Newsletter sign up

Subscribe

Logo

// 01

Terms and Conditions

 

This Data Protection Policy (also referred to as the “DPP”) shall be read in conjunction with the General Terms and Conditions (the “GTC”), the respective Product Specific Terms (the “PST”), and the Privacy Policy (the “PP”) of Theia Ltd located at www.theia.me. Unless otherwise defined in this DPP, capitalised terms shall have the meaning attributed to them in the GTCs and/or PSTs respectively.

Any reference to “you, your, yours” shall refer to the Data Subject whose personal data is being processed by Theia Ltd in accordance with the GTCs, PSTs, PP and this DPP.

I. NAME AND ADDRESS OF CONTROLLER

The controller, in accordance with the General Data Protection Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and other national data protection laws of the member states as well as other data protection regulations, is: Theia Ltd 11, Agias Zonis street, SAFEBRIDGE TOWER, Agia Zoni, 3027, Limassol, Cyprus info@theea.me www.theea.me

II. DATA PROTECTION OFFICER 

accordance with the provisions of Article 37 of the GDPR Theia Ltd (the “Controller”) is not currently under an obligation to appoint a Data Protection Officer (“DPO”). The Controller shall proceed with the immediate appointment of a DPO upon change of the current status of its obligations under GDPR and inform you without undue delay.

III. RIGHTS OF THE DATA SUBJECT 

If your personal data is processed by the Controller, you are affected within the meaning of the GDPR and you are entitled to the following rights:

1. Right to information

1.1. You can ask the Controller to confirm whether personal data concerning you has been or will be processed; and, if such processing has taken place, you can request the following information from the Controller:

1.1.1. the purpose of processing of your personal data;

1.1.2. the categories of personal data being processed;

1.1.3. the individual recipients or categories of recipients to whom the personal data have been or continue to be disclosed;

1.1.4. the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage time;

1.1.5. the existence of a right to have personal data concerning you rectified or deleted; of a right to restrict the processing of personal data by the Controller; of a right of objection to processing; or of a right to withdraw consent at any time;

1.1.6. the existence of a right of complaint to a supervisory authority;

1.1.7. any available information on the origin of the data if the personal data are not collected from the person concerned;

1.1.8. the existence of automated decision-making, including profiling in accordance with Art. 22 Paragraphs 1 and 4 GDPR and - at least in such cases - sound information on the logic involved as well as the scope and intended effects of such processing for the person concerned.

1.2. Further to the above, you have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of appropriate guarantees according to Art. 46 GDPR related to the transmission. 

2. Right to rectification

2.1. You have a right of rectification and/or completion of personal data if the personal data processed concerning you are incorrect or incomplete. Upon exercising this right, the Controller shall make correction without undue undelay.

3. Right to restriction of processing 3.1. You can request the restriction of the processing of personal data concerning you under the following conditions:

3.1.1. you contest the accuracy of personal data concerning you; this will result to the restriction of processing of personal data for a period of time that enables the Controller to verify the accuracy of the personal data;

3.1.2. the processing is unlawful and you oppose to the erasure of the personal data and request that the processing of the personal data be restricted instead;

3.1.3. the Controller no longer needs the personal data for the purposes of the processing; however, you do need them to establish, exercise or defend legal claims; or

3.1.4. if you have objected to processing pursuant to Art. 21.1 GDPR and you request restriction of processing pending the verification whether the legitimate grounds of the controller override your reasons.

3.2. Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims and/or for the protection of the rights of another natural or legal person and/or for reasons of important public interest of the Union or of a Member State.

3.3. If the restriction of processing has been restricted according to the above conditions, you shall be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

4.1. Obligation to delete: You shall have the right to obtain from the Controller the erasure of personal data concerning you without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

4.1.1. the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or

4.1.2. you withdraw the consent on which the processing is based, pursuant to Article 6.1(a) or Article 9.2(a) GDPR, and there is no other legal ground for the processing; or

4.1.3. you object to the processing pursuant to Article 21.1 GDPR and there are no overriding legitimate grounds for the processing; or you object to the processing pursuant to Article 21.2 GDPR; or

4.1.4. the personal data concerning you have been unlawfully processed; or

4.1.5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or

4.1.6. the personal data have been collected to offer ‘information society services’ as referred to in Article 8.1 GDPR.

4.2. Information to third parties: Where the controller has made the personal data related to you public and is obliged pursuant to Article 17.1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you, as person concerned, have requested the erasure of any links to, or copy or replication of, those personal data.

4.3. Exceptions: The right to erasure shall not apply to the extent that processing is necessary:

4.3.1. for exercising the right of freedom of expression and information;

4.3.2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

4.3.3. for reasons of public interest in the area of public health in accordance with Article 9.2(h) and (i) as well as Article 9.3 GDPR;

4.3.4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89.1 GDPR, in so far as the right referred to in Section 4.1 of this document is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

4.3.5. for the establishment, exercise or defence of legal claims.

