CONTROLLER
Sublimity is the controller of the processing operations described in this privacy statement, except where otherwise indicated for a specific processing operation.
PURPOSES OF PROCESSING
Sublimity may process your personal data for the following purposes:
● to enable the use and basic security of our app;
● to receive and make use of the services that we provide to you, which shall include providing your personal data to third party suppliers in order to enter into agreements with them and receive their services;
● to examine how our app is being used, so that we can make improvements where necessary;
● to communicate with you if you contact us;
● to document the agreements and arrangements we made with you;
● to keep records of business transactions in our financial administration;
● to be able to inform you about our business and about products that we offer; and/or
● to be able to transfer our company (including goodwill / customer base) in case of a merger, a takeover or relaunch.
LEGAL GROUNDS FOR PROCESSING AND RETENTION PERIODS
If you are visiting or using our app, use our services or contact us, there are certain personal data that we
need to process about you, in order to be able to respond and provide our services to you. These are
processing operations that we do on the grounds of Article 6 Paragraph 1 (b) and (c) of the GDPR.
If you visit or use our app, we process:
● Your device’s IP address
If you wish to enquire into and/or use our services, we process:
● Name
● Your contact details
● Your communications with us
● Other information that is required by the relevant third party supplier in order to execute and
deliver its services to you
If you reach out to us with questions, comments or requests:
● Name
● Your contact details (according to your choice of communication channel)
● Your communications with us
The personal data contained in our financial records, for instance:
● Your name, address, city and country of residence
● The amounts we charged to you
● The dates on which we have charged amounts to you
● The type of products or services to which the amounts charged relate, so that the correct VAT rate can be determined
● Contact details
● Communications and agreements that pertain to sale of products or services Providing us with these personal data is a prerequisite for entering into a contract with us and us being able to provide our services to you, within the meaning of in Article 13 (2) (e) of the GDPR. We cannot show you our app, provide our services to you and/or communicate with you without processing these personal data.
SHARING OF PERSONAL DATA
We may share your personal data with third parties in the following cases. For some parts of our business activities, we use service providers outside our own organization. If these service providers process personal data for us, they are – in the terms of the GDPR – our “processors”. In such cases, we conclude a processor’s agreement with them, as referred to in article 28 paragraph 3 GDPR. We use the following types of processors:
● Third party suppliers and/or service providers which engage with you directly for the provision of the services and/or delivery of goods
● A provider of software-as-a-service and cloud storage for our email and general office work
● Providers of cloud-based tools for reimbursement of work-related costs and organizing extra benefits for our employees
● Social networking media and a webhosting service for presenting our company online It may happen that a processor collects personal data directly from data subjects on our behalf. In such cases, we instruct our processor to collect only the personal data that is necessary for the provision of the services we have agreed with that processor. If you provide additional personal data to one of our processors (more than is necessary for the service they provide to us), please be aware that you do so of your own volition; in such a case, we are not the controller of those additional personal data. 2 / 5 We chose our processors with care, paying particular attention to data security. We selected providers who help us process personal data within the EEA as much as possible. Nevertheless, it must be noted that our processors may be based in the USA or have parent companies in the USA. Our processor’s agreements with these processors include the Standard Contractual Clauses most recently ratified by the European Commission, in order to safeguard your privacy when we transfer personal data to these processors.
Retention periods Communications:
We save these until they are no longer relevant. When that is, exactly, depends on the subject of the communications. If communications have a legal or financial component, we may be obliged by law to keep them in our records for 10 years after the communications lose their topicality. The retention period for the personal data we process for our financial administration is: ten (10) years after the data has lost its topicality. This means that billing data is destroyed in the eleventh fiscal year after the billing has taken place. If we have an ongoing contract with you or your company, under which we charge, we will retain a copy of that contract for our tax data retention obligations for ten years after the contract ends. In some cases, we may retain the personal data that we mentioned above for a longer period. This is the case if we have reason to believe that retaining the data is necessary for the protection of our legal position in case of a dispute, or if we are required by law to retain certain data for a longer period. For more information about longer retention of personal data in such cases, please refer to the paragraph about ‘legitimate interest’ in this privacy statement.
The Standard Contractual Clauses in themselves cannot always prevent that the USA government may
take access to personal data processed by companies who are subject to legislation like the CLOUD Act
and/or FISA 702. Before contracting with our processors, we assessed the risk of USA legislation being
used to access personal data that we might store with them, and we concluded that the risk is small
enough to decide to use these processors. Nevertheless, we want to warn you: if it is very important to
you that there is zero risk of your personal data being involved in surveillance or investigative actions by
the USA government, you should refrain from applying for a job with us or otherwise sending us your
personal data.
DATA SHARING BASED ON A LEGAL OBLIGATION OR LEGITIMATE INTEREST
Sometimes we are obliged by law to share your personal data with third parties. For example:
● If the police or any other investigative service, the tax authority, a governmental body or any other authority lawfully request personal data from us;
● If a private party has a legitimate claim to receive or access your personal data on the basis of a judicial authorization. If we receive a request from third party to share your personal data with them, we will inform you of this, unless informing you is not permitted by law. We may share your personal data with third parties such as our accountant, lawyer and/or a bailiff, a detective agency, cyber security experts or other types of researchers and/or the police if this is reasonably necessary:
● to keep our financial and fiscal records in accordance with the law;
● to protect rights, property or the safety of our organization, our employees, our customers or the public;
● to protect our organization, our employees, our customers or the public from fraudulent or otherwise unlawful, inappropriate or offensive use of our products, our property or our services;
● to respond to a (current or imminent) liability or other (current or imminent) legal consequences. If we share your personal data on this basis, we will inform you about it if we can. We cannot inform you about sharing your personal data if doing so might interfere with the purpose and effectiveness of the investigation or other measures for which we have to share the data.
