Privacy Policy

Last revision published on: 03 November 2024

1. INTRODUCTION

The Company thanks all Users for using the Site as well as the Digital Services. When the User accesses the Site and uses the Digital Services, he entrusts the Company with his Personal Data. Please note that, for the Company, protection and privacy of User’s Personal Data is a fundamental commitment. Therefore, the Company is dedicating all necessary resources and efforts to ensure that any User’s Personal Data is processed in strict compliance with the General Data Protection Regulation and any other applicable legislation.

Transparency is a key principle of this legal framework so this Privacy Policy (hereinafter referred to as the ”Policy”) aims to inform the Users about (a) how, when and why the Site collects, uses, transfers and stores the Users’ Personal Data when interacting with the Site, (b) who is involved in processing such data; (c) how such data is stored; and (d) what rights do the Users have with respect to their Personal Data. This Policy also applies, where relevant, to all User’s Data collected by the Company through the Site and the Digital Services.

1.1. Who we are. Contact details.

Coffee Tap Studio S.R.L. (the ”Company”) is a company established and operating in accordance with the laws of Romania with its registered office in 8 Finlanda Street, 2nd floor, apt. 3, 1st District, Bucharest, Romania, registered with the Romanian Trade Registry under no. J40/5352/2024, having sole registration code 49753478, e-mail [email protected].

For the purposes of Data Protection Legislation, the Company is an operator when processing the User’s Personal Data. Please note that, in accordance with the applicable laws and regulations, the Company is not required to designate a data protection officer, therefore any questions or concerns regarding this Policy or the Company’s practices related to a User’s Personal Data can be addressed by using the contact form available on the Site or by sending an e-mail.

1.2. Acceptance of this Policy

By creating an Account on the Site, the User confirms that he has read, understood, and fully and unconditionally Consented to this Policy. For clarity purposes, when the User is in the process of creating an Account, a pop-up message will appear (including a link to this Policy), and the User will be asked to give his express Consent regarding data processing by the Company. Therefore, the Company encourages all Users to read this Policy carefully, as it is important. Furthermore, for a correct and complete understanding of this Policy, it is recommended to read carefully the definitions contained in Article 1.4. below. Should the User not agree, even partially, with any Article of this Policy, he must not create an Account or discontinue use of the Digital Services and the Site immediately by closing the Account.

1.3. Accessing third party links

This Policy does not cover third-party applications and websites that the User can access from the Site. By accessing the page of a third party, such website may collect or share the Personal Data of the respective User. Please note that the Company does not control and is not responsible for any third-party data processing, privacy, and security policies. Therefore, the Company recommends that Users carefully read the privacy policy of any third party prior to the transmission of any Personal Data.

1.4. Definitions

When used in this Policy, the following terms shall have the following meaning:

• ”Account” – the personal profile created by a User on the Site whose purpose is to allow its holder to access, manage, and use the Services;
• ”Consent” of the User - any freely given, specific, informed and unambiguous indication of the User's wishes by which he, by a statement or by a clear affirmative action, signifies agreement to the processing of any and all Data (including Personal Data) relating to him;
• ”Data” – any information provided by the User to the Site, either directly or through third-party accounts or services linked by the User to the Site, which includes, but is not limited to, the User's email address, Account name/ credentials required for accessing the Site, and any other information necessary for the User to properly use the Digital Services (such as events, dates, descriptions, and additional email addresses or any other third-party information);
• ”Data Protection Legislation” –all applicable privacy and data protection laws and regulations, including without limitation: (i) EU Directive 2002/58/EC (as amended, superseded or replaced) and any applicable national implementations of them; (ii) the General Data Protection Regulation (EU 2016/679) and any national implementing laws, regulations, secondary legislation or mandatory decisions issued by a supervisory authority, in each case, as may be amended and / or updated from time to time;
• ”Data Subject” - an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
• ”Digital Services”- any services that the Company provides without any cost (during the free trial period) or for a fee through the Site to the User (including but not limited to any and all software and its features or other developed computer programs as the Company makes available in conjunction therewith including such patches, updates, upgrades, other modifications and replacements thereof as the Company may from time to time provide);
• ”Feature” — a component, property, or an aspect of the Digital Services;
• ”Notice” –any notice, request or any other document required or permitted to be given to the other Party by and in connection to the provisions of this Agreement;
• ”Personal Data” - any information relating to an identified or identifiable natural person (”Data Subject”);
• ”Personal Data Breach” - a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
• ”Pseudonymisation” - the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person;
• ”User” – any person who created a user account, whether for his own professional interest or on behalf of a legal entity and has access to the digital services (including during the free trial period);
• ”Services” – means collectively: (i) the Digital Services, (ii) any and all Features and other resources or benefits for use in conjunction with the Digital Services, and (iii) the technical support services concerning the foregoing, provided by the Company;

