TERMS AND CONDITIONS
The following are terms of accessing and/or using Sleeknote’s website and service (hereinafter “the Service”). By accepting the terms below (hereinafter “the Agreement”) and/or using the Service, you are stating that you agree to be bound by all terms without modification, conditions or notices.
Sleeknote was created by, and is a service of Sleeknote ApS (hereinafter “Sleeknote”).
Sleeknote offers a range of subscriptions and a free trial. At the end of a free trial, you agree to either pay applicable fees at that time or discontinue using the Service. Subscriptions are available on either monthly or annual pre-paid, non-refundable contracts.
All contracts will automatically renew for the same term using the payment method on file unless you change or discontinue the Service. If you are not using the service, we will not consider it as a discontinuance of the service. To discontinue the service, send an email to email@example.com. All upgrades are effective immediately, while downgrades are effective as of the next renewal date.
The price is based on the total available amount of sessions in the selected pricing plan, regardless if any Sleeknotes are active during the period of the subscription.
If you exceed the available amount of sessions in the selected pricing plan, you are obligated to subscribe to a pricing plan with more available monthly sessions.
We will notify you once you have used respectively 80, 90 and 100 % of the total available amount of sessions in your current pricing plan. If you exceed the available amount of sessions in your selected pricing plan once, we will notify you via e-mail and encourage you to change your pricing plan. If you once again, after having received this notification, exceed the available amount of sessions, we will automatically upgrade you to a new pricing plan.
You will not be automatically downgraded to a previous pricing plan, if you do not use all available sessions in your current pricing plan. If you wish to downgrade to a previous pricing plan, you must change the subscription settings on your Sleeknote account.
Sleeknote may change its fee structure and/or provide an upgrade at any time with 14 days notice, in which case new rates will be in effect as of the next renewal period.
In the event you cancel your subscription, you shall receive no refund or exchange for any unused time on a subscription, any license or subscription fees for any portion of the Service, any content or data associated with your account, or for anything else.
To register for the Service, you must complete the registration process by providing Sleeknote with current, complete and accurate information as required by the registration form. You are solely responsible for any use and all activities that occur under your account.
You are responsible for safeguarding the confidentiality of your password(s) and user name(s) issued to you and for any use or misuse of your account resulting from any third-party using a password or user name issued to you. You agree to immediately notify Sleeknote of any unauthorized use of your account or any other breach of security known to you. You agree to let Sleeknote use your organization’s logo in its customer list, at other places on its website and as part of a general list of Sleeknote’s customers for use and reference in corporate, promotional and marketing material.
You agree to indemnify, hold harmless and defend Sleeknote, its contractors, its licensors and their respective directors, officers, employees and agents, at your expense, from and against any and all third-party claims, actions, proceedings and suits, arising from your use of the Service, including but not limited to your violation of this Agreement. You agree to also indemnify the same against any and all expenses connected hereto, including attorneys’ fees.
The Service is provided ‘as is’. Sleeknote and its contractors hereby disclaim all warranties of any kind, expressed or implied, including, without limitation, the warranties of merchantability, fitness for a particular purpose and non-infringement. Neither Sleeknote nor its contractors make any warranty that the Service or website will be error-free, free of viruses or other harmful components, or that access thereto will be continuous or uninterrupted. You understand that the use of the Service is at your own discretion and risk.
Sleeknote will not be liable to you or any third-party claimant for any indirect, punitive, consequential (including, without limitation, lost profits or lost data collected through the Service), or incidental damages, whether based on a claim or action of contract, warranty, negligence, or other tort, breach of any statutory duty, indemnity or contribution, or otherwise. The exclusion contained in this paragraph shall apply regardless of the failure of the exclusive remedy provided in the following paragraph.
Some jurisdictions do not allow the limitation or exclusion of liability to the extent stated above. In such case, Sleeknote and its contractors’ total cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of or relating to this Agreement shall not exceed the total paid-in fee from you to Sleeknote within the 12 months previous to the date the claim is first brought against Sleeknote.
