Referral Program Terms and Conditions

Introduction

By participating in the Vitals Referral Program, you agree to be bound by these terms and conditions (the "Referral Agreement" or, for its purpose, the "Agreement"), which becomes a part of the Vitals Merchant Agreement. The Agreement is between you, the Partner (as defined below), and APPSOLVE SRL, a company headquartered in Bogdan Voda 14, Bucharest 010936, Romania ([email protected]), registered with Bucharest Trade Registry under no. J40/16347/2017, having sole identification code RO38260784, herein called “Appsolve” or “Vitals”. Each of the Partner and Appsolve is a "Party", and together they are the "Parties".

This Agreement governs your activities as a Partner, including participation in the activities described on the Vitals Referral Program dashboard available here (you need to be logged into Shopify and Vitals to access this link). Be sure to occasionally check back for updates.

Definitions

1. "Partner" refers to a person or entity participating in the Referral Program.
2. "Referral Partner" refers to a Partner who refers a new subscriber to Vitals through the Referral Program.
3. "Customer" refers to a person or entity who subscribes to Vitals as a result of a referral from a Referral Partner.
4. “Referral Link” refers to a personalised link provided by Vitals to Referral Partners, that allows us to track which Customers were referred by which Referral Partners.
5. “Eligible Store” means a store created by a Shopify Merchant that haven’t installed Vitals prior to clicking on a Referral Link received from a Referral Partner. Stores that had already installed Vitals, even if Vitals is not installed at the time a merchant clicks on a referral link, do not qualify as an Eligible Store.

Earning Credits

Referral Partners may refer Customers through a Referral Link. The Referral Partner and Customer may qualify to earn Referral Credits if (the “Qualifying Conditions”):

• The Customer uses the Referral Partner’s Referral Link to subscribe to Vitals, and pays a minimum of one full-priced month of such subscription; and

• The Referral Partner is active on the Vitals platform at the time the Customer subscribes.

If the Qualifying Conditions are met, both the Referral Partner and the Customer will receive a Referral Credit of $15 (the “Referral Credit”).

Referral Credits

Referral Credits will be applied to the Referral Partner’s and Customer’s Vitals subscription fees. The Referral Credit is non-transferrable, non-refundable, and cannot be exchanged for any other form of credit.

Credit Redemption

Referral Credits will be automatically applied towards future Vitals subscription fees. Referral Credits will be applied before any other discounts, promotions, or additional credits. Referral Credits can only be redeemed through the Vitals platform.

Tracking Referrals

Vitals will provide Referral Partners with access to the Vitals Referral Program dashboard, which allows Referral Partners to monitor the status of their referred Customers and the amount of Referral Credits they have earned. The Referral Partner acknowledges and agrees that Vitals’s tracking and determination of the referred Customers and Referral Credits is final and binding.

Changes to the Referral Program

Vitals reserves the right to change, modify, or amend any part of the Referral Program, including these Referral Program Terms, at any time and in its sole discretion. Any changes or modifications will be effective immediately upon posting the revisions to the Referral Program, and the Referral Partner waives any right they may have to receive specific notice of such changes or modifications. The Referral Partner’s continued participation in the Referral Program will confirm their acceptance of such changes or modifications; therefore, the Referral Partner should review the Referral Program Terms and applicable policies frequently to understand the terms and conditions that apply. If the Referral Partner does not agree to the amended Referral Program Terms, they must stop participating in the Referral Program.

Termination or Suspension of the Referral Program

Vitals reserves the right to suspend or terminate the Referral Program or any Referral Partner’s ability to participate in the Referral Program at any time for any reason. We reserve the right to suspend accounts or remove Referral Credits if we notice any activity that we believe is abusive or fraudulent. We reserve the right to review and investigate all referral activities and to suspend accounts or modify referrals as deemed fair and appropriate.

Updates to the Terms

We can update these terms at any time without prior notice. If we modify these terms, we will post the modification on the vitals.co website, which are effective upon posting. Continued participation in the Referral Program after any modification shall constitute consent to such modification.

Contact Us

If you have any questions about these Terms, please email us at [email protected]

Merchant Agreement - General Terms

After signing up with Shopify as a Shopify User-merchant, if you create an account with APPSOLVE to use some of our Services and/or by using any Vitals Services (as defined below), you are agreeing to be bound by this Merchant Agreement consisting of this General Terms and the following terms and conditions applicable to the legal relationship between Appsolve and Shopify Merchants:

• Terms of Service (Terms of use regarding Vitals services)
• Privacy Policy (Data Privacy Notice)
• Data Processing Agreement (between Appsolve and Shopify Merchants)

As made available by Appsolve on its site vitals.co and updated from time to time, forming part of the Merchant Agreement and incorporated herein by reference.

As used in the Merchant Agreement, “we”, “us”, “our”, “Appsolve” and “Vitals” means APPSOLVE SRL, a company headquartered in Bogdan Voda 14, Bucharest 010936, Romania ([email protected]), registered with Bucharest Trade Registry under no. J40/16347/2017, having sole identification code RO38260784, and “you” or “Merchant” means the Merchant under the Shopify Terms of Service, namely the Shopify User (if registering for or using a Shopify Service as an individual), or the business employing the Shopify User (if registering for or using a Shopify Service as a business) and any of its affiliates.

You must read, agree with and accept all the terms and conditions contained or expressly referenced in this Merchant Agreement, before you use any Vitals Service.

This Agreement takes effect (the “Effective Date“) when you create an account and/or CLICK ON THE “INSTALL” BUTTON in order to use any of the Vitals Services. APPSOLVE and Merchant are sometimes referred to individually as a “Party” and collectively as the “Parties.”

BY CLICKING ON THE “INSTALL” BUTTON WHEN YOU CREATE A MERCHANT ACCOUNT, AND/OR USING THE VITALS SERVICES, YOU REPRESENT THAT (1) YOU HAVE READ, UNDERSTAND, AND AGREE TO BE BOUND BY THE TERMS OF THIS MERCHANT AGREEMENT, AND (2) YOU HAVE THE AUTHORITY TO ENTER INTO THIS AGREEMENT ON BEHALF OF THE ENTITY YOU REPRESENT AND THAT IS USING VITALS SERVICES, AND TO BIND THAT ENTITY TO THIS AGREEMENT. IF YOU DO NOT ACCEPT OR UNDERSTAND THIS AGREEMENT, YOU MAY NOT REGISTER FOR OR USE VITALS SERVICES.

Also, by using Vitals Services on Shopify, you agree, declare and undertake that you fulfil and are bound by all Shopify terms and conditions, including Shopify’s Acceptable Use Policy (“AUP”) and Privacy Policy, and, if applicable, the Supplementary Terms of Service for E.U. Merchants ("EU Terms"), the Shopify API License and Terms of Use (“API Terms”) and the Shopify Data Processing Addendum (“DPA”). The terms with caps in this Merchant Agreement not defined herein will have the meaning defined in Shopify applicable terms and conditions.

