Opoyi Pvt. Ltd. (henceforth called Opoyi) recognises the importance of your privacy. This Privacy Policy (“Privacy Policy”) describes our policies and procedures on the collection, use, disclosure, and sharing of your personal information when you use the Opoyi Platform. Also please read our Terms of Use.

The Information We Collect

We collect information directly from individuals, from third parties, and automatically through the Opoyi Platform.

Account and Profile Information

When you create an account and profile on the Opoyi Platform, we collect your name, contact information, demographic information, and other information you provide, such as topics that you know about or find interesting. Your name, photo, and any other information that you choose to add to your public-facing profile will be available for viewing by the public and other users of the Opoyi Platform. Once you create a profile, others will be able to see in your profile certain information about your activity on the Opoyi Platform, such as the questions and answers you post, your followers and who you follow, topics of interest to you, the information you list as credentials, and your edits to your content. For more information about your choices for publicly displayed information, see the section below about Your Choices.

Communications

When you communicate with us (via email, through the Opoyi Platform, or otherwise), we may maintain a record of your communication.

Integrated Service Provider and Linked Networks

You can connect your existing Opoyi account with certain third-party networks like Twitter or Google, for example (each a “Linked Network”). You can also elect to sign in or sign up to the Opoyi Platform through a Linked Network. If you elect to sign up through or connect a Linked Network, we receive certain profile and account information about you from the Linked Network. These Linked Networks may also appear in your profile, so that people can find you on these Linked Networks. The specific information provided to us by Linked Networks is determined by you and these third parties, and may vary by network. In all cases, the permissions page for the Linked Network will describe the information being shared. You should consult their respective privacy policies for information about their practices. You may elect to use information from the Linked Network to populate your profile on the Opoyi Platform and help you find and follow your contacts on the Opoyi Platform. For information on your choices, including how to disconnect a Linked Network from your Opoyi profile, see the Your Choices section below. You may also elect to connect and make and receive payments to and from us through third-party networks (“Integrated Service Provider”); if you do so, you will be allowing us to pass to and receive from the Integrated Service Provider your login information and other user data for payment purposes.

Automatically Collected Information About Your Activity

We use cookies, log files, pixel tags, local storage objects, and other tracking technologies to automatically collect information about your activities, such as your searches, page views, date and time of your visit, and other information about your use of the Opoyi Platform. We also collect information that your computer or mobile device provides to us in connection with your use of the Opoyi Platform such as your browser type, type of computer or mobile device, browser language, IP address, mobile carrier, unique device identifier, location, and requested and referring URLs. We also receive information when you view content on or otherwise interact with the Opoyi Platform, even if you have not created an account. For more information, see the “Cookies, Pixels and Tracking” section below and our Cookie Policy.

Engagement

We collect browsing information – such as IP address and location, date and time stamp, user agent, Opoyi cookie ID (if applicable), URL, unique advertising or content identifiers (if applicable) and time zone, and other information about user activities on the Opoyi Platform, as well as on third-party sites and services that have embedded our Opoyi pixels (“Pixels”), widgets, plug-ins, buttons, or related services. See the section below about Opoyi Ads and Personalization for more detailed information about how our Pixels may be used by publishers or users of our advertising services (“Ad Services”) on the Opoyi Platform to enable personalization, as well as your choices related to advertising and personalization. We may also receive information about you from third parties, such as other users, partners (including ad partners), or our affiliated companies.

Address Book Sharing

You have the option of syncing your contacts with Opoyi. Doing so enables us to increase the reach of your content within Opoyi so that you can have richer conversations. We also use your contact book to suggest that your friends follow you when they join Opoyi. Your contact book information also helps us improve the personalisation of your home feed and helps us reduce the effort required for you to share content within and outside Opoyi.

We do not sell your data and are committed to protecting your privacy. We also protect your personal information by using robust systems that keep your data encrypted and secure.

