Data Processing Notice
Notice to individuals under Article 13 of the General Data Protection Regulation (GDPR) regarding the processing of personal data
THE CONTROLLER OF YOUR PERSONAL DATA IN CONNECTION WITH THE “Nestoralpha” SERVICE IS:
QUANTIC CAPITAL LIMITED
5 Calcutt Close, Dunstable,
United Kingdom
https://nestoralpha.io
(hereinafter: the controller or organisation)
A data protection officer has been appointed and is available at dpo@nestoralpha.io
General information on the Nestor Alpha service
Our organisation provides its Nestor Alpha service to clients who want to effectively audit and vet their crypto project as trustworthy and transparent. The Nestor Alpha service has been created with a view to eliminating “rug-pull” situations from the crypto landscape by offering the crypto community transparent project vetting and safeguards in cases of apparent project mishandling and fraud.
Simply put, Nestor Alpha uses its online and offline processes in order to obtain, verify and potentially disclose information about vetted crypto projects and their founders. The service includes the underlying hardware and software, as well as the online platform https://nestoralpha.io (hereinafter: the platform) and various third-party entities, which offer the organisation their assistance in relation to KYC and other control procedures, as listed herein.
By coming forward and undergoing our proprietary due diligence and KYC processes, clients disclose technical project details as well as personal information regarding their founders and team to our organisation and its partners (processors) in the scope of our vetting process (hereinafter: the service).
All vetted projects are entered into our publicly accessible database and potentially face the threat of the vetted service badge and/or certificate being revoked and the necessary information being forwarded to the relevant prosecutors or criminal investigation agencies. Please note that such consequences are contractually agreed upon between our organisation and its clients and only take place in cases of fraud and apparent mishandling of individual projects, as specified in the Vetting Service Agreement.
Our organisation thus effectively acts as a trusted intermediary in relation to the visitors of our platform, namely the crypto community at large and all potential or actual token holders/investors of a particular vetted project and the team behind such vetted project.
To this end, the organisation receives, collects and processes certain information which includes personal data, as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46/EC (hereinafter: the General Data Protection Regulation or the GDPR).
This data processing notice undertakes to explain which personal data we process, to what end we process such data, under which legal grounds, how long the data is kept and under what circumstances we disclose said personal data to law enforcement and other organisations.
If, as an individual, you want to obtain information about the data that our organisation is storing, showing or otherwise processing in relation to you, we advise you to contact us at dpo@nestoralpha.io and review section 5.1. of this notice.
Please also note that since the core functionality of our service includes the publishing of information which relates to vetted projects and founder teams in our project database, the corresponding personal data may remain publicly available for up to 5 years in our database even after revocation of a Vetted Service Badge and/or Certificate or after a client has withdrawn his project from our database (please see point 2.1. of this notice for more information).
Unless otherwise stated, the terms of the General Data Protection Regulation (e.g. personal data, processing, controller, processor, etc.) appearing in this notice have the same meaning as in the GDPR. This general information on the processing of personal data may be updated from time to time in order to better reflect changes in data protection or for other operational and legal reasons.
If we change this notice significantly, we will publish the news on our platform or send a notification within the service or via e-mail to the relevant data subject that might be affected.
1. Review of databases and types of personal data, categories of data subjects, legal grounds for processing, data retention timescales and purposes as well as types of data processing activities
NAME OF THE PERSONAL DATABASE |
TYPES OF DATA |
CATEGORIES OF DATA SUBJECTS |
LEGAL GROUNDS FOR PROCESSING |
DATA RETENTION TIMESCALES* |
PURPOSES OF PERSONAL DATA PROCESSING AND TYPES OF PROCESSING |
TEAM MEMBER AND PROJECT INFORMATION – for proprietary due diligence / KYC vetting
|
First Name, Citizenship, Discord (handle), Signature, Name, surname and contact information of the persons acting on behalf of the company, Personal ID / Passport / Driving licence (photo/scan), Geolocation / IP, Residence permit.
