Политика в отношении обработки персональных данных
1. Общие положения
Настоящая политика обработки персональных данных составлена в соответствии с требованиями Федерального закона от 27.07.2006. №152-ФЗ «О персональных данных» и определяет порядок обработки персональных данных и меры по обеспечению безопасности персональных данных, предпринимаемые ООО "Технологии обработки данных" (далее – Оператор).
1.1. Оператор ставит своей важнейшей целью и условием осуществления своей деятельности соблюдение прав и свобод человека и гражданина при обработке его персональных данных, в том числе защиты прав на неприкосновенность частной жизни, личную и семейную тайну.
1.2. Настоящая политика Оператора в отношении обработки персональных данных (далее – Политика) применяется ко всей информации, которую Оператор может получить о посетителях веб-сайта http://humanteq.ai.
2. Основные понятия, используемые в Политике
2.1. Автоматизированная обработка персональных данных – обработка персональных данных с помощью средств вычислительной техники;
2.2. Блокирование персональных данных – временное прекращение обработки персональных данных (за исключением случаев, если обработка необходима для уточнения персональных данных);
2.3. Веб-сайт – совокупность графических и информационных материалов, а также программ для ЭВМ и баз данных, обеспечивающих их доступность в сети интернет по сетевому адресу http://humanteq.ai;
2.4. Информационная система персональных данных — совокупность содержащихся в базах данных персональных данных, и обеспечивающих их обработку информационных технологий и технических средств;
2.5. Обезличивание персональных данных — действия, в результате которых невозможно определить без использования дополнительной информации принадлежность персональных данных конкретному Пользователю или иному субъекту персональных данных;
2.6. Обработка персональных данных – любое действие (операция) или совокупность действий (операций), совершаемых с использованием средств автоматизации или без использования таких средств с персональными данными, включая сбор, запись, систематизацию, накопление, хранение, уточнение (обновление, изменение), извлечение, использование, передачу (распространение, предоставление, доступ), обезличивание, блокирование, удаление, уничтожение персональных данных;
2.7. Оператор – государственный орган, муниципальный орган, юридическое или физическое лицо, самостоятельно или совместно с другими лицами организующие и (или) осуществляющие обработку персональных данных, а также определяющие цели обработки персональных данных, состав персональных данных, подлежащих обработке, действия (операции), совершаемые с персональными данными;
2.8. Персональные данные – любая информация, относящаяся прямо или косвенно к определенному или определяемому Пользователю веб-сайта http://humanteq.ai;
2.10. Предоставление персональных данных – действия, направленные на раскрытие персональных данных определенному лицу или определенному кругу лиц;
2.11. Распространение персональных данных – любые действия, направленные на раскрытие персональных данных неопределенному кругу лиц (передача персональных данных) или на ознакомление с персональными данными неограниченного круга лиц, в том числе обнародование персональных данных в средствах массовой информации, размещение в информационно-телекоммуникационных сетях или предоставление доступа к персональным данным каким-либо иным способом;
2.12. Трансграничная передача персональных данных – передача персональных данных на территорию иностранного государства органу власти иностранного государства, иностранному физическому или иностранному юридическому лицу;
2.13. Уничтожение персональных данных – любые действия, в результате которых персональные данные уничтожаются безвозвратно с невозможностью дальнейшего восстановления содержания персональных данных в информационной системе персональных данных и (или) уничтожаются материальные носители персональных данных.
3. Оператор может обрабатывать следующие персональные данные Пользователя
3.1. Фамилия, имя, отчество;
3.2. Электронный адрес;
3.3. Номера телефонов;
3.4. Также на сайте происходит сбор и обработка обезличенных данных о посетителях (в т.ч. файлов «cookie») с помощью сервисов интернет-статистики (Яндекс Метрика и Гугл Аналитика и других).
3.5. Вышеперечисленные данные далее по тексту Политики объединены общим понятием Персональные данные.
4. Цели обработки персональных данных
4.1. Цель обработки персональных данных Пользователя — информирование Пользователя посредством отправки электронных писем; предоставление доступа Пользователю к сервисам, информации и/или материалам, содержащимся на веб-сайте.
4.2. Также Оператор имеет право направлять Пользователю уведомления о новых продуктах и услугах, специальных предложениях и различных событиях. Пользователь всегда может отказаться от получения информационных сообщений, направив Оператору письмо на адрес электронной почты email@example.com с пометкой «Отказ от уведомлений о новых продуктах и услугах и специальных предложениях».
4.3. Обезличенные данные Пользователей, собираемые с помощью сервисов интернет-статистики, служат для сбора информации о действиях Пользователей на сайте, улучшения качества сайта и его содержания.
5. Правовые основания обработки персональных данных
5.1. Оператор обрабатывает персональные данные Пользователя только в случае их заполнения и/или отправки Пользователем самостоятельно через специальные формы, расположенные на сайте http://humanteq.ai. Заполняя соответствующие формы и/или отправляя свои персональные данные Оператору, Пользователь выражает свое согласие с данной Политикой.
