1. Introduction
FirstMate (operating as Desyco BV, a company incorporated as a "besloten vennootschap" under the laws of Belgium, having its registered address at Karel Van Doorslaerlaan 45, 2880 Bornem, Belgium, with VAT number BE0749.429.819, hereinafter referred to as “Desyco (FirstMate)”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information when you visit our website (https://www.firstmate.io) and use our services.
This Privacy Policy applies to all visitors and users of our website and services, including our FirstMate Configurator for temporary Odoo instances.
Data Controller:
Desyco BV (trading as FirstMate)
Karel Van Doorslaerlaan 45
2880 Bornem, Belgium
Enterprise Number: 0749.429.819
VAT number: BE0749.429.819
Email: info@firstmate.io
2. What Personal Data We Collect
2.1 Information You Provide Directly
When you use our FirstMate Configurator, contact us, and/or create an account on our website, we collect:
- Account Information: Full name, email address, company name, VAT number, company address, company URL, and any additional information required to support and enable our services toward you.
- Configuration Preferences: Prompts and preferences you provide regarding your desired Odoo instance setup
- Communication Data: Any information you provide when contacting us via email, contact forms, or other communication channels
- Marketing Preferences: Your consent choices regarding marketing communications
2.2 Information We Collect Automatically
When you visit our website, we automatically collect:
- Technical Data: IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Usage Data: Information about how you use our website, including pages visited, time spent on pages, click patterns, and referring website addresses
- Cookie Data: Information collected through cookies and similar technologies (see Section 10)
2.3 Data Uploaded to Temporary Odoo Instances
- Business Data: Any data, documents, or information you upload to your temporary Odoo instance during the 14-day trial period
- Configuration Data: Settings, customizations, and usage patterns within your temporary instance
3. Legal Basis for Processing Your Personal Data
Under GDPR, we process your personal data based on the following legal grounds:
| Purpose | Legal Basis |
|---|---|
| Creating and providing your temporary Odoo instance | Consent - You explicitly consent when creating your account |
| Fulfilling our contractual obligations | Contractual Necessity - Processing necessary to provide the services you requested |
| Following up with leads and sales activities | Legitimate Interests - Our legitimate interest in improving service quality |
| Improving our services and AI configurations | Legal Obligation - Required by Belgian and EU law |
| Complying with legal obligations | Consent - With your explicit opt-in consent |
You have the right to withdraw your consent at any time, though this will not affect the lawfulness of processing based on consent before withdrawal.
4. How We Use Your Personal Data
We use your personal data for the following purposes:
4.1 Service Provision
- To create and manage your account
- To set up and configure your temporary Odoo instance
- To provide technical support and respond to your inquiries
- To host your temporary instance on our chosen private servers (currently Microsoft Azure)
- To ensure service security and prevent fraud
4.2 Service Improvement
- To analyze usage patterns and improve our AI-driven configuration tools
- To develop new features and services
- To understand our customer base and their needs
- To optimize the FirstMate Configurator functionality
4.3 Communication
- To send you important service notifications and updates
- To follow up regarding your temporary Odoo instance
- To respond to your questions and support requests
- To send marketing communications (only with your explicit consent)
4.4 Legal Compliance
- To comply with legal and regulatory obligations
- To enforce our Terms & Conditions
- To protect our rights and those of our users
5. Data Sharing and Disclosure
We respect your privacy and limit data sharing to the following circumstances:
5.1 Service Providers
We share your data with trusted third-party service providers who assist us in operating our business:
- Microsoft Azure: Cloud hosting services for temporary Odoo instances.
- Odoo SA: Community version software provider (if applicable).
- Email Service Providers: For sending service and marketing communications
- Analytics Providers: For website analytics and service improvement
All service providers are contractually bound to protect your data and process it only according to our instructions and in compliance with GDPR.
5.2 Business Partners
Third-party Partners: If you request additional services beyond the temporary instance, we may share relevant information with our partner network (only with your explicit consent)
5.3 Legal Requirements
We may disclose your personal data when required by law or to:
- Comply with legal processes or governmental requests
- Enforce our Terms & Conditions and other agreements
- Protect the rights, property, or safety of FirstMate, our users, or others
- Prevent fraud or security threats
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you of any such change and your rights regarding your data.
