Last Update: Oct 22, 2020.
This document is important and we hope you will take time to read it carefully.
These definitions should help you understand this policy.
“GDPR” refers to the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
“including”, “includes” or similar words refer to matters which are included without limitation, in other words, that are not limited to any list provided.
“Personal Data” means any information that identifies or can be used to identify an individual directly or indirectly, including, but not limited to, first and last name, identification number, date of birth, email address, gender, occupation, or other demographic information.
“Website” means all content included in our domain
“Services” means the online WordPress plugins, including Nelio A/B Testing and Nelio Content, and any information or support related to them that we provide to bloggers and businesses to improve their websites and better promote their content.
“Channels” means the various means by which we may collect information including our Website, the Services, social media pages, HTML-formatted e-mail messages and through offline sales and marketing activities.
“we,” “us,” “our,” and “Nelio” refer to Nelio Software S.L., a company governed by Spanish law (without application of conflict of law rules).
“Website Visitor” refers to anyone visiting our Website.
“User” refers to the person or entity that uses our Services. They may have downloaded and installed a free version of one of our plugins or have subscribed to use a premium version of them on a site.
“you” refers to Website Visitors or Users.
If you have any questions or comments, or if you want to update, delete, or change any Personal Data we hold, or you have a concern about the way in which we have handled any privacy matter, please use our contact form to send us a message. You may also contact us by email at firstname.lastname@example.org or by postal mail to our Business Headquarters address.
Your Personal Data
5. Information We Collect
(a) Information You Explicitly Give Us: We receive and store any information you enter on our Website or give us in any other way through a direct interaction with us which includes:
- Your email when you subscribe to our newsletter.
- Your name and email when you post a comment on our blog posts.
- Your name and email when you contact us through our contact forms.
- Your name, email, postal address, telephone number and your company when you subscribe to our premium Services.
- Your name and email when you download and subscribe to our free services.
- Your name, email, postal address, telephone number and your company when you request to join our Affiliation Programs.
- The Personal Data you provide us when you send us an email or contact our service support.
Note that we do not collect any payment information when you subscribe to one of our services. We have an agreement with FastSpring as reseller of our services. See the section Third-party Providers below for more information.
(b) Information we collect automatically: When you use the Services or browse our Website, we may collect information about your visit to our Website, your usage of the Services, and your web browsing. That information may include:
- Your network routing information (where you come from).
- Your Internet Protocol (IP) address, which is used to connect your computer to the Internet and may identify your general geographic location or company.
- Your computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform.
(c) Publicly available data or data from other sources: We may also store certain information from automated interactions on websites other than Nelio’s or other data you may have made publicly available. This information may include:
- Your name or WordPress username, for example, when you participate in WordPress support forums.
- Your name, your social account, and Personal Data that is public on that account when providing a rate review or participating on social media (for example, the WordPress Plugin Directory, Facebook, Twitter, LinkedIn, Google+, Pinterest or Instagram).
6. How We Use Personal Data
We may use and disclose Personal Data only for the following purposes:
(a) To allow you to subscribe to our services and purchase our products.
(b) To provide, support, and improve the Services we offer, as well as to improve customer relationships. This includes our use of the data that our Users provide us in order to enable our Users to use the Services. This also includes, for example, aggregating information from your use of the Services or your visits to our Website and sharing this information with third parties to improve our Services. This might also include sharing your information or the information you provide us with third parties in order to provide and support our Services or to make certain features of the Services available to you. When we do have to share Personal Data with third parties, we take steps to protect your information by requiring these third parties to enter into a contract with us that requires them to use the Personal Data we transfer to them in a manner that is consistent with this policy.
(c) To notify you about new product releases and service developments, and to advertise Nelio’s products and services in accordance with this policy. Your website visit, marketing experience, and communications may be tailored to your interests based on your Personal Data. Nelio may also use Personal Data in order to respond directly to your information requests (including newsletter registrations or other specific requests), or pass your contact information to Nelio’s reseller for further follow-up related to your interests.
(e) To post public testimonials on our Website or social networks. If you wish to update or delete your testimonial, you may contact us at the contact address indicated above.
(g) To track and evaluate our marketing campaigns, including online advertising and e-mail marketing campaigns.
(h) To become a member of our affiliation program.