How We Use Your Information

We do not sell your personal information – such as your name and contact information – to third parties to use for their own marketing purposes. Opoyi uses the information we collect for the following purposes:

  • Provide our Services

    To provide you the services we offer on the Opoyi Platform and make the Opoyi Platform available to the public, communicate with you about your use of the Opoyi Platform, respond to your inquiries, provide troubleshooting, and for other customer service purposes.

  • Personalization

    To tailor the content and information that we may send or display to you in the Opoyi Platform, to suggest followers and content, to offer location customization, and personalized help and instructions, and to otherwise personalize your experiences while using the Opoyi Platform.

  • Advertising

    To display interest-based advertising to you in the Opoyi Platform, to improve our advertising and measurement systems so we can show you relevant ads, to pre-fill forms in ads, and to measure the effectiveness and reach of ads and services. For more information, see the Ad Services section below about Opoyi Ads and Personalization.

  • Marketing and Promotions

    For marketing and promotional purposes, such as to send you news and newsletters, special offers, and promotions, or to otherwise contact you about products or information we think may interest you, including information about third-party products and services.

  • Analytics

    To gather metrics to better understand how users access and use the Opoyi Platform; to evaluate and improve the Opoyi Platform, including the Ad Services and personalization, and to develop new products and services.

  • Comply with Law

    To comply with legal obligations, as part of our general business operations, and for other business administration purposes.

  • Prevent Misuse

    Where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of our Terms of Service or this Privacy Policy.

How We Share Your Information

    We share information as set forth below, and where individuals have otherwise consented:

    • Service Providers

      We may share your information with third-party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, consultants, customer service and support providers, as well as those who assist us in providing the Ad Services.

    • Affiliates

      The information collected about you may be accessed by or shared with subsidiaries and affiliates of Opoyi, Inc., whose use and disclosure of your personal information is subject to this Privacy Policy.

    • Business Transfers

      We may disclose or transfer information, including personal information, as part of any merger, sale, and transfer of our assets, acquisition or restructuring of all or part of our business, bankruptcy, or similar event.

    • Legally Required

      We may disclose your information if we are required to do so by law.

    • Protection of Rights

      We may disclose information where we believe it necessary to respond to claims asserted against us or to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation, and protect the rights, property or safety of Opoyi, its users, or others.

    • Your Content and Public Information

      Your content, including your name, profile picture, profile information, and certain associated activity information is available to other users of the Opoyi Platform and may be viewed publicly. Public viewing includes availability to non-registered visitors and can occur when users share your content across other sites or services. In addition, your content may be indexed by search engines. In some cases, we may charge for access to your content and public information on the Opoyi Platform. See the section below about Your Choices for information about how you may change how certain information is shared or viewed by others.

    • Metrics

      We may share with our advertisers or publishers aggregate statistics, metrics and other reports about the performance of their ads or content in the Opoyi Platform such as the number of unique user views, demographics about the users who saw their ads or content, conversion rates, and date and time information. We do not share IP addresses or personal information, but certain features may allow you to share your personal information with advertisers on our platform if you choose to do so. We may also allow our advertisers or publishers to use Pixels on the Opoyi Platform in order to collect information about the performance of their ads or content.

    • Anonymized and Aggregated Data

      We may share aggregated or de-identified information with third parties for research, marketing, analytics and other purposes, provided such information does not identify a particular individual.

    Cookies, Pixels and Tracking

    We and our third-party providers use cookies, clear GIFs/pixel tags, JavaScript, local storage, log files, and other mechanisms to automatically collect and record information about your usage and browsing activities on the Opoyi Platform and across third-party sites or online services. We may combine this information with other information we collect about users. Below, we provide a brief summary of these activities.

    Cookies

    These are small files with a unique identifier that are transferred to your browser through our websites. They allow us to remember users who are logged in, to understand how users navigate through and use the Opoyi Platform, and to display personalized content and targeted ads (including on third-party sites and applications).

    Analytics Tools

    We may use internal and third-party analytics tools, including Google Analytics. The third-party analytics companies we work with may combine the information collected with other information they have independently collected from other websites and/or other online products and services. Their collection and use of information is subject to their own privacy policies.

