The TinyMDM Mobile Device Management Service
Personal data means data about a living individual who can be identified from that data (or from that data and other information in our possession or likely to come into our possession).
Usage data is automatically collected data either generated by the use of the Service or from the Service infrastructure itself (e.g. the duration of a page visit).
The Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
Processing means any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of personal data. The terms “Process”, “Process” and “Processed” shall be interpreted accordingly.
Data Processor (or Service provider)
Processor (or Service provider) means any natural or legal person who processes data on behalf of the data controller. We may use the Services of various Service providers to process your data more efficiently.
Sub-processor means any subcontractor engaged by us or our affiliates to assist us in fulfilling our obligations in relation to the provision of the Subscription Services under the Contract. Subcontractors may include third parties or our affiliates, but exclude any TinyMDM employee or consultant.
Data Subject (or User)
The data subject is any living person who uses our Service and is the subject of personal data.
Personal Data Breach
Personal Data Breach means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed by us and/or our subsequent subcontractors in connection with the provision of the Subscription Services. Personal data breach” does not include unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful login attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.
2) What is personal data?
The term “personal data” is the key to the RGPD’s enforcement: it applies whenever a data processing operation involves personal data. Personal data is any information relating to an identified or identifiable natural person (Art.4 RGPD).
Personal information is information that identifies you or that can be combined by us or our Service providers and affiliates with other information to identify you. This information may include your first and last name, email address, home address, telephone number, location data, Internet Protocol (IP) address, cookie ID, image, and may include your age, income and other similar information. information when associated with you. Personal information may also be information containing details of whether you have opened our promotional emails or how you have used our website, if we can associate this personal information with you.
3) The information we collect
We collect personal information from you when you create an account, make a purchase, contact us using our web forms to make a request or ask a question, submit a product review, complete a survey or submit personal information. Below is a detailed list of all the personal data we store, whether provided by the user or collected automatically. Please note that all this information is stored in Europe only.
A. Personal data provided by the user for which TinyMDM is data controller:
- Account information: email, first name, last name, number of licenses, end of subscription, company address, company phone number, company name, company country, email address for accounting, email address for Google API Service.
- Purpose: to provide the Service (login, billing, use of Google APIs).
- Storage period: All personal data is deleted 6 months after the account is deleted in order to be able to reinstate the account in case of error. Primary contact details will be stored for 5 years after account deletion for billing tracking purposes, if applicable.
- Payment method: Type cb / SEPA Debit (last 4 digits).
- Purpose: to manage online payments.
- Storage period: deleted immediately if the Customer deletes the payment method. Deleted 6 months after deletion of the account, or 2 years after the end of the subscription.
B. Personal data collected automatically and for which TinyMDM is data controller:
- Purpose: billing of the Service.
- Storage period: 10 years after deletion of the account, in accordance with the obligations arising from the Commercial Code (Article L. 123-22 paragraph 2 of the Commercial Code), except for other personal data relating to the Customer, which are anonymized after 5 years.
- Stripe reference ID.
- Purpose: billing of the Service and online payment.
- Storage period: 10 years after deletion of the account, except for personal data relating to the Customer, which is anonymised after 5 years.
- Managers: last login time and IP address.
- Purpose: to ensure account security.
- Storage period: deleted immediately if the Customer deletes the Manager. Deleted 6 months after account deletion, or 2 years after subscription ends.
- Dashboard action logs.
- Purpose: to ensure account security.
- Storage period: deleted 6 months after account deletion, or 2 years after the end of the subscription.
- ID of the company using the Google API Service.
- Purpose: to provide the Service (use Google APIs).
- Storage period: deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Devices: manufacturer, technical identifiers, IP, SIM identifiers (iccid, imei, phone number), installed applications, battery status and health, operating system version, pending operating system update, system signature, GPS status.
- Purpose: to provide the Service (monitoring and management of listed devices).
- Storage period: deleted immediately on effective reset of the device. Anonymized 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- Policies: history of websites visited in the last 15 days (only if the option is enabled by the administrator).
- Purpose: to provide the Service (control and management of listed devices).
- Storage period: automatically deleted after 15 days.
C. Personal data provided by the Customer and for which TinyMDM is a data processor (see our DPA):
- Shared contacts: contact name, email, phone number, note.
- Purpose: to provide an automated directory on managed devices.
- Storage period: deleted immediately if the Customer deletes the shared contact. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Shared files: files uploaded by the user.
- Purpose: to allow sharing of files to listed devices.
- Storage period: deleted immediately if the Customer deletes the shared file. Deleted 6 months after account deletion, or 2 years after end of the subscription.
- Managers: manager’s email.
- Purpose: to allow different managers to log in to the account and to ensure account security.
- Storage period:deleted immediately if the Customer deletes the Manager. Deleted 6 months after the account is deleted, or 2 years after the end of the subscription.
- Devices: device name.
- Purpose: to assign a named device to a named user.
- Storage period: deleted immediately upon an effective reset of the device. Anonymised 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- CA certificates.
- Purpose: to allow devices to connect to corporate intranets.
- Storage period: deleted immediately upon deletion of the file. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Wi-Fi networks: list of Wi-Fi networks with password, Wi-Fis EAP certificate.
- Purpose: to allow devices to connect to corporate Wi-Fi networks
- Storage period: deleted immediately when the network is deleted. Deleted 6 months after account deletion, or 2 years after end of the subscription.
- Policies: selected and saved configurations for a group of devices.
- Purpose: to ensure control of registered devices.
- Storage period: deleted immediately upon deletion of the policy. Anonymised 6 months after account deletion, or 2 years after end of subscription date (all references to personal data are deleted).
- Users: email, name, directory name, associated device, custom fields.
