SIA KADAM Privacy and Data Protection Policy

Last updated 26 February 2020


ALL DATA SUBJECTS ARE REQUIRED TO READ THIS PRIVACY AND DATA PROTECTION POLICY TO UNDERSTAND HOW THE COMPANY COLLECTS, USES, PROCESSES, AND STORES PERSONAL DATA WHILE CONDUCTING ITS ACTIVITIES AND WHAT SECURITY MEASURES ARE APPLIED IN THIS REGARD.

1. What is this Policy for?

1.1. Parties to this Policy.

This Privacy and Data Protection Policy (hereinafter referred to as “the Policy”) governs the relationship between SIA KADAM, incorporated under the laws of the Republic of Latvia, located at Avotu 23-3, Riga, Latvia LV-1011 (hereinafter referred to as “the Company”) and YOU regarding the use of your personal data.

This Policy applies to every individual that is a subject of personal data and whose personal data are processed by the Company, including Users, Visitors, Traffic Clients, Company Contractors (including their employees), and other customers (hereinafter referred to as “the Data Subject”).

1.2. The purpose of this Policy.

We want to simplify the understanding of this Policy for our customers and provide you with the possibility to understand in a very clear and accessible way what personal data of yours we collect, why we do so, how we do so, and what the consequences of those actions are.

For the purposes of this Policy, “personal data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a natural person.

2. What happens if You register on the Website?

If you have filled out the registration form and successfully registered on the Company’s website, https://www.kadam.net/, (hereinafter referred to as “the Website”), you become a User.

2.1. Who is a User?

A User is a person that registers on the Website in order to receive the Company’s services to publish advertising content on information resources of other parties and promoting them to specific audience categories (hereinafter referred to as “the Services”).

2.2. User personal data we collect.

The Company collects and processes the following user personal data:

  • a. general information from the registration form: name, e-mail address, password, phone number, ICQ IUN, Skype login, Telegram number;
  • b. information from the registration form regarding VAT (value-added tax) information for providing Services within the European Union:

      for natural persons or individual entrepreneurs:

    • - name and surname;
    • - address of residence (street number, street, apartment, city, country, zip code).

    • for legal entities:

    • - name of the company;
    • - address of location (street number, street, office, city, country, zip code);
    • - company’s VAT number;
    • - company’s registration number
  • c. full User IP address;
  • d. HTTP cookies: browser type and version; operating system type and version; information about websites visited; information on advertising content displayed to User on the Website; clicking on advertising content on the Website.

2.3. Purposes for the collection of Users’ personal data.

The Company collects and processes User’s personal data for such purposes as:

  • a. for calculating and paying VAT and for correct accounting and billing (regarding personal data specified in clause 2.2(b));
  • b. addressing the User by name;
  • c. communication with the client;
  • d. fast and easy User authorization on the Website;
  • e. providing support with authorization, account management, account security, system software errors, services, bans, etc.;
  • f. determination of the User’s country of location in order to understand the scale of distribution of Services;
  • g. executing the agreement between the Company and the User;
  • h. preventing fraud related to the provision of Services or the use of Company systems;
  • i. sending the most relevant advertising content regarding current Services to the User;
  • j. analyzing the quality of Services and forecasting the Users’ needs;
  • k. corporate marketing development.

2.4. Storage of Users’ personal data.

The Company stores the User’s personal data for the entire period of use of the Company’s Services, and no longer than 12 months from the User’s last activity on the Website.

2.5. Who controls the collection of Users’ personal data?

During the collection of Users’ personal data, the Company acts as the Controller of personal data, which means that the Company unilaterally defines the purposes and methods of processing personal data processing (hereinafter referred to as “the Controller”).

2.6. Subsequent collection of missing data.

Users who created accounts before the latest amendments to this Policy were made will be required to provide the personal data specified in clause 2.2(b) before receiving the first payment immediately after the release of the amended version of this Policy.

3. What happens if You just visited the website without registering?

If you simply visited the Website with or without a particular purpose, you automatically become a Visitor.

3.1. Who is a Visitor?

A Visitor is a person who does not use the Company’s Services. If a Visitor wants to use the Company’s Services, he or she must register on the Website and become a User.

3.2. Visitor personal data we collect.

The Company collects and processes such Visitor personal data as:

  • HTTP cookies: browser type and version; operating system type and version; information about websites visited; information on advertising content displayed to User on the Website; clicking on advertising content on the Website.

