ONTOP PLATFORM

Privacy Policy

Last updated: August 20th, 2021

Ontop Holdings Inc. (“Ontop”, “us”, “we” or “our”) recognizes the need for appropriate protection and management of personal data and information shared with us. This privacy policy (“Privacy Policy”) will help you understand the personal data that we collect from you as a user of our website or software platform (collectively the “Service(s)”) or as a customer (“user”, “you” or “your”, interpreted accordingly), what we use the data for and the choices you have regarding our use and collection of personal data and information.

This Privacy Policy addresses the privacy rights of individuals who:
● visit our Website or use our Software Platform (as defined below) and/or Services;
● interact with us on behalf of a Customer (as defined below) in connection with the provision of our Services;
● interact with us on behalf of a Service Provider (as defined below) in connection with the products and services that our Service Provider provides to us;
● interact with us on behalf of a business partner in connection with our relationship with the business partner;
● apply to work with us;
● receive marketing communications from us; and/or
● interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or who communicate with us via email, phone, or in-person.

Definitions


“Controller” means a person or entity that, alone or jointly with others, determines the purposes (i.e. “why”) and means (i.e. “how”) of the Processing of Personal Data (both as defined below).

“Cookies” are small text files sent to your computer for record-keeping purposes and this information is stored in a file on your computer’s hard drive. A persistent cookie retains user preferences for a particular website allowing those preferences to be used in future browsing sessions and remains valid until its set expiry date (unless deleted by the user before the expiry date). A temporary cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

“Customer” means a business that has, formerly had, or is contemplating purchasing or using our Services, or any party that is employed by such business and accesses Services pursuant to such business purchasing or using our Services.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Process” and “Processing” means any operation or set of operations which are performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, erasure, deletion or destruction.

“Processor” means a person or organization that engages in Processing.

“Representative” means an individual who (i) acts on behalf of, or is employed by, a Customer, including a Customer’s employees, agents, and representatives, (ii) acts on behalf of a Service Provider (as defined below), including a Service Provider’s employees, agents, and representatives, (iii) acts on behalf of a business partner, including a business partner’s employees, agents and representatives or (iv) otherwise interacts with us in any manner, for example through our Website, Software Platform or uses our Services (all as defined below), in any manner whatsoever.

“Service Provider” means a supplier, subcontractor, vendor or other third party who provides services to us.

“Website(s)” means all of the websites and/or applications maintained by us that display a link to this Privacy Policy.

“Website Visitor” means an individual who visits our Website.

By visiting this Website (www.ontop.ai) or using our Software Platform, you are accepting and consenting to the practices described in this Privacy Policy.

ADDITIONAL COUNTRY/REGION-SPECIFIC PRIVACY TERMS


Depending on your current country of residence, a section of this Privacy Policy may apply to you. Please refer to the Section that applies to you in addition to the general terms of this Privacy Policy.

Country of Residence | Applicable Section of the Privacy Policy
All countries | GENERAL PRIVACY POLICY (Sections 1-12)
California, USA | GENERAL PRIVACY POLICY & APPENDIX A: CALIFORNIA RESIDENTS
EEA/EU/UK/Switzerland | GENERAL PRIVACY POLICY & APPENDIX B: GDPR PRIVACY POLICY

In the event of conflict and/or discrepancy between the privacy terms of the General Privacy Policy (Sections 1-12 below) and those that are region-specific (i.e. Appendices A and B), region-specific terms will prevail.

GENERAL PRIVACY POLICY


1. Personal Data We Collect


We collect and Process the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from us and individuals that interact with us by registering for, attending and/or otherwise taking part in our webinars or conferences or who communicate with us via email, phone or in person, in each case to operate our business for the specific purposes identified below.

Contact and Account Data. The personal details provided when users sign up to our Service. This includes the user's name, e-mail address, telephone number, address, job title and password, organization (if a legal entity), and other ways for us to contact you.

Information about user transactions. Details about the transactions you carry out and the payments to and from your accounts with us.

