GDPR Compliance Policy

This Policy on the General Data Protection Regulation (GDPR), applies to only those Users based in the European Union (EU) member states and the United Kingdom, or who are subject to EU law in relation to personal data we collect from them.

For the avoidance of doubt, for Users based in the EU member states and the United Kingdom, or who are subject to EU law in relation to personal data we collect from them, this GDPR Compliance Policy is an extension of the Terms and Conditions and the Privacy Policy, however, in the event of any contradiction between this GDPR Compliance Policy and either or both the Terms and Conditions and the Privacy Policy, the GDPR Compliance Policy shall prevail to the extent of such inconsistency. All capitalised terms not otherwise defined in this GDPR Compliance Policy shall have the same definitions ascribed to them in the Privacy Policy.

The GDPR is the new comprehensive EU legislation on the protection of personal data and its free movement, which came into effect on May 25, 2018. The law intends to create uniform data privacy and protection laws throughout the EU member states and clarify, strengthen and elevate the rights of EU citizens and residents in relation to protecting their personal information. The GDPR applies to us in relation to any offers of products and services we make to you and any personal data we collect from you.

The information that is protected by the GDPR is “personal” and “sensitive personal” data. Personal data includes information such as your name, mailing address, e-mail address, financial information, photos and videos and online identifiers such as IP address and cookies.

GDPR requires that we follow privacy principles outlined in Article 5 of the GDPR and comply with at least one of the personal data processing conditions (see Privacy Principles and Personal Data Processing Conditions, below).

We generally do not collect sensitive personal data which includes, without limitation, information such as racial or ethnic origin, political opinions, religious, or philosophical beliefs, trade union membership, genetic, biometric and health data. GDPR requires that if we did or if we do, we should follow privacy principles outlined in Article 9 of the GDPR and comply with at least one of the personal data processing conditions relevant to sensitive personal data.

Privacy Principles

The six (6) privacy principles we must comply with in relation to your personal data are: (i) the collection must be processed lawfully, fairly and in a transparent manner; (ii) collection of personal data must be for specific, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; (iii) collected personal data must be minimised to that which is adequate and relevant for the purpose for which it is processed; (iv) collected personal data must be accurate, and where necessary, kept up to date; (v) the personal data collected must be kept only for as long as is necessary for the purpose for which the data collected are processed, and removed thereafter; and (vi) the personal data collected must be processed in a manner that ensures appropriate security of the personal data.

Personal Data Processing Conditions

Personal data processing under the GDPR must satisfy at least one of the following conditions: (i) your consent must be obtained; (ii) the personal data must be necessary for the performance of a contract to which you are a party or as a preparatory step prior to entering into the contract; (iii) the personal data processing is necessary for compliance with a legal obligation; (iv) the personal data processing is necessary to protect your vital interests or of another person; (v) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; and (vi) processing is necessary for the purpose of legitimate interest pursued by us or a third party, except when such interests are overridden by your rights and freedoms.

Data Controller

As your personal data controller, we are required to conduct data privacy impact assessments, obtain appropriate consent from you (which consent you may withdraw at any time) before collecting your personal data, implement privacy by design (as explained below), and to respect the eight (8) rights of users.

Data Privacy Impact Assessments

In order to continually safeguard the protection of your data, when necessary, as determined at our discretion, we will conduct data processing impact assessments to evaluate our data protection processes and systems with an outlook toward perpetual improvement.

Appropriate Consent

Going forward, in such situations where we shall be requesting (i) your personal data such as your name, e-mail address or date of birth, afresh or for the first time, we shall request your clear, unambiguous affirmative consent beforehand, and (ii) your sensitive personal data afresh or for the first time, we shall request your explicit consent.

Privacy By Design

We undertake to continuously make the effort to implement and satisfy the requirements of privacy by design, by (i) being proactive about preventing data breaches, (ii) placing the highest premium on maintaining the privacy of your personal data, (iii) integrating privacy as a key component of future designs and updates, (iv) placing the highest premium on the privacy of your personal data, (v) implementing full lifecycle protection for your collected data, (vi) being open and transparent with you about our Privacy Policy and legal agreements, and (vii) placing you first in respect of your personal data.

Your Data Rights

The eight (8) rights that you as the user have under the GDPR with regards to when your personal information is collected, include, the right (i) to receive transparent information about data processes; (ii) of access to one’s own personal data; (iii) of correction and amendment of personal data; (iv) to expunge personal data; (v) to curtail and restrict personal data processing; (vi) to use personal data for other purposes; (vii) to objection of the processing of personal data; and (viii) in relation to protection of personal data from automation processes.

Data Processor Requirements Under the GDPR

We utilise the services of certain data processors such as Google Analytics. In some respects, we may be considered as acting as a data processor. The GDPR recognises the responsibility of data processors to maintain, secure and process collected personal data. Going forward, our data processors will be required to (i) keep and maintain written records for such data processing they carry out for us, (ii) put in place appropriate security measures in relation to the protection of your personal data, and (iii) notify us as soon as possible of any data breaches that occur, which information we are in turn required to pass on to you. To the extent that, at any time or from time to time, we may be considered to be acting as data processors, we shall endeavour to comply with this requirement.

In case you have any questions regarding your personal data and the application of the GDPR, please contact us [email protected] and we shall be happy to assist you.