PRIVACY RIGHTS POLICY
Last updated: January 25, 2023
Upclick Malta Limited dba Upclick Ltd. (“Company” or “we” or “us”) values the privacy rights of our users (“you” or “yours”). Thus, we have designed this Privacy Rights Policy (“Privacy Rights Policy” or “Policy”) as an overview of your rights regarding your personal data, under the following legislation:
- The EU General Data Protection Regulation (“GDPR”), which shall apply to you in the event you are a resident of the European Economic Area (“EEA”); and
- The California Privacy Rights Act of 2020 ("CPRA" or “Act”) which shall apply to you in the event you are a “California Resident”, as defined under the CPRA.
This Policy applies solely to your rights concerning Personal Data or Personal Information (as defined under the applicable law) processed by us. If you wish to submit a request to exercise any of your rights, please contact our Data Protection Officer at:
compliance@upclick.com or contact our Data Protection Officer at:
dpo@upclick.com.
Your Right to be Informed
You have the right to be informed with the Company’s details (e.g. name, address, etc.), as well as why and how we process Personal Data. This right includes, among others, the right to be informed with the identity of the business, the reasons and lawful basis for processing Personal Data, and additional information necessary to ensure the fair and transparent processing of Personal Data. Further, you have the right to be informed on the categories of Personal Information collected, sold, disclosed by us in the previous 12 months, therefore we ensure our privacy policy discloses all of the above and is updated every 12 months. Please see our privacy policy available at: https://www.upclick.com/privacy.html
Right to Access
You have a right to request us to confirm whether we process certain Personal Data related you, as well as a right to obtain a copy of such Personal Data, with additional information regarding how and why we use this Personal Data. After we receive such request, we will analyze and determine the veracity and appropriateness of the access request and provide you with the applicable confirmation of processing, the copy of the Personal Data or a description of the Personal Data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the Personal Data if not provided by you. Our response detailed above will be provided within the period required by law (please see additional information under “Response Timing and Format” below). Notwithstanding the above, note the GDPR and CPRA provide different protections, the GDPR enables access to all Personal Data processed by the controller, however the CPRA access right applies only to Personal Information collected in the 12 months prior to the request.
The Right of Rectification
The Company must ensure that all personal data that it holds and uses about a data subject is correct. If such data is not accurate, a data subject has the right to require that the Company updates such data so it is accurate. In addition, if the Company has passed on incorrect information about a data subject to a third party, the data subject also has a right to oblige the Company to inform those third parties that this information should be updated.
Erasure Rights ("right to be forgotten" or “right of deletion”, as applicable)
Data subjects have a right to require the Company to erase certain personal data if particular conditions are satisfied. The Company is legally obligated to comply with a request to delete personal data if: the data is no longer needed for the original purpose and no new lawful purpose exists for continued processing; the lawful basis for processing is consent of the data subject and such consent is withdrawn; the data subject exercises his or her right to object to the Company’s processing of his or her personal data, and the Company has no overriding grounds for processing the data; the personal data is processed unlawfully; or erasure of the data is necessary to comply with applicable laws. In addition, if the Company has passed on personal data to a third party, a data subject also has a right to oblige the Company to tell those third parties that the information should be erased. The right to erasure is not absolute. Even if a data subject falls into one of the categories described above, the Company is entitled to reject the data subject’s request and continue processing data if such processing is: necessary to comply with legal obligations; necessary to establish, exercise or defend legal claims; or is necessary for scientific research, etc.; necessary to perform a contract between you and us; necessary to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity; necessary to debug to identify and repair errors that impair existing intended functionality; and to enable solely internal uses that are reasonably aligned with your expectations based on the our relationship with you - all subject to applicable laws.
Right to Object
With regards to Personal Data processed by us under the lawful basis of our legitimate interests (such as direct marketing), you may object to our processing on such grounds. However, even if we receive your objection, we will be permitted to continue processing the Personal Data in the event that (subject to applicable laws and regulations):
- our legitimate interests for processing override your rights, interests and freedoms;
- the processing of such Personal Data is necessary to establish, exercise or defend a legal claim or right, etc.
The Right of Restriction
A data subject may limit the purposes for which the Company may process its personal data. The Company’s processing activities may be restricted if: the accuracy of the data is contested; processing is unlawful and data subject requests restriction instead of erasure; the Company no longer needs the data for its original purpose, but the data is still required to establish, exercise or defend legal rights; or consideration of overriding grounds in the context of an erasure request.
Data Portability
You may request us to send or "port" your Personal Data held by us to a third-party entity, however note, the GDPR and CPRA apply differently to this right, thus, we will handle this according to the jurisdiction you are subject to.
Do Not Sell
You have the right to know which data is sold, to whom and for what purpose. You also have the right to request the data not to be sold. Note, “selling” data under the CPRA includes any transfer of data for the purpose of receiving valuable goods.
Nondiscrimination
Under the CPRA, you must not be discriminated for exercising any of your rights, including by denied goods or services, charging you with different fees for goods or services, including through the use of discounts or other benefits or imposing penalties; suggested you will receive a different price or rate for goods or services.
Notwithstanding the above it is allowed to set up schemes for providing financial incentives and you can opt-in to become part of them.
Response Timing and Format
We endeavor to respond to a verifiable consumer request with undue delay and in any event within 30 days from the receipt of the request subject to GDPR and between 10-45 days from receipt of a request subject to CPRA. If we require more time, we will inform you of the reason and extension period in writing. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Further, note, under the CPRA your rights only apply to the Personal Information collected 12 months prior to the request and you are not entitled to submit more than 2 requests in a 12 months period.