of MobiSystems, Inc.
4501 Mission Bay Drive, Suite 3A
San Diego, CA 92109
(the “Data Controller“, “us“, “we“, or “our“)
The Data Controller operates the mobisystems.com, officesuite.com, pdfextra.com and mobidrive.com websites, the OfficeSuite/ Pro/ Trial, MobiDrive, File Commander, PDF Extra, Oxford Dictionary of English and Talk & Translate multi-platform applications, as well as a number of mobile dictionaries and reference sources (the “Service“).
Our Service does not address anyone under the age of eighteen (“Child”). In some countries, we may impose higher age limits as required by the applicable law. We do not knowingly collect Personal Data of and from Children. If you are a holder of parental responsibility (a parent or a guardian) and you become aware that your Child has provided us with Personal Data without your consent or authorization, please contact us. Once we become aware of that, we will delete them.
1. Cookies: means small pieces of data stored on the user’s device.
2. Data Controller: means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the way any personal data are, or are to be, processed.
3. Data Processor or Service Providers: means a natural or legal person, public authority, agency, or other body (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
4. Personal Data: means any information relating to an identified or identifiable natural person (the “Data Subject”) via an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
5. Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
6. Recipient: means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.
7. Usage Data: means the data collected automatically either generated using the Service or from the Service infrastructure itself.
8. User: means the individual visiting and using our Service. The User corresponds to the Data Subject.
2.1 The main principles on which the Data Controller bases the processing of personal data are: (i) legality; (ii) good faith and transparency; (iii) minimizing data and limiting the purposes and retention period; (iv) accuracy; (v) integrity and confidentiality; (vi) accountability.
2.1.1 In order for the Processing to be lawful, the Data Controller processes your Personal Data based on legitimate grounds, when necessary, in the context of a contract or with an expressed intention to conclude such.
2.1.2 The principle of good faith and transparency requires the Data Controller to ensure that all information and communication related to the Processing of your Personal Data is easily accessible and understandable, using clear and unambiguous wording. This principle applies to the information that you as a Data Subject receive about the identity of the Data Controller and the purposes of the Processing, as well as to the additional information guaranteeing conscientious and transparent Processing.
2.1.3 Compliance with the third principle, namely to minimize data and limit the purposes and period of storage by the Data Controller, is ensured by collecting only those data that are absolutely necessary for the purposes and activities of the Data Controller and its compliance with the legal requirements, as they are processed only for specific, explicitly stated and legitimate purposes, and are not processed in a way incompatible with these purposes, and are stored for a period not longer than necessary or provided by the law.
2.1.4 The principle of accuracy requires that all Personal Data processed by the Data Controller be accurate and kept up to date, and for this purpose the Data Controller relies on you as a Data Subject, on your correctness and assistance. If it proves impossible to correct inaccurate Personal Data provided by you, the Data Controller shall delete them in a timely manner, considering the purposes for which they are processed.
2.1.5 In accordance with the principle of integrity and confidentiality, the Data Controller processes your Personal Data in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, applying appropriate technical or organizational measures.
2.1.6 The principle of accountability comes to ensure before you that everything the Data Controller does regarding your Personal Data is subject to control and the Data Controller is responsible for it.
2.2 The Data Controller ensures that all persons involved in the Personal Data processed by it are familiar with the basic principles set out here, this Policy, as well as the applicable legal requirements regarding the protection of your Personal Data.
III. Types of Personal Data collected
3.1 While using our Service, we may ask you to provide us with certain Personal Data. The categories of Personal Data may include, but are not limited to:
- First name and surname
- Country and country code
- Email address
- Phone number (if applicable)
- Habitual residence (if applicable)
- Google, Facebook, Huawei, Microsoft and/ or Apple credentials and profile pictures (if applicable)
- Billing and payment data – credit or debit card number, bank account information (if applicable) and information about payments
- Cookies and Usage Data – device type, device ID and/ or IP address, crash logs data, diagnostic data, music files data and other information as clarified below (if applicable)
- Communications and content, including audio, video, text (typed, inked, dictated, or otherwise), in a message, email, or chat (if applicable).
3.2 The Data Controller receives your Personal Data in the following ways: (i) personally from you, when you visit and start using the Service; (ii) from other sources like Google, Facebook, Apple, etc. but only as supplementary information to that, already provided voluntarily by you; and (iii) through so-called Cookies and other unique identifiers.
