PRIVACY POLICY

Last updated: March 18, 2020.

I. INTRODUCTION

“Climbro” Ltd. (hereinafter referred to as “Controller”) aims to provide you with the best possible experience when using its website https://climbro.com/  and mobile application Climbro. This is why, the privacy of individuals is taken very seriously by the Controller. Therefore, this Privacy Policy applies to the use of the website and the mobile application Climbro of the Controller.

The website https://climbro.com/ (hereinafter referred to as “website”)  and the mobile application Climbro (hereinafter referred to as “The Application” or “Application”) are operated by “Climbro” Ltd., a Bulgarian company, with UIC: 205622848,  having its seat registered at: Sofia city, postal code 1616, 19 “Iliya Kutev” Street. The Application is intended to be used by individuals who are at least 14 years old. By accepting this Privacy Policy, the individual declares that he/she meets these conditions.

BY USING THE WEBSITE AND THE APPLICATION YOU AGREE TO THE COLLECTION AND PROCESSING OF YOUR PERSONAL DATA IN COMPLIANCE WITH THIS PRIVACY POLICY.

PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THE WEBSITE AND THE APPLICATION AND IF YOU HAVE ANY QUESTIONS ABOUT THIS PRIVACY POLICY, PLEASE CONTACT US AT: HELLO@CLIMBRO.COM . IF YOU DO NOT AGREE TO ANY OF THE CONDITIONS CONTAINED IN THIS PRIVACY POLICY, YOU SHOULD NOT USE THE WEBSITE AND THE APPLICATION.

DATA CONTROLLER

“Climbro” Ltd. is a Bulgarian company, with UIC: 205622848, having its seat and registered address at: Sofia city, postal code 1616, 19 “Ilia Kutev” Street and website: https://climbro.com/ .

SUPERVISORY AUTHORITY

Commission for Personal Data Protection

Address: Republic of Bulgaria, Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.

Telephone: +3592/91-53-518; +3592/ 91-53-515; +3592/91-53-519

Fax: +3592/91-53-525

Е-mail: kzld@cpdp.bg

Web-site: www.cpdp.bg

 

II. PURPOSE AND SCOPE OF THE PRIVACY POLICY

1.1 The Controller understands the privacy concerns of the Users of the website and the Application (hereinafter referred to as “individuals”) regarding the protection of personal data and is committed to protect their personal data by applying all the standards for protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”). With this Privacy Policy, the Controller respects the privacy of individuals and undertakes every effort to protect the personal data of individuals against unlawful processing by applying technical and organizational measures, which measures are entirely consistent with state-of-the-art technological developments and provide a level of protection that corresponds to the risks associated with the processing and the nature of the data that should be protected

1.2  With this Privacy Policy and in compliance with the requirements of the GDPR, the Controller provides information on:

– the purpose and scope of this Privacy Policy;

– personal data collected and processed by the Controller;

– legal basis for personal data processing;

– purposes of personal data processing;

– period for which the personal data will be stored;

– mandatory and voluntary nature of provision of personal data;

– processing of personal data;

– protection of personal data;

– recipients of personal data;

– rights of individuals;

– procedure to exercise the rights.

III. DEFINITIONS

 2.1 For the purposes of the GDPR and this Privacy Policy, the following terms shall have the following meaning:

1. Personal datameans any information relating to an identified or identifiable natural person (‘individual’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Restriction of processingmeans the marking of stored personal data with the aim of limiting their processing in the future.
4. Profilingmeans any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
5. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
6. Processormeans a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
7. Recipientmeans a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
8. Third partymeans a natural or legal person, public authority, agency or body other than the individual, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
9. Consentof the individual means any freely given, specific, informed and unambiguous indication of the individuals’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
10. Personal data breachmeans a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

IV. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA

3.1 The Controller observes the following principles relating to processing of personal data:

–   The personal data are processed lawfully, fairly and in a transparent manner in relation to the individual (‘lawfulness, fairness and transparency’);

– The personal data are collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

– The personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

– The personal data are accurate and, where necessary, kept up to date (‘accuracy’);

– The personal data are kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);

– The personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

V. PERSONAL DATA COLLECTED AND PROCESSED BY THE CONTROLLER

A. Processing of special categories of personal data (“sensitive data”)

 4.1 The Controller does not collect and record special categories of personal data, such as: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Individuals shall not provide such sensitive data to the Controller. If the individual negligently or intentionally provides sensitive data to the Controller, the Controller undertakes to immediately delete such data.