|
Data on individuals with major roles in relation to the project/client (e.g. CEO, CMO, Lead Developer, etc.) or data on other individuals that our clients contractually disclose to us or our partners during the vetting process through our Vetting Service Order Form or via the relevant input fields of our platform. |
Performance of the vetting service on the basis of the concluded contract – ordered Vetting Service (i.e. contractual basis). |
Our organisation may retain the data during the entire term of the vetting process and the term of validity of the Vetted Service Badge and/or Certificate (namely for as long as the vetted status has not been revoked by the organisation) and up to a maximum of 5 years from the start of the vetting procedure. Please note that our organisation may keep the data even after projects are no longer deemed as vetted, if legal grounds (i.e. legitimate interest for filing criminal or civil proceedings in connection with the project for the benefit of the investors/token holders/crypto community from point 1.4 of this notice) exist. If no procedure is brought forward by the relevant authority to whom data was forwarded, we shall delete the remainder of the data.
Please note that personal IDs or documents shall only be inspected via video call, whereby images or recordings of such a call may be made and kept by our external KYC processor (see point 3.3 of this notice). We reserve the right to store images or copies of any recorded calls for a period of up to 5 years from the start of the vetting procedure and even longer, if legal grounds (i.e. legitimate interest for filing criminal or civil proceedings in connection with the project for the benefit of the investors/token holders/crypto community from point 1.4 of this notice) exist. *Important: as per the service contract information contained in the Vetting Service Agreement, the right of erasure (“right to be forgotten”) of a data subject under Article 17 of the GDPR may be ineffective as per points a), d) and e) of paragraph 3 of Article 17 of the GDPR. The organisation undertakes to immediately remove any unnecessary data or data for which it has no legal grounds for processing/storing or regarding which the timescales for data retention have been exceeded. No data shall be kept longer than for a maximum period of 10 years from when it was obtained, regardless of the situation or legitimate interests of the organisation. |
The organisation can view and access the data only for the purpose of performing the vetting service, which includes:
- Manual processing (by the organisation, its employees or contractual processors as listed in section 3.3. of this notice) during the course of the proprietary due diligence / KYC or other vetting procedure: viewing, deleting, handling, forwarding, editing, transcribing, storing (including audio/video recordings of a KYC or due diligence call), adjusting, modifying, searching, making available for inspection, segmenting, transferring. Please note that all call participants shall be duly warned before any video/audio recording of a KYC or other vetting-related call.
- Transmission / forwarding of data to local or international criminal investigation authorities or other relevant bodies when circumstances (i.e. “rug-pull”, fraud, mishandling, etc.), as described in the Vetting Service Agreement document, occur.
Please note that such data shall not be disclosed “all at once” but forwarded in segments and minimised to what is essential for the elaboration of the case we deem as meeting the criteria. We shall only forward additional information on the explicit request for additional information from the relevant authority, should they find the case compelling in terms of implementing charges or carrying out a procedure.
If no procedure is brought forward by the relevant authority to whom data was forwarded, we shall delete the remainder of the data.
- Cross checking data: the data we or our partners collect for the vetting process may be cross-checked with publicly or privately available data such as Politically Exposed Person lists (PEP lists), Sanction, Warnings, Fitness and Probity lists, Adverse media in relation to general, financial, violent, sexual crimes, terrorism, fraud, narcotics, cyber-crimes and other crimes.
- Situational processing (i.e. making an upgrade of a service, exercising the rights of the data subject, etc.): disclosure by transfer, dissemination or other making available, restriction, deletion, destruction, storage (backup).
