PRIVACY POLICY FOR PORTFOLIOBOX




  • 1. Introduction

    This document summarises Portfoliobox Stockholm AB’s processing of personal data.

    Portfoliobox protects your personal privacy. We always strive for a high level of data protection and aim to comply with the rules and principles in the General Data Protection Regulation.

  • 2. Roles

    In this chapter, we define the roles that are of relevance for the processing of personal data.


    2.1 Controller

    Aktiebolaget Portfoliobox Stockholm AB is the controller.

    Portfoliobox Stockholm AB
    556894-4382
    Abrahamsbergsvägen 84
    168 30 Bromma, Sweden
    Email: info@portfoliobox.net
    Telephone: +46 702 57 90 16


    2.2 Processors

    Any subcontractors who process personal data on behalf of Portfoliobox are referred to as processors. Portfoliobox monitors the processors with regard to security and confidentiality.


    2.3 Supervisory authority and complaints

    At Portfoliobox, all decisions on the processing of personal data are made in the office in Sweden. Accordingly, the Swedish Data Protection Authority is the competent supervisory authority.


    If a data subject is of the view that errors have been made in the processing of his or her personal data, a complaint can be submitted to the Swedish Data Protection Authority.


    Before contacting the Swedish Data Protection Authority, please contact Portfoliobox with any complaints.


    Swedish Data Protection Authority
    www.datainspektionen.se
    Telephone: +46 8 657 61 00
    Email: datainspektionen@datainspektionen.se

  • 3. Basic principles and rights

    3.1. Principles for the processing of personal data

    Portfoliobox complies with the following basic principles:


    • No personal data are collected or processed without a legal basis;

    • Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject;

    • Personal data may only be collected for specified, explicit and legitimate purposes, as listed in Chapter 5 below;

    • Personal data must not be processed in a manner that is incompatible with these purposes;

    • Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

    • The personal data collected must not be processed if they are too old to be relevant for the initial purposes;

    • Personal data shall be correct and kept up to date;

    • Personal data must not be stored for longer than is necessary;

    • Personal data shall be protected, including against unauthorised or unlawful processing and against loss, destruction or damage.


    3.2. The data subject’s rights

    Portfoliobox has procedures for personal data that are consistent with the data subject’s rights:

    Right to information

    • Information on the processing of personal data is provided both at the time of registration and when requested by the data subject;

    • The data subject is informeded in case of any incidents, such as in case of a data breach;

    • The information is provided to the data subject free of charge and in an accessible format.

    Right to rectification

    • The data subject has a right to supplement personal data that are missing or inaccurate.

    Right to erasure

    • The data subject may request that his or her data are erased;

    Right to restriction of processing

    • Restriction means that the data is marked so that in the future, they can only be processed for certain limited purposes.

    Data portability

    • The data subject may request to have his or her personal data exported in a machine-readable format.

    Right to object

    • The data subject has a right to object to the processing of personal data;

    • If an objection is made against direct marketing, the personal data must no longer be processed for such purposes.

    Complaints

    • The data subject has the right to complain about an incorrect assessment. Complaints should primarily be sent to Portfoliobox, but if the data subject remains unhappy with the treatment, a complaint can be submitted to the competent supervisory authority.

  • 4. Procedures

    The general guidelines and principles form the basis for all processing of personal data. Portfoliobox has implemented the following procedures for the processing of personal data:


    4.1. Organisational security measures

    Portfoliobox strives to achieve a good level of security for personal data, including the use of the following security measures:

    • Data minimisation;

    • Password management;

    • Monitoring and training of employees;

    • Encrypted computers equipped with antivirus software;

    • Images of personal data are only used if there is an agreement in place;

    • All customer communication contains a footer with a link to the personal data policy;

    • Anonymisation is applied when personal data are communicated internally (if possible).


    4.2. Technical security measures

    Portfoliobox continuously strives to improve the security of the technical systems, including by using the following measures:

    • Pro-active efforts to prevent data breaches;

    • HTTPS;

    • Two-step authentication, whenever possible;

    • No open APIs;

    • Development and test servers are free from personal data;

    • External services and plug-ins are reviewed;

    • Architects and system developers have received GDPR training.


    4.3. In case of incidents

    According to the data protection reform, a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss or alteration of the processed personal data.

