Privacy Statement of Billo Website

Last updated: 25 August, 2022

CONTENTS

1. DEFINITIONS

2. THE PURPOSE OF THE PRIVACY POLICY

3. DATA CONTROLLER AND THE CONTACT DETAILS

4. THE PROCESSING OF PERSONAL DATA, THE PURPOSES, LEGAL BASIS, SOURCES AND TERMS OF STORAGE OF THE DATA:

4.1. The Creator

4.2. The Brand Representative

4.3. The Website visitor (Cookie policy)

4.4. The visitor of Company’s social network accounts (Facebook, Instagram, TikTok, LinkedIn, Twitter)

4.5. The person who submits inquires, request, complaints

4.6. The Supplier’s Representative and/or the representative of another party (legal entity) to the contract concluded by the Company

4.7. The Potential Client (its representative)

5. RECIPIENTS OF DATA

6. RIGHTS OF DATA SUBJECTS

7. QUESTIONS AND DISPUTES

1. DEFINITIONS

1.1. App – mobile app Billo.app;

1.2. Brand – legal entity that creates its account on the Billo.app platform on the Website;

1.3. Brand Representative – a representative of a legal entity that creates its account on the Billo.app platform on the Website, acting in the name and interests of such legal entity (usually, an employee);

1.4. Client – Creators and/or Brands;

1.5. Company – Billo.app, UAB, legal entity code 305403556, registered office address Gediminas str. 22A-14, LT-44319 Kaunas, Lithuania;

1.6. Creator – individual who creates his/her account in the App;

1.7. Direct marketing – activities the purpose of which is to offer goods and services to persons by post, telephone or other direct means and / or to seek their opinion on goods or services offered;

1.8. EEA – European Economic Area;

1.9. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation);

1.10. LoEC – Law on Electronic Communications of the Republic of Lithuania;

1.11. Personal data, data – any information relating to an identified or identifiable natural person (‘data subject’);

1.12. Privacy Policy – this privacy policy;

1.13. Supplier – a legal entity with which the Company has entered into an agreement on the provision of goods and/or services to the Company;

1.14. Supplier’s Representative – a representative of a legal entity with which the Company has entered into an agreement for the provision of goods and/or services to the Company, acting in the name and interests of such legal entity (usually, an employee);

1.15. Terms of Service – terms of service of the Company, which describe the terms of use of the App and Billo.app platform on the Website, the procedure of providing the Company’s services, the rights and obligations of the Company, the Brand and the Creator [Terms of service];

1.16. Website – Company’s website at https://billo.app.

2. THE PURPOSE OF THE PRIVACY POLICY

This Privacy Policy provides information on how the Company handles personal data when individuals use the Company’s App, register on the Billo.app platform on the Website, visit the Company’s Website as well as the Company’s social network accounts, provide inquiries, complaints, requests to the Company, and when the Company communicates with individuals in other cases.

This Privacy Policy provides information on the processing of data of the following categories of data subjects:(i)the Creator (Section 4.1); (ii) the Brand Representative (Section 4.2); (iii) the Website visitor (Section 4.3);(iv)the visitor of Company’s social network accounts (Section 4.4); (v) the person who submits inquiries, requests, complaints to the Company (Section 4.5); (vi) the Supplier’s Representative and/or the representative of another party (legal entity) to the contract concluded by the Company (Section 4.6); (vii) the Potential Client(its representative) (Section 4.7). Sections 1 – 3 and 5 – 8 of this Privacy Policy apply to all categories of data subjects.

We also inform you that changes in the functionality of the App, Website, Billo.app platform, in technological solutions, as well as in the services provided by the Company can lead to changes in the Company’s data processing activities, therefore the Company may unilaterally renew and change this Privacy Policy. In view of this, we recommend the data subject to periodically review this Privacy Policy, taking notice of the last update, which is stated at the Section 8 of this Privacy Policy.

The Company ensures that any personal data specified in this Privacy Policy is handled in accordance with the highest standards of security and confidentiality, in strict compliance with GDPR requirements.

3. DATA CONTROLLER AND THE CONTACT DETAILS

The data controller – Billo.app, UAB, legal entity code 305403556, registered office address Gediminas str. 22A-14, LT-44319 Kaunas, Lithuania, data about which is stored in the Register of Legal Entities of the StateEnterprise Centre of Registers of the Republic of Lithuania. The contact details: tel. No. +1 650 699 6740, e-mail: [email protected].

