PRIVACY POLICY FOR GRIPP APPLICATIONS
Effective Date: February 2025
Gripp.com B.V. (Gripp), a company registered in The Netherlands with registration number 27225823 whose registered office is at Burgemeester Stekelenburgplein 199 Unit 2.1, 5041SC Tilburg, The Netherlands, understands the importance of protecting and safeguarding your privacy and the security of your (business) data when you use our application (“Gripp Applications”).
When we refer to personal data in this Privacy Policy (“Privacy Policy”), we mean any information relating to an identified or identifiable natural person: an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity (“Personal Data”). When we refer to data, we mean any type of data that is stored, used, and processed when using Gripp Applications (“Data”). Personal Data is included in the term Data. A reference to “Gripp” in this Privacy Policy has the meaning given to it in the Agreement (the “Agreement” is defined below in paragraph 1).
This Privacy Policy informs you under which conditions we process Personal Data and what measures we have implemented to protect Personal Data in our Gripp Applications.
WHEN DOES THIS PRIVACY POLICY APPLY?
This Privacy Policy applies to Gripp Applications offered by Gripp that refer to or incorporate this Privacy Policy. Gripp Applications may enable you to purchase, subscribe to or use other products and online services from third parties with different privacy practices; these other products and online services will be governed by their respective terms and conditions and policies. Furthermore, this Privacy Policy does not apply to any other services offered by other companies or individuals, including products or sites that may be displayed in search results, sites that may include Gripp Applications, or other sites linked to our products and services. Gripp’s marketing sites and other public websites associated with our services and products are governed by the gripp.com Privacy Statement which you can find at privacy statement.
This Privacy Policy is specific to Personal Data that we process solely on your behalf as part of Gripp Applications.
1. YOUR PERSONAL DATA
Your Personal Data in the Gripp Applications
Before purchasing, registering to, or using Gripp Applications you should read the respective agreement and terms and conditions for those Gripp Applications (together: the “Agreement”) carefully; these describe your and Gripp’s rights regarding the collection and use of Your Personal Data. In order to deliver the Gripp Applications we collect, store, use and process Your Personal Data as further described in this Privacy Policy and the Agreement.
After entering into the respective Agreement for the Gripp Application, you can always choose not to provide Your Personal Data to Gripp. In this case, Gripp cannot guarantee the performance of Gripp Applications to you as stated in the Agreement since Your Personal Data may be required to provide you with all the different functionality of the Gripp Applications.
Which Data does Gripp collect and for what purpose is it used?
You are the data controller for the processing of your Personal Data. Gripp acts as a data processor on your behalf and in accordance with your instructions, unless required otherwise by applicable law to which Gripp is subject; in such a case, Gripp shall inform you of that legal requirement before processing, unless that law prohibits such notice.
Since you are controller for the processing of the Personal Data, Gripp is not responsible for the lawfulness of the data processing we perform on your behalf. The responsibilities and liabilities for Personal Data are set out in the Agreement. In case of conflict with any stipulation in the Agreement, this Paragraph 1 shall prevail.
Your Personal Data is collected through multiple channels. We collect Your Personal Data when you register to the Gripp Applications, purchase, or use the Gripp Applications. This may include Personal Data that has been provided to us by a reseller of the Gripp Applications, or Personal Data that we have been provided with by your employer, for example to set up your account or to integrate Gripp Applications with other products. Your Personal Data is classified in the following categories.
- Contact Data: When you purchase the Gripp Applications it may be necessary to provide us with your Contact Data such as your name, email address, physical address, and telephone number. We use your Contact Data to establish and fulfil our contract with you and to communicate with you, e.g., sending you service-related messages. In addition, we may use your Contact Data to send direct marketing communications in relation to other products and services provided by us, where you give us consent. You will always be able to opt-out of electronic direct marketing by following the instructions in the relevant communication.
- User data: User data refers to the information that is required to register a user within Gripp Applications and must be provided to Gripp by you. This includes name, email address and telephone number.
- Browser Data: We log your IP-address and unique device-ID and may assign other electronic identifiers in order to properly deliver the Gripp Applications or for security purposes.
- Metadata: When you upload files, such as photos and videos, to Gripp Applications the information with these files, the metadata, is processed. Metadata takes different forms depending on the type of data they relate to, such as the creation and modification date of a file, the title and description of an image, the length and format of a video, or the location data of a photo.
- Support Data: In the event you submit a support request we may need to collect the relevant Support Data to fulfil your support request. This Support Data can consist of contact or authentication Data and chat session personalisation or any other Data which we need to solve your support request. For some Applications we may register usage data to assist us with your support request.
