Digital World Ltd. – Xmart Home App

INFORMATION NOTICE

pursuant to Article 13, Regulation (EU) 2016/679 (“GDPR”)

DATA CONTROLLER

Digital World Ltd., owner of the Xmart Home App, having its registered office in Tintyava 15-17 Str., Sofia, Bulgaria is the data controller of your personal data (“Data Controller” or “Digital World”).

PERSONAL DATA DEFINITION AND INFORMATION REGARDING THE PROCESSING ACTIVITIES

Under the GDPR, personal data is defined as: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (“Data”).

In addition, the GDPR identifies particular categories of Data that defines as “personal data revealing racial or ethnic origin, political opinions, religious of philosophical believes, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” (“Sensitive Data”).

Digital World will process the following Data you might provide the Data Controller with in case you decide to download the app Xmart Home (“Xmart Home” or the “App”) and create your profile on it:

I.​ user name (i.e., family name/surname(s));

II.​ email address and/or phone number;

III.​ country of residence

Furthermore, whether you decide to customize your account in the App, you might provide us with further Data about you for which you give, such as:

IV.​ profile picture;

V.​ nickname;

VI.​ preferences as to languages, units of measurement, additional services chosen on the App, etc;

VII.​ information as to persons living with you or your family members (i.e. to create a household and manage / use the products that are connected to that household).

Provided that your prior specific authorization is given, we might also collect information as to:

VIII.​ your geographical position when the App is active.

On top of this, when you either send us a feedback as to the App, its functionalities, the device(s) on which the App has been downloaded (the “Device(s)”) or as to those you had connected to it (the “Smart Device(s)”), or ask us for support, we will also come to know about:

IX.​ data you voluntarily insert in the communications you send us through the App, including further email addresses, phone numbers, pictures, etc.

Please also be informed that, either when you download the App or while you use it, some of the following information about you might be collected automatically:

X.​ information as to the Device(s), such as MAC address, IP address, wireless connection information, mobile network information, push notification identifiers, application version number, etc.;

XI.​ usage data, such as information relating to visits, clicks, downloads, etc.;

XII.​ log information relevant to your use of the App;

XIII.​ Smart Device(s) related information, including basic information on Smart Device(s), such as device name, device ID, online status, activation time, firmware version, and upgrade information;

XIV.​ information reported by Smart Device(s), depending on the Smart Device at issue. For example, smart weights or fitness trackers may report also Sensitive Data about you, including your height, weight, body fat mass (BFM), BMI and skeletal muscle mass (SMM), while smart cameras may report images or videos they captured. On this regards, please note that the Data Controller might process Sensitive Data only whether you your prior consent is given;

XV.​ location data, such as your real-time precise or non-precise geo-location when you use specific Smart Device(s) or functionalities available on the App, such as the weather service.

The provision of all Data listed under points from (I) to (VII) above is voluntary. However, should you refuse to provide Data from points (I) to (III) above, it would not be possible for you to setup and start using the App. In case you decide not to provide Data listed under points from (IV) to (VII), even if you will still benefit of the basic features of the App, there would not be possible for you to customize it to better serve your needs or to fit with your preferences.

The provision of Data listed under point (VIII) above is voluntary as well; consequently, you may decide not to give your consent to the processing of said Data or, at any time, to withdraw the consent previously given. Either you give your authorization for the processing of your location Data or not, the Data Controller will be in any case able to follow up the most of the requests you might have forward through the App.

As to Data listed under point (IX) above that you might want to share with us in case you need support, the refuse to provide said information might prevent the Data Controller to follow up to your requests for assistance efficiently.

Lastly, as to Data listed under points from (X) to (XIV) above, their collection and processing is automatic once you decide to install the App, use its functionalities or pair it with your Smart Device(s). Should you wish to stop us from collecting said information, at any time, you might want either to delete the App from your Device(s), to stop using it or its functionalities, or to un-pair your Smart Device(s). The processing of your location data (point (XV) above) when you use a specific Smart Device or you benefit of a specific feature available on the App is automatic as well; in these cases, however, you will receive a push notification remembering you that the processing of information relevant to your location is necessary to access that particular service.

In any event, the Data Controller is committed to ensure that the information collected and processed is appropriate for the purposes as set forth hereby, and that this does not involve an invasion of your privacy.

PURPOSES FOR THE PROCESSING AND RELEVANT LEGAL BASIS

Satisfaction of your request(s)

Digital World will process your Data listed under paragraph 2, in order to permit you to download and setup the App, to provide you with the service(s) you might have requested, and to follow up the requests you might have made while you are using the App.

In particular, some information might be processed in order to allow you to personalize the App as it better serves your needs, benefit from some of its features (e.g., weather, etc.), couple your Smart Device(s) with the App, and manage them through it.