Sleeknote does not guarantee the Service will be operable at all times or during any down time, including but not limited to Internet Service Provider outages, equipment failures, scheduled maintenance or force majeure.
The Service, including any content on the Service and all underlying technology (including all intellectual property rights embodied therein), is and shall remain the sole and exclusive property of Sleeknote and shall be protected in accordance with applicable copyright laws and other legislation. No license to any underlying technology is granted. You will not, nor will you allow any third party to reverse engineer and/or create derivatives of the Service using any method possible. You will not, nor will you allow any third party to modify the Service in any way. You will use the Service solely for your commercial use and will not make the Service available for any type of external service such as, but not limited to, an application service provider.
If you provide feedback, ideas or suggestions regarding the Service, Sleeknote is free to fully exploit such feedback.
Sleeknote may terminate the Service and/or access to the Service at any time and for any reason without notice. If you wish to terminate this Agreement or your service, you may simply stop using the Service. However, although this Agreement may terminate between the Service and you, some provisions of this Agreement shall still be in effect, including, without limitation, warranty disclaimers, indemnity, limitations of liability and proprietary rights.
Sleeknote reserves the right at its sole discretion to modify or replace any part of these terms. Sleeknote will on its website give you prior notice if changes are made to the Agreement. Your continued use of the Service or access to the Sleeknote website following the changes in these terms constitutes acceptance of those changes.
Sleeknote shall be excused from performance hereunder to the extent that performance is prevented, delayed or obstructed by causes beyond its reasonable control. This Agreement represents the complete agreement between you and Sleeknote concerning its subject matter and supersedes all prior statements, agreements and representations between the parties.
You may not assign or otherwise transfer any of your rights under the Agreement without Sleeknote’s prior written consent and any such attempt is void.
Sleeknote is entitled to assign and/or transfer any of its rights or obligations under the Agreement to any third party. Sleeknote shall notify you of such transfer.
The relationship between Sleeknote and you is not one of a legal partnership relationship, but is one of independent contractors. This Agreement will be binding upon and will inure to the benefit of the parties, their successors and assigns of the parties hereto.
If any provision of this Agreement is held to be unenforceable for any reason, such provision shall be reformed to the extent necessary to make it enforceable to the maximum extent possible so as to affect the intent of the parties, and the remainder of this Agreement shall continue in full force and effect.
These terms and conditions may be amended or updated by Sleeknote from time to time. Your use of the Service after any such amendment or update of these terms and conditions shall signify your acceptance of the revised terms and conditions. As a consequence, you are responsible for visiting and reviewing these terms and conditions periodically.
This Agreement shall be governed by and construed under the laws of the state of Denmark without reference to its conflict of law principles. In the event of any conflicts between foreign law, rules, and regulations, and Danish law, rules, and regulations, Danish law, rules, and regulations shall prevail and govern. Each party agrees to submit to the exclusive and personal jurisdiction of the courts located in Aarhus, Denmark. The United Nations Convention on Contracts for the International Sale of Goods and the Uniform Computer Information Transactions Act shall not apply to this Agreement. A waiver of any default is not a waiver of any subsequent default.
Last updated 02-02-2022 (DD-MM-YYYY) Added DPA
BACKGROUND AND PURPOSE
The Controller has subscribed to the services provided by the Processor. The Service is used for interacting with visitors on the Controller’s website(s) using pop-ups for the purpose of increasing customer base and/or sales. The Controller’s use of the services is governed by the Processor’s subscription terms and conditions (the “Main Agreement”).
When providing services to the Controller, the Processor processes personal data for which the Controller is responsible (hereinafter “Personal Data”), thus the Processor processes Personal Data on behalf of the Controller.
This Agreement forms an integral part of the Main Agreement. In the event of conflicts between the agreements this Agreement shall take precedence.
The Parties have entered into this Agreement in order to fulfil the requirement of a written agreement between a data controller and a data processor of personal data as set out in section 28(3) of the EU General Data Protection Regulation 2016/679 (the “GDPR”), and to ensure the Parties’ compliance with the GDPR as well as any relevant, applicable data protection legislation.
