Disclaimer & Privacy Statement

Privacy Statement Accell Nederland BV

 

The protection of Personal Data is important to Accell Nederland. We are committed to protecting your information and acting in accordance with your rights and privacy laws. Please read this Statement with care. It provides important information about how we use personal data and explains your legal rights.

In this statement, where we say ‘you’ or ‘your’, this means either you, any authorised person acting on your behalf or any beneficiaries and other individuals in your household or organisation. Where we say ‘we’, ‘us’ or ‘our’, this means Accell Nederland BV.

 

Collection of your information and how we use it

The data we collect about you and how we collect it varies depending on how you use our services, interact with us, our website and apps. The personal data we collect or have about you will either be provided by you directly, come from third parties or will be collected from your activity on our website and use of our services.

When purchasing a bicycle or another product, data may be registered with us by the dealer or by yourself. Some products, such as a connected bike, and the use of certain apps, also entail the processing of personal data. Data are also recorded when visiting our (brand) website, such as the IP address, the data of the device used, and the items viewed. Contacting us will also often lead to the processing of personal data. This includes matters such as a request for sending a brochure or submitting a guarantee claim.

 

  1. Purchase and use of our products and services

(including https://www.accellnederland.nl and mobile apps)

 

We collect and process the following information about you:

  • contact details including your name, home address, contact number(s), email address,
  • login and account information, including screen name, password, unique ID, emergency contacts, logs of phone calls and all correspondence, payment details, GPS data and system user logs and (contract) identification numbers.
  • personal details including gender, date of birth and purchase history, payment or credit card information
  • data on physical characteristics, including weight and body measurements, and fitness activity data provided by you or generated through this App, including user logs, distance, time and GPS location
  • contact details of your emergency and/or insurance contacts if you provide details of people other than yourself. This will include their name, mobile number and email address.
  • we may collect additional data from you to enable particular features within the App, for example your bike route, sensor data if you connect to your own sensor equipment, your contacts to allow you to interact with your friends or your social network credentials to post content from the App to a social network.

We use your information for the following purposes:

  • Contracting, delivery of product and/or service, and administrative processes (including billing and collecting, system provisioning, hardware and software upgrades, credit checks, technical support).
  • Communication and Marketing: We will communicate with you through the App, over the phone, by email and/or by post for (routine) service, maintenance purposes and marketing communication about our products and services, provide information on cycling circumstances such as routing information, or in the event of an emergency trigger. Phone calls (e.g. in- and outbound customer service) may be recorded for documentation, quality and/or training purposes.
  • We may use (aggregated) customer data for performance analysis of our products and services for the purpose of further development of our products and services (including insurance, maintenance and monitoring), to optimize our product portfolio and for marketing activities for future customers.
  • To allow you to monitor your bike from your mobile device through this App. This includes, for example, user logs, alert status, GPS tracking, geofencing, logging your route, find my bike, interacting with other users and scheduling your training, if we have unlocked these functionalities and you have activated them.
  • Notification records: when you (de)activate your 'alert' notifications, we retain a record. We will contact your emergency contacts if your emergency alert is triggered and we cannot reach you. If you provide us with personal data relating to such people, you represent to us that you have informed them that we will use their personal data for the purposes of having them as your emergency contact, and that it is in your and our legitimate interest for us to process their personal data to the extent permitted by and in compliance with the terms of this privacy statement. After collecting your emergency contacts’ personal data and unless they already have the information about how we process their data, we will provide them with our privacy statement.

Children: we comply with local laws and do not allow children to register on this App independently when they are under the legal age limit. We will ask for parental consent for children participating in our experiences and events.

Our use of your information as described above is permitted by applicable privacy laws and in most instances the processing of your personal data is based on the legal basis of contract (our contractual obligation to provide you with our products and/or services). In some cases it is (partly) based on our Legitimate Interest, your consent or to protect your vital interests.

 

  2. (Online) quote

 

We collect and process the following information about you:

 

  • your name, home address, telephone number, email address, current contract details if you are an existing customer, and a general description of your interests.