    Do-Not-Track Signals

    Please note we do not change system behavior within the Opoyi Platform in response to browser requests not to be tracked. You may, however, disable certain tracking by third parties as discussed in the Opoyi Ads and Personalization section below. You may also opt out of tracking by Opoyi Pixels, as described below in Opoyi Ads and Personalization.

    Opoyi Ads and Personalization

    We may display personalized content (including from third-party content publishers) and personalized ads (including sponsored content), based on information that we have collected via the Opoyi Platform, and through our Pixels, widgets, and buttons embedded on third-party sites. We also may report aggregated or de-identified information about the number of users that saw a particular ad or content and related audience engagement information to users of our Ad Services and to publishers of content on the Opoyi Platform.

    Advertisers who use our Ad Services may also provide us with information as part of their ad campaigns, including customer information (e.g., email addresses, phone numbers, or other contact information, demographic or interest data) in order to create custom audiences for personalizing their ad campaigns or for measuring the effectiveness of their ads; we only use this information to facilitate the particular advertiser’s campaign (including ad metrics and reporting to that advertiser); and we do not disclose this information to third parties (other than our service providers) unless required by law. We also do not disclose to the advertisers who use our Ad Services the names or contact information of their customers that were successfully reached as part of such campaigns without those customers’ consent.

    Third-Party Ads on Opoyi

    We may also work with third parties such as network advertisers to serve ads on the Opoyi Platform and on third-party websites or other media (e.g., social networking platforms) such as Google AdSense and Facebook Audience Network. These third-party vendors use cookies to serve ads based on a user’s prior visits to Opoyi or to other websites. They may also use JavaScript, web beacons (including clear GIFs), Flash LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content for you.

    You may opt out of interest-based advertising on third-party sites and through third-party ad networks (including Facebook Audience Network and Google AdSense).

    You may opt out of personalized advertising from Google and its partners by visiting Ads Settings. You can also opt out of a third-party vendor’s use of cookies for personalized advertising by visiting www.aboutads.info.

    How We Protect Your Information

    The security of your information is important to us. Opoyi has implemented safeguards to protect the information we collect. However, no website or Internet transmission is completely secure. We urge you to take steps to keep your personal information safe, such as choosing a strong password and keeping it private, as well as logging out of your user account, and closing your web browser when finished using the Opoyi Platform on a shared or unsecured device.

    Access and Amend Your Information

    You may update or correct your account information at any time by logging in to your account. You may also make a number of other adjustments to settings or the display of information about you as described in more detail in the following section about Your Choices.

    Your Choices

    You may, of course, decline to submit information through the Opoyi Platform, in which case we may not be able to provide certain services to you. You may also control the types of notifications and communications we send, limit the information shared within the Opoyi Platform about you, and otherwise amend certain privacy settings. Here is some further information about some of your choices:

    Your Content

    You may edit or delete the content that you post at any time. Any deleted content will be removed from third-party sites from which it has been shared via Opoyi’s standard sharing features; however, we have no control over deletions or changes to your content if it has been shared manually by others.

    Emails and Communications

    When you join the Opoyi Platform by signing up for an account or creating a profile, as part of the service, you will receive the Opoyi digest containing content that we believe may match your interests. You can manage your email and notice preferences in your account profile settings, under your Emails and Notifications settings. If you opt out of receiving emails about recommendations or other information we think may interest you, we may still send you transactional emails about your account or any services you have requested or received from us.

    Third parties may comment on your postings within the Opoyi Platform. In your profile, under your Privacy Settings, you can adjust whether to allow people to comment on your answers and posts. You can also adjust permissions about who you allow to send you messages on the Opoyi Platform.

    Followers

    You can block the ability of another Opoyi user to follow you by selecting the setting for this in the other user’s profile. You can change whether or not you follow other users.

    Topics

    You can change topics that you follow or that your profile lists as areas that you know about.

    Credentials

    You can change your credentials that are displayed in your profile.

