CS.DEALS Privacy Policy
Last Updated: June 6th 2023
Introduction
Your privacy matters to us.
This privacy policy (the “Privacy Policy”) sets out the way Shooriboom Holdings Ltd, a company registered in Cyprus under registration number HE437847, with office address at 48 Archangelou Avenue, 1st Floor, Engomi, 2404, Nicosia, Cyprus (hereinafter referred to as the “Company” or the “controller” or “we” or “us”) collects, process and shares your personal data which you provide us and which we otherwise collect during the course of our business, including via our website www.cs.deals (the “Marketplace”), email communications, digital platforms and other applications (together the “Technology Tools”).
You have the right to be provided with clear, transparent and easily understandable information about how we use your personal data and your rights. We encourage you to read it in full.
We do not process any personal data when you merely browse our Marketplace website; however, when you actively use our Services (as this term is defined in our User Agreement), we shall need to process your personal data.
By using our Services, you are confirming that you have carefully read and understood the contents of this Privacy Policy.
The processing of any personal data you provide to us, such as your full name, age, address, email address, or telephone number shall always be in compliance with the General Data Protection Regulation (2016/679) as amended from time to time (hereinafter referred to as the “GDPR”) and any other data protection regulations under applicable law.
Section 1 – Definitions
1.1 Our Privacy Policy uses terminology as defined by the European legislator pursuant to GDPR.
1.2 In this Privacy Policy, the following definitions are being used:
o “consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
o “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
o “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
o “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
o “processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
o “profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
o “pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
o “recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
o “restriction of processing” means the marking of stored personal data with the aim of limiting their processing in the future;
o “third party” means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
Section 2 – Purposes for Collecting Personal Data
2.1. We may only process your personal data for purposes relating to ensuring that we provide the best possible user experience and may include:
2.1.1. to get in touch with you with questions or suggestions;
2.1.2. to provide the best possible user experience on our Marketplace;
2.1.3. to deliver the content of our Marketplace correctly;
2.1.4. to provide Services to you via our Marketplace;
2.1.5. to optimise the content of our Marketplace, whether through marketing/advertising or individual suggestions;
2.1.6. to ensure the long-term viability of our information technology systems and website technology; and
2.1.7. to detect fraudulent or illegal activities and where necessary, prosecute and/or provide law enforcement authorities with any information necessary to prosecute any individual that may be involved in fraudulent or illegal activities.
2.2. We may only process your personal data where we have a legal basis, in accordance with GDPR.
2.3. The legal basis which we rely on in order to process your personal data, is:
2.3.1. where you have given us your consent (Art. 6 (a) GDPR);
2.3.2. where it is necessary to provide services to you under the performance of the contract we have with you (Art. 6 (b) GDPR);
2.3.3. where we are required to do so in accordance with legal or regulatory obligations (Art. 6 (c) GDPR); and
2.3.4. where it is in our legitimate interests to process your personal data, provided that none of these interests prejudice your own rights, freedoms and interests (Art. 6 (f) GDPR).
2.4. See below a table of the “Purposes/Activities” for which we (including any of our partners, agents, sub-contractors and/or employees) process your data, the legal basis on which we carry out such processing and the respective retention period:
|
Purpose/Activity
|
Legal basis
|
Retention period
|
Purchases and Payment
|
Users can purchase virtual good through our Marketplace. To do so they provide us with their details during the ordering process. Such data is entered into an input mask and is transmitted to us and stored. Further, the information users provide us is passed on to our payment processor Adyen N.V. and/or any other payment service provider(s) who are responsible for the processing of transactions. Adyen N.V., a processor within the meaning of GDPR, is solely responsible for the manner in which they process such data and thus users shall also consult its privacy policy available here.
The following data is collected:
o full name
o residential address
o email
o date of birth
o payment details
|
We process such data because it is necessary to provide services to you under the performance of the supply of goods contract we have with you (Art. 6 (b) GDPR).
|
We retain such data for as long as necessary to complete payment, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may retain the data we collected for future payment purposes if you provide your consent to that effect, otherwise it will be deleted. In the event that you wish to delete your account or it may be suspended by us due to a violation, the data processed for the purpose payment will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
Marketplace
Website
|
Upon each call-up of the Marketplace website, we collect the personal data that your browser automatically transmits to our server and temporarily store it in the log files of the server. Such data is collected so that our Marketplace is able to operate correctly and can provide users with a personalised experience.