2. PURPOSE AND LEGAL BASIS

The legal basis for the processing of Personal Data by the Company is represented by Article 6 (a), (b) of the General Data Protection Regulation. This means, that the Company processes any User’s Personal Data only if the User has given his express consent when creating his Account and to the extent that it is necessary for the performance and delivery of the Digital Services to the User, ensuring the technical functionality and operational continuity of the Digital Services.

Mainly the Company processes User’s Personal Data for the following reasons: (a) to provide the Digital Services; (b) to improve any Features available to the User; (c) to develop new Features; (d) to improve overall service quality; (e) for marketing and communication purposes (e.g. promoting new Features, notice of suspension of Digital Services), and (f) to comply with any applicable law.

The Company can also process User’s Personal Data to defend its legitimate interests, respectively to protect its rights and business and might take measures to (a) protect the Site and Users against cyber-attacks, (b) prevent and detect fraud attempts, or (c) manage various risks. The general basis of these types of processing is the Company’s legitimate interest to defend its business. However, the Company will ensure that all measures to be taken guarantee a balance between its interests and the User’s fundamental rights and freedoms.

The Company will process User’s Personal Data only for the purposes stated above. Should the Company need to process any User’s Personal Data for other reasons, the Users shall be notified in advance of such reason. However, please note that the Company might process Personal Data without informing the User or requesting his Consent where allowed by the law.

As stated in the Terms of Service, the User will be requested to provide certain Personal Data for Subscription reasons as well as for security of the Account directly to third parties. For detailed information regarding the purpose of Data processing by the Company and third parties please see Annex 1 to this Policy.

3. DATA

3.1. What Data is processed and how it is collected?

Depending on the Digital Services or functionalities to which the User subscribes on the Site, the Company must collect, use, store or transfer certain User’s Data, which will generally be, as appropriate, the following, grouped by category:

Generally, the Company collects Data directly from the Users, allowing them to have control over the type of information they choose to provide. This includes Personal Data that the User voluntarily submits or gives access to through registration or interaction with the Site and the Digital Services.

However, the Company can automatically collect certain User Data when the Site or the Digital Services are used, such as IP address, browser type, operating system, usage patterns and device identifiers. This Data is collected through technologies such as cookies, web beacons and similar tracking technologies to monitor and analyse usage, improve service quality, and ensure the functionality of the Site and Digital Services.

The Company might also receive User’s Data from third-party sources, such as social medial platforms, business partners and analytics providers. This can include information regarding the Subscription (such as failure to pay or cancellation of the Subscription), User’s interactions with the Site or other services he might use.

For further details on the methods the Company uses to collect Data related to the Users, please see Annex 2 to this Privacy Policy.

As explained in the Terms of Service, the Site and the Digital Services are only intended for Users who are of legal age (meaning 18 or over). The Company reserves the right, in case it is discovered by any means, that the User who created the Account falsely declared to be of legal age, to terminate such Account.

Moreover, the Company does not want to consciously collect and process any Data related or pertaining to persons under the age of 18. The User who provides any information in violation of the Terms of Services or this Policy, whether for Account creation or the use of the Digital Services, assumes full responsibility for that information.