    Indexed Searches

    In your privacy settings, you can control whether your profile and name are indexed by search engines. Changes to privacy settings may only apply on a going-forward basis; for example, your name (e.g., answers and profile) that has already been indexed by search engines may remain indexed for a period of time even after you have turned off indexing, as implementing this change is outside of our control.

    Deleted or Deactivated Account

    If you choose “Delete Account” in your profile’s “Privacy Settings,” then all of your content will be removed from public visibility on the Opoyi Platform, and it may not be restored by us, even if you change your mind. If you choose “Deactivate Account,” then you will no longer receive any communications from us, and users will not be able to interact with you; however, your content will remain on the Opoyi Platform. Once you deactivate your account, you can reactivate it any time by choosing to log in.

    Linked Networks

    You may connect or disconnect your Linked Networks, such as Google, through the Account Settings tab in your profile settings, and you may access, amend and delete much of your profile information through your profile settings. Once you disconnect a Linked Network, we will not receive information from that Linked Network going forward unless you choose to reconnect it. You may also control whether the Linked Network is visible in your profile.

    Transferring Your Data

    Opoyi and our service providers may transfer your personal information to, or access it in, jurisdictions (including the United States) that may not provide equivalent levels of data protection as your home jurisdiction. We will take steps to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.

    Children’s Privacy

    We do not knowingly collect or solicit personal information from anyone under the age of 13 or knowingly allow such persons to register. If we become aware that we have collected personal information from a child under the relevant age without parental consent, we take steps to delete that information.

    Links to Other Websites

    The Opoyi Platform may contain links to third-party sites or online services. We are not responsible for the practices of such third parties, whose information practices are subject to their own policies and procedures, not to this Privacy Policy.

    We do not sell your personal information to third parties

    Opoyi may share your personal information with third parties and third parties may collect your personal information as described above in the How We Share Your Information section. In addition, as described in our Cookie Policy, we may also work with third parties such as network advertisers to serve ads on the Opoyi Platform and on third-party websites or other media (e.g., social networking platforms), such as Google AdSense and Facebook Audience Network. These third parties may use cookies, JavaScript, web beacons (including clear GIFs), Flash LSOs and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you.

    We do not collect personal information from consumers that we know are younger than 16 years old.

    Requests for Deletion, Copy and Right to Know Your Information

    Consumers have the right to make the following requests:

    • Deletion

      You have the right to request deletion of personal information that we have collected about you.

    • Copy and Right to Know

      You have the right to request a copy of the specific pieces of personal information that we have collected about you over the past 12 months, including the categories of information, sources, and purposes of collection, as well as categories of third parties we have shared it with.

    • Designated Agent

      You may designate an agent to make a request on your behalf. That agent must have access to your account in order for us to verify the request.

    You may submit a deletion, copy and right to know request by emailing us at [email protected].

    Non-Discrimination

    Opoyi will not discriminate against you, including by denying or providing a different level or quality of goods or services should you choose to exercise your options under the CCPA.

    OPOYI’s General Data Protection Regulation (“GDPR”)

    Introduction

    Privacy is a fundamental right and its protection is important to our organization. OPOYI is therefore committed to complying with all the laws, rules and regulations related to Data Protection that its affiliates are governed by, including, but not limited to, the General Data Protection Regulation (“GDPR”).

    OPOYI collects, stores and processes personal data relating to diverse Data Subjects, such as its employees, job applicants, customers, suppliers and other third parties. The correct and lawful treatment of personal data shall be maintained with confidence and in keeping with the reputation of OPOYI as a socially responsible business partner and employer.

    This policy sets out the requirements to which all those in scope must adhere and comprises the internationally accepted data privacy principles. Such requirements apply to all OPOYI’s affiliates, its employees, contractors, temporary employees, and agency workers – including anyone who collaborates with us or acts on our behalf and may need occasional access to data. The policy covers all processing activities involving personal data and will help you to recognize what may be personal data, as well as your rights and obligations with respect to such data.

