Privacy Policy

of Aqua Mail, Inc.

4501 Mission Bay Drive, Suite 3A
San Diego, CA 92109, USA

privacy@aqua-mail.com

(the “Company”, “us”, “we”, or “our”)

Aqua Mail, Inc. operates the aqua-mail.com website and the Aqua Mail mobile application for Android and iOS (the “Service”).
Our website contains a subscription form, which allows you to subscribe in order to be informed of the Service’s updates or new releases, improvements, insider tips and resources, marketing and promotional materials, etc. If you subscribe, Aqua Mail, Inc. will be acting as Data Controller with respect to your Personal Data, associated with the subscription, and this Privacy Policy shall apply. Please note that you can always unsubscribe from the mailings by following the link, embedded in each email you receive. The data collected via the Aqua Mail mobile application is also subject to our Privacy Policy, therefore, this document aims to acquaint you with the main points related to the processing of your Personal Data. Aqua Mail, Inc. as Data Controller (hereinafter referred to as such) reserves the right to update it, and its current version will be at your disposal at any time on the Service.

Please note that Aqua Mail is not a cloud-based email client. The data and information stored in your email inbox is confidential and not monitored, accessed, or modified by us, therefore, it is not a part of the Personal Data/ Information we receive and process hereunder.
Our Service does not address anyone under the age of eighteen (“Child”). In some countries, we may impose higher age limits as required by the applicable law. We do not knowingly collect Personal Data of and from Children. If you are a holder of parental responsibility (a parent or a guardian) and you become aware that your Child has provided us with Personal Data without your consent or authorization, please contact us. Once we become aware of that, we will delete them.

 

I. Definitions

1. Consent: means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes by which the person, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Cookies: means small pieces of data stored on the user’s device.
3. Data Controller: means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the way any personal data are, or are to be, processed.
4. Data Processor or Service Providers: means a natural or legal person, public authority, agency, or other body (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
5. Personal Data: means any information relating to an identified or identifiable natural person (the “Data Subject”) via an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
6. Processing: means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
7. Recipient: means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not.
8. Usage Data: means the data collected automatically either generated using the Service or from the Service infrastructure itself.
9. User: means the individual visiting and using our Service. The User corresponds to the Data Subject.

 

II. Principles

2.1 The main principles on which the Data Controller bases the processing of personal data are: (i) legality; (ii) good faith and transparency; (iii) minimizing data and limiting the purposes and retention period; (iv) accuracy; (v) integrity and confidentiality; (vi) accountability.
2.1.1 In order for the Processing to be lawful, the Data Controller processes your Personal Data based on your Consent or on other legitimate grounds, when necessary, in the context of a contract or with an expressed intention to conclude such.
2.1.2 The principle of good faith and transparency requires the Data Controller to ensure that all information and communication related to the Processing of your Personal Data is easily accessible and understandable, using clear and unambiguous wording. This principle applies to the information that you as a Data Subject receive about the identity of the Data Controller and the purposes of the Processing, as well as to the additional information guaranteeing conscientious and transparent Processing.
2.1.3 Compliance with the third principle, namely to minimize data and limit the purposes and period of storage by the Data Controller, is ensured by collecting only those data that are absolutely necessary for the purposes and activities of the Data Controller and its compliance with the legal requirements, as they are processed only for specific, explicitly stated and legitimate purposes, and are not processed in a way incompatible with these purposes, and are stored for a period not longer than necessary or provided by the law.
2.1.4 The principle of accuracy requires that all Personal Data processed by the Data Controller be accurate and kept up to date, and for this purpose the Data Controller relies on you as a Data Subject, on your correctness and assistance. If it proves impossible to correct inaccurate Personal Data provided by you, the Data Controller shall delete them in a timely manner, considering the purposes for which they are processed.
2.1.5 In accordance with the principle of integrity and confidentiality, the Data Controller processes your Personal Data in a way that ensures an appropriate level of security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, applying appropriate technical or organizational measures.
2.1.6 The principle of accountability comes to ensure before you that everything the Data Controller does regarding your Personal Data is subject to control and the Data Controller is responsible for it.
2.2 The Data Controller ensures that all persons involved in the Personal Data processed by it are familiar with the basic principles set out here, this Policy, as well as the applicable legal requirements regarding the protection of your Personal Data.