Without affecting any of the provisions of these General Terms, the Terms of Service, Privacy Policy, Cookie Policy and/or the Data Processing Agreement between Appsolve and Shopify Merchants, Parties understand the following:

1. Eligibility criteria that the Merchant must meet prior to the Merchant’s acceptance to use the Application

In order to use the Services, You need to have created an account with Shopify and an online store. You must duly represent a legal entity or act within the scope of a legally organized economic activity and be 18 years or older to use our Services.

2. VITALS Services

The products and services under this Merchant Agreement (Services) may cover any of the products and/or services made available by Vitals on Shopify, for example:

• Recent Sales Notifications
• Pre-Orders
• Backup & Multiple Facebook Pixels
• Volume Discounts
• Instant Search
• Shipping Information
• Spin-the-Wheel Gamified Pop-Up
• Sticky Add to Cart
• Email Collection Bar
• Free Shipping Bar
• Related Products
• Countdown Timer Bar
• Currency Converter
• Product Bundles
• Countdown Timer & Stock Scarcity
• Description Tabs
• All-in-One Chat
• any other products and/or services made available by Vitals on Shopify

3. Warranties and Limitation of Liability special terms

Without affecting the provisions regarding Warranties and Limitation of Liability from the Terms of Service, Parties agree and understand that: i) Merchants cannot hold Shopify responsible for the Application and the responsibility related to the Application and its use is governed by the Terms of Service, ii) Shopify is not liable for any fault in the Application or any harm that may result from its installation and use, iii) except where expressly stated by Shopify, Shopify cannot provide assistance with the installation and use of the Application and iv) Appsolve’s responsibility for any liability which may arise from a Merchant’s access to or use of the Application including a) the development, use, marketing or distribution of or access to the Application or b) Appsolve’s access, use, distribution or storage of Merchant Data, shall be claimed according to and within the limits provided by the Terms of Service.

The Merchant is the sole responsible for the content of its store, the use of cookies in relation to its store, and the processing of personal data belonging to its customers including by using Vitals Services.

4. Remedies in the event of non-payment by Merchant for Vitals Services

Vitals may suspend the Service or terminate the Agreement without notice, without court intervention or any other additional diligence, in the case of non-payment.

Remedies in the event of non-payment by Merchant for Vitals Services also include the withholding of the transfer of ownership of the Development Store or Merchant Store to the Merchant will be enforced by Shopify at its sole discretion

5. Charges associated with the Merchant’s use of the Services

Details regarding billing and charges associated with the Merchant’s use of the Services may be found at:

• https://help.shopify.com/en/manual/your-account/manage-billing/your-invoice/apps
• https://help.vitals.co/category/141-billing-charging

6. Final provisions

No agency, partnership, joint venture, or employment is created as a result of this Agreement and Merchant does not have any authority of any kind to bind Appsolve in any respect whatsoever.

All notices under this Agreement will be in writing, usually by the Merchant Portal or by email to the email addresses mentioned in the Merchant Account and the Merchant Agreement.

All sections of this Agreement which by their nature should survive termination will survive termination, including, without limitation, accrued rights to payment, confidentiality obligations, warranty disclaimers, and limitations of liability.

Appsolve may change these General Terms as well as the Terms of Service, Privacy Policy, Cookie Policy and/or the Data Processing Agreement, at any time and Merchant may access the relevant link in the Appsolve site vitals.co to the then current version. Using the Services after the changes become effective means Merchant agrees to the updated terms and conditions of the Merchant Agreement. If Merchant does not agree to the new terms, it must stop using the Services before changes come into effect.

If you have any questions about the Merchant Agreement, please email us at [email protected].

Updated on January 23, 2023

‍

Data processing agreement

This DPA is deemed incorporated into any agreement that has as scope the services provided by APPSOLVE, a company representing a Shopify partner (hereinafter called the "Company") and the Company is acting as a data processor. By contracting our services, the client agrees to be legally bound by this DPA.

whereas

1. The Company is a Shopify Partner and the Shopify Merchant using Vitals Services is hereinafter called the Client.
2. According to the terms and conditions of the Merchant Agreement (Main Agreement), the Client agrees to buy and the Company agrees to provide access to its own Shopify apps (Services). For the purpose of providing the Services to the Client, the Company may have access to information and personal data ("Client Data")
3. The Client authorizes the Company to purchase or use related services through search engines, social networks, technology providers, publisher websites or automated or similar exchange platforms, cloud providers, including those operated by companies such as Amazon, Google, Facebook or others (collectively or separately referred to as the "Platforms"), these platforms may process the Client's data and / or the Client may be subject to certain obligations in accordance with the standard terms and conditions of the platforms (collectively, the "Platform Agreements" ).

Definitions

Applicable Law

means, as applicable and binding for the Client, the Company, and/or Services:

(a) any law, statute, regulation, or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided or in connection with;

(b) the common law and laws of equity applicable to the parties from time to time;

(c) any binding court order, judgment, decree; or

(d) any applicable regulation, policy, rule, or order that is binding on a Party and that is issued or given by a regulatory body that has jurisdiction over a Party or any assets, resources, or business of that Party;

Client data

means personal data received from or processed in any way on behalf of the Client, directly or indirectly, by the Company or a sub-Processor, in connection with or as part of the provision of the Services under the Main Agreement;

Data path

means the description of the intention (purpose) of the use, processing, and transfer paths of the Client Data during the provision of Services according to the Company's directions

Personal data protection laws

means as applicable and binding for the Client, Company, and/or Services:

(a) in the member states of the European Union: GDPR and all relevant laws or regulations of the member states that implement or correspond to one of them;

(b) any provisions on data protection in the Applicable Law; or

(c) any applicable law of any country that may apply to the provision of the Services which are sent in writing by the Client to the Company in advance

Losses in relation to personal data processing

refers to all liabilities:

(a) costs (including legal costs), claims, actions, settlements, interest, taxes, proceedings, expenses, losses, and damages (in relation to physical damages); and

(b) to the extent permitted by applicable law:

 (i) administrative fines, penalties, sanctions, debts, or other remedies imposed by a supervisory authority;

 (ii) compensation that is ordered by a supervisory authority to be paid to a data subject; and

 (iii) the reasonable costs of complying with investigations by a supervisory authority;

but excluding: any current or anticipated loss of income or profits; loss of contracts; loss of customers or reputation; moral damage; any direct or indirect loss or damage, regardless of its origin and whether caused by tort (including negligence), breach of contract or otherwise, regardless of whether such loss or damage is foreseeable, foreseen or known;

Data subject request

means a request made by a data subject to exercise any rights belonging to the data subject in accordance with personal data protection laws;

GDPR

refers to the general data protection regulation (EU) 2016/679;

