1. Who we are and how to contact us
Graasp is developed and maintained by the Graasp Association and supported by the École Polytechnique Fédérale de Lausanne (EPFL), a public university of science and technology in Switzerland. Graasp complies with the privacy policies of EPFL, the Swiss Federal Act on Data Protection (FADP), and with the European GDPR.
You can contact Graasp at the following email address: email@example.com
2.1 User’s obligations
As user, you agree:
- that you bear all responsibility for the Uploaded Data (see Section 4.4) in Graasp. Graasp does not check users’ uploaded/created content for appropriateness, violations of privacy rights or Intellectual Property Rights. You are responsible for the content that you upload, because you are the data manager over your Uploaded Data;
- that you will comply at all times with relevant professional and business secrecy obligations if applicable;
- that Graasp only acts as a data manager regarding the storage and use of your Uploaded Data. Graasp only provides storage spaces and central processing units;
- that you are aware of the technical and organizational security measures implemented in Graasp;
- that you will promptly notify Graasp about:
- any legally binding request for disclosure of the Personal data by a law enforcement authority unless otherwise prohibited;
- any accidental or unauthorized access to proprietary, Personal or Uploaded Data, if technical assistance is required.
- to deal promptly and properly with all inquiries relating to the processing of the Personal Data as requested by applicable laws.
2.2 Obligations of Graasp
- that Graasp keeps detailed and updated records of all management activities carried out on the Personal and Uploaded Data;
- to guarantee the confidentiality of your Personal and Uploaded Data if they are configured as private;
- promptly comply with any request from users requiring Graasp to amend, transfer, delete, or otherwise dispose of the Personal and Uploaded Data, or to cease, mitigate, or remedy any authorized processing;
- that Graasp will not process Personal or Uploaded Data for Graasp‘s own commercial benefit or that of any third party;
- notify the users without undue delay of any suspected or actual data breach involving their Personal or Uploaded Data;
- to notify the user immediately if Graasp receives any complaint, request, or other communication concerning the processing of the Personal or Uploaded Data.
- to assist users with appropriate measures and by providing information for the fulfillment of your obligations under the applicable law.
3. How Graasp uses your Personal and Uploaded Data
3.1 Manage your account
3.2 Provide our services
3.3 Ensure the functionalities and understand the use of Graasp
3.4 Compliance with the law
Graasp may process Personal and Uploaded Data, in case of suspected or actual criminal or administrative proceedings led by competent authorities (see Section 4.4). The legal basis for this processing is necessary to carry out a legal obligation.
3.5 Research purposes
Graasp may collect and use your Personal and Upload Data for research purposes. Published scientific results only contain anonymized data.
4. Data collected
Graasp may collect all the following Personal data (referred to as the « Personal Data »).
4.1 Account Data
In order to manage the account of a user, Graasp needs to process the following Personal Data (« Account Data »):
- email address
- full name
- User ID
- Other log information
- IP address
- timestamps of access to Graasp
- logs of consents
In order to provide Graasp services, the information that is collected from your activities in Graasp is required. For instance, collecting provenance of the data (where this data comes from, how it was created) and its lineage (who is using the data and how). Provenance information is not collected automatically without the user’s knowledge, its creation and subsequent collection is subject to a User’s deliberate action using Graasp.
4.3 Operational Data
In order to ensure the operational functioning of Graasp and to understand its use, Graasp needs to process the following Personal Data (« Operational Data »):
- User IP addresses
- User ID
- Telemetry data, i.e. system data, used to get a pulse of the system, how hardware resources are used, by whom and understand why things fail, so that the Graasp team can troubleshoot them, or provide user support
- Logs from the firewall service
- Other logs required to ensure the functionalities of Graasp
- The number and duration of your visits
- Information about what parts of Graasp you visited
4.4 Uploaded Data
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. When you access the Graasp platform, the installation of cookies on your devices is possible according to your settings, which will allow Graasp to recognize your browser, during the validity time of the cookies. The cookies that Graasp generates allows:
- to prepare statistics including frequency of access, the use and performances of websites;
- to store preferences and parameters (authentification)
- to enable you to access reserved or personal content on the Graasp platform
- to improve our communication and services.
Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Please refer to your browser’s privacy or help documentation to find instructions for blocking or deleting cookies. For examples: Edge, Safari, Chrome, Firefox
- Cookies that are strictly necessary, which are necessary for navigation, along with your authentication token after logging in, and to secure Graasp;
- Functionality cookies, which are collecting some of your surfing preferences such as language preferences;
- Graasp does not use advertising cookies
6. How Graasp retain your data
Graasp stores your Personal and Uploaded Data as long as your account exists. In order to fulfill our legal obligations or to fulfill our purpose described in Section 4.3, the Operational Data may be anonymized and/or may be kept for a longer period.
Your Personal Data is stored on secure servers at our Service Provider’s premises in continental Europe (Germany and Switzerland).
7. Data Sharing
Graasp is sharing your Personal Data with the following recipients exclusively:
- Authorized employees and Graasp managers
- Our Service Providers
8. Service Providers and Transfers
8.1 Amazon Web Services (Main service provider)
Graasp uses the services of AWS (Amazon Web Services). No international transfers are foreseen, but their privacy framework can be consulted here.
8.2 Other service providers
Graasp uses anonymised Google Analytics services and Google ReCaptcha services to secure and understand usage of the platform.
Anonymised data is also shared with Sentry.io for debugging and troubleshooting purposes in order to ensure a smooth and stable experience to our users.
All your Personal and Uploaded Data is hosted by AWS, in Continental Europe (Germany and Switzerland). Copy of the data might be temporarily stored in the Graasp premises for quality insurance purposes.
Graasp has put in place appropriate security measures pursuant to the acknowledged state of the art. Please note however that Graasp cannot guarantee an absolute security for your Personal and Uploaded Data, to the extent that the data retention and electronic transmission involves certain risks.
10. Your Rights
The user has a number of rights according to the data protection legislation. These rights can be limited in particular when they affect rights and freedom of others. Graasp will inform you of applicable exceptions in our answer to your potential request.
These rights include:
- right of access: You have the right to know what Personal Data Graasp hold about you and to ask, in writing, to see your Personal Data. You can directly have this information by contacting the data controllers: firstname.lastname@example.org
- right to withdraw consent: Graasp processes your Personal Data and Uploaded Data on the basis of your consent; you can withdraw that consent at any time.
- right of erasure: In some cases, you have the right to have your Personal and Uploaded Data to be deleted.
- right of rectification: If you believe your Personal Data is inaccurate you have the right to ask for their update.
- right to file a complaint: If you are unhappy with the way in which Graasp have handled your Personal or Uploaded Data, you have the right to file a complaint with the Federal Data Protection and Information Commissioner (FDPIC) or with the supervisory authority of your country or residency.
Graasp reserve the right to refuse any abusive request or one which is contrary to applicable laws.
12. Final provisions
12.1 Applicable law and jurisdiction
Swiss material laws are applicable. The place of execution and of jurisdiction is in Valais.