Global Consumer Privacy Policy
Welcome to the Chaos Global Consumer Privacy Policy
Chaos Software GmbH and its affiliates (together, Chaos or We) take your right to privacy seriously. We appreciate that you trust us with your personal information and respecting your privacy is at the core of our interactions with you.
We respect the privacy of all users, customers, and business contacts. This Privacy Policy describes the ways and conditions under which We process and use your personal data. We recommend that you read this Privacy Policy to get more information about the processing of your personal data.
Effective Date: June 28, 2024
The Chaos Global Consumer Privacy Policy (Privacy Policy) describes the personal information that Chaos collects from or about users of the Websites, Mobile Applications (Apps), Desktop Software Products (Software Products), Plug-In Software Products (Plugins), Cloud Rendering Services and other online and offline products and services that Chaos operates (together, the Websites,Products and Services) and how we use and protect that personal information. This Privacy Policy also explains how users can make choices about their personal information.
When we refer to personal information (sometimes referred to as personal data under some laws) in this Privacy Policy, we mean information that identifies or can be used to identify an individual human being. This includes information such as name, address, email, billing address or telephone number. Information that is not directly related to your identity (for example, the number of users on the Websites) does not fall within this category. When we refer to you or a user, we mean someone who uses any of the Websites, Products and Services. When we refer to a controller, we mean the person or entity that determines what personal information is collected from or about you and how that personal information is used and protected.
Governing law applicable to this Privacy Policy is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) and other applicable privacy laws and regulations in countries where we operate.
How we collect, use, and protect your personal information is subject to the laws in the places in which we operate. This means that we may have different practices in different places. For more information, please see Section14. Privacy Rights and Choices, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who to contact.
1. SCOPE OF THIS PRIVACY POLICY
The Privacy Policy applies to the personal information collected from users of our Websites, Products and Services in which the Privacy Policy is posted or linked, when the Privacy Policy is specifically referenced in the Websites, Products and Services or when Chaos asks you to acknowledge it. This Privacy Policy also covers personal information that we collect from consumers who contact us by email, telephone and offline, such as during in-person events.
If you are one of our Partners or Resellers, this policy also tells you how we process personal data when we conduct business with you.
This Privacy Policy also may apply to personal information provided to us by consumers who engage with us through social media.
This Privacy Policy aims to provide you with comprehensive information in a clear and understandable language about what actions are taken with the personal data you provide to us, including:
- What personal data do we process?
- For what purposes do we process your personal data?
- For how long do we keep the personal data you provide?
- Who do we share your personal information with?
- What are your rights regarding your personal data and how you can exercise them?
- How Do We notify you of a change to our Privacy Policy?
With this Privacy Policy, Chaos declares that it has implemented all technical and organizational measures to protect the personal data of individuals prescribed by applicable law.
2. WHO IS RESPONSIBLE FOR THE PROCESSING OF YOUR PERSONAL DATA?
The data controller in the sense of the GDPR and other applicable data protection laws is:
Chaos Software GmbH, a limited liability company incorporated under the laws of the Federal Republic of Germany, Amtsgericht Mannheim, HRB 726749.
Chaos is part of a corporate group of entities operating in and outside of Germany. Chaos may share your personal data with other Affiliates within this Corporate Group if the applicable legal requirements are met. For avoidance of doubt Affiliate should mean an entity that controls, is controlled by or is under common control with Chaos Software GmbH. For purposes of this defined term, “control” means ownership of more than fifty (50%) percent of the voting stock or other ownership interest in an entity.
In certain cases, the immediate data controller may be one of Chaos Software GmbH’s Affiliates, please see Section14. Privacy Rights and Choices, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who is the responsible data controller depending on your country of residence.
3. HOW TO CONTACT US?
If you have any questions and / or requests related to your personal data that Chaos processes, you can contact us at: An der Raumfabrik 33b, 76227 Karlsruhe, Germany, or email: dpo@chaos.com
You can contact our Data Protection Officer at the following email: dpo@chaos.com
Please see Section14. Privacy Rights and Choices, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who to contact depending on your country of residence.
4. SPECIAL NOTICE – IF YOU ARE UNDER 18 YEARS OLD
Chaos develops 3D visualization technology for architecture, engineering, construction, product design, manufacturing, and media and entertainment.
Our Websites, Products and Services are strictly professional and are not aimed at children under 18 years old and we will not deliberately collect, use, provide or process in any other form any personal information of children under the age of 18. We therefore also ask you, if you are under 18 years old, please do not provide us with your personal information (for example, your name, address, and email address). In case you are under 18 years old and wish to use our Websites, Products and Services please ask your parent or guardian to register and buy a license for you. If we learn that we have collected personal data through our Websites, Products and Services from a child under 18 without the consent of the child’s parent or guardian as required by law, we will delete it.
5. WHAT TYPES OF PERSONAL INFORMATION DOES CHAOS COLLECT?
Any information and data by which an individual can be identified falls directly or indirectly under the definition of “personal data”.
For example, indirect identification is your mobile number. Direct identification is achieved when you provide a unique identifier such as Personal Identification Number (PIN), passport number, etc.
"Special categories of personal data" means for example data revealing racial or ethnic origin, political views, religious or philosophical beliefs or membership of trade unions, as well as the processing of genetic data, biometric data for the sole purpose of identifying an individual, health data or data about the sexual life or sexual orientation of the individual.
We collect personal data directly from you, for example when you create an account with us or contact us. We also collect data when you use our Websites, Products and Services including usage data. We sometimes collect data from third parties, including our Resellers and Partners.
