I. INTRODUCTION
Welcome to https://evalato.com (hereinafter referred to as “Web site” or “Website”) which is operated by “Weemss” Ltd, a Bulgarian company, with UIC: 202592905, having its seat registered at Republic of Bulgaria, Sofia, postal code 1680, “Manastirski livadi” District, 9A “Sinanishko ezero” street, office No. 3.
BY USING OUR WEBSITE YOU ACKNOWLEDGE THAT YOU ARE AWARE OF OUR LEGAL GROUNDS AND METHODS IN CONNECTION WITH THE COLLECTION AND PROCESSING OF YOUR PERSONAL DATA IN ACCORDANCE WITH OUR PRIVACY POLICY.
PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING OUR WEBSITE AND IF YOU HAVE ANY QUESTIONS ABOUT THIS PRIVACY POLICY, PLEASE CONTACT US AT: HELLO@EVALATO.COM. IF YOU DO NOT AGREE TO ANY OF THE CONDITIONS CONTAINED IN THIS PRIVACY POLICY, YOU SHOULD NOT USE OUR WEBSITE.
DATA CONTROLLER
“Weemss” Ltd. (hereinafter referred to as “We/Our”) is a Bulgarian company, with UIC: 202592905, having its seat and registered address at Republic of Bulgaria, Sofia, postal code 1680, “Manastirski livadi” District, 9A “Sinanishko ezero” street, office No. 3 and website: https://evalato.com.
SUPERVISORY AUTHORITY
Commission for Personal Data Protection
Address: Republic of Bulgaria, Sofia 1592, 2 Prof. Tsvetan Lazarov Blvd.
Telephone: +3592/91-53-518; +3592/ 91-53-515; +3592/91-53-519
Fax: +3592/91-53-525
Email: kzld@cpdp.bg
Website: www.cpdp.bg
II. PURPOSE AND SCOPE OF THE PRIVACY POLICY
1.1 We understand the privacy concerns of the visitors to this Website (hereinafter referred to as You/Your) regarding the protection of personal data and are committed to protecting their personal data by applying all the standards for the protection of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”). With this Privacy Policy, We respect Your privacy and We undertake every effort to protect Your personal data against unlawful processing by applying technical and organizational measures, which are entirely consistent with state-of-the-art technological developments and provide a level of protection that corresponds to the risks associated with the processing and the nature of the data that should be protected.
1.2 With this Privacy Policy and in compliance with the requirements of the GDPR, We provide information on:
– Information identifying “Weemss” Ltd. and contact details;
– the purpose and scope of Our Privacy Policy;
– the personal data We collect and process;
– purposes of personal data processing;
– period for which the personal data will be stored;
– mandatory and voluntary nature of provision of personal data;
– processing of personal data;
– protection of personal data;
– recipients of personal data;
– Your rights;
– the procedure to exercise the rights;
– other information provided for in Art. 13 of the GDPR.
1.3. In certain cases, We will process Personal Data in different capacities (as a Data Controller and Data Processor). We will process Your Personal Data as a Data Controller when We are in Our capacity as a Provider of Service, as requested by You as a User of the Service. We shall process Personal data as a Data Processor when Participants and/or Customers (with the meaning set out in the Terms of Service) provide You with such Personal data in connection with the Service We provide to You. We process this data only occasionally for the purpose of helping You manage a program, like compiling analytics data, and fulfilling Our obligations to You.
1.4 We are a Data Processor on Your behalf as part of the requested Service. This includes the parts of The Service where We facilitate the transmission of emails to The Customer or provide reports and tools that give You valuable insights into the effectiveness of Your marketing efforts. In this case, You are a Data Controller of the Personal Data provided by the Participants and/or Customers. You, in Your capacity as a Data Controller, are responsible for processing such Personal Data lawfully within the regulation set by Applicable Data protection laws.