- Business Data: Business Data is data that you enter into the application yourself (manually or via integrations with third-party products and services) and you find necessary to make use of the Gripp Application according to your needs. This data can be names, user names, email address, telephone numbers, working hours, salary information, bank account details etc.
- Payment Data: To complete the financial transactions, we need your bank details, organisational tax ID, business address or any other relevant Data.
- Usage Data: We may process statistical information about your use of the Gripp Applications to facilitate our service provision, in particular to improve the user experience, to identify performance issues or other service malfunctions, as well as to pursue our legitimate interests.
- Cookies: Gripp uses cookies and tracking technologies to deliver the Gripp Applications and for other purposes detailed in the cookie banner when you visit our Gripp website. Where required, Gripp will ask for consent to place cookies on the user’s device.
In addition to the purposes mentioned above, we use Your Personal Data for compliance with applicable laws and protection of Gripp’s legitimate business interests and legal rights, including, but not limited to, use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).
Sharing and transfer of Your Personal Data
We do not share or sell your Personal Data. We may involve sub-processors in the provisioning of Gripp Applications. For more information about sub-processors, see the relevant section below.
As a result, your Personal Data may be processed outside the European Economic Area (“EEA”). Where personal data is transferred outside the EEA, we will ensure that it is protected to the same extent as within the EEA. We will transfer personal data to countries with privacy laws that provide the same protection as the EEA, as determined by decision of the European Commission, or we will ensure that appropriate Standard Contractual Clauses are in place for those countries with privacy laws that do not provide adequate protection. We may rely on the approved binding corporate rules of our suppliers as an appropriate safeguard. To obtain a copy of the relevant transfer mechanism or additional information on transfers, please send your request using the contact details set out in this Privacy Policy.
Retention of Your Personal Data
Gripp will keep Your Personal Data for the duration of any contractual relationship you or your employer has with us, and, to the extent permitted, after the end of that relationship for as long as necessary to perform the purposes set out in this Privacy Policy. Laws may require Gripp to hold certain Personal Data for specified minimum periods. For example, payment transactions in relation to the Gripp Applications you use are retained for seven years based on applicable tax legislation. In other cases, Gripp may retain Your Personal Data for an appropriate period of seven years after any contractual relationship with you ends to protect itself from legal claims, or to administer its business.
All Business Data entered and processed by you in the Gripp Applications will be stored and retained for the duration of the Agreement. After termination of the Agreement your Business Data may be retained for an additional period depending on your Agreement. During this period the contract can be re-activated without losing Business Data or you may choose to have your Business Data transferred back to you. After the period the Business Data will be permanently removed from storage. For the avoidance of doubt, we have no retention or storage obligations in relation to any Business Data you store ‘on premise’ while using the Gripp Applications.
Your Rights in relation to Your Personal Data
You have several rights relating to your personal data. You have the right to request access to your Personal Data, correct your Personal Data, delete, or restrict its processing, or ask us to transfer some of Your Personal Data to other organisations. You may also have the right to object to certain processing activities, and to the extent that we have asked you for consent to process your data, you have the right to withdraw this consent. Our commercial communications (such as our newsletters) contain the “unsubscribe” link or a similar way to unsubscribe from these communications.
These rights may be limited in certain situations, for example where we can demonstrate that we are legally obliged to process your data. If you wish to exercise your rights, you can contact us using the contact details set out in this Privacy Policy.
Automated decision-making and Your Personal Data
We do not use automated decision-making to enter into the Agreement with your company. We may use automated decision-making without human intervention, which is permitted by law. Such decisions are solely based on a fully automated process, without any human intervention. If in the future we would switch to automated decision-making that has legal consequences for you or concerns you to a large extent, we will inform you in advance.
Restrictions on Gripp’s access and use of your Business Data
Gripp is not involved in any way with the nature or content of Business Data. The data entered may be added, edited or deleted at any time by the Controller. Our personnel are forbidden to access your Business Data unless you have given us your permission for this and/or this access by our personnel (such as customer support, consultants, and administrators) is necessary to operate the Gripp Services, or to improve, analyse or support your use of the Gripp Services. When permission to access is granted, this access is carefully controlled and logged, and our personnel are obliged to follow our internal security policy regarding the handling of your Business Data. The operational processes and controls which govern access and use of Business Data in the Gripp Services by our personnel are rigorously maintained and regularly verified by accredited audit firms.
How can you manage the access and use of your Business Data?
