Privacy Statement for Personally Identifiable Information of NAEC
Updated: May 29, 2018
The National Association of Elevator Contractors (referred to as "we", "us", "NAEC" or "Association") is committed to protecting your privacy and processing your personally identifiable information (referred to also as "personal data" or "personal information") with transparency. The personal information we collect and process about you depends on the purpose of your visit, your membership status and the service or services you have purchased or otherwise agreed to receive from us.
This privacy statement:
- provides an overview of how NAEC collects and processes your personal information and informs you about your rights according to relevant laws for the protection of personal information, including the European Union's General Data Protection Regulation (GDPR).
- is addressed to natural persons who are either existing or prospective members of the Association or are authorized representatives / assignees, or the beneficial owners of legal or natural persons who are existing or potential clients of the Company.
- is addressed to natural persons who had a business relationship of this nature with the Company in the past.
- contains information regarding when your personal information will be conveyed to / exchanged with other companies or subcontractors of the Association and other third parties.
For the purposes of this statement, personal information is understood to be any information which is relevant to you, with which your identity is or can be identified and which includes, for example, your name, email address, physical address, VAT number, IP address (only when we have collected it in conjunction with directly identifying information) or the information you submit in your private communications with us.
1. Who are we
The National Association of Elevator Contractors, based in Conyers, Georgia, is a not-for-profit association incorporated under the laws of the State of Georgia and in conformance with IRS Code 501(c)(6) as standard practice in order to be in accordance with IRS requirements with the purpose of promoting the common business interests of those engaged in the elevator industry. The term “elevator industry” includes the installation, servicing, manufacturing and distribution of vertical and horizontal handling equipment and other equipment incident thereto, commonly known as freight or passenger elevators, escalators, dumbwaiters, special purpose personnel elevators, moving walks and similar products.
2. Which personal information do we process, where do we collect it from, and for what purposes:
We collect personal information of our current and prospective clients through our website or at tradeshows and upon registration for an NAEC hosted event. We also collect personal information of members in connection with their application to join NAEC and during the course of their membership.
In order to be able to identify clients and members, and provide relevant services to them, the types of personal information we may collect and process include the following:
Invoicing information required by law. Local-state/municipality/country tax laws and the European Union's VAT and invoicing directives require us to collect the following personal information: your name, email address, physical address, company name (if applicable), company activity (if applicable), VAT number (if applicable), IP address, country based on your IP address and the User Agent string of the web browser you used when subscribing. This information is used to generate the legally stipulated invoice upon successful payment of your purchase and for proving your country of origin should it be required in accordance to the European Union's VAT directives.
IP address. Your IP address is temporarily collected whenever you are accessing our site in our web server's logs, our security software's logs and security firewall. This information is used to ensure the security of our web site and to prevent abuse. IP address information is not directly identifiable information but if it's stored in conjunction with your member account information it might be an indirect identifier and may be considered personal information.
Contact information. Any information you volunteer by submitting a contact form or application through this web site’s Contact Us page is personal information subject to this policy. We use this information to respond to your requests. We would also use your information, when provided, and send applicable information when working with you on the following:
- All educational and certification programs
- All regional groups that you attend or are a member of
- Event attendance
- Membership information for NAEC members
3. Personal Information of minors
We do not allow minors (persons under the age of 16) to use our site. Any accounts found in violation of this term will be terminated without a refund and all information pertaining to that user account will be erased.
4. Whether you are legally obliged to provide us your personal information
Providing your invoicing information is legally required in accordance to the European Union's VAT directive and its incorporation to local tax laws. It is unlawful for us to let you make a purchase without issuing an invoice which requires this information. Information not printed on the invoice (IP address, country based on your IP address and your User Agent string) is also required for the same reason, to prove your country of origin for purposes of applying the correct VAT rate.
Your IP address in the context of security and abuse prevention is specifically exempt from requiring your consent per the European Union's GDPR.
5. Why we process your personal information and what is the legal basis
We process your personal information with transparency and as such we will only process your personal information consistent with the requirements of the GDPR and any other applicable data protection laws for one of the following reasons:
5.A. Contractual obligations
We process your personal information to provide the software download and support services we have agreed upon when you subscribed to our services.
When logging in we automatically process your personal information to protect you against unauthorized access to your account and ensure your account safety. We also display parts of your personal information for reasons of personalization of our site's pages and ensuring that it's clear who is the currently logged in user.
When you ask for a username reminder or password reset we automatically process your personal information to provide the service requested.
When downloading our software we are automatically processing your personal information to make sure that you have purchased access to the software you are trying to download and ensure that your account is not being abused.