    OPOYI’s Data Protection Policy either supplements the national data privacy laws or is applicable in the absence of national legislation. OPOYI’s affiliates to which this policy does not directly apply due to existing governance rules (e.g. joint ventures) must implement their own policies and procedures based on their national legislation and requirements.

    An infringement of relevant data privacy laws may cause enormous damage to OPOYI in the form of loss of reputation and severe fines, and may affect the trust of customers, employees, and the public as well as all other stakeholders. Therefore, we rely on you to follow the requirements set forth in this Policy.

    Scope

    The scope of this Policy covers:

    • all processing activities involving personal and sensitive personal data where OPOYI acts as the Data Controller, including personal data in physical form stored in a relevant filing system.
    • all Employees, Contractors, Third Parties, Processors, or others who process Personal or Sensitive personal Data on behalf of OPOYI.
    • all geographic territories, including Third Countries outside the European Union (EU). All OPOYI affiliates and their employees must process personal data with due diligence and in compliance with the statutory requirements and this policy.

    In particular, for Entities and data processing activities that are subject to the GDPR, additional local guidelines and procedures are essential and must be developed and set up by local management or an appointed delegate for compliance with the rules that have been enforced since May 2018, in addition to possible national law. Additional local policies and guidelines must also be developed by affiliates operating outside the European Union if this is necessary for compliance with their national legislation and data protection laws. OPOYI’s affiliates that have no national data protection laws must adopt and apply this policy.

    If relevant national laws conflict or have stricter requirements, they may override this policy. It is the responsibility of the Entity’s local Management to monitor the national data protection legislation and its development or amendments. In case amendments of national legislation conflict with this policy, this must be reported to the Chief Compliance Officer.

    Definitions

    • Personal data

      Any information relating to an identified or identifiable natural person, the so-called “data subject”.

    • Data subject

      an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an address, an identification number, any kind of location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, health and sexual life, criminal allegations or offences are considered sensitive and belong to special categories of personal data. Under national law, further data categories can be considered highly sensitive or the content of the data categories can be filled out differently.

      Anonymized data and data not related to a natural person (e.g. company data such as company names and addresses) are not subject to this policy.

    • Processing

      of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

    • Data controller

      is “a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”

    • Data processors

      process personal data on behalf of a data controller (e.g. payroll agency hired for payroll accounting by OPOYI, who is the data controller).

    • Security breach

      is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A security breach occurs when an individual or an application illegitimately enters a private, confidential, or unauthorized logical IT perimeter. A security breach is also known as a security violation and potentially ends up in a personal data breach.

    • Data breach

      is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data

    • Third Party

      means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

    Data Protection Framework and Principles

    This section describes the basic framework and principles, defines the minimum standards and requirements of our data protection organization and is a guideline for ensuring, monitoring, and maintaining an adequate level of personal data security. Within OPOYI, personal information is collected in a transparent way and only with the full cooperation and knowledge of interested parties. Once personal data have been collected, the following principles shall be applied:

    Personal data and all processing activities will be:

    • recorded accurately and kept up to date
    • collected for specified, explicit and legitimate purposes only
    • retained only for as long as necessary and according to statutory retention period requirements
    • processed fairly and lawfully
    • protected against any unauthorized or illegal access and misuse by internal or external parties
    • adequate, relevant, and limited to what is necessary.

    They will not be:

    • communicated internally without a purpose
    • transferred to organizations (and affiliates), states or countries that do not have adequate data protection policies and regulations.

    In addition to ways of handling the data, each entity in OPOYI has direct obligations towards individuals to whom the data belongs. Specifically, on their request, we must inform them a) which of their data is processed, b) how we process such data and c) who has access to the information.

    We must also:

    • have provisions in cases of lost, corrupted or compromised data
    • allow individuals to request that we modify, erase, reduce or correct data contained in our databases.