3.3. Purposes for the collection of Visitors’ personal data.

The Company collects and processes Visitors’ personal data for such purposes as:

  • a. providing the Company's Services;
  • b. determining the Visitor’s country of location in order to understand the scale of distribution of Services;
  • c. preventing fraud related to the provision of Services or the use of Company systems;
  • d. sending the most relevant advertising content regarding current Services to the Visitor;
  • e. corporate marketing development.

3.4. Storage of Visitor’s personal data.

The Company stores the Visitor’s personal no longer than 12 months from the last visit by the Website Visitor.

3.5. Who controls the collection of Visitors’ personal data?

During the collection of Visitors’ personal data, the Company acts as the Controller of personal data.

4. What happens if You visit the Website via a link placed on another Website?

When providing Services, the Company may receive and process personal data of Data Subjects that followed the link placed on the website of a Company contractor (hereinafter referred to as “Traffic Clients”).

4.1. Where may such a link be placed?

These links may be located on the website of Publishers that are legal entities, individual entrepreneurs, or individuals that cooperate with the Company on the provision of Services (hereinafter referred to as “Publishers”) and other contractors of the Company or Publishers.

4.2. Traffic Clients personal data we collect.

As part of their cooperation with the Company, Publishers may transfer to the Company such Traffic Client personal data as:

  • a. unique client’s identifier in the Publisher’s corporate system;
  • b. full IP address;
  • c. data related to the IP address (source, website, time, campaign, medium, organization, provider);
  • d. data related to the browser (type, features, version, language, status, tab size);
  • e. data related to clicks (date, time, location, characteristics, URL, ID);
  • f. device charging data (charging & discharging time, level, status);
  • g. data related to the device’s technical specifications (vendor, model, type, OS, engine, graphic card, number of cores);
  • h. data related to the internet connection (downlink channel, effective type, activated modes, distance to person);
  • i. data related to location and time (time zone, city, country);
  • j. data related to notifications (push notifications, connection type);
  • k. data related to the screen (ratio, resolution, orientation, intervals, webview presence);
  • l. data related to the user agent (presence, type, name, vendor, version, model, change data);
  • m. data related to the detection of fraudulent operating systems.

4.3. Purposes for the collection of Traffic Clients’ personal data.

The Company collects and processes Traffic Clients’ personal data for such purposes as:

  • a. providing the Company's Services;
  • b. determining the Visitor’s country of location in order to understand the scale of distribution of Services;
  • c. preventing fraud related to the provision of Services or the use of Company systems (regarding the data specified in clauses 4.2 (d)-(m));
  • d. analyzing the quality of Services and forecasting potential Users’ and/or Visitors’ needs;
  • e. corporate marketing development.

4.4. Storage of Traffic Clients’ personal data.

The Company stores Traffic Clients’ personal data no longer than 12 months from the moment they accessed the Website via the Advertiser’s link.

4.5. Exchange of Traffic Clients’ personal data.

In accordance with the appropriate request, the Company may transfer Traffic Clients’ personal data, except those data specified in clause 4.2 (d)-(m) to the Advertiser so that it can better understand the nature and condition of Internet traffic related to its ads. The Company reserves the right to transfer such data to other contractors in order to provide Services.

The Company uses data specified in clause 4 (2)(d)-(m) exclusively for internal fraud prevention purposes.

The Company receives Traffic Clients’ full IP addresses and transfers them “as-is” in real-time to its contractors. After transferring the data, the Company cuts and hashes the full IP addresses and stores them in that form.

4.6. Who controls the collection of Traffic Clients’ personal data?

During the collection and processing of Traffic Clients’ personal data, Publishers and the Company act as Joint Controllers, which means that they jointly determine the purposes and methods of processing personal data processing (hereinafter referred to as “Joint Controllers”).

In every single situation, every Publisher and other Company contractor guarantees and must receive the consent from its Traffic Client to collect, process, and transmit his or her personal data, including consent to further transfer data by its contractors, as well as to involve other Company partners in processing such data.

4.7. Disclaimer.

The Company does not represent, guarantee, or bear liability for the lawfulness of collecting, processing, using, storing, and other activities related to the personal data of parties who access/were redirected to the Website via a link that was not placed either on the website or any other resource or published by an entity other than the Company’s contractor.

5. What happens if I am the Company’s Contractor?

The Company may collect and process the personal data of its contractors (including their employees).

5.1. Who is the Contractor?

Contractors may refer to:

  • a. Publishers;
  • b. SSP Platforms;
  • c. Advertisers, including DSP Platforms that are legal entities and business contractors of the Company and which may receive Traffic Clients’ data that has been anonymized and encrypted via irreversible hashing in order to fulfill the obligations under the Company’s agreement with this Platform after sending an appropriate request;
  • d. Processors involved by the Company;
  • e. Other contractors involved by the Company to provide Services.

