Global Data Pricacy Policy

1. Introduction

   1. One Degree IBC Limited is committed to ensuring compliance with applicable data protection laws and regulations.

   2. This Data Protection Policy complies with the principles and requirements of global data protection as informed by the EU General Data Protection Regulation and similar legislation in accordance with the adequacy requirements set out therein as enacted in other jurisdictions.

   3. This Policy describes how and why we collect, process your personal data, as well as your rights with regard to the processing of your personal data.

2. Scope and Supplement

   1. This Policy applies to One Degree IBC Limited as incorporated in the Seychelles, and its subsidiaries world-wide. This Policy applies to the processing of personal data obtained through any channel of communication or by any means, including but not limited to email, file transfer, feeding personal data into applications and tools, websites or mobile apps, social media pages and platforms.

   2. This Policy may be supplemented by specific data protection and privacy notices and statements that relate to specific forms or purposes of data processing. Anonymized data (non-personal data), e.g. for statistical evaluations or studies, is not subject to this Policy.

   3. In countries where the data of legal entities is protected to the same extent as personal data, this Policy applies equally to data of legal entities.

3. Application of national laws

   1. While the GDPR is applicable throughout the EU and is the global standard for data protection, there may be laws and regulations in some countries that specify further data protection requirements, in particular conditions for lawful data processing.

4. Glossary and definitions

5. Personal Data we process, Purposes and Legal Basis

   1. Handling orders and fulfilling contractual obligations

      1. When you purchase goods or services from us, or if you request information about products and services prior to placing an order, or if you request support regarding the product or services you have ordered, we will process personal data that is necessary to negotiate and execute a contract and to fulfil any contractual obligations, and to exercise our rights under the contract. This also includes advisory services under the contract if this is related to the contractual purpose.

      2. For this purpose we process personal details (including name, title, email, telephone, postal address, shipping and billing address, educational qualifications and employment history), order and customer information (including goods and services ordered and provided, instructions regarding the order, customer business activities and interests and order history), financial information (including invoice data, preferred payment options, term of payment, bank account and credit card information).

   2. Browsing or registering on our websites, social media pages or platforms

      1. When you browse our websites, social media pages or platforms, we may use Cookies and other tracking technologies to capture and understand how you use our websites, social media pages and platforms.

      2. Not all of our websites employ Cookies and tracking technology that collect personal data. Depending on the Cookies and tracking technologies in use, we collect information about your online browsing behaviour on our websites, social media page or platform, including information on how to react to adverts and offers. We may also collect information about the device you have used to access our websites, social media pages or platforms, (including device model and operating system, browser type, IP-address, mobile device identifiers).

      3. Specific information regarding the Cookies and tracking technology in use on our respective websites, social media pages and platforms is being provided in our Cookie Policy. This includes information on how to disable Cookies in your browser and how to prevent tracking of your browsing behaviour.

      4. When you register on one of our websites, social media pages or platforms we will additionally process personal details (including name, title, email, telephone), and account details (including username, password, login-/logoff data).

   3. Communication, marketing and feedback

      1. When you contact us for any sort of inquiry or request, we will process your personal details (including name, title, company or organization you work for, email, telephone, other contact information), as far as this is necessary to deal with your inquiry or request and to respond to.

      2. When you have purchased goods or services from us, or if you have indicated to us that you are interested in certain goods or services, we may process your personal details (including name, title, company or organization you work for, email, telephone, other contact information) to contact you and to send you information about our or our business partners’ goods and services, new technological developments, special offers and other opportunities.

   4. Legal obligations and compliance

   5. Recruitment and application

6. Personal Data of Children

7. Sharing Personal Data with Service Providers and Third Parties

   1. Not all processing of your personal data will be carried out by One Degree IBC Limited itself. Sometime we will make use of service providers and vendors (“processors”) who will process personal data for us, on our behalf and under our instructions. Such processors can be external companies or affiliates of One Degree IBC Limited (group companies). Any such outsourcing of data processing will follow a service provider / vendor due diligence and monitoring protocol, and will be governed by a Data Processing Agreement.

   2. As far as we use service providers and vendors as processors to process personal data on our behalf, your personal data may be shared with the following categories of recipients:

      1. IT service providers, application service providers, Internet service providers, platform and website host service providers, data disposal companies, marketing agencies, market research agencies, advertising partners, order and account management service providers, payment service providers, and customer care service providers.

   3. Apart from sharing personal data with service providers and vendors it may be necessary to share your personal information with third parties, because there is a legal obligation to do so, or because there is a legitimate interest to ensure compliance with policies and regulations, or to facilitate business cooperation and collaboration. In such cases your personal data may be shared with the following categories of recipients:

      1. Public authorities and administrative bodies, law enforcement and fraud prevention agencies, courts, lawyers, tax accountants, accounting and auditing firms, credit reference agencies, payment card and insurance providers and resellers.

   4. If you use our websites, social media pages or platforms and if you choose to link your social media accounts to us or if you are logged in into your social media account, your personal data may be shared with the operators of those social media pages and platforms.

   5. If we sell or buy any business or assets or transfer an area of our business to a new owner, we will disclose your personal data to the prospective seller or buyer of such business or assets or any third party who acquires our assets or who the business is transferred to.

8. Storing periods for Personal Data

   1. We keep personal data for no longer than is necessary for pursuing or achieving the purposes for which the personal data is processed. However, in most circumstances personal data is processed for more than one purpose, e.g. if the data processing takes place in the context of a service we process personal data for the purpose of delivering the services, invoicing and payment, and providing customer care afterwards. Yet, as a company we are also subject to record keeping obligations and have to comply with finance and commercial laws that require much longer retention of certain documents and files that may contain personal data.