5. Right to notification

5.1. If you have exercised your right against the controller to have the processing corrected, deleted or restricted, the Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

5.2. The Controller shall inform you about those recipients if you request it.

6. Right to data portability

6.1. You shall have the right to receive the personal data concerning you and which you have provided to a controller, in a structured, commonly used and machine-readable format. Further you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

6.1.1. the processing is based on consent pursuant to Article 6.1(a) or Article 9.2(a) GDPR or on a contract pursuant to Article 6.1(b); and

6.1.2. the processing is carried out by automated means.

6.2. In exercising this right, you shall also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The right shall not be exercised if it adversely affects the rights and freedoms of others.

6.3. The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7. Right to object

7.1. You shall have the right to object to the processing of your personal data, being processed in accordance with the provisions (e) or (f) of Article 6.1 GDPR, at any time on grounds relating to your particular situation, which includes profiling based on those provisions.

7.2. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedom or the processing serves as the assertion, exercise or defence of legal claims.

7.3. Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to the processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

7.4. Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

7.5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications. 8. Right to revoke the data protection declaration of consent

8.1. You are entitled to revoke your consent to the contents of this data protection declaration at any time. The revocation of consent shall not affect the legality of the processing carried out on the basis of your consent until revocation.

9. Automated individual decision-making, including profiling

9.1. You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision:

9.1.1. is necessary for entering into, or the performance of, a contract between you and the controller; or

9.1.2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedom and legitimate interests; or 9.1.3. is based on your explicit consent.

9.2. These decisions shall not be based on special categories of personal data referred in Article 9.1 GDPR, unless provisions (a) or (g) of Article 9.2 GDPR apply and suitable measures to safeguard your rights and freedom and legitimate interests are in place.

9.3. In the cases referred to in 9.1 and 9.3, the controller shall implement suitable measures to safeguard your rights and freedom and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

10.1. Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

10.2. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art.78 GDPR.

IV. GENERAL INFORMATION ON DATA PROCESSING

1. Scope of processing of personal data

1.1. We only process personal data of users if this is necessary to provide a functional website as well as our Service(s) and functionality of our Application(s). The processing of personal data of our users takes place only after the express consent of the user. An exception applies in those cases where prior consent cannot be obtained and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

2.1. Provided we obtain the consent of the data subject for the processing of personal data, Art.6.1(a) GDPR serves as the legal basis.

2.2. For the processing of personal data required for the performance of a contract to which the data subject is a party, Article 6.1(b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

2.3. Insofar as the processing of personal data is required to fulfil a legal obligation to which our company is subject, Article 6.1(c) GDPR serves as the legal basis.

2.4. In the event that vital interests of the data subject or another natural person require the processing of personal data, Article 6.1(d) GDPR serves as the legal basis.

2.5. If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Article 6.1(f) GDPR serves as the legal basis for processing. 2.6. If processing is necessary to protect a legitimate interest of the controller or a third party and if the interests, fundamental rights and freedom of the data subject do not outweigh the former interest, Article 6.1(f) GDPR serves as the legal basis for processing.

3. Data erasure and storage time

3.1. The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage ceases to apply. Furthermore, data may be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

V. PROVISION OF WEBSITE AND CREATION OF LOG FILES

1. Description and scope of data processing

1.1. Every time our website is visited, our system automatically collects data and information from the computer system of the calling computer.

1.2. The following data is visible through the use of third-party services and tools (Google):

1.2.1. Information about the browser type and version used

1.2.2. The user's operating system

1.2.3. The internet service provider of the user

1.2.4. The IP address of the user

1.2.5. Date and time of access

1.2.6. Websites from which the user's system reaches our website

1.2.7. Websites accessed by the user's system via our website

1.3. These data are currently not stored in the log files of our system.

2. Legal basis for data processing 2.1. The legal basis for the temporary storage of data and log files is Article 6.1(f) GDPR.

3. Purpose of data processing

3.1. The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. In addition, the data serve us to optimise the website and to ensure the security of our information technology systems. These data are currently not stored in the log files of our system. An evaluation of the data for marketing purposes does not take place in this context.

3.2. Our legitimate interest in data processing for this purpose is in accordance with Article 6.1(f) GDPR.

4. Duration of storage

4.1. The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected.

5. Possibility of objection and erasure

5.1. The collection of data for the provision of the website and the storage of data in log files is necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

VI. REGISTRATION

1. Description and scope of data processing

1.1. Registration and, by extent, access to our Service(s) and/or our Application(s) is effected with the creation of an End-User Account as provided in the registration process of each respective Service and/or Application. The required data is entered into an input mask, transmitted to us and saved accordingly. Alternatively, registration may be effected through the use of an existing account of the End-User with a third-party platform (i.e. facebook). Registration data will not be passed on to third parties. The following data is collected during the registration process:

1.1.1. Profile photo

1.1.2. Full name

1.1.3. Date of birth

1.1.4. E-mail

1.2. The End-User's consent to the processing of this data is obtained in the course of the registration process.

2. Legal basis for data processing 2.1. The legal basis for the processing of data collected upon registration is Article 6.1(a) GDPR provided that the End-User has given his consent. If registration serves the fulfilment of a contract to which the End-User is a party or the implementation of pre-contractual measures, the additional legal basis for the processing of the data is Article 6.1(b) GDPR.

