Documate Privacy Policy

This Privacy Policy applies to the application Documate (“Application”), developed and provided by SwissFlowIt, S.L. (“SwissFlowIt”). The Application operates within your ServiceNow instance and is designed not to collect personal data. It only processes Service Usage Data necessary to monitor performance, facilitate support, and manage licensing.

Applicability of this Privacy Policy

This Privacy Policy applies to Documate, a ServiceNow application developed and provided by SwissFlowIt. It covers the collection and use of Service Usage Data generated when users access the Application.

This Privacy Policy does not apply to:

  • The SwissFlowIt website (www.swissflowit.com), which has its own privacy policy.
  • The ServiceNow platform itself, which is governed by ServiceNow’s privacy policy.
  • Any third-party applications or services that may integrate with Documate.
  • Any other SwissFlowIt products or services not specifically mentioned herein.

Information we collect

Documate collects only Service Usage Data when users access and interact with the Application. Specifically, we collect:

  • User sys_id: A 32-character unique identifier automatically generated by ServiceNow for the user record. On our side, it functions as a pseudonymous reference and is not combined with names, email addresses, or customer content. Within your organisation’s ServiceNow instance, the sys_id may be linkable to an individual via the user record.
  • Instance identifier: The ServiceNow instance in which Documate is being used.
  • Date and time of access: The timestamp of when the Application is accessed.

How we process your information and our legal bases for doing so

SwissFlowIt uses Service Usage Data to operate Documate and our business. If and to the extent Service Usage Data is considered personal data under applicable law, we process it under the lawful bases below.

  • Provide and maintain the Service. We process Service Usage Data to ensure availability and troubleshoot issues. Legal bases: performance of a contract (with the Customer) and our legitimate interests in operating and improving the Service.
  • Security, integrity, and abuse prevention. We use Service Usage Data to monitor service health, detect anomalous or abusive activity, prevent fraud, and protect the Service and our Customers. Legal bases: our legitimate interests in securing the Service and, where applicable, compliance with legal obligations.
  • License and subscription administration. We process instance identifiers and entitlement signals to verify license scope and to support renewals or changes. Legal bases: performance of a contract (with the Customer) and our legitimate interests in administering subscriptions.
  • Service analytics and improvement. We use usage indicators to understand adoption and reliability, prioritise improvements, and plan capacity. Legal basis: our legitimate interests in developing and improving the Service in a manner that does not override individuals’ rights and freedoms.
  • Compliance and legal. We may process limited Service Usage Data to comply with applicable laws, enforce our agreements, and respond to lawful requests. Legal basis: compliance with legal obligations and our legitimate interests in protecting our rights.

Data retention

We retain Service Usage Data only for as long as necessary to fulfil the purposes described in this Privacy Policy, including operating and securing the Service, administering the Customer’s subscription, and complying with legal obligations (if applicable). Because the Service Usage Data we control does not identify individual users and is limited to instance-level identifiers, we generally retain it for the duration of the Customer’s subscription and for a limited period thereafter to support deprovisioning, audit, and dispute resolution.

When retention is no longer necessary, we delete or de-identify Service Usage Data (if any remaining linkability exists). Individuals may request deletion of Service Usage Data that we control; we will honour such requests unless retention is required by law or necessary to establish, exercise, or defend legal claims.

Security

We take the security of data very seriously. We use industry‑standard safeguards and reputable cloud infrastructure providers under written agreements. While no system can be guaranteed 100% secure, we continually work to protect the information we process for Documate against unauthorised access, loss, misuse, or disclosure.

To learn more about our current security practices for Documate, please contact us at info@swissflowit.com.

When you connect to third‑party services or follow links, you may be interacting with services we do not control. Those services are governed by their own terms and privacy policies.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the features of Documate. When we make changes, we will post the updated Policy with a new effective date and encourage Customers to review it periodically to stay informed.

If a change materially affects privacy rights or how the Application processes information, we will provide additional notice through email to the Customer’s designated contact, before the changes take effect, unless immediate changes are required to meet legal or security obligations.

Your organisation’s continued use of Documate after the effective date of an update constitutes acceptance of the updated Policy to the extent permitted by law. If you do not agree to the updated Policy, you may stop using Documate and request uninstallation, and you may contact us with any questions.

We maintain prior versions of this Policy and will provide them upon request.

Data transfers

We host and process Service Usage Data with trusted cloud infrastructure providers under written agreements in the European Economic Area (EEA). We also operate an internal analytics environment under our control in Switzerland to visualise Service Usage Data for support and operational purposes. Access to this information is restricted to authorised personnel in Spain and Switzerland and is logged, role-based, and limited to the purposes described in this Policy. We do not sell data or share it with third parties for their independent advertising or marketing purposes.

We do not routinely transfer Service Usage Data outside the EEA or Switzerland. If, in the future, a transfer to a country without an adequacy decision becomes necessary, we will implement an approved transfer mechanism, apply appropriate supplementary safeguards, and update this Policy accordingly.

Who may access Service Usage Data

  • Our personnel: Access is limited to authorised employees and contractors who need it to operate the service and are bound by confidentiality obligations.
  • Service providers: We use vetted cloud infrastructure and operational vendors to host and process Service Usage Data on our behalf under written agreements.
  • Legal and safety: We may disclose Service Usage Data if required by law or to protect the rights, property, or safety of our users, customers, or the public.
  • Business transfers: If we undergo a corporate transaction (e.g., merger, acquisition, or reorganisation), Service Usage Data may be transferred as part of that transaction, subject to this Policy.

We do not share Service Usage Data with third parties for their independent marketing purposes.

Identifying the Controller and Processor Roles

  • Customer Content in Your ServiceNow Instance. Your organisation is the data controller of the business content stored in its own ServiceNow instance. SwissFlowIt does not access this content in the ordinary operation of the app; any exceptional access for support or security would occur only upon the Customer’s request, under confidentiality obligations, and within the Customer’s environment, without extracting content. Accountability for any externally embedded content loaded in ServiceNow lies with the customer.
  • Service Usage Data for Documate. SwissFlowIt is the data controller of the Service Usage Data described in this Policy. We engage contracted service providers as processors to host and process that data on our behalf under written agreements that include confidentiality and security obligations.

Your rights

Individuals in the EEA, the United Kingdom, Switzerland, Brazil, and other jurisdictions may have statutory rights in relation to their Personal Data. Documate processes only Service Usage Data. If, under applicable law, Service Usage Data is not considered Personal Data, statutory data‑subject rights do not apply to our processing.

If, however, Service Usage Data is considered Personal Data in your jurisdiction, and subject to any exemptions provided by law, you (or your organisation) may have the right to request access, correction, deletion, restriction, or portability of that information, and to object to processing based on legitimate interests.

Contacting SwissFlowIt

Please feel free to contact SwissFlowIt if you have any questions about this Privacy Policy or SwissFlowIt’s practices, or if you are seeking to exercise any of your statutory rights. We will respond within a reasonable timeframe. You can contact us at info@swissflowit.com or at our postal address:

SwissFlowIt, S.L.
Calle Gutiérrez Herrero 52
33402, Avilés (Asturias)
Spain