- Transmission of data to contracted processors for the purposes of storing the data or collecting the data in our name (i.e. for the performance of KYC procedures and checks), modification and deletion of data (based on our written order). The organisation's contractual partners (processors) listed in section 3.3. of this notice may process the data only for the purpose of performing the tasks assigned to them (i.e. hosting or KYC) and which are in direct connection with the operation of the basic functionalities of the service or offering support. |
VETTED PROJECT INFORMATION – making vetted project data available in the project database |
Project name/description, Team wallet, Project website, Team member Discord (handle), Team member role in the company/project, Project Discord / Twitter
|
Data on the vetted project as well as certain data on the founders that our clients contractually disclose during the vetting process through our Vetting Service Order Form or via the relevant input fields of our platform. |
Publicly displaying information on vetted projects and founder teams in our online project database on the basis of the concluded contract (i.e. contractual basis). |
Our organisation may retain the data and keep the data published and publicly available in the online project database during the entire term of validity of the Vetted Service Badge and/or Certificate (namely for as long as the vetted status has not been revoked by the organisation or the client has not withdrawn its project from our database) up to a period of 5 years after initial entry. Please note that our organisation may keep the data published even after projects are no longer deemed as vetted, if legal grounds (i.e. legitimate interest for filing criminal or civil proceedings in connection with the project for the benefit of the investors/token holders/crypto community from point 1.4 of this notice) exist. *Important: as per the service contract information contained in the Vetting Service Agreement, the right of erasure (“right to be forgotten”) of a data subject under Article 17 of the GDPR may be ineffective as per points a), d) and e) of paragraph 3 of Article 17 of the GDPR. The organisation undertakes to immediately remove any unnecessary data or data for which it has no legal grounds for processing/storing or regarding which the timescales for data retention have been exceeded. No data shall be kept longer than for a maximum period of 10 years from when it was obtained, regardless of the situation or legitimate interests of the organisation. |
Processing for the purposes of the basic operation of the service (i.e. automatically when data is entered into the service/database): publicly displaying (i.e. making available) the data in the project database to visitors of our platform, collection, recording, organisation, structuring, cloud storage, backup storage, deletion, segmentation, transfer.
- Situational processing (i.e. making an upgrade of a service, exercising the rights of the data subject, etc.): disclosure by transfer, dissemination or other making available, restriction, deletion, destruction, storage (backup).
- Transmission of data to contracted processors for the purposes of storing/hosting the data (see point 3.4. of this notice). |
ANALYTICAL DATA RELATED TO THE USE OF THE SERVICE
|
Google Analytics Data relating to visitor IPs, session time, and other platform-usage related metrics |
Visitors of the platform (whereby clicks, session times and actions are automatically recorded). |
Consent (based on opt-in gained via the cookie-pop-up). |
Until the expiry of the storage period as specified for each cookie in our cookie policy. * The process for deleting a particular cookie is described in our cookie policy and may be subject to your browser settings. |
- Processing may include collecting, segmenting, storing and viewing the data recorded by Google Analytics on user actions in the service in order to measure and optimise the user experience and functionality of the platform / vetting service. *Explanation: This type of data does not normally represent personal data, as it is anonymized by the Google Analytics processor service.
|
INFORMATION RELATED TO THE CLIENT'S USER ACCOUNT AND INVOICING DATA
|
Email and phone/fax number of the authorised person of the client who has a registered account for the use of the service as well as any related personal data included on the invoice/proof of payment (i.e. personal bank account number, personal bank statement, etc.).
|
Company representatives to whom we issue an invoice. |
Performance of the vetting service on the basis of the concluded contract (i.e. contractual basis). |
Our organisation may retain the data during the entire term of the vetting process and the term of validity of the Vetted Service Badge and/or Certificate (namely for as long as the vetted status has not been revoked by the organisation) and up to a maximum of 5 years from the start of the vetting procedure.
|
- Viewing, editing, storing, making available, modifying, deleting, forwarding in order to issue invoices and check proof of payment/execute transactions or refunds.
|
1.2. The legal basis for the processing of personal data - compliance with the provisions of the agreement for the use of the service
We process the personal data of individuals on the basis of a concluded use agreement (Vetting Service Agreement) which has been concluded with each client.
