PRIVACY POLICY

FLARIE PRIVACY POLICY (2022:1)

1. GENERAL

1.1 Privacy and data protection are important to us at Flarie AB, reg. no 556856-2747 (“Flarie”, “we”, “us” or “our”). This privacy policy (“Privacy Policy”) aims to inform you about our processing of your personal data, and what rights you have as a data subject. Flarie’s processing of personal data is carried out in accordance with applicable legislation, including the general data protection regulation (“GDPR”).

1.2 This Privacy Policy (including all its appendices) applies to the personal data we may process in connection with (i) the use of any of our services, including for example, but not limited to, our webpage https://flarie.com/, our game manager tool “Flarie Studio” and our mobile software application “Flarie” (the “Services”, “Platform” or “App”), (ii) customer contracts and engagements, and (iii) business contacts and engagements.

1.3 In connection with your use of our Services and/or registering for a personal user account on our Platform or in our App, we will collect and process your personal data as a controller in accordance with this Privacy Policy. However, content in our Services is either made available directly by us or by a third-party associated with us (“Flarie Partner”). When accessing content made available directly or indirectly by a Flarie Partner, a separate privacy policy provided by such Flarie Partner will apply in addition to this Privacy Policy and such Flarie Partner, in connection with you accessing such content, will process your personal data as a controller for a separate individual purpose. Therefore, prior to accessing such content by a Flarie Partner in our Services, you will in each event be separately informed thereof by such Flarie Partner regarding the relevant Flarie Partner’s processing of your personal data. For the avoidance of doubt, Flarie Partners are each separately responsible, as controllers for their processing of your personal data. We have no control over, and assume no responsibility for the content, privacy policies, processing, or practices of any Flarie Partner.

1.4 Set forth below in this Privacy Policy is a general description of how we process your personal data, and the table in Appendix A sets out the details hereof including but not limited to the types of personal data as well as each separate processing activity conducted by us in relation to your personal data.

1.5 If you wish to receive additional information on the processing of your personal data, you are welcome to contact us at: privacy@flarie.com.


2. PERSONAL DATA WE PROCESS

2.1 Personal data refers to information which, directly or indirectly, may be associated with a living natural person.

2.2 We process the following main categories of personal data (i) contact information, (ii) identity and other regulatory information, (iii) matter and billing information, (iv) marketing preferences, (v) user related data and browsing and device usage information, and (vi) correspondence with customer services and feedback. The table in Appendix A, Section 2 therein, sets out the details of the categories and types of personal data we process as well as how such data is obtained by us.

2.3 We will not specifically ask you to provide us with special categories of personal data and will not process such personal data unless we have a legitimate interest to do so. Processing of personal data considered as special categories of personal data, is subject to special security measures, according to GDPR. Special categories of personal data are for example, but not limited to, racial or ethnic origins, sexual orientation, political opinions, religious beliefs etc. When using our Services, you may choose to provide us with any category of personal data. However, you hereby agree not to provide us with any special categories of personal data when using our Services.

2.4 The personal data that Flarie processes is either provided (i) directly by you in connection with your use of our Services, (ii) indirectly by you via your Facebook or Google account (subject to your selection), (iii) automatically through your use of our Services, or (iv) by the company which you represent (if applicable), and which uses our Services. We may also, if necessary subject to any of our purposes for the processing, collect personal data from private and public registers, publicly accessible sources as well as from public authorities.

2.5 You are responsible for any personal data obtained, published or shared with us (whether via the App, Platform or otherwise), including such personal data which you have obtained from a third party. You shall also be able to confirm that you have such third party’s consent to provide such personal data to us (if applicable).

2.6 Depending on the device you use when accessing our Services via our App, the App may request certain permissions that allow the application to access your personal data on your device. Permissions must always be granted by you before such information is accessed and processed by the App and include, but are not limited to, camera permission, precise location permission (continuous) and reminders permission. In order to revoke these permissions, we refer you to your device’s settings. Note that revoking such permissions might impact the proper functioning of the App and the Service.