Data breach

relates to any breach of data security resulting in the destruction, loss, alteration, unauthorized disclosure, or access of any Client Data or any other unlawful processing of Client Data;

Confidentiality statements

means the information and consents obtained in a legally correct manner, from the data subjects, regarding the processing of their personal data by the parties and by any Processor, sub-processor, or Controller for the provision of the Services, including in accordance with any data path;

Processing instructions

has the meaning given in clause 2.1.1

Sub-processor

means another processor contracted by the Company to carry out the processing activities of the Client data on behalf of the Client

Supervisory authority

means any local, national, or multinational public authority, regulatory or supervisory authority, or other body responsible for approving and managing data protection laws

Third-party

means any third party involved in the processing of Client Data in connection with the Services which does not include the Client and the Company

Personal Data, Controller, Processor, Data Subject, Processing

have the meaning given to such terms in Personal data protection laws

1. Data Controller and Data Processor

1.1 The parties agree that, for the Client's data, the Client will be the Data Controller and the Company will be the Data Processor, including situations where the Client's data originates from a third party, like a Platform operator and that platform will act as joint controller with the Client with respect to such Client Data. In all cases, the status of the parties will be interpreted in accordance with the Personal data protection laws, but it is acknowledged and agreed that, if processing the Client's data under this Processing   Agreement, the Company will always act as a Data Processor.

1.2 The Company will process the Client's data in accordance with:

  1.2.1 the obligations of the Data Processor under Personal data protection laws regarding the fulfillment of their obligations under this processing agreement; and

  1.2.2 the terms of this Data Processing Agreement

1.3 The Client must comply with:

  1.3.1 all Personal data protection laws in relation to the processing of Client Data, the Services, and the exercise and enforcement of Client rights and obligations under this Data Processing Agreement and any platform agreements, including (without limitation) the retention of all records and notices of relevant regulation according to Personal data protection laws; and;

  1.3.2 the terms of this Data Processing Agreement and any applicable Platform Agreements

1.4 The Client warrants and undertakes that:

  1.4.1 all Client data must comply with Personal data protection laws in all respects, including their collection, storage, and processing (this also means that the Client will provide all correct information necessary for fair processing including obtaining consent necessary, from the Data Subjects), with Personal data protection laws;

  1.4.2 all Client data may be lawfully processed by the Company and any third party used to provide the Services and in accordance with any Data path

  1.4.3 in respect of all Client Data:

     (a) where the Client Data is provided directly by the Client, the Client shall implement and present appropriate mechanisms:

        (i) to ensure that notifications and confidentiality statements are provided and that they are obtained from the data subjects;

        (ii) through which the data subjects can request the modification of their personal data or can request the renunciation of the processing of their personal data;

        (iii) to exclude from its own database, the data of the data subjects who opted for the Client's refusal to process their data, in accordance with point 1.4.3 (a)ii;

        (iv) to ensure that the Client does not issue Processing Instructions for the data subjects who have opted for the Client's refusal to process their data, in accordance with point 1.4.3 (a) iii;

        (v) ensure that the Client Data is up-to-date and accurate and notify the Company of any changes to the Client Data; and

     (b) where the Client Data is not provided directly by the Client, the Client has ensured that the data providers have complied with the Personal Data Protection Laws and that the data provided by the Client can be used by the Company for the provision of the Services

  1.4.4 Client Data shall not include:

     (a) Personal data belonging to underaged data subjects, as defined by any applicable law;

     (b) special categories of personal data; or

     (c) location data,

  unless the legal basis for processing such data in accordance with Personal data protection laws as part of the Services was first established by the Client;

  and

  1.4.5 All instructions that the Client will give to the Company regarding personal data will always comply with the Personal data protection laws.

1.5 The Client shall not unreasonably withhold, delay or withhold consent to any change requested by the Company to ensure that the Services and the Company (and each Sub-Processor, including any Platforms) can comply with the Personal Data Protection Laws.

1.6 The Client agrees to the following:

  (a) Where, as part of the services it provides, the Company is required to:

     (i) to obtain directly from the data subjects personal data or Personal Data belonging to the Client; or

     (ii) obtain consent from any data subjects for any use, further use or use for any additional purpose,

  It is the Client's responsibility to provide all necessary forms for any notices regarding privacy statements regarding the lawful acquisition/acquisition of such Client Data for use by the Company in the delivery of the Services (including but not limited to third-party cookies, tags pixels and other relevant tags used by the Company's suppliers on the Client's websites) and verify that the privacy notices and statements used by third parties to acquire any Client Data and for the Client are satisfactory to ensure compliance with all applicable Personal data protection laws of the Client's personal data and their subsequent use by the Client, the Company or any third party; and

  (b) The Company (including any Sub-Processor) shall not be liable for any loss, delay or damage of any kind caused to the Client, by the Client's failure to fulfill its obligation to provide the Company with any notification or confidentiality statement, requested in due time.

1.7 The Client also agrees that, where as part of the Services provided to the Client, the Client directly accesses the Platforms by means of any authentication credentials, authentication information and/or any other means, technologies, or methods designed to access such Platforms ("Platform Login Credentials") provided to Client by Company, whether such access is read-only or otherwise, Client warrants and agrees that access to and use of such Platforms must comply with this Processing Agreement, the available Platform policies, and applicable law. Without limiting the foregoing, Client shall not in any way misappropriate any part of a Platform or any part thereof or may not modify, disassemble, decompile, reprogram, copy, reproduce or create derivative works from or in connection with a Platform or any part thereof, including without limitation, for the purpose of re-identifying any user.

1.8 The Client undertakes, confirms and guarantees for the following aspects:

  1.8.1 the personal data processing operations carried out by the Company and any Platforms, including any data path, are appropriate for the purposes for which the Client intends to use the Client's Data;

  1.8.2 The Company and any Platforms present sufficient guarantees, expertise and resources to perform the Services in accordance with the requirements of the Personal Data Protection Law.

1.9 It is agreed and acknowledged that the Client is aware of and fully understands the Company's processing operations described in this Data Processing Agreement and any data path.

2. Instructions and details regarding data processing

2.1 For the situations when the Company processes the Client's data on behalf of the Client, the Company:

  2.1.1 unless it is obliged to proceed differently by the applicable Law (and will take measures to ensure that each person acting under its authority will proceed in this way), it will process the Client's data only and only in compliance with the Client's instructions as set out in this clause 2 and Annex 1 (Data Processing Details).