III. DEFINITIONS
For the purposes of the GDPR and this Privacy Policy, the following terms shall have the following meaning:
1. Personal data means any information relating to an identified or identifiable natural person (‘individual’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
2. Processing of personal data means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
4. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
5. Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
6. A processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
7. Recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
8. Third-party means a natural or legal person, public authority, agency, or body other than the individual, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
9. Consent of the individual means any freely given, specific, informed, and unambiguous indication of the individual’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
10. A Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
IV. PRINCIPLES RELATING TO PROCESSING OF PERSONAL DATA
1. We observe the following principles relating to the processing of personal data:
– The personal data are processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
– The personal data are collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
– The personal data are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
– The personal data are accurate and, where necessary, kept up to date (‘accuracy’);
– The personal data are kept in a form that permits Your identification for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
– The personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
V. PERSONAL DATA COLLECTED AND PROCESSED BY US
A. Processing of special categories of personal data (“sensitive data”)
1. We do not collect and record special categories of personal data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. You shall not provide such sensitive data to Us. If You negligently or intentionally provide sensitive data to Us, We undertake to immediately delete such data.
B. Personal data that We collect directly from You
Personal data is collected directly from You when You contact Us using the Direct messaging System
1. You provide personal data to Us when You contact Us by sending a Direct message using the Direct Messaging System on Our website. When You send Us a message using the Direct Messaging System on Our Website, We collect and process the information that You have provided in the sent message, such as name, email address, telephone number, etc. This personal data is processed for the purpose of communication with You and record keeping. The processing of this personal data is necessary for actions preceding the conclusion of a contract and undertaken at Your request, namely providing more information on the services We offer in connection with a possible conclusion of a contract with You. Also, the processing may be necessary for the performance of a contract to which You are a party.
Personal data is collected directly from You when You contact Us by email.
2. You provide personal data to Us when You contact Us by sending an email. Our email address is specified in Our identification information in this Privacy Policy and in the Contacts menu, accessible via the “Contacts” button located at the bottom left corner of the Website where Our contact details are provided. When You send an email to Us, We collect and process Your email address and the other information that You provide in the sent message, such as the address, Your names, etc. This personal data is processed for the purpose of communication with You and record keeping. The processing of this personal data is necessary for actions preceding the conclusion of a contract and undertaken at Your request, namely providing more information on the services We offer in connection with a possible conclusion of a contract with You. Also, the processing may be necessary for the performance of a contract to which You are a party.
Personal data is collected directly from You when You contact Us by sending a message using platforms to contact Us (such as Facebook, Instagram, etc.) and email.
3. You provide personal data to Us when You contact Us by sending a message using the platforms to contact Us (such as Facebook, Instagram, etc.) via the messaging service available through the respective platform. When You send a message to Us using the platform via the messaging service, We collect and process Your name, as well as the other information You provide Us in the sent message. This data is processed for the purpose of communication with You and record keeping. The processing of such personal data is necessary for the realization of Our legitimate interests, which legitimate interests are to reply to the received messages.
Personal data is collected directly from You when You send Us a message on one of the above mentioned social media platforms.
4. You provide personal data to Us when You register on Our website. When making a registration, You provide the following personal data that We collect and process, namely: Your first and last name, your email address, the password you choose for your account, your phone number, the name, the type, and the country of the organization you work for, the types of programs You are managing, as well as other personal data You provide us with. The collection and processing of this personal data are necessary:
– for the realization of Our legitimate interests, which legitimate interests are enabling You to maintain a registered profile on Our website in order to retain services You preferred or for You to request the preferred services;
– for concluding or executing a contract for the provision of service.
Personal data is collected directly from You when You register and request a service on Our website.
5. You provide Your personal data to Us when You have requested a service to be provided by Us from Our website. You provide the following data and personal data that We collect and process, namely: Your first and last name, email address, telephone, billing information, Payment method and any other information related to the Payment. The collection and processing of this personal data are necessary:
– for concluding or executing a contract for the request of a service;
– for fulfilling Our legal obligations for the purpose of issuing invoices.
Personal data is collected directly from You when You request a service from Our website.
C. Personal data collected from third parties
6.1 We usually do not obtain personal data from third parties. However, in some cases, if We have reasonable grounds to suspect there is an infringement of Our legal or intellectual property rights, then We will obtain personal data from public registers or private sources. This data may be processed for the purposes of investigating the infringement and taking legal actions against the infringement. The lawful grounds for the processing of the personal data are the legitimate interests pursued by Us, which legitimate interests are investigating the infringement and taking legal actions against the infringement.
