PRIVACY POLICY
This Policy defines the Policy of Cart-Power LLP, Stoney Works, 8 Stoney Lane, London, United Kingdom, SE19 3BD (hereinafter referred to as the Administration, the Operator) regarding the processing of personal data and contains information on the requirements for the protection of personal data implemented by the Operator. This Policy applies to all personal data processed through the Website that the Operator receives or may receive from the User. This Policy is an integral part of the Operator’s internal documents that define the Operator’s general policy regarding the processing of personal data and disclose general information on the requirements for the protection of personal data implemented by the Operator.
1. GENERAL PROVISIONS
1.1. The following terms and definitions shall have the following meanings for the purposes of this Policy:
Personal data – any information relating to a directly or indirectly identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as first name, last name, patronymic (if any), banking details, year, month, date and place of birth, address, email address, telephone number, which are transmitted to the Operator in the course of using the Website through software installed on the User’s Device (including location data, HTTP headers, IP address, cookie data, information about the User’s browser, technical specifications of the hardware and software used by the User, date and time of access to the Website, addresses of requested pages of the Website, and other similar information). In addition, for the purposes of this Policy, Personal Data also includes information about the User whose processing is provided for by the Agreement governing the procedure for using the Website. Personal Data constitutes confidential information. The Operator collects only such Personal Data as is necessary for the performance of the Agreement and as is expressly specified in this Policy.
Operator – Cart-Power LLP, Stoney Works, 8 Stoney Lane, London, United Kingdom, SE19 3BD (hereinafter referred to as the Administration), which processes Personal Data, determines the purposes of processing Personal Data, the composition of Personal Data to be processed, and the actions (operations) performed with Personal Data.
User – any natural person (data subject), including one acting on behalf and in the interests of a legal entity, who, in the course of using the Website, may provide their Personal Data to the Operator, and who has independently or through the legal entity they represent expressed consent to the terms set forth in the Agreement, either by signing it or by performing the conclusive actions specified therein aimed at using the Website. For the purposes of this Policy, “User” also includes persons whose Personal Data are processed by the Operator on behalf of the Website user as set forth in the Agreement.
Website – the website on the Internet located at cart-power.com, hd.cart-power.com, owned by the Administration, being a set of computer programs (software) and information processed therewith, constituting a complex object, the creation of which is organized by the Administration. The object includes a set of software code, databases, information, texts, graphic elements, design, images, photographs, audio and video materials, and other results of intellectual activity. Exclusive rights to the Website and any of its components belong to the Administration as the rights holder or licensee on the basis of law, contract, or other transaction.
Agreement – the user agreement between the User and the Operator, governing the procedure for using the Website and containing the User’s instruction to the Operator for the processing of Personal Data, concluded by performing the conclusive actions specified therein aimed at using the Website.
Processing of Personal Data – any action (operation) or set of actions (operations) performed with Personal Data, including collection, recording, systematization, accumulation, storage, clarification (updating, changing), retrieval, use, transfer (distribution, provision, access), anonymization, blocking, deletion, and destruction.
Automated Processing of Personal Data – the processing of Personal Data using computer technology.
Non-Automated Processing of Personal Data, Processing of Personal Data Without the Use of Automation Tools – the processing of Personal Data contained in a Personal Data information system or extracted from such a system in cases where actions with Personal Data, such as the use, clarification, distribution, and destruction of Personal Data in respect of each data subject, are carried out with the direct participation of a human being.
Distribution of Personal Data – actions aimed at disclosing Personal Data to an indefinite circle of persons.
Provision of Personal Data – actions aimed at transferring Personal Data to a specific person or a specific circle of persons.
Blocking of Personal Data – temporary suspension of the processing of Personal Data (except for cases when the processing is necessary for clarification of Personal Data).
Destruction of Personal Data – actions as a result of which it becomes impossible to restore the content of Personal Data in the Personal Data information system and/or as a result of which the physical media of Personal Data are destroyed.
Anonymization of Personal Data – actions resulting in impossibility to determine the owner of personal data without additional information.
