Data processing agreement

This agreement is an integral part of our Terms of Service. The agreement establishes the procedure for the processing and exchange of personal data that you provide to us and that we process.

1.1. We refers to Netpeak LTD, a limited liability company with its principal place of business at 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ.

1.2. Service refers to the intellectual property rights object, specifically the computer program (software product) called "RINGOSTAT," which users can access via the internet at the website: https://ringostat.com.

1.3. You refers to each of our registered users and their employees and/or representatives who have been granted access to the Service and its functionalities via Account.

1.4. Contract refers to the Terms of use placed at the following link: https://ringostat.com/terms-of-use/

1.5. Agreement refers to this Data Processing Agreement.

1.6. Representatives refers to individuals participating in the conclusion, execution, and termination of the Contract on behalf of the respective party, including signatories, workers and experts engaged to ensure proper performance and exercise of rights under the Agreement. Each party independently determines the need and conditions for involving its representatives and remains fully responsible to the other party for their actions and their consequences.

1.7. Account refers to the tool that provides access to the Service via the internet. It contains information about the user, their means of access, identification, authentication, authorization procedures, account identifier, statistical data, and other information regarding Service usage and your actions. It also contains a virtual section of our website where you can configure, manage, and control the Service, select functionality, create and modify project settings, access usage statistics, and more. Access to the account is provided through the registration process in accordance to the Contract.

1.8. Project refers to a collection of information specified by the user and performed by the user in relation to the specific website, connection, or configuration of the Service. The Project is identified in the Account by indicating your website (websites), for which the Service has been connected and will be used.

1.9. Site encompasses any information resource on the Internet, consisting of a specific number of web pages, each with its own content and Internet address, and which is freely or conditionally accessible to users under a particular domain name. 

1.10. Your information refers to an extensive amount of information collected by you using the Service. This information is stored on the technical media of the Service, which collectively ensures the functioning of the Service. It may also be transmitted by us to relevant sub-processors in accordance with the Sub-processor list (located and accessible at the following link: https://ringostat.com/subprocessor-list/). Such amount of information includes personal data.

1.11. SCC refers to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at the following link: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.

1.12. Information about you includes data pertaining to: a) the email address registered to your Account; b) phone numbers that either belong to you or are used by you while utilizing the Service; c) the name, surname and position, of your representative, as provided during registration and in the Account; d) any other data that you may disclose to us during your use of the Service (for example, through communication with our technical support service). We recognize this information as the personal data of your representatives.

1.13. Our email refers to a specially created email address by us: [email protected], used for communication with data subjects regarding the collection and processing of their personal data, including processing instructions regarding personal data.

1.14. GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), available at the following link: https://eur-lex.europa.eu/eli/reg/2016/679/oj

1.15. The terms: "Personal data", "Sensitive data", "Controller", "Processor", "Processing", "Data subject consent", "Data subject" and "Personal data breach" carry the meanings as defined by the GDPR.

1.16. If you register and engage in a relationship with us as an individual, all provisions of the Agreement where the terms "you" and "representative" (in all declensions and cases) are used apply to you equally and carry the same legal force.

2.1. Data processing contexts.

The specificity of using the Service entails two contexts of personal data processing.

• Context 1: When you provide us with information about you and your own representatives.
• Context 2: When you provide us with information about your clients.

The specified contexts of personal data processing necessitate clarification of our respective roles. Therefore, let’s determine when and under which circumstances we assumes a specific role.

2.2. We are the controller. When we receive and process information about you (i.e., Context 1), we act as an independent controller as we independently determine the purposes and means of processing personal data of your representatives.

2.3. We are the processor. When we receive and process your information (i.e., Context 2), we act as a processor, and you act as the controller. In this context, you (either independently or in conjunction with other parties) determine the purposes and means of processing personal data of your clients (users, subscribers, etc.) that you collect or process through the Service. In this context, we merely provide you with the opportunity to use our Service, but we do not know and cannot know the purposes and methods for which you will use it.

In turn, your clients (users, subscribers, etc.), within the scope of your Project and depending on the situation, assume the following roles:

• Data subjects (e.g., if your user is an individual); 
• Processors (e.g., if your client provides you with data about data subjects but is not the controller of such transmitted data and has received the data from the respective controller as a third party); 
• Controller/Joint controller (if your client provides you with data about data subjects under predefined conditions regarding the purposes and means of processing such data, and the controller directly received the data from the data subject). 