    If a personal data breach is discovered, it is reported to the product owner or to an employee who is considered to have a good overview of the system in question. This person is then responsible for notifying the breach within 72 hours. Thereafter, the incident shall be archived and added to the archive of historic incidents in this document (Appendix 1).


    4.4. Special rules for children

    Children under the age of 16 are not allowed to use Portfoliobox and the Data Protection Regulations concerning enhanced protection of children's personal data is therefore not actualized.

    If Portfoliobox would let children under the age of 16 create an account, we would also need to obtain consent from a parent or guardian. This is considered risky and complex and would require considerable administrative work to ensure the accuracy of the certificate. For this reason, we are introducing an age limit on all of Portfoliobox’s services.

  • 5. Risk analysis

    Portfoliobox continuously reviews the risk of storing and processing data. The following risks are considered to be the greatest:


    Risks Descriptions & consequences
    Hacking

    All computer systems with internet access are at risk of hacker attacks. Portfoliobox is constantly working on the security of our computer systems, implementing the latest security procedures and updating vulnerable software.

    Portfoliobox does also not store sensitive data or data that might be considered attractive to a hacker. For example, we do not store any personal or sensitive data, credit card details or personal identity numbers or decrypted passwords.

    Passwords According to research, the most common reason for a data breach is inadequate password management. Accordingly, proper password management is the single most important factor to prevent data theft. Portfoliobox uses secure procedures for passwords.
    External software External plug-ins and services used by the company are reviewed to ensure that they do not entail security risks or place the processing of personal data at risk.
    Computer breaches Employee computers are equipped with antivirus software.
    Lack of knowledge and carelessness Training on GDPR is provided to our employees.
  • 6. List of personal data and processing

    This chapter contains a list of all personal data held by Portfoliobox and the processing of such personal data.


    6.1. Portfoliobox

    Portfoliobox is an online service that can be used by people to create their own websites. The user registers at www.portfoliobox.net and creates the website directly in the web browser.

    Location for storage

    • All text-based data added by the user is stored in Portfoliobox’s database, which is located in Ireland. Images and files that are uploaded are stored on the file server that is closest to the customer. If the customer is located in the EU, the files are stored in Ireland. If the customer is located in the US, the files are uploaded there. Possible locations for file storage include the west coast of the US, the east coast of the US, Sao Paolo, Ireland, Singapore, Tokyo and Sidney. Portfoliobox also uses a CDN network, which means that data is cashed (stored temporarily) for 30 days in Amazon’s cloud. The location of this temporary file cannot be specified.

    Time limit

    • As data is used continuously for the customer’s website, it will not be removed unless erased by the customer. Customers are in control of their own data and can edit most of data in the administration interface. If a customer erases his or her entire account, all information is erased (except receipts). Portfoliobox caches the data in a CDN network, which means that a temporary file is stored in Amazon’s cloud. This file is always erased automatically after 30 days. This means that if a customer erases a file, it takes 30 days before it is completely erased from the CDN network.

    Legal basis

    • When the user creates an account, the person accepts that Portfoliobox stores and processes personal data according to the information stated below.


    Upon registration

    The user creates an account, using his or her email address

    Purpose
    The user wants to create a website

    Data
    Customer ID, reference URL, reference partner, first name, last name, country, email address, password (encrypted), user name, IP (Facebook-ld, Facebook-AccessToken), (Flickr-ld, Flickr-oauth-token, Flickr-user-name)

    Legal basis
    Agreement (Legitimate interest in case the user is a legal entity)

    The user creates a student account

    Portfoliobox offers a special student account, which can be opened by students from our partner schools.

    Purpose
    The user wants to create a website and use the student discount

    Data
    The name of the school, the end date of the education, and other data according to the above.

    Legal basis
    Agreement

    A person registers a partner school

    Students can only create student accounts with Portfoliobox if their school is registered as a partner school.

    Students and teachers may notify their interest in registering their school. Portfoliobox will then contact the teacher in charge for further processing.

    Purpose
    Register a new partner school

    Data
    The name of the school, the teacher's name, the teacher's email address, the teacher's telephone number (optional)

    Legal basis
    Agreement with a school
    (A legitimate interest in processing contact information)

    Regular website creation

    The user creates a website

    Portfoliobox is like an empty box that can be filled with content by the user. The user may add text, images, links, PDF files and other files. Portfoliobox has no control over the stored data. The user is responsible for the contents on his or her website.