The following data is collected:
o the date and time you accessed the Marketplace website
o the Internet Protocol (IP) address of your device
o the internet service provider of your accessing system
o the browser you use
o the operating system of your device
o your access provider
o name and URL of files we retrieve
o the website from which you accessed our Marketplace website (referrer URL)
o the sub-websites
o any other similar data that we may collect to make our information technology (IT) systems safer in the event of any attacks
|
It is in our legitimate interests to process such data for the provision of our services, provided that none of these interests prejudice your own rights, freedoms and interests (Art. 6 (f) GDPR).
|
We retain such data until the purpose for which the data was collected is fulfilled. Upon fulfilment of such purpose, the data is deleted from our records. The abovementioned data is vital for the operation of our Marketplace website and so users cannot object to such processing and storing. Such data may be retained for longer periods if this is required by applicable law.
|
Registration
|
When you register an account with us you provide us with some personal data (e.g. name, email address) so that we can set up and verify your account and be able to contact you. Please note that such details can be provided to authorities in the event of an investigation.
|
We process such data because you have given your consent during the registration process (Art. 6 (a) GDPR).
|
We retain such data until the purpose for which the data was collected is fulfilled. Upon fulfilment of such purpose, the data is deleted from our records. You may change your details by contacting us and we will delete the old and retain the new details you provide us. You can also delete your account or it may be suspended by us due to a violation, in which case the data processed for the purpose of registration will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
AML/KYC Procedures
|
When you register an account with us and in any other case as required by our AML & KYC policy, we request that you provide us with personal information for purposes including but not limited to ensuring compliance with AML & KYC standards under applicable law. Such data is entered into an input mask and is transmitted to us and stored.
The data we collect includes:
o full name
o date of birth
o residential address
o email
o payment details
o ID/Passport number or copy
o citizenship
o utility bill
o bank statement
We pass on such data to our payment processor Adyen N.V and/or any other payment service provider(s), and they may collect any additional data themselves for the purposes of their respective AML & KYC procedures.
|
We process such data because it is necessary for compliance with legal or regulatory obligations we are subject to under AML & KYC applicable law standards (Art. 6 (c) GDPR).
|
We retain such data until the purpose for which the data was collected is fulfilled. Upon fulfilment of such purpose, the data is deleted from our records. In the event that you inform us regarding the change of any of the above information we will delete the old data and retain the new. In the event that your account is deleted by you or suspended by us due to a violation, data processed for AML & KYC purposes will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
Newsletter
|
Users have the option to subscribe to our email newsletter to stay informed with our news and offers. For registration purposes, we collect your email address, your IP address and the date and time of registration. Such data is entered into an input mask and is transmitted to us and stored.
We use the double opt-in procedure to verify a data subject’s email address. Upon subscription to our newsletter, a confirmation email will be sent to the email address registered by the data subject which will contain a link to that effect. This is done to ensure that only the data subject is authorised to receive our newsletter.
Our newsletter can contain so-called tracking pixels. A tracking pixel is a miniature graphic embedded in such emails, which are sent in HTML format to enable log file recording and analysis. This allows a statistical analysis of the success or failure of online marketing campaigns. Based on the embedded tracking pixel, we may see if and when an email was opened by a data subject, and which links in the email were called up by data subjects. Such personal data collected in the tracking pixels contained in the newsletters are stored and analysed by the controller in order to optimise the shipping of the newsletter, as well as to adapt the content of future newsletters even better to the interests of the data subject.
The personal data collected as part of subscription to the newsletter will be used for the sole purpose of sending our newsletter. There will be no transfer of personal data collected by the newsletter service to third parties.
|
We process such data because you have given your consent for this specific purpose during your subscription to our newsletter (Art. 6 (a) GDPR).
|
We retain such data for as long as you remain subscribed to our newsletter. If you wish to unsubscribe from our newsletter a corresponding link can be found in each newsletter or you can otherwise inform the controller for that purpose. We will delete the data collected for this purpose when you unsubscribe from our newsletter. In the event that you wish to delete your account or it may be suspended by us due to a violation, the data processed for the purpose of sending you our newsletter will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
Contact form
|
Our Marketplace website contains a “contact us” functionality that enables users to get in touch with us. The personal data transmitted via the contact form (i.e. name and email address) is automatically stored in our records. Such data is stored solely for the purpose of responding to the data subject and will not be transmitted to third parties.
|
We process such data because you have given your consent for this specific purpose when you send your inquiry via the contact form (Art. 6 (a) GDPR).
|
We retain such data until your inquiry is resolved. In the event that you wish to delete your account or it may be suspended by us due to a violation, the data processed for the purpose of responding to your inquiry will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
Cookies
|
Our Marketplace website uses cookies to provide a user-friendly experience. Cookies are small text files stored on the browser of your device when you visit certain websites.