B. Personal data collected directly from individuals in order the Application to be used

5.1 When individuals download and use the Application they voluntarily provide personal information such as: full name, e-mail address, year of birth, gender, weight, height, whether the individual is left-handed or right-handed. The Controller also collects and processes information about the use of the Application.

 

C. Personal data collected directly from individuals when using the website

5.2 Personal data collected directly from individuals when individuals contact the Controller by e-mail: Individuals provide personal data to the Controller when they contact the Controller by sending an e-mail. The e-mail address of the Controller is specified in the Controller’s Identification Information in this Privacy Policy and on the bottom footer of Controller’s website where the contact details of the Controller are provided. When the individual sends an e-mail to the Controller, the Controller collects and processes the the e-mail address of the individual and the other information that the individual provides in the sent message, such as the address. These personal data are processed for the purpose of communication with the individual and record keeping. The processing of these personal data is necessary:

– for the realization of the legitimate interests of the Controller, whose legitimate interests are to reply to the received messages, as well as saving the received messages.

– for actions preceding the conclusion of a contract and undertaken at the request of the individual, namely providing more information on the products and services offered by the Controller in connection with a possible conclusion of a contract with the individual.

5.3 Personal data collected directly from individuals when individuals contact the Controller by sending a message using the Facebook platform: Individuals provide personal data to the Controller when they contact the Controller by sending a message using the Facebook platform via the Facebook messaging service available through the Facebook administrator page at: https://www.facebook.com/ClimbroBoards/. When the individual sends a message to the Controller using the Facebook platform via the Facebook messaging service, the Controller collects and processes the individual’s name, as well as the other information the individual provides in the sent message. This data is processed for the purpose of communication with the individual and record keeping. The processing of such personal data is necessary for the realization of the legitimate interests of the Controller, whose legitimate interests are to reply to the received messages, as well as to keep the received messages. The administrator uses the Facebook services, an independent US service provider, to receive messages via the Facebook platform. This means that the personal data provided will be stored on Facebook servers in the United States. For the transmission of such personal data outside the European Economic Area, appropriate safeguards should be provided in accordance with Article 46 of Regulation (EC) 2016/679. Facebook confirms that it adheres to the principles of the “EU-US Privacy Shield”. Facebook has its own Privacy Policy and individuals are advised to get acquainted with it in order to get more information. The Facebook Privacy Policy is posted at https://www.facebook.com/policy.php .

5.4 Personal data collected directly from individuals when individuals contact the Controller by sending a message using the Instagram platform: Individuals provide personal data to the Controller when they contact the Controller by sending a message using the Instagram platform via the Instagram messaging service available through the Instagram page of the Controller.   When the individual sends a message to the Controller using the Instagram platform via the Instagram messaging service, the Controller collects and processes the individual’s name, as well as the other information the individual provides in the sent message. This data is processed for the purpose of communication with the individual and record keeping. The processing of such personal data is necessary for the realization of the legitimate interests of the Controller, whose legitimate interests are to reply to the received messages, as well as to keep the received messages. The administrator uses the Instagram services, an independent US service provider, to receive messages via the Instagram platform. This means that the personal data provided will be stored on Instagram servers in the United States. For the transmission of such personal data outside the European Economic Area, appropriate safeguards should be provided in accordance with Article 46 of Regulation (EC) 2016/679, and Instagram provides such safeguards and describes in detail in its Privacy Policy. The Instagram Privacy Policy is posted at https://help.instagram.com/519522125107875 .

5.5 Personal data collected directly from individuals when individuals purchase goods from the website: Individuals provide personal data to the Controller when they purchase goods from the Controller’s website. The individual provides the following personal data that the Controller collects and processes, namely: first and last name of the individual and company name /not mandatory/, company VAT number/not mandatory/, e-mail address, phone number, full address and order notes /not mandatory/, as well as the bank account of the individual if the individual decides to pay by direct bank transfer. The collection and processing of this personal data is necessary:

– for concluding or executing a contract for the purchase of goods;
– for fulfilling legal obligations for the purpose of issuing invoices. The data of the individuals are stored on a server of a hosting provider and the server is located in the Republic of Bulgaria.

