- Inicio
- Blog
- Hexagon Match
- Hexagon Match Data Processing Addendum
Hexagon Match Data Processing Addendum
The Data Processing Addendum applies to personal data that Hexagon Data Group processes on behalf of and on behalf of the Customer, by virtue of the use of the Hexagon Match platform (the "Platform"), as set forth in this Agreement, and to the extent applicable (i) the Federal Law for the Protection of Personal Data in Possession of Private Parties and its Regulations ("LFPDPPP") or (ii) any other data protection law identified in this document.
When we refer to "Grupo Hexagon Data", "we", "us" or the "Company" we mean Hexagon Data, S.A.P.I. de C.V., a company incorporated in Mexico, Hexagon Data Colombia, S.A.S., a company incorporated in Colombia, Agradecemos Tu Pago, S.A.P.I. de C.V., a company incorporated in Mexico, and their affiliates, understood as any entity directly or indirectly controlling, controlled or under common control, that processes personal data in accordance with the terms described herein, a company incorporated in Mexico, and its affiliates, understood as any entity that directly or indirectly controls, is controlled or is under common control, that process personal data in accordance with the terms described herein. We have a legitimate interest in protecting the information that our Customers share with us.
The Client agrees and accepts in its own name and on behalf of its principals what has been agreed in this document.
This Data Processing Addendum (the "Agreement" and/or "DPA Match")is part of the Terms of Use of the Platform, and reflects the Agreement between the Parties with respect to the processing of personal data on the Platform. The Parties agree to comply with the following provisions and each agrees to act reasonably and in good faith.
Definitions
- Affiliated: means any entity that directly or indirectly controls, is controlled by, is controlled by, or is in joint control of the Client. "Control" means direct or indirect ownership or 50% control of the entity's equity votes.
- AnonymizationDissociation: and/or dissociation, refers to the procedure by which personal data cannot be associated to the Data Subject or allow, due to its structure, content or degree of disaggregation, the identification of the Data Subject.
- CCPA: means the California Consumer Privacy Act, which regulates data protection for the residents of the State of California, United States of America.
- Client: For the purposes of this Agreement, the term "Client" refers to the individual or legal entity, including its Affiliates, who contracts the use of the Platform.
- Contract: means the document by which Hexagon Data Group grants a License to use the Platform, either directly with Hexagon Data Group or through an authorized Partner. We sign exclusive contracts with each Client to meet specific needs, detailing the terms of the License as well as the duration of the License. This DPA Match is part of the Agreement.
- Customer Data: also referred to as "your Data", means any data and/or information that Customer shares with Hexagon Data Group. It includes personal data of your users and/or consumers and data collected through tags and/or scripts that observe the behavior of your users and/or consumers on your website, APIs, apps and/or newsletters. It includes the databases that the Customer shares with us.
- Personal data: any information concerning an identified or identifiable natural person.
- Sensitive personal data: those personal data that affect the most intimate sphere of its owner, or whose improper use may give rise to discrimination or entail a serious risk for the owner. In particular, data that may reveal aspects such as racial or ethnic origin, present and future health status, genetic information, religious, philosophical and moral beliefs, union membership, political opinions, sexual preference are considered sensitive.
- Data Protection Officers: GDPR requires companies to appoint a person responsible for monitoring how personal data is processed and for informing and advising employees who process data about their obligations. Hexagon Data Group has appointed a Data Protection Officer. The appointed person can be contacted at privacy@hexagondata.io.
- In charge: means the natural or legal person who alone or jointly with others processes personal data on behalf of the Controller.
- First Party Data: The type of data depends on the way in which these data are acquired. First Party Data are those data that are acquired "first hand" from the Customer. That is, it is information that is collected from its own sources, for example through its website, apps, newsletters and/or through direct interaction with its users and/or consumers. It is information from users who have interacted with the Customer, have been interested in the product or service, and have left their data or even are already customers.
- GDPR, by its acronym in English, refers to Regulation (EU) 206/679 of the European Parliament and of the Council of 27 April 2016 on data protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- Data Protection Laws and Regulations: means all laws and regulations applicable to the protection of personal data. In Mexican territory, specifically the Ley Federal de Protección de Datos Personales en Posesión de los Particulares and its Regulations ("LFPDPPP"); for Colombia, in particular Law 1581 of 2012 and Decree 1377 of 2013. Internationally, the leading instruments are the GDPR of the European Union and the CCPA of the State of California, United States of America.
