Effective June 1st, 2022
Data Collected and Received by GarageApp
Definition of Information Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Identification Information
We may collect personal identification information from Users in a variety of ways, including, but not limited to, when Users visit our Sites, register on the Sites, and in connection with other activities, Services, features or resources we make available on our Sites. Users may be asked for, as appropriate, name, email address, and billing information. We will collect personal identification information from Users only if they voluntarily submit such information to us, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Users can always refuse to supply personal identification information, except that it may prevent them from engaging in certain Sites-related activities. Real names and billing information are encrypted on SDC Marketing Inc’s servers. We will never sell your personal information to third parties and we won’t use your name or company name in any marketing statements without obtaining your permission in writing.
Non-Personal Identification Information
We may collect non-personal identification information about Users whenever they interact with our Sites and applications. Non-personal identification information may include the browser name, the type of computer and technical information about Users' means of connection to our Sites, such as the operating system and the Internet service providers utilized and other similar information.
Services Metadata – when Users interact with our Services, metadata is generated to help provide additional context regarding how Users interact with our Sites.
Log Data – Our services will automatically collect information when Users and Site Administrators access or use our Sites or Services and record it in log files. Log data may include IP address (or a shortened version of it), previously visited web page addresses, browser type and settings, time and date when Services were used, browser configurations and plugins, language and cookie data.
Device Information – GarageApp collects information about your computer, phone, tablet, or other devices you use to access our Services. This device information includes your connection type and settings when you install, access, update or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the devices you use to access the Services.
Location information – GarageApp will receive this information from Users during our Account Registration as well as from the Users' devices should the ‘Location Services’ setting be turned on.
Personal information – GarageApp is an interactive community site and app, therefore any User-generated data by use of our Services will be collected and stored by SDC Marketing Inc. Collected data includes, but is not limited to, data that Users post, send, receive or share. These include any files or links that Users upload to our Services, including pictures and videos (public and/or private). It also includes all forms of personal information given by the User in their User profile. Personal data will only be accessible through authorized and limited Administrator accounts or Users' designated accounts and can only be viewed, or altered, by Users belonging to such accounts. SDC Marketing Inc will never share, sell, or exploit any Personal information unless specifically requested by the User through written consent. Any advertising targeted to the Users will be done in an anonymized manner. Users will also be able to request the log data of their account accesses to see what potential Administrator users accessed.
Web Browser Cookies
How GarageApp Uses Collected Data
Users are the primary Controllers of User Data. GarageApp is a processor of User Data and Controller of certain other data. SDC Marketing Inc will never remove Users from GarageApp unless specifically instructed by the User or if the User transgresses the Terms of Service or the User failed to provide payment for GarageApp's services (see Terms of Service for additional information).
GarageApp collects and uses Users' personal information for the following purposes:
- To personalize User experience and improve our Sites and applications.
- We may use information in the aggregate to understand how our Users as a group use the services and resources provided on our Sites.
- We continually strive to improve our website offerings based on the information and feedback we receive from you. Your information helps us to more effectively respond to your customer service requests and support needs.
- To administer a content, promotion, survey or other Sites features, through explicit consent (see below for Consent Requirements).
- To send Users information they agreed to receive about topics we think will be of interest to them, in the form of newsletters, alerts or other ‘push’ technologies.
- We may also use your email address to deliver information that, in some cases, is targeted to your interests, such as banners and promotions, through explicit consent (see below for Consent Requirements).
- We also send you periodic informational updates via email, through explicit consent (see below for Consent Requirements).
- The email address Users provide will only be used to respond to their inquiries, and/or other requests or questions. If a User decides to opt-in to our mailing list, they will receive emails that may include company news, updates, related product or service information, etc, through explicit consent (see below for Consent Requirements). If at any time the User would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email.
- As required by applicable law, legal process or regulation.
- For Billing, account management and other administrative matters, accessed only by designated specific SDC Marketing Inc billing managers.
- For investigative and preventive measures against Site abuse. Accesses by GarageApp will be logged in the User log file and said log file can be requested and contested at any time.
- We use information about Users when granted consent for a specific purpose not listed above. For example, we may publish testimonials or feature customer stories to educate, entertain, promote our Services.
- We will always ask for consent prior to posting any information for promotional or media purposes.
Sharing and Disclosure of Information
GarageApp and SDC Marketing Inc will only disclose or share User information for the following purposes:
- User’s Request: GarageApp will share all User Data based on User’s request and instructions (see below for more details).
- Media Collaboration: Users can create content, which may contain information about themselves or other Users, and grant permission to others to see, share, edit, copy and download that content. Some of the collaboration features of the Services display some or all of your profile information to other Service Users when you share or interact with specific content. Similarly, when Users join a Service, your nickname, profile picture and other information will be displayed in a list for other site members so they can find and interact with you. This excludes any use and sharing of that information by other members to a third party.
- Legal Compliance: If requested by legal Authority, SDC Marketing Inc may disclose User information that we determine to be in accordance or required by any applicable law.
