COACHING WRX PRIVACY DESCRIPTION

1 - PURPOSE

Strong values together with high moral and ethics leads all WRX Company operations including Coaching WRX service. The purpose of this privacy description is to describe in detail how we respect the data privacy and security of our users using Coaching WRX service. WRX Company Data privacy and security policy describes the upper level company policy.

We care deeply about the privacy of our users and are committed to the following principles:

1. We value the trust you show by providing us your personal information. We use your personal information in a way that is fair and worthy of your trust.
2. You have the right to know how your personal information is used. We are transparent with what we collect, what we use the data for, who we share it with and who you should contact if you have any questions.
3. If you have any concerns about the use of your personal data, we will work with you to promptly resolve those concerns.
4. We comply with all applicable data protection laws and regulations.
5. We take all reasonable steps to protect your information from misuse and keep it secure.

The coachingwrx.com website, which provides the Coaching WRX service, is operated by WRX Company Ltd (company id: 2844494-9). We are committed to protecting your privacy and ensuring your personal information is protected. This privacy description is a legal document that details how our Coaching WRX service gathers, stores, uses and shares users data. If you choose to use our Service, then you agree to the collection and use of information in relation with this Privacy description. The Personal Information that we collect are used for providing and improving the Service. We will not use or share your information with anyone except as described in this Privacy description.

2 - WHAT DATA IS COLLECTED BY COACHING WRX?

Your privacy is our main concern. In this Privacy description, your “personal information” means information or pieces of information that is related to you. This typically includes information such as your name, address, profile picture, email address, and telephone number, but can also include other information such as IP address. We may collect personal information about you from different sources, including:

• Information you give us in your profile
• Information we collect automatically when you use our Service (Log data and “cookies”)
• Information we receive from other sources. If you login with Facebook, Google of Linked in, you give us permission to use the information they share with us, like your name and email.

2.1 - WHAT INFO AM I PROVIDING WHEN CONNECTING MY CALENDAR?

Coaches and mentors connect their calendars to enable easy online booking, session reminders and cancellation functions. For the Microsoft or Google calendar integration, we request the right to list your calendar names for you, create a event in your calendar, delete the created event and send reminders, in order to enable clients to book, cancel and be reminded of sessions. Coaching WRX reads only the start and end times of the events in your calendar, when coaching or mentoring client is making a booking, from the time period stated by the coach/mentor they are available for bookings, to determine the free/busy information and the id of calendar events, in order to delete cancelled events. We do not read your calendar data.

If you are using Apple’s iCal calendar on your Mac, we use Cronofy service to integrate your iCal calendar data securely. Cronofy reads and copies your calendar data to provide the integration service, they do not have the right to use the data for anything else and have a strict GDPR compliant data protection policy in place.

Coaching WRX service can be used without connecting a calendar, however then the coach or mentor can not:

• Offer online booking for clients with view to free slots, automated preparations instructions and virtual link/address and ability to assure breaks and needed travel time for coach/mentor
• Manage their working hours and availability automatically
• Manage different time zones automatically
• Assure double bookings do not occur
• Manage minimum and maximum notice times
• Benefit from automated cancellation policy
• Receive bookings directly to their calendar
• Receive automated cancellations to their calendar
• Receive event and group session calendar invitations automatically
• Manage the client slots (amount of clients)
• Manage their vacation times
• Manage pre-bookings for full day services

2.2 - WHAT INFO AM I PROVIDING IN THE PROFILE AND WHAT IS IT USED FOR?

Personal data is handled for identifying the user, for enable invoicing of used services, for customer relationship communications, other customer relationship management, business development of the Service and analysis, and statistics purposes.

Your account data	What we need it for	Personal data	Mandatory
Username/Email	To identify you, to allow you to login and to send you needed emails like purchases orders, booking confirmations and calendar invitations with the virtual link or physical address or other relevant to the use of Coaching WRX information. We respect your privacy and do not tolerate spam.	yes	*
First- and lastname	To enable your client/coach to identify you	yes	*
Gender	To provide diversity metrics, statistical info on users and clients and to improve the service	yes
Year of birth	To provide diversity metrics, statistical info on users and clients and to improve the service	yes
Profile picture	To enable your client/coach to identify you	yes
Current position	To enable best match for the client and coach	yes
Company	To enable the invoicing to the right company and to enable best match for the client and coach and to provide statistical info on users and clients and to improve the service	yes	*
Office address, zipcode, city and country	To enable you to book a meeting at your office or calculate travel distance for you, and to provide diversity metrics and statistical info on users and clients and to improve the service	yes	*
Phone number	To enable your client/coach to contact you	yes
Invoice information	To enable the invoicing and payment of coaching services	yes	*
Date format, Time type and timezone	To be able to provide you with the correct calendar invitations and show the dates and time according to your preference. And to provide statistical info on users and clients and to improve the service.	other	*
Your company tax code and company id	To be able to enable the correct tax on the invoices and make your accounting easier.	other

