Data protection & Privacy policy

1.              Introduction

1.1    This data protection and privacy policy (the “Policy”) describes how we collect and process your personal data when you use or app.

 

1.2    The Policy is prepared and made available to provide you with information about the processing in a concise, transparent, intelligible and easily accessible form, using as clear and plain language as possible, as it is required from the general data protection regulation (2016/679 of 27 April 2016) (the “GDPR”).

2.    Collecting personal data with cookies
2.1    When you use our app, small text files called cookies are placed on your device. Some of these cookies are necessary for the app to function while others are used to improve our services. Cookies that are not necessary for the app will only be placed on your device if you have given your consent to such placement in accordance with section 3 of the Danish Cookie Order (No. 1148 of 9 December 2011).

2.2    If you wish to limit or decline the cookies placed on your device when visiting our app, you can do so at any time by changing the settings on your device. However, you should be aware that if you decline or reject cookies it may impact the functionality of the app, which means that you may not be able to use some or all parts of the app

 

2.3    If you have consented to the placement of cookies that are not strictly necessary for the functionality of the app, we will disclose and/or share data collected from such cookies with the following companies:
(a)    “Google LLC” and sub-processors to provide the Google Analytics tool, which is used for anonymization and aggregation of data to create insight for the improvement of the app.

(b)    “Facebook Ireland Limited” and sub-processors to provide matching, measurement and analytics services.
Such cookies can be used to gather information about your device for a maximum of (a) two years in the case of Google Analytics and (b) 3 months in the case of Facebook, since the last time you used the app. If you use the app again without such period, the expiry date is then prolonged for another two years or three months, respectively.

3.    Types of personal data processed
3.1    We process personal data about you when this is necessary and in accordance with the applicable legislation. Depending on the specific circumstances, we pro-cess the processed personal data include the following types of personal data:

 

(i)    Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mo-bile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children

(ii)    Authentication data (for example username, password or PIN code, security question, audit trail)

(iii)    Contact information (for example addresses, email, phone numbers, social media identifiers, emergency contact details)

(iv)    Pseudonymous identifiers

(v)    Commercial Information (for example history of purchases, special offers, subscription information, payment history)

(vi)    Location data (for example, Cell ID, IP address, geo-location network data, location by start call/end of the call. Location data derived from use of Wi-Fi access points)

(vii)    Photos, video and audio

(viii)    Internet activity (for example browsing history, search history, reading, tele-vision viewing, radio listening activities)

(ix)    Device identification (for example IMEI-number, SIM card number, MAC ad-dress)

 

4.     Purposes for processing the personal data
4.1    We only process personal data for legitimate purposes in accordance with the GDPR. Depending on the circumstances, the personal data is processed only (a) to provide the app, and (b) for our own and our data processor’s legitimate busi-ness operations, each as detailed and limited below.

Processing to provide the app
For the purposes of the Policy, “to provide” the app consists of:

•    Delivering the app, including providing personalized user experi-ence
•    Troubleshooting (preventing, detecting, and repairing problems)
•    Ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available
•    Ongoing improvements (installing the latest updates and making improvements to user productivity, reliability, efficacy, and security), including anonymizing personal data and using the anonymized da-ta to create statistics and other types of insights into the use of the app in order for us and our data processors to improve our/their services and products

Processing for legitimate business operations
For the purposes of the Policy, our and the data processor’s “legitimate business purposes” consist of the following, each as incident to delivery of the app: (1) billing and account management; (2) compensation (e.g. calcu-lating employee commissions and partner incentives); (3) internal reporting and modelling (e.g. forecasting, revenue, capacity planning, product strate-gy); (4) combatting fraud, cybercrime, or cyber-attacks that may affect the data processor or the data processor’s services and products; (5) improving the core functionality of accessibility, privacy or efficiency; and (6) financial reporting and compliance with legal obligations.

 

5.        Legal basis for processing personal data 
5.1    We only process your personal data when we have a legal basis to do so in ac-cordance with the GDPR. Depending on the specific circumstances, the pro-cessing of personal data is done on the following legal basis:  

(i)    When asking for your consent for the processing of personal data, the legal basis for such processing is a consent in accordance with article 6(1)(a) of the GDPR. Consent can always be withdrawn by contacting us via the con-tact details provided at the end of the Policy without affecting the lawful-ness of processing based on consent before the withdrawal, and, if the consent is withdrawn, the personal data processed on the basis of consent is deleted, unless it can or must be processed, for example to comply with legal obligations. 

(ii)    The processing may be necessary for the performance of the contract con-cluded with you or to take steps at your request prior into entering a con-tract, cf. article 6(1)(b) of the GDPR. 

(iii)    The processing may be necessary for compliance with legal obligations, cf. article 6(1)(c) of the GDPR. 

(iv)    The processing may be necessary for the purposes of the legitimate inter-ests  as specified in section 4.1, which is pursued by us, our data processor or other third parties, except where such interests are overridden by your in-terests or fundamental rights and freedoms which require protection of per-sonal data, cf. article 6(1)(f) of the GDPR. 