3. Purpose of data processing

3.1. A registration of the End-User is necessary for the fulfilment of a contract with the End-User or for the implementation of pre-contractual measures.

4. Duration of storage

4.1. The data will be deleted upon receiving a request for deletion via e-mail or through the applicable process available through any of the Application(s), as soon as they are no longer necessary to achieve the purpose of their collection. This is the case for personal data collected during the registration process, for the performance of a contract or for the execution of pre-contractual measures, if the data is no longer required for the execution of the contract. Even after conclusion of the contract, it may still be necessary to store personal data of the contracting party in order to fulfil contractual or legal obligations.

5. Possibility of objection and erasure

5.1. As a user of our Service(s) and/or our Application(s) End-User has the option to cancel the registration at any time and/or change certain data stored about you at any time.

VII. APPLICATIONS AND SERVICES

1. Description and scope of data processing

1.1. During the use of the Applications and/or Services we may, where applicable, collect the following information either automatically or by user-input: 1.1.1. OS details (operating system and version)

1.1.2. User sessions (login timestamp, logout timestamp, activity time)

1.1.3. User activity (photos/videos uploaded, participation in challenges)

1.1.4. User preferences (followed tags, followed people)

2. Legal basis for data processing

2.1. The legal basis for the collection and processing of data collected when using the Application(s) and Service(s) serves the fulfilment of a contract to which the End-User is a party, therefore the legal basis for the processing of the data is Article 6.1(b) GDPR.

2.2. Where 2.1 hereinabove is not applicable, the legal basis for the processing of the data is Article 6.1(a) GDPR, provided that the user has given his consent.

3. Purpose of data processing

3.1. Collecting information of the End-User’s operating system and/or user sessions and/or user activity and/or user preferences:

3.1.1. is necessary for the provision of the Services and, by extent, the fulfilment of a contract with the End-User;

3.1.2. helps to enhance the user experience; and

3.1.3. helps with the production of anonymous statistical data.

4. Duration of storage

4.1. The data will be deleted upon receiving a request for deletion via e-mail or through the applicable process available through any of the Application(s), as soon as they are no longer necessary to achieve the purpose of their collection. For personal data collected for the performance of a contract, this is the case if the data is no longer required for the fulfilment of the contract. Even after conclusion of the contract, it may still be necessary to store certain personal data of the contracting party to fulfil contractual or legal obligations.

5. Possibility of objection and erasure

5.1. As a user of our Service(s) and/or our Application(s) End-User has the option to change and/or delete certain data stored about you at any time.

VIII. CONTACT FORM AND EMAIL CONTACT

1. Description and scope of data processing

1.1. There is a contact form on our website which can be used for electronic contact. If a user takes advantage of this possibility, the data entered in the input mask will be transmitted to us and stored. The data are:

1.1.1. E-mail address

1.1.2. Surname

1.1.3. First name

1.2. At the time the message is sent, the following data may also be stored: IP address of the user.

1.3. Your consent is obtained for the processing of the data within the scope of the sending process and reference is made to this data protection declaration. Alternatively, you can contact us via the email address provided. In this case, the user's personal data transmitted by e-mail will be stored. In this context, the data will not be passed on to third parties. The data is used exclusively for processing the conversation and/or correspondence.

2. Legal basis for data processing

2.1. The legal basis for the processing of the data is Article 6.1(a) GDPR provided that the user has given his consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Article 6.1(f) GDPR. If the e-mail contact aims at the conclusion of a contract, then the additional legal basis for the processing is Article 6.1(b) GDPR.

3. Purpose of data processing

3.1. The processing of the personal data from the input mask serves us only for the treatment of the establishment of contact. If you contact us by e-mail, we have a legitimate interest in the processing of your data. Other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

4.1. The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. With regards to personal data from the input mask of the contact form and those sent by email, the purpose of collection is achieved when the respective conversation with the user is finished. The conversation is terminated when it can be inferred from the circumstances that the facts in question have been finally clarified.

4.2. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

5. Possibility of objection and erasure

5.1. The user has the possibility to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he can object to the storage of his personal data at any time. In such a case, the conversation cannot be continued. In this case, all personal data stored in the course of contacting us will be deleted.

Theia Ltd Data Protection Policy (“DPP”) V.1.0 Update: 21/12/2020

// 02

Contact Get In Touch

Support|Partnerships

Große Bleichen 21, 20354 Hamburg, Germany
Find us on Google Maps  

+49 (40) 55 56 57 9 – 15

contact@challenge.today

Close