We use your information for the following purpose:

  • To provide you with a quote.

Our use of your information as described above is permitted by applicable privacy laws. Our processing of your personal data for providing you with a quote is based on the legal basis of (pre-)contract. 

 

  3. From your use of our website

 

Please see our Cookie Notice for more information about what Personal Data we collect from you when you visit our website or mobile apps. 

 

  4. Marketing

 

We collect and process the following information about you:

  • Your personal details such as your name, home address, telephone number, email address, country of residence;
  • We may also record your interests, information on previous purchases and use of our services as part of our data analytics to help improve the way we run our business and provide a better service;

 

We use your information for the following purposes:

  • We use your personal data to send you direct marketing communication about our products and services. This may be in the form of email, post, SMS, telephone or targeted online advertising.
  • We may use your personal data to send you a survey to improve our services and/or for market research purposes. You always have a choice about whether to take part in our market research.

 

Our use of your information as described above is permitted by applicable privacy laws. In most cases our processing of your personal data for marketing is based on our legitimate interest, although in some cases (such as when required by law) it may be based on your consent. 

 

Information we collect from third parties

We receive lead information from third party partner companies, such as:

  • Maxlead

We will collect and use your lead information to market our services to you where you have not expressly opted out or previously indicated that you do not want to be contacted for marketing purposes. We will provide you with an easy ability to opt out at any point should you change your mind.

 

Dealers
Customers largely purchase our products and services via recognised dealers and other resellers. These dealers and resellers are independent parties. We are not responsible for the handling of customer data by recognised dealers and other resellers. Dealers and resellers provide us with your personal data in connection with the sale of our products and services under their own responsibility. Please read their own privacy statements for further details.

 

Disclosure of your information

Sharing Information

Your Sharing: When you use certain social features on our App, connect with third parties through this App or use the content on third party websites, you can create a public profile that may include information such as your screen name. You can also share content with your friends or the public, including information about your Connected Bike activity. If you choose to do so, we are not responsible for the handling of personal data by such third parties. Please read their own privacy statements for further details.

Our Sharing: we may share your information with other Accell Group entities, third party service providers processing on our behalf and other third parties to the extent necessary to comply with a government request or court order, prevent illegal use of our products or this App or violations of our App's Terms and Conditions, defend ourselves against third party claims and assist in fraud prevention or investigation (e.g. counterfeiting).

We will also share your information with other third parties at your request and/or where you have provided your consent. These parties can include suppliers of related products such as bike or health insurance, cycling holidays, en-route maintenance, hotel or catering, wellness arrangements etc.

If we share your information with other Group companies or affiliated companies, it is in the context of the provision of our products and services. As our activities require the skills and resources of other companies, we will further need to share your information with selected recipients, listed below, in order to perform these activities. These companies will have similar legal obligations to us with regards to safeguarding your information. Alternatively, we will remain responsible to you for what they do with your information. The categories of recipients we share your information with include:

  • Cloud storage providers (e.g. Microsoft 365), which store your personal data in the EEA, who we use to store alarm recordings and the personal data you provide, for disaster recovery services, and for the performance of any contract we enter into with you.
  • Customer support providers (e.g. Salesforce), which store your personal data in the EEA, who we use to assist us with providing you with our forms and invoices, and getting in touch with you.
  • Customer Communications and Telephone system providers (e.g. Emark, Mailplus), which store your personal data in the EEA, who we use to provide you with information and offers by e-mail and/or physical mailings and/or get in touch with you via telephone.
  • Payment services providers (e.g. Adyen), which store your personal data in the EEA, who we use to process your installation and service payments.
  • Financial services providers which store your personal data in the EEA, to whom we may assign claims derived from the contract with you, e.g. in the event of failure of timely payment for products and services.
  • Our local franchisees and partners which store your personal data in the EEA, who we use to provide you with hardware, installation, maintenance and customer service and who we partner with in the sales process and lead management.
  • Local authorities such as the police, if it is apparent that a crime is being committed or that emergency services need to be contacted, or enforcement authorities to assist with debt collection.
  • IT Services providers (e.g. Conneqtech, KCMsurvey, Spheremall, Snakeware), which store your personal data in the EEA, that provide us with the connected bike app, customer satisfaction survey and website development, who we use to store our customer relationship management information.
  • Analytics and search engine providers (e.g. Google Analytics), that assist us in the improvement and optimisation of our services and products, the website and/or the Mobile App(s).
  • Marketing and market research providers (e.g. Facebook and Google), who we use for marketing, market research and customer feedback.

