The privacy of our website visitors is of the utmost importance to us.
We do not track or collect any data that could be used to identify any individuals, unless you give us explicit permission to do so.
As a “Visitor” to the Website, you can be sure that:
• None of your personal information will be collected
• No cookies will be stored in your browser
• None of your personal information is shared with, sent to or sold to third parties (we don’t collect it)
• No personal information will be shared with advertising companies (again, we don’t collect such data at all)
• We run a privacy-focussed analytics script to collect some anonymous usage data for statistical purposes
• Our goal is to track overall trends about the traffic and usage of the Website, and NOT to track individual visitors
• All the data we collect is aggregate only
• We never collect personal data without your permission
If you decide to create an account (and thus become a “User”), we will only ask for data that is absolutely necessary for the Website, App or Service to function properly and securely.
This Privacy Policy (“Privacy Policy”) relates to the website chromatic.ee and/or any sub-websites and/or associated domains (and/or sub-domains), web and mobile applications (“apps”) and/or software systems (“software”, “systems”) of chromatic.ee (hereinafter referred to as the “Website”), the services provided by Chromatic Europe OU, the owner of the Website, (“We”, “Us”, “Our”, “Ourselves” and/or “Chromatic”) and any related software applications (“Systems”), where Personal Data is processed by the same (via the Website, any of our systems or otherwise) relating to You.
In this Privacy Policy, “You” and “Your” and “User(s)” and “Visitor(s)” refer to an identified or identifiable natural or legal person being the User of the Website(s), app(s) or other software systems and/or client (or prospective client) of any of our services. Our full details, including contact details, can be read below. Although our goal is to always be as clear and transparent as possible, we appreciate that legal documents can sometimes be difficult to read. However, we strongly encourage you to read this Privacy Policy thoroughly.
Please do not hesitate to contact us with any questions you may have. For example, if you need clarification on a specific legal basis we are relying on to process your personal data for a specific processing operation, we will be happy to provide you with any such information.
As an entity established in Estonia, part of the EU, the main privacy laws that are applicable to Us in so far as You are concerned, are as follows: The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data – the “GDPR”.
All the above are referred to together as the “Data Protection Laws” (DPL) and/or the “GDPR”.
“PERSONAL DATA” means any information that identifies You as an individual or that relates to an identifiable individual.
Whenever it is not possible or feasible for us to make use of anonymous and/or anonymised data (in a manner that does not identify any users of the Website or customers of our Services), We are nevertheless committed to protecting your privacy and the security of your personal data at all times.
We collect personal data in various ways both digitally via the website (either when you choose to provide us with certain data or in some cases automatically and/or via third parties) as well as non-digitally (for example when you fill in a physical form to benefit from one or more of our services).
Category of Personal Data | Purpose | Type of data we may collect |
---|---|---|
CONTACT DETAILS | To manage our relationship with you; To be able to provide you information that you requested from us or that we may be authorised by law to provide to you; To manage your subscription to a newsletter or mailing list; To send you text messages and push notifications | Full name; mailing address; telephone or mobile number; email address; collaboration and instant messaging contact details, social media profiles |
REGISTRATION DATA | To make our website(s), apps and other systems usable by enabling basic functions like page navigation and access to secure areas. The website(s), apps, and systems cannot function properly and securely without these details. | Full name; email address; mailing address; business name, address and description; Usernames; Passwords |
MARKETING DATA | To ensure that the content of our website(s)/apps are relevant and engaging for our users and to refine our marketing strategy and tactics. Also, to enable our website(s)/apps to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. | Full name; Email address; website address; social media profiles; mailing address; demographic and/or business-related information such as postcode, age, position or function within an organisation; links to social media profiles on other platforms; social media profiles; preferences and interests; website usage data, including duration of your visit, visited pages and their order, search queries, links that you have clicked on (including text links, images, graphics, etc.); online identifiers (including IP addresses and information generated via your browser); Devices used during visiting our website |
TRACKING DATA | To ensure the safety and security of our website(s), systems and apps, and to understand how our visitors interact with our website by collecting and reporting information anonymously | IP address, Location Data, Configuration information, Operational logs, Devices used during visiting our website, Location of files; website usage data, including duration of your visit, visited pages and their order, search queries, links that you have clicked on (including text links, images, graphics, etc.) |
FINANCIAL INFORMATION | To process and manage payment transactions (where applicable) | Credit card information, PayPal and/or other payment gateway ID, Bank details |
ADDITIONAL INFORMATION | In some cases, for example, if you are a client or prospective client of our services, or a prospective employee via the website(s), any app or otherwise we may request additional personal data as a means of securely identifying you or for another similar lawful purpose. | More secure identification methods; credentials/references; details of Your next of kin |
SPECIAL INFORMATION | In special circumstances we might need to process special categories of data, such as your health data (e.g. dietary restrictions before attending a meeting with us or one of our events). We only process such sensitive Personal Data with your explicit consent, when it's absolutely necessary and with the strictest safeguards in place. | health conditions/status, dietary restrictions and requirements |
Many of the categories of personal data above are collected directly from you (for example, your contact details and your registration data). However, we may also collect personal data from other sources, including publicly accessible databases, joint marketing partners, social media platforms and other third parties.