    Purpose
    The user creates a website

    Data
    Text, images, files, films with or without personal.

    Legal basis
    The user is personally responsible for the content of his/her website. (In case Portfoliobox is processing data, the legal basis is the agreement with the user.)

    Changes and regular erasure

    The user can change and remove content.

    Removed data is deleted from the database and any files are removed from the server.

    Purpose
    The user wants to make changes to the website

    Data
    -

    Legal basis
    Agreement

    The account is erased

    The customer can erase the account from the administration interface. The account will then be marked for erasure and all data will be erased after a number of days.

    Purpose
    The user wants to remove the website

    Data
    -

    Legal basis
    Agreement

    Logs

    Portfoliobox logs technical errors and certain types of POST request that are sent to the server. This is important for the discovery of technical errors and security threats, such as DDOS attacks. The logs are erased after a short time.

    Purpose
    Security and product improvement

    Data
    IP, error data, POST data

    Legal basis
    Agreement

    Payments

    Generation of receipts

    For every payment received, a receipt is generated. The receipt is saved as a PDF file on Portfoliobox's server. The information on the receipt will also be saved in Portfoliobox's database.

    Purpose
    Used as supporting documentation for the accounting

    Data
    Customer ID, Order ID, link to the PDF file, price, customer country, customer IP, ePay ID, the customer's incomplete credit card number

    If the customer is a company, the following data is also saved:
    Company name, address, VAT number

    Time limit
    The receipt is saved in accordance with the prevailing regulations and laws governing accounting.

    The user purchases a PRO subscription

    The user upgrades his or her account and registers a payment card for future payments of subscriptions.

    The user makes a credit card payment via Portfoliobox's payment solution, ePay. Portfoliobox does not administer, and has no ability to receive, information on the credit card data. If the payment succeeds, a unique subscription number is sent to Portfoliobox.

    This unique subscription number will be used when Portfoliobox charges the customer for the next subscription period.

    Purpose
    To receive the benefits of the Portfoliobox PRO

    Data stored in Portfoliobox's database
    A receipt is generated (see above) ePay subscription ID, incomplete credit card number, credit card expiry date, date of payment

    Data saved by ePay
    Order ID, card type (e.g. Mastercard), amount, transaction ID, date

    Legal basis
    Agreement

    Payment of subscription

    When the subscription period is to be renewed, the user's subscription ID is used to process a payment via ePay.

    Purpose
    The customer wants to keep his or her PRO account for another subscription period

    Data
    A receipt is generated (see above)

    Legal basis
    Agreement

    The user downgrades to the free version

    All information about the customer's credit card is removed and the subscription is erased from ePay.

    Purpose
    The user no longer needs an upgraded account.

    Data
    -

    Legal basis
    V

    Alternative payment via PayPal

    The customer wants to pay via its PayPal account.

    Purpose
    The customer wants to buy a Portfoliobox service but prefers paying by PayPal.

    Data
    A receipt is generated (see above)

    Data saved by PayPal
    Name, address, country, telephone number, amount, date, email address, email

    Legal basis
    Agreement and balancing legitimate interests

    Alternative payment by bank transfer

    The customer wants to pay by bank transfer.

    Purpose
    The customer wants to buy a Portfoliobox service but prefers paying by bank transfer.

    Data
    A receipt is generated (see above)

    Data saved by SEB
    Name, address, amount, date

    Legal basis
    Agreement

    List of external services used in Portfoliobox

    Amazon AWS

    Portfoliobox uses Amazon's cloud services for its infrastructure. Amazon provides servers, file servers, databases and other server services.

    Purpose
    Running Portfoliobox

    Data
    All programmes, files and data

    Legal basis
    Agreement

    Physical location
    Cloud service

    Namecheap

    Portfoliobox purchases domain names for our customers via the Namecheap service.

    Purpose
    Purchasing and managing customer domain names

    Data
    Domain name only

    Legal basis
    Agreement

    Physical location
    Cloud service

    Loopia

    Portfoliobox previously purchased domain names for our customers via the Loopia service. This service has now been replaced by Namecheap, but old domain names are still stored by Loopia.

