KADAM privacy and data protection policy
Last updated 26 February 2020
ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW COMPANY COLLECTS, USES, PROCESSES AND STORES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE BEING APPLIED.
1. What Is It For?
1.1. Parties to This Policy.
This Privacy and Data Protection Policy (hereinafter referred to as “the Policy”) defines the regulation of the relationship between KADAM SIA, incorporated under the laws of the Latvian Republic, located at Rīga, Avotu 23-3, LV-1011 (hereinafter referred to as “the Company”) and YOU regarding the use of your personal data.
This Policy applies to every individual that is a subject of personal data and whose personal data are processed by the Company including Users, Visitors, Traffic clients, Company’s contractors (including their employees) and other customers (hereinafter referred to as “the Data Subject”).
1.2. Purpose of This Policy.
We want to simplify the understanding of this Policy for our customers and provide You with a possibility to understand in a very clear and accessible way what exact personal data of yours do we collect, why do we do that, in what way do we do that and what are the consequences of those actions.
For the purposes of this Policy, personal data means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with natural person.
2. What Happens If You Registered on the Website?
If you filled in the registration form and successfully registered on the Company’s website https://www.kadam.net/ (hereinafter referred to as “the Website”) you become a User.
2.1. Who Is the User?
It is assumed that User is a person that registers on the Website in order to receive the services of the Company in a field of posting of advertising materials on information resources of other persons and promoting them to specific categories of audience (hereinafter referred to as “the Services”).
2.2. Personal Data of Users We Collect.
- a. Company collects and processes such User’s personal data as: registration form general information: name, email address, password, phone number, ICQ IUN, Skype login, Telegram number;
- b. registration form VAT-related information for providing Services within the EU:
- - name and surname;
- - address of residence (country, city, street, apartments, zip code).
- - name of a company;
- - address of location (country, city, street, office, zip code);
- - company’s VAT number;
- - company’s registration number.
for individuals or individual entrepreneurs:
for legal entities:
- c. full User’s IP address;
- d. HTTP cookies: browser type and version; type and version of the operating system; information about visited websites; information on advertising materials displayed to User on the Website; clicking on promotional materials on the Website.
2.3. Purposes Behind the Users’ Personal Data Collection.
Company collects and processes User’s personal data for such purposes as:
- a. for VAT calculation and payment and for the correct accounting and billing (regard to personal data specified in clause 2.2(b));
- b. polite appealing to the User;
- c. communication with the client;
- d. fast and easy User authorization on the Website;
- e. providing support with authorization, account managing, account security, system software errors, Services, bans etc.;
- f. determination of the User`s country of location in order to understand the scale of Services` distribution;
- g. performing of the agreement between Company and User;
- h. prevention of frauds related to providing of the Services or using systems of the Company;
- i. sending the User the most relevant advertising materials regarding current Services;
- j. analysis of the Services` quality and forecasting of the Users` needs;
- k. corporate marketing development.
2.4. Storage of the Users’ Personal Data.
The Company stores the User’s personal data for the entire period of use of the Company’s Services, as well as no longer than 12 months from the moment of the last User’s activity on the Website.
2.5. Who Controls Collection of the Users’ Personal Data?
In a process of the Users` personal data collection Company acts as the Controller of personal data which means that Company unilaterally defines the purposes and methods of the personal data processing (hereinafter referred to as “the Controller”).
2.6. Subsequent Collection of Missing Data.
Users which created accounts before the last amendments to this Policy were made will be required to provide the personal data specified in clause 2.2(b) before the receiving of the first payment immediately after the release of the amended version of this Policy.
3. What Happens If You Just Visited the Website Without Registration?
If you simply entered the Website with any purpose or without it, you automatically become a Visitor.
3.1. Who Is the Visitor?
Visitor is a person who does not use the Company`s Services. If Visitor want to use the Company’s Services he/she needs to register on the Website and become a User.
3.2. Personal Data of Visitors We Collect.
Company collects and processes such Visitor`s personal data as:
- a. HTTP cookies: browser type and version; type and version of the operating system; information about visited websites; information on advertising materials displayed to User on the Website; clicking on promotional materials on the Website;
3.3. Purposes Behind the Visitors’ Personal Data Collection.
Company collects and processes Visitor`s personal data for such purposes as:
- a. providing the Company`s Services;
- b. determination of the Visitor`s country of location in order to understand the scale of Services` distribution;
- c. prevention of frauds related to providing of the Services or using systems of the Company;
- d. sending the Visitor the most relevant advertising materials regarding current Services;
- e. corporate marketing development.
