Privacy Policy
Effective Date: March 1, 2025
Castwell OÜ ("we", "us", or "our") acts as a Data Processor for our BusinessHeadshots.com clients, processing personal data on their behalf to provide headshot management and generation services. This Privacy Policy is designed to provide comprehensive information about how we handle personal data under instructions from our clients (Data Controllers), in compliance with global privacy laws, particularly the General Data Protection Regulation (GDPR).
1. Definitions
- Personal Data: Information relating to an identified or identifiable natural person ("Data Subject"), including names, photos, identification numbers, location data and online identifiers of that natural person.
- Data Subject: An individual whose personal data is processed.
- Data Controller: The entity that determines the purposes and means of processing personal data (our clients).
- Data Subprocessor: An entity that the Data Processor engages to process personal data on behalf of the Data Controller.
- Processing: Any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.
2. Information We Process
As Provided by Our Clients (Data Controllers):
- Employee Information: Full names, job titles, professional email addresses, photographs.
- Account Information: Login data, user profile data including preferences, and account settings necessary for our service provision, as well as company details such as business name, address, and contact information.
Automatically Collected:
- Usage Data: IP addresses, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, referring/exit pages, pages visited, search terms used, clickstream data, view length, and other diagnostic data.
- Cookies and Similar Technologies: We use cookies, web beacons, and similar technologies to track user patterns, manage sessions, and enhance user experience (detailed in our Cookie Policy).
- Device Information: Including device type, device ID, model, and other unique device identifiers.
3. Use of Information
We process personal data solely on behalf of our clients for the following purposes:
- Service Provision: To fulfill, process, and deliver headshot services as instructed by our clients.
- Technical Support: To provide customer support related to our services.
- Security: To protect against, identify, and prevent fraud, unauthorized access, and ensure the security of our systems.
- Compliance: To comply with legal obligations applicable to us as a data processor.
- Analytics: To improve our services, but only where permitted by our clients. This involves anonymizing or pseudonymizing data to ensure no individual is identifiable.
4. Data Security
We implement comprehensive security measures to safeguard the data we process:
- Encryption: Data is encrypted in transit (HTTPS) and at rest using industry-standard mechanisms such as TLS and AES-256.
- Access Control: Access to personal data is strictly controlled, with role-based access ensuring only necessary personnel can interact with the data.
- Network Security: Deployment of firewalls, intrusion detection/prevention systems, regular security assessments, and penetration testing.
- Data Minimization: We process only the data necessary for the specified purposes as per our clients' instructions.
- Incident Response: We have a robust incident response plan, ensuring swift action in case of a data breach, including notification to the client within 72 hours, as required by GDPR.
- Physical Security: Data centers are secured with physical access controls, surveillance, and environmental protection.
- Employee Training: Regular training on data protection, security best practices, and compliance with privacy laws.
- Third-Party Security: Our subcontractors (processors) are bound by strict data processing agreements (DPA) ensuring they maintain equivalent security standards.
5. Data Sharing
- Subprocessors: We use the data subprocessors listed in Schedule 1 (the "Approved Subprocessors") for the purpose of providing the Services under the Principal Agreement.
- Legal Requirements: We may disclose personal data if compelled by law or legal processes, informing our clients of such disclosures where possible.
6. Data Subject Rights
We acknowledge the rights of data subjects under GDPR:
- Right to Access: Data subjects can request access to their data through our clients.
- Right to Rectification: Correction of data inaccuracies.
- Right to Erasure: Deletion of data, subject to our client's instructions.
- Right to Restrict Processing: Restrict how we process data on behalf of our clients.
- Right to Data Portability: Receive data in a structured, commonly used format.
- Right to Object: Object to processing, where processing is based on legitimate interests.
- Rights in Relation to Automated Decision Making and Profiling: Information and objection rights concerning automated decision-making.
7. Data Retention
- Retention Policy: We retain personal data as instructed by our clients or as required by law for the provision of our services.
- Data Disposal: Upon termination of our services or client instruction, data is securely deleted or anonymized in line with our data destruction policy.
8. International Data Transfers
- Data Transfer: We may transfer personal data internationally as part of our service provision, ensuring that such transfers comply with GDPR through mechanisms like Standard Contractual Clauses.
- Cross-Border Data Protection: Additional safeguards like encryption and pseudonymization are applied to international transfers.
9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify our clients of any changes and post the updated policy on this page.
10. Contact Information
For any questions regarding this Privacy Policy or our data processing practices, please contact:
info@businessheadshots.com
11. Complaints
If you have concerns about our data processing, please first contact us (your Data Controller). If unresolved, you can also lodge a complaint with the relevant data protection authority.