  2.1.2 where applicable laws require it to process Client data other than in accordance with processing instructions must notify Client of any such requirement prior to processing Client data (unless applicable law prohibits this information for reasons of important public interest);

  2.1.3 informs the Client if the Company becomes aware of a Processing Instruction that, in the Company's opinion, violates Personal data protection laws, noting that:

     (a) the provisions of points 1.3 and 1.4 apply accordingly;

     (b) to the maximum extent permitted by law, the Company shall have no liability, whether arising in contract or in tort (including negligence) or otherwise, for any losses, costs, expenses or liabilities (including losses of data protection) from or in connection with any processing of personal data carried out in accordance with the Client's Processing Instructions;

  2.1.4 assumes no responsibility to determine the purposes for which and how the Client's data is processed

3. Technical and organisational measures

3.1 The Company implements and maintains, at its cost and expenses, the technical and organizational measures:

  3.1.1 regarding the processing of Client data by the Company, as provided in Annex 2 (Technical and organizational measures); and

  3.1.2 taking into account the nature of the processing, to assist the Client as much as possible in fulfilling the Client's obligations to respond to requests coming from the persons concerned, requests related to the Client's Data.

3.2 Considering the state of the art and the cost of their implementation and maintenance, the Client and the Company agree that the "Technical and Organizational Measures" provided in Annex 2 are able to ensure a level of security corresponding and adequate to the risks represented by the processing provided for in annex 1 and the nature of the data to the client and any additional technical and organizational measures, will be subject to an additional written agreement between the Client and the Company and at the cost and expense of the Client.

4. Using personnel and other sub-processors

4.1. The Company will not employ any Sub-Processor to carry out any activities regarding the processing of the Client's data without his authorization (the authorization must not be withheld, conditioned or delayed), taking into consideration that the Client hereby authorizes the appointment:

  (a) to all sub-processors identified in any data path; and

  (b) to any company acting as Sub-Processor for the purpose of delivering the Services.

With respect to this clause 4.1, the Client acknowledges and agrees that, given the specific mode of delivery of the Services, an exact list of such Sub-processors, data providers, subcontractors and website publishers used to provide the Services may be provided on the Company website/page and will be provided at the Client request.

4.2 If the Client wishes to object to the appointment of any Sub-Processor at any time, the Client shall notify the Company accordingly within 1 working day, and the Company, in the absence of such notification, may appoint that Sub-Processor. If the Parties, acting reasonably, will not agree to the appointment of the proposed Sub-processor, the Company has the right to unilaterally terminate or terminate the Main Agreement with immediate effect, insofar as it relates to the services that require the use of the proposed sub-processor.

4.3. The Company appoints sub-processors in principle under agreements containing the same obligations as clauses 1-11 (inclusively), except for the situations acknowledged and agreed by the Client that some operators, agents or sub-agents appointed to provide the Services, including, most of the Platforms and certain multinational service providers will provide their services on non-negotiable terms (collectively called "Providers"), these terms being established, in the agreements published on the Platforms or in the general terms and conditions of data processing, ("Provider Terms" ). In such circumstances:

  4.3.1 The Company will notify the Client of such providers;

  4.3.2 in the absence of any objections from the Client, the Providers can be used to provide their Services;

  4.3.3. Subject to the provisions of paragraph 4.3.2, the Providers and Provider Terms shall be deemed to be selected, approved, and authorized by the Client, and the Client is responsible, as the Data Controller, to determine and be aware of the Provider Terms at all times; and

  4.3.4. The Company will make reasonable efforts to assist the Client in understanding the Providers Terms

4.4 Without prejudice to clause 10.2, if the Services are provided in accordance with the Providers Terms, the Company will not be liable for any loss or damage generated by the processing of personal data, resulting from the actions, omissions or violations direct or indirect of such a provider and that exceed any limit of liability assumed by the Terms and conditions of the respective provider.

4.5 The Client acknowledges and agrees that these providers may appoint processors and Sub-processor in the delivery of the Services in accordance with the Providers Terms without notice and under obligations substantially different from those set forth in this Agreement and the Company shall have no obligations to the Client in respect to the processors and Sub-processors appointed by these providers.

4.6 The Company ensures that all Company personnel authorized to process the Client's data are subject to a contractual obligation with the Company to maintain the confidentiality of the Client's data (unless disclosure is required under applicable law, in which case the Company, if possible and not (is prohibited by applicable law, shall notify the Client of any such requirement, prior to such disclosure).

5. Assistance with regard to the support given in order for the Client to comply with the obligations imposed by the relevant legislation, including with regard to the rights of the data subjects

5.1 The Company sends the Client all the requests it receives from the data subjects within three working days of receiving  the request.

5.2 The Company will provide the Client with the assistance that the Client reasonably requests (taking into account the  nature of the processing and the information available to the Company) to ensure compliance with the Client'sobligations under the Personal data protection laws regarding:

  5.2.1 Data processing security;

  5.2.2 data protection impact assessments (as defined in the Data Protection Act);

  5.2.3 prior consultation with a supervisory authority regarding high-risk processing; and

  5.2.4 notifications addressed to the Supervisory Authority and / or communications to the data subjects by the Client,

in response to any data breach, provided that the Company has the right to charge appropriate remuneration for such assistance in the event that such involvement would materially exceed what may reasonably be considered by the Company to be part of the services provided by the Company as a professional under the Main Agreement.

6. International data transfers

6.1 The Client agrees that the Company may transfer Client data to countries outside the European Economic Area (EEA) or any international organization (an International Recipient), provided that all Transfers by the Company of Client Data to an International Recipient) (in extent required by Personal data protection laws) to be carried out through appropriate security measures and in accordance with Personal data protection laws. The provisions of this Processing Agreement constitute the Client's instructions regarding transfers in accordance with clause 2.1.

7. Records, information and auditing

7.1 The Company will keep, in accordance with Personal data protection laws binding on the Company, written records of all categories of processing activities carried out on behalf of the Client.

7.2 In accordance with the Personal data protection laws, the Company makes available to the Client the information it considers reasonably necessary to demonstrate the Company's compliance with the obligations of the data processors, in accordance with the Personal data protection laws and to allow participation in audits (once a year at the most and subject to Company’s confidentiality undertakings), by Client (or other auditor mandated by the Client) for this purpose, subject to the guarantee of the Client who undertakes:

  7.2.1 To give the Company, in advance, a notification regarding the request for information, the audit and / or the inspection requested by the Client;

  7.2.2 Ensure that all information obtained or generated by the Client or its auditors in connection with requests, inspections, and audits of such information is strictly confidential (except as disclosed by the Supervisory Authority or in accordance with applicable law);

  7.2.3 Ensuring that this audit or inspection is carried out during normal business hours, with minimal disruption to the Company's business, the Sub-processors’ business, and other Company's clients; and

  7.2.4 Pay the Company's reasonable costs of assisting in the provision of information and in permitting and contributing to inspections and audits.

8. Notifications in case of data breaches

8.1 With regard to any security breach regarding the processing of the Client's personal data, the Company will

intervene, without delay:

  8.1.1 to notify the Client about data breaches regarding the processing of personal data; and

  8.1.2 to provide the Client with details regarding the security data breach regarding the processing of personal data.