Use of Personal Data – actions (operations) with Personal Data performed for the purpose of making decisions, entering into transactions, or taking other actions that give rise to legal consequences in respect of data subjects or otherwise affect their rights and freedoms or the rights and freedoms of other persons.
Publicly Available Personal Data – Personal Data access to which by an unlimited circle of persons is granted with the consent of the data subject, or to which, in accordance with laws, the requirement of confidentiality does not apply.
Confidentiality of Personal Data – a mandatory requirement for a person who has gained access to Personal Data not to allow their distribution without the consent of the data subject or other lawful grounds.
Statistics – information on User’s using the Website and viewing certain elements of the Website (web pages, frames, content, etc.), collected by means of counters, cookies, web beacons, and other similar technologies.
Cookie, Cookies – a small piece of data sent by a web server and stored on a User’s device. Cookies contain small pieces of text and are used to store information on browser operations. They enable storage and retrieval of identification information and other data on computers, smartphones, phones, and other devices. Cookie specifications are described in RFC 2109 and RFC 2965 documents. Other technologies are used for the same purposes, including data stored by browsers or devices, identifiers associated with devices, and other software. In this Policy, all such technologies are referred to as “cookies”.
Web Beacons – images in electronic form (single-pixel (1×1) or blank GIF images). Web beacons help the Operator recognize certain types of information on the User’s device, such as cookies, the time and date of page viewing, and the description of the page where the web beacon is placed.
Counter – a computer program that uses a piece of code installed on a website, responsible for analyzing cookies and collecting statistical and Personal Data of that website. The collection of Personal Data is carried out in anonymized form.
IP-address – a number from the numbering resource of a data transmission network built on the basis of the IP protocol (RFC 791), which uniquely identifies a subscriber terminal (computer, smartphone, tablet, or other device) or communication means belonging to the information system of the User when providing telematics communication services, including access to the Internet.
HTTP header – a string in an HTTP message containing a colon-separated name-value pair. The format of HTTP headers corresponds to the general format of ARPA text network message headers described in RFC 822.
Token – a unique set of characters identifying the User in accounts of third-party websites. The Token enables authorized connection to the Website using authorization through third-party websites (e.g., social networks, Google Play, Apple AppStore, and others).
1.2. All other terms and definitions appearing in the text of the Offer shall be construed by the Parties in accordance with law, the applicable recommendations (RFCs) of international Internet standardization bodies, and the customary rules of interpretation of the relevant terms as established on the Internet.
1.3. Terms and definitions may be used in either the singular or the plural, with lowercase or uppercase letters, depending on the context.
1.4. The headings (section titles) and the structure of the Offer throughout this Agreement serve for easy reference only and have no literal legal value.
1.5. This policy defines the procedure and conditions of Personal data processing by the Operator, including the procedure Personal Data transfer to third parties, the specifics of non-automated Personal Data processing, the procedure of accessing Personal Data, the Personal Data protection system, the procedure of organizing internal control and liability for violations in the processing of Personal Data, as well as other matters.
1.6. This Policy shall enter into force from the moment of its approval by the Operator and shall remain in effect indefinitely until replaced by a new Policy.
1.7. The Operator has the right to amend this Policy without the consent of the User. All amendments to the Policy are introduced by an administrative act of the Operator.
1.8. This Policy shall apply to all processes of the Personal Data processing carried out on the Website. The Operator does not control and is not responsible for third-party websites to which the User may follow links posted on the Website.
2. GROUNDS FOR PERSONAL DATA PROCESSING
2.1. The processing of the User’s Personal Data is carried out on the basis of and in execution of the Agreement governing the procedure for using the Website and other agreements or contracts concluded between the User and the Operator.
2.2. The processing of the User’s Personal Data may also be carried out on the basis of the User’s separate consent to such processing, which may be expressed directly when using the Website by clicking the appropriate button or by placing a checkmark in the corresponding checkbox. The term of validity of such User consent is specified in the text.