We may also receive personal data about you from third parties when we need to confirm your contact details. Should this be the case, and when acting as a data controller, we will take all measures as required by law to further inform you about the source of such personal data as well as the categories of personal data we collect and process.
There are certain instances at law where we are specifically forbidden from disclosing to you such activity (for example, when carrying out due diligence for anti-money laundering purposes). When acting as a data processor, Chromatic processes personal data on behalf of one or more data controllers. In such cases it is the data controller’s obligation to provide data subjects with the said information. In case of uncertainty over who the data controller is, please contact us.
For a detailed description of the reasons why we process (as a data controller) the categories of personal data above (and any other specific personal data we process), as well as the corresponding legal ground(s) for doing so, please see the ‘What we use your personal data for (Purpose of Processing)’ table below.
For information/personal data that we may collect automatically via the Website, Software or Apps, please see the Cookies section below.
If you choose to connect or share one or more of your social media accounts with us to enable the sharing of personal data via social media platforms, certain categories of personal data relating to you from your social media account(s) may be shared with and processed by us.
As a general rule, when acting as a data controller, we do not collect any personal data, that is, information that identifies you as an individual other than that which you choose to provide to us such as the data (including contact details and registration data) you provide when registering with us (where this is available), when contacting us with enquiries relating to our products and/or services, when subscribing to any service offered by us or via our website, such as any newsletters as may be issued by us from time to time or even when subscribing to any offers we (and/or our affiliates and/or corporate partners) may offer from time to time (see Personal Data We May Collect About You above).
Unless otherwise specified and subject to various controls, as a general rule, we only collect personal data (from you or elsewhere) when we:
• Need to be able to provide you with the products and/or services you request from us
• Are legally required to collect/use and to keep for a predetermined period of time
• Believe to be strictly necessary for our legitimate business interests
For a detailed description of the reasons why we process specific categories of personal data as well as the corresponding legal ground(s) for doing so, please see the ‘What we use your personal data for (Purpose of Processing)’ below.
By providing us with or allowing us to access personal data relating to individuals other than yourself, you are letting us know that you have the authority to send us that personal data or the authority to permit us to access those data in the manner described in this Privacy Policy.
The following table contains the description of what we use your personal data for and the corresponding legal ground(s) we rely on for doing so.
For more detail on what is meant by terms such as ‘contact details’, ‘registration data’ and other categories of personal data used in the tables below, please see the “Personal Data We May Collect About You” section above.
PURPOSE OF PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING |
---|---|---|
To register users (directly or through third-party social signups) | Registration Data | Contractual necessity or Legitimate interest |
To manage our relationship with you | Registration Data, Contact Details | Legitimate Interest |
To be able to provide you with marketing and promotional offers that you may have requested from us or that we may be authorised at law to provide to you | Marketing Data, Tracking Data | Contractual Necessity or Consent |
To establish and investigate any suspicious behaviour in order to protect our business from any risk and fraud | Registration Data, Contact Details | Legitimate Interest (detection and prevention of fraud) |
Subscribing to a newsletter or mailing list | Registration Data, Contact Details | Consent |
Send you text messages and push notifications | Registration Data, Contact Details | Contractual Necessity or Consent |
PURPOSE OF PROCESSING | CATEGORIES OF PERSONAL DATA | LEGAL BASIS FOR PROCESSING |
---|---|---|
Your being able to participate in a survey, feedback, feature demonstration, poll or a discussion across our digital properties | Registration Data, Contact Details | Consent or Legitimate Interest |
Maintain records on our systems | Registration Data, Contact Details, Tracking Data, Profile Data, Financial Information | Contractual Necessity or Legitimate Interest (to ensure we have accurate records) |
Continue to manage our relationship with you | Registration Data, Contact Details, Tracking Data, Financial Information | Contractual Necessity or Compliance with the Legal Obligations |
To process and manage payment transactions (where applicable) | Financial Information | Contractual Necessity |
To be able to provide you with (some or all of) our services | Registration Data, Contact Details, Profile data, Marketing Data | Contractual Necessity |
To comply with legal and regulatory obligations | Registration Data, Contact Details, Tracking data, Financial Information | Legal Obligation |
Subscribing to a newsletter or mailing list | Registration Data, Contact Details | Consent or Contractual Necessity |
To be able to provide you with marketing material that you may have requested from us or that we may be authorised at law to provide to you | Marketing Data, Tracking Data | Consent or Legitimate Interests |
Send you text messages and push notifications | Contact Details, Registration data | Consent or Contractual Necessity |
Please note, that without certain Personal Data relating to you, we may not be able to provide some or all of the information or services you expect or request from us nor guarantee the full functionality of our Website(s), Apps, or Software Systems.