In this way, both parties are acting as separate controllers who exchange and process data for their own individual means and purposes, which they have solely determined.
Providing a valid and individual legal basis for the entry and processing of data of individuals in our online database in the context of the service is the obligation of the individual client.
The organisation always operates solely and exclusively as a controller in accordance with the concluded agreement (Vetting Service Agreement) and the information that is published in this document.
1.3. The legal basis for the processing of your data may also be set out in legislation
The organisation may occasionally process personal data for the purposes of complying with legal requirements and other regulations, especially those governing the control of personal data processing. For example, when a court, inspector or other holder of public authority orders the organisation to provide it with access to the back-end of the service, whereby the inspector may also have access to databases.
This may also be the case if someone else had filed for criminal or other procedures to be instituted against a project or its team before local or international law enforcement agencies or other bodies, which might therefore contact our organisation for additional details (e.g. when data from the database would have to be presented as evidence in criminal or civil proceedings, otherwise the organisation would suffer a penalty or material and irreparable damages). Note that we shall only fulfil such a request if specifically required by local or international law.
In the above-stated case we will always strive to fulfil the request with full transparency, except in cases where this might not be possible as (in accordance with a particular request of an authorised body) notifying the public of such request might endanger the proceedings at hand.
1.4. Based on the legitimate interests of the organisation – storing and forwarding project data in certain cases
Since the main result of our Vetting Service is the publishing of certain information which relates to vetted projects and their founders in our public project database (please see the relevant fields of the table under point 1 of this notice) and the potential forwarding of this information to relevant local or national criminal investigation agencies or other relevant bodies if “rug-pull” or other fraudulent activities are detected in relation to such project (please see the Vetting Service Agreement for more information on when this might apply), the corresponding personal data may remain publicly available for up to 5 years in our project database even after revocation of a Vetted Service Badge and/or Certificate or after a client has withdrawn from our database, and may stay available up to a maximum period of 10 years and may be transferred to such entities based on our legitimate interests.
We ascertain the above stated processing as being performed in our (and the community's) legitimate interests based on the following legitimate interest assessment:
Purpose test
By coming forward and undergoing our proprietary due diligence and KYC processes, clients disclose technical project details as well as personal information regarding their founders and team to our organisation and its partners (processors) in the scope of our vetting process. All vetted projects are entered into our publicly accessible database and potentially face the threat of the vetted service badge and/or certificate being revoked and the necessary information being forwarded to the relevant prosecutors or criminal investigation agencies, whereby this is the key feature that builds trust between the vetted projects and the crypto community, which is the mission of our organisation.
Our organisation cannot effectively act as a trusted intermediary in relation to the visitors of our platform, namely the crypto community at large and all potential or actual token holders/investors of a particular vetted project and the team behind such vetted project, if we are not allowed to publish and potentially forward vetted projects that fit our “rug-pull” or other fraudulent markers to the relevant authorities.
In performing the above-stated service and its related processing, the crypto community shall be able to regard our vetted projects as being trustworthy. In doing so, projects shall gain additional trust that is unlike current blockchain analysis / due diligence services, as currently a similar intermediary is lacking in the crypto and NFT space. Currently the majority of due diligence or project research is either solely based on technical analysis or performed ex post when a fraudulent project is discovered.
By relying on our vetting service and the following badge and/or certificate, relevant token holders/investors/NFT holders shall benefit, since they typically lack the information that is required for effectively considering a project as sound and trustworthy. This trust shall be amplified by our commitment to forward relevant data to authorities in lieu of possible criminal or other similar proceedings being brought forward.
In order to minimise the impact on the relevant data subjects, we strictly abide by the GDPR and other similar regulations and have put in place safeguards (see point 4.1. of this notice) as well as appointed a DPO and performed this LIA test. We also strictly abide by any and all data subject access or other requests.