    For ensuring an adequate level of personal data protection we are committed to:

    • Restrict and monitor access to personal data, especially to sensitive personal data
    • Develop transparent data collection procedures
    • Train employees in online privacy and security measures
    • Build secure networks to protect online data from cyberattacks
    • Establish clear procedures for reporting privacy breaches or data misuse
    • Include contract clauses whenever considered as necessary or communicate statements on how we handle data
    • Establish data protection best practices (access controls to buildings, offices and IT systems, document shredding, secure locks, devices and data encryption, frequent backups, access authorization, disaster recovery plans etc.)

    Those principles are further described in the sections of this policy below.

    Main Principles for Processing of Personal Data

    When processing personal data, the following enforceable principles apply:

    • Fairness, lawfulness, and transparency:

      personal data may only be collected and processed for specified, explicit and legitimate purposes in a fair and transparent manner and in compliance with the applicable law. The data subject must be informed of how his/her data is being handled. In general, personal data must be collected directly from the individual concerned. When the data is collected, the data subject must either be aware of, or informed of a) the identity of the data controller b) the purpose of data processing and c) third parties or categories of third parties to whom the data might be transmitted

    • Purpose limitation:

      personal data may only be collected and processed for the purpose that was defined before the collection, limited to what is necessary in relation to the purposes for which they are processed and may not be further processed in a way incompatible with those purposes.

    • Data Minimization:

      personal data must be restricted to the adequate, necessary, and relevant extent to achieve the purpose for its processing. Personal data must not be collected in advance and stored for potential future purposes unless the Data Subject has given consent or this is required or permitted by national law.

    • Accuracy:

      Personal data on file must be correct, complete, and – if necessary – kept up to date. Suitable steps must be taken to ensure that inaccurate or incomplete data are deleted, corrected, supplemented, or updated.

    • Storage Limitation and Deletion:

      personal data must be maintained in a manner only as long as this is required to achieve the intended purposes of collection and processing. After the expiration of legal or business process-related periods, Personal Data that is no longer needed must be securely deleted.

    • Integrity and Confidentiality, Data Security:

      personal data must be processed in a manner that: a) ensures adequate security of the data; b) data is stored securely using suitable, modern systems and software that is kept up to date.

    Adequate Technical and Organizational Security Measures (TOM – e.g. access controls, password rules, physical security of servers, back-up guidelines, etc.) must be in place and formally described by all our Entities to prevent unauthorized or illegal access and misuse, processing or distribution, as well as accidental loss, modification or destruction.

    The adherence to those principles must be supported by a record of (IT) systems and processing activities where all information and procedures related to personal data are documented (e.g. category of data subject, category of Personal Data, purpose of processing). All Entities must keep such a Record of Processing Activities, especially the Entities with processing activities subject to the GDPR (Art. 30 GDPR).

    Lawfulness of Processing

    OPOYI must ensure processing is lawful and document the lawful grounds of processing. For personal data to be processed lawfully, it must be processed based on one of the following legal grounds:

    • The data subjects consent to the processing (e.g. from job applicants submitting CVs, Marketing Newsletter)
    • The processing is necessary for entering into or for the fulfilment of a contract with the data subject (e.g. employment contract)
    • For compliance with a legal obligation to which OPOYI and its affiliates (the data controllers) are subject (e.g. social security and tax filings)
    • For the legitimate interest of OPOYI or the party to whom the personal data is disclosed (e.g. user log files or IP addresses may be temporarily stored, and this is justified to assure proper network function and security)
    • For the vital interest of the public and other stakeholders
    • For public tasks and obligations.

    The processing of special categories of personal data must be expressly permitted or prescribed under national law. Additionally, processing can be permitted if it is necessary for the responsible authority to fulfil its rights and duties regarding employment law. The employee may also expressly consent to processing.

    Except for storage, processing shall cease immediately where there are no longer lawful grounds.