5.2. Contractors personal data we collect.

The Company collects and processes such contractor personal data (including those of their employees) as:

  • a. full name;
  • b. person’s position;
  • c. e-mail address;
  • d. means of communication.

5.3. Purposes for the collection of Contractors personal data.

The Company receives and processes contractors personal data for such purposes as:

  • a. conducting communications regarding the execution of contracts or other financial/legal matters;
  • b. sending advertising offers regarding Services;
  • c. other business purposes specified in the agreement between the Company and contractor;
  • d. corporate marketing development.

5.4. Storage of Contractors personal data.

The Company stores contractors personal data (including those of their employees) no longer than 10 years from the termination of the agreement with that specific contractor.

5.5. Who controls the collection of Contractors personal data?

During the collection and processing of contractors personal data (including those of their employees), the Company acts as a Controller.

6. General provisions.

6.1. Applicable law.

During the collection and use of personal data, the Company becomes subject to various laws that govern the manners in which such activities may be carried out and the safeguards that must be put in place to protect data. The Company adheres to all conditions and requirements stipulated by the current law of the Republic of Latvia, European law, including but not limited to the General Data Protection Regulation (hereinafter, “GDPR), as well as other international laws concerning data protection.

6.2. Subject scope of this Policy.

This Policy applies to all Company employees, independent contractors, Users, interested parties, and all other subjects that directly or indirectly participate in processing personal data, including Data Subjects who visit the website https://www.kadam.net/ as well as its subdomains.

6.3. Data subject consent.

The Company obtains data from a Data Subject with his or her permission and consent or may receive personal data from the Publisher or other Company contractors to whom the Data Subject has given consent to transfer this information to the Company in accordance with this Policy, including his or her consent to the further transfer of data by the Company to its contractors, as well as to involve other Company partners in processing such data.

6.4. Data protection authority (DPA).

Data Subjects have the right to apply to the Company or to the DPA about his or her personal data breach if he/she becomes aware of it before the Company does.

The Data Protection Authority (hereinafter referred to as “the DPA”) is an independent public authority, which was established by a Member-State of the European Union pursuant to the provisions of GDPR. For the purposes of this Policy, the DPA means the Data State Inspectorate of Latvia located at the following address: 11/13-11 Blaumana Street, Riga, Latvia LV-1011 (website: http://www.dvi.gov.lv/lv/).

7. Lawfulness of processing.

7.1. General rules.

The Company processes personal data on the basis of the consent which is provided through the Consent Form.

Along with the Consent Form, the Company provides Data Subjects with the Privacy Notice that contains the information on methods of processing as well as the period for which such personal data shall be stored, including precise information concerning the purposes of processing the data.

The Privacy Notice is to be provided to Users within the Website immediately before they fill out the appropriate registration form.

It is presumed that by giving your consent, you acknowledge and accept all terms and conditions specified in the Privacy Notice and Consent Form as well as all conditions specified in the current Policy.

The Company shall be able to demonstrate that consent was obtained if so required.

7.2. Processing User’s personal data.

The Company begins to collect a User’s personal data when that User registers on the Website.

The Company processes User’s personal data based on the consent provided by the User through the Consent Form before registering.

Consent is considered to be provided after the User presses the “I agree” button at the end of the appropriate User Consent Form on the Website. In the Consent Form, the User may not agree to have his or her personal data processed in order to send him or her the most relevant advertising content and offers concerning the Services based on profiling such information about him or her.

The User confirms that he/she is 18 (eighteen) years of age or older by checking the relevant sentence.

7.3. Processing Visitor’s and Traffic Client’s personal data.

The Company begins to collect a Visitor’s personal data when that Visitor visits the Website.

The Company processes Visitor’s personal data based on the consent provided by the Visitor through a pop-up notification ad. The Company provides the Visitor with this ad when the Visitor visits the Website.

The Company processes Traffic Client’s personal data based on the consent as provided in clause 4.6.

7.4. Categories of personal data that the Company does not process.

The Company does not collect and/or process sensitive data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Furthermore, it does not process genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health. or data concerning a natural person's sex life or sexual orientation (hereinafter referred to as “Sensitive Data”).

The Company does not collect and/or process any other personal data of Data Subjects except the data specified in this Policy. The Company also collects personal data strictly within the amount needed for the processing purposes specified in this Policy.

7.5. Personal data breach.

The Company undertakes to reduce the risks of data breaches that may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed (hereinafter referred to as a “Personal Data Breach”).

