SHI Privacy Statement

Summary

You will find below our full privacy statement regarding the way we collect and process your personal data, and your rights regarding this personal data. We have tried to draft this document in an easily understandable way, but it remains a legally binding document with technical terms, which is why we are providing you with the following short, non-binding summary of this document.

We collect some personal data automatically, only for statistical purposes; otherwise, all of your personal data is given directly to us by you when you fill out our registration, order or contact forms. We process this information only in compliance with the principles outlined in the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679 of April 27, 2016), which has been implemented via our Data Retention, Destruction and Archiving Policy ("Data Retention Policy"). We only transfer this information to our parent company in the U.S. and to third parties who take part in our services (for example, our delivery or payment partners).

You may exercise several rights under the GDPR by contacting us, including the right to access your personal data (i.e. receive a copy of the information we have), the right to portability of your data (transfer your data to someone else), the right to rectify any mistake in your data, and, under certain conditions, the right to erase your data, and the right to object to or to restrict the processing of your personal data.

We remain available to answer any questions you may have regarding this Privacy Statement, which may be directed to Privacy@shi.com, and invite you to read the full, binding statement below.

1. PURPOSE OF THE PRIVACY STATEMENT

This document constitutes a binding agreement (hereafter the "Privacy Statement") regarding the collection and processing of personal data by means of the website accessible via the domain name shi.com (hereafter the "Website") between SHI International Corp. and its affiliates (hereafter "us" or "SHI") and any visitor and/or user of the Website (hereafter "you" or the "User"). Throughout this Privacy Statement, the expression "personal data" refers to any information relating to an identified or identifiable natural person, as defined by the GDPR.

The Privacy Statement aims to inform you of the conditions under which your personal data is collected and processed by us and the rights that you have regarding this data.

In order to operate the Website and provide our services, we collect and process specific personal data, solely for the purposes detailed hereafter. We will not sell, share, or rent this information to others in ways different from what is disclosed in this statement.

2. PERSONAL DATA WE COLLECT AND PROCESS

2.1. Information Automatically Collected

When you visit our Website (regardless of whether you create a User profile), the following information about your visit is automatically collected by us, as it is sent by your browser when you access any webpage:

  • your computer's or mobile device's operating system;
  • the application or software that you used to access our Website;
  • the time you accessed our Website;
  • your browser type, language configuration, clicks, and page views;
  • the terminal with which you accessed our Website; and
  • the websites you visited before accessing our Website.

This information is logged automatically and is stored for 7 years, in compliance with our Data Retention Policy, other than your Internet Protocol address, which is stored for up to three (3) months. In accordance with Article 5(1)(e) of the GDPR, data should not be stored for longer than necessary, in relation to the purpose for which it is being processed. Seven years is the minimum period required to fulfil the purpose stated, as follows. The aim of this automatic collection and processing is to obtain visit statistics in order to improve our Website and your experience as a customer. In particular, we use IP addresses to analyze trends, administer the Website and gather broad demographic information for aggregate use.

This processing is lawful since it is necessary for the provision of our services in accordance with our Terms and Conditions, which you agreed to when visiting this Website.

2.2. Registration and User profiles

In order to use certain features of this Website (i.e. placing an order, or viewing information related to an account), a User must register for a User profile and be granted a username and password to access customized content. The following information is collected to constitute this User profile:

  • the name of the company on behalf of whom such User is accessing the Website, and
  • the User's name and contact information, including their phone number and email address.

In order to secure your profile, we also collect a password, which is protected by a cryptographic one-way hash function before being stored; and a security question and the answer to this question, both of which are encrypted, in order to enable you to recover your account should you forget your password.

The User may also opt to disclose additional information including default shipping addresses, organization codes, or cost centers to facilitate ordering and reporting.

This information is stored until you request the deletion of your profile, provided that there is no legal requirement for its retention, or until the profile is erased by SHI. The profile will be erased after 7.5 years of inactivity, in compliance with Article 5(1)(e) of the GDPR.

This processing is lawful since it is necessary for the provision of our services in accordance with our Terms and Conditions, which you agreed to when visiting this Website.

2.3. Orders

When you use the applicable form to order a product on the Website, we request the following information:

  • shipping address (including recipient name and phone number, street, city, state/province, ZIP code and country);
  • billing address, if different from the shipping address (which requires the same information as for the shipping address); and
  • credit card information.

This information is used for billing purposes, reporting, and to process your order(s).

