Effective Date: November 02, 2022
Confidentiality and security are fundamental values of Inbenta. This means that we are committed to guaranteeing the privacy of our clients’ personal data at all times, and to collecting only the information that we need, and nothing else.
Below you can find all the necessary information with regards to the personal data we collect, how we process it, and your rights.
1. Who is responsible for the processing of personal data?
The controller of the processing is Inbenta Holdings Inc. and the companies within. The Holdings Inc. group of companies is composed of:
- Inbenta Holdings Inc. Branch in Spain
- Inbenta Technologies, Inc.
- Inbenta France SARL
- Inbenta Brasil Consultoria E Tecnologia LTDA
- Inbenta Chile SpA
- Inbenta Northern Europe BV
- Inbenta Japan LLC
The data is processed by our representative in Europe:
- Company name: Inbenta Holdings Inc. Branch in Spain
- NIF: W4008344F
- Address: Aribau 64, 08011 – Barcelona, Spain
- Contact: [email protected]
With regards to the interpretation of the present policy, the sharing of data between companies within the group is considered legitimate, insofar as the people responsible are part of a business group and may have a legitimate interest in transmitting personal data within the business group for internal administrative purposes, including processing of personal data of clients or employees.
2. Who watches over your data in INBENTA?
The Data Protection Officer of INBENTA, or DPO, is the guarantor of compliance with the data protection regulations within INBENTA.
You can contact the Data Protection Officer of INBENTA at the following address:
- Email: [email protected]
- Postal mail: Antoni Bell 2, 08174 Sant Cugat del Vallès, Barcelona, Spain
3. Who are the data subject groups?
The personal data collected and processed can come from the following data subjects:
Clients and Prospective Clients regarding the use of the INBENTA website:
People who provided us with their data in the different forms on the website to make inquiries or obtain information about our products and services.
People who applied for a personalized demonstration or a free trial.
People who requested communications about news, products, and services and/or promotions from INBENTA.
Users of the chatbot incorporated in INBENTA’s website
Clients of the INBENTA SaaS Platform:
Administrators and Qualified Users of the INBENTA SaaS platform.
End Users of the Messenger service integrated into the social network page belonging to our Clients.
End Users of the INBENTA products offered by our clients on their own services (including client’s operators of the INBENTA SaaS platform).
People who share with us their data to set up the contract (identification, contact, address, bank account…).
People who sent an application to enter personnel selection processes.
Users of the INBENTA SaaS platform.
Current employees who sent an application for an internal promotion.
People who navigate our website and have accepted analytical cookies.
User of the chatbot incorporated in INBENTA’s website.
People, both from INBENTA and third parties, who report a violation of the law and/or internal policies.
4. For what purposes and legitimacy do we use personal data?
At INBENTA, we process personal data to respond to requests for information, respond to your requests or provide contracted services.
This personal data is processed for the legitimate purposes listed below.
4.1 INBENTA as Data Controller
|Purpose||Data subjects||Categories of data||Lawfulness of processing||Retention Period|
Formalization, development, and execution of the contract
The processing of the personal data of the contact persons of our clients and providers is necessary for the conclusion of the contract between Inbenta and our clients and providers, as well as for the maintenance, development, and execution of the contractual relationship.
Inbenta processes the personal data of our clients and providers’ contact persons, among others, to manage the commercial and mercantile relationship with them. Within the framework of managing the quality of our services, Inbenta may also process your data to carry out statistical, quality, technical analysis studies, or satisfaction surveys.
||As a general rule, customer contract data shall be retained indefinitely for future reference, with the exception of cases in which the data subject exercises his or her right of deletion and where this is duly justified. Such data shall only be accessed by Inbenta’s senior management for consultation purposes.|
Prospecting of possible new clients or upsells to active clients
Inbenta uses the details provided and the conversations held during videoconferences, to prospect on potential clients or upselling to active clients. Inbenta may identify the persons who attend the meeting and process the information provided in such conversations.
Inbenta’s legitimate interest to use the content of the conversations for internal training of the Sales team.