5.2    We may process your personal data for one or more of the following purposes, if and only to the extent that you have consented hereto: (1) GPS tracking; (2) dis-closure of personal data to third-parties in order for the third-parties to use the personal data for marketing activities on their own behalf; (3) integration of per-sonal data collected from different sources; (4) analysis of individual user or users’ personal preferences and/or behavior with the purpose of using such analysis for marketing, sales or similar commercial activities; and (5) direct marketing, including by emails.

 

6.    Disclosure and transfer of personal data
6.1    We only pass on personal data to others when the law allows it or requires it, in-cluding transfer of personal data to the following types of recipients from the EU/EEA: (1) Tax authorities (for example in connection with accounting); (2) banks (for example in connection with payments; (3) data processors; (4) suppliers; and (5) other data controllers, including group companies.

6.2    From time to time we use external companies as suppliers to deliver assist us in delivering our services. The external suppliers will not receive or process personal data unless the applicable law allows for such transfer and processing. Where the external parties are data processors, the processing is always performed on the basis of a data processing agreement in accordance with the requirements hereto under the GDPR. Where the external parties are data controllers, the processing of personal data will be performed on the legal basis specified in their data privacy policy, which the external parties are obligated to inform about unless the appli-cable legislation allows otherwise.

6.3    We transfer personal data to countries or international organizations outside the EU/EEA as specified in the following: 

(i)    Personal data is transferred to the USA. Such transfers are based on the recipients’ self-certifications under the “EU-U.S. Privacy Shield” for the recip-ients that are self-certified under the framework. For the recipients that are not self-certified the transfer is based on the standard contractual clauses of the European Commission. 

(ii)    Personal data may be transferred to Argentina, Canada, Israel, Japan and/or Switzerland. The basis for such transfers is adequacy decisions by the European Commission deeming the general provision of adequate data protection through legislation or through other measures in such countries.

 

(iii)    Personal data may also be transferred to countries where Google and Fa-cebook or any of their sub-processors maintain facilities as specified in the applicable terms (currently for Google https://www.google.com/about/datacenters/locations/index.html and https://privacy.google.com/businesses/subprocessors/ and for Facebook https://www.facebook.com/about/privacy/). Currently this includes the follow-ing countries in addition to those specified in section (i) and (ii) above: Aus-tralia, Brazil, Chile, Columbia, Philippines, United Arab Emirates, India, Ken-ya, Malaysia, Mexico, Peru, Singapore, United Kingdom, South Africa, Tai-wan and Turkey. Such transfers are based on the standard contractual clauses about data protection made or approved by the EU Commission and possibly approved by a national supervisory authority, ensuring a suffi-cient level of protection. 

6.4    If you have any questions about our use of data processors, cooperation with other data controllers, including subsidiary companies, or transfers of personal da-ta to third countries, please contact us for more information or documentation of our legal basis for said transfers.

 

7.    Erasure and retention of personal data
7.1    We ensure that the personal data is deleted when it is no longer relevant for the processing purposes as described above. We also retain personal data to the ex-tent that it is an obligation from applicable law, as is the case with for example ac-counting and bookkeeping materials and records. If you have any questions about our retention of personal data, please contact us via the contact details provided at the end of the Policy.

8.    Data subject rights
8.1    You have several rights that we can assist with. Such rights include: 

(i)    The right of access: You have the right to ask for copies of the information that we process about you, including relevant additional information. 

(ii)    The right to rectification: You have the right to ask for rectification of your personal data if it is inaccurate. 

(iii)    The right to erasure: In certain situations, you have the right to obtain the erasure of your personal data before the time when erasure would normally occur. 

(iv)    The right to restrict processing: In certain situations, you have the right to have the processing your personal data restricted. When you have such a right, your personal data shall, with the exception of storage, only be pro-cessed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest in the European Union or of a European member state. 

(v)    The right to object: In certain situations, you have the right to object to the legal processing your personal data. Objection can also be to the pro-cessing of personal data for the purpose of direct marketing. 

(vi)    The right to data portability: In certain situations, you have the right to re-ceive your personal data in a structured, commonly used and machine readable format and the right to transmit those data to another data con-troller without hindrance from the data controller to which the personal data has been provided. 

8.2    More information about data subject rights can be found in the guidelines of the national data protection authorities. In Denmark, such guidelines are available at www.datatilsynet.dk. If you want to make use of any of the rights listed above, we ask that you contact us via the contact details provided at the end of the Policy.

 

8.3    We strive to do everything that we can to accommodate your wishes regarding our processing of your personal data, including your rights as a data subject. If you or others despite our endeavors want to file a complaint, this can be done by con-tacting the national data protection authorities. In Denmark, this can be done via the website listed in section 8.2. 

9.    Changes to this Policy
9.1    We reserve the right to update and amend this Policy. If we do, we correct the date and the version at the bottom of this Policy. In case of significant changes, we will provide notification in the form of a visible notice, for example on our web-site or by direct message.

 

10.    Contact
10.1    If you have any questions or comments or if you would like to invoke one or more data subject rights, please contact us at support@myloyal.dk.