Data Policy
1. PURPOSE
This Data Protection Policy (hereinafter – the "Policy") outlines the procedures for the collection, access, security, and use of data to comply with Greynut LLC’s (hereinafter – the "Company") obligations under Latvian data protection standards and the EU General Data Protection Regulation (GDPR). The Policy aims to ensure that the Company:
- Complies with applicable data protection laws and adheres to best practices;
- Protects the rights of its staff, customers, and partners;
- Is transparent about its methods for storing and processing personal data; and
- Safeguards itself against risks of data breaches.
2. SCOPE
This Policy applies to:
- All employees and interns of the Company;
- All contractors working on behalf of the Company.
3. DEFINITIONS
For the purposes of this Policy:
- Company refers to Greynut LLC.
- Brand refers to Luxafor.
- Sensitive Data refers to confidential information that must be kept secure and inaccessible to unauthorized individuals unless permission is granted.
- Personal Data refers to information relating to an identified or identifiable individual, whether through direct identification or in combination with other data.
- Processing refers to any operation or set of operations performed on personal data, whether by automated means or otherwise, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or destruction.
- Third Party refers to any natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons under the direct authority of the controller or processor who are authorized to process personal data.
- Data Subject refers to a natural person whose personal data is processed.
- Disclosure refers to making personal data accessible to authorized parties.
- Data Destruction refers to the irreversible process of destroying data stored on electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
4. DATA COLLECTION
1. Company web page www.luxafor.com:
a) For user account:
- E-mail address – mandatory
- Billing address – optional
- Shipping address – optional
- Payment method – optional
- First and last name – optional
b) For purchase order processing:
- First and last name – mandatory
- Billing address: Country, street, city, ZIP code – mandatory
- E-mail address – mandatory
- Means of payment (payment card or PayPal data) – mandatory
c) For promotions and e-mail subscriptions:
- E-mail address
2. Company applications:
a) Luxafor 2.0 app – the app uses personal data to facilitate integration with IFTTT. Specifically, it collects users' e-mail addresses solely for the purpose of authentication during login. Additionally, the application collects users' e-mail addresses only if they opt in to receive e-mail notifications from the Company.
b) Luxafor Smart Button app – the app uses personal data to facilitate integration with IFTTT. Specifically, it collects users' e-mail addresses solely for the purpose of authentication during login. Additionally, the application collects users' e-mail addresses only if they opt in to receive e-mail notifications from the Company.
c) Luxafor CO2 Dongle app – the app only collects users' e-mail address.
d) Luxafor Pomodoro Timer app – no data collected from users.
e) Luxafor Mute Button app – no data collected from users.
Our apps have met all the security standards for them to be offered in the Microsoft and Apple app stores. Here you can read more about those:
In short: We use the permissions to access the e-mail address (simply displayed within our app to show who is currently logged in) and the current presence status of the logged-in user. The only thing we store is the access/refresh tokens, to preserve the logged-in user. The tokens are stored and encrypted using the Microsoft Authentication Library (MSAL) and reside entirely in Local AppData. As for presence information, we request the current presence status from the Microsoft Graph API, process it so that our hardware devices can react accordingly, and discard it afterwards. The third permission mentioned is the offline_access scope, which lets us obtain a refresh token (used to renew the access token), so the user does not need to log into the application manually every hour. By default, the Microsoft-provided C# library requests three scopes: offline_access, openid and profile. On top of those, we request two additional scopes: user.read and presence.read.
https://learn.microsoft.com/en-us/graph/api/conditionalaccessroot-list-policies?view=graph-rest-1.0&tabs=http
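As an added illustration (example code, not Luxafor's own), the following C# sketch shows the minimal MSAL.NET flow described above: requesting only the user.read and presence.read scopes on top of MSAL's defaults, keeping the token cache under Local AppData (here protected with Windows DPAPI as a stand-in for MSAL's cache-encryption extension), and reading /me/presence from Microsoft Graph without persisting it. The client id, folder and file names are placeholders.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Example only; not Luxafor's code. Requires the Microsoft.Identity.Client and
// System.Security.Cryptography.ProtectedData packages (Windows, .NET 6+).
static class PresenceExample
{
    // Placeholder: replace with the app registration's client id.
    const string ClientId = "<client-id-placeholder>";

    // Only the two delegated scopes the policy names. MSAL itself adds
    // offline_access, openid and profile to every request.
    static readonly string[] Scopes = { "user.read", "presence.read" };

    // Hypothetical cache location under Local AppData.
    static readonly string CachePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleApp", "msal_cache.bin");

    static IPublicClientApplication BuildApp()
    {
        var app = PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "common")
            .WithDefaultRedirectUri()
            .Build();

        // Decrypt the serialized cache when MSAL reads it ...
        app.UserTokenCache.SetBeforeAccess(args =>
        {
            if (File.Exists(CachePath))
            {
                byte[] plain = ProtectedData.Unprotect(
                    File.ReadAllBytes(CachePath), null, DataProtectionScope.CurrentUser);
                args.TokenCache.DeserializeMsalV3(plain);
            }
        });
        // ... and encrypt it for the current Windows user before it touches disk.
        app.UserTokenCache.SetAfterAccess(args =>
        {
            if (args.HasStateChanged)
            {
                Directory.CreateDirectory(Path.GetDirectoryName(CachePath)!);
                byte[] sealedBytes = ProtectedData.Protect(
                    args.TokenCache.SerializeMsalV3(), null, DataProtectionScope.CurrentUser);
                File.WriteAllBytes(CachePath, sealedBytes);
            }
        });
        return app;
    }

    static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication app)
    {
        var account = (await app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Silent first: the cached refresh token (offline_access) renews the
            // access token, so the user is not prompted every hour.
            return await app.AcquireTokenSilent(Scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token: fall back to an interactive sign-in.
            return await app.AcquireTokenInteractive(Scopes).ExecuteAsync();
        }
    }

    static async Task<string> GetPresenceAsync(string accessToken)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);
        // Presence is read on demand; the JSON is used in memory and never written to disk.
        using var resp = await http.GetAsync("https://graph.microsoft.com/v1.0/me/presence");
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }

    static async Task Main()
    {
        var app = BuildApp();
        AuthenticationResult auth = await SignInAsync(app);
        // The e-mail address is only displayed, not stored by this code.
        Console.WriteLine($"Signed in as {auth.Account.Username}");
        string presenceJson = await GetPresenceAsync(auth.AccessToken);
        Console.WriteLine(presenceJson); // processed, then discarded with the process
    }
}
```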
Data collection for purchase order processing is governed by the following regulations:
1. European Union: GDPR Article 6(1)(b)
2. California, USA: CCPA Section 1798.140(o)(2)
3. Canada: PIPEDA Principle 4.3.2 – Consent
4. Australia: APP 3 - Collection of Solicited Personal Information
5. Singapore: PDPA - Key Concepts
6. United Kingdom: DPA Part 2, Chapter 2, Section 8
7. Switzerland: FADP Chapter 5
8. Japan: APPI Chapter 4
9. New Zealand: Privacy Act 2020, Part 3, Section 22
10. Qatar: DPL Chapter 3, Article 8
5. DATA ACCESS
Access to data within the Company is granted strictly on a need-to-know basis:
- Employees may only access data if required for their duties.
- Access requests must be approved by the respective manager.
Employees must keep data secure by adhering to the following guidelines:
- Use strong, unique passwords and never share them.
- Avoid disclosing personal data to unauthorized individuals.
- Regularly review and update data to ensure it remains accurate and necessary.
- Seek assistance from a manager if unsure about data protection responsibilities.
- Ensure all systems are up to date to comply with the latest security practices.
- Verify that vendors and partners enforce robust data security standards.
6. DATA SECURITY
To ensure the protection of private data:
- Screens are locked when unattended.
- Employees do not store copies of personal data on personal devices.
Secure passwords are used across all platforms, meeting the following criteria:
- Minimum 8 characters
- At least 1 uppercase letter
- At least 1 special character
This policy aims to protect the Company from data security risks, including breaches of confidentiality, lack of data control, reputational damage, third-party risks, and phishing or social engineering attacks.
7. DATA USE
All employees, contractors, and third-party service providers must ensure that data is handled in accordance with this Policy:
- The operations manager is responsible for ensuring compliance with legal obligations.
- The operations manager oversees data protection queries, access requests, contract approvals, system security, and third-party service evaluations.
- The operations manager manages data protection statements, media inquiries, and marketing initiatives.
8. AUTHORIZATION AND AUTHENTICATION
Access to data is given only to those employees whose job responsibilities require access to sensitive information. Authorizations are reviewed annually, or whenever major changes occur. Authentication to systems is set and maintained at a level appropriate to the sensitivity of the data stored in them.
9. COMPLIANCE STANDARDS
The Company adheres to the following data protection principles, including but not limited to:
- GDPR Article 5: Ensuring data is processed lawfully, fairly, transparently, for specific purposes, and kept secure.
- New Zealand Privacy Act Part 3, Chapter 22: Limiting data collection to lawful, necessary purposes.
- Switzerland’s FADP Article 8: Maintaining appropriate data security measures to prevent breaches.
- California CCPA: Informing consumers about the categories and purposes of personal data collection and usage and retaining data only as long as necessary.
10. INCIDENT RESPONSE
This section outlines the Company’s response to data security incidents to minimize impact and comply with legal requirements. Key steps include:
- Incident Identification: Continuous monitoring, immediate reporting.
- Incident Classification: Severity assessment and categorization.
- Containment: Immediate and long-term containment actions.
- Eradication: Root cause analysis and threat removal.
- Recovery: System restoration, verification, and monitoring.
- Incident Notification: Internal and external notification procedures.
- Post-Incident Review: Documentation, analysis, and process improvement.
- Training and Awareness: Regular training and simulated incident response exercises.
- Compliance and Legal Considerations: Adherence to regulations, with legal counsel as needed.
- Continuous Improvement: Regular reviews and updates to the incident response process.
11. DATA DESTRUCTION
Data destruction will only occur following state and federal legislation, including GDPR Article 17 and CCPA Section 1798.105. Data must not be destroyed if subject to a subpoena, formal access request, or ongoing legal action, even if the minimum statutory retention period has expired. Destruction processes must be overseen by the responsible employee.
12. DATA STORAGE
Data storage in the Company complies with the following guidelines:
- Paper records are to be secured in locked drawers or cabinets when not in use.
- Printouts are not to be left unattended; unauthorized access should be prevented.
- Paper documents are to be shredded and securely disposed of when no longer needed.
- Electronically stored data is protected by strong passwords and stored only on designated drives and approved cloud services.
- Data is regularly backed up according to the Company’s backup procedures.
- All servers and computers containing data have approved security software and firewalls installed.
13. PRIVACY POLICY
This Policy is applicable in cases when the Company, or the Company together with its Cooperation Partners, processes personal data.
1. Definitions
Controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Third party is a natural or legal person, public authority, agency or body other than the Data Subject, the controller, the processor and persons who, under the direct authority of the Controller or the Processor, are authorized to process Personal Data;
Personal data is any information relating to an identified or identifiable natural person (Data Subject);
Data Subject is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, phone number, e-mail address, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or being made available otherwise, alignment or combination, restriction, erasure or destruction;
Customer is any natural or legal person who uses, has used, or has expressed a wish to use any services provided by the Company or is in any other way related to them;
2. General Provisions
2.1. This privacy policy, hereinafter - the Privacy Policy, describes the procedure by which the Company handles the personal data that comes into its possession. Depending on the legal basis of the data processing, the Company may be a controller, a processor or a third party;
2.2. The Company shall ensure the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organizational measures to protect personal data from unauthorized access, unlawful processing or disclosure, accidental loss, alteration or destruction;
2.3. In cases where the Company acts as a controller of personal data, it shall determine the purposes and means of personal data processing;
2.4. In cases where the Company acts as a processor of personal data, the Company shall process personal data on behalf of the controller;
2.5. In cases where the Company acts as a third party, the Company is authorized to process personal data under the direct supervision of the controller or processor;
2.6. In cases where the Company processes data, the Company may use approved personal data processors for personal data processing. In such cases, it shall take the necessary measures to ensure that such processors process personal data in accordance with the instructions of the Company and in accordance with applicable laws and regulations and require appropriate security measures to be taken;
2.7. If the Company updates this Privacy Policy, the current version of the Policy shall be published on the Company's Site, while you may get acquainted with the historical versions of this Policy by contacting the Company and sending an e-mail to: support@luxafor.com
3. How the Company obtains the data of natural persons
3.1. The Data Subject submits their data to the Company;
3.2. The Company receives personal data from its Customers;
3.3. The Company receives personal data from third parties;
3.4. The Company records your data, which is located in the public space (media, social networks, your workplace website, etc.);
3.5. You are visiting our website (see Cookie Policy);
3.6. You participate in corporate events organized by the Company, where you can be photographed or filmed;
3.7. You participate in our surveys, contests, etc.;
3.8. You participate in business forums or business networking, your contact information on social networks (such as LinkedIn) is shared for the purpose of mutual communication, or you follow us on social media, contact us, etc.;
3.9. You visit our office;
3.10. You add your data in the Company's systems;
3.11. You apply for our services using the registration forms posted on our website. In cases where the Company obtains data from the controller, any responsibility for informing the Data Subject shall rest with the relevant controller.
The Company does not perform video surveillance in its office.
4. What personal data may be processed by the Company?
Depending on the nature of the data processing, the Company may process the following personal data:
- Personal identification data - first and last name;
- Personal contact information - address, telephone number, e-mail address;
- Personal workplace data - workplace;
- Actions taken on internet websites - IP address, actions taken, date and time;
- Data published by a person on social networks;
- Survey and contest data - name or date of the survey or contest, date of the answer, questions/tasks of the survey and answers provided;
- Photos, videos of corporate events, date, place of the photos;
- Photos uploaded to Company systems or sent to us via email;
- Your contact details from social media accounts used for exchanging details, such as LinkedIn;
- Communication data, in case of communication between us;
- Data of various categories, including, in exceptional cases, data of special categories, which the Company processes within the framework of various projects as a controller, processor or as a third party based on the authorization of the Controller.
Depending on the provided service, the provided product, the nuances of cooperation, your above-mentioned data may be processed to different extents, in different combinations, with different purposes, and on different legal grounds, as mentioned in this privacy policy.
5. Legal basis for data processing
5.1. Conclusion and performance of the agreement - for the Company to be able to conclude and perform the agreement concluded with the Customer, providing high-quality services, it must collect and process certain personal data (GDPR Article 6(1)(b));
5.2. Legitimate interests of the Company - to observe the interests of the Company, based on compliance with the requirements of applicable laws and regulations, and to provide high-quality services and timely support to the Customer, the Company may process the Customer's personal data to the extent objectively necessary and sufficient. In addition, processing personal data to provide information about news in the field in which the Company operates and about new development opportunities, including direct marketing, shall be considered a legitimate interest; on this basis the Company may individually address various persons to inform them about news in the field, education and development opportunities, and new and/or individually prepared offers of the Company's products and services. However, the Company respects the wishes of the Data Subject and provides an opportunity to opt out of receiving the above information (GDPR Article 6(1)(f));
5.3. Fulfillment of legal obligations - the Company is entitled to process personal data to comply with the requirements of the laws and regulations, as well as to provide answers to lawful requests of the state and local government authorities (GDPR Article 6(1)(c));
5.4. Consent of the Data Subject. The Data Subjects themselves consent to the collection and processing of personal data for specified purposes. Consent is their free will and an independent decision that can be given at any time, thus allowing the Company to process personal data for specified purposes. The Data Subject may withdraw their prior consent at any time through the specified channels of communication with the Company. The applied changes shall come into effect within three working days. Revocation of consent shall not affect the lawfulness of processing which is based on the consent before revocation (GDPR Article 6(1)(a));
5.5. Protection of vital interests. The Company may process personal data to protect the essential interests of the Customer, Cooperation Partner or other natural person, for example if processing is necessary for humanitarian purposes, monitoring of natural disasters and epidemics caused by human beings and the spread thereof, or in emergency humanitarian situations (acts of terror, technological disaster situations, etc.) (GDPR Article 6(1)(d));
5.6. Exercise of official authority or public interest. The Company may process data to perform a task in the public interest or in the exercise of official authority legally granted to the Company. In such cases the grounds for personal data processing are included in the laws and regulations (GDPR Article 6(1)(e));
5.7. If the Company processes the data as a processor based on a duly concluded agreement with the data controller, the Company shall follow the instructions given by the controller;
5.8. If the Company performs activities with personal data as a third party on the basis of a duly concluded agreement with the data controller, the Company shall comply with the authorization granted by the controller.
6. Purposes of data processing
The following purposes of data processing are distinguished:
6.1. General management of relations with the Customer and provision and administration of access to products and services, in order to enter into and execute an agreement with the Customer; deliver the purchased service or product, verify the availability and quality of the service or product, to fulfill the obligation imposed by law, provide reports and declarations, calculate and pay taxes, to ensure high quality, timely service and cooperation during the term of the contractual relationship; to ensure the timeliness and accuracy of the data by checking and supplementing the data;
6.2. The Company shall process personal data for email marketing purposes and customer relationship management using third-party services to manage email subscriber lists and send emails to our Customers;
6.3. Create a corporate link between the Company and its Customers;
6.4. Find out the opinion of the Customers and others about the work of the Company, necessary improvements;
6.5. Defend Company's legal rights;
6.6. The Company is entitled to process the data for the above, as well as for other purposes, if there is a legal basis for it.
7. Rights of the Data Subject
The Data Subject has the following rights with regard to the processing of their data:
7.1. If the Company receives personal data from the Data Subject, the Company shall provide all the following information to the Data Subject during the acquisition of personal data:
7.1.1. registration number and legal address, contact information of the Company;
7.1.2. the contact details of the data protection specialist, if any;
7.1.3. the purposes of processing for which the personal data is intended, as well as the legal basis for the processing;
7.1.4. legitimate interests if the processing is based on Article 6 (1) (f) of the Regulation;
7.1.5. recipients or categories of recipients of personal data, if any;
7.1.6. whether the data shall be transferred to a third country or international organization, if so, the relevant information in accordance with the requirements of applicable laws and regulations.
7.2. In addition to the above, during the collection of personal data the Company shall show the Data Subject this Policy, which ensures fair and transparent processing, i.e.:
7.2.1. the Data Subject has the right to be informed of the period for which his or her personal data will be stored or, if that is not possible, the criteria used to determine that period;
7.2.2. the Data Subject has the right of access to his or her data, i.e. the right to rectify, erase, object to the processing as well as the right to data portability;
7.2.3. where processing is based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw consent shall be without prejudice to the lawfulness of the processing based on which the consent was given before the withdrawal;
7.2.4. the Data Subject has the right to submit a complaint to the supervisory authority;
7.2.5. The Data Subject has the right to know whether automated decision-making, including profiling, exists.
7.3. If the Company has personal data that is not obtained from the Data Subject, in cases where the Company is the controller, the Company, in addition to the above, shall inform the Data Subject about the source from which the personal data has been received;
7.4. If the controller intends to further process personal data for a purpose other than the purpose for which the personal data were obtained, the Company shall inform the Data Subject of such other purpose before further processing and provide it with all relevant additional information, unless the provision of such information requires a disproportionate effort;
7.5. In cases where the Company is a processor or a third party, the Company shall act in accordance with the task or authorization of the controller; if a request is received from the Data Subject, the controller shall be informed of the request immediately.
7.6. You have the right, by contacting us, to receive information about which of your data are processed, to what extent, on what legal basis, for how long, etc., depending on the nuances of our cooperation.
8. Retention period
Personal data is only processed for as long as necessary for achieving the purpose of processing. The retention period may be based on the concluded agreements, the Company's legitimate interests or applicable laws and regulations.
9. Technical and organizational requirements for data protection
9.1. The Controller shall ensure, review on a regular basis and improve the personal data protection measures to protect the personal data of the Data Subject from unauthorized access, accidental loss, disclosure or destruction. To ensure this, the Company shall use modern technologies and technical and organizational measures, including appropriate software such as firewalls, intrusion detection, analysis software and data encryption, as well as physical data protection (access code at the front door, alarm system);
9.2. The Company shall carefully inspect all service providers who process personal data on behalf and upon instruction of the Company, as well as assess whether cooperation partners (processors of personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the Company's delegation and the requirements of the laws and regulations;
9.3. The Company shall regularly train its employees and ensure their qualifications are maintained;
9.4. The Company shall not be liable for any unauthorized access to personal data and/or loss of personal data if it is beyond the Company's control, for example due to the fault and/or negligence of the Customer or the Data Subject.
10. Processing area
10.1. Personal data may be processed worldwide; the Company's headquarters are in Latvia, EU.
10.2. The transfer and processing of personal data outside the EU/EEA may take place if there is a legal basis for doing so, namely to fulfill a legal obligation, to enter into or perform an agreement, or in accordance with the Customer's consent, and appropriate security measures have been taken. The European Commission has recognized which countries provide a level of personal data protection corresponding to that of the European Union (Article 45 of the Regulation, "Transfers on the basis of an adequacy decision"). If, on the other hand, the Company transfers personal data to countries for which no EC adequacy decision has been adopted, the Company performs additional supervision over the implementation of relevant protection measures, for example under Article 46 of the Regulation, "Transfers subject to appropriate safeguards". Appropriate safeguards are ensured by including the requirements of the personal data protection framework in a document that is legally binding for both parties (the sender and the recipient of the personal data), such as a contract or agreement, which clearly sets out the procedure for exercising the Data Subject's rights and the legal remedies available to the Data Subject;
10.3. Upon request, the Customer can receive more detailed information on the transfer of personal data to countries outside the EU/EEA.
11. Contact
The Data Subject may contact the Company regarding any matter, withdraw their consent, make requests for information, use Data Subject rights and submit complaints on the processing of personal data.
SOFTWARE APPLICATIONS
Data Collection and Use
When using Luxafor’s software applications, we may collect analytics data to maintain and improve the performance, stability, and functionality of our software. Additionally, our software may collect certain data from third-party integrations to ensure that the necessary features and integrations work seamlessly. This information helps us enhance the user experience and provide ongoing support.
Data Retention
We retain collected data for as long as it is necessary to maintain the functionality of integrations and fulfill the purposes described in this policy. The data will be stored only as long as required by our operational needs or as stipulated by applicable law.
Data Deletion
Users have the right to request the deletion of their data collected through our applications. If you would like your data to be deleted, please contact our support team, who will guide you through the deletion process and address any other related concerns.
Data Sharing
Luxafor respects your privacy and does not share data collected through our software applications with third parties, except as required by law or to comply with legal obligations. We do not sell or disclose your data to other companies or organizations.
14. COOKIE POLICY
A cookie is a small text file sent to a user's computer or mobile device when the user visits the website. The website stores this text file on the user's computer or mobile device when the user opens the site. At each subsequent visit, cookies are sent back to the originating site or another site that recognizes the cookie. Cookies act as a memory of the specific site, allowing the site to recognize the user's computer or mobile device on subsequent visits. Cookies can remember user settings and make the site more convenient.
The Controller is a natural or legal person who, alone or jointly with others, determines the purposes and means of personal data processing.
Cookies are needed to make it more convenient for you to use our digital services: we collect information on how you use our website and on how to improve our services. Cookies are also used to provide you with customized information about our products and services. We use different types of cookies placed by default (such as Required cookies), but we ask your consent for individual cookies used for analytical and targeting purposes. Using the cookie bar that appears when you visit the website, you choose whether to allow specific cookie categories.
We also use third-party cookies. Regarding these third-party cookies, we suggest you learn more about their cookie policies and make your own decision on how your data is processed.
You can set your browser to refuse cookies from websites or to remove cookies from your hard drive, but if you do, you will not be able to access or use portions of the Site. We have to use cookies to enable you to select products, place them in an online shopping cart, and purchase those products. If you do this, we will keep a record of your browsing activity and purchases.
Footnote:
The Company reserves the right, at its sole discretion, to modify this Policy at any time by posting the updated Policy on the Site. Your continued use of the Service after such changes constitutes your acceptance of the new Policy.