The legal basis of the processing of said Data is therefore the satisfaction of your request(s)/the performance of the contractual relationship with you.

Provide you with the assistance you might need

Digital World might process some of the Data listed under paragraph 2 above upon your request, should you ask us for assistance you might need during the download, setting up, or use of the App.

The legal basis of the processing of said Data is therefore the satisfaction of your request(s)/the performance of the contractual relationship with you.

Management and improvement of the App and the serviceswe provide

We might process Data relevant to your Device(s), the usage of the App, and your Smart Device(s) to manage, administer and optimize the App, to ensure its functionalities and security, as well as to develop and improve the App, its performances and the services we provide.

To that end, in particular, the Data Controller might carry out statistical analyses aiming at assessing the performance of the App, its features and services, developing and improving the functionalities available on it, preventing fraud, and tracing fraudulent or inappropriate usage.

Your Data will therefore be processed on the basis of the legitimate interest of the Data Controller.

In doing so, information is usually stored anonymously and processed as an aggregate. Therefore, said activities, as a general rule, do not involve the process of your Data, intended as information referred to you as an identifiable individual. Should your Data be processed, security measures to protect your Data (such as, by way of example, encryption and desensitization) shall be implemented.

Sending of non-marketing communication

The Data Controller might process some of the Data as listed under paragraph 2 above to send you - by email or (in case you activated this mean on your Device(s)) via push notifications - important information as to the service(s) provided, changes of terms, conditions and policies relevant to the usage of the App, and other administrative information.

These kinds of communications, being strictly relevant to the services we provide you with, are of contractual nature and do not consist in any form of marketing or promotional activity.

The legal basis of the processing of said Data is therefore the performance of the contractual relationship with you.

Marketing

The Data Controller may process Data listed under paragraph 2 above, to: (i) send you marketing and/or promotional communications, relating to products and/or services, either they be of the Data Controller or of other legal entities (members of the Group the Data Controller is a party or not) which might be similar (or not) to those you have already used, purchased, ordered or manifested your interest into; (ii) invite you to take part to promotional campaigns, and/or to events/initiatives organized by the Data Controller, its partners, and/or by other legal entities members of the Group the Data Controller is a member of; (iii) invite you to try new features and/or new tools available on the App; (iv) ask you for feedbacks and invite you to take part to surveys (even though they are not strictly related to the use you made of the App).

Please also be informed that, in order to make possible for the Data Controller to send you promotional messages as to services, products and features which might of some interest for you, the Data Controller might need to take into account your preferences, as you showed, for example, when you downloaded or set up the App or by using the features available therein. However, this shall have no consequences on your rights and freedoms as a data subject (since, in any case, you will be given the chance to have access to all features/services available on the App, and to further products/services offered by the Data Controller or other companies members of the Group it is a party to), and no restrictions will be implemented on the basis of data subjects preferences.

This (i.e., sending of marketing communications listed under this paragraph) might be carried out by the Data Controller only whether your prior consent is given, being it the legal basis for the processing.

On this regard, please also be informed that you might decide to exercise your right to withdraw the consent previously given as to the processing of your Data for the mentioned purpose, at any time and free of charge, either by following the instructions available in each marketing communication we send, or by contacting the Data Controller at the contact details set forth below. In case you exercise your right to revoke the consent given, it would not be possible for the Data Controller to send you further marketing/commercial communications of this kind in future.

On top of this, please also be informed that, should you activate the relevant functionality on the Device(s), marketing communication might also be sent through push notifications.

Compliance with a legal obligation

Digital World might process your Data where it be necessary or appropriate to fulfill legal obligations and/or to respond to requests from public and government authorities.

The provision of your Data for said purpose is mandatory.

DISCLOSURE OF YOUR DATA TO EU THIRD PARTIES

Digital World may disclose your Data to third parties providing the Data Controller with services necessary and/or functional to satisfy your request(s), and/or related to the management of the App and/or of the activities relevant to the purposes set forth above.

In particular, your Data may be disclosed to organizations that support the Data Controller in managing the App, monitoring its functionalities and performance, creating, developing and implementing its features and tools, or which provide the Data Controller with services ancillary to the management of the App, including providers of IT services, marketing and/or advertising agencies, and/or external consultants.

Said third parties shall process your Data as data processors.

The Data Controller keeps the list of data processors up-to-date; you might ask for having access to said list by contacting the Data Controller at e-mail set forth below.

The Data Controller may also disclose your Data to third parties to which said disclosure is provided for as a legal obligation, to public authorities, to other legal entities members of the Group established in the European Economic Area for administrative purposes, and, if the case be, to the providers or manufacturers of your Smart Device(s).

Your Data might also be disclosed to target/buyer companies or to partner companies in the event of reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stocks (including without limitation in connection with any bankruptcy or similar proceedings). In such events, you will be notified via email and/or through a prominent notice on the Data Controller website of any change in ownership, incompatible new uses of your Data.