The user management of the Gripp Applications, including providing access and granting and revoking of permissions within your area of the Gripp Applications, is your own responsibility. The Gripp Applications may provide certain functionalities for creating and deactivating users and setting permissions to ensure support of segregation of duties. Log-in details are personal to the individual user and must not be shared with other users.
Providing assistance
At your request and at reasonable expense, we will assist you with your obligation as a data controller using the Gripp Applications to respond to requests from data subjects seeking to exercise their rights under applicable data protection laws (to the extent that you cannot already deal with such requests through the Gripp Applications). In addition, and at your request and at reasonable expense, taking into account the nature of processing and the information available to Gripp, we will assist you with your obligations in relation to data protection impact assessments and prior consultation procedures with competent data protection authorities.
Sub-processors
You consent to Gripp hiring sub-processors to deliver (parts of) the Gripp Applications and to process your Personal Data. Such sub-processors are prohibited from using Personal Data for any other purpose than stated in the Agreement and Gripp contractually ensures that the sub-processors and their employees will maintain confidentiality regarding the Personal Data and will comply with the necessary instructions and security measures as determined in this Privacy Policy.
A list of current sub-processors is available on our website. Gripp may update this list and appoint new sub-processors, provided that you are given notice and you do not have a legitimate objection to such changes. Legitimate objections must contain reasonable and documented grounds relating to a sub-processor’s non-compliance with applicable data protection legislation. If, in Gripp’s reasonable opinion, such objections are legitimate, Gripp shall refrain from using such sub-processor in the context of the processing of your Personal Data. In such cases, Gripp may use reasonable efforts to make a change in the Gripp Applications available to you to avoid the processing of your Personal Data by the disputed sub-processor. If Gripp is unable to make available such change within a reasonable period of time, you may, as your sole and exclusive remedy and by providing written notice to Gripp, terminate your use of the affected Gripp Applications in accordance with the Agreement or after full payment of a mutually agreed termination fee.
Location of Business Data
Depending on the Gripp Applications you use, your Personal Data may be stored on servers of our sub-processors, which are located in different datacentres. By entering into the Agreement, you consent to your Personal Data being stored on the servers of our sub-processors as set out in this Privacy Policy and/or the Agreement. Please note that, depending on your Gripp Services, these servers may be located outside of the EEA. A list of locations is on our website.
Gripp’s infrastructure is configured in a redundant configuration. The Personal Data is stored in a multi-tenant environment and all datacentres guarantee a high availability. To protect your Personal Data and for improved availability and continuity of our Gripp Applications, we may transfer your Data to other Datacentres within the EEA.
Applications developed by other companies
Gripp Applications provide various possibilities to integrate or connect Gripp Applications with products and services of third parties for improved user experience. Any third-party applications which connect to Gripp Application on your behalf will handle and process Personal Data. It is your responsibility to ensure compliance to applicable laws and regulations by you and by the third parties who operate these applications. When applications are developed by Gripp, this Privacy Policy applies.
Security breaches
To protect Personal Data from unauthorised access, use, modification or accidental loss and destruction, Gripp has taken technical and organisational measures to secure the processing of your Personal Data (see paragraph 2). Should any security breach occur that impacts Personal Data you will be notified without undue delay once the breach has been determined. The term “security breach” shall be understood to mean: any breach of the security measures, as set out in the section “Security measures to protect Personal Data” in paragraph 3, leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Business Data transmitted, stored, or otherwise processed.
Once we notify you of any security breach we shall cooperate with you regarding such incidents, to enable you to investigate the incident. To the extent such security breach was caused by a violation of the requirements of the Agreement and/or this Privacy Policy by us, we shall make reasonable efforts to identify and to take suitable further steps in respect of the security breach.
Any notifications in connection with a security breach shall be addressed to your contact person as stated in the Agreement.
2. ADDITIONAL STIPULATIONS
Support in the case of termination of the Agreement
If the Agreement is terminated, you have the right to have your Data transferred back to you. Depending on your Agreement, you may do this until the last day of your Agreement or the agreed upon additional period. You may choose to do this yourself by downloading all Data from Gripp Applications. These Datafiles are provided in open format and are accessible with free tools. In addition, various export formats (csv and xml) as well as APIs may be available to export Data.
Data protection legislation
Protecting the privacy and security of Personal Data is of the highest importance to us, and we are committed to compliance with all applicable data protection laws that apply to the Gripp Applications and processing of your Data, as agreed upon in the Agreement.
