PLEDGE ON PRIVACY
INFORMATION WE COLLECT
Information We collect form the service providers
We may collect information from:
service providers that make user-generated content from their service available to others, such as local business reviews or public social media posts;
communication service providers, including email providers and social networks, when you give Us permission to access your data on such third-party services or networks;
partners with which We offer co-branded services or engage in joint marketing activities;
publicly-available sources, such as open government databases; and
non-personally identifiable information.
Information We collect by automated means
If you use the Platform, We may collect the following information by automated means:
The type of device you use and its operating system;
Identification details of your device (e.g., unique device identifier);
Internet protocol (“IP”) address; and
Information about your use of the Platform.
Non- Personal Information
We may de-identify personal information that We have collected from you through the Platform and combine it with de-identified information about other users, information from third parties, and/or publicly available information. We may also collect information other than Personal Information from you through the Platform when you visit and / or use the Platform. Such information may be stored in server logs. This Non-Personal Information would not assist Us to identify you personally. This Non-Personal Information may include:
Your geographic location;
details of your telecom service provider or internet service provider;
the type of browser (Internet Explorer, Firefox, Opera, Google Chrome etc.);
the operating system of your system, device and the website you last visited before visiting the Platform;
Platform visitorship information
We gather information from the Platform activity, such as data on the number of people who visit the Platform, the pages they visit, the duration of their stay, etc. Platform visitorship information includes:
Collected on an aggregate, anonymous basis, which means no personal identifiable information is associated with this data.
Gathered through the use of web server logs and cookies.
You may choose to provide Us with Personal Information through the Platform, like:
Contact information, such as your name, address, telephone number and email address;
Your profile, messages you send on the Platform, searches conducted by you and the reviews submitted by you;
Payment information, such as your payment card details;
Information obtained from the account you use to login to the Platform;
Personal Information in communications and other content you submit or share, such as photographs and video clips;
Information about services received/ rendered on the Platform; and
USE OF INFORMATION COLLECTED
Most of Our services do not require any form of registration, allowing you to visit Our Platform without telling Us who you are. However, some services may require you to provide Us with Personal Information. In these situations, if you choose to withhold any Personal Information requested by us, it may not be possible for you to gain access to certain parts of the site and for Us to respond to your query.
We may collect and use Personal Information to provide you with products or services, to bill you for products and services you request, to market products and services which We think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which We inform you when We collect Personal Infomation from you.
We are controllers of customer data and may process such data as may be required. We store the information collected from the Platform, which is used to:
Improve Our product;
Enhance the end user experience;
Provide, maintain and protect services, Platform and Our Business;
Communicate with the customers in relation to technical and other administrative matters via emails and other modes of communication;
Personalisation of the product and the services;
Reporting and Business operations;
Conduct and undertake research in order to develop and provide search, learning and productivity tools and additional features to service better experience;
Research wherein We investigate and help prevent security issues and abuse; and
Bill, manage accounts and other administrative matters in order to keep a track of the billings and payments.
The information is processed and analysed by automated means to offer a variety of features that you get from using the Platform. The information will be used for advanced analytics to offer additional insightful features in future. We may also anonymise (de-personalise) your information We collect and combine it with other information sources for the purpose of advanced analytics and future use cases.
STORAGE AND MAINTENANCE OF INFORMATION COLLECTED
Your Communication Preferences: To help Us make e-mails more useful and informative, We often receive a confirmation when you open e-mail from Us if your computer supports such capabilities. If you do not want to receive e-mail or other mail from us, you may adjust your customer communication preferences from the Platform.
We may be required to share the aforesaid information with government authorities and agencies for the purposes of verification of identity or for prevention, detection or investigation, including of cyber incidents, prosecution and punishment of offences. You agree and consent for Goals101 to disclose your information, if so required, under applicable law.
DISCLOSURE OF INFORMATION
Our customer’s privacy is extremely important to us. However, We may disclose certain information obtained due to the following:
To Our employees, in order to diagnose and resolve any problems or to provide support to you.
To any other person, who perform services on Our behalf, including credit-card and billing, survey administration, technical or customer support, shipping, and provision of email and data analytics.
To the business partners, who can alert you about the new services. Upon receipt of any alert if you desire to be removed from such alert list, you may inform the sender or unsubscribe from the list as provided in each mail alert.
In the event that We engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of a part of Our assets or stock, financing, public offering of securities, acquisition of all or a portion of Our business, a similar transaction or proceeding, or steps in contemplation of such activities (such as due diligence), some or all other information may be shared or transferred, subject to standard confidentiality arrangements.
Tto engage third party companies or individuals as service providers or business partners to process other information and support Our business. These third parties may provide virtual computing and storage services. This may be with or without your consent.
With Our with its corporate affiliates, parents and/or subsidiaries with respect to other information provided by the customer;
to protect and defend the rights, property or safety of the Company or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
If We are required to do so by law, regulation or legal process, such as a court order or in response to legal requests by government agencies or when We believe disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual unlawful activity.