D. Personal data collected from third parties

 6.1 The Controller usually does not obtain personal data for individuals from third parties. However, in some cases, if the Controller has a reasonable grounds to suspect any individual of infringing Controller’s legal or intellectual property rights, then the Controller will obtain personal data of the suspected individual from public registers or private sources. This data may be processed for the purposes of investigating the infringement and taking legal actions against the infringement. The lawful grounds for processing of the personal data are the legitimate interests pursued by the Controller, which legitimate interests are investigating the infringement and taking legal actions against the infringement.

E. Data collected automatically

 7.1 When an individual uses the Application, the Controller automatically collects the following data, namely:

– The type of device from which the individual uses the Application (for example, a computer, a mobile phone, a tablet, etc.).

– The Internet Protocol (“IP”) address;

– Type of operating system;

– Type of the browser;

– Concrete actions undertaken, including the pages visited, frequency and duration of visits to the website;

– Date and time of visits.

VI. LEGAL BASIS FOR PERSONAL DATA PROCESSING

8.1 The legal basis for collecting processing of the personal data of individuals in most of the cases is one of the following:

– for the realization of the legitimate interests of the Controller such as understanding how individuals use the website and the Application in order to improve the website and the Application. In this case the Controller ensures that the legitimate interests of the Controller are not overridden by the interests of individuals or fundamental rights and freedoms.

– for fulfilling the contractual relationship like providing services and sending the purchased products;

– for fulfilling legal obligations like ensuring that the invoices have been paid.

VII. USE OF COOKIES

9.1 Cookies are small text files that are sent from the Website to the computer or individual’s device and stored in the browser’s file directory that the individual uses. They collect information about how the website is used in order to improve the Website performance. This information most often includes: IP address of the device from which the individual has access to the platform (usually used to determine a country or city); type of device from which the individual accesses the platform (e.g., computer, mobile phone, tablet, etc.); type of operating system; type of browser; concrete actions to be taken, including pages visited, frequency and duration of visits to the website; date and duration of visits. More information about Cookies can be found at: http://www.allaboutcookies.org/.

9.2 The Controller of this Website uses different types of cookies for the following purposes:

• Analyzing how the Website has been used;
• Establishing the number of visitors of the website;
• Establishing the duration of website visits;
• Providing Visitors a better experience.

9.3 Types of cookies: There are two types of Cookies depending on how long they are stored on the device: session cookies and persistent cookies. Session Cookies are temporary Cookies that remain on the device until the browser is closed. Persistent Cookies remain on the device for a longer period of time or until they are deleted.

Cookies can also be the following four types, depending on their function:

Cookies	Purpose
Necessary	These Cookies are necessary for the proper functioning of the Website by allowing the visitor to navigate the website and use its features, such as remembering previous back-to-back actions in the same session. Therefore, visitors cannot deactivate these cookies without affecting the functioning of the website.
Analytics	These Cookies provide information on how the Website is used. This information includes: IP address of the device from which the visitor has access to the platform (usually used to determine a country or city); type of device from which the visitor accesses the platform (e.g., computer, mobile phone, tablet, etc.); type of operating system; type of browser; concrete actions to be taken, including pages visited, frequency and duration of visits to the website; date and duration of visits. From the types of Analytics Cookies we use Google Analytics. In this way we have the opportunity to improve the functionality of the Website in order to provide visitors a better experience.
Performance	These cookies are used in order to enhance the functionality and the performance of the Website.
Advertising	These cookies are used to track visitors to the website and gain an insight into their interests based on the websites they visit, to be able to offer ads that are relevant to the visitor.

9.4 The period for which the information is saved depends on the type of the Cookies. Session Cookies are deleted with closing of the browser, while the persistent ones are valid between two months and several years.

