LEGAL

1 Introduction

 

This Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your information when You use the Service and tells You about Your privacy rights and how the law protects You.

We use Your Personal data to provide and improve the Service. By using the Service, You agree to the collection and use of information in accordance with this Privacy Policy.

_______________

 

2 Definitions

For the purposes of this Privacy Policy:

  1. Account means a unique account created for You to access our Service or parts of our Service.
  2. Affiliate means an entity that controls, is controlled by or is under common control with a party, where “control” means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  3. Application means the software program provided by the Company downloaded by You on any electronic device, named ARuVR
  4. Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Agreement) refers to ARuVR LTD, Unit 1 – Alexander Charles House, E18 1JL, London UK.
  5. Country refers to: United Kingdom
  6. Device means any device that can access the Service such as a computer, a cellphone, a headset or a digital tablet.
  7. Personal Data is any information that relates to an identified or identifiable individual.
  8. Service refers to the Application.
  9. Service Provider means any natural or legal person who processes the data on behalf of the Company. It refers to third-party companies or individuals employed by the Company to facilitate the Service, to provide the Service on behalf of the Company, to perform services related to the Service or to assist the Company in analyzing how the Service is used.
  10. Third-party Social Media Service refers to any website or any social network website through which a User can log in or create an account to use the Service.
  11. Usage Data refers to data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
  12. You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

_______________

 

3 Types of Data Collected

  1. Personal Data
    While using Our Service, We may ask You to provide Us with certain personally identifiable information that can be used to contact or identify You. Personally identifiable information may include, but is not limited to:

    • Email address
    • First name and last name
    • Usage Data
  2. Usage Data
    Usage Data is collected automatically when using the Service.

    • Usage Data may include information such as Your Device’s Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that You visit, the time and date of Your visit, the time spent on those pages, unique device identifiers and other diagnostic data.
    • When You access the Service by or through a mobile device, We may collect certain information automatically, including, but not limited to, the type of mobile device You use, the IP address of Your mobile device, Your mobile operating system, the type of mobile Internet browser You use, unique device identifiers and other diagnostic data.
    • We may also collect information that Your browser sends whenever You visit our Service or when You access the Service by or through a mobile device.

 

_______________

 

 

4 Use of Your Personal Data

The Company may use Personal Data for the following purposes:

  • To provide and maintain our Service, including to monitor the usage of our Service.
  • To manage Your Account: to manage Your registration as a user of the Service. The Personal Data You provide can give You access to different functionalities of the Service that are available to You as a registered user.
  • For the performance of a contract: the development, compliance and undertaking of the purchase contract for the products, items or services You have purchased or of any other contract with Us through the Service.
  • To contact You: To contact You by email, telephone calls, SMS, or other equivalent forms of electronic communication, such as a mobile application’s push notifications regarding updates or informative communications related to the functionalities, products or contracted services, including the security updates, when necessary or reasonable for their implementation.
  • To manage Your requests: To attend and manage Your requests to Us.
  • For other purposes: We may use Your information for other purposes, such as data analysis, identifying usage trends, to evaluate and improve our Service, products, services and your experience.

We DO NOT share Your personal information with anyone outside the Company.

_______________

 

5 Retention of Your Personal Data

The Company will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

The Company will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

_______________

6 Transfer of Your Personal Data

Your information, including Personal Data, is processed at the Company’s operating offices and in any other places where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside of Your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from Your jurisdiction.

Your consent to this Privacy Policy followed by Your submission of such information represents Your agreement to that transfer.

The Company will take all steps reasonably necessary to ensure that Your data is treated securely and in accordance with this Privacy Policy and no transfer of Your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of Your data and other personal information.

_______________

 

7 Disclosure of Your Personal Data

  • Business TransactionsIf the Company is involved in a merger, acquisition or asset sale, Your Personal Data may be transferred. We will provide notice before Your Personal Data is transferred and becomes subject to a different Privacy Policy.
  • Law enforcementUnder certain circumstances, the Company may be required to disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
  • Other legal requirementsThe Company may disclose Your Personal Data in the good faith belief that such action is necessary to:
    • Comply with a legal obligation
    • Protect and defend the rights or property of the Company
    • Prevent or investigate possible wrongdoing in connection with the Service
    • Protect the personal safety of Users of the Service or the public
    • Protect against legal liability

_______________

 

8 Third Party Processors

Our carefully selected partners and service providers may process personal information about you on our behalf as described below:

“Digital Marketing Service Providers

We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information.  Our appointed data processors include:

(i)Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io.  Sopro are registered with the ICO Reg: ZA346877 their Data Protection Officer can be emailed at: dpo@sopro.io.”