9. Deletion or returning Client Data and copies

9.1 The Company:

  9.1.1 upon the Client's written request, return all originals or provide the Client with a copy of all Client data in the form the Client requests;

  9.1.2 will delete all copies of the Client Data (unless applicable law requires the storage of any data, and if so the Company will inform the Client of any such requirements) except that the Company will not be obliged to delete the copies kept in backup systems used exclusively for disaster recovery systems, given the onerous nature of such deletion  exercises, within a reasonable time, at the earliest:

     9.1.2.1 after the provision of the relevant services related to the processing has ended; or

     9.1.2.2 once the Company's processing of any Client data is no longer necessary for the Company's fulfillment of its relevant obligations under this data processing agreement and / or Main Agreement and/ or applicale laws.

10. Liability, Indemnities and Claims

10.1. The Company shall be liable and indemnify the Client for losses arising from the breach of the provisions regarding the processing of Client Data (however caused, regardless of contract, tort (including negligence) or otherwise) under or in connection with this Data Processing Agreement:

  10.1.1. only to the extent that any loss is caused by the processing of Client data under this Processing Agreement and directly results from the Company's breach of clauses 1-11 (inclusive); and

  10.1.2. in no event to the extent that any losses arising from the breach of the Data processing provisions (or the circumstances giving rise to them) are caused by any breach of this Agreement by the Client (including in accordance with clause 2.1.3(b)).

10.2. The Company makes no statements or guarantees regarding its suppliers, providers or regarding the Personal Data processing activities by the suppliers and will not compensate the Client for any data processing activities carried out by the suppliers.

10.3. The Client shall be liable and shall indemnify the Company in respect of all losses arising from the breach of the provisions regarding the processing of personal data suffered by the Company and any Sub-processor in connection with the following:

  10.3.1. Non-compliance by the Client with the Personal data protection laws of this Contract or the Terms and Conditions of the Providers;

  10.3.2. processing carried out by the Company or a Sub-processor in accordance with any Processing Instruction in breach of any Personal data protection laws; or

  10.3.3. violation of any Personal data protection laws or any contractual obligation by an Operator, Authorized or Sub-authorized third parties, approved by the Client for the delivery of services.

  10.3.4. breach by the Client of any of its obligations in accordance with clauses 1-11 (inclusive), except where the Company is liable under clause 10.1.

10.4. If a party receives a claim for indemnification from an individual relating to the processing of Client Data, it will promptly provide the other party with full notice and particulars of such claim. The party leading the action must:

  10.4.1. not to make any admission of liability and not to accept any settlement agreement or settlement of the such claim without the prior written consent of the other party (the answer shall not be unreasonably delayed); and

  10.4.2. to consult fully with the other party in connection with any such action, but the terms of any settlement or settlement of the claim shall be solely the decision of the party responsible for paying and supporting the compensation

10.5. The parties agree that the Client shall not be entitled to claim from the Company any part of any compensation paid by the Client in relation to such damages to the extent that the Client is obliged to indemnify the Company by clause 10.2.

10.6. This clause 10 envisages the sharing of responsibility for the losses generated by non-compliance with the provisions relating to data processing between the parties, including with regard to the compensation of the data subjects, without prejudice to the provisions of the Personal data protection laws, except:

  10.6.1. the situation in which it is not permitted by the applicable legislation (including Personal data protection laws)

and

  10.6.2. the fact that it does not impact the liability of either party in front of the data subject

11. Survival of Personal Data Protection Provisions

11.1. Clauses 1-11 (inclusive) shall survive termination (for any reason) or expiration of this Data Processing

Agreement and shall continue:

  11.1.1. indefinitely in the case of clauses 9-11 (inclusive); and

  11.1.2. up to 12 months from the date before termination or expiry of this Data Processing Agreement in the case of clauses 1-8 (inclusive), provided that any termination or expiration of clauses 1-8 (inclusive) shall not affect either party's rights and remedies under such clauses at the time of termination or expiration.

11.2. In the event of a conflict between the terms of this Data Processing Agreement and the Main Agreement or any other agreement governing the relationship between the parties, the terms of this Data Processing Agreement shall prevail.

12. Term and Termination of Services

12.1. This Data Processing Agreement expires at the latest on:

  12.1.1. Termination or expiration of the Main Agreement or

  12.1.2. Cessation of any processing of Client data by the Company on behalf of the Client in accordance with the provision of the Services.

12.2. The Client and the Company have the right to suspend and/or terminate this Data Processing Agreement at any time by giving three months' notice to the other party.

13. Applicable Law

13.1. This Data Processing Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the choice of law specified in the Main Agreement.

13.2. The parties irrevocably agree that the courts specified in the Main Agreement shall have exclusive jurisdiction to resolve any dispute or claim arising out of or in connection with this Data Processing Agreement or its subject matter or form (including non-contractual disputes or claims).

‍

ANNEX 1. INSTRUCTIONS FOR DATA PROCESSING

Appsolve will process the Client Data as a Data Processor for the purpose of providing the Services in accordance with these documented instructions from the Client:

As the Client decides how the personal information of its customers will be used, the Client shall make sure its customers understand how the Client (and we on the Client's behalf) collect and process their personal information, by, at a minimum, posting a privacy policy on Client store that describes the information merchants collect, how it is used and who is shared with, including without limitation details regarding cookies.

Client's written requests should be sent to us through Shopify tools like the Privacy Portal. In the specific case of Shopify end customers' data, GDPR compliance is honored as enabled by virtue of the implementation of Shopify's data protection mechanisms.

‍

ANNEX 2. TECHNICAL AND ORGANISATIONAL MEASURES

Information security policy

The Company will put in place a fully documented and internally approved information security policy based on best practices and international security standards (eg. ISO 27001, NIST, etc.), indicating management direction and support for information security.

This information security policy will be reviewed and updated on a yearly basis.

Security of Personnel

Contractual agreements with employees and contractors will include their responsibilities for information security.

All employees, contractors, and third-party users are asked to agree to terms and conditions reflecting the organization's policies for information security (e.g. confidentiality or non-disclosure agreements).

Management behavior and policies drive, require, and encourage all employees, contractors, and 3rd party users to apply security in accordance with established policies and procedures.

All employees, contractors, and 3rd party users undergo regular security awareness training appropriate to their role and function within the organization.

A process is in place to ensure all employees and external users return the organization's assets on termination of their employment, contract, or agreement.

Access Controls

The Company will ensure that only identified, authenticated and authorized users gain access to information, operational applications, Services, and information systems. Obsolete access rights are removed in the timeliest manner possible, in order to prevent unauthorized access and potential misuse.

The Company will apply the 'least privileges' and 'need-to-know' principles and ensure where appropriate segregation of duties.

All user accounts will use 2-factor authentication (if supported by the platform).

Infrastructure access will be provided only to specialized employees and restricted to read-only access granted via VPN connections and 2-factor authentication.

All exceptions (including service accounts or functional accounts) must be risk assessed, justified, and periodically reviewed.

