RAINBOW – data privacy notice
“Affiliates” means any entity which is controlled by, controls or is in common control with ALE.
“ALE” means the ALE Group or any of its Affiliates.
“ALE Group” means ALE and its Affiliates engaged in the Processing of Personal Data.
“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. In the context of RAINBOW Service, the Data Controller is the End-Customer, except when the User registers to the Rainbow Service directly as a consumer, in which case the Data Controller is ALE.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. In the context of the RAINBOW Service, Data Processor is any Service Supplier, ALE and ALE sub-contractors which contribute to the delivery of the Rainbow Service.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union (“EU”), the European Economic Area (“EEA”) and their member states applicable to the Processing of Personal Data.
“Data Subject” means the individual to whom Personal Data relates. In the RAINBOW service context, the Data Subject is the User using the Service.
“End-Customer” means a company or legal entity contracting with the Service Supplier for the purpose of using the Rainbow Service for its own community of Users.
“Personal Data” means any information relating to an identified or identifiable person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Data Breach” is a security incident in which sensitive, protected, personal or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
“Services” means the provision of the RAINBOW service where ALE Processes Personal Data of End-Customers.
“Standard Contractual Clauses” means the agreement executed by and between ALE and some of its sub-contractors, pursuant to the European Commission’s decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Service Supplier” means ALE International or an Authorized Reseller from which the End-Customer has purchased the Rainbow Service.
“User” means the individual who accesses the Rainbow Service. The User is the Data Subject.
The Service branded as “RAINBOW” is a set of cloud-based collaboration services that enables cross-community interactions and transactions between business users beyond company borders. The Service’s main purpose is to collect identities and link them so as to operate persistent collaborative activities such as messaging, voice or video calls, screen or file sharing, exchanging multimedia data (content) between terminals such as desktop, mobile phones.
ALE has nominated a data protection officer who can be addressed at:
ALE Data Protection Officer
32 avenue Kleber, 92700, Colombes, France
B. The obligations of Data Controller and Data Processor
B.1 Obligation of ALE as a Data Controller
Where it is Data Controller,
ALE is committed to abide by all laws and regulations, in this context, those pertaining to data privacy, personal data protection and security.
ALE will instruct its Data Processors to collect and process personal data in accordance with all the relevant provisions of the applicable data protection laws, in particular, with respect to the security, protection and disclosure of personal data.
ALE will inform the Data Subjects i) of the use of their personal data (see section C below), ii) of the involvement of data processors to process their personal data and iii) that their personal data may be processed outside the EEA (European Economic Area).
ALE will respond in reasonable time and to the extent reasonably possible to enquiries by Data Subjects regarding the Processing of their Personal Data by the Data Controller, and it will give appropriate instruction to the Data Processor in a timely manner.
ALE will respond in a reasonable time to enquiries from the Data Protection Supervisory authority.
B.2 Obligations of ALE as a Data Processor
Where it is Data Processor:
ALE is committed to abide by all laws and regulations, in this context, those pertaining to data privacy, personal data protection and security.
ALE only processes Personal Data on behalf of and in accordance with Data Controller’s instructions.
Individuals accessing personal data:
ALE ensures that its personnel involved in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality. Such obligations survive the termination of that individual’s involvement with ALE.
ALE shall take commercially reasonable steps to ensure the reliability of any ALE personnel involved in the Processing of Personal Data.
ALE ensures that ALE Group’s access to Personal Data is limited to those personnel who require such access to perform the Service.
Personal data protection and personal data security
ALE maintains the highest protection of data, including personal data, and has therefore designed and enforced an internal data security policy and procedures for the protection and the security, confidentiality and integrity of Personal Data.
If ALE becomes aware of any unlawful access to any Data Subject’s Personal Data stored on ALE’s equipment or in ALE’s facilities, or unauthorized access to such equipment or facilities resulting in loss, disclosure, or alteration of Data Subject’s Personal Data (Data Breach), ALE will promptly: (a) notify the relevant Data Protection Authority (DPA) and potentially after DPA’s approval, notify the concerned Data Subject and Service provider of the Data Breach, through any appropriate means; (b) investigate the Data Breach and provide Data Protection Authority and the Data Subject with information about the Data Breach, through any appropriate means; and (c) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Breach.
(i) An unsuccessful Data Breach attempt will not be subject to this Section. An unsuccessful Data Breach attempt is one that results in no unauthorized access to Data Subject’s Personal Data or to any of ALE’s equipment or facilities storing Data Subject’s Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and
(ii) ALE’s obligation to report or respond to a Data Breach under this Section is not and will not be construed as an acknowledgement by ALE of any fault or liability with respect to the Data Breach.