3. PURPOSES OF COLLECTING PERSONAL DATA
3.1. The Operator processes only the Personal Data necessary for the use of the Website or for implementation of transactions, agreements and contracts with the User, except for cases when the applicable legislation provides for the mandatory storage of Personal Data for a period specified by law.
3.2. When processing Personal Data, the Operator does not combine databases containing Personal Data processing of which is carried out for incompatible purposes.
3.3. The Operator processes the User’s Personal Data for the following purposes:
3.3.1. The use of Personal data for the purpose of concluding and implementation of agreements and any other transactions with the Operator;
– categories and list of processed Personal Data – data not falling within special categories or biometric Personal Data, as defined in clause 4.2 of this Policy;
– categories of Personal Data processing subjects – as defined in clauses 4.3.1 and 4.3.2 of this Policy;
– methods of Personal Data processing – the Operator processes Personal Data using both automated and non-automation tools;
– Personal data processing and storage periods – as defined in clause 5.2 of this Policy;
– destruction of Personal Data upon achieving the purposes of its processing or upon the occurrence of other lawful grounds – in accordance with clause 5.1 and Section 8 of this Policy.
3.3.2. The use of personal data for the purposes of ensuring the proper functioning of the Website in accordance with Users’ expectations, in particular for the correct identification of Users or for the proper provision of the Website functionality where the outcome depends on the data provided;
– categories and list of personal data processed – data that do not fall within special categories or biometric personal data, as defined in clause 4.2 of this Policy;
– categories of personal data processing subjects – as defined in clauses 4.3.1, 4.3.2, and 4.3.3 of this Policy;
–methods of Personal Data processing – the Operator processes Personal Data using both automated and non-automation tools;
– Personal data processing and storage periods – as defined in clause 5.2 of this Policy;
– destruction of Personal Data upon achieving the purposes of its processing or upon the occurrence of other lawful grounds – in accordance with clause 5.1 and Section 8 of this Policy.
3.3.3. Placement of personalized advertising and/or other information in any section of the Website and interruption of the use of the Website with advertising information;
– categories and list of processed Personal Data – data not falling within special categories or biometric Personal Data, as defined in clause 4.2 of this Policy;
– categories of Personal Data processing subjects – as defined in clauses 4.3.1 and 4.3.2 of this Policy;
– methods of Personal Data processing – the Operator processes Personal Data using both automated and non-automation tools;
– Personal data processing and storage periods – as defined in clause 5.2 of this Policy;
– destruction of Personal Data upon achieving the purposes of its processing or upon the occurrence of other lawful grounds – in accordance with clause 5.1 and Section 8 of this Policy.
3.3.4. Carrying out marketing programs, various offers, promotions, and advertising activities in connection with the Website;
– categories and list of processed Personal Data – data not falling within special categories or biometric Personal Data, as defined in clause 4.2 of this Policy;
– categories of Personal Data processing subjects – as defined in clauses 4.3.1 and 4.3.2 of this Policy;
– methods of Personal Data processing – the Operator processes Personal Data using both automated and non-automation tools;
– Personal data processing and storage periods – as defined in clause 5.2 of this Policy;
– destruction of Personal Data upon achieving the purposes of its processing or upon the occurrence of other lawful grounds – in accordance with clause 5.1 and Section 8 of this Policy.
3.3.5. Compliance with the mandatory requirements of applicable law; the categories and list of personal data processed – namely, data that are neither special-category data nor biometric personal data;
– categories and list of processed Personal Data – data not falling within special categories or biometric Personal Data, as defined in clause 4.2 of this Policy;
– categories of Personal Data processing subjects – as defined in clauses 4.3.1 and 4.3.2 of this Policy;
– methods of Personal Data processing – the Operator processes Personal Data using both automated and non-automation tools;
– Personal data processing and storage periods – as defined in clause 5.2 of this Policy;
– destruction of Personal Data upon achieving the purposes of its processing or upon the occurrence of other lawful grounds – in accordance with clause 5.1 and Section 8 of this Policy.
3.3.6. Furthermore, statistical and other research regarding the use of the Website may be carried out on the basis of anonymized data.
4. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA, CATEGORIES OF PERSONAL DATA SUBJECTS
4.1. The Operator may receive the User’s personal data from various sources, in particular:
4.1.1. from the Website in the course of its operation;
4.1.2. upon User’s use of the Website;
4.1.3. upon User’s contacting the Technical support service;
4.1.4. upon User’s participating in the Operator’s marketing programs, various offers, promotions, and advertising events relating to the Website.
4.2. Personal data that may be processed under this Policy and are provided by Users (natural persons) using the Website, through the completion of the applicable input fields during use of the Website, may include the following:
- Surname, first name, patronymic;
- Email address;
- Phone number;
- Postal address;
- Token;
- Avatar;
- History of interaction with the Website;
- Payment details and User data;
- Information on the performance of civil law obligations to the User;
- History of contacts with the User;
- HTTP headers;
- IP address of the User’s device;
- cookie data;
- data collected by counters;
- data obtained using web beacons;
- information on the User’s browser;
- technical specifications of the device and software;
- technical data on the operation of the Website, including dates and
- times of use and access to the Website;
- addresses of requested web pages;
- geolocation data of the User.
for the duration of the agreement or any other transaction with the Operator for the purposes described in clause 3.3 of this Policy.
4.3. In accordance with this Policy, the Operator processes the personal data of persons belonging to the following categories of personal data subjects:
4.3.1. natural persons using the Website in accordance with the Agreement on its use;
4.3.2. natural persons using the Operator’s services on the basis of the Agreement, other contracts and transactions;
4.3.3. natural persons who do not use the Operator’s services and do not use the Website, but visit the publicly available pages of the Operator’s Website.
4.4. The processing of certain categories of Users’ personal data has the following specific characteristics:
4.4.1. User Information. Certain data is used to provide the functionality of the Website related to the User’s data, in particular, the identifier and email address. The token assigned to the User may be used to send messages and notifications to the User’s device (for example, messages with important alerts). The surname, first name, patronymic, and other data provided by the User on their own initiative may be processed for the purpose of providing technical support for the Website.
4.4.2. Information on the Use of the Website. Such information is processed for the purpose of studying the activity of the Website and its interaction with the User, in particular, how long it took the Website to perform a particular operation in response to the User’s request, which functionality is used by Users more frequently than others, the type of action performed within the Website (click, hover, etc.), and data on the use of the Website interface (opening dialog boxes, navigation, launches, crashes, etc.). Such information helps the Operator resolve issues in the operation of the Website, prevent fraudulent activities, improve the Website, increase its performance, and make it more user-friendly.
4.4.3. Technical Specifications of the User’s Device, including its IP address, and its software. Information such as device type, operating system, IP address, network connection method, and the like may be required to enable the Operator to account for the specificities of the Website operation on various devices and networks, and to ensure its compatibility with third-party software.
4.4.4. Information on the Approximate Location of the User. The Website may collect, both actively and in the background, location data of the User as provided by the hardware of the User’s device, solely for the purpose of providing the User with services and information relevant to their location.
4.5. The Operator does not process biometric personal data (i.e., information characterizing physiological and biological features of an individual, on the basis of which their identity may be established).
4.6. The Operator does not process special categories of personal data concerning race, nationality, political views, religious or philosophical beliefs, or intimate life.
4.7. The processing of personal data that the personal data subject has authorized for dissemination shall be carried out on the basis of the personal data subject’s consent to dissemination, subject to the prohibitions and conditions on the processing of personal data established by the personal data subject.
4.8. Should the personal data subject, in the course of information interaction on the Website, provide personal data in a greater volume than is required by the necessity and functionality of the Website, the Operator shall have the right not to process such personal data. Should the Operator process such personal data, such processing shall be carried out in accordance with the rules set forth in this Policy. Consent to the processing of such data shall be deemed to have been given by the personal data subject and obtained by the Operator at the moment such data is provided.