9.5 How to control and delete Cookies?

Browser Controls: The option to control Cookies, including the option to delete Cookies, are available in the browser used by the individual. Different browsers use different ways to disable Cookies, typically in the “options” or “tools” menus. To disable performance Cookies and disable Google Analytics, it is necessary to download an add-on to disable Google Analytics. Individuals can also find out how they can disable Google Analytics Cookies at: https://tools.google.com/dlpage/gaoptout. More detailed information about how to control Cookies for different types of browsers is available at the following addresses: https://www.aboutcookies.org/how-to-control-cookies/ or www.youronlinechoices.com.

Individuals also have the opportunity to delete all the Cookies that are saved on the device. More detailed information on how to delete Cookies for different types of browsers is available at: https://www.aboutcookies.org/how-to-delete-cookies/#gchromex.

Additionally, for the convenience of individuals, direct links are provided that inform how cookies can be deleted from the most popular browsers:

For individuals using the browser Mozilla Firefox: https://support.mozilla.org/bg/kb/delete-cookies-remove-info-websites-stored

For individuals using the browser Internet Explorer: https://support.microsoft.com/bg-bg/help/278835/how-to-delete-cookie-files-in-internet-explorer

For individuals using the browser Google Chrome: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DDesktop&hl=bg

For individuals using the browser Safari:

– for a computer: https://support.apple.com/guide/safari/sfri47acf5d6/mac

– for a tablet or a mobile phone: https://support.apple.com/HT201265

Individuals should keep in mind that controlling and deleting Cookies may affect some of the functions of the website.

VIII. PURPOSES OF PERSONAL DATA PROCESSING

 10.1 The Controller collects and processes the personal data of individuals for the following purposes, namely:

– to provide the services that the Controller offers;

– to identify individuals (future and current clients);

– for the execution of an obligation of the Controller, stipulated by law;

– to contact the individual via e-mail in order to respond to the received inquiries;

– for sending the products purchased by the individual;

– accounting purposes;

– to accept and process payments;

– communicate with individuals.

10.2 The Controller collects and processes the personal data of individuals who are automatically collected for the following purposes, namely:

– improving the efficiency and functionality of the website and the Application;

– preparing anonymous statistics on how the website and the Application have been used;

The Controller may not use the personal data of individuals for purposes other than those specified in this section of this Privacy Policy.

IX. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED

A. Period for which the personal data will be stored

11.1 Inquiries and correspondence by email, Facebook: The Controller stores the personal data and the communication received by e-mail and messages sent by Facebook for a period necessary to answer to the received message and to satisfy individual’s request, as well as for one calendar year after the Controller has answered to the received message and satisfied individual’s request.

11.2 Personal data of individuals who have ordered products: The Controller stores personal data of the individuals who have purchased goods for a period of ten years, which is the term stipulated by law for storing invoices for clients.

11.3 Personal data of individuals who have ordered services: Upon stopping using of the Application, the Controller will minimize the personal data and will keep only such a data which is required to keep to comply with laws. In such cases, the Controller will store the personal data of the individuals who have used the Application and stopped used the Application for a period of ten years after they have stopped using the Application, which is the term stipulated by law for storing invoices for clients.

11.4 Unless otherwise specified, the Controller retains information as long as it is necessary to achieve the purpose described above.

B. Criteria for determining the period for which the personal data will be stored

11.5 In other situations, not specified above, the Controller will store the personal data of the individual for no longer than needed considering the following criteria, namely: – if the Controller is obliged by a legal norm to continue with the processing of the personal data of the individual; – purpose for storing of the personal data both currently and in the future; – purposes for using of the personal data currently and in the future; – if it is necessary to contact the individual in the future; – if the Controller has any legal ground to continue to process the personal data of the individual; – any other sufficient grounds, like the character of the relationship with the individual.

X. MANDATORY AND VOLUNTARY NATURE OF PROVISION OF PERSONAL DATA

 12.1 The personal data required to be provided by the individuals are in accordance with the services offered by the Controller. The provision of personal data by individuals is voluntary. In the event that the individual refuses to provide the personal data:

– the individuals will not be able to use the Application provided by the Controller;

– the Controller will not be able to deliver the products purchased by the individual;

– the individual will not be able to contact the Controller.

XI. PROCESSING OF PERSONAL DATA

13.1 The Controller processes the personal data of individuals by means of a set of actions that can be performed by automatic and non-automatic means.

