Effective Date: December 1, 2020.
This privacy policy (the “Policy”) is an integral part of the ExtraEssay Terms of Use (the “Agreement”). All the terms used herein have the same meanings as the Agreement provides unless otherwise directly set out hereby.
We are committed to protecting and respecting your privacy. We take your privacy seriously and will use your personal data (the “data”) to administer your account and provide the services only after obtaining your consent to collect and process your data. The Policy explains what data, when, where, and why we collect the data of yours, on what legal basis we process and how we use it, the conditions under which we may disclose the data to others, your rights in respect of your personal information, as well as how we keep it secure.
Since we use tracking technologies on the Website (cookies, web beacons/pixels, etc.), please check our Tracking Technologies Policy, which also describes the purpose and means we use them.
If you have any questions, please contact us at [email protected].
BrainUp Limited, registration number 120371, having its registered office at 5-9 Main Street, Gibraltar.
1. Changes and updates to the Policy
- We may revise the Policy according to new developments or advances in legislation and the broader data protection landscape from time to time, so please check this page to ensure that you’re OK with any changes.
- If we make any material changes, we will notify you by email (to the address associated with your account), or the notification may appear in your account when you next log in to it prior to amendments becoming effective. A notification regarding other changes may be displayed to you at https://extraessay.com/privacy-policy/.
2. Your data controller and data processors, third parties
- First, you should know information about your data controller and processors. The data controller is an entity that determines the purposes and means of data processing. The data processor is an entity that processes the data on behalf of the controller.
- In this current case, your data controller is ExtraEssay, BrainUp Limited, registration number 120371, having its registered office at 5-9 Main Street, Gibraltar.
- When processing your data, we may use the following data processors:
- G-Suite service, which may be represented by Google LLC (California, USA), Google Ireland Limited (the Republic of Ireland), Google Asia Pacific Pte. Ltd. (Singapore), or any other entity that directly or indirectly controls, is controlled by, or is under common control with Google LLC, which is storage place provider, to store the data. Google provides more information on how it processes data in its Privacy Policy.
- AWS service (Amazon Web Services), represented by Amazon Web Services, Inc., with a registered office at 410 Terry Avenue North, Seattle, WA 98109-5210, which is a storage place provider, to store the data. AWS provides more information on how it processes data in its Privacy Policy.
- HotJar service, represented by Hotjar Ltd, a company with its registered number C65490 and its address: Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian’s STJ 3141, Malta, to analyze activity on our Website. HotJar provides more information on how it processes data in its Privacy Policy.
- Fraudshield service, represented by 24metrics GmbH, with its registered office at Tieckstr. 35, 10115 Berlin, Germany, to prevent and detect fraud. Fraudshield provides more information on how it processes data in its Privacy Policy.
- Edu Money service, represented by the entity specified on the service’s website, to find advertisers of our services and receive the data from them so you can use your discount (if a discount is subject to an advertiser’s offer placed on their web sources). Edu Money provides more information on how it processes data in its Privacy Policy.
- One Signal service, represented by OneSignal, Inc., with its registered office at 2850 S Delaware St, Suite 201, San Mateo, CA 94403, to have a technical possibility to contact our users.
- Solid Gate service, represented by GTW Solid Tech Limited, a company with its registered number HE395052 and its address: 9 Vasili Michailidi, Limassol, 3026, Cyprus, to process and receive your payments. Solid Gate provides more information on how it processes data in its Privacy Policy.
- Decta service, represented by both Decta Limited, with its registered address at Suite 3, Third Floor, 62 Bayswater Road, London, W2 3PH, UK, and SIA “DECTA” with its registered address at Duntes Street 6, Riga, LV-1013, to process and receive your payments. Decta provides more information on how it processes data in its Privacy Policy.
- Cloudflare service, represented by Cloudflare, Inc., with its registered address at 101 Townsend St., San Francisco, CA 94107, USA, to protect and provide your safety while using the Website. Cloudflare provides more information on how it processes data in its Privacy Policy.
- Livechat service, represented by LiveChat, Inc., with its registered address at 101 Arch Street, 8th Floor, Boston, MA 02110, USA, to implement, use, and get the support of a live-chat feature into the Website. Livechat provides more information on how it processes data in its Privacy Policy.
