TERMS AND CONDITIONS


SPOTTERFISH Privacy Policy

 

Effective: 30 April 2020

1.   INTRODUCTION

1.1.  This privacy policy (the “Privacy Policy”) applies to the data processing carried out by Spotterfish on its website in connection with offering the Spotterfish Service (“Service”). The Service is governed by the Terms of Service between Spotterfish and the customer who has entered into an agreement for access and use of the Service. Through this Privacy Policy, we inform you about our processing of your personal data in connection therewith and your rights.

2.  YOUR RIGHTS

2.1   Our processing of your personal data may be subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable legislation for the protection of privacy, which grants you certain rights as an individual. These rights, subject to applicable limitations and exceptions, include the following:

   i)   Right of Access - the right to be informed of and request access to the personal data we process about you;

  ii)   Right to Rectification - the right to request that we amend or update your personal data where it is inaccurate or incomplete;

 iii)   Right to Erasure - the right to request that we delete your personal data;

 iv)   Right to Restrict - the right to request that we temporarily or permanently stop processing all or some of your personal data;

  v)   Right to Object:

      - the right, at any time, to object to us processing your personal data on grounds relating to your situation;

      - the right to object to your personal data being processed for direct marketing purposes;

  vi)   Right to Data Portability - the right to request a copy of your personal data in electronic format and the right to transmit that personal data for use in another party’s service; and

 vii)   Right not to be subject to Automated Decision-making - the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.

2.2   In order to enable you to learn more about and exercise these rights and record your preferences in relation to how Spotterfish uses your personal data, we provide the following:

 

  • Privacy Settings (accessed via your account page) - allow you to exercise choices with respect to processing of certain personal data.
     

  • Notification Settings (accessed via our email messages to you) - allow you to choose which marketing communications you will receive from Spotterfish. You can use notification settings to exercise choices about all categories of email and push marketing communication; and 
     

  • Cookies policy - provides information on how we use cookies and information on how you can manage your cookie preferences.
     

2.3   If you have any further questions about your privacy or your rights under the GDPR or other privacy issues, please contact Spotterfish at the address set out below or your local Data Protection Authority. If you are dissatisfied with our processing of personal data, you may always lodge a complaint with the Swedish Data Protection Authority (Datainspektionen) or your local Data Protection Authority.

3.   HOW WE COLLECT YOUR PERSONAL DATA

3.1.  We collect personal data from you:

    i)   When you sign up for an account to use the Service;

   ii)   Through your use of the Service;

  iii)   When you engage with a third-party that integrates with the Service and transfers your personal data to us.

3.1.2   We use anonymised and aggregated data for analysing our software systems and to perform maintenance and development in regard to these.

4.   WHAT PERSONAL DATA WE USE

4.1.  Regarding your registration of an account we may use the following personal data:

      - Full name (optional);

      - Username; and

      - E-mail address or telephone number.

4.2.  Regarding your use of the Service we use the following information, which may contain personal data:

      - Your interactions with the Service and your interactions with other users through the Service;

      - Content posted by you through the Service; and

      - Technical data such as what device, browser and network you are using and your device ID in relevant cases.

5.   THE PURPOSES FOR USING PERSONAL DATA AND BASIS FOR USE

5.1.   We use your account information to offer the Service, continuously maintain or develop the Service further and communicate with you. This is done on the basis of performing our customer contract (point (b) of Article 6(1) GDPR) and our legitimate interest (point (f) of Article 6(1) GDPR).

5.2.   We may use your account information to detect fraudulent activities. This is done on the basis of performing our customer contract (point (b) of Article 6(1) GDPR), and our legitimate interest (point (f) of Article 6(1) GDPR) and compliance with legal obligations (point (c) of Article 6(1) GDPR).

5.3.   We use your personal data for marketing, research and for promotional purposes. This is done on the basis of consent (point (a) of Article 6(1) GDPR) and our legitimate interest (point (f) of Article 6(1) GDPR), respectively.

6.   SHARING YOUR PERSONAL DATA

6.1.   Some of your personal data will, or may, be shared with the following categories of recipients.

6.2.   Publicly available information: your username and profile picture may be public in the Service and visible to all users.

 

6.3.   Personal data you may choose to share: specific personal data that is explicitly required for an additional feature or function. The categories of recipients for this personal data are the following:

   i)   Third-party application providers – providers of applications or services that you choose to connect with our Service.

