ERNIEAPP LIMITED - PRIVACY AND COOKIES POLICY
Last updated: May 31st 2023
Dear User,
As Data Controller, ErnieApp Ltd. (“ErnieApp” or the “Data Controller”) acknowledges the importance of personal data protection and considers privacy and data protection as one of the main objectives of its business.
Before you (the “end-user”) disclose any personal data to the Data Controller, we encourage you to carefully read this Privacy Policy as it includes important information about your privacy, personal data protection, and the security measures taken to ensure confidentiality in compliance with the applicable legislation. This Privacy Policy:
· shall refer to the mobile Application for Android and iOS devices and the web dashboard made available by ErnieApp (hereinafter “Application”) and managed by the Data Controller; and
· this Policy does not apply to websites that may be consulted through external links.
· this Policy is written pursuant to Article 13 of the General Data Protection Regulation ("GDPR") (and other applicable data protection law) for the information of users interacting with the Application;
The Data Controller informs you that the processing of your Personal Data will be based on the principles of fairness, lawfulness, transparency and the protection of your privacy and your rights. Your personal information will therefore be processed in accordance with the provisions of the GDPR and the confidentiality obligations provided for therein (and other applicable data protection law).
SUMMARY
This Privacy Policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We may use your personal data on the following legal bases: (i) where you have given us your express consent; (ii) to perform a contract with you; (iii) for our legitimate business purposes; and/or (iv) to comply with legal and regulatory requirements.
Registering for an ErnieApp account on our Application, use of your account and/or accepting the terms of this Privacy Policy indicates that you have reviewed the terms of the Privacy Policy and have understood it.
In this Privacy Policy the term "Personal Data" means data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, our possession, and includes personal data as described in GDPR or applicable data protection law.
Below a summary of the contents of this Privacy Policy is provided so that you can easily find information regarding the processing of your Personal Data.
1. DATA CONTROLLER AND DATA PROCESSOR
2. PERSONAL DATA SUBJECT TO PROCESSING
a. REST API connection logs
b. Data provided by end user
c. Information collected through third-party services
3. PURPOSES OF THE PROCESSING AND OBLIGATORY OR VOLUNTARY DISCLOSURE OF DATA
4. PROCESSING AND SECURITY DATA PROCESSING
5. COMMUNICATION AND DISSEMINATION
6. YOUR RIGHTS
7. AMENDMENTS
8. HOW TO CONTACT US
By accessing and using the Application, your Personal Data may be processed. The details of the Data Controller are as follows: ErnieApp Ltd (registration number 595950), with its registered office at 88 Harcourt Street, Dublin 2, D02 DK18 (Ireland).
Your Personal Data may be processed by employees and/or third parties retained and or employed by the Data Controller, belonging to the administrative, commercial, legal, accounting departments or IT administrators, or service providers, depending on the processing activity, and who act under the authority of the Data Controller and who have received appropriate operating instructions pursuant to Articles 28 and 29 of the GDPR or applicable data protection law.
The list of data processors may be requested by sending an email to:
The Application's operation involves the use of computer systems and software procedures, which collects information about the Application's users as part of their routine operation. While ErnieApp does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information is also considered Personal Data.
This information includes several parameters related to the operating system run by your device and its IT environment, including your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier) addresses of resources you request on the Application, the time of requests made, the method used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.) and device properties (including manufacturer, model, OS version, size of the screen in inches, screen resolution of the device). Device properties are collected when the user completes the registration process, and are kept updated whenever the end-user interacts with the Application.
This data is used to compile anonymous, statistical information on the use of the Application, as well as to ensure its correct operation and identify any faults and/or abuse of the Application – the data is deleted immediately after processing, unless it must be used to identify responsible parties in the event of cybercrime committed which harms the Application or third parties.
To perform the required services, ErnieApp collects certain end-user details and in particular the username of the account that the end-user has on 3rd party digital services ("Third Party Accounts") only and if the end-user has decided to upload and configure in the ErnieApp dashboard those Third Party Accounts and until when the Third Party Account is added in the web dashboard of the Application.
To access the features offered by the Application, and which are reserved to the registered end-users only, registration to the service is required. This is done by setting up an ErnieApp account which consists of a user identifier (email), a unique user generated password, friend referral code (optional) and the confirmation of being over 16 years of age. This data-set is kept safely in ErnieApp's database and stored on our (or our contracted third party) secure servers.
The Application supports, for registered users, Operating System enabled (optional) device based biometric authentication (fingerprint / facial recognition depending on user’s device model). Biometric sensor enabling can be allowed and withdrawn anytime by the user and it’s device specific. Biometric information remains encrypted on the user's device and are not collected/viewed or stored by the Application. Should the user decide not to enable the biometric sensor the system pass code (PIN) authentication will apply by default. Should the user not have the PIN system pass code set up on the device, the Application will prompt the user to create a PIN system passcode.
