Atelier E.B

Cleo’s

1. Why a charter on the protection of your personal data?

Atelier E.B considers your privacy to be a priority. So we undertake to treat the personal data of Cleo’s users (hereinafter ‘you’) with the greatest care and to provide the best possible protection for such data in accordance with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter ‘GDPR’) and the national law applicable in this field.

This charter provides information about:

• the personal data that we collect about you and why we do so;
• the terms of use of your personal data;
• your rights as regards your personal data and the ways in which you can exercise them.

Please note you can manage your personal data on your personal info page at any time.

2. Explanatory glossary of the main legal terms used in this charter

Terms that are often used in this charter	Definitions provided by the GDPR (General Data Protection Regulation)	Explanation of the terms in standard language
Data of a personal nature (hereinafter ‘personal data’)	Any information relating to an identified or identifiable natural person (hereinafter ‘the data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.	All sorts of information relating to a natural person, that is an individual, who can be identified as a person, directly or indirectly who can be distinguished from other people. Examples: a name, a photo, a fingerprint, an e-mail address, a telephone number, a social security number, an IP address, a voice mail, your browsing data on a website, data relating to an online purchase, etc.
Processing	An operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.	Any use of personal data, regardless of the procedure involved (recording, organisation, storage, adaptation, alignment with other data, transmission, etc. of personal data). Examples: the use of your data to manage an order, a delivery, send a newsletter, etc.
Controller	The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.	The person, public authority, company or body which manages your data and determines how they are used. He/she decides whether to start or discontinue processing and determines why your data will be processed and to whom they will be transferred. He/she is the main party responsible for ensuring the protection of your data.
Processor	The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.	Any natural or legal person that performs processing tasks following the instructions and under the responsibility of the controller.

3. Who is responsible for the use of your data in the context of your relationship with our services?

The controller responsible for the processing of your personal data on Cleo’s (hereinafter “Cleo’s” or the “service(s)”) is Atelier E.B Limited (hereinafter “AEB” or “we”), the head office of which is at 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK., registered in the Companies House (the United Kingdom’s registrar of companies) under no. SC487256.

Any question or request concerning the processing of your data may be addressed to the following e-mail address: cleosapp@ateliereb.com.

4. Why do we collect your personal data and on what grounds?

We collect personal data about you for various reasons.

AEB collects and uses your personal data to be able to work efficiently and offer you the best possible experience with its services.

Moreover, you should know that we can only collect and use your personal data if this use is based on one of the legal grounds defined by the GDPR (e.g. the performance of a contract concluded with you).

The table below lists more specifically the purposes for which AEB uses your personal data and the corresponding legal basis.

Purposes for which your personal data are collected	Legal basis for the processing of your personal data
(1) Registration The registration process is a prerequisite to using our services. We process your personal data to create your account.	Implementation of a pre-contractual measure (Article 6.1.b) of the GDPR), in this case the General Terms and Conditions of Use.
(2) Use of our services In order to allow you to use Cleo’s, we process your personal data to let you access your account and manage it, to operate and provide our services, including customer service, and customizing and improving our services.	The fulfilment of a contract concluded with you (article 6.1.b) of the GDPR), in this case the General Terms and Conditions of Use.

5. What personal data do we collect about you?

Below we give details of the personal data that we collect about you, the reason why they are collected, the way in which they are collected.

Purpose of the collection	Personal data collected	Direct or indirect collection of your personal data
(1) Registration	Personal identification data: first name, family name, e-mail address, location, website address (optional).	For this purpose, the data is collected directly from you.
(2) Use of our services	Personal identification data: first name, family name, e-mail address, location, website address (optional), photos you upload.	For this purpose, the data is collected directly from you.

6. Who do we share your personal data with?

We do not share your data with commercial partners who may want to offer you products or services.

In the context of our activities, our service providers and subcontractors can access your personal data for the processing operations they perform. It goes without saying that in the contact of such processing activities, we will ensure optimal protection of your personal data.

Below you will find the list of subcontractors with whom we share your data, their location and the reason why we share the information in question with them.

