Privacy Policy

Updated: September 21st 2020

Notice for European Union Residents

If you are a resident of the European Union ("EU") and you use our Services or are otherwise subject to our Terms and Conditions, you have additional privacy rights discussed in the Privacy Policy Addendum for Residents of the European Union, described here.

Notice to Residents of the State of California

If you are a resident of the State of California, in the United States of America, and you use our Services or are otherwise subject to our Terms and Conditions, you have additional privacy rights described here.

In this Policy, the words "you", "your" or “User” refer to each customer or user. For the purposes of this Policy, “Personal Information” means personally identifiable information about you, or information that would allow someone to contact you, or any other information that is defined as such under applicable laws.

1. Introduction

1.1 We are committed to safeguarding the privacy of our Platform and Services users.

1.2 This policy applies to all LUCA platforms and services, including our applications, websites, features, and other services (collectively, the “Platform” and/or the “Services”) where we are acting as a data controller with respect to the personal data of our Platform and Services users; in other words, where we determine the purposes and means of the processing of that personal data.

1.3 We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our Platform and Services, we will ask you to consent to our use of cookies when you first visit our Platform.

1.5 In this policy, “we”, “us”, “our”, and the “Company” refer to LUCA.

1.6 This Policy is incorporated as part of the LUCA Terms and Conditions and your use of the Platform or of the Services indicates your consent to them.  

2. How we use your personal data

2.1 We collect data from our clients, our clients’ LUCA administrators and, in most cases, end-users. In this Section 2 we have set out:

(a) the general categories of personal data that we may process;

(b) in the case of personal data that we did not obtain directly from you, the source and specific categories of that data;

(c) the purposes for which we may process personal data; and

(d) the legal basis of the processing.

2.2 We may process data about your use of our Platform and Services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and Platform navigation paths, as well as information about the timing, frequency and pattern of your service use. This usage data may be processed for the purposes of analyzing the use of the Platform and services. The legal basis for this processing is consent or our legitimate interests, namely monitoring and improving our Platform and services.

2.3 We may process your account data (“account data”). The account data may include your name and email address. The account data may be processed for the purposes of operating our Platform, providing our services, ensuring the security of our Platform and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is consent or our legitimate interests, namely the proper administration of our Platform and business.

2.4 We may process your information included in your personal profile on our Platform (“profile data”). The profile data may include your name, address, telephone number, email address, profile pictures, company name and other related information. The profile data may be processed for the purposes of enabling and monitoring your use of our Platform and services. The legal basis for this processing is consent or our legitimate interests, namely the proper administration of our Platform and business.

2.5 We may process your personal data that are provided in the course of the use of our services (“service data”). The service data may include your location data, your usage data, your communications with our subcontractors and third-party providers, any information you provide while participating in a survey, questionnaire, or contest. The service data may be processed for the purposes of operating our Platform, providing our Services, ensuring the security of our Platform and Services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is consent or our legitimate interests, namely the proper administration of our Platform and business.

2.6 We may process information and drawings that you post for publication on our Platform or through our Services (“publication data”). The publication data may be processed for the purposes of enabling such publication, training artificial intelligence algorithms to turn quantitative data into qualitative data, analyzing one’s mood and administering our Platform and Services. The legal basis for this processing is consent or our legitimate interests, namely the proper administration of our Platform and business.

2.7 We may process information contained in any enquiry you submit to us regarding subscriptions, goods and/or services (“enquiry data”). The enquiry data may be processed for the purposes of offering, marketing and selling relevant subscriptions, goods and/or services to you. The legal basis for this processing is consent.

2.8 We may process information relating to our customer relationships, including customer contact information (“customer relationship data”). The customer relationship data may include your contact details, and information contained in communications between us and you. The customer relationship data may be processed for the purposes of managing our relationships with customers, communicating with customers, keeping records of those communications and promoting our products and services to customers. The legal basis for this processing is consent or our legitimate interests, namely the proper management of our customer relationships.