D. Data collected automatically
1. When You visit Our Web site, We automatically collect the following data, namely:
– The type of device from which You access the platform (for example, a computer, a mobile phone, a tablet, etc.);
– Internet Protocol (IP) address of the device from which You access Our website (usually used to determine the country or city from which You access the website);
– Type of operating system;
– Type of the browser;
– Concrete actions undertaken, including the pages visited, frequency and duration of visits to Our website;
– Date and time of visits.
VI. USE OF COOKIES
1. You can obtain more information about how We use cookies on the Cookies Policy which is published on Our website.
VII. PURPOSES OF PERSONAL DATA PROCESSING
1. We collect and process Your personal data that You have provided directly to Us solely for the following purposes, namely:
– to provide the services that We offer, namely the services for creating and managing Award-winning Programs and to identify You (future and current clients);
– to contact You via email in order to respond to the received inquiries;
– for the execution of obligations of a contract to which You are a party, and for actions at Your request and preceding the execution of a contract;
– for the execution of Our obligations, stipulated by law;
– for the provision of the services which You have requested;
– for sending You useful information about the new functionalities of Our services and improvements of Our services;
– for accounting purposes;
– for statistical purposes.
2. We collect and process Your personal data that is automatically collected for the following purposes, namely:
– improving the efficiency and functionality of Our website;
– preparing anonymous statistics on how the website has been used;
– providing better services;
– administering the website;
– adapting Our website to Your preferences.
We may not use Your personal data for purposes other than those specified in this section of this Privacy Policy.
VIII. PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
A. Period for which the personal data will be stored
1. Inquiries and correspondence by email and platforms: We store the personal data and the communication received by email and messages sent by platforms for a period necessary to answer the received message and to satisfy Your request, as well as for one calendar year after We have answered the received message and satisfied Your request.
2. When You have requested a service, regarding the accounting records and financial statements, including documents for tax control, audit and subsequent financial inspections: We store Your personal data when You have requested service for a period of ten years with effect from 1st of January of the accounting period following the accounting period to which they relate, which is the term stipulated by law for such personal data.
3. When We and You have contracts concluded: 5 years from the date of termination of the contract, unless a longer retention period is provided for by law.
4. When You have registered on Our Website: We store Your personal data when You have registered on Our Website until You delete the profile from the Website.
B. Criteria for determining the period for which the personal data will be stored
1. In other situations, not specified above, We will store Your personal data for no longer than needed considering the following criteria, namely:
– if We are obliged by a legal norm to continue with the processing of Your personal data;
– if appropriate industry rules exist on the period for which Your personal data shall be stored;
– purpose for storing of Your personal data both currently and in the future;
– if We, in Our capacity as a Service Provider, and You, in Your capacity of Service User, have concluded an agreement and We are obliged to continue to process Your personal data in order to comply with the obligations under the agreement;
– purposes for using of personal data currently and in the future;
– if it is necessary to contact You in the future;
– if We have any legal ground to continue to process Your personal data;
– any other sufficient grounds, like the character of the relationship with You.
IX. MANDATORY AND VOLUNTARY NATURE OF PROVISION OF PERSONAL DATA
1. The personal data We require You to provide Us is in accordance with the services We offer. The provision of Your personal data is voluntary. In the event that You refuse to provide the personal data:
– We will not be able to provide the service You have requested;
– You will not be able to create a profile on Our website.
X. PROCESSING OF PERSONAL DATA
1. We process Your personal data using a set of actions that can be performed by automatic or non-automatic means.
XI. PROTECTION OF PERSONAL DATA
1. We undertake appropriate technical and organizational measures to protect Your personal data against accidental or unlawful destruction, or against accidental loss, unauthorized access, alteration or dissemination, as well as against other unlawful forms of processing, including the following:
– use only secure and protected servers and folders for storing Your personal data hosted by the cloud computing company DigitalOcean, Inc.
– verifying and confirming Your identification and inquiring about access to Your personal data before granting access to such personal data.
– web-based information systems have the prefix “https:” instead of “http:”. In this way, Your information is protected and unchanged and unread by third parties, and for this purpose, We use an SSL certificate with 128-bit encryption to protect all data. Your browser bar indicates the transmission of encrypted data with a closed padlock symbol visible in the status bar.