3. PURPOSE AND LAWFUL BASIS FOR THE PROCESSING

3.1 We process personal data for various purposes. However, we must always have a lawful basis (i.e., a reason prescribed by law) for processing your personal data. The table in Appendix A, Section 3 therein, sets out the purpose for the processing of the relevant category of your personal data including the corresponding lawful basis thereto. 

3.2 We process personal data in accordance with this Privacy Policy (i) in order to fulfil our obligations in accordance with an agreement with you (or with the company which you represent, if applicable), (ii) in order to fulfil legal obligations pursuant to applicable legislation, (iii) if we have a legitimate interest to process the personal data, and/or (iv) if we have your consent to process your personal data. For some processing activities, more than one lawful basis may be applicable. 

3.3 If we process your personal data for any specific purpose which requires your consent under the GDPR, or any other legislation, we will obtain your consent in advance.

3.4 If we process personal data for any specific purpose upon which we have a legitimate interest, we always prior thereto and in each individual case conduct an assessment of balance of interests in order to for example evaluate whether our legitimate interest is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data in accordance with GDPR. We only process personal data based on our legitimate interest if we make the assessment that our legitimate interest is not overridden by the interests and rights of the relevant data subject.

4. SECURITY MEASURES

4.1 Personal data will always be processed confidentially and protected by appropriate security measures. Flarie ensures that companies that process and/or manage personal data on our behalf use a high level of security measures in order to protect your personal data. However, please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords you use to access our platforms safe.

4.2 If we are to process personal data in a way that is likely to result in a high risk to the rights and freedoms of natural persons, we will prior to such processing carry out an assessment according to the GDPR of the impact of the envisaged processing operations on the protection of personal data (data protection impact assessment). Such assessment will at least contain (i) a systematic description of the envisaged processing operations and the purposes of the processing, (ii) an assessment of the necessity and proportionality of the processing operations in relation to the purposes, (iii) an assessment of the risk to the rights and freedoms of the relevant data subjects, (iv) the envisaged security measures to address the risks and to ensure protection of personal data and demonstrate compliance with GDPR. We only use processes subject to a data protection impact assessment pursuant to the GDPR, that have been approved by us subject to such assessment as described herein. Such approved processes are monitored and reassessed continuously in accordance with our internal routines from time to time.


5. EXTERNAL PARTIES WE USE

5.1 We may disclose your personal data to external parties with whom we collaborate in order to perform our Service and/or conduct our business. We will always ensure that agreements are entered into with each such relevant party to whom we disclose your personal data in accordance with GDPR. We may also disclose your personal data when we have a legal obligation to do so, e.g., due to anti-money laundering legislation, tax legislation, court orders or requests from government authorities. 

5.2 Further details of the categories of external parties whom we disclose your personal data to, as well as the purpose and lawful basis in each such case are set out in Appendix B hereto. If you wish to receive any additional information on the disclosure of your personal data to such external parties, you are welcome to contact us at: privacy@flarie.com.


6. PROCESSING OF YOUR DATA OUTSIDE EU/EEA

6.1 In order to perform our Services and/or conduct our business, we may transfer and store personal data in countries outside the EU/EEA (“Third Countries”), in accordance with Appendix C hereto. Such transfer occurs when (i) we use a personal data processor established in a Third Country, or (ii) data is stored on a cloud service or a server based in a Third Country. 

6.2 When Flarie transfers personal data to Third Countries we will take reasonable legal, technical and organizational measures to ensure that your personal data is adequately protected, at the same level as it would have been within EU/EEA, through the use of relevant safeguards. However, even if we take such security measures as described herein, you acknowledge and agree that transfers and storing of personal data outside the EU/EEA area entail a risk that such personal data might not be protected at the same level as it would have been within EU/EEA. For the avoidance of doubt, such transfer as referred to herein will only include the type of personal data relevant for the purpose of the processing. 

6.3 Further details of the relevant safeguards used by us to protect the transfer of your personal data are set out in Appendix C. If you wish to receive any additional information on the transfer of your personal data to a Third Country, you are welcome to contact us at: privacy@flarie.com.