Please note that this list is not exhaustive and can vary over time.

If we or substantially all of our assets are acquired by a third party, then your information will be transferred to the new owner. The new owner will be subject to the same laws concerning your information as we are. If we sell any business or assets to a third party, we will disclose your data to the prospective buyer of such business or assets.

 

Transfers of your information abroad

We store your information within the European Economic Area (EEA) or countries that have an adequate level of data protection. These countries have equivalent laws to those of The Netherlands.

Where we share your information with companies based outside (i) the EEA or (ii) countries with an adequate level of data protection, we contractually require these companies to handle your information on a similar basis to us. In those cases, we will ensure that the transferred information is protected. Further details of any transfer including copies of the safeguards we use are available from us on request.

 

How long do we retain personal data?

We process data for as long as necessary for the purposes listed in this statement. This may depend on registration by you, such as for an account, newsletter or app. When we no longer need your personal data, we will securely dispose of it in accordance with our Data Retention Policy. In some circumstances when you opt out of marketing, we may suppress your information so that we know not to contact you in the future.

 

How do we secure consumer data?

Data security is an important part of our business operations. Various security measures are implemented in order to guarantee this. This includes the following matters:

 

Organizational security

Accell IT has implemented the following organizational measures to safeguard the information of Accell Group and its subsidiaries:

  • Every employee signs a contract that includes a non-disclosure agreement.
  • The Corporate Information Security Officer role is assigned, and security is an important topic at several management meetings.
  • There is a procedure for data breaches. The procedure includes the forming of a crisis team, which coordinates mitigation, service restoration, communication and legal matters.
  • Employees have different authorization levels according to their role. These authorization levels limit the rights on operating systems, databases, software modules and network configuration.
  • Administrator actions on our networks and systems are logged both locally and in a central system (Splunk).
  • Inactive accounts will be locked automatically after a fixed period.
  • A central identity platform is used for authentication of all internal systems and software that are capable of delegated authentication. New employees need to be authorized by the IT manager to be added to the identity platform.
  • Our incident, change and configuration processes are based on ITIL. We have ITIL process managers who monitor if and ensure that employees follow the right procedures.
  • Accell IT uses cybersecurity expertise from external companies to keep up with the latest security threats and privacy requirements.

Accell IT has documented these measures, amongst others, in an Information Security Policy document, signed by the CEO of Accell and distributed amongst the Managing Directors for adherence.

 

Physical security

Accell IT has a main and secondary equipment room. Both are inside buildings with limited access.

  • During office hours a reception desk checks access to the building, and a list of visitors is kept.
  • After office hours we safeguard the buildings by a combination of guards, surveillance services, fences, electronic doors and electronic alarms.
  • The building is guarded by surveillance cameras.
  • The technical rooms are protected by electronic doors and require a second level of clearance. Only employees of Accell IT have access after authorization of the IT director.
  • Access to the technical rooms is reviewed once a month.
  • The technical rooms are protected against power failure by a UPS and a power generator 24/7.
  • The power generator will auto start on power failure, and is run each month as a test.
  • An argon fire extinguisher protects the technical room against fire 24/7.