Shipping and billing addresses are stored until you request the deletion of your profile, provided that there is no legal requirement for its retention, or until the profile is erased by SHI, as stated above in section 2.2. Unless you explicitly opt in for your credit card information to be kept longer (i.e. until you delete your profile), this data is only kept for the duration of the transaction.

This processing is lawful since it is necessary for the provision of our services in accordance with our Terms and Conditions, which you agreed to when visiting this Website.

2.4. Contact form

You may use the contact form to send a message to SHI, register for events, or request information, including in order to exercise your rights as detailed in this Privacy Statement. When filling out the contact form, we may request the following information:

  • first name,
  • last name,
  • company/organization name,
  • email,
  • phone number,
  • state,
  • country,
  • type of assistance required, and
  • your message (via a free-form field).

This information is required in order to process your message and answer your request, and is stored only as long as necessary in order to fully process your request.

When filling out the form and clicking the "submit" button, you expressly consent to this processing of your personal data, therefore making the processing lawful.

2.5. Newsletter

We offer two monthly newsletters, the SHI Microsoft Monthly Newsletter and the SHI Solutions Monthly Newsletter. We request User consent prior to sending you either of these newsletters, and you may choose whether you subscribe to only one or both newsletters.

Consent may either be given by the User upon registration for a User profile by expressly opting in to receive either or both of the newsletters, or at any time by visiting the Newsletter subscription webpage. Receipt of the newsletter is opt-in only, and the User must provide an email address to subscribe to the chosen newsletter.

The User's email address is required in order to receive the newsletter, and is stored for as long as the User remains subscribed to the Newsletter, or until SHI removes the User from the subscription list, at its sole discretion. You can choose to unsubscribe at any time, either by clicking on the link provided at the bottom of your newsletters, or by updating your preferences on the Update Newsletter Subscriptions webpage on our Website.

This processing is expressly consented to by the User when subscribing to the newsletter.

3. COOKIES

A cookie is a piece of data stored on the User's hard drive containing information related to the User's visit to our Website.

SHI only uses cookies to indicate:

  • User identity, in the form of unique identifiers recognized only by our system;
  • User authentication status, so we know if the User is currently logged in or not (as being logged in is a distinct concept from thinking we know who the User is);
  • an identifier for which server is handling this session, to facilitate interactive reports;
  • a token identifying the user's session, used in order to prevent certain types of security breaches; and
  • transient information relating to the state of the current session.

SHI only uses these cookies to facilitate the operation of the site; they are not and will not be used for any other purpose, and no data related to those will be made available to any third party now or in the future. These cookies do not allow the tracking of the User in any way, and are only necessary for the operation of our Website.

You may, at any time, modify, delete or block the cookies stored on your device by SHI. This may affect your usage of or access to the Website. Please refer to your browser's documentation to learn how to proceed.

The storage duration of these cookies differs depending on the cookie, but is never longer than ninety (90) days. By visiting the Website without disabling this function, you accept the use of these cookies.

4. PERSONAL DATA SHARING AND TRANSFER

4.1. Internal transfers

We inform you that the personal data we collect may be transferred to our parent company, SHI International Corp., located in the United States of America. These transfers are necessary for the execution of our Terms and Conditions, which you agreed to when navigating our Website. In particular, all of our servers are located in the United States of America. As a consequence, the processing of your orders and subscriptions requires your personal data to be transferred to the United States.

In order to ensure the lawfulness of these transfers, we have executed and implemented the European Commission Standard Contractual Clauses for controller-to-controller transfers set by Decision 2004/915/EC. The Standard Contractual Clauses provide for adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, and are fully implemented by SHI and its local European affiliates.

4.2. Sharing with third parties

We inform you that we share aggregated demographic information with our partners and advertisers. The information we share does not contain any information that would allow any User to be identifiable.

We also outsource certain activities such as order shipments, marketing assistance, postal and email delivery, customer service, and data analysis, and use a credit card processing company to bill users for goods and services. These companies do not retain, share, store or use personal data for any secondary purposes and are not allowed to use personal data, except for the purpose of providing these services. We have also ensured that our agreements with these third parties contain data protection clauses that guarantee appropriate safeguards to the User.

These transfers are required for the performance of our obligations under our Terms and Conditions, which you agreed to when visiting this Website or placing an order with us.

5. LINKS

This Website contains links to other sites. Please be aware that SHI is not responsible for the privacy practices of such other sites. We encourage our Users to be aware when they leave our site and to read the privacy statements of each and every Website that collects personal data. This privacy statement applies solely to information collected by this Website.

6. USER'S RIGHTS

You have the following rights regarding your personal data that is collected and processed by us.