The data controller – Billo.app, UAB, legal entity code 305403556, registered office address Gediminas str. 22A-14, LT-44319 Kaunas, Lithuania, data about which is stored in the Register of Legal Entities of the StateEnterprise Centre of Registers of the Republic of Lithuania. The contact details: tel. No. +1 650 699 6740, e-mail:[email protected].

4.1. The Creator

Categories of personal data processed

1. Data of registration in the App, creation of account in the App and of login to account:

  • identifying information (name, surname, gender, country, date of birth (age));
  • contact details (e-mail address, telephone number);
  • account creation information (e-mail address, login password, photo);
  • personal login settings when the Creator logs in the App using Google, Apple, Facebook logins.

2. Data of using the App:

  • content created by the Creator (including, video material and/or photo, text);
  • individual terms and conditions of the Creator’s agreement with the Company on the use of the App (Terms of Service and other agreements (if any)) and
  • details of their implementation (including, compensations, fees paid; Brand tasks applied by the Creator; content requirements of a specific Brand;
  • accepted and fulfilled tasks of Brands; gift codes provided; products received);
  • PayPal or other provided account number;
  • address (only if product samples are sent to the Creator);
  • clothing, footwear sizes (only if product samples are sent to the Creator);
  • communication with the Creator regarding the use of the App and provision of Company’s services (e.g., selected communication channel (telephone number, e-mail address), content of communication, time of communication).

3. Data that, according to legal acts, are necessary for the fulfillment of the Company’s tax obligations. Data required by law and tax administrator forms, including:

  • identifying information (name, surname, personal identification code);
  • compensations and fees paid by the Company to the Creator;
  • taxpayer identification number (code), VAT payer code, individual activity certificate number, business certificate number;
  • passport series and number, or identity card number, or permanent or temporary residence in the Republic of Lithuaniapermit number in the Republic of Lithuania;
  • address of residence of a non-permanent resident of Lithuania.

Purposes and legal basis of data processing

The Company processes the personal data of the Creator listed above for the following purposes and based on the following legal basis:

1. purpose – to enable the Creator to register in the App, create an account and join it, as well as to enable the Creator to use theApp, also to implement the mutual rights and obligations of the Company and the Creator established in the agreements concluded between the Company and the Creator (including, Terms of Services and other agreements (if any)). The legal basis for data processing for this purpose is the conclusion and performance of a contract with the Creator (Terms of Service and other agreements concluded between the Creator and the Company (if any)) (Article 6 (1) (b) of the GDPR). The contract with the Creator regarding the use of the App is concluded by the Creator agreeing with the Terms of Service during the registration in the App;

2. purpose – improvement and development of the App, its functionalities and Company’s services. By analyzing the data, the Company gains a better understanding of its services, the use of the App, which helps the Company to improve the App and its services. The legal basis for data processing for this purpose is the legitimate interest of the Company to provide relevant, innovative, adapted, modern, secure services (Article 6 (1) (f) of the GDPR);

3. purpose – fulfillment of the Company’s legal obligations, including those related to the payment and administration of taxes, as well as protection of the Company’s legitimate interests. The data of the Creator may be used by the Company to fulfill the requirements imposed on the Company by legal acts, as well as mandatory instructions of the competent state authorities, and to defend Company’s rights and legitimate interests, including reputation, in courts and other competent authorities. The legal basis for data processing for this purpose is the legitimate interest of the Company to comply with the requirements of legal acts and to protect its violated rights and legitimate interests (Article 6 (1) (f) of the GDPR);

4. purpose – sending Company’s direct marketing offers to the Creator. The legal basis for data processing for this purpose is the legitimate interest of the Company to market its goods and services (Article 6 (1) (f) of the GDPR, Article 69 (2) of the LoEC). The data is used for this purpose as long as the Creator expresses its disagreement with the Company for the use of the data for this purpose;

5. purpose – to ensure communication between the Company and the Creator. The legal basis for the processing of the Creator’sdata for this purpose is the conclusion and performance of the agreement with the Creator (Article 6 (1) (b) of the GDPR) and the Company’s legitimate interest in ensuring customer service of appropriate quality (Article 6 (1) (f) of the GDPR);

6. purpose – Company’s advertising, marketing, public presentation (e.g., the use of Creator’s data in presentations of Company’sservices, advertisements, public announcements on the Company’s website, social network accounts). The data of the Creator shall be processed for this purpose only with the separate consent of the Creator (Article 6 (1) (a) of the GDPR).

Data sources

The personal data of the Creator is obtained from the Creator himself/herself and generated for him/her using the App. If the Creator connects to the App using Google, Apple, Facebook logins, the Company will receive data from these companies about the Creator’s login settings.