 

Network security

Accell IT has a dedicated team of network engineers who are actively maintaining a high level of security on the network. Among the measures they take are the following:

  • Network segmentation into multiple zones by a combination of VLANs, Access Control Lists (ACLs) and firewalls of two different brands.
  • The production network is separated from the other networks, like the guest, quarantine and facilities networks.
  • Production network access is granted only for devices authorized by Accell IT.
  • Device authorization is done by a combination of signed digital certificates, Active Directory domain membership, and MAC address combined with device-profiling techniques.
  • Remote access to the production network is granted using authenticated IPsec VPN or SSL-VPN only.
  • Remote access authentication is always protected by two-factor authentication, using either an installed signed digital certificate or a user-bound software token, besides a strong password.
  • At the internet perimeter all traffic is inspected by a combination of application inspection, cloud inspection and email inspection.
  • Our websites and web services are segmented into different segments, separated by firewalls and VLANs. Examples are DMZ, Frontend Linux, backend SQL.
  • Network-access between servers is authorized and registered in a registration tool.

 

Device security

To secure the devices employees work with, Accell IT has taken the following measures:

  • Only authorized devices have access to the servers.
  • All devices have anti-virus/anti-malware software installed, centrally managed.
  • The storage-devices of all laptops are encrypted.
  • A device-based firewall is active on public networks.
  • Access to the device is based on an encryption password and a domain password.
  • Local system rights are controlled using a central policy.
  • Every month Accell IT releases security patches, which will be installed automatically on the laptops.

 

Server security

All servers are updated regularly to ensure they run the latest OS and security patches.

Only operating system versions that are supported by the vendors are used.

Central policies limit the rights administrators and software have on these servers. There is a strict policy for system accounts. These rights are audited regularly, and system accounts are only enabled after authorization of the IT Director.

The servers facing internet, or related to internet services, are protected using an extra set of measures. These include, but are not limited to:

  • System hardening, like removal of unused services or unused default users.
  • Front-end functionality on separate servers from backend servers (database servers).
  • Strong password policy.
  • Automated configuration management and provisioning.
  • Weekly patch policy for software updates.
  • Patches for zero-days are applied within hours.
  • SSL/TLS configuration applied with the latest encryption standards.
  • Auditing of server events, like logons, user commands, software installation and system changes, to our SIEM environment (Splunk).
  • Limiting the servers' email capability to trusted secure relay servers only.

 

Logical access control

Accell IT constantly strives to have access to all systems, software, networks, databases centrally managed.

There are two central systems that provide these central authentication functions: an internal one (Microsoft Active Directory) and a cloud-based identity system from our IDaaS provider (Okta). Each grants access to different systems, either internal systems or cloud applications.

For systems not capable of delegated authentication, local accounts are used. The use of a password manager generating strong passwords is mandatory.

 

Data availability

The most important servers (Virtual Machines) are replicated in near real time. In case of a hardware failure, these VMs are automatically switched to hardware at the backup location.

Besides this, all servers are backed up every day. Backups are made on logical disks. Backup tapes are made every month and every year for archiving purposes.

Tapes are stored in a different secured area in a safe.

The two datacenters both have an internet connection. In case of an emergency at the main datacenter, the servers are automatically made available from the backup datacenter.

For development of our software and software from a third party on the infrastructure, we make use of DTAP (OTAP) procedures. Development is done on development servers, not on production servers.

If you have any questions in this regard or you suspect abuse, you can send an e-mail to security@accell-it-services.com

 

Your rights

You have a number of rights in relation to your personal data.

You have the right to access your data, correct any mistakes in our files, the right to have your personal data erased and to restrict or object to processing. You also have the right to withdraw your consent, opt-out of receiving future marketing, and in some circumstances, you have the right to have your information transferred to you or a third party, and the right to object to profiling and automated decision making.

You can also lodge a complaint about our processing of your personal data with your Supervisory Authority https://www.autoriteitpersoonsgegevens.nl 

Contact and Complaints

The primary point of contact for all issues arising from this statement, including requests to exercise data subject rights, is our Data Protection Officer. The Data Protection Officer can be contacted in the following way:

privacy@accell.nl

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible.

Status of this privacy statement

The Privacy Statement was updated in September 2019. We reserve the right to amend it from time to time.