When using our support ticket system we process your personal information to reply to your request. We also automatically process your personal information to send you automated email notifications about the handling of your request.
When using our contact form we process your personal information to reply to your request. We also automatically process your personal information to send you automated email notifications about the handling of your request.
When you are a subscriber we automatically process your personal information to send you automated transactional emails, i.e. reminders about your subscription expiration and any changes in your subscription's status with us.
5.B To comply with a legal obligation
There are certain obligations in accordance to local and international laws, as well as Directives issued by the European Union, such as the tax laws previously mentioned. These legal obligations require the processing of your personal information. In other cases, we may receive a court order or otherwise be legally obliged to process or convey your personal information to third parties.
When you are subscribing we automatically process your personal information to issue the legally required invoice and send you automated emails with the invoice and information about your purchase. The invoicing information is also sent to our Accountants and Auditors to comply with local tax regulations.
5.C To protect our interests
We process your personal information to protect the legal interests of us and others. A legal interest exists when we have a business or commercial reason to use your information. Even then it must not be against what is fair to you and your best interests. Examples of such processing are as follows:
In case of a suspected abuse or an attempt to compromise, deteriorate, disrupt or otherwise interfere with our services we may process personal information to identify the perpetrator and pursue redress. Such steps may for example (not an inclusive list) include contacting the suspected offender or pursuing the matter legally.
In rare occasions we may send you a personal, manual email to address a concern regarding your subscription e.g. if there is an unexpected problem with your payment as we are notified by the company processing the payment.
In case of a serious security issue in our software where a public announcement is deemed inadequate we may send you an email informing you of the situation, the risks and what you can do.
5.D Because you have given your consent
If you have explicitly provided your consent the processing of your personal information draws its legality upon your explicit consent. You have the right to withdraw your consent at any time. However, any processing which took place before your consent's withdrawal is not affected.
6. Who are the recipients of your personal information
While fulfilling our contractual or legal obligations your personal information may be conveyed to our partners and subcontractors. These providers and suppliers are in contract with NAEC with which they are obliged to uphold the confidentiality and protection of your personal information in accordance to local data protection laws and the GDPR.
The recipients of your personal information are as follows.
- Hannush Enterprises, LLC. The co-developer of our software, www.hannush.com. They have access to member information that is provided in the database that supports you. They also provide backups to that data which is held for 30 days internally and via a secured Dropbox cloud hosting account.
- Purplecat Networks. Contact information for this host is available at https://www.purplecat.net/contact/. They have access to member information that is provided in the database that supports you. They also provide full website backups.
- YourMembership (9620 Executive Center Dr. N #200, St. Petersburg, FL 33702, United States), a third-party membership database that you will soon be able to log into and update, add to or delete membership information.
- Abila Freestone™ Learning Management System (LMS) is a vendor we use to deliver online education, and is located at 10800 Pecan Park Blvd., Suite 400, Austin, Texas 78750.
- Google, Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Provides analytics for our site. Only anonymized information is sent to Google. To the best of our knowledge and technical ability we do not send any personally identifiable information to Google. Even as such, it's unclear whether they should be listed as a data processor. The only way to resolve ambiguity is to list them here but clearly state that to the best of knowledge and technical ability we do not send any personally identifiable information to them.
7. Remittance of your personal information to third-parties in other countries
Your personal information may be transferred to third parties in countries outside the European Economic Area or Switzerland (including as described in section 6 above) which do not have data protection laws equivalent to the standards of the European Union and the GDPR. This may also apply to payments made using a non-EEA payments processing company or support provisioning by our non-EU subcontractors, or whenever this is mandated by law or if you have explicitly consented. All the third parties with whom we share are obliged to comply and conform to the European Union's data protection norms and provide appropriate assurances regarding the remittance of your personal information according to Article 46 of the GDPR.
8. To which extent is there automated decision making, including profiling
In general, in the course of the creation and carrying out of a business relationship we do not use automated decision making. The only automated actions are as follows:
- Application of the correct VAT rate. This is legally mandated and it's based on your country of origin. This does use your personal information (IP address and country kept in your user profile).
- Application of early renewal discounts. If you are renewing an existing subscription before it expires we will apply a discount automatically. However, this does not use your personal information, just the fact that you have an active subscription with us.
In general, we do not perform any kind of automated profiling of our clients and website visitors. We provide the same service to everybody. In case of an abnormally high number of downloads, support tickets or other signs of potential abuse we may process your personal information on file to create a profile of your usual behavior to determine if there is a potential problem with your account.
