Last Updated: September 2018
The core of vMOX’s services involves the processing of confidential and sensitive information, and/or Personal Data. Such processing requires vMOX to comply with applicable privacy and data protection laws. In particular, when vMOX processes Personal Data of EU citizens, vMOX has a duty to comply with the General Data Protection Regulation (GDPR) established by the EU. The GDPR requires companies to ensure that when Personal Data of EU citizens is transferred out of the EU, it is transferred to a recipient that will adequately protect the Personal Data. To fulfill this obligation, vMOX volunteered to adhere to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks because any company that is certified under these frameworks is deemed to have such adequate protection. These frameworks will be referred to collectively as the “Principles”.
For the purposes of this Policy, vMOX distinguishes between the following categories of individuals that may have their information processed by vMOX:
“Customer” means an entity which engages vMOX for mobile optimization services;
“End User” means any individual who provides data to Customer and is included as an employee or representative with respect to Customer’s account with vMOX;
“Partner” means an individual who has facilitated the relationship between vMOX and Customer, and who may from time to time, with Customer’s consent, access vMOX’s systems to review Customer data; and
“Visitor” means an individual that visits www.vmox.com.
vMOX provides mobile optimization services (“Services”) to its customers and utilizes an on-line portal to provide the results from such Services to its customers. All information stored on vMOX’s platform is treated as confidential, is stored securely, and is only accessed by authorized personnel. As a requirement of Privacy Shield, vMOX maintains appropriate technical, security, and organizational measures to protect Personal Data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure.
2. Privacy Shield
2.1 Notice. The U.S. Department of Commerce and the European Commission and the U.S. Department of Commerce and the Swiss Federal Data Protection and Information Commissioner have each agreed on a framework of data protection principles and supplemental principles to enable U.S. companies to provide an adequate level of protection when Personal Data is transferred from the EEA to the U.S. and from Switzerland to the U.S., respectively. vMOX complies with the Principles regarding the collection, use, and retention of Personal Data from European Union member countries and from Switzerland, respectively. vMOX has certified that it adheres to the Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability as well as the supplemental principles of both frameworks.
The European Economic Area (EEA) currently includes the following countries: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, United Kingdom, Iceland, Liechtenstein, and Norway.
To learn more about the Privacy Shield programs, please visit https://www.privacyshield.gov or the U.S. Department of Commerce website. A current list of organizations certified under the Privacy Shield framework (“Privacy Shield List”) is available at https://www.privacyshield.gov/list. Should there be any conflict between the Principles and this Policy, the Principles shall prevail. This Policy outlines the general practices for implementing the requirements of the Principles in connection with Personal Data that is transferred from the EEA to the U.S. and from Switzerland to the U.S., including the types of information that are collected and transferred; how it is used; and the choices individuals located in the EEA or Switzerland have regarding the use of, and their ability to correct, that information.
Whether vMOX collects Personal Data of individuals directly or indirectly, this Policy will inform such individuals about the purposes for which it collects and uses Personal Data about them including any transfer to vMOX in the U.S., the identity of third parties acting as processors to which vMOX discloses such information, the purposes for which it does so, the means in which vMOX limits the use and disclosure of their Personal Data, and about the right of individuals to access their Personal Data. Notice will be provided to Customers or individuals as appropriate before vMOX uses the information for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.
2.2 Choice. vMOX will offer individuals, whether directly or through the Controller of the Personal Data, as applicable, the opportunity to opt-out as to whether their Personal Data is (a) disclosed to a third party acting as a sub-processor, or (b) used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. vMOX will provide Controller and individuals, as applicable, with reasonable mechanisms to exercise their choices.
vMOX respects your privacy and has no desire to contact you if you do not wish to hear from us. If, for any reason, you wish to cease receiving messages from vMOX please send an email to vmox.com with a subject line of “Unsubscribe”, including any other details that will help us fulfill your request.
2.3 Accountability for Onward Transfer. vMOX will obtain assurances from authorized third parties that they will safeguard Personal Data consistent with this Policy and will transfer Personal Data only for limited and specific purposes. vMOX recognizes its responsibility and potential liability for onward transfers to unauthorized third parties. Where vMOX has knowledge that a third party is using or disclosing Personal Data in a manner contrary to this Policy and/or the level of protection as required by the Principles, vMOX will take reasonable and appropriate steps to prevent, remediate or stop the use or disclosure.
2.4 Access. Upon request, vMOX will grant individuals reasonable access to Personal Data that it holds about them. In addition, vMOX will take reasonable steps to permit individuals, whether directly or through the Controller of the Personal Data, to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete or has been processed in violation of the Principles. vMOX may limit an individual’s access to Personal Data where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the legitimate rights of persons other than the individual would be violated.
2.5 Security. vMOX will take reasonable and appropriate precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data.
2.6 Data Integrity and Purpose Limitation. vMOX will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. vMOX will take reasonable steps to ensure that Personal Data is relevant to its intended use, accurate, complete, and current. vMOX will adhere to the Principles as long as it retains Personal Data received under the respective Privacy Shield framework.