7. STORAGE AND DELETION OF PERSONAL DATA

7.1 Personal data will only be stored for a limited period of time and no longer than necessary in order for us to fulfil the purposes of the processing (see Appendix A, Section 3 therein), or for as long as we are required to store the information according to applicable legislation and relevant guidelines. This will depend on a number of factors, including for example (i) the laws and regulations that we are required to follow, (ii) whether we are in a legal or other type of dispute with each other or a third party, (iii) the type of information that we hold about you, and (iv) whether we are asked by you or a regulatory authority to keep your personal data for a valid reason. If processing of your personal data is no longer necessary, it will be erased in accordance with our erasure procedure from time to time. We make the assessment in each case regarding if we are entitled to store your data, which you can find more information about in Appendix A, Section 3 therein.

7.2 Depending on the relevant purpose of the processing of your personal data, we may store the data in accordance with what is specified in the below list in this Section. In the event that we are processing your personal data based on the legal obligations described below, we cannot delete the personal data even if you were to request such action. Should we no longer be required to save your personal data due to a legal obligation, we will make an assessment whether we are in need of the data in order to safeguard our interest in any legal or other type of dispute.

(i) Personal data processed as a result of an agreement between you and Flarie are stored during the term of the agreement and a maximum of ten (10) years thereafter due to statute of limitation.

(ii) Personal data we store as a result of applicable legislation such as anti-money laundering and accounting legislation are normally stored for five (5) and seven (7) years respectively.

(iii) Should we no longer have a legal obligation for the processing of the personal data, the data is stored as long as necessary in order to fulfil each applicable purpose of the processing (normally we erase or anonymise the personal data three (3) months thereafter), more information hereto is set out in Appendix A, Section 3 therein.

7.3 If Flarie is subject to liquidation or bankruptcy or if Flarie’s customer database is transferred to a third party conducting similar activities as Flarie, Flarie shall thereafter erase your personal data, provided however that Flarie is not required to store the information according to applicable legislation and relevant guidelines. If Flarie is subject to a merger, acquisition, reorganization or similar process, Flarie will continue the processing of your personal data pursuant to this Privacy Policy unless otherwise is specifically announced to you in connection with such process.


8. AUTOMATED DECISION MAKING AND PROFILING

8.1 Flarie conducts profiling of you when using our Services. “Profiling” means that we automate the processing of your personal data in order to determine certain characteristics, such as for example to analyse or predict your personal preferences, like what content we think is most relevant to you based on your user activity of our Services. At the same time, we compare your data with our other users of our Services, which have similar user activities of our Services as you. The purpose of Flarie’s profiling and the personal data of each such processing are further described in Appendix A, Section 3 therein. Profiling subject to these purposes does not have a significant effect on you.

8.2 We use profiling in order to (i) provide our adapted Services to you, which adjusts its content based on what we assume is more interesting to you, and the different functions in it, and (ii) provide an adapted marketing to you via our Platform as well as via external platforms (to which you may always object).

8.3 Flarie does not use such automated individual decision making which could entail legal effects concerning you or would have similar significant effect on you.

8.4 If you have any questions regarding our automated individual decision-making process, you may contact us at: privacy@flarie.com. You can always object to our profiling for marketing purposes by contacting us and we will thereafter cease such profiling for marketing purposes. You can also end our profiling for our Services by terminating the Services.


9. YOUR RIGHTS AS A DATA SUBJECT

9.1 Flarie is the controller for the processing of your personal data in accordance with this Privacy Policy, and as a data subject you have certain rights as regards your personal data. The rights are however not absolute, meaning that there are exceptions to some of the rights where we cannot proceed and fulfil your request. 