However, regardless of the type of role your client assumes, you act as controllers in relation to us and within the use of the Service. Your role in processing personal data with your clients (users, subscribers, etc.) does not affect your role as a controller in your relationship with us when performing the Agreement, Contract, using the Service, and conducting the Project.

3.1. The purposes of processing Information about you. The processing of such information serves the following purposes: 

• Account registration;
• marketing and communication with you;
• fulfilling our obligations under the Agreement and Contract and providing support and/or ensuring the functionality of the Service for you;
• accounting, taxation, invoicing, auditing, and compliance with legal requirements;
• ensuring and/or enhancing the level of security of the Service; 
• investigating fraud, spam, improper or illegal use of the Service;
• improvement of the Service;
• other purposes expressly provided for by current legislation or a requirement of a governmental authority.

We acknowledge that any purposes not explicitly stated in this paragraph are limited to our own use. 

3.2. The purposes of processing Your information. As the controller, you independently determine these purposes. We do not modify, expand, or limit the list or scope of purposes for which you collect information from your customers, users, subscribers, etc., using the Service within the Project. We have no control over the specific purposes of personal data collection. However, we require you to ensure that the purposes for collecting and processing personal data, as determined by you, adhere to the legality criterion defined by the GDPR and comply with the applicable laws of the country where you and each of your users reside.

You agree, that if we become aware of your unlawful purposes for obtaining and/or processing such data through our Service, we will prohibit your use of the Service. In such cases, we may also contact third parties, including public authorities, as necessary and based on the circumstances. You acknowledge that, in accordance with this section, and for the protection of the rights or interests of third parties (data subjects) or to restore the situation preceding the violation:

• we may disclose any information about your information to third parties and government authorities (including data that forms part of the project, account, personal cabinet, and our communication with you);
• our actions (and any consequences thereof) shall not be considered a violation of your rights and/or interests.

4.1. The legal basis for processing of Information about you. We rely on consent of yours Representative to the processing of his or her personal data for one or more specific purposes stated in Section 3.1. of this Agreement. Both parties agree that registering an Account in the Service implies consent for personal data processing and constitutes complete acceptance of this Agreement. The parties consider the Agreement concluded from the moment an account is registered in the service until its cancellation;

4.2. The legal basis for processing of Your information. Your information - we require that you process personal information of your users using the Service based on one of the grounds specified in Article 6 of the GDPR, depending on the category of personal data, data subjects, and the type of data processing. Since we receive third-party data from you, we further require that any transfer of such data (as a processing activity) be based solely on the consent obtained from the data subject, in accordance with the purposes of processing determined by such consent. Additionally, you must provide proof to each data subject, whose personal data you provide to us, about our role as your processor (as outlined in the information list specified in Clause 1 and 2 of Article 14 of the GDPR).

5.1. Categories of Information about you.

We collect and process the following categories of personal data of your representatives:

• Identity Data: includes name, surname, middle name or patronymic, salutation.
• Contact Data: includes email address, phone number. 
• Financial Data: includes information about financial transactions, such as bank account details, credit card information, and payment history. 
• Biometric Data: includes voice recordings.
• Technical Data: includes information collected through automated means, such as IP addresses, device information, browsing history, and cookies.
• Employment Data: includes job title and employer information;
• Personal Preferences: this category encompasses personal preferences, interests, and characteristics, such as language preferences and marketing preferences.

5.2. Categories of Your information. We will process all categories of personal data that you provide to us. Since the accumulation of personal data on our servers occurs automatically during your use of the Service, we do not have real-time control over the categorization of such personal information by you.

6.1. Our processing of Information about you. We process information about you based on the following principles and grounds: 

• Lawfulness, fairness, and transparency: We process information about you based on your consent (Clause 4.1 of the Agreement), and this process is open and transparent. You (or your representatives) provide us with consent by ticking the appropriate banner next to the statement "I accept the terms of the SaaS Agreement and Privacy Policy" when registering and logging into your Account. You can withdraw your consent at any time by sending us a corresponding message to Our email;
• Purpose limitation: We receive and process data solely for the purposes stated in Clause 3.1 of the Agreement. 
• Data minimization: We receive and process only the amount of data (Clause 5.1 of the Agreement) necessary to achieve our defined purposes; 
• Accuracy: We enable you to maintain the accuracy of your personal data and will update them when necessary. You can do this yourself in your Account or provide us with instructions by sending them to Our email;
• Storage limitation: We retain the received personal data only for the necessary period to achieve the defined purposes. Data retention periods are established in Clause 6.9 of the Agreement;
• Integrity and confidentiality: We ensure an appropriate level of protection for the personal data we receive, safeguarding them against unauthorized access, loss, or damage (Section 8 of the Agreement).
• Accountability: We are responsible for complying with the terms of the Agreement, ensuring proper processing of personal data, and ensuring our activities align with the requirements of the GDPR. 

