This Policy applies solely to personal data processed by Festivality. This Policy does not apply to any linked sites or third-party services and we are not responsible for the content or privacy and security practices and policies of any sites or third-party services that are linked to from the Website or the Festivality Platform and Services.
Personal data is understood as any information that identifies a natural person data subject (“you”). Any capitalised terms used herein should be understood as defined in the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data), unless otherwise defined herein.
FESTIVALITY’S ROLE IN PROCESSING
Please also note that any content (including any personal data therein) submitted to Festivality by the Organiser, Visitor, Merchant or any third party belongs to the respective Organiser, Visitor, Merchant or third party (collectively, “User Content”). User Content should not contain any personal data. Because we do not collect or determine the use of any personal data contained in the User Content and the Event Application and because we do not determine the purposes for which such personal data is collected, the means of collecting such personal data, or the uses of such data, we are not acting in the capacity of data controller in terms of such personal data and should be considered only as a data processor on behalf of its users.
COLLECTING YOUR PERSONAL DATA
For Organisers and Merchants, the use of the Festivality Platform and Services is only available upon registration. Any Guests and Visitors may also use the Website and the Festivality Platform and Services without registration. However, please note that certain features of the Event Application are only available for registered Visitors.
We collect your personal data in the following ways:
- you provide us your personal data yourself on the Website or via Festivality Platform (e.g. by creating or modifying an account);
- your personal data is provided to us by the Organiser;
PERSONAL DATA PROCESSED AND THE PURPOSES AND LEGAL BASIS FOR PROCESSING
We mainly process your personal data for the purpose of providing the Services. This includes providing customer support and contacting you regarding the Festivality Platform and Services (including by push notifications). For the foregoing, we process the following personal data:
- identification data (e.g. name);
- contact information (e.g. e-mail, phone number, postal address).
The purpose for processing your personal data for the foregoing is the performance of the agreement the Organiser or the Merchant has concluded with us, or performance of the agreement you have concluded with the Organiser, or taking steps at your request to enter into the aforementioned agreements. The legal basis for processing is either the performance of the agreement between us or our legitimate interests to fulfil our agreement with the Organiser or the Merchant, as applicable.
We also process the data received from your use of the Website, the Festivality Platform and the Services to improve the user experience in using the Website, the Festivality Platform and the Services. The legal basis for this is our legitimate interest to improve the Website, the Festivality Platform and the user experience. Taking into account that we use the data in an aggregated manner, your interests or fundamental rights and freedoms do not override our legitimate interests.
We may also process your personal data to safeguard our rights (establishing, exercising and defending legal claims). The legal basis for this is our legitimate interest to do so. In such case, your interests or fundamental rights and freedoms do not override our legitimate interests.
Additionally, we may process your personal data to fulfil our obligations arising from the law (e.g. when we are obligated to share personal data with the authorities). The legal basis for this is compliance with our legal obligation.
PROCESSING ON THE BASIS OF CONSENT
We may also process your personal data on the basis of your consent, e.g. for direct marketing purposes, or if you are using the Event Application, your location information (please note that on the basis of your consent we may also collect the precise location of your device when the Event Application is running in the foreground or background), or your contact information. From time-to-time, we may ask for your consent for processing your personal data for purposes that may not be related to the use of the Services.
When processing is based on consent, you can withdraw consent at any time by contacting us on the contact details below, setting your device not to share this data with us, deleting the Event Application from your device or, on some occasions, adjusting the settings on your account.
SHARING YOUR PERSONAL DATA
Data processors. We use service providers in order to make it possible to use and provide some or all parts of the Website, the Festivality Platform, and the Services. We remain responsible for your personal data and take all necessary measures to protect your personal data as provided in this Policy.
We use the following categories of data processors: hosting service providers (ZONE Media OÜ, Amazon Web Services Inc, NAVER Business Platform Co., Ltd), client service orientated live chat software providers (Intercom R&D Unlimited Company), payment service providers (EveryPay AS), analytics software providers (Google Analytics from Google Inc; they handle only anonymised data), email service providers (Mailgun Technologies Inc, MailChimp by The Rocket Science Group, LLC).