- Enforcement: SDC Marketing Inc also reserves the right to disclose User information to investigate, prevent, or take action against illegal activities, suspected fraud, or situations involving physical threat to any such persons.
- Consent: SDC Marketing Inc may share User information with other 3rd parties in instances when we have Users’ consent to do so.
- One-time consent is also required in the following individual scenarios (consent needs to be given only once per User account): When the User builds a new profile; When the User logs in after June 1st, 2022; When the User changes some personal information on their profile; When the User will want to use the Sites' Messenger capabilities; When the User will want to receive the GarageApp Newsletter; When the User will want to receive GarageApp Promotions; When the User will want to receive GarageApp third party offers; When the User will want to share their content.
Third Party Service Providers and Partners: SDC Marketing Inc works with third-party service providers and partners to provide website and application strategy, product management, development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for GarageApp, which may require them to access or use User information. If a service provider needs to access information about Users to perform services on SDC Marketing Inc's behalf, they do so under instruction from SDC Marketing Inc, including abiding by policies and procedures designed to protect User information. To SDC Marketing Inc's knowledge, our third party Service Providers and Partners are in compliance with GDPR.
Amazon Web Services (servers and infrastructure) – GDPR info
Google Analytics (data collection) – does not contain personal information, but there may be provisions to strip the last digits of the Users' IP address.
Operational Partners: SDC Marketing Inc works with 3rd parties who provide billing, support and technical services to deliver and implement solutions to our Users. SDC Marketing Inc may share User information with these 3rd parties in connection with their services, such as to assist with billing cycles, to provide localized support, and to provide customization work. SDC Marketing Inc may also share information with these 3rd parties where Users have granted Consent to share any information, for example, technical or customer support services.
Links to 3rd Party Sites: GarageApp's Services may include links that direct you to other websites or services whose privacy practices may differ from ours, like Content Providers. What you submit to these 3rd party sites is governed by their Privacy Policies and is not covered by SDC Marketing Inc Privacy Policies.
The operations of SDC Marketing Inc require our employees to have access to systems which store and process User Data. This primarily serves the purpose of problem diagnostic or troubleshooting. For example, in order to diagnose a problem Users may have with GarageApp services, our Employees may need access to your User Data. All employees and affiliated subcontractors are prohibited from viewing User Data for any reasons unless absolutely necessary to do so.
If Users require deletion of their data, we require Users to delete their account. When Users delete their account or decide to no longer participate in the Services, the following is how data deletion will be treated: Majority data deletion will occur upon User consent. Complete data deletion will occur post 90 days. Please see “Data Retention” below for additional details regarding 90-days data retention.
Users, at any time, may request a deletion of their personal data. If such request is made, the account will be deactivated and will remain in the backups and life-cycle we maintain to ensure we do not store data inside backups more than 90 days. Users may email firstname.lastname@example.org to request data deletion, cancel their User account or fill out the GDPR User Rights form on the site. If Users fail to make payment for any paid plans, GarageApp will remove all paid features and return Users to the Free / Trial Plan. Please see our ToS for User inactivity under the Free Plan. If GarageApp deletes an account due to inactivity, the above scenarios will apply.
Information storage and security
SDC Marketing Inc uses data hosting service providers in the United States to host collected information, and we use technical measures to secure all data. Despite the thorough security measures and safeguards that GarageApp implements to protect data, no security system is impenetrable and due to the inherent nature of the Internet, SDC Marketing Inc cannot guarantee that data, during transmission through the Internet or while stored on our systems or otherwise in our care, is absolutely safe from intrusion by others. SDC Marketing Inc has policies in place in case of such situations and will respond to requests about this within a reasonable timeframe. Please contact email@example.com for more information.
How long we keep information
How long we keep the information we collect about you depends on the type of information, as described in further detail below. After such time, we will make every effort to delete your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
User Account information: We retain User information until Users delete their account(s), after which we will continue retaining the data for up to 90 days after account deletion. In particular: Email, Admin Notes, IPs, Access History, Payment History and Nickname. GarageApp maintains this practice for the following reasons:
In the event that a User’s account has been compromised and purposely deleted, GarageApp will help maintain and restore data once the situation is rectified.
An account was mistakenly deleted by Users. In such an event, GarageApp will be able to restore data for Users.
Various data storage systems and backups have different lifecycle policies which are held for a maximum of 90 days. For example, our database backups are encrypted, incremental and full re-cycle in 30 days. It is impossible to erase User data inside encrypted incremental backups in real-time.
SDC Marketing Inc may also retain some of the User data as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies any specific Users, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about any Users. The information you share on the Services: If User’s account is deactivated or disabled, some of the User information and the content that Users have provided will remain in order to allow other members or other Users to make full use of the Services. For example, we continue to display comments and content you provided to forums. SDC Marketing Inc will hold User data up to 90 days after account cancellation in case Users will renew again within that time frame.
