PRIVACY POLICY
  1. General Provisions
  1. For Everprove Solutions Kft. (e-mail: support@everprove.com, company registration no.: 01-09-344699, hereinafter as: Operator) as Controller, a particularly important goal is to protect the personal data provided by visitors of the website www.everprove.com (hereinafter as: Website) which is operated by Operator, the persons who use the services of the Website (hereinafter: Creator User), furthermore the contracting parties defined by the users (hereinafter: Recipient User; Creator User and Recipient User hereinafter together: Users) in the course of using of the service by the Users, providing  the right of informational self-determination, which are provided by Operator according to this Policy.

The Website allows its Users to create documents, and to register the content of these documents onto the Everprove Ledger database. Following the Everprove Ledger registration, the Website creates a unique QR code for the registered document, which will enable the direct download of the document data later from the ledger. The specific content of the document may never be accessed on the public ledger without the individual QR code, as the data is written onto the ledger in a cryptographically secured format. The Website is managed from the territory and applicable law of Hungary.

Operator processes the personal data of the Users completely in accordance with the relevant laws in force which contributes to the secure internet access of the Users.

If the Operator processes the personal data of the Users privately, in accordance with the most strict legal requirements in force – especially the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (27 April 2016; hereinafter as: GDPR) – provides their security, takes all the necessary technical and organizational measures, furthermore forms those procedural rules, which are necessary to comply the relevant legal provisions and other recommendations.

GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. According to the definitions of GDPR as a main rule, Operator does not process the personal data on behalf of the controller and does not provide the means for processing personal data for such personal or household activities.

  1. This Policy summarizes those principles, which determine the policy and daily practice of Operator regarding the protection of personal data, presents those services, which requires the personal data of the Users, furthermore in this Policy Operator declares the purpose and the way it uses this kind of data and how it ensures the trust and protection of the personal data.
  1. Upon the request of the Users Operator is ready to provide full information on the processed personal data, the purpose, reasons and duration of processing, as well as on its activities relating to data processing.

The Operator exclusively processes the personal data where the recording is necessary to monetize the attendance of the Website, to practice its rights and fulfill its obligations in the existing legal relationship with Users, within this framework to communicate with them, furthermore to secure business in relation to the Users.

  1. The main definitions and principles regarding managing personal data
  1. Definitions
  1. Data processing: shall mean any operation or set of operations that is performed upon data, whether or not by automatic means, such as in particular collection, recording, organization, storage, adaptation or alteration, use, retrieval, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and blocking them from further use, photographing, sound and video recording, and the recording of physical attributes for identification purposes (such as fingerprints and palm prints, DNA samples and retinal images);
  1. Disclosure by transmission: shall mean making data available to a specific third party;
  1. Controller: shall mean the natural or legal person, or unincorporated body which alone or jointly with others determines the purposes of the processing of data, makes decisions regarding data processing (including the means) and implements such decisions itself or engages a data processor to execute them;
  1. Data subject: shall mean a natural person who has been identified by reference to specific personal data, or who can be identified, directly or indirectly
  1. Personal data: shall mean any information relating to the data subject, in particular by reference to his name, an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and any reference drawn from such information pertaining to the data subject;
  1. Personal data breach: unlawful process of personal data, especially unauthorized access, alteration, transmission, public disclosure, deletion or destruction, furthermore accidental deletion or damage.
  1. Profiling: shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
  1. Rendering anonymous: shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
  1. Principles
  1. Lawfulness, fairness and transparency

Personal data may be processed only for specified purposes, for the implementation of certain rights or obligations. The recording of personal data shall be done under the principle of lawfulness and fairness.

Personal data may be processed when the data subject has given his consent or when processing is necessary as decreed by law or by a local authority based on authorization conferred by law (hereinafter as “mandatory processing”).

  1. Purpose limitation

The purpose of processing must be satisfied in all stages of data processing operations.

  1. Data minimization

The personal data processed must be essential for the purpose of the data processing, and it must be suitable to achieve that purpose.

  1. Accuracy

The data controller shall carry out data operations in order to secure the accuracy (correctness) of the processed data.

  1. Storage limitation

Personal data may be processed to the extent and for the duration necessary to achieve its purpose.

Personal data shall be erased if processed unlawfully, so requested by the data subject, incomplete or inaccurate and it cannot be lawfully rectified, provided that erasure is not disallowed by statutory provision, the purpose of processing no longer exists or the legal time limit for storage has expired, so instructed by court order or by the competent authority.

