Effective as of September, 18 2020
All the terms listed below shall also have meaning assigned to them in GDPR and LGPD.
PERSONAL DATA means data allowing to identify the natural person directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.;
PROCESSING means any operation or set of operations that is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or destruction;
DATA SUBJECT is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular Personal Data.
1. The ECOMBIX OY shall be considered a data owner and data controller in relationships with Data Subject. We acknowledge the privacy of natural persons and make efforts to protect them against any unlawful Processing by applying relevant technical and organizational measures to protect Personal Data of natural persons in accordance with the effective legislation. Although we will make reasonable efforts to ensure safe Processing, we cannot guarantee it to be 100% secure and risk-free.
2. We process personal data in a way that assures appropriate level of security, including protection against unauthorized Processing, destruction, accidental loss, or damage, while applying suitable organizational and technical measures under industry standards and in compliance with the following principles: (1) lawfully, fairly and transparently; (2) Processing is specified, explicit and only for legitimate purposes; Processing is adequate, relevant and limited to necessary purpose; accurate and kept up to date; limitation of the storage for periods not longer than necessary; Processing is held in a manner that ensures appropriate security of the Personal Data.
3. We Processes Personal Data only when one of the conditions below applies: (1) it is required for the performance of agreement with the Data Subject; (2) it is required for compliance with the law or our legal obligation; (3) Data Subject has provided us with consent for Processing of their Personal Data for one or more specific purposes; (4) Personal data is Processed for our Legitimate Purpose.
4. When it comes to California consumers, we will not discriminate against your rights granted by CCPA. Unless permitted by the CCPA, we will not: (1) reject your request for goods or services on the basis of discrimination; (2) provide to California based consumers different prices for goods or services, including through granting discounts or other benefits; (3) render to California based consumers different level or quality of goods or services in comparison to our other clients.
5. Notwithstanding the aforementioned, we may, at our own discretion, offer California based consumers certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will contain written terms that describe material aspects.
6. We do not knowingly Process Personal Data that related to, or reveal, racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning the health, sex life or sexual orientation of the natural person.
7. We apply the following principles in order to protect your privacy: (a) we will not sell or lease your Personal Data to third parties; (b) any Personal Data that you provide to us will be secured with industry-standard safety protocols and technology.
IV. CATEGORIES OF PERSONAL DATA COLLECTED
|Contact data||Email, address and/or mobile phone number|
|Financial data||Bank account and payment card details, tax identifiers (like VAT number)|
|Third-party account data||Third-party account identifiers, third party account login credentials|
|Identity data||First name, last name, username|
|Marketing data||Preferences in receiving marketing from us|
|Communication data||Messages you send to us|
|Technical data||Internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system|
We process Personal Data under the following legal basises:
- On the basis of consent Art. 6 (1) (a) GDPR; Art 7 (I) LGPD.
- For other legitimate interests, unless those interests are overridden by Data Subject’s or fundamental rights and freedoms that require protection of personal data. For example, we rely on our legitimate interest when it comes to (1) diagnostic analytics to assess the number of visitors, posts, page views, reviews for further optimization of our Platform; (2) optimization of our visitors’ experience; (3) fraud prevention; (4) network and information security, (5) analysing customer satisfaction.