This personal data that Chaos collects and processes for our Websites, Products and Services may include the following categories:
Categories of Personal Data: | Types of Personal Data: |
Information about you | Name, surname, family name |
Account information | Password, username |
Image data | Avatar or photo should you choose to provide one for the forum |
Contact details | Email, telephone number |
Personal identifiers | Personal identifiers, required only for invoicing upon request of the customer |
Information about your employer and your interests | Name of the company you work for and information about the industrial interest you have in software products (e.g. Film, VFX, Television, Architecture, etc.) |
Data about the persons who are eligible for discounts | Copy of documents evidencing that the consumer is an active student in a university |
Address details | Billing address, country, city, ZIP and/or postcode |
Bank data | Partial data about your bank account. Payment card purchases are processed by third-party payment processors. Chaos does not have access to complete bank account numbers, credit card numbers or debit card numbers. |
Purchase history | Data about purchased or used Products or Services |
Information collected from our Products and Services | Account information for authenticating license, Product Version, Error Reports, IP address and broad geographic location (e.g. country location), Information about your computer or mobile device (such as device type and identification number, operating system, CPU and GPU drivers), Information about 3D scene being rendered by our Products and Services (such as number of objects or lights and render settings, without collecting the scenes or assets themselves) |
Product Usage Data (Telemetry) | Anonymized Telemetry (product usage data that is not tied to an individual personalized license) and/or Personalized Telemetry (product usage data that is tied to an individual personalized license) can be collected and processed only if enabled by user |
Internet data | Data about your IP address, location data, cookie data, etc. |
Copy of communication on our website | Copies of emails or other forms of communication you might have while using our Website, Products and Services and our communication system tools |
Information received from third parties | The types of personal information that we receive from third parties include: Personal information that commercially available from marketing services providers or collected by marketing partners through campaigns and events, which is used to help identify individuals who may be interested in learning more about Chaos and to supplement personal information we already have. This personal information includes insights from matching our pseudonymised data sets with third parties’ pseudonymized data sets. Sometimes when you purchase our Products or Services through a Partner or Reseller we may acquire Information about you and Account data from that Partner or Reseller. |
User generated content | When using our cloud services You may choose to upload some of your user generated content like images, 3D scenes, 3D assets, 3D data (data about materials and textures added to a scene or image), video, text prompts or other data to the cloud. |
Other data | Other types of personal information, which you may provide by contacting us and/or making a request / inquiry |
We collect Personal Data via cookies, pixel tags, or similar technologies when you use our Websites, Products and Services (collectively referred to as Cookies), including for conducting analytics and advertising. For more information on our use of cookies, please read our Cookie Policy or use the Cookie Settings functionality available in our Websites, Products and Services that implement cookies.
Chaos does not collect any special categories of personal data since such are not required for the use of our Websites, Products and Services. If sensitive categories of personal data are provided by you during your communication with the Company or use of our Websites, Products and Services, it will be deleted as soon as possible after the processing of such data is established.
6. WHAT ARE OUR LEGAL BASIS FOR PROCESSING OF PERSONAL INFORMATION?
The processing of personal data includes the collection, storage, destruction, transfer, correction, updating, deletion, and all other activities carried out with your personal data.
Chaos processes personal data on the grounds of the performance of a contract with the consumer (Article 6, paragraph 1, item "b" of the GDPR). We may also process personal data after obtaining clear, free, and unambiguous consent from you for the purposes of processing expressed through your voluntary registration or provision of data in our Websites, Products and Services or trough clicking onto optional checkboxes (Article 6, paragraph 1, item “a” of the GDPR). The consent you provide can always be withdrawn by contacting us or using the contact form available on our website.
Some of our processing activities are based on legitimate interest (Article 6, paragraph 1, item “f” of the GDPR), but only after we have carefully assessed that such interests do not concern the fundamental rights and freedoms of the data subject.
Lastly, in a very limited number of cases we process your personal data for compliance with a legal obligation to which Chaos is subject (Article 6, paragraph 1, item “c” of the GDPR).
Chaos operates in different countries across the world which may use different legal bases for processing according to applicable laws in different jurisdictions. In any case We make sure that we process your personal information lawfully and we apply the following principles:
- Transparency
- Respect
- Trust
- Fairness
7. WHY ARE WE PROCESSING YOUR PERSONAL INFORMATION?
The personal data provided by you shall be used for the following purposes, including but not limited to:
- Administration and maintenance of our Websites and the Chaos IDs of our customers and users.
- Sale, support, development and analytics of our Products and Services.
- Usage of aggregated data (telemetry) about your use of our Products and Services for the purpose of making all our products and services better.
- For data analytics, research and product development that enable us to better understand our consumers and offer innovations for them.
- Marketing and advertising activities, including but not limited to sending you marketing messages by email, in-app notifications and phone, if the legal requirements for digital marketing are met.
- For targeted advertisements (also sometimes referred to as personalized or interest-based advertising) based on information generated by a user’s online activity, such as visiting websites that contain our advertising partners’ ads or cookies, some of which are based on geo-location.
- To create anonymized data, which are not subject to this Privacy Policy, that are used in improving Chaos’ Products and Services and similar business purposes and otherwise as permitted by contract and law.
- To detect and protect against fraud, abusive and unauthorized use of our Products and Services, including to combat against piracy of our software products.
- Processing of personal data for compliance with regulatory and other legal requirements.
- Answering claims and requests sent by our customers / users.
- Processing orders or purchases made by our customers / users.
- If you are a Reseller or Partner, communicate with you to manage our relationship.
- Performance of rights and obligations related to our products, contractual or pre-contractual relationship with our customers / users.
- Anticipating and resolving issues related to our Products and Services.
- For the purposes of ensuring proper functioning of the cloud services and to investigate and resolve issues we may have access or otherwise process the uploaded user generated content. Chaos may use automated processing techniques on content you upload in order to improve our Products and Services and user experience.
- Creating new Products or Services that would meet your needs.
Your personal data is not subject to automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR.
8. HOW DO WE PROCESS YOUR PERSONAL INFORMATION?
When you visit our Websites or use our Products and Services, Chaos processes (collects) your personal information in the following ways:
- By providing your details to purchase and use any of our Websites, Products and Services.
- By providing your details to use a free product, Not For Resale (NFR) License, trial or a demo version of any of our Products and Services.
- By completing your account registration or other various forms on our Websites.
- By filling in your required billing details.
- By processing information about IP addresses, cookies, operating system, and browser type.
- By processing anonymized telemetry or personalized telemetry (if enabled) or other product usage data when you use our Products and Services.
- By using our support functionalities, send us emails or use our forums.
- By attending events, seminars, workshops, camps or other in-person gatherings that require registration or where photographs and/or video of the event is being recorded.