6. Порядок сбора, хранения, передачи и других видов обработки персональных данных
Безопасность персональных данных, которые обрабатываются Оператором, обеспечивается путем реализации правовых, организационных и технических мер, необходимых для выполнения в полном объеме требований действующего законодательства в области защиты персональных данных.
6.1. Оператор обеспечивает сохранность персональных данных и принимает все возможные меры, исключающие доступ к персональным данным неуполномоченных лиц.
6.2. Персональные данные Пользователя никогда, ни при каких условиях не будут переданы третьим лицам, за исключением случаев, связанных с исполнением действующего законодательства.
6.3. В случае выявления неточностей в персональных данных, Пользователь может актуализировать их самостоятельно, путем направления Оператору уведомление на адрес электронной почты Оператора firstname.lastname@example.org с пометкой «Актуализация персональных данных».
6.4. Срок обработки персональных данных является неограниченным. Пользователь может в любой момент отозвать свое согласие на обработку персональных данных, направив Оператору уведомление посредством электронной почты на электронный адрес Оператора email@example.com с пометкой «Отзыв согласия на обработку персональных данных».
7. Трансграничная передача персональных данных
7.1. Оператор до начала осуществления трансграничной передачи персональных данных обязан убедиться в том, что иностранным государством, на территорию которого предполагается осуществлять передачу персональных данных, обеспечивается надежная защита прав субъектов персональных данных.
7.2. Трансграничная передача персональных данных на территории иностранных государств, не отвечающих вышеуказанным требованиям, может осуществляться только в случае наличия согласия в письменной форме субъекта персональных данных на трансграничную передачу его персональных данных и/или исполнения договора, стороной которого является субъект персональных данных.
8. Заключительные положения
8.1. Пользователь может получить любые разъяснения по интересующим вопросам, касающимся обработки его персональных данных, обратившись к Оператору с помощью электронной почты firstname.lastname@example.org.
8.2. В данном документе будут отражены любые изменения политики обработки персональных данных Оператором. Политика действует бессрочно до замены ее новой версией.
8.3. Актуальная версия Политики в свободном доступе расположена в сети Интернет по адресу http://humanteq.ai.
Humanteq ("Humanteq", "we", "us" or "our") provides analytics, attribution and optimization software-as-a-service, which (i) enables analysis and optimization of users' activities and (ii) analyses certain events and actions on mobile applications (respectively the "Apps" and the "SaaS"). The SaaS is available to App developers and/or publishers (collectively, "Customer(s)") through implementation of the Humanteq Software Development Kit ("Humanteq SDK").
Humanteq is fully committed to protect the privacy of our Customers, along with the privacy of their Apps' users ("End Users"), in compliance with applicable privacy and personal data laws and regulations. Customer and End Users are hereby referred to hereunder as "you" or "your".
We take extra care in protecting the personal information that Customers share with us in connection with their use of the SaaS, the Humanteq SDK, including information concerning our Customers Apps' End Users (the "Services").
2. END USER DATA RECEIVED AND PROCESSED BY HUMANTEQ
When a Customer uses the Services, the following End User information may be received and processed by Humanteq (collectively, "End User Data"):
Humanteq SDK collects data about how Users use their Devices, together with the applications and systems on those Devices – this information includes:
● List of applications installed on the Users' Device
● End-User events, pre-defined by the applicable Customer
Humanteq SDK collects technical Information relating to Users' Devices, that includes technical information related to an End User's mobile device such as: device type and model, CPU, system language, memory, OS version, time stamp and zone, device motion parameters and carrier.
Humanteq SDK links the Usage Data and Technical Information it collects listed above to certain device and user identifiers it collects from Users and their Devices, which include:
● Device's unique Advertising ID, such as Google AAID or Apple IDFA.
● IP Address.
● Unique user ID
All User Data we collect is associated with these Identifiers.
User Data includes any other information (including personal data) that may be submitted to us directly (for example, through a User submitted form or survey response).
Our policy towards children
In accordance with applicable European Union guidance on the practice, we do not knowingly collect User Data from children or use any User Data to target adverts to children. Accordingly, we do not collect or use User Data to target children under 16 years old. If you believe we have inadvertently collected User Data from or about a child, please contact us using the details provided under the heading "Contact Us" below.
Please take into consideration that certain portions of such above mentioned information may also be collected from End User devices or software, when the App is running in the background, i.e. when it has been launched but not used.
While End User Data does not generally contain any information that directly identifies an individual, such as names, addresses, credit cards or other similarly regulated financial information, health information, or any other type of sensitive personal information, we acknowledge that under certain jurisdictions the End User Data we do receive when a Customer uses the Services may be deemed personal data as it is associated with a Technical Identifier, and therefore, where applicable, will be treated as such.
3. HOW DATA IS USED
Purpose of Use:
● To create segmentation and separate between users' sessions within the Services.
● To store and process End-User Data for the preparation and delivery of our Services, including compiled analytics Reports to our Customers.