Necessity test
We cannot achieve the status of a trustworthy intermediary when offering our vetting service, if storing and forwarding certain project data is not possible in cases of “rug-pulls” and fraud. Existing project repositories are already available and are not acting as true trustworthy intermediaries, since they take no action in cases where “rug-pull” or other fraudulent activities are detected or reported, thereby maintaining their neutral position.
We also firmly believe that the same purpose cannot be achieved by processing less data or by processing the data in another more obvious or less intrusive way, since the amount of data that is kept as publicly available in our database has been stringently reduced to key project data (namely project name/description, team wallet, project website, team member Discord (handle), team member Twitter (account URL/handle)) that is needed for project identification.
We also believe that the data we hold and potentially forward to relevant authorities is necessary in its current scope in order for us to effectively bring a case to the relevant authorities. Such data is also not disclosed “all at once” but forwarded in segments. Such data is also always minimised to what is essential for the elaboration of the case that we deem as meeting the criteria of a “rug-pull” or fraud. We only forward additional information upon obtaining an explicit request for additional information from the relevant authority or criminal investigation agency, should they find the case compelling in terms of implementing charges or carrying out their procedure.
If no procedure is brought forward by the relevant authority to whom the data was forwarded, we delete the remaining data for that project.
It is also essential in relation to our service, that we keep certain parts of the data that relate to a vetted project and its team (see the relevant table from point 1 of this notice) public in our database even when we receive “right of erasure” requests, as fulfilling such requests in every situation could negate the publicity and transparency effect of the database and allow for fraudulent project team members to effectively cover up their tracks, thereby evading potentially defrauded investors/token holders and making the purpose of our service obsolete.
We shall however always observe and implement “right of erasure” requests to an extent that shall not go against our legitimate interest as stated here after reviewing all aspects of the request and case at hand.
Balancing test
We only process data in relation to data subjects with which we have concluded a contractual relationship and which have been fully informed of the key aspects of our service and platform. We thereby believe that the data subjects involved do not have reasonable expectations of their data not being processed in the way that was explicitly stated in the Vetting Service Order Form or the relevant input fields of our platform and this document. All individuals have a right of opting out of the Order Form, whereby this might affect our readiness to vet a project.
In relation to the likely impact our processing might have on particular data subjects, all clients are obliged to inform any potentially affected data subject (i.e. team members, co-founders, persons acting on behalf of your company) which may be affected by the above-mentioned processing or exemption in relation to the right of erasure before disclosing their information to us via the Vetting Service Order Form or the relevant input fields of our platform.
We thereby believe that we are performing the above-mentioned processing on the basis of our legitimate interest which actively benefits our clients and the crypto/NFT community.
2. How long do we store your personal data?
The period of retention of personal data depends on the legal basis and purpose of processing and is clearly stated for each type of data in point 1 of this notice.
Personal data is generally kept for as long as it is necessary to fulfil the purpose for which the data were collected, or as long as a legal obligation or a regulation requires us to keep the data. After that, the data is deleted.
Our organisation may retain the data and keep the data published and publicly available in the online project database during the entire term of validity of the Vetted Service Badge and/or Certificate (namely for as long as the vetted status has not been revoked by the organisation or the client has not withdrawn its project from our database) up to a period of 5 years after initial entry.
The organisation undertakes to immediately remove any unnecessary data or data for which it has no legal grounds for processing/storing or regarding which the timescales for data retention have been exceeded.
No data shall be kept longer than for a maximum period of 10 years from when it was obtained, regardless of the situation or legitimate interests of the organisation.
2.1. Maintaining parts of your data in our project database and respecting your “right to be forgotten”
As per the service contract information contained in the Vetting Service Agreement and the above-mentioned legitimate interest assessment, the right of erasure (“right to be forgotten”) of a data subject under Article 17 of the GDPR may be ineffective as per points a), d) and e) of paragraph 3 of Article 17 of the GDPR.