    Purpose
    Domain name management

    Data
    Domain name only

    Legal basis
    Agreement

    Physical location
    Cloud service

    ePay

    Portfoliobox uses ePay's payment solution to accept payments.

    Purpose
    Accepting payments

    Data
    Order ID, card type (e.g. Mastercard), amount, transaction ID, date, Customer ID

    Legal basis
    Agreement

    Physical location
    Cloud service

    PayPal

    Portfoliobox uses PayPal's payment solution to accept payments of customers who do not want to pay by credit card.

    Purpose
    Accepting payments

    Data
    Name, address, telephone number, amount, date, email address

    Legal basis
    Agreement/balancing legitimate interests

    Physical location
    Cloud service

    Stripe

    Portfoliobox uses Stripe's payment solution to accept payments of customers who do not want to pay by credit card.

    Purpose
    Accepting payments

    Data
    Name, address, telephone number, amount, date, email address

    Legal basis
    Agreement/balancing legitimate interests

    Physical location
    Cloud service


    6.2. Find Creatives

    Find Creatives is a listing service that connects creatives with end customers. Members create a profile and complete it with the amount of personal data they see fit.


    Other sub-services are included in Find Creatives. These may have their own names, brands and domains. It is clearly stated in these sub-services that they belong to Find Creatives.


    List of sub-services:

    - Sök Fotograf - www.sokfotograf.se


    The user creates a Find Creatives account, using an email address or Facebook account

    Purpose
    The user wants to create a profile

    Data (sign up data*)
    Customer ID, reference IRL, reference partner, first name, last name, country, email address, password (encrypted), user name, IP, in some cases also telephone number

    (Facebook-ld, Facebook-AccessToken)

    Legal basis
    Agreement

    The user creates and edits their profile

    Find Creatives is like an empty box that can be filled with content by the user. The user can add text, images, links and video clips. Portfoliobox has no control over the stored data. The user is responsible for the contents on his or her website.

    Purpose
    The user creates a profile to market his or her services

    Data
    Text, images, video clips, address, first name, last name, professional title, GPS coordinates, links, education, exhibitions, work experience.

    Legal basis
    The user is personally responsible for the content of his/her profile. (In case Portfoliobox is processing data, the legal basis is the agreement with the user.)

    The account is erased

    A member may erase the account from the administration interface. The account will then be marked for erasure and all data will be erased after a number of days.

    Purpose
    The user wants to erase the account

    Data
    -

    Legal basis
    Agreement

    Logs

    Technical errors and certain types of POST request that are sent to the server are logged. This is important for the discovery of technical errors and security threats, such as DDOS attacks. The logs are erased after a short time.

    Purpose
    Security and product improvement

    Data
    IP, error data, POST data

    Legal basis
    Agreement


    6.3. Email

    Both Portfoliobox and Find Creatives send email messages to customers for the various reasons described below.


    Automatically processed customer emails

    These emails alternate depending on the status of the website. For example, a specific message may be sent to people who have uploaded over 30 images, and a different message may be sent to people who have not yet created any content.

    Purpose
    Portfoliobox offers customers assistance to get started with their websites

    Data
    -

    Legal basis
    Agreement; the customer may opt out from the emails

    Manually processed customer emails

    Portfoliobox regularly reviews its customers' websites and sends emails depending on the subjective status of the website. For example, an offer of assistance is sent to paying customers who have not yet managed to complete their websites.

    Purpose
    Portfoliobox offers customers assistance to get started with their websites

    Data
    -

    Legal basis
    Agreement; the customer may opt out from the emails

    Automatic campaign emails

    Various campaign messages are sent by the system.

    These emails alternate depending on the status of the website. For example, an offer may be sent to customers who have uploaded more than 30 images.

    Purpose
    Encouraging the customer to upgrade.

    Data
    -

    Legal basis
    Agreement; the customer may opt out from the emails

    Manual campaign emails

    Portfoliobox regularly reviews our customers' websites and sends them offers and discounts based on subjective assessments. For example, customers who created particularly interesting websites may be offered a discount on an upgrade.

    Purpose
    Offer the customer discounts and other deals.

    Data
    -

    Legal basis
    Agreement; the customer can opt out from the emails

    Newsletters with or without campaigns

    Roughly once a month, a newsletter is sent to all customers, with information on changes to Portfoliobox. The newsletter may also include campaigns, advice and other information.

