1. Who is the controller of my Personal Data; definitions
1.1 What is Personal Data?
Personal data is any piece of information relating to an identified or identifiable natural person, e.g. name and surname, email address, IP address, location, data about one’s earnings and the like (hereinafter: Personal Data).
A natural person is identifiable if she or he can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2 What does the term Controller mean?
Put simply, the Controller is the one in charge of, and responsible for, collecting, storing and processing Personal Data, regardless of whether these operations are conducted by the Controller or through third persons on behalf of the Controller.
According to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC - General Data Protection Regulation (hereinafter: GDPR), a controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.3 What is processing of Personal Data?
Processing of Personal Data means any operation or set of operations performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2. Which Personal Data about me is being processed
2.1 App Users
The following Personal Data of every App User is being processed:
- Identification: username and password, email address,
- IP address of the network from which you are accessing the App,
- Data about your device through which you access the App,
- Data about the use of the App:
  - Dates and times of using the App,
  - Actions taken within the App (challenges taken, challenges accomplished and the date and time thereof),
- Data about App usage:
  - Names of groups the User is a member of,
  - Group(s) managers,
  - Date and time of becoming a group member,
  - Date and time of leaving the group,
  - Challenges the User has responded to,
  - Dates and times of responding to challenges,
  - Pictures, videos, messages or other content sent as response to challenges,
- Communication data:
  - Date and time of sent email messages,
  - Date and time of sent notifications within the App.
The following Personal Data of Subscribers is being processed:
- All the data under point 2.1,
- Date and time of subscription (payment of fee),
- Dates and times of any in-app purchases,
- The paid amounts for subscriptions and in-app purchases,
- The payment method used,
- Numbers and dates of issued invoices,
- Data about App usage:
  - Names of all the groups the subscriber manages,
  - Challenges created by the Subscriber,
  - Response rates for every challenge,
  - Users who responded to the challenge.
2.3 No obligation to provide Personal Data
You may freely decide whether you want to provide us your Personal Data or not. There is no obligation on your side to provide it and there are no negative legal consequences if you choose not to provide it. However, not providing certain Personal Data may result in your inability to use the App or to subscribe to the App or to use some of its functionalities.
3. For what purposes is my Personal Data being processed
3.1 To enable the functioning of the App
We need certain Personal Data in order to enable you to use the App, e.g. your email address which is used for logging into the App, the data about the challenges which is used for showing you your progress, the data about the groups to show you which groups you are a member of etc.
3.2 To enter into a contract with you and to fulfill our contractual obligations
We need certain Personal Data (e.g. payment and contact data) in order to enable your subscription to the App and your use of the App functionalities you have subscribed to. We also need certain Personal Data to be able to issue and send you an invoice for the purchases, which is a legal obligation on our side.
3.3 To communicate with you
We need certain Personal Data (e.g. your email address) to communicate with you in relation to the App development and functionalities, your purchases, claims, or any questions you may have.
3.4 For statistical and analytical purposes
We use certain Personal Data (e.g. about the use of the App), however in an aggregated and therefore anonymised form, for statistical and analytical purposes, with the aim of improving app functionalities and developing new ones, price optimisation etc.
4. What are the legal grounds for processing my Personal Data
4.1 Contractual relationship with you
4.2 Compliance with a legal obligation to which we are subject
In certain circumstances, we need to process your Personal Data to comply with a legal obligation, e.g. to issue and send you an invoice or to respond to court or law enforcement orders to provide or disclose certain information, e.g. about (credit card) fraud etc.
4.3 Our legitimate interest
In certain cases we rely on our legitimate interest as the legal basis for the processing of your Personal Data. Such cases include:
- Communication related to the App, such as notifications of new functionalities, updates, versions etc.,
- Use of Personal Data for the development, provision, enhancement and improvement of the App and your App experience,
- Sending of surveys and polls,
- Sending of promotional messages related to the App (in line with the EU rules on commercial messages based on the ePrivacy Directive / Regulation),
- Prevention and detection of illegal or harmful activities, e.g. by storing your IP addresses and the dates and times of your accessing the App,
- Sale of the App to a third party, mergers and acquisition: in such a case we may transfer your Personal Data to a third party.
We may ask you to consent to:
- Promotional communication not related to the App
- Promotional communication by our partner companies (3rd parties),
- Transfer of your Personal Data to third parties (unless we are obliged by the law to transfer the data or unless some other legal grounds for the transfer exists),
- Transfer of your Personal Data to countries other than the European Economic Area (EEA) members (unless some other legal grounds for the transfer exists).
You have to be at least 15 years of age to be able to give a valid consent.
You may withdraw your consent at any time. See section 7.2 for more.
5. How long is my Personal Data being processed (retention period)
We will retain your Personal Data for as long as you maintain an account (regardless of whether you still have the App installed). If you want to delete your account, you may send us an email at email@example.com.
We will also retain certain Personal Data for as long as necessary to comply with our legal obligations, resolve disputes, and enforce the contract. Typically, the retention period for this type of data shall be 5 years from the date of subscription. In case of a dispute, the retention period shall typically be 5 years from the date of the final judgment or other decision or agreement.
