Effective Date: 15th of May, 2018
The terms below apply to data processing of data subjects from EU and EEA.
Amendments to this Policy will be posted to this URL and will be effective when posted. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this Website prior to the change becoming effective. You can choose to discontinue use of the Websites or Products, if you do not accept the terms of this Policy, or any modified version of this Policy.
The Company does not knowingly collect any personal information from children under the age of 16. The Company’s Websites and Products are not offered to individuals under the age of 16. You should not use the Websites and the Products in you are below 16. If you are under the age of 16, please do not submit any personal information through our Websites or Products. If you are under 16 and want to use our Websites and Products please contacts us to settle this matter individually.
Tapcore B.V. also acts as a representative of Airpush, Inc. in EU and EEA.
The terms related to the users of our Products shall be effective only upon signing Data Processing Agreement (the “DPA”) with us. Please contact us for details but we may refuse signing the DPA for any reason unilaterally.
Collection and Use
We may use the personal information collected from within the Websites or when you use the Products on the basis of legitimate interest to:
- Send you promotional and marketing communications.
- Facilitate your transactions with other persons when you use our Products.
- Analyze user experience with the Websites and the Products.
- Analyze your data for the purpose of fraud detection.
We may use the personal information collected from within the Websites or when you use the Products as it’s required for performance or entering an agreement with us:
- Enter the agreement on the use Products by you and administering your account.
- Provide you with the Products and Websites’ content.
- Send you service messages related to the Websites or Products.
We obtain consent from the customers (“End Users”) of our Users for the following purposes:
- Delivering targeted ads based on End Users’ profiles.
Each data subject has the right to withdraw previously provided consent or object to processing under specific circumstances.
Provision of personal data with our Websites is required for proper aligning of the Websites features to your preferences and entering an agreement with you on the use of Website and the Products. Inability to process this data will result in inability to provide proper access to our Websites and ability to use our Products.
Processing of personal data with our Products is our contractual obligation. It is required to show you ads based on your personal features (including language) instead of random contextual ads.
Your profiles may be combined with the data collected by our Products and received from third parties. Further your data may be combined with other sets of data recognized as related to you. Such profiles help to align ad targeting based on the profile features chosen by advertisers.
The data collected is being processed for 2 years unless otherwise required by a lawful purpose.
Conditions of Processing
The Company warrants that data processing will take place only if and to the extent that at least one of the following applies in case if the Company acts as a data controller:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the Company is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest;
- processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child;
- the Company took reasonable measures to ensure that no data of children below 16 is processed;
- processing of personal data revealing racial or ethnic origin, criminal offences, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is not conducted by the Company.
- the identity and the contact details of the controller and the controller’s representative;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on legitimate interests stipulated by applicable, such legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data;
- the fact that the controller intends to transfer personal data to a third country and the existence or absence of an adequate data protection;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
Each User is restricted from collecting and processing the following information:
- data related to children below 16, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric and health data or data concerning a person’s sex life or sexual orientation.
We may transfer personal information to our affiliated companies and sub-contractors that involved in provision the Products and Websites. The Company may exercise cross-border transfer of your data provided that the recipient signs a DPA with us which provides suitable safeguards for your personal data.
Categories of controllers we share your data with:
- Advertisers, advertising networks, advertising data brokers.
Categories of processors we share data with:
- Hosting services providers, fraud detection service providers, advertising statistics and tracking service providers.
Data Subjects’ Rights
As a data subject you have the following rights:
- Right to access allows you to request the if its data is processed, to request the data itself and information related to purpose, data categories, recipients (or categories) including their countries, storage period or criteria to determine the storage, existence of right to rectification/erasure/restriction/objection, the right to lodge a complaint to supervisory authorities, data source, existence of profiling including logic and consequences, safeguards of transfer to third countries.
- Right to rectification is the right to correct incorrect data and the right to complete incomplete data.
Right to erasure (to be forgotten) means that the data subject may request erasure if the data is:
- no longer needed for the purposes of processing,
- consent is withdrawn and no other grounds apply
- data subject object processing
- processing was unlawful
- the data is related to a child and was processed in the context of offering a service directly to a child
Right to restriction means that processing shall be restricted if:
- the user claims that the data is inaccurate and controller needs to verify if it’s really inaccurate
- processing is unlawful but the data subject want it to be restricted rather than erased
- processing is no longer required for its purposes but the data subject requires it for legal defense
- processing is under objection but the controller need to verify if objection is not overridden by legitimate interest of controller.
- Right to notification means that the controller shall communicate the request to erasure/rectification/restriction to each recipient unless it proves that it will take disproportionate effort. The controller shall inform the user about those recipients by request.
- Right to data portability means that data subject may request the controller to provide collected data in structured and readable form if the processing is based on consent or for the purpose of contract performance/conclusion.
- Right to object means that the data subject based on its personal circumstances may override legitimate interests of the controller which are the basis for processing. This right shall be communicated at the time of first communication with the user separately from other information.
- The data subject has the right not to be subject to profiling which significantly affects him or her.
- The data subject has the right to lodge a complaint to supervisory authorities at any time.
Correction or Removal
If you would like to request your information to be removed from our database, please contact us. The Company acknowledges that you have the right to access your personal information. The Company collects information on behalf of our Users as a joint controller, and has no direct relationship with the individuals with whom our Users may interact using the Products. If you are an End User and would no longer like your data to be processed in the current manner, please contact the User that you interact with directly. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data or apply with other request should direct his query to the User. If technically possible, the Company may provide you with the details of such User and assist in your request provided directly to the Company.
Retention of Personal Information
We retain personal data we process for as long as needed to provide the Products and Websites and as long as you use the Products and Websites. If you wish to request that we no longer use your data, please contact us. We will retain your data as necessary to comply with our legal obligations, maintain accurate financial and other records, resolve disputes, and enforce our agreements.
Processing Personal Information on the Websites
We are the data controller in respect of information provided from our Websites for the purposes of the General Data Protection Regulation (“GDPR”) and the Swiss Federal Act on Data Protection.
We may collect the following information from you within the Websites:
Contact Information, such as name, IM username, email address, mailing address, phone number and billing information.
When you use our Website, we automatically collect information on the type of device you use, operating system version, and the device identifier to ensure you receive proper notifications and proper settings of the Websites.
Processing Personal Information on the Products
We are the joint controller in respect of the information provided from our Users in the course of using the Products.
Our Users are responsible to inform the individuals using the Products on the Users’ properties with all necessary information and obtain necessary consent for any personal information that is collected through the Products.
We may collect the following information from you when you use our Products:
- application id
- publisher id
- android id
- SDK version
- application source
- device id/IMEI
- device model
- device specifications
- OS type/version
- IP address
- local time
- device location
- network type
- user agent
Records of Processing
The Company maintains a record of processing activities under its responsibility. The record shall contain all of the following information:
- the name and contact details of the data controller;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed;
- transfers of personal data to a third country, including the identification of that third country and suitable safeguards;
- where possible, the envisaged time limits for erasure of the different categories of data;
- where possible, a general description of the technical and organisational security measures in respect of processed data.
Protection of Information
The Company performs the following measures on protection of personal data to prevent the data breaches, misuse and the violation of rights of data subjects:
- Providing this Policy for review to any person or entity which is about to process the personal data to/from the Company.
- Keeping the Company’s officers and contractors responsible for proper data processing conducted by such officers and contractors.
- Providing prior examination of the source and destination of personal data in respect of possible violations of data processing.
- Providing advice to any officer, data subject or partner on the subject of compliance with this Policy.
- Making sure no access to personal data is provided to unauthorized parties.
- Using only reliable and tested software for processing or personal data.
- Assuming technical and organizational risks of data processing before such processing takes place.
- Ensuring that all actions in respect of the data are exercised by protected accounts to access the data and all data storages are available only to a limited number or persons on a password basis.
- Ensuring that Company is able to suspend data processing or withdraw any piece of data from processing if we believe that such processing may violate applicable law.
- In case of change in any business process the Company will determine whether such change is data-related and check if such change falls in line with this Policy.
- Providing that each location and device where personal data may be stored is a safe environment.
- Utilizing firewall to minimize the risk of unauthorized access to the hosting infrastructure.
- Where necessary use third-party vendors to perform security assessments to identify issues with its data security that could result in security vulnerabilities.
- Providing encryption of most valuable personal data.
- Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Providing the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- Processing regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the data processing.
The Company continuously reviews its internal processes and external relations in respect of compliance with this Policy. If a present or potential violation is detected the Company shall investigate the reasons and decide if the violation may be cured. The Company shall assign officers to manage the violation or terminate the relations with the respective partner or data subject which will result in suspension of data processing.
In case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Company shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority by request.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Company shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe in clear and plain language the nature of the personal data breach and contain at least the information on taken measures.
The communication to the data subject shall not be required if any of the following conditions are met:
- the Company has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- the Company has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
- it would involve disproportionate effort - in such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
We may disclose your personal data as required by applicable law, in response to lawful requests by public authorities, including meeting national security or law enforcement requirements and when we believe that disclosure is necessary to protect our rights and/or to comply with a judicial proceeding, court order, or other legal process served on us. Your personal data will also be shared between our affiliated companies for the activities permitted under this Policy.