- Mailchimp service, represented by The Rocket Science Group LLC, with its registered address at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308, to have a technical possibility to contact our users. Mailchimp provides more information on how it processes data in its Privacy Policy.
- Matomo service, represented by InnoCraft Ltd., with its registered address at 150 Willis St, 6011 Wellington, New Zealand, to analyze activity on our Website. Matomo provides more information on how it processes data in its Privacy Policy.
- Paymentwall service, represented by Paymentwall, Inc., with its registered address at 255 9th Street, San Francisco, CA 94103, USA, to process and receive your payments. Paymentwall provides more information on how it processes data in its Privacy Policy.
- Where there is a necessity, we may also engage third-party services and share the data with them. That will help us operate, provide, improve, integrate, customize, support, and market our service and the Website. We share the data, in particular, for purposes indicated in section 5 hereof. The types of third parties we share information with include, in particular, cloud storage providers, data analytics providers, measurement partners, marketing partners, payment processing providers, communication services providers, etc. By providing us with the services, those providers will also be your data processors.
- We may also use and disclose the data to enforce the Agreement, to protect our rights, privacy, safety, or property, and/or that of our affiliates, you or others, and to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, or in other cases provided for by law.
- If we transfer personal data originating from the EEA to countries with not adequate level of data protection, we use one of the following legal bases: (i) Standard Contractual Clauses approved by the European Commission (details available here (or any new version of contractual clauses issued by data protection body (if any))), or (ii) the European Commission adequacy decisions about certain countries (details available here).
3. Note about children
- You are prohibited from using the website if you are under 18 or the age of legal majority in your country. We do not knowingly process personal data from persons under 18.
- If a minor submits personal information to us and we learn that it is from a child under the legal age range, we will attempt to delete it as soon as possible. If you believe that we may have any personal information about a child under the legal age range, please contact us at [email protected].
4. Data that ExtraEssay processes. Purposes and legal basis of data processing
- The data is any information relating to you. That alone or in cumulation with other information pieces allows the person who collected and processed such information to identify you as a person. Processing of the data means any action with your data, including, but not limited to, collecting, storing, transferring, etc. We, solely or with the help of data processors, may collect the following data about you:
- 1. The data about you as a viewer of the Website
- Scope of the data:
- The data we collect ourselves: user ID, including third-party ones; duration of a session; the history of the interaction of the Website; data you provided our support team with via contact-us form or a live-chat feature, including email, name, the content of your request; localization of your web browser; type and preferences of your device’s system; your leading URL; your device type.
- The data provided by third parties (our data processors): number of your sessions, session duration, operating systems of your devices, device models, geography, first launch date, and number of the Website uses.
- Cookies and other tracking identifiers, as our Tracking Technologies Policy sets forth (may be collected by us or by our data processors.
- Purposes of processing (and legal basis). We process this data to:
- Make the Website available for your access and provide you with the most relevant services with the Website (performing the contract (the Agreement) with you).
- Provide you with technical/presale support (performing the contract (the Agreement) with you).
- Provide you with our Services and communicate with you regarding your use of the Website (performing the contract (the Agreement) with you).
- Analyze the number of active users, support users from different regions, provide proper work for various versions of the Website, and develop and optimize the Website (our legitimate interest).
- Keep the Website safe and secure, enforce the Agreement, and prevent and combat fraud (our legitimate interest).
- Comply with our legal obligations (our legitimate interest).
2. The data about you as the account registrant (holder) and the consumer of the Services:
- Scope of the data:
- The data we collect ourselves:
- The data specified in section 4.2(a) hereof.
- The history and content of communication with our support team; the history of placed Orders; details of the Orders; files you attached to your Order; survey data; your name, email, and phone number that you indicated when registering/in your account; the history of communication with a writer; your balance; your discounts history; list of your Referrals.
- The payment data includes your balance, discount history, payment details you provided with us, transaction history, the discount amount you received by inviting friends, and refund data.
- The data provided by third parties (our data processors): status of your payments, history of your transactions.
- The data we collect ourselves:
- Purposes of processing (and legal basis). We process this data to:
- Reach purposes specified in section 4.2(a) hereof.
- Manage your account in compliance with your needs and provide you with technical support (performing the contract (the Agreement) with you).