- By receiving information from third parties especially when we interact with our Resellers and Partners or conduct targeted advertising activities and utilize lead generation through third-party platforms when the applicable legal grounds are met.
9. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?
Depending on the legal ground based on which we process your personal data, the storage period of personal data may be different.
Your personal data is stored as long as we have valid legal grounds for processing it. After this period has expired and in case there is no legal ground to continue storing your personal data, your information shall be fully anonymized or deleted.
10. DO WE SHARE YOUR PERSONAL DATA WITH THIRD PARTIES?
Chaos respects your privacy and keeps your data secured. Subject to statutory requirements or business needs, Chaos may disclose your personal data to the following categories of recipients:
- Service providers: When we use service providers related to client management systems, technical maintenance and provision of internal IT systems, cloud storage and operational support to our activities, Chaos may disclose personal data to those service providers. Please be informed that such disclosure shall commence only in case there are legitimate grounds for doing so and only based on a written agreement ensuring that the receiver provides adequate levels of protection for the personal data.
- Our corporate partners and companies within our distribution network: Chaos uses a network of corporate partners and distributors (referred to in this Privacy Policy as Partners and Resellers) who distribute our products and services in different jurisdictions and bundles. Therefore, we may disclose your personal data to a distributor who is in a suitable area with you in order to provide the best quality service.
- Other companies in our corporate group: Chaos shares your data with other companies within its corporate group.
- Corporate restructuring: If we are involved in a merger, acquisition or asset sale, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, your personal data may be transferred to a party involved in such arrangement.
- External companies providing services related to card payments: Payment card purchases are processed by third-party payment processors. Chaos does not have access to complete bank account numbers, credit card numbers or debit card numbers. We receive only partial bank data and statements while the third-party payment processor company processes your full bank information;
- Advisors: We work with various advisors, including tax consultants, auditors and legal advisors, with whom we may share your Personal Data.
- Legal:Information about our users, including Personal Data, will be disclosed to law enforcement agencies, regulatory bodies, public authorities or pursuant to the exercise of legal proceedings if we are legally required to do so, or if we believe, in good faith, that such disclosure is necessary to comply with a legal obligation or request, to enforce our terms and conditions, to prevent or resolve security or technical issues, or to protect the rights, property or safety of Chaos, our users, a third party, or the public.
11. DOES CHAOS TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?
In principle, Chaos and many of its Affiliates that are based in Europe store and process personal data predominantly in the European Union (“EU”), the European Economic Area (“EEA”) and the United Kingdom (“UK”).
Chaos may transfer personal information across borders to any of the places where we and our Affiliates, Partners and Resellers operate. These other places may have data protection laws that are different from (and, in some cases, less protective) than the laws where you reside.
If your personal information is transferred across borders by us or on our behalf, we use appropriate safeguards to protect your personal information in accordance with this Privacy Policy and applicable law. These safeguards include agreeing to standard contractual clauses or model contracts for transfers of personal information among our Affiliates and among our Partners and Resellers. When in place, these contracts require our Affiliates, Partners and Resellers to protect personal information in accordance with applicable privacy laws.
For more information about how we transfer Personal Data internationally, please contact us as set out in Section 3 above.
12. WHAT ARE YOUR RIGHTS WITH RESPECT TO YOUR PERSONAL DATA?
This Section applies to residents in the EU, EEA and UK, as well as any resident of a country that is not listed in Section 14 and provided with specific rights applicable per their local legislation in the country of residence.
Subject to European law (GDPR) and the privacy laws applicable in the UK, you may have the following rights to your personal data processed by Chaos:
- Access your personal data that Chaos processes and get a copy thereof.
- In case of incompleteness or inaccuracy in the data that Chaos processes, your personal data will be corrected (right to rectification).
- Request the erasure of your personal data when the conditions are met. Such cases are if the purpose for which the data is collected is achieved, you have withdrawn your consent when the processing is based on consent and there is no other legal basis for processing, your data is being processed unlawfully, and others.
- In the cases specified by the law, you may require that the processing of your personal data is restricted.
- In the cases specified by the law, you may object to the processing of your personal data.
- Exercise your data portability rights and request that your data be provided in a structured, commonly used and machine-readable format.
- Withdrawing your consent when processing your personal data is based on consent.
You can exercise any of the above rights by submitting a formal request to the following address: An der Raumfabrik 33b, 76227 Karlsruhe, Germany, or email: dpo@chaos.com. In order to exercise your rights, it is mandatory to establish the identity of the claimant when submitting a request for exercising your rights. For your convenience we have created a Policy for Data Subjects’ Rights where you can find a lot more information about your rights related to data privacy and how to exercise them.
If you are a European resident, you also have the right to file a complaint with the respective data protection authority where you live, work or where you think we have violated data protection laws, when the relevant prerequisites are in place.
You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email or by contacting us at dpo@chaos.com. You may continue to receive service-related and other non-marketing emails.
13. UPDATING THIS PRIVACY POLICY
This policy may be updated periodically to reflect changes in personal data protection legislation and best practices. When Chaos updates this Privacy Policy, We will post the updated version and change the Effective Date above. We will also take appropriate measures to inform you in advance of significant changes that We believe affect your privacy rights either via email or including a just-in-time notice displayed in our Products or Services. If your consent is required by applicable privacy laws, we will obtain your consent to changes before the revised Privacy Policy applies to you. Please regularly check this Privacy Policy to ensure you are aware of the updated version.
14. PRIVACY RIGHTS AND CHOICES FOR SPECIFIC JURISDICTIONS
RESIDENTS OF SOUTH AFRICA
Personal information that is collected from you is required for you to have access to Chaos’ Websites, Products and Services. Failure to provide this personal information may prevent you from accessing or using any or all of our Websites, Products and Services. Under the Protection of Personal Information Act 4 of 2013 (POPIA), personal information of juridical persons also is protected; therefore, in the event that our Websites, Products and Services are accessed on behalf of a juridical person (legal entity), personal information of such legal entity should be protected.
