1. SCOPE OF THIS POLICY
1.1. The following privacy policy (hereinafter: Privacy Policy) applies to all cases where Campy OÜ (hereinafter: Campy) processes personal data of natural persons (hereinafter: Data Subject) as a controller when operating and managing its websites app.campy.eu and campy.eu and mobile application (hereinafter all foregoing referred as: Platform).
1.2. The Platform operated by Campy allows the registered non-business user (hereinafter: End-User) to take part of different campaigns (hereinafter: Campaign) created by the companies registered on the Platform (hereinafter: Company). Within such Campaigns the End-User can complete certain challenge(s), e.g., watch a video, visit a certain location (hereinafter: Challenge) and, in case of a successful completion of a Challenge, receive a reward (hereinafter: Reward), and purchase products uploaded to the Platform by the Company.
1.3. Generally, Campy is not the data controller where Campy processes the personal data of the representatives of the Company or the existing clients of the Company (or natural persons otherwise connected to the Company) who are not End-Users. As such, for such processing this Privacy Policy does not apply. Also, this Privacy Policy does not apply to cases where the Company processes the End-User data as a controller itself (e.g., in order to fulfil the sales agreement entered into between the End-User and the Company).
1.4. Campy is committed to protecting and respecting the Data Subjects’ privacy. Please read this Privacy Policy carefully to understand Campy’s rules and practices regarding processing personal data.
1.5. This Privacy Policy applies from the date as set above. Campy has the right to unilaterally make amendments to the Privacy Policy. In such case the amended Privacy Policy shall be uploaded to the Platform and/or will be sent to the Data Subject by e-mail.
2. DATA CONTROLLER
2.1. For the purpose of clarity, the data controller for the purposes of this Privacy Policy is Campy OÜ, registry code 14840749, registry address Estonia, Rae, Nelgi street 3, 75310. Campy can be contacted any time by writing an e-mail at feedback[at]campy.eu.
3. WHY AND WHAT CATEGORIES OF PERSONAL DATA IS PROCESSED
3.1. Campy collects and processes personal data for the following purposes:
a) providing services (hereinafter: Services) to the End-User via the Platform, which includes communicating with the End-User, providing the End-User customer support. This also includes displaying to the End-User the Campaigns which the End-User may be interested of based on the personal data of the End-User;
b) communicating with a potential End-User in relation to providing the Services in the future if the potential End-User has so requested;
c) sending news, special offers and general information about the Services to the End-User, unless the End-User has opted-out from receiving such information;
d) displaying personalized advertisements (e.g., displaying Campy’s advertisements and offers by Campy’s partners);
e) improving the Platform and the Services;
f) enforcing and defending Campy’s legal rights;
g) complying with legal or regulatory obligations or requests which Campy is subject to.
3.2. Campy may collect and process the following personal data:
a) for provision of the Services (purpose stated in clause 3.1.a):
i. the End-User’s first and last name, birth date, gender, photo, e-mail address, address, phone number, ranking, interests (as chosen by the End-User), location data, payment information (bank account number, billing address etc.), language preference, connection to a Company (e.g., the fact that the End-User is a client of the Company);
ii. data about the Campaigns displayed to the End-User as well as data about the Campaigns in progress or completed or added as a favourite by the End-User – this may include any data submitted or created by the End-User, e.g., submitted photos, answers to questions, also data about the Reward which the End-User receives, etc.;
iii. data about the products sold by the Companies via the Platform to the End-Users (hereinafter: Product), including the name, price, quantity of the Products, delivery address, purchase history;
iv. data about the Campy Credits (hereinafter: CCs) that the End-User has (including amount, transaction history, etc.);
v. technical usage data (e.g., unique device identifiers, browser type and version, device type and operating system);
vi. any information the End-User may voluntarily provide as regards to the Services (e.g., via End-User support);
b) for communicating with the potential End-Users (purpose stated in clause 3.1.b): any data the person makes voluntarily available, usually being first and last name, e-mail address;
c) for sending news, special offers and general information about the Services (purpose stated in clause 3.1.c): the Data Subject’s name, e-mail address, interests, Platform usage history;
d) for personalized advertisements (purpose stated in clause 3.1.d): Data Subject’s Platform usage history, interests;
e) for improving the Platform and the Services (purpose stated in clause 3.1.e): any of the categories of personal data listed above, depending on the exact development works done for the Services and/or the Platform. Usually, the personal data is pseudonymised for development works;
f) for enforcing and defending Campy’s legal rights (purpose stated in clause 3.1.f): any of the categories of personal data listed above, determined case-by-case according to the legal right Campy is entitled to execute;
g) for complying with legal or regulatory obligations or requests (purpose stated in clause 3.1.g): any of the categories of personal data listed above, determined case-by-case according to the obligation or request Campy is subject to.
