At HacknPlan, we really care about the privacy and security of your data. Our mission is to be completely transparent about how we collect, share and use your personal information. This document covers the following topics:
- Responsibility for the processing of personal data
- Processing of personal data through HacknPlan by Mad Cactus Digital as data controller
- Purpose and legal basis for processing personal data
- Data retention period
- Data Processors
- International Transfers
- Rights of the Data Subject with Mad Cactus Digital
- Data processing by Mad Cactus Digital as Processor
- Modification of this policy
HacknPlan: a web SaaS (Software As A Service) project management tool for video game industry professionals, accessible from the browser and allowing collaborative project planning with other members, with access to different functionalities and/or services depending on the subscription plan contracted and provided through the website https://app.hacknplan.com/.
Mad Cactus Digital: the company that owns HacknPlan and whose data is stated below.
User: a natural or legal person who registers on HacknPlan to create or collaborate/participate in one or more Projects.
Owner: User who creates Projects and manages User teams using HacknPlan.
Project/s: the project/s that the Owner registers on HacknPlan so that invited Users can collaborate on it based on the permissions granted to each of them.
GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
1. Responsibility for the processing of personal data:
The responsibility for processing your personal data lies with the business entity Mad Cactus Digital, S.L., with registered address at c/ de la Alameda nº 22, 28014, Madrid (Spain), with NIF: B10709020, if you register as a User on HacknPlan or if you provide your data in any other direct way, such as through a form or by email.
Hereinafter, Mad Cactus Digital.
2. Processing of personal data through HacknPlan by Mad Cactus Digital as data controller:
Mad Cactus Digital, as the data controller, since it decides how and for what purposes the data it collects are processed, will carry out the following processing:
2.1. On the occasion of your request to register on HacknPlan as a User:
a) If you register with your email:
A username (which is not already registered on HacknPlan), your full name, an email address, and a password, which will be stored encrypted, will be requested.
In that case, we will send you an email to the address provided with a link, so that you can verify it, activating your account by clicking on said link.
Your access keys to HacknPlan will be your username or email address and password.
b) If you register using “social logins”:
You can register using your account on the social network or platform whose social login is active in HacknPlan for this purpose (for example, Google or Github).
In that case, it will be the corresponding platform that will provide us with your email address, profile photo, and name with a unique identifier associated with your User profile in HacknPlan.
To do this, you must log in to that social network or platform and accept the permissions that you grant Mad Cactus Digital through it, which will allow the HacknpPlan application to access the aforementioned information in order to provide the contracted service.
Permissions may vary depending on the social login of the platform or social network through which you register on HacknPlan.
c) If you contract any payment service:
To contract payment services, once registered as a User, you will have to provide your billing data (full name, fiscal address, and tax identification number) as well as data relating to the payment method used.
Payment method data will never be stored by Mad Cactus Digital.
2.2. In case of requesting information:
If you contact Mad Cactus Digital to request information through the contact form, you will need to provide your name and email address.
2.3. To leave a comment on the HacknPlan blog:
If you want to leave a comment on the HacknPlan blog, you will need to provide a name, your email address, and your website (optional).
3. Purpose and legal basis for processing personal data:
Below are the purposes of processing your personal data as a “Data Subject”, understood as a natural person who provides information that identifies or makes you identifiable to Mad Cactus Digital, as well as the legal basis that legitimizes such processing.
3.1. Data of the User in HacknPlan:
Your data as a User in HacknPlan are collected to enable the provision of the contracted service and to send notifications related to the service, as well as to manage, if applicable, the billing and payment of the service.
The legal basis for the processing of your data for the provision of the service, billing management, payment, and notification delivery related to the service is the execution of a contract or pre-contract in which you are a party as a Data Subject.
We may also process your personal data for sending commercial communications about the services of Mad Cactus Digital, provided that you have given informed, free, unambiguous, and specific consent on the legal basis of the provision of that consent, and through a clear affirmative action, such as checking a box.
We remind you that you have the right to revoke that consent at any time.
The legal basis for sending commercial communications about Mad Cactus Digital services is the aforementioned consent.
3.2. Processing of contact data:
If you request information through any of the means that HacknPlan makes available to you (chat, forms, etc.), your data will be processed in order to attend to your request, based on Mad Cactus Digital’s legitimate interest in responding to the questions you raise.
We will send you commercial communications, provided that you have given informed, free, unambiguous, and specific consent on the legal basis of the provision of that consent, and through a clear affirmative action, such as checking a box.
3.3. Processing of data when commenting on a HacknPlan blog post:
If you want to leave a comment on any of the posts on the HacknPlan blog, your data will be processed to moderate and publish your comments with your name. Under no circumstances will your email address be published in your comment.
The legal basis for such processing is Mad Cactus Digital’s legitimate interest in attending to your request to publish your comment on the blog.
4. Data retention period:
The personal data provided will be kept as long as there is a mutual interest in maintaining the purpose of the processing and during the period in which liabilities may arise from the services provided to the Data Subject.