Direct Marketing
All electronic direct marketing communication will be sent to you (until you opt out) when:
- you consent to receive direct marketing communication in accordance with POPIA; or
- We received your personal information in connection with the sale of any of our products or services to you so that we can communicate with you about our other products or services. You can choose to opt out of receiving these marketing communications at the time by using the “unsubscribe” link or contacting us at using the contact information below.
Your Rights
You have the right to make the following requests about your personal information:
- to ask whether Chaos holds personal information about you, free of charge.
- to request a record or a description of your personal information that Chaos holds about you.
- to request that Chaos update or correct inaccurate or incomplete personal information about you.
- to request that Chaos stops using your personal information for any reason
- to object to the processing of your personal information.
- to request that Chaos deletes your personal information.
- to request that Chaos restrict how your personal information is used, shared and otherwise processed.
- to request that Chaos transmit a copy of your personal information to you or to a third party selected by you.
We may (and in some cases are required to) verify your identity before we can act on your request to exercise your privacy rights.
How to contact us to exercise your privacy rights
To exercise your privacy rights, please contact Chaos using one of these options:
- Email: dpo@chaos.com
- Write: Chaos Software GmbH, An der Raumfabrik 33b, 76227 Karlsruhe, Germany.
You have a right to lodge a complaint with the Information Regulator (South Africa) https://inforegulator.org.za/
Email: POPIAComplaints@inforegulator.org.za
Other Processing Details
We also automatically collect the following information:
- Analytics information: We may collect analytics data, or use third-party analytics tools such as Google Analytics, to help us measure traffic and usage trends for the Websites, Products and Services and to understand more about the demographics and behaviors of our users.
We also permit third-party online advertising networks, social media companies and other third-party services to collect information about the user’s use of the Services over time so that they may play or display ads on the Services used by the user and on other devices the user may use
For some of the Services, we use third-party tools to monitor user experience information. These tools automatically collect usage information, including mouse clicks and movements, page scrolling and any text keyed into website forms. The information collected does not include passwords, payment details, or other sensitive personal information. We use this information for site analytics, optimization and to improve website usability. We do not permit this information to be shared with or used by third parties for their own purposes.
Our online and email advertising-related vendors may use pixel tags, web beacons, clear GIFs or other similar technologies in connection with the Services to help manage our online and email advertising campaigns and strengthen the effectiveness of such campaigns. For example, if a vendor has placed a unique cookie on the user’s computer, the vendor may use pixel tags, web beacons, clear GIFs or other similar technologies to recognize the cookie during the user’s visit to the Services and to learn which of our online advertisements may have brought the user to the Services, and the vendor may provide us with such other information for our use. We may link such other information provided to us by our vendors to Personal information about the user that we have previously collected.
We may use third-party advertising companies to serve advertisements on the Services. These companies may use information (not including the user’s name, address, email address or telephone number) about a user’s visits to the Services to provide advertisements about goods and services of interest to the user.
We may link or combine the user’s activities and information collected from the user through the Services with information we collect automatically through tracking technologies. This allows us to provide the user with a personalized experience regardless of how the user interacts with us through the Services.
RESIDENTS OF BRAZIL
Chaos Software GmbH and its Affiliates (together, Chaos or We) take your right to privacy seriously. We appreciate that you trust us with your personal information and respecting your privacy is at the core of our interactions with you.
We respect the privacy rights of all our consumers who are residents of Brazil. We aim to comply fully with the requirements of Brazil's Lei Geral de Proteção de Dados Pessoais do Brasil, also known as LGPD. In addition to our Privacy Policy above we recognize that all Brazilian residents have the following rights as per the LGPD:
- The right to access your personal data.
- The right to confirmation of the existence of the processing of your personal data.
- The right to correct incomplete, inaccurate, or out-of-date personal data.
- The right to anonymize, block or delete unnecessary or excessive personal data or personal data not being processed in compliance with the LGPD.
- The right to delete personal data processed with the consent of the data subject.
- The right to the portability of data to another service or product provider, through an express request.
- The right to information about public and private entities with which the controller has shared data.
- The right to information about the possibility of denying consent and the consequences of such denial.
- The right to revoke consent.
You can exercise your privacy rights by sending an email to dpo@chaos.com. In your request, please make clear the personal information to which your request relates. For your protection, we may verify your identity and geographic residency before fulfilling your request. We will comply with your request as soon as reasonably practicable.
The controller of your personal information is: Chaos Software EOOD, UIC 131375768, a limited liability company incorporated under the laws of Republic of Bulgaria, with seat and registered address at: 145 Tsarigradsko shose Blvd., Sofia Office Center, 12th floor, 1784 Sofia, Bulgaria
The Data Protection Officer is: Yordan Astardzhiev
Data Protection Regulator:
Autoridade Nacional de Proteção de Dados
RESIDENTS OF CANADA
Chaos Software GmbH and its Affiliates (together, Chaos or We) collects, uses, and discloses Personal Information for the purposes identified in our Privacy Policy and for any additional purposes, as permitted by law, with notice to you and your express or, where permitted, implied consent.
You have certain rights in respect of your information. To access or correct your Personal Information, please send us an email at: dpo@chaos.com. Please note we may verify your identity before we can act on your request.
For residents of Quebec: The person in charge of the protection of personal information about individuals residing in Quebec is Yordan Astardzhiev, who can be contacted by email at dpo@chaos.com.
The controller of your personal information is Chaos Software EOOD, UIC 131375768, a limited liability company incorporated under the laws of Republic of Bulgaria, with seat and registered address at: 145 Tsarigradsko shose Blvd., Sofia Office Center, 12th floor, 1784 Sofia, Bulgaria
FOR RESIDENTS OF EUROPE AND THE UNITED KINGDOM (UK)
RESIDENTS OF BULGARIA.
The controller for the personal information collected in connection with use of our Websites, Products and Services in Bulgaria is Chaos Software EOOD, UIC 131375768, a limited liability company incorporated under the laws of the Republic of Bulgaria.
Address: 145 Tsarigradsko shose Blvd., Sofia Office Center, 12th floor, 1784 Sofia, Bulgaria.
Email: dpo@chaos.com
The Privacy Policy above is fully applicable for residents of Bulgaria apart from the applicable personal data controller and the contact details listed in this section. You also have the right to file a complaint with the Bulgarian Commission for Protection of personal Data (https://www.cpdp.bg/en/index.php?p=home&aid=0).