9.2 As a data subject, you have the following rights:

(i) Right to withdraw your consent – meaning that you have the right to at any time withdraw your consent where Flarie processes your personal data based on your consent by submitting a request in accordance with Section 9.6 below. In such event, we will no longer store or process your personal data for the relevant purpose;

(ii) Right to access – meaning that you have the right to request a confirmation of our processing of your personal data, to receive information about the processing, access the personal data in question, and the right to obtain a copy of your personal data. You will find more information about the right to access at the webpage of the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) (“IMY”);

(iii) Right to rectification – meaning that you have the right to have any incorrect personal data about you as a data subject corrected by us. You will find more information about the right to rectification at IMY’s webpage;

(iv) Right to erasure – meaning that you have the right to have your personal data erased under certain circumstances. This right is limited, and we may be obligated to save your personal data in accordance with applicable law. You will find more information about the right to erasure at IMY’s webpage;

(v) Right to object – meaning that you have the right to object to Flarie’s processing of your personal data under certain circumstances (for example you may object to processing of your personal data if we base such processing on our legitimate interest and you have the right at any time to object to Flarie’s processing of your personal data for direct marketing purposes etc.). You will find more information about the right to object at IMY’s webpage;

(vi) Right to restricted processing – meaning that you have the right to have Flarie restrict the processing of your personal data, but not delete it, if you find that the processing is in conflict with applicable law or that we no longer are in need of your personal data for a specific purpose. You will find more information about the right to restricted processing at IMY’s webpage; and

(vii) Right to data portability – meaning that you may request that Flarie provides you with a copy of your personal data we process in order to fulfil an agreement with you, or based on your consent, in order to (if it is technically feasible) transfer your personal data to another data controller. You will find more information about the right to data portability at IMY’s webpage.

9.3 If you feel that our processing of your personal data does not comply with GDPR, and applicable data protection legislation, you are entitled to lodge a complaint with the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten). You will find more information about your right to lodge a complaint at IMY’s webpage.

9.4 You may unsubscribe from our newsletters or similar communication at any time, by using your right to object in accordance with Section 9.2(v) above. In such event we will no longer store or process your personal data for such purposes, and we will cease to provide you with such marketing materials.

9.5 You have the right to object to automated individual decision making, including profiling, by us if the decision results in legal consequences or otherwise has similarly significant effects on you. See Section 8 for information about how Flarie uses automated individual decision making, including profiling. You will find more information about the right to object to an automated decision at IMY’s webpage.

9.6 Any requests by you as a data subject to us under this Privacy Policy shall be sent to us at: privacy@flarie.com. Requests will be handled as soon as possible, but no later than within one (1) month from the date which Flarie received the request.


10. CHILDREN

Our Services are directed to users being eighteen (18) years or older. However, children being thirteen (13) years and older may receive access to our Service provided that they have their legal guardian(s)’ consent to access our Services. We do not and will not knowingly collect information from any unsupervised person under the age of thirteen (13). In the event that the conditions in this Section 10 are not fulfilled or if you do not accept this Privacy Policy, you may not use the Service. If you are a legal guardian and learn that your child has submitted personal data to Flarie without your consent, we ask that you contact us on the address stated in Section 9.6 above so that you can exercise your rights to, inter alia, rectification or erasure.


11. LINKS TO THIRD PARTY SITES

Our Platform and App may contain links to third party sites. If you click on a third party link, you will be directed to that site. Note that these external sites are not operated by Flarie and, therefore, we strongly advise you to review the privacy policy of these websites. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third party sites or services.


12. ADS AND SPONSORED CONTENT

Flarie uses the content that you submit in our Services, including your personal data, in order to select and personalize the content and ads that we show you in our Services. However, in order to protect your privacy and personal data in accordance with this Privacy Policy, we will always use anonymized data when we are in contact with marketing agencies and similar third parties.


13. COOKIES

Flarie and our partners may use cookies and similar technologies on the Platform as well as in the App for the purpose of providing and updating its Service and to improve the user experience. For information on how Flarie uses cookies and similar technologies, we refer to our Cookie Policy. The latest version of the Cookie Policy will always be available on the Platform as well as in the App and we advise you to review the Cookie Policy periodically for any changes.


14. AMENDMENTS AND ADDITIONS

Flarie has the right to amend this Privacy Policy from time to time without giving prior notice to such change. Should any change affect the processing of personal data, which is based on your consent, Flarie shall collect a new consent from you regarding such processing. The latest version will always be available on the Platform as well as in the App and we advise you to review the Privacy Policy periodically for any changes.