The Company selects contractors with an impeccable reputation and concludes confidentiality agreements with them in this regard.

8. Data subject age.

8.1.The Company collects personal data based on consent obtained from Data Subjects who have reached 18 years of age.

8.2. After registering on the Website and giving his or her consent to the Company, the appropriate Data Subject acknowledges that he or she reached 18 years of age and has all rights to provide the Company with consent for the process of his or her personal data.

8.3. If you know that the Company processes data of a person under 18 years of age, please inform us about this by writing to the e-mail address support@kadam.net.

9. Withdrawing consent.

9.1. General information.

A Data Subject is entitled to withdraw his or her consent at any time.

9.2. Submitting a request.

The withdrawal of the consent is considered to be properly made after the Data Subject has sent a letter regarding the withdrawal of consent to the e-mail address support@kadam.net.

A Data Subject may also use the Opt-Out form on the Website to withdraw his or her consent.

9.3. Withdrawal procedure.

A duly submitted request to withdraw consent shall be examined within 72 hours from the time said request to withdraw consent is received, and the Company shall make an appropriate decision.

9.4. Alternatives.

The Data Subject is entitled to withdraw his or her consent at any time in his or her account on the Website by deleting it. In his or her personal account, the Data Subject may withdraw his or her consent for sending the most relevant advertising content and offers concerning Services based on the profiling of such information about the Data Subject.

10. Personal data storage.

10.1.After the storage period has expired, the Company is obliged to delete the personal data or ask the Data Subject to provide the Company with new consent if the Company still needs to process personal or another purpose of processing appears.

10.2.The Company is entitled to stop storage in the future and delete previously collected personal data on a Data Subject at any time if such personal data are no longer needed. Furthermore, the Company is obligated to notify the respective Data Subject that his or her personal data have been deleted.

10.3.The Company may continue to store personal data if subsequent processing is provided for by law and is deemed relevant for a purpose that is incompatible with the original purpose of processing stated in this Policy. Furthermore, “incompatible purposes” imply the purposes of archiving data in the public interest, as well as for scientific, statistical, or historical use.

11. Data processing.

11.1. General rules.

Every Processor without exception must be engaged by the Company under the same conditions as other Processors and must act only according to the Company’s instructions and within the scope of the appropriate agreement concluded between the Processor and the Company.

The Company is responsible for the proper processing of the Data Subjects’ personal data under the GDPR. Furthermore, each Processor is responsible for its adherence to the GDPR as well as to other laws concerning data protection when processing Data Subjects’ personal data.

Processors are not entitled to define any additional purposes for processing personal data.

11.2. Who is a Processor?

During the processing of personal data of Users, Visitors, Traffic Clients, contractors (including those of their employees), and other Data Subjects, the Company may involve natural persons or legal entities, government authorities, agency, or any other entity that processes personal data on behalf of the Controller (hereinafter referred to as a “Processor”).

11.3. Who can be a Processor?

The Company may engage ADV BIZ LTD as a Processor based on the corresponding User Agreement.

If necessary, the Company may engage other Processors. Other Company contractors may act as Processors if they provide support with authorization, account management, account security, system software errors, services, bans, etc.

12. Data Subjects rights.

12.1. List of rights.

This Policy provides all Data Subjects with the opportunity to exercise any of the following rights:

  • a. The right to access. Data Subjects have a right to know whether their personal data are being processed and, if so, access such data.
  • b. The right to rectification. If the personal data are inaccurate, the respective Data Subject is entitled to ask the Company to correct them.
  • c. The right to erasure or the right to be forgotten. Data Subjects have a right to obtain from the Company the erasure of the Data Subjects personal data without undue delay, and the Company is obliged to erase such personal data without undue delay.
  • d.The right to restriction of processing. Data Subjects have a right to limit the processing of their personal data with several exceptions under the scope of the GDPR.
  • e. The right to be informed. The Company is obliged to inform Data Subjects of what data is being collected, how they are being used, how long they will be stored, and whether they will be shared with any third parties. This information must be communicated concisely and in plain language.
  • f. The right to data portability. Data Subjects are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that the Data Subject has provided the Company through his or her consent.
  • g. The right to object. Data Subjects may object to the processing of their personal data by the Company. The Company must stop processing such personal data unless the Company can demonstrate compelling legitimate grounds for processing that overrides the interests, rights, and freedoms of the individual or if the processing is undertaken to establish or provide for the defense of legal claims.
  • h. The right not to be subject to a decision based solely on automated means. Data Subjects have a right to object to any automated profiling, which means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyze or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior (hereinafter referred to as “Profiling”) without his or her consent. Furthermore, Data Subjects have a right to request that their personal data be processed with human involvement.