3.4 Please note that when you provide your credit or debit card number on the Service, this Personal Data is automatically redirected for Processing to our Service Providers of Payments as enumerated in item 9.4 below. We do not process this Personal Data ourselves. We process only a derivative information about your payments (amount paid, date of payment, return, if any, transaction history, etc.).
3.5 Where required by law, we store the data and information we collect from you when you are unauthenticated (not signed in) separately from any Account Personal Data that directly identifies you, such as your name, email address, or other. If we link other data and information relating to you with your Personal Data, we will treat that linked data as Personal Data. Please note that, if you use the unauthenticated version of our Service, you may contact us with a request concerning your rights as Data Subject, but in this case, we may not be able to identify you. If such a situation occurs, please go to your Service settings and explore your options.
3.6 In addition, some of our Service have optional features which, if used by you, require us to collect additional information to provide such features. You will be notified of such collection, as appropriate. If you choose not to provide the information needed to use a feature, you will not be able to use the respective feature. For example, you cannot open files from your device if you don’t grant file access permission to the respective application. Another example is the camera access – we ask for permission to access your device’s camera. If you grant permission, you may be able to take pictures or video within the app experience. Permissions can be managed through your Account settings.
IV. Grounds for Processing
4.1 Once provided, your Personal Data will be processed by us (our authorized employees/ representatives/ Data Processors) on the following grounds: (i) the Processing is necessary for the performance of a contract to which you as Data Subject are party or in order to take steps at your request prior to entering into any such contract; (ii) the Processing is necessary for compliance with a legal obligation to which we as Data Controller are subject; and (iii) the Processing is necessary for the purposes of the legitimate interests pursued by us as Data Controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms as Data Subject which require protection of Personal Data, in particular where you are a Child.
4.2 When you have consented to your Personal Data being processed by the Data Controller for direct marketing and remarketing purposes, you have the right to object/ opt out to this at any time in one of the ways described below. Upon receipt of your objection/ opt out, we shall cease the Processing of your Data for these purposes.
V. Purposes of Processing
5.1 The Data Controller processes/ uses your Personal Data and Usage Data for the following purposes:
5.1.1 for provision and maintenance of the Service, its modifications, changes, updates, or enhancements, including but not limited to, provision of interactive features associated with the Service; for Service-related announcements; to detect, prevent and address technical and security issues; for monitoring of the Service usage; for transfer of your Personal Data to our Service Providers/ Data Processors; for measuring effectiveness and analysis; for processing of subscriptions and collection of fees; for execution of distance End-User License Agreements (whether paid or as a free trial); for returns and reimbursements; for management of your account; for measures to protect the Service against fraud, IP rights infringements, cyberattacks and other attempts to harm the rights, property, piracy or safety of the Data Controller and/ or our employees, Users, Children, or the public
5.1.2 for direct marketing and remarketing, including but not limited to, tracking preferences and interests, sending you information about our Services and/ or special offers, participation in promotions, raffles and competitions, filling in and submitting questionnaires and quizzes, conducting surveys, market research, etc.
5.1.3 for customer support, assistance, and solving problems; for investigating and responding to any comments or complaints
5.1.4 for the observance of legal obligations by the Data Controller, including arising from the applicable tax and accounting legislation
5.1.5 for the protection of the legitimate rights and interests of the Data Controller and third parties, in full balance with your interests, fundamental rights and freedoms
5.1.6 for the transfer of your Personal Data to competent authorities; for handling various other risks, as well as any other purposes compatible with the above.
5.2 The Processing of Personal Data for purposes other than those for which they were originally collected is also permitted when the Processing is compatible with the purposes for which they were originally collected. Processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes should be considered as compatible lawful processing operations.
VI. Retention period
6.2 The Processing of your Personal Data will continue as follows: (i) in cases where you have filled in and submitted incorrect, incomplete or inaccurate data, and there is no way to be corrected or updated by the Data Controller, they will be deleted within one (1) month as of their receipt; (ii) in the case of consent given for direct marketing, until the Data Controller has received your objection/ opt-out to the processing of Personal Data for this purpose; (iii) in cases where the Processing is based on a signed contract – until the final settlement of the legal relationship between you and the Data Controller and five (5) years thereafter, except in cases of legal or enforcement proceedings, tax inspections and/ or audits, as well as when the protection of the legitimate interests of the Data Controller or third parties requires a longer period. All these terms will be valid only on condition that laws or by-laws do not provide for longer or shorter ones. Usage Data is generally retained for short periods, except when this data is used to strengthen the security or to improve the functionalities of our Service, or we are legally obligated to retain this data for longer time periods.