We may also share your personal data with the following categories of recipients:

   ii)   Service providers – we use service providers to host, maintain and operate the Service. We use service providers to communicate with you. We cooperate with advertisement partners to bring you promotions and offerings;

 iii)   Partners – if you have elected to integrate or interact with a third-party service, we may share some data with that third-party to facilitate the integration and offer you your requested service;

  iv)   Law enforcement – we may share your personal data with law enforcement authorities when required to do so by law; and

   v)   Purchasers of our business – if Spotterfish and/or its business is sold (directly or indirectly; be it through share or asset transfer), or in the process of negotiating such a sale, your personal data may be shared with the buyer or prospective buyer.

7.   DATA RETENTION POLICY

7.1.   We keep your personal data only as long as necessary to provide you with the Service and for legitimate and essential business purposes, such as maintaining the performance of the Service, making decisions about new features and offerings, complying with our legal obligations and protecting our legal rights and resolving disputes. We keep some of your personal data for as long as you are a user of our Service.

7.2.   If you request, we will delete or anonymise your personal data so that it no longer identifies you, unless we are legally allowed or required to maintain certain personal data (and/or unless the personal data forms part of Customer Content uploaded to the Service; in which case you will need to contact the customer for the Service on whose behalf we are processing such data), including situations such as the following:

 

      - If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute, we will retain the necessary personal data until the issue is resolved;

      - Where we are required to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or

      - Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.

8.   TRANSFER OF PERSONAL DATA

Spotterfish may share your personal data with entities in different countries in order to carry out the activities specified in this Privacy Policy. Spotterfish may also subcontract processing to, or share your personal data with, third parties located in countries other than your home country. Personal data collected within the European Union and the EEA may be transferred to and processed by third parties located in a country outside of the European Union and the EEA. Spotterfish will ensure that the transfer of your personal data is carried out in conformity with applicable law and that all appropriate contractual, technical, and organisational measures are in place such as the Standard Contractual Clauses approved by the EU Commission (or any amendment or replacement thereof).

9.   CHANGES

We may occasionally make changes to this Privacy Policy. When we do so, we will provide you with prominent notice as appropriate under the circumstances, e.g. by displaying a prominent notice within the Service or by sending you an e-mail. Please, therefore, make sure you read any such notices carefully.

10.   CONTACT INFORMATION

10.1.   If you have any questions or requests in relation to this Privacy Policy, please send these to the address below.

  • Spotterfish AB
    Skedala Tallbacken 158
    305 93 HALMSTAD
    Sweden
     

  • Email us
     

10.2.   Spotterfish AB (Swedish company Reg. No.: 559249-9239) is the data controller for the purposes of this Privacy Policy.

SPOTTERFISH DATA PROCESSING AGREEMENT 

1.   INTRODUCTION AND OBJECTIVE

1.1   This Data Processor Agreement (including its appendices, together the “Data Processor Agreement”) has been entered into between you (Customer) and us (Supplier) in connection with an agreement (“Main Agreement”) between us regarding your access and use of the Service (as defined in the Terms of Service for the Main Agreement) that we shall provide to you. This Data Processor Agreement governs the processing of Personal Data which Supplier processes on Customer’s behalf in connection with the Main Agreement. Except as may be otherwise required under Data Protection Laws, Customer, on behalf of any other Controller (e.g., where applicable, companies within its company group or other Controllers designated by Customer and as may be agreed by Supplier), shall serve as a single point of contact for Supplier in all matters under this Data Processor Agreement and shall be responsible for the internal coordination, review and submission of instructions or requests to Supplier as well as the onward distribution of any information, notifications and reports provided by Supplier hereunder.

1.2   Unless stipulated otherwise, the provisions of the Data Processor Agreement shall take precedence over the provisions of the Main Agreement with respect to the subject matter hereof.

1.3   This Data Processor Agreement is valid for as long as the Personal Data is processed.  The Data Processor Agreement shall be governed by the same law and dispute resolution mechanism as the Main Agreement. 

2   DEFINITIONS 

2.1.   “Customer” means the entity which has entered into a contract with us and is defined as “customer” in the Main Agreement. Customer shall, for the purpose of this Data Processor Agreement, include, where applicable, also entities within the Customer´s group of companies. 

 

2.2.   “Controller” means the party that determines the purposes and means of processing Personal Data, acting alone or with others.

2.3.  “Processor” means the party that processes Personal Data on Controller’s behalf.

2.4.   “Data Protection Laws” means the applicable laws that aim at protecting the fundamental rights and freedoms of individuals and specifically their privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”).