Notification(s) of Data Breaches, if any, will be delivered to the Data Subjects by any means ALE selects, including via email. It is the recipient’s sole responsibility to ensure it maintains accurate contact information in the Rainbow Service at all times.
Additional terms for personal data transfers out of the EU/EEA and Switzerland:
ALE has implemented the appropriate guarantees in order to ensure existence of an adequate level of protection of Personal Data upon export to territories deemed not having such adequate level of protection by EU (list of territories with adequate level of protection). This means that ALE has concluded contracts with those of its sub-contractors that may be importers of Personal Data out of the EU/EEA in the form of European Standard Contractual Clauses approved by the European Commission. Such clauses include the technical and organizational measures taken by the sub-contractor to protect personal data.
Engaging another Data Processor
ALE’s Affiliates may be retained as Data Processors; and
ALE and ALE’s Affiliates respectively may appoint sub-contractors in connection with the provision of the Services.
Any such sub-contractor will be permitted to obtain Personal Data only for the purpose of delivering the services for which ALE has appointed them, and they are prohibited from using Personal Data for any other purpose.
ALE will be liable for the acts and omissions of its sub-contractors to the same extent ALE would be liable if performing the services of each sub-contractor.
ALE will assist the User and the Data Controller by using appropriate technical and organizational measures, insofar as this is commercially possible, for the fulfillment of the Users’ rights (as Data Subjects) or for the fulfillment of its obligations as per the applicable Personal Data Protection laws and regulations.
To the extent the User or its Data Controller, in its use or receipt of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws, ALE will assist to facilitate such actions to the extent ALE is legally permitted to do so and to the extent such activity is commercially reasonable.
ALE shall, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to, correction, amendment or deletion of that User’s Personal Data. ALE shall not respond to any such Data Subject request without Data Controller’s prior written consent except to advise the Data Subject that such request must be addressed to the Data Controller. ALE shall provide the Data Controller with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that User’s Personal Data, to the extent legally permitted and to the extent the Data Controller does not have access to such Personal Data through its use or receipt of the Services.
Personal data retention:
ALE retains Personal Data for as long as it is needed to fulfill the purpose for which it was collected and within the limit of compliance with laws and regulations.
C. Personal Data ALE collects and uses to deliver the Rainbow Service
ALE will obtain from and concerning the User, at a minimum, the User’s email address, for the purpose of registration of the User to the Service and its usage thereof.
ALE may also obtain other information from and concerning the User which the User optionally enters in order to deliver a better Service experience. Such optional information includes: first name, last name, nickname, job title, other title, photo, phone numbers, other email addresses (together “Registration Information”).
Such Personal Data shall not be used for other purposes than those set forth in the paragraphs below.
ALE uses Registration Information to enroll the Users in the Service, to operate the Rainbow Service, to display the identity of the Users to other Rainbow Users, to notify Users about new or enhanced features and updates of the Service.
ALE may also identify or collect the End-Customer company name with the Users’ email address termination in order to (a) propose to Users additional contacts within the End-Customer’s company and (b) offer directly to the End-Customer’s company additional Rainbow Services.
ALE does not use Personal Data to send commercial or marketing messages without User’s consent except as part of a specific program or feature regarding the Rainbow Service for which the User has the ability to opt-in.
ALE may also use Users’ Personal Data for non-marketing or administrative purposes such as, without limitation, for notifying Users of major changes made to the Rainbow Service or for maintenance and technical service purposes if any provided to the Users.
User generated information
ALE stores User generated information (information that the Users upload, provide or create while using the Service). This includes:
Conferences: in the Service, all discussions, be they supported by text, voice or video, between 2 or n Users, are considered as conferences. Hence all content exchanged in any conversation is considered as User generated information and is stored (to the limit of the retention period described in the section below).
Bubbles: Activity recorded in the bubbles (such as joining or leaving), including activity related to third-party integrations, together with the date, time, Users involved in the activity, and other participants in the bubble
Messages: Message content, sender and recipients, date, time, and read receipts
Content shared: Files and file names, sizes, and types
Audio conferencing: Call participants, date, time, duration, and quality ratings that you provide. We route audio and video call content and screen sharing content between call participants but we do not retain nor store the content. Such connection information is also described as CDR (call details records).
Presence: Status information, for example whether and when you are active, out of office, or have turned on Do Not Disturb, is displayed to other users.
