Effective Date: December 1, 2020
This privacy policy (the “Policy”) is an integral part of the ExtraEssay Terms of Use (the “Agreement”). All the terms used herein are used with the same meanings as the Agreement provides unless otherwise are directly set out hereby.
We are committed to protecting and respecting your privacy, so we take your privacy seriously and will use your personal data (the “data”) to administer your account and to provide the services only after obtaining your consent for the collection and processing of your data as follows. The Policy explains what data, when, where, and why we collect the data of yours, on what legal basis we process and how do we use it, the conditions under which we may disclose the data to others, your rights in respect of your personal information, as well as how we keep it secure.
Since we use tracking technologies on the Website (cookies, web beacons/pixels etc.), please check our Tracking Technologies Policy, where we also describe the purpose and means we do it with.
Whether you have any questions, please contact us at: [email protected].
BrainUp Limited, registratienummer: 120371, statutair gevestigd te 5-9 Main Street, Gibraltar
1. Changes and updates to policy
- We may revise the Policy according to new developments or advances in legislation and the broader data protection landscape from time to time, so please check this page to ensure that you’re OK with any changes.
- If we make any material changes, we will notify you by email (to the address associated with your account) or the notification may appear in your account when you next log in to it prior to amendments becoming effective. A notification regarding other changes may be rendered to you by publishing at https://extraessay.com/privacy-policy.
2. Your data controller and data processors; third parties
- The first you should know is information about your data controller and processors. The data controller is an entity that determines the purposes and means of the processing of the data. The data processor is an entity that processes the data on behalf of the controller.
- In this current case, your data controller is ExtraEssay, BrainUp Limited, Registration number: 120371, having its registered office at 5-9 Main Street, Gibraltar.
- When processing your data, we may use the following data processors:
- G-Suite service which may be represented by Google LLC (California, USA), Google Ireland Limited (the Republic of Ireland), Google Asia Pacific Pte. Ltd. (Singapore), or any other entity that directly or indirectly controls, is controlled by, or is under common control with Google LLC, which is storage place provider, in order to store the data. Google provides more information on how it processes data in its Privacy Policy;
- AWS service (Amazon Web Services) represented by Amazon Web Services, Inc. with a registered office at 410 Terry Avenue North, Seattle, WA 98109-5210, which is storage place provider, in order to store the data. AWS provides more information on how it processes data in its Privacy Policy;
- HotJar service represented by Hotjar Ltd, a company with its registered number C65490 and its address: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta, to analyze activity on our Website. HotJar provides more information on how it processes data in its Privacy Policy;
- Fraudshield service represented by 24metrics GmbH, with its registered office at Tieckstr. 35, 10115 Berlin, Germany, in order to prevent and detect fraud. Fraudshield provides more information on how it processes data in its Privacy Policy;
- Edu Money service represented by the entity specified on the service’s website in order to find advertisers of our services and receive the data from them so you can use your discount (if a discount is a subject to an advertiser’s offer that they placed on their web sources). Edu Money provides more information on how it processes data in its Privacy Policy;
- One Signal service represented by OneSignal, Inc., with its registered office at 2850 S Delaware St Suite 201, San Mateo, CA 94403, in order to have a technical possibility to contact our users. One Signal provides more information on how it processes data in its Privacy Policy;
- Solid Gate service represented by GTW Solid Tech Limited, a company with its registered number HE395052 and its address: 9 Vasili Michailidi, Limassol, 3026, Cyprus, in order to process and receive your payments. Solid Gate provides more information on how it processes data in its Privacy Policy;
- Decta service represented by both Decta Limited with its registered address at Suite 3, Third Floor, 62 Bayswater Road, London, W2 3PH, UK and SIA “DECTA” with its registered address at Duntes Street 6, Riga, LV-1013, in order to process and receive your payments. Decta provides more information on how it processes data in its Privacy Policy;
- Cloudflare service represented by Cloudflare, Inc. with its registered address at 101 Townsend St., San Francisco, CA 94107, USA, in order to protect and provide your safety while using the Website. Cloudflare provides more information on how it processes data in its Privacy Policy;
- Livechat service represented by LiveChat, Inc. with its registered address at 101 Arch Street, 8th Floor, Boston MA 02110, USA, in order to implement, use and get support of a live-chat feature into the Website. Livechat provides more information on how it processes data in its Privacy Policy;
- Mailchimp service represented by The Rocket Science Group LLC with its registered address at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, in order to have a technical possibility to contact our users. Mailchimp provides more information on how it processes data in its Privacy Policy;
- Matomo service represented by InnoCraft Ltd. with its registered address at 150 Willis St, 6011 Wellington, New Zealand, in order to analyze activity on our Website. Matomo provides more information on how it processes data in its Privacy Policy;
- Paymentwall service represented by Paymentwall, Inc. with its registered address at 255 9th Street, San Francisco, CA 94103, USA, in order to process and receive your payments. Paymentwall provides more information on how it processes data in its Privacy Policy;
- Where there is a necessity, we may also engage third-party services and may share the data with them. That will help us operate, provide, improve, integrate, customize, support, and market our service and the Website. We share the data, in particular, for purposes indicated in section 5 hereof. The types of third parties we share information with include, in particular: cloud storage providers; data analytics providers; measurement partners; marketing partners; payment processing providers; communication services providers, etc. By providing us with the services, those providers will also be your data processors.