2.5.   “Data Subject” means an identified or identifiable natural person, as defined under the Data Protection Laws.

 

2.6.   “Instruction” means Customer´s written instructions for the processing of Personal Data hereunder. Such instructions are provided in the Data Processor Agreement.  

2.7.   “Personal Data” means any piece of information that refers to an identified or identifiable natural person, as defined under the Data Protection Laws.

2.8.   “Processing” means an action or combination of actions concerning personal data, as defined in the Data Protection Laws. 

2.9.   “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data Processed hereunder.  

2.10.   “Sub-processor” means any third party which Processor engages to carry out its obligations under this Data Processor Agreement and which through this engagement Processes Personal Data for which Customer is Controller.

2.11.   “Supplier” is Spotterfish AB, Reg. No.: 559249-9239, Sweden.

2.12.   “Transfer” means a cross-border transfer of Personal Data to territories outside the EU in accordance with clause 11. 

3.   PROCESSING OF PERSONAL DATA

3.1.   Purpose and categories of Processing and types of data processed. The nature and purpose of the Processing, the type of Personal Data and the categories of Data Subjects covered under this Data Processor Agreement are specified in Appendix 1.  

3.2.   Controller.  Customer is Controller for all Personal Data which Customer shares with Supplier for Processing under the Main Agreement and this Data Processor Agreement. In its capacity as Controller, Customer confirms (for its own part and, as applicable, on behalf of each other Controller) that: a) without prejudice to Supplier’s responsibilities as Processor hereunder, Customer is solely responsible for any Personal Data provided or made accessible to Supplier under this Data Processor Agreement and the means by which it has been acquired and collected as well as the accuracy, quality, legality and integrity thereof; b) Customer is entitled to provide access to Personal Data to Supplier for the purposes hereof and, consequently, that it has and will maintain a lawful basis for Supplier´s performance of the Service under the terms of the Main Agreement and hereunder; c) all instructions from Customer for the Processing of Personal Data hereunder shall comply with Data Protection Laws, shall be reasonable and documented in writing (e.g. via email), and shall relate to and be consistent with the Service agreed to be provided by Supplier, and Customer accepts that Supplier disclaims any obligation or liability with regard to any Instructions or requests being in violation of any of the aforesaid.

3.3.   Processor.  Supplier and its Sub-processors are Processors for the Processing of Personal Data hereunder and shall only process Personal Data on behalf of Customer and in accordance with the Instructions. Supplier is responsible for ensuring that Sub-processors that it engages only Process Personal Data in accordance with the Data Processor Agreement and Data Protection Laws.

3.4.   Instructions.  Customer is responsible for giving Supplier Instructions for the Processing of Personal Data. Supplier shall only manage Customer's Personal Data in accordance with this Data Processor Agreement and the Instructions from time to time. If Supplier deems that Instructions are contrary to the requirements of the Data Protection Laws, Supplier shall notify the Customer thereof as soon as practicably possible. Supplier shall for the avoidance of doubt not be obliged to perform a certain measure if, according to Supplier´s reasonable assessment, this would result in a breach of Data Protection Rules. Supplier shall for the avoidance of doubt not be obliged to perform own investigations or surveys in order to establish whether there is a breach or not, or whether Instructions comply with Data Protection Laws or not.

 

3.5.   Controller’s original Instructions to Processor regarding the object and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and the categories of data subjects are listed in this Data Processor Agreement and in Appendix 1.

3.6.   Charges.  Supplier reserves the right to charge Customer on a time and material basis for any work caused by Customer pursuant to clause 3.4 or for other work or measures (including measures or work requested to be performed by Customer) not expressly covered herein. 

4.   SUPPLIER'S PERSONNEL

4.1.   Confidentiality. Supplier is responsible for ensuring that Supplier’s and its Sub-processors’ personnel who Process Personal Data for which the Customer is the Controller shall maintain secrecy, have received suitable training on Personal Data and are adequately bound by confidentiality.  

4.2.   Restricted access. Supplier is responsible for ensuring that only the personnel of Supplier and Sub-processors who need the Personal Data to fulfil Supplier's commitment under the Main Agreement shall have access to the Personal Data. 

5.   PROTECTION OF PERSONAL DATA

5.1.    Technical and organisational measures.  Supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. The Personal Data shall be protected from any type of unauthorized Processing such as change, destruction or unauthorised access and dissemination. Supplier, accordingly, undertakes to take all measures stipulated in Article 32 of the GDPR. Supplier shall be prepared to comply with a competent authority’s decision on measures to comply with the Data Protection Laws’ security requirements. 