3.3. If the entry of any other personal data has been made mandatory upon account registration (e.g., entering e-mail) or after registration when using the functions of the Platform, then the submission of the respective personal data is required for concluding the agreement between Campy and the End-User or for performing the respective agreement. As such, in these cases the submission of personal data is mandatory and if it is not submitted, it is impossible either to enter into this agreement or perform this agreement. If the entry of personal data has not been made mandatory on the Platform and the submission of personal data is not required from the Data Subject in any other way, the submission of personal data is voluntary and non-submission does not have any direct adverse consequences for the Data Subject. However, failure to provide personal data may limit the use of the Platform functions and available Campaigns.
3.4. Generally, the Data Subject’s personal data is collected from the Data Subject himself/herself (e.g., Data Subject himself/herself gives his/her name, e-mail address, etc. to Campy). However, Campy may receive the fact that the End-User is connected to a Company from the Company which the End-User is connected to (e.g., the fact that the End-User is the Company’s client). Also, if the Data Subject uses Google or Apple (or any other) account for logging in, then the respective entity submits to Campy the Data Subject’s name and possibly e-mail address, profile picture and language preference.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.1. Campy processes personal data because it is necessary for the fulfilment of a contract concluded between Campy and the End-User for provision of the Services (clause 3.1.a)); or for taking steps at the End-User’s request prior to entering into a contract (clause 3.1.b)). In such a case the legal basis for processing data is the contract concluded between Campy and the End-User; or the End-User’s request prior to entering into a contract.
4.2. Where Campy processes personal data for sending news, special offers and general information about the Services (clause 3.1.c)), the legal basis is Campy’s legitimate interest to keep the End-User in loop of any information, advancements or offers available regarding the Services. The End-User has always the possibility to opt-out from receiving such data (e.g., unsubscribe button below each e-mail). If the End-User opts-out, Campy shall no longer send such information.
4.3. In case where Campy processes personal data for displaying personalized advertisements (clause 3.1.d)), the legal basis is a prior consent given by the Data Subject. If the Data Subject does not give a consent for collecting the respective cookies for displaying the personalized advertisements, Campy shall not process personal data for that purpose and personalized advertisements are not shown. The Data Subject may at any time withdraw consent by sending a respective notice to Campy’s e-mail address feedback[at]campy.eu. Withdrawal of the consent shall not affect the right to use the Platform and receive the Services.
4.4. If Campy processes personal data to improve the Platform and the Services (clause 3.1.e)), the legal basis for processing personal data is Campy’s legitimate interest to improve and develop functioning of the Platform, provision of the Services and its quality. Campy cannot provide the best and most modern Platform and Services without doing any development works.
4.5. Campy processes personal data also for enforcing and defending Campy’s legal rights under the legitimate interest pursued by Campy (clause 3.1.f)). It is Campy’s legitimate interest to enforce and defend its legal rights if Campy sees it as necessary.
4.6. Where Campy processes personal data for complying with legal or regulatory obligations or requests, the legal basis is the necessity to comply with the legal obligations to which Campy is subject to (clause 3.1.g)).
5. PERSONALISED EXPERIENCE
5.1. Based on the filters chosen by the End-User and the information collected about the End-User (e.g., age, location, etc.), each End-User may be shown different available Campaigns. The objective of this is to show each End-User a tailor-made selection of Campaigns which the particular End-User is interested in and thereby fulfil the contract entered into between the End-User and Campy for the use of the Platform. In any case, Campy assures that such activity does not entail any legal or otherwise significant effects concerning the End-User. Especially taking into account that generally the End-User can delete the applied filters and see all the available Campaigns.