We shall however always observe and implement “right of erasure” requests to an extent that shall not go against our legitimate interest as stated here after reviewing all aspects of the request and case at hand.
All clients are obliged to inform any potentially affected data subject (i.e. team members, co-founders, persons acting on behalf of the company) which may be affected by the above-mentioned exemption before disclosing their information to our organisation in the vetting process (i.e. before filling out the Vetting Service Order Form or providing us with their information via the relevant input fields on our platform).
3. Who processes your personal data?
3.1. Certain employees of the organisation
Your personal data is processed by individual employees of our organisation. Employees of our organisation process only those personal data that they need for their work, but they can also share them with each other if their work tasks and the internal rules of the organisation allow them to do so. All employees are committed to confidentiality and the protection of personal data.
3.2. State authorities
In certain cases, as prescribed by applicable law, the organisation must provide your personal data to the competent state authorities as well as authorities responsible for financial, tax or other type of official supervision. In certain cases, the organisation is compelled to provide data to third parties if such an obligation to provide or disclose the data is imposed on the organisation by law or on the basis of a valid legal right of a third party.
3.3. Contractual processing of personal data
In addition to the employees in our organisation, employees of our contractual processors may also process personal data as confidential and only within the scope of the contract on external processing of personal data, which has been concluded with such processors. The contractual processors may only process personal data in accordance with the organisation's instructions, and may not use the data to pursue any other interest.
The contractual processors with which the organisation cooperates are:
- Sum and Substance Ltd. incorporated and registered in England with company number 09688671, https://sumsub.com/terms-of-use/ acts as our main KYC provider and collects data in our name. Sum and Substance Ltd. may also store data in our name and upon receiving our written instruction, erases it completely from its servers without leaving any backup copies.
- DocuSign, Inc. incorporated and registered in Los Angeles, USA under company number 4980980, https://www.docusign.com acts as our contract signing platform. We have chosen DocuSign servers based in EU for all contract storage (please see: https://www.docusign.com/content/data-residency).
- persons who cooperate with the organisation on the basis of providing relevant business or copyright agreements (legal advice, advertising, etc.),
- the data hosting provider (see section 3.4.),
- accounting service provider,
- IT system maintenance providers,
- platform/service developers.
The organisation will not pass on your personal data to unauthorised third parties.
To obtain a detailed list of all contracted processors you can reach out to us at dpo@nestoralpha.io.
3.4. Hosting provider
Hosting our service and storing the data contained therein is offered by the following contractor as a contractual processor:
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (service: Google Cloud - https://cloud.google.com/terms/sccs/eu-c2p). Processing location: EEA (data is stored only on servers located within the EEA).
The processor protects data with the following security mechanisms and tools: dedicated security infrastructure and support, encrypted data transfer when using cloud services and encryption during transmission, DDoS protection, authentication and use of access keys, automatic encryption of stored data on server infrastructure (when idle and during distribution), physical protection of servers and network equipment (Google data centres have implemented multi-layered security and technical barriers to access and continuous monitoring. Only authorised employees with special access roles can enter the data centres).
3.5. Analytics provider
Analytics regarding the use of our platform are provided by the following contractor as a contractual processor:
- Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (service: Google Analytics https://www.google.com/analytics/terms/dpa/dataprocessingamendment_20130906.htm). Processing location: EEA (data is stored only on servers located within the EEA).
3.6. Transferring personal data to third countries and international organisations and measures to protect transferred data
As a rule, the organisation does not export personal data to third countries (i.e. outside of the European Union, Iceland, Norway and Liechtenstein) and to international organisations. An exception to this is data hosting with US-based providers (despite the fact that the data is hosted on the provider's servers within the EEA), as hosting may lead to data processing that may be treated as a non-EEA data transfer (by the organisation or the relevant public authority, whereby in the USA, public authorities, agencies and other entities may gain access to the data in certain extremely rare cases). On the date of preparation of this notice (June 2022), the contract that serves as a basis for the hosting/analytics by the processor has been drawn up to include standard contractual clauses.