(i) To contact third parties referred by you through our affiliation program. If you choose to use our affiliation program to inform a third party about our Services, we will then send the third party a one-time contact related to your referral request. We only use the Personal Data you provide us in this situation to send the one-time contact and to track the success of our affiliation program. The third party may contact us through their inquiry form to be removed from the affiliation program.
(j) To communicate with you about a conference or event hosted, co-sponsored, or participated in by us, including information about the event’s content, logistics, payment, updates, and any additional meetings, special demonstrations or other customer facilitation. After the event, we may contact you about the event and related products and services, and may share information about your attendance with your company (if any).
(k) To share Personal Data with third parties who provide services to us, provided that the third party has executed any data processing documentation required by law.
(l) To meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms.
7. What Personal Data We Share and Disclose to Third Parties
We do not sell your Personal Data to anyone. We may share your Personal Data with our third-party Service Providers, who help us provide and support our Services, such as credit card processing services, order fulfilment, analytics, event or campaign management, website management, information technology and related infrastructure provision, customer service, e-mail delivery, auditing, and other similar services. In this case, we contractually require our service providers to use your Personal Data only for the purpose of providing services to us and subject to terms consistent with this policy.
We may disclose your personal data as we believe to be necessary or appropriate:
- under applicable law, including laws outside your country of residence;
- to comply with legal process;
- to respond to requests from public and government authorities, including public and government authorities outside your country of residence;
- to enforce Nelio’s terms and conditions, which are subject to this privacy policy; and
- to allow us to pursue available remedies or limit the damages that we may have.
Additionally, in the event of a reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of Nelio’s business, assets or stock (including in connection with any bankruptcy or similar proceedings), we may transfer the Personal Data we have collected to the relevant third party.
8. Public Information and Third Party Websites
(a) Blog. We have a public blog on our Website. Any information you include in a comment on our blog may be read, collected, and used by anyone. If your Personal Data appears on our blog and you want it removed, contact us here. If we are unable to remove your information, we will tell you why.
(b) Social media platforms. We maintain presences on social media platforms including Facebook, Twitter, and Instagram. Any information, communications, or materials you submit to us via a social media platform are submitted at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves. Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.
Cookies and Other Tracking Technologies
- your display preferences, including your selected language,
- if you have already replied to a survey pop-up that asks you to subscribe to our Newsletter (so you won’t be asked again),
- the service you subscribe to perform the checkout with our reseller.
10. What Types of Cookies Do We Have?
Depending on who sends the cookies and treats the data obtained, the cookies we use may be:
(a) Own Cookies: These are cookies sent to your terminal from a computer or domain managed by us (and from which the service requested by you is provided). For example, we have defined and own certain cookies that are used to run A/B tests and heatmap experiments and to track visitor information. See the Nelio A/B Testing Cookies section for further details.
(b) Third party cookies: These are cookies sent to your terminal from a computer or domain that is not managed by us, but by another entity that processes data obtained through cookies. For example, we use Google Analytics cookies to measure the traffic on our Website, MailChimp cookies to see the openings and clicks of our Newsletter emails, and YouTube cookies to record user viewing preferences. See the Third Party Service Providers section below for more details.
11. How You Can Control or Delete Cookies
This website includes a cookie configuration system so that, on your first visit, you can explicitly accept or reject the use of our own and third party cookies.
You can control and/or delete cookies as you wish – for details, see aboutcookies.org. You may delete all cookies that are already on your computer and you may set most browsers to prevent cookies from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.
Browser manufacturers provide help for cookie management in their products. Please see below for more information.
- Google Chrome
- Internet Explorer
- Mozilla Firefox
- Safari (Desktop)
- Safari (Mobile)
- Android Browser
- Opera Mobile
For other browsers, please consult the documentation that your browser manufacturer provides.
12. Data Collected for and by You
As you use our Services or post on our Channels, you may write information you have collected from other individuals. We have no direct relationship with these individuals, only with you, and for that reason, you are responsible for making sure you have the appropriate permission for us to collect, post, and process information about these individuals. Consistent with the uses of Personal Data covered in Section 7, we may transfer Personal Data of you or these individuals to companies that help us provide or support our Services. All third-party Service Providers enter into a contract with us that protects Personal Data and restricts their use of any Personal Data consistent with this policy.