- Hexagon Match platform: is a platform where the Data Onboarding process is offered. Which consists of finding the coincidence ("match") between the offline data with the Customer's online data.
- Responsible: means the natural or legal person who, alone or jointly, determines the purpose and form of the processing of personal data.
- Sub-managerThe person to whom Hexagon Data Group entrusts the processing of Customer Data and/or the person who provides a service to Hexagon Data Group that is required for the performance of the Services for the Customer.
- Third party information: The type of data depends on the way in which these data are acquired. Third party information are "third hand" data that are acquired from sources entirely external to the Client, usually through data providers and data brokers. These data are aggregated and anonymized, they can be acquired on a large scale already selected, processed and segmented according to the type of audience. The Platform does not accept this type of data, so the Customer agrees not to include this type of data in the use of the Platform.
- Holdermeans the identified or identifiable natural person to whom the personal data pertains.
- Transfermeans any communication of data to a person other than the Controller or Processor.
- Treatment, and/or "processing" in the terms of the GDPR, refers to the collection, use, disclosure or storage of personal data, by any means. Use encompasses any action of accessing, handling, using, exploiting, transferring or disposing of personal data.
All capitalized terms not defined herein shall have the meanings set forth in this Agreement.
Clauses
Processing of Personal Data
1.1 Relationship between the Parties. The Parties agree that in relation to the processing of Customer Data, the Customer is the Controller and Hexagon Data Group is the Processor, who may sub-process Customer Data to third parties on the terms described herein.
1.2 Treatment details. Annex A sets out the subject matter, nature and purpose of the processing by Hexagon Data Group, the duration, the types of data and categories of Data Subjects. Each party will comply with its applicable obligations under data protection laws and regulations and this DPA Match.
1.3 Processing of personal data by the Customer. Before using the Platform, the Customer shall be responsible for informing the Data Subjects of the processing of their data by Hexagon Data Group in its capacity as Data Processor and obtaining their consent. The Client is responsible for the accuracy, quality and legality of the data as well as the means by which the Client acquired this data. In this regard, the Customer undertakes to use only data that he/she has collected himself/herself, i.e. First Party Data.
1.4 Processing of Customer Data. Hexagon Data Group may process personal data on behalf of and at the request of the Customer. We will treat the data as Confidential Information, unless otherwise instructed by the Customer.
1.5 Purposes of processing. Hexagon Data Group only processes Customer Data in accordance with (i) the Customer's written instructions (ii) the terms of this DPA Match, and (iii) the Agreement entered into between the parties. Hexagon Data Group may process certain categories of Personal Data on behalf of Customer for certain defined purposes, in accordance with the Annex A.
2 Right of Owners
The data subjects at all times have the right to modify and/or revoke their consent for the processing of their personal data. They also have the right to be forgotten and other rights that the corresponding regulation grants them. Hexagon Data Group undertakes to comply, and to assist in its compliance, at all times.
In the event that Hexagon Data Group receives a request from a user and/or consumer for whom the Customer is Responsible to exercise their ARCO rights or rights specific to their jurisdiction, Hexagon Data Group will notify the Customer. To the extent permitted by law, Hexagon Data Group will assist the Client with appropriate technical and organizational measures for the fulfillment of the Client's obligation to respond to the Data Subject's request under the Data Protection Laws and Regulations.
If the Customer or any interested third party would like to exercise their rights over personal data for which we are the Controller, they may exercise their rights using the procedure explained in the "MEANS TO EXERCISE YOUR RIGHTS" section of our Privacy Notice.
3 Group Collaborators Hexagon Data
Hexagon Data Group has a team of programmers, analysts and collaborators (the "Collaborators") trained to provide high quality services to our Customers. We are committed to the protection of the data we process, so we implement internal measures for data handling and we also train Employees to process data in accordance with the standards described in this Agreement. The following is a list of security measures designed to protect the security and privacy of our customers:
3.1 Confidentiality. We ensure that Employees engaged in data processing are informed of the confidential nature of Customer Data, receive appropriate training on their responsibilities, and sign written confidentiality agreements. These confidentiality obligations survive the termination of the Employee's contract.