6.4 The Data Controller makes regular checks on the Personal Data processed and stored, and based on the rules contained herein, proceeds with their deletion, destruction, or anonymization for statistical or research purposes. Regarding Personal Data, for the storage of which special laws provide for longer periods, the Data Controller shall take technical and organizational measures for their archiving so that they are not subject to further Processing and cannot be amended.
VII. Transfer of Personal Data. Recipients
7.1 Your Personal Data may be transferred to and processed on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. Also, the privacy protections and rights of authorities to access your information may not be equivalent to those in your country. If you are located outside United States and choose to use the Service, please note that your Personal Data are received and processed in the United States. Your Personal Data are stored and kept safe in Google Cloud Platform. More information thereof you can find on the following link: https://cloud.google.com/security/infrastructure.
7.2 We will only transfer your Personal Data when appropriate safeguards are put in place to ensure that they receive adequate protection. Depending on the case, we transfer or may give access to some of your Personal Data to the following categories of Recipients: (i) companies from the group to which the Data Controller belongs; (ii) Service Providers – partners and contractors like courier service providers, payment/ banking service providers, marketing service providers, including digital advertising agencies and market research service providers, IT and hosting service providers, fraud monitoring and prevention service providers, and other companies with which the Data Controller develops joint programs; (iii) public government bodies and organizations, where this is necessary in order to protect the legitimate interests of the Data Controller or third parties, or where it is provided for as a legal obligation.
7.4 If the Data Controller merges with or is acquired by another company, sells a Service, or business unit, or if all or a substantial portion of our assets are acquired by another company, your Personal Data will likely be disclosed to our advisers and any prospective purchaser’s advisers and will be one of the assets that is transferred to the new owner.
VIII. Disclosure for law enforcement
Under certain circumstances, we may be obliged to disclose your Personal Data by law or in response to valid requests by public authorities (e.g., a court or a government authority). Therefore, we may disclose your Personal Data in the good faith belief that such action is necessary to:
- comply with a legal obligation, a subpoena, a court or administrative order or another official act of a competent public or government authority
- protect and defend the rights or property of the Data Controller
- prevent or investigate possible wrongdoing in connection with the Service
- protect the personal safety of our employees, Users, Children, or the public
- respond to an emergency involving the danger of death or serious bodily harm
- protect ourselves against legal liability.
IX. Cookies. Usage Data. Service Providers. Others
- Necessary Cookies: we use Necessary Cookies to operate our Service. They help make the Service usable by enabling basic functions and access to secure areas. The Service cannot function properly without these cookies.
- Preference Cookies: we use Preference Cookies to remember your preferences and various settings. They enable the Service to remember information that changes the way it behaves or looks like your preferred language or the region that you are in.
- Statistic Cookies: we use Statistic Cookies to help us understand how you interact with the Service by collecting and reporting information anonymously.
- Security Cookies: we use Security Cookies for security purposes.
- Advertising Cookies: we use Advertising Cookies to serve you with advertisements that may be relevant to you and your interests.
9.2 Usage Data. We may also collect Usage Data that your browser sends whenever you visit our Service or when you access the Service by or through a computer or a mobile device. This Usage Data may include information such as your computer’s Internet Protocol address (e.g., IP address), browser type, browser version, search terms, entered into a search engine which led you to our Service, types of apps and websites of your interest, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other logs and diagnostic data. When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, and other logs and diagnostic data.
9.3 We may employ third party companies and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform the tasks assigned on our behalf and are obligated not to disclose or use them for any other purposes whatsoever.
