Last modified: 4 May 2023
Pawn AS (org. No. 931 316 753) (“Pawn” or the “Provider” or “we”/“us”) cares about individuals’ privacy and is committed to processing personal data in compliance with the locally applicable laws and regulations.
Who is the data Controller?
Personal data, purpose and legal basis for processing
The Provider processes, among other things, personal data relating to contact persons at its customers, service providers and business partners, users, potential candidates and others who contact the Provider or visit our webpage.
We may process your personal data in connection with the following processing activities:
- Contractual relationship: In a contractual relationship between the Provider and individuals, personal data may be necessary to the execution or the performance of the contract (GDPR Article 6 (1) (b)), such as contact information and other personal data necessary to fulfill the contract.
- Contract management and business relationship: In connection with the administration and management of contracts with the Provider’s customers, business partners etc. and for business and partner relationship purposes, we may process personal data such as contact information of contact persons at such customers, business partners, in addition to personal data contained in contracts, ongoing commercial correspondence, invoices, minutes of meeting etc. The legal basis is the Provider’s legitimate interest in entering into business relationships, fulfilling contracts and administering such relationships (GDPR Article 6 (1) (f)).
- Use of the Provider’s website, application, Service: We may process personal data about visitors to/users of our website, application and Service. This may include data that is submitted by the visitors/users, or data that is collected using cookies and other information gathering methods to enhance the user experience and optimize the methods, where personal data such as IP address may be collected. The legal basis for such processing is the Provider’s legitimate interest in providing and maintaining the webpage, application, Service, and collecting statistics (GDPR Article 6 (1) (f)).
- Maintaining and improving the Service. We may process data in order to maintain or improve the Service. This may include accessing or migrating data in order to find and fix errors, or develop new features. The legal basis for such processing is the Provider’s legitimate interest in providing and maintaining the Service (GDPR Article 6 (1) (f)).
- Marketing, newsletters etc.: If you have signed up for marketing or our newsletter, we may process your name, contact information etc. in order to submit such materials to you. Such processing is based on your consent (GDPR Article 6 (1) (a)).
- Recruitment: If you apply for a position at the Provider, we may process your personal data in order to assess your application such as CV, application, certificates, references and other information you may provide or which we need to verify to assess your application. The legal basis for such processing is normally that it is necessary in order to take steps at the request of the candidate prior to (potentially) entering into an employment contract. The processing may also be based on our legitimate interest in finding the best candidate for the position (GDPR Article 6 (1) (f)), or your consent (GDPR Article 6 (1) (a)).
- Ensuring compliance and legitimate interests: The Provider may also process personal data in order to comply with statutory obligations to which the Provider is subject, and to safeguard our or third parties’ legitimate interests, e.g. in relation to establishing a legal claim or preventing unauthorized access to or disclosure of personal data (GDPR Article 6 (1) (f)).
- Legal obligations. We may process personal data due to legal obligations applicable to the operation of the Service (GDPR Article 6 (1) (c)), such as accounting obligations.
We may, on a case-by-case basis, process personal data for other purposes and rely on different legal grounds, such as consent or legitimate interests or in accordance with applicable data protection law, as set forth in an applicable privacy notice.
We will only disclose your personal data to third parties to the extent we have a legal basis for such disclosure.
We may share data with third parties in the following situations:
- Data that is submitted with an intent to share, collaborate or communicate with other users, may be shared with those users.
- Data that is used to create a research dialog, including profile information about the creator, is made publicly available when the dialog is published.
- Data that is submitted in a research dialog, may be shared with the Customer who created that Dialog.
- Data is shared with Sub-Processors when needed in order to perform their sub-processing functions. (See the Sub-Processor section below for more info.)
- Data may be shared with Public Authorities, when it is necessary to comply with law, prevent or investigate potentially unlawful behavior, or to resolve disputes.
- If the Provider engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Provider’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all data may be shared or transferred, subject to standard confidentiality arrangements.
We may process and store your personal data outside the EU/EEA. All processing in a third country will be subject to mechanisms ensuring sufficient security for your personal data, such as EU Standard Contractual Clauses or an adequacy decision from the EU Commission, in addition to all necessary required steps under applicable law in order for such transfer of your personal data to be compliant with applicable law. To see the data processing locations of our sub-processors, view the Sub-Processor section below.
Data retention and deletion
We store data for as long as it is necessary to fulfill the purposes for processing as defined above. Please note that continued storage may be necessary due to statutory obligations to which Staffers are subject, e.g. statutory rules related to storage for accounting purposes, or due to Staffers' legitimate interests, e.g. for the purpose of establishing, exercising or defending a legal claim.
When the Agreement is terminated, or we receive a deletion request:
- We delete data within 30 days.
- Within 30 days of deletion, our database backups will also be deleted, and the data will become unrecoverable.
- To see the data retention policies of our sub-processors, view the Sub-Processor section below.
To support delivery of our Service, we may engage and use data processors with access to certain data (each, a "Sub-Processor").
- Our Sub-Processors are listed under Sub processors below, including their processing function, location, and data retention policies.
- Customers receive a minimum 7 days advance notice of changes to our use of Sub-Processors.
- Customers may reasonably object to changes in our use of Sub-Processors, by emailing [email protected] with the subject line “Object”.
Pawn values your privacy rights and has taken reasonable steps to protect the users' privacy, including by implementation of physical, technical and organizational measures, to prevent loss, alterations, theft and unauthorized access to information stored and otherwise processed.
To ensure data availability:
- Our systems are run on multiple instances and servers.
- Database backups are made automatically on a daily basis.
To ensure data confidentiality and integrity:
- Only relevant personnel can access the data.
- Our personnel are bound by Non-Disclosure Agreements in their work contracts.
- Data is encrypted with Transport Layer Security (TLS) in transit between research dialogs and our systems.
- Research data is encrypted at rest in our databases.
To ensure physical security:
- We require two-factor authentication to our systems.
- We require password, code or biometric identification to access our devices.
- We require a keycard to access our headquarters.
To ensure accountability:
- We keep an audit log for deployments of changes to source code.
- We keep a 30-day audit log for events happening in service.
- None of these logs contain personal data.
To ensure transparency and intervenability:
- To access, rectify, delete, block or object to processing of data, the Customer may submit a request by emailing [email protected]. We will respond to such requests within 30 days.
Your data rights
As a data subject, you are entitled to request access to the personal data we process about you, request that we update or correct your personal data, and/or withdraw any consent to processing. In some circumstances, you are also entitled to request that your personal data be erased, request restriction of processing or object to processing, and/or request data portability.
To make a request to exercise any of these rights, email us at [email protected]. We will respond to the request directly within 30 days.
You are also entitled to lodge a complaint with a supervisory authority if you believe that our processing of your personal data is contrary to relevant data protection laws.
If we make changes in the processing of personal data, this policy will be updated, and the change will be notified on the webpage, in the Service, or by use of your contact information.
To contact us about data processing, email [email protected].
Last modified: 4 May 2023
To support delivery of our Service, the Provider may engage and use data processors with access to certain data (each, a "Subprocessor").
Google Cloud EMEA Ltd, 70 Sir John Rogerson's Quay, Dublin 2, Ireland.
- Data processing function: To host and run our Service
- Data processing location: Europe
- Data processing policies: According to their Data processing and security terms, “as soon as reasonably practicable and within a maximum period of 180 days, unless European Law requires storage longer.”
Please refer to: https://mailchimp.com/legal/data-processing-addendum/