Data storage period

The Creator’s data is stored for 10 years from the end of the agreement concluded between the Company and the Creator, i. y. since deleting (deactivating) Creator’s account in the App.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

Data is a necessary condition for the provision of the Company’s services

The above-mentioned personal data of the Creator is necessary for the Company to be able to provide its services to the Creator in accordance with the Terms of Service and to comply with the related legal acts. Without providing this data, the Creator will not be able to register in the App and/or to use it and receive related Company’s services.

If the Company’s personal data processing activities are not acceptable for the Creator, the Creator must not use the App, immediately delete his/her account from the App and the App itself from his/her mobile device.

Acquaintance with Privacy Policy

By using the App, the Creator acknowledges that he/she has carefully read and understood the Privacy Policy, and that the Creator accepts the processing of his/her personal data by the App.

4.2. The Brand Representative

Categories of personal data processed

1. Contact information required to create the Brand’s account on the Billo.app platform:

  • telephone number of the Brand Representative;
  • e-mail of the Brand Representative.

2. Data of the Brand Representative that is necessary or provided for the proper performance of the contract concluded between the Brand and the Company (Terms of Service and other agreements (if any)) and for the proper provision of Company’s services:

  • identifying information (name, surname);
  • workplace (Brand represented); position;
  • contact details (phone number; e-mail address);
  • signature;
  • the data specified in the power of attorney (if such a document is provided);
  • data related to the provision of services to the Brand or performance of the contract (e.g., content of e-mails, communications);
  • name, surname under which the bank card with which the payment to the Company is made have been issued, as well as other data of such card (number, validity date, CVV code).

Purposes and legal basis of data processing

The Company processes the personal data of the Brand Representative listed above for the following purposes and based on the following legal basis:

1. purpose – to enable the Brand to register on the Billo.app platform, create an account and join it, as well as to enable the Brand touse the Billo.app platform, to implement the rights and obligations between the Company and the Brand, established in the Terms of Service and other contracts (if any). The legal basis for data processing for this purpose is the legitimate interest of the Company (Article 6 (1) (f) of the GDPR): interest – to know the data of a person responsible for concluding and executing the contract concluded with the Brand, to properly perform its contractual obligations to the Brand, and to require the Brand to properly perform its contractual obligations to the Company;

2. purpose – improvement and development of the Billo.app platform, its functionalities, the Website and Company’s services. By analyzing the data, the Company gains a better understanding of its services, the use of Billo.app platform, which helps the Company to improve the Billo.app platform and its services. The legal basis for data processing for this purpose is the legitimate interest of the Company to provide relevant, innovative, adapted, modern, secure services (Article 6 (1) (f) of the GDPR);

3. purpose – fulfillment of the Company’s legal obligations, as well as protection of the Company’s legitimate interests. The data of the Brand Representative may be used by the Company to fulfill the requirements imposed on the Company by legal acts, as well as mandatory instructions of the competent state authorities, and to defend Company’s rights and legitimate interests, including reputation, in courts and other competent authorities. The legal basis for data processing for this purpose is the legitimate interest of the Company to comply with the requirements of legal acts and to protect its violated rights and legitimate interests (Article 6(1) (f) of the GDPR);

4. purpose – to ensure communication between the Company and the Brand. The legal basis for the processing of the BrandRepresentatives data for this purpose is the Company’s legitimate interest to ensure customer service of appropriate quality(Article 6 (1) (f) of the GDPR);

5. purpose – sending Company’s direct marketing offers to the Brand. The legal basis for data processing for this purpose is the legitimate interest of the Company to market its goods and services (Article 6 (1) (f) of the GDPR, Article 69 (2) of the LoEC). TheCompany will consider that when registering on the Billo.app platform and/or communicating with the Company, the BrandRepresentative provides the Company with a non-personal e-mail address, but with the Brand’s contact e-mail address. The data is used for this purpose as long as the Brand, acting through its representative, expresses to the Company its disagreement with the use of the data for this purpose.

Data sources

The data of the Brand Representative is obtained from the Brand Representative himself/herself and the Brand he/she represents, including in cases when the Company receives the data of the Brand Representative from his/her colleagues out-of-office message or other type of automatic reply, indicating the representative as a contact person, or the reply of a colleague with whom the Company has communicated to the Company’s e-mail, accompanied (cc) by the Brand Representative. Data can also be obtained from publicly available sources (e.g., Brand’s websites, LinkedIn accounts).