● To create cumulative statistical data and other cumulative information and/or other conclusive information that is non-personal, in which we might make use, in order to operate and improve our Services;
● To provide Customers with analysis and statistical reports regarding End Users' application habits and preferences.
● To provide our Customers with the SaaS;
● To provide and improve our Services and its various functions and features and to manage our business;
4. SHARING DATA
● Humanteq does not share or disclose Customer Data with any third party, except:Upon our Customer's request;
● To our subsidiaries and global branches as necessary to help us support and maintain the Services provided to Customers;
● When legally required (e.g. court orders or other lawful requests by public authorities), including to meet national security or law enforcement requirements;
● As part of any merger or acquisition of Humanteq, in which case End User Data may be transferred to the surviving or acquiring entity.
5. PROTECTING, TRANSFER AND DATA STORE
Humanteq implements appropriate technical and organizational measures designed to protect against unauthorized access, accidental loss, destruction or damage of Customer Data.
Personal information regarding the Customers, End-Users and Visitors will be maintained, processed and stored by us and our authorized affiliates and service providers in Germany and as necessary, in other territories in secure cloud storage, provided by our third party service provider.
Humanteq may need to transfer Customer Data to countries other than the country from which the Data originated. Any such transfer shall be done in compliance with all applicable laws.
Humanteq will not retain End User Data, Registration Information, Log Data or Platform Data for more time than is needed to serve the legitimate business need for which it was collected. We then either delete such personal information from our systems or anonymize it without further notice.
Specifically, each of our services providers who stores or processes your personal information either, (i) assured us that it provides adequate safeguards to protect your rights to privacy, or (ii) holds and processes such information on our behalf in a jurisdiction which has been determined to ensure an adequate level protection by the EU Commission which if in the US, includes certification under the EU-US Privacy shield framework.
6. RELATIONSHIP, LAWFUL BASIS AND END USER CHOICES
● The right to withdraw any previously provided consent;
● The right to access certain information about you that we process;
● The right to have us correct or update any Personal Information;
● The right to have certain Information erased;
● The right to have us temporarily block our processing of certain Information;
● The right to have Information exported into common machine-readable format;
● The right to object to our processing of Information in cases of direct marketing, or when we rely on legitimate interests as our lawful basis to process your information; and
● The right to lodge a complaint with the appropriate data protection authority.
Where Humanteq is deemed a data processor, End Users should contact our Customers to pursue any such legal data subject rights. Humanteq will cooperate with its Customers to support and comply with any such data subject rights requests.
Where Humanteq is deemed a data controller, End Users may exercise their rights by contacting Humanteq at: email@example.com We will respond to your requests within a reasonable timeframe. Please note these rights may be limited in certain circumstances as provided by applicable law. In any event, Humanteq provides End Users with the ability to opt-out of being measured by the Services by emailing a request to firstname.lastname@example.org You may also send any question regarding your exercise of data subject rights to email@example.com
7. UPDATES AND QUESTIONS
For the purposes of Article 27 of the General Data Protection Regulation, the representative within the EU of Humanteq is EKO Concept GmbH Im Stöckig 8,69427, Mudau, Germany (contact: firstname.lastname@example.org )
Date: February 11, 2020.
Terms and Conditions
1. Scope of Application
1.2 By submitting any individual order ('Order Form') a Customer signifies that he has read and agreed to be bound by the terms and conditions of the Agreement and that he has the full authority to enter into and bind the Customer to the Agreement.
1.3 This Agreement and Conditions apply to any future business transaction between Humanteq and the Customer, even without express reference thereto.
1.4 Humanteq may modify the Agreement from time to time as described herein. The Customer continued use of the Services following such modifications shall constitute his consent to the modified Agreement.
If you do not agree to all of the terms of the Agreement then you may not use the Services.
2. Offer and Conclusion of a Contract
2.1 "Humanteq" means the entity as set forth in Section 12.
2.2 Humanteq shall provide Services to the Customer as set forth in an Order Form.
2.3 This Agreement between Humanteq and the Customer is executed upon signature of an Order Form by Humanteq and the Customer
2.4 The scope of the service, the payment terms and length of the service which Humanteq provides to the Customer according to this Agreement is specified in the Order Form.
2.3 The Customer represents and warrants that all personal information as well as other relevant contractual data provided by the Customer during the conclusion of this Agreement is complete and correct. The Customer is obliged to promptly inform Humanteq about any changes to this data and/or to update altered data.
2.4 The Customer is aware that contractual declarations (e.g. confirmation emails, amendments to this Agreement as well as other notifications) may be sent via email. They are deemed to have been received when they can be retrieved in the email inbox which was specified by the Customer during the registration under normal circumstances.
3.1 With its Services, Humanteq offers the Customer software that provides analytics, attribution and optimization (software-as-a-service), which (i) enables analysis and optimization of users' activities and (ii) analyses certain events and actions on mobile applications (respectively the "Apps" and the "SaaS").
