Our Commitment to GDPR and Data Privacy


Borneosoft is committed to data protection and respecting the privacy of our users. We adhere to the principles of the General Data Protection Regulation (GDPR), which provides a strong framework for data privacy in the European Union.


This page is for informational purposes only and does not constitute legal advice. We advise you to seek professional legal advice to find out whether GDPR applies to your business.


1. What is GDPR?

The EU General Data Protection Regulation ("GDPR") is a comprehensive privacy law that came into effect on May 25, 2018. It provides individuals in the European Union (EU) with enhanced rights and control over their personal data.


2. Does the GDPR apply to me?

The GDPR applies to you and your business if you have an operation in the European Union (EU) or if you process and monitor the personal data of individuals located in the EU, regardless of where your business is located.


3. Our Commitment to GDPR Compliance

As a company that processes data on behalf of our users, we have implemented measures to ensure that our services and practices are compliant with the GDPR. We have designed our services to give you full control over the data you collect, and we are committed to upholding the privacy and security standards required by the regulation.


4. Our Role: Controller vs. Processor

  • You are the Data Controller: When you use Zapof to collect data from your users (e.g., through forms), you are the Data Controller. This means you determine the purpose and means of the data processing. It is your responsibility to ensure you have a lawful basis for collecting data, to obtain consent where necessary, and to honor the rights of your users.

  • We are the Data Processor: For the data you collect via Zapof forms, Borneosoft Pty. Ltd. acts as the Data Processor. We process the data solely on your behalf and according to your instructions as defined in our Terms of Service and Data Processing Agreement. We do not own the data you collect.

  • Borneosoft as Controller: For the personal information we collect directly from you as our customer (e.g., your name, email, and billing address), Borneosoft Pty. Ltd. acts as the Data Controller. This data is processed in accordance with our Privacy Policy to provide and manage your account.

5. The Data Processing Agreement (DPA)

The GDPR requires a written agreement between a Data Controller and a Data Processor. Our Data Processing Agreement is incorporated into our Terms of Service. It outlines our obligations as a Data Processor and ensures that we handle your data in a compliant manner. By using our services, you agree to the terms of this DPA.


6. Data Processing and Security Measures

We employ appropriate technical and organizational measures to protect the personal data we process. This includes:

  • Encryption: Data is encrypted in transit to our servers (e.g., using TLS).
  • Access Controls: Access to data is strictly limited to authorized personnel and is protected by strong security protocols.
  • Sub-processors: We use reputable third-party services as sub-processors to provide our services. Your data is primarily hosted on secure servers in Canada.

7. How do I create a GDPR-compliant form?

As the Data Controller, it is your responsibility to ensure your forms and data collection methods are GDPR-compliant. Here are some key steps you should take:

  • Obtain Explicit Consent: If you are collecting personal data, you must get clear and freely given consent. You can do this by adding a non-pre-checked checkbox to your form.
  • Explain Your Use of Data: Near the consent checkbox, clearly state why you are collecting the information and how you intend to use it.
  • Provide a Privacy Policy: You must have a publicly available privacy policy that gives more detailed information about your data management practices. We recommend placing a link to your privacy policy near the consent checkbox.
  • Honor Data Subject Rights: Zapof provides tools to help you honor the rights of your users. You can access, edit, or permanently delete submitted forms and other data you collect directly from your account dashboard.

8. International Data Transfers

Our company is based in Australia, but your data is stored on servers in Canada. We take specific measures to ensure that your data remains protected, even when it crosses international borders.

  • Data in Canada: The European Commission has issued an "adequacy decision" for Canada, which means that the legal framework for data protection is considered sufficient under GDPR.
  • Access from Australia: When our Australian-based support team needs to access your data for troubleshooting purposes, this constitutes a data transfer. To ensure this is compliant with GDPR, we are bound by the Standard Contractual Clauses (SCCs), which are a legally recognized mechanism for safeguarding international data transfers.

9. Your Rights Under GDPR

As a Data Controller, you have the necessary tools within our services to fulfill the rights of your end-users, including the right to:

  • Access: The right to obtain a copy of the personal data processed.
  • Rectification: The right to correct inaccurate personal data.
  • Erasure: The right to have personal data deleted ("the right to be forgotten").
  • Data Portability: The right to receive a copy of personal data in a structured, machine-readable format.

10. Contact Us

If you have any questions about this GDPR statement or our data protection practices, please contact us at support@zapof.com.