Specific computerized authentication systems based on strong authentication techniques (jointly use at least two different authentication techniques) are implemented for Applications processing Traffic and Judicial Data. This must be applied to all personnel, including the technical staff (application manager, system administrators, network administrators, and database managers) irrespective of the specific access mode (local/remote) to the processing system in question.

The Access Control Policy is based on need-to-know, role-based access and segregation of duties principles.

An Appointed Responsible Manager formally approves access to Information Systems, including checks to verify identity, segregation of duties, and/or checks to verify sensitive access requirements have been addressed before granting access.

All user access-related requests will be logged for all merchant operations, assessed, approved, and implemented in accordance with defined user access management processes. The allocation and use of privileged access rights will be controlled and restricted to the minimum.

Asset owners will review users' access rights at regular intervals. The access rights of all employees and external party users to information and information processing facilities will be removed upon termination of their employment, contract, or agreement, or adjusted upon role change.

Operational security

Data will be backed up on a regular basis, protected from unauthorized access or modification during storage, and available to be recovered in a timely manner in the event of an incident or disaster.

All data at rest shall be protected by appropriate security mechanisms, including cryptographic and access controls (as appropriate).

Information about technical vulnerabilities of information systems will be obtained in a timely fashion, exposure to such vulnerabilities is evaluated on a daily basis and appropriate measures are taken to mitigate the associated risk.

Where the Services infrastructure is managed and/or hosted by Company, subject to the Agreement between the Client and Company:

• proper segregation of duties will be ensured to mitigate the risk of fraud. Regular review of the application of the segregation of duty controls will be applied.
• logs will be completed by Company for all systems accessing or storing the Client assets to include all alerts, maintenance, and intervention activity, such as:
• User actions on Services infrastructure
• Administrator and operator activities
• Faults
• Changes to security and system configuration parameters
• Changes to application software
• Use of privileged functions

Proper protection and availability of the logs will be ensured. Logs should be kept for a period of at least twelve (12) months or longer if legally required

The development, test, and operational environment will be separated

Any data provided by the Client will be securely deleted after its agreed period of use or at any first written request of the Client

The Company will implement proper procedures to anticipate capacity needs, back up all information, and protect the Services infrastructure against malicious code will be ensured.

Communication security

The Company will implement secure and reliable networks for accurate and prompt data transmission, to avoid communication disruptions, and to guarantee confidentiality and integrity as these could have a material adverse impact on the Client's business and reputation.

Network architecture will be managed and controlled to protect the information in systems and applications against emerging security threats.

Appropriate security mechanisms (cryptographic and access controls) will be established and implemented to ensure the security of data in transit through private and public networks and the protection of IT Services from unauthorized access.

System Acquisition, Development, and Maintenance

The Company will ensure that information security is addressed within information systems across the entire lifecycle to reduce risks of vulnerabilities introduced during the system acquisition, development, and maintenance.

The Company will adopt secure coding standards when developing products and services.

Information security-related requirements will be embedded in the planning stage for new information systems or enhancements to existing information systems.

The Company will protect the systems' development environments and integrates efforts that cover the entire system development lifecycle.

Security rules for the development of software and systems will be established and applied to developments within the organization. If development is outsourced, the Company will obtain assurance that the external party complies with these rules.

Acceptance testing programs and related criteria will be established for new information systems, upgrades, and new versions. Test data will be carefully selected, protected, and controlled.

The code developed by Company will be free of malicious code and commonly recognized security defects. In addition, the Company will ensure its systems are tested for vulnerabilities before and after each major release.

Security Incident Management

The Company will ensure a consistent and effective approach to the management of information security incidents, including communication with the Client.

Management responsibilities and procedures will be established to ensure a quick, effective and orderly response to information security incidents

Knowledge gained from analyzing and resolving information security incidents will be used to reduce the likelihood or impact of future incidents.

Business Continuity

The Company will develop and implement business continuity plans, disaster recovery plans, and a crisis management framework, based on international standards, to avoid an interruption of the Services exceeding an acceptable period of time, or where a specific Service Level has been defined, exceeding the relevant Service Levels.

The Company will maintain and update its plans and procedures on a regular basis (at least once a year).

The Company will define clear and understood procedures for activation, escalation, and control over its incident response.

Cloud-based services

In addition to the requirements above Company will:

• Inform the Client of the country and region that the Services are provided from and where databases are hosted and accessed from.
• Make features available, to allow tracking of access to and usage of the cloud infrastructure, including fine-grain auditing of access to data within the databases and execution of administrative procedures.

Specific control measures

The business should ensure a formal methodology that defines its approach to system development.

The business should ensure that all requests for changes, system maintenance, and provider maintenance are documented. All implemented changes are traceable.

Implementation of identification, authentication, and authorization mechanisms to access systems and applications.

The business should establish procedures to ensure timely action relating to requesting, establishing, issuing, suspending, and closing of user accounts.

In the specific case of Shopify end customers' data, GDPR compliance is honored as enabled by virtue of the implementation of Shopify's data protection mechanisms.

The business should define and implement a problem management and escalation procedures system to ensure that all operational events which are not part of the standard operation (incidents, problems, and errors) are recorded, analyzed, and resolved in a timely manner.

Physical and network security and related controls should contribute to security maintenance and availability of systems and applications.

‍

General Privacy Policy

Who we are

APPSOLVE (“Company”), having its registered headquarters at 14 Bogdan Voda Str., Bucharest 010936, Romania, processes personal data in compliance with the applicable legal regulations on the protection of natural persons with regard to the processing of personal data.

Introduction

This General Privacy Policy describes why and how we process personal data in different situations and provides you with information about your rights only when our Company acts as a personal data Controller.

We may process personal data in relation to:

• merchants using Shopify and their representatives, customers, and users
• other partners and (potential) clients
• visitors to Appsolve websites and pages or anyone contacting us

This Privacy Policy will help you better understand how we collect, use, and share personal data. If we change our privacy practices, we may update this privacy policy.

General information on processing personal data

Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.

The main data/categories of data processed by the Company

The main data/categories of data processed by the Company depend, as the case may be, on the purposes associated with the processing, and include data such as:

• identity data (such as name, surname)
• contact details (such as email address, mobile telephone number, instant messaging accounts)
• data related to you being a representative of an entity / legal person that enters/has a legal relation (such as position held, place of work, signature)
• data obtained when accessing the Company’s pages/site (such as the online identifier of the persons accessing one or more of the Company’s site or pages, identifier processed for the purposes mentioned in the Cookies Policy related to that page/site)
• data obtained when accessing the Company’s products, services, and/or online platforms; we may process the data, content, other user/mobile account information, and other information you provide when you use our products, services, and/or online platforms and/or information which is provided about you by social networking platforms and other engagement channels providers according to your settings preferences within such engagement channels (such as your username, hometown, age range, likes, other data you set in you profile to be public or to be provided to others by that channel provider).