- We may also use and disclose the data to enforce the Agreement, to protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others, and to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, or in other cases provided for by law.
- If we transfer personal data originating from the EEA to countries with not adequate level of data protection, we use one of the following legal bases: (i) Standard Contractual Clauses approved by the European Commission (details available here (or any new version of contractual clauses issued by data protection body (if any))) , or (ii) the European Commission adequacy decisions about certain countries (details available here).
3. Note about children
- You are prohibited to use the website where you are under 18 or age of legal majority in your country. We do not knowingly process personal data from persons under 18 years of age.
- If a minor submits personal information to us and we learn that the personal information is the information of a child under the legal age range, we will attempt to delete the information as soon as possible. If you believe that we may have any personal information of a child under the legal age range, please contact us at [email protected].
4. Data that ExtraEssay processes; purposes and legal basis of data processing
- The data is any information relating to you. That alone or in cumulation with other information pieces allows the person who collected and processed such information to identify you as a person. Processing of the data means any action with your data, including, but not limited to, collecting, storing, transferring, etc.We solely or with help of data processors may collect the following data about you:
- 1. The data about you as a viewer of the Website:
- Scope of the data:
- the data we collect ourselves: user id, including, third-party’s ones; duration of a session; the history of the interaction of the Website; data you provided our support team with via contact-us form or a live-chat feature, including, email, name, content of your request; localization of your web browser; type and preferences of your device’s system; your leading URL; your device type;
- the data provided by third parties (our data processors): number of your sessions; session duration; operating systems of your devices, device models; geography; first launches date; number of the Website uses;
- cookies and other tracking identifiers as our Tracking Technologies Policy sets forth (may be collected by us or by our data processors;
- Purposes of processing (and legal basis). We process this data in order to:
- make the Website available for your access as well as provide you with the most relevant services with the Website (performing of the contract (the Agreement) with you);
- provide you with technical/presale support (performing of the contract (the Agreement) with you);
- provide you with our Services and communicate with you regarding your use of the Website (performing of the contract (the Agreement) with you);
- analyze active users’ number, support users from different regions and provide proper work of various versions of the Website as well as to develop and optimize the Website (our legitimate interest);
- keep the Website safe and secure, enforce the Agreement and prevent and combat fraud (our legitimate interest); and
- comply with our legal obligations (our legitimate interest).