 

III. Types of Personal Data collected

3.1 While using our Service, we may ask you to provide us with certain Personal Data. The categories of Personal Data may include, but are not limited to:

  • First name and last name
  • Country and/ or country code
  • Email address
  • Phone number (if applicable)
  • Habitual residence (if applicable)
  • Payment data and information about payments
  • Cookies and Usage Data – device type, device ID and/ or IP address, and other information as clarified below (if applicable)
  • Communications with us and their content, including audio, video, text (typed, inked, dictated, or otherwise), in a message, email, or chat (if applicable).

3.2 The Data Controller receives your Personal Data in the following ways: (i) personally from you, when you visit and start using the Service; (ii) from other sources like PayPro, Google, Apple, Huawei, etc. but only as supplementary information to that, already provided voluntarily by you; and (iii) through so-called Cookies and other unique identifiers.
3.3 Integration with third party services (Google, Apple, Huawei, PayPro and more) may require exchange of information, such as username, OpenID, single-sign-on tokens, and any other data required for implementation of said integration. Integration is optional for social media, and necessary for payments. Any data received from third party service is covered by this Privacy Policy.
3.4 Please note that when you provide your credit or debit card number on the Service, this Personal Data is automatically redirected to our Service Providers as enumerated in item 9.4 below. We do not process this Personal Data ourselves. We process only a derivative information about your payments (amount paid, date of payment, return, if any, transaction history, etc.).
3.5 Where required by law, we store the data and information we collect from you when you are unauthenticated (not signed in) separately from any Personal Data that directly identifies you, such as your name, email address, or other. If we link other data and information relating to you with your Personal Data, we will treat that linked data as Personal Data. Please note that, if you use the unauthenticated version of our Service, you may contact us with a request concerning your rights as Data Subject, but in this case, we may not be able to identify you. If such a situation occurs, please go to your Service settings and explore your options.
3.6 In addition, some of our Services have optional features which, if used by you, require us to collect additional information to provide such features. You will be notified of such collection, as appropriate. If you choose not to provide the information needed to use a feature, you will not be able to use the respective feature. For example, you cannot open files from your device if you don’t grant file access permission to the respective application. Permissions can be managed through your device’s apps settings.

 

IV. Grounds for Processing

4.1 Once provided, your Personal Data will be processed by us (our authorized employees/ representatives/ Data Processors) on the following grounds: (i) you as Data Subject have given your Consent to the processing of your Personal Data for one or more specific purposes; (ii) the Processing is necessary for the performance of a contract to which you as Data Subject are party or in order to take steps at your request prior to entering into any such contract; (iii) the Processing is necessary for compliance with a legal obligation to which we as Data Controller are subject; and (iv) the Processing is necessary for the purposes of the legitimate interests pursued by us as Data Controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms as Data Subject which require protection of Personal Data, in particular where you are a Child.
4.2 By pressing the “Subscribe”, “Grant”, or “Next” buttons, you give us your prior, explicit, written, informed, freely given and unambiguous Consent for the Processing of your Personal Data for the purposes stated below and declare that you are familiar with this Privacy Policy of the Data Controller, accept it and agree to observe it unconditionally. Thus, your Consent is given electronically, and we shall keep a record of it.
4.3 You have the right to withdraw your Consent (to opt out) at any time by one of the means described in the sections below. The withdrawal of the Consent shall not affect the lawfulness of the Processing carried out on any of the other grounds listed in item 4.1 above.
4.4 When you have consented to your Personal Data being processed by the Data Controller for direct marketing and remarketing purposes, you have the right to object/ opt out to this at any time in one of the ways described below. Upon receipt of your objection/ opt out, we shall cease the Processing of your Data for these purposes.