Explicit and express consent freely given by the data subject before entering the meeting.
|The data will be kept for a maximum period of 180 days from the last communication with the data subject.|
Response to requests for information or contact
At Inbenta we use the contact details provided to respond to your requests and inquiries regarding products and services, either made using the form available on the websites or directed to the contact email addresses that are published.
||It should be retained for as long as necessary to achieve the purpose, but no longer than 1 year from the time of response.|
Sending communications through the newsletter
Inbenta processes the contact data provided to inform subscribers to the newsletters. This information can be about products, services, activities, news, and/or any promotion that may be of interest to them and related to Inbenta’s activity.
||It should be retained for as long as necessary to achieve the purpose, but no longer than 1 year since the last communication, or the revocation of their consent.|
Request for personalized demonstrations
At Inbenta we use the contact information provided by interested parties to schedule a personalized demonstration.
||It should be retained for as long as necessary to achieve the purpose, but no longer than 1 year since the last communication.|
Request for a free trial
At Inbenta we use the contact details provided by interested parties to provide a free trial of our products.
||It should be retained for as long as necessary to achieve the purpose, but no longer than 1 year since the last communication.|
Content download request
At Inbenta we use the contact information provided by interested parties so that they can download some of the content that we make available to users.
||The recommendation is that it should not be kept longer than necessary, but not longer than 1 year or the revocation of the consent.|
At Inbenta we offer a chatbot service to interact with website users who wish to obtain more information about our products and services.
||The recommendation is that it should not be kept longer than necessary, but not longer than 6 months since last communication.|
Website visit analytics
Inbenta uses various techniques to collect information. These techniques can be used to obtain analytical data about visits to and browsing through the pages of our websites.
For more information consult the Cookies Policy.
||Data will be kept in accordance with the terms identified in the cooky policies and the privacy policies of the analytics service providers.|
Process applications to open selection processes
Inbenta processes the personal data of the people who want to apply to the open selection processes at Inbenta, to validate these candidacies against the positions to which they apply.
||1 year shall be the recommended period for the retention of documentation from the end of the processing, subject to the data subject’s express consent.|
Report of violations of the law or internal policies
Inbenta receives any report from employees, collaborators or any third party potentially affected by a violation of a legal requirement or the principles of our Code of Conduct.
You can report any possible violations by sending an email to [email protected].
||The reports will be stored for a period not exceeding that strictly necessary to respond to them and store evidence in case of legal proceedings, until there is a final judgment, with a maximum period of 10 years.|
4.2 INBENTA as Data Processor
|Purpose||Data subjects||Categories of data||Lawfulness of processing||Retention Period|
Processing carried out on behalf of a controller for the provision of services provided to our clients.
The provision of the services that Inbenta (the processor) provides to our clients (the controllers) implies the commission of processing of personal data that are under the responsibility of our clients.
Even in the case that clients integrate the Inbenta technology with third-party applications or social networks, the client is the controller of this processing and Inbenta is the processor of the data that is ingested from these external sources.
Will slightly vary depending of Client’s instructions.
||Data will be kept in accordance with the Inbenta Data Processing and retention Policy, which is published on the website, and is included in the Service Contract.|
5. How long does INBENTA keep the data?
In general, the data is kept for as long as necessary to fulfil the purpose for which the data was collected and determine the possible responsibilities that may arise from said purpose and from the processing of the data.
Among others, it implies that INBENTA keeps the personal data of the data subjects for the duration of their connection with us and, where appropriate, during the period that is necessary for the formulation, exercise or defense of potential claims, or to comply with the legal obligations determined by the applicable legislation.
In particular, retention periods can be consulted on the table above.
6. Who does Inbenta communicate your data to?
Your personal data is not transferred to third parties, unless doing so is necessary to respond to your request, we are required by law, or the data subject has given us their consent.
We may also communicate data to companies that provide us services which are necessary for the ordinary and administrative activity of the company as processors, within the framework of the provision of services such as, but not limited to, providers of email services, web service hosting, server hosting, SaaS application services, cloud file archiving and others.
INBENTA may also make assignments or communications of personal data to meet its obligations with public authorities in the cases that are required in accordance with the legislation in force at all times and, where appropriate, if required by other public bodies in compliance with national security, public order or law enforcement requirements, as long as these requests are endorsed by the judicial bodies under the jurisdiction in which INBENTA operates.