2. The data about you as the Account registrant (holder) and the consumer of the Services:
- Scope of the data:
- the data we collect ourselves:
- the data specified in section 4.2(a) hereof; and
- the history and content of communication with our support team; the history of placed Orders; details of the Orders; files you attached to your Order; survey data; your name, email, phone number that you indicated when registering/in your account; the history of communication with a writer; your balance; your discounts history; list of your Referrals;
- the payment data: your balance; your discounts history; your payment details you provided with us; history of your transactions; a discount amount that you received by inviting friends; data on refunds;
- the data provided by third parties (our data processors): status of your payments, history of your transactions;
- the data we collect ourselves:
- purposes of processing (and legal basis). We process this data in order to:
- reach purposes specified in section 4.2(a) hereof;
- manage your Account in compliance with your needs and provide you with technical support (performing of the contract (the Agreement) with you);
- provide you with Services (performing of the contract (the Agreement) with you);
- communicate with you regarding your use of the Website, Services, update you on Services, status of your Orders, information, and our products (performing of the contract (the Agreement) with you);
- process and acquire payments from you, notify you status of your transactions (performing of the contract (the Agreement) with you);
- notify you of any crucial information or changes within the Website or the Services which may affect you (performing of the contract (the Agreement) with you); and
- generate statistical studies of market (our legitimate interest);
3. We may also process the statistical data:
- scope of the data: data about how you found us; devise and location data: language settings, IP address, time zone, type and model of a device, device settings, operating system, Internet service provider, mobile carrier, hardware ID, country, region, city; history of use of the Website;
- purposes of processing. We process this data in order to analyze active users’ number, support users from different regions and provide proper work of various versions of the Website as well as to develop and optimize the Website and generate statistical studies of market;
- please be advised that we collect such data anonymously so they fall outside the general personal data definition because of inability to identify any person.
- Scope of the data:
- We may also send you news and information about the Website and Services that you either request from us, or we believe may interest you. In most cases, we will contact you via email as well as send we may message you in your account on the Website. As part of our marketing efforts, we may combine information about you from third party sources with information we hold about you due to your use of the Website to make your use of the Services more profitable for you.
- Please note, when the data is collected for marketing purposes you will be additionally asked for such processing. Furthermore, you will at any time have the possibility to withdraw your consent free of charge by the clicking on a separate “Unsubscribe button” in the email sent.
5. Duration and location of processing
- Your data will be processed within the term of your use of the Website or Services (which is longer) and up to termination of such use (or the Agreement) which means the deletion, blocking or suspending of your account on the Website and restrict your further use of the Website; we shall terminate the processing of your personal information unless the special retention period for the storage of such data is set by the relevant legislation then.
- You are entitled to restrict us to process your data by sending to us a data erasure request or a notice of prohibition to process your data. Please be warned that such action prohibits us to process your data and/or makes us delete your data so you will lose your access to the Website and Services.
- In the event when your account is blocked, banned or otherwise disabled due to any violation, you will be prohibited from further creation of a new Account on the Website and use the Services again. Accordingly, we will be bonded by the Agreement to keep on processing data on UDID, IP address, and other device details (the “technical data”) in order to prevent your further registration and potential violations. Please note that the technical data is not subject to erasing under article 17 of GDPR; hence we will process it on the basis of our legitimate interest, which is a separate ground of processing.
- Please note that our legitimate interest does not outweigh your right to privacy because the way that we use the technical data does not significantly impact your privacy, and we have a compelling reason to do so (recital 47 to GDPR). This reason is to restrict you from breaching one more obligation under the Agreement and potentially harm us or our users. Moreover, please note that the technical data is anonymized, so there is no real possibility to identify you as a person by that data.
- Our servers are based in the USA, so your data will generally be processed and hosted outside the EU. Thus, place of your data collection is the USA.
6. Tracking technologies
We use cookie and some of others tracking technologies to improve your user experience and obtain data about how the website is being used. This data enable us to develop and optimize the Website and make your use of the Services more comfortable for you. Please read out Tracking Technologies Policy to find out more.
7. Your data subject’s rights
- Being a data subject, you have the following rights:
- A right to request us to access to your data: you can ask us what personal information of yours is being processed as well as for the clarifications on the information described above, i.e. purpose of collecting and processing, period of processing, third parties that have access to information. To exercise the right please contact us at [email protected];
- A right to request us to rectify your personal information: you can ask all the inaccurate personal information concerning you being corrected. You can also complete the personal information if you feel there is a need to do so. To exercise the right please contact us at [email protected] or use a specific area of your account on the Website;
- a right to request us to erase personal information: you can request us to erase such data if its processing is no longer necessary in relation to the purposes for which it was collected as well as if there are no legal grounds for the processing. In most cases we will erase it unless otherwise will be required by legislation. To exercise the right please contact us at [email protected];
- A right to request us to restrict the processing of your data: for example if you contest the accuracy of your data being processed or in case we will not be interested to process your personal information any longer, but you will want us to do this on different reasons, for example, to bring some claim for somebody and instead of the erasure of information its processing will be just restricted. To exercise the right please contact us at [email protected];
- A right to withdraw your consent for the collection and processing of your data by us at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exercise the right please contact us at [email protected];
- A right to lodge a complaint with supervisory authority; and
- A right to data portability. To exercise the right please contact us at [email protected].