9.3.1 Service Providers of Analytics Data:
a) Google Analytics and Firebase are web and application analytics services offered by Google that track and report website and applications traffic and information about your device. This information is automatically uploaded to the Google servers and used to provide better services to the Users. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy
d) We use Adjust in our Android and iOS apps when conducting our marketing campaigns. Adjust may gather some analytics or statistical consumer data on our behalf to help us better understand how Users use our apps, and how our marketing campaigns are performing. For in-depth information about Adjust, see https://www.adjust.com/terms/privacy-policy/. To opt out of tracking by Adjust follow this link https://www.adjust.com/forget-device/.
e) We use AppsFlyer in our Android and iOS apps to gather basic statistical information and user data. This data helps us track the progress of our marketing campaigns and allows us to better understand how Users use our apps. For more information on the data gathered by AppsFlyer, see https://www.appsflyer.com/legal/privacy-policy/. To opt out of tracking by AppsFlyer follow this link https://www.appsflyer.com/legal/opt-out/.
f) We use AdMost in our Android, iOS and Windows apps when conducting our marketing campaigns. AdMost may gather some analytics or statistical consumer data and information on our behalf to help us better understand how Users use our apps, and how our marketing campaigns are performing. For in-depth information about AdMost, see https://resources.admost.com/privacy-policy/.
9.3.2 Service Providers of Advertising Data:
b) Meta Audience Network is used in our Android and iOS apps when conducting our marketing campaigns. They have developed a targeting technology which allows advertisements to reach a specific audience. While posting an ad, an advertiser is provided a set of characteristics that will define his target market. For in-depth information about Meta Audience Network, please see https://www.facebook.com/audiencenetwork/.
c) Google Ads remarketing service is provided by Google Inc. You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads. Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy/.
d) A4G – is an advertising service provider. It manages mobile ad sources in our Android and iOS app by providing full suite of video, rich media, interstitial & native ad formats. For more information on the privacy practices of A4G, please visit: https://a4g.com/privacy.
9.4 Service Providers of Payments. Our Service is provided not only for free but also against monetary consideration. In the latter case, we use payment/ banking service providers who adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of payment information. Once collected by us, your credit or debit card number is provided directly to our third-party payment service providers whose use of your Personal Data is governed by their Privacy Policies. They are as follows:
- a) Microsoft Store at https://www.microsoft.com/en-us/store/apps/windows
- b) Huawei App Gallery at https://appgallery.huawei.com/
- c) Apple Store In-App Payments at https://www.apple.com/legal/privacy/en-ww/
- d) Google Play In-App Payments at https://www.google.com/policies/privacy/
- e) Stripe at https://stripe.com/us/privacy
- f) PayPal at https://www.paypal.com/webapps/mpp/ua/privacy-full
b) “Do Not Track” Signals. We do not support Do Not Track (“DNT”). DNT is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable it by visiting the Preferences or Settings page of your web browser.
c) Conversion Tracking. We use Facebook Pixel for conversion tracking, which is the measurement of media performance with reference to campaign key performance indicators (KPIs). For more information, please visit this link: https://www.facebook.com/business/learn/facebook-ads-pixel.
d) Sentry.io is used in our Windows apps for error and performance monitoring to help us diagnose, fix, and optimize our applications. For more information, please visit this link: https://sentry.io/privacy/.
e) mconverter.eu is used in our apps and websites as a provider of file conversion related services. For more information on their privacy, please visit this link: https://mconverter.eu/#privacy.
f) Zamzar is used in our apps and websites as another provider of file conversion services. For more information on their privacy, please visit this link: https://developers.zamzar.com/privacy.
g) ABBYY is used in our apps and websites as an automated cloud OCR service that transforms documents into structured, actionable, process-ready content. For more information on their privacy, please visit this link: https://www.abbyy.com/privacy/.
X. Links to other websites
11.1 Some of our Services may require that you create an account with us (“Account“). When you create a personal Account, you will be asked to provide certain Personal Data and we will assign a unique ID number to identify your Account and the associated information. Thus, you become an Account Holder. Signing into your Account enables personalization, consistent experiences across products and devices, permits you to use cloud data storage, allows you to make payments using payment methods stored in your Account, and enables other features such as chats, file sharing and others. We may use the Personal Data provided therein for the purposes as enumerated in item 5.1 above, including but not limited to contact you via email messages regarding your Account and maintenance related issues, newsletters, as well as marketing or promotional information that may be of your interest. You may object/ opt out of receiving any or all these marketing communications from us by following the unsubscribe link or instructions provided in any email we send or by contacting us using the details provided herein.
11.2 Once created, the use of your Account is at your own risk. Please do not buy, sell, transfer, rent, and/ or lease your Account and/ or password to anyone. We will not take any responsibility for the use of your Account by others that is caused by your actions or negligent password keeping.
11.3 Please keep your Personal Data accurate and up to date. Whenever made possible, you can also update your Personal Data directly within your Account settings. If you are unable to do this by yourself, please contact us to make the necessary changes.
