Introduction and scope
This Privacy Statement (the “Statement”) applies to the “Escape Game for Microsoft Teams” service (the “Service”), developed and owned by Xylos NV, Noorderlaan 139, B-2030 Antwerp, VAT BE 0877.360.743, hereinafter “Xylos”, “we” or “us”.
XYLOS deems the protection of privacy of the utmost importance and wishes to enable you – as user of its Application – to maintain full control over what happens to your Personal Data and your privacy and to inform you accordingly.
All capitalized terms that are not defined in this Statement shall have the meanings as ascribed to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”).
Your Personal Data and your privacy are protected by XYLOS in accordance with Belgian and European regulations on the protection of privacy. Please read this Statement very carefully. The following describes not only your rights, but also the way in which you can exercise these rights.
By using our Application, disclosing your Personal Data, or accepting this Statement, you expressly consent to the manner in which XYLOS collects and Processes your Personal Data as described in this Statement.
Who Processes your Personal Data and how can you contact us?
XYLOS is responsible for the Processing of your Personal Data that you provide through the Application.
XYLOS has appointed a privacy contact, whom you can always contact for questions about your privacy and the Processing of your Personal Data. The privacy contact can be reached at Xylos NV, Noorderlaan 139, B-2030 Antwerp, email: firstname.lastname@example.org
What Personal Data are collected and Processed?
XYLOS processes different types of Personal Data, depending on your use of the Application and as relevant. The following Personal Data might be processed by XYLOS:
- History and logs: Searches carried out on the Application, activity on the Application, date and time when the Application was visited.
- Personal information: UserPrincipleName, Email, Display Name.
- Technical information Telemetry: IP, Country, OS
Where Personal Data of a third party are disclosed via the Application or with a view to use the Application, the person communicating the Personal Data (the data Controller) guarantees that he has informed said third party and that he has received all necessary agreements, consents and/or legal basis to communicate the third party’s Personal Data for the purpose of this application.
What are the purposes and principles of the Processing of your Personal Data?
The purpose and principles of the Processing of your Personal Data mainly depends on the category of Personal Data concerned. Below you will find an overview of the purpose and principles of the various Personal Data that the Digital Studio business of XYLOS Processes.
History and logs
History and logs are collected for statistical purposes, to report your usage of the Application to your employer and to improve the functioning of the Application.
Grounds for Processing
Personal information is collected to create a personal account, to allow you to have access to the Application and to ensure the proper functioning of the Application.
Grounds for Processing
Performance of the agreement
Technical information is collected to enable XYLOS to adapt the Application to your use, for diagnostic purposes and to improve the functioning of Application in the future.
Grounds for Processing
Legitimate interest as a legal basis for the lawfulness of Processing is justified with regard to the Personal Data to improve your user experience, the Application and XYLOS’s product and services. The fact that XYLOS Processes this Personal Data benefits you as a visitor of the Application. Moreover, such Processing of Personal Data shall not create a risk to the fundamental rights and freedoms of you as a visitor of the Application or any other visitors of the Application.
The Processing of certain of the above-mentioned Personal Data by XYLOS and other information you might disclose, is necessary for the performance of the agreement. In the event you refuse to provide these Personal Data, XYLOS will not be able to comply with certain of its obligation to provide you the requested service.
Any consent you provide is always free, and you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the Processing of Personal Data based on a legal requirement or imposed by a court order.
Receiving and sharing Personal Data
XYLOS receives your Personal Data in cases as and when:
- You are registered as a user in the Application
- Your Administrator monitors the use of the Application.
XYLOS will always share your Personal Data in a minimal way. However, to be able to follow through on your request or action on our Application, XYLOS may sometimes need to share Personal Data with the Microsoft – Azure Data Centers in Amsterdam and Dublin. Your Personal Data may also be shared within the XYLOS group. You therefore provide your express consent to share your Personal Data as described in this Statement.
Processors and Subprocessors of XYLOS always act under the responsibility of XYLOS. If XYLOS contracts Processors or Subprocessors, this will always be done in accordance with a Data Processor Agreement that meets the requirements of the GDPR and that protects your Personal Data.
XYLOS may share your Personal Data with third parties, for storing and Processing your Personal Data, responding to your queries, sending content to you, and for optimizing our Application.
XYLOS will never share or sell your Personal Data with or to commercial enterprises.
If you are directed to another application, platform or website through the Application, other terms and conditions and other privacy and cookie policies may apply. You should take into account any such terms and conditions and privacy and cookie policies of such applications, platforms and websites. We encourage you to read these terms and conditions and privacy and cookie policies of the other applications, platforms and websites you visit.