3.4. Хранение Персональных Данных Посетителей.
Компания хранит персональные данные Посетителя не дольше 12 месяцев с момента последнего посещения Посетителем Сайта.
3.4. Storage of the Visitors’ Personal Data.
The Company stores the Visitor`s personal no longer than 12 months from the moment of the last Visitor`s visit of the Website.
3.5. Who Controls Collection of the Visitor`s Personal Data?
In a process of the Visitors` personal data collecting Company act as the Controller.
4. What Happens If You Accessed the Website via the Link Placed on Another Website?
During the providing of Services, the Company can receive and process personal data of Data Subjects that followed the link placed on the website of the Company`s contactor (hereinafter referred to as “the Traffic clients”).
4.1. Where Such Link May Be Placed?
These links could be located on the website of Publishers that are the legal entities, private entrepreneurs or individuals that cooperate with the Company in respect of providing of Services (hereinafter referred to as “the Publishers”) and other Company’s or Publisher’s contractors.
4.2. Personal Data of Traffic Clients We Receive.
By means of cooperation with the Company Publishers may transfer to the Company such personal data of Traffic clients as:
- a. unique client`s identifier in the corporate system of Publisher;
- b. full IP address;
- c. IP address related data (source, site, term, campaign, medium, organization, provider);
- d. browser related data (type, features, version, language, status, tab size);
- e. click related data (date, time, location, characteristics, url, ID);
- f. device charging data (charging & discharging time, level, status);
- g. device technical characteristics related data (vendor, model, type, OS, engine, graphic card, number of cores);
- h. internet connection related data (downlink, effective type, activated modes, distance to person);
- i. location and time data (time zone, city, state);
- j. notifications related data (push-notifications, connection type);
- k. screen related data (ratio, resolution, orientation, intervals, webview presence);
- l. user agent’s data (presence, type, name, vendor, version, model, changeling data);
- m. fraud OS detection data.
4.3. Purposes Behind the Traffic Clients’ Personal Data Receiving.
Company receives and processes personal data of Traffic clients for such purposes as:
- a. providing the Company`s Services;
- b. determination of the Traffic clients` country of location in order to understand the scale of Services` distribution;
- c. prevention of frauds related to providing of the Services or using systems of the Company (regard to data specified in clauses 4.2 (d)-(m));
- d. analysis of the Services’ quality and forecasting of the potential Users` and/or Visitors` needs;
- e. corporate marketing development.
4.4. Storage of the Traffic Clients’ Personal Data.
Company stores personal data of Traffic clients no longer than 12 months from the moment they accessed the Website via the Advertiser`s link.
4.5. Exchange of the Traffic Clients’ Personal data.
According to the appropriate request Company may transfer personal data of Traffic clients, except data provided in of clause 4 (2)(d)-(m), to the Advertiser so that it can better understand the nature and condition of Internet traffic related to its ads. Company has a right to transfer such data to other contractors in order to provide Services.
Company uses data specified in clause 4 (2)(d)-(m) exclusively for internal fraud prevention purposes.
Company receives full IP addresses of Traffic clients and transfers them in “as is” form on a real-time basis to its Contractors. After transferring, Company cuts and hashes full IP addresses and stores them in such form.
4.6. Who Controls Collection of the Traffic Clients’ Personal Data?
During the collecting and processing of the Traffic clients` personal data Publishers and Company act as joint controllers which means that they jointly determine the purposes and methods of the personal data processing (hereinafter referred to as “the Joint Controller”).
In every single situation every Publisher and other Company’s contractor guarantees and must receive a consent from its Traffic client to collect, process and transmit his/her personal data, including consent to the further transfer of data by its contractors, as well as to involve other partners of the Company in processing of such data.
Company does not represent, warrant or is not responsible for the lawfulness of collecting, processing, using, storing and other activities related to the personal data of persons who accesses / were redirected to the Website via the link placed not on the website / any other resource of or placed not by the Company’s contractor.
5. What Happens If I Am the Company’s Contractor?
Company can collect and process the personal data of its contractors (including their employees).