3.2 Limitation of access. Access to Customer Data is limited to Collaborators performing services pursuant to the Agreement. In addition, each Collaborator is provided with a computer for the exclusive use of their collaboration with Hexagon Data Group. Any work they perform in connection with the Customer Service will be on Hexagon Data Group-owned equipment.
3.3 Data Protection Delegate. Hexagon Data Group has appointed a data protection officer. The appointed person can be contacted at privacy@hexagondata.io.
4 Sub-managers
Customer agrees and consents that Hexagon Data Group may engage third parties (the "Providers") in connection with the provision of the Services, who shall be categorized as Sub-providers in accordance with this DPA Match. Hexagon Data Group enters into a written agreement with each Sub-provider that contains obligations with respect to the protection of personal data no less protective than those in this DPA Match. The list of Sub-agents can be found in Annex B.
In the event Hexagon Data Group wishes to make a change of Sub-Supplier, it will notify Customer and must obtain Customer's consent to make such change effective. Customer may object to Hexagon Data Group's use of a new Supplier within 5 (five) days of notice of the change. If Customer fails to respond within that period and continues to act in accordance with the Agreement, the proposal shall be deemed accepted.
When contracting with Suppliers, we commit to:
a. hire recognized, market-leading companies that implement security measures no less protective than those set forth in this Agreement to comply with data protection, to the extent applicable to the nature of the services provided by such Sub-provider;
b. restrict the Sub-provider's access to Customer Data only to what is necessary to maintain the services or to provide the services to the Customer;
c. Hexagon Data Group is responsible for the performance of the obligations of this Agreement and for any act or omission by the Sub-Intendants that breaches any of the obligations set forth herein, except as otherwise provided.
5 Security
Hexagon Data Group will implement appropriate technical and organizational measures for the protection of the security, confidentiality and integrity of Customer Data.
5.1 Safety measures. We establish and maintain administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorized use, access or processing. We do not adopt lesser security measures than those we maintain for the management of our information.
Security measures include: (a) restricting access to the Platform; (b) protecting the security of your information during transmission to or from Hexagon Data Group websites, applications, products or services through the use of encryption software and protocols; (c) creating specific access keys for each actor involved in data processing; (d) adopting internal measures for data handling by collaborators; and (e) ensuring that our Suppliers comply with the highest standards of data security and privacy, in compliance with applicable Laws.
a. Restriction of access to the Platform. Access to the Platform is restricted by means of authentication elements. Once the Customer Registration process is completed, Hexagon Data Group will create an exclusive profile for the Customer who will have a User and Password account. The password that Hexagon Data Group creates is temporary, so the Customer must change it upon his first login to the Platform. Please read the Platform Terms of Use for more information.
5.2 Confidentiality. At all times, Hexagon Data Group will treat Customer Data as Confidential Information and ensures that all personnel responsible for processing Customer Data sign confidentiality agreements, which will govern the access, use and processing of Customer Data.
5.3 Management and notification of security incidents. In the event of security incidents, Hexagon Data Group will notify Customer as soon as it becomes aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including anonymized data, transmitted, stored or otherwise processed by Hexagon Data Group or its Sub-agents.
Hexagon Data Group will use reasonable efforts to identify the cause of such incident and will take such steps as it deems necessary and reasonable to remedy the cause to the extent remediation is within Hexagon Data Group's reasonable control. The obligations set forth herein shall not apply to incidents caused by Customer or Customer's users.
6 Data transfer
We transfer data as little as possible. If we do so, it will be to our Providers, who are Sub-providers under the terms described in the corresponding section of this DPA Match. The transfers we will make are only those permitted by applicable Data Protection Laws and Regulations. We also ensure that they are to jurisdictions where they meet the same or higher security standards as described in this Agreement.
7 Data deletion
During the contractual relationship with the Customer, we may store Customer Data in any of our databases. We undertake to store only the data strictly necessary and to delete them within 3 months after the termination of the use of the Platform or until the legal limitation period. We also undertake, where possible and upon request, to return Customer Data by transferring the data in physical form via a CSV file.
8 Additional information for certain jurisdictions
We provide additional information about the privacy, collection and use of personal information of current and prospective Hexagon Data Group customers located in certain jurisdictions.