4.9. The Operator does not engage in cross-border transfer of personal data.
5. PROCEDURE AND CONDITIONS OF PERSONAL DATA PROCESSING
5.1. The Operator processes the User’s personal data via theWebsite, both by means of automation and without the use of automation, in compliance with the regulatory legal acts of applicable legislation that set forth the requirements for ensuring the security of personal data during their processing and for safeguarding the rights of personal data subjects. Operations with personal data such as use, updating, dissemination, and destruction of personal data with respect to the User are performed with the direct participation of the Operator’s personnel.
5.2. The Operator processes and stores the User’s personal data for the period determined in accordance with the Agreement on the Use of the Website, the Contract, or for the period of which the Operator has informed the User upon obtaining the User’s consent to the processing of their personal data by other means (in a checkbox, in a text message, in an email, etc.). Unless otherwise established by the Parties, the Operator processes and stores personal data throughout the entire term of performance of obligations under the Contract, as well as during the term of the Agreement.
5.3. The confidentiality of the User’s personal data is maintained, except for cases when the User voluntarily provides information on themselves for general access to an unlimited circle of persons.
5.4. The Operator shall have the right to transfer the User’s personal data to third parties in the following cases:
- the User has given consent to such actions, expressed in accordance with the terms of the Agreement on the Use of the Website;
- the User has applied to the Operator with a request for such transfer;
- the transfer is necessary for the User to utilize certain functionality of the Website (e.g., for authorization via social network accounts) or for the performance of a specific agreement, contract, or transaction with the User;
- the transfer is required by the legislation or other applicable law within the framework of the procedure established by such legislation;
- in the event of the assignment of rights to the Website, the transfer of personal data to the assignee is necessary simultaneously with the transfer of all obligations to comply with the terms of this Policy with respect to the personal data so acquired;
- in cases where it is necessary to ensure the protection of the rights and legitimate interests of the Operator or third parties, in the event of the User’s breach of this Policy or the Agreement on the Use of the Website;
- in other cases provided for by law.
5.5. In the event of loss or unauthorized disclosure of personal data, the Operator shall notify the User of such occurrence.
5.6.The Operator shall implement the necessary organizational and technical measures to protect the User’s personal data against unlawful or accidental access, destruction, alteration, blocking, copying, dissemination, as well as against other unlawful actions of third parties.
5.7. The Operator, in cooperation with the User, shall take all necessary measures to prevent losses or other adverse consequences arising from the loss or unauthorized disclosure of the User’s personal data.
5.8. The Operator shall be entitled to transfer personal data to the bodies of preliminary investigation and inquiry, as well as to other authorized state bodies, on the grounds prescribed by the applicable legislation.
5.9. Should a personal data breach pose a high risk to the rights and freedoms of natural persons, the Operator shall, without undue delay, notify the User of such breach. Notification to the data subject shall not be required if any of the following conditions are satisfied: (a) the Operator has implemented appropriate technical and organizational protective measures, and such measures have been applied to the personal data affected by the breach, including measures that render the personal data unintelligible to any person not authorized to access them, such as cryptographic protection; (b) the Operator has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; (c) it would require disproportionate effort. In such cases, a public communication or equivalent measure shall be made instead, whereby data subjects are informed in an equally effective manner.
The processors may include, without limitation, a cloud solution provider, a website hosting services provider, and other legal entities and individual entrepreneurs designated as such on the Website. When collecting personal data, the Operator records, systematizes, accumulates, stores, updates (refreshes, modifies), and retrieves the personal data of Users who are citizens of the relevant country, using databases located in the territory of such country or another country, if this is permissible under applicable law.
The Operator shall cease processing the User’s personal data that is processed on the basis of the User’s consent upon the expiration of the User’s consent to such processing or upon the withdrawal of the User’s consent to the processing of their personal data, as well as in the event of detection of unlawful processing of personal data or liquidation of the Operator.
6. PROCEDURE FOR COLLECTING PERSONAL DATA USING COOKIES, WEB BEACONS, AND COUNTERS
6.1. Cookies and data from counters transmitted from the Operator to the User’s device and from the User to the Operator may be used by the Operator for the purposes of processing personal data in accordance with the Privacy Policy and Personal Data Processing Policy.
6.2. The Operator uses various types of cookies and Counters on the Website, which serve different purposes and, depending on their purpose, may be classified into one of the following categories:
6.3. “Strictly Necessary” – cookies and Counter data that are strictly necessary for the operation of critical components of the Website, identification of the technical characteristics of the User’s device and the software used, as well as for user authentication and making payments by the User;
6.4. “Analytical” – cookies and Counter data that enable the Website to recognize Users, count their number, and collect information about the operations performed by them on the Website, including information about actions taken on the Website;
6.5. “Technical” – cookies and Counter data that enable collection of information on User interaction on the Website for the purposes of identifying errors and testing new features to improve the performance of the Website;
6.6. “Functional” – cookies and Counter data that enable the User to access specific features of the Website, interact with the Website interface and utilize its functionalities, record information about actions performed on the Website, and configure the Website in accordance with the User’s preferences for the purpose of remembering information provided by the User, storing preferred language, location, and similar settings;
6.7.”Third-Party” – cookies and Counter data that collect information on the User, traffic sources, User activities, and advertisements displayed to the User, as well as advertisements with which the User has interacted on the Website, for the purpose of displaying advertising that may be of interest to the User based on the analysis of the information collected. Such cookies and Counter data are also used for statistical and research purposes.
6.8. The Operator does not explicitly seek consent when using strictly necessary cookies and receiving mandatory data from Counters. Should the User not wish their personal data to be collected via strictly necessary cookies, they may disable their transmission to the Operator in the software (browser) on their device. However, the User will no longer have access to the Website functionality associated with strictly necessary cookies, which may result in the Website becoming completely inoperable or operating incorrectly. Disabling mandatory Counters is technically infeasible, as they form an integral part of the Website software code.
6.9. The Operator may use functional and analytical cookies solely with the User’s consent, which, as a general rule, is expressed through the acceptance of the Agreement and the commencement of use of the Website. Should the User not wish to consent, they shall be entitled to decline the use of such cookies by disabling them in the Website settings without prejudice to the Websites functionality. Disabling of Counters that collect functional and analytical data is technically unfeasible, as they constitute an integral part of the Website software code.
6.10. The User acknowledges that their devices and software used to access the Website may, depending on their version and configuration, either support or not support the function of blocking cookie operations for any or specific websites and applications, as well as the function of deleting previously received cookies (e.g., private browsing mode).
6.11. The Operator reserves the right to require that the User’s device mandatorily permit the acceptance and receipt of cookies due to security considerations.
6.12. The structure, content, and technical parameters of cookies are determined by the Operator and may be amended without prior notice to the User. The User shall be entitled to obtain all necessary information regarding cookies by submitting a request to the Operator in accordance with the procedure set forth in the Privacy and Personal Data Processing Policy.
6.13.Counters installed by the Operator on the Website may be utilized by the Operator for the purpose of analyzing cookies and collecting personal data concerning the use of the Website, with a view to improving the quality of the Website, enhancing its user-friendliness, and further developing the Website. The technical parameters of the Counters are determined by the Operator and may be amended without prior notification to the User.
6.14.The Operator may employ web beacons either independently or in conjunction with cookies to gather information regarding the use of the Website. The User shall be entitled to block web beacons when using the Website by disabling image loading in the settings of their software (browser).
Only employees of the Operator and/or the Processor who are authorized by virtue of their job duties to handle the User’s personal data shall have access to such data, in accordance with the list of persons authorized to process personal data, which is approved by the Operator and/or the Processor.
7. ACCESS TO PERSONAL DATA
7.1. Only employees of the Operator who are authorized by virtue of their assigned official duties to handle the User’s personal data shall be granted access to such data, in accordance with the list of persons authorized to process personal data, which is approved by the Operator.
7.2.The Operator shall keep the list of employees who have been granted access to personal data current and up to date.
7.3. Access to the User’s personal data by third parties who are not employees of the Operator without the User’s consent is not permitted.