5.1. Who Is the Contractor?
Contractors should be understood as:
- a. Publishers;
- b. SSP Platforms;
- c. Advertisers, including DSP Platforms which are the legal entities and business contractor of the Company who can receive anonymized and encrypted by the method of irreversible hashing Traffic clients` information in order to fulfill obligations under the Company’s agreement with this Platform after sending an appropriate request;
- d. Processors involved by the Company;
- e. Other contractors involved by the Company in order to provide Services;
5.2. Personal Data of Contractors We Collect.
Company collects and processes such personal data of the contractors as:
- a. full name;
- b. position of a person;
- c. email address;
- d. means of communication.
5.3. Purposes Behind Contractors’ Personal Data Collection.
Company receives and processes personal data of the contractors for such purposes as:
- a. conducting of conversation regarding the implementation of contracts either regarding other financial/legal matters;
- b. sending of promotional offers regarding the Services;
- c. other business purposes specified in the agreement between Company and contractor;
- d. corporate marketing development.
5.4. Storage of Contractors’ Personal Data.
Company stores personal data of the contractors (including their employees) no longer than 10 years from the moment of termination of the agreement with such contractor.
5.5. Who Controls Collection of Contractors’ Personal Data?
In a process of collecting and processing of personal data of the contractors (including their employees) Company act as the Controller.
6. General Provisions.
6.1. Applicable Legislation.
While collecting and using of the personal data the Company becomes a subject to various legislation that governs the matters of how such activities may be carried out and the safeguards that must be put in place to data protection. The Company adheres all conditions and requirements stipulated by the current legislation of the Latvian Republic, European legislation including but not limited to the General Data Protection Regulation as well as other international legislative acts concerning data protection.
6.2. Subject Scope of this Policy.
This Policy applies to all Company’s employees, independent contractors, Users, interested persons and all other subjects that directly or indirectly participate in the personal data processing, including Data Subjects who visit the website https://www.kadam.net/ as well as its subdomains.
6.3. Data Subject Consent.
The Company obtains data from Data Subject with his/her permission and consent, or may receive personal data from the Publisher or other Company’s contractors to whom Data Subject has given consent to transfer this information to the Company in accordance with this Policy, including consent to the further transfer of data by Company to its contractors, as well as to involve other partners of the Company in processing of such data.
6.4. Data Protection Authority (DPA).
The Data Subjects have a right to apply to the Company or to the DPA about his/her personal data breach if he/she becomes aware of it earlier than the Company.
Data Protection Authority (hereinafter referred to as “the DPA”) means an independent public authority which is established by a Member State pursuant to the provisions of GDPR. For the purposes of this Policy the DPA means the Data State Inspectorate of Latvia that is located at the following address: Blaumana Street 11/13-11, Riga, LV-1011, Latvia (website: http://www.dvi.gov.lv/lv/).
7. Lawfulness of Processing.7.1. General Rules.
The Company processes personal data on the basis of the consent which is provided through the Consent Form.
Along with the Consent Form, the Company provides Data Subject with Privacy Notice which contains the information on methods of processing as well as on the period for which such personal data are to be stored including the precise information concerning the purposes of processing
Privacy Notice is to be provided to the Users within the Website right before the appropriate registering form is filled in.
It is presumed that by giving the consent You acknowledge and accept all terms and conditions specified in the Privacy Notice and Consent Form as well as all conditions specified in the current Policy.
Company shall be able to demonstrate that consent was obtained for the processing operation if required.
7.2. Processing of Users’ Personal Data.
Company starts to collect personal data of Users when a particular User is registering on the Website.
The Company processes personal data of Users on the basis of the consent which is provided by User through the Consent Form before registration.
The consent is considered to be provided after the User has pressed the “I give consent” button in the end of the appropriate User Consent Form through the Website. In the Consent Form the User may not agree with processing his/her personal data for sending him/her most relevant advertising material and offers concerning Services based on the profiling such information about him/her.
The User confirms that he/she is eighteen (18) years of age or older by putting a tick in front of relevant sentence.
7.3. Processing of Visitors’ and Traffic clients’ Personal Data.
Company starts to collect personal data of the Visitors when the particular Visitor enters the Website.
The Company processes personal data of Visitors on the basis of the consent which is provided by Visitor through pop-up notification ad. Company provides Visitor with this ad at the moment Visitor enters the Website.
The Company processes personal data of Traffic clients on the basis of the consent as provided in clause 4.6.
7.4. Categories of Personal Data Company Does Not Process.
The Company does not collect and/or process the sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (hereinafter referred to as “the Sensitive Data”).
The Company does not collect and/or process any other personal data of Data Subjects except the data determined under this Policy. The Company also collects personal data strictly within the amount needed for the purposes of processing specified herein.