  1. Integrity and confidentiality

Data must be protected by means of suitable measures against unauthorized access, alteration, transmission, public disclosure, deletion or destruction, as well as damage and accidental loss, and to ensure that stored data cannot be corrupted and rendered inaccessible due to any changes in or modification of the applied technique.

If the Users provide personal information to Operator, the Operator shall take all the necessary steps to ensure the security of these data - both at network communication (ie. online data processing) and at data storage and trust (ie. offline data processing).

  1. Accountability

The data subject may request from the data controller i) information when his personal data is being processed, ii) the rectification of his personal data, and iii) the erasure or blocking of his personal data, excluded the mandatory processing.

  1. Operator declares as a general principle, that in every case it requests personal information from the Users, the Users are entitled to freely decide whether or not to provide the requested information after reading and interpreting the required information text. However, it should be noted that if the User does not provide the personal information, that User will not be able to access the registration required services of the Website.

Operator respects the principles of data processing and endeavor to enforce them every time.

  1. The legal basis of the data processing

Operator processes the data set out at Chapter V. referring to the legal basis below.

III.1.         The legal basis of the data processing: the voluntary consent of the concerned person (Article 6. Section (1) Point a) of GDPR), processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6. Section (1) Points b) of GDPR), the lawful interest of the User and Operator (Article 6. Section (1) Points d) and f) of GDPR).

Users give their consent electronically by using the Website by checking the tick box during the process of the registration by Users affirmatively.

According the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the legality of the prior data processing. Users acknowledge that in case of the withdrawal of their consent, they will not be able to use the services any more, but the documents burned onto the public ledger via the Website previously will remain accessible furthermore, without time limitation, through the generated QR code.

  1. The purpose of the data processing

IV.1.        Operator processes the data set out in Chapter V. in order to (i) provide the services indicated in I.1 above; and to (ii) send direct marketing materials from Operator in connection with the services.

IV.2.        The Users can give their consent electronically separated for each purpose above, by using the Website while signing up, checking the tick box during the process of the registration by User affirmatively to Operator to (i) provide the services indicated in I.1 above; or (ii) contact them in subject of direct marketing or electronic advertisement (newsletter, e-mail) on the provided contacts. The consent can be withdrawn anytime without charges, limitations and justification furthermore the consent can be withdrawn as incidentally set out in the electronic advertisement.  The consent can be also withdrawn with a declaration posted to the registered office of the Operator. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the legality of the prior data processing.

        Users acknowledge that in case of the withdrawal of their consent in connection with the registrated e-mail address, they will not be able to use the services any more, but the documents they registered on the public blockchain previously will remain accessible furthermore, without time limitation, through the generated QR code. In case of the withdrawal of their consent in connection with the marketing materials only, they will remain able to use the services furthermore.

IV.3.        In every case where Operator intends to use the provided personal data for other purposes that the original purpose of the recording informs the User and receives its prior direct consent, furthermore provide possibility to prohibit the use.

  1. The subject of the data processing

V.1.        Uploading or creating documents on the Website requires registration. Registration requires Creator Users’ e-mail address.

Users acknowledge that Operator does not inspect the content of the uploaded / created documents, thus Operator does not processes any of the personal data contained by these documents.

V.2.        Users under age of 16

To process personal data of users under the age of 16 and to their declarations parental consent is necessary, excluding those parts of the service, where the declaration aims an order common in everyday life and does not requires any particular consideration.

For the validity of the registration by a minor does not require the consent or an ex post approval of the legal representative.

V.3.        The Operator does not collect sensitive data under any circumstances, which refers to personal data revealing racial origin or nationality, political opinions and any affiliation with political parties, religious or philosophical beliefs, health, pathological addictions, or criminal record.

V.4.        The personal and other data provided by Users to Operator, is not completed or linked to data or information from other sources by Operator.

V.5.        A few data of the User, like IP address are recorded in order of monetization the attendance of the Website and the identification of the incidentally bugs and cracks by Operator. These data are processed by Operator only for the necessary time-frame and not linked to those data which are suitable to identify the person of the User (Rendering anonymous). The managing of the data can be performed on foreign servers.

  1. The duration of the data processing
  1. The duration of the data processing:

Operator processes the personal data set out in Section V. for 3 years following the deletion of the registration.

  1. User is entitled to withdraw the consent to the data processing and to request the deletion of the data concerned by the data processing or to modify the data. According to the Article 7. Section (3) and Article 13 Section (2) Point c) of GDPR the withdrawal of the consent does not affect the legality of the prior data processing.