Service providers, and subcontractors that are involved in the sharing of your personal data	Location of service providers, partners and/or subcontractors	Reason for sharing your personal data
Nodes	Artillerivej 86, st. tv., 2300 København S, Denmark	Website publisher and developer, Infrastructure systems and application maintenance
Vapor Cloud	42 West Street, Brooklyn, NY, USA	Website hosting
Mailgun Technologies, Inc.	535 Mission St., 14th Floor, San Francisco, California 94105	Mail sending services
Bugsnag, Inc.	939 Harrison St, San Francisco, California 94107	Bug reporting
Amazon.com, Inc.	2021 Seventh Ave, Seattle, Washington 98121	Infrastructure subcontractor to Vapor Cloud

We may have to share your personal data with government bodies, in response to legal requests, including requirements regarding national security or the application of the law. In the context of a transaction, such as a merger, a takeover, a consolidation or a sale of assets, it may be that we have to share your personal data with the buyers or sellers.

7. How long do we keep your personal data?

AEB has laid down precise rules on the storage period for your personal data. This period varies depending on the respective objectives and has to take account of any legal obligations to keep some of your data.

Purpose of the collection	Storage period
(1) Registration	The storage period is 60 days from the last action/reaction by the user. Once the deadline has expired, the relevant personal data will either be deleted if you decide not to create an account or be used as part of our services’ use if you decide to create an account.
(2) Use of our services	Your personal data will be kept as long as your account exists. If you decide to delete your account, the storage period is 60 days from the last action/reaction by the relevant person.

8. What rights do you have as regards your personal data and how can you exercise these rights?

We aim to inform you as clearly as we can about your rights with regard to your personal data. And we aim to ensure that you can easily exercise these rights.

Please find below a summary of your rights and a description of the way in which you can exercise them.

8.1 Right of access

You can ask us to grant you access to all the following information with regard to:

• The categories of personal data that we collect about you;
• The reasons why we use these data;
• The categories of people with whom we share or will share your personal data;
• The periods for which your personal data will be kept in our systems;
• Your right to ask us to correct or delete your personal data or to limit the use that we make of your personal data and your right to object to this use;
• Your right to lodge a complaint with a European data protection body.

How can you exercise your right to access?

To do so, you can either access your personal info page, or contact us by e-mail at cleosapp@ateliereb.com, with the subject ‘right of access: personal data’, along with a brief description of the information you would like to access, and attach a copy of your ID card. Unless you indicate otherwise, you will receive a copy of the information requested free of charge in electronic format within one (1) month following receipt of the request or two (2) more months if the request necessitates further research.

If you do not manage to access your information by e-mail, you can send us your request by post to the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Written requests must be signed and accompanied by a copy of your ID card. The request must specify the address to which the response should be sent. A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.

8.2 Right to rectification

You can ask AEB to correct and/or update your personal data.

How can you exercise your right to rectification? 

To do so, you can either correct your personal data on your personal info page or contact us by e-mail at cleosapp@ateliereb.com, with the subject ‘right to rectification: personal data’.

Remember to also indicate the reason for this request in the body of your e-mail: ‘rectification of inaccurate information’, and the information to be amended with evidence of the correct information, if you have it and if applicable.

You can also exercise this right by writing to us at the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Your written request must be signed and accompanied by a copy of your ID card. The request must specify the address to which the response should be sent. A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.

8.3 Right to erasure of data (right to be forgotten)

You can also contact us at any time to ask us to erase the personal data that we are processing about you, if one of the following situations applies to you:

• Your personal data are no longer necessary as the reasons for which they were collected or processed are no longer valid;
• For your own reasons, you believe that one of the instances of processing your data is infringing on your privacy and causing you excessive damage;
• Your personal data are not being processed in accordance with the GDPR and the applicable national regulations;
• Your personal data must be erased to comply with a legal obligation provided for by European Union law or by Belgian national law to which AEB is subject.

How can you exercise your right to erasure?

Simply send an e-mail to cleosapp@ateliereb.com, indicating your full name and in the subject field ‘Right to erasure of data: personal data’, and attach a copy of your ID card. Remember to also indicate the reason for this request in the body of your e-mail.

You can also exercise this right by writing to us at the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Your written request must be signed and accompanied by a photocopy of your ID card. The request must specify the address to which the response should be sent. A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.

However, we may not be able to accede to your request for the right to be forgotten. Indeed, it must be borne in mind that this right is not absolute. We must balance it with other rights or important values such as freedom of speech, fulfilment of a legal obligation to which we are subject or important reasons of public interest.

