LaLoka Labs Group Privacy Policy for the GDPR

Our Privacy Policy

Contract Code: PrivacyPolicy-GDPR-Ver1.0

Effective Date 2022-04-29

This Privacy Policy for the GDPR is applicable to our group companies within LaLoka Labs: LaLoka Labs OÜ incorporated in the Republic of Estonia and LaLoka Labs LLC, incorporated in Japan, collectively known as LaLoka Labs within this document.

Your privacy is important for LaLoka Labs (hereinafter, “LaLoka Labs”, “Site”, “the Site”, “We” or “Us”) and an essence to our service. We respect the privacy of everyone that engages with the services that we run and manage (hereinafter, “Service”, “Services” or “Website”), and we are committed to being transparent about our privacy processes and policies.

At LaLoka Labs, we care about the confidentiality and privacy of your data and are fully committed to protecting it. This is something that will never change.

Our Services are not in the business of selling or renting your information. We will not sell your personal data to third parties and shall only share it when necessary for the rendering of the LaLoka Labs services as stated in this privacy policy (hereinafter “Privacy Policy”, “Policy” or “the Policy”).

Below is a description of how the data we gather from you as a visitor (hereinafter “User”, “the Visitor”, “you”, “visitor” or “Customer”) to our publicly-accessible websites where this Privacy Policy is posted and is used.

LaLoka Labs and the Customer are also jointly referred to as “Parties” within the scope of this Privacy Policy.

Please review this Policy before using any part of the Site as by using any part of the Site you hereby agree to the collection, use and disclosure of your information as outlined below.

1. Why do we collect your data

  1. The lawful basis for processing and storing data subjects personal data and data retention periods are based on the contractual obligations agreed upon by the Customer by creating the account on the basis of agreeing to the Terms and Conditions of a particular Service, legal basis derived from the EU law or by explicit consent provided for marketing purposes.
  2. We use your Personal Information for providing and improving the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in the Terms and Conditions of said Service. While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to, your email address, name, phone number, and other information (“Personal Information”).

2. What kind of data is collected and how it is used

  1. Data is collected in two ways: Data which is given to Us directly, and data which We collect automatically.
  2. Personal Information of the Users will be processed by LaLoka Labs throughout the term of the contractual relationship and subsequently for the legal term during which applicable regulations require such personal data be he held thereafter.
  3. The User may at all times exercise his or her rights to access, rectification, erasure and restriction of processing and data portability as provided in the GDPR and applicable regulations by contacting LaLoka Labs at privacy@lalokalabs.ee. This may however result in the inability of the User to access and use the Service.

2.a. Data given to us directly

  1. the Visitor has the option to contact Us via e-mail or from the contact-us link, which is being recorded. We may also offer the Visitor the option to share details through signing-up to surveys or by signing-up to a newsletter, during which We will collect and record the information the Visitor provides Us in subscribing or using such opportunities.
  2. Specific for GetOTP customers and visitors
    • The Visitor will be providing to us Personal Information such as e-mail and phone number when completing a OTP transaction, which is part of our contractual obligations to our Customer.

2.b. Data which we collect automatically

  1. When visiting the Site, We and our service providers acting on our behalf may collect certain data using tracking technologies like cookies, web beacons and similar technologies.
  2. When we conduct fraud monitoring, prevention, detection or provide such services to our Customers, we will receive Personal Information from you (and your device) and about you through our Service and from our business partners, financial service providers, identity verification services, and publicly available sources (e.g., name, address, phone number, country), as necessary to confirm your identity and prevent fraud. Our fraud monitoring, detection and prevention services may collect Personal Information about you and use technology to help us assess the risk associated with an attempted transaction by you with a Service Customer.
  3. Specific for GetOTP customers and visitors
    • In order to execute our contractual obligations to our Customer, prevent fraud and improve the Service, we will also collect data of the Visitor such as IP address, country data, browser environment details such as language settings, browser version and operational system version when the Customer completes an OTP transaction.