All reasonable efforts are made to ensure the personal data we hold about you is up-to-date and as accurate as possible. We may periodically ask you to confirm the accuracy of the records we hold, especially if there is a corresponding privacy and/or security risk justifying doing so. Otherwise, we largely rely on you to inform us when your personal data (such as your address or other contact details) change.
We only send email, text messages and other communications relating to marketing where we have the necessary legal grounds to do so. In most cases we rely on your consent.
If, at any time, you no longer wish to receive marketing communications from us, you can exercise this right by clicking the “unsubscribe” or “opt-out” link in the marketing emails we send you or let us know by contacting us at the details below or update your preferences on any of our website(s), apps or software system(s) (where applicable).
In the case of direct marketing sent by electronic communications (where we are legally authorised to do so) you will be given an easy way of opting out (or unsubscribing) from any such communications.
As a general rule, the data we process about you (collected via our website(s), any of our apps or software systems) will be stored and processed within the European Union (EU)/European Economic Area (EEA) or any other non-EEA country deemed by the European Commission to offer an adequate level of protection (the so-called ‘white-listed’ countries listed here).
Please note, that data sent via the Internet may be transmitted across international borders even where both sender and receiver of information are located in GDPR-compliant countries. We cannot be held responsible for any misuse of personal data prior to our receiving it or after our sending it, when the personal data from you to us (or vice versa) is transferred via a non-GDPR-compliant country.
We reserve the right to disclose (and otherwise process) any relevant personal data which we may be processing (including IP addresses, in special circumstances) to authorised third parties in or outside the EU/EEA, if such disclosures are allowed under the Data Protection Laws (whether or not you gave us permission to do so):
1. For the purpose of preventing, detecting or suppressing fraud (for example, if You provide false or deceptive information about Yourself or attempt to pose as someone else, we may disclose any information we may have about you in our possession so as to assist any type of investigation into your actions);
2. In the event of Chromatic being involved in a merger, sale, restructure, acquisition, joint venture, assignment, transfer;
3. To protect and defend our rights (including the right to property), safety, or those of our affiliates, of users of our site or even your own;
4. To protect against abuse, misuse or unauthorised use of our website(s); apps or software systems;
5. For any purpose that may be necessary for the performance of any agreement you may have entered into with us (including the request for provision of services by third parties) or in order to take steps at your request prior to entering into a contract;
6. To comply with any legal obligations such as may arise by way of response to any court subpoena or order or similar official request for personal data;
7. As may otherwise be specifically allowed or required by or under any applicable law (for example, under anti-money laundering legislation).
The personal information which we may hold (and/or transfer to any affiliates/partners/subcontractors as the case may be) will be held securely in accordance with our internal security policy and the GDPR. We take reasonable steps to safeguard the confidentiality of any and/or all personal data that we process.
We regularly review and enhance our technical, physical and managerial procedures to ensure that your personal data is protected from:
• unauthorised access
• improper use or disclosure
• unauthorised modification
• unlawful destruction or accidental loss.
To this end we have implemented security policies, practices, and technical and organisational measures to protect the personal data that we may have under our control. All our members, staff and data processors (including specific subcontractors, including cloud service providers, who may have access to and are associated with the processing of personal data) are further obliged (under contract) to respect the confidentiality of our users’ or clients’ personal data as well as other obligations as imposed by the GDPR. Despite all our efforts, we cannot guarantee that a data transmission or a data storage system can ever be 100% secure. For more information about our security measures, please contact us in the manner described below.