Most cookies contain a unique identifier called a cookie ID which consists of a string of characters that websites and servers associate with the browser on which the cookie is stored. This allows websites and servers to distinguish the browser from other browsers that store different cookies, and to recognise each browser by its unique cookie ID.
Cookies can be used by us to collect information about websites visited and content viewed by you, links and buttons clicked, URLs visited before and after you visit our Marketplace website. This allows us to provide an easier and more personalised experience to users. For example, when users accept the cookies of our Marketplace website, they will not have to fill in their details every time they want to log-in their account, they won’t have to change country and language settings, items they put in their shopping cart will remain there until they purchase or remove them etc. Further, the use of cookies allows us to understand a user’s behaviour, for example we can see the frequency of visits to certain parts of our Marketplace website and can target our advertisements around their interests.
The data subject can change their cookie settings ( i.e. deny some or all non-essential cookies, delete previous cookies) via their browser at any time. Please note that you may no longer be able to use all the functions of our Marketplace if you deny the setting of cookies.
|
We process such data as it is in our legitimate interests to provide users with a better experience while using our Marketplace website, provided that none of these interests prejudice your own rights, freedoms and interests (Art. 6 (f) GDPR).
Further, if the data subject has given us their consent to the use of cookies via the banner appearing on our Marketplace website, another legal basis for the processing of their data is due to consent under Art. 6 (a) GDPR.
|
We retain such data until the purpose for which the data was collected is fulfilled or until the data subject deletes the cookies from their browser. Upon fulfilment of such purpose, the data is deleted from our records. In the event that you wish to delete your account or it may be suspended by us due to a violation, the data processed for the purpose of cookies will be deleted. Such data may be retained for longer periods if this is required by applicable law.
|
Section 3 – Your Rights
3.1. Under certain circumstances, you have rights concerning your personal data, granted to you by the European Legislator.
You have a right to…
|
Access
(Art. 15 GDPR)
|
Obtain from the controller confirmation about whether your personal data are being processed, and if that is the case, you can request access to the following information:
o the purposes of the processing;
o the categories of personal data concerned;
o the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
o where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
o the existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing;
o the existence of the right to lodge a complaint with a supervisory authority;
o where the personal data are not collected from the data subject, any available information as to their source;
o the existence of automated decision-making, including profiling, and at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
|
Rectification
(Art.16 GDPR)
|
Have inaccurate personal data rectified and incomplete personal data completed.
|
Erasure
(Art. 17 GDPR)
|
Have certain personal data erased, where one of the following grounds applies and as long as processing is not necessary:
o where you have withdrawn your consent on which the processing is based, and where there is no other legal ground for the processing;
o where you have objected to the processing and there are no overriding legitimate grounds for the processing;
o where your personal data have been unlawfully processed;
o where your personal data must be erased for compliance with a legal obligation;
o where your personal data have been collected in relation to the offer of information society services.
Where the controller has made personal data public and is obliged to erase it because one of the abovementioned grounds applies, the controller shall inform other controllers processing the personal data that the data subject has requested erasure of such data and of any links to, or copy or replication of, those personal data, as long as processing is not necessary.
|
Restriction
(Art. 18 GDPR)
|
Request that we stop processing all or some of your personal data where one of the following applies:
o You have contested the accuracy of the personal data that we hold, for a period enabling the controller to verify the accuracy of the personal data.
o The processing is unlawful and you have opposed the erasure of the personal data and have requested instead the restriction of their use instead.
o The controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims.
o You have objected to processing and we are assessing your objection request based on whether the legitimate grounds of the controller override yours.
|
Data portability
(Art. 20 GDPR)
|
Receive a copy of your personal data in a structured, commonly used and machine-readable format. You shall have the right to transmit that personal data to another controller, where:
o you initially provided consent for us to use or where we used the information to perform a contract with you; and
o the processing is carried out by automated means;
o the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
|
Object
(Art. 21 GDPR)
|
Object, on grounds relating to your particular situation, at any time, to processing of your personal data, including in cases of profiling.
You can do this if:
- We are processing your personal data on the legal basis of legitimate interests, or
- We are processing your personal data for direct marketing purposes,
- We are processing your data for scientific or historical research purposes or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
However, please note that we may still process your personal data where there are other relevant lawful bases or where we have compelling grounds to continue processing your personal data in our interests which are not overridden by your rights, interests or freedoms.
|
Not be subject to automated decision making
(Art. 22 GDPR)
|
Not be subject to a decision based solely on automated processing (decisions without human involvement), including profiling, which produces legal effects concerning you, or similarly significantly affects you, as long as the decision:
o is not necessary for entering into, or the performance of, a contract between the you and the controller, or
o is not authorised by European Union law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
o is not based on your explicit consent.
|
Withdraw consent
(Art. 7 (3) GDPR)
|
Withdraw your consent to processing of your personal data at any time.
|
Lodge a complaint
(Art. 77 GDPR)
|
Lodge a complaint with a supervisory authority in the place of your habitual residence, place of work or place of the alleged infringement.