Data storage period

The Brand Representative’s data is stored for 10 years from the end of the agreement concluded between the Company and the Brand.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored foras long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

Acquaintance with Privacy Policy

By registering the Brand’s account on the Billo.app platform and submitting his / her personal data during this registration, the BrandRepresentative confirms that he/she has carefully read, understood this Privacy Policy and that the Company’s data processing activities are acceptable to the Brand Representative,

If the Brand Representative is unacceptable about the Company’s personal data processing activities, he/she must provide personalized data when registering a Brand’s account on the Billo.app platform.

Cookies

When a visitor visits the Website, to ensure the quality of the provided content and functionalities, cookies are being used. Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website, and can be accessed either by the web server or the client computer. This allows the Company to recognize you as a Website visitor, save the information and help ensure a faster and more comfortable use of the Website. It also analyzes visitor’s behaviour helping improve the provided services. With the help of cookies, depending on the purpose and functionality of the cookie, data identifying the Website visitor, such as name, surname, e-mail, IP address may also be collected. So please read carefully the following list of cookies used on the Website, their functions and expiration dates.

Mandatory (technical) cookies

Cookie Provider Purpose Validity period
HSID Google / Google Analytics Protects users from false logins, ensures user authenticity. 2 years
SIDCC Google / Google Analytics Ensures user authenticity. 3 months
SID Google / Google Analytics Ensures user authenticity. 2 years
_gid Google / Google Analytics Stores a unique value after each page visit. 1 day
__cfduid Google / Google Analytics Designed to speed up page loading. 3090 days
DSID Google / Google Analytics Stores an encrypted unique identifier. While browsing the site.
intercom-session-pu1mxg2b Intercom Designed to ensure the operation of the Intercom tool. 1 hour
_hjid HotJar Set when a user visits a page, a random number identifying the user is stored. 365 days
_hjAbsoluteSessionInProgress HotJar Designed to provide HotJarfeatures. While browsing the site.
auth0 Auth0 Stores user login information. 3 days
did_compat Auth0 Stores information about the user’s last login activity. 1 year
did Auth0 Stores information about the user’s last login activity. 1 year
auth0_compat Auth0 Stores user login information. 3 days
OptanonAlertBoxClosed Auth0 Stores the date the information message was closed. 1 year
OptanonConsent Auth0 Stores information about consent to the information notification. 1 year
ga_Rollup Auth0 Stores information related to the Auth0 plugin submission. 2 years
__stripe_mid Stripe Stores a unique value associated with the user to ensure Stripe functions. 1 year
__stripe_orig_props Stripe Stores Stripe plugin settings. 1 year
__stripe_sid Stripe Stores a unique value associated with the user to ensure Stripe functions. 1 year
Scfc Stripe Stores information to ensure the operation of the Stripe plugin. 1 year

Analytical cookies

Cookie Provider Purpose Validity period
SAPISID Google / Google Analytics Assists in gathering information about videos uploaded to YouTube. Permanent
SSID Google / Google Analytics Helps gather information about using YouTube and GoogleMaps. Permanent
_ga Google / Google Analytics Designed to uniquely identify different users. 2 years
gtm_id Intercom Links the user to the internal intercom Google Analytics. 2 years
_ga Intercom Links the user to the internal intercom Google Analytics. 2 years
ajs_user_id Hotjar Used by usage analysts online. 365 days
_ga Hotjar Sets Google Analytics, used to differentiate users. 2 years
ajs_group_id Hotjar Used to group visits from different users. 365 days
ajs_anonymous_id Hotjar Randomly generated for anonymous users. 365 days

Functional cookies

Cookie Provider Purpose Validity period
CONSENT Google / Google Analytics Stores user settings for personalized ads. Permanent

Commercial cookies

Cookie Provider Purpose Validity period
__Secure-3PAPISID Google / Google Analytics Creates a user interest profile to display ads 2 years
__Secure-3PSID Google / Google Analytics Creates a user profile to display ads 2 years
NID Google / Google Analytics Holds user settings related to google sites based on recent searches. 6 months
APISID Google / Google Analytics Personalize Google Analyticsads. 2 years
__Secure-3PSIDCC Google / Google Analytics Assists in gathering information related to ad serving. 2 years
ANID Google / Google Analytics Collects information about recently displayed ads based on recent searches. Permanent
1P_JAR Google / Google Analytics Helps show personalized ads on Google sites. 1 week
IDE Google / Google Analytics Designed to make GoogleDoubleClick work. While browsing the site.
_fbp Facebook Designed to provide Facebook advertising services. While browsing the site.