7.5. Personal Data Breach.
The Company undertakes to reduce the data breach risks that may lead to the breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (hereinafter referred to as “the Personal Data Breach”).
Company selects contractors with an impeccable reputation and concludes confidentiality agreements with them in this regard.
8. Data Subject Age.
8.1. The Company collects the personal data on the basis of consent obtained from the Data Subjects who have reached the age of 18 years.
8.2. After registering on the Website and giving the consent to Company, the appropriate Data Subject acknowledges that he/she reached the age of 18 years and has all rights to provide the Company with the consent for his/her personal data processing.
8.3. If you know that the Company processes data of person under 18 years old, please inform us about this by writing to e-mail address: email@example.com.
9. Withdrawing of Consent.9.1. General Information.
Data Subject is entitled to withdraw the consent at any time he/she wishes.
9.2. Request Submitting.
The withdrawal of the consent is considered to be properly made after the Data Subject has sent such letter of withdrawal to the following e-mail address: firstname.lastname@example.org.
Data Subject likewise can use Opt Out form on the Website to withdraw the consent.
9.3. Withdrawal Procedure.
The appropriate request for withdrawing of the consent shall be examined within 72 hours since a moment the respective form of withdrawal is received, and the adequate decision shall be made by the Company.
The Data Subject is entitled to withdraw the consent at any time in its own account at the Website by deleting it. Through its personal account on the Website Data Subject can withdraw the consent for sending most relevant advertising material and offers concerning Services based on the profiling of such information about Data Subject.
10. Personal Data Storage.
10.1.After expiration of the period of storage, the Company is obliged to delete the personal data or ask the Data Subject to provide the Company with a new consent if the necessity of processing remains relevant for the Company or another purpose of processing appears.
10.2.The Company is entitled to stop storing in future and delete the earlier collected Data Subjects` personal data at any time if such personal data are not needed anymore. Herewith, the Company is obligated to notify the respective Data Subject that his/her personal data are deleted.
10.3.The Company may keep storing the personal data if a subsequent processing is foreseen by law and is deemed relevant for a purpose which is not compatible with the original purpose of processing stated in this Policy. Herewith, the incompatible purposes mean the purposes concerning archiving in the public interest, scientific, statistical or historical use.
11. Processing.11.1. General Rules.
Every Processor without exception has to be involved by the Company under the same conditions as other and has to act only according to the Company`s instructions and within the scope of the appropriate agreement they concluded.
The Company is responsible for the proper processing of the Data Subjects’ personal data under the GDPR. Herewith, each Processor is responsible for the adherence of the GDPR as well as for other legislative actions concerning data protection while processing the Data Subjects’ personal data.
The Processors are not entitled to define any additional purposes for the personal data processing.11.2. Who Is the Processor?
During the processing of personal data of Users, Visitors, Traffic clients, contractors (including employees) and other Data Subjects Company may involve individual or legal entity, state authority, agency or any other entity that processes personal data on behalf of the Controller (hereinafter referred to as “the Processor”).
11.3. Who Can Be the Processor?
On the basis of the appropriate User`s Agreement Company may involve ADV BIZ LTD as a Processor.
If necessary, Company may involve other Processors. Other Company`s contractors could act as the Processors in case they provide support with authorization, account managing, account security, system software errors, Services, bans etc.
12. Data Subjects’ Rights.12.1. List of Rights.
This Policy provide all Data Subjects with opportunity to exercise any of the following rights:
- a. right to access. The Data Subjects have a right to know whether their personal data are being processed and if so, access such data.
- b. right to rectification. If the personal data are inaccurate, the respective Data Subject is entitled to ask the Company to correct them indeed.
- c. right to erasure or right to be forgotten. The Data Subjects have a right to obtain from the Company the erasure of the Data subjects’ personal data without undue delay and the Company has the obligation to erase such personal data without undue delay.
- d. right to restriction of processing. The Data Subjects have a right to limit processing of their personal data with several exceptions under the scope of the GDPR.
- e. right to be informed. The Company is obliged to inform Data Subjects of what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
- f. right to data portability. The Data Subjects are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that Data Subject has provided the Company with by way of the consent.
- g. right to object. The Data Subjects can object to the processing of personal data that are being processed by the Company. The Company must stop processing of personal data unless the Company can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is undertaken for the establishment or exercise of defense of legal claims.