Payment Information. If payment for our Services is made via credit card, this may include the card number, expiration date, security code and billing address. If payment is used via (international) wire transfer, this may include the name and bank code, branch name and number, account number, IBAN and/or SWIFT code, among others. If payment is made via eWallet services (e.g. PayPal, Payoneer, etc.), this may include the account username, e-mail address or any other information that identifies the relevant user account or digital wallet. If payments to us are made via third-party payment processing platforms, these third parties will collect your Personal Data related to such payments and we will not retain this information. In such cases, the third party’s privacy policy will apply.

Data and Information Provided in IM Chats. To serve our users better, we make instant messaging (IM) tools available to our users. Any Personal Data or information provided via this medium will be collected and stored.

Biographical Data. Details about you that are stored in documents in different formats, or copies of them. This could include things like (without limitation) data contained in your passport, national ID, social security or any other identification documents. For the purposes of background checks, third parties may collect selfie photos and/or videos that run facial recognition software for identity verification.

Personal Data Provided by Telephone. We have customer service agents available to speak with our Customers 24/7. Calls may be recorded and any Personal Data and/or information provided over the telephone, including payment information, will be collected and stored.

Other Data and/or Information. We collect any other Personal Data and/or information you choose to provide to us through any and all available channels, participating in user/customer surveys or otherwise visiting and interacting with our Website and/or Software Platform.

2. Non-Personal Information


We may also collect information that is related to you but that does not personally identify you. Non-personal Information also includes data that could personally identify you in its original form, but that we have modified (e.g. by aggregating, anonymizing, or de-identifying such information) in order to remove or hide any characteristics that may lead to your identification.


3. How We Use Personal Data


We use Personal Data in the following cases:

● For our business transactions, including but not limited to entering into contractual agreements with you, responding to your inquiries and fulfilling your requests, sending administrative information to you, such as information regarding the Service to complete any requests to enter into and manage customized contracts and international payroll, performing quality controls and customer satisfaction activities. This use is necessary for our performance of the Service to you.

● In order to communicate with you in connection with our marketing initiatives or user and/or customer surveys. We may use any information you choose to submit in response, and we will communicate with you, provided that you give us your consent to being contacted in this way at the time you provide us with the Personal Data.

● For security purposes, including but not limited to our protection, as well as that of our employees, suppliers, contractors, Customers or platforms.

● For legitimate business interests, including but not limited to addressing complaints you make, to manage our Website and Software Platform, to better understand how visitors interact with our Service and ensure that our Website and/or Software Platform is displayed in the most effective manner from your computer/device.

● For appropriate legal reasons, such as complying with legal and regulatory requirements, carrying out background checks (KYC processes), responding to requests from public and government authorities, regulators, including those outside your country of residence, enforcing our Terms of Service (https://www.ontop.ai/terms-and-conditions/) and this Privacy Policy, protecting our operations, rights, privacy, safety or property, as well as in order to allow us to pursue available remedies or limit damages that we or other third parties may incur.

● For internal business reasons, we may anonymize, aggregate and de-identify the data that we collect and use such data for our own internal business purposes, including but not limited to sharing it with our current and prospective Customers, business partners, our affiliated businesses, agents and other third parties for commercial, statistical and/or market research purposes, for example to allow those parties to analyze patterns among groups of people, and conducting research on demographics, interests and behavior.

● For marketing and events-related communications, including but not limited to those related to our products and services, inviting you to participate in events, surveys or otherwise communicating with you for marketing purposes, pursuant to the requirements for consent under the applicable law: (i) when you consent to said communication; (ii) when it is in Ontop's legitimate interest; and (iii) increasing efficiency in the fulfillment of our legal and contractual duties.

● For reasons you have previously consented to.


4. With Whom We Share Collected Personal Data


Vendors and Service Providers. We may disclose Personal Data about you and/or other information you provide us to vendors, suppliers and Service Providers we retain in connection with our business, including but not limited to website hosting, data hosting, data analysis, order fulfillment, information technology and related infrastructure services, customer service, email delivery, tax and financial advisers, legal advisers, accountants or auditors.