PROCESSING OF DATA
The Processor shall only process Personal Data for the purpose of performing its obligations under the Main Agreement, this Agreement or as otherwise instructed by the Controller in writing. The Processor is not entitled to process Personal Data for its own purposes.
The Controller’s instructions are set forth in the Main Agreement and Appendix 1. The categories of Personal Data processed by the Processor are specified in Appendix 1.
The Controller may activate a third party integration partner, which enables the Controller to retrieve Personal Data collected by the Processor as well as transfer such Personal Data to a third party. The Processor is not responsible or liable for the Controller’s use of, or the transfer of Personal Data through, any such third party integration partners.
The Processor must delete Personal Data, copies and records thereof when it is no longer reasonably necessary to process in order for the Processor to perform its obligations under the Main Agreement. In any case the Processor deletes the Personal Data collected on behalf of the Controller in accordance with the following:
Submitted Personal Data is deleted 3 months after submission from the data subject.
Analytic Personal Data is deleted 12 months after the expiry of the Main Agreement. The purpose of the Processor’s processing of this Personal Data after the expiry of the Main Agreement is to enable the Controller to, within this 12-month period, easily sign up to the Service again without loss of valuable data.
The Processor will always delete Personal Data upon request from the Controller.
ASSISTANCE TO THE CONTROLLER
The Processor is obligated to, to the extent possible, assist the Controller in fulfilling its legal obligations under the applicable data protection legislation, including but not limited to the Controller’s obligation to respond to requests from data subjects wishing to exercise their rights. Any requests from the Controller in this regard must be made in writing to firstname.lastname@example.org.
Upon the Controller’s specific request and taking into account the agreed level of technical and organizational security measures as well as the character of the processing and the information available to the Processor, the Processor will assist the Controller with its obligations in connection to the processing of Personal Data under this Agreement, including:
implementing suitable technical and organizational measures to ensure a level of security appropriate to the risks involved with the processing of the Controller’s Personal Data,
notifying the relevant supervisory authority of data security breaches,
notifying data subjects of data security breaches,
implementing impact assessments, cf. GDPR art. 35 and
performing preceding consultations with supervisory authorities, cf. GDPR art. 36.
If the Processor finds that Controller’s requests made in accordance with section 3.2 exceed a reasonable level of cost-free assistance, the Processor is entitled to invoice the Controller for such assistance in accordance with the Processor’s hourly wages as applicable from time to time. The Processor is obligated to notify the Controller hereof, before the Processor provides assistance, for which the Processor finds that the Processor is entitled to receive payment.
The Controller is obligated to comply with the applicable data protection legislation. The Controller is responsible for and warrants that:
the Controller will only make the Processor process Personal Data similar to categories listed in Appendix 1, that the Controller will not make the Processor process special categories of Personal Data, and that the Processor can act in accordance hereto when taking technical and organizational security measures,
the Controller ensures the lawfulness of processing,
the Controller will determine the basis for processing of the Personal Data in question prior to the collection of Personal Data intended for processing by the Processor, and
the Controller will notify the Processor immediately if a data subject, whose Personal Data the Processor processes, revokes his/her consent (where the basis for processing is such) or exercises his/her right to objection, restriction, rectification or erasure.
USE OF SUB PROCESSORS
The Processor is not entitled to disclose Personal Data to any third parties without the Controller’s prior, written consent. The Processor is therefore only entitled to use sub processors when this is authorized by the Controller.
By signing this Agreement, the Controller authorizes the Processor to use the sub processors listed in Appendix 1.
Before the Processor engages a new sub processor, the Processor shall notify the Controller thereof and provide information about the new sub processor’s name and location for processing. If the Controller has a reasonable basis to object to the Processor’s use of a new sub processor and therefore wishes to terminate this Agreement and the Main Agreement, the Controller shall notify the Processor within 10 business days after receipt of the Processor’s notice.
