GDPR Personal Request
We respect the rights of individuals to know how their personal data is being used, export it or request that it be deleted. We collect data requests via GDPR Page as it adds an extra layer of security by asking you to identify yourself.
Please note that data requests can take up to 30 days to process. In the case that it will take longer than 30 days, we will notify you ASAP.
Requests for non-personal data by individuals
Third parties seeking access to non-personal data should contact the Data Controller (FirstOfficer's customer) with their request.
Requests for non-personal data by legal authority
We may share data with law enforcement on special conditions, like when fraud or other crime is suspected. However, we require a valid search warrant issued by a court that resides in British Columbia, CANADA and we will always notify our customer, unless we are legally prohibited.
FirstOfficer is committed to the importance of trust and transparency for the benefit of our customers and does not voluntarily provide governments with access to any data for surveillance purposes.
Requests for non-personal data by a Customer
We kindly ask you to sign in and serve yourself at FirstOfficer's Data Export Page or export data through the FirstOfficer's API.
What we do if your customer asks us to delete/export or stop processing their personal data?
All the personal data that we have on your customers in FirstOfficer is something that you must keep for bookkeeping purposes. GDPR calls it "a lawful basis for processing". Your customers can't just ask you to forget their bills.
However, having personal details like name, email and country in FirstOfficer does not have lawful basis, so if your customer so demands, we will remove them. Your financial metrics remain untouched, just the personal identification data is removed.
We respect your time so we don't send separate email notifications about personal data requests. We don't let the customer know who the Data Controllers (you and other FirstOfficer customers) are.
End-user wants to stop processing or delete data
We delete the name, email and country that we have on record for this user in FirstOfficer and replace the information with unidentifiable placeholders.
You will still see a user in the app, but they show up as "GDPR-blocked" so you can't tell who's who.
End-user wants to export data
We will reply to them using this email template:
You have made a request to export your personal data from FirstOfficer. Here's what we have on record for you:
Your email: [email_address]
Your country: [country]
Your name: [name]
End-user wants to change data
We will only correct personal data, we never change financial data.
We will first reply with this email template:
The personal data that we have on you comes directly from our customers' billing systems. Changing it in FirstOfficer doesn't change it in their systems and we are not allowed to reveal the Data Controller to you.
Are you sure you want us to change this data?
If they want to proceed, we will do the change and reply with this template.
We confirm that the changes you've requested have been made.
What we do if FirstOfficer's customer makes a personal data request?
We respect the customer by not asking questions or confirmations unless it's absolutely necessary.
If a non-account owner asks to be forgotten, we manually delete the record from the DB and kindly let them know that their access to the application went with it. They need to be invited again to be able to use FirstOfficer again.
If an account owner wants to have their personal data removed we kindly let them know that we need that data for bookkeeping and we have lawful basis for keeping it. However, if they can assign someone else from their company as the new account owner, we can delete their account and the personal data will get deleted as well.
This policy and process was last modified at: Jan 6, 2020