 

V. Purposes of Processing

5.1 The Data Controller processes/ uses your Personal Data and Usage Data for the following purposes:
5.1.1 for provision and maintenance of the Service, its modifications, changes, updates, or enhancements, including but not limited to, provision of interactive features associated with the Service; for Service-related announcements; to detect, prevent and address technical and security issues; for monitoring of the Service usage; for transfer of your Personal Data to our Service Providers/ Data Processors; for measuring effectiveness and analysis; for processing of subscriptions; for execution of distance End-User License Agreements; for returns and reimbursements; for measures to protect the Service against fraud, IP rights infringements, cyberattacks and other attempts to harm the rights, property, piracy, or safety of the Data Controller and/ or our employees, Users, Children, or the public
5.1.2 for direct marketing and remarketing, including but not limited to, tracking preferences and interests, sending you information about our Services and/ or special offers, participation in promotions, raffles and competitions, filling in and submitting questionnaires and quizzes, conducting surveys, market research, etc.
5.1.3 for customer support, assistance, and solving problems; for investigating and responding to any comments or complaints
5.1.4 for the observance of legal obligations by the Data Controller, including arising from the applicable tax and accounting legislation
5.1.5 for the protection of the legitimate rights and interests of the Data Controller and third parties, in full balance with your interests, fundamental rights and freedoms
5.1.6 for the transfer of your Personal Data to competent authorities; for handling various other risks,
as well as any other purposes compatible with the above.
5.2 The Processing of Personal Data for purposes other than those for which they were originally collected is also permitted when the Processing is compatible with the purposes for which they were originally collected. Processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes should be considered as compatible lawful processing operations.

 

VI. Retention period

6.1 The Data Controller will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.
6.2 The Processing of your Personal Data will continue as follows: (i) in cases where you have filled in and submitted incorrect, incomplete or inaccurate data, and there is no way to be corrected or updated by the Data Controller, they will be deleted within one (1) month as of their receipt; (ii) in cases where the processing is only on the basis of your Consent, until its withdrawal, but not later than the end of the month in which the withdrawal is received by the Data Controller; (iii) in the case of Consent given for direct marketing, until the Data Controller has received your objection/ opt-out to the processing of Personal Data for this purpose; (iv) in cases where the Processing is based on a signed contract – until the final settlement of the legal relationship between you and the Data Controller and five (5) years thereafter, except in cases of legal or enforcement proceedings, tax inspections and/ or audits, as well as when the protection of the legitimate interests of the Data Controller or third parties requires a longer period. All these terms will be valid only on condition that laws or by-laws do not provide for longer or shorter ones. Usage Data is generally retained for short periods, except when this data is used to strengthen the security or to improve the functionalities of our Service, or we are legally obligated to retain this data for longer time periods.
6.3 The Data Controller makes regular checks on the Personal Data processed and stored, and based on the rules contained herein, proceeds with their deletion, destruction, or anonymization for statistical or research purposes. Regarding Personal Data, for the storage of which special laws provide for longer periods, the Data Controller shall take technical and organizational measures for their archiving so that they are not subject to further Processing and cannot be amended.

 

VII. Transfer of Personal Data. Recipients

7.1 Your Personal Data may be transferred to and processed on computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction. If you are located outside the United States and choose to use the Service, please note that your Personal Data are received and processed in the United States, for which you have explicitly consented. For the avoidance of any doubt, by giving your Consent, you authorize us to transfer your Personal Data across national borders and to other countries where we and our Recipients operate, including the United States. The privacy protections and rights of authorities to access your information may not be equivalent to those in your country. We will only transfer your Personal Data when appropriate safeguards are put in place to ensure that they receive adequate protection.
7.2 Depending on the case, we transfer or may give access to some of your Personal Data to the following categories of Recipients: (i) companies from the group to which the Data Controller belongs; (ii) Service Providers – partners and contractors like payment/ banking service providers, marketing service providers, including digital advertising agencies and market research service providers, IT and hosting service providers, fraud monitoring and prevention service providers, and other companies with which the Data Controller develops joint programs; (iii) public government bodies and organizations, where this is necessary in order to protect the legitimate interests of the Data Controller or third parties, or where it is provided for as a legal obligation.
7.3 The Data Controller may entrust the processing of your Personal Data on its behalf only to Data Processors who provide sufficient guarantees that they will apply appropriate technical and organizational measures in such a way that the Processing complies with legal requirements, this Privacy Policy, and ensures the adequate protection of your interests, fundamental rights, and freedoms.
7.4 If the Data Controller merges with or is acquired by another company, sells a Service, or business unit, or if all or a substantial portion of our assets are acquired by another company, your Personal Data will likely be disclosed to our advisers and any prospective purchaser’s advisers and will be one of the assets that is transferred to the new owner.