8.1 European Union: GDPR
Hexagon Data Group processes personal data, to the extent possible, in accordance with the requirements of the GDPR directly applicable to the provision of its Services and as provided by its Customers. Customer specifically acknowledges that its use of the Platform will not violate the rights of any Data Subject subject to the protection of the GDPR.
8.2 CCPA
Hexagon Data Group processes personal data, to the extent possible, in accordance with the requirements of the CCPA directly applicable to the provision of its Services and as directed by its Customers. Within or by virtue of our services, we do not sell databases or personal data of the Customer or its users and/or consumers. Customer specifically acknowledges that its use of the Platform does not violate the rights of any Data Subject who has opted not to sell or disclose their personal data, to the extent applicable under the CCPA.
9 Miscellaneous
9.1 Modifications. We are constantly updating our policies to provide the best possible protection. Hexagon Data Group reserves the right to make changes and adjustments to this Agreement. The new version will become effective on the date indicated at the beginning of this Policy. In the event that we believe there are material changes we will notify you by posting a prominent notice on our website or by any available means of communication. Entry into force will be deemed to be accepted by you. We encourage you to constantly review our website during the term of our relationship.
9.2 Validity. This Agreement remains in force during the contractual relationship with the Client and/or as long as the Client, by itself or its Users, makes use of the Platform. Any obligation or liability accrued up to the time of termination shall remain valid until fulfilled.
This Agreement shall be legally binding at the time it is made available to the Client. It will be understood that the Client consents to the processing of his data, when having made this Agreement available to him, he does not express his opposition and continues his use of the Platform.
Annex A
Treatment Details
1.1. Nature of the treatment
Hexagon Data Group processes personal data to offer its Products and Services within the Platform and as directed by the Customer.
In the event that, under the Agreement, it is agreed that a cloud-based service is provided by a Provider (Amazon Web Services, Google or other), the parties acknowledge that any personal data processed within the cloud service will be governed solely by the terms and conditions of the cloud service as stipulated and amended from time to time by the Provider.
1.2. Purpose of treatment
The purpose of processing Customer Data may include any of the following:
- Store contact data in one place
- Generate anonymous audiences
- Generate a "match table" (match table)
- Improve Platform efficiency
- Transfer the audiences to the sources indicated by the Customer
- ID Synchronization ("ID Syncing")
Duration of Treatment
As provided in the section on the term of the DPA Match, Hexagon Data Group processes Customer Data for the duration of the contractual relationship with the Customer and/or for as long as the Customer, by itself or through its Users, uses the Platform.
Types of Personal Data
The data we process are from two sources:
- Data that Customer, by itself or by its Users, uploads to the Platform. Data types may include, but are not limited to:
- Zip Code
- Country code in two characters
- E-mail address
- Address
- Age
- Marital status
- Genre
- First and last name
- Number of children
- Age range
- Data that Hexagon Data Group may collect on behalf of the Customer through tags and/or scripts directly embedded in the Customer's website, APIs, apps and newsletter. By means of the tag, Hexagon Data Group may create a Unique ID to collect the data that it will use in the match; at no time will match between data from different Clients. The type of data that can be included, but not limited to, are:
- Customer ID
- Mobile Advertising ID
- Cell phone
When the Client uploads its Data to the Platform, a data source is generated within the Platform; the Client may choose to encrypt (anonymize) the data, otherwise the data will not be anonymized, and among those data some may be personal data. Regardless of the Customer's choice, when the data is transferred to the sources indicated by the Customer it will be anonymized. The data processed is at the sole discretion of the Client to fulfill the intended use of the Platform.
1.5. Categories of Data Subjects
The personal data are First Party Data that the Customer collects on its own. The Customer Data is related to the following categories of owners:
- Consumers
- Users
1.6. Special category of data
Sensitive personal data. Hexagon Data Group does not process sensitive data within the Platform.
Third party information. The data we process is Customer Data collected by the Customer or on behalf of a third party, but for which the Customer is "Responsible". The Platform is not designed to process third party information other than that collected by the Client.
Annex B
Sub-managers
- Amazon Web Services, Inc.
- Oracle Corporation
- Facebook, Inc.
- Google LLC.
- Linkeldn Corporation
- Lotame Solutions, Inc.
- Salesforce.com, Inc.
- TikTok Pte. Ltd.