RESIDENTS OF CZECH REPUBLIC.
The controller for the personal information collected in connection with use of our Websites, Products and Services in the Czech Republic is Chaos Czech a.s., a joint-stock company incorporated under the laws of the Czech Republic
Address: Karlovo namesti 288/17, 120 00 Prague, Czech Republic.
Email: dpo@chaos.com
The Privacy Policy above is fully applicable for residents of The Czech Republic apart from the applicable personal data controller and the contact details listed in this section. You also have the right to file a complaint with the Czech’s supervisory body, which is The Office for personal data protection, Pplk. Sochora 27, 170 00 Prague, Czech Republic, (www.uoou.cz).
RESIDENTS OF DENMARK
The controller for the personal information collected in connection with use of our Websites, Products and Services in Denmark is Cylindo International ApS, a company incorporated under the laws of Denmark,
Address: Livjaegergade 17B, 2. th., 2100 Copenhagen, Denmark.
Email: hello@cylindo.com
The Privacy Policy above is fully applicable for residents of Denmark apart from the applicable personal data controller and the contact details listed in this section. You also have the right to file a complaint with the Danish Data Protection Agency at https://www.datatilsynet.dk/.
RESIDENTS OF ITALY
The controller for the personal information collected in connection with use of our Websites, Products and Services in Italy is AXYZ design S.R.L., with registered office in Melegnano (MI), via Monte Suello n.15.
Address: Melegnano (MI), via Monte Suello n.15.
Email: support@axyz-design.com
The Privacy Policy above is fully applicable for residents of Italy apart from the applicable personal data controller and the contact details listed in this section. In addition, residents of Italy have the right to lodge a complaint with a supervisory authority (for further information, see the institutional website of the Privacy Guarantor (www.garanteprivacy.it).
RESIDENTS OF REPUBLIC OF NORTH MACEDONIA
The controller for the personal information collected in connection with use of our Websites, Products and Services in the Republic of North Macedonia is Chaos Software DOOEL, a limited liability company incorporated under the laws of the Republic of North Macedonia.
Address: 3 Dobrivoe Radosavlevik str., Bitola, North Macedonia.
Email: hello@cylindo.com
The Privacy Policy above is fully applicable for residents of the Republic of North Macedonia apart from the applicable personal data controller and the contact details listed above. You also have the right to file a complaint with the North Macedonian Data Protection Agency at https://azlp.mk/.
RESIDENTS OF THE UNITED KINGDOM
The controller for the personal information collected in connection with use of our Websites, Products and Services in the United Kingdom is Chaos Software Ltd., a limited liability company incorporated under the laws of the United Kingdom.
Address: 2 Wellington Road | St John's Wood, Westminster NW8 9SP | United Kingdom
Email: dpo@chaos.com
The Privacy Policy above is fully applicable for residents of the United Kingdom apart from the applicable personal data controller and the contact details listed above. You also have the right to file a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/.
RESIDENTS OF JAPAN
The controller for the personal information collected in connection with use of our Websites, Products and Services in Japan is Chaos Group Japan Co. Ltd.
Address: Tokyo, Sumida district, Narihira 3-5-2, Japan.
Email: dpo@chaos.com
The Privacy Policy above is fully applicable for residents of Japan apart from the applicable personal data controller and the contact details listed above.
RESIDENTS OF SOUTH KOREA
The controller for the personal information collected in connection with use of our Websites, Products and Services in South Korea is Chaos Group Incorporated.
Address: A-1510, 606, Seobusaet-gil, Geumcheon-gu, Seoul, Korea, (gasan-dong, Daesung D-POLIS Knowledge Industry Center), South Korea.
Email: dpo@chaos.com
The Privacy Policy above is fully applicable for residents of South Korea apart from the applicable personal data controller and the contact details listed above.
RESIDENTS OF THE UNITED STATES
Throughout this section for Residents of the United States, we use the following terms with the following meanings:
- Consumer (or you) means an individual acting in a personal or household context who uses the Services and, for California residents, individuals acting in a business-to-business context.
- U.S. Privacy Laws means the California Consumer Privacy Act, the California Privacy Rights Act, the Colorado Privacy Act, the Connecticut's Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act and similar laws enacted from time to time in other U.S. states, each as amended, repealed, consolidated, or replaced from time to time.
CONTROLLER
The controller for the personal information collected in connection with use of our Websites, Products and Services in the United States is Chaos Software Inc., a company with a registered office at 80 Pine Street, Floor 24, New York, NY 10005-1732. Chaos Software Inc. is hereinafter referred to in this section as Chaos or We.
RESIDENTS OF CALIFORNIA.
This California Privacy Notice (California Privacy Notice) applies to Chaos’s processing of personal information of residents of the U.S. State of California (California Consumers) as required by the California Consumer Privacy Act of 2018, as amended (CCPA). This "Residents of California" section contains our Notice at Collection under CCPA.
If you are a California Consumer, this California Privacy Notice is designed to help you understand the categories of personal information that we collect about you, where we get that personal information, why we process it, who we share it with, and the rights you have to know and control your personal information. If this California Privacy Notice and any provision in the rest of our Privacy Policy conflict, then this California Privacy Notice applies for the processing of personal information of California Consumers. This California Privacy Notice does not apply to Chaos’s employees, contractors, contingent workers, job applicants, business partners and resellers residing and operating in the U.S. State of California.
In this "Residents of California" section, Business Purposes means providing the Products and Services, operating the Websites; managing and processing interactions and transactions with California Consumers; securing and debugging the Products and Services; advertising and marketing; quality assurance; research and development; and other business purposes as may be defined in CCPA from time to time; and Service Providers means organizations that process personal information on behalf of Chaos and contractors and other organizations with which Chaos shares personal information pursuant to a contract for Business Purposes.
NOTICE AT COLLECTION
For CCPA purposes, Chaos generally acts as a “Business” with respect to your personal information, which means that Chaos determines how and why the personal information that Chaos collects from or about you is handled. (A “Business” is similar to a “controller” which is defined in the preamble to this Privacy Policy.)