    Rights of Data Subjects

    Upon a data subject’s request, the concerned Entity must inform them of the collected personal data within the scope of the applicable laws. In general, data subjects may:

    • request access to any personal data held about them by a data controller.
    • prevent, object, or restrict the processing of their personal data, e.g. for direct marketing purposes.
    • ask to have inaccurate personal data amended.
    • request information on the identity of the recipient or the categories of recipients if their personal data have been transmitted to third parties (e.g. sub-contracted data processors).
    • request their data to be deleted if the processing of such data has no legal basis, or if the legal basis no longer applies. The same applies if the purpose behind the data processing has lapsed or ceased to be applicable for other reasons. Legal retention periods might override this right and must be closely monitored.

    If you receive any Data Subject Access request, please contact the Chief Compliance Officer immediately. Such a request shall be completed as soon as possible, but within no more than 30 calendar days, and communicated to the Data Subject securely.

    Personal Data Transfer and (Contract) Data Processing on Behalf

    Intra-group personal data transmission or personal data “Processing on Behalf” of a data controller must be based on the principles stated in sections 4.1 to 4.3 and be in compliance with the applicable laws and statutory data protection requirements of the relevant country.

    “Data Processing on Behalf” means that a Processor is carrying out processing of personal data on behalf and according to instructions of a Controller, who determines the purposes and means of the processing of personal data. In other words, a Processor is hired by the data controller as a data processor to process personal data (e.g. outsourcing of payroll administration, outsourcing of the IT servers to a hosting/cloud provider).

    “Processing on behalf” activities within the EU shall not be outsourced without a binding written contract that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects and the obligations and rights of the OPOYI Entity acting as Controller (Article 28 EU GDPR). In the event that personal data is transmitted from an OPOYI Entity (data controller) within the EU to a recipient (data processor) outside the EU (including intra-group transfers), this recipient must agree to maintain a data protection level equivalent to this Data Protection Policy.

    The controller shall use only data processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this policy and ensure the protection of the rights of the data subject.

    Confidentiality of Processing

    Any kind of personal data is subject to data secrecy, therefore:

    • any unauthorized collection and processing of such data by employees is prohibited
    • any data processing undertaken by an employee that he/she has not been authorized to carry out as part of his/her legitimate duties is prohibited.

    The “need to know” principle applies: employees may have access to personal information only insofar as this is appropriate for the type and scope of the task in question. This requires a careful breakdown and separation, as well as implementation of roles and responsibilities.

    The employees' use of our collected personal data for private or commercial purposes or their disclosure to unauthorized persons is prohibited; employers must inform their employees at the start of the employment relationship about the obligation to protect data secrecy and make them familiar with this policy (e.g. by requiring written confirmation of this policy). This obligation shall remain in force even after employment has ended.

    Security of Processing

    Personal data must be safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification, or destruction. This applies regardless of whether data is processed electronically or in paper form. Those technical and organizational security measures must be based on the state-of-the-art and modern technologies, the risks of processing, and the sensitivity of the data to be protected. In general, each OPOYI and all affiliates must make sure that:

    • buildings and office rooms are adequately protected against unauthorized access (e.g. alarm systems, entrance controls and registering).
    • personal data is stored securely using modern software that is kept up to date.
    • access to personal data is being limited only to personnel who need access and appropriate security measures are in place to avoid unauthorized sharing of information.
    • personnel data is transferred only by secured means (e.g. email/laptop encryption, encrypted USB sticks).
    • access to personal data is monitored and logged (e.g. audit trails for data entries, log trails).
    • availability and recovery of data are ensured (back-up and disaster recovery procedures, firewalls, anti-virus programs).
    • when personal data is deleted, this is done securely in a way that makes the data irrecoverable.
    • adequate controls are in place when personal data are outsourced to an external data processor.
    • security incidents/data breaches and any other incidents are properly reported and managed.

    Technical and organizational measures must be defined and implemented before the introduction of new methods of personal data processing, particularly of new IT systems and applications. They must be continuously evaluated and assessed in respect of technical developments and organizational changes.

    Data Protection Awareness

    The effectiveness of the OPOYI data protection organization requires that all affiliates and all their employees who process personal data for OPOYI must be aware of the importance of data protection and data privacy.