You can obtain more detailed information on specific data user categories as well as more information on our contractual processors and our data transfers by sending us your request to the email address: dpo@nestoralpha.io
4. Processing of special categories of personal data
We do not process special categories of personal data.
4.1 Additional technical aspects of protecting special categories of personal data
Only a limited number of employees have direct access to databases in the service that contain or may contain special categories of personal data. They access the data in order to ensure the operation of the basic functionalities of the service or the provision of support activities. Access to such databases is limited at the level of individual workstations and administrator passwords belonging to employees according to their position.
The server application is isolated and protected by internal security mechanisms and software tools that prevent possible external intrusions.
5. What rights do you have in connection with your personal data and how can you exercise them?
In connection with this general information on the processing of personal data or regarding the processing of your personal data by our organisation and our contractual processors, you can contact us at any time and without hesitation via dpo@nestoralpha.io.
You can also contact us on the email mentioned above in order to send us your specific requests and for exercising your other rights, which relate to your personal data and applicable local legislation or the GDPR.
As a data subject, the GDPR gives you the opportunity to exercise the following rights with our organisation as the controller:
5.1. Right of access to your personal data (Article 15 of the GDPR)
You have the right to obtain confirmation as to whether personal data are processed in relation to you and, where applicable, request access to the personal data concerned together with the information referred to in Article 15 (1) of the GDPR:
When personal data is transferred to a third country or international organisation, you, as the data subject, have the right to be informed of appropriate safeguards in accordance with Article 46 of the GDPR in respect of such transfer.
If you request the aforementioned, you must also be provided with a copy of the personal data processed in connection with you. For any further copies requested by you, the organisation may charge a reasonable fee based on administrative costs.
Where the data subject submits the request by electronic means, and unless the data subject requests otherwise, the information shall be provided in a commonly used electronic form.
5.2. Right to rectification of personal data (Article 16 of the GDPR)
As a data subject, you also have the right to have inaccurate personal data corrected in connection with you without undue delay.
The data subject has the right to supplement incomplete personal data, including the submission of a supplementary statement, taking into account the purposes of the processing.
5.3. Right to erasure of personal data ("right to be forgotten") (Article 17 of the GDPR)
As a data subject, you have the right to have your personal data deleted without undue delay. Our organisation or our processors will delete personal data without undue delay even when one of the following reasons applies:
a) personal data are no longer needed for the purposes for which they were collected or otherwise processed;
b) when the processing of personal data was carried out on the basis of your consent, which you have revoked;
c) if you have objected to the processing of personal data and there are no overriding legitimate reasons for the processing;
d) if personal data have been processed illegally;
e) if personal data need to be deleted in order to fulfil a legal obligation in accordance with Union law or national law;
f) if personal data have been collected in connection with the offer of the “information society” services (which was offered to a person under the age of 15 and was not agreed to by the guardian of such a person).
5.4. The right to revoke consent or partially revoke consent
If, as a data subject, you have consented to the processing of your personal data for one or more specific purposes (see point 1.3 of this notice), you have the right to revoke your consent at any time without affecting the lawfulness of the processing that had been carried out on the basis of said consent until its revocation.
You can limit or revoke your consent for the processing of data at any time by contacting our organisation at dpo@nestoralpha.io.
5.5. Right to limit processing (Article 18 of the GDPR)
As a data subject, you have the right to restrict the processing of your personal data when one of the following cases applies:
a) when, as a data subject, you dispute the accuracy of the data, for a period that allows the accuracy of the personal data to be verified;
b) where the processing is illegal and as a data subject, you oppose the deletion of personal data and instead request a restriction on their use;
c) where our organisation no longer needs personal data for the purposes of processing, but you, as the data subject, need them to assert, enforce or defend legal claims;
d) when, as a data subject, you lodge an objection to the processing and until it is verified that the legitimate reasons of our organisation prevail over your reasons (i.e. the reasons of the data subject) as explained in points 1.4. and 2.1 of this notice.