SECURITY OF DATA
We take security of your data very seriously. We work hard to protect information you provide from loss, misuse, and unauthorised access or disclosure. These steps take into account the sensitivity of your information We collect, process and store, and the current state of technology. We retain the data collected from you for 7 years. In order to build Our Platform and products, We use multiple sources of data however, We do not use any of Your Personal Information for developing Our Platform and products. We maintain commercially reasonabley measures to maintain information security and prevent it from unauthorized access. Given the nature of communications and information processing technology, We cannot guarantee that any information, during transmission through the internet or while stored on Our systems or otherwise in Our care, will be absolutely safe from intrusion by others. Since, no security is fool-proof and in case We become aware of any breach of security of your information, We will notify you using the email address that We have. If you do not agree to the terms discussed above, you should exit Our Platform or stop using the same. When you access Our Platform, you acknowledge that you have read and agreed to abide by the terms described above.
LINK TO THIRD PARTY WEBSITES
Our Platform may contain links to third party websites/ apps, that display interest-based advertising using information you make available to Us when you interact with Our Platform, content, or services. Interest-based ads, also sometimes referred to as personalised or targeted ads, are displayed to you based on information from activities on Our sites, which are not under Our control. (please review this part)
We do not provide any Personal Information to advertisers or to third party sites that display Our interest-based ads. However, advertisers and other third-parties (including the ad networks, ad-serving companies, and other service providers they may use) may assume that users who interact with or click on a personalised ad or content are part of the group, to whom that the ad or content is directed towards. Also, some third-parties may provide Us information about you (such as the sites where you have been shown ads or demographic information) from offline and online sources, that We may use to provide you more relevant and useful information and services.
SOCIAL MEDIA WIDGETS
Individuals located in certain countries, including the European Economic Area, have certain statutory rights in relation to their Personal Information. If you are a resident or a citizen of European Union or the European Economic Area we will collect, store, process and control your information in accordance with our Data Protection Policy (DPA) provided under ‘Annexure A’ hereto. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. You can contact us for any help regarding the same.
E-mail: firstname.lastname@example.org ; or
Tel: +91 11 – 41112721; or
Physical Address: 217 B, Okhla Phase 3, Second Floor, New Delhi-110020
DATA PROTECTION POLICY
This Data Protection Policy (“DPA”) has been framed in compliance with GDPR issued by the European Parliament and Council. This DPA is applicable on every person that collects data from (“European Union”) EU residents, or processes data on behalf of a data controller, or any person based in the EU and has a contractual relationship with Goals101 Data Solutions Private Limited, a company incorporated under the Companies Act, 2013 having its registered office at 9/5, Nehru Enclave, East Kalkaji South Delhi 110019, India (hereinafter referred to as “Company”/ “We”/ “Us”/ “Our”).
This DPA is incorporated by reference into any and all agreements currently in place between you and the Company (“Agreement”). When you enter into any Agreement with the Company, you accept, without limitation or qualification, the DPA set forth below. You hereby represent and warrant that you have the authority to legally bind yourself and all of Your personnel, representatives and/or Affiliates operating pursuant to any such Agreement referenced herein.
The Company reserves the right to modify or update this DPA at any time and changes will become effective immediately upon posting. You are requested to check for updates to the DPA periodically.
You hereby agree to comply with the following provisions with respect to any Personal Data of one or more Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purposes of the DPA is to ensure such Processing is conducted in accordance with Data Protection Laws, including GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including this DPA. To the extent that the terms of this DPA differ from those in the Agreement, the terms of this DPA shall govern.
In this DPA, the following terms shall have the meanings set out below:
“Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Contracted Processor” means the duly appointed Data Processor or a Sub- processor;
“Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the GDPR;
“Data Subject” means the individual to whom the Personal Data relates;
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC;
“Security Breach” has the meaning set forth in Clause 7 of this DPA;
“Standard Contractual Clauses” means standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission Decision C (2004) 5271;
“Sub-processor” means any Processor or sub-processor engaged by the Data Controller for the Processing of Personal Data;
“Supervisory Authority” has the meaning set forth in Article 51 of the GDPR;
“Term” has the meaning set forth in Clause 12.1 of this DPA; and
The terms “Controller”, “Personal Data”, “Processor,” “Processed” and “Processing,” have the meanings given to them in applicable Data Protection Laws.
PROCESSING OF PERSONAL DATA
The parties to the Agreement hereby agree that they are independent Controllers with respect to the processing of the Personal Data. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both the parties shall keep a record of all Processing activities with respect to Personal Data as required under GDPR.
Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data, including but not limited to: (i) providing accurate and up-to-date contact details of either party’s data protection officer to the other party; and (ii) providing reasonable information and assistance to the other party: (a) conducting data protection impact assessments as required under the Data Protection Laws; and (b) regarding consultations between that party and a Supervisory Authority.
The Data Processor shall Process the Personal Data in accordance with the requirements of the Data Protection Laws.
The Data Processor shall not Process any Personal Data other than with the written instructions of the Data Controller.
The Data Controller:
shall instruct the Data Processor and its Affiliates (and instruct the Data Processor and its Affiliates to instruct each Sub- Processor) to:
Process the Personal Data; and
in particular, transfer the Personal Data to any country or territory,
as reasonably necessary and consistent with the Agreement.
hereby warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instructions set out in clause 2.5.1 above on behalf of its Affiliates.