Users acknowledge that in case of the withdrawal of their consent in connection with the registrated e-mail address, they will not be able to use the services any more, but the documents they saved on the Website previously will be available furthermore, without time limitation, through the generated QR code. In case of the withdrawal of their consent in connection with the marketing materials only, they will remain able to use the services furthermore.

  1. Exercising the rights of the data subject
  1. In case if any User in accordance with Point VII.2., request the Operator to delete personal data from Operator’s database, Operator performs  this without any delays in the way that it deletes from its database the data prior declared by User.
  1. The request on deletion / to be forgotten can be filed in electronic way through the e-mail address at the Website or in paper format posted to the registered office of the Operator.

In case of request on deletion (withdraw of consent to data processing) the data managed by the Operator cannot be managed from the date of the receiving of the request.

In case of request to be forgotten the Operator shall delete from its database all the links with the lawfully managed data prior to the receiving of the request, the profile of the User and automatic decision.

Users acknowledge that in case of the withdrawal of their consent in connection with the registrated e-mail address, they will not be able to use the services any more, but the documents they burned onto the public ledger with the Website previously will be available furthermore, without time limitation, through the generated QR code. In case of the withdrawal of their consent in connection with the marketing materials only, they will remain able to use the services furthermore.

  1. In case if the managed data was changed, the User is entitled to request the modification of it in the database. The request on modification can be filed in electronic way through the e-mail address at the Website or in paper format posted to the registered office of the Operator.
  1. Personal data shall be blocked instead of deletion by Operator if so requested by the User, or if there are reasonable grounds to believe that erasure could affect the legitimate interests of the User. Blocked data shall be processed only for the purpose which prevented their erasure. Restricted data may be handled only with the consent of the User or the submission, validation or protection of legal claims, or the protection of other rights of a natural or legal person, or in the public interest (Right to Restriction of Data Processing).
  1. If the Operator refuses to comply with the User’s request for rectification, blocking or deletion, the factual or legal reasons on which the decision for refusing the request for rectification, blocking or erasure is based shall be communicated in writing within 25 days of receipt of the request. Where rectification, blocking or erasure is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the authority.
  1. The User shall have the right to object to processing of the related data:

a) if processing or disclosure is carried out solely for the purpose of discharging the Operator’s legal obligation or for enforcing the rights and legitimate interests of the controller, the recipient or a third party, unless processing is mandatory;

b) if personal data is used or disclosed for the purposes of direct marketing, public opinion polling or scientific research; and

c) in all other cases prescribed by law.

In the event of a User's objection, the Operator shall not be entitled to further data processing unless it proves that data processing is justified by compelling legitimate reasons that prevail over the interests and rights of the User or are related to the submission, validation or protection of legal claims.

Regarding the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest) instead of request of deletion / to be forgotten User is entitled to object to the processing of its data.

In the event of objection, the Operator shall investigate the cause of objection within the shortest possible time inside a 15 days period, adopt a decision as to merits and shall notify the User in writing of its decision.

  1. Users are entitled to request for information regarding the processing of their personal data. The request for information can be filed in electronic way through the e-mail address at the Website or in paper format posted to the registered office of the Operator.

Upon the User’s request the Operator shall provide information concerning the data relating to the User, the sources from where they were obtained, the purpose, grounds and duration of the processing, the name and address of the recipients and on every activities regarding the data processing.

Operator shall comply with requests for information and provide the information requested in an intelligible form within the shortest possible time but at latest in 25 days, in writing at the User’s request.

The information of the concerned person shall be provided free of charge for any category of data.

The Operator may refuse to provide information to the data subject in the cases defined by law. Where information is refused, the Operator shall inform the User in writing as to the legal provision serving grounds for refusal. Where information is refused, the Operator shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the competent authority.

  1. Data portability

According to 20. § of GDPR the User shall have the right to receive the provided data concerning User in a structured, commonly used and machine-readable format and have the right to transmit those data to another data manager.

In exercising his or her right to data portability pursuant to paragraph 1, the User shall have the right to have the personal data transmitted to another data manager, where technically feasible.

The request on data portability can be filed in electronic way through the e-mail address at the Website or in paper format posted to the registered office of the Operator.

If the Operator refuses to comply with the Users’s request on data portability, the factual or legal reasons of the refusal shall be communicated by Operator in writing within 30 days of receipt of the request. Where the request on data portability is refused, the data controller shall inform the data subject of the possibilities for seeking judicial remedy or lodging a complaint with the authority.