ALE uses this information to provide the User an enhanced experience of the Service, including a persistent history of its interactions with other Users. It should be noted that all messages and content the User shares, including personal information about itself or others, will be available to all other participants of the discussion/call/shared folder, including participants who join the discussion/call/shared folder after the User has shared messages or content.
If the User shares a discussion with another User who is not already in the discussion, when that User joins the discussion he or she will be able to see the list of other Users in the discussion as well as past messages exchanged before he/she has joined the discussion.
When the User is connecting to the Service, connection information generated consists of: IP address, date, time & technical details that are needed to support billing calculation.
Special note concerning Rainbow mobile application:
When the User installs the Rainbow mobile application on its mobile device, the Rainbow mobile application will ask the User permission to access its address book or contact list from its mobile device.
D. When Personal Data is disclosed to others
Registration Information and User Presence
When a User voluntarily (i) joins its End-Customer’s private Rainbow membership or (ii) joins a “Rainbow bubble” (dedicated group of users) or (iii) accepts to be part of another User’s contact list, then the User’s Personal Data and Presence is displayed on the Rainbow Service to (i) other End-Customer’s members, (ii) to other Users in the Rainbow bubble, or (iii) to the other User whose contact list the User has accepted to join, respectively.
Service operation and improvement:
ALE may provide and share the User’s Personal Data with its affiliated companies, subsidiaries or sub-contractors acting as Data Processors on a need to know basis to support ALE for any of the usage purposes set forth in paragraph Registration Information above. The User’s Personal Data is communicated to such entities in accordance with applicable Data Protection law i.e. under agreements ensuring the security and confidentiality of User’s Personal Data. See data transfer paragraph below for more information.
The Service does not operate and can’t be accessed unless the minimum personal data is provided by the User as listed in Registration Information section above. The Service cannot operate the main purpose of the Service (as described in section A above) without such personal data input. This makes the main purpose a legitimate interest, such that no further consent is needed from the User to allow the Data Controller to collect and process such personal data.
The User or the End-Customer may contact ALE if it: (i) wishes to be provided with access to the Personal Data that ALE has collected about a given User, (ii) wishes to review and update a User’s Personal Data or requests deletion of any and all of its Personal Data at any time, (iii) objects, for legitimate reasons, to the processing of its Personal Data. Furthermore, upon any questions or comments about this Rainbow Data Privacy Notice, the User or the End-Customer may contact ALE via email at: firstname.lastname@example.org or via Emily agent while connected in Rainbow Services.
F. ALE’s Commitment to Data Security
ALE intends to protect the personal information entrusted to ALE and treats it securely in accordance with this Data Privacy Notice. ALE implements physical, administrative, and technical safeguards designed to protect any personal information from unauthorized access, use, or disclosure. ALE contractually requires that ALE’s sub-contractors protect such information from unauthorized access, use, and disclosure. The Internet, however, cannot be guaranteed to be 100% secure, and ALE cannot ensure or warrant the security of any personal information Users provide to ALE.
ALE recommends not using unsecured Wi-Fi access or other unprotected networks to connect, use or submit messages through the Rainbow Service. ALE makes reasonable efforts to ensure the security of its systems and uses state of the art high level encryption to protect data in transit.
Media encryption is used to protect the audio and video (if any) that Users transmit during a call. When Users make a call, media is encrypted from User’s device to the other participant devices without going through ALE’s servers. ALE does not store any audio or video call on its servers.
Transport encryption is used to protect all connections to and from the Service and between audio or video call participants. When the User registers to the Service, sends messages, shares Contents, or otherwise connects to the Service, ALE always uses transport encryption. Note that push notifications sent to iOS Users via the Apple service or to Android Users may not be encrypted and are not under ALE’s responsibility.
Should a User or an End-Customer become aware of a Data Breach affecting its Rainbow Service account, then such User or End-Customer must notify ALE immediately using email@example.com
G. Special Note to EU End-Users
The Rainbow Service is hosted in data centers in different geographies. Please refer to our data location policy available at https://support.openrainbow.com. Furthermore, we have the necessary contractual material in place with the Data Center providers to ensure that the level of data protection is adequate in the sense of the GDPR. Finally, ALEI is operating the Rainbow Service instance across all the Data Centers of Rainbow Service network in a uniform manner, compliant with the “adequate” level of data protection expected by the GDPR.
The designer and developer of the Rainbow Service concerning the processing of Users’ Personal Data is ALE International, a French corporation formed as a “Société par Action Simplifiée” with registered office address at 32, Avenue Kléber 92700 Colombes, France, registered at the Nanterre Commerce and Companies Registry under number 602 033 185 RCS Nanterre; more information available at https://www.al-enterprise.com.