As controllers, we may share data among Inbenta affiliates, based on legitimate corporate interest. International transfers among Inbenta affiliates are covered by the guarantee provided by our Standard Contractual Clauses (SCC).
7. How are international transfers treated?
The provision of these services may involve the processing of personal data by companies located in countries outside the European Economic Area (international data transfers). However, it will only be done with countries that offer an adequate level of protection or have made available to us Standard Contractual Clauses (SCC) in accordance with the decision of the European Commission to Data transfers from controllers in the EU to processors established outside the EU.
Specifically, information we collect from you might be processed in the United States, and by using these services you acknowledge and consent to the processing of your data in the United States. The United States has not yet received a finding of “adequacy” from the European Union under Article 41 of the GDPR, which means your data might not receive equal protection under the GDPR.
Please note that transfers to the US are limited, and in particular, transfers from large cloud companies (Google, Youtube, etc.) could be declared illegal in court. Therefore, this paragraph should not be understood as a disclaimer that may protect the company in case of inspection, but rather as a gesture of good faith or transparency that allows users to make a better decision.
Inbenta Technologies Inc. is responsible for the processing of personal data it receives, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. We comply with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to obligations arising from the Privacy Shield Framework, Inbenta Technologies Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and/or the U.S. Department of Transportation. In certain situations, Inbenta Technologies Inc. may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Under certain conditions, more fully described at https://www.privacyshield.gov/, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Prior to the Schrems 2 decision (Case C-311/18), Inbenta relied on the EU-U.S. Privacy Shield Framework as the data transfer mechanism for data transfers from the European Union and Switzerland to the United States. Now that the Privacy Shield is invalidated by the European Courts for transfers from the European Union and Switzerland to the United States, Inbenta relies on Standard Contractual Clauses (SCCs) for said transfers.
Inbenta makes every effort to comply with the legal requirements regarding international transfers. In order to comply with them, a Transfer Impact Assessment (hereinafter, “TIA”) has been internally approved, that documents all of the international data transfers from Inbenta to our international providers. If you consider it necessary to consult our TIA, you can send us an email to [email protected].
8. How can I exercise my rights?
8.1. Your GDPR (European Economic Area – EEA) rights
Anyone has the right to obtain information about what data INBENTA is processing. Here are your rights:
Interested persons have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.
In certain circumstances, the interested parties may request the limitation of the processing of their data, in which case they will only be kept for the exercise or defense of claims.
In certain circumstances and for reasons related to their particular situation, the interested parties may oppose the processing of their data. INBENTA will stop processing the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
Portability: The interested party shall have the right to receive the personal data that concern them, that they have provided to INBENTA, in a structured format, of common use and mechanical reading when: a) the treatment is based on consent or a contract, and b) the treatment is carried out by automated means.
We inform you of your right to file a claim with the control authority (AEPD) in the event that the exercise of your rights indicated here has not been satisfied.
To exercise the aforementioned rights, you can contact us to [email protected] indicating the following information:
- First name and last name
- ID number (if applicable by country)
- Contact email
- Right you want to exercise
- Data on which you make your request
Within a maximum period of one month we will resolve your request by notifying you to your indicated email.
8.2. Your UK-GDPR Rights (UK)
The current UK GDPR and the Data Protection Act 2018 provides our UK visitors with the same rights as European citizens. If you are a UK citizen, please contact us at [email protected] to exercise the following rights:
- Be informed about how your data is being used
- Access personal data
- Have incorrect data updated
- Have data erased
- Stop or restrict the processing of your data
- Data portability (allowing you to get and reuse your data for different services)
- Object to how your data is processed in certain circumstances
Inbenta is paying close attention to the upcoming ‘Data Protection and Digital Information Bill’ (“DPDI Bill”) and will endeavour to ensure that your UK data protection rights are respected.
8.3. Your CCPA (California Privacy) rights
Under California law, California residents are entitled to ask us for a notice identifying the categories of personal customer information that we share with certain third parties for marketing purposes, and providing contact information for such third parties. If you are a California resident and would like a copy of this notice, please submit a written request to us via email at [email protected]. You must put the statement “Your California Privacy Rights” in your request and include your name, street address, city, state, and ZIP code. We are not responsible for notices that are not labeled or sent properly, or do not have complete information.
