.
- IP addresses, log data and other diagnostic data. This is logged for diagnostic and security purposes.
- All data registered into HSEQ Reports belong to our client / your company
- All information and all files uploaded to Mellora are encrypted upon uploading to the servers, currently operated by Uniweb and Digiplex.
Where we process your data
The personal data we collect from you is transferred to our Norwegian data processing centre. Currently this data centre is operated by Digiplex through Uniweb. Digiplex is renowned for its industry leading security and performance (ww.digiplex.no). The company is certified according to ISO 9001/14001/18001/27001.
We take great efforts in securing your data and have implemented internal mechanisms in order to prevent misuse of the data. SSL encryption is used on data registered to HSEQ Reports. Only you as the customer, or those with access to the registrations made, will be able to view your personal information. In addition, certain Mellora employees or approved third-party suppliers will need access to the information in order to provide support, troubleshooting, etc. However, this will only be for a limited time and all third-party suppliers have signed confidentiality agreements with us to avoid misuse of any sensitive data.
All apps and databases are password protected and no one but those with the correct credentials and access rights can look into the system. The admin in your company can give login details to those he/she needs to, according to the setup of your organisation. Mellora does not control this access.
Risk Assessments have been conducted and are part of our internal quality- and risk management system. All deviations or suspicions about security breaches and discrepancies are reported into our own version of HSEQ Reports and processed according to laws and regulations.
Mellora does not share personal information for any commercial or marketing purpose unrelated to the delivery of Mellora products and services without asking you first.
The following are the limited situations where we may share personal information:
With your explicit consent: We may share personal information when we have your consent. One example of this would be if you sign up for additional programs offered by our partners. If you do this, we may share certain information with the partner.
For external processing: We have vendors, service providers, and partners who may help with some of our data processing and storage, including customer support services at our partners. They may also assist with monitoring our servers for technical problems. These vendors (as well as Mellora’s personnel) can access certain information about you and your account in order to carry out their work. They are not allowed to use this data for non-Mellora purposes and the access to your data is always on a limited time basis.
As part of business transitions: Upon the sale or transfer of the company and/or all or part of its assets, your personal information may be among the items sold or transferred. We will request a purchaser to treat our data under the privacy statement in place at the time of its collection.
For legal reasons: We may provide information to a third party if we believe in good faith that we are required to do so for legal reasons. For example, to respond to legal process, or comply with EU law.
We may share non-personal information (for example, aggregated or anonymized customer data) publicly and with our partners. For example, we may publish research on, or help us generally improve our system. We may also share non-personal information with our partners, for instance if they are interested in offering other services. We take steps to keep this non-personal information from being associated with you and we require our partners to do the same.
Your personal information may be collected, processed and stored by Mellora or its service providers within the European Union, the EEA, or locations regulated by EU-style privacy regulations. As a result, your personal information may be subject to legal requirements, including lawful requirements to disclose personal information to government authorities, in those jurisdictions.
How long we store your information
Mellora generally stores your personal information on our provider’s servers for as long as you or your employer remain a Mellora customer. This is needed in order for your company to be able to use the registrations you make (various HSEQ reports etc.). To the extent there are legal requirements for duration of storage, such as for accounting purposes, we may store data for up to 10 years.
You can contact the DATA CONTROLLER, your employer by the Managing Director, if you desire to access all information related to you, stored in the system.
For information about which data Mellora may have stored that can be connected to you, please use the contact details below. We will be glad to be of any assistance regarding e.g. deleting information about you we may have stored and to give you more details on how we may use the stored information.
If you desire to get in touch with us, our contact information is as follows:
Tel. +47 412 76 710