XII. PROTECTION OF PERSONAL DATA

14.1 The Controller undertakes the appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing, including the following:

– using only secure and protected servers and folders for storing of the personal data;

– verifying and confirming the identification of the individual inquiring access to his/her personal data before granting access to such personal data.

14.2  In case you would like to receive detailed information about the technical and organizational measures, please do not hesitate to contact us at hello@climbro.com .

XIII. RECIPIENTS OF PERSONAL DATA

15.1 The Controller does not share the personal data of individuals publicly.

15.2 The Controller has the right to disclose the personal data processed to the following categories of persons, namely:

• to Individuals to whom the data relate when they exercise the right of access the personal data relating to him/her.
• to state bodies if provided for in a legal act;
• to data processors providing services in favor of the Controller’s business activities, such as accountant of the Controller, companies processing payments for administration of receivables/payables and the hosting company, which are subject to a confidentiality obligation, and they have provided sufficient assurance of enforcement appropriate technical and organizational measures in such a way that the processing proceeds in accordance with the requirements of the Regulation and ensures the protection of the rights of individuals.
• to courier organizations in order to deliver the ordered products.

15.3 The mentioned in the previous paragraph categories of persons will only have access to such information that is necessary to perform their functions on behalf of the Controller and are required to protect and secure the information.

15.4 The Controller does not sell personal data provided by the individual to third parties.

XIV. RIGHTS OF INDIVIDUALS

Right of access by the individual:

16.1 The individual has the right to obtain from the Controller confirmation as to whether or not personal data concerning him or her are being processed. If the Controller processes personal data of the individual the Controller shall provide a copy of the personal data undergoing processing.

Right to rectification:

16.2 The individual has the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the individual has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’):

16.3 The individual has the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller has the obligation to erase personal data without undue delay where one of the stated in article 17 of the GDPR grounds applies.

Right to restriction of processing:

16.4 The individual has the right to obtain from the Controller restriction of processing where one of the stated in article 18 of the GDPR grounds applies. If the processing has been restricted, such personal data shall, with the exception of storage, only be processed with the individual’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. The Controller informs the individual who has obtained restriction of processing before the restriction of processing is lifted.

Right to data portability:

16.5 The individual has the right to receive the personal data concerning him or her, which he or she has provided to the Controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller without hindrance from the Provided to which the personal data have been provided, if the processing is based on consent or on a contract.

Right to object:

16.6 The individual has the right to object on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. According to Article 21, Paragraph 4 of the GDPR the right to object shall be explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information. For compliance of this obligation, more information about the right to object, can be found in the section below titled “Right to object to processing of personal data”.

Right of withdrawal of consent:

16.7 The individual has the right at any time to withdraw the consent he has given. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The order for withdrawal of the consent is specified in Section XIV of this privacy policy. The individual may either withdraw the given consent by choosing the “unsubscribe” option when receiving a newsletter.

Profiling rights:

16.8 The individual has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Right to be informed about the personal data breach:

16.9 The individual has the right to be informed without undue delay about the personal data breach when the personal data breach is likely to result in a high risk to the rights and freedoms of individual.

Right to judicial and administrative protection:

– Right to lodge a complaint with a supervisory authority

16.10 Without prejudice to any other administrative or judicial remedy, the individual has the right to lodge a complaint with the supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the individual considers that the processing of personal data relating to him or her infringes the GDPR.

– Right to an effective judicial remedy against a supervisory authority

16.11 Without prejudice to any other administrative or non-judicial remedy, the individual or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

– Right to an effective judicial remedy against the Controller or processor

16.12 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the individual has the right to an effective judicial remedy where he or she considers that his or her rights under the GDPR have been infringed as a result of the processing of his or her personal data in non-compliance with the GDPR. Proceedings against the Controller or a processor shall be brought before the courts of the Member State where the Controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has his or her habitual residence.

Right to compensation and liability:

16.13 Individual who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the Controller or processor for the damage suffered. Court proceedings for exercising the right to receive compensation shall be brought before the courts of the Member State where the Controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the individual has his or her habitual residence.