When no longer necessary for such purposes, they will be deleted with adequate security measures to guarantee the pseudonymization of the data or their total destruction.
A recipient is understood as a natural or legal person, public authority, service, or other entity to whom personal data is disclosed, whether or not they are a third party.
Your data will not be disclosed to any third party outside of Mad Cactus Digital unless there is a legal obligation or you have expressly authorized it.
6. Data Processors:
There are data processors, understood as entities that process personal data on behalf of Mad Cactus Digital, following its instructions, as service providers necessary for the provision of the service requested by the Data Subject, with whom Mad Cactus Digital has a data processing agreement in accordance with the provisions of the GDPR.
7. International Transfers:
International data transfers involve the flow of personal data from the Spanish territory to recipients located in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland, and Norway).
Mad Cactus Digital carries out international data transfers in its processing activities, but only to countries that have an adequate level of protection based on the corresponding decision of the European Commission.
8. Rights of the Data Subject with Mad Cactus Digital:
As a Data Subject, you have the following rights that the data protection regulations recognize, in accordance with the provisions therein:
- Right to revoke at any time the consent given for the processing of such data when the legal basis for the processing is based on that consent.
- Right of access to your personal data processed by Mad Cactus Digital.
- Right to request the rectification of your personal data that is inaccurate and processed by Mad Cactus Digital.
For the updated maintenance of your personal data, you have the possibility to modify or rectify them through your User profile or by contacting Mad Cactus Digital.
- Right to request the erasure of your data when, among other reasons, they are no longer necessary for the purposes for which Mad Cactus Digital collected them.
- Under certain circumstances, you may request the restriction of the processing of your data, in which case Mad Cactus Digital will only retain them for the exercise or defense of claims.
- Under certain circumstances and for reasons related to your particular situation as a Data Subject, you may exercise the right to object to the processing of your data. In such a case, Mad Cactus Digital will stop processing such data, unless there are compelling legitimate grounds or for the exercise or defense of possible claims.
- Under certain circumstances and for reasons related to your particular situation as a Data Subject, you may request the right to data portability. This is a complementary right to the right of access, as it allows you to obtain the data provided to Mad Cactus Digital in a structured, commonly used, and machine-readable format, which can be transmitted directly to another entity upon the request of the Data Subject.
You may exercise these rights through any means that provide evidence of the sending and receipt thereof, clearly expressing your will in this regard and, if necessary, proving your identity by contacting the email or postal address indicated above.
Furthermore, if you believe that any of your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), located at C/ Jorge Juan, 6, 28001-Madrid, Spain: https://www.aepd.es/ or through the electronic headquarters of the AEPD: https://sedeagpd.gob.es/sede-electronica-web/.
9. Data processing by Mad Cactus Digital as Processor:
9.1. Purpose of the processing assignment:
By registering on HacknPlan and/or hiring the services of HacknPlan, Mad Cactus Digital is authorized to process on behalf of the User and exclusively for the provision of such services, those personal data that are the responsibility of the User as the controller of such data (hereinafter, the Controller), as long as he/she decides how and for what purpose such data are processed.
9.2. Identification of the affected information:
By registering and using HacknPlan as an Owner, Mad Cactus Digital may have access to the email address of the person(s) to whom he/she will send an invitation to participate in his/her Project/s through HacknPlan. In this case, the Owner guarantees that he/she is authorized to provide that email address, having requested, where appropriate, the relevant authorizations and assuming responsibility for the non-compliance with this requirement.
Likewise, Mad Cactus Digital will store any other personal data contained in the information that any User stores in the Projects in which he/she participates, registered on HacknPlan.
It could be possible for Mad Cactus Digital to have access to such personal data on the occasion of some occasional support action requested by a User.
For its part, Mad Cactus Digital holds, with respect to such personal data, the status of processor (hereinafter, the Processor), insofar as it will process such data by reason of the requested service provision and following the instructions of the Controller.
Therefore, the terms of service of HacknPlan include the clauses related to the relationship between the Controller and Mad Cactus Digital as Processor detailed below:
Access to personal data under the responsibility of the Controller will occur as long as the contracting of HacknPlan services is in force. At the end of the service for any reason, HacknPlan will delete such personal data that it processes as Processor.
9.4. Obligations of Mad Cactus Digital as Processor:
Mad Cactus Digital and all its staff are committed to:
a. Use the personal data subject to processing, or collected by the Data Controller through HacknPlan, solely for the purpose of the contracted service. In no case may the data be used for Mad Cactus Digital’s own purposes.
b. Process the data in accordance with the instructions of the Data Controller in accordance with the functionalities offered by HacknPlan.
If Mad Cactus Digital considers that any of the instructions infringes any provision on data protection of the Union or of the Member States, it will immediately notify the Data Controller.
c. Keep a written record of all categories of processing activities carried out on behalf of the Data Controller, which includes:
- The name and contact details of Mad Cactus Digital and each controller on whose behalf it acts.