AUTOMATIC DECISION-MAKING AND/OR PROFILING
Sublimity does not make use of automated decision-making or profiling that will produce any legal effects or that might otherwise significantly affect you. Please note that if you consent to the use of tracking and marketing cookies on our website, some profiling may happen for the purpose of personalizing content to your preferences. Also, please be aware that if you visit our pages on networking media (LinkedIn, Facebook or such), those media may take their own actions to track you and perhaps engage in profiling. Such actions are not in our control. Please inform yourself about the privacy policy of any third party media where you may want to look us up.
TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
We process personal data within the EEA as much as we can. Even when we use processors who are based outside of the EEA, we choose regionalized settings to keep our data on servers in the EEA wherever we can. If we have to process personal data outside the EEA, we will try to this in a country that offers an adequate level of personal data protection within the meaning of Article 45 GDPR. If we would ever need to process personal data in a country that is not covered by an adequacy decision within the meaning of Article 45 GDPR, we will make use of standard contractual clauses made or ratified by the European Commission (within the meaning of Article 46 paragraph 2 under c and d), to ensure that our processor offers adequate safeguards for your privacy. We already explained this further in the paragraph about sharing your personal data with our processors.
THIRD PARTY WEBSITES AND SERVICES
Our website or app may link to websites of other companies, or include links to online services by other parties. If you decide to visit websites or services by other companies, the data processing policies of that other company applies. Sublimity is not the controller for personal data processed by third party websites or services. Be sure to inform yourself about the applicable data processing policies on such websites or services before you decide to provide your personal data through them. Sublimity is active on certain social media, like Facebook and LinkedIn. If you visit our pages there, or contact us through such media, the companies behind those media may also process certain information about you. Sublimity is not the controller for personal data processed by such social media. Please be sure to inform yourself about the applicable data processing policies on social media before you use them to visit or contact us.
SECURITY OF YOUR PERSONAL DATA
Sublimity takes the appropriate technical and organizational measures to secure your personal data. We will ensure that our measures are appropriately updated to remain in line with the state of the art regarding data security. Currently, we apply (at least) the following types of security measures:
● We have taken physical measures in our business premises to ensure that unauthorized persons cannot access our documents, workstations and servers
● Our company regulations contain behavioral rules to prevent unauthorized access to and/or loss of personal data
● All our employees are contractually bound to confidentiality
● We use SSL (Secure Socket Layer) technology where appropriate to encrypt sensitive information and personal data (such as account passwords and other identifying information) during transmission
● Sensitive information is stored in encrypted form, in so far as is reasonably possible within our company’s activities
● Back-ups of personal data are made to the reasonably possible extent
● Vulnerabilities in our software are always addressed as quickly as possible Insofar as we use the services of third parties, who act on our behalf as processors of personal data, these processors are contractually obliged to take appropriate technical and organizational measures to protect the personal data. Although we do our best to ensure good security, we must point out that absolute security when storing personal data and sending data over the Internet can never be guaranteed.
YOUR RIGHTS
For all processing operations that we carry out on the basis of your consent, you have the right to withdraw your consent at any time. We will then discontinue the processing operations in question. Please note that the processing operations that already took place on the basis of your granted consent will not become unlawful with retroactive effect. You have the right to object against processing operations that we carry out on the basis of a legitimate interest, on grounds relating to your particular situation. In all cases, you have the right to request access to the personal data we process about you, the right to have inaccuracies in your personal data corrected (‘right to rectification’) and the right to have your personal data erased if their processing is not/no longer based on a valid legal ground. If there is no longer a valid legal ground for our processing of your personal data, but you do not want to have the data removed immediately, you can also make use of the right to ‘restriction of processing’. Restriction of processing means that we retain your personal data for you, but do not use it for any other purpose. In some cases, you may have the right to data portability. Data portability means that you can receive your personal data from us in a structured, commonly used and machine-readable format, or have it transferred to a new service provider (where technically feasible). This right only applies to personal data that you have provided directly to us and that we process on the basis of your consent, or because it is necessary for the performance of our contract with you.
Your right to lodge a formal complaint
If you are dissatisfied with anything related to our processing of your personal data, please discuss it with us so that we can try to resolve it. You can contact us for this purpose using the contact details below. If we are unable to resolve your objection within a reasonable period of time, you have the right to lodge a complaint with the supervisory authority for the protection of personal data, either:
● In the EU member state where you live or habitually reside
● In the EU member state where you work
● In one of the EU member states where Sublimity has its offices (the Netherlands)
Contact us about your privacy
For questions or comments on our processing of personal data, or to exercise your rights, please contact us at:
privacy@sublimitylifestyle.com Updates to this privacy statement Our privacy statement may be changed or updated from time to time. We can do this unilaterally, by amending this page.
This document was last updated on 09-09-2024 (version v1.0).