Merger or Acquisition. We may disclose Personal Data collected about you and/or other information you provide us to a third party who acquires any part of our business, whether such acquisition is by way of merger, consolidation, divestiture, spin-off, or purchase of all or a substantial portion of our assets.

Disclosure Permitted by Law. We may disclose Personal Data collected about you and/or other information you provide us to law enforcement authorities, government or public agencies or officials, regulators, and/or to any other person or entity having appropriate legal authority or justification for receipt of your Personal Data and/or other information, if required or permitted to do so by law or legal process, in order to respond to claims, protect our rights, interests, privacy, property or safety, as well as those of our shareholders, employees or contractors.


5. Communications


We may contact you with newsletters and other marketing information that may be of interest to you. You may opt out of receiving any or all of these marketing communications from us at any time, by clicking on the unsubscribe link or instructions provided in any email we send or by contacting us. Please note that we may still send you transactional or administrative messages related to the Services even after you have opted out of receiving marketing communications.


6. Cookies + Other Web Technologies


Our Services may use persistent and temporary Cookies and similar technologies.

Information collected through the use of Cookies includes, but is not limited to, user login information and time zone setting.

We use Cookies for several purposes, including but not limited to: (i) to improve the user experience, and (ii) to collect anonymous and aggregated statistical data about users’ visits to our Website, Software Platform and/or use of our Services. We use this data to analyze how our Service is used and how to improve it, and we may use said data to advertise third-party products online.

Unless you set up your internet browser not to accept Cookies, it will accept the use of them. You can always disable Cookies in your browser’s preferences even if you have consented to the use of Cookies in the past. You may also delete Cookies stored on your computer at any given time. Please note that disabling Cookies may negatively impact your online experience with our Service and prevent you from logging in to our Website.

Amplitude. We use Amplitude (https://amplitude.com/) as an analytics tool to help us get a better understanding of how visitors use our Website and Software Platform. The information generated by the Amplitude Cookies about users of our Service is transmitted to and stored by Amplitude.


7. Information Security


The security of your Personal Data is extremely important to us. We take the appropriate steps to protect the information you provide us from loss, misuse, unauthorized access or disclosure, alteration and destruction, both against external and internal threats. Where we have given you (or where you have chosen) a password or other login information which enables you to access certain restricted parts of our Service, you are responsible for doing everything you reasonably can to keep this information secret. You must not share your password or login information with anyone else.

As no data transmission or security system can be guaranteed as 100% secure, we cannot ensure or warrant the security of any Personal Data and/or information that you transmit to us; nonetheless, we adopt all measures and make use of technology trusted by the industry to provide as much security as possible. As such, you transfer Personal Data and/or information to us at your own risk.


8. Personal Data and/or Information Collected from Other Sources


We may also collect Personal Data and/or information about you from other sources in order to help us correct or supplement our records, to improve the quality or personalization of our service to you, and to prevent or detect fraud. We work closely with third parties (e.g. business partners, Service Providers, sub-contractors, advertising networks, analytics providers, search information providers, fraud protection services) and may receive Personal Data and/or information about you from them.

In order to provide and improve our Services, we may engage with Service Providers. In the process of supplying services to us, these Service Providers may need to collect Personal Data about you.


9. Disclosure of Personal Data Via Links to Third-Party Websites, Services, and Applications


Our Website or the Services may link to third-party websites, services and/or applications. We are not responsible for any Personal Data collected through these means. Personal Data collected in this manner is governed by the third-party website’s privacy policy. Any interactions you have with these websites, services and/or applications are beyond our control. We urge you to read the privacy and security policies of any external websites before providing any Personal Data while accessing those websites.


10. Minors


Our Software Platform and Services are not directed to minors under the age of 18. We perform age verification on users that access our Software Platform, and if you are under the age of 18, you will be unable to contract our Services.