Regarding the data managed on the legal basis of Article 6. Paragraph (1) Points d) and f) (lawful interest) User is not entitled to the data portability.

  1. Data storage, process and forwarding

VIII.1.        Data storage

Operator stores the managed data on a storage based on virtual server.

Name of the storage provider: AMAZON WEB SERVICES EMEA SOCIÉTÉ À RESPONSABILITÉ LIMITÉE
Address of the storage provider: 38 AVENUE JOHN F. KENNEDY, L-1855 LUXEMBOURG
E-mail address of the storage provider: awsLUX-receivables-support@email.amazon.com

 

VIII.2.        Data process

To improve your experience on the site, we use technologies from third-parties. These technologies help us understand what’s working well and what needs to be improved on the site.

Google Analytics:

Our website uses Google Analytics, a service which transmits website traffic data to Google. Google Analytics does not identify individual users or associate your IP address with any other data held by Google. We use reports provided by Google Analytics to help us understand website traffic and webpage use. You can read more about this here. You can also read about how Google complies with GDPR.

Hotjar:

Hotjar helps us better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user. If you would like to read about how Hotjar complies with GDPR.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

Mailchimp:

We use Mailchimp's service to deliver you occasional email updates if you choose to opt-in for our newsletter. Mailchimp collects certain device and usage information using cookies and similar tracking technologies. This information is used to measure the performance of email campaigns and to provide analytics information. You may read Mailchimp's Privacy Policy for more information. Each of the emails we send contain an unsubscribe option if you wish to stop receiving promotional messages.

VIII.3.        Data forwarding

Operator does not forward any of the data to third party.

VIII.4.        Safeguards provided by the Operator

The Operator undertakes an unconditional and irrevocable obligation to ensure the protection of the personal data of the User. The Operator is responsible for ensuring the compliance of the partners involved in the further controlling and processing of personal data, thereby ensuring the required protection of personal data.

  1. Data security measures, Data Protection Officer

IX.1.        Data security measures

Regarding the processing of personal data provided by Users, the Operator shall act with utmost care. In the field of IT security, the Operator uses the most effective, most modern tools and procedures reasonably available.

Operator plans and implements the data processing operations to protect the privacy of the affected Users. Operator ensures the security of the data, and takes the technical and organizational measures and established the procedural rules to enforce the provisions of all privacy and data protection rules.

Electronic messages transmitted over the Internet independently from protocols (e-mail, web, ftp, etc.) are vulnerable to network threats that may lead to fraudulent activity or disclosure or modification of information. In order to protect such threats, the Operator shall take all precautionary measures that may be expected from it. Operator monitors the systems in order to capture all security dangers and provide evidence of any security incident. However, the Internet is not known - as is well known to the Users - to be 100 percent secure. The Operator shall not be liable for any damages caused by the unavoidable attacks carried out despite the expected maximum care.

VIII.2.        Data Protection Officer

Operator declares to not being obliged to have a data protection officer, therefore Operator does not have a data protection officer.

  1. Rendering anonymous, statistics

Operator may use the data for statistical purposes only after a rendering anonymous. The aggregated, statistical use of the data cannot be contained in any form the personal data of the User concerned, or any other identifiable data.

  1. Automatic decision making and profiling

The Operator does not use any automatic decision making or profiling.

  1. Consumer complaints

XII.1.        The customer service of Operator receives complaints and user inquiries related to the Operator's service on e-mail for this at the support@everprove.com email address.

Operator does not process personal data on any of the operated social media platforms, as Facebook Page (https://www.facebook.com/everprove/), Twitter account (https://twitter.com/everprove_app), and LinkedIn profile (https://www.linkedin.com/company/everprove), the User questions in posts / comment section does not considered as official complaints.

XII.2.        Users can make complaints in connection with the data processing based on this Policy at the competent data processing authority of Hong Kong, or their residence as well.

  1. Execution of official requests

XIII.1.        The Operator may be contacted by court, public prosecutor, investigating authority, offense authority, administrative authority, data protection commissioner or other authorities authorized by law in subject of information request, disclosure and handing over of data, furthermore providing documents.

XIII.2. The Operator - provided the authority has declared the exact purpose and the scope of the data - issues personal data only to the extent that it is indispensable to achieve the purpose of the request.

In case if you do not agree with the above, please do not use the Website.

If you have additional questions regarding data protection, please contact our colleague.

This Policy is public at the Website from the date below from which date it is effective.

Budapest, 8 April 2020