Purposes and legal basis for the use of cookies

The purpose of mandatory (technical) cookies – to help ensure the proper functioning of the Website. These cookies are essential to run the Website successfully and functionally. The legal basis for the use of mandatory (technical) cookies is the Company’s legitimate interest to ensure the functioning of the Company’s Website, ensuring the quality and security of the Website, and the provision of the Company’s services (Article 6 (1) (f) of the GDPR).

The purpose of analytical cookies – to gain information and data on how visitors use the Website. The legal basis for the use of these cookies is the consent of the Website visitor (Article 6 (1) (a) of GDPR).

The purpose of functional cookies – to help website visitors use the Website efficiently, effectively and conveniently. These cookies are not necessary, but significantly improve the quality of use of the Website. The legal basis for the use of these cookies is the consent of the Website visitor (Article 6 (1) (a) of GDPR).

The purpose of commercial cookies – advertising by the Company or third parties. The legal basis for the use of these cookies is the consent of the Website visitor (Article 6 (1) (a) of GDPR).

Management of cookies

Most web browsers are set to accept cookies automatically. Website visitors may, at their discretion, block or delete cookies and similar unique identifiers if their browser or device settings allow it.

However, please note that if Website visitor refuses certain cookies, the Company cannot be sure how and whether the Website will work for such visitor at all.

The Website visitor can access, edit and change or cancel his / her selections on cookies at any time. This can be done on your internet browser. More information about cookies and how to manage them is provided on the websitewww.allaboutcookies.org and in the help pages of internet browsers:

  • Google Chrome -https://support.google.com/chrome/answer/95647?hl=en
  • Firefox – https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
  • Opera -https://help.opera.com/en/latest/web-preferences/#cookies
  • Internet Explorer -https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
  • Safari -https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac

We would like to inform you that if you block certain cookies, the Website might be modified, previously selected parameters deleted, while some parts of the Website might not be functional.

Given that the Company uses third-party cookies on the Website, we provide resources where you can find more information about third-party cookies:

  • „Google Analitics“ – https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?hl=lt
  • „Google“ – https://policies.google.com/technologies/types?hl=lt
  • Auth0 – https://auth0.com/privacy/
  • Stripe – https://stripe.com/cookies-policy/legal
  • Intercom – https://www.intercom.com/legal/privacy ; https://www.intercom.com/legal/cookie-policy
  • Hotjar – https://www.hotjar.com/legal/policies/privacy/; https://help.hotjar.com/hc/en-us/articles/115011789248-Hotjar-Cookie-Information
  • Facebook – https://www.facebook.com/policies/cookies/, https://www.facebook.com/policy.php

4.4. The visitor of Company’s social network accounts (Facebook, TikTok, LinkedIn, Twitter)

Categories of personal data processed

1. Data of a person who visits social network accounts administered by the Company (Facebook, Instagram, TikTok, LinkedIn, Twitter), taking into account the privacy settings of person’s account and the information provided by such person, including:

  • identifying information (name, surname, photo, IP address);
  • data indicating a person’s joining to a social network account administered by the Company (information about clicks like “follow”, “send a friend request”, “accept a friend request”, “like” and similar joining actions, and other data indicating involvement in the Company’s administrated social network account, information on when the person joined the social network accounts administered by the Company);
  • data showing a person’s involvement in the Company’s social network accounts and its content (e.g., post comments; post shares; information about reactions to posts, information provided; comments, opinions; time of their submission, responses to comments, opinions);
  • person’s social network account data, content (the Company did not store this data in any of its systems, however, when a person joins in to social network accounts administered by the Company, the Company may gain access to data in individuals’ social network accounts);
  • communication data with the Company (e.g., message, time of receipt of the message, content of the message, attachments to the message, reply to the message, time of replying to the message);
  • information on participation in the Company’s events;
  • information on the Company’s valuation.

Purposes and legal basis of data processing

The purpose of processing the data listed above is the administration of the Company’s social network accounts (Facebook, Instagram, TikTok, LinkedIn, Twitter) (including, presentation of the Company, its services to social network users, publication of various messages, information, communication with social network users). The legal basis for the processing of data for this purpose is a consent (Article 6 (1) (a) of the GDPR). We will consider that a visitor to the Company’s social network accounts has given consent to process their data for this purpose when the person visits the Company’s social network accounts, as well as clicks the “like”, “follow”, “send friend request”, “accept friend request” buttons or performs other actions showing his/her will to join to the Company’s social networking account

Data sources

The Company, as the administrator of social network accounts, selects relating settings based on its target audience and its management and promotion objectives. Social network operators (e.g., Facebook, Instagram) may restrict the ability for social network account administrator to change certain, substantial settings and thus the Company cannot influence what information about visitors to the Company’s social network accounts is collected by social network operators (such as Facebook, Instagram). Hence, social network operators act as independent data controllers and have independent data processing purposes, methods, and tools.

