Customer Privacy Notice for Archon Systems Inc.

 

  1. Overview AND CERTAIN DEFINITIONS

    1. OVERVIEW
      1. This privacy notice is the customer privacy policy (“notice” or “privacy policy”) of Archon Systems Inc. (“Archon”), the owner and operator of inFlow®, an inventory management system used by businesses.
      2. This privacy policy sets out:
        1. what personal data we might collect about you;
        2. how we might use that personal information;
        3. what personal data we might share with others; and
        4. your rights relating to the personal information we process.
      3. Archon is committed to protecting the privacy and security of personal data.
      4. This notice covers personal information held by Archon. You should consider this notice applies to you if you are a licensee or subscriber of services related to inFlow® or an Authorized User of a licensee or subscriber. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information.
      5. By using Archon’s software and services, you are agreeing to (i) the collection and use of personal information as detailed below, (ii) the installation on your devices by us or third parties of the apps (software) necessary to interact with our services, and (iii) receiving service related notices by email, text or other means from Archon and possibly third parties.
      6. Archon gathers and stores all information that our users input in the course of registering to use our products and services.  This includes all information that is required to register to use and pay for our Services, and all optional, voluntary submissions that you input into our websites and into our Services.  We maintain records of your contact with us, including customer support interactions.
      7. The users of the inFlow Cloud™ Services control the data that they include in their respective databases.  Each user’s data is processed according to the user’s chosen settings within the inFlow Cloud™ Services.  Archon has carefully controlled and restricted access to data, including personal information, in a user’s database in the event that the user needs support for their data or in order to comply with regulatory or legal requirements applicable to Archon.
      8. This notice does not apply to products or services offered by, or the information practices of, other enterprises or individuals, that may be displayed or offered in the use of our products, services and websites, or other websites linked to our services and websites (e.g., Shopify, Worldline, Quickbooks). Therefore, you should review their policies to understand their practices before linking to, or transacting business with, them through our products or services. We are not responsible or liable for such parties’ use of data or personal information.
    2. DEFINITIONS
      1. Any references in this privacy policy to “we” or “us” and/or “our” are to Archon.
      2. personal information” (sometimes referred to in this notice and in legislation as “personal data”) means information or data relating to an identified or identifiable natural person (i.e., an individual). A natural person is considered identifiable if they can be identified directly, or indirectly, or by one or more factors that can indicate their identity.
      3. In certain jurisdictions, business contact information is not considered personal information for the purposes of data protection and/or privacy legislation.  In those circumstances “business contact information” means any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their business or profession such as the individual’s name, position name or title, work address, work telephone number, work fax number or work electronic address.
      4. An Authorized User, licensee or subscriber may be referred to interchangeably as “Individuals” and/or “Data Subjects” in connection with their specific rights under Data Protection Laws.
      5. Data Protection Laws” means with respect to Individuals that are the subject of the Data Protection Laws:
        1. any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated, or re-enacted from time to time) which relates to the protection of individuals within the EEA and UK with regard to the processing of their personal data to which a party is subject, specifically:
          1. the Data Protection Act 2018;
          2. the UK GDPR;
          3. the EU GDPR; and
        2. any code of practice or guidance published by a regulatory body related to the Data Protection Laws from time to time. The terms “controller”, “data subject”, “personal data”, and “processing” shall have the meanings given to them in Data Protection Laws.