- We will provide information on action taken on your request related to your rights specified above within one month of receipt of the request for the longest. That period may be extended by two further months if we are overwhelmed by the number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
8. Protection of data
We take technical and organizational measures to ensure the information is processed in a manner that ensures appropriate security of information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. For example, we use verified contractors that might have access to the data as specified in section 4 hereof with which the relevant data processing agreements are signed.
9. Notice to California residents
-
- California Civil Code Section 1798.83, also known as the “Shine The Light” law, grants our users who are California residents some rights. This section 10 applies solely to California consumers. This section also provides additional details about how we process personal data of California consumers and the rights available to them under the California Consumer Privacy Act (“CCPA”).
- We do not sell your data so no opt-out choice is necessary. It means that we do not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate in any way your data to another company for monetary or other valuable consideration.
- You have the right to request, twice in a 12-month period, the following information about the data we have collected about you during the past 12 months:
- The categories and specific pieces of data we have collected about you;
- The categories of sources from which we collected it;
- The business or commercial purpose for which we collected the data;
- The categories of third parties with whom we shared the data; and
- The categories of data about you that we sold or disclosed for a business purpose, and the categories of third parties to whom we sold or disclosed that information for a business purpose.
- You have the right to request that we delete the data we have collected from you. If you choose to exercise any of your rights under the CCPA, you have the right to not receive discriminatory treatment.
- To submit an access or deletion request, contact us at [email protected]. To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your data or complying with your request. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
10. Notice to UK residents (and visitors from UK)
- This Privacy Notice is set up for our users from UK only in compliance with the UK Data Protection Act 2018 (DPA) and Privacy laws post Brexit (if any). Please be advised that you may not rely upon this Privacy Notice or otherwise enforce it when you are not a UK resident.
- UK Representative. Firs of all, please be acknowledged that you may contact our UK Data Protection Representative anytime you have any questions about how we process your personal data or comply with the DPA. If you have any complaints, you are also welcomed to reach him out by sending an email to [email protected].
- Your Data Subject Rights and How to Exercise Them. Being a data subject, you have the following rights provided by the DPA and you may exercise them as below:
- A right to receive transparent information about how we process your data. You may access such information by reading this Privacy Policy. Whether you still have any questions, please contact us via email [email protected];
- A right to request us to access to your data: you can ask us what personal information of yours is being processed as well as for the clarifications on the information described above, i.e., purpose of collecting and processing, period of processing, third parties that have access to information. To exercise the right please contact us at [email protected];
- A right to request us to rectify your personal information: you can ask all the inaccurate personal information concerning you being corrected. You can also complete the personal information if you feel there is a need to do so. To exercise the right please contact us at [email protected];
- A right to request us to erase personal information: you can request us to erase such data if its processing is no longer necessary in relation to the purposes for which it was collected as well as if there are no legal grounds for the processing. In most cases we will erase it unless otherwise will be required by legislation. To exercise the right please contact us at [email protected];
- A right to request us to restrict the processing of your data: for example if you contest the accuracy of your data being processed or in case we will not be interested to process your personal information any longer, but you will want us to do this on different reasons, for example, to bring some claim for somebody and instead of the erasure of information its processing will be just restricted. To exercise the right please contact us at [email protected];
- A right to withdraw your consent for the collection and processing of your data by us at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exercise the right please contact us at [email protected];
- A right to data portability. You may request a portable copy of your personal data in an accessible format. To exercise the right please contact us at [email protected];
- A right to lodge a complaint with supervisory authority. You have the right to complain to the Information Commissioner’s Office (ICO) if you have any grievance against the way we collect, use or share your data.
11. Reach us out
We will be glad to hear something from you. If you have any questions regarding this Policy, please contact us at [email protected].