Please note that the Company may also collect and use for any purpose Aggregated Data that may be derived from the User's Personal Data. These Data are not considered Personal Data in the sense provided by the General Data Protection Regulation, as such Data does not directly or indirectly reveal the identity of the User. For example, such Data might be used to determine the number of Users accessing a particular Digital Service or Feature provided by the Company.

The Company does not collect any sensitive categories of data (details about racial or ethnic origin, political opinions, religious confession, philosophical beliefs or trade union membership and the processing of genetic or biometric data for the unique identification of the User, data on the health of the User, his sexual life or sexual orientation). Also, the Company does not collect data and information about criminal convictions or offenses.

3.2. Social Media Account integration and Data Use

The Site provides the option to register and log in using credentials from third-party social media accounts (such as Facebook or Twitter). Should the User choose this method, the Company will receive specific Personal Data from the social media provider. The information shared with the Company may vary depending on the social media platform but typically includes the User’s name, email address, friends list, profile picture, and any other details that the User chose to make public.

The Company will utilize the information received solely for the purposes outlined in this Privacy Policy or as otherwise required by the applicable laws or regulations. Please be aware that the Company does not control, nor is it responsible for, any additional use of the User’s Personal Data by the social media provider. It is recommended to review the privacy policy of the social media provider for the User to understand how they collect, use, and share his Personal Data, and to manage privacy settings on their platforms.

3.3. Failure to provide Data

When the User is asked to grant access to or enter certain Data, the mandatory information will be marked accordingly, as such information is necessary for the Company to provide the Digital Services or to provide access to certain Features. The User should be aware that if access is not granted or the required information is not provided, it may not be possible to complete Account registration, access the Digital Services or certain Features.

Furthermore, if the User submits a request via email or through the contact form available on the Site, and the Company is unable to verify the User's identity, the Company reserves the right to withhold a response to such request.

3.4. Creation and Use of Data

While providing the Digital Services, the Company might create and process Data related to the Users. This includes records of User’s interactions with the Digital Services and details of his activity on the Site. Specifically, the Company may generate the following types of Data:

(a) Interaction Records. The Company might maintain records of User’s interactions with the Digital Services, including communications and requests he makes, to better understand the User’s needs and preferences.

(b) Usage History. Such Data might be created and used by the Company to enhance service delivery, optimize features, and tailor the experience to the User’s requirements.

(c) Service Provision: The Data generated is utilized to provide and refine the services requested by a User, ensuring they are delivered accurately and effectively.

3.5. Personal Data Retention

The Company takes reasonable measures to ensure that User’s Personal Data is retained only for the minimum duration necessary to fulfil the lawful purposes outlined in this Privacy Policy. The retention period is determined by the following criteria:

(a) Ongoing Relationship. The Company will keep User’s Personal Data in an identifiable form for as long as an ongoing relationship with him exists, such as if the User remains on the Company mailing list without unsubscribing.

(b) Legal Reasons: The Company will retain User’s Personal Data in an identifiable form for as long as it is required for the lawful purposes outlined in this Policy, and the Company has a valid legal basis for processing it (e.g., where legal obligations necessitate the retention of User’s Personal Data). Additionally, the Company will retain User’s Personal Data for the duration of any applicable statutory limitation period, during which a legal claim may be brought against the Company in connection with the User’s Data.

(c) Legal Claims: In the event of any relevant legal claims, the Company will continue to process User’s Personal Data for the additional periods necessary to address such claims.

During these retention periods, the Company will restrict its processing of User’s Personal Data to secure storage and maintaining its confidentiality, unless access is needed for legal claims or to comply with legal obligations. Once the retention periods have concluded, the Company will either permanently delete or destroy the relevant User’s Personal Data or anonymize/ Pseudonymize it, thereby rendering it unidentifiable.

3.6. Data Security

The Company understands how important is the security of User’s Data and is committed to safeguarding such information. For this reason, the Company has implemented the following technical and organizational security measures to protect the integrity and confidentiality of the Data that is processed through the Site:

(a) Specific Policies. The Company has adopted and will review whenever deemed necessary its internal Data processing practices and policies (including physical and electronic security measures) to protect its systems from any unauthorized access or other possible threats.