Authorised third parties, and external/third party service providers, with permitted access to your information (as explained in this Privacy Policy) are specifically required to apply appropriate technical and organisational security measures that may be necessary to safeguard the personal data being processed from unauthorised or accidental disclosure, loss or destruction and from any unlawful forms of processing.
These service providers (our data processors) are also bound by a number of other obligations in line with the GDPR (in particular, Article 28 of the GDPR). For the avoidance of all doubt, these are the same obligations that we are bound by when acting as data processor on behalf of one or more data controllers.
Relevant data will also be disclosed or shared as appropriate (and in all cases in line with the GDPR) to/with members and staff of Chromatic, to/with affiliated entities and/or subcontractors if pertinent to any of the purposes listed in this Privacy Policy (including to/with our services providers who facilitate the functionality of the site and/or any service you may require).
Personal information will only be shared by us to provide the services you request or for any other lawful reason (including authorised disclosures not requiring your consent). Any such authorised disclosures will be done in accordance with the GDPR (for example all our processors are bound by the requirements of GDPR, including a strict obligation to keep any information they receive confidential and to ensure that their employees/personnel are also bound by similar obligations).
The said service providers (our processors) are also bound by a number of other obligations (in particular, Article 28 of the GDPR). Your personal data will never be shared with third parties for their marketing purposes (unless you explicitly authorise us to do so). The list of third parties to whom we may disclose and/or with whom we may share your personal data is available on request.
We will retain your personal data only for as long as is necessary (taking into consideration the purpose for which it was originally obtained). The criteria we use to determine what is ‘necessary’ depend on the particular personal data in question and the specific relationship we have with you (including its duration).
Our normal practice is to determine whether there is/are any specific EU and/or Estonian law(s) (for example tax or corporate laws) permitting or obliging us to keep certain personal data for a certain period of time (in which case we will keep the personal data for the maximum period indicated by any such law).
For example, any data that can be deemed to be ‘accounting records’ must be kept for at least six years (plus current year). We would also have to determine whether there are any laws and/or contractual provisions that may be invoked against us by you and/or third parties and if so, what the prescriptive periods for such actions are (this is usually 6 years, plus current year). In the latter case, we will keep any relevant personal data that we may need to defend ourselves against any claim(s), challenge(s) or other such action(s) by you and/or third parties for such time as is necessary.
Where your personal data is no longer required by us, we will either securely delete or anonymise the personal data in question.
We use research and statistics data based on user or client information to better understand our users’ and clients’ needs, to develop and improve our services, our marketing and other operational activities. We will always make sure to obtain any consent we legally require from you. We will also ensure that we implement all appropriate safeguards to keep your data secure.
Links that we provide to third-party websites are clearly marked and we are not in any way whatsoever responsible for the content of such websites (including any applicable privacy policies or data processing practices). We suggest that you read the privacy policies of any such third-party websites.
When you visit our website, use our apps or software systems, we collect certain categories of personal data automatically through the use of cookies and similar tracking technologies.
For more detailed information, including what cookies are and how and why we process such data in this manner (including the difference between essential and non-essential cookies) please read our Cookie Policy.
Our website(s), apps and services are not intended to be used by any persons under the age of eighteen (18) and therefore we will never intentionally collect any personal data from such persons. If you are under the age of consent, please consult and get your parents' or legal guardians' permission to use the website, apps or any of our services.
Before addressing any of your requests, we may first need to verify your identity. In all cases we will try to respond to your request as promptly as reasonably possible. As explained in the Retention Periods section above, we may need to keep certain personal data for compliance with our legal retention obligations, but also to complete transactions that you have requested prior to the change or deletion that you requested.
Please note that when acting as a data processor, Chromatic processes personal data on behalf of one or more data controllers. In such cases queries will generally be directed to our client(s) or partner(s) – the data controller(s).
When we act as a data controller, your various legal rights include:
You may request us to confirm whether or not we are processing your personal data and, if we are, you have the right to access that personal data and to the following information:
• What personal data we hold,
• Why we process them,
• To whom we disclose them,
• For how long we intend to keep them,
• Whether we transfer them abroad and the safeguards we take to protect them,
• What your relevant rights are,
• How you can make a complaint,
• From where we obtained your personal data,
• Whether we have carried out any automated decision-making (including profiling) based on the related information.
Upon request, we shall (without adversely affecting the rights and freedoms of others, including our own) provide you with a copy of your personal data within one month of receipt of your request, which period may be extended by two months where necessary, taking into account the complexity and number of the requests. We will inform you of any such extension and the reasons for the delay within one month of receipt of the request.