Coach account data	What we need it for	Personal data	Mandatory
Introduction	To enable clients to find and select a coach right for them	yes	*
Coach credential and expire date	To enable you to stand out as a professional and to enable clients to compare coaches	other
Signature image	To enable you to add your signature on certificates you grant clients	yes
Coaching languages	To enable clients to search and select a coach right for them	yes	*
Calendar	To enable your clients to book a session with you online, get session reminders and enable your clients to cancel a session, you can connect your calendar to Coaching WRX.	yes
Credit card details	Applicable for Brand owner only, not individual coaches working in a brand or or Tribe admin. To enable payment of Coaching WRX service. We do not store the credit card details but the credit cards info is safely handled by payment provider Stripe.	yes	*

2.3 - WHAT TYPE OF LOG DATA IS COLLECTED?

Whenever you visit our Service, we collect information that your browser sends to us that is called Log Data. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser version, pages of our Service that you visit, the time and date of your visit, the time spent on those pages, and other statistics. The information that we collect will be used to improve our service or provide statistical information of users.

2.4 - WHAT ARE COOKIES?

Cookies are files with small amount of data that is commonly used an anonymous unique identifier. These are sent to your browser from the website that you visit and are stored on your computer’s hard drive.

Our website uses these “cookies” to collection information and to improve our Service. You have the option to either accept or refuse these cookies, and know when a cookie is being sent to your computer. If you choose to refuse our cookies, you may not be able to use some portions of our Service.

3 - HOW IS IDENTITY AND ACCESS MANAGENT HANDELED?

Users are identified and authorized with authentication process. User can register or login locally or use OAuth provided by Google or/and Facebook. Access and rights are granted role specifically and users have restricted access according to their roles. Users can only manage and access data that is authorized for that specific role or individual.

Company Tribe login is limited to the domains or emails specified by the tribe admin.

4 - WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?

We do not sell, give or even think about giving your data and personal information outside of the Coaching WRX service. The information that we collect will be used to identify or contact you, improve our Service or to provide unidentifiable statistical information of users.

4.1 - WHO OWNS THE DATA?

You own your data. In order to fix possible technical problems due to your data or to provide general statistics, we have the right to use, modify, delete, reproduce, display or distribute your data for the purposes of operating and providing the Service. We do not use your data outside of the Coaching WRX service. We have the right to remove data that is not compliant with our user terms or data privacy and security policies.

4.2 - WHO CAN SEE MY PERSONAL DATA?

You can see and manage your own personal data anytime. You are also able to delete your personal data by deleting your user account. If you need any support as data subject on personal data, you can contact Coaching WRX Customer service at support@coachingwrx.com.

As a private client you understand that the admin of the brand you log into and the coach you buy services from, becoming their client, sees your profile data. You also understand that when a session booking is made via Coaching WRX, a calendar invitation is created for you and your coach and stored with your name in both your and coach's calendar.

As a Company Tribe employee client you understand that the admin of the company Tribe, the coach you buy services from and the admin of the coached brand, becoming their client, sees your profile data. You also understand that when a session booking is made via Coaching WRX, a calendar invitation is created for you and your coach and stored with your name in both your and coach's calendar.

As a coach you understand that Coaching WRX is a public service and the profile and service data you make public, may be seen, used or copied by other users. You also understand that when you connect your calendar to Coaching WRX, you are accountable for the data privacy of your calendar content. We always recommend keeping your calendar private to stay GDPR compliant.

As a vendor coach for a Corporate Tribe, you understand that the profile and service data you make public, is visible to the Corporate Tribe admins and employees. You also understand that when you connect your calendar to Coaching WRX, you are accountable for the data privacy of your calendar content. We always recommend keeping your calendar private to stay GDPR compliant.

In a rare case of you having a problem using the service, that can not be solved without your data, Coaching WRX support team can, with your permission, access your personal data.