 

VIII. Disclosure for law enforcement

Under certain circumstances, we may be obliged to disclose your Personal Data by law or in response to valid requests by public authorities (e.g., a court or a government authority). Therefore, we may disclose your Personal Data in the good faith belief that such action is necessary to:

  • comply with a legal obligation, a subpoena, a court or administrative order or another official act of a competent public or government authority
  • protect and defend the rights or property of the Data Controller
  • prevent or investigate possible wrongdoing in connection with the Service
  • protect the personal safety of our employees, Users, Children, or the public
  • respond to an emergency involving the danger of death or serious bodily harm
  • protect ourselves against legal liability.

 

IX. Cookies. Usage Data. Service Providers. Others

9.1 Cookies. We use cookies and similar tracking technologies to track the activity on our Service and hold certain information. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to analyze the performance of and improve our Service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service. Examples of Cookies we use:

  • Necessary Cookies: we use Necessary Cookies to operate our Service. They help make the Service usable by enabling basic functions and access to secure areas. The Service cannot function properly without these cookies.
  • Preference Cookies: we use Preference Cookies to remember your preferences and various settings. They enable the Service to remember information that changes the way it behaves or looks, such as your preferred language or the region that you are in.
  • Statistic Cookies: we use Statistic Cookies to help us understand how you interact with the Service by collecting and reporting information anonymously.
  • Security Cookies: we use Security Cookies for security purposes.
  • Advertising Cookies: we use Advertising Cookies to serve you with advertisements that may be relevant to you and your interests.

Via our cookie banner the Data Controller collects and stores your prior, explicit, and affirmative Consent before using cookies and trackers, or any other technology that stores Personal Data on your terminal equipment (hardware and software) and before allowing third-party interference into your electronic communications. You have the following options: (i) Deny, (ii) Allow all, or (iii) Adjust preferences. You can also control the use of cookies at the individual browser level. If you reject cookies, you may still use our Service, but your ability to use some of its features or areas may be limited.
9.2 Usage Data. We may also collect Usage Data that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device. This Usage Data may include information such as your computer’s Internet Protocol address (e.g., IP address), browser type, browser version, search terms, entered into a search engine which led you to our Service, types of apps and websites of your interest, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data. When you access the Service by or through a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, and other diagnostic data.
9.3 We may employ third party companies and individuals to facilitate our Service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used. These third parties have access to your Personal Data only to perform the tasks assigned on our behalf and are obligated not to disclose or use them for any other purposes whatsoever.
9.3.1 Service Providers of Analytics Data:
a) Google Analytics and Firebase are web and application analytics services offered by Google that track and report website and applications traffic and information about your device. This information is automatically uploaded to the Google servers and used to provide better services to the Users. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy.
b) We use Adjust in our Android and iOS app when conducting our marketing campaigns. Adjust may gather some analytics or statistical consumer data on our behalf to help us better understand how Users use our apps, and how our marketing campaigns are performing. For in-depth information about Adjust, see here. To opt out of tracking by Adjust follow this link here.
c) We use AdMost in our Android and iOS app. It’s an analytics and advertising mediation platform. AdMost may gather some analytics or statistical consumer data and information on our behalf to help us better understand how Users use our apps, and how our marketing campaigns are performing. For in-depth information about AdMost, see here.
9.3.2 Service Providers of Advertising Data:
a) AdMob by Google is provided by Google Inc. You can opt-out from AdMob by Google service by following the instructions described by Google: https://support.google.com/ads/answer/2662922?hl=en. For more information on how Google uses the collected information, please visit the “How Google uses data when you use our partners’ sites or app” page: http://www.google.com/policies/privacy/partners/ or visit the Privacy Policy of Google: http://www.google.com/policies/privacy/.
b) Meta Audience Network is used in our Android and iOS apps when conducting our marketing campaigns. They have developed a targeting technology which allows advertisements to reach a specific audience. While posting an ad, an advertiser is provided a set of characteristics that will define his target market. For in-depth information about Meta Audience Network, please see https://www.facebook.com/audiencenetwork/.
c) Google Ads remarketing service is provided by Google Inc.
You can opt-out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads. Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.
For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: http://www.google.com/intl/en/policies/privacy/.
d) A4G is an advertising service provider. It manages mobile ad sources in our Android and iOS app by providing a full suite of video, rich media, interstitial, and native ad formats. For more information on the privacy practices of A4G, please visit: https://a4g.com/privacy.