    Purpose
    Informing our customers of changes and special campaigns.

    Data

    Legal basis
    Agreement; the customer can opt out from the emails

    Automatic email notices

    Portfoliobox may also send automatic emails to notify members of various events and warnings. For example, a notice may be sent that says how many visitors the user's profile has had.


    6.4. Customer relations and communication

    Portfoliobox offers support, customer care and debugging. This work is processed in several different systems. Stored data and the processing of data varies between systems, see the table below. All systems are online-based “cloud services”.


    Gmail

    The customer contacts us with a request.

    Purpose
    Support and customer communication

    Data
    Email, name and content, depending on the issue

    Legal basis
    Balancing legitimate interests/information in the email footer

    FreshDesk

    A ticketing system used for customer support.

    Purpose
    Support and customer communication

    Data
    Email, name, Customer ID and content, depending on the issue

    Legal basis
    Balancing legitimate interests/information in the email footer

    Facebook

    The customer contacts us on Facebook with a request.

    Purpose
    Support and customer communication

    Data
    Name, Facebook account and content, depending on the issue.

    Legal basis
    Balancing legitimate interests

    Sprout Social and other social media

    The customer contacts us with queries from various social media sites (such as Twitter, Facebook Instagram)

    Purpose
    Support and customer communication

    Data
    The customer's social media account and content, depending on the issue.

    Legal basis
    Balancing legitimate interests

    Skype

    The customer contacts us with a request.

    Purpose
    Support and customer communication

    Data
    Name, Skype account and content, depending on the issue.

    Legal basis
    Balancing legitimate interests/information in the email footer

    Calendly

    To book meetings with customers

    Purpose
    The customer wants to book a meeting with our support team

    Data
    Name, data, contact details depending on how the person wants to be contacted.

    Legal basis
    Balancing legitimate interests/information in the email footer

    Mindomo

    The customer reports a bug. Portfoliobox stores information about the bug in Mindomo.

    Purpose
    Debugging

    Data
    Customer ID, email address, URL and content, depending on the report

    Legal basis
    Balancing legitimate interests/information the email footer

    TypeForm

    The customer responds on a feedback form

    Purpose
    Collection of feedback

    Data
    IP, responses to queries

    Legal basis
    Balancing legitimate interests/information in the email footer

    Mailblast

    Mailblast is used to distribute newsletters and "mass emails" to many users at the same time.

    Purpose
    Newsletter

    Data
    First name, last name, email address, user name

    Legal basis
    Agreement

    HotJar

    A programme is activated in the customer's admin panel. This program records how the customer uses the product.

    Purpose
    Improving the product's usability

    Data
    The finalised video clip can be likened to a "screen recording", but only depicts the admin panel. Passwords and sensitive input fields are anonymised

    Legal basis
    This programme is generally not activated in Portfoliobox. If there is a reason to activate it, the customer is informed before the recording begins. The customer approves of the recording after clear information. The legal basis for this process is therefore agreement.


    6.5 Cookies

    A cookie is a text file that is stored in the web browser. Portfoliobox och Find Creatives use several different cookies:


    Session cookies are temporary cookies that cease to exist when the web browser is closed.

    Persistent cookies are stored in the web browser for a specific number of days.

    Third party cookies are added by third party websites (such as Google analytics)

    The cookies stored by Portfoliobox in the web browser are fundamental for the functionality of the service. For example, there are no "save buttons" in Portfoliobox. Instead, the content is saved in a cookie until it is sent to the database for permanent storage.

    The third party cookies used by Portfoliobox are from well-established services, such as Google Analytics. These cookies save comprehensive information on how the website is used.

    Purpose
    Technology that is required for the functioning of the programme and for general analyses


    -

    Legal basis
    Agreement

  • 7. GDPR for our users

    Portfoliobox is a service that can be used to private individuals and companies to create their own websites. The service can be compared to a “regular web hotel”, but with more advanced interfaces.


    Just like with a regular web hotel, customers are responsible for the content on their own websites. Accordingly, it is up to the users to ensure that they comply with the data protection reform and do not store or process personal data in a manner that is inconsistent with the Regulation.


    Portfoliobox cannot be held liable for any incorrect processing of personal data on the customers’ websites.

  • 8. Appendices

  • 9. Historic personal data incidents

    No incidents have occurred.