Transfer of Personal Data to countries outside the European Economic Area (EEA)
In principle, XYLOS does not transfer your Personal Data to countries outside the EEA. It is, however, possible that XYLOS – through its Processors or Subprocessors – does transfer your Personal Data to countries outside the EEA. Should a less strict protection for Personal Data apply in a specific country than within the EEA, you are entitled to conduct an audit in order to evaluate that the same level of protection is achieved.
How will my Personal Data be retained?
XYLOS applies the following retention periods for your Personal Data:
- History and logs: Maximum one (1) year after the last registered use of the Application.
- Personal information: Maximum one (1) year after the last registered use of the Application.
- Technical information: Maximum 90 days after the date of the last user session.
XYLOS retains your Personal Data in its own databases and/or in the databases of its Processors or Subprocessors. You may ask XYLOS to provide a copy of the list of these Processors and Subprocessors at any time.
How are my Personal Data safeguarded?
XYLOS has developed appropriate technical and organizational measures, safeguards and assurances to Process your Personal Data in accordance with applicable Belgian and European regulations, in particular to protect your Personal Data against loss, misuse, or unauthorized alteration.
XYLOS makes all reasonable and appropriate efforts to protect the confidentiality of your Personal Data.
XYLOS understands the importance of secure processes and secure environments to safeguard the confidentiality, integrity and availability of your Personal Data. As such, it is dedicated to improve its security posture on a continuous basis, not only internally but even more so in relation to customer data. Your Personal Data is at all times stored in secure purpose-built and controlled environments under very tight access controls and monitoring while preserving its availability, and in line with industry good practices. Improvements and evolutions are introduced on a regular basis as part of XYLOS’ strategical choice towards security and the protection of assets and data. XYLOS is happy to provide more information on its current security posture e.g. by completing questionnaires.
What rights do I enjoy?
If and in as far as provided for in the applicable Belgian and European regulations, you have the right:
- to receive confirmation as to whether XYLOS Processes your Personal Data and, where this is the case, to access the Personal Data that XYLOS Processes.
- to corrections by XYLOS, without undue delay, of any inaccurate or incomplete Personal Data;
- to have your Personal Data deleted by XYLOS;
- to obtain your Personal Data and to transfer them to another Controller or Processor;
- to obtain a limitation of the Processing of your Personal Data from XYLOS, to the extent possible subject to applicable Belgian and European regulations;
- to receive your Personal Data in a structured, common and machine-readable format;
- to prevent the Processing of your Personal Data and the use of your Personal Data for direct marketing purposes.
You may exercise these rights by contacting the privacy contact at the address specified in clause 2 above and providing him or her with a copy of your identity card (e.g. no identification number may be visible).
If and to the extent provided for in the applicable Belgian and European regulations, you have the right to file a complaint with the competent supervisory authority should the Processing of your Personal Data violate the applicable regulations in case you feel XYLOS has not provided an adequate response to your requests. In Belgium, this is the Data Protection Authority (“Gegevensbeschermingsautoriteit”) https://www.dataprotectionauthority.be.
Amendments to this Statement
XYLOS may amend this Statement at any time. The date of the most recent version is shown in the top right-hand corner of the Statement. Amendments are posted on the Application to keep you informed at all times of the information that XYLOS collects and of how it uses and shares this information.
Amended versions of this Statement take effect ten (10) days after their publication on the Application. Where required they will always be submitted for approval.
Consent for disclosure
You acknowledge, confirm, and expressly consent that we may disclose your Personal Data if this is required by law, or if XYLOS determines in good faith that such disclosure is required in order:
- to comply with any pending judicial inquiry, judicial order or litigation pertaining to the Application;
- to ensure observance of the general terms and conditions of XYLOS on www.xylos.com;
- to respond to claims against XYLOS regarding Personal Data that violate any rights of third parties;
- to safeguard the rights, property and safety of XYLOS, its employees, users, and the general public.
XYLOS may disclose your Personal Data to competent police or judicial authorities or other official government authorities if XYLOS is required as such for the investigation of fraud, intellectual property infringement or any other harmful activity, or if XYLOS reasonably suspects that such activity may expose XYLOS or you to any liability.
XYLOS is also not liable when third parties Process or use your Personal Data illegitimately and XYLOS has taken the appropriate technical and organizational measures to go against such illegitimate Processing or use.
XYLOS is in any case only liable for the damage caused by Processing of Personal Data if it did not comply with its specific obligations of GDPR.
XYLOS shall in no event be liable for any special, incidental, indirect or consequential losses or damages.
Applicable law and competence clause
This Statement shall be governed, interpreted, and implemented in accordance with Belgian law, which applies exclusively in the event of any dispute.
The Antwerp Courts, Antwerp division are exclusively competent to decide on any dispute that may arise from the interpretation or implementation of this Statement, without prejudice to the consumer’s right to present a dispute before the competent court on the basis of a mandatory statutory provision.