All such settings of social network operators affect the processing of personal data of individuals using social media, visiting the Company’s accounts, reading the Company’s messages on social media or communicating with the Company with the help of social networks. Generally, social network operators process personal data (even those collected through the Company’s choice of additional account settings) for their independent purposes in accordance with the social network operators’ privacy policies. However, when using the social network, communicating with the Company through social networks, visiting the Company’s accounts on social networks, monitoring records in them, submitting inquiries to the Company, the Company receives information about such persons. The amount of data received depends on the account settings selected by the Company, agreements with social network operators on ordering additional services, cookies set by social network operators.

Given that social network operators are independent data controllers, please read their privacy policies (pay particular attention to the cookies and similar technologies used by social network operators):

  • Facebook – https://www.facebook.com/privacy/explanation
  • LinkedIn – https://www.linkedin.com/legal/privacy-policy
  • Twitter – https://twitter.com/en/privacy
  • Instagram – https://help.instagram.com/519522125107875
  • TikTok – https://www.tiktok.com/legal/privacy-policy?lang=en

Data storage period.

The data will be processed until a specific social network account of the Company is active, or as long as such data is available to the Company, depending on the settings and functionalities of the specific social network.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

4.5. The visitor of Company’s social network accounts (Facebook, Instagram, TikTok, LinkedIn, Twitter)

Categories of personal data processed

Data provided by a person who submits inquiries, requests, complaints to the Company, including:

  • identifying data (name, surname; position, organization, legal entity represented);
  • contact details (e.g., e-mail address, telephone number, address, depending on the source and method of communication);
  • the content of the inquiry, request, complaint, the content of the response to them, and the details of further communication
    and actions taken.

Purposes and legal basis of data processing

The purpose of data processing is the management of inquiries, requests and complaints submitted to the Company. The legal basis of

data processing is the Company’s legitimate interest to manage complaints, inquiries, requests submitted to the Company and to carry

out communication with interested parties (Article 6 (1) (f) of the GDPR).

Data sources

A person who submits inquiries, requests, complaints to the Company.

Data storage period.

The data is stored for 3 years from the date of the inquiry, request, complaint resolution.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

Categories of personal data processed

Data of the Supplier’s Representative and/or the representative of another party (legal entity) to the contract concluded by the Company:

  • identifying information (name, surname);
  • workplace (legal entity represented); position;
  • contact details (phone number; e-mail address);
  • signature;
  • the data specified in the power of attorney (if such a document is provided);
  • data related to the provision of services to the represented legal entity or performance of the contract (e.g., content of e-mails, communications);

Purposes and legal basis of data processing

The Company processes the personal data of the Brand Representative listed above for the following purposes and based on the following legal basis:

1. purpose – conclusion and performance of the Company’s agreements with Suppliers or other legal entities, performance and enforcement of rights and obligations under such agreements. The legal basis for data processing for this purpose is the legitimate interest of the Company (Article 6 (1) (f) of the GDPR): interest – to know the data of a person who is responsible for concluding and performing the contract concluded with the Supplier or another legal entity, in order for the Company to properly perform its contractual obligations to the Supplier or other legal entity and require the Supplier or other legal entity to duly fulfill its contractual obligations to the Company;

2. purpose – fulfillment of the Company’s legal obligations, as well as protection of the Company’s legitimate interests. The data may be used by the Company to fulfill the requirements imposed on the Company by legal acts, as well as mandatory instructions of the competent state authorities, and to defend its rights and legitimate interests, including reputation, in courts and other competent authorities. The legal basis for data processing for this purpose is the legitimate interest of the Company to comply with the requirements of legal acts and to protect its violated rights and legitimate interests (Article 6 (1) (f) of the GDPR);

3. purpose – to ensure communication between the Company and the Supplier or other legal entity with which the contract is concluded. The legal basis for the processing of the Brand Representatives data for this purpose is the Company’s legitimate interest to ensure communication with a contractual party (legal entity) which is represented by natural persons (Article 6 (1) (f) of the GDPR).

Data sources

The data is obtained from the data subject and from the Supplier or other legal entity he / she represents, including cases when the Company receives the data of the Supplier’s or other legal entity’s representative from an out-of-office message or other type of automatic reply by colleague with whom the Company has communicated, indicating the representative as a contact person, or the reply of a colleague with whom the Company has communicated to the Company’s e-mail letter, accompanied (cc) by a data subject. Data can also be obtained from publicly available sources (e.g., websites, LinkedIn accounts).

