2) What is personal data?
3) The information we collect
A. Personal data provided by the user for which TinyMDM is data controller:
B. Personal data collected automatically and for which TinyMDM is data controller:
- Dashboard action logs.
- Purpose: to ensure account security.
- Storage period: deleted 6 months after account deletion, or 2 years after the end of the subscription.
- ID of the company using the Google API Service.
- Purpose: to provide the Service (use Google APIs).
- Storage period: deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Devices: manufacturer, technical identifiers, IP, SIM identifiers (iccid, imei, phone number), installed applications, battery status and health, operating system version, pending operating system update, system signature, GPS status.
- Purpose: to provide the Service (monitoring and management of listed devices).
- Storage period: deleted immediately on effective reset of the device. Anonymized 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- Policies: history of websites visited in the last 15 days (only if the option is enabled by the administrator).
- Purpose: to provide the Service (control and management of listed devices).
- Storage period: automatically deleted after 15 days.
C. Personal data provided by the Customer and for which TinyMDM is a data processor (see our DPA):
- Shared contacts: contact name, email, phone number, note.
- Purpose: to provide an automated directory on managed devices.
- Storage period: deleted immediately if the Customer deletes the shared contact. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Shared files: files uploaded by the user.
- Purpose: to allow sharing of files to listed devices.
- Storage period: deleted immediately if the Customer deletes the shared file. Deleted 6 months after account deletion, or 2 years after end of the subscription.
- Managers: manager’s email.
- Purpose: to allow different managers to log in to the account and to ensure account security.
- Storage period: deleted immediately if the Customer deletes the Manager. Deleted 6 months after the account is deleted, or 2 years after the end of the subscription.
- Devices: device name.
- Purpose: to assign a named device to a named user.
- Storage period: deleted immediately upon an effective reset of the device. Anonymised 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- CA certificates.
- Purpose: to allow devices to connect to corporate intranets.
- Storage period: deleted immediately upon deletion of the file. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
- Wi-Fi networks: list of Wi-Fi networks with password, Wi-Fis EAP certificate.
- Purpose: to allow devices to connect to corporate Wi-Fi networks
- Storage period: deleted immediately when the network is deleted. Deleted 6 months after account deletion, or 2 years after end of the subscription.
- Policies: selected and saved configurations for a group of devices.
- Purpose: to ensure control of registered devices.
- Storage period: deleted immediately upon deletion of the policy. Anonymised 6 months after account deletion, or 2 years after end of subscription date (all references to personal data are deleted).
- Users: email, name, directory name, associated device, custom fields.
- Purpose: to assign devices to named users.
- Storage period: deleted immediately if the Customer deletes the user. Anonymised 6 months after account deletion, or 2 years after the end of the subscription (all references to personal data are removed).
- Applications on the TinyMDM Store.
- Purpose: to manage private applications without going through the Google Play Store.
- Storage period: deleted immediately when the application is deleted. Deleted 6 months after account deletion, or 2 years after the end of the subscription.
D. Location data
- We may use and store information about the location of devices (last 50 location points), only if you give us permission to do so. We use this data to provide features of our Service.
- Location tracking Services are designed to be used only on company-owned devices. Indeed, location tracking is not an option for employees’ personal BYOD devices, and is disabled by default for business devices. End users will need to enable Location Services for companies to track devices.
- Storage period: The employer must only store the data collected for as long as is necessary for the processing i.e. as long as it is needed to achieve the purpose of the device. The length of storage therefore varies according to the nature of the information collected and the purpose of the processing. According to the CNIL (FRANCE), in principle, the information obtained by location tracking should not be stored for more than two months. However, it may be stored for one year when it is used to optimize rounds or for the purpose of proving the interventions carried out, when it is not possible to provide this proof by any other means. Finally, they may be stored for five years when used for time tracking. This being said, at TinyMDM, and in accordance with the GDPR, we only store location tracking data for 2 months, and within the limit of 50 location points maximum.
4) Difference between personal and company-owned mobile devices
If you have been invited by your company to add a work profile to your personal device, then WE DO NOT collect any personal information related to the private use of your device (outside of the work profile). You can disable location authorization or not grant it the first time if you do not wish to share location.