3.2 The SaaS is available to the Customers through implementation of the Humanteq Software Development Kit.
3.3 Humanteq SDK collects data about how Users use their Devices, together with the applications and systems on those Devices ('End User's Data).
3.4 Humanteq SDK will record and upload the End Users' Data to our secured servers and cloud servers for the purpose of providing the Customer with access to the SaaS. Humanteq will process and analyze the End User Data using its proprietary software to analyse user activities in order to provide tools for optimised new user acquisitions, increase monetization, and improved communication with End Users, in order to induce further actions by End Users.
4. Customer's Rights and Obligations
4.1 The Customer is entitled to use the Humanteq SDK and the Services provided by Humanteq only for analysis and optimization of (i) users acquisition and (ii) in-app behavior, communication and monetization.
4.2 If the Customer is provided with personal data whilst using the Services, the Customer may only process and use this data as far as this is legally permissible. The Customer also assures that the transfer of personal data from Humanteq to the Customer is legally permissible within the agreed extent.
4.2 The Customer must choose the correct settings for use of the Services and software if their services are directed to children.
4.3 The Customer shall not make the Services provided by Humanteq available to any third parties. In addition, the Customer shall not
● modify, translate, reverse engineer, decompile, disassemble or otherwise create derivative works from the Humanteq software or documentation, of the Services or binary-code part of the Service, or otherwise attempt to discover its underlying code, structure, implementation or algorithms;
● transfer, lend, rent, lease, distribute the software provided by Humanteq or the Services, or use them for providing services to a third party, or grant any rights in and to the Humanteq software or documentation to a third party in any form, without Humanteq's express prior written permission;
● remove, modify or make illegible the labels, markers or designations regarding copyrights and other intellectual property rights of the Humanteq software or documentation or Services.
4.4 Customer may not perform or attempt to perform any of the following in connection with the Services:
● Breaching the security of the Services, identifying, probing or scanning any security vulnerabilities in the Services,
● Accessing data not intended for Customer;
● Interfering with, circumventing, manipulating, overloading, impairing or disrupting the operation, or the functionality of the Services;
● Working around any technical limitations in the Service;
● Using any tool to enable features or functionalities that are otherwise disabled, inaccessible or undocumented in the Service
4.5 The Customer is aware that the product "Psychoprofiling" does not generate completely error-free profiles and segments in all cases. If the Customer transfers a segment generated this way to a chosen advertising partner, the Customer carries the risk that this segment corresponds to content-related to the Customer's expectations. Humanteq is not liable for any defective segments, regardless of whether the error is within the responsibility of Humanteq or not.
4.6 If Humanteq has protected its Services by technical means (e.g. security codes, firewalls, etc.), the Customer is not allowed to circumvent or remove such security measures.
4.7 The Customer is obliged to protect its own data by taking appropriate measures and by regularly making backups of its data.
4.8 The Customer must follow Humanteq's instructions as well as the protocols and specifications as requested by Humanteq with regard to the telecommunication/data transmission.
5. Fees, Payment
5.1 The fees for the Services that the Customer makes use of are set out in the applicable Order Forms. Unless explicitly stated otherwise, all fees are quoted exclusive of the statutory value-added tax (VAT) applicable at the time.
5.2 The Fees may be payable one-time in advance or by recurring monthly or other periodic payments, according to the applicable terms set forth in the Order Form.
5.3 Invoices will be sent to the Customer via mail or in electronic form, unless expressly agreed otherwise.
5.4 The payment of the invoices shall be due within 10 days of the invoice date. Customer is responsible for paying all fees applicable to the subscription to the Services, whether or not Customer actively used, accessed or otherwise benefited from the Service.
5.5 If the Customer's payments are considerably delayed, Humanteq reserves the right to suspend the provision of any further Services, in particular the Customer's access to the Services, at the expense of the Customer until all due payments have been made. In the event of suspended Services, the Customer is nevertheless obliged to pay the agreed fees until the point of suspension.
5.6 Any complaints relating to an invoice must be submitted to Humanteq in writing or by email to email@example.com within four weeks upon receipt of the invoice. If no such complaint has been made within four weeks upon receipt of invoice, the invoice is deemed to be accepted.
6. Grant of Rights, Ownership, Third Party Rights
6.1 Upon execution of this Agreement, Humanteq grants the Customer the non-exclusive, non-transferable and non-sublicensable right to use the Services during the term of this Agreement, insofar as this is necessary to use the Services according to the respective Order Form. The right of use shall expire once the Customer defaults with any payments due.
6.2 Humanteq shall retain all right, title and interest in and to the Codes, Anonymous Aggregated Data and Services and all technology utilized by Humanteq to provide the Services, including any and all patents, copyrights, trademarks, trade names, trade secrets, any other material (e.g. documentations, developments, functions, report templates, preparatory material, etc.) and other intellectual property rights relating to, embodied by, or incorporated in any of the foregoing (the "Humanteq Properties") and including any updates, upgrades, enhancements, modifications or improvements made to, or derivatives of, the Humanteq Properties.