11. Modifications to this Privacy Policy


We may revise this Privacy Policy from time to time. The most current version of the Privacy Policy will govern our collection, use, and disclosure of Personal Data and/or information about you. If we make material changes to this Privacy Policy, we will notify you by email or by posting a notice on our Website and/or Software Platform prior to the effective date of the changes. By continuing to access or use the Service after those changes become effective, you acknowledge and agree to the revised Privacy Policy.

12. Contact us


You may contact us concerning our Privacy Policy by writing to privacy@ontop.ai. Please write “Privacy Policy Issue” on the subject line or write to us at: Ontop Holdings Inc., 1321 Upland Dr., PMB 15685, Houston, TX, 77043.



ADDITIONAL COUNTRY/REGION-SPECIFIC PRIVACY TERMS

IMPORTANT: Please check the table above to see if these apply to you.


APPENDIX A: CALIFORNIA RESIDENTS

Note: This section applies specifically to California Residents.

California Residents


This appendix (“Appendix A” or “CCPA Privacy Terms”) addresses the specific disclosure requirements under the California Consumer Privacy Act of 2018 (“CCPA”). It applies to personal information about California residents using our Website and Services. For purposes of the CCPA, personal information means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household (“Personal Information”). In the event of a conflict between Appendix A and any of our other privacy policies and/or terms, Appendix A shall control only with respect to the Personal Information of California residents.

Personal Information Categories
Appendix A covers our Personal Information collection and usage more fully. The chart below describes the categories of Personal Information we collect and the sources from which we collect the Personal Information, organized into the categories specified by the CCPA.

Personal Information Category | Sources
Personal Information described in Cal. Civ. Code §1798.80(e) (such as name, address, telephone number, education, employment history, credit card or debit card number) | Information you provide directly or through your interactions with our Services.
Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, or other similar identifiers) | Information you provide to us directly or through your interactions with our Website, Software Platform and/or Services.
Characteristics of protected classifications under California or Federal law (e.g., your gender or age) (“Characteristics of Protected Classifications”) | Information you provide to us directly.
Commercial Information (e.g., information regarding products or services purchased, obtained, or considered) | Information you provide to us directly, through your interactions with our Website, Software Platform and/or Services.
Internet or Other Electronic Network Activity Information (e.g., browsing history, search history and other information) | Your interactions with our Website, Software Platform and/or Services.
Professional or Employment-Related Information | Information you provide to us directly.
Inferences | Information you provide to us directly or through your interactions with our Website, Software Platform and/or Services.
Audio, electronic, visual or similar information | Information you provide directly or through your interactions with our Services.

We use this Personal Information for the purposes outlined in Section 3 of our Privacy Policy. We do not sell your Personal Information.

California Residents' Privacy Rights
California residents have rights to request access to or deletion of their Personal Information and may not be discriminated against because they exercise any of their rights under the California Consumer Privacy Act in violation of Cal. Civ. Code §1798.125. You can make requests by sending an email to us with details of your specific request. We may ask that you provide certain information to verify your identity, and the information we request from you will depend on your prior interactions with us and the sensitivity of the Personal Information in question. Once confirmed, we will respond to your request in accordance with the CCPA. If we deny your request, we will explain why.
You may designate an authorized agent to make a request under the CCPA on your behalf if: (1) the authorized agent is a natural person or a business entity registered with the Secretary of State of California; and (2) you sign a written declaration that you authorize the authorized agent to act on your behalf. We may ask that you provide certain information to verify your identity and that you authorized the authorized agent to act on your behalf. If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA. If you have any questions regarding our Privacy Policy or specifically these CCPA Privacy Terms, or would like to change your preferences, you may contact us using the contact information contained in Section 12 of our Privacy Policy.




APPENDIX B: GDPR PRIVACY TERMS


Note: This section applies specifically to EEA/EU/UK/Switzerland residents.