5.2.   Rights of the Data Subject.  Supplier shall notify Customer without delay if Supplier receives a request from a Data Subject regarding his or her rights, such as information, correction or deletion of the Data Subject’s Personal Data. Supplier shall not respond to such a request without Customer's written consent, except for the purpose of notifying the Data Subject that the request has been received and forwarded to Customer. Supplier shall render Customer reasonable assistance in managing Data Subjects’ inquiries and rights, unless Supplier is prevented from doing so by law or by official decision. 

5.3.   Supplier shall assist Customer in fulfilling its duties as a Controller of Personal Data to respond to requests regarding registered user’s rights.

 

5.4.   Official communications. Supplier shall notify Customer without delay if a government authority contacts Supplier regarding Personal Data managed under the Main Agreement (unless prevented under law to provide such a notification). At Customer's request, Supplier shall, to a reasonable extent, assist Customer with official communication and shall otherwise provide information so that Customer is able to respond to the official communication within reasonable time. Supplier has no right to respond on Customer’s behalf or act in Customer's name.

 

5.5.   Charges.  Supplier reserves the right to charge on a time and material basis for work performed assisting Customer to fulfil its obligations in relation to Data Subjects and authorities.

6.   SUB-PROCESSORS

Use of Sub-processors.   Supplier may engage Sub-processors for the Processing of Personal Data under the Main Agreement subject to this clause 6. Customer acknowledges that appointment of new Sub-processors may from time to time be required in order to perform the Service. Supplier is responsible for ensuring that all Processing of Personal Data performed by a Sub-processor is governed by a written agreement with the Sub-processor that corresponds to the requirements of this Data Processor Agreement. Subject to the above, Customer (also on behalf of other Controllers) hereby gives its general written consent and mandate (also for the purpose of the Standard Contractual Clauses, if applicable) to Supplier to use Sub-processors, and for the Sub-processors to use Sub-processors, in respect of: i) Supplier’s affiliates, ii) other Sub-processors used in Supplier’s regular business and service delivery; and iii) otherwise any Sub-processor of which Supplier has provided thirty (30) days’ prior written notice to Customer. Supplier will maintain a list of its permitted Sub-processors; such list to be made available without undue delay upon Customer’s request and shall without undue delay notify (such notification may be given in-service or posted on-line) Customer of any change to the list of Sub-processors to the extent relating to Processing of Personal Data under this Data Processing Agreement. Customer shall have the right to object to the use of a Sub-processor under this clause 6 by written notice to Supplier, such objection only to be made in good faith and based on justifiable grounds, and without undue delay from the time Customer was notified of the use of such Sub-processor. The parties will discuss possible activities to mitigate such objection from Customer in good faith. Unless otherwise agreed, Supplier is under no obligation to refund any payments made in advance for the Service under the Main Agreement.
Supplier is responsible for the Sub-processor's Processing of Personal Data under the Main Agreement and is fully responsible for Sub-processors who do not fulfil their obligations according to the Data Processor Agreement. The initial Sub-processors are listed in Appendix 1.

7.   AUDITS

Customer’s right to perform an audit. If reasonable grounds exist to suspect non-compliance of this Data Processor Agreement or Data Protection Laws on Supplier’s part, or if otherwise required under the Data Protection Laws, Supplier shall, upon Customer’s request make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by Customer or its representative. Customer shall endeavour to perform such audit without causing significant interruptions to the processor’s regular operations (e.g. to perform any such measures under reasonable time, place and manner conditions, during regular business hours) and subject to Supplier’s security policies. Customer will primarily rely on applicable existing audit reports or other available verification, if any, to confirm Supplier’s compliance and avoid unnecessary repetitive audits; unless required by Data Protection Laws, audits will not be made more than once in any twelve-month period. The audit shall not grant Customer access to trade secrets or proprietary information unless required to comply with Data Protection Laws (and Supplier will never be obliged, with regard to any information request or audit, to provide access to any price or other commercial information). Customer shall, within a reasonable period of time (at least thirty (30) days), notify Supplier before such an audit unless otherwise required by a government authority. Customer and any persons conducting an audit, must enter into adequate confidentiality undertakings prior to such audit and be conducted so as not to jeopardise the security of information belonging to other customers. In the event that Customer uses a representative/third party auditor, then Supplier may oppose such appointment only if such auditor is a competitor of Supplier or Supplier has other justifiable grounds for objection.
Notwithstanding the foregoing, Customer accepts that any requirements that Customer (itself or on behalf of any Controller referenced herein) may have with regard to the purposes of Processing Personal Data hereunder, or any requests for information, assistance or activities from Supplier by Customer hereunder, that extend beyond Supplier’s ordinary course of business, routines or policies, or what is otherwise commercially reasonable, shall be specifically agreed in writing and may be subject to additional fees and charges.  Supplier shall procure that Customer is similarly entitled to conduct audits in respect to Sub-processors. 