15. CONTACT DETAILS

Flarie AB, registered at the Swedish Companies Registration Office, with registration number 556856-2747, has its head office at Hornsgatan 24, 118 20 Stockholm, Sweden.

Flarie has a customer service team which administers privacy and data protection enquiries. You can reach our team at privacy@flarie.com.

Flarie complies with Swedish data protection laws. For more information about Flarie please visit our website (https://flarie.com).



Appendix A – Details of our Processing of your Personal Data

1. This Appendix A is a description of the details of our processing of personal data and applies if you:

(i) are a customer or prospective customer to us;

(ii) are a representative and/or employee of a customer or prospective customer to us;

(iii) are a user of our Services, Platform and/or App or are otherwise affected by our Services; and/or

(iv) have subscribed to receive our newsletter, receive other communication from us and/or attend our events.

2. The personal data we process, attributable to the data subjects listed above herein, falls into the following main categories: (i) contact information, (ii) identity and other regulatory information, (iii) matter and billing information, (iv) marketing preferences, (v) user related data and browsing and device usage information, and (vi) correspondence with customer services and feedback. The table below sets out the specifics regarding the type of data of each such main category as well as how we will obtain it.

PURPOSE
TREATMENT
CATEGORY OF PERSONAL DATA

Contact Information

• name (first and last name)
• address
• e-mail address
• phone number
• place of work (if representing an organization)
• job title (if representing an organization)
• organization contact information (if representing an organization)

• provided by you
• provided by your organization (if representing an organization)
• obtained by us from publicly available resources

Identity and other regulatory information

• personal identity number 

• provided by you 
• provided by your organization (if representing an organization)
• obtained by us from publicly available resources

Service account information

• login details to your personal account on the Platform (i.e., your username and password)
• login details to your organization’s user account on the Platform (if representing an organization)
• Facebook profile (upon your selection)
• profile picture
• age
• gender
• other information you choose to upload in the Service about yourself (including correspondence with other users if applicable)

• provided by you 
• provided by your organization (if representing an organization)
• provided by Facebook or Google (upon your selection)

Marketing preferences

• your chosen marketing communications preferences

• provided by you
• obtained by us from publicly available social media platforms such as LinkedIn, Facebook etc.

User related data and browsing and device usage information

• device information (including for example IP-address, language settings, webpage settings, advertising ID from iOS and Android, mobile connection, operation system, platform, screen resolution, and similar information regarding your device settings)
• user related data automatically generated when using our Platform / App, including data that you post or upload in the Services (i.e., information regarding your use of our Services, what games you have played / opened, your scores, how many times you played a specific game on our Platform, category of games you are interested in / have played, communication with other users of our Services etc.)
• location information (if activated by you in the App)

• provided by you directly
• provided by you indirectly and automatically when using our Services (i.e. from your device)

Correspondence with customer services and feedback

• recorded phone calls, chat conversations, and/or e-mail correspondence with us
• correspondence and feedback from you regarding the Service

• provided by you directly or indirectly upon your contact with our customer service team
• provided by you directly


3. We process personal data in accordance with this Privacy Policy for the purposes and on the lawful basis as specified in the following table. 

PURPOSE
TREATMENT
CATEGORY OF PERSONAL DATA
LEGAL BASIS
STORAGE PERIOD

Administer and perform our Services in accordance with an agreement with you as a user of our Platform.

• Entering into agreements with you regarding the provision of our Service (i.e. our terms of use of the Service)
• Controlling your identity and age
• Establishing you as a user of our Services
• Providing you with a personal user account in our Services
• Giving you access to the content and features in our Services (including providing you with specific content based on your profile - profiling)
• Other treatments related to any of the above items

• all categories mentioned in the table in Appendix A, Section 2 

Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to create a relationship with you.

Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you (Article 6(1)(b) GDPR). You will find the agreement / the terms of the use of the Service at flarie.com/terms.

During the term of the agreement with you. When we no longer have a legal basis (i.e., if we no longer have a legitimate interest or if the agreement is terminated) or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time.

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Administrating and performing our Service in accordance with agreements with our customers, Flarie Partners and other business partners.