California has passed a law called the California Consumer Privacy Act (CCPA). If the CCPA is applicable to you, you have the right to:
- know the categories of personal information collected about you in the prior 12 months and its sources and business purpose;
- know whether your personal information is sold or disclosed, and to whom, in prior 12 months;
- if “sale” of info, right to opt out of the sale of your personal information;
- access and then delete your personal information (subject to exceptions); and
- equal service and price (non-discrimination) if you exercise your privacy rights.
“Personal Information” is defined to include information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household. This includes (among other types of personal information) IP addresses, geolocation data, biometric information, and “unique identifiers” such as device and cookie IDs, Internet activity information like browsing history, commercial information such as products or services purchased or consuming histories or tendencies, and characteristics concerning an individual’s race, color, sex (including pregnancy, childbirth, and related medical conditions), age (40 or older), religion, genetic information, sexual orientation, political affiliation, national origin, disability or citizenship status.
Inferences drawn from personal information “to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” are also considered “personal information.”
Contact us at [email protected] to exercise your CCPA rights.
Request for Erasure. For identity verification purposes, Inbenta requires anyone submitting an erasure request to submit the subject’s full name, email address, and home address related to the subject’s Inbenta account or Inbenta communications. Inbenta will submit a verification email to the requestor who will be required to re-authenticate the request for erasure. Inbenta relies upon this information to ensure the information on the correct individual is removed.
Do Not Sell My Information. We take your privacy seriously. We do not sell our members’ information. We are not a data broker. You will not need to opt-out of the sale because there shall be no sales made on INBENTA’s behalf.
Minors Personal Information. INBENTA’s services are not aimed to, nor intended to be used by, individuals under the age of 18, or the equivalent minimum age. INBENTA guarantees that, in the unlikely event that INBENTA’s Client collects minors’ information, no information shall be sold to third-parties.
If you are a California resident, you can request information regarding the disclosure, if any, of your personal information by Inbenta to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to [email protected], subject line: CCPA Request.
8.4. Your Nevada rights (Nevada, US)
You may review and request changes to your information or opt-out of the sale of your personal information at [email protected].
8.5. Your LGPD rights (Brazil)
The Lei Geral de Proteção de Dados or General Data Protection Law in English (LGPD) is a legal framework to regulate the collection and use of personal data of Brazilian residents. If the LGPD is applicable to you, you have the right to:
- confirm that your personal data is being processed;
- access your personal data;
- correct incomplete, incorrect or out-of-date personal data;
- have anonymized, blocked, or deleted any unnecessary, excessive, or non-compliant personal data;
- request that a data controller moves your personal data to another service or product provider (data portability);
- delete your personal data (with exceptions);
- be given information on public or private entities with whom, and how your personal data has been shared;
- be given information about your rights to not give consent to process your personal data, and consequences of refusal; and
- revoke consent to process your personal data.
Contact us at [email protected] to exercise your LGPD rights.
You can lodge a complaint regarding any of the above mentioned rights with Brazil’s National Data Protection Agency (ANPD), as well as with the appropriate Consumer’s rights authorities (PROCON) of your Brazilian state of residence.
8.6. Your Data Subject Rights (Japan)
If requested by a principal, Inbenta must disclose in writing and without delay to the principal, the principal’s personal data held by it, unless the principal has agreed to receive it by other means (e.g. as electronic data). Access can be refused if it would result in:
- injury to life or bodily safety, property or other rights and interest of the principal or any third party;
- a material interference with the Inbenta’s business operations; or
- a violation of other Japanese laws prohibiting disclosure.
Principals also have the right to revise, correct, amend, or delete their personal data, and to request the cessation of use of their personal data if it is used for a purpose other than the one originally stated, or if it was acquired by fraudulent or other unlawful means. If a principal requests a Inbenta to cease using their personal data, the Inbenta must do so unless the request is unreasonable, or the cessation would be costly or would otherwise be difficult (e.g. the recall of books already distributed). In this case, Inbenta must take alternative measures to protect the rights and interests of the principal. Inbenta must notify the principal without delay of whether the requested action has been taken, and, if not taken, must endeavour to explain the reasons why. A principal can enforce its rights to require revision, etc. of its personal data by civil action if such a request is not complied with within two weeks of being made.