12.2. How Data Subjects may exercise these rights.

The User can exercise his or her right to access and right to restrict processing in his or her account on the Website. The User may withdraw at any time through said account his or her consent to the processing of his or her personal data for the purposes of direct marketing.

The User may exercise his or her right to erasure by deleting his or her account on the Website.

The Data Subject may withdraw consent at any time to the processing of his or her personal data for the purposes of displaying to him or her the most relevant advertising content and offers concerning Services based on the profiling of such information about the Data Subject by using the Opt-Out option on the Website (https://www.kadam.net/ru/opt-out).

The Data Subject may exercise any of the rights described above by sending a request to the e-mail address support@kadam.net. The Data Subject’s request must include his or her name, contact information, the right the Data Subject wishes to exercise, personal data processed by the Company, details, and/or an explanation for said request.

12.3. Period to exercise rights.

These are the timescales within which Data Subjects may exercise the rights stated above (the period starts from the moment the Company receives the request):

  • a. Right to be informed: when data is collected;
  • b. Right to access: 2 weeks;
  • c. Right to rectification: 2 weeks;
  • d. Right to erasure: without undue delay;
  • e. Right to restrict processing: without undue delay;
  • f. Right to data portability: 2 weeks;
  • g. Right to object: upon receipt of objection;
  • h. Rights in relation to automated decision-making and profiling: 2 weeks.

13. Data Protection officer.

The Company’s Data Protection officer is Dmitry Vasnin (dpo@kadam.net).

14. Security.

14.1. The Company is responsible for ensuring that any personal data in the Company’s possession and for which it is responsible is stored securely and is not, under any conditions, disclosed to any parties unless a party has been specifically authorized by the Company to receive that information and has entered into a confidentiality agreement.

14.2. All personal data shall be accessible only to those who need to use it. The personal data shall be treated with the highest security and must be kept in encrypted storage.

15. Data breach notification.

15.1. Assessment of risks.

The Company takes all reasonable steps to minimize the risk of a personal data breach when processing personal data.

The risk assessment the Company must perform should determine whether the risk to the rights and freedoms of the Data Subjects affected is judged to be sufficiently high to justify notifying them of the breach.

15.2. The Company’s obligations if a data breach occurs.

In the event of a personal data breach, the Company shall without undue delay and, where feasible, no later than 72 hours after having become aware of it, report the personal data breach to the DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of Data Subjects.

In addition, in the event of a personal data breach that may result in a high risk to the rights and freedoms of Data Subjects, the Company shall, without undue delay, notify the appropriate Data Subject whose personal data were breached.

If measures have subsequently been taken to avoid high risk to Data Subjects to the degree that such risk is no longer likely to occur, communication with the Data Subject is not required by the GDPR.

The Company documents all personal data breaches, including facts related to the personal data breach, its effects, and remedial actions taken. This documentation shall enable the DPA to verify compliance with the GDPR.

16. Data transfer.

16.1. The Company stores personal data in the Netherlands.

16.2. The Company does not sell or trade personal data to any legal entities or natural persons.

16.3. The Company may transfer personal data to its contractors specified in this Policy. It should be understood that the Company transfers personal data in accordance with the GDPR and appropriate measures if needed.

16.4. Personal data are transferred for the purposes and through the methods defined by this Policy.

17. Non-Discrimination.

17.1. General information.

The Company hereby assures and guarantees that it in no way discriminates against Data Subjects based on the Data Subjects’ exercise of any of their rights, including but not limited to, by:

  • a. Denying goods or services to Users;
  • b. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties, except as provided under this Policy;
  • c. Providing a different level or quality of goods or services to Users;
  • d. Suggesting that Users will receive a different price or rate for goods or services or a different level or quality of goods or services, except as provided under this Policy.

17.2. Exception.

Notwithstanding clause 17.1, after prior notification, the Company may offer a different price, rate, level, or quality of goods or services to Users if that price or difference is directly related to the value provided to Data Subjects by the Data Subjects’ data.

17.3. Disclaimer.

The Company’s denial of Data Subjects for reasons permitted by applicable laws shall not be considered discriminatory.

18. Additional conditions.

18.1. The current version of this Policy is available to all subjects concerned on the Website.

18.2. The Company may revise this Policy from time to time, but no less than once every 12 months. If the Company makes content changes to this Policy, it will notify Data Subjects by e-mail or by posting a notice on the Website prior to the effective date of the changes. By continuing to access or use the Website after those changes become effective, Data Subjects agree to the revised Policy.