2.c. How the data is used (or not)

  1. Data given to us directly – The data given to us directly is used
    • to provide you access to the Service;
    • to provide a response to your inquiries, suggestions or complaints made by you on the Service;
    • to provide you with the reply to the surveys signed-up or to provide you with the newsletter;
  2. Data which we collect automatically – Data collected automatically as described above is used
    • to improve the Service;
    • to understand visitors are using the Site;
    • to improve the user experience on the Site;
  3. Your data is not used for ads – Earning revenue from third-party ads is not our business. We do not share your Personal Information in any way with a third-party for advertisement purposes.

3. Who we may share your data with

  1. In order to render and give you access to the Service, we list out the parties that we share your data with in this section. The following sub-processors are deemed as authorized by the User:
    • Amazon Web Services, Inc. as provider of the hosting of the Service, through servers located in the European Economic Area (EEA).
    • Digital Ocean, as provider of hosting for the Service, through servers located in the European Economic Area (EEA).
    • Google services: Google Apps, Google reCaptcha V3, Google APIs, Google Analytics and Webmaster Tools
    • Stripe, to process payments. Stripe privacy policy
    • Paddle, to process payments. Paddle privacy policy
    • HelpScout, for the provision of our customer service functionalities
    • SendGrid, used for sending transactional and marketing emails and managing users emails. The Privacy Policy in relation with SendGrid can be found here
    • Drip, used for sending marketing emails and managing users mailing list subscriptions. The Terms and Conditions and The Privacy Policy in relation with Drip can be found here
    • ipdata.co, used to get users’ location based on IP address to increase the usability and security of the Service. The Terms and Conditions and The Privacy Policy in relation with ipdata.co can be found here
    • Maxmind, to prevent fraud and increase the usability and security of the Services. Their Privacy Policy can be found here
    • LaLoka Labs LLC, Japan, for the development and maintaining of the Service
    • Customer.io (Peaberry Software Inc.), User analytics and email sending solution for transactional and promotional emails. Customer.io privacy policy.
    • Grafana (Coding Instinct AB), for dashboard metrics for visualization of collected data. Grafana privacy policy.
    • Heroku (Heroku Inc.). Heroku is a hosting platform for our apps. Binding corporate rules.
    • Mixpanel (Mixpanel, Inc.). Analytics for tracking visitors and users. Helps us understand visitors and users, and personalize our communication and website experience. Mixpanel privacy policy.
    • StitchData (Stitch, Inc.). Used to process some personal identifiable data and anonymize its results. SCC incorporated into Talend Data Processing Addendum.
    • Sentry (Functional Software, Inc.). Error collecting service. Helps us identify problems in applications. Sentry privacy policy.
  2. We mentioned that we share your information with Google through its reCaptcha V3 program above, but we think it requires special mention here due to the methods used by Google. We employ the the reCaptcha method to protect you, our Customers and our service from abuse. If you opt to use the reCaptcha method, you are subject to Google’s Terms of Service and Privacy Policy as listed below:
  3. Compliance with laws – We may disclose the data provided to Us to a third party if such disclosure is required by law, regulation or legal process. Also such information may be disclosed to enforce the Policy or in case to protect the security of the Site. If We are legally required to provide such data to third parties, we will use reasonable efforts to provide the Visitor with information about such procedures.
  4. We shall not subcontract third parties for the processing operations which may imply access to the Personal Information without the authorization of the User.
  5. In general, the User’s personal data will be stored in the European Economic Area (EEA). However, LaLoka Labs may share the Personal Information with third parties, some of which may be located outside of the EEA, only for the provision of the Service and at all times subject to the guarantees and requirements provided by applicable data protection laws.
    In the event that LaLoka Labs transfers the User’s Personal Information to another country and where the country or territory in question does not maintain adequate data protection standards, LaLoka Labs will make sure that personal data is stored and transferred in a way which is secure. Therefore, LaLoka Labs will only transfer personal data outside of the EEA where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:

    • By way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by controllers in the EEA to controllers and processors in jurisdictions without adequate data protection laws; or
    • Transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
    • Where it is necessary for the conclusion or performance of a contract between us and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer your data to a benefits provider based outside the EEA); or
    • Where the User has consented to the data transfer.
  6. However, where personal data is stored in a third country, it may be accessible to law enforcement agencies in accordance with domestic laws.