Data storage period.

The data of Supplier’s Representative or the representative of another legal entity shall be stored for 10 years from the end of the contracts concluded with the Supplier or other legal entity represented by such representative.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

4.7. The Potential Client (its representative)

Categories of personal data processed

1. Data published on public Instagram accounts of the potential Creator:

  • data that is publicly available on Instagram account, depending on the potential Creator’s settings;
  • e-mail address (if the potential Creator has provided e-mail address for contact);
  • communications, including e-mail correspondence, data with the potential Creators.

2. Data of the potential Brand Representative:

  • identifying information (name, surname) (publicly available or provided by the potential Brand or its other representative);
  • e-mail address (publicly available or provided by the potential Brand or its other representative);
  • position (publicly available or provided by the potential Brand or its representative);
  • represented legal entity;
  • communications, including e-mail correspondence, details;
  • other data provided or publicly available by the potential Brand Representative.

Purposes and legal basis of data processing

The Company processes the personal data listed above for the following purposes and based on the following legal basis:

1. purpose – search for the potential Clients (presentation of Company’s services). For this purpose, personal data is processed on the following legal basis: (i) the consent of the data subject (Article 6 (1) (a) of the GDPR), where such consent is required by law(e.g., Article 69 (1) of the LoEC) (EU subjects), or (ii) the Company has a legitimate interest in marketing its services (Article 6 (1)(f) of the BDAR, paragraph 47 of the preamble), where the law does not require the consent of data subjects;

2. purpose – fulfillment of the Company’s legal obligations, as well as protection of the Company’s legitimate interests. The data may be used by the Company to fulfill requirements imposed on the Company by legal acts, as well as mandatory instructions of competent state authorities, and to defend its rights and legitimate interests, including reputation, in courts and other competent authorities. The legal basis for data processing for this purpose is the legitimate interest of the Company to comply with the requirements of legal acts and to protect its violated rights and legitimate interests (Article 6 (1) (f) of the GDPR).

Data sources

The source of data of the potential Creator – his / her Instagram account profiles if, depending on their privacy settings, they are public. The source of data of potential Brand Representative – (i) data posted on Brand’s websites; (ii) data posted on Brand’s social network accounts (e.g., LinkedIn); (iii) data posted to the LinkedIn account of the potential Brand Representative; (iv) e-mail address search databases, including those where potential e-mails are generated from publicly available data; (v) out-of-office or other automatic response of a colleague with whom the Company has communicated, with a data subject as the contact person; (vi) the response of a colleague with whom the Company has communicated to the Company’s e-mail letter, accompanied (cc) by a data subject.

Data storage period.

The data is stored during the communication period with the potential Creator or the potential Brand Representative.

This period of data retention may be extended if personal data are used or may be used as evidence or a source of information in a pre-trial or other investigation, including in civil, administrative or criminal proceedings, or in other cases provided for by law, or further storage and processing may be justified by Company’s legitimate interest or another legal basis. In such cases, personal data may be stored for as long as is necessary for those purposes for the processing and shall be destroyed immediately when data is no longer needed.

5. RECIPIENTS OF DATA

Recipients of data are those persons, legal entities, authorities, institutions who/that may gain access to personal data processed by the Company. The Company’s priority is to process personal data in the Company and not to provide unnecessary and unreasonable access to personal data to persons outside the Company. However, there are cases when such granting of access is necessary for the Company to ensure the proper provision of services, protection of its legitimate interests or such transfer of data is an obligation under the law. In this regard, in addition to the specific cases set forth above in this Privacy Policy, access to personal data processed by the Company will (may be) granted to the following categories of data recipients:

