Welcome to Nirvana! We hope you will enjoy and appreciate using our services. We want you to know we take your privacy and protection of personal data very seriously. We are providing this privacy notice to tell you about who we are, what personal data we collect from you and about you, what we do with your personal data, your rights under the law, and how you can contact us and the necessary authorities to enforce those rights. Please read it carefully.
Before we get started, here are a few terms we think you should know as you read this notice, because we keep repeating them!
“GDPR” – this is the European data protection law that Nirvana is committed to upholding and complying with. It stands for “General Data Protection Regulation”, and its official name is Regulation (EU) 2016/679 of the European Parliament and of the Council. You can read the whole thing here, but we promise we’ll tell you the important stuff in this notice. For instance, under the GDPR you are called a “data subject”.
“Personal data” – this is information we collect from you or about you and is defined in the GDPR as “any information relating to an identified or identifiable natural person.” It can be as simple as your name or your email, or something more complicated like an online identifier (usually a string of letters and / or numbers) that gets attached to you. For more details about what is personal data, you can read article 4(1) of the GDPR.
About Us and Contacting Us
Under the GDPR, Nirvana is a “Data Controller”. That means we collect personal data directly from you and determine the purpose and means of processing that data. Nirvana is actually Nirvanahq Inc., a duly-incorporated corporation in the country of Canada, in the Province of Quebec. Nirvana is committed to protecting your privacy and conforming to the GDPR.
If you want to ask us anything about what’s in this privacy notice (or anything else privacy- or data-related), you can email firstname.lastname@example.org. Here is our mailing address for you as well:
439 rue Saint-Pierre
If you wish to contact the person responsible for all data matters at Nirvana directly, or make a complaint regarding our data practices, or exercise your rights under the GDPR, please contact our data officer:
(same mailing address as above)
Supervisory Authorities and Complaints
Under the GDPR you have the right to make a complaint to the appropriate supervisory authority. If you are not satisfied with the response received or the actions taken by our data officer, or if you would like to make a complaint directly about Nirvana’s data practices, we invite you to contact the supervisory authority in your country. If you are in the U.K. for example, you should contact the Information Commissioner’s Office, which is the supervisory authority. You can reach them in a variety of ways, including by phone (0303 123 1113 in the UK) and mail (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF). Other countries will have their own supervisory authorities. The full list can be found here.
Your Rights Under the GDPR
You have the following rights regarding your personal data held by Nirvana, and other rights:
- The right to withdraw at any time your consent for Nirvana to process your personal data;
- The right to have your personal data erased from Nirvana’s records;
- The right to have a copy of your personal data given to you in an easy to read format so that you can transfer it to another data processor;
- The right to have your personal data corrected if you believe it is inaccurate;
- The right to restrict the processing of your personal data if it is inaccurate or if our processing of it is against the law;
- The right to access your personal data and any relevant information around its processing; and
- The right to refuse any marketing targeted at you by Nirvana.
Personal Data Collected from You and What We Use It For
In the table below, please find all the personal data we may collect from you directly, what we use it for, and the legal basis for us having and processing this personal data.
| Personal data category | Personal data processed | What we use it for (the “purpose” of processing) | Legal basis for processing |
|---|---|---|---|
| Contact information | Name, email address | To communicate with you | Your consent in giving us this information |
| Account information | Name, email address | To create an account for you, to communicate with you, and to identify you for logging in to our online services. | Your consent and performance of a contract between you and us |
| Billing information | Credit card holder name, number, expiration date, CVV number and billing address | To allow you to pay for access to the Pro version of our services. | Performance of a contract between you and us |
Where you have provided personal data further to the contract between you and us, if you fail to provide such data or withdraw your consent to use such data, we will no longer be able to offer you our services.
Personal Data Collected About You from Third Parties and What We Use It For
Nirvana does not collect any information about you from third parties.
Who We Transfer Your Personal Data To
We routinely share some of your personal data with certain types of third parties who are identified in the table below along with what they do with it. Some of those third-party recipients may be based outside the European Economic Area — please see the “Transfer of Your Personal Data Outside of the European Economic Area” further down in this notice for more information including on how we safeguard your personal data when this occurs.
We will share personal data with law enforcement or other authorities if required by applicable law. We will never share your personal data with other third parties except under these circumstances.
| Personal data category | Who we transfer it to | What they do with it |
|---|---|---|
| Contact information | Companies that provide email services, specifically MailChimp | Send you emails |
| Account information | Companies providing technical infrastructure | Various tasks in providing you our services, specifically providing the infrastructure to support our website and application |
| Billing information | Payment processing companies, such as Recurly | Process your payments for access to our Pro service |
| Advertising identifiers | Companies that provide ad networks, specifically Google | Show you ads for Nirvana when you are on the internet |
| Analytics identifiers | Companies that provide data analytics, specifically Google | Provide us with analytics as to how the services are used, and to trace fraudulent activities |
How We Protect Your Personal Data
We have implemented very strict technical and organisational procedures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed by us. These procedures prevent your personal data from being lost, or used or accessed in any unauthorised way.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable supervisory authority of a suspected data security breach where the GDPR requires us to do so, and within the time frame required by the GDPR.
When you make payments or transfer information through Nirvana, your personal data is transferred with encryption using Secure Sockets Layer (“SSL”), a robust security standard for Internet data transfer and transactions. You can use your browser to check Nirvana’s valid SSL security certificate.
Transfer of Your Personal Data Outside of the European Economic Area (EEA)
We endeavour to keep your personal data inside the EEA. However, certain of our data processors (and Nirvana!) are in other countries where your personal data may be transferred. These countries are limited to those with particular circumstances that protect your data, specifically:
- Canada. Canada has been determined to have an “adequate level of protection” for your personal data under European data protection law.
- The United States. Your personal data is only transferred to companies in the United States that: (1) participate in the Privacy Shield; and / or (2) have signed agreements with us or have informed us that they are GDPR-compliant.
That’s it! You have the right, however, to refuse to have your data transferred outside the EEA. Please contact our data officer to make that request. Please note that if you make this request, we may no longer be able to offer you our services.
Your personal data will only be kept for as long as it is necessary for the purpose needed for that processing. For example, we will retain your account information for as long as you need to have an account with us.
Sometimes, your personal data is automatically backed up and will be kept for longer periods of time until those backups are deleted as well.
Changes to This Privacy Notice
This notice was published on May 25, 2018. Every now and then, we will have to update this notice. You can always find the most updated version at this URL, and we will always post a notice on our website if we make big changes. If you have a Nirvana account, we will also email you to tell you the notice has been updated, and what the important changes are.