- Provide Services (performing the contract (the Agreement) with you).
- Communicate with you regarding your use of the Website Services, update you on Services, the status of your Orders, information, and our products (performing the contract (the Agreement) with you).
- Process and acquire payments from you, notify you of the status of your transactions (performing the contract (the Agreement) with you).
- Notify you of any crucial information or changes within the Website or the Services that may affect you (performing the contract (the Agreement) with you).
- Generate statistical studies of the market (our legitimate interest).
3. We may also process the statistical data:
- Scope of the data: data about how you found us; devise and location data: language settings, IP address, time zone, type and model of a device, device settings, operating system, Internet service provider, mobile carrier, hardware ID, country, region, city; history of use of the Website.
- Purposes of processing. We process this data to analyze active users’ numbers, support users from different regions, provide proper work on various versions of the Website, develop and optimize the Website, and generate statistical market studies.
- Please be advised that we collect such data anonymously, so they fall outside the general definition of personal data because we are unable to identify any person.
- Scope of the data:
- We may also send you news and information about the Website and Services that you either request from us or we believe may interest you. In most cases, we will contact you via email and may send you a message on your account on the Website. As part of our marketing efforts, we may combine information about you from third-party sources with information we hold about you due to your use of the Website to make your use of the Services more profitable for you.
- Please note that when data is collected for marketing purposes, you will be asked to consent to such processing. Furthermore, you can withdraw your consent free of charge at any time by clicking on a separate “Unsubscribe” button in the email sent.
5. Duration and location of processing
- Your data will be processed within the term of your use of the Website or Services (whichever is longer) and up to termination of such use (or the Agreement), which means the deletion, blocking, or suspension of your account on the Website and restriction of your further use of the Website; we shall terminate the processing of your personal information unless the special retention period for the storage of such data is set by the relevant legislation.
- You are entitled to restrict us from processing your data by sending us a data erasure request or a notice of prohibition to process your data. Please be warned that such action prohibits us from processing your data and/or makes us delete your data, so you will lose your access to the Website and Services.
- If your account is blocked, banned, or otherwise disabled due to any violation, you will be prohibited from creating a new account on the Website and using the Services again. Accordingly, we will be bound by the Agreement to keep on processing data on UDID, IP address, and other device details (the “technical data”) to prevent your further registration and potential violations. Please note that the technical data is not subject to erasing under Article 17 of GDPR; hence, we will process it based on our legitimate interest, which is a separate ground of processing.
- Please note that our legitimate interest does not outweigh your right to privacy because how we use the technical data does not significantly impact your privacy, and we have a compelling reason to do so (recital 47 to GDPR). This is to restrict you from breaching one more obligation under the Agreement and potentially harming us or our users. Moreover, please note that the technical data is anonymized, so there is no real possibility to identify you as a person by that data.
- Our servers are based in the USA, so your data will generally be processed and hosted outside the EU. Thus, the place of your data collection is the USA.
6. Tracking technologies
We use cookies and other tracking technologies to improve your user experience and obtain data about how the website is being used. This data enables us to develop and optimize the Website and make your use of the Services more comfortable. Please read our Tracking Technologies Policy to find out more.
7. Your data subject’s rights
- Being a data subject, you have the following rights:
- A right to request us to access your data: you can ask us what personal information is being processed and for clarifications on the information described above, i.e., the purpose of collecting and processing, period of processing, and third parties that have access to information. To exercise your right to do so, please contact us at [email protected].
- A right to request us to rectify your personal information: you can ask for all the inaccurate personal information concerning you to be corrected. You can also complete the personal information if you feel there is a need to do so. To exercise your right to do so, please contact us at [email protected] or use a specific area of your account on the Website.
- A right to request us to erase personal information: you can request us to erase such data if its processing is no longer necessary for the purposes for which it was collected and if there are no legal grounds for the processing. In most cases, we will erase it unless otherwise will be required by legislation. To exercise your right to do so, please contact us at [email protected].
- A right to request us to restrict the processing of your data: for example, if you contest the accuracy of your data being processed or if we will not be interested in processing your personal information any longer, but you will want us to do this on different reasons, for example, to bring some claim for somebody and instead of the erasure of information its processing will be just restricted. To exercise your right to do so, please contact us at [email protected].