(b) Data Minimization. The Company takes reasonable measures to ensure that the volume of Data processed is restricted to what is reasonably necessary for the purposes outlined in this Policy.

(c) Restricted Data Access. The Company strives, as much as possible, to restrict access to the Data it processes to the minimum necessary: employees, collaborators, and others who need to access this Data to perform a service. Partners and collaborators are subject to strict confidentiality obligations (statutory and legal).

(d) Specific Technical Measures. The Company uses technologies to ensure the security of its User’s Data and will always try to implement the most optimal solutions for the protection of such Data. Furthermore, the Company makes periodic Data backups to help recover any lost Data in case of an incident or a breach and has implemented periodic audit procedures regarding the security of the equipment used.

(e) Data Accuracy. The Company may occasionally ask the User to confirm the accuracy, timeliness or correctness of the Personal Data provided while using the Site or the Digital Services.

(f) Staff Training. The Company's staff (including collaborators) is permanently trained and tested on the legislation and best practices in the field of Data processing.

(g) Data Anonymity. Where possible, the Company will try as much as possible to anonymize / Pseudonymize the Personal Data processed so that the Users/persons to whom they refer cannot be identified.

These measures are designed to prevent unauthorized access, disclosure, alteration, or destruction of User’s Data (including any and all Personal Data).

Although the Company will make every effort to protect Users’ Data, we cannot guarantee the absolute security of Data transmitted to or from the Site. Any transmission of Data (including any and all Personal Data) is at the User’s own risk, and it is the User’s responsibility to ensure that any such Data sent to the Company is transmitted within a secure environment.

In the event of a Personal Data Breach, the Company will take prompt action to mitigate the impact of the breach and protect affected individuals. The Company will notify the relevant supervisory authorities and, where required by law, inform the affected individuals without undue delay. Such Notice will include information about the nature of the breach, the likely consequences, and the measures the Company is taking to address it. The Company is committed to taking all reasonable steps to prevent future breaches and minimize any harm caused by such incidents.

3.7. Disclosure of Data

The Company may disclose User’s Data to third parties only under specific circumstances and in accordance with the Data Protection Legislation. These circumstances may include, but are not limited to:

(a) Service Providers: The Company may share Data (including any and all Personal Data) with trusted third-party service providers who assist in the operation of the business, delivery of the Services, or support of internal processes, under strict confidentiality agreements.

(b) User Requests. The Company may disclose Data (including any and all Personal Data) to third parties as needed to fulfill User requests for information or services, or to transmit data, in accordance with the User’s explicit Consent and instructions.

(c) Legal Obligations: User’s Personal Data may be disclosed by the Company if and when required to comply with legal obligations, such as responding to a court order, subpoena, or government request.

(d) Business Transfers: In the event of a merger, acquisition, reorganization, or sale of all or a portion of the Company’s assets, User’s Data (including any all Personal Data) may be transferred to the acquiring entity, subject to the terms of this Privacy Policy.

(e) Protection of Rights: The Company may disclose User’s Personal Data when necessary to protect its rights, property, or safety, or that of our Users, employees, or others, or to enforce its legal agreements and policies.

Any disclosure of User’s Data (including any all Personal Data) will be limited to the minimum necessary to achieve the intended purpose, and appropriate safeguards will be applied to ensure the security of such data during the disclosure process.

The Company will take reasonable steps to ensure that the User's Data (including any all Personal Data) remains within the European Economic Area ("EEA"). However, if such Data must be transferred to countries outside the EEA, the Company will ensure that the transfers are lawful and relying on the User's explicit Consent or another valid legal basis.

Any third party is required to adhere to the Company’s security standards applicable to the User's Data and to process such Data in compliance with relevant legal provisions. Third-party vendors are not permitted to use Users' Data for their own purposes. They are authorized to process such Data solely for the specified purposes and in accordance with the Company's instructions.