The Application supports, for registered users, an optional password saving functionality (‘the vault”). The vault is offered to registered users subscribing to certain premium service plans (as determined by the Data Controller from time to time), as a secure memory space on device to save and encrypt the passwords used to authenticate on the Third-Party accounts. The vault is user authentication protected. Only the user can access the vault and save/make changes to passwords (update/delete passwords). The vault is protected by encryption techniques and built upon the technical requirements provided by the third-party Operating Systems. The Application cannot view or change the user Third-Party Accounts passwords in the vault. Should a user decide to unlink any of the Third-Party accounts configured in the web dashboard of the Application, the passwords of the Third- Party Accounts will remain stored in the vault until the user accesses the vault and deletes the password manually. Should the user decide to delete his/her ErnieApp account, any Third-Party Account configured, including saved passwords in vault, will be automatically deleted from the system on the device on which the user performs the ErnieApp account deletion. However, as the password vault is device specific, the user will have to manually delete the Third-Party Account passwords that he / she may have stored on any other device ‘vault’ if the user is using the Application on multiple devices, including of different Operating Systems. We recommend to the user who wishes to delete the ErnieApp account to proceed first with deletion of the passwords in any vault the user might have activated and then to delete the ErnieApp account from the in-app “delete my account’ option under Profile. By doing so the user will automatically request to the system the deletion execution of any personal data from the system.
Where Ernie’s are purchased, we will also process some transaction history information (such as how many Ernie's were purchased).
If you are under the age of 16 you should not use the Application or the Services. We are not responsible for checking your age but reserve the right to do verification checks, if necessary, in the future, to comply with applicable law and/or internal ErnieApp policies. Any relevant personal data that we receive will only be collected for the purpose of complying with policies, laws and/or regulations and will not be shared with any 3rd party at any time, except with public enforcement or judicial or regulatory authorities where duly requested or required in compliance with applicable laws and regulations.
To provide the core services offered by the Application, which include, but which may change from time to time: (i) ErnieApp user profile management, (ii) computation of your Openness Index, and (iii) user profile PKM configuration, including permissions required to change privacy settings and /or activate in-app value added services, the end-user shall, as prompted by the Application, provide valid access credentials for each of the Third-Party Accounts which the end-user has voluntarily added to the Application dashboard. With reference to Third-Party Account credentials (eg Gmail account), ErnieApp collects and stores the UID (username) but doesn't collect any authentication credential or password. To perform the read/write functions (open/close/delete/view), the Application leverages session cookies that are stored encrypted (with current state-of-the-art encryption algorithms) only on the end-user's device.
Such data will be processed in full compliance with data protection regulations. Failure to provide such data will prevent end-users enjoying ErnieApp core features and services. The end-user is responsible for the correctness of the data provided within the ErnieApp account profile.
Personal data under this privacy policy is stored for the time necessary to render the service and also for longer periods subsequent to the termination of the service if retention is required by law or for other legitimate purposes such as ErnieApp defence, or in the case of a legitimate interest of the data controller or third parties.
If you participate in the ErnieApp Game please note that we collect all end-user responses to the quizzes, including which response the end-user gave and when (date and time) the response was provided. We collect the responses for the purpose of maintaining the game progression status, perform statistical analysis and calculating the award of Ernie’s as part of the ErnieApp Game.
With the release of the 4.1.0 Application, we will introduce the Partner Activation Code support (‘PAC’). This is a solution through which the end-user can rely on to activate, without redeeming Ernie’s, a premium plan for a pre-defined period thank to a Third-Party Sponsor having a commercial agreement with ErnieApp (usually one year period but it can vary from partner to partner based on ErnieApp commercial agreements). The Application functioning and or how the system may process your personal data is not affected by the introduction of the PAC. PACs are one-time codes which identify the Sponsor and can only be used once by the end-user. Only the sponsor controls the distribution of PACS to targets. The download of the Application and the ErnieApp account registration will continue to be required to access the services offered by ErnieApp and ErnieApp will continue to act as data controller and data processor.
Cookies and similar technologies are information that applications record and/or read on your devices. In general, these technologies allow its owners to analyse applications usage in order to avoid malfunctions and improve user experience. It is thanks to these cookies that those websites can "remember" your actions and preferences (e.g., login data, language, font size, other display settings, etc.), so that you do not need to configure them again when you next visit the website, or when you change pages within a website. In a few cases, some of the services provided to ErnieApp by third parties may result in third party access to personal data and other information stored on your device, even for purposes other than the provision of such services to ErnieApp (see reference to third party providers (including Google Play and Apple App Store below).