Information from merchants

Privacy matters! If you are a merchant, your customers need to understand how you (and how APPSOLVE) collect and process their personal information. Accordingly, you agree to post an up-to-date and accurate privacy policy on your storefront that complies with the laws applicable to your business. You also agree to obtain consent from your customers for the use and access of their personal information by APPSOLVE and other third parties.

What information do we collect from merchants and why?

• We collect your name, email address, and phone number.
• We use this information to provide you with our Service; for example, to confirm your identity, contact you, provide you with advertising and marketing, and invoice you. We also use this information to make sure that we comply with legal requirements.
• We collect data about the APPSOLVE websites that you visit. We also collect data about how and when you access your account and the APPSOLVE platform, including information about the device and browser you use, your IP address, and information about how you browse through the APPSOLVE interface.
• We use this information to give you access to and improve our Services; for example, to make our platform's interface easier to use. We also use this information to personalize the Services for you. Finally, we may use this information to provide you with advertising or marketing.
• We collect personal information about your customers that are shared by you via Shopify's API. In order to deliver the Service, you provide us with access to your orders. The access is granted when you install the app and give us permission to access your orders. We use this information only to provide you with our Service.

Information from customers

• We collect our merchants' customers' ID, name, email, phone number, shipping and billing address.
• We only use this information to provide our merchants with the Service. For our merchants' customers, we process your information solely as a data processor on behalf of our merchants.
• APPSOLVE never shares your customers' information with third parties

Information from APPSOLVE website visitors and support users

What information do we collect and why?

• As you visit or browse the APPSOLVE websites, we collect information about the device and browser you use, your network connection, your IP address, and information about the cookies installed on your device. We also collect personal information submitted by you via any messaging feature available from any of our websites (“Messaging Feature”).
• We may also receive personal information when you contact us via any of our websites.
• From chat support users, we collect your name, email address, information about the device and browser you use chat transcript, and other personal information you provide us during our chat.

Information from cookies and similar tracking technologies

What is a cookie? A cookie is a small amount of data, which may include a unique identifier. Cookies are sent to your browser from a website and stored on your device. We assign a different cookie to each device that accesses our website.

Data is processed for the purposes mentioned in the Cookies Policy related to that page/site.

Sources from which we collect personal data and, if the case may be, publicly available sources

We generally collect personal data directly from you when you are in a legal relationship with our Company or you are the representative of an organization that is in legal relationship with the Company.

In other cases, we may process personal data collected from other sources such as Merchants, suppliers or partners, publicly available sources, Shopify, and other channels/platforms providers, according to your settings preferences within such channels/platforms.

Types of data processing

Our company processes personal data for the purposes stated in this Privacy Policy and for each purpose one or more data processing operations may be used such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This Privacy does not cover any processing carried out by our Company in the name of its clients.

Purposes for which personal data are processed

The Company processes personal data for multiple purposes. The methods of processing, the legal basis for processing, retention periods, and other such aspects may be different, depending on each purpose.

We may use personal data for one or more of the purposes described in this Privacy Policy. If the Company will subsequently process personal data for a purpose other than that for which you have already been informed and which is not compatible with the purposes you were informed of/for which the data were initially collected, the Company will provide information on that additional purpose and any relevant related information.

We process personal data mainly for the following purposes:

• Carrying out the activity of the Company, providing products and providing services related in particular to the main scope of work of the Company, respectively Vitals Services
• Managing our relationships with customers, suppliers, and professionals in various fields of activity, correspondence, offers, negotiations, contracts, and account management.
• Improving the activity and services of the Company in relation to our customers and partners
• We process personal data in order to fulfill our contractual obligations and commitments
• Managing the risks related to our activity, meaning that we take security measures to protect personal data, measures that involve the detection, investigation, and resolution of security threats.
• In accordance with applicable law, we use the contact details to directly or indirectly provide information that we believe is of interest to you
• In case of visiting our sites or our pages on social networks, it is possible to process some information for the purposes mentioned in the Cookies Policy  
• Compliance with legal and/or regulatory requirements, such as those of a fiscal nature or those requested by special normative acts that regulate our object of activity or, as the case may be, archiving
• Economic-financial-administrative management
• Exercising or defending our legal rights in court
• Statistics

Legal basis on which data processing is based

The legal bases of the processing take into account the provisions of the applicable normative acts regarding the processing of personal data and the provisions of the applicable legislation in the Company’s field of activity.

The processing is based on at least one of the following conditions of the legality of the processing:

• processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the Company as controller is subject;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
• the data subject has given consent to the processing of his or her personal data for one or more specific purposes, only when mandatory under the law;
• for the management of our relations with potential customers and clients or our partners, including,
• for managing the risks related to our activity
• managing the notifications/complaints in connection with our services
• to improve our products and/or services,
• to ascertain the exercise or defense of our rights in court

How long do we keep personal data

We retain the personal data we process only for as long as is necessary for the purpose for which it was collected (including in accordance with applicable law or regulations), such as:

• During the execution of the contract / legal relation for the personal data necessary for its conclusion/ for its execution,
• During the period provided by law in situations where there are normative acts applicable in this regard (e.g. in the case of mandatory accounting records and supporting documents underlying the financial records)
• During the management period of the relationship with potential clients/clients/beneficiaries of our services/partners of the Company and their representatives, respectively until the exercise of opt-out for the data used for the purpose of transmitting commercial communications containing information and offers regarding services and/or products,
• Until the withdrawal of consent for the processing of personal data based exclusively on consent
• For the archiving period mentioned by law or by the applicable policies of the Company, as the case may be, for the data contained in the documents for which the law or the Company provided for the archiving
• In any other case and/or in the absence of specific legal, regulatory or contractual requirements, our reference period for keeping personal data is at least 3 years from the date of termination of relations / last contact between the Company and the data subject

Any data may be retained by the Company, except from the foregoing provisions where applicable, until the expiry of the limitation period, in respect of situations in which the Company would have a legitimate interest in retaining certain personal data in connection with potential litigation that may arise between the parties.

In any case, except for the situations provided by the applicable legislation, we delete your data at the time you request such deletion. The applicable exceptional situations will be communicated to the data subject through the response submitted by our company in connection with the request to delete the data.

Your rights and how to exercise them

Our company is responsible for facilitating the exercise of your rights mentioned below.

Any of these rights may be exercised by sending an e-mail to us, or you can submit/send it to our headquarters address.

For the protection of your data, in order to prevent the abuse of malicious people who would follow the access to your data, if we receive a request from you regarding the exercise of the below-mentioned rights, we may ask you for additional information to verify your identity before acting on your request.

If you submit an application in electronic format for the exercise of your rights, the information will be provided by our company also in electronic format where possible.