This Notice at Collection of personal information describes our personal information collection practices when we are acting as the Business, including a list of the categories of personal information we collect, the purposes for which we collect personal information and the sources from which we collect personal information.
This Notice at Collection covers the twelve (12) months prior to the "Last Updated" date above. This Notice at Collection is updated at least once per year. If this Notice at Collection conflicts with the Privacy Policy, this Notice at Collection will govern as to California Consumers, unless expressly stated otherwise. If Chaos’s processing materially changes between updates to this Notice at Collection, Chaos will provide a supplemental notice when or before the changes apply.
Although we already explain what personal information we collect and why above in this Privacy Policy, the CCPA requires that we make certain disclosures using the categories of personal information used in the definition of personal information in the CCPA.
In the preceding 12 months, Chaos has collected the following categories of personal information:
Categories of Personal Data: | Source: | Purpose: | Third-party recipients | Sold/Shared |
Personal identifiers | Directly from you / From our business partners and resellers | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Account information | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Image data | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Contact details | Directly from you / From our business partners and resellers | Providing our Products or Services / advertising and marketing | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Information about your employer and your interests | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Data about the persons who are eligible for discounts | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Address details | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Bank data | Directly from you / from our third party payment processor | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Purchase history | Directly from you / from our third party payment processor | Providing our Products or Services / advertising and marketing | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Information collected from our Products and Services | Directly from you | Securing and debugging the Products and Services; advertising and marketing; quality assurance; research and development | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Internet data | Directly from you, Automatically collected during use of the Services | Providing our Products or Services / advertising and marketing | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Copy of communication on our website | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
User generated content | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Other data | Directly from you | Providing our Products or Services | Service providers, including marketing vendors, Affiliates and resellers, other third parties | No |
Generally, when we collect precise geolocation information or other personal information that is “sensitive” under California law, Our use of this personal information is to perform a Service you have requested and is consistent with the permitted business purposes in California Civil Code § 1798.100 et seq. and implementing regulations. We will collect your consent for any other use.
Chaos does not collect:
- Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card or passport number)
- Non-public Education Records as defined in Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99), i.e., education records directly maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, schedules, identification codes, financial information or disciplinary records
- Communication Content (e.g., the contents of a California Consumer's mail, email and text messages, other than when Chaos is the intended recipient of the communication)
- Health Information (personal information collected and analyzed concerning a California Consumer's health, medical history, mental or physical health, diagnosis/condition and medical treatment)
- Sex Life / Sexual Orientation (personal information collected and analyzed concerning a California Consumer's sex life or sexual orientation)
Your California Consumer Privacy Rights
CCPA offers California Consumers the following key privacy rights:
- Right to Access Information: You have the right to request access to personal information collected about you and information regarding the source of that information, the purposes for which we collect it and the third parties and service providers with whom we share it.
- Categories: You may request any of the following for the period that is 12 months prior to the request date: (1) categories of personal information we have collected about you; (2) categories of sources from which we collected your personal information; (3) the business or commercial purposes for our collection, sale, sharing of your personal information; (4) the categories of third parties to whom we have disclosed your personal information; (5) a list of the categories of personal information disclosed for a business purpose, and, for each, the categories of recipients, or that no disclosure has occurred; and (6) a list of the categories of PI we have sold or shared about you, and, for each, the categories of recipients, or that no sale or sharing has occurred.
- Specific Pieces: You may request to confirm if we are processing your personal information and, if we are, to obtain a transportable copy, subject to applicable request limits, of your personal information that we have collected and are maintaining, subject to certain limitations.
- Right to Request Deletion: You have the right to request that we delete certain personal information that we have collected from you.
- Right to Correct: You have the right to correct inaccurate personal information about you. Note that correction requests are subject to certain limitations, and we may choose to delete rather than correct your personal information in some circumstances.
- Right to Opt-Out of Sale of Personal Information to Third Parties: Our disclosure of your personal information to third party advertising and analytics providers may constitute a sale under certain state laws and, in California, may also constitute “sharing” (which is a term used to address the sharing of information for advertising purposes). To the extent that our use constitutes a sale or sharing of your personal information, you have the right to opt-out by (a) enabling an opt-out preference signal or Global Privacy Control on your browser which is recognized by our U.S.-facing websites, (b) opting-out of cookies in our Cookie Policy, or (c) for non-cookie personal information (e.g., your email address), submitting an opt-out request at dpo@chaos.com.
- Right to Limit Sensitive Personal Information Processing: Chaos will ask for your consent if we process sensitive personal information for any purpose that is not exempt from consumer choice under the CCPA (e.g., to perform the services/provide the goods that you requested).
- Right Against Discrimination: We will not discriminate against you for exercising your rights under the CCPA. We will not deny you goods or services for exercising your rights; charge you a different price or rates for goods or services, including through granting discounts or other benefits, or imposing penalties, because you exercised your rights; provide you a different level or quality of goods or services because you exercised your rights; or suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services as a result of exercising your rights.
- Automated Decision Making / Profiling: Chaos does not engage in processing that constitutes automated decision making or profiling under the CCPA. However, if in the future we opt to utilize automated decision making or profiling you have the right to opt-out of certain types of automated decision making or profiling processing.
To submit a request to exercise your California privacy rights, please:
- Click here
- Call toll-free to 1-866-I-OPT-OUT (1-866-467-8688)
- Email us at: dpo@chaos.com
Please note:
- We may (and in some cases are required to) verify your identity before we can act on your request to exercise your California privacy rights. After we receive and process your request, we will contact you using the email address provided in your request with instructions on how to verify your identity, after which we will check our records for matching information.
- We may not honor part or all your request – for example, certain information we collect may be exempt from this California Privacy Notice, such as public information made available by a government entity or information covered by a different privacy law. In these situations, we will explain why we do not honor your request when we respond to you.
Notice of Financial Incentive
We may offer discounts or other benefits to California Consumers enrolled in certain rewards or promotional programs.