  2. Scope of personal data processed

    1. This Section describes the scope of the personal data processed by Archon under this notice.
      Relating to:Description of Personal Data Processing
      Persons trialling Archon’s inFlow Cloud® Services and inFlow® On-Premise.
      • contact details consisting of name, email address.
      Persons subscribing to Archon products and services such as inFlow Cloud™ Services.
      • Account Administrator(s) contact details consisting of:  name, email address, job title/role.
      • Email, name, phone number and job title/role of each Authorized User of an account.
      • Any other information an Authorized User may voluntarily submit in the registration form including last name, company logo, company name, company address, business phone numbers, company email address and company website
      • Geographical location and/or place of work.
      • Payment details including credit card information.
      Grandcustomers (i.e., customers of customers and inFlow Cloud™ Showroom)
      • name and email address.
      • Any other information an Authorized User may voluntarily submit when placing an order including a personal phone number and address.
      All users
      • Information related to the usage of the inFlow® platform and services.
      • Any sales made.
      • Complaints handling including contact details such as name; email; phone number, shipping address, any contact with Archon, correspondence and Customer support interactions.
      Website users
      • IP address
      • Geographic location
    2. For more information on the cookies that are used on our websites please see our Cookie Policy.
    3. Please note that to the extent your data processed and or stored on Archon products and services in your database includes personal data related to your customers, employees and others (including any uploads on inFlow Cloud™ via any third party data sharing integration, client applications or services), Archon does not hold that personal data as a controller in that you determine the purpose for which you have included the personal information in your database. You are deemed as controller for this processing and are solely responsible for complying with any laws and regulations that apply to any processing including your collection and use of the data.

  3. Sources of personal data

    1. We typically collect personal data about you and your customers directly from you.
    2. The individual who sets up the company account – the initial Account Administrator – must provide the following for each Authorized User of that account:  email, first name, phone number and job role.
    3. We may also collect publicly available information that you post online on social networking regarding our services and products.
    4. We may collect your personal data from a relevant third party such as referral arrangements and any integrations that you have chosen.

  4. Purposes and legal basis for the processing of personal data

    1. This Section describes the purposes and legal bases for the processing of personal data by Archon under this notice.
    2. For the purposes of providing our services to you, Archon may process personal information under contract or consent.
    3. For the purposes of complying with Canadian international sanctions legislation (including the United Nations Act, the Special Economic Measures Act and the Justice for Victims of Corrupt Foreign Officials Act, and their respective regulations) Archon may process this data under a legal obligation.
    4. Archon may process personal information for the purposes of operating and managing the Archon business, including identifying, investigating, preventing and taking any action relating to any fraudulent activity and to comply with rules and processes including relating to physical safety, terms and conditions in our services and user agreements and related policies; communication with you and complaints handling; asserting and defending our legal rights, research, analysis, insights, statistics and management information. Archon may process this personal data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
    5. Where a purpose of processing is required for pursuing a legitimate interest of Archon or any third party, then Archon will make the balancing test of the underlying interests available upon a request, a copy of which can be obtained from the contact listed below.
    6. We sometimes send emails or post notices in your account about new product features, promotional communications or other news about inFlow® and/or Archon.  These are marketing messages so you can control whether or not you receive them.  For the purposes of marketing such as emails or post notices about new product features, promotional communications or other news about inFlow® and/or Archon, Archon processes this data under consent.
    7. Generally, we will only use your personal information for the purposes for which we collected it. If over time we consider that we have a different purpose we will ensure (i) the reason is compatible with the original purpose, or (ii) where appropriate and/or permitted, seek your consent.  We will update this notice.

  5. Sharing of the personal data

    1. This Section describes the sharing and transfers of personal data processed by Archon under this notice.
      Third PartiesData Sharing
      Communication and marketing providers including Aircall, Drip, Google, HubSpot, Partnerstack, SendGrid, Shopify, Custify, ProductBoard, Zoom and IT service providers.Archon engages third party communication service providers for the purpose of processing sales, security, enabling correspondence (related to complaints and prizes for example); video calls, marketing, appointments including provision of support and general contact with customers, grandcustomers and vendors.
      For payment of fees, StripeArchon has engaged Stripe to process subscription and services fees payable to it from customers.
      Gifts and Rewards, Blackhawk Network (Canada) Ltd.To provide customer gifts or rewards.
      Cookie management, Osano, Inc.Archon uses Osano Cookie Consent to manage visitors’ and users’ consent and choices regarding cookies.
      Integration partners including Quickbooks, Online, WooCommerce, Extensive Integration Manager, Shopify, Amazon, Stripe, Xero, EasyPost, Worldline, and Zapier.Where you chose to enable integrations with other services, we may share your personal information for the purposes of synchronisation of sales and purchases, payment processing including billing and support services, to enable automations triggered by account events.
      Professional advisors and consultants.