    Therefore, the management of each OPOYI Entity has the duty to promote this awareness to all employees processing personal data, for example, by regular, but at least annual data protection trainings, corporate awareness and sensitization programs in the form of online training or other suitable methods (e.g. on-site trainings).

    Organizational Structure

    The Executive Management of all OPOYI’s Entities is responsible for ensuring an appropriate data protection level that complies with all applicable laws throughout its affiliates and enables the implementation of an adequate data protection organization.

    For ensuring an adequate data protection level and enforcement of this policy, the implementation of the following roles and functions is required:

    • Data Protection Coordinators (“DPCs”) must be appointed by the local Management of each Entity. The data protection coordinators are the contact persons on site for data protection. They can perform checks and must familiarize the employees with the content of this data protection policy.
    • Data Protection Officers (“DPOs”) where required by the applicable law.

    National legal requirements may define additional roles and tasks. The Regional and/or Local Management of an Entity ensures that DPOs and DPCs:

    • are involved sufficiently and in due time in all matters relating to the protection of personal data
    • obtain access to all processes concerning the processing of personal data
    • can directly report to the Chief Compliance Officer
    • are obliged to secrecy and non-disclosure regarding their activities in compliance with the applicable laws.

    The DPCs and DPOs may perform other tasks, duties, and functions if these do not constitute a conflict of interest regarding their activity as a DPC or DPO. The DPCs and DPOs may be appointed for several Entities of a region or a country if such an appointment does not constitute a conflict of interest.

    Data Protection Incidents

    The following data protection-relevant incidents must be promptly reported by the regional or the local Management of an Entity to their local DPCs and/or DPOs in charge as well as to the Chief Compliance Officer and to the Legal Department:

    • Any reported, anticipated, or potential data breach (e.g. e-mail sent to the wrong recipients, personal data disclosed to unauthorized persons; a security breach usually results in a data breach).
    • data protection complaints, claims and accusations by data subjects (e.g. employees, customers, suppliers).
    • data protection requests by any data subject (e.g. customer asking for processing activities of their personal data).
    • violations or potential violations of data protection laws, as well as violation of this Data Protection Policy.
    • fines imposed by data protection authorities.
    • audits advised by data protection authorities.
    • Any security breaches or incidents of IT systems (e.g. compromised systems, system breakdowns, hacking attempts, intrusion of systems, unauthorized access attempts) that might result in a data breach.

    The loss or theft of mobile devices (laptops, mobile phones, tablets, USB sticks) might result in a potential data breach and therefore must also be reported to the local DPC/DPO, Chief Compliance Officer and to the Global Head of IT.

    In addition to that, local Management must:

    • maintain a record of all incidents and events mentioned above.
    • maintain all relevant documents, communication and measures taken related to those incidents and requests in a separate file and have it available on request.

    All appointed DPOs and DPCs as well as any subsequent changes must be reported with all their contact details to the Chief Compliance Officer and/or Group Legal Department.

    Responsibilities and Duties, Audit

    Group and local Management staff is responsible for ensuring that all relevant organizational, HR, and technical measures are in place so that any personal data processing is carried out in accordance with national data protection laws. Adherence to and compliance with those requirements are the responsibility of all relevant employees.

    All OPOYI employees (including temporary employees and lease staff), executives and service providers who process personal data on OPOYI’s premises, use OPOYI’s data processing systems and equipment or are connected thereto are obliged to comply with this policy.

    Group Internal Audit will periodically review the compliance with this Data Protection Policy by on-site or remote data protection and/or IT security reviews or similar assessments. In performing this task, Group Internal Audit is authorized to hire external auditors or experts in this area.

    Contact Us

    If you have any questions about our practices or this Privacy Policy, please contact us at [email protected].

    Changes to Our Privacy Policy

    If we change our privacy policies and procedures, we will post those changes on this page. If we make any changes to this Privacy Policy that materially change how we treat your personal information, we will endeavor to provide you with reasonable notice of such changes, such as via prominent notice in the Opoyi Platform or to your email address of record, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.