We will attempt to notify each recipient to whom your personal data has been disclosed (unless this proves impossible or involves disproportionate effort) when you notify us of a rectification or erasure of your personal data or a restriction of processing.

6.1. Right of access

You may request access to your personal data that we collect and process. Should you request such access, we will provide you with a copy of all your personal data in our possession as well as all legally required information, including:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients to whom the personal data have been or will be disclosed;
  • the duration of storage of the personal data; and
  • further information on your rights regarding your personal data.

6.2. Right to data portability

You have the right to data portability of your personal data. This right differs from your right to access since it only relates to the personal data you provided us with (for example, automatically collected data is not included). This right allows you to receive this personal data in a structured, commonly used and machine-readable format in order for you to be able to transfer this personal data to another data controller or processor.

6.3. Right to rectification

You may, at any time, request that we rectify inaccurate or incomplete personal data concerning you, and we will proceed accordingly and promptly.

6.4. Right to erasure ('right to be forgotten')

You may request the erasure of your personal data provided that one of the following conditions applies:

  • your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • you withdraw your consent for the processing and there is no other legal ground for the processing (this only relates to the personal data collected via the contact form or for our newsletter purposes);
  • you exercise your right to object to the processing of your personal data, as detailed in section 6.5;
  • your personal data was unlawfully processed; or
  • your personal data has to be erased to comply with a legal obligation to which we are subject.

6.5. Right to object

Where your personal situation justifies it, you may object to the processing of your personal data by us when this processing is carried out in our legitimate interests.

You may also, at any time, object to the processing of your personal data by us when this processing is carried out for marketing purposes.

6.6. Right to restriction of processing

You may ask for the restriction of the processing of your personal data when one of the following applies:

  • where you contest the accuracy of your personal data, you can request the restriction of the processing of your personal data for the period required to verify your claim;
  • where the processing is unlawful, you may choose to request the restriction of the use of your personal data instead of requesting its erasure;
  • if we no longer need your personal data for the purpose of the processing, but you require this data for the establishment, exercise or defense of legal claims; or
  • where you objected to the processing of your personal data carried out in our legitimate interests, you may request the restriction of this processing while we investigate your claim.

7. SECURITY

We have implemented appropriate security measures in order to protect our Users' information, both online and off-line.

All access to the Website is, by default, encrypted and protected. SHI supports TLS 1.1 and TLS 1.2 encryption, and recommends use of TLS 1.2 encryption.

All User data is stored in database servers that cannot route traffic outside our internal network, and that have no access to the public Internet. Physical access to our servers is restricted; the servers are located in a datacenter that is only accessible to designated IT staff and is properly locked and off-limits to visitors.

All User passwords are stored using a one-way hash function. It is impossible for us to see what these passwords are; we can only verify that the hash value of what the User has entered matches the stored value. As a result, we are unable to retrieve lost passwords under any circumstances. To facilitate the verification of the User's identity by our employees, we also store a verification question and answer entered by the User. This information is encrypted to protect against theft, but is revealed selectively to SHI employees when such verification is necessary.

8. NOTIFICATION OF CHANGES

If we decide to change our Privacy Statement, we will post those changes on our Website, accessible from the home page and elsewhere, so our Users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. A banner informing our Users of the change in this Privacy Statement will be displayed for two weeks after the change.

If at any point we decide to use personal data for purposes incompatible with those stated at the time it was collected, we will notify Users by way of an email whenever possible, or by displaying a banner requesting Users' consent to this change for two weeks before the change takes place. Users will have the option to refuse the change and request the deletion of their User profile and of their personal data.

9. NON-PERSONAL DATA

This Privacy Statement discloses the treatment of any personal data revealed by our Users on the SHI.com web sites. The treatment of any non-personal data is discussed in the site's Terms and Conditions.

10. CONTACTING US AND EXERCISING YOUR RIGHTS

Should you have any question regarding this Privacy Statement or wish to exercise one of the rights detailed above, you may contact us at Privacy@shi.com.

An identity verification document will be required should you wish to exercise one of your rights, in order to ensure that no third party can gain access to your personal data.

Should a disagreement arise (including where a dispute is not solved by an amicable settlement), the User can always contact the competent personal data protection authority to lodge a complaint. In the European Union, the Website targets France and the United Kingdom, whose data protection authorities are the following:

  • in France, the CNIL, whose website is accessible at the following address: https://www.cnil.fr/;
  • in the United Kingdom, the ICO, whose website is accessible at the following address: https://ico.org.uk.