• Entering, preparing and negotiating customer agreements with you / your organization regarding the provision of our Service 
• Entering, preparing and negotiating partner agreements with you / your organization
• Establishing you / your organization as a client in our systems
• Administering payment of fees from you / your organization
• Administering claims with respect to our Services or business

• all categories mentioned in the table in Appendix A, Section 2

Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to create a relationship with you.

Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to a separate agreement with you / your organization (Article 6(1)(b) GDPR).

During the term of the agreement with you / your organization. When we no longer have a legal basis (i.e., if we no longer have a legitimate interest or if the agreement is terminated) or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Adapting the content in the Services based on your preferences or profile. (This treatment may include profiling, for more information about profiling see Section 8.)

• Customize content / games in the Services (including the Platform and App) based on what we think is most relevant to you

• age, gender, address
• Service account information
• user related data and browsing and device usage information

• Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you (Article 6(1)(b) GDPR). You will find the agreement / the terms of the use of the Service at flarie.com/terms.

During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time.

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Communicating with you in order to administer and perform our Services and our business, including providing you with information (not marketing) in an electronic format.

• Responding to your / your organization’s queries regarding our Services or our business
• Identifying you / your organization
• Resolving any complaints or disputes with you / your organization

• all categories mentioned in the table in Appendix A, Section 2

Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with you / your organization (Article 6(1)(b) GDPR).

During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Sending newsletters, information, offers and marketing of our Services on our internal platforms as well as on external platforms. (This may include profiling, for more information regarding profiling see Section 8 of the Privacy Policy, and transfer of your data to external marketing service providers in accordance with Appendix B, Section (v) therein.)

• Determine what marketing we are to provide you with (including profiling)
• Sending newsletters to you / your organization
• Provide you / your organization with offers relating to our products, Services, systems etc.
• Provide you / your organization with information relating to our Services, products, systems etc.

• name, age, gender
• user related data and browsing and device usage information
• Service account information
• contact information (e.g., address, e-mail address, phone number)
• job title (if representing an organisation)

Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to carry out our interest to market our Services, provide you with information, offers etc. (which you at any time may object to). We ensure that the processing is necessary in order to fulfil the interest and that such interest overrules your rights not to have your data processed for this purpose.

Consent – we will obtain your express consent to provide you with newsletters, offers etc. if required by us pursuant to applicable marketing legislation. You may withdraw your consent to such processing. More information about your rights as a data subject is set out in Section 9.

During the term of the agreement with you / your organisation or when you inform us that you no longer have an interest in this type of processing or withdraw your consent (if applicable). 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Fulfilling our legal obligations, striving to prevent crime, investigating whether a crime has been committed towards us, and safeguarding our interests in a dispute.

• Control that users of our Services comply with the terms of our Service (including applicable legislation)
• Complying with our obligations according to applicable laws and regulations, court and/or official decisions (e.g., Tax Act, Accounting Act, Money Laundering and Terrorist Financing (Prevention) Act, etc.)
• Prevent, report or investigate fraud and other illegal activities
• Prevent, control and report unauthorized use of the Services, phishing, spam, other activities not allowed according to our terms of use for the Service
• Improvements of our IT environment in order to prevent fraud and attacks

• all categories mentioned in the table in Appendix A, Section 2

Fulfilling a legal obligation – necessary pursuant to applicable law (Article 6(1)(c) GDPR) e.g., Tax Act, Accounting Act, Terrorist Financing (Prevention) Act. If the relevant personal data is not processed by us, we cannot fulfil our legal obligations.

Legitimate interest (if the above is not applicable) – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to prevent abuse or misuse of our Service, prevent and investigate crimes towards us and safeguard our interests in the event of a dispute.

During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Evaluating and improving our Services, business, and systems (including analysing web traffic and keeping track of user behaviour).

• Anonymizing your personal data as necessary in order to obtain the purpose of the processing hereunder
• Adapting our Services and systems in order to make them more customer friendly and improve the user experience
• Preparing data and reports for the purpose of improving our Services, assortment, policies, operations, etc.
• Give our customers the opportunity to influence our Services, systems, assortment, etc.