6.2. Your instructions. We process Your information based on your instructions. Your instructions encompass the actions and settings performed within the Project using the Account of the Service, as well as the instructions sent directly to us via email or call. However, if we are unable to fulfill any of your instructions regarding the processing of personal data at any point during our cooperation, we will notify you of the impossibility and may refuse further use of the personal data received from you, limiting the use of the Service accordingly. In such cases, we will delete all personal data received from you, and you acknowledge that our actions cannot be considered a violation of your rights and/or interests or cause harm.

Regardless of the flow of personal data from the data subject to you, you guarantee and undertake that upon receiving a notification from the data subject regarding the exercise of any of their legal rights (if such exercise pertains to the data we received from you and process) in accordance with the GDPR, particularly Articles 15-21, you will promptly, but no later than 10 business days from the date of receiving such notification, inform us about the receipt of the notification and its content. This allows us to comply with the data subject's rights to manage their personal data. Furthermore, you agree that in the event of your breach of this obligation, and if such breach directly or indirectly causes damages to us, including any penalties, you shall indemnify us for such damages in full within 10 business days from the date of receiving our initial claims.

This clause of the Agreement also applies to situations where we directly receive a relevant notification from the data subject or their authorized representative. In such cases, we undertake to inform you of the receipt of such a message and its content within 10 business days from the moment of receiving it. We will act in accordance with your instructions and the provisions of the GDPR. If we do not receive instructions from you or if the instructions received do not comply with the provisions of the GDPR, we reserve the right to delete the data volume associated with the received message from the data subject from our servers. In some cases, we may consider such data volume as disputed since we cannot ascertain whether the requester of the message is a data subject under the definition provided in the GDPR.

6.3. Your obligation. As you are the controller of Your information, we require you to comply with the obligations set forth by the GDPR, the local legislation of your country of residence, or the legislation applicable to each of your users. Specifically, you are expected to respect the rights, such as the right to be forgotten, of each data subject who is your user or whose personal data you provide to us.

6.4. Data providing and control. You provide us with data through the functionalities of the Service's Account while working on the Project. It is within your discretion to determine the extent of data you transmit to the Service. Furthermore, you have autonomous control over all your personal data, including Your information and Information about you, through your account of the Service. 

6.5. Sub-processing. The parties mutually agree and acknowledge that we are authorized to transfer Your information and the Information about you to our sub-processors, as specified and in accordance with our Sub-processor List, which is accessible at the following link: https://ringostat.com/subprocessor-list/.

Furthermore, you confirm and warrant that such transfer of the aforementioned information: 

• is based on the consent obtained by you from the data subject whose data we receive from you; 
• does not infringe upon your rights/interests or the rights of the data subjects whose personal information you have provided to us; and that you have obtained consent from each data subject.

6.6. Warranties regarding the processing of personal data. You guarantee us and, by agreeing to this Agreement, you commit to comply with all GDPR requirements when providing us with personal data and when collecting personal data through the Service. If at any time you fail to meet the GDPR requirements, you are obligated to immediately notify us and cease the use of the Service. 

6.7. Our warranties. We also guarantee and commit to complying with GDPR requirements and notifying you in case of any non-compliance. 

6.8. Automated Decision-Making. We do not use Automated Decision-Making technologies and/or algorithms in our Service.

6.9. Processing Period. The commencement of the processing period of your personal data shall be the day on which you accepted the terms of this Agreement. The termination of the processing period for personal data, depending on the circumstances, shall be:

• The last calendar day of the fifth year from the day you last used our Service.
• The day you withdraw your consent for the processing of personal data.

6.10. Liability. Both parties to the agreement are fully responsible, in all applicable cases, for ensuring that the collection and processing of personal data comply with GDPR requirements, as well as for any consequences resulting from the breach of GDPR provisions by either party.