8.4 Right to object

Generally, the applicable legislation gives you the right to object, at any time for a reason particular to you, to the processing of your personal data. Indeed, if you believe that such processing is infringing on your privacy and/or causing you excessive damage, you may use this right.

However, under no circumstances may you prevent us from processing your data:

• if such processing is necessary for the entering into or performance of your contract;
• if such processing is required by law or by a regulation;
• if such processing is required to record, exercise or defend the rights in court.

How can you exercise your right to object? 

Simply send an e-mail to cleosapp@ateliereb.com, indicating in the subject field ‘Right to object: personal data’, and attach a copy of your ID card.

It is important to indicate the reasons behind your objection request.

You can also exercise this right by writing to us at the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Your written request must be signed and accompanied by a photocopy of your ID card. The request must specify the address to which the response should be sent. A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.

However, we may not be able to accede to your request. If this is the case, we will of course make sure that we provide you with as clear a response as possible.

8.5 Right to data portability

With this right you will have the chance to control your personal data yourself more easily and, more precisely, to:

• Recover your personal data, which are being processed by us, for your personal use and to store them on a device or in private cloud storage, for example;
• Transfer your personal data from us to another company, either by you or directly by us, provided that a direct transfer is ‘technically possible’.

This right concerns your data that have been actively and knowingly declared, such as the data provided to create your online account and the information collected by AEB

Conversely, the personal data that are derived, calculated or inferred from the data that you have provided, are excluded from the right to data portability if they were created by AEB

How can you exercise your right to data portability?

Simply send an e-mail to cleosapp@ateliereb.com, indicating in the subject field ‘Right to data portability: personal data’, and attach a copy of your ID card.

Remember to specify in your e-mail the files concerned and the type of request (‘return of data’ and/or ‘transfer to a new service provider’).

You can also exercise this right by writing to us at the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Your written request must be signed and accompanied by a photocopy of your ID card. The request must specify the address to which the response should be sent. A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.

However, please be aware that AEB is entitled to refuse your request for data portability. Indeed, this right only applies to personal data based on your consent or the performance of a contract entered into with you (to find out the exact personal data that may be subject to the right to data portability: read the purposes and grounds part).

Likewise, this right must not harm the rights and freedoms of third parties whose data may be contained in the data sent following a request for portability.

8.6 Right to restriction of processing

You have the right to ask us to restrict the processing, which involves the tagging (for example, temporarily moving your data to another processing system or locking your data, making them inaccessible) of your personal data, in order to restrict their further processing.

You may exercise this right when

• The accuracy of the personal data is contested;
• The processing is unlawful, meaning it is not processed according to the GDPR and Belgian law
• The personal data is no longer needed for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
• The decision regarding your objection to the processing is pending.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State

In case of restriction of processing of some of your personal data, we will keep you informed before the restriction of processing is lifted.

How can you exercise your right to restriction of processing?

Simply send an e-mail to cleosapp@ateliereb.com indicating in the subject field ‘Right to restriction of processing: personal data’ and attach a copy of your ID card.

It is important to indicate the reasons behind your restriction request.

You can also exercise this right by writing to us at the following address: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

Your written request must be signed and accompanied by a photocopy of your ID card. The request must specify the address to which the response should be sent.

A response will then be sent to you within one (1) month following receipt of the request or two (2) more months if the request necessitates further research or if AEB receives a very high number of requests.  If your request is not clear or does not contain everything to allow us to proceed with the operations requested, we will ask you, within this time frame, to provide us with them.

9. Are your personal data transferred abroad?

9.1 Data transfer within Europe

Some data are transferred between the UK and Belgium for the purpose of certain processing operations (see point 6). Within the European Economic Area (28 EU members states, Iceland, Norway, Liechtenstein) personal data will benefit from the same level of protection.

9.2 Data transfer outside Europe

Some of third parties to whom your personal data are communicated (even hosted), are located in countries outside Europe.

You should be aware that the protection of privacy and the rules allowing authorities to access your personal data in these countries are not necessarily equivalent to those in Europe.

In order to ensure standards are adhered to in terms of data and privacy protection, we impose technical and legal guarantees on all recipients / processors of the data. This could be, in particular, by imposing standard data protection clauses on the recipient / processor or by ensuring that it is compliant with the Privacy Shield framework (e.g. for a service provider based in the USA).

The table below details how to transfer your personal data outside Europe.