9. How we deal with your personal information for marketing purposes and whether we use profiling for such activities
In general, we do not base our marketing activities on the personal information we have collected from our clients. We do not perform personalized marketing and we do not make use of profiling for marketing purposes. Instead we use anonymized and/or aggregate information, which is not personal information.
To improve the quality of our marketing activities, no personal information or pseudonymized information will be used for these activities.
If we want to conduct a marketing campaign which includes your personal information, e.g. naming you as the recipient of a raffle, we will seek your explicit consent. In this case you have the right to withdraw your consent at any time. Any processing taking place or marketing campaigns launched before your consent withdrawal shall not be affected.
10. How long do we keep your personal information
We retain your personal information for as long as we have a business relationship with you as evidenced by the existence of an active subscription or a log in to your account.
We are legally required to retain your invoicing information, both as an off-line backup and in the custody of our auditors, for a period of up to TEN (10) years after your purchase.
Within a reasonable time after the termination of our business relationship (explicitly: the expiration of your last subscription with us or your last log in to our site, whichever comes later) the following actions will be taken:
- Your user account will be pseudonymized and locked to make logging in impossible.
- Your private tickets will be permanently removed and you will forever lose access to them. Please note that your public tickets remain intact. Moreover, your ticket system signature is removed.
- Any record of your downloads history is removed from our site (as long as the downloads took place while you were logged in; or downloads and updates obtained using a valid at the time Download ID).
Other logs which may contain personal information such as server access logs and security logs are kept for up to FOURTEEN (14) months.
We may retain your personal information longer than that for regulatory, technical or legal reasons.
Your information may be stored longer than that in encrypted backups. However, we have technical means in place to remove your personal information upon restoring those backups unless otherwise legally required, e.g. in assisting a criminal investigation.
11. Your data protection rights
You have the following rights with regards to the personally identifiable information we keep on file for you:
- Request the correction of the personal information we keep on you. This allows you to correct incomplete or inaccurate information we keep on file for you. This can be done from the My Profile menu item on our site after logging into our site. Please note that correcting your invoicing information is only possible when purchasing a subscription and the correction is applied to newly issued invoices only. This is a legal requirement.
- Ask for the deletion of your personal information (a.k.a. "right to be forgotten"). This lets you request that we delete your personal information when there is no real reason for us to process it. Kindly note that this is impossible for 60 days since your last purchase for taxation reporting reasons.
- Object to processing your personal information (a.k.a. "right to objection") when we base our processing on protecting our interests but there is something special in your situation which makes you want to object to the processing for this reason. If you object we will no longer process your personal information unless we can prove pressing legal reasons for the processing which trump your interests, rights and freedoms. Please note that this is largely inapplicable to our business relationship since our processing is done either on a legal basis, your explicit consent or is exempt from the GDPR protections (e.g. keeping an IP log for security reasons).
- Ask for the limitation of the processing of your personal information. This allows you to ask us to limit the processing of your personal information, that is to use it only for specific cases, if:
  - they are inaccurate;
  - they have been used illegally but you do not wish us to delete them;
  - they are no longer necessary but you want us to retain them for their use in potential legal demands;
  - you have asked us to stop using your personal information but you are waiting for us to confirm if we have legal reasons to use them.
- Ask for a copy of the personal information pertaining to you in a structured, commonly used and machine-readable format, and to convey this information to other organizations. You may also request that we directly convey that file to another organization of your choice. This is also known as "data portability right".
- Withdraw your consent regarding the processing of your personal information at any time. Please note that withdrawal of your consent at any time does not invalidate the legality of the processing based on your consent before that was revoked or withdrawn by you.
According to the GDPR, we will reply to your requests promptly and within 30 days. If you have not received a reply from us for over three weeks (21 days) please retry contacting us with alternate means; most likely your request never reached us. Kindly note that we reserve the right to direct you to our site's tools and / or this Privacy Statement if your concern is readily addressed by it. Per the law, we reserve the right to not reply to your requests if they are too frequent or are otherwise in abuse of the provisions of the law, and in some cases where permitted we may need to charge a fee, which we will notify you of if applicable.
Right to file a complaint
12. Changes in this Privacy Statement
We may periodically modify or amend this privacy statement.
When this happens, we will change the date on the top of the page and keep a change log at the end of this page. We do not have the technical means to notify our clients about any changes. We recommend that you re-examine this statement periodically so that you are always updated on the way we process and protect your personal information.
13. Cookies Policy
Our site uses small text files, known as Cookies, to enhance your experience and work better.