- A right to withdraw your consent for the collection and processing of your data by us at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exercise your right to do so, please contact us at [email protected].
- A right to lodge a complaint with a supervisory authority.
- A right to data portability. To exercise your right to do so, please contact us at [email protected].
- We will provide information on action taken on your request related to your rights specified above within one month of receipt of the request for the longest. That period may be extended by two further months if we are overwhelmed by the number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
8. Protection of data
We take technical and organizational measures to ensure the information is processed in a manner that ensures appropriate security of information, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. For example, we use verified contractors that might have access to the data as specified in section 4 hereof, with which the relevant data processing agreements are signed.
9. Notice to California residents
-
- California Civil Code Section 1798.83, also known as the “Shine The Light” law, grants our users who are California residents some rights. This Section 10 applies solely to California consumers. This section also provides additional details about how we process the personal data of California consumers and the rights available to them under the California Consumer Privacy Act (“CCPA”).
- We do not sell your data so no opt-out choice is necessary. It means that we do not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate in any way your data to another company for monetary or other valuable consideration.
- You have the right to request, twice in a 12-month period, the following information about the data we have collected about you during the past 12 months:
- The categories and specific pieces of data we have collected about you.
- The categories of sources from which we collected it.
- The business or commercial purpose for which we collected the data.
- The categories of third parties with whom we shared the data.
- The categories of data about you that we sold or disclosed for a business purpose and the categories of third parties to whom we sold or disclosed that information for a business purpose.
- You have the right to request that we delete the data collected from you. If you choose to exercise any of your rights under the CCPA, you have the right not to receive discriminatory treatment.
- To submit an access or deletion request, contact us at [email protected]. To help protect your privacy and maintain security, we take steps to verify your identity before granting you access to your data or complying with your request. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.
10. Notice to UK residents (and visitors from the UK)
- This Privacy Notice is set up for our users from the UK only in compliance with the UK Data Protection Act 2018 (DPA) and post-Brexit privacy laws (if any). Please be advised that you may not rely upon this Privacy Notice or otherwise enforce it when you are not a UK resident.
- UK Representative. First, please acknowledge that you may contact our UK Data Protection Representative anytime you have any questions about how we process your personal data or comply with the DPA. If you have any complaints, you are also welcome to reach out by sending an email to [email protected].
- Your data subject rights and how to exercise them. Being a data subject, you have the following rights provided by the DPA, and you may exercise them as below:
- A right to receive transparent information about how we process your data. You may access such information by reading this Privacy Policy. If you still have any questions, please contact us via email at [email protected].
- A right to request that we access your data. You can ask us what personal information is being processed and for clarifications on the information described above, i.e., the purpose of collecting and processing, the period of processing, and third parties that have access to information. To exercise your right to do so, please contact us at [email protected].
- A right to request us to rectify your personal information: you can ask for all the inaccurate personal information concerning you to be corrected. You can also complete the personal information if you feel there is a need to do so. To exercise your right to do so, please contact us at [email protected].
- A right to request us to erase personal information: you can request us to erase such data if its processing is no longer necessary for the purposes for which it was collected, as well as if there are no legal grounds for the processing. In most cases, we will erase it unless otherwise will be required by legislation. To exercise your right to do so, please contact us at [email protected].
- A right to request us to restrict the processing of your data: for example, if you contest the accuracy of your data being processed or if we will not be interested in processing your personal information any longer, but you will want us to do this on different reasons, for example, to bring some claim for somebody and instead of the erasure of information its processing will be just restricted. To exercise your right to do so, please contact us at [email protected].
- A right to withdraw your consent for the collection and processing of your data by us at any time, without affecting the lawfulness of processing based on consent before its withdrawal. To exercise your right to do so, please contact us at [email protected].
- A right to data portability. You may request a portable copy of your personal data in an accessible format. To exercise your right to do so, please contact us at [email protected].
- A right to lodge a complaint with supervisory authority. You have the right to complain to the Information Commissioner’s Office (ICO) if you have any grievance against the way we collect, use, or share your data.
11. Reach us out
We will be glad to hear something from you. If you have any questions regarding this Policy, please contact us at [email protected].