Marketing and Promotional information: If Users have elected and provided consent to receive marketing and promotional emails from GarageApp, we retain information about Users’ marketing preferences unless asked specifically to delete such information. GarageApp retains information derived from cookies and other tracking technologies for a reasonable and specific period of time from the date such information was created.
We take the security of your data very seriously at SDC Marketing Inc. As transparency is one of the principles on which our company is built, we aim to be as clear and open as we can about the way we handle security.
SDC Marketing Inc has further committed to refer any unresolved privacy complaints for our EU Users to an independent dispute resolution mechanism, JAMS Privacy Shield Program. Please note that if complaints cannot be resolved through the channels listed here, a binding arbitration option may be available before a Privacy Shield Panel.
Users have certain statutory rights in relation to their personal data. The rights to data subject access include the following:
- Know whether a data controller holds any personal data about them.
- Receive a description of the data held about them and a copy of the data.
- Be informed of the purpose(s) for which that data is being processed, and from where it was received.
- Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
- The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is: 1) provided by the data subject to GarageApp, 2) is processed automatically and 3) is processed based on consent or fulfilment of a contract.
If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention.
SDC Marketing Inc must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the Data Subject Access Request unless local legislation dictates otherwise. Users may also have the option of modifying or deleting their personal information from the GarageApp database. Please contact SDC Marketing Inc's Data Protection Officer for assistance or any inquiries related to personal data: firstname.lastname@example.org or call Helpdesk at 1 866 417-9956. In order to establish the correct User identity, SDC Marketing Inc may require the User to provide official government-issued proof of identity or require a secondary digital validation.
In the event that GarageApp becomes aware that site security is compromised or nonpublic user information has been disclosed to unrelated third parties as a result of external activity, including but not limited to external security attacks, SDC Marketing Inc shall take reasonable measures which it deems appropriate, including but not limited to internal investigation and reporting, and notification to and cooperation with law enforcement authorities, notwithstanding other provisions of this Privacy Statement. If you become aware of such a breach, please fill in the appropriate form on the website, or email email@example.com or create an emergency support ticket. If GarageApp becomes aware that a user’s personal information provided to SDC Marketing Inc has been disclosed in a manner not in accordance with this Privacy Statement, GarageApp shall make reasonable efforts to notify the affected user, as soon as reasonably possible and as permitted by law, of what information has been disclosed, to the extent that SDC Marketing Inc knows this information.
Data Subject Access Request Procedure
Data Subject Access Request (“DSAR”)
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.
A Data Subject Access Request must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal Data Subject Access Request is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all Data Subject Access Request applications.
A Data Subject Access Request can only be made via any of the following methods: email, post, or corporate website. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though the Company will not provide personal information via social media channels.
Requirements for a valid DSAR
In order to be able to respond to the Data Subject Access Requests in a timely manner, the data subject should:
- Submit his/her request using a Data Subject Access Request Form.
- Provide SDC Marketing Inc with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her/their authorized person).
Subject to the exemptions referred to in this document, SDC Marketing Inc will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law), and are received from an individual whose identity can be validated by SDC Marketing Inc. Requests are more likely to be successful where they are specific and targeted at particular information.
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department).
An individual does not have the right to access information recorded about someone else, unless they are an authorized representative, or have parental responsibility.
SDC Marketing Inc is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified, and to satisfy itself as to the identity of the data subject making the request.
In principle, SDC Marketing Inc will not normally disclose the following types of information in response to a Data Subject Access Request:
- Information about other people – A Data Subject Access Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved have previously given consent to the disclosure of their data in one of the scenarios detailed above, such as communications from other users.
- Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a three month period of the original request will be considered a repeat request, and SDC Marketing Inc will not normally provide a further copy of the same data.
- Publicly available information – The Company is not required to provide copies of documents which are already in the public domain, such as stories, forum contributions, and other User-generated content.
- Opinions given in confidence or protected by copyright law – SDC Marketing Inc does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.
- Privileged documents – Any privileged information held by SDC Marketing Inc need not be disclosed in response to a DSAR. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and his/her lawyer) and is created for the purpose of obtaining or giving legal advice.
Data Subject Access Request Refusals
There are situations where individuals do not have a right to see information relating to them. For instance: If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
Requests made for other, non-data protection purposes can be rejected.
If the responsible person refuses a Data Subject Access Request on behalf of SDC Marketing Inc, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of his/her Data Subject Access Request is entitled to make a request to the Data Protection Officer to review the outcome.
No Guarantees for Factors Beyond SDC Marketing Inc's Control
While this Privacy Statement expresses SDC Marketing Inc's standards for maintenance of private data, it is not in a position to guarantee that the standards will always be met. There may be factors beyond SDC Marketing Inc's control (e.g., “script kiddies, crackers and other malcontents, hurricanes, tornados, acts of God, loss of power, diseases, loss of mind, body and soul”) that may result in disclosure of data. As a consequence, SDC Marketing Inc disclaims any warranties or representations relating to maintenance or nondisclosure of private information.
Data Protection Officer