e) ReklamUp is a certified DoubleClick Ad Exchange (Google AdX) and Google AdSense partner ad network. It is used in our Android and iOS app to monetize all types of inventory including video, display, native, and interstitials. Please visit here: https://reklamup.com/privacy.php.

f) Mailchimp is a marketing automation platform and email marketing service for managing mailing lists and creating email marketing campaigns to send to customers. To check their Privacy Policy please visit: https://mailchimp.com/legal/.

9.4 Service Providers of Payments. Our Service is provided not only for free, but also against monetary consideration. In the latter case, we use payment/ banking service providers who adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information. Once collected by us, your credit or debit card number is provided directly to our third-party payment service providers whose use of your Personal Data is governed by their Privacy Policies. They are as follows:

Please note that due to integration with PayPro all the deals concluded on our website (https://www.aqua-mail.com) will make you a client of PayPro. Therefore, PayPro is acting as data controller with respect to your Personal Data, and all the processing activities associated thereto will be subject to PayPro Privacy Policy, not to ours. Aqua Mail, Inc. will be acting only in the capacity of data processor with respect to some of the data provided by you to PayPro for one or all of the following purposes: (i) for ongoing technical support; (ii) to fulfil a service to PayPro for your benefit or directly to you; (iii) for warranty or after-sales services; (iv) for returns, or (v) for any other purposes compatible with the above.
9.5 Others:
a) Behavioral Remarketing is used by us to advertise on third party websites to you after you visited our Service. We and our third-party vendors use cookies to inform, optimize and serve ads based on your past visits to our Service. By submitting opt-outs, you can prevent Service Providers engaged in behavioral advertising from collecting data about your online browsing activities and using it to show you targeted ads. Opting-out will only prevent targeted ads, so you may continue to see generic (non-targeted) ads. You may opt out of behaviorally targeted ads anytime by deleting your browser’s cookies.
b) “Do Not Track” Signals. We do not support Do Not Track (“DNT”). DNT is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable it by visiting the Preferences or Settings page of your web browser.
c) Conversion Tracking. We use Facebook Pixel for conversion tracking, which is the measurement of media performance with reference to campaign key performance indicators (KPIs). For more information, please visit this link: https://www.facebook.com/business/learn/facebook-ads-pixel.
d) Freshdesk is a customer service SaaS that helps us process and manage support queries.

 

X. Links to other websites or services

Our Service may contain integrations or links to other websites that are not operated by us. We strongly advise you to review the Privacy Policy of every website or service you visit and start using. We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party websites or services.

