GDPR Privacy Notice

Introduction

EXELA Technologies as a Group of Companies (hereinafter referred to as ‘EXELA’ or/and ‘We’) takes the privacy of an individual’s data very seriously and is committed to protecting and respecting individual’s privacy. The Data Controller of your personal data is Exela Technologies B.V., Herengracht 576b, 1017 CJ AMSTERDAM - Netherlands –Organisation no :72638974 in conjunction with a Joint Controller of Exela Technologies Inc., 2701 East Grauwyler Road Irving, TX 75061 United States of America – Organisation no: 471347291. In the United Kingdom, Data Controllers appointed its representative - Exela Technologies Ltd, Baronsmeded, The Avenue, Egham, England, TW20 9AB Organisation No.: 01283512.

This Privacy Notice describes how we collect, use and process your personal data through our website, with whom we might share it and how long we usually keep it. This also makes you aware of your rights under the European Economic Area or the United Kingdom data protection legislations. This Privacy Notice applies to the personal data of visitors, registered users and subscribers of DMR product and related websites.

Definitions

Visitor refers to a user who accesses the DMR sites but does not register;

Registered User refers to a user who signs up for an account with the DMR;

Subscriber refers to a Registered User who purchases a subscription plan for the DMR;

DMR refers to Digital Mailrooom product created and is a brand owned by Exela.

What information do we collect ?

We collect, store and use some or all of the below listed personal data:

I. Visitor

for general identification – First name, Last name, email address, phone number – this will be collected if you would like to contact us and for instance get more information about the DMR;
marketing and communications data - includes your preferences in receiving marketing communications from us and your communication preferences.
when you interact with our website, we may automatically collect Technical Data and/or Usage Data, unless you have opted-out or have otherwise refused to provide consent. This has been described in next chapter below.

II. Registered User

if you sign up for a DMR account we may collect additional personal data from you such us: user name, email address,
You have the ability to sign up to the DMR account using your Google account. If you authenticate yourself using this option, you grant Exela access to your email address, and, if available your name, photo, and username associated with Google account.

III. Subscriber

if you subscribe DMR Service, we may collect the type of subscription plan and payment type.

We won’t collect, store and use any of the ‘special categories’ of personal information. We do not intentionally collect information from children under the age of 16. Any linked websites of EXELA will have their own privacy notices, and different rules of collecting and processing personal data.

How do we collect this data?

We collect information directly from you when you visit our website or by filling in online forms or by corresponding with us by post, phone, email, social media or otherwise. It also concerns situations when you decide to sign up for marketing communications to be sent to you.

If you fail to provide certain information when requested, we may not be able to comply with contractual obligations and perform the contract we have entered into with you (such as replying on your request), or we may be prevented from complying with our legal obligations.

When you interact with our website, we may automatically collect Technical Data and/or Usage Data, unless you have opted-out or have otherwise refused to provide consent. Following data may be used:

Technical Data: we may collect information about the device you use to access our website, such as your device's IP address and operating system. Additionally, in the case of mobile devices, your device type, and mobile device's unique advertising identifier . Some technical information about the browser you are using will also be collected
Usage Data: This is data about your browsing activity on our website e.g. information about the pages you visited and when, what items were clicked on a page, how much time was spent on a page etc.;
Location Data: This is non-precise information related to your geography derived from your device’s IP address e.g. computer. This does not reveal your precise geographic coordinates. This helps us to display ads that are relevant to your general location e.g. if we’d like to show ads for people located in the UK only;
Ad Data: This is data about the online ads we have served, or attempted to serve to you e.g. how many times specific ad has been served to you, what page the ad appeared on etc.

In addition, We may receive personal data from third parties which shared with us your data as described situation when you authenticate yourself using Google account. Furthermore, Technical Data from analytics and email subscription providers such as LinkedIn, Pardot, Google Analytics or Facebook can be shared with us too. If we receive such data from our third party providers and We will be considered as Data Controller, each time we will inform you from which source the personal data originates, and provide details in separate privacy notice.

We might aggregate data from different sources (both internally and externally) to have a better understanding of your preference and interests, and be able to provide you more relevant communications.

