Last update made 4 June, 2021.
We, Graspic OÜ, a company established and registered under Estonian Commercial Code with registry code 14611405 (hereinafter Graspic, we, us or our), have prepared this privacy and cookies policy (hereinafter the Policy) to inform you about our practices in connection with the collection, use and disclosure of the personal information you make available to us by using our mobile app named Graspic and/or website https://www.graspic.app/ with tools and services we provide you (hereinafter altogether as Services). By using our Services, you accept the privacy practices described in this Policy. If you do not accept our privacy practices, please stop using our Services immediately. This Policy also applies to our marketing leads.
Our Policy is a legal statement that explains how we may collect information from you, how we may share your information, and how you can limit our sharing of your information. Kindly note that this Policy does not apply to the content, communication and other personal information provided and processed by our Users (defined below) using the Services. In such case, the User acts as a Data Controller (defined below) as regards such Personal Data (defined below) and is responsible for the processing thereof and we urge our Users to carefully consider what content and with whom they choose to share with, for example by inviting your family, friends or other Users to see and interact with the content you have provided. We and you cannot control the actions of other individuals with whom you may choose to share your information. Your Personal Data will not be visible to other Users of the Services unless you provide them with access to it.
As we are a company registered in the Republic of Estonia, the processing of your personal data shall be governed by the laws of the Republic of Estonia. The main language governing the Policy shall be English to make sure that any information and communication relating to the processing of your personal information would be easily accessible and easy to understand in clear and plain language.
You will see terms in our Policy that are capitalized. These terms have meanings as described below.
1.1. Data Controller means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes and the means any Personal Data are, or are to be, processed. For this Policy, Graspic is the Data Controller of your Personal Data.
1.2. Data Processor (or Service Provider) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers to process your data more effectively.
1.3. Data Protection Regulations means any applicable laws and regulations regulating the processing of Personal Data, including but not limited to the GDPR.
1.4. Data Subject means any living individual who is the subject of Personal Data.
1.5. GDPR means General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.6. Personal Data means data about a living individual who can be identified from such data (or from such and other information either in our possession or likely to come into our possession).
1.7. Public Area means the Services that can be accessed both by Users and Visitors, without needing to log in.
1.8. Restricted Area means the area of the Services that can be accessed only by Users, and where access requires logging in.
1.9. Usage Data means automatically collected data either generated using the Services or from the Services infrastructure itself (for example, the duration of a page visit).
1.10. User means an individual other than a Visitor, who has the access to the Restricted Area. The User corresponds to the Data Subject.
1.11. Visitor means an individual other than a User, who uses the Public Area and has no access to the Restricted Area. The Visitor corresponds to the Data Subject.
2. Which Personal Data we collect
2.1. Personal Data
While using our Services, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personal Data may include, but is not limited to name, personal identification code, e-mail address, mobile phone number, postal address, IP address, photos, documents and the other data that you enter by using the Services by virtue of the nature of the Services, when any such information is linked to information that identifies a specific individual.
You may provide us with Personal Data in various ways. For example, when you register for an account, use the Services, or send us User service-related requests.
We may use your Personal Data to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. Should we contact you with direct marketing based on our legitimate interest to offer you our Services, we will consider and balance any potential impact on you and your rights under Data Protection Regulations and any other relevant law. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.
2.1.1. Personal Data of Children
As children are less aware of the risks and consequences of sharing their Personal Data and of their rights, they need additional protection. For that reason, our Services are designed for those 16 years of age and older. Our Services is not intended for, and we do not knowingly collect Personal Data from anyone under the age of 16. If we are made aware that we have received such Personal Data, or any information in violation of our Policy, we will use reasonable efforts to locate and remove that Personal Data from our records.
2.2. Usage Data
We may also collect information on how our Services are used. These data are collected and processed anonymously, meaning that non-personalized cookies are used. In addition, we use the Facebook Pixel service, which processes your Usage Data based on cookies and other technologies to offer personalized social media ads after visiting our website.