5 - SAFEGUARDING YOUR PERSONAL INFORMATION

Personal data protection is very important for us and we value your trust in providing us your Personal Information, thus we are striving to use commercially acceptable means of protecting it. But remember that no method of transmission over the internet, or method of electronic storage is 100% secure, and we cannot guarantee its absolute security.

Personal data of our users is manageable and accessible only via appropriate user access rights. All traffic is secured with SSL (Secure Sockets Layer) -protocol. Access to your personal information is restricted to prevent unauthorized access, modification or misuse and is only permitted among our employees and subcontractors on a need-to-know basis. WRX Company Ltd guarantees by contractual arrangements that personal data is processed in accordance with Personal Data Act and applicable EU regulations. We only employ employees and subcontractor within EU/EEA and have DBA agreements in place with them.

Security is extremely important. We do our part to make your data safe. You also have your responsibilities like: use unique password for the application. Do not share it with anyone. If you forget it, please use the forgot password function or contact our Customer Service at support@coachingwrx.com.

5.1 - DATA RETENTION AND DELETION

Every user creates their own account, and that user may delete their account and personal data. Data is stored in the production server in Helsinki, Finland and its daily backups in Nuremberg, Germany. For the Apple Calendar integration with Cronofy, the calendar data is stored in data center in Frankfurt, Germany.

Once user deletes their account, all personal data is permanently deleted immediately, and backups are deleted within 7 days. Other data still needed is anonymized (like purchase orders and purchase history data) and cannot be linked to user anymore.

Users personal data is stored for 5 years after their last login. Once 5 years has passed the user account is automatically deleted with a monthly clean up process. User is notified by email, a month in advance of the upcoming deletion.

Corporate Tribe admin may ask Coaching WRX support to delete a user account on behalf of their employee. If the Company Tribe account is deleted, all brand data is deleted and none of the user accounts are linked to it anymore.

If federated SSO is used for Corporate Tribe, users can not create their own accounts, but all accounts are created via SSO. If Corporate Tribe account is deleted, all personal data created via SSO will be permanently deleted immediately and backups are deleted within 7 days. Other data still needed is anonymized (like purchase orders and purchase history data) is anonymized and cannot be linked to user nor Tribe anymore.

In very rare cases of client having a production problem that we are not able to reproduce in the test nor development environment and there isn’t any error mentioned on server logs. Our developers may ask users permission to copy the production data to development environment for debugging. This data is deleted as soon as the issue is solved, but no later then within 14 days. Development environment is located in private network and protected by passwords.

5.1.1 - PERSONAL DATA LIFECYCLE

- INPUT:

• Client’s own data input
• Facebook/Google input
• Coach’s input (can add office address or time zone for the client)
• Corporate Tribe SSO input

- USE OF DATA:

• User can login
• User can be identified
• User can use the service for coaching/mentoring/training
  • purchase services
  • have an ongoing process (examples: book a session, store session notes, set actions agreed, chat, enrol to a group session or event, provide attendance data, view materials, do assignments, give feedback and ratings)
• User can view archived service data
• User can receive emails and chat notifications
• User can access certificates, development log or coaching log

- DELETION:

• Delete by user
• Delete by Corporate Tribe using SSO
• Delete by Coaching WRX once over 5 years from last login
• Delete by Coaching WRX support by request from Corporate Tribe
• Delete by Coaching WRX support due to not being compliant with the user terms or data privacy and security policies.

5.1.2 - DATA FLOW MAP

5.2 - DATA INTEGRITY

The controls defined in this description are aiming to ensure the integrity of the data during its lifetime. These include identity and access management, testing of updates, vulnerability scanning, risk management and incident management.

5.3 - PROFILING AND AUTOMATED DECISION MAKING

Users are profiled based on their data. Coaching WRX provides pre-matching functionality for mentoring programs, that matches mentees with suitable mentors based on their data. Profiling data is not used for automated decision making.

5.4 - YOUR PRIVACY RIGHTS AND WHO TO CONTACT

You have the right to correct, update or delete your personal information anytime.

If you have any questions, comments or concerns about how we handle your personal information, then you may contact us at support@coachingwrx.com or by writing to WRX Company Ltd, Urho Kekkosen katu 3A3, 00100 HELSINKI, Finland.

