1. GENERAL PROVISIONS
1.1. This Personal Data Processing Policy (hereinafter referred to as the "Policy") has been developed in accordance with the General Data Protection Regulation of the European Union (hereinafter referred to as GDPR) and the Virgin Islands Data Protection Act (hereinafter referred to as "VIDPA") and sets out the procedure for processing personal data when using the website https://digiu.ai (hereinafter referred to as the "Website").
2. CONTROLLER AND DATA SUBJECTS
2.1. The Controller of personal data is DigiU (hereinafter referred to as the "Controller"), which processes the personal data of users of the Website.
2.2. Data Subjects are individuals who register on the Website (hereinafter referred to as "Users").
2.3. If local legislation requires additional notifications or procedures not covered by this Policy, the Controller undertakes to comply with such requirements in relation to the respective Data Subjects.
2.4. The Controller acts as the sole Processor of Users’ personal data and does not act as a Joint Controller.
2.5. Contact email of the Controller: info@digiu.ai.
3. PURPOSES AND LEGAL BASES FOR PROCESSING
3.1. Personal data is processed for the following purposes:
3.1.1. Identification of Users in order to provide access to the personal account on the Website.
3.1.2. Offer Users services and products, information about which may be available after registration on the Website.
3.1.3. Satisfying the needs of Users in rendering services and purchasing products offered on the Website.
3.1.4. Collecting and analyzing statistical data on visiting and use of the Website by Users.
3.2. The legal basis for processing personal data is:
3.2.1. User’s consent to the processing of personal data in accordance with Article 6(1)(a) of the GDPR and Article 7(1)(a) of the VIDPI.
3.2.2. Conclusion and performance of the contract with the User in accordance with Article 6(1)(b) of the GDPR and Articles 7(2)(a) of the VIDPI.
3.2.3. Compliance with anti-money laundering and counter-terrorist financing legislation in accordance with Article 6(1)(c) of the GDPR and Article 7(2)(f) of the VIDPI.
3.2.4. The pursuit of the legitimate interests of the Controller pursuant to Article 6(1)(f) of the GDPR or for the purpose of taking at the request of the User prior to entering into a contract pursuant to Article 7(2)(b) of the VIDPI.
3.3. The legitimate interest referred to in sub-clause 3.2.4 and pursued by the Controller is business development through targeted marketing communications to Users.
3.4. The legitimate interests of the Controller are pursued in conditions of inadmissibility of speculation and impossibility of direct use of Users' personal data for the purpose of enrichment.
3.5. The measures for concluding a contract provided for in sub-clause 3.2.4 imply sending offers to registered interested Users to enter into a contract.
4. PROCESSED DATA
4.1. The Controller processes the following categories of Users' personal data:
4.1.1. First and last name.
4.1.2. Date of birth.
4.1.3. Identification document details.
4.1.4. Gender.
4.1.5. Country and city of residence.
4.1.6. Phone number.
4.1.7. Email address.
4.1.8. Photo of an identity document.
4.1.9. Photo of the User with an identity document.
4.1.10. User name on the website https://vk.com, https://vk.ru.
4.1.11. User name on the website https://mail.google.com.
4.1.12. Optional (non-essential) analytical cookies: Yandex.Metrica and Google Analytics.
4.1.13. Data of operations performed by the User.
4.2. The Controller does not transfer personal data to third parties and recipients.
4.3. The storage period of personal data depending on the purposes and legal basis of processing and is defined in the table below:
4.4. Features of the personal data processing set forth in line 1 of the table provided for in clause 4.3:
4.4.1. The Controller obtains personal data directly from Users when they register on the Website or from Google and VK services, as detailed in clause 4.7 of the Policy.
4.4.2. The provision of personal data is a requirement necessary to enter into a contract.
4.4.3. The User is obliged to provide the personal data in order to gain access to the personal account on the Website and for further entering into a contract.
4.4.4. In case of failure to provide such data, the User will not be able to be identified, gain access to the personal account and enter into a contract with the Controller.
4.5. Features of the personal data processing set forth in line 2 of the table provided for in clause 4.3:
4.5.1. The Controller obtains personal data directly from Users when they complete the KYC verification in their personal account on the Website, as well as when the Users perform operations.
4.5.2. The provision of personal data is a statutory and contractual requirement.
4.5.3. The User is obliged to provide the personal data in accordance with the requirements of anti-money laundering and anti-terrorist financing legislation and for the conclusion and execution of the contract.
4.5.4. In case of failure to provide such data, the User will not be able to complete the KYC verification and enter into a contract with the Controller.
4.6. Features of the personal data processing set forth in line 3 of the table provided for in clause 4.3:
4.6.1. The Controller obtains personal data when the User visits the Website with their consent.
4.6.2. The provision of personal data is not a statutory and contractual requirement.
4.6.3. The User is not obliged to provide the personal data.
4.6.4. In case of failure to provide such data, certain features of the Website may not be available to the User, such as automatic language detection.
4.7. The controller may obtain personal data set forth in line 1 of the table provided for in clause 4.3 from the following third parties, each of which is a separate controller and receives data directly from Users:
4.7.1. VK – V KONTAKTE LIMITED LIABILITY COMPANY, OGRN 1227700045880 dated January 10, 2007, address: 1-N, bld. 12-14, Lit. A, Khersonskaya st., St. Petersburg, Russia, 191024, website https://vk.com, https://vk.ru.
4.7.2. Google – GOOGLE LIMITED LIABILITY COMPANY, registration number 3582691 dated October 22, 2002, address: Google, Google Data Protection Office, 1600 Amphitheatre Pkwy, Mountain View, California 94043, USA.
4.7.3. Personal data is obtained from third parties on the basis of agreements in accordance with the privacy policies developed and applied by such third parties.