Your Data Protection Rights
13. How You May Exercise Your Rights
You may send a written communication to our Business Headquarters, through the contact forms in our Website, or to the e-mail address indicated in the heading of this legal notice, including in both cases a photocopy of your ID card or other similar identification document, to request the exercise of the following rights:
- Right to request access to any Personal Data we may have about you.
- Right to request rectification (if incorrect) or deletion of Personal Data.
- Right to request limitation of the processing of your Personal Data, in which case it will only be kept by Nelio for the exercise or defense of claims.
- Right to object to processing. Nelio will no longer process the Personal Data in the way you indicate, unless it has to be processed further for compelling legitimate reasons or for the exercise or defense of possible claims.
- Right to data portability. In the event that you wish your Personal Data to be processed by another company, Nelio will provide you with the portability of your data to the new data controller.
We will give you access to any Personal Data we hold about you within 30 days of any request for that information. Individuals may request to access, correct, amend, or delete information we hold about them through our contact form or email at email@example.com. Unless it is prohibited by law, we will remove any Personal Data about an individual from our servers at your or their request. There is no charge for an individual to access or update their Personal Data.
Models, forms, and more information about your rights: Official website of the Spanish Data Protection Agency.
Possibility of withdrawing consent. In the event that you have given your consent for a specific purpose, you have the right to withdraw it at any time, without it affecting the lawfulness of the processing based on the consent prior to its withdrawal.
How to complain to the Control Authority. If you consider that there is a problem with the way in which Nelio is handling your Personal Data, you may address your complaints to Nelio (indicated above) or to the corresponding Data Protection Authority, which in the case of Spain is the Spanish Data Protection Agency.
14. Accuracy and Data Retention
We take reasonable business measures in compliance with laws to keep your Personal Data accurate and up to date, to the extent that you provide us with the information we need to do so. If your Personal Data changes (for example, if you have a new email address), then you are responsible for notifying us of those changes.
We will retain the following data:
(a) Disaggregated data: Disaggregated data will be retained without a deadline for deletion.
(b) Subscribers data: During the time your account is active or as long as needed to provide you with our Services in accordance with our Terms and Conditions. In any case, it will be the minimum necessary from time to time, currently subject to certain statutes of limitation terms:
- 4 years: Law on Infringements and Sanctions in the Social Order (obligations regarding affiliation, registration, cancellation, contribution, payment of salaries…); Art. 66 ff. General Tax Law (Accounting Books…);
- 5 years: Art. 1964 Civil Code (personal actions without special time limit)
- 6 years: Art. 30 Commercial Code (Accounting Books, invoices…)
- 10 years: Art. 25 of the Prevention of Money Laundering and Financing of Terrorism Act.
(c) Newsletter subscribers’ details: From the moment the user subscribes to the newsletter until the subscription is ceased.
(d) User data uploaded by Nelio to pages and profiles on social networks: From the moment the user gives consent until they withdraw it.
15. Children’s Privacy
Our Services are not directed at nor targeted to children. If you have not reached the age of majority or are not able to enter into legally binding agreements in your country, you may not use our Services unless supervised/accepted by an adult, as applicable.
Our goal is to comply with applicable laws and regulations relating to collection and use of information from children as such term is defined by applicable laws. If you believe that we have received information from a child or other person protected under such laws, please notify us immediately by postal mail or to the e-mail address indicated in the heading of this legal notice, and we will take reasonable steps to remove that information from our databases.
16. Notice of Breach of Security
We take reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the Personal Data. If a security breach causes an unauthorized intrusion into our system that materially affects you, then we will notify you as soon as possible (in the event of a breach being detected, Nelio undertakes to inform users within 72 hours) and later report the action we took in response.
We use FastSpring as the reseller of our services. Therefore, all payments for the services will be made through FastSpring. FastSpring uses security measures to protect your information both during the transaction and after its completion. They are a United States-based seller of digital goods specialized in safe and secure Internet sales, compliant with PCI, that employs Verisign SSL Certificates.
We only use service providers that enter into agreements with us whereby the service provider commits to take the appropriate measures to protect Personal Data and be compliant with GDPR.
Third Party Service Providers
To be transparent and provide you with the maximum information about who our third party service providers are, we list below the ones that may keep Personal Data, what information they keep, and how we ensure GDPR compliance through their contracts.