This appendix (“Appendix B” or “GDPR Privacy Terms”) applies to the Processing of Personal Data by us in our role as a Controller, or as otherwise covered by the European Union General Data Protection Regulation 2016/679 (“GDPR”), when individuals:

● visit or use our Website;
● interact with us either on your own behalf or on behalf of a Customer in connection with the provision of our Services;
● interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
● interact with us on behalf of a business partner in connection with our relationship with the business partner;
● apply to work with us;
● receive marketing communications from us; and/or
● interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.

These GDPR Privacy Terms do not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers. We have no control over, and are not responsible for, any Personal Data that our Customers may store or host on their equipment or otherwise Process while using our Services. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in our Privacy Policy and/or these GDPR Privacy Terms. For information related to how our Customers Process Personal Data, please contact the respective Customer directly.

Furthermore, these GDPR Privacy Terms do not apply to any third-party websites or services that may be linked to our Website or the Services unless that website or service is controlled by us and displays our Privacy Policy and/or these GDPR Privacy Terms. We have no control over, and are not responsible for, the data collection and/or handling practices of these third-party websites or services outside our Website or Services. We encourage you to read the privacy statements of any third-party websites or services linking to (or linked to via) the Website or Services.

In the event of a conflict and/or discrepancy between these GDPR Privacy Terms and our general Privacy Policy, these GDPR Privacy Terms will prevail.

Our Contact Details


If you have any questions or concerns as to how your Personal Data is Processed, please write to us using the contact information contained in Section 12 of our Privacy Policy.

Our Data Collection Practices
We collect and Process the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from us and individuals that interact with us by registering for, attending and/or otherwise taking part in our webinars or conferences or who communicate with us via email, phone or in person, in each case to operate our business for the specific purposes identified below.

Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
Login Credentials include data such as usernames and passwords of individuals needed to access our Services.
Unique IDs include data that we obtain from (a) prospective employees, (b) Website Visitors, or (c) other individuals that interact with us.
Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
Website and Service Records include data related to your interactions with our Website and Services and other online content such as log data (i.e. login information, preferences and settings, etc.).
Employment Information includes details such as descriptions of roles performed and locations of employment.


Why do we collect Personal Data, what are the sources of Personal Data, what are the purposes for Processing and what is the lawful basis?


The table below sets out the types of Personal Data we Process, the purposes of Processing such Personal Data and our lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for us to pursue our legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for us to comply with our legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.

Table 1. Ontop Data Processing and Lawful Basis

Purpose for Processing Personal Data | Lawful Basis for Collecting Personal Data

Purpose: To interact with Customers, Service Providers and business partners. When a Customer places an order for our Services, we Process the following categories of Personal Data necessary to deliver and provide Services to our Customers:

● Personal Details
● Login Credentials
● Unique IDs

We also collect and Process Personal Data when engaging with Service Providers or business partners, as well as when we purchase products and services from them.

Lawful basis: We have a legitimate business interest in Processing Personal Data in order to engage in transactions with our Customers, Service Providers and business partners, as well as to efficiently run our business.

Purpose: To manage the security of our Website, Software Platform, systems and Services. In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our systems or Services and to monitor applicable security thereof, we collect and Process the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or the prospective employee:

● Personal Details
● Unique IDs
● Access Credentials and Visitation Records

Lawful basis: We have a legitimate business interest in protecting the security of our Website, Software Platform, systems and Services.

Purpose: To provide technical support and customer assistance. We collect and Process the following categories of Personal Data to provide our Customers and their Representatives with general and technical support:

● Personal Details
● Login Credentials
● Unique IDs
● Customer Support Records

Lawful basis: We have a legitimate business interest in being able to provide our Customers with technical support and customer assistance.

Purpose: To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, we collect and Process the following categories of Personal Data from their Representatives or other related individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. We also collect and Process the following Personal Data from Representatives who register for a trade event, webinar, or conference:

● Personal Details
● Unique IDs
● Website Records
● Marketing and Event Records

Lawful basis: We have a legitimate business interest in being able to communicate with our Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests.