   2. If we process personal data for the purpose of handling orders and fulfilling contractual obligations we will keep your personal data for as long as you have a customer or business relation with us. Personal data that is included in documents or files that are subject to tax laws will be kept for 10 years (unless statutory provisions or pending lawsuits or tax proceedings require longer retention), personal data that is included in documents or files that are subject to commercial laws will be kept for 7 years (unless statutory provisions or pending lawsuits require longer retention).

   3. If we process personal data for the purpose of understanding your online browsing behaviour we will keep personal data only for as long as necessary to create user statistics and analytics reports that use aggregate data (non-personal data). Specific information as to how long such personal data will be kept is being provided in our Cookie Policy.

   4. If we process personal data for the purpose of communication, marketing, promotion, event and feedback purposes, we will keep the data for as long as we need the data to communicate with you, or for as long as we have a legitimate interest to provide you with business, product and service information, or marketing materials, but only where you have opted in to receive such materials.

   5. If we process personal data for the purpose of compliance with laws and regulations that impose legal obligations on One Degree IBC Limited, we keep personal data for as long as such laws and regulations require.

   6. If we process personal data for the purpose of recruitment and carrying out the application process, we keep personal data for as long as necessary to review and assess the applications, to select applicants, to negotiate and execute an employment contract, and to exercise rights or defend against claims in the context of the applications process. If an application is successful, your personal data – as far as necessary for carrying out the employment contract – will be kept for as long as you are employed with One Degree IBC Limited and after termination of your employment, for as long as necessary to comply with retention requirements, or for as long as forthcoming or pending lawsuits require longer retention. If your application is not successful we will keep your personal data for up to six months for the purpose of defending us against potential claims and lawsuits.

   7. If your application was not successful, but you have agreed that we keep your personal data on file for future opportunities, we will keep your personal data for up to two years, unless specified otherwise on our careers websites, recruitment platforms or job portals, or in a job advertisement.

9. Transfers of Personal Data to other countries

   1. Most territories provide requirements to which One Degree IBC Limited must comply relating to the export of personal data from such territories to a third party country.

   2. As far as such data transfers involve recipients in third party countries, we will ensure that the transfers will be made in compliance with the data protection provisions that restrict the transfer of personal data outside the territory in which it was originally captured, and which require that appropriate safeguards are implemented to ensure an adequate level of data protection.

   3. Such safeguards could either be an adequacy decision by in respect of the recipient third party country in that it is deemed to to have adequate data protection laws in place, or the execution of a data processing agreement to ensure contractual compliance with the required data protection measures.

10. Security of Personal Data

    1. We have implemented appropriate technical and organizational security measures to protect personal data we process against accidental or unlawful manipulation, destruction or loss, alteration, and against unauthorized disclosure or access by third parties. Such security measures include authentication tools, firewalls, monitoring of IT systems and networks, pseudonymization and encryption of personal data.

    2. The technical and organizational security measures are reviewed and adjusted on an annual basis, taking into account industry best practice. However, given the dynamic context of security measures, advances in technology, threats and risks, absolute security cannot be guaranteed.

11. Marketing Preferences

    1. As outlined in this Policy, we may have a legitimate interest to process your personal details (including name, title, company or organization you work for, email, telephone, workplace type, rate other contact information) to provide you with marketing information about us or our business partners’ goods and services. For these purposes we may use your personal details provided you have provided us with your consent to do so.

    2. You can instruct us to stop sending you product and service information and marketing messages at any time should you have opted in.

    3. If you instruct us to stop sending you product and service information and marketing messages it might take some time for all our systems and applications to be updated, so you might still get messages from us while we fully process your instruction.

    4. Please note that instructing us to stop sending marketing messages will not stop our other communication with you, such as operational messages.

12. Your Rights over your Personal Data

    1. Right to access your Personal Data

    2. Right to rectify your Personal Data

    3. Right to erase your Personal Data

    4. Right to object to the processing of your Personal Data

    5. Right to restrict the processing of your Personal Data

    6. Right to withdraw Consent to process your Personal Data

    7. Right to portability of your Personal Data

    8. Right to lodge a complaint with the Data Protection Authority

13. Data Controller and Responsibility

    1. Unless indicated otherwise, the One Degree IBC Limited entity that collected your personal information is the Data Controller of your personal data. It determines the purposes and means for processing your personal data and is responsible for compliance with applicable data protection laws and regulations and the requirements of this Policy.

14. Amendments to this Policy

    1. We reserve the right to amend this Policy at any time.

Appendix A: Definitions

1. Accountability Principle means that controllers will be responsible for, and be able to demonstrate compliance with the GDPR which requires the controller to implement appropriate technical and organizational measures to ensure and be able to demonstrate that data processing is performed in accordance with the GDPR, and review and update those measures where necessary.

2. Controller (also referred to as a responsible party in certain jurisdictions) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

3. Data Protection Policy means this Data Protection Policy.

4. Data Processing Agreement means an agreement between a controller and a processor to reflect the parties' agreement with regard to the processing of personal data, in accordance with the requirements of Data Protection Laws.

5. Data Protection Impact Assessment means the process to assess the particular likelihood and severity of the high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context and purposes of the processing and the sources of the risk; an impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data.

6. Data subject means an identified or identifiable natural person (and in certain jurisdictions an identifiable legal entity); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

7. GDPR means the General Data Protection Regulation, being Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

8. International organization means an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

9. Personal data means any information relating to (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).

10. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

11. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

12. Processor (also referred to as an operator in certain jurisdictions) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

13. Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

14. Pseudonymisation( or anonymisation) means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

15. Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

16. Special Categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

17. Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.