5.5 What We Don't Do
- We never sell your personal data to third parties
- We never share your data for third-party marketing purposes without your explicit consent
- We never share data uploaded to your temporary Odoo instance with anyone except as necessary to provide the service
6. International Data Transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA) on Microsoft Azure servers.
If we transfer your data outside the EEA, we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Other legally approved transfer mechanisms
Microsoft Azure complies with GDPR requirements and provides appropriate data protection guarantees.
7. Data Retention
We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:
| Data Type | Minimum Retention Period | Rationale |
|---|---|---|
| Account information (name, email, company details) | 3 years from last interaction or until deletion request | Legitimate business interest in maintaining customer relationships and compliance with accounting requirements |
| Temporary Odoo instance data | 14 days from creation | Automatically deleted after trial period expires |
| Marketing consent records | Until consent is withdrawn + 1 year | Legal compliance and proof of consent |
| Communication records | 3 years from last communication | Customer service and legal protection |
| Website analytics data | 26 months | Service improvement and analytics |
| Support tickets and correspondence | 5 years | Legal protection and service improvement |
After these periods, we will either delete your data or anonymize it so it can no longer identify you.
Earlier Deletion: You can request deletion of your data at any time by exercising your right to erasure (see Section 8).
8. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
8.1 Right of Access
You have the right to request a copy of the personal data we hold about you.
8.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data when:
- It's no longer necessary for the purposes it was collected
- You withdraw consent and there's no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- Your data has been unlawfully processed
- Deletion is required to comply with a legal obligation
Note: This right is not absolute. We may retain data if required by law or for legitimate legal purposes.
8.4 Right to Restriction of Processing
You can request that we limit how we use your data in certain circumstances.
8.5 Right to Data Portability
You can request a copy of your data in a structured, commonly used, machine-readable format and transmit it to another controller.
8.6 Right to Object
You can object to:
- Processing based on legitimate interests
- Direct marketing at any time
- Processing for scientific/historical research or statistical purposes
8.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw that consent at any time.
8.8 Right Not to Be Subject to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
Note: Our AI-driven configurator provides suggestions but does not make automated decisions with legal effects.
8.9 Right to Lodge a Complaint
If you're unhappy with how we handle your data, you have the right to lodge a complaint with: Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données)
Rue de la Presse 35, 1000 Brussels, Belgium
Email: contact@apd-gba.be
Phone: +32 2 274 48 00
Website: www.dataprotectionauthority.be
9. How to Exercise Your Rights
To exercise any of your rights, please contact us:
Email: info@firstmate.io
Post:
Desyco BV (trading as FirstMate)
Karel Van Doorslaerlaan 45
2880 Bornem, Belgium
VAT number: BE0749.429.819
What We Need From You: To process your request, we need to verify your identity. Please provide:
- Your full name and email address used for your account
- A description of your request
- Proof of identity (copy of ID card or passport) if requesting access or deletion
Our Response Time: We will respond to your request within 31 days of receipt. In complex cases, we may extend this by two additional months (an equivalent of 62 days) and will inform you of the extension and reasons.
No Fee: Exercising your rights is generally free of charge. However, if your requests are manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee or refuse the request.
11. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it:
11.1 Technical Measures
- Encryption: Data in transit is encrypted using SSL/TLS protocols (HTTPS)
- Access Controls: Role-based access controls and multi-factor authentication for internal systems
- Secure Hosting: Microsoft Azure infrastructure with enterprise-grade security
- Firewalls: Network security and intrusion detection systems
- Security Monitoring: Continuous monitoring for security threats and vulnerabilities
11.2 Organizational Measures
- Confidentiality: All employees and contractors sign confidentiality agreements
- Access Limitation: Personal data is accessible only to authorized personnel on a need-to-know basis
11.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms:
- We will notify the Belgian Data Protection Authority within 72 hours of becoming aware
- We will notify affected individuals without undue delay if the breach poses a high risk
- Notifications will include the nature of the breach, likely consequences, and measures taken
11.4 Limitations
While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security, and you use our services at your own risk. Please use strong passwords and keep your login credentials confidential.
12. Children's Privacy
Our services are not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16.
If you are under 16, please do not:
- Use our services
- Create an account
- Provide any personal information through our website
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
If you believe we have collected information from a child under 16, please contact us immediately at info@firstmate.io.
13. Links to Third-Party Websites
Our website may contain links to third-party websites, services, or resources not operated by FirstMate. This Privacy Policy does not apply to those third-party sites.
We are not responsible for the privacy practices or content of third-party websites. We encourage you to review the privacy policies of any third-party sites you visit.