Purpose: To market our Services and tailor our marketing and sales activities. We may Process the following categories of Personal Data when marketing new and existing Services and features to our Customers and other persons and entities and in an effort to personalize such experience. We also collect and Process the following Personal Data from Representatives who register for a trade event, webinar, or conference:

● Personal Details
● Unique IDs
● Website Records
● Marketing and Event Records

Lawful basis: Except in cases where opt-in consent is required by law for the Processing of email addresses, IP addresses or other unique identifiers to send or Process electronic communications (emails, texts, Cookies, etc.), we process this data for marketing purposes on the basis of our legitimate interests.

Purpose: To analyze, improve, and optimize the use, function and performance of our Website, Software Platform and Services. We may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of our Website, Software Platform and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns:

● Personal Details
● Unique IDs
● Website Records
● Marketing and Event Records

Lawful basis: We have a legitimate business interest in improving and optimizing the use of our Website, Software Platform and Services.

Purpose: To comply with applicable laws, regulations and internal policies, practices, and procedures. We may be required to disclose certain categories of Personal Data in order to comply with applicable laws and regulations, e.g. to respond to a request from a government agency or to defend a legal claim. Additionally, we may also be required to process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.

Lawful basis: We have a legitimate business interest in complying with all applicable laws, regulations, and internal policies.

Purpose: To receive applications for employment. We may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit our Website or other online locations where jobs may be posted and applications may be submitted:

● Personal Details
● Login Credentials
● Unique IDs
● Education and Work History

Lawful basis: We have a legal obligation to collect certain information in order to confirm your right to work in the country to which you have applied. Additionally, we have a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment.

Sharing Personal Data with Third Parties
Except as described below, we will not share or disclose Personal Data with or to outside third parties. Any and all Personal Data provided to us by a Customer, Website Visitor, business partner, or other third party is transferred only on a “need to know” basis in keeping with the purposes outlined in our Privacy Policy and/or these GDPR Privacy Terms.

Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events and other related activities. We provide such Personal Data or authorize the Processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contractual agreements with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization.

Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to, third parties that organize trade shows, consultants, experts and auditors.

Affiliated Entities. We share Personal Data with our affiliates. Subject to local requirements, this Personal Data may be used to provide Services offered by our affiliates, for the affiliates to provide support to the affiliated entity that is sharing the Personal Data or for any other purposes described in our Privacy Policy and/or these GDPR Privacy Terms. For example, affiliates may share Personal Data about our Customers, Service Providers, business partners, representatives, prospective employees and Website Visitors for direct marketing purposes.

Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate regulatory, legal, judicial or law enforcement authorities and our advisors and investigators when: (i) we believe, at our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect our safety, rights and/or property or that of our group of companies and/or Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, employees, contractors, among others; (ii) we suspect abuse of the Website, Software Platform and/or Services or unauthorized access to any system, spamming, denial of service attacks or any other similar attacks; (iii) exercising or protecting legal rights or defending against legal claims; or (iv) pursuing available remedies, as well as mitigating or limiting the damages that we may sustain. We may disclose Personal Data to our partners, Service Providers and law enforcement to secure our Website, Software Platform and/or Services, including to detect, prevent, and investigate security incidents or violations of our Terms of Use (https://www.ontop.ai/terms-and-conditions/), Privacy Policy and/or applicable laws.

Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, representatives, applicants, Website Visitors or other third parties if a court, law enforcement or other public or government authority with appropriate jurisdiction requests that we provide said Personal Data and we believe, at our reasonable discretion, that such request was made in compliance with the applicable law.

Corporate Reorganization. We may transfer the Personal Data of our Customers, Service Providers, business partners, Representatives, Website Visitors or other third parties to another third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other alienation of any or all of our business, assets and/or stocks, including in the event of bankruptcy or corporate restructuring. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, of which you will be informed as provided under Section 11 of our Privacy Policy.

Service Improvements. We may disclose Personal Data to our Service Providers in order to improve our Website, Software Platform and/or Services, such as to identify bugs, repair errors or ensure that services function as intended, or to conduct internal research and analysis in order to improve our technology.