5.5 - LINKS TO OTHER SITES

Our Service may contain links to other sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by us. Therefore, we strongly advise you to review the Privacy Policy of these websites. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

5.6 - CHILDREN’S PRIVACY

Our Services do not address anyone under the age of 18. We do not knowingly collect personal identifiable information from users under 18. In the case we discover that a user under 18 has provided us with personal information, we immediately delete this from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us, support@coachingwrx.com, so that we will be able to do necessary actions.

6 - CHANGES TO THIS PRIVACY DESCRIPTION

We may update our Privacy description from time to time. Thus, we advise you to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy description with update date, on this page. These changes are effective immediately, after they are posted on this page.

7 - CONTACT US

If you agree with the Terms of Use you agree with this privacy description and the way data privacy and security is handled. If you disagree with our terms please do not click the “I agree” check box in the Terms of Use.

If you have any questions or suggestions about our Privacy description, do not hesitate to contact us at support@coachingwrx.com.

WRX COMPANY POLICY – DATA PRIVACY AND SECURITY

1 - SCOPE AND PURPOSE

1.1 - Scope

In WRX Company we recognize that privacy is important to our customers and we are committed to respect and safeguard our customers’ data privacy and security.

This company policy relates to data privacy and security and applies to WRX Company. WRX Company will strive to fully adopt these principles in all operations in which WRX Company has management control. We will also use our influence to promote the principles in other companies where WRX Company has ownership interests.

1.2 - Purpose

Strong values together with high moral and ethics leads all WRX Company operations both in business and individual level. WRX Company encourages all employees, subcontractors and coaches using Coaching WRX service, to serve their customers in a responsible, sustainable and ethical way with personal commitment and focus in impact and outcomes.

The purpose of this policy is to set high and consistent WRX Company standards to respect data privacy and security of our customers.

2 - PRIVACY MANAGEMENT SYSTEM

2.1 - Implementation actions

2.1.1 - Meetings

To assure this privacy and security policy is being implemented in each part of the organization and accountability is taken, privacy and security topic is addressed monthly in a meeting with all employees and subcontractors. Each participant is obliged to share any concerns on possible data privacy or security violations.

2.1.2 - Reporting

Possible privacy and security concerns, violations and taken actions are reported to the board monthly.

2.1.3 - Training

Regular mandatory training is provided to all employees and subcontractors and related material is made available. To measure the overall effectiveness of the training, participants need to pass a Privacy test.

2.1.4 - Continuous development

Data privacy and security policy is regularly re-evaluated, developed, updated, communicated and implemented, enforcing mitigation of risk and ensuring, not only risk reduction, but also ongoing compliance with applicable laws, regulations, standards, and policies.

2.1.5 - Roles and responsibilities

Each Board Member and Senior Partner is responsible for making sure this company policy is communicated and implemented and that the employees within his/her area of responsibility are familiar with and comply with this data privacy and security policy.

All company employees and subcontractors are individually responsible for reading, understanding and following this company policy when it applies to their area of work responsibility. Each employee and subcontractor is also obliged to speak up and raise concerns about actual or possible violations of this company policy.

3 - SUB-PROSESSORS

3.1 - Standards

We only work with employees and subcontractor who are located within EU/EEA and have high ethical standards, understanding of data privacy and security and are compliant with all applicable data protection laws and regulations. We always have a Data Processing Agreement (DPA) in place with them.

3.2 - Our selection process

When selecting a potential subcontractor or partner who will be a sub-processor of our client’s personal data, we follow these steps:

1. Review their company Data privacy and security policies
2. Check they have employees and subcontractors only within EU/EEA
3. Interview with the potential subcontractor or partner to identify
   1. their data privacy and security knowledge, understanding and approach
   2. compliance with all applicable data protection laws and regulations
   3. values, moral and ethics
4. Check references and examples of data privacy and security implementation
5. Check with current Corporate Tribe clients for any conflicting issues for selecting this subcontractor or partner
6. Agree on regular security and privacy reviews
7. Sign a DPA

4 - HANDLING PERSONAL DATA BREACHES

In rare case of a personal data breach, we notify the data subject or Corporate Tribe admin without delay and no later than within 48h of possible personal data breach.

4.1 - Personal data breach can be related to

- Confidentiality breach

• When wrong people have had access to data they should not have access to
• When email is sent to a wrong person containing some data they should not see

- Availability breach

• When user will have limited access to the personal data they need to see

- Integrity breach

• When data has somehow been corrupted or changed