Where the processing of personal data has been restricted, such personal data, with the exception of their storage, shall be processed only with the consent of the data subject or to assert, enforce or defend legal claims or to protect the rights of another natural or legal person due to important interests of the European Union or the nation in which our organisation resides.
5.6. Right to data portability
As a data subject, you have the right to receive personal data that relate to you and which you have provided to us in a structured, commonly used and machine-readable form, and you have the right to pass this information on to another controller without being hindered in doing so when:
(a) processing is based on consent or a contract; and
(b) processing is carried out with automated means.
As a data subject, in exercising this right of data portability, you have the right to transfer personal data directly from one controller (e.g. our organisation) to another, where technically feasible.
5.7. Right to object to processing (Article 21 of the GDPR)
As a data subject, you have the right to object to the processing of personal data concerning you on grounds relating to your specific situation, where the processing is necessary for the performance of a task in the public interest or in the exercise of official authority, which has been granted to us as the controller or where the processing is necessary for legitimate interests pursued by us as the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data, in particular when the data subject is a child. The above also applies to the creation of profiles in such cases of processing.
In the event that you object, our organisation will stop processing personal data unless it can prove that the legitimate interests for processing outweigh the interests, rights and freedoms of you as a data subject, or that the processing is necessary for the enforcement, implementation or defence of legal claims (see point 1.4 of this notice).
When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data relating to them for the purposes of such marketing, including the creation of profiles insofar as such direct marketing is concerned.
Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.
As part of using information society services, you, as a data subject, can exercise your right to object to processing by automated means using technical specifications.
Where data are processed for scientific or historical-research purposes or for statistical purposes, you as the data subject have the right to object to the processing of data relating to you for reasons related to your particular situation, unless the processing is necessary for the performance of a task carried out due to reasons of public interest.
5.8. Right to lodge a complaint with a supervisory authority
If you believe that the processing of personal data performed in connection with you by our organisation as the controller violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place. In the UK, the authority is the:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, Telephone: 0303 123 1113, Fax: 01625 524510, Contact: https://ico.org.uk/global/contact-us/
6. Existence of automated decision making and profiling
The service does not include automated decision making or profiling based on your personal data.
7. Processing of personal data of persons under 16 years of age
Our organisation does not knowingly collect or otherwise process personal data of persons under 16 years of age.
If our organisation subsequently finds out that it has processed the personal data of such a person without the consent of their parent or guardian, our organisation shall do everything necessary to delete all provided personal data.
At the address dpo@nestoralpha.io, the above-described persons or their parents or guardians shall be able to submit their requests for the deletion of the data concerned at any time.
8. Who can you contact for further clarification regarding the processing of personal data in our organisation and regarding your rights?
You can limit or revoke your consent for the processing of data at any time by contacting our organisation at:
the email address: dpo@nestoralpha.io
9. Protection of personal data
Our organisation carefully stores and protects personal data through organisational, technical and logical procedures and measures to protect the data from accidental or intentional unauthorised access, destruction, alteration or loss, and unauthorised disclosure or other form of processing to which you have not expressly consented.
To this end, the organisation has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, physical protection of material containing personal data in specially designated places, training of employees, etc.). The organisation also demands these security commitments from its contractual processors.
The subprocessors protect data with the following security mechanisms and tools: dedicated security infrastructure and support, encrypted data transfer when using cloud services and encryption during transmission, DDoS protection, authentication and use of access keys, automatic encryption of stored data on server infrastructure (when idle and during distribution), and physical protection of servers and network equipment. Google data centres have implemented multi-layered security and technical barriers to access and continuous monitoring; only approved employees with special access can enter.
10. Version and date of the last update of this notice
The text of this notice represents version 1.1 of this document.
This notice was last updated on August 18th, 2022.