2.7 Recourse, Enforcement and Liability. vMOX utilizes the self-assessment approach to assure its compliance with this Policy. vMOX periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Principles. vMOX encourages interested persons to raise any concerns with it using the contact information below. vMOX will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.
2.8 Limitations. vMOX's adherence to the Principles may be limited (a) to the extent necessary to meet applicable national security, public interest, or law enforcement requirements (i.e., in the course of lawful requests by public authorities); (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of a Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
3. Collection and use
3.1 General. The following sections cover the specifics of each of the four groups from which data is collected: Visitors, Partners, End Users and Customers.
3.2 Visitors. If you are a Visitor to our website only, and not an End User or a user of our platform, then this section is relevant for you.
By visiting our website, you consent to the collection and use of your Personal Data as described herein. If you do not agree with the terms set out herein, please do not visit this website or otherwise provide us your Personal Data. If required by applicable law, we will seek your explicit consent to process Personal Data collected on this website or volunteered by you. Any consent you provide will be entirely voluntary. In the event you do not grant us consent to process your Personal Data, the use of this website may not be possible.
vMOX gathers data about visits to the website, including number of Visitors, geo-location data, length of time spent on the site, pages clicked on, and where Visitors have come from. vMOX uses the collected data to communicate with Visitors and to improve its website by analyzing how Visitors navigate its website, so it may also share such information with service vendors or contractors in order to provide a better Visitor experience.
3.3 Partners. Partners should be aware that by utilizing the vMOX platform, they could be disclosing information that could make their Personal Data available to vMOX. vMOX will collect Partner’s data for the purpose of enhancing its customer relationships, improving its Services and website experience, making payment to Partner when applicable, and to inform Partners of any updates regarding vMOX, via newsletters or other means of communication. Partners should be aware that they themselves are responsible for the content they disclose to vMOX. For more detailed information, Partners may contact vMOX at the address below.
3.4 End Users. End Users should be aware that by being employed by Customer, they have or could be disclosing Personal Data. The security and privacy protection implemented on vMOX’s platform covers this type of transfer or disclosure of Personal Data. Nonetheless, End Users providing any Personal Data to their employers should be aware that they are responsible for the uses of such Personal Data and have rights to withdraw their consent for us to process their Personal Data. End Users have a right to contact their employer or the Customer that is providing End User’s Personal Data. It is the Customer’s responsibility to ensure that collection and processing of data is done in accordance with applicable law. Therefore, vMOX will not process Personal Data of End Users for purposes or by means other than instructed by its Customers. If you wish to inquire about your Personal Data that may have been collected while vMOX provides Services to your employer or to our Customer, we recommend that you contact the Customer that created or sent your Personal Data. For clarity, vMOX is a Processor with respect to End User Personal Data, so it does not control the Personal Data used or stored in its possession, but rather processes it on behalf of Customer.
3.5 Customers. In order to provide Services to Customers, vMOX needs to collect certain types of data. Most of this data may be deemed Personal Data that Customer collected from its End Users during its ordinary course of business. To be clear, data transferred to vMOX by Customers through direct or indirect means, remains the property of the Customer and will not be shared with a third party by vMOX without express consent from Customer.
3.5.1 Collection of Customer data. Upon Customer’s onboarding process and all throughout the engagement with vMOX, Customers provide data relating to Customer and its End Users, which may include names of employees, company name, email, business address, corporate provided mobile numbers, business telephone numbers, business e-mail, and other relevant data. This information is used by vMOX to identify the Customer and provide them with Services, support, surveys, mailings, sales and marketing actions, billing and to meet contractual obligations. vMOX does not sell, rent, or lease customer lists to third parties.
vMOX Customers may at any time access, create, edit, update or delete their contact details by logging in with their username and password to vMOX’s platform, provided employees of Customer have such permissions. vMOX Customers may create more user accounts with different privilege levels within their account. It is Customer’s responsibility to choose the level of access each user accessing Customer accounts should have. vMOX will not retain Customer data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. Notwithstanding, vMOX will expunge such data in accordance with its normal operating procedures with respect to data deletion.
3.5.2 Collection of End User data. For purposes of mobile device optimization End User Personal Data used is provided by Customers, so it is the Customer’s responsibility to ensure that collection and processing of data is done in accordance with applicable law. vMOX will not process Personal Data for other purposes or by other means than instructed by its Customers.
Collecting End User Personal Data is necessary for the purpose of optimizing Customer’s telecom expenses. End User Personal Data is utilized by vMOX to reconcile End User’s telecom usage with Customer’s telecom invoices to determine if Customer, on behalf of the End User, was invoiced properly by the telecom providers and whether Customer’s costs can somehow be reduced based on an analysis of usage charges. For these purposes, Personal Data may include personal contact information such as name, business address, mobile number, email address, business contact details, the country from which End User may access the vMOX portal, and other sensitive Personal Data.
3.5.2.1 Collection of End User data in EEA or Switzerland. For Customers in the EEA or Switzerland, or for Customers providing Personal Data of End Users who are citizens of the EEA or Switzerland, the Customer will be the “Controller”, as defined in the Directive and the GDPR. The purpose of processing will consequently be defined by vMOX’s Customer. If you or your organization are required under GDPR to enter into a contract, or other binding legal act under EU or Member State law, with your data processors, then you must review and accept vMOX’s Data Processing Agreement, which governs the transfer of data from the E.U. to the U.S. and from Switzerland to the U.S.