XV. PROCEDURE TO EXERCISE THE RIGHTS

17.1 The individual exercises his or her right to withdraw the given consent, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object and profiling rights, by submitting a written request to the Controller (either by post at the address specified in the identification of the Controller above or by e-mail), which should contain the following information:

1. the name, address, and other data necessary for identifying the respective individual;
2. a description of the request;
3. signature, date of submission of the request and e-mail address.

 17.2 The request shall be filed personally by the individual. The Controller keeps the requests filed by the individuals in a separate register.

 17.3 When the individual exercises the right of access to the personal data relating to him or her the Controller shall verify the identity of the individual before responding to the request. This is necessary to minimize the risk of unauthorized access and identity theft. If the Controller cannot identify the individual from the collected information, then the Controller has the right to require a copy of individual’s documentation (such as ID card, driving license, other documents containing personal data that identify the individual) in order to verify the individual’s identity.

 17.4 The Controller considers the request and provides the information on action taken on the request of the individual within two months of receipt of the request. This period may be extended by one further month where necessary, taking into account the complexity and number of the requests.

17.5 The Controller informs the individual of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the individual makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the individual.

 17.6 In case the Controller does not take action on the request of the individual, the Controller informs the individual without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

17.7 The Controller shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller informs the individual about those recipients if the individual requests it.

XVI. RIGHT TO OBJECT TO PROCESSING OF PERSONAL DATA

 18.1 The individual has the right to object on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her. According to Article 21, Paragraph 4 of the GDPR the right to object shall be explicitly brought to the attention of the individual and shall be presented clearly and separately from any other information. For compliance of this obligation, more information about the right to object, will be provided in this section of the Privacy Policy.

18.2 The individual has the right to object on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller or processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individual which require protection of personal data, in particular where the individual is a child, including profiling based on any of these provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual or for the establishment, exercise or defense of legal claims. The individual can exercise this right by submitting a written request to the Controller, either by post at the address specified in the identification of the Controller above or by e-mail.

18.3 Where personal data are processed for direct marketing purposes, the individual has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the individual objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. The individual can exercise this right by submitting a written request to the Controller, either by post at the address specified in the identification of the Controller above or by e-mail requiring to stop sending him or her marketing information or by clicking the unsubscribe link contained at the bottom of the e-mail the Controller sends to the individual.

XVII. BUTTONS, TOOLS AND CONTENT FROM OTHER COMPANIES

19.1 The Website contains buttons, which connect to other third party websites such as „Facebook“ button, „LinkedIn” button, “YouTube” button and “Instagram” button. All websites of such companies that can be accessed through this website are independent and the Controller assumes no responsibility for any damages and losses incurred as a result of the use of these sites. Individuals use these sites on their own responsibility and it is recommended that they familiarize themselves with the relevant Privacy Policy of the respective company for more information.

XVIII. THIRD PARTIES SERVICE PROVIDERS

20.1 The Application uses third party services, which may collect information used to identify the individual. These third parties have their own Privacy Policies and it is recommended that individuals familiarize themselves with the relevant Privacy Policy of the respective company for more information.

Such third parties are:

Google Play Services

Analytics

• Facebook Analytics for Apps
• Google Analytics for Firebase (Google LLC)

Hosting and backend infrastructure

• Firebase Cloud Storage (Google LLC)
• Firebase Cloud Functions (Google LLC)
• Firebase Cloud Firestore (Google LLC)

Infrastructure monitoring

• Firebase Performance Monitoring (Google LLC)
• Firebase Crash Reporting (Google Inc.)
• Firebase Crashlitycs

Managing contacts and sending messages

• Firebase Cloud Messaging (Google Inc.)
• Firebase Notifications (Google LLC)

Registration and authentication

• Facebook Authentication (Facebook, Inc.)
• Firebase Authentication (Google Inc.)
• Google OAuth (Google Inc.)

XIX. CHANGES TO THE PRIVACY POLICY

21.1 This Privacy Policy may be updated at any time in the future. When this happens, the Controller will notify the individuals. It is therefore advisable to carefully read such notice to make sure that you are familiar with any changes of the Privacy Policy. Using the website and the Application after publishing or sending a notice about the updated Privacy Policy, means that you will be deemed to agree with the changes made.

XX. CONTACTS

22.1 If you have additional questions about this Privacy Policy, please do not hesitate to contact the Controller at: hello@climbro.com .