– Data can only be accessed by a few members of Our support team who have level 3 access, which allows us to provide You with outstanding customer support. Additionally, all members of Our support team are carefully selected, after passing a thorough background check.
– We never send correspondence, including electronically, requiring a username and password to access Your Account.
– We provide You with a secure and encrypted connection when sending personal data.
– We provide You with a secure and encrypted connection when You are logging into Your Account on the website.
– We do not store the payment data of Your customers or process any payments. No amount of money goes through the platform, Your customers pay You directly and the money goes in Your merchant account with the payment processor You are using. All payment processors integrated are cherry-picked for being market leaders and for maintaining the highest security standards.
2. In case You would like to receive detailed information about the technical and organizational measures, please do not hesitate to contact Us at hello@evalato.com.
XII. RECIPIENTS OF PERSONAL DATA
1. We have the right to disclose the personal data processed to the following categories of persons, namely:
- to You when You exercise the right to access the personal data relating to You.
- to state bodies if provided for in a legal act, for example, state bodies (NRA, Patent Office, Commercial Register, etc.).
- to data processors providing services in favor of Our business activities, such as accounting service providers, hosting service providers and website traffic analysis providers, which are subject to a confidentiality obligation, and they have provided sufficient assurance of enforcement of appropriate technical and organizational measures in such a way that the processing proceeds in accordance with the requirements of the Regulation and ensures the protection of the rights of individuals.
- to providers providing electronic and banking payment services.
2. We have the right to disclose Your name and email with Our sub-processors, Segment for customer data infrastructure, customer feedback platform Wootric, and customer messaging platforms Intercom and HubSpot, for the sole purpose of providing You with outstanding customer support.
3. We do not sell Your personal data to third parties.
XIII. YOUR RIGHTS
Right of access:
1. You have the right to obtain from Us confirmation as to whether or not Your personal data is being processed. If We process Your personal data We shall provide a copy of Your personal data undergoing processing.
Right to rectification:
2. You have the right to obtain from Us without undue delay the rectification of Your inaccurate personal data. Taking into account the purposes of the processing, You have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure (‘right to be forgotten’):
3. You have the right to obtain from Us the erasure of Your personal data without undue delay and We have the obligation to erase Your personal data without undue delay where one of the grounds stated in Article 17 of the GDPR applies.
Right to restriction of processing:
4. You have the right to obtain from Us restriction of processing where one of the grounds stated in Article 18 of the GDPR applies. If the processing has been restricted, such personal data shall, with the exception of storage, only be processed with Your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. We will inform You before the restriction of processing is lifted.
Right to data portability:
5. You have the right to receive Your personal data, which You have provided to Us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Data Controller without hindrance from the Provider to which the personal data have been provided, if the processing is based on consent or on a contract.
Right to object:
6. You have the right to object on grounds relating to Your particular situation, at any time to the processing of Your personal data. According to Article 21, Paragraph 4 of the GDPR the right to object shall be explicitly brought to Your attention and shall be presented clearly and separately from any other information. For compliance with this obligation, more information about the right to object can be found in the section below titled “Right to object to the processing of personal data”.
Right of withdrawal of consent:
7. You have the right at any time to withdraw the consent You have given. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. The order for withdrawal of the consent is specified in Section XIV of this privacy policy.
Profiling rights:
8. You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You.
Right to be informed about the personal data breach:
9. You have the right to be informed without undue delay about the personal data breach when the personal data breach is likely to result in a high risk to Your rights and freedoms.
Right to judicial and administrative protection:
– Right to lodge a complaint with a supervisory authority
10. Without prejudice to any other administrative or judicial remedy, You have the right to lodge a complaint with the supervisory authority, in particular in the Member State of Your permanent address, place of work or place of the alleged infringement if You consider that the processing of Your personal data infringes the GDPR.
– Right to an effective judicial remedy against a supervisory authority
11. Without prejudice to any other administrative or non-judicial remedy, You (whether an individual or legal entity) have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning You. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.
– Right to an effective judicial remedy against the Controller or processor
12. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, You have the right to an effective judicial remedy where You consider that Your rights under the GDPR have been infringed as a result of the processing of Your Personal Data in non-compliance with the GDPR. Proceedings against Us or a Data processor, acting on Our behalf, shall be brought before the courts of the Member State where We or the Data processor have an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where You have a permanent address.