      Archon may engage certain third parties for the provision of advice, such as legal advisors and tax advisors.

      This includes where Archon may be involved in a sale, acquisition, merger, financing, insolvency or bankruptcy.

      Public and regulatory bodies.In rare circumstances, where there is a legal requirement or binding request to do so, Archon may share your personal data including to meet national security or law enforcement requirements.
    2. We do not collect your personal information to sell it to third parties.  We transfer it to provide you with our services for which you have subscribed and we use it to improve our products and services.
    3. All third parties to whom Archon provides your personal data are permitted to process your personal data for specified purposes only and in accordance with our/your instructions. We do not allow third parties to use your personal data for their own purposes.
    4. Third parties engaged by Archon shall only process your personal information where they have agreed to treat the information confidentially and to keep it secure.
    5. When you add a user to your account or you issue an invoice through our services, you are processing personal data as a controller and as a result have direct obligations to ensure that you act in compliance with applicable laws and regulations.

    Please note that the Online Showroom feature of Archon’s inFlow Cloud™ Services, allows users to publish their product information online for their customers or public.  Archon does not filter or monitor any personal information in relation to this activity.  You are deemed an independent controller for this activity and any sharing with third parties and/or the public.

  6. international transfers outside CANADA, the UK and EU/EEA

    1. Archon is incorporated pursuant to and governed by the laws of the Province of Ontario and the laws of Canada applicable in that province.
    2. Many of our external third parties service providers and processors are based outside Canada, primarily in the United States of America (“US”), but also in the UK or European Economic Area (EEA) or elsewhere, so their processing of your personal data will involve a transfer of data to/from Canada, the US, UK and/or EEA, as applicable.
    3. In particular, Archon uses Microsoft Azure to host its inFlow® software and services and for storage of all of Archon’s own data, specifically in Microsoft’s North Central US Azure Region which is located in Illinois.  Accordingly, your personal information that Archon processes is stored on servers in the US.
    4. Whenever we transfer your personal data we make sure that there are appropriate safeguards in place to protect it.
          With respect to transfers to/and from the UK and EEA,

       

      1. out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
        1. We may transfer your personal information to countries that have been deemed under UK law to provide an adequate level of protection for personal data. A list of locations that the UK currently has adequacy regulations in relation to is available here;
        2. We may use specific contracts approved as a matter of UK law as providing adequate safeguards in respect of the level of protection for personal data. For further details see ICO: International Data Transfer Agreement and Guidance;
      2. out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
        1. we may transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the European Commission. For further details, see European Commission: Adequacy of the protection of personal information in non-EU countries;
        2. We may use specific contracts approved by the European Commission to provide adequate safeguards in respect of the level of protection for personal information. For further details, see European Commission: Model contracts for the transfer of personal information to third countries.

  7. Data security

    1. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These include secured and encrypted version of the HTTP transportation protocol; Hashing of passwords with salts; IP-based firewall whitelist for all direct database access and storing of user data in its own individual silo.
    2. We use reputable service providers. In addition, we limit access to your personal information to our employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information for specified purposes and they are subject to a duty of confidentiality.
    3. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

  8. Your data access rights

    1. We have set out below a summary of your rights with respect to the processing of your personal data by Archon.  Individuals who are the subject of Data Protection Laws have certain additional rights (subject to certain conditions and exceptions) relating to the processing of their personal data as noted below. Such Individuals can exercise any of these rights by contacting the relevant Archon contact using the details provided in section 10 of this notice.
      1. Rights
      1. What does this mean?
      The right to be informedYou have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing the information in this notice.
      The right of access.You have the right to obtain a copy of your personal data processed by Archon, provided it does not adversely affect the rights and freedoms of others. This is so individuals are aware and can check that we are using your personal information in accordance with data protection / privacy law.
      The right to rectification.