6.2 Humanteq may use Anonymous Aggregated Data for research and analytics purposes and improvement and marketing of the Services. Nothing herein shall be interpreted to provide Customer any rights in the Humanteq Properties except the limited rights explicitly set forth herein.
6.3 The Customer undertakes to not violate any applicable laws, in particular third party rights (e.g. copyrights, personality rights, intellectual property rights) or the terms of this Agreement while using the Services. Insofar, the Customer shall indemnify and hold Humanteq harmless from any and all third party claims (including but not limited to all costs and expenses, incl. reasonable attorney's fees) that are being asserted against Humanteq upon first request.
6.4 Unless otherwise agreed between the Parties, Humanteq is entitled to refer to the collaboration with the Customer and the contractual product and to depict the Customer's logo for self-promotional purposes.
7.1 Humanteq shall be responsible that the Services correspond to their intended use. Humanteq does not assume any liability for any damages resulting from a usage other than the intended use. The same applies to any damages resulting from a usage that is not in accordance with Humanteq's instructions and recommendations or any other unauthorized usage.
7.2 Humanteq will not be liable for any indirect, special, punitive, consequential or incidental damages, or for any lost profits or loss of revenue, whether based on a claim or action of contract, warranty, negligence, strict liability, or other tort, breach of any statutory duty, indemnity or contribution, or otherwise, even if Humanteq has been advised of the possibility of such damages. In any event, Humanteq's total cumulative liability to you or any other party for any loss or damages resulting from any claims, demands, or actions arising out of, or relating to, this Agreement shall not exceed the amount paid by you for the Service in the 12 (twelve) months preceding the applicable claim, in the aggregate.
7.3 Humanteq does not assume any liability for any disturbances, limitations, interruptions or disruptions of the Services which are caused by circumstances beyond Humanteq's area of responsibility.
7.4 Humanteq shall only be liable for any damages which can be attributed to a willful or gross negligent violation of a duty by Humanteq, its legal representatives or employees, as a result of grave organizational neglect or which are based on defects of a warranted quality of the Services, pursuant to the statutory provisions. This limitation shall not apply to any damages resulting from injury of life, body or health.
7.5 Any claims for damages arising from a slight negligence by Humanteq shall become time-barred within one year upon occurrence of the damage. This limitation shall not apply to any damages resulting from injury of life, body or health. All other claims for damages shall become time-barred within the statutory period.
7.6 The Customer is obliged to indemnify Humanteq from any third-party claims that may have arisen as a result of the Customer unlawfully using the data provided by Humanteq. The indemnity obligation does not apply insofar as the claim is based on a gross negligent or intentional breach of a duty by Humanteq.
8. Term, Termination
8.1 The terms of this Agreement shall be in force for as long as an Order Form is in effect.
8.2 At the end of the Subscription Package term specified in your Order Form, your Subscription Package under such Order Form will automatically renew pursuant to the same terms and conditions, unless otherwise explicitly stated in an Order Form or if either party provides the other with written notice 15 (fifteen) days prior to the end of the then applicable Order Form term.
8.3 Each party may terminate the Agreement upon written notice if the other party is in material breach of the terms of the Agreement, and such breach is not cured within 30 (thirty) days from the receipt of written notice of such breach. Furthermore, Humanteq shall have a right to immediately suspend the Services in the event of non-payment;
8.4 Upon termination of this Agreement, the Customer is obliged to delete all copies of the codes that were provided by Humanteq.
8.5 The notice of termination is excluded prior to the end of the Term. If the Customer terminates this Agreement disregarding such exclusion, then the Customer shall be subject to a contractual penalty in the amount of the outstanding payments.
9.1 The parties shall keep all documents, information and data which have been disclosed during the course of the cooperation strictly confidential during the term of this Agreement and for 3 years thereafter. All such documents, information and data shall be used exclusively to perform the contractual services.
9.2 These confidentiality obligations also apply to documents, information and data that relate to companies affiliated with the parties, other cooperation partners or contractors and to documents, information and data about customers and sales representatives of the parties. Humanteq's Confidential Information includes, without limitation, the pricing of this Agreement.
9.3 These confidentiality obligations do not apply to documents, information and data that are in the public domain or later become part of the public domain through no breach of contract by a party, is required to be disclosed by operation of law, court or administrative order or that has been subsequently exempted from this confidentiality obligation by an agreement in writing, per fax or via email.
9.4 The Customer will not disclose any information regarding the results of any testing or evaluation of the Services to any third party without Humanteq's prior written consent. The non-disclosure and non-use obligations set forth in this Section 9 shall survive the termination or expiration of this Agreement for a period of 5 (five) years.
10. Data Protection
10.1 The Customer is obliged to comply with the applicable data protection law when using the Services and software and any requirements provided by Google Play Store.
10.2 Pursuant to art. 28 European General Data Protection Regulation ("GDPR") the Customer hereby commissions Humanteq to process personal data on its behalf in accordance with the scope and the conditions of the annex "Contractual Terms and Conditions for Data Processing".