The Processor does not use sub processors established outside the EU/EEA.
The Processor ensures, that any sub processor engaged by the Processor to carry out specific processing activities on behalf of the Controller is bound by data protection obligations no less stringent than the ones set forth in this Agreement. If the sub processor fails to fulfil its data protection obligations, the Processor is liable to the Controller for the performance of the sub processor’s obligations.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller, that the sub processors engaged by the Processor have taken the necessary technical and organizational security measures.
Upon written request from the Controller, the Processor must present the necessary documentation proving that the processing of Personal Data is carried out in accordance with the applicable data protection legislation, thus the Processor must keep records of its processing activities in accordance with GDPR art. 30.
The Processor will, at the Processor’s expense, provide an annual audit report in the form of an ISAE 3000 audit statement. The first audit report will be available in the first half of 2021.
If the Controller finds, that the ISAE 3000 audit statement provided by the Processor is inadequate, and can point to objective reasons for such inadequacy, the Controller is entitled to, at its own expense, take proportionate and commercially reasonable measures to validate the Processor’s compliance with this Agreement, either by itself or by using a third party to conduct the audit.
If the Controller takes on a third party to conduct the audit on behalf of the Controller, the Controller must ensure that the third party carrying out the audit enters into a non-disclosure agreement and that such third party takes necessary security measures when conducting the audit.
The Processor undertakes to provide the Controller with reasonable assistance during the audit.
Audits must be conducted during the Processor’s business hours and the Processor must be notified of planned audits within reasonable time prior to the audit. The audit shall not grant the Controller access to the Processor’s trade secrets or proprietary information.
The Processor is not entitled to transfer or hand over Personal Data to third parties or sub processors established in countries outside the EU/EEA without prior written instruction hereto from the Controller unless such transfer or handing over is provided by law.
The Processor does not transfer Personal Data to countries outside the EU/EEA.
The Processor must take the necessary technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to the risk associated with the processing and the nature of the Personal Data to be protected, taking into account the state of the art and the cost of implementation.
The measures shall comply with the requirements set out in article 32 of the GDPR and include but not be limited to:
safeguarding Personal Data against being destroyed accidentally or illegally, lost, altered, damaged, or made known to unauthorized persons, misused or in any other way illegally processed,
taking measures to prevent transfers to any unauthorized person or entity,
ensuring that records are maintained of access to Personal Data, and
taking measures to ensure Personal Data remains available.
The measures taken by the Processor are stated in Appendix 2. The Parties agree that the measures taken sufficiently ensure the level of security appropriate to the risks associated with the processing activities in question.
The Processor periodically assesses the level of security and ensures that any further, necessary technical and organizational security measures are taken.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller, that the Processor has taken the necessary technical and organizational security measures.
The Processor shall ensure that access to Personal Data is restricted to those of the Processor’s employees who require access to Personal Data in order to fulfill the Processor’s obligations under this Agreement and the Main Agreement.
The Processor must ensure that those of the Processor’s employees, who process Personal Data, are bound by adequate confidentiality obligations.
BREACH OF DATA SECURITY
The Processor must notify the Controller of any Personal Data security breaches, operational malfunctions or suspected security breaches relating to the processing of Personal Data without undue delay and within 24 hours after the security breach has been discovered.
Unless the Controller has provided the Processor with an e-mail address, to which the Processor specifically can forward notices of data security breaches, all such notices will be forwarded to the e-mail address connected with the account. If the Controller wishes to change, or provide the Processor with, an e-mail address for this purpose, the Controller must notify the Processor’s customer service hereof.
The notification in clause 10.1 must (if relevant) contain:
A description of the data security breach including the categories and approximate amount of Personal Data and data subjects concerned,
the name and contact details of the Processor’s data protection officer,
a description of the likely consequences of the data security breach, and
a description of the measures taken or proposed to be taken by the Controller to address the data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Processor shall document any data security breaches. The documentation shall only include information necessary for the Controller to verify compliance with the applicable data protection legislation to the relevant supervisory authority.