5) Purposes of processing personal data
- To provide and improve the Subscription Service
We use your account information and customer data to provide you with products and Services. For example, we use the email address you provide during product registration to create your user account, and we use your payment information to process payments for paid use of the Subscription Service. We collect data about how our products and Services are used by monitoring and tracking users of our products. We use this data to develop and improve our products and Services. For example, we use usage data to evaluate trends and product usage to help us determine new features or integrations that may be of interest to our users.
- To secure and protect our products and TinyMDM users
We use your account information to investigate and help prevent security incidents. We may also use this information to meet legal requirements. We use your information to verify user accounts and new product registrations, and to detect and prevent product abuse.
- To communicate with you about the Services
- To improve our customer relationship management
TinyMDM may monitor and record communications with you (such as telephone conversations and emails) for quality assurance, training, fraud prevention and compliance purposes.
- To facilitate social networking
6) Security measures for personal data
We are committed to maintaining the confidentiality of your information. We provide physical, electronic and procedural safeguards to protect the information we process and store. For example, we restrict access to this information to authorized employees and data processors who need to know that information in order to operate, develop or improve our application. Please note that, although we strive to provide reasonable security for the information we process and store, no security system can prevent all potential security breaches.
We use various security technologies and procedures to help protect your personal data from unauthorized access, use or disclosure. We secure the personal data you provide on computer servers in a controlled and secure environment, protected from unauthorized access, use or disclosure. All personal data is protected by appropriate physical, technical and organizational measures. To learn more about security at TinyMDM, please visit this page.
7) Transfer of data outside the EU
Your personal information may be used or stored by us or our Service providers and affiliates outside the European Economic Area for the purposes described in this Data Processing Agreement (DPA). We require our Service providers and affiliates to protect your personal information. Any transfer of your data will be subject to a contract approved by the European Commission that will protect your privacy rights and provide you with recourse in the unlikely event of a security breach.
8) In the event of a personal data breach
We are also committed to informing our customers of any breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data within 72 hours of becoming aware of it (Art. 33 GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms or individuals.
At your request, we will promptly provide you with the reasonable assistance necessary to enable you to notify relevant personal data breaches to the competent authorities and/or data subjects, if you are required to do so under data protection laws.
Furthermore, in the event that the breach is likely to result in a high risk to the rights and freedoms of an individual, we will communicate the Personal Data breach to the Data Subject as soon as possible, unless we have implemented appropriate technical and organizational protection measures and these measures have been applied to the Personal Data affected by the breach, in particular measures that make the Personal Data unintelligible to any person who is not authorized to access it, such as encoding.
9) Rights of the persons concerned
At any time, at the request of an account holder, tinymdm.net, tinymdm.fr, and other B2B Services of TinyMDM undertake, within 30 days:
- To export their user data.
- Delete the user data.
- Update the user data.
- Delete the account.
According to the GDPR, personal data must be deleted immediately upon request when the data is no longer necessary for its original purpose of processing, or when the data subject has withdrawn consent and there is no other lawful ground for processing (Article 17 of the GDPR).
To delete your account, please visit the TinyMDM administration console, My Account tab and click on Delete my account. To request the deletion of your data, send a written request to rgpd[at]arsnovasystems.com. If no exceptions apply, we will take steps within one month to ensure the deletion of data from both backup and active systems. If we have any doubts about the identity of the person making the request, we are entitled to request further information.
Cookies are small text files that are stored in the browser directory. They allow site owners to understand how visitors use their site, remember user IDs and store user preferences for the site. Cookies are one of the primary tools that enable us to provide secure and efficient Services. Essential cookies are essential to the proper functioning of our Site and Services, ensuring usability and security by enabling basic functions such as navigation and access to secure areas of the site. Preference cookies are used by TinyMDM to remember your preferences and to recognize you when you use our Services again. Statistical cookies allow us to understand how visitors interact with our Services. Finally, Marketing cookies are used to display ads that are relevant to our visitors.
You can disable cookies at any time, except for those cookies that we need to provide you with our Services. If you choose to disable cookies, some features of our Site or Services may not function normally.
The person responsible for processing personal data within our Company is Mr Romain Cousseau, in his capacity as data protection officer (DPO) of Ars Nova Systems.