PRIVACY POLICY



This Privacy Policy is meant to help you understand what data we collect, why we collect it, and what we do with it. Please, take time to read our Privacy policy carefully. We want to be clear how we’re using information and the ways in which you can protect your privacy.

This Privacy Policy applies to your Personal Data when you use the “Help a Paw” app (on iOS, Android or through the web) and does not apply to online websites or services that we do not own or control.

If you have any questions, please, contact us at help.a.paw@outlook.com


WHO WE ARE

The “Help a Paw” service is provided to you by an informal organization under the same name (referred to hereinafter as HaP), represented by Milen Marinov.

We take your right to privacy seriously and work continuously to keep the data we process minimized and in your control. Nevertheless, to enable you to use our services and to improve and secure them, we need to process some personal data. By using any of our services and/or registering an account you agree to have read and understood this Privacy Policy.


PERSONAL DATA WE COLLECT AND HOW WE USE IT

Personal data is data that describes and is linkable to someone as a person. We collect some personal data in order to provide the services to all our users. We will only process personal data for legal reasons, if we are obliged to do so by legal authorities. We don’t sell or otherwise distribute your personal data. We may share it with our selected service providers only when it is vital for the provision of our services as explicitly described below. We may process your personal data for the following purposes:

  1. Names – these are necessary for identification of each HaP Software User, using HaP Software. The main feature of HaP Software is to let users submit and receive signals about animals in need. To prevent abuse of the service it is necessary to identify the users submitting and editing signals. You can choose to use the software anonymously (without registering) in which case you will be able to only receive and view signals without modifying them.

  2. Email addresses – these are necessary for authenticating the HaP Software Users before allowing their access to the Software.

  3. Phone numbers - providing this data is optional during registration. If you choose to provide your phone number it will show on any signals that you submit with the goal of enabling other HaP Software Users to reach you faster in case any clarification about the signal is needed.

  4. Locations - this data is used to notify HaP Software Users of any signals in their proximity. You are free to deny access to this data at the operating system level in which case you will not receive the aforementioned notifications but will still be able to view the signals in any chosen area or submit new ones.

Data processing activities, listed above, are necessary for the performance of the services we offer through the Hap Software.

HaP shall not use any other personal data, entered or uploaded by HaP Software Users, except for categories of data, described above. HaP will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.


METHOD OF COLLECTION

Each HaP Software User provides personally the Personal data, entered manually in the Software or obtained after User permission from a third party service (e.g. Facebook, Google, etc.)

HaP Software Users are not allowed to enter third party personal data, including sign up a third party using their email address, without due authorization by such third party. HaP does not monitor or control the content, entered or uploaded by Users.


SECURITY MEASURES

We take appropriate technical and organisational measures to protect your personal data against loss or other forms of unlawful processing. We make sure that personal data is only accessible by only those who need access to do their job, and that they are properly trained and authorised. Our staff is required to conduct themselves in a manner consistent with the organization’s guidelines regarding confidentiality, ethics, and appropriate usage of data.


SUBPROCESSORS AND PROCESSING OUT OF EU

For providing quality services HaP engages third party service providers - Subprocessors, carefully selected according to their capacity for personal data protection and processing in compliance with HaP’s obligations under the GDPR. We provide personal data to our Subprocessors to process it for us, only based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Based on the above HaP stores and processes User Data out of EU, including in the United States of America, where some of HaP’s Subprocessors are based.

By using our Software and Services, you consent to your Personal Data being transferred to other countries, including countries that have different data protection rules than your country.

HaP uses as Subprocessors and User personal data may be transferred to the providers of the following services:

  1. Data processing and storage (Backendless)

  2. Crash reporting and analytics software (Google Firebase)

HaP may replace its Subprocessors from time to time following above rules of strict selection. Updated information about the list of current Subprocessors may be found at all times here in this Privacy Policy.

All our Subprocessors do not have any right to use the personal information we share with them beyond what is necessary to assist us in making our services possible.


INFORMATION WE SHARE

We do not share personal information with companies, organizations and individuals unless one of the following circumstances applies:

  1. With your consent - we will share personal information with companies, organizations or individuals when we have your consent to do so.

  2. For making some services possible – to third party processors, as described above

  3. For legal reasons - we will share personal information with companies, organizations or individuals, if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

We may share non-personally identifiable information publicly and with our partners. For example, we may share information publicly to show trends about the general use of our service.


YOUR RIGHTS

You have the right to request a copy of your personal details at any time, to check the accuracy of the information held and/or to correct or update this information. You may ask your personal information to be deleted completely, if no enquiry from you is in progress. You also have the right to complain when your personal data protection rights have been violated. For your convenience we have provided a full list of our rights in the last Section GDPR Subject Rights.

We will make reasonable efforts to provide you with reasonable access to any of your personal information we maintain or correct it within 30 days as of receipt of your access request.

Please, note that after deleting your information, you shall not be able to use adequately the HaP Services. Users have the right to delete User Data during the above term in a manner consistent with the functionality of the Services, if such deletion is in accordance with the GDPR (please, see Section GDPR Subject Rights). HaP will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless EU or Bulgarian law requires storage. Please, note that HaP may keep that information for legitimate business or legal purposes or be required (including by contract or GDPR) to keep certain of information and not delete it (or to keep this information for a certain time, in which case HaP will comply with the deletion request only after HaP has fulfilled such requirements).

If you wish to access, delete (when applicable) or correct your personal information please contact: help.a.paw (@) outlook.com. Please state clear in the subject that your request concerns a privacy matter, and more specific whether it is a request to access, correction or deletion. Bear in mind that we may ask for additional information to determine your identity.

We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical (for instance, requests concerning information residing on backup systems). Where we can provide information access and correction, we will do so for free, except where it would require a disproportionate effort.

If you file a privacy-related complaint, we will collect your name, email and country location and details that gave rise to your complaint. We will use the information you provide to investigate your complaint and to send you an answer once your complaint is reviewed.


SUPERVISORY AUTHORITY

If you think we have infringed your privacy rights, you can lodge a complaint with the supervisory authority of Bulgaria, which is the Commission for personal data protection. More information can be found at: www.cpdp.bg

You can also lodge your complaint in particular in the country where you live, your place of work or place where you believe we infringed your right(s).


=============================

GDPR SUBJECT RIGHTS

Right of access by the data subject

  1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

  3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

  4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

Right to restriction of processing

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

Notification obligation regarding rectification or erasure of personal data or restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability

  1. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  2. In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

  3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

  4. The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Right to object

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

  2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

  3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

  4. At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.

  5. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

  6. Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

Automated individual decision-making, including profiling

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

  2. Paragraph 1 shall not apply if the decision:

  3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

  4. Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.