7.1. Right to Information: the right to receive clear and understandable information about what personal data is being collected, how it is used, with whom it may be disclosed, and how long it will be retained. All of this information consists at scope of our documents: Privacy Policy, Agreement, Cookie Policy and Sub-processor list. You and your Representatives may also always contact us with any request regarding your personal data at the Our email;

7.2. Right to Access: the right to request a copy of Your and Representatives personal data held by Us and obtain information about its processing. To exercise this right, please contact us via email at Our email and we will provide you with a copy of your personal data;

7.3. Right to rectification: the right to request the correction of inaccurate or incomplete personal data concerning them. You can do this yourself in your Account or provide us with instructions by sending them to Our email;

7.4. Right to erasure (Right to be Forgotten): the right to request the deletion of Your and your Representatives personal data when it is no longer necessary for the purposes for which it was collected or when You or Your Representative withdraws Your/their consent. You can do this yourself in your Account or provide us with instructions by sending them to Our email;

7.5. Right to Restriction of Processing: the right to restrict the processing of Your and your Representatives personal data under certain circumstances, such as disputing the accuracy of the data or the lawfulness of its processing. To exercise this right, please contact us via email at Our email and we will restrict Your or your Representatives personal data in accordance with your/their instructions;

7.6. Right to Data Portability: the right to receive their personal data in a structured, commonly used, and machine-readable format and transmit it to another organization, where technically feasible. To exercise this right, please contact us via email at Our email and we will provide you with a copy of your personal data.

Right to Withdraw Consent: the right to withdraw Your or your Representatives consent at any time. You can withdraw your consent at any time by sending us a corresponding message to Our email; 

7.7. Right to Object: the right to object to the processing of Your and/or your Representative personal data based on our legitimate grounds. For example, this may occur when You and/or your Representatives believe that the processing of your/their data infringes upon their rights and freedoms, or when you/they do not wish their data to be used for direct marketing purposes. To exercise this right, please contact us via email at Our email and we will provide you with a copy of your personal data.

7.8. Right to Lodge a Complaint: the right to lodge a complaint with the relevant data protection authority if You/your Representatives believe that your/their rights regarding the protection of personal data are violated. In such cases, you have the right to lodge a complaint with the relevant supervisory authorities without any limitations. Here is a list of all the supervisory authorities responsible for personal data protection in the EU: https://edpb.europa.eu/about-edpb/about-edpb/members_en. 

8.1. The legal effect of this section of the Agreement. The Parties have agreed that in the event you are an individual or a legal entity who, at the time of entering into this Agreement, is a resident of a third country that does not have the status of a state with an adequate level of personal data protection (meaning a country for which there is no implementing act adopted by the Commission, that such third country, its territory, or one or more specified sectors within such third country, or an international organization provides an adequate level of data protection), the processing of personal data shall be governed in accordance with this section of the Agreement, the legal effect of which extends to the relationship between the parties regarding the exchange of personal data.

8.2. Transfer Mechanism. The parties acknowledge that, according to Article 46(2)(с) of the GDPR, the sole applicable mechanism for the transfer of personal data between the parties is the application of the SCC.

8.3. Conflicting Provisions of the Agreement. In the event that the provisions of this section, in accordance with section 8.1 of the Agreement, apply to the relationship between the Parties, the Parties agree that such relations shall be governed by the provisions of this section. In the case of any inconsistencies between the provisions of this section and other terms of the Agreement, the provisions of this section shall prevail legally in such conflicts. Any matters not addressed by the provisions of this section shall be regulated in accordance with other terms of the Agreement.

8.4. Incorporation by reference.  By accepting the Agreement, the Parties acknowledge that each of them: 

• has unrestricted access to the content of the SCC;
• prior to accepting this Agreement, independently or with the involvement of relevant consultants, has reviewed, understood (i.e., each Party confirms the clarity and transparency of the clauses and modules of the SCC), and is familiar with the terms of the SCC, to which reference is made in this Agreement; 
• recognizes that each reference in this Agreement to any provision of any module of the SCC is incorporated into the content of this Agreement; 
• accepts the terms of both the Agreement itself and those references and modules of the SCC to which reference is made in this Agreement; 
• recognizes each and every reference to the SCC as adequate and consistent with the context of the Agreement;
• fully accepts all the obligations arising from the provisions of the SCC referred to in this agreement and assumes full responsibility for their execution.