3. How we use collected Personal Data
3.1. Data protection principles
First and foremost, it is important for us to emphasize that we comply with all relevant Data Protection Regulations and principles when processing Personal Data. These principles relate to:
- Lawfulness, fairness, and transparency – we process your Personal Data lawfully, fairly and in a transparent manner;
- Purpose limitation – we only collect your Personal Data for a specific, explicit, and legitimate purpose and only for as long as necessary to complete that purpose;
- Data minimization – we do ensure that your Personal Data we process is adequate, relevant, and limited to what is necessary in relation to our processing purpose;
- Accuracy – we take every reasonable step to update or remove data that is inaccurate or incomplete. You have the right to request that we erase or rectify erroneous information that relates to you, and we will do so within a month;
- Storage limitation – we delete your Personal Data when we no longer need it;
- Integrity and confidentiality – we keep your Personal Data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate and reasonable technical or organizational measures.
3.2. Purposes and legal basis
We collect several different types of information for various purposes to provide and improve our Services to you. Our legal basis for collecting and using the personal information described in this Policy depends on the Personal Data we collect and the specific context in which we collect it.
Graspic may process your Personal Data because (a) we need to perform a contract with you; (b) you have given us your consent to do so; (c) the processing is in our legitimate interests and it’s not overridden by your rights and/or (d) to comply with the law.
We use the collected data for various purposes:
- to continuously provide the best Services possible;
- to notify you about changes to our Services;
- to gather and analyze valuable information (anonymous data) so that we can improve our Services as a result;
- to provide User support;
- to carry out anonymous usage statistics analyses;
- to detect, prevent and address technical issues;
- according to the legal requirements and supervisory authorities;
- to answer your requests for information;
- to contact you for administrative purposes to address any issues you might have.
We do not use your Personal Data for your profiling and do not allow your personalized profiling to third parties.
3.2.1. Processing based on consent
In case Graspic processes your Personal Data on the basis of consent (e.g. for direct marketing purposes and for carrying out market research, preparing statistical studies and analyses of user groups, preparing and building lookalike audience groups, reporting and risk management in order to better understand the users’ expectations and develop relevant models, products, services and processes), you can withdraw consent at any time by contacting us as set forth in the “Contact Us” section. Please note that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
As for direct marketing messages received by e-mail, you can also withdraw consent and opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.
Please note that if you specifically consent to additional uses of your Personal data, we may use your Personal Data in manner consistent with that consent.
4. How we may share Personal Data
4.1. Transfer of Personal Data
Your Personal Data may be transferred to, and maintained on, computers located outside of your country or other governmental jurisdiction where the data protection laws may differ from those from your jurisdiction. We will comply with GDPR requirements providing adequate protection for the transfer of Personal Data.
We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Policy and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Your consent to this Policy followed by your submission of such information represents your agreement to that transfer.
4.2. Data Processors
We may employ third party companies and individuals to facilitate our Services, to provide services on our behalf, to perform related services or to assist us in analyzing how our Services are used – all of which is done using anonymous data. In doing so, Graspic remains fully responsible for your Personal Data. These third parties have access to your Personal Data only to perform these tasks on our behalf as Data Processors and are obligated not to disclose or use it for any other purpose.
4.3. Third parties
The Services may contain features or links to websites, services and social media platforms provided by third parties. Kindly note that if you choose to access these links, then any information you provide on third-party websites, services or platforms is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through the Services. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through the Services. We encourage you to learn about third parties’ privacy and security policies before providing them with information.
4.4. Disclosure of Personal Data
Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency). We also reserve the right to disclose Personal Data or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) protect the security or integrity of the Services and any facilities or equipment used to make the Services available, or (v) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.
We will notify Users and Visitors of inquiries made by public authorities to the maximum extent permitted by law through our communication channels.
5. Cookies and Tracking technologies
5.1. Purpose of using cookies
We use automatically collected information and other information collected on our Services through cookies and similar technologies to: (i) personalize our Services, such as remembering a User’s or Visitor’s information so that the User or Visitor will not have to re-enter it during a visit or on subsequent visits; (ii) provide a User or Visitor customized advertisements, content, and information; (iii) monitor and analyze the effectiveness of Services and third-party marketing activities; (iv) monitor aggregate site usage metrics such as total number of Visitors and pages viewed.
5.2. Categories of cookies
Cookies we use:
5.2.1. Localization cookies to help us take your location into account in order to provide a personalized User experience. The location is determined anonymously.
5.2.2. Plausible. We use this anonymous online analytics service to collect data about how Users and Visitors use our service. Graspic uses this information for compiling reports and improving the Service. The data collected using these cookies cannot be personalized.