3.6 Security. vMOX secures Personal Data from unauthorized access, use or disclosure. When Personal Data is transmitted to other websites, it is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
3.7 Geographical location. All collected information, whether Visitor, Partner, End User, or Customer, is stored in secure hosting facilities provided by Amazon Web Services located in the United States. No Personal Data is transmitted outside of the U.S. without the proper legal authorization documented by Data Processing Agreements. vMOX has a data processing agreement in place with Amazon Web Services, ensuring compliance with applicable law. All hosting is performed in accordance with the highest security regulations.
3.8 Processing in the EEA and Switzerland. The GDPR (the Regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data) is the prevailing EU law.
3.9.1 What are Cookies? For modern websites to work according to visitors’ expectations, they need to collect certain basic information about visitors. To do this, sites create small text files, known as “Cookies”, which are placed on visitors’ devices. Cookies are uniquely assigned to each visitor and can only be read by a web server in the domain that issued the Cookie to the visitor. Cookies cannot be used to run programs or deliver viruses to a visitor’s device. Cookies do various jobs which make the visitor’s experience of the internet much smoother and more interactive. For instance, Cookies are used to remember a user’s preferences on sites they visit often, to remember language preference and to help navigate between pages more efficiently. Much, though not all, of the data collected is anonymous, though some of it is designed to detect browsing patterns and approximate geographical location to improve the user experience.
3.9.3 We believe that the user experience of the website would be adversely affected if any users opt-out of the Cookies we use. Nonetheless, users may, at any time, opt-out and prevent the setting of Cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of Cookies. Furthermore, already set Cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If the user deactivates the setting of Cookies in the Internet browser used, not all functions of our website may be entirely usable.
3.9.4 Please be aware that while visiting our site, users can follow links to other sites that are beyond our sphere of influence. vMOX has no control over software, content, promotions, materials, information, goods or services available on these sites. We provide them for your convenience only and you follow them at your own risk because vMOX is not responsible for the content of these other sites. Further, you should be aware that any Personal Data you provide to these sites is no longer governed by this Policy.
3.10 Controller. If you submit Personal Data in conjunction with a resumé or inquiry through the vMOX website, vMOX acts as a Controller in these limited circumstances. Therefore, vMOX will determine how and when to use such data for legitimate business purposes, including, but not limited to, research, marketing, and billing purposes.
With respect to End User Personal Data, the Customer will be the Controller in accordance with GDPR because Customer determines the purpose of processing End User Personal Data (i.e., provides the Processor instructions as to how and to what extent it can process).
3.11 Processor. With respect to End User Personal Data, vMOX is the Processor and adheres to the GDPR. vMOX only processes all data in accordance with Controller’s instructions and in accordance with applicable law. vMOX has adopted reasonable physical, technical and organizational safeguards which substantially mirror the EU safeguards against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, use or processing of the Customer’s data in vMOX’s possession. vMOX will promptly notify the Customer in the event of any known unauthorized access to, or use of, the Customer’s data.
4. Retention and Deletion
vMOX will retain data only as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations.
For End User Personal Data, vMOX’s Customers have control of the purpose for collecting data, and the duration for which the Personal Data may be kept. Customers will therefore have the responsibility to request the deletion of data when required. When a Customer’s account is terminated, all Personal Data collected through the platform that remains active will be deleted; however, such information may remain on back-up data for archival purposes. Upon your request to delete Personal Data, we will honor this request unless deleting that information prevents us from carrying out necessary business functions, including, but not limited to, billing for our Services, calculating taxes, or conducting required internal audits, in which case we will delete the requested information in accordance with our data retention policy.
5. Acceptance of these Conditions
6. Our Legal Obligation to Disclose Personal Information
We will reveal an End User’s Personal Data without his/her prior permission only when we have reason to believe disclosure of this information is required to establish the identity of, to contact or to initiate legal proceedings against a person or persons who are suspected of infringing rights or property belonging to vMOX or to others who could be harmed by the user’s activities or of persons who could (deliberately or otherwise) transgress upon these rights and property. We are permitted to disclose Personal Data when we have good reason to believe that this is legally required.
7. vMOX’s Data Protection Officer
vMOX has a Data Protection Officer who can be contacted if you have questions or concerns about how we’re processing your Personal Data. vMOX will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
With respect to unresolved disputes concerning the Swiss-U.S. Privacy Shield, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel. In the event vMOX or such authorities determine vMOX did not comply with this Policy, vMOX will take appropriate steps to address any adverse effects and to promote future compliance and, if necessary, take disciplinary action against an employee who violated this Policy. vMOX is also subject to the investigatory and enforcement powers of the Federal Trade Commission, which is the competent supervisory body of Privacy Shield.
8. Further Information
If you have any further questions regarding the data vMOX collects, or how we use it, then please feel free to contact us at:
125 Mineola Avenue, Suite 306
Roslyn Heights, NY 11577
Attn: Chief Privacy Officer