This privacy notice (the “Notice”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by Astonly.app owner, based in Estonia (hereinafter, the “Data Controller” or the “Company”) through its applications (the “Apps”), except where a different specific privacy notice applies, in accordance with Regulation (EU) 2016/679 – General Data Protection Regulation or the “GDPR” and other applicable laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).
Personal Data Controller and Processor
The Data Controller is Astonly.app, based in Estonia.
II. Categories of processed data, processing purposes and conditions
The Company shall process the categories of personal data shown below, for the following purposes:
|Purpose||Legal basis||Categories of processed data|
|To enable you to use our services the Company needs certain personal data (e.g. to create or modify your user account, allow you to use the application, send technical information about how the app works, process and reply to any requests, contact our support staff, send you a code to enter at first authentication).||Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (art. 6(1)(b) of the GDPR).||Common data: IDFA, device model and type, country as set by the user in the device settings, device language, device name, OS version, IP address, app usage (screenshots accessed, buttons pressed, etc.), unique identifier assigned to Users by the Company|
|To carry out activities aimed at improving the User experience and at assessing the expected User use of the Apps (e.g. market researches, statistical analysis, or other researches aimed at improving products and services, as well as for assess customers satisfaction in relation to Apps’ services).||The legal basis for the processing is legitimate interest of the Data Controller (art. 6(1)(f) of GDPR).|
The legitimate interest of the Data Controller is to reach improvements in relation to its products and services.
|Device information and further information collected to improve the App’s functionality (such as the screenshots accessed by the User, options selected).|
|To discharge the Company’s legal obligations and any other obligations arising out of the instructions received from the authorities.||Compliance with a legal obligation to which the Data Controller is subject (art. 6(1)(c) of the GDPR)||Any Information that shall be necessary to ensure the performance of the mentioned purposes.|
When the processing of Personal Data requires the User’s consent, the Data Subject may give his/her consent only if aged at least 16 years (see art. 8 of the GDPR).
The Company’s apps and services are not for children under the age of 16. The Company does not knowingly collect personal data from children. If you believe we have received personal data from children under the age of 16, please email us at firstname.lastname@example.org.
If the Data Subject is under the age of 16, the consent must be given by a parent or other holder of parental responsibility (in the latter case, the Data Controller shall make every reasonable effort to verify that consent is given or authorized by the holder of parental responsibility).
Should the Data Controller realize that some Users are aged below 16 and consents have not been given by parents (or holders of parental responsibility), it shall immediately delete the processed data and close the related account forthwith.
IIII. Data Retention of User’s Personal Data
Personal Data may be processed by both paper and electronic means.
The Data Controller adopts all technical and organizational measures for preventing the loss, improper use, and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too. Your Personal Data shall be stored at the Data Controller’s and at its IT services providers’ premises.
Personal Data processed to fulfill legal obligations and obligations related to the use of the Apps (points II.a), and II.c) above) will be kept for a period not exceeding the one necessary for the said purposes and, in each case, for no more than 10 (ten) years from the termination of the agreement (i.e. after the cancellation of the Apps’ account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.
User’s Personal Data processed for the purpose referred to in point II.b) above will be kept for no more than two years from the termination of the agreement (i.e. after the cancellation of the App’s account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.
IV. Mandatory or optional nature of the supply of personal data and consequences of the refusal to answer
It is necessary for you to supply your personal data. Your refusal to supply the requested data, or the supply of inaccurate data, might make it impossible to use the App’s services.
V. Recipients of Personal Data
Personal Data may be disclosed to the following categories of recipients:
- public, judicial or police authorities, within the limits established by applicable laws and regulations;
- third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services, in case this Notice refers that marketing activities are performed).
The complete and updated list of such entities is available for consultation upon request at the Company’s headquarters or by sending an email to email@example.com.Users’ data will not be disclosed for any reason other than those stated above nor disseminated, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.
VI. Transfer of Personal Data outside EEA
The Company may also transfer personal data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of the adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.
Copies of appropriate warranties are available for consultation upon request at the Company’s headquarters or by sending an email to firstname.lastname@example.org.
VII. Rights of the Data Subjects
The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:
- the right to be informed on the purposes and methods of the processing;
- the right of access;
- the right to obtain a copy of the data held overseas and obtain information concerning the place in which such data are kept;
- the right to ask for updating, rectification or integration of the data;
- the right to request the cancellation, anonymization or blocking of the data;
- the right to restrict the processing;
- the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;
- the right to withdraw the consent to the processing of the data freely and at any time – in such a case, the processing carried out before withdrawal of consent shall remain valid;
- the right to data portability (i.e. to receive an electronic copy of User’s personal data, if the User would like to port his/her personal data to himself or a different provider);
- the right to limitation of the processing.
Data Subjects also have the right to lodge a complaint before the competent national data protection or judicial authority.
For the exercise of their rights, Users may contact the Data Controller, in writing by sending a letter with proof of receipt to the Company’s headquarters, or by sending an email to email@example.com.
If a Data Subject is under the age of 18, in certain circumstances, he/she may request and obtain removal of Personal Data or content shared by him/her and posted on the Apps. To make any request pursuant to California privacy law, please send an email to firstname.lastname@example.org. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information posted on the Apps by the User and that there may be circumstances in which the law does not require or allow removal even if requested.
VIII. Automated decision-making
No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (there included profiling under Article 22(1) and 22(4) of GDPR).
IX. Third party websites and apps
The Apps may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. The Company has no control over and is not responsible for, the actions and privacy policies of third parties and other websites and apps.
X. Changes and updates of this Notice
The Company may modify, integrate and/or update, in whole or in part, this Notice, also in view of future changes that may involve the Applicable Privacy Laws and in case of new apps that shall be considered processing personal data as described by this Notice. It is understood that any modification, integration, or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the Apps. In this regard, it could be required for the User to read the new version of the Notice and to accept it before continuing to use the Apps.
Date of last amendment: August 14, 2020