Categories of recipients	Company name	Location of the company	Reason of the transfer	Legal safeguards applicable to the transfer
Subcontractor	Vapor Cloud	USA	Website hosting	We transfer and/or grant access to your personal data to a partner located in a non-EEA country only if appropriate safeguards have been implemented in accordance with the GDPR. Your data is transferred to the United States of America, in accordance with article 46 of the GDPR through the conclusion of standard contractual clauses. To obtain more information and/or a copy of the guarantees taken, simply send us an e-mail to cleosapp@ateliereb.com with your surname, first name and in the subject “transfers outside the EU: personal data”. Also remember to specify in the body of your e-mail the exact information you wish to obtain.
Subcontractor	Mailgun Technologies, Inc.	USA	Mail sending services	Mailgun Technologies, Inc. is committed to and respects the Privacy Shield principles. This is a self-certification mechanism for companies established in the United States that has been recognized by the European Commission as providing a legal guarantee for personal data transfer by a European entity to companies established in the United States. For more information about Privacy Shield.
Subcontractor	Bugsnag, Inc.	USA	Bug reporting	Bugsnag, Inc. is committed to and respects the Privacy Shield principles. This is a self-certification mechanism for companies established in the United States that has been recognized by the European Commission as providing a legal guarantee for personal data transfer by a European entity to companies established in the United States. For more information about Privacy Shield.
Subcontractor	Amazon.com, Inc.	USA	Infrastructure subcontractor to Vapor Cloud	Amazon.com, Inc. is committed to and respects the Privacy Shield principles. This is a self-certification mechanism for companies established in the United States that has been recognized by the European Commission as providing a legal guarantee for personal data transfer by a European entity to companies established in the United States. For more information about Privacy Shield.

10. Data security

AEB takes all useful and appropriate physical, logical, technical, functional, administrative and organisational precautions and measures to guarantee the security of your personal data, with regard to the state of the art, implementation costs and the nature, extent, context and purposes of the processing, as well as the risks, whose degree of likelihood and severity vary, to the rights and freedoms of natural persons, to preserve data security and confidentiality and guarantee a level of security appropriate to the risks, and particularly to prevent the data being distorted, damaged or accessed by unauthorised third parties.Due to the difficulties inherent in exercising an activity on the Internet and the risks, of which you are aware, resulting from the electronic transmission of data, AEB may not be bound by a performance obligation in such circumstances.In the event that difficulties occur, AEB shall do its utmost to circumvent the risks and shall take all adequate measures, in accordance with its legal and regulatory obligations (corrective actions, informing the national authority responsible for personal data protection and, where relevant, data subjects, etc.).In the event that all or part of the personal data processing is subcontracted, AEB contractually imposes security guarantees on its subcontractors, particularly in terms of confidentiality in respect of the personal data to which they may have access (appropriate technical and organisational measures to protect that data).

11. Would you like to contact us about this personal data protection charter and/or to make a complaint to a data protection authority?

Do you have any questions or suggestions regarding this personal data protection charter? 

Please do not hesitate to contact us

• by e-mail: cleosapp@ateliereb.com
• by post: Atelier E.B, 3a Queen Charlotte Lane, Edinburgh EH6 6AY, UK.

We would be happy to hear from you and we will reply to you as soon as we can.

Do you think that we are not doing enough to protect your personal data?

If you believe that AEB is not processing your personal data in accordance with the GDPR and with the applicable Belgian legislation, you have the right to make a claim to:

• The data protection authority in the European country in which you normally reside; or
• The data protection authority in the European country in which you work; or
• The data protection authority in the European country in which the breach of the GDPR occurred.

Make a complaint to the Belgian data protection authority

• by e-mail: contact@apd-gba.be
• by post: Autorité belge de Protection des données [Belgian data protectionauthority], rue de la Presse, 35, 1000 Bruxelles

Make a complaint to another European data protection authority

To make a complaint to another data protection authority, please consult the list on the European Commission website: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

12. How will you know if this personal data protection charter has been amended?

The personal data protection charter may be amended at any time, in particular to take account of any legislative or regulatory amendments.

Notification of any amendments made will be given by e-mail or via our website.

When we publish amendments to this Charter, we will revise the ‘last update’ date at the top of the Personal data protection charter and we will give a description of the changes in the ‘Change History’ tab.

Please consult this charter regularly to see how AEB is protecting your personal data.