Chaos does not generally assign monetary or other value to consumers’ personal information and our promotional activity changes continually. To the extent California law requires that a value be assigned to such programs, or the price or service differences they involve, Chaos values the personal information collected and used under each program as being equal to the value of the discounts or other financial incentives provided in each such program, based upon a practical and good-faith effort to assess on an aggregate basis for all collected information: (1) the type of personal information collected in each program (e.g., email address), (2) the use of such information by Chaos in connection with its marketing activities, (3) the range of discounts provided (which can depend on each consumer’s purchases under such offers), (4) the number of individuals enrolled in respective programs, and (5) the products for which the benefits (such as price difference) can apply. These values can change over time. Note that this description is without waiver of any proprietary or business confidential information, including trade secrets, and it does not constitute any representation with regard to generally accepted accounting principles or financial accounting standards.
A different California law permits California residents to request a notice disclosing the categories of Personal Information about you that we have shared with third parties for their direct marketing purposes during the preceding calendar year. At this time, Chaos does not share Personal Information with third parties for their direct marketing purposes.
RESIDENTS OF OTHER U.S. STATES.
The U.S. Privacy Laws offer Consumers certain rights with respect to their personal information. Chaos will honor these rights for any U.S. resident. They include:
- Right to Access Information: You have the right to access and obtain a copy of your personal information.
- Right to Request Deletion: You have the right to request that we delete personal information provided by or obtained about you.
- Right to Correct: You have the right to correct inaccuracies in your personal information
- Right to Opt-Out: Our disclosure of your personal information to third party advertising and analytics providers may constitute a sale under certain state laws. In addition, we use cookies to serve targeted ads. You have the right to opt-out of these activities by (a) enabling an opt-out preference signal or Global Privacy Control on your browser which is recognized by our U.S.-facing websites, (b) opting-out of cookies in our U.S.-facing websites’ cookie preference center, or (c) for non-cookie personal information, submitting an opt-out request at dpo@chaos.com
To protect Consumers, if we are unable to verify a privacy rights request, we are unable to honor the request. We will use personal information provided in a verified privacy rights request only to verify identity or agent authority to make the privacy rights request and to track and document responses unless Chaos also received the personal information for another purpose.
Agent Requests
You may use an authorized agent to make a privacy rights request for you. We may require that you directly confirm that you authorized the agent to submit requests on your behalf or request provision of evidence for the authorization. Please note that it may take additional time to verify and fulfill agent-submitted requests. Once confirmed, your authorized agent may exercise privacy rights on your behalf, subject to the requirements of applicable law.
Appeals
You may appeal Chaos's decision regarding a request by email at dpo@chaos.com. Please use the same email address that you used to submit the initial privacy rights request when you submit your Request to Appeal and please add “Request to Appeal” in the subject line of the email. If you do not use the same email address, Chaos cannot link your Request to Appeal to your initial privacy rights request.
Chaos's Responses
Some personal information that we maintain is insufficiently specific for us to be able to associate it with a verified Consumer (e.g., data tied only to a pseudonymous browser ID). We do not include that personal information in response to those requests. If we deny a request, in whole or in part, Chaos will explain the reasons in our response.
Chaos will make commercially reasonable efforts to identify personal information that we process to respond to a privacy rights request. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your personal information and give you the opportunity to select whether you want the rest. We reserve the right to direct you to where you may access and copy responsive personal information yourself. We typically do not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided with a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
Retention of your Personal Information
We retain personal information about a Consumer for as long as the Consumer’s account is active and otherwise as long as necessary for the purposes described above. We also retain personal information as long as necessary to comply with legal obligations, resolve disputes and enforce our agreements. When determining the retention period, we consider various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you and mandatory retention periods under applicable law.
Policy for data subjects rights
This Policy (“The Policy”) describes the terms and conditions under which data subjects whose personal data are processed by Chaos Software GmbH and its Affiliates (together, Chaos or We) may exercise their rights under the personal data protection legislation. Please note the Policy is supplemental and should be read and interpreted only alongside our Global Consumer Privacy Policy.
Part 1: General Principles
1.1. Chaos processes and protects personal data collected throughout its activities transparently, lawfully and according to the purposes for which the personal data was collected.
1.2. Our employees, contractors and service providers who process personal data are obliged to adhere to the following principles of data processing:
- i) The personal data is processed lawfully and in good faith.
- ii) The personal data is collected for specific precise and lawful purposes and are not processed additionally in a manner not compatible with those purposes.
iii) The personal data which is collected and processed by Chaos are compatible, related to and limited to the purposes for which they are processed.
- iv) The personal data is accurate and, if necessary, updated.
- v) The personal data is being deleted or rectified when it is established that they are inaccurate or not limited for the purposes for which they are being processed.
- vi) Personal data is maintained in a format, which allows identifying of the respective natural person for a period not longer than the one necessary for the purposes for which the data were collected.
1.3. The employees who process personal data are subject to initial and subsequent periodic data privacy training and are familiarized with the applicable data privacy legislation.
Part 2: Definitions
The terms listed below shall have the following meaning:
“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Applicable legislation” Governing law applicable to this Privacy Policy is the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR) and other applicable privacy laws and regulations in countries where we operate.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Data subject” means an individual (natural person) who can be identified directly or indirectly, in particular by an identifier such as name, identification number, location data, online identifier or one or more physical, physiological, genetic, mental, economic, cultural or social identifiers of that individual
Part 3: Data subjects’ rights
The data subjects shall have the following rights regarding to their personal data processed by Chaos:
- i) Right of access.
- ii) Right of rectification.
iii) Right to data portability.
- iv) Right of erasure (‘right to be forgotten’).
- v) Right to restriction of processing.
- vi) Right to object against the processing of personal data.
vii) Right not to be subject to a decision based solely on automated processing, including profiling.
Right of Access
2.1. When requested Chaos shall present to the data subject the following information:
- i) information whether Chaos processes personal data of the data subject who made the request or not.
- ii) copy of the personal data of the person which are processed by Chaos and
iii) explanation about the processed personal data.
2.2. The explanation under item 2.1. (iii) above shall include the following information about the personal data processed by Chaos:
- i) purposes of processing.
- ii) respective categories of personal data.
iii) recipients or categories of recipients to which personal data is or may be disclosed, recipients in third countries outside of the EU or the European Economic Area.