_______________
9 Data Subject Access Request Process (DSAR)

a. Information to be provided to data subjects

ARuVR provides natural persons (the data subjects) with information in an appropriate format which clearly communicates:

  • the identity of ARuVR and its representatives where applicable
  • the purposes for which the personal information can be processed
  • the legitimate interests of ARuVR or the processing where ‘legitimate interest’ is the legalbasis used
  • the types of personal information collected, where this is from a source other than the naturalperson
  • information about the disclosure of personal information to third parties
  • whether personal information is transferred outside the UK and EEA and an explanation of thesafeguards in place, and how to get a copy of the safeguards
  • where ARuVR is based outside the EU and the natural person is in the EU, the identity of theEU based representative, where this is required
  • details of any technologies (such as cookies) used on a web site to collect personalinformation about the natural persons
  • other information to make the processing fair and transparent, such as:
    • the retention period(s) or the criteria used to set retention
    • information regarding the natural person’s rights of access to, and correction, deletion and restriction of personal information, as well as their right to data portability o the right to lodge a complaint with the ICO
    • where the processing is based on consent, the right to withdraw consent
    • where the provision of information is a statutory or contractual requirement, informing the natural person why it is necessary and what the consequences are o failing to provide the information
    • information about any automated decision making and/or profiling that the information might be used for, including logic involved and the consequences for the natural person

Where personal information is collected for marketing purposes or might be used in the future for marketing purposes, ARuVR ensures the natural person(s) are aware of how they can object to such marketing. This is clearly explained to them.

Where profiling by automated means is used for marketing purposes, ARuVR ensures the natural person(s) are aware of how they can object to such marketing. This is clearly explained to them.

All requests for access to their personal information from data subjects shall be notified to the ARuVR CTO who acts as the Data Protection Officer (DPO), or another person appointed by the ARuVR Directors as responsible for data protection compliance and the PIMS.

a.1. Timing of privacy information

Where ARuVR collects personal information directly from a natural person (a data subject), it ensures the natural person is provided with, or has access to, the privacy information required to be given, in advance of the data being collected.

Where ARuVR does not collect personal information directly from the natural person (data subject) the privacy information is provided after obtaining the personal information or:

  • Within one month (having regard to the specific circumstances in which the information is processed)
  • If the information is used to communicate with the natural person, then at the time of first communication
  • If the information is intended to be disclosed to another recipient, then at least when the information is first disclosed

The ARuVR CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

a.2. Timing of privacy information

ARuVR ensures that personal information collected from third parties is collected fairly and lawfully. Where necessary the identified natural persons are provided with the information listed above in the bullet points in Section 3 within one month of collection unless the natural person already has the information or doing so would involve disproportionate effort. ARuVR will make considerable effort to provide the information.

The CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

b. Rights of natural persons

b.1 Timeline for responding to data subject requests

The natural person’s rights in relation to their personal information are respected by ARuVR. Requests from natural persons to exercise their rights are addressed without undue delay and within one month of receipt of the request from the natural person. If it is not possible for ARuVR to respond to the request within one month the natural persons are informed in the event of any necessary extension to the one-month time period for supplying the information in an electronic or hard-copy format as requested by the natural person. Any extension to the one-month period for complying with a request from a natural person is no longer than a further two months (maximum of three months). ARuVR may consider whether any derogations (relaxations of law) or exemptions apply.

Such rights include access to information, objection to processing, rectification of inaccurate information, erasure and/or restriction on the use of information, data portability and the right not to be subject to automated processing where such processing relates to profiling or that significantly affects the natural person.

The CTO acting as Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, monitors all data subject requests to ensure ARuVR responds in time.

b.2 Timeline for responding to data subject requests

In response to a request from a data subject the Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS verifies the identity of the requestor then confirms whether or not personal information concerning them is being processed and, where that is the case, advises the data subject that they can receive a copy of their personal information and the following information (unless a specific derogation (relaxation of law) applies):

  • The purpose(s) of the processing
  • The categories of personal information concerned
  • The recipients or categories of recipient to whom the information has been disclosed, inparticular recipients in third countries or international organisations
  • Where possible, the envisaged period for which the personal information will be stored, or ifnot possible, the criteria used to determine that period
  • The existence of the right to request rectification or erasure of personal information orrestriction of processing of personal information concerning the natural person, or to object tosuch processing
  • The existence of the right to lodge a complaint with the ICO
  • Where the personal information has not been collected from the data subject, any availableinformation as to the source of the information
  • The existence of automated decision-making, including profiling and meaningful informationabout the logic involved, as well as the significance and consequences of such processing forthe natural person
  • Where the personal information is transferred to a third country or international organisation,what the appropriate safeguards are that have been put in place

The Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS first verifies the identity of the requestor. The template in Annex A is then completed and supplied to the data subject. The records of communication to/from the data subject are retained in accordance with the Information Retention Policy.

b.3 Data rectification requests procedure

ARuVR ensures that the natural person is able, without undue delay, to obtain the rectification of inaccurate personal information concerning him or her.

The natural person is also entitled to have incomplete personal information completed.