4. Your rights

  1. The User, as the Data Subject, may at all times exercise his or her rights to access, rectify, erase and restrict the processing and data portability as provided in the GDPR and applicable regulations by contacting LaLoka Labs via email to privacy@lalokalabs.ee.
  2. Any withdrawal of consent by the User to the collection and processing of the Personal Information does not affect the lawfulness of the processing based on the consent before withdrawal thereof.
  3. However, please note that the withdrawal of consent by the User can result in the Service to be unusable by the User.
  4. If at any time the User wishes to stop receiving communications regarding the Service or with commercial information about the Service, the User may request so by sending an email to privacy@lalokalabs.ee.
  5. The exercise of the above mentioned rights is free of charge. We will provide the User with information about the follow-up to the request immediately and in any case within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another three months. We will notify you of such an extension within one month of receipt of the request.
  6. If the User’s requests are manifestly unfounded or excessive, we will either charge the User a reasonable fee or refuse to comply with the request.
  7. In addition to the above mentioned rights, for service managed by LaLoka Labs OÜ, the User may also lodge a complaint before the Estonian Data Protection Inspectorate if the User feels the Service Provider is not protecting his or her rights in a reasonable manner.

5. Cookies

Please refer to our Cookies Policy here.

6. Use by minors

The Service is not directed to individuals under the age of thirteen (13), and we request that they not provide Personal Information through the Services.

We do not knowingly collect personally identifiable information from children under 13. If you are a parent or guardian and you are aware that your Children has provided us with Personal Information, please contact us. If we become aware that we have collected Personal Information from a children under age 13 without verification of parental consent, we take steps to remove that information from our servers.

7. Links to other websites

The Service may provide the ability to connect to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we strongly suggest you review. If any linked website is not owned or controlled by us, we are not responsible for its content, any use of the website or the privacy practices of the operator of the website.

8. Communications

We may use your Personal Information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link or instructions provided in any email we send.

9. Security of your data

The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, in compliance with GDPR, we cannot guarantee its absolute security.

10. Changes to this privacy policy

This Privacy Policy is revised over time. Any modifications made to the Policy will be updated and the version of the Policy with the effective date shall be written at the top of the document. The customer is encouraged to check the effective dates of the Policy. The continued use of the Service shall be considered as an acceptance to all revisions of the Policy. If the customer shall not agree to any changes made, then the customer must cease to use the service and LaLoka Labs shall not be obliged to offer any services to the customer.

11. Term and termination

  1. This Privacy Policy becomes effective when signed by both Parties and remains in force until the fulfilment of the obligations arising from the provision of Service or the Service Agreement.
  2. Either Party has the right to terminate the Privacy Policy by written notice to the other Party by giving 30 days’ advance notice. For the sake of clarity, provision of Service or the Service Agreement shall not be possible without valid Agreement in force.
  3. The Parties agree that upon the termination of the Agreement, LaLoka Labs shall return all the Personal Information transferred and the copies thereof to the Customer or shall destroy all the Personal Information and certify in writing to the Customer that it has done so, unless legislation imposed upon LaLoka Labs prevents it from returning or destroying all or part of the Personal Information transferred. In that case LaLoka Labs is obligated to ensure the confidentiality of Personal Information transferred by the Customer and cease for further Processing of the Personal Information.

12. Contact us

If you have any questions about this Privacy Policy, please contact us through our online form or send an email to privacy@lalokalabs.ee.