8.5. Equal Interpretation. The Parties agree to interpret references in this Agreement to the provisions of SCC as follows:

• If the reference is to a specific section/clause/module of the SCC without specifying individual provisions within that section/clause/module - it is considered that this agreement is supplemented by the entire content of that section/clause/module of the SCC with all the provisions contained therein (general provision); 
• If the reference is to a specific section/clause/module of the SCC with the specification of individual provisions within that section/clause/module - it is considered that this agreement is supplemented exclusively by the content of those provisions of the section/clause/module to which specific references are made (specified provision), and all other provisions of the respective section/clause/module, for which specifying references are absent, are deemed not included in the text of this agreement;
• In the case where a specific section/clause/module of the SCC offers a choice of using optional provisions (or requires clarification/completion) - it is considered that the parties have chosen the optional provision (or requires clarification/completion) of the respective section/clause/module of the SCC to which a specific reference is made in the text, or the text itself specifies such optional provision (for example, optional governing law determination according to module 3 and 4 of clause 17 of Section IV of the SCC).

8.6. Status of Parties and Application of SCC provisions:  ‍

• When both parties are independent controllers, the following provisions of the SCC apply: 
  ‍
  [SECTION I]; [SECTION II: Clause 8, Module 1; Clause 10, Module I; Clause 11(a)]; [SECTION IV: Clause 16]
  
• When one party is a Controller transferring data to another party acting as a Processor, the following provisions of the SCC apply: 
  ‍
  [SECTION I]; [SECTION II: Clause 8, Module 2; Clause 9, Module 3(a), OPTION 2: ‘thirty calendar days’, Module 3(b – e); Clause 10, Module 3; Clause 11(a)]; [SECTION IV: Clause 16]
• When one party is a Processor transferring data to another party acting as a Controller, the following provisions of the SCC apply: 
  ‍
  [SECTION I]; [SECTION II: Clause 8, Module 4; Clause 10, Module 4; Clause 11(a); Clause 12, Module 4]; [SECTION III: Clause 14, Module 4; Clause 15, module 4]; [SECTION IV: Clause 16; Clause 17, module 4, OPTION 1: ‘Bulgaria’; Clause 18, module 4: ‘Bulgaria’]

9.1. Considering the current advancements in technology, implementation costs, nature, scope, context, and purposes of the Processing, as well as the varying risks associated with potential harm and the severity of such harm (its impact) on the rights and freedoms of data subjects, we employ suitable technical and organizational measures to ensure an appropriate level of security commensurate with these risks. These measures may include those outlined in Article 32(1) of the GDPR. 

9.2. During the provision of the Service, we assess the appropriate level of security by taking into account the risks associated with the Processing, particularly those arising from potential breaches of personal data security. 

9.3. Privacy of communication. We guarantee the security of the content of your communication that forms part of Your information. Specifically, without your instruction (e.g., when providing technical assistance to reproduce a conversation with your client) and request (unless otherwise stipulated in clause 5.3 of the Agreement or as expressly required by applicable law), we commit to refraining from interfering with the content of such communication. We recognize the limitations on our rights to listen, review, modify, access, or edit the content of communications recorded within the Project using the Service. 

9.4. Actions in the event of a Personal data breach. We pledge to promptly notify you upon becoming aware of a Personal Data security breach (a security incident) that adversely affects Your information and/or Information about you. In such cases, we will provide you with all available information concerning the security incident, enabling you to fulfill any obligations to notify or inform Data Subjects, supervisory and/or regulatory authorities about the personal data breach in accordance with the GDPR. We will send this notification to the email address associated with your Account. 

9.5. Audit. We grant you the right, and warrant your entitlement, to request and receive all necessary information to demonstrate our compliance with this Agreement. Furthermore, we will reasonably facilitate audits conducted by you or an auditor engaged by you, to assess the lawfulness of our processing of Personal Data received from you. Should you wish to conduct an audit, you are required to provide us with advance notice of no less than 15 business days before the scheduled date of the audit, unless obtaining the necessary information regarding our compliance with the GDPR is otherwise impossible.

10.1. Changes. In line with our ongoing efforts to enhance personal data processing procedures and expand the features of the Service, you acknowledge and agree that we retain the right to modify this Agreement at our sole discretion, at any time. We will inform you about any changes by sending a notification to the email address associated with your Account. Additionally, if you have opted out of receiving such email notifications, we will provide a link on this page to access the previous version of the Agreement at the time of each update.

10.2. Protection Officer: 
‍
YURII BONDAR
Email: [email protected] 
Address: 41 Devonshire Street, Ground Floor, London, United Kingdom, W1G 7AJ‍

10.3. Our EU representative:

NETPEAK EOOD (LTD) 
Email: [email protected]
‍Legal address: 47 Cherni vrah blvd., 1407 Sofia, Bulgaria