The Controller is responsible for notifying the relevant supervisory authority about the data security breach.
The Parties’ liability inter partes is governed by the Main Agreement. The Parties’ liability towards third persons is governed by GDPR art. 82.
The Parties are each liable for any penalties imposed on them, and a Party cannot claim that such penalty is paid or compensated by the other Party, unless the penalty is a result of the other Party’s gross or willful negligence.
The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of this Agreement shall not exceed the total paid-in fee from the Controller to the Processor within the 12 months previous to the date the claim is first brought against the Processor.
If the Controller, against the prohibition set forth in Appendix 1, collects special categories of Personal Data and thus assigns the Processor to process special categories of personal data without the Processor’s knowledge, the Controller undertakes to indemnify and hold the Processor harmless for any and all damages and losses, including attorney fees, incurred by the Processor in connection hereto.
AMENDMENTS
Any amendments to this Agreement must be made in writing and signed by the Parties in order to be binding.
TERM AND TERMINATION
This Agreement shall enter into force on the date of signing and shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller.
Upon effective termination of the Main Agreement, this Agreement will be terminated accordingly.
Upon termination of this Agreement, the Processor is obligated to delete all Personal Data and copies thereof, unless the Processor is legally obligated to continue the processing of the Personal Data or parts thereof. Due to the Processor’s back up procedures the Controller must allow for a period of 90 days in order for the Processor to complete the full deletion of submitted Personal Data, as well as the Processor in accordance with section 2.4.2 will process analytic Personal Data for a period of 12 months after the expiry of the Agreement.
GOVERNING LAW AND DISPUTES
Any disputes arising out of or in connection to this Agreement must be resolved and governed as agreed in section 13 of the Main Agreement.
The Personal Data processed by the Processor on behalf of the Controller concerns the following categories of data subjects:
Visitors on the Controller’s website
CATEGORIES OF PERSONAL DATA
The Processor processes the following categories of Personal Data on behalf of the Controller:
Data submitted by data subjects: Submitted data is Personal Data, and other information, that is submitted by data subjects through a Sleeknote campaign on the Controller’s website. The Controller determines the categories of Personal Data that the Controller wishes for the data subject to submit. Submitted data may thus include, but is not limited to the following categories:
Contact information: e-mail addresses; first and last names; address and phone
Segmentation / targeting: age, date of birth; gender; size (Clothes); preferences (information, products)
The Controller is prohibited from using Sleeknote campaigns to collect special categories of personal data, cf. GDPR 9-10.
Analytic data: Analytic data includes Personal Data for analytic purposes related to the data subject’s behavior details. Analytic data may include but is not limited to:
behavior details (including URL’s visited, events triggered on defined actions such as page loads, clicks, log-ins, time spent on page or site),
geo-location data (aggregated estimate based on collected IP-address),
Sleeknote specific events (newsletter sign-up, contact details submitted, redirection to other pages or sites, Sleeknotes shown/closed).
The following processing activities will be carried out by the Processor on behalf of the Controller:
Collection of data on the Controller’s websites via direct submissions from visitors on the Controller’s websites (submitted data),
Storing of data via sub processors and thus transferring data to sub processors.
Deleting collected data after 90 days of first registration
Collect behavioral analytics tracking related to “pop-ups” on the Controller’s website (analytic data),
Anonymization of analytic data by geo-location code
Systematization and analysis of data (analytic data),
Presentation of analytic data in dashboards available for Controller
Deletion of analytic data
Analysis and reporting and access by the Processor for the purpose of maintenance, global analytic or support to the Controller
Deleting data on request
PRE-APPROVED SUB PROCESSORS
The following sub processors used by the Processor are pre-approved by the Controller:
Entity name and address | Entity type | Entity Country
Amazon Web Services | Hosting provider | Ireland, Germany
Google Cloud Platform | Hosting provider | Germany, Belgium, Finland
The processing of personal data by the Processor on behalf of the Controller will take place in the following location:
For the Processor: Denmark
For the pre-approved sub processors: Ireland, Germany, Finland, Belgium
APPENDIX 2
The Parties have agreed to the following security measures to be taken in connection with the Processor’s processing of Personal Data on behalf of the Controller:
PHYSICAL ACCESS CONTROL
Measures to prevent physical access of unauthorized persons to IT systems that handle Personal Data:
Buildings and systems used for data processing are safe. Data processing media is stored properly and is not available to unauthorized third parties, thus such media is kept locked when unattended. The Processor only uses high-quality hard- and software and continues to update these if relevant.