- The categories of processing carried out on behalf of each controller.
- Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization and, in the case of transfers referred to in Article 49(1), second paragraph, of the GDPR, documentation of appropriate safeguards.
- A general description of technical and organizational security measures relating to:
- The pseudonymization and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data quickly in the event of a physical or technical incident.
- The regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
d. Not communicate the data to third parties, unless it has the express authorization of the Data Controller, in the cases legally admissible.
Mad Cactus Digital may communicate the data to other processors of the Data Controller, in accordance with the instructions of the latter. In this case, the Data Controller will identify, in writing and in advance, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied for the communication.
If Mad Cactus Digital must transfer personal data to a third country or international organization, under Union or Member State law applicable to it, it will inform the Data Controller of that legal requirement in advance, unless prohibited from doing so by that law on important grounds of public interest.
e. The Data Controller expressly and generally authorizes Mad Cactus Digital to subcontract to a third party (subprocessor) the carrying out of any data processing that it has entrusted to it by reason of the contracted services.
Mad Cactus Digital, in the event of resorting to a subprocessor for carrying out certain processing activities on behalf of the Data Controller, will impose on it, by signing the corresponding data processing agreement, the same obligations as those stipulated in this document, and in particular, the provision of sufficient guarantees of application of appropriate technical and organizational measures so that the processing is in compliance with the provisions of the GDPR. If the subprocessor fails to fulfill its data protection obligations, Mad Cactus Digital shall remain fully liable to the Data Controller with regard to the subprocessor’s obligations.
f. Maintain the duty of confidentiality regarding the personal data to which it has had access by virtue of the provision of the service, even after its termination.
g. Ensure that persons authorized to process personal data undertake, in writing, to respect confidentiality and comply with the corresponding security measures, of which they must be duly informed.
h. Keep documentation attesting to compliance with the obligation set out in the previous section at the disposal of the Data Controller.
i. Ensure that persons authorized to process personal data receive the necessary training in data protection.
j. Assist the Data Controller in responding to requests for access, rectification, erasure, opposition, limitation of processing, data portability, and the right not to be subject to automated individual decision-making (including profiling), when individuals exercise such rights.
k. Mad Cactus Digital shall notify the Data Controller, without undue delay, and in any case before the maximum period of 72 hours by email, of breaches of the security of the personal data under its responsibility of which it becomes aware, together with all relevant information for the documentation and communication of the incident. Notification will not be necessary if it is unlikely that such a breach of security constitutes a risk to the rights and freedoms of natural persons. If available, the following information will be provided at a minimum:
- Description of the nature of the breach of security of personal data, including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records affected.
- The name and contact details of the data protection officer or another contact point where further information can be obtained.
- Description of the possible consequences of the breach of security of personal data.
- Description of the measures taken or proposed to remedy the breach of security of personal data, including, where appropriate, the measures taken to mitigate any negative effects.
If it is not possible to provide the information simultaneously, and to the extent that it is not possible, the information will be provided gradually without undue delay.
It is the responsibility of the Data Controller to communicate breaches of the security of the data to the Data Protection Authority and the data subjects when it is likely that the breach poses a high risk to the rights and freedoms of natural persons.
l. Provide support to the Data Controller in making prior consultations with the supervisory authority, where appropriate.
m. Make available to the Data Controller all information necessary to demonstrate compliance with its obligations, as well as for the conduct of audits or inspections carried out by the Data Controller or another auditor authorized by it.
n. In any case, Mad Cactus Digital will implement mechanisms to:
- Ensure the permanent confidentiality, integrity, availability, and resilience of the processing systems and services.
- Restore the availability and access to personal data quickly in the event of a physical or technical incident.
- Regularly verify, assess, and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
- Pseudonymize and encrypt personal data, where appropriate.
o. Once the service has been provided, cease access to the data and, if applicable, return the personal data and media on which they are recorded to the Data Controller, with complete erasure of the existing data on the computer equipment used by Mad Cactus Digital. However, Mad Cactus Digital may retain a copy, with the data duly blocked, as long as liabilities may arise from the execution of the service.
9.5. Obligations of the User as Data Controller:
It is the responsibility of the Data Controller to:
- Make available to Mad Cactus Digital the data necessary for the provision of the contracted service.
- Provide the right to information at the time of collection of the Brand’s data.
- Carry out, where appropriate, an impact assessment on the protection of personal data for the processing operations to be carried out by Mad Cactus Digital, as well as any prior consultations with the relevant supervisory authority.
- Ensure, prior to and throughout the processing, compliance with the GDPR by Mad Cactus Digital.
- Supervise the processing, including carrying out inspections and audits.
Mad Cactus Digital has adopted all necessary technical and organizational measures to ensure the security of the personal data provided, in order to prevent their alteration, loss, unauthorized access or processing, as required by the regulations, although absolute security does not exist.
The personal data processed by Mad Cactus Digital will be treated with the utmost confidentiality by all personnel involved in any phase of the processing.
12. Modification of this policy: