1.1 This document, entitled “Personal Data Processing Policy”, is developed in accordance with the provisions of the current Estonian personal data legislation (hereinafter referred to as “Personal Data Act”) and establishes the rules of personal data processing as well as data protection measures taken by the legal entity Crowdy OÜ (hereinafter referred to as “Operator”).
1.2 The main objective and condition of the Operator’s activity is to respect and observe the rights and freedoms of individuals in the process of processing their personal data, including ensuring the protection of the rights to privacy, as well as personal and family secrecy.
1.3 This Policy applies to all information that the Operator may obtain about users in the course of their use of the www.crowdy.ai website.
2.1 Automated processing of personal data is the process of personal data processing by means of computer equipment.
2.2 Blocking of personal data – temporary termination of personal data processing operations, except for cases when such processing is necessary for data clarification.
2.3 The Website is a set of graphic and informational materials, as well as software and hardware for computers, hosted on a web platform at www.crowdy.ai.
2.4 Personal data information system is a complex of data in databases and technologies ensuring their processing.
2.5 Personal data de-identification is a process that eliminates the possibility of direct identification of the User or other subject without the use of additional information.
2.6 Processing of personal data – a set of operations performed with personal data with or without automation, including collection, recording, systematisation, storage, clarification, specification, extraction, use, transfer, depersonalisation, blocking, deletion and destruction of data.
2.7. Operator – a legal or natural person, state or municipal authority, which organises and (or) carries out the processing of personal data, determining the purposes of this processing, the composition of the data to be processed and the operations performed with personal data.
2.8. Personal Data – information directly or indirectly related to a specific or defined User of the website www.crowdy.ai.
2.9 Personal data, the dissemination of which is authorised by the data subject, is data to which access for an unlimited number of persons is granted upon the consent of the data subject, in accordance with the law.
2.10. User – any visitor of the website www.crowdy.ai.
2.11. Provision of personal data – transfer of data to a certain person or circle of persons.
2.12. Dissemination of personal data – actions to disclose data to an indefinite number of persons, including publication in mass media or providing access in information and telecommunication networks.
2.13. Cross-border transfer of personal data – transfer of data outside the state to authorities, individuals or legal entities of a foreign state.
2.14. Destruction of personal data – processes that result in the destruction of data without the possibility of recovery in the information system or on physical media.
3.1 The Operator shall have the right to:
3.2 The Operator shall:
4.1 Personal data subjects have the right:
4.2 Subjects of personal data are obliged to:
4.3 Persons who have provided the operator with false information about themselves or others without the consent of those persons shall be liable in accordance with Estonian law.
5.1 Surname, first name of the user.
5.2 User’s e-mail address.
5.3 User’s telephone numbers.
5.4 The website collects and processes anonymised visitor data, including the use of cookies through internet statistics services such as Google Analytics and others.
5.5 The above data is hereinafter referred to in the Policy as “Personal Data”.
5.6 The Operator does not process special categories of personal data, which include information about race, nationality, political opinions, religious or philosophical beliefs, intimate life.
5.7 The processing of personal data from among special categories that are authorised for dissemination is permitted, provided that the prohibitions and requirements established by the Personal Data Law are complied with.
5.8 The user’s consent to the processing of his/her personal data authorised for dissemination shall be issued separately from other forms of consent to data processing, subject to the conditions defined by the Law on Personal Data. The requirements for the content of such consent shall be determined by the authorised body.
5.8.1 The User consents to the processing of their personal data authorised for dissemination directly to the operator.
5.8.2 The Operator is obliged to publish information on the conditions of processing, as well as prohibitions and conditions of personal data dissemination within three working days after receiving the consent.
5.8.3 The User may at any time request the termination of the processing of their personal data authorised for dissemination. For this purpose, it is necessary to provide the operator with data, including surname, first name, contact information, and a list of data whose processing should be stopped.
5.8.4 Consent to the processing of data authorised for dissemination is terminated upon receipt by the operator of a corresponding request from the user.
6.1 The processing of personal data shall be carried out on a lawful and fair basis.
6.2 The processing of personal data is strictly limited to the achievement of specific, predetermined and legitimate purposes. Any processing that is incompatible with the original purposes of data collection is inadmissible.
6.3 It is prohibited to merge databases containing personal data if their processing is carried out for purposes that are incompatible with each other.
6.4 Only those personal data that are necessary to achieve the stated purposes of processing are subject to processing.
6.5 The scope and content of processed personal data must strictly comply with the stated purposes of their processing. Processing of data that is redundant in relation to these purposes is inadmissible.
6.6 The processing of data shall ensure their accuracy, sufficiency and relevance in the context of the purposes of processing. The Operator is obliged to take the necessary measures to delete or correct data that are incomplete or inaccurate.
6.7 Personal data shall be stored in a form that allows identification of the data subject for no longer than is necessary for the purposes of their processing, unless the data retention period is specified by the laws of the Republic of Estonia or a contract. Once the purposes of processing have been achieved or no longer necessary, the personal data shall be destroyed or anonymised, unless otherwise provided for by Estonian law.
7.1 The processing of the User’s personal data shall be carried out for the following purposes:
7.2 The Operator has the right to use the User’s contact details to inform about new products, services, special offers and events. The User has the opportunity to refuse to receive such information by sending a request to the e-mail address [email protected] indicating the wish to stop receiving notifications.
7.3 The anonymised user data collected via Internet statistics services is used to analyse user activity on the website, which helps to improve the functionality and content of the website.
8.1 The processing of personal data by the operator is based on the following legal documents:
8.2 The Operator starts processing the user’s personal data only after the user fills in and submits his/her data via special forms on the website www.crowdy.ai or by e-mail. By submitting his/her data, the user confirms his/her consent to the data processing policy.
8.3 The Operator may also process anonymised user data if such processing is permitted by the user’s browser settings, including the use of cookies.
8.4 The User decides independently on the provision of his/her personal data and consents to its processing freely, of his/her own free will and in his/her own interest.
9.1 The processing of personal data is carried out on the basis of the data subject’s consent.
9.2 The processing of personal data is required for the fulfilment of the purposes specified in an Estonian international treaty or legislation, as well as for the fulfilment of the operator’s functions and obligations under the law.
9.3 The processing of personal data is necessary to ensure justice, execution of judicial acts, acts of other authorities or officials, which are subject to execution in accordance with the Estonian law on enforcement proceedings.
9.4 The processing of personal data is necessary for the performance of a contract in which the data subject is a party, beneficiary or guarantor, as well as for the conclusion of a contract at the initiative of the data subject or a contract in which the data subject will be a beneficiary or guarantor.
9.5 The processing of personal data shall be carried out for the protection of the legitimate interests of the operator or third parties, or for the achievement of socially important purposes, provided that this does not infringe the rights and freedoms of the data subject.
9.6 Processing of publicly available personal data to which access is not restricted to the data subject or at his/her request.
9.7 Processing of personal data that must be published or disclosed in accordance with the laws of the Republic of Estonia.
10.1 The Operator guarantees the security of personal data by applying the necessary legal, organisational and technical measures in accordance with the requirements of the legislation in the field of personal data protection.
10.2 The personal data of the User will not be passed on to third parties, except in cases provided for by law or when the User has expressly consented to this.
10.3 The User has the right to update his/her personal data by sending a corresponding request to the operator to the e-mail address [email protected], indicating the need to update the data.
10.4 The retention period of personal data is determined by the purposes of its collection and may be changed in accordance with legal or contractual requirements.
10.5 The Operator is not responsible for processing of personal data by third parties, including payment systems and other service providers who act in accordance with their user agreements and privacy policies.
10.6 The prohibitions established by the data subject on the transfer or processing of his/her personal data shall not apply if the data are processed in accordance with public, community or other legitimate interests provided for by law.
10.7 The Operator undertakes to ensure confidentiality of personal data in the process of its processing.
10.8 Personal data shall be stored in a form that allows identification of the data subject for the time necessary to fulfil the purposes of processing, unless another period is specified by law or contract.
10.9 The processing of personal data shall be terminated upon achievement of the purposes of processing, expiry of the consent period, revocation of consent by the data subject or in case of detection of unlawful processing of data.
11.1 The Operator carries out the following operations with personal data:
11.2 The processing of personal data is carried out automatically with the possibility of using information and telecommunication networks or without using them, depending on the goals and objectives set for the operator.
12.1 Before commencing a cross-border transfer of personal data, the operator is obliged to ensure that the foreign state to whose territory the transfer is intended ensures an adequate level of protection of personal data.
12.2 Cross-border transfer of personal data to countries that do not ensure an adequate level of data protection is allowed only with the written consent of the data subject for such transfer or within the framework of the execution of a contract in which the data subject is one of the parties.
13.1 The Operator as well as any other persons who have access to personal data are obliged to keep the data confidential. It is prohibited to disclose or distribute personal data to third parties without obtaining the prior consent of the data subject, except in cases expressly provided for by Estonian law.
14.1 Users have the right to contact the Operator for clarification on the processing of their personal data via e-mail [email protected].
14.2 Any changes to the Personal Data Processing Policy will be reflected in this document. The policy is valid indefinitely until it is replaced by a new version.
14.3 An up-to-date version of the policy is always available for consultation on the Internet at www.crowdy.ai.