Law enforcement requests
We will not disclose Personal Data to a third party (including law enforcement, other government entities or civil litigants) except as described in this Privacy Policy and in the section “Sub-processors” above, as you direct us or as required by law, an ordinance, or a court order.
Confidentiality
Gripp shall treat all Personal Data as strictly confidential and shall inform all its employees, agents and/or sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data. Gripp shall ensure that all such persons or parties are bound by similar confidentiality obligations.
Security measures to protect Personal Data
Gripp shall take technical and organisational measures to secure the processing of the Personal Data. These measures include, but are not limited to:
- the prevention of unauthorised persons from gaining access to data processing systems (physical access control);
- the prevention of processing systems being used without authorisation (logical access control);
- ensuring that persons entitled to use a data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified, or deleted without authorisation (Data access control);
- ensuring that Personal Data cannot be read, copied, modified, or deleted without authorisation during electronic transmission, transport, or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (Data transfer control);
- ensuring that measures are implemented for subsequent checking whether Personal Data have been entered, changed, or removed (deleted), and by whom (input control);
- ensuring that Personal Data are processed solely in accordance with the instructions (control of instructions);
- ensuring that Personal Data are protected against accidental destruction or loss (availability control);
- ensuring that Personal Data collected for different purposes can be processed separately (separation control).
Transferring Personal Data over the internet is at your own risk and you should only enter the Gripp Applications or transfer Personal Data to and within the Gripp Applications by using a secure environment.
Gripp strongly recommends that you connect to the Gripp Applications via secure and encrypted channels (https). The channels are secured based on current best practices and can be verified on https://www.ssllabs.com/ssltest/analyze.html. All recommendations for increasing the security or mitigating security issues will be promptly investigated and implemented if appropriate. You should ensure the URL used for the Gripp Applications is the correct one and the certificate is valid and assigned to Gripp.
Despite the above-mentioned measures, you are solely responsible for implementing appropriate security measures for Personal Data processed when using the Gripp Applications in accordance with data protection laws applicable to them.
Changes
Gripp reserves the right to change this Privacy Policy. Any amendments to this Privacy Policy are effective upon posting on this website and/or in our customer portals and we will revise the “effective date” at the top of this Privacy Policy. You should check this website and our customer portals frequently for recent amendments. Your continued use of the Gripp Services will be deemed as acceptance of any amended Privacy Policy.
Audit and Documentation
The availability and security of the Gripp Applications will be audited by independent auditors annually and an Information Security Management System has been put in place to manage defined risks in these areas. Gripp complies with the ISO27001 standard; our certification and related documentation is available here.
You have the right to audit Gripp’s compliance with Paragraph 1, no more than once per contractual year and at your own cost, only if you have reasonable grounds to believe that Gripp has violated a material obligation of this Paragraph 1, or if a competent data protection authority requests this. Subject to a justified written proposal from you and the approval of Gripp, such an audit will be performed either i) by Gripp or ii) by a qualified, independent third-party security auditor (the “Auditor”) who possesses the necessary professional qualifications and is bound by a duty of confidentiality. During such an audit, the Auditor may enter Gripp’s facilities during normal business hours and examine Gripp’s work routines, set ups and technical infrastructure provided this does not have unreasonable impact on Gripp’s business in general and on the IT security of Gripp in particular.
At Gripp’s discretion or at your specific written request, Gripp may provide evidence of the suitability of the technical and organisational measures described in this Privacy Policy. For this purpose, Gripp may also present up-to-date attestations, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, the data protection officer, the IT security department, or quality auditors).
3. ENQUIRIES AND COMPLAINTS
If you have any questions or complaints about how we handle the processing of Personal Data or about this Privacy Policy you can address these through the contact details set out below. You always have the right to lodge a complaint with your local data protection authority.
4. Data Protection Officer
Gripp.com is an Exact Group B.V. (“Exact”) subsidiary. Exact Group B.V. is a limited liability company in the Netherlands, registered in the Commercial Register of the Chamber of Commerce under number 27225828, with its registered office at Molengraaffsingel 33, 2629 JD Delft, The Netherlands. Exact has appointed a Data Protection Officer for you to contact if you have any questions or concerns about Exact’s personal data policies or practices; please send us an email at dpo@exact.com.
Address: Molengraaffsingel 33, 2629 JD Delft, The Netherlands
Telephone number: +31(0)15 711 51 00
5. CONTACT US
Gripp Contact Form https://www.gripp.com/contact/
Gripp Support support@gripp.com.
By Phone
You can reach us by telephone on +31 (0)85 065 5432