10.3 The Customer is responsible to obtain and maintain valid consents from all their end-users, as may be necessary (if at all) under applicable law (including data protection or data processing laws and regulations) to process their personal data in the manners and for the purposes set forth in this Agreement.
10.4 The Customer must choose the correct settings for use of the Services and software if their services are directed to children. Specifically, the Customer must limit the collection and processing of personal data regarding children and obtain any necessary consent where required by law including art. 8 GDPR and the US Children's Online Privacy Protection Act ("COPPA").
11. Miscellaneous; Applicable Law and Venue.
11.1 Place of performance and exclusive place of jurisdiction for all disputes between the parties shall be Berlin if the Customer is a merchant, a legal entity under public law or a special fund under public law. Berlin shall also be the exclusive place of jurisdiction if the Customer does not have a general place of jurisdiction in Germany, if the Customer, once it has concluded the contract, moves its domicile out of Germany or whose domicile is unknown at the time the lawsuit is filed.
11.2 If any provision of this Agreement or part thereof is invalid or becomes invalid at a later time, the validity of the remaining provisions shall remain unaffected. The relevant provision shall be replaced by a provision that as closely as possible reflects the economic purpose of the invalid provision. The foregoing shall apply analogously if any provision has inadvertently been omitted.
11.3 Unless expressly agreed otherwise, the legal relationship between Humanteq and the Customer shall be governed by and construed in accordance with German law.
11.4 Humanteq has the right within the scope of the contractual purpose to process the data that was provided in accordance with applicable data protection law, or to commission third parties.
11.5 In case of a merger or acquisition, the Customer is nevertheless obliged to fulfil all of its obligations under this Agreement. Termination shall only be possible in accordance with section 8 of this Agreement.
12. Humanteq Entity
The Humanteq entity with which you are contracting under this Agreement or any Order Form depends on where you are domiciled. Unless otherwise indicated in an Order Form: (i) if you are domiciled in Russia Federation then you are contracting with OOO "TOD", located a Leninsky pr, 51/1, 25, 119991, Moscow, Russia; and (ii) if you are domiciled in any country other than the Russian Federation then you are contracting with Eko Concept GmbH Located at Im Stockig 8, 69427, Mudua, Germany, HRB 724533, Germany. It is further clarified that any Affiliate of Humanteq may provide certain services to support the provision of Services under this Agreement, including billing and payment collection services.
Annex "General Terms and Conditions for Data Processing"
1. Scope of Application
The Contractual Terms for Data Processing ("Contractual Terms") contain the Parties' obligations with regard to data protection, which arise in connection with the commission of Humanteq (hereinafter "Processor") by the contracting party (hereinafter "Controller") pursuant to article 28 Regulation (EU) 679/2016 ("GDPR"). The scope covers all tasks pursuant to the service description of these Contractual Terms during which the Processor's employees or third parties commissioned by the Controller come into contact or could come into contact with personal data.
2. Service Description
2.1. The Processor processes data on behalf of the Controller. Data Processing is the collection, use, retention, alteration, transmission, blocking or deletion of Personal Data by the Processor on behalf of the Controller.
Contractual Terms shall only apply with respect to Personal Data obtained by Processor as a result of Controller's implementation and use of the software development kit provided by Processor (the "Humanteq SDK") in accordance with Processors written instructions.
2.2. The purpose of the collection of this data is the processing of data for analyzing the user activities thus optimizing marketing and advertising campaigns of the Controller as well as for optimizing design of the mobile application.
The Data Processing includes the following data:
● List of applications installed on the Users' Device
● App End-User events
● IP addresses
● Unique user ID
● Device IDs including all advertising IDs
● HTTP Header including Processor's SDK version and user agent (country, language, local settings, (version of the) operating system) as well as the app-version
The Controller may send additional data about its customers and users to the Processor.
3.1. The group of data subjects affected by the processing of their data within this commission includes in particular the users who visit the Controller's app, the employees of the Controller who make use of the Services set out in the Service Agreement.
3.2. The Controller shall be solely responsible for compliance with the applicable data protection laws, in particular regarding the data transfer to the Processor and the data processing. Due to this responsibility, the Controller shall be entitled to request the deletion or return of the data during and after the term of the agreement.
4. Controller's Rights and Obligations
4.1. The Controller and the Processor are each responsible for compliance with the applicable data protection laws regarding the data to be processed.
4.2. The Controller shall promptly inform the Processor if he discovers any errors and/or irregularities with regard to the applicable data protection laws during his control of the results of such data processing.
4.3. The Controller has audited the proper processing of his data as well as the technical and organizational measures taken by the Processor on site, and shall continue to audit the compliance of such measures and document the results of such audits in writing during the term of the agreement. Proof of such measures, which concerns not only the specific contract, may be provided by certificates, reports or report extracts of independent instances (e.g. auditor, revision, data protection officer, IT security department, data protection auditors, quality auditors) or by a suitable certification by IT security or data protection audits.