7.4. An employee’s access to the User’s personal data shall cease as of the date of termination of the employment relationship, or as of the date on which the employee loses the right of access to the User’s personal data due to changes in their job responsibilities, position, or other circumstances in accordance with the procedure established by the Operator. In the event of termination of employment, all media containing the User’s personal data that were in the possession of the departing employee of the Operator shall be transferred to a superior employee in accordance with the procedure prescribed by the Operator.
8. UPDATING, CORRECTION, DELETION AND DESTRUCTION OF PERSONAL DATA
8.1. The User may, at any time, amend, update, supplement, or delete the personal data provided by them, or any part thereof, by sending a written request to the email address [email protected].
8.2. Should the Operator independently discover that the User’s personal data is incomplete or inaccurate, the Operator shall take all reasonably possible measures to update such personal data and make the requisite corrections.
8.3. Where it is not possible to update incomplete or inaccurate personal data of the User, the Operator shall take measures to delete such data.
8.4. Upon the discovery of unlawful processing of the User’s personal data, the Operator shall cease such processing, and the personal data in question shall be subject to deletion.
8.5. In the event that the Website interface is non-functional or lacks the necessary functionality for the User to change, update, supplement, or delete their personal data, as well as in any other circumstances, the User shall be entitled to submit a written request demanding that the Operator clarify, block, or destroy their personal data if such data is incomplete, outdated, inaccurate, unlawfully obtained, or no longer required for the stated purpose of processing.
8.6. The Operator shall make the necessary amendments to personal data that is incomplete, inaccurate, or outdated within a period not exceeding seven business days from the date on which the User provides information confirming that the personal data is incomplete, inaccurate, or outdated.
8.7. The Operator shall destroy unlawfully obtained personal data or personal data that is no longer necessary for the stated purpose of processing within a period not exceeding seven business days from the date on which the User provides information confirming that such personal data was unlawfully obtained or is not necessary for the stated purpose of processing.
8.8. The Operator shall inform the User of the changes made and measures taken, and shall take reasonable steps to notify third parties to whom the User’s personal data has been disclosed.
8.9. The User’s rights to change, update, supplement, or delete personal data may be restricted in accordance with the requirements of applicable law. Such restrictions may, in particular, include the Operator’s obligation to retain the personal data modified, updated, supplemented, or deleted by the User for a period prescribed by law and to transfer such personal data to state authorities in accordance with the established procedure.
9. RESPONSES TO USER REQUESTS FOR ACCESS TO PERSONAL DATA
9.1. The User shall be entitled to obtain from the Operator information concerning the processing of their personal data, including information containing:
- confirmation of the fact of processing of personal data by the Operator;
- the legal grounds and purposes of the processing of personal data;
- the purposes and methods of processing personal data employed by the Operator;
- the name and registered address of the Operator, as well as information on persons (other than the Operator’s employees) who have access to personal data or to whom personal data may be disclosed on the basis of an agreement with the Operator or in accordance with law;
- the personal data processed that relate to the relevant User, and the source from which they were obtained, unless a different procedure for providing such data is prescribed by law;
- the periods of processing of personal data, including the periods for their storage;
- information regarding any cross-border data transfer that has been carried out or is contemplated;
- the name or surname, first name, patronymic, and address of the person processing personal data on behalf of the Operator, where processing has been or will be entrusted to such person;
- other information provided for by law.
9.2. The Operator shall provide, free of charge, the ability to review the personal data processed and stored in the Operator’s information system upon the User’s request, within ten business days from the date of receipt of the User’s written request. This period may be extended, but by no more than five business days, in the event that the Operator sends a reasoned notice to the personal data subject indicating the reasons for extending the period for providing the requested information.
9.3. Should the Operator refuse to provide information on the existence of personal data concerning the User or to provide the personal data to the User upon their application or upon receipt of the User’s request, the Operator shall provide a written reasoned response setting forth the grounds for such refusal, within a period not exceeding ten business days from the date of the User’s application or from the date of receipt of the User’s request. This period may be extended, but by no more than five business days, in the event that the Operator sends a reasoned notice to the personal data subject indicating the reasons for extending the period for providing the requested information.