In detail, the third-party services used by the Application are Firebase and Amazon, AWS, Apple App Store and Google Play Store (which are used to send to the Data Controller data related to the usage of the Application).
For information on the processing of your data by third parties listed in this Privacy Policy, and if you wish to oppose such processing, we invite you to consult their privacy policies and to activate the opt-out mechanisms offered by the third parties. The following section lists the links to information on third-party technologies:
· Firebase https://firebase.google.com/terms/
· Amazon AWS https://aws.amazon.com/privacy/
· Apple App Store https://www.apple.com/legal/privacy/data/en/app-store/
· Google Play Store https://policies.google.com/privacy
The data you provide through the Application voluntarily or that are collected through it, will be processed by the Data Controller for the following purposes:
a) Purposes concerning the provision of the services requested (including but not limited to: requests for information, account set up, account configuration including permissions levels on 3rd party application and or at device level (where applicable), computation of Ernie’s users metrics, playing the ErnieApp Education Game, the operation of any prize draws, facilitation of any in-app purchases, activation of the PAC plans, resolution of issues related to the Application, sending of generic and or personalized "recommendation" to the User on his usage of the Application, push notifications for non-commercial/technical/administrative purposes etc.)
Providing your data for the aforementioned purpose is necessary for the purposes of receiving services through the Application. Failure to provide such data may render it impossible for the Application to provide the required functionalities. We generally rely on the lawful bases of performance of our contract with you or our legitimate interests (or those of a third party) to the use of your Personal Data, and any other data that we may collect or collate, for the purposes of us providing ErnieApp services to you as referred to above. We may also undertake such processing where you provide your consent.
b) Purpose of statistical research/analysis on aggregated or anonymous data – where it is not possible to identify the user - to measure the functioning of the Application, measure traffic, and evaluate usability and interest.
GDPR does not apply to processing activities with respect to aggregated or anonymous data. Notwithstanding the foregoing, ErnieApp will carry out such activities in its legitimate interest.
c) Purpose of fulfilling the obligations laid down by law, regulation or Community law.
The processing of your data for the aforementioned purpose (c) is mandatory. Any failure to process such data would not allow the Data Controller to comply with the obligations laid down by law, regulation or Community legislation.
Your Personal Data is processed by the Data Controller - or by third parties specifically selected for their reliability and competence and appointed as data processors – in order to carry out the purposes indicated above, by electronic means, for the time strictly necessary to carry out the purposes for which they were collected.
Specific technical and organizational measures are observed to prevent data loss, misuse or incorrect use, and unauthorized access, in compliance with Article 32 GDPR.
Your Personal Data may be processed by entities external to the Data Controller, whose activity is necessary and functional for providing the functionalities of the Application and the management of our business.
Your Personal Data may also be shared with third parties such as:
a) Persons, companies or professional firms that provide assistance and advice to the Data Controller, who in certain circumstances may be appointed as Data Processors;
b) Persons, entities or authorities to whom the disclosure of your Personal Data is mandatory under statutory provisions or orders of the competent authorities;
c) Subjects and/or entities delegated and/or appointed by the Data Controller to carry out activities strictly related to the pursuit of the above-mentioned purposes (including technical maintenance on systems), who in certain circumstances may be appointed as Data Processors.
d) Business partners, such as independent Data Controllers, for their own purposes, including commercial purposes. In that case, you will be required to provide specific consent.
e) Third parties to whom we may choose to sell, transfer or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your Personal Data in the same way as set out in this Privacy Policy.
Your Personal Data shall not be disseminated by the Data Controller, save as provided for in this Privacy Policy, without your express consent.
We do not generally transfer your Personal Data outside of the UK / EEA. In the event that your Personal Data is transferred outside of the UK / EEA, we will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Policy. We shall ensure safeguards are in place with regard to the transfer of your Personal Data outside of the UK / EEA, in compliance with the requirements of applicable data protection law.
As a data subject you have rights under data protection legislation and we, as Data Controller, will comply with such rights in respect of your Personal Data.
Right of access to Personal Data relating to you.
You have the right to request access to the Personal Data we hold about you. This right enables you to receive a copy of your Personal Data and certain information about the way we use your Personal Data.
Requests for your Personal Data must be made to us (see 'How to Contact Us' below) specifying what Personal Data you need access to, and a copy of such request may be kept by us for our legitimate purposes in managing the Application. To help us find the information easily, please give us as much information as possible about the type of information you would like to see. If, to comply with your request, we would have to disclose information relating to or identifying another person, we may need to obtain the consent of that person, if possible. If we cannot obtain consent, we may need to withhold that information or edit the data to remove the identity of that person, if possible.
Right to update your Personal Data or correct any mistakes in your Personal Data
You can require us to correct any mistakes in your Personal Data which we hold free of charge. If you would like to do this, please:
email or write to us (see 'How to Contact Us’ below);
let us have enough information to identify you (e.g. name, registration details); and
let us know the information that is incorrect and what it should be replaced with.