How do we use personal information?

We may process personal information for the following reasons:

send you technical notices, updates, security alerts and support and administrative messages;
provide you a DMR service including opening an account;
respond to your comments, questions and requests and provide customer service;
communicate with you about products, services, offers, promotions, rewards and events offered by us;
assessment and screening of potential clients, business partners or other person with a business relationship with us;
monitor and analyze trends, usage and activities in connection with our services;
to improve the services, website, products, online services, mobile applications and communications we provide towards you or others;
comply with legal obligation, protect of our interests/assets and defense of legal claims.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which we are using that allows us to do so. When required, we will ask your consent before starting among other marketing activities. Please note that even if you opt out from receiving marketing communications, you might still receive administrative, service or other important notices.

What legal basis do we have for processing your personal data?

As a rule our legal basis for the processing of personal data are:

your consent;
performance of a contract;
legal obligation; and
our legitimate business interest.

This legal basis have been defined in the GDPR. We describe each of these below.

Consent

Should we want or need to rely on consent to lawfully process your data, we will request your written consent for the specific activity we require consent for and record your response on our system. Where consent is the lawful basis for our processing you have the right to withdraw your consent to this particular processing at any time (as set out below).

You have the right to withdraw your consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition.

Performance of a contract

We will rely on performance of a contract to provide you the services and manage relationships.

Legal Obligation

We will rely on legal obligation, if we are legally required to hold information on you to fulfil our legal obligations – including where you are placed in a role in a regulated environment. This would include the requirement to obtain and hold data regarding criminal convictions.

This also concerns if EXELA would like to establish or defend it’s legal claims:

Sometimes it may be necessary for us to process personal data and, where appropriate and in accordance with local laws and requirements in connection with exercising or defending legal claims or in case of carrying out other EXELA’s obligations;
This may arise, for example; where we need to take legal advice in relation to legal proceedings or are required by law to preserve or disclose certain information as part of the legal process.

Our Legitimate Business Interests

Our legitimate business interest means processing of personal data is necessary to enable EXELA to conduct its business e.g. matters related to the protection of property, employees and matters related to providing security to persons present at premises. We never override fundamental rights and freedoms of our employees which require protection of personal data.

Local Legislations and Regulations

In certain cases, employment, financial (i.e. anti-money laundering) and other local legislation may require that we collect information that is considered to be ‘delicate’. In these circumstances we will ensure that only the minimum required is collected, and that it is securely stored and that it is deleted when no longer required.

Below you can find examples of legal basis per type of processing which we may undertake:

Type of processing	Legal basis
Maintain an account and/or provide customer service;	Performance of a contract
Communicate with you about products, services, offers, promotions, rewards and events offered by us (marketing activity)	Consent
Give an option to accept or reject cookies on our website	Legal obligation
Monitor and analyze trends on our website	Legitimate interest

When do we share personal data?

EXELA being an international company processes data in locations both in the EEA or the UK and outside the EEA or the UK. We share your personal information with other entities of EXELA as part of our regular reporting activities on company performance, in the context of a business reorganization or restructuring exercise, for system maintenance support and hosting of data. Several support services such as finance are centralized and located outside of the EEA or the UK. We transfer the personal information we collect about you to EXELA entities within EEA, UK and in USA and India.

We may share your personal information with

different governmental authorities, institutions, agencies (or similar), or insurance companies where required by law for the purpose of their regulatory tasks; and
other Exela subsidiaries

Where we do share your data with 3rd parties or other EXELA’s entities, the shared data will be limited to that which is required by the 3rd party or other EXELA’s entity to provide the required processing. In such cases your personal data are safeguarded by Data Processing Agreements, committing outsourced service providers to process your personal data for specified purposes and in accordance with our instructions, comply with the GDPR and/or the UK-GDPR and apply appropriate security measures to protect your personal information in line with our policies. All transfers outside EEA made to countries which are considered by the European Commission, or by UK government relating to the transfers outside UK, to not provide an adequate level of protection of personal information are safeguarded with agreements based on Standard Contractual Clauses approved by European Commission, and/or UK government realting to the transfers outside UK. Where data is being transferred to USA, we have established appropriate impact assessments to verify whether importers of data located in USA conform European data protection legislation.