The Data Controller has no intention to make your Data available to the public.

TRANSFER OF DATA TO THIRD COUNTRIES

On top of this, for the purposes as set forth above, your Data might be transferred to other legal entities part of the Group of companies to which the Data Controller is a member (e.g., to the group companies which provide IT assistance service and/or to those that offer services necessary or relevant to the ensure the App to run properly), or to third party companies established in countries outside the European Economic Area, which offer services relevant to the processing carried out by the Data Controller.

The mentioned transfer, whether the case be, shall take place only if the requirements provided for by the Regulation are fulfilled. In particular, on a case-by-case basis, the transfer might take place upon an adequacy decision issued by the European Commission, by the adoption of standard contractual clauses and/or upon any other appropriate safeguard provided for by the Regulation being implemented, including the adoption of binding corporate rules, as regard to infra-group transfers of Data.

You might ask for information as to the countries outside the European Economic Area to which your Data has been transferred, by contacting the Data Controller at e-mail set forth above.

APPLICABLE RETENTION PERIOD

As a principle, the Data Controller is committed to ensure that your Data will be processed for the time strictly necessary to fulfil the purposes mentioned above.

In particular, you might find here below information about the retention period provided for by the Data Controller as regard to main purposes of the processing:

I.​ for the purpose of performing the contractual relationship and to satisfy your requests, your Data will be processed as long as you use the App, that being said until you decide to unsubscribe by deleting the account you had created or to remove the App from your Device(s). Should more than 12 months have passed since the date of last use/access of the App, the account will be considered as inactive. Similarly, should a Smart Device be not used for more than 12 months, it will be considered as inactive. Thereafter (i.e., once the account is deleted, the App un-installed or not used for 12 months, or, as to Data relevant to a Smart Device, once 12 months have passed from the last use of that device), your Data will be stored for a period of further 24 months, either for the purpose of being compliant with legal obligations, or for the defense of the Data Controller’s rights only;

II.​ for the purpose of fulfilling legal obligations, your Data will be processed and stored by the Data Controller for the time necessary to comply with said legal obligations;

III.​ for marketing purposes, above, provided that your prior consent is given, your Data will be processed as long as you use the App (that being said until you decide to unsubscribe by deleting the account you had created or to remove the App from your Device(s)). In this context, in order to send you promotional communications and/or invitations which might be of your interest, the Data Controller might take into account the preferences you showed in the previous 12 months only. This is without prejudice for you to exercise your right to revoke the consent previously given, at any time and free of charge, relevant to the receiving of marketing communication and promotional messages/invitations that might be of your interest;

IV.​ for statistical analysis purposes, should information processed in that context falls within the definition of Data, your Data will be processed for the time strictly necessary to achieve said purpose. As a principle, the Data Controller is committed to make Data anonymous (or, at least, to encrypt it or adopt similar appropriate security measures) and to process, where possible, only aggregated information. In any case, reports will contain only anonymous information. No time retention limit is provided for in case of report containing anonymous information only.

In any case, the Data Controller has the right to retain information as to logs and some other information relevant to your usage of the App for a longer period, where it be necessary in order to prevent, monitor, remedy to fraudulent or unlawful activities carried out through the App (e.g., hacking, etc.).

YOUR RIGHTS AS DATA SUBJECTS

At any time, while we are in possession of or processing your Data, you, the data subject, have the following rights:

Right of access – you have the right to obtain confirmation as to whether or not your personal data is being processed, and, where that is the case, the right to access to the personal data and to receive any information regarding said processing;

Right of rectification – you have the right to obtain without undue delay the rectification of your personal data, should it be inaccurate or incomplete;

Right to erasure – provided that the conditions laid down in the GDPR are met, you have the right to obtain the erasure of your personal data from our records;

Right to restriction on processing – where certain conditions apply, you have the right to obtain from the Data Controller restriction of processing;

Right of portability – you have the right to have your personal data we hold transmitted to another data controller;

Right to object – you have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on the legitimate interest of the Data Controller, including profiling, unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims;

Right to withdraw the consent – you have the right to withdraw the consent previously given as regard to the processing of your personal data, at any time, provided that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to lodge a complaint before the supervisory authority - should the Data Controller refuse to follow up to your request to exercise your rights as provided for by the GDPR, the Data Controller shall provide you with the reason underpinning said refusal. If need be, you have the right to lodge a complaint as set forth under paragraph 8 below.

Should you intend to exercise your rights as provided for by the GDPR, please contact the Data Controller at the following dedicated e-mail address: gdpr@topdigital.bg.

COMPLAINTS

Should you wish to file a motion as to how your Data is being processed by the Data Controller, or as to how your complaint has been handled, you have the right to lodge a complaint directly before the supervisory authority.