- iv) when it is possible, the envisaged retention period for which the personal data shall be retained and when this is impossible the criteria used for determining such period.
- v) the existence of the rights to require correction, rectification, erasure or restriction of processing of personal data related to the data subject as well as the right to object against the processing of personal data.
- vi) the right to file a complaint before the respective authorities.
vii) when the personal data are not collected through the individual full information shall be provided about the source of the collected personal data.
viii) the existence of automated decision making regardless of which this processing includes profiling and information related to the logic as well as the expected consequences from this processing to the data subject.
- ix) when personal data is transferred to a third country or to an international organization the data subject shall have the right to be informed about the applicable safeguards to their personal data related to the transfer.
2.3. The explanation about the processed personal data contains information which Chaos provides to the data subject by its privacy policy.
3.1. Based on a request by the data subject Chaos may provide a copy of the personal data, which Chaos is processing about the respective data subject.
3.2. When providing a copy of personal data Chaos shall not disclose to the subject the following categories of data:
- i) personal data of third parties, unless the said parties have given their explicit consent for this.
- ii) data which can be qualified as a trade secret, intellectual property or confidential information.
iii) other information which is protected under the applicable legislation
3.3. Granting the right of access to data subjects shall not interfere negatively with the rights of third parties or lead to a breach of Chaos’ statutory obligation.
4.1. When the requests for access are being manifestly unfounded or excessive, especially because of their repeatability, Chaos may charge a reasonable fee based on the administrative costs of providing the information or refuse to respond to the request for access.
4.2. Chaos determines on a case-by-case basis whether a request for access is manifestly unfounded or excessive.
4.3. When refusing access to personal data, Chaos issues an official explanation for its refusal and informs the data subject of his right to file a complaint with the respective personal data protection authority.
Right of rectification
5.1. Data subjects may request that their personal data processed by Chaos be corrected if the data are inaccurate or incomplete.
5.2. Upon a satisfactory request for correcting personal data, Chaos shall notify the other recipients to whom personal data have been disclosed (such as government bodies, service providers) so that they can reflect the changes.
Right of erasure (‘right to be forgotten’)
6.1. Upon request, Chaos shall erase all personal information of the data subject who made the request in case any of the following grounds apply:
- i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.
iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing.
- iv) the data subject objects to the processing of personal data for the purposes of direct marketing.
- v) the personal data have been unlawfully processed.
- vi) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which Chaos is subject.
vii) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
6.2. Chaos is not obliged to erase and may continue processing the personal data as long as the processing is necessary for one of the following grounds:
- i) for exercising the right of freedom of expression and information.
- ii) for compliance with a legal obligation of Chaos.
iii) if there is a valid legal ground like existing contract to provide licensed software products or services that require personal individualized account.
- iv) or archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- v) for the establishment, exercise or defense of legal claims.
Right to restriction of processing
7.1. The data subject has the right to request a restriction of processing when one of the following applies:
- i) the accuracy of the personal data is contested by the data subject, for a period enabling Chaos to verify the accuracy of the personal data.
- ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
iii) Chaos no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
- iv) the data subject has objected to processing based on the legitimate interest of Chaos pending the verification whether the legitimate grounds of the controller override those of the data subject.
7.2. Chaos may process personal data whose processing is restricted only for the following purposes:
- i) storage purposes
- ii) if explicit consent is provided by the data subject.
iii) or the establishment, exercise or defense of legal claims.
- iv) for the protection of the rights of another natural or legal person; or
- v) or reasons of important public interest of the Union or of a Member State
7.3. When a data subject has requested a restriction of the processing and there is one of the grounds under Art. 7.1. above, Chaos informs the data subject before the restriction of the processing is lifted.
Right to data portability
8.1. The data subject shall have the right to receive their own personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where.
8.2. Upon request, the personal data may be transferred to another controller designated by the data subject where this is technically feasible.
8.3. The data subject may exercise the right of portability in the following cases:
- i) the processing is based on the consent of the data subject.
- ii) the processing is based on a contractual obligation.
iii) the processing is carried out by automated means.
8.4. The right of data portability cannot adversely affect the rights and freedoms of others.
Right to object
9.1. The data subject shall have the right to object against the processing of their personal data by Chaos if the data are processed based on one of the following grounds:
- i) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- ii) processing is necessary for the purposes of the legitimate interests pursued by Chaos.
iii) the processing includes profiling.
9.2. Chaos shall no longer process the personal data when the right to object is exercised by a data subject unless Chaos demonstrates compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
Right to object against processing for the purposes of direct marketing
10.1. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
10.2. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
Right of human intervention in the process of automated decision making
11.1. Where Chaos uses automated decision making, regardless of whether it includes profiling and this decision-making process have legal consequences for, or significantly affect natural persons, in a similar way, such persons may request a review of the decision with human intervention and express their point of view.
11.2. Chaos provides information to natural persons subject to automated decision making about the logic as well as the meaning and envisaged consequences of such processing when a request for such information is made.
Part 4: Procedure for exercising the rights of data subjects
12.1. All data subjects may exercise the rights under this Policy by submitting a request for the exercise of the relevant right.
12.2. Requests to exercise the data subjects’ rights shall be made in one of the following manners:
- i) By email to the following email address dpo@chaos.com
- ii) By mail to the following address: An der Raumfabrik 33b, 76227 Karlsruhe, Germany.
12.3. The request for the exercise of rights relating to the personal data of the data subject should contain the following information:
- Identification of the person beyond doubt
- Contact details: address, telephone, email
- Request - description of the request
12.3. Chaos provides information on the actions taken in relation to a request for the exercise of the rights of the data subjects within one month of the receipt of the request.
12.4. That period may be extended by two further months where necessary, considering the complexity and number of the requests. Chaos shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
12.5. Chaos is not obliged to respond to a request if it is unable to identify the data subject.
12.6. Chaos may request the provision of additional information necessary to verify the identity of the data subject when there are reasonable concerns about the identity of the requesting individual.
12.7. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.
12.8. Please see Section 14. Privacy Rights and Choices in our Global Consumer Privacy Policy, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who to contact depending on your country of residence.