XII. Security of Data
12.1 The Data Controller undertakes to apply appropriate technical and organizational measures to ensure an appropriate level of security of your Personal Data. In assessing the appropriate level of security, account shall be taken of the risks associated with the Processing, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
12.2 With regard to automated processing, the Data Controller is applying measures aiming at:
12.2.1 control over access to equipment – to deny unauthorized persons access to the equipment used for Personal Data Processing
12.2.2 control of data carriers – to prevent reading, copying, modification or removal of data carriers by unauthorized persons
12.2.3 control over storage – to prevent the entry of Personal Data by unauthorized persons, as well as the performance of checks, modification, or deletion of stored Personal Data by unauthorized persons
12.2.4 consumer control – to prevent the use of automated processing systems by unauthorized persons through the use of data transmission equipment
12.2.5 control over access to data – to ensure that persons who are allowed to use an automated processing system have access only to the Personal Data covered by their access authorization
12.2.6 control over communication – to ensure the possibility of verification and establishment of which persons have been or may be transferred Personal Data, or which persons have access to Personal Data through data transmission equipment
12.2.7 control over data entry – to ensure the possibility for subsequent verification and establishment of what Personal Data have been entered into the automated processing systems, as well as when and by whom they were entered
12.2.8 control over the transfer – to prevent the reading, copying, modification or deletion of Personal Data by unauthorized persons during the transfer of Personal Data or during the transfer of data carriers
12.2.9 recovery – to ensure the possibility of recovery of the installed systems in case of failure of the functions of the systems
12.2.10 reliability – to ensure the implementation of the functions of the system and the reporting of defects in the functions
12.2.11 integrity – to ensure that the stored personal data is not damaged due to improper functioning of the system.
12.3 Through measures under the previous point, the Data Controller is aiming to ensure the protection of Personal Data at the design stage, considering the achievements of technical progress, implementation costs and the nature, scope, context, and objectives of Personal Data Processing, as well as risks to the rights and freedoms of individuals.
12.4 We follow generally accepted standards to protect the Personal Data submitted to us during Processing including HTTPS. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we do not guarantee the Personal Data absolute security.
XIII. Your rights as Data Subject. General Standards
The Data Controller respects your privacy no matter where your habitual residence is. We hereby provide you with the right to request access, correction, completion, update, and/ or erasure of your Personal Data. We will aim to address all you request, complaints and/ or worries within reasonable time as of their receipt by being compliant with our high standards for Personal Data protection and the applicable legislation.
XIV. Your rights as Data Subject in case you have habitual residence in EU. GDPR Compliance
14.1.1 Right of access: you have the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning you are being processed, and, where that is the case, access to the Personal Data and the following information: (a) the purposes of the Processing; (b) the categories of Personal Data concerned; (c) the Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organizations; (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning you or to object to such Processing when it is marketing purposes; (f) the right to lodge a complaint with a supervisory authority; (g) where the Personal Data are not collected from you, any available information as to their source; (h) the existence of automated decision-making, including profiling or at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you and (i) other processing-relevant information.
14.1.2 Right to rectification: you shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate Personal Data concerning you – right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
14.1.3 Right to erasure (“to be forgotten”): you have the right to request the Data Controller to delete without undue delay the Personal Data that concern you, when they are no longer needed for the purposes for which they were collected and/ or processed; when you withdraw your consent, on which their processing is based and there is no other legal basis for it; when you object to their Processing for the purposes of direct marketing and there are no legitimate grounds for processing to take precedence; when your Personal Data is processed in violation of the principles outlined above; when it must be deleted in order to comply with a legal obligation for the Data Controller or the Personal Data have been collected in relation to the offer of information society services. This right shall not apply to the extent that Processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that Processing; or (e) for the establishment, exercise or defense of legal claims.
14.1.4 Right to restriction of Processing: the Data Controller restricts the processing of Personal Data without deleting them when: (i) the accuracy of the Personal Data is disputed by you as a Data Subject and this cannot be verified, or (ii) Personal Data must be kept for evidentiary purposes.
14.1.5 Right to data portability: you have the right to receive the Personal Data concerning you, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the Personal Data have been provided, when the Processing is based on a contractual obligation and is performed in an automated manner. This right of yours cannot adversely affect the rights and freedoms of others.