V. PURPOSE OF PROCESSING
|Purpose/ Activity||Type of data||Lawful basis for Processing|
|To register Data Subject account||Identity data, contact data, third party account data||to perform our contractual obligations with you|
|To provide our services||Identity data, contact data, financial data, marketing data, communication data||(1) to perform contract with Data Subject;
(2) as necessary for our legitimate interest in recovering debts
|To manage our relationship with Data Subject||Identity data, contact data, profile data, marketing data||(1) to perform our contract with You;
(2) as necessary to comply with our legal obligations
|To deliver relevant content/advertisements to Data Subject and measure or understand the effectiveness of our advertising||Identity data, contact data, profile data, marketing data, technical data||(1) as necessary for our legitimate interests in studying how customers use our products/services, to develop them;
(2) to grow our business and to inform Data Subject about our marketing strategy
|To use data analytics to improve our platform, services, marketing, customer relationships and experiences||technical data||to keep our PLATFORM updated and relevant, to develop our business and to inform our marketing strategy|
|To make suggestions and recommendations about goods or services that may be of interest to Data Subject, including promotional offers||Identity data, contact data, technical data, profile data||as necessary for our legitimate interests to develop our products/services and grow our business|
VI. DISСLOSING OF PERSONAL DATA
We may disclose Personal Data to the following categories of persons:
|Service providers||acting as data processors or data controllers/joint data controllers based in the EEA but also around the world who provide software development services, marketing services, IT and system administration services. This includes following categories:
1. Hosting services providers
2. Payments processors
3. Analytics Services providers
4. E-mail campaigns automation services providers
5. Affiliates tracking services providers
|Professional advisors||acting as data processors or data controllers/joint data controllers including lawyers, bankers, auditors and insurers based in the EEA but also around the world, who provide consultancy, banking, legal, insurance, and accounting services|
|Tax services, regulators and other authorities||acting as processors or joint controllers based in the EEA who require reporting of Processing activities in certain circumstances|
|Third parties||third parties, who may or whom we may purchase. We may share your Personal Data as part of change in control, merge or sale, or in preparation for any of these events.|
|Others||market researchers, fraud prevention agencies|
When service providers are located outside EEA, we either enter into a data processing agreement with standard (“model”) contractual clauses, or ensure that the transfer is pursuant to another valid mechanism under GDPR.
You retain at all times the possibility to object replacement of data controller, contractors or subprocessors that handle your personal data or to terminate the contract with us.
VII. GDPR DATA SUBJECTS RIGHTS EXECUTION (EEA BASED ONLY)
A. Rights of the data subject
1. Right to rectification. Data Subject has the right to request to rectify, without undue delay, any incorrect data pertaining to the respective Data Subject.
2. Right to limitation of processing. Data Subject can limit the use of Personally Data collected.
3. Right of access. User may request a copy of Personal Data collected during the use of Platform.
4. Objecting to or restricting the use of Personal Data. Data Subject can ask to stop using all or some portion of Personal Data or limit the use thereof by requesting its erasure as described above or sending a request at firstname.lastname@example.org.
5. The right to lodge a complaint with a supervisory authority. User has the right to lodge a complaint with a competent data protection supervisory authority, in particular in the EU Member State where Data Subject resides, work or where the alleged infringement has taken place.
6. The right to data portability. Data Subject can receive Personal Data in a machine-readable format by sending a respective request at email@example.com.
B. Execution of rights
1. Upon Data Subject request we will provide the information free of charge. However, we may charge a reasonable fee if the Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the Data Subject request in these circumstances.
2. Data Subjects exercise their rights by filing a written request containing as a minimum the following information: (1) name, postal address, email address and other data allowing identification of the respective natural person; (2) description of the request; (3) signature, date, correspondence address and mobile number.
3. The filing of the request is free of charge.
4. Upon the filing of a request by an authorized person, the notarised power of attorney must be attached to the request.
5. In case of death of the natural person, his / her heirs exercise his / her rights and the certificate of heirs shall be attached to the request.
6. We will review and pronounce on the request within 1 month as of its filing. This period may be extended by further two months, if necessary, for example, if Data Subject request is particularly complex or when Data Subject has made a number of requests. We will inform Data Subject as to any such extension within 1 month as of receipt of the request, stating the reasons for the delay.
7. We will provide an answer to the requesting person taking into account their preferred form for the provision of the information (orally or in writing – as a hard copy of electronically).
8. Where data do not exist or law forbids their provision, access to the requesting party to such data is refused.
9. If the requesting party is not satisfied with the response received and/or believes that their rights related to Personal Data protection were violated, they are entitled to exercise their right to defense.
VIII. EXECUTION OF RIGHTS BY CALIFORNIA BASED CONSUMERS
A. Access to Specific Information and Data Portability Rights
1. California Consumers have the right to request information about what information was Processed over the past 12 months. Once we receive your request and confirm that you are consumer, we will disclose to you:
- The categories of sources for Personal Data we collected about you.
- The Personal Data we collected about you (also called a data portability request).
2. All other information is already disclosed herein. For the avoidance of doubts, we do not sell California based consumers Personal Data.