The full list of such service providers together with their contact details is available upon request.
Third parties. We only disclose your personal data to third parties without your prior consent if provided in this Policy or the law. We may disclose your personal data to the following third parties:
- an acquirer, or successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets. The legal basis for such disclosure and transfer are our legitimate interests, provided your interests or fundamental rights and freedoms do not override them;
- supervisory and law enforcement authorities. The legal basis for such disclosure is complying with our legal obligation;
- our lawyers, auditors, and other professional service providers. The legal basis for such disclosure are our legitimate interests to protect our rights or complying with our legal obligation, as applicable.
We disclose anonymised data to analytics service providers. We also disclose anonymised usage data to Merchants and Organisers.
Please note that when you choose to use certain functions of the Website, Festivality Platform or Services, some of your personal data will be visible to other users or the public.
TRANSFER OF PERSONAL DATA OUTSIDE THE EU
We do not generally transfer to or store your personal data in any third country outside the EU. However, if we or our data processors do transfer (including store) your personal data outside the EU, it will strictly take place in accordance with applicable law i.e. (i) the recipient is in a country which provides an adequate level of protection for personal data (including in the U.S. if the recipient is certified under the Privacy Shield programme), or (ii) under an instrument which covers the EU requirements for the transfer of personal data to recipients outside the EU.
HOW LONG WE STORE YOUR PERSONAL DATA
We only store your personal data as long as necessary for the purposes for which the personal data was collected, as long as necessary to safeguard our rights, or as required by law (e.g. for tax purposes). In general, we store your personal data as follows:
- in accordance with the maximum limitation period for claims arising from transactions under Estonian law for when the obligated person intentionally violated the person’s obligations, we may retain your personal data related to such claims for a maximum of 10 years from the date when the claim falls due;
- in accordance with the Estonian tax and accounting regulations, we may retain billing information for 7 years as of the end of the financial year in which the information was provided to us;
- all other data is retained for 5 years.
HOW WE PROTECT YOUR PERSONAL DATA
We implement appropriate organisational, technical and physical safeguards to protect your personal data, taking into account (i) the state of the art, (ii) cost of implementation, (iii) nature, scope, context and purposes of the processing, and (iv) risks posed to you. However, no data transmission or storage system can be guaranteed to be 100% secure. Your information is maintained in what we believe to be a well-protected environment. Among other things, we use the following safeguards: server access with public-private keys, database access from whitelisted IP addresses, all communication over secure protocols.
To the extent required by applicable data protection regulations, you have all the rights of a data subject as regards your personal data. Such rights include the following:
- request access to your personal data;
- obtain a copy of your personal data;
- rectify inaccurate or incomplete personal data;
- erase personal data;
- restrict the processing of personal data;
- portability of personal data;
- object to processing of personal data which is based on legitimate interest and personal data which is processed for direct marketing purposes.
In order to exercise your rights, please contact us on the contact details below. Please note that you can exercise some rights (e.g. review and update your personal data) already by logging into your account on Festivality Platform or editing settings on your profile in Event Application.
Should you believe that your rights have been violated, we kindly ask you to contact us on the contact details below. You also have the right to lodge a complaint with your local data protection authority (if you are located in an EU member state), the Estonian data protection authority (Estonian Data Protection Inspectorate), or the court.
As we are a company registered in the Republic of Estonia, the processing of your personal data shall be governed by the laws of the Republic of Estonia.
Festivality is owned and operated by Festivality OÜ (Estonian commercial registry code 12853297, address Tatari 64, 10134 Tallinn, Republic of Estonia), a private limited company registered in the Republic of Estonia.
If you have any questions, comments, complaints or requests related to this Policy or the processing of your personal data, you can contact us on the following contact details:
Tatari 64, 10134 Tallinn, Estonia
Date of entry into force: 25.05.2018