4.7.4. All other personal data not covered by this clause may be obtained by the Controller exclusively from Users.
4.8. Except as expressly stated in the Policy, the Controller does not use any other sources of personal data, including publicly accessible sources.
4.9. When processing personal data, the Controller does not use automated decision-making, including profiling.
4.10. Registration via the Website and analytics using cookies are automated processing, but are not subject to the provisions of Article 22 of the GDPR.
4.11. The controller does not process special categories of personal data.
5. CROSS-BORDER TRANSFER
5.1. The Controller does not carry out and does not intend to carry out cross-border processing of personal data.
6. USER RIGHTS
6.1. Right of access to personal data:
6.1.1. The User has the right to obtain from the Controller information about the processing of their personal data, and the Controller is obliged to provide such information together with the information set out in the Policy, as well as a copy of the User's personal data being processed.
6.1.2. A request for access to personal data may be sent by email to the address referred to in clause 2.5 of the Policy.
6.1.3. The response to a request for access to personal data shall be provided by email within thirty days of receipt of such request from the User.
6.1.4. The period referred to in the previous sub-clause may be extended by a further thirty days in case of a complex request or a large number of requests.
6.2. Right to rectifiation personal data:
6.2.1. The User has the right to obtain from the Controller the rectification of inaccurate personal data.
6.2.2. The request for the rectification of personal data may be sent by e-mail to the referred to in clause 2.5 of the Policy.
6.2.3. The controller is obliged to rectify personal data without undue delay.
6.3. Right to erasure personal data («right to be forgotten»).
6.3.1. The User has the right to obtain from the Controller the erasure of personal data concerning him or her, and the Controller is obliged to execute the specified request if there are legal grounds set out in Article 17(1) GDPR.
6.3.2. A request for erasure of personal data may be sent by e-mail to the address referred to in clause 2.5 of the Policy.
6.3.3. The controller is obliged to erase personal data without undue delay.
6.4. Right to restriction of processing of personal data:
6.4.1. The User has the right to obtain from the Controller the restriction of processing of his or her personal data, and the Controller is obliged to execute the specified request if there are legal grounds established in Article 18(1) GDPR.
6.4.2. Where the Controller imposes a restriction on processing, personal data shall be processed in accordance with the requirements of Article 18(2) GDPR.
6.4.3. The request to restrict the processing of personal data may be sent by e-mail to the address referred to in clause 2.5 of the Policy.
6.4.4. The response to a request to restrict the processing of personal data shall be provided by email within thirty days of receipt of such a request from the User.
6.4.5. The period referred to in the previous sub-clause may be extended by a further thirty days in case of a complex request or a large number of requests.
6.5. Right to object to processing of personal data:
6.5.1. The User has the right to object to the Controller to the processing of his or her personal data, which is carried out on the ground of sub-clause 3.2.4 of the Policy.
6.5.2. The User may exercise such right by instantly unsubscribing by clicking the appropriate button in an e-mail containing marketing materials received from the Controller, or by sending an e-mail to the address referred to in clause 2.5 of the Policy.
6.5.3. If the right is exercised by sending an e-mail, the Controller's response to the objection to the processing of the User's personal data shall be provided within thirty days of receipt of such a request from the User.
6.5.4. The time limit referred to in the preceding sub-clause may be extended for a further thirty days in case of a complex request or a large number of requests.
6.6. Right to data portability:
6.6.1. The User has the right to obtain from the Controller the personal data concerning him or her, as referred to in sub-clauses 4.1.6 and 4.1.7 in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the Controller to which the personal data have been provided.
6.6.2. Requests for personal data may be sent by e-mail to the address referred to in clause 2.5 of the Policy.
6.6.3. The response to a request for personal data shall be provided by email within thirty days of receipt of such a request from the User.
6.6.4. The period referred to in the previous sub-clause may be extended by a further thirty days in the case of a complex request or a large number of requests.
6.7. Right to withdraw consent to the processing of personal data:
6.7.1. The User has the right to withdraw consent to the processing of personal data referred to in sub-clause 4.1.12 (cookies).
6.7.2. The right to withdraw consent to the processing of personal data is exercised by changing the settings for processing cookies through the banner available on the first visit to the Site or by clearing cookies in the User's browser.
6.7.3. The provisions of this clause do not apply to cookies not directly named in sub-clause 4.1.12, which cannot be disabled because they are mandatory and ensure the Website performance.
6.8. Right to lodge a complaint:
6.8.1. The User has the right to lodge a complaint with the authorized supervisory authority of the User's place of residence, the User's place of work or the place of alleged violation of the User's rights, if the User believes that the processing of personal data concerning the User violates the requirements of this Policy, GDPR, VDPI or other legislation.
6.8.2. Contacts for European Union supervisory authorities are available on the website of the European Data Protection Board (EDPB): https://edpb.europa.eu.
6.8.3. Contacts for the British Virgin Islands supervisory authorities are available on the British Virgin Islands Government website: https://bvi.gov.vg.
6.8.4. Contacts of supervisory authorities in other jurisdictions are determined in accordance with the requirements of the legal regulations governing the processing of personal data in such jurisdictions.
6.9. When Users exercise their rights under this section, the Controller shall have the right to request additional information from the User (e-mail address, telephone number or document) to verify their identity and protect them from abuse.
7. NOTIFICATION OF CHANGES
7.1. The Controller has the right to make changes to the Policy.
7.2. In case of material changes, the Controller undertakes to notify Users of this fact before such changes take effect in one of the following ways:
7.2.1. Publication of the relevant notice on the website.
7.2.2. Sending an appropriate notification to users' e-mail addresses.
7.2.3. In other ways not prohibited by law.
If you have any questions about the processing of personal data, you could contact us at: info@digiu.ai.