5.2. The End-User may at any time indicate via the App that the End-User is no longer interested in certain type of products in which case the Campaigns related to such type of products are no longer displayed.
6. DISCLOSING PERSONAL DATA
6.1. Campy shall not transfer the Data Subject’s personal data to third parties except for the following cases:
a) to the Companies where necessary for the respective Company to fulfil its obligations arising from the sales agreement entered into with the End-User;
b) to companies which provide cloud computing services in which Campy stores and processes personal data (e.g., Hetzner Online GmbH, registered in Germany);
c) to companies which provide software development services (e.g., Owlab OÜ, a company registered in Estonia);
d) to Google where submitting data related to displaying personalised advertisements (to Google Ireland Limited and its affiliates; where data is sent outside of the EEA, Standard Contractual Clauses adopted by the European Commission are applied to safeguard the data processing).
6.2. All authorized third-party processors to whom Campy transmits personal data shall ensure the protection of personal data as required by the legislation regulating the protection of personal data.
6.3. Furthermore, Campy shall send personal data to a relevant institution requiring personal data, if Campy is under a duty to disclose or share such personal data in order to comply with any legal or regulatory obligation or request deriving from the law.
6.4. Also, where the End-User adds another End-User as its friend in the App, then some of the personal data of the End-User is displayed to his/her friends in the App – e.g., name, profile picture and data which Campaigns were participated.
7. HOW LONG IS PERSONAL DATA PROCESSED
7.1. Campy only processes and stores the personal data for as long as it is necessary to fulfil the purpose for which it is processed – once the purpose has ceased, the personal data will be erased or anonymised.
7.2. The personal data will be processed:
a) up to 30 days after the deletion of the End-User’s account, where Campy processes personal data in relation to providing the Services (clause 3.1.a));
b) up to 30 days after the last contact with the potential End-User, where Campy processes personal data in relation to providing the Services in the future (clause 3.1.b));
c) up to 30 days after the deletion of the End-User’s account or until opt-out (whichever happens earlier), where Campy processes personal data regarding sending news, special offers and general information about the Services to the End-User (clause 3.1.c));
d) up to 6 months from receiving the consent (or less, if the consent is withdrawn), where Campy processes personal data for displaying personalized advertisements (clause 3.1.d));
e) up to 30 days after the deletion of the End-User’s account, where Campy processes personal data regarding improving the Platform and the Services (clause 3.1.e));
f) up to 3 years after the deletion of the End-User’s account, where Campy processes personal data regarding enforcing and defending Campy’s legal rights (clause 3.1.f));
g) up to 3 years after the deletion of the End-User’s account, where Campy processes personal data regarding complying with legal or regulatory obligations or requests (see clause 3.1.g)).
7.3. Personal data contained in any accounting documents shall be stored for 7 years from the end of the last financial year they relate to.
8. DATA SUBJECT’S RIGHTS
8.1. The Data Subject has the right to contact Campy by writing an e-mail at feedback[at]campy.eu. to exercise the Data Subject’s rights concerning processing of personal data. Such rights include the:
a) right to request access of personal data;
b) right to request rectification of personal data;
c) right to request erasure of personal data;
d) right to request restriction of processing of personal data;
e) right to object to processing of personal data;
f) right to request portability of personal data;
g) right that decisions are not taken concerning the Data Subject which are based on automated decision-making;
h) right to withdraw a consent;
i) right to lodge a complaint with a supervisory authority (Estonian Data Protection Inspectorate – https://www.aki.ee/en).
8.2. Where Campy processes personal data based on its legitimate interest, the Data Subject has a right to request information from Campy about the applicability of the legitimate interest, including the explanation about the balancing of interests between the Data Subject and Campy.
9. THIRD PARTY SITES
9.1. The Platform may, from time to time, contain links to and from the websites of Campy’s partner networks, advertisers and affiliates (including, but not limited to, websites on which Campy and the Platform are advertised). If the Data Subject follows a link to any of these websites, it must be considered that these websites and any services that may be accessible through them have their own privacy policies and that Campy does not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Campy recommends checking these policies before submitting any personal data to these websites or using any of these services.