Principals do not have any of the rights above if:
- the personal data will be deleted within six months of collection; or
- if the principal or other person comes to know that there is such personal data held by Inbenta which might result in:
- injury to the life or bodily safety, property or other rights and interest of the principal or any third party;
- encouraging illegal or unjust acts;
- endangering national security, damage a trusted relationship with a foreign country or international organisation;
- disadvantage the country’s negotiation with a foreign country or international organisation; or
- present an obstacle to the prevention, suppression, or investigation of crimes or otherwise impairing public safety and order.
2020 Amendments: Under the 2020 Amendments, the following provisions relating to principal rights will also apply:
- principals will have the right to access to a Inbenta’s record of data transfers to third parties;
- personal data which Inbenta will delete in six months will no longer be exempted from the principals’ right to access;
- a principal will have the right to require Inbenta to cease using personal data or to cease transferring personal data to third parties if Inbenta no longer needs to use the data, a data breach has occurred, or there is a likelihood of infringement of the principal’s rights or lawful interests due to Inbenta’s handling of the personal data; and
- pseudonymously processed information is not subject to the principal’s right to access or cessation of use.
Right to be informed
Collection & use of personal information:
- not collect personal information by fraudulent or other unlawful means; and
- notify the principal of the purpose of utilisation prior to the collection of the personal information unless it has published the purpose of utilisation in advance in a manner readily accessible by the principal.
2020 Amendments: It is clarified that a purpose of utilisation must be specified in a manner not abstract or general but detailed enough to reasonably enable the Data Subjects to anticipate how and for what purposes their personal information will be used. In light of this, it is also clarified as an example that if Inbenta analyses the data Subjects’ behaviour or interests, such as history of their online browsing or purchases, for marketing, it must be stated as a purpose of utilisation.
Public announcements: Inbenta must make the following items readily accessible to each principal:
- name of Inbenta;
- purpose of utilisation of personal information retained;
- the procedure for the principal to require access, correction, etc. of their personal data; and
- where to complain about the PIHBO’s handling of personal data.
The following items are added:
- address of Inbenta;
- name of the representative person of Inbenta; and
- data security measures taken by Inbenta
The following descriptions are indicated by the PPC as examples of data security measures which satisfy the requirement (the PPC also indicates that the level of security measures can be relaxed for ‘small or medium sized business operators,’ as described below):
- establishment of basic principles concerning compliance with applicable laws, handling enquiries and complaints, etc.;
- establishment of rules on the manner of data processing, staff in charge, their responsibilities, etc. on each of step of collection, use, storage, transfer, deletion of personal data;
- organisational security measures: appointment of staff in charge, their responsibilities, reporting line, external audit system, etc.;
- staffing security measures: staff training, confidentiality obligations of staff, etc.;
- physical security measures: room access control, access authorisation control, restriction of bringing out devices or personal data, etc.; and
- technological security measures: access control, firewall from unauthorised access, etc.
Right to access
There is no specific right for a data subject to access its personal information; see the opening paragraph re disclosure of personal information held.
Right to rectification
Please see section on data subject rights above.
Right to erasure
Please see section on data subject rights above.
Right to object/opt-out
Please see the right to request cessation of use outlined in section on data subject rights, above and the right to opt out in section on data transfers.
Contact us at [email protected] to exercise your Data subject Rights.
9. How is my data secured?
The security and confidentiality of your personal information is very important to INBENTA. We have implemented commercially reasonable technical and organizational safeguards to appropriately protect your personal information against accidental, unauthorized, or unlawful access, use, loss, destruction or damage. The measures that we utilize are administrative, such as the training of employees on privacy and information security-related activities, technical, such as pseudonymization, encryption techniques, and network firewalls, and physical, such as physical access control. For more detailed information on our technical and organizational measures (TOMs) please visit Security and Privacy – Inbenta.
Still, no system can be guaranteed to be 100% secure. If you have questions about the security of your personal information, or if you have reason to believe that the personal information that we hold about you is no longer secure, please contact us immediately as described in this Privacy Notice.
10. Changes to this Policy
We encourage you to periodically review this page for the latest information on our privacy practices.