BIS CRM • DPOSaaS Solutions

Privacy Policy

GDPR — European Union

BIS CRM Tecnologia Ltda. is committed to protecting personal data and ensuring transparency in how personal data is processed.

This Privacy Policy describes how personal data is collected, used, stored, and protected in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This Policy applies to individuals located in the European Economic Area (EEA) who access BIS CRM services, including: GDPR Training App, DPOSaaS Academy, DPOSaaS DPO App, DPOSaaS Authority, and related websites and digital services.

1. Introduction

BIS CRM Tecnologia Ltda., a company established in Brazil, acts as the Data Controller for the processing of personal data described in this Privacy Policy.

For any data protection-related inquiries: dpo@dposaas.com.br

2. Data Controller

BIS CRM Tecnologia Ltda., a company established in Brazil, acts as the Data Controller for the processing of personal data described in this Privacy Policy.

📧 dpo@dposaas.com.br

3. Categories of Personal Data

Depending on how users interact with our services, BIS CRM may process the following categories of personal data:

  • Identification data (name, email address)
  • Contact details
  • Professional information (organization, role, department)
  • Account and usage data (login records, training progress, certifications)
  • Transaction and billing data, where applicable
  • Technical data (IP address, device information, browser type, access timestamps)

BIS CRM does not intentionally process special categories of personal data (Article 9 GDPR), unless strictly necessary and subject to appropriate safeguards.

4. Purposes of Processing

Personal data is processed for the following purposes:

  • Creation and management of user accounts
  • Provision of training, certifications, and platform functionalities
  • Management of subscriptions, licenses, and organizational access
  • Processing payments and fulfilling contractual obligations
  • Delivery of service-related and operational communications
  • Providing technical support and responding to inquiries
  • Ensuring platform security, integrity, and fraud prevention
  • Maintaining compliance documentation, logs, and audit records
  • Sending training updates, regulatory information, and educational communications where consent has been provided

Personal data is not processed for purposes incompatible with those described above.

5. Legal Bases for Processing (Article 6 GDPR)

BIS CRM processes personal data in accordance with Article 6 of the GDPR, based on the following legal grounds:

Account creation and access to services

  • → Article 6(1)(b) GDPR — Performance of a contract

Payment processing and billing obligations

  • → Article 6(1)(b) GDPR — Performance of a contract
  • → Article 6(1)(c) GDPR — Compliance with legal obligations

Platform security, fraud prevention, and system monitoring

  • → Article 6(1)(f) GDPR — Legitimate interests

User support and service communication

  • → Article 6(1)(f) GDPR — Legitimate interests

Compliance records, audit logs, and governance documentation

  • → Article 6(1)(c) GDPR — Legal obligation
  • → Article 6(1)(f) GDPR — Legitimate interests

Training updates, compliance insights, and informational communications

  • → Article 6(1)(a) GDPR — Consent

Where processing is based on legitimate interests, BIS CRM conducts appropriate balancing assessments to ensure that such interests do not override the rights and freedoms of data subjects.

6. Consent (Articles 4(11) and 7 GDPR)

Where processing is based on consent:

  • Consent is freely given, specific, informed, and unambiguous
  • It is obtained through a clear affirmative action (e.g., submitting an email address in a subscription form)
  • Users may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal

Unsubscribe mechanisms are provided in all relevant communications.

7. Data Sharing

Personal data is shared only where necessary and proportionate with:

  • Cloud hosting and infrastructure providers
  • Payment service providers
  • Technology partners essential to service delivery
  • Public authorities, where required by law

BIS CRM does not sell personal data.

8. Data Processing Agreement (Article 28 GDPR)

When providing services to organizational clients, BIS CRM may act as a data processor.

In such cases:

  • A Data Processing Agreement (DPA) is made available in accordance with Article 28 GDPR
  • The DPA defines: subject matter and duration of processing, nature and purpose of processing, types of personal data and categories of data subjects, obligations and rights of the controller

BIS CRM commits to:

  • Processing personal data only on documented instructions
  • Ensuring confidentiality of authorized personnel
  • Implementing appropriate technical and organizational measures
  • Supporting the exercise of data subject rights
  • Assisting controllers with compliance obligations

Requests for access to the DPA may be sent to: dpo@dposaas.com.br

9. International Data Transfers (Articles 44–49 GDPR)

As BIS CRM is established in Brazil, personal data may be transferred outside the European Economic Area.

In such cases, BIS CRM implements appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Equivalent legal mechanisms ensuring an adequate level of data protection

10. Data Retention

Personal data is retained only for as long as necessary to:

  • Fulfill the purposes described in this Policy
  • Comply with legal and contractual obligations
  • Maintain compliance evidence and audit records

Retention periods are determined based on regulatory requirements and operational necessity.

11. Data Security (Article 32 GDPR)

BIS CRM implements appropriate technical and organizational measures, including:

  • Role-based access controls
  • Encryption of data in transit and at rest
  • System monitoring and audit logging
  • Secure infrastructure and vetted service providers

12. Data Subject Rights (Articles 12–22 GDPR)

Individuals have the right to:

  • Access their personal data
  • Rectify inaccurate or incomplete data
  • Request erasure of personal data
  • Restrict processing
  • Object to processing based on legitimate interests
  • Request data portability
  • Withdraw consent at any time

Requests can be submitted to the DPO.

13. Contact

For any request or inquiry regarding personal data:

📧 dpo@dposaas.com.br

Please include sufficient information to enable identification and processing of your request.

14. Commitment to GDPR-Aligned Practices

BIS CRM designs its platforms and services to be aligned with GDPR principles, including:

  • Data minimization
  • Purpose limitation
  • Accountability and auditability
  • Risk-based security measures

Our solutions are built to support organizations in achieving and demonstrating compliance, particularly in cross-border contexts involving GDPR and LGPD.

15. Updates to This Policy

This Privacy Policy may be updated to reflect legal, regulatory, or operational changes. The most current version will always be available on this page.

16. Final Provisions

By using BIS CRM services, users acknowledge that they have read and understood this Privacy Policy.

BIS CRM processes personal data in a lawful, transparent, and accountable manner in accordance with the GDPR.

Have a question about how BIS CRM processes personal data or need help exercising your rights? Our DPO team is available to support you.

Contact the DPO →