Right to compensation and liability:
13. If You have suffered material or non-material damage as a result of an infringement of the GDPR, You have the right to receive compensation from Us or a Data processor, acting on Our behalf, for the damage suffered. Court proceedings for exercising the right to receive compensation shall be brought before the courts of the Member State where We or the Data processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where You have a permanent address.
XIV. PROCEDURE TO EXERCISE THE RIGHTS
1. You can exercise Your right to withdraw the given consent, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object and profiling rights, by submitting a written request to Us (either by post at the address specified in Our identification above or by email), which should contain the following information:
1.1. Your name, address, UIN and other data We need to identify You;
1.2. a description of the request;
1.3. the preferred form for obtaining information when exercising rights;
1.4. a signature, date of submission of the request, and email address or other address for correspondence.
2. The request shall be filed by You personally. We keep the requests filed by the individuals in a separate register. Where a request is made by a proxy, the power of attorney shall be attached to the request.
3. When You exercise the right of access to Your personal data We shall verify Your identity before responding to the request. This is necessary to minimize the risk of unauthorized access and identity theft. If We cannot identify You from the collected information, then We have the right to require a copy of Your documentation (such as Your ID card, driving license, and other documents containing personal data that identify You) in order to verify Your identity.
4. We consider Your request and provide You with the information on action taken on Your request within one month of receipt of the request. This period may be extended by two more months where necessary, taking into account the complexity and number of the requests.
5. We shall inform You of any such extension within one month of receipt of the request, together with the reasons for the delay. Where You make the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by You.
6. In case We do not take action on Your request, We shall inform You without delay and at the latest within one month of receipt of the request of the reasons for not taking action and the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
7. We shall communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. We shall inform You about those recipients if You request it.
XV. RIGHT TO OBJECT TO PROCESSING OF PERSONAL DATA
1. You have the right to object on grounds relating to Your particular situation, at any time to the processing of Your Personal Data. According to Article 21, Paragraph 4 of the GDPR the right to object shall be explicitly brought to Your attention and shall be presented clearly and separately from any other information. For compliance with this obligation, more information about the right to object will be provided in this section of the Privacy Policy.
2. You have the right to object on grounds relating to Your particular situation, at any time to the processing of Your personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Us or processing is necessary for the purposes of Our legitimate interests or by a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms which require protection of Your personal data, in particular where You are a child, including profiling based on any of these provisions. We shall no longer process Your personal data unless We demonstrate compelling legitimate grounds for the processing which override Your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. You can exercise this right by submitting a written request to Us, either by post at the address specified in Our identification above or by email.
3. Where personal data are processed for direct marketing purposes, You have the right to object at any time to the processing of Your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where You object to processing for direct marketing purposes, Your personal data shall no longer be processed for such purposes. You can exercise this right by submitting a written request to Us, either by post at the address specified in Our identification above or by email requiring Us to stop sending You marketing information or by clicking the unsubscribe link contained at the bottom of the email We send You.
XVI. BUTTONS, TOOLS AND CONTENT FROM OTHER COMPANIES
1. Our Website contains buttons, which connect to other third-party websites. All websites of such companies that can be accessed through Our website are independent and We assume no responsibility for any damages and losses incurred as a result of the use of these sites. You shall use these sites on Your own responsibility, and it is recommended that You familiarize Yourself with the relevant Privacy Policy of the respective company for more information.
XVII. CHANGES TO THE PRIVACY POLICY
1. This Privacy Policy may be updated at any time in the future. When this happens, the revised Privacy Policy will be posted on Our Website with a new “Last Updated” at the top of this Privacy Policy and will be in force from the date of publication. We will also inform You of such changes via email and in-app message; please make sure You have read the latest update. It is therefore advisable to periodically check this Privacy Policy to make sure that You are familiar with any changes. By using the Website after publishing the updated Privacy Policy, You will be deemed to acknowledge the changes made.
XVIII. CONTACTS
1. If You have additional questions about this Privacy Policy, please do not hesitate to contact Us at: hello@evalato.com.
Last updated: 9 April 2024