8.   INCIDENTS AND NOTIFICATION OF SECURITY BREACHES

8.1.   Incident management.  Supplier shall evaluate and act upon events suspected of possibly resulting in unauthorised access or Processing of Personal Data (“Incidents”). In the event that the Incident may lead to unplanned or illegal deletion, loss, alteration or release of Personal Data to unauthorised persons, Supplier shall promptly notify Customer of the Incident and provide all relevant information related to the Incident. Supplier shall develop appropriate steps to manage the Incident and cooperate with Customer when appropriate to protect the Personal Data, with the aim of restoring the confidentiality, privacy and availability of the Personal Data.  

8.2.   Security Breach. Supplier shall promptly notify Customer as soon as a Security Breach is discovered that could pose or could have posed a risk to the Personal Data Processed under this Data Processor Agreement. Supplier shall promptly investigate the Security Breach and take measures to reduce the damage, identify the basic problem and prevent it from happening again. Customer shall be updated with relevant information related to the Security Breach and Supplier's work on the breach while the work is proceeding, and Supplier shall cooperate with Customer when appropriate to reduce the damage and protect the privacy of the Data Subjects.  

9.   RETURN AND DELETION OF PERSONAL DATA

 

9.1.   Return or deletion. Within thirty (30) days of expiration of the Main Agreement, Supplier shall delete, or, where requested by Customer in writing, return all Personal Data Processed under this Data Processor Agreement.    

10.   LIABILITY AND LIMITATION OF LIABILITY

10.1.   Damages and penalties. Supplier is only liable for claims and damages from a Data Subject or a third party and administrative penalties from an authority targeting Customer or otherwise, where Supplier or a Sub-processor fails to fulfil its obligations according to the Data Processor Agreement and relevant Data Protection Laws. Customer shall indemnify Supplier with respect to any claims and damages from a Data Subject or a third party and administrative penalties from an authority not caused by Supplier.

10.2.   Limitation of liability. WITHOUT PREJUDICE TO ANY EXPRESS RIGHT OR REMEDY AVAILABLE TO DATA SUBJECTS PROVIDED UNDER DATA PROTECTION LAWS, ANY LIABILITY FOR SUPPLIER ARISING OUT OF OR IN CONNECTION WITH THIS DATA PROCESSOR AGREEMENT (WHETHER IN CONTRACT, TORT OR OTHERWISE) IS, AS BETWEEN THE PARTIES, LIMITED TO DIRECT DAMAGES (EXCLUDING ANY INDIRECT, CONSEQUENTIAL, SPECIAL OR INCIDENTAL COST, LOSS OR DAMAGE OF ANY KIND) AND SUBJECT TO THE APPLICABLE PROVISIONS ON LIMITATION OF LIABILITY OF THE MAIN AGREEMENT. CUSTOMER'S AND ANY OTHER CONTROLLER'S CLAIMS IN THE AGGREGATE, AND THE TOTAL AND AGGREGATE LIABILITY SHALL, IN ANY EVENT, FOR ANY CALENDAR YEAR BE CAPPED AT AN AMOUNT CORRESPONDING WITH FIFTY (50) PERCENT OF THE TOTAL FEES PAID BY CUSTOMER UNDER THE MAIN AGREEMENT FOR THE APPLICABLE SERVICE DURING TWELVE (12) MONTHS PRECEDING THE DATE OF THE OCCURRENCE OF THE CLAIM FORMING BASIS FOR LIABILITY. FOR CLARITY, ANY CLAIM, OR MULTIPLE INTERLINKED CLAIMS, SHALL BE SUBJECT TO THE LIABILITY CAP APPLICABLE AT THE DATE ON WHICH THE EVENT OR CIRCUMSTANCE FORMING THE BASIS FOR THE CLAIM(S) FIRST OCCURRED.

