The personal data concerning you shall be processed by us lawfully, fairly and in a transparent manner.
I. Personal Data Controller and Processor
The Personal Data Controller is Icy Coconut OÜ. Please email any requests relating to the processing of any personal data concerning you to firstname.lastname@example.org.
II. Categories of processed data, processing purposes and conditions
The Company shall process the categories of personal data shown below, for the following purposes:
|Purpose||Legal basis||Categories of processed data|
|To enable you to use our services the Company needs certain personal data (e.g. to create or modify your user account, allow you to use the application, send technical information about how the app works, process and reply to any requests, contact our support staff, send you a code to enter at first authentication).||Processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract (art. 6(1)(b) of the GDPR).||Common data: name and surname, email address, telephone number, address, Apple ID, photograph, contacts, chat conversations, bank data used for transactions|
|To let the User fully enjoy the Application’s services and allow the Data Controller to access data contained in “Health”, application automatically installed on iOS devices. Personal data within “Health” app will be processed exclusively for the purpose described in this section, and will not be used (or shared with third parties) for any other purpose or scope.||The legal basis for the processing is consent of the Data Subject (art. 6(1)(a) of GDPR).||Health data, which fall under the special categories of personal data pursuant to art. 9 GDPR. These also include information on User’s weight, height, physical activity (steps walked, calories burnt).|
|To discharge the Company’s legal obligations and any other obligations arising out of the instructions received from the authorities.||Compliance with a legal obligation to which the Data Controller is subject (art. 6(1)(c) of the GDPR)||Common data: name and surname, telephone number, address, Apple ID, photograph, contacts, chat conversations, bank data used for transactions|
If the app needs to access your address book you will be asked to select one of the following options: “access all contacts”, in which case all or a preset list of numbers in your address book will be automatically accessed, or “manually select”, in which case you will be asked to select the single numbers that may be accessed by the app.
Please be reminded that, if the processing requires your consent for one or more processing purposes, you may give your consent only if aged at least 16 years (see art. 8 of the GDPR). If you are aged below 16, the consent must be given by a parent or other holder of parental responsibility (in the latter case, the Data Controller shall make every reasonable effort to verify that consent is given or authorised by the holder of parental responsibility). Should we become aware that we have collected the personal data of a child aged below 16 years without the consent of a parent or holder of parental responsibility, we shall delete the data and close the relevant account forthwith.
III. Methods, timeframe and place of processing
The personal data concerning you may be processed either electronically or on paper.
Icy Coconut OÜ adopts all the technical and organisational measures for preventing the loss, improper use and alteration of personal data under your control, and, in some cases, may also adopt data encryption methods. However, no type of Web transmission or storage of the data may be considered absolutely secure, for which reason we caution you not to send any information you consider confidential and which you would like to keep secret.
The processed data are stored at the Company’s headquarters, in the archives provided by our IT services provider. The data required to discharge any legal obligations, and obligations relating to the use of the app, shall be stored for the time required to perform the purposes for which they were collected and, in any case, for no longer than 10 years after the termination of the contract (or the cancellation of the app registration). At the end of this period of time the data shall either be deleted or pseudonymised.
IV. Mandatory or optional nature of the supply of personal data and consequences of the refusal to answer
It is necessary for you to supply your personal data. Your refusal to supply the requested data, or the supply of inaccurate data, might make it impossible to register with the application and use its services.
V. Entities, or categories of entities, to which any personal data concerning you may be disclosed, or which may acquire your personal data, and scope of disclosure of the data
The personal data supplied by you shall be processed by the following entities:
- the personnel authorised by the Company and belonging to the business units involved in managing the applications, who have received specific processing instructions;
- third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors engaged by the Company (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers).
The complete and updated list of the said entities is available for consultation, on request, at the Company’s headquarters.
We shall disclose any data concerning you solely for the purpose of discharging the obligations set out in the applicable laws and/or regulations.
VI. Sharing your personal data with Countries outside the European Economic Area
Any personal data concerning you could also be transferred to third-party entities based outside the EEA, to fulfil the purposes mentioned above.
In these cases the Company undertakes to put into place appropriate measures to ensure adequate protection of those personal data in the place of destination, verifying that the third-party entities are Privacy Shield certified or comply with the group rules laid down by the competent authorities or have entered into specific agreements with the Company, in this respect.
A copy of the appropriate or expedient warranties are available for consultation, on request, at the Company’s headquarters.
VII. Your privacy rights
You may contact the Data Controller, in writing, by means of a registered letter with proof of receipt addressed to the Company’s headquarters, or an email to email@example.com, to exercise your rights to access, modify, delete or object to the processing of your personal data (as set out in the Privacy Provisions), or to obtain:
- confirmation of the existence of any personal data concerning you, even if they have not yet been registered, and its communication in an intelligible form;
- information about the origin of the data, the processing purposes, the categories of the relevant personal data, the Data Controller and processor, the entities, or categories of entities, to which the data may be disclosed or which may acquire the data as data processors or entities engaged and authorised to process your data, and the storage time or, if this is not possible, the criteria for its determination;
- the updating, rectification or completion of the data concerning you, the erasure, the pseudonymisation or blocking of any data processed in breach of the law, including those the storage of which is unnecessary for the purposes for which they were collected or subsequently processed, the certification that the required activities have been notified, also with regard to their contents, to the entities to which the data has been communicated or disclosed, except where this requirement is impossible to perform or entail the use of manifestly disproportionate resources compared to the protected right.
Furthermore, you may also request the restriction of processing of any data concerning you and the transfer of your data to a different controller (the so-called “right to data portability” ) and to object, for legitimate reasons, to the processing of any data concerning you, even if relevant to the collection purposes, or object, in full or in part, to the processing of any personal data concerning you (in relation, inter alia, to any specific means of communication) for the purpose of sending any advertising materials or direct sale or market surveys or commercial communication, subject to the fact that the Company does not intend to process your data for such purposes.
You also have the right to lodge a complaint with the Estonian Data Protection Authority and/or other competent control authorities.
 In particular, you are entitled to the so-called “right to be forgotten”: the right to obtain from the controller the erasure and blocking of any further processing of any personal data concerning you that are no longer necessary for the purposes for which they were collected or otherwise processed, if you withdraw your consent or object to the processing of any personal data concerning you, or if the processing is in breach of the GDPR. The Data Controller undertakes to inform the other data controllers engaged in processing the data concerning you to erase any links to the said data or copies or reproductions of the said personal data, taking into account the available technology and the means available to the Data Controller, including any technical measures.
The further retention of the personal data concerning you is lawful where it is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
 In particular, you are entitled to receive personal data concerning you in a structured, commonly used, machine-readable format, and to transmit those data to another controller, without hindrance from the Data Controller, where: (i) the processing is based on consent pursuant to point (a) of article 6(1), or point (a) of article 9(2), or on a contract pursuant to point (b) of article 6(1) of the GDPR; and (ii) the processing is carried out by automated means. Where technically feasible, you shall have the right to have the personal data concerning you transmitted directly from one controller to another, without prejudice to the so-called “right to be forgotten” and subject to any other party’s rights and freedoms.