We will try to respond promptly to any request from you and, in any case, within the time limits expressly mentioned by the applicable legal provisions (usually 30 days from the registration of the request). In certain situations, expressly provided by the applicable legislation, we may charge an access request which will take into account the administrative costs necessary to fulfill the request.

In the event that, as a result of the application of legal provisions, our company cannot comply, in whole or in part, with a request received from you as a data subject, then the applicable exceptional situations will be communicated to you by means of the reply submitted by our company in connection with the request in question.

The right to access your personal data

You have the right to access your data we process as controller, respectively to obtain from the Company a confirmation whether it processes personal data concerning you and, if so, the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or are to be disclosed, in particular recipients from third countries or international organizations;
• where possible, the period for which personal data are expected to be processed or, if this is not possible, the criteria used to establish the retention period;
• the existence of the right to request the rectification or deletion of personal data or the restriction of the processing of personal data or the right to oppose the processing;
• the right to lodge a complaint with a supervisory authority;
• if personal data are not collected from you, any available information on their source;
• the existence of an automated decision-making process including profiling, as well as, at least in those cases, relevant information on the logic used and on the importance and expected consequences of such processing for the data subject.

If you fall under the protection of GDPR and your personal data are transferred to a third country or an international organization, you have the right to be informed of the appropriate safeguards.

The right to rectification of data

You have the right to obtain from the Company, without undue delay, the rectification of inaccurate personal data concerning you. Taking into account the purposes for which the data were processed, you have the right to obtain the completion of personal data that are incomplete, including by providing an additional statement. When possible or necessary we will make corrections (as appropriate) based on updated information and inform you about this if necessary.

The right to delete data

You have the right to obtain from the Company the deletion of personal data concerning you, without undue delay, except for certain cases provided by the law, if one of the following reasons applies:

• personal data are no longer necessary for the purposes for which they were collected or processed;
• you withdraw your consent on the basis of which the processing takes place insofar as the processing is based exclusively on the consent and there is no other legal basis for the processing;
• you object to the processing carried out for the purpose of public interest or for the purpose of the legitimate interests pursued by the Company or a third party and there are no legitimate reasons to prevail over your interests / fundamental rights and freedoms regarding the processing
• personal data have been processed illegally;
• personal data must be deleted in order to comply with a legal obligation incumbent on the Company under the law governing it and/or its activity;
• other situations provided by the applicable legislation insofar as they are applicable

The right to restrict processing

You have the right to obtain a restriction on processing in the following cases:

• you contest the accuracy of the data, for a period that allows the Company to verify the accuracy of the data;
• the processing is illegal, and you object to the deletion of personal data, requesting in return the restriction of their use;
• the company no longer needs the personal data for the purpose of processing, but you request them for the ascertainment, exercise or defense of a right in court; or
• you have objected to the processing in processing for the purpose of the legitimate interests pursued by the Company or by a third party, for the period during which it is verified whether the legitimate rights of the controller prevail over those of the data subject.

The right to data portability

You have the right to receive your personal data which you have provided to the Company, in a structured, commonly used format that can be read automatically and when transmitted to another controller, without obstacles on the part of the Company, if (i) the processing is based on consent or contract and (ii) processing is carried out by automatic means.

In case of exercising the right to portability of personal data, they may be transmitted directly from the Company to another controller expressly indicated by you, where this is technically feasible.

The right to opposition

When the processing is carried out for the purpose of the legitimate interests pursued by the Company or by a third party. At any time you have the right to object, for reasons related to your particular situation, to the processing carried out for the purpose of public interest or for the purpose of the legitimate interests pursued by the Company or a third party, including the creation of profiles. In this case, the Company will no longer process your personal data, unless it demonstrates that it has legitimate and compelling reasons justifying the processing and prevailing over your interests, rights, and freedoms or that the purpose is to establish, exercise, or defend a right in court.

The right to object to processing for direct marketing purposes

When the processing has direct marketing as scope, you have the right to object at any time to the processing of personal data concerning you for this purpose, including the creation of profiles, insofar as it is related to that direct marketing. We inform you that the Company may send you offers, information, and other types of communications in the light of situations such as following your participation in an event organized by the Company as a main organizer or as a partner, the fact that you have agreed to receive commercial communications from us.

If you object to the processing for direct marketing purposes, personal data will no longer be processed for this purpose.

The right to withdraw consent

If the processing is based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. The assumption of withdrawal of consent is not applicable in cases where the basis for processing is not consent.

The right to submit a complaint

If you want to complain about the use of your personal data, please send an e-mail /letter with the details of your complaint to us. We will analyze and respond within the legal deadlines to any complaint we receive. You also have the right to file a complaint with the competent data protection supervisory authority.

Recipients or categories of recipients of personal data

The company may transmit/grant access / disclose personal data mainly to the following categories of entities:

• public authorities and entities (such as tax authorities, etc.)
• service providers (like Cloud providers)
• persons who process personal data in the name of the Company and/or under the authority of the Company, in accordance with the instructions received from us and comply with this Privacy Policy, data protection laws, and any other appropriate confidentiality and security measures (like software developers and IT&C service providers)

Especially for data subjects who fall under the protection of GDPR, the Company’s cloud hosting provider, Amazon Web Services (AWS), has a POP in the United States, and transfers are made to entities outside the European Union. If you fall under the protection of GDPR and the Company transfers your personal data to a third country or to an international organization, we will ensure that it is adequately protected, ie that we transmit the data in a country that provides an adequate level of protection as assessed by the competent entities or, if the country is considered not to have laws equivalent to GDPR data protection standards, we will ask the third party to conclude a legally binding contract/agreement/instrument that reflects the latter standards or provides other appropriate guarantees in this sense.

Consequences of refusal of the provision of personal data

If personal data is collected directly from you, we inform you that, as a rule, you are not obliged to provide your personal information to the Company, unless their provision constitutes a legal or contractual obligation or an obligation /is necessary for concluding a legal relationship/contract. Thus, to the extent that you opt to enter into a legal relationship with the Company or otherwise benefit from our services/product, the provision of personal data is a necessity from the perspective of legal requirements and/or the legal relationship with us, because this information is necessary to honor the obligations undertaken by the Company in relation to you or to provide services and/or products to you. So, in these situations, depending on the data you refuse to provide, it is possible that:

• our company is unable to conclude the contract or to continue the contractual relationship with you
• it may be impossible to partially / fully fulfill our obligations and to provide our services

If you consider that the information contained herein is ambiguous or contains ambiguities, you can request clarifications in this regard from us.

Our contact information for data protection purposes

Email: [email protected]

Address: Bogdan Voda 14, Bucharest 010936, Romania

This Privacy Policy may change from time to time. You have the opportunity to read the up-to-date policy here before you choose to continue using our products and/or services.

Through this Privacy Policy, you have read the information provided by APPSOLVE with regard to personal data processing, and you have been informed about the rights conferred to you.

Date of Last Revision: January 23, 2023

‍