11.   TRANSFER OF PERSONAL DATA

 

11.1.   The Processing activities (including storage) shall take place on the location(s) set out in Appendix 1. Personal Data shall not be transferred outside such location, including to other countries/states, without the prior written consent of Customer. It is acknowledged that Supplier, either itself or using Sub-processors, as part of the Service, may need to perform services from locations in countries and territories outside the EEA. In case of such performance, then Customer (for its own part and on behalf of other Controllers referenced herein being established in the EEA) will give its specific written consent, mandate, authorization and instruction to Supplier for the purposes of conducting transfers outside EEA when providing the services under the Main Agreement from locations outside the EEA, as set forth below. Supplier or its Sub-processors may Process Personal Data outside the EU/EEA only if:  

      a)  The recipient has been deemed by the EU Commission to guarantee an adequate level of protection of the Personal Data (e.g. through certification under the Privacy Shield arrangement, or any such subsequent framework or arrangement), or;

      b)  Supplier or its Sub-processor has provided appropriate safeguards pursuant to article 46 of the GDPR, or;

      c)  The transfer and rights and freedoms of the data subjects are protected through approved Binding Corporate Rules pursuant to Article 47 of the GDPR, or; 

      d)  The transfer and rights and freedoms of the data subjects are protected through the Commission's Standard Contractual Clauses (as may be amended, updated and/or replaced by competent EU authority from time to time). 

....................................................

APPENDIX 1 

1.   Data Subjects

The processing of personal data under the Data Processor Agreement applies to the following categories of data subjects: 

  • Users who access the Service.

  • Users appearing in Customer Content.

  • Data Subjects (other than Users) appearing in Customer Content. 

     

2.   Categories of Processed Data

Categories of Processed Data are set out below: [please list categories of processed data below:]

  • Users email

  • Users first name

  • Users last name (Optional)

  • Users phone number (Optional)

  • Users photo (Optional)

  • IP addresses

  • Names, pictures, images, photos, voices/audio of Users appearing in Customer Content.

  • Names, pictures, images, photos, voices/audio of Data Subjects (other than Users) appearing in Customer Content.  

     

3.   Purpose, nature, objective and duration of the processing

Customer is the party that decides on the purpose of the Processing of Personal Data under the Main Agreement. The purpose of the Processing of Personal Data by Supplier is limited to 

      a)  Providing the agreed service such as the provision of subscription and other ancillary services which may be agreed in accordance with the Main Agreement; 

      b)  Implementing, managing and monitoring any underlying infrastructure required to provide services under the Main Agreement and to fulfill the stipulated technical and organisational requirements for the protection of Personal Data;  

      c)  Communicating with Customer and Customer’s personnel and Users;  

      d)  Implement Customer’s Instructions in accordance with clause 3.4; and 

      e)  Handling service problems, Incidents or Security Breaches. 

      f)  Supplier is entitled to use information about the use of the service for business development purposes or for example, but not limited to, providing benchmarking information or other value adding features that can be included in the services. However, Supplier is bound to only show aggregated, unidentifiable information that can’t be attributed to an individual Customer or individual User. Customer is entitled to not include their data in such value adding features but will then not be able to use such functions.

The duration of the Processing is limited to the duration of the Main Agreement.

4.   Transfer of personal data to a third country

 

We operate a global infrastructure and process data in both EU and US-based servers certified under the Privacy Shield. We comply with regulations for safeguarding any transfers of personal data outside of the EU. 

5.   List of sub-contractors/sub-processors

A list of Sub-contractors/Sub-processors utilised at the time of entering into the Main Agreement is set out below:  [Please list names/identity and place of used Sub-processors]

 

  • Google XX

    • All services provided are hosted on Google XXX

  • SendGrid

    • All emails sent from the service are passed through XXX

 

 

6.   Security Measures

Technical and organisational measures. Supplier shall take the technical and organisational measures for the protection of the Personal Data that are appropriate with regard to the sensitivity of the Personal Data; the particular risks that exist; existing technical capabilities and the costs of implementing the measures. The Personal Data shall be protected from any type of unauthorized processing such as change, destruction or unauthorised access and dissemination. Supplier, accordingly, undertakes to take all measures stipulated in Article 32 of the GDPR. 