5.3. Expiration time of cookies
You can read more about the expiration time and deletion of Facebook Pixel´s cookies here.
6. Rights of Users and Visitors
You, as an individual whose Personal Data is processed as described in this Policy, have several rights which are summarized in broad terms as laid down in the following list.
- Right to withdraw consent: if you have given your consent for any personal data processing activities as described in this Policy, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to withdrawal of the consent.
- Right of access: you have the right to obtain confirmation as to whether or not your Personal Data is processed, and, if so, to request access to such personal data as well as other information about such processing that are also contained in this policy.
- Right to rectification: you have the right to have inaccurate personal data about you rectified or completed if it is incomplete.
- Right to erasure (‘right to be forgotten’): you have the right to request that we erase your Personal Data. If Personal Data is erased at your request, we will only retain such copies of the information as are necessary to protect our or third party legitimate interests, comply with governmental orders, resolve disputes, troubleshoot problems, or enforce any agreement you have entered into with us.
- Right to restriction of processing: you have the right to request from us that we limit the way we use your personal data.
- Right to data portability: you have the right to receive the personal data you provided, in a structured, commonly used and machine-readable form and to transmit that data to another controller or to have it transmitted directly from us to another controller.
- Right to object: you have the right to object, on grounds relating to your particular situation, at any time, to the processing of your Personal Data and we may have to stop processing your data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defense of legal claims.
- Right to lodge a complaint: You have the right to complain to our Data Protection Officer by sending your complaint to email@example.com or to Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA). The Estonian Data Protection Inspectorate (registered offices at Väike-Ameerika 19, 10129 Tallinn, tel. +372 627 4135, e-mail firstname.lastname@example.org) is the lead data protection supervisory authority for Graspic as being an Estonian Data Controller.
Please note that exercising these rights is subject to certain requirements and conditions as set forth in Data Protection Regulations.
If you wish to access Personal Data about you or exercise any of the rights listed below, please submit a request to us, by using the contact details identified in the “Contact us” section below.
Please note that we will ask you to verify your identity before responding to such requests.
We are committed to ensuring that your Personal Data is secure. In order to prevent accidental or unlawful destruction or accidental loss, misuse, unauthorized access, disclosure, alteration or destruction, and against any other unlawful form of processing of Personal Data as defined by applicable Data Protection Regulations, we have put in place, and required that any third-party services providers and/or processors processing Personal Data on our behalf and under our instructions put in place, appropriate and reasonable technical, organizational and physical measures to safeguard and secure the personal data we collect and process online or otherwise in the context of your use of this Services. This includes, for example, firewalls, encryption technology, secure servers, password protection and other access and authentication controls. In addition, as our Services are meant for Users whose age is over 16, we have implemented age verification measures.
However, please note that no electronic transmission or storage of information is 100% secure. Therefore, despite the security measures that we have put in place to protect Personal Data about you, we cannot guarantee that loss, misuse, or alteration of data will never occur. If you believe your Personal Data has been compromised, please contact us as set forth in the “Contact Us” section.
If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.
8. How long we may keep Personal Data
Your personal data will not be kept for longer than necessary for the purposes identified herein, or as required to comply with our legal obligations under applicable law, resolve disputes, and enforce our legal agreements and policies. We only retain the Personal Data collected from a User for as long as the User´s account is active or other or a limited period of time as long as we need it to fulfill the purposes for which we have initially collected it, unless otherwise required by law.
We will retain data as follows:
- the contents of closed accounts are deleted immediately on the date of closure and can´t be recovered later;
- documents submitted for account verification purposes are deleted on the date of account closure;
- backups of our Services are kept for 3 months.
9. Contact Us
If you wish to exercise your rights and request the Personal Data we have on you or you have any questions about this Policy or any other question related to privacy at Graspic, please send an e-mail to our Data Protection Officer email@example.com.
10. Change to this Policy
We may update our Policy from time to time. We will let you know via email and/or a prominent notice on our Services, prior to the significant change becoming effective and update the “last updated date” at the top of this Policy.
You are advised to review this Policy periodically for any changes. Changes to this Policy are effective when they are posted on this page and should you continue to use or access our Services after such changes have been made, you give your consent to the changes.