14.1.6 Right of objection: If you have consented to the Processing of your Personal Data for the purposes of direct marketing, you have the right to object to this Processing at any time, including when it involves profiling. In any such case, the Processing of your Personal Data for the purposes of direct marketing is suspended.
14.1.7 In addition you have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for you and affects you significantly. In case you exercise this right, the Data Controller is obliged to apply appropriate measures to protect your rights, freedoms, and legitimate interests, ensuring human intervention and giving you the right to express your point of view and challenge its decision.
14.2 As a Data Subject, you may exercise the rights above by submitting a written application to the Data Controller. The application can be submitted by mail (at the address of the Data Controller or by e-mail). The application must contain: (i) name, surname, habitual residence, IP address (if applicable); (ii) a description of the request; (iii) a preferred form of obtaining information in the exercise of rights; (iv) signature, date of filing of the application. When the Data Controller has reasonable concerns, it may request additional information needed to verify your identity. The Data Controller satisfies your requests completely free of charge within (1) month of receipt. The period may be extended by two (2) months when this is necessary due to the complexity or number of requests. Where requests from a Data Subject are manifestly unreasonable or excessive, in particular because of their recurrence, the Data Controller may: (i) charge a fee commensurate with the administrative costs of providing the information or correspondence, or of acting on the request, or (ii) refuse to act on the request. Each time the Data Controller refuses to accept an application submitted by you for the exercise of the rights above, you will receive a written refusal, as well as the reasons for it. In these and other cases, the Data Controller will also inform you of your right to appeal or seek a court redress.
14.3 A register that contains information on submissions, considerations, and responses to all Data Subjects` requests will be kept by the Data Controller.
14.4 In case of the Personal Data breach, and provided that, it is likely to result in a high risk to your rights and freedoms, we will notify you thereof without undue delay and describe in clear and plain language the nature of the Personal Data breach, the likely consequences of it and the measures taken or proposed to be taken by us to address it, including, where appropriate, measures to mitigate its possible adverse effects. In some cases the communication shall not be required, especially when: (i) we have implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the Personal Data breach, such as encryption; (ii) we have taken subsequent measures which ensure that the high risk to your rights and freedoms is no longer likely to materialize; (iii) it would involve disproportionate effort, in which case, you will be informed in an equally effective manner like via a public communication or other.
14.5 In case of a violation of your rights under GDPR you have the right to refer to the competent supervisory authority at your habitual place of residence within six (6) months as of the violation discovery, but not later than two (2) years from its occurrence. You have an additional opportunity to file a claim against us before the competent court. In this proceeding you can seek compensation for the damages suffered by you as a result of illegal Processing of your Personal Data.
XV. Your rights as Data Subject in case you are a California resident. CCPA Compliance
15.1 WE DO NOT SELL OR RENT ANY COLLECTED PERSONAL DATA AND INFORMATION WITH ANY THIRD PARTY. However, while providing you with the Service, we may share some personal information about you with third parties with which the Data Controller develops joint programs or uses as Service Providers. Such information sharing may be considered a “sale” under the California Consumer Privacy Act of 2018, as amended (“CCPA“).
15.2 The CCPA defines Personal Information as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, inter alia, (i) identifying information, such as real name, postal address, unique personal identifier, IP address, email address, account name, social security number, passport number, driver’s license number, or other similar identifiers; (ii) commercial information, including records of personal property, products, or services purchased; purchases considered; or other purchasing histories; (iii) browsing history, search history, and information regarding a consumer’s interaction with a website or advertisement; (iv) geolocation data; (v) education information; (vi) inferences drawn from this information, such as personal characteristics, predispositions, intelligence, aptitude, etc. Therefore, if you are a California resident and a User of our Service, please be advised of the additional rights for California consumers, which are summarized below.
15.2.1 Right of access: you have the right to request (and receive) disclosure from us regarding: (i) specific pieces of Personal Information collected about you; (ii) categories of Personal Information collected; (iii) categories of the sources from which the information was collected; (iv) categories of Personal Information that we share or disclosed for a business purpose; (v) categories of third parties with whom the Personal Information was shared or disclosed; and (vi) the business or commercial purpose for collecting or sharing Personal Information. This disclosure is limited to information collected, sold, or disclosed in the past 12 months and does not cover sensitive information like consumer’s social security number, driver’s license number, account password or financial account numbers. In addition, we are not required to search for Personal Information if we: (i) do not maintain the Personal Information in a searchable or reasonably accessible format; (ii) maintain the Personal Information solely for legal or compliance purposes; (iii) do not sell the Personal Information and do not use it for any commercial purpose; and (iv) describe to you the categories of records that may contain Personal Information that we did not search because it meets the three conditions stated above.