You have the right to rectify your personal data. You can ask us to rectify inaccurate personal data and to complete your incomplete personal data. We may seek to verify the accuracy of the data before rectifying it.
You have the right to ask us to delete your personal data and we shall comply without undue delay but only where:
• The personal data are no longer necessary for the purposes for which they were collected; or
• You have withdrawn your consent (in those cases where we process on the basis of your consent) and we have no other legal ground to process your personal data; or
• You shall have successfully exercised your right to object (as explained below); or
• Your personal data have been processed unlawfully; or
• There is a legal obligation to which we are subject; or
• Special circumstances exist in connection with certain children’s rights.
Please note, that we are not legally bound to comply with your erasure request if the processing of your personal data is necessary:
• for compliance with a legal obligation to which we are subject (including but not limited to our data retention obligations); or
• for the establishment, exercise or defence of legal claims.
There are other legal grounds entitling us to refuse erasure requests, although the two instances above are the most likely grounds that may be invoked by us to deny such requests.
You have the right to ask us to restrict the use of your personal data (i.e. keep, but not further process) but only where:
• The accuracy of your personal data is contested (see the right to data rectification above), for a period enabling us to verify the accuracy of the personal data; or
• The processing is unlawful and You oppose the erasure of your personal data; or
• We no longer need the personal data for the purposes for which they were collected but You need the personal data for the establishment, exercise or defence of legal claims; or
• You exercised your right to object and verification of our legitimate grounds to override your objection is pending.
Following your request for restriction, except for storing your personal data, we may only process your personal data:
• Where we have your consent; or
• For the establishment, exercise or defence of legal claims; or
• For the protection of the rights of another natural or legal person; or
• For reasons of important public interest.
You have the right to ask us to provide your personal data (that you shall have provided to us) to you in a structured, commonly used, machine-readable format, or (where technically feasible) to have it transferred directly to another data controller, provided this does not adversely affect the rights and freedoms of others.
In those cases, where our legal basis to process your data is your explicit consent, you have the right to withdraw your consent at any time and in the same manner as you have provided it to us. Should you exercise your right to withdraw your consent (by writing to us at the physical or email address below), we will determine whether at that stage an alternative legal basis exists for processing your data (for example, on the basis of a legal obligation to which we are subject) where we would be legally authorised or required to process your personal data without needing your consent and if so, notify you accordingly.
When we ask for such personal data, you may always decline, however should you decline to provide us with that necessary data we require to provide the services you require, we may not necessarily be able to provide you with such services (especially if consent is the only legal ground that is available to us).
We only process your personal data when this is
1.) necessary for the performance of a task carried out in the public interest or
2.) when processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. You have the right to object to processing of your personal data by us.
Where an objection is entered, the processing of data shall cease, unless we as data controller provide compelling and legitimate grounds requiring the continuation of the data processing which outweigh the objections you may have raised. When your data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data, which includes profiling to the extent that it is related to such direct marketing.
Please note, that this general right to object does not subsist when we process your personal data because it is necessary for the performance of a contract, when necessary for legal compliance or when processing of the data is necessary to protect your vital interests or those of another natural person.
You also have the right to lodge complaints with the appropriate Data Protection Supervisory Authority. The competent authority in Estonia is the Data Protection Inspectorate ('DPI'). You can contact them to make a complaint here.
We kindly ask that you please attempt to resolve any issues you may have with us first, even though, as stated above, you have a right to contact the competent authority at any time.
As one of the security measures we implement, before being able to legally help you exercise your rights as described above, we may need to verify your identity to ensure that we do not disclose to or share any personal data with any unauthorised individuals.
We reserve the right, at our complete discretion, to change, modify, add to and/or remove portions of this Privacy Policy at any time. If you are an existing client with whom we have a contractual relationship, you will be informed by us of any changes made to this Privacy Policy (as well as other terms and conditions relevant to the use of our Website(s), Apps or Software Systems). We will also archive and store previous versions of the Privacy Policy for your review.
As a user of the Website with whom we have no contractual relationship or lawful way of tracing, it is in your interest to regularly check for any updates to this Privacy Policy (which are usually deemed to be effective on the date they are published on the website), in case our attempts to notify you of such updates do not succeed.
If you have any questions/comments about privacy or should you wish to exercise any of your individual rights, please contact us by writing to: dpo (at) chromatic.ee or the Data Protection Officer at Chromatic Europe OU, Estonia, Tallinn, Kotkapoja tn 2a-10, 10615.