It is your responsibility that all of the Personal Data provided to us is accurate and complete. If any information you have given us changes, please let us know as soon as possible (see 'How To Contact Us' below).
Right to ask us to stop contacting you with direct communication
We undertake direct communication by:
· push notification and in app notification (users can opt-out by clicking "OFF" on the Profile switch); and
· email communication (users can unsubscribe as per below).
We have a legitimate interest to send you direct communications in connection with the Service and related matters (which may include but shall not be limited to news updates, announcement of new features, services and settings, referrals information, PAC Partners, etc.). We may also ask you different questions for different services, including competitions. We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
You can ask us to stop contacting you for direct communication purposes. If you would like to do this, please:
· You can click on the 'unsubscribe' button at the bottom of the electronic communication (as applicable)
· You can put to OFF the system push-notification switch.
We will provide you with information on action taken on a request to stop direct communication - this may be in the form of a response email confirming that you have 'unsubscribed'. Unsubscribing from direct communication does not unsubscribe you from essential electronic communications in respect of the administration of Your Account.
If we wish to send you direct marketing with respect to a third party's products or services we will seek your express consent to such actions.
Please note that if you ask us to stop contacting you for direct marketing purposes, we may still need to send you direct communications relating to important information you need to know as part of your relationship with us (i.e., service messages), as these are not direct marketing communications. If you turn to OFF system push notifications then you will not be able to receive this information.
Right to restrict or prevent processing of Personal Data
In accordance with GDPR, you may request that we stop processing your Personal Data temporarily if:
· you do not think that your Personal Data is accurate (but we will start processing again once we have checked and confirmed that it is accurate);
· the processing is unlawful, but you do not want us to erase your Personal Data;
· we no longer need the Personal Data for our processing; or
· you have objected to processing because you believe that your interests should override the basis upon which we process your Personal Data.
If you exercise your right to restrict us from processing your Personal Data, we will continue to process the Personal Data if:
· you consent to such processing.
· the processing is necessary for the exercise or defence of legal claims.
· the processing is necessary for the protection of the rights of other individuals or legal persons; or
· the processing is necessary for public interest reasons.
Right to data portability
In accordance with data protection legislation, you may ask for an electronic copy of your Personal Data that you have provided to us and which we hold electronically, or for us to provide this directly to another party. This right only applies to Personal Data that you have provided to us – it does not extend to data generated by us. In addition, the right to data portability also only applies where:
· the processing is based on your consent or for the performance of a contract; and
· the processing is carried out by automated means.
Right to erasure
In accordance with GDPR you have the right to require the erasure of your Personal Data.
ErnieApp allows you to effectively erase your Personal Data by deleting your ErnieApp account in the Application. In your Profile you can click on 'Delete Account’ and confirm that you wish to delete your account. Please be aware that deleting your Personal Data and your account will result in the loss of any Ernie’s s that you may have accrued and/or purchased at the time of deletion of your account as well as the status reached in the Game.
We may continue to process your Personal Data in certain circumstances in accordance with data protection legislation (e.g., where we have a legal justification to continue to hold such Personal Data, such as it being within our legitimate business interest to do so (e.g., retaining evidence of billing information etc.). Where you have requested the erasure of your Personal Data, we will inform recipients to whom that Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort.
Withdrawal of Consent
If you no longer consent to our processing of your Personal Data (in respect of any matter referred to in this Privacy Policy as requiring your consent) you may delete your Personal Data by deleting your ErnieApp account as referred to above. Please note that if you withdraw your consent to such processing, it may not be possible for us to provide all or part of our services to you.
Right to complain to the Data Protection Commissioner
If you do not think that we have processed your Personal Data in accordance with this Privacy Policy, please contact us in the first instance. If you are not satisfied, you can complain to the Irish Data Protection Commissioner or exercise any of your other rights pursuant to data protection legislation. Information about how to do this is available on the DPC website at https://www.dataprotection.ie
ErnieApp may change its Privacy Policy from time to time and at ErnieApp sole discretion. These changes and updates to the Privacy Policy shall be notified to users on the Data Controller website home page as soon as they are introduced and will be binding as soon as they are published on the Application. We therefore invite you to regularly visit this section to get to know the most recent and updated version of this Privacy Policy so that you are always updated on the information we collect and on how we use it. We will not process your Personal Data in a manner not contemplated by this Privacy Policy without your consent.
If you wish to receive any information on the processing of your Personal Data by the Data Controller, please send an email to: privacy@ernieapp.com or you can send physical mail to our registered office at:
Ernieapp Ltd
88 Harcourt Street
Dublin 2
D02 DK18
Ireland