15.2.2 Right to request deletion: you also have a right to request your Personal Information to be deleted. In this case, we will: (i) permanently and completely erase your Personal Information on existing systems and direct our partners and/ or Service Providers to do so, provided that, no exceptions are in place, or de-identifying the information or otherwise modifying it to make it unreadable or undecipherable through any means, and notify you that your Personal Information have been backed up or archived and will be deleted when those systems are next accessed. Neither we, nor our Service Providers are required to comply with your deletion request, if the Personal Information is necessary to: (i) complete a transaction for which the Personal Information was collected, provide a good or service requested by you, or otherwise perform a contract between us and you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity (or prosecute those responsible); (iii) debug to identify and repair errors that impair existing intended functionality; (iv) exercise or ensure the right of another to exercise free speech or another legal right; (v) comply with a legal obligation; or (vi) otherwise use the information internally in a lawful manner compatible with the context in which you have provided it.
15.2.3 Right to opt-out of the sale of personal information. CCPA Regulations require us to treat your user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal your choice to opt-out of the sale of your Personal Information as valid opt-out requests. We must comply with it as soon as feasibly possible, but at least within 15 days from receiving the request. Please be advised that in practice the following scenarios involving transfers of Personal Information between entities are potentially excluded from the scope of a “sale”: (i) the linking, at the consumer’s request, of one online account to another; (ii) sharing a particular device identifier with vendors to give effect to a consumer’s opt-out request; (iii) standard relationships with third party vendors or service providers who process data, provided appropriate contractual restrictions are in place; or transfers of data on a merger, acquisition or insolvency event.
15.2.4 Right to opt-out of receiving electronic communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you other messages in connection with providing our Service.
15.3 Upon verifying your identity, we will notify you that your request has been received and is being processed. We will respond within 45 days after verification to any of your access requests and deletion requests. The 45-day response time can be extended but only with appropriate notice and explanation. The Data Controller maintains records of your requests.
15.4 To meet CCPA requirements under item 15.2.3, provide links to the relevant opt out methods of our Service Providers as per item 9.3 above.
15.5 Non-discrimination: the CCPA provides that you may not be discriminated against for exercising the above rights. You can also designate an authorized agent to exercise these rights on your behalf. We may require that you provide the authorized agent with written permission to act on your behalf and that the authorized agent verify their identity directly with us.
15.6 In addition to the above, we comply with the requirements of the Privacy Rights for California Minors in the Digital World Act (“the Eraser Law”) as far as it is applicable to our Service. This law provides additional protections to individuals under the age of 18 in California, including a right to be forgotten, which enable minors to remove their own posts (but not republications of their posts or posts about them by others). The Eraser Law also prohibits companies who operate websites or online services directed at minors from using the minor’s personal information to market or advertise certain enumerated products and services deemed potentially harmful for them.
15.7 Data Breach Notification under Cal. Civ. Code §§1798.29, 1798.82 and 1798.84. We will notify you in due time of any unauthorized acquisition of unencrypted computerized data that contains your Personal Information. This is in addition to any other specific notification obligations for data breaches contained in other statutes.
XVI. Your rights as Data Subject in case you are a Virginia resident. VCDPA Compliance
The Virginia Consumer Data Protection Act (the “VCDPA”) takes effect on January 1, 2023, and affects companies and organizations that do business in Virginia or that deliver products or services to residents of Virginia. The VCDPA requires companies and organizations to adhere to several duties when processing consumers data. In a nutshell, what the VCDPA requires from companies and organizations to do is to discover what personal data is processed, map out how and to whom they share personal data, and manage how personal data is stored, as well as protect personal data from breaches and abuse. By being in compliance with the GDPR and the California’s CCPA/CPRA, MobiSystems also complies with the VCDPA and commits to address all requests of consumers from Virginia within 45 days as of their receipt.
XVII. Amendments and supplements
Please do not hesitate to contact our Data Protection Officer (DPO) Mr. Stoyan Gogov at [email protected] in case you need assistance or clarification, want to exercise your legal rights, or file a complaint.