XI. Security of Data

11.1 The Data Controller undertakes to apply appropriate technical and organizational measures to ensure an appropriate level of security of your Personal Data. In assessing the appropriate level of security, account shall be taken of the risks associated with the Processing, and in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
11.2 With regard to automated processing, the Data Controller is applying measures aiming at:
11.2.1 control over access to equipment – to deny unauthorized persons access to the equipment used for Personal Data Processing
11.2.2 control of data carriers – to prevent reading, copying, modification or removal of data carriers by unauthorized persons
11.2.3 control over storage – to prevent the entry of Personal Data by unauthorized persons, as well as the performance of checks, modification, or deletion of stored Personal Data by unauthorized persons
11.2.4 consumer control – to prevent the use of automated processing systems by unauthorized persons through the use of data transmission equipment
11.2.5 control over access to data – to ensure that persons who are allowed to use an automated processing system have access only to the Personal Data covered by their access authorization
11.2.6 control over communication – to ensure the possibility of verification and establishment of which persons have been or may be transferred Personal Data, or which persons have access to Personal Data through data transmission equipment
11.2.7 control over data entry – to ensure the possibility for subsequent verification and establishment of what Personal Data have been entered into the automated processing systems, as well as when and by whom they were entered
11.2.8 control over the transfer – to prevent the reading, copying, modification or deletion of Personal Data by unauthorized persons during the transfer of Personal Data or during the transfer of data carriers
11.2.9 recovery – to ensure the possibility of recovery of the installed systems in case of failure of the functions of the systems
11.2.10 reliability – to ensure the implementation of the functions of the system and the reporting of defects in the functions
11.2.11 integrity – to ensure that the stored personal data is not damaged due to improper functioning of the system.
11.3 Through measures under the previous point, the Data Controller is aiming to ensure the protection of Personal Data at the design stage, considering the achievements of technical progress, implementation costs and the nature, scope, context, and objectives of Personal Data Processing, as well as risks to the rights and freedoms of individuals. For further information please also check our Privacy Notice.
11.4 We follow generally accepted standards to protect the Personal Data submitted to us during Processing. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we do not guarantee the absolute security of the Personal Data.

 

XII. Your rights as Data Subject. General Standards

The Data Controller respects your privacy no matter where your habitual residence is. We hereby provide you with the right to request access, correction, completion, update, and/ or erasure of your Personal Data. We will aim to address all your requests, complaints and/ or worries within a reasonable time of their receipt, in compliance with our high standards for Personal Data protection and the applicable legislation.

 