- Purpose: to assign devices to named users.
- Storage period: deleted immediately if the Customer deletes the user. Anonymised 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- Applications on the TinyMDM Store.
- Purpose: to manage private applications without going through the Google Play Store.
- Storage period: deleted immediately when the application is deleted. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
D. Location data
- We may use and store information about the location of devices (last 50 location points), only if you give us permission to do so. We use this data to provide features of our Service.
- Location tracking Services are designed to be used only on company-owned devices. Indeed, location tracking is not an option for employees’ personal BYOD devices, and is disabled by default for business devices. End users will need to enable Location Services for companies to track devices.
- Storage period: The employer must only store the data collected for as long as is necessary for the processing i.e. as long as it is needed to achieve the purpose of the device. The length of storage therefore varies according to the nature of the information collected and the purpose of the processing. According to the CNIL (FRANCE), in principle, the information obtained by location tracking should not be stored for more than two months. However, it may be stored for one year when it is used to optimize rounds or for the purpose of proving the interventions carried out, when it is not possible to provide this proof by any other means. Finally, they may be stored for five years when used for time tracking. This being said, at TinyMDM, and in accordance with the GDPR, we only store location tracking data for 2 months, and within the limit of 50 location points maximum.
4) Difference between personal and company-owned mobile devices
If you have been invited by your company to add a work profile to your personal device, then WE DO NOT collect any personal information related to the private use of your device (outside of the work profile). You can disable location authorization or not grant it the first time if you do not wish to share location.
5) Purposes of processing personal data
- To provide and improve the Subscription Service
We use your account information and customer data to provide you with products and Services. For example, we use the email address you provide during product registration to create your user account, and we use your payment information to process payments for paid use of the Subscription Service. We collect data about how our products and Services are used by monitoring and tracking users of our products. We use this data to develop and improve our products and Services. For example, we use usage data to evaluate trends and product usage to help us determine new features or integrations that may be of interest to our users.
- To secure and protect our products and TinyMDM users
We use your account information to investigate and help prevent security incidents. We may also use this information to meet legal requirements. We use your information to verify user accounts and new product registrations, and to detect and prevent product abuse.
- To communicate with you about the Services
- To improve our customer relationship management
TinyMDM may monitor and record communications with you (such as telephone conversations and emails) for quality assurance, training, fraud prevention and compliance purposes.
- To facilitate social networking
6) Security measures for personal data
We are committed to maintaining the confidentiality of your information. We provide physical, electronic and procedural safeguards to protect the information we process and store. For example, we restrict access to this information to authorized employees and data processors who need to know that information in order to operate, develop or improve our application. Please note that, although we strive to provide reasonable security for the information we process and store, no security system can prevent all potential security breaches.
We use various security technologies and procedures to help protect your personal data from unauthorized access, use or disclosure. We secure the personal data you provide on computer servers in a controlled and secure environment, protected from unauthorized access, use or disclosure. All personal data is protected by appropriate physical, technical and organizational measures. To learn more about security at TinyMDM, please visit this page.
7) Transfer of data outside the EU
Your personal information may be used or stored by us or our Service providers and affiliates outside the European Economic Area for the purposes described in this Data Processing Agreement (DPA). We require our Service providers and affiliates to protect your personal information. Any transfer of your data will be subject to a contract approved by the European Commission that will protect your privacy rights and provide you with recourse in the unlikely event of a security breach.
8) In the event of a personal data breach
We are also committed to informing our customers of any breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data within 72 hours of becoming aware of it (Art. 33 GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms or individuals.
At your request, we will promptly provide you with the reasonable assistance necessary to enable you to notify relevant personal data breaches to the competent authorities and/or data subjects, if you are required to do so under data protection laws.
Furthermore, in the event that the breach is likely to result in a high risk to the rights and freedoms of an individual, we will communicate the Personal Data breach to the Data Subject as soon as possible, unless we have implemented appropriate technical and organizational protection measures and these measures have been applied to the Personal Data affected by the breach, in particular measures that make the Personal Data unintelligible to any person who is not authorized to access it, such as encoding.
9) Rights of the persons concerned
At any time, at the request of an account holder, tinymdm.net, tinymdm.fr, and other B2B Services of TinyMDM undertake, within 30 days:
- To export their user data.
- Delete the user data.
- Update the user data.
- Delete the account.
According to the GDPR, personal data must be deleted immediately upon request when the data is no longer necessary for its original purpose of processing, or when the data subject has withdrawn consent and there is no other lawful ground for processing (Article 17 of the GDPR).
To delete your account, please visit the TinyMDM administration console, My Account tab and click on Delete my account. To request the deletion of your data, send a written request to rgpd[at]arsnovasystems.com. If no exceptions apply, we will take steps within one month to ensure the deletion of data from both backup and active systems. If we have any doubts about the identity of the person making the request, we are entitled to request further information.
Cookies are small text files that are stored in the browser directory. They allow site owners to understand how visitors use their site, remember user IDs and store user preferences for the site. Cookies are one of the primary tools that enable us to provide secure and efficient Services. Essential cookies are essential to the proper functioning of our Site and Services, ensuring usability and security by enabling basic functions such as navigation and access to secure areas of the site. Preference cookies are used by TinyMDM to remember your preferences and to recognize you when you use our Services again. Statistical cookies allow us to understand how visitors interact with our Services. Finally, Marketing cookies are used to display ads that are relevant to our visitors.
You can disable cookies at any time, except for those cookies that we need to provide you with our Services. If you choose to disable cookies, some features of our Site or Services may not function normally.
The person responsible for processing personal data within our Company is Mr Romain Cousseau, in his capacity as data protection officer (DPO) of Ars Nova Systems.