4.5. Upon the expiration of the agreement, the Controller shall be obliged to decide whether the data is to be returned or deleted within a reasonable time period set by the Processor.
4.6. The Controller shall be obliged to keep a record of processing activities in accordance with art. 30 GDPR with Processor mentioned as the recipient of data set forth in 2.2, 2.3. and/or 2.4.
5. Processor's Obligations
5.1. The Processor shall process data only within the scope of the Controller's instructions as contractually agreed (art. 28 para. 3 GDPR). Instruction shall mean the written instruction issued by the Controller to the Processor that directs the Processor to perform a specific action with regard to personal data. Such instructions are specified within the scope of these Contractual Terms and can thereafter be modified, amended or substituted by the Controller by separate written instructions ("Individual Instruction"). Verbal instructions are immediately confirmed by the Controller (at least in text form).
5.2. Where a data subject directly addresses the Processor, the Processor shall immediately forward this request to the Controller. Insofar as it is included in the scope of services, the erasure policy, 'right to be forgotten', rectification, data portability and access shall be ensured by the Processor in accordance with documented instructions from the Controller without undue delay.
5.3. Processor shall promptly inform the Controller pursuant to art. 28 para. 3 subpara. 2 GDPR if he believes that an Instruction is in violation of data protection law.
5.4. The Processor shall design its internal corporate organization to ensure compliance with the specific requirements of data protection within the Processor's area of responsibility and the protection of the rights of the data subjects affected. In particular, the Processor shall implement the technical and organizational measures as stipulated in Section 6 herein to adequately protect the data from misuse and loss in accordance with art. 28 para. 3, art. 32 GDPR.
5.5. The Processor has chosen a data privacy officer, who carries out its activities pursuant to art. 38 and 39 GDPR. All inquiries should be addressed to firstname.lastname@example.org
5.6. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Controller, which includes the powers granted in this contract, unless required to do so by law.
5.7. The Processor shall promptly inform the Controller in the event of a serious interruption of the operating schedule, suspicion of data protection breaches or any other irregularity related to the processing of the Controller's data.
5.8. The Processor and the Controller shall cooperate with the supervisory authority on request in carrying out their tasks. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the order or contract data processing by the Processor, the Processor shall make every effort to support the Controller.
5.9. All data carriers provided to Processor as well as any copies thereof remain the Controller's property. The Processor shall store such data carriers with diligence and protect them against unauthorized access by third parties. The Processor shall be obliged to inform the Controller about its data and records at any time.
5.10. The Processor shall be obliged to delete any test and scrap material in accordance with the applicable data protection laws upon an instruction issued by the Controller on a case-by-case basis. In specific cases the Processor shall hand over such material to the Controller or store on the Controller's behalf upon request of the Controller.
5.11. Upon the expiry of this agreement, the Processor shall be obliged to hand over to the Controller all personal data that was provided with regard to the commission that has not been processed or deleted yet or to provide proof of their proper deletion.
5.12. The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in articles 32 to 36 of the GDPR. These include ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events, the obligation to report a personal data breach immediately to the Controller, the duty to assist the Controller with regard to the Controller's obligation to provide information to the Data Subject concerned and to immediately provide the Controller with all relevant information in this regard, supporting the Controller with its data protection impact assessment, supporting the Controller with regard to prior consultation of the supervisory authority.
5.13. The Processor may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
6. Technical and Organizational Measures
6.1. The Processor shall establish the security in accordance with art. 28 para. 3 point c, and art. 32 GDPR in particular in conjunction with art. 5 para. 1, 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of art. 32 para. 1 GDPR must be taken into account.
6.2. The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Processor to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented. The technical and organizational measures to adequately protect the Controller's data include:
a) Confidentiality (art. 32 para. 1 point b GDPR)
· Physical access control: The prevention of unauthorized parties gaining access to personal data processing systems. These measures include an electronic access control system with protocols and a documented key allocation to employees.
· Logical access control: Measures that prevent the unauthorized use of the data processing systems. A password protected access is used that only authorized personnel can use.
· Data access control: Measures that ensure that people entitled to use the data processing systems can solely access data that they are entitled to access in accordance with their access rights, and that during the course of processing, use and after storage, personal data cannot be read, copied, modified or deleted without authorization.
· Separation control: Measures that ensure that data that was collected for different purposes can be processed separately. The data is physically or logically stored separately from other data and the data backups are made on systems that are logically and/or physically separate.
· Pseudonymisation (art. 32 para. 1 point a GDPR; art. 25 para. 1 GDPR) The processing of personal data in such a method/way, that the data cannot be associated with a specific data subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organisational measures.
b) Integrity (art. 32 para. 1 point b GDPR)
· Data transfer control: Measures that ensure that during electronic transmission, transport or storage on data carriers personal data cannot be read, copied, modified or deleted without authorization, and that it can be established and verified to which entities a transfer of personal data by means of data transmission facilities is planned. All employees have undertaken to comply with the principle of data secrecy and there are capacities for encrypted data transmissions. Furthermore, the data is deleted in accordance with data protection laws after the end of the commission.