We will store the data related to security and prevention of illegal or harmful activity (e.g. your IP addresses and the dates and times of your accessing the App) for 6 months.
After the expiry of the retention period, we shall either delete or anonymise your Personal Data.
6. Where is my Personal Data being stored and who has access to it
We keep your Personal Data on servers located in the European Economic Area (EEA) countries. We do not transfer or give access to your Personal Data to persons who would transfer the data outside the EEA.
We only share some of your Personal Data, based on your free and explicit consent (that you can at any time withdraw), with a limited number of partners. The list of our partners, which may be updated from time to time, can be found here. The partners are obliged to only use your Personal Data for the agreed upon purposes.
We use the services of certain 3rd parties which may, in the performance of their services, process your Personal Data or have access thereto. Their processing of your Personal Data is governed by a written agreement entered into between us and such third parties, making sure that they only process your Personal Data for the defined purposes, and never on their own behalf. Such 3rd parties include:
- App hosting and storage providers,
- Email (marketing) providers,
- Digital marketing providers,
- Marketing automation providers,
- Accounting services providers,
- Legal services providers.
Within the Controller, we only grant access to your Personal Data on a strict need-to-have basis, meaning that your Personal Data can only be accessed by those of our employees or other coworkers whose job is to perform operations that include the processing of Personal Data. Even then, access to Personal Data is not general but is limited to certain sets of Personal Data.
7. What are my rights related to my Personal Data and how can I enforce them
You can send any claim or enquiry related to your Personal Data and to the enforcement of your rights related to them to the email address firstname.lastname@example.org. We may request additional data from you if we are unable to identify you based on your email message. We may refuse the execution of your rights if we are unable to identify you.
7.1 Right to information and to access Personal Data
You have the right to obtain confirmation from us as to whether or not your Personal Data is being processed, and, where that is the case, the right to access the Personal Data and the following information: the purposes of the processing, the categories of Personal Data concerned, its users, the period for which the Personal Data will be stored, or the criteria used to determine that period, the right to request rectification or erasure of Personal Data or restriction of or objection to processing of Personal Data, the right to lodge a complaint with a supervisory authority, the source of the data if the data were not collected from you, the existence of automated decision-making, including profiling and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
You may ask for a copy of your Personal Data undergoing processing. For any further copies, we may charge a reasonable fee based on administrative costs. If you make the request by electronic means, and unless otherwise requested, the information shall be provided in a commonly used electronic form.
7.2 Right to withdraw consent
You may withdraw your consent to processing of your Personal Data at any time. The withdrawal of consent only affects those sets of Personal Data that were being processed based on your consent. We may still process other sets of Personal Data based on other legal grounds (see section 4 for more information about legal grounds for processing).
Consent can be withdrawn through a written statement that is sent to the email address email@example.com or (in case of newsletter) by clicking on the unsubscribe link.
Withdrawal of consent bears no negative consequences or sanctions for you. It is however possible that we may not be able to provide some of our services to you after the withdrawal of consent, if such services cannot be performed without the processing of Personal Data in question.
7.3 Right to deletion of Personal Data (right to be forgotten)
You have the right to request us to delete without undue delay your Personal Data when one of the below reasons exists:
- The Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- You have withdrawn your consent, and there are no other legal grounds for further processing;
- You have objected to the processing of your Personal Data, and there are no overriding legitimate grounds for processing;
- Your Personal Data has been unlawfully processed;
- Personal Data has to be erased for compliance with a legal obligation in the European Union or Member State law;
- The Personal Data has been collected in relation to the offer of information society services.
7.4 Right to rectify Personal Data
You have the right to request us to rectify inaccurate Personal Data without undue delay.
7.5 Right to restriction of processing
You have the right to request from us to restrict the processing of your Personal Data where one of the following applies:
- You contest the accuracy of the Personal Data for a period enabling us to verify the accuracy thereof;
- The processing is unlawful, and you oppose the erasure of the Personal Data and request the restriction of their use instead;
- We no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
- You have objected to processing pending the verification whether our legitimate interests override your rights.
7.6 Right to data portability
You have the right to receive the Personal Data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format, and have the right to transmit such data to another controller without hindrance from our side, where:
- The processing is based on consent or on a contract; and
- The processing is carried out by automated means.
In exercising the right to data portability, you have the right to have your Personal Data transmitted directly from us to another controller of your choice, if this is technically feasible.
7.7 Right to object to Personal Data processing
You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data that is necessary for the purposes of the legitimate interests pursued by us, including profiling based on the Personal Data; we shall no longer process the Personal Data in question unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where Personal Data is processed for direct marketing purposes, you have the right to object at any time to processing of your Personal Data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
7.8 Right to lodge a complaint with the supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the European Union Member State of your habitual residence, place of work or place of the alleged infringement.
In Slovenia, you can lodge a complaint with: Informacijski pooblaščenec, Dunajska cesta 22, 1000 Ljubljana, firstname.lastname@example.org.