10. INFORMATION ON IMPLEMENTED REQUIREMENTS FOR PROTECTION OF PERSONAL DATA
10.1. The security of personal data during their processing in the personal data information system is ensured through a personal data protection system designed to neutralize existing threats.
10.2. The Operator applies a personal data protection system that incorporates legal, organizational, technical, and other measures to ensure the security of personal data, determined in light of current threats to the security of personal data and the information technologies employed within the information systems.
10.3. With regard to personal data for which the User has provided consent to their processing by a Processor, the Operator shall be entitled to engage a Processor on the basis of a contract, provided that such Processor ensures the security of such personal data during their processing in the information system.
10.4. In the course of processing personal data within its information system, the Operator ensures:
- implementation of measures aimed at preventing unauthorized access to the User’s personal data and/or their disclosure to persons not entitled to access such information;
- timely detection of instances of unauthorized access to personal data;
- prevention of interference with the technical means used in the processing of personal data that could result in the impairment of their functionality;
- the capability for immediate restoration of personal data that has been modified or destroyed as a consequence of unauthorized access;
- continuous monitoring of the maintenance of the required level of security of personal data.
10.5. In order to comply with security requirements and implement a personal data security system, the Operator has implemented a private threat model for the personal data information system.
10.6. The Operator has determined the level of protection of personal data during its processing in the personal data information system owned by the Operator.
10.7. Based on the results of determining the level of protection of personal data during its processing in the personal data information system, the Operator has developed and implemented a set of measures for the protection and security of personal data.
10.8. The Operator uses technical means and software for processing and protection of personal data, and maintains an electronic log of personal data protection tools.
10.9. The Operator maintains an electronic log for registration and storage of removable storage media containing personal data (if any).
10.10. The technical means ensuring the operation of the personal data information system are located in premises owned by the Operator by right of ownership or other proprietary right (lease, gratuitous use, etc.).
10.11. All employees of the Operator who are authorized to work with personal data, as well as those involved in the operation and technical maintenance of the personal data information system, have been familiarized with the Operator’s internal documents regulating the procedure for working with personal data.
10.12. The Operator has organized training for employees on the procedure for using personal data protection tools operated by the Operator. The training is provided to employees who have permanent access to personal data, as well as employees involved in the operation and technical maintenance of the personal data information system and personal data protection tools.
10.13. The Operator’s internal documents establish that employees are obliged to immediately notify the relevant official of the Operator of the loss, damage, or shortage of storage media containing personal data, as well as of any attempts of unauthorized access to personal data, its causes and circumstances.
11. CONSENT TO THE PROCESSING OF PERSONAL DATA
11.1. The User makes a decision to provide their personal data and gives consent to its processing freely, of their own will, and in their own interest.
11.2. The consent to the processing of personal data provided by the User is freely given, specific, informed, conscious, subject-specific, and unambiguous.
11.3. In the event that the User’s personal data are processed on the basis of their separate consent to such processing, expressed directly when using the Website by clicking the appropriate button or by checking the indicator of the corresponding check-box, such consent to the processing of personal data is provided by the User in the form of an electronic document signed with a simple electronic signature in accordance with the Agreement governing the procedure for using the Website.
11.4. Consent to the processing of personal data may be withdrawn by the User in accordance with the procedure established by law.
12. FINAL PROVISIONS
12.1. The User’s commencement of use of the Website signifies their acceptance of the terms of this Policy. In the event that the User disagrees with the terms of this Policy, use of the Website must be immediately terminated.
12.2. This Policy is permanently and publicly available on the Operator’s Websites.
12.3. The User has the right to send any suggestions or questions regarding this Policy to the Operator’s User Support Service by sending an electronic message to the following email address: [email protected].
13. CONTACT DETAILS
Cart-Power LLP
Stoney Works, 8 Stoney Lane, London, United Kingdom, SE19 3BD
[email protected]
https://cart-power.com/
https://hd.cart-power.com/