The information regarding Processing of Personal Data is set out under ‘Annexure 1’ of this DPA. The parties shall incorporate the terms of ‘Annexure 1’ as a part of the Agreement and such terms shall form an integral part of this DPA.
DATA SUBJECT RIGHTS
Each party is separately responsible for honouring Data Subject access requests under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from Data Subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Clause 3.
Both the parties shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/ access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Data Controller hereby authorises the Data Processor to appoint Sub- processors in accordance with this Clause and any restrictions in the Agreement.
The Data Processor may continue to use those Sub- processors already engaged by the Data Processor as at the date of the Agreement, subject to the Data Processor as soon as practicable meeting the obligations set out in Clause 5.4 below.
The Data Processor shall neither appoint, nor disclose any Personal Data to the proposed Sub-processor except with the prior written consent of the Data Controller.
With respect to each Sub-processor, the Data Processor shall:
before the Sub- processor first Processes the Personal Data, carry out adequate due diligence to ensure that the Sub- processor is capable of providing the level of protection for the Personal Data required by the Agreement; and
ensure that the arrangement between the Data Processor and the Sub- processor is governed by a written contract including terms which offer at least the same level of protection for Personal Data as those set out in this DPA.
SECURITY AND AUDIT RIGHTS
The Data Controller shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA and the Agreement. The Data Controller will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
Both the parties will (taking into account the nature of the processing of Personal Data under the Agreement) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under this DPA, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of the Data Controller, implementing and maintaining appropriate security measures; and (b) complying with the terms of Clause 7 of this DPA.
Each party shall make available to the other party all information necessary to demonstrate compliance with the DPA and each Party may (or if mandated by a Supervisory Authority, will) allow for an audit by a mutually agreeable firm. To request an audit, the requestor must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. The auditor must be approved in advance by both the parties (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to both the parties before conducting the audit. The audit must be conducted during regular business hours, subject to both the parties’ company policies, and may not unreasonably interfere with either company’s business activities. Any such audits shall be conducted at the expense of the party making the request for such audit. Both the parties agree to share information with the other regarding any non-compliance discovered during the course of an audit.
SECURITY BREACH MANAGEMENT AND NOTIFICATION
If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under this DPA (“Security Breach”), such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will take place within a reasonable time and certainly no longer than 3 (three) business days after discovery and shall describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and any recommended steps that either or both parties should take to address the Security Breach. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
Both the parties agree that an unsuccessful Security Breach attempt will not be subject to this Clause 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to this DPA or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
Notifications of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it keeps the other party updated with accurate contact information.
Any notification of or response to a Security Breach under this Clause 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
The Data Controller shall implement reasonable technical and organizational security measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organisational measures are subject to technological development, either party is entitled to implement alternative measures provided they do not fall short of the level of data protection set out by Data Protection Laws.
RETURN AND DELETION OF PERSONAL DATA
Both the parties will comply with instructions from the other party to delete certain Personal Data as soon as reasonably practicable and within a maximum period of 30 (thirty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable and within a maximum period of 60 (sixty) days, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that the Personal Data has been archived on back-up systems so long as such Personal Data is isolated and protected from any further processing except to the extent required by applicable law.
Neither party shall transfer any Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with the Data Protection Laws.
Except with regard to the Personal Data transferred from one party to the other party in reliance on the appropriate transfer mechanism specified in Clause 9.1 above, the Standard Contractual Clauses shall apply to the recipient’s processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the parties transfer Personal Data in reliance on the Standard Contractual Clauses, the Standard Contractual Clauses shall be deemed completed and signed by the parties by the execution of the Agreement.
Both parties agree that their respective liability under this DPA shall be apportioned according to each parties’ respective responsibility for the harm (if any) caused by each respective party as may be determined by the parties mutually.
Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
GOVERNING LAW AND JURISDICTION
The parties shall submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
This DPA will take effect on the date of execution of the Agreement (the “Effective Date”) and will remain valid until the deletion of all Personal Data under the Agreement by both the parties (“Term”).
Nothing in this DPA shall impact either party’s intellectual property rights with respect to Personal Data provided by either party under the Agreement except to the extent required by applicable law.
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to the Agreement.
DETAILS OF PROCESSING OF THE PERSONAL DATA
Subject matter and duration of Processing of the Personal Data
The subject matter of the processing under the agreement is the Personal data. The duration of the processing under the agreement is as set forth in this Agreement.
The nature and purpose of Processing of the Personal Data
Goals101 or it’s sub processors are providing personalized offers to Customers. These services may include the processing of Personal Data by Goals101 or it’s sub processors on system which may contain personal data. The purpose of the processing under the Agreement is to execute intelligent, personalized campaigns for the customers of Goals101.
The types of Personal Data to be Processed
Cookie data, Social media data, IP addresses and emails
The categories of Data Subject to whom the Personal Data relates
Data relating to individuals provided to Goals101 via it’s services or by end users
The rights and obligations of the Data Controller
The rights and obligations of the Data Controller and its Affiliates shall be as set forth under the Agreement.