XIII. Your rights as Data Subject in case you have habitual residence in the EU. GDPR Compliance

13.1 Although the main establishment of the Data Controller is in California (USA), this Privacy Policy takes into consideration and is made to comply with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (“GDPR”). In addition, we have put processes in place to support Users having habitual residence in the EU in receiving information on how their Personal Data is processed and how to exercise their rights, which are as follows:
13.1.1 Right of access: you have the right to obtain from the Data Controller confirmation as to whether or not Personal Data concerning you are being processed, and, where that is the case, access to the Personal Data and the following information: (a) the purposes of the Processing; (b) the categories of Personal Data concerned; (c) the Recipients or categories of Recipient to whom the Personal Data have been or will be disclosed, in particular Recipients in third countries or international organizations; (d) where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the Data Controller rectification or erasure of Personal Data or restriction of Processing of Personal Data concerning you or to object to such Processing when it is for marketing purposes; (f) the right to lodge a complaint with a supervisory authority; (g) where the Personal Data are not collected from you, any available information as to their source; (h) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for you and (i) other processing-relevant information.
13.1.2 Right to rectification: you shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate Personal Data concerning you, as well as the right to have incomplete Personal Data completed, including by means of providing a supplementary statement.
13.1.3 Right to erasure (“to be forgotten”): you have the right to request the Data Controller to delete without undue delay the Personal Data that concern you, when they are no longer needed for the purposes for which they were collected and/ or processed; when you withdraw your Consent, on which their processing is based and there is no other legal basis for it; when you object to their Processing for the purposes of direct marketing and there are no legitimate grounds for processing to take precedence; when your Personal Data is processed in violation of the principles outlined above; when it must be deleted in order to comply with a legal obligation for the Data Controller or the Personal Data have been collected in relation to the offer of information society services. This right shall not apply to the extent that Processing is necessary: (a) for exercising the right of freedom of expression and information; (b) for compliance with a legal obligation to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller; (c) for reasons of public interest in the area of public health; (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right is likely to render impossible or seriously impair the achievement of the objectives of that Processing; or (e) for the establishment, exercise or defence of legal claims.
13.1.4 Right to restriction of Processing: the Data Controller restricts the processing of Personal Data without deleting them when: (i) the accuracy of the Personal Data is disputed by you as a Data Subject and this cannot be verified, or (ii) Personal Data must be kept for evidentiary purposes.
13.1.5 Right to data portability: you have the right to receive the Personal Data concerning you, in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from the Data Controller to which the Personal Data have been provided, when the Processing is based on Consent – upon its withdrawal or on a contractual obligation and is performed in an automated manner. This right of yours cannot adversely affect the rights and freedoms of others.
13.1.6 Right of objection: If you have consented to the Processing of your Personal Data for the purposes of direct marketing, you have the right to object to this Processing at any time, including when it involves profiling. In any such case, the Processing of your Personal Data for the purposes of direct marketing is suspended.
13.1.7 In addition you have the right not to be the subject of a decision based solely on automated processing, including profiling, which has legal consequences for you and affects you significantly. In case you exercise this right, the Data Controller is obliged to apply appropriate measures to protect your rights, freedoms, and legitimate interests, ensuring human intervention and giving you the right to express your point of view and challenge its decision.
13.2 As a Data Subject, you may exercise the rights above by submitting a written application to the Data Controller. The application can be submitted by mail (at the address of the Data Controller) or by e-mail. The application must contain: (i) name, surname, habitual residence, IP address (if applicable); (ii) a description of the request; (iii) a preferred form of obtaining information in the exercise of rights; (iv) signature, date of filing of the application. When the Data Controller has reasonable concerns, it may request additional information needed to verify your identity. The Data Controller satisfies your requests completely free of charge within one (1) month of receipt. The period may be extended by two (2) months when this is necessary due to the complexity or number of requests. Where requests from a Data Subject are manifestly unreasonable or excessive, in particular because of their recurrence, the Data Controller may: (i) charge a fee commensurate with the administrative costs of providing the information or correspondence, or of acting on the request, or (ii) refuse to act on the request. Each time the Data Controller refuses to accept an application submitted by you for the exercise of the rights above, you will receive a written refusal, as well as the reasons for it. In these and other cases, the Data Controller will also inform you of your right to appeal or seek court redress.
13.3 A register that contains information on submissions, considerations, and responses to all Data Subjects' requests will be kept by the Data Controller.
13.4 In case of a Personal Data breach, and provided that it is likely to result in a high risk to your rights and freedoms, we will notify you thereof without undue delay and describe in clear and plain language the nature of the Personal Data breach, the likely consequences of it and the measures taken or proposed to be taken by us to address it, including, where appropriate, measures to mitigate its possible adverse effects. In some cases the communication shall not be required, especially when: (i) we have implemented appropriate technical and organizational protection measures, and those measures were applied to the Personal Data affected by the Personal Data breach, such as encryption; (ii) we have taken subsequent measures which ensure that the high risk to your rights and freedoms is no longer likely to materialize; (iii) it would involve disproportionate effort, in which case you will be informed in an equally effective manner, such as via a public communication or other.
13.5 In case of a violation of your rights under GDPR you have the right to refer to the competent supervisory authority at your habitual place of residence within six (6) months as of the violation discovery, but not later than two (2) years from its occurrence. You have an additional opportunity to file a claim against us before the competent court. In this proceeding you can seek compensation for the damages suffered by you as a result of illegal Processing of your Personal Data.

 

XIV. Your rights as Data Subject in case you are a California resident. CCPA Compliance

WE DO NOT SELL OR RENT ANY COLLECTED PERSONAL DATA AND INFORMATION TO ANY THIRD PARTY.

 

XV. Amendments and supplements

We may update this Privacy Policy from time to time. The updated version of this Privacy Policy will be posted on the Service. Please review it periodically because any and all amendments and/ or supplements will become effective when posted. Under certain circumstances (material changes) we will provide notice to you of these changes and, where required by applicable law, we will obtain your consent. Notice may be made by email to you, by posting a notice on our Service, or by other means consistent with applicable law.

Please do not hesitate to contact us at privacy@aqua-mail.com in case you need assistance or clarification, want to exercise your legal rights, or file a complaint.