This Privacy Notice is effective as of 18/12/2017
Introduction/Who are we?
Syx Automations, with headquarters in Ypres (Belgium) and offices in the Netherlands, Germany, the United Kingdom, Dubai, India and Austria, has been providing ticketing and leisure management solutions for visitor attractions, the arts and cultural sector and leisure industry customers for the last 30 years.
Your privacy is very important to us, which is why we wrote this privacy notice. The purpose of this notice is to describe how Syx Automations collects and uses personal data.
Unless otherwise stated, Syx Automations is the data processor of the personal data collected under this privacy notice. A data processor is a person who processes data on behalf of a data controller. A data controller decides the purpose and manner to be followed to process the data, while data processors hold and process data, but do not have any responsibility or control over that data. The governance of this data processing is covered legally in the data processing agreement between Syx Automations and the data controller.
Regardless of which personal data we process or when and how we process your personal data, we will always follow the following principles:
- Personal data must be fairly and lawfully processed;
- Personal data must be processed for specific purposes only and not for anything else;
- Personal data must be adequate, relevant and not excessive;
- Personal data must be accurate and up to date;
- Personal data must not be kept for longer than it is needed;
- Personal data must be processed in line with individuals’ rights;
- Personal data must be kept secure;
- Personal data must not be transferred to other countries without adequate protection.
How do we receive & process your information?
We collect information about you from a variety of sources, including:
- information we collect directly through your use of our software products
- information we collect about you when you visit our website and social media pages, use our services or view our online advertisements.
Which data do we collect?
When you use our software products as a visitor, we collect your personal data. Which personal data is collected depends on your specific situation and use of our software. We can collect the following personal information:
- Contact information such as name, first name, gender, address, telephone, when provided by you when you register your profile online (through our web or cloud applications) or when you provide this information directly to a venue for CRM/membership/invoicing purposes.
- Other visitor related information can be collected for specific leisure use cases:
  - electronic ID, when a visitor is requested to present his/her e-ID to a card reader to register as a customer;
  - family relationships, in case of purchasing memberships;
  - purchase transactions when purchasing tickets, memberships or products through our different points of sale;
  - medical information in case of childcare registrations;
  - course or activity registration history in case of registering for courses, sport activities or other events;
  - visit information, when you scan tickets, memberships for venue entry.
- Visitor analytics data using cookies and Google Analytics/Tag Manager, retrieving browser type and version, operating system type and version, IP address, web pages viewed, links clicked.
When you use our software products as an operator, we can collect the following personal data:
- Contact information such as name, first name, gender, address, telephone, when provided by you when you register your profile online (through our web or cloud applications) or when you provide this information directly to a venue for CRM/membership/invoicing purposes;
- Time & attendance information;
- Access information, time when you visited a certain infrastructure, room;
- Planning & task information;
- Purchase transactions when purchasing tickets, memberships or products at employee discounts through our different points of sale;
- Uniform measurements, in case this is managed by the venue with our software.
Why do we need your data?
We use the data we collect:
- to provide end-to-end leisure services for visitors, understanding who the visitor is and whether he/she is allowed to enter a certain room or event;
- to deliver more personalised visitor experiences, based on personal preferences or historic actions;
- to automate leisure operations, e.g. allowing visitor access at a certain time;
- to send communications, e.g. marketing campaigns, promotions, reminders on membership expirations;
- to collect statistical data for anonymised visitor analytics, e.g. to understand the demographic distribution of visitors.
Personal data can evidently be processed for legitimate reasons only.
We use and share your personal data with your consent. Whenever the processing is based on your consent, you are entitled to withdraw your consent. If you want to do so, please contact us.
Who do we share personal information with?
All personal data that is processed by our software products is stored in our product databases, only accessible to the authorised venue staff and authorised Syx staff for service and maintenance.
Venues can request Syx Automations to share personal data by exchanging data by file or webservices to other systems. Examples of such system integrations are:
- A CRM system like Salesforce or Dynamics, that is master of all visitor information;
- A marketing automation or mailing system like Mailchimp to inform visitors on promotions or engage them to come back to the venue;
- Invoicing systems to send invoices to pay for the leisure services consumed.
The usage of your personal data is always covered legally in this case, as each integration requires both the venue and the integrator to sign our API license agreement, which covers how personal data may or may not be used, also in the context of GDPR compliance.
We currently do not share personal information with third parties for commercial purposes. It is possible we may set up such services with anonymised visitor data, e.g. to provide market research data on leisure visitors. We will never share personal data in this case or data which can be traced to an individual. When we launch such a service, it will be part of our terms and conditions and require your consent.
Your personal information may be provided to supervisory agencies, fiscal authorities and investigative agencies only if we are required to do so by law.
Where do we process and store your data?
Personal data collected by us may be stored and processed in our data center in Belgium, in our data center with our partner in the Netherlands or, when you use our cloud applications, in the cloud with data storage configured within the EU.
We do not intend to transfer personal data from the European Economic Area to other countries. In case of system integration with other parties that use personal data, the exchange of the data will always be approved by our customers in the context of the API license agreement.
How long do we keep your data?
We will retain your data for the period necessary to fulfill the purposes detailed in this Privacy Notice. We will retain and use your data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
How do we secure your data?
Your personal information is treated as strictly confidential and we have taken the appropriate technical and organisational security measures. We implement reasonable physical, administrative and technical safeguards to help us protect your personal information from unauthorised access, use and disclosure. We also require that our processors protect such information from unauthorised access, use and disclosure.
Syx Automations is ISO27001 certified and continuously improves security to adhere to ISO27001 and the different security standards in the markets we are active in.
What are your rights?
We adhere to the European and national data protection law applicable in Belgium, which includes the following rights:
- If the processing of personal data is based on your consent, you are entitled to withdraw your consent for future processing at any time;
- You are entitled to request access to and rectification of your personal data. You can send us a request using the contact details mentioned under point 12 of the present privacy notice;
- You are entitled to object to the processing of your personal data, including the right to object to direct marketing;
- You are entitled to restrict processing;
- You are entitled to lodge a complaint with a data protection authority;
- You are entitled to erasure, also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable you to request the deletion or removal of personal data, provided there is no compelling reason for its continued processing.
Can minors use our services?
It is not our policy to actively collect information about anyone under the age of 16. Information collected about minors will always be the consequence of parental consent given in the light of a purchase transaction initiated on our platform. We do not use this information about minors for other purposes than to execute the transaction on our platform.
Questions or complaints?
If you are not satisfied with our response or believe that we are not processing your personal data in accordance with the applicable law, you can file a complaint with the Privacy Commission. All information can be found at: https://www.privacycommission.be/en.
How do we deal with updates to this notice?
We may modify or amend this notice from time to time at our discretion. Hence, we encourage you to periodically review this privacy notice to keep abreast of how we protect your personal data.