We respect the rights of individuals to know how their personal data is being used, to export it, or to request that it be deleted. We collect data requests via the GDPR Page, as it adds an extra layer of security by asking you to identify yourself.
Please note that data requests can take up to 30 days to process. If a request will take longer than 30 days, we will notify you ASAP.
Third parties seeking access to non-personal data should contact the Data Controller (FirstOfficer's customer) with their request.
We may share data with law enforcement under special conditions, such as when fraud or another crime is suspected. However, we require a valid search warrant issued by a court located in Finland (EU), and we will always notify our customer unless we are legally prohibited from doing so.
FirstOfficer is committed to the importance of trust and transparency for the benefit of our customers and does not voluntarily provide governments with access to any data for surveillance purposes.
All the personal data that we have on your customers in FirstOfficer is something that you must keep for bookkeeping purposes. GDPR calls it "a lawful basis for processing". Your customers can't just ask you to forget their bills.
However, keeping personal details like name, email and country in FirstOfficer does not have a lawful basis, so if your customer demands it, we will remove them. Your financial metrics remain untouched; only the personal identification data is removed.
We respect your time so we don't send separate email notifications about personal data requests. We don't let the customer know who the Data Controllers (you and other FirstOfficer customers) are.
We delete the name, email and country that we have on record for this user in FirstOfficer and replace the information with unidentifiable placeholders.
You will still see a user in the app, but they show up as "GDPR-blocked" so you can't tell who's who.
We will reply to them using this email template:
You have made a request to export your personal data from FirstOfficer. Here's what we have on record for you:
Your email: [email_address]
Your country: [country]
Your name: [name]
We will only correct personal data; we never change financial data.
We will first reply with this email template:
The personal data that we have on you comes directly from our customers' billing systems. Changing it in FirstOfficer doesn't change it in their systems and we are not allowed to reveal the Data Controller to you.
Are you sure you want us to change this data?
If they want to proceed, we will make the change and reply with this template:
We confirm that the changes you've requested have been made.
We respect the customer by not asking questions or requesting confirmations unless it's absolutely necessary.
If a non-account owner asks to be forgotten, we manually delete the record from the DB and kindly let them know that their access to the application went with it. They need to be invited again before they can use FirstOfficer.
If an account owner wants to have their personal data removed, we kindly let them know that we need that data for bookkeeping and that we have a lawful basis for keeping it. However, if they can assign someone else from their company as the new account owner, we can delete their account and the personal data will get deleted as well.
This policy and process was last modified on May 18, 2018.