• all categories mentioned in the table in Appendix A, Section 2

Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to fulfil our interest of evaluating and improving our Services, business, systems, assortment, etc. We ensure the processing hereunder is necessary to achieve the purpose and our interest overrules your right not to have your data processed for this purpose. By anonymizing data concerning you, we also ensure that we use personal data to an extent as minimal as possible. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15).

During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Administering and performing a merger, acquisition, reorganization, reconstruction, asset transfer (including our customer database) or similar processes where we and/or our customer database is the target, meaning that we may share your data with external parties according to Section (iv) in Appendix B (i.e., potential buyers of the business or assets).

• Carrying out a merger, acquisition, reorganization, asset transfer (including our customer database)
• Fulfilling an agreement with a counterparty (providing similar activities as Flarie) in such process
• Ensuring the counterparty in such process continues the processing of your personal data for the same purposes and in the same way as described in this Privacy Policy (unless otherwise is announced to you)

• all categories mentioned in the table in Appendix A, Section 2

Legitimate interest – we have in an assessment (in accordance with Article 6(1)(f) GDPR) determined that the processing is necessary in order to facilitate an acquisition or reorganization process. I.e., we have assessed that our interest to do so is overridden by your legitimate interests and rights of not having the data processed. However, such transfer of your personal data requires that the overtaking party is conducting similar activities as Flarie. We make sure that the processing this entails is necessary in order to fulfil the relevant interest. You have a right to object to this type of processing, due to circumstances in each relevant case. If you prefer more information about how the assessment has been made, you can always contact us (see our contact details in Section 15).

During the time we have the data in our systems, for example to fulfil the agreement with you or in order to fulfil a legal obligation. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Transfer your personal data to suppliers, sub-suppliers, professional advisors and authorities (the purpose varies depending on the recipient, see the relevant Sections in Appendix B)

• Transferring your personal data to our suppliers, sub-suppliers, professional advisors and authorities

• all categories mentioned in the table in Appendix A, Section 2

Varies depending on the relevant external party (see Appendix B for more details hereto).

During the term of the agreement with you. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.

Transfer of your personal data (if you are a representative of an organization) to accounting service providers, payment service providers and other financial institutions (see Section (vi), in Appendix B)

• Administer payments of fees from your organization regarding your organization’s order of our Service

• contact information (such as name and e-mail address)
• job title 

Fulfilment of an agreement – the processing is necessary in order to fulfil our obligations pursuant to an agreement with your organization (Article 6(1)(b) GDPR).

Primarily when the purchase is initiated and performed but also during the period we have your data in our systems. When we no longer have a legal basis or a legal obligation to process your personal data, we will delete or anonymise the personal data that we process for the relevant purpose in accordance with our internal routines from time to time. 

More information regarding our rights and obligations to save your personal data is set out in Section 7.


APPENDIX B – EXTERNAL PARTIES WE USE

(i) External parties with whom we collaborate in order to provide the Service

Description of the external parties: Suppliers and sub-suppliers are organisations that process the personal data they receive from us on our behalf (i.e. personal data processors). Examples of such suppliers are software and data storage providers, email providers, analysis system providers, website service providers, other IT services providers and business consultants.

Purpose and legal basis: We need access to the services and functionalities from other organisations that we cannot provide ourselves in order to provide our Services (including the Platform and App). We have a legitimate interest to get access to these services and functionalities and we ensure that the processing this entails is necessary in order to fulfil the interest in question. In this case, our interests have been deemed overruled by individuals’ interests of not having their data processed. You always have a right to object to such processing due to circumstances in each relevant case, and you will find more information about your rights hereto in Section 9 in the Privacy Policy.

(ii) Authorities

Description of the external parties: We may have to provide necessary information to authorities such as the Police, Tax Agency, and other authorities and courts.

Purpose and legal basis: Provision of your personal data to authorities will be made if we have a legal requirement to do so and in certain cases if you ask for it, if it is necessary in order to administer tax deductions, prevent crimes etc. Depending on the authority and purpose, the legal basis is (i) a legal obligation, (ii) fulfilment of an agreement with you / your organisation, or (iii) a legitimate interest to protect ourselves from crimes or unauthorized use of our Services.