The technical and organisational measures we have implemented are summarized below: 
 

  • Communications over the Internet are encrypted in transit using Transport Layer Security (TLS) to protect data between Spotterfish apps and our servers
     

  • TLS and SSL create a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption
     

  • Files are only viewable by people you specifically grant access to your project
     

  • Spotterfish files at rest are encrypted using 256-bit Advanced Encryption Standard (AES)

 

_______________________

This text was last updated 30 April 2020

SPOTTERFISH COOKIES POLICY

 

Effective: 30 April 2020

Hi and welcome to Spotterfish’s Cookies Policy (“Policy”). The purpose of the Policy is to provide you as a user with information about the cookies we use, the role they play and the choices you can make in your cookie settings.

WHAT ARE COOKIES?

Cookies are text files which are downloaded to your device when you visit a website. They are useful because they allow a website to recognise a user’s device. Cookies include a range of technologies, including:

  • pixel tags (transparent graphic images placed on a web page or in an email, which indicate that a page or email has been viewed);

  • mobile device identifiers; and

  • web storage used in desktops or mobile devices.
     

Cookies have various functions, e.g. enabling efficient navigation between pages and remembering preferences and improving user experience in general. Cookies can also assist so that online ads are more relevant to the individual user.

CATEGORIES OF COOKIES

There are a few different categories of cookies, including:

  • Session Cookies: cookies which expire once you close your web browser; 

  • Persistent Cookies: cookies which stay on your device for a set period of time or until deleted by you; 

  • First-party cookies: cookies set by the website that you are visiting at that time, either by us, or by a third party at our request;

  • Third-party cookies: cookies set by a party other than that of the website you are visiting. 
     

Cookies can also differ due to their respective purpose, including:

Strictly necessary cookies: cookies which are essential in order for you to use the features of our service. Without these cookies, the service cannot be provided. In summary, these cookies enable the service and make access and use of the agreed service possible; 

 

Performance cookies: cookies which collect information on how visitors use our service, e.g. which page visitors visit. These cookies collect anonymous information on visited pages. Information collected by these cookies is aggregated and anonymous. It is only used to improve the performance of our service. Web analytics using cookies to gather data to enhance the performance of a website fall into this category. For example, they may be used for testing designs and ensuring a consistent look and feel is maintained for the user; 

 

Functionality cookies: cookies which allow the website to remember choices you make (such as your user name, language or the region you are in) and enable enhanced features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of webpages that can be customised. The information collected by these cookies may be anonymised and they cannot track your browsing activity on other websites. These cookies remember choices you make to improve your experience. 

 

Advertising cookies: cookies used to deliver more relevant advertisements to the individual user. These cookies are also used to limit the number of times the user sees an advertisement as well as to measure effectiveness of advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. The cookies remember that you have visited a website and share this information with other parties, such as advertisers.

 

HOW DO WE USE COOKIES?

Spotterfish uses the types of cookies indicated above in the following manner:

Strictly Necessary: we use these cookies in order to operate the Service as contracted; 

Performance: we use cookies and other similar technologies to analyse how the Service is accessed, used or performing. We use this information to maintain, operate and improve the Service. We may also obtain information from our email newsletters or other communications, including whether you opened or forwarded a newsletter or clicked on any of its content. This information tells us about our newsletters' effectiveness and helps us ensure we are delivering relevant information.

 

Functional: we use these cookies to operate the Service according to your user preferences. For example, when you continue to use or come back to the Service, we can provide you with our service based on information you provide to us, such as remembering your user name, how you have customised our service, and reminding you of content you have enjoyed or listened to on the service previously.

 

Advertising: we use these cookies and other similar technologies to serve you with advertisements that may be relevant to you and your interests, including interest-based advertising (e.g. to ensure that we do not display the same advertisement repeatedly).

 

Third Party: we may allow our business partners to use cookies or other similar technologies on or outside the Service for the same purposes identified above, including collecting information about your online activities over time and across different websites, applications, and/or devices.

 

Spotterfish advertisements: we work with website publishers, application developers, advertising networks, and service providers to deliver advertisements and other content promoting Spotterfish on other websites and services. Cookies and other similar technologies may be used to serve you with advertisements that may be relevant to you and your interests on other websites, applications, and devices, and to regulate the advertisements you receive and measure their effectiveness.

 

 

HOW TO MANAGE YOUR COOKIE PREFERENCES

 

Browser Cookies

You can withdraw or modify your consent to our use of cookies at any time. If you no longer wish to receive cookies, you can use your web browser settings to accept, refuse and delete cookies. To do this, follow the instructions provided by your browser. Please note that if you set your browser to refuse cookies, you may not be able to use all features of the Spotterfish website. 