The supervisory authority in Cyprus is the Commissioner for Personal Data Protection and you can find more details here.
We would appreciate it if you first contact us to resolve any concerns before you approach the supervisory authority.
|
3.2. If you would like to exercise any of your rights, you can do so by contacting us as at [email protected]. Please note that while we will try to accommodate any request you may make relating to your rights, such rights are not absolute rights. This means that we may have to refuse your request or may only be able to comply with it in part. We will not charge any fees when you request to exercise any of your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
3.3. Where you make a request in respect of your rights, we will require proof of identification. We may also ask that you clarify your request. If we receive repeated requests or have reason to believe requests are being made unreasonably, we reserve the right not to respond.
Section 4 – Disclosure of Personal Data to Third Parties
4.1. We may, for the Purposes/Activities listed in section 2 of this Policy, disclose your information to the following recipients:
4.1.1. our payment processor Adyen N.V. and/or any other payment service provider(s);
4.1.2. our suppliers;
4.1.3. advertising and marketing partners;
4.1.4. our auditors and other advisors;
4.1.5. law enforcement;
4.1.6. purchasers of our business; and
4.1.7. any other partner or third party which assists us in providing our Services or which otherwise has a lawful basis to know such information.
Section 5 – Analytics
5.1. We may receive personal data about you such as the number and frequency of visits you make to our website, your geographic location, internet protocol (IP) address, your operating system and browser type and the search terms you use, from our analytics providers such as Google Analytics.
5.2. We obtain such information via the use of analysis tools which allow us to statistically analyse visitors' usage of our website and use the acquired information to improve our website and Services.
5.3. The use of such analysis tools is justified under Art. 6 (a) GDPR because of the consent that users provide to us when they accept the use of cookies.
Section 6 – Cross-border Data Transfers
6.1. Because of the global nature of our business, we may transfer personal data to recipients established outside the European Economic Era (“EEA”) for the Purposes/Activities listed in section 2 of this Policy.
6.2. Where personal data is transferred to other countries in which applicable laws do not offer the same level of data protection as afforded in the EEA under GDPR and any other applicable privacy laws, we take measures to make sure that personal data is stored and processed securely. For example, our written agreement with such processors will include Standard Contractual Clauses (SCC) which are approved by the European Commission and offer data subjects the same protection they would have had in the EEA.
Section 7 – Retention of Personal Data and Erasure
7.1. The controller shall process and retain the personal data of the data subject only for the period necessary to fulfil the purpose for which the data was collected. In certain occasion we may retain such data for additional periods as permitted by applicable law (e.g. for legal, tax, accounting or auditing purposes, or to detect illegal activity). In any case the data will not be retained for a period of more than 5 years.
7.2. Upon fulfilment of the respective purpose for which the data was collected or upon the expiry of any additional period permitted by applicable law, the data of the data subject are routinely blocked or erased in accordance with legal requirements.
7.3. In certain occasions such as for research or statistical purposes, we may take steps to render the data anonymous (so it can no longer be associated to the data subject), in which case we may use this information indefinitely without further notice to you.
Section 8 – Data Security
8.1. We are committed to protecting our users' personal data. We have put in place appropriate technical and organisational security measures and follow industry standards that ensure the security of your personal data. Some of these measures include pseudonymisation, encryption, training our employees on preventing and dealing with data breaches, access, and retention policies. However, you should be aware that no system is ever secure in its entirety.
8.2. There are things you can do to protect the security of your data as well. Your account information is protected by a password. We encourage you to take measures to protect your account and information from unauthorised access by carefully choosing a strong password which you only use for your user account, keeping your password and computer secure and signing out after using your account on a shared device.
Section 9 – Your duty to inform us of any changes to your personal data
9.1. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal information changes during your access to the Service.
Section 10 – Amendments to this Policy
10.1. We reserve the right to make changes to our Privacy Policy at any time, without prior notice and for any reason. The updated version of the Policy will be indicated by an updated “Revised” date and the updated version will be effective as soon as it is accessible. You are responsible for reviewing and becoming familiar with the Policy to stay informed of any updates.
Section 11 – Contact us
11.1. If you have any questions about this Privacy Policy, please contact our Data Protection Office at [email protected].