3.8. International Transfer of Data

The Company may transfer User’s Data to countries outside of the EEA, including in the United States. These countries may not have the same level of data protection as within the EEA. However, where such international transfers are necessary, the Company will ensure that appropriate safeguards are in place to protect all User’s Data, in accordance with applicable data protection laws.

By creating an Account on the Site, the User expressly Consents to the transfer of their Data (including any all Personal Data) to third parties, including those based in the United States, for the purposes of storage and processing as stated in this Policy. The Company ensures that any international transfers are conducted in compliance with legal requirements and that User’s Data is treated securely in line with this Policy. Each time the Company transfers any User’s Data outside the EEA, it will ensure that there is a similar level of protection through one of the following safeguard mechanisms:

(a) Data will be transferred to countries where it has been demonstrated by the European Commission that an adequate level of security for Personal Data is provided. For more information the User can access the following link.

(b) If the Company engages with specific service providers, it might use contractual agreements that have been approved by the European Commission, which are designed to ensure that Personal Data receive the same level of protection as it would within the EEA**. For further details please see the following link.

(c) When the Company engages with suppliers based in the United States, Data may only be transferred if those suppliers provide protection standards comparable to those required for data transfers between the EU and the US, similar to those in the EU. Although the EU-US Privacy Shield is no longer valid, the Company takes all reasonable steps to ensure that its partners comply with the necessary conditions to keep User data secure. For more information, please visit the following link.

(d) For data transfers to the UK, the Company will rely on the standard contractual clauses. A User can learn more about these clauses by accessing the following link.

Should the User have any questions about the specific mechanism used by the Company when transferring Data outside the EEA, he can send a message using the contact form available on the Site.

4. USER’S RIGHTS

Under the General Data Protection Regulation, Users have the following rights regarding the processing of their Personal Data by the Company:

(a) Right of access. The User has the right to inquire and receive confirmation from the Company regarding whether or not any of his Personal Data is being processed. If such processing is taking place, the User is entitled, upon request, to access that data and obtain a copy. The Data stored and processed by the Company can be viewed by accessing the Account. However, should a User have questions regarding their Personal Data, including the data held, its purposes, the recipients of such data, any transfers of data abroad and the measures taken to protect it, the retention period, the User's rights, the process for filing a complaint, and the source of the data, to the extent that such information has not already been communicated through this Policy, please refer to the contact details provided at Article 1.1. of this Policy.

(b) Right to rectification. The User has the right to request the rectification of inaccurate Personal Data held by the Company.

(c) Right to erasure ("Right to be Forgotten"). The User has the right to request the erasure of his Personal Data where one of the following grounds applies: (i) the Personal Data are no longer necessary for the purposes for which it was collected or processed; (ii) the User has withdrawn his Consent and the Company does not have a legal ground for processing; (iii) the User exercises a legal right to oppose; (iv) the User’s Personal Data have been unlawfully processed; (v) the Company has a legal obligation in this regard. Please note that the Company is not required to comply with such request if the processing of the User's Personal Data is necessary, among other things, for compliance with a legal obligation or for the establishment, exercise, and defence of legal claims.

(d) Right to restriction of processing. The User has the right to request the restriction of processing in the following cases: (i) contests the accuracy of the Personal Data, for a period enabling the Company to verify the accuracy of such data; (ii) the processing is unlawful and the User opposes the erasure of the Personal Data and requests the restriction of their use instead; (iii) the Company no longer needs the Personal Data for the purposes of processing, but the User requests the data for the establishment, exercise or defence of legal claims; (iv) the User opposes the processing of his Personal Data for marketing purposes, for a period enabling the Company to verify whether the legitimate grounds of the Company override those of the User.

(e) Right to data portability. The User has the right to receive, upon request, his Personal Data in a structured, commonly used, and machine-readable format, and to request that this data be transmitted to another data controller, in the following cases: (i) the processing is based on Consent; (ii) the processing is carried out by automated means.