 

Cookies on the Desktop Application

You can withdraw your consent to our use of cookies on the desktop application at any time. If you no longer wish to receive cookies, navigate to your account settings page and turn on the cookies opt-out feature. Please note that if you set the desktop application to block cookies, then your experience may be affected. Please note that even if you opt out using the mechanisms above, you may still receive advertisements when using the Service.

 

UPDATES TO THIS POLICY

We may from time to time make changes to this Policy. In such case, we will provide you with prominent notice, e.g. by displaying this within the Service or by sending you an email. If you want to find out more about the Policy and how Spotterfish uses your personal data, please contact us at info@spotterfish.io

CONTACT DETAILS

Thank you for reading the Policy. If you have any questions, please contact us at the following address:

 

Spotterfish AB
Skedala Tallbacken 158
305 93 HALMSTAD
SE-
Sweden

 

Email us

SPOTTERFISH ACCEPTABLE USE POLICY

Effective: 30 April 2020

In order to run our service smoothly, we need help from you and the users not to abuse the Service. In this Acceptable Use Policy (“AUP”) we have tried to describe and list activities which are not permitted. We reserve the right to remove any content that we deem inconsistent with the AUP. You acknowledge that it is difficult to list all behaviour which constitutes misuse or abuse, and that the list below is therefore non-exclusive. 

You must not, and shall not allow or enable others to:

 

1.   use the service in a manner prohibited by law;

2.  violate the rights of third parties;

3.  try to gain unauthorized access to or disrupt any service or any device, data, account or network;

4.  compromise our systems or the service, including testing the vulnerability;

5.  use the service beyond stipulated use parameters or in a manner causing information overload, e.g. by imposing an unreasonably large load that consumes extraordinary resources (e.g. using robots or automated systems); 

6.  spam or distribute malware, or transmit or cause to be transmitted any viruses, worms, Trojan horses, time bombs, cancel bots or any other harmful, damaging or destructive programs or content;

7.  circumvent any security or authentication measures;

8.  disable, tamper with, or otherwise attempt to circumvent any billing mechanisms that meter use of the service, nor force any electronic barriers or locks which have been adapted for the purpose of protecting the service; or share or transfer any license key, password or other security device to any other user or any third party;

9.  make any correction, adjustment, modification, customization, addition, creation of derivative works (including but not limited to creating new or extending existing tables or databases) or in any other way using any portion of the service or any software related thereto, nor seek to decompile, reverse engineer, disassemble, decrypt, translate or unbundle the service or related software, or attempt to extract or in any other way recreate or derive the source code or review data structures or similar materials included therein or produced by it;

10.  publish any results of benchmark tests performed with respect to any portion of the service; 

11.  otherwise use the service in any manner for which it was not intended or act in any way that would negatively impact any of our rights in the service or that would deprive us, in whole or in part, of any fees to which we are entitled;

12.  misrepresent or disguise yourself (including “phishing”, impersonating anyone else or making false implications);

13.  violate the privacy of others, including publishing or posting private and confidential information about other persons without legal ground to do so; 

14.  use the service to stalk, harass or post threats of violence against others;

15.  use the service to generate or send unsolicited communications, advertising or spam;

16.  post, upload, share or submit content that infringes Spotterfish’s or a third party’s intellectual property or other rights, including copyrights, trademark, patents, trade secrets, moral rights, privacy rights or any other right;

17.  post, upload, share or submit any content which is fraudulent, illegal, defamatory, libelous, threatening, pornographic (including child pornography), harassing or hateful or which encourages illegal conduct or attacks others based on race, ethnicity, religion, sex, gender, sexual orientation, disability, or medical condition.

 

The term “content” means, for the purpose of this AUP: (1) any information, data, text, code, scripts, music, sound, photos, graphics, videos, messages, tags, interactive features, or other materials that you post, upload, share, submit, or otherwise provide in any manner to the services and (2) any other materials, content or data which you provide to Spotterfish or use with the service. Without affecting any other remedies available to us, Spotterfish may permanently or temporarily terminate or suspend your or any of your users’ account or access to the service without any notice or liability, in the event that Spotterfish (in its sole discretion) determines that this AUP has been violated. You will promptly notify us of any event or circumstance which may constitute or result in violation of the AUP of which you become aware (including any such circumstance which could lead to claims or demands against us) and will provide us with all relevant information relating to such event or circumstance at our request. 

 
 
 
 
 

©2020 by Spotterfish AB