      You are entitled to have your personal information corrected if it is inaccurate or incomplete.

      It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us. You are able to view and update most of the information, including your personal information, in your account(s).

      The right to erasure.This enables an Individual to request the deletion or removal of their personal data where there is no compelling reason for Archon to keep using it.
      The right to restrict processing.Each Individual has the right to ‘block’ or suppress further use of their personal data processed by Archon. When processing is restricted, Archon can still store the Individuals personal data, but may not use it further. Archon maintains lists of Individuals who have asked for further use of their personal data to be ‘blocked’ to make sure the restriction is respected in future.
      The right to data portability.Each Individual has the right to receive their personal data in a structured, commonly used and machine-readable format and to request that this data is transmitted to another party/controller where this is technically feasible. This right only applies to personal data the Individual has directly provided to Archon (not any other information).
      The right to lodge a complaint.You have the right to lodge a complaint about Archon’s handling or processing of your personal information to data protection/privacy regulators. This can vary depending on where you are geographically based – please see paragraph 10 and Appendix 1 as a guide.
      The right to withdraw consent.Where you have given consent to Archon for the processing of any personal data, you have the right to withdraw your consent at any time (although this does not mean that any processing of personal information carried out by the Archon with your consent up to that point is unlawful). Please note that this may impact Archon’s ability to provide you with some of its Services.

  9. Data retention

    1. Archon may retain personal data of individuals only for as long as needed or permitted considering the purpose(s) for which it is being processed, in line with this notice and consistent with applicable Data Protection Laws and privacy laws, including
      1. to comply with our legal and regulatory obligations;
      2. to enable fraud monitoring, detection and loss prevention activities; and
      3. to comply with our tax, accounting, and financial reporting obligations.
    2. To determine the appropriate retention period for personal data, we consider:
      1. the amount, nature and sensitivity of the personal data, and the potential risk of harm from unauthorised use or disclosure of your personal data;
      2. the purposes for which we process your personal data and whether we can achieve those purposes through other means;
      3. if the individual has made a request to have their personal data deleted (See paragraph 8 of this notice);
      4. guidelines issued by relevant privacy protection authorities; and
      5. legal obligation(s) under applicable law to retain data for a certain period of time.
    3. In some circumstances we may anonymize your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
    4. In some circumstances such as archived data, Archon may isolate personal information from further processing until deletion is possible.
    5. Where appropriate, Archon shall destroy your personal data in accordance with applicable Data Protection Laws and privacy laws and their respective regulations.

  10. Our Contact information

    1. To exercise your rights or to contact us with any questions about this notice or how we handle your personal information, please contact our Privacy Officer at privacy@inflowinventory.com.

  11. Changes to this privacy notice

    1. Archon reserves the right to modify and/or update this notice at any time. We may modify this notice to ensure it is accurate and up to date and to reflect changes in the law, the practice of the competent data protection authority, business needs and any new activity involving personal data processing. We will notify you when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.
    2. Upon request of an individual, the Archon will send a copy of the latest updated version of this notice to the relevant individual.
    3. This policy was last updated 2023-06-30

Appendix 1
List of Supervisory Authorities

Information and Privacy Commissioner of Canada – website: www.priv.gc.ca
Information and Privacy Commissioner of Alberta – website: www.oipc.ab.ca
Information and Privacy Commissioner of British Columbia – website: www.oipc.bc.ca
Commission d’accès à l’information du Québec – website: www.cai.gouv.qc.ca
For UK Individuals:  United Kingdom – Information Commissioner’s Office (ICO) – website: www.ico.org.uk
For EU Individuals: Portugal’s Comissão Nacional de Proteção de Dados website:  www.cnpd.pt