(iii) Professional advisors

Description of the external parties: We may have to provide necessary information to our professional advisors (such as legal and financial advisors and other experts).

Purpose and legal basis: Provision of your personal data to such advisors or experts is made when we are in need of legal or financial advice. Depending on the purpose, the legal basis is (i) legitimate interest to examine our legal obligations, (ii) legitimate interest to protect ourselves from crimes, (iii) legitimate interest to protect ourselves in a dispute, or (iv) fulfilment of an agreement with you / your organisation.

(iv) Potential buyer of Flarie’s business or assets

Description of the external parties: Should Flarie or its shareholders wish to sell the business or assets, Flarie may have to provide your personal data to a potential buyer in such transaction. Personal data of Flarie’s users or customers may have to be transferred in the event an essential segment of Flarie’s assets is purchased by a third party buyer.

Purpose and legal basis: We have a legitimate interest of being able to perform transactions of our business or assets and we make sure that the processing of your personal data such transaction may entail is necessary in order to fulfil the interest in question. In this case, our interests have been deemed overruled by individuals’ interests of not having their data processed. You always have a right to object to such processing due to circumstances in each relevant case, and you will find more information about your rights hereto in Section 9 of the Privacy Policy.

(v) Marketing service providers

Description of the external parties: We use marketing service providers in order to conduct direct marketing and marketing campaigns of our Services on our internal platforms as well as external platforms, provided that you have given your express consent to receive such marketing from us.

Purpose and legal basis: Provision of your personal data to such marketing service providers is made when you have provided your consent to receive marketing and newsletters from us. You always have a right to withdraw your consent to such processing, and you will find more information about your rights hereto in Section 9 of the Privacy Policy.

(vi) Accounting service providers, payment service providers and other financial institutions

Description of the external parties: External parties that provide their services to us in order to (i) carry out and administer payments from our clients (organizations), as well as (ii) assist us with our accounting obligations. If you represent an organization that is a client to us, we may share your name, job title, and e-mail address with such external parties, if necessary.

Purpose and legal basis: We need access to the services and functionalities from such external parties in order to administer payments from our clients (organizations) as well as to perform our accounting obligations. Some payment service providers also collect and use your personal data independently in accordance with their own data protection information. The legal basis is to fulfil an agreement with the organization which you represent.


APPENDIX C – THIRD COUNTRY TRANSFERS

Subject to Section 6 in the Privacy Policy, we transfer personal data to the following Third Countries (i.e., countries outside the EU/EEA), based on the referred to appropriate safeguard pursuant to GDPR:

(i) England – the country is subject to an adequacy decision pursuant to GDPR Article 45 and we therefore do not take any further steps pursuant to GDPR Article 45 specifically, other than continuously monitoring that the adequacy decision remains valid;

(ii) United States of America – the country is not subject to an adequacy decision by the European Commission pursuant to GDPR Article 45; we therefore rely on standard contractual clauses approved by the European Commission pursuant to GDPR Article 46 as the transfer tool, and furthermore take the additional steps listed below.

If a potential transfer of personal data to any of the countries referred to above in this Appendix C can neither be lawfully based on an adequacy decision nor any of the exceptions in GDPR Article 49, we always take the following additional steps prior to such transfer to ensure compliance with EU level of protection of personal data:

(i) make an assessment whether the transfer tool we rely on is effective in practice (in light of the law in the relevant third country);

(ii) adopt supplementary security measures which we have deemed effective for the set of transfers to the specific Third Country, such as, for example but not limited to, (i) contractual measures, (ii) organizational measures, and/or (iii) encryption or pseudonymisation of the personal data;

(iii) conduct any identified procedural steps (if applicable); and

(iv) continuously monitor developments in the relevant third country and re-evaluate the initial assessment and decisions for the transfer to the relevant country accordingly.


If you wish to receive any additional information on the transfer of your personal data to a Third Country, you are welcome to contact us at any time. Our contact details can be found in Section 15 in the Privacy Policy.