B. Deletion Request Rights
1. California Consumers have the right to request the deletion of Personal Data Processed, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete Personal Data from our records, unless Personal Data is necessary for us or our service provider(s) to (1) complete the transaction for which we collected the Personal Data, provide a good or service that Consumer requested, take actions reasonably anticipated within the context of our ongoing business relationship with Consumer, or otherwise perform our contract; (2) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (3) debug products to identify and repair errors that impair existing intended functionality; (4) exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (5) comply with a legal obligation; make other internal and lawful uses of that information that are compatible with the context in which Consumer provided it.
C. Exercising Access, Data Portability, and Deletion Rights
1. To exercise the access, data portability, and deletion rights described above, you should submit a verifiable consumer request to firstname.lastname@example.org. Only consumers based in California, or a person registered with the California Secretary of State that Data Subject authorize to act, may make a verifiable consumer request related to Personal Data.
2. Consumer can make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (1) provide sufficient information that allows us to reasonably verify the consumer is the person about whom we collected Personal Data; and contain description allowing us to properly understand, evaluate, and respond to it.
3. We cannot respond to the request or provide the consumer with Personal Data if we cannot verify the consumer identity or authority to make the request and confirm the relation of Personal Data.
D. Response Timing and Format
1. The verifiable consumer request shall be responded within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. The responding is free of charge unless it is excessive, repetitive, or manifestly unfounded.
IX. EXECUTION OF RIGHTS BY BRAZILIAN DATA SUBJECTS
1. If you are Data Subject from Brazil, according to Art 18 of LGPD we allow you exercise the following rights:
A. The right to confirmation of the existence of the processing;
B. The right to access the data;
C. The right to correct incomplete, inaccurate or out-of-date data;
D. The right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD;
E. The right to the portability of data to another service or product provider, by means of an express request;
F. The right to delete personal data processed with the consent of the data subject;
G. The right to information about public and private entities with which the controller has shared data;
H. The right to information about the possibility of denying consent and the consequences of such denial; and
I. The right to revoke consent.
2. You can execute your rights by sending email to email@example.com.
3. We will provide you with a response within:
A. Response to the right of access request will be provided within 15 days from the moment we received your request and verify your identity.
B. Other requests will be executed within reasonable time, but not more than 30 days from the moment we received your request and verified your identity.
4. Upon Data Subject request we will provide the information free of charge. However, we may charge a reasonable fee if the Data Subject request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with the Data Subject request in these circumstances.
5. Upon the filing of a request by an authorized person, the notarised power of attorney must be attached to the request.
6. In case of death of the natural person, his / her heirs exercise his / her rights and the certificate of heirs shall be attached to the request.
Personal Data is processed at our operating offices and in any other places where the parties involved in the processing are located. It may be necessary to transfer collected Personal Data to countries outside of the European Union for Processing purposes.
XI. RETENTION TIME
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for. Personal Data collected for purposes related to the performance of a contract shall be retained until such a contract has been fully performed. Personal Data collected for the purposes of our legitimate interests shall be retained as long as needed to fulfill such purposes. Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after the expiration of the retention period.
XII. AGE LIMITATION
We do not knowingly Process any Personal Data from persons under 18 years of age. If you learn that anyone younger than 18 has provided us with Personal Data, please contact us at firstname.lastname@example.org.
XIII. THIRD-PARTY LINKS
XIV. INFORMATION FOR DATA SUBJECT
XV. COOKIES POLICY
Cookies are small text files sent by us to your computer or mobile device. They are unique to your account or your browser. Session-based cookies last only while your browser is open and is automatically deleted when you close your browser. Persistent cookies last until you or your browser deletes them or until they expire. To find out more about cookies, visit http://www.allaboutcookies.org/
See below for the types of cookies we use and their respective purposes.
|Functionality cookies (Necessary cookies)||We use functionality cookies that support certain functionalities of our website, prevent failures and errors.|
For this purpose we use:
|Statistics cookies||Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
We use Statistic cookies to recognize visitors who chat with us, identify user’s device, identify what information has been seen by the user, minimize the blocking of legitimate users.
For this purpose we use:
Some people prefer not to allow cookies, which is why most browsers give you the ability to manage cookies to suit you. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your privacy. What this means is that you can disallow cookies from all sites except those that you trust. By doing so, you may not be able to access all or parts of our website.