- h. right not to be subject to a decision based solely on automated processing. The Data Subjects have a right to object to any automated profiling which means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior (hereinafter referred to as “the Profiling”), that is occurring without consent. Herewith, the Data Subjects have a right to request their personal data are to be processed with the human involvement.
12.2. How Data Subjects May Exercise These Rights.
The User can exercise its right to access and right to restrict the processing in its own account on the Website. The User has the opportunity at any time to withdraw consent to his/her personal data processing for purposes of direct marketing in its own account on the Website.
The User can exercise right to erasure by deleting its own account on the Website.
The Data Subject has the opportunity at any time to withdraw consent to his/her personal data processing for purposes of displaying to him/her the most relevant advertising material and offers concerning Services based on the profiling of such information about Data Subject by using option “Opt-out” at the Website (https://www.kadam.net/ru/opt-out).
The Data Subject can exercise any of described above rights by sending request to the e-mail address: email@example.com. Data Subject request must include name, contact information of the Data Subject, right which Data Subject wants to exercise, personal data processed by the Company, details and reason/justification of such request.
12.3. Period of Rights’ Exercising.
These are the timescales within which the Data Subjects may exercise its rights stated above (the period starts from the moment the Company receives the request):
- a. Right to be informed - when data is collected;
- b. Right to access - 2 weeks;
- c. Right to rectification - 2 weeks;
- d. Right to erasure - without undue delay;
- e. Right to restrict processing - without undue delay;
- f. Right to data portability - 2 weeks;
- g. Right to object - on receipt of objection;
- h. Rights in relation to automated decision making and profiling - 2 weeks.
13. Data Protection Officer.
The information about Data Protection Officer of the Company is as follows: Dmitry Vasnin (firstname.lastname@example.org).
14.1. The Company is responsible for ensuring that any personal data that Company holds and for which it is responsible, is kept securely and is not under any conditions disclosed to any persons unless that persons has been specifically authorized by Company to receive that information and has entered into a confidentiality agreement.
14.2. All personal data should be accessible only to those who need to use it. The personal data shall be treated with the highest security and must be kept encrypted.
15. Data Breach Notification.
15.1. Assessment of Risks.
The Company takes all reasonable steps to minimize the risk of the personal data breach while processing the personal data.
The risk assessment the Company has to carry out have to determine whether the risk to the rights and freedoms of the Data Subjects affected is judged to be sufficiently high to justify notification to them.
15.2. Obligation of Company If Data Breach Occurred.
In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects.
Also, in the case of a personal data breach, which is likely to result in a high risk to the rights and freedoms of the Data Subjects, the Company shall without undue delay notify the appropriate Data Subject the personal data of which were breached.
If measures have subsequently been taken to mitigate the high risk to the Data Subjects, so that it is no longer likely to happen, then communication with the Data Subject is not required by the GDPR.
The Company documents all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the DPA to verify compliance with the GDPR.
16. Data Transfer.
16.1. The Company stores personal data in the Netherlands.
16.2. The Company does not sell or trade personal data to any legal persons or individuals.
16.3. The Company may transfer the personal data to its contractors, specified in this Policy. It is recognized that the Company transfers the personal data based on GDPR and adequacy decision if needed.
16.4. The personal data are being transferred for the purposes and by using the methods defined by this Policy.
17. Non-Discrimination.17.1. General Information.
Company hereby assures and warrants that it does not involve any discrimination of Data Subjects because of the Data Subjects` exercising of any of their rights, including, but not limited to, by:
- a. Denying goods or services to Users;
- b. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, except as provided under this Policy;
- c. Providing a different level or quality of goods or services to Users;
- d. Suggesting that Users will receive a different price or rate for goods or services or a different level or quality of goods or services, except as provided under this Policy.
Notwithstanding the clause 17 (1), after a prior notification, Company may offer a different price, rate, level, or quality of goods or services to Users if that price or difference is directly related to the value provided to Data Subjects by the Data Subjects` data.
Company`s denial of Data Subjects for reasons permitted by the applicable laws shall not be considered discriminatory.
18. Additional Conditions.
18.1. A current version of this Policy is available to all subjects concerned on the Website.
18.2. The Company may revise this Policy from time to time but no less than once at every 12 months. If the Company makes material changes to this Policy, it will notify the Data Subjects by e-mail or by posting a notice on the Website prior to the effective date of the changes. By continuing to access or use the Website after those changes become effective, Data Subjects agree with the revised Policy.