  • the Company uses data processors who perform certain tasks or provide services to the Company and thus gain access to personal data processed by the Company (e.g., IT specialists providing services to the Company, data centers, hosting and cloud service providers, accounting companies).In each case, only as much data is provided to the data processor as is necessary to fulfill a specific order of the Company or to provide a specific service. Data processors employed by the Company may process personal data only in accordance with the Company’s instructions. In addition, they must ensure data security in accordance with applicable legislation and agreements with the Company;
  • persons or legal entities with whom the Company has entered into an agreement, and such data transfer is in the Company’s legitimate interests, where the data subject’s right to privacy does not prevail (e.g., lawyers; consultants; Company partners and service providers who provide and maintain apps and/or Websites; auditors; postal companies; courier companies);
  • state institutions in accordance with their competence, as well as other persons, insofar as such provision of data is established by the requirements of legal acts;
  • courts and other bodies investigating disputes or conducting investigations, law enforcement institutions, insofar as such transfer of data is necessary for the protection of the rights and legitimate interests of the Company;
  • the Creator’s data (name) as well as content created (including video material, photo, text), are transferred to the Brands, to whose task is applied by the Creator and/or whose task was executed by the Creator. Due to the fact that the content created by the Creator (including video and/or photo, text) transmitted to the Brand will be published on the Brand’s social network accounts or other sources accessible to an indefinite circle of persons, the Creator’s created content will become publicly available to an indefinite circle of persons;
  • in case of reorganization of the Company, transfer of business and other similar cases, the data may be transferred to the successors in title, business acquirers;
  • other persons and/or entities with the consent of the data subjects, if such consent is obtained in the specific case.

Please note that in all cases where personal data may be processed in countries where the level of personal data protection may be lower than in the European Union, the Company takes additional measures to achieve an adequate level of data protection: (i) data is transferred to countries where the European Commission has decided that they provide an adequate level of protection (Article 45 (1) of the GDPR), or (ii) the recipient is contracted in accordance with standard contractual clauses approved by the European Commission or the StateData Protection Inspectorate (Article 46 (2) (c), (d) of the GDPR), or (iii) this results in the separate consent of the data subject (Article 49 (1) (a) of the GDPR) or such transferred is based on another condition established in article 49 (1) of the GDPR.

Given the fact that the data of the Creator, including the created content, may be transferred to non-EEA Brand whose tasks are applied by the Creator himself, as well as the fact that the content created by the Creator(including video material, photo, text) transferred to the Brand will be published in public sources and such content will be made publicly available to an indefinite number of persons, including those operating/residing in non-EEA countries, such data transfer is based on Article 49 (1) (b) of the GDPR.

The data servers used by the Company are located in the US Central 1 (Iowa) region. Server is provided byGoogle LLC (United States). The safeguard measure implemented – a contract has been concluded in accordance with the standard contractual clauses approved by the European Commission (Article 46 (2) (c) of the BDAR).

You can also are welcome to contact the Company for more information on data recipients.

6. RIGHTS OF DATA SUBJECTS

Please be informed that data subjects have the following rights guaranteed by the GDPR in relation to the processing of their data:

  • the right to receive confirmation from the Company that the personal data of the data subject is processed, and the right to request that the data subject be provided with information about what personal data is being processed by the Company and for what purposes it processes it;
  • the right to obtain from the Company without undue delay the rectification of inaccurate personal data concerning him/her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed;
  • the right to obtain from the Company erasure of personal data concerning him/her (“right to be forgotten”);
  • the right to obtain from the Company restriction of processing;
  • the right to object to the processing of personal data when (i) the personal data is processed on the basis of the legal interests of the Company or third parties; (ii) personal data are processed for direct marketing purposes;
  • he right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her;
  • the right to receive the personal data concerning him/her, which he/she has provided to the Company in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where technically feasible;
  • the right to withdraw consent to the processing of data where the processing of personal data is based on consent. Please note that the withdrawal of consent does not affect the lawfulness of consent-based processing of personal data carried out before the withdrawal of consent.

We would like to point out that the legislation establishes certain conditions, restrictions and procedures for the implementation of each of these rights. Taking this into account, at the request of the data subject, the Company will exercise these rights when all the conditions for the implementation of these rights established in legal acts and the procedure and terms established by legal acts exist.

Requests for the exercise of rights must be submitted to the Company in writing (including in electronic format)by the contacts specified in Section 3 “Data controller and the contact details” of this Privacy Policy.

7. QUESTIONS AND DISPUTES

The Company believes that any questions, misunderstandings or disputes regarding the processing of personal data can best be resolved through a dialogue between the Company and the data subject, therefore, if you have any questions, observations or concerns about your personal data processed by the Company, you can always contact the Company by the contacts referred to in Section 3 of this Privacy Policy “Data controller and contact details”.

Please be informed that you also have the right to complain about the Company’s actions (inaction) to the StateData Protection Inspectorate of the Republic of Lithuania (more information and contacts: L. Sapiegos str. 17, Vilnius, Lithuania; https://vdai.lrv.lt/; e-mail ada@ada. (tel .: (+370 5) 271 28 04, (+370 5) 279 1445) and to the court in accordance with the procedure established by legal acts, as well as to appeal to the court against the actions(inaction) of the State Data Protection Inspectorate of the Republic of Lithuania.