· Entry control: Measures that ensure the establishment of an audit trail to document whether and by whom personal data have been entered into, modified in or removed from the data processing systems.
c) Availability and Resilience (art. 32 para. 1 point b GDPR)
· Availability control: Measures that ensure that personal data are protected against accidental destruction or loss. Backup and recovery procedures with a daily mirroring of the data have been implemented. The technical availability is ensured by hard disk mirroring. In addition, there is uninterruptible power supply and a firewall system as well as port regulations are in place.
· Rapid Recovery (art. 32 para. 1 point c GDPR) Processor creates continuous backups, which are also continuously transferred to a remote site. With this back-up, the Processor can restore data. There is a regular check to see if recovery works this way.
d) Procedures for regular testing, assessment and evaluation (art. 32 para. 1 point d GDPR; art. 25 para. 1 GDPR)
· Data protection management: All employees are demonstrably committed to data secrecy and receive training at least once a year.
· Incident response management: In the event of a data loss, notification to the relevant data protection authority will be happening immediately. In addition, the management, the CTO and the data protection officer are informed immediately. Users and others may report any loss of data to email@example.com
· Data protection by design and default (art. 25 para. 2 GDPR): The Processor only collects data that is mandatory to promote their product.
· Control of instructions: Measures that ensure that personal data that are being processed on behalf of the Controller are processed solely in accordance with the Controller's instructions. The employees are instructed on the relevant data protection law on a regular basis, and they are familiar with the procedural requirements and user guidelines for data processing. The unambiguous wording of the contract ensures that the data may only be processed in accordance with the instructions issued by the Controller.
7. Correction, Blocking and Deletion of Data
7.1. Copies or duplicates of the data shall never be created without the knowledge of the Controller, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
7.2. After conclusion of the contracted work, or earlier, upon request by the Controller, at the latest upon termination of this agreement the Processor shall hand over to the Controller or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner.
7.3. If a data subject contacts the Processor directly to request the correction or deletion of his data, the Processor shall promptly forward this request to the Controller. If, under the provisions of the data protection law, the Controller is obliged to provide an individual with information on the collection, processing or use of the personal data, the Processor shall assist him in the provision of this information provided the Controller has requested the Processor to do so in writing and shall reimburse the Processor for the costs incurred.
7.4. Documentation which is used to demonstrate orderly data processing in accordance with the order or contract shall be stored beyond the contract duration by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.
8. Controller's Right of Inspection
8.1. Upon prior timely notification, the Controller shall be entitled to assure himself of the adequateness of the technical and organizational measures taken by the Processor on the Processor's premises during the regular business hours and without interrupting the business operations.
8.2. The Processor shall ensure that the Controller is able to verify the compliance of the Processor with the obligations pursuant to art. 28 GDPR. The Processor undertakes to give the contracting authority the necessary information on request and, in particular, to demonstrate the implementation of the technical and organizational measures. The Processor is entitled to claim compensation for the possibility of inspections by the Controller.
9.1. Subcontracting for the purpose of this agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Controller's data, even in the case of outsourced ancillary services.
9.2. The Processor shall be entitled to subcontract the Processor's obligations to third parties. The Processor must inform the Controller prior to each deployment of a subcontractor and any intended change in relation to the involvement or replacement of any subcontractors. The Controller then has the right to oppose the use of such subcontractors within three weeks.
9.3. If the Processor engages subcontractors, the Processor is obliged to pass on the contractual obligations hereunder to such subcontractors. In particular, the contract with the subcontractor shall include audit and inspection rights for the Controller in accordance with the terms of this agreement. Upon the Controller's written request, the Controller shall also be entitled to receive information about the essential terms of the contract and the implementation of the data protection obligations by the subcontractor, e.g. by reviewing the relevant agreement.
9.4. The transfer of personal data of the Controller to the subcontractor and its first-time action are only permitted if all the prerequisites for subcontracting are met. The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to Humanteq SDK Terms and Conditions and the respective Order Form.
The term of this agreement as well as the right of termination are determined by the agreement between the parties pursuant to Humanteq SDK Terms and Conditions and the respective Order Form.
The compensation for all services to be rendered pursuant to these Contractual Terms is included in the compensation agreed upon between the parties within the offer and/or the assignment. The parties agree that the provisions on the limitation of liability as included in Humanteq SDK Terms and Conditions shall analogously apply.
12.1. In the event that the Controller's data is endangered due to a levy of execution or confiscation, insolvency proceedings or any other events and/or third party measures, the Processor shall promptly notify the Controller. The Controller shall promptly notify all people who are responsible in this context of the Controller having retained ownership of these data.
12.2. If any provision of these Contractual Terms is invalid, the validity of the remaining provisions shall remain unaffected.
12.3. The legal relationship between the Controller and the Processor shall be governed by and construed in accordance with German law. Exclusive place of jurisdiction shall be the Processor's domicile to the extent permitted by law.