As an example we have listed on table below several categories of personal data which We may share with other entities of EXELA and selected third parties:

Third Party	Categories of personal data shared	Comments
EXELA India	internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.	Acts as a Data Processor - Website updating and technical deployments.

More details about sharing data can be obtained from contact point specified in point 12.

How do we secure personal data?

Once We have received your information, we will use strict procedures and security features to prevent unauthorised access. All information you provide to us is stored securely on our servers. We have in place the following measure to ensure that confidentiality, integrity and availability of the personal data we hold on you.

Facilities are in place to ensure that data is backed up in the case of accidental or deliberate loss, and that the system can be recovered with minimal interruption in case of a loss of service;
Access to the data is tightly controlled and only authorised users are permitted access. We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality;
All staff are given training in the requirements of the GDPR and data security;
Transfer of personal data from one location to another is via secure links that use cryptography to ensure the security of the data being transferred;
We have in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We are avoiding personal data collection and usage in paper format. If required, the paper documents and copies will be always stored in locked-up premises with very restricted access to the limited members of staff in line with our internal policy.

How long do we keep your personal data for?

We understand our legal duty to retain accurate data, that’s why we will only retain your personal data as long as we have consent from you.

Regardless of the above, every 2 years we will send you a communication where we will ask you to re-authorise your consent for marketing communications, if you signed up.

If you are Registered user or Subscriber, you personal data will be stored as long as you maintain an account and use our service.

If you consent to receiving our Newsletter, you revoke consent at any time by clicking the ‘unsubscribe’ button on our Newsletter communication or by contacting us at any time. All paper records will be deleted by secure shredding of the paper files electronic copies will be deleted by secure erasure in accordance with applicable laws and regulations.

Details about retention schedule can be obtained from contact point specified in point 12.

Your rights in relation to personal data

Under the GDPR you have the right to:

Request access to your personal information which involves confirming with us whether we are processing your personal data and if we are, to request access to that personal data including the categories of personal data processed, the purpose of the processing and the recipients or categories of recipients. We do have to take into account the interests of others though, so this is not an absolute right;
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected or deleted;
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes. To stop receiving marketing communications from us or change your preferences please contact us on our local email address / contact details;
Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
Request the transfer of your personal information to another party in certain formats, if practicable.
Withdraw consent to processing at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. To withdraw consent please contact; Local contact details with details of what information is to be provided.

If you wish to exercise any of the rights set out above, please contact thel contact with details of what information is to be provided.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights), however, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances;
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response;
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated;
In certain circumstances we may need to limit the scope of the data subject’s rights e.g. where a request is made to delete data that has to be retained for legal or regulatory reasons, or where fulfilling the request may expose the personal data of another data subject.

Use of automated decision-making and profiling

We don’t undertake automated decision making, however we use profiling through our CRM systems. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision making process.

Changes to our Privacy Notice

If any changes we would make to our Privacy Notice in the future, we will inform you by placing the appropriate information on our website.

How to contact us?

Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to:

EXELA TECHNOLOGIES

Phone number: 1-844-XELATEC,

EEA address: Herengracht 576b, 1017 CJ AMSTERDAM, The Netherlands

UK address: Exela Technologies Ltd, Baronsmeded, The Avenue, Egham, England, TW20 9AB

Email: emeamarketing@exelatech.com

You have the right to make a complaint at any time to the Local Supervisory Authority We would however, appreciate the chance to deal with your concerns before you approach the Local Supervisory Authority so we encourage you to contact us in the first instance:

Exela’s Lead Supervisory Authority in the EEA:

Autoriteit Persoonsgegevens

Bezuidenhoutseweg 30

2594 AV DEN HAAG

+31 (0) 70-8888 500

Exela’s Lead Supervisory Authority in the UK:

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

How do we use cookies ?

A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies. We use both session and persistent cookies on our website. The cookies we use and their purpose can be found HERE.