Examples of third-party links may include:
- Social media platforms
- Partner websites
- Odoo.com documentation
- Service provider websites
14. Business Data and Data Processing
14.1 Your Role as Data Controller
If you upload personal data of your customers, employees, or other individuals to your temporary Odoo instance, you act as the data controller for that data, and FirstMate acts as your data processor.
14.2 Your Responsibilities
As data controller, you are responsible for:
- Ensuring you have a legal basis to process and share that data with us
- Obtaining necessary consents from your data subjects
- Informing your data subjects about how their data will be processed
- Ensuring compliance with GDPR and other applicable data protection laws
14.3 FirstMate's Role as Processor
When processing your business data, FirstMate will:
- Process data only according to your instructions
- Implement appropriate security measures
- Not use your data for any purpose other than providing the service
- Delete all data after 14 days as specified in our Terms & Conditions
- Assist you in responding to data subject requests where reasonably possible
14.4 Data Processing Agreement
For customers requiring a formal Data Processing Agreement (DPA) beyond the 14-day trial period or for enterprise services, please contact us at info@firstmate.io, with the subject: “Legal - Data Processing Agreement (DPA)”.
15. Marketing Communications
15.1 Consent-Based Marketing
We will only send you marketing communications if you have:
- Explicitly opted in to receive marketing emails, or
- Provided your contact information in the context of a sales inquiry (soft opt-in)
Marketing communications include:
- Information about our services, insights, and new features
- Case studies and success stories
- Industry insights and Odoo best practices
- Event invitations and webinars
- Special offers and promotions
- Other information we deem relevant and applicable to FirstMate’s business goals and services.
15.2 Legitimate Interest for Lead Follow-Up
When you create a temporary Odoo instance, we have a legitimate interest in following up with you about:
- Your experience with the trial
- Technical support and assistance
- Potential conversion to a paid service
- Relevant service offerings based on your configuration preferences
This is not considered marketing and is based on our legitimate business interest in developing customer relationships.
15.3 Your Choice
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Adjusting your preferences in your account settings
- Contacting us at info@firstmate.io
- Sending a written request to our postal address
Important: Opting out of marketing communications does not affect:
- Transactional emails (account creation, password resets, service notifications)
- Follow-up communications based on legitimate interest (which you can object to separately)
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
16.1 How We Notify You
When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For minor changes, we will post the updated policy on our website
For material changes, we will notify you by:
- Email to your registered email address
- Prominent notice on our website
- Request for new consent where required by law
16.2 Your Continued Use
Your continued use of our services after changes to this Privacy Policy constitutes acceptance of the updated policy, unless the changes require new consent under GDPR.
17. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
FirstMate (Desyco BV)
Karel Van Doorslaerlaan 45
2880 Bornem, Belgium
Enterprise Number: 0749.429.819
VAT number: BE0749.429.819
Email: info@firstmate.io
Website: firstmate.io
Data Protection Officer: Jochen Wilms
18. Specific Information for Temporary Odoo Instances
18.1 Data Ownership
You retain ownership of all data you upload to your temporary Odoo instance.
18.2 Data Access
- You have exclusive access to your instance during the 14-day trial
- FirstMate has access only for: technical support, service improvement, and security purposes
- FirstMate staff access is logged and limited to authorized personnel
18.3 Data Usage for Improvement
We may analyze anonymized and aggregated usage patterns from temporary instances to:
- Improve our AI-driven configuration algorithms
- Identify common use cases and customer needs
- Enhance the FirstMate Configurator functionality
- Develop new features and services
18.4 Automatic Deletion
All data within your temporary instance will be permanently and automatically deleted after 14 days with no possibility of recovery. This includes:
- All uploaded documents and files
- Configuration settings
- User data entered into the system
- Customizations and modifications
19. Glossary
Personal Data: Any information relating to an identified or identifiable natural person.
Data Controller: The entity that determines the purposes and means of processing personal data.
Data Processor: An entity that processes personal data on behalf of the data controller.
Data Subject: The individual to whom personal data relates.
GDPR: General Data Protection Regulation (EU 2016/679).
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing of personal data.
Legitimate Interest: A legal basis for processing personal data when the processing is necessary for legitimate interests pursued by the controller or a third party, except where overridden by the interests or rights of the data subject.
By using FirstMate's services, including our website, you acknowledge that you have read, understood, and agree to this Privacy Policy.