(f) Right to object. The User has the right to object to the processing of Personal Data, particularly when processing is based on legitimate interests or for direct marketing purposes. In such cases, the Company will no longer process the User’s Personal Data, unless the Company can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the Data Subject or for the establishment, exercise, or defence of legal claims.

(g) Automated individual decision-making. The User has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or similarly significantly affects him. This right has the following limitations: (i) the automated decision is necessary for entering into, or performance of, an agreement between the Company and the User; (ii) the decision is authorized according to legal norms; (iii) the Company has the User’s explicit Consent. In such cases, the User can send to the Company a request for his Personal Data to be manually processed.

(h) Right to withdraw Consent: Where processing is based on Consent, the User has the right to withdraw Consent at any time without affecting the lawfulness of processing based on Consent before its withdrawal.

However, if the Users withdraws Consent for the processing of Personal Data certain Features of the Digital Services may no longer function as intended. This is because some functionalities of the Digital Services rely on the processing of Personal Data, and the withdrawal of Consent may limit or prevent the ability to provide these features. The User will be informed of the potential impact on their use of the Digital Services at the time of Consent withdrawal.

Regarding direct marketing communications, the User has the right to unsubscribe via the unsubscribe link in the sent email or through the notification section available in the Account.

5. NOTICES. REQUESTS. COMPLAINTS.

Should a User have any questions regarding this Policy or his rights under the General Data Protection Regulation, or to raise any concerns or complaints regarding data handling practices, contact can be made directly via [email protected] or through the contact form provided on the Site.

To exercise any of their rights referred to in Art. 4 above, Users may contact the Company through the provided contact details. Please note that the rights listed above are not absolute. There are certain exceptions, which is why each request shall be reviewed to determine whether it is founded or not. To the extent that the User’s request is founded, the Company will facilitate the exercise of his rights. Should the request be unfounded, the Company will reject it. However, the User will be notified of the reasons for refusal and the right to lodge a complaint with the National Authority for Consumer Protection and to address the law.

The Company will try to respond to such requests within 30 days. Please note that the deadline might be extended depending on various aspects, such as the complexity of the request, the large number of the requests received, or failure to identify the User within a proper time limit. To respond to a User’s request, it is possible for the Company to require additional information to confirm his identity. If although the Company makes every effort, it fails to identify the User and he does not provide additional information when requested in order to identify him, the Company is not required to comply with the request.

The User does not have to pay any tax to exercise his right to access (or any other legal right). However, the User might have to pay a reasonable fee if his request is clearly unfounded, repetitive, or excessive. Alternatively, in these circumstances, the Company may choose not to comply with this request.

Furthermore, if it is believed that a User’s rights under the GDPR have been violated, a formal complaint may be submitted to the competent supervisory authority. In Romania, the appropriate authority is the National Authority for Consumer Protection (”ANPC”), which can be reached through its official website or by other means provided by ANPC.

6. MISCELLANEOUS

6.1. Amendments

The Company reserves the right, at its own discretion, to amend, modify, or supplement this Policy at any time for any reason, especially to comply with the relevant legislation. Such and any changes will be: (a) incorporated into this Policy, and (b) effective immediately upon posting the revised Policy on the Site, unless otherwise specified.

In case of significant changes to this Policy, the Company shall notify the Users by posting a Notice on the Site or by other appropriate means, such as email. However, it is the User’s responsibility to regularly review this Policy for updates.

By continuing to access the Account or use the Digital Services after the revised Policy has been posted, the User will be deemed to have been made aware of and have given his express Consent with this Policy. If the User does not agree to the revised Agreement, he must discontinue use of the Services immediately.

In the event of any conflict between this Policy and any supplemental terms, the supplemental terms shall take precedence with respect to the specific terms to which they apply.

6.2. Language

This Policy has been drafted in Romanian and English. The interpretation and application of the Agreement shall be made according to the Romanian law. In case of any contradictions between the Romanian version and English version, the Romanian version shall prevail.

Annex 1

Annex 2