Cross-Border Transfers of Personal Data


If we transfer EEA/EU/UK/Switzerland Personal Data to affiliates outside the EEA/EU/UK/Switzerland region, we will put in place appropriate intra-group agreements in accordance with the GDPR requirements, including use of the EU Commission-approved standard contractual clauses (“SCC(s)”) for Controllers as appropriate. If we transfer EEA/EU/UK/Switzerland Personal Data to third parties, such as Service Providers or business partners in countries outside the EEA/EU/UK/Switzerland region, we will put in place the EU SCCs or other relevant international transfer documentation that complies with the GDPR requirements. We will also put in place a GDPR-compliant data processing agreement.

Data Retention
We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in our Privacy Policy and these GDPR Privacy Terms. We may retain Personal Data as required by law, such as for tax, legal and/or accounting purposes. When we have no justifiable business need to process your Personal Data (e.g. after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to process your Personal Data and we have no other legal obligations to retain your Personal Data), we will either delete or anonymize your Personal Data, at our reasonable discretion.

Data Subject Rights under the GDPR
The GDPR grants individuals who are in the EU/EEA/UK the rights as detailed in the paragraphs below, with some limitations. Individuals may contact us through our contact information contained in Section 12 of our Privacy Policy to exercise any of these rights and we will respond with the requested action or information, as applicable, or we will let you know why such rights do not apply to you. These rights are not absolute and are subject to various conditions under the applicable data protection and privacy legislation, as well as the laws and regulations that apply to us. In some cases, the exercise of these rights (e.g. erasure, deletion, objection, restriction or the withholding or withdrawing of consent to Processing) may make it impossible for us to provide our Services.

Right to Not Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right to not provide your consent and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal.

Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.

Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you and that we supplement incomplete Personal Data.

Right of Erasure. Under certain circumstances, you have the right to request that we erase Personal Data concerning you; e.g. if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain the Personal Data. We may need to retain certain Personal Data when legally required for internal, record keeping purposes and/or in order to complete any transactions initiated prior to your request to remove or delete your Personal Data. When we are unable to delete Personal Data from our systems, we will anonymize it so it will no longer be directly or indirectly linked to your identity or identifiable.

Right to Restrict Processing. Under certain circumstances, you have the right to request that we restrict the Processing of your Personal Data that we have collected; e.g. when you believe that your Personal Data that we retain is not accurate or unlawfully held.

Right to Data Portability. Under certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible.

Right to Object to the Processing. Under certain circumstances, you have the right to request that we stop Processing your Personal Data, including when we rely on legitimate interests as a legal basis set forth in Table 1 above. If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe” link provided in such communications. Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes to the Services) and you cannot opt out from receiving these messages, unless you stop engaging our Services.

Right to Not be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated Processing, including profiling, that produce legal effects or similarly affect you.

Right to Complain before a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask that you please consider contacting us first, so that we can try to assist with your query or address your concern.

In order to exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section 12 of our Privacy Policy, so that we may consider your request under the applicable law. We may ask that you provide the following Personal Data for us to promptly address your request:

● The name, user ID, pseudonym, email address or other identifier you have provided to us or, if you have not otherwise previously interacted with us, your first and last name and an address where we can contact you;
● The country in which you are located;
● A clear description of the Personal Data or content that you wish to receive or to be deleted or corrected and/or the action you wish to be taken; and
● Sufficient information to allow us to locate the content or Personal Data to be deleted, removed and/or corrected.

For your protection, we may only respond to requests with respect to the Personal Data that is associated with the particular email address that is registered under your user account. In addition, please note that, depending on the nature of your inquiry, request and/or complaint, we may need to verify your identity before implementing your request and require documentary proof of identity, such as in the form of a government issued ID and proof of your physical address. We will make all efforts to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by the applicable law. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (e.g. because it is repetitive) and/or to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested, in the cases where such action is justified.