In response to a data rectification request from a data subject the CTO or Data Protection Officer (DPO) or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, then issues the instruction to the relevant department(s) to rectify the data. The relevant departments respond to confirm the data has been rectified. The data subject is then informed that the data has been rectified. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

b.4 Data erasure requests procedure

ARuVR ensures that requests from natural persons under the “right to erasure” are appropriately handled.
ARuVR ensures that a natural person has the right to obtain erasure of personal information about them without undue delay where:

  • The personal information is no longer necessary in relation to the purposes for which it was originally collected or otherwise processed
  • Where the processing was based on consent, the natural person withdraws their consent, and there is no other legal ground for continuing to process the information
  • The natural person has objected to the processing in question and there are no overriding legitimate grounds for the processing, or the natural person has objected to marketing

Company Confidential 7 of 12

  • The personal information has been unlawfully processed
  • The personal information needs to be erased to conform to a legal obligation
  • The personal information has been collected to offer information society services

ARuVR ensures that where the information has been made public, appropriate measures are taken to inform other organisations that might be processing the personal information that the natural person has requested the erasure of the information
In response to a data erasure request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to retain the data, then if it should be erased issues the instruction to the relevant department(s) to erase the data. The relevant departments respond to confirm the data has been erased. The data subject is then informed that the data has been erased. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

b.5 Restriction of processing requests procedure

ARuVR ensures that a natural person has the right to obtain restriction of processing personal information where:

  • The accuracy of the personal information has been contested by the natural person, for a period enabling ARuVR to verify the accuracy of personal information
  • The processing is unlawful and the natural person objects to the erasure of personal information and requests the restriction of its use instead
  • ARuVR no longer needs the personal information for the purposes of the processing, but it is required by the natural person for the establishment, exercise or defence of legal claims
  • The natural person has objected to processing and the restriction stays in place pending the verification as to whether the legitimate grounds of the organisation override those of the natural person

ARuVR ensures that when a restriction is going to be lifted, the natural person is informed before this takes place.
In response to a restriction of data processing request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to continue processing the data, then if it should be restricted, issues the instruction to the relevant department(s) to restrict the processing of that natural person’s data. The relevant departments respond to confirm the data processing has been restricted. The data subject is then informed that the data processing has been restricted. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

b.6 Data portability request procedure

ARuVR ensures that where the natural person has the right to data portability and the information is being processed by automated means, the natural person is able to have that information transmitted to them, or to any other organisation they nominate, free of charge and in a structured, commonly used machine-readable format.
In response to a data portability request from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to not release or to retain the data, then if it should be ported, issues the instruction to the relevant department(s) to supply the natural person’s data in a format suitable for porting. The relevant departments prove the data to the 3rd party and then responds to confirm the data has been ported. The data subject is then informed that the
Company Confidential 8 of 12
data has been ported. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

b.7 Objection to processing requests procedure

ARuVR ensures that the PIMS has procedures to consider and respond to requests from a natural person who objects to processing of personal information.
Where a natural person objects to the processing of personal information for the purposes of direct marketing, ARuVR ensures that processing ceases for that natural person.
In response to an objection to data processing from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, checks the inventory of PII and data flows diagram to determine the location(s) of the data, checks whether there is an overriding obligation to process the data, then if it should not be processed, issues the instruction to the relevant department(s) to cease processing that natural person’s data and if appropriate to erase the data. The relevant departments cease processing the data and confirms the data processing has been ceased and/or erased. The data subject is then informed that the data processing has been ceased and/or erased as appropriate. The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

c Complaints and appeals procedure

In response to a compliant or appeal to data processing from a data subject the CTO or Data Protection Officer (DPO), or the person appointed by the Directors as responsible for data protection compliance and the PIMS, verifies the identity of the requestor, then logs the complaint in the ARuVR Complaints Log spreadsheet then investigates the nature and grounds for the complaint or appeal. Where necessary ARuVR legal counsel shall be informed and asked to provide legal advice and support.
The result of an upheld compliant or appeal will be one of the actions detailed above in Section 4.
The records of communication to/from the data subject are retained in accordance with the ARuVR Information Retention Policy.

10 Information Security Policy Statement

ARuVR Ltd is committed to implementing, operating and continually improving an appropriate information security management system, policies, processes and controls to maintain the confidentiality, integrity and availability of its and its customers’ information and its information processing facilities.
The primary objective is to ensure that ARuVR Ltd is legally compliant and fulfils all of its information security obligations to customers and other interested parties.
The information security management system provides the framework for identifying applicable legislation and controlling risks to information security through the implementation of operational controls, setting objectives and continuous improvement, thus maximising our potential to fulfil all information security obligations to customers and other external parties, such as suppliers and business partners. It provides all interested parties and customers with the confidence that their information shall be kept appropriately secure whilst under the control of ARuVR Ltd.
We recognise that our business relationships require on-going commitment to achieving business excellence and information security at every level of ARuVR Ltd and its supply chains.

11  More information.

ARuVR reserves the right to update and change these Privacy Policy from time to time, without notice.
If you have any questions about this Privacy Policy, You can contact us: info@aruvr.com