SYSTEM ACCESS CONTROL
Measures to prevent unauthorized persons from using IT systems:
The Processor maintains an authentication system for accessing personal data processing systems. Employee accounts are not shared and inactive sessions are terminated after 30 minutes. The Processor keeps network logs and a log of detection of intrusion.
DATA ACCESS CONTROL
Measures to ensure that the Processor’s employees only have access to the Personal Data pursuant to their access rights:
The access to personal data is role based. Data can only be accessed by the Processor or the Controller. Access to databases is IP restricted. The Processor has also introduced log-in and password procedures ensuring that only employees with access rights have access to personal data. The Processor keeps a list of employees that have access to the Controller’s data, and only key employees have access to databases.
TRANSMISSION ACCESS CONTROL
Measures to ensure that Personal Data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of Personal Data is to be done via transmission systems:
All data submitted by the Controller is transferred to the Processor encrypted, if the Controller’s website is running on a secure HTTPS connection. All data is encrypted on storage.
ENTRY CONTROL AND TRACEABILITY
Measures to ensure that it can be subsequently reviewed and determined if and from whom Personal Data was entered, altered or deleted in the IT systems, as well as measures to ensure the accountability and traceability of the processing of Personal Data:
The Processor applies a log monitoring solution to collect and compare logged events. The Processor keeps network logs and a log of detection of intrusion. All services provided by the Processor are thus being logged and stored for 15-30 days. The logs contain information on who accessed data, from which IP address the data was accessed, which data were accessed and when data was accessed. The Processor performs internal audits to ensure that all security measures stated in this Appendix are taken and that each new feature or amendment to services provided by the Processor live up to these standards.
Measures to ensure that personal data is protected against accidental destruction or loss:
The Processor has set up and maintained web application firewall and anti-virus software as well as back-up procedures as layers of security. The service provided by the Processor runs on a combination of load balanced servers and CDN. The CDN is the Amazon Web Services Cloudfront, which runs at the capacity of 40 Gbps and 100.000 requests per second. The service provided by the Processor runs in a load balanced environment, thus more capacity can be added on demand. The Processor maintains recovery processes to allow for continuation of data processing and to provide an effective and accurate recovery of personal data.
Measures to provide a description of any procedures established to ensure an adequate level of transparency to the Controller regarding the Processor and sub processors processing of Personal Data:
The Controller will always be able to access data submitted the Processor as well as the Controller will be able to download. Analytics data will be viewable in the Sleeknote Dashboard provided by the Processor.
Measures to ensure that the Controller is allowed to access, rectify, delete, block and manage objections to the processing of Personal Data:
The Controller is able to download data submitted by visitors on the Controller’s website in CSV format through the Sleeknote Dashboard provided by the Processor. If the Controller wishes to rectify, delete or block data or in any other way wishes to manage objections to the processing of personal data, the Processor must notify the Processor of such wishes by contacting the Sleeknote Customer Success Team. The Sleeknote Customer Success Team will validate the ownership of data and perform the requested actions. The Processor does not enable editing of personal data. Incorrect Personal Data will thus be deleted and must be resubmitted in its correct form by the data subject.
Measures to ensure the portability of Personal Data, if the migration of data is requested by the Controller or data subjects:
Data submitted by the data subjects (visitors on the Controller’s websites) will be downloadable through the Sleeknote Dashboard provided by the Processor.