FastSpring is a United States-based seller of digital goods specialized in safe and secure internet sales, compliant with PCI, that employs Verisign SSL Certificates. FastSpring is operated by Bright Market, LLC, the data of which are in About FastSpring. FastSpring is registered with the EU through a special scheme set up for companies outside the EU. FastSpring’s VAT number is EU826012240 (it begins with EU because FastSpring is located in the United States, not in a European Union member state).
As an additional means of meeting the adequacy and security requirements under the GDPR, a data-processing clause is included in our agreement with them.
Our Website features TLS v.1.2 SSL encryption, which allows the secure sending of personal data through standard contact forms; these data are stored in self-hosted SiteGround instances of WordPress. Any Personal Data that you publish when writing a post or making comments on our Website is stored in our database hosted in SiteGround.
We explicitly ask you to accept that we store that information before you contribute to our Website.
SiteGround in Spain is operated by SiteGround Spain S.L., the data of which are in Siteground Data Centres. SiteGround is fully committed to GDPR compliance as described on their website and they are working on a certification under the EU-US and Swiss-US Privacy Shield with the Department of Commerce that they adhere to the Privacy Shield Principles regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively, so they can lawfully host EU clients’ data on their US servers when that’s needed. They are moving it forward as a second-tier compliance mechanism after the Standard Contractual Clauses. As an additional means of meeting the adequacy and security requirements of the GDPR, we have signed a Data Processing Addendum with SiteGround.
We use G Suite (Gmail, Docs, Drive, and Calendar for business) for communication, storage, and collaboration. We also use the Google App Engine platform, the Google cloud service, as the backend of the Nelio A/B Testing service. Personal Data related to some of our services (except for payment details, see FastSpring above) is kept in Google’s systems. In addition, on our Website, we use Google Analytics to analyze its use and optimize its performance.
Google is a US company, the data of which are in Google Cloud Locations. As described in their Privacy Shield certification, they comply with the EU-US and Swiss-US Privacy Shield as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland, respectively.
Google is fully committed to GDPR compliance as described in their Commitments to GDPR, which articulate their commitments to us. For all the previous services, as a commitment to privacy and security, we have signed the following documents: Data Processing Security Terms (Customers) contract, G Suite Standard Contractual Clauses, Data Processing Amendment to G Suite, and EU Model Contract clauses.
We use Amazon Web Services (AWS), the Amazon cloud computing platform, as the backend of the Nelio Content service. Personal Data related to this service (except for payment details, see FastSpring above) is kept in Amazon’s systems.
Amazon.com, Inc. is a US company, the data of which are in AWS Global Infrastructure. As described in their legal policies, they participate in the EU-US and Swiss-US Privacy Shield Framework regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland, respectively. They have certified with the Department of Commerce that they adhere to the Privacy Shield Principles.
Amazon is fully committed to GDPR compliance as described in their Compliance to GDPR, which articulates their commitments to us. As an additional means of meeting the adequacy and security requirements of the GDPR, we have signed a Data Processing Addendum with Amazon.
We use Mailchimp to deliver our newsletters and other email communications. Therefore, MailChimp, with servers located around the US, keeps Personal Data about your name and email and gathers statistics about email opening and clicks as part of its service.
Mailchimp is a registered trademark of The Rocket Science Group, a US company, the data of which are in the US, and which has certified that it complies with the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland.
As described in their knowledge base, they are committed to achieving compliance with the GDPR and are mindful of your compliance efforts. We have already signed a Data Processing Addendum as an additional means of meeting the adequacy and security requirements of the GDPR. For more information about the way in which MailChimp is committed to achieving compliance with the GDPR in 2018, see About the General Data Protection Regulation.
We use Freshdesk by Freshworks, Inc. as our ticketing service and help desk software. Freshdesk keeps Personal Data about your name and email, as well as any other information you may have disclosed while interacting with us to receive support.
Freshworks Inc. is a US company, the data of which are in Freshworks Data Hosting. As described on their website, they are fully committed to being compliant with the GDPR and confirm that they comply with the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland.
In addition, we have already signed a Data Processing Addendum as an additional means of meeting the adequacy and security requirements of the GDPR.