2.9 We may process information relating to transactions, including purchases of subscriptions, goods and services, that you enter into with us and/or through our Platform (“transaction data”). The transaction data may include your contact details, your card details and the transaction details. The transaction data may be processed for the purpose of supplying the purchased subscriptions, goods and services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely the proper administration of our Platform and business.

2.10 We may process information that you provide to us for the purpose of subscribing to our email and platform notifications and/or newsletters (“notification data”). The notification data may be processed for the purposes of sending you the relevant notifications, push notifications, emails, information and/or newsletters pertaining to the Services. The legal basis for this processing is consent or the performance of a contract between you and us.

2.11 We may process information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication. The correspondence data may be processed for the purposes of communicating with you and record keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our Platform and business and communications with users.

2.13 We may process any of your personal data identified in this policy where necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is our legitimate interests, namely the protection and assertion of our legal rights, your legal rights and the legal rights of others.

2.14 We may process any of your personal data identified in this policy where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice. The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.

2.15 In addition to the specific purposes for which we may process your personal data set out in this Section 2, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

2.16 Please do not supply us with any other person’s personal data, unless we prompt you to do so.

3. Providing your personal data to others

3.1 We may disclose your personal data to our professional advisers insofar as reasonably necessary for the purposes of obtaining professional advice, or the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

3.2 We may disclose your usage data, account data, your profile data, your service data, your publication data, your enquiry data, your correspondence data, your transaction data, notification data, and your customer relationship data to our suppliers or subcontractors insofar as reasonably necessary for the provision of the Platform and Services.  

3.3 We may disclose some of your data to one or more of the following third party providers on our Platform for the purpose of providing you with the relevant goods and/or services, notably, HotJar, TikTok, Plotly, PowerBI, Office 365, and Webflow (the “Service Providers”). You can find information about third party service providers’ privacy policies and practices at:

HotJar:  

https://www.hotjar.com/legal/policies/privacy/  

Webflow:

https://webflow.com/legal/privacy  

Each such third party will act as a data controller in relation to the enquiry data that we supply to it; and each such third party has its own privacy policy, which will govern that third party’s use of your personal data. We advise you to read carefully those third parties’ privacy policies.

3.6 In addition to the specific disclosures of personal data set out in this Section, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

4. Retaining and deleting personal data

4.1 This Section sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

4.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes, including providing you our Platform and Services.

4.3 LUCA provides ways for you to access and delete your personal data as well as exercise other data rights, which give you a certain level of control over your personal information.

(a) Email Subscriptions. You can always unsubscribe from our commercial or promotional emails by clicking unsubscribe in those messages. We will still send you transactional and relational emails about your use of the Platform and Services.

(b) Push Notifications. You can opt out of receiving push notifications through your device settings. Please note that opting out of receiving push notifications may impact your use of the Platform and Services.

(c) Profile Information. You can review and edit certain account information you have chosen to add to your profile by logging in to your account settings and profile.

(d) Cookie Tracking. You can modify your cookie settings on your browser, but if you delete or choose not to accept our cookies, you may be missing out on certain features of the Platform.

(e) Do Not Track. Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services that you do not want them to track your online activities. The Platform does not currently support Do Not Track requests.

(f) Deleting Your Account. If you would like to delete your account, please contact LUCA through the email provided on the website. In some cases, we will be unable to delete your account, such as if there is an issue with your account related to trust, safety, or fraud. When we delete your account, we may retain certain information for legitimate business purposes or to comply with legal or regulatory obligations. When we retain such data, we do so in ways designed to prevent its use for other purposes.

4.4 Notwithstanding the other provisions of this Section, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

5. Amendments

5.1 We may update this policy from time to time by publishing a new version on our Platform.

5.2 You should check this page occasionally to ensure you are happy with any changes to this policy.

5.3 When you aren’t prompted to reaccept the updated privacy policy, we may notify you of significant changes to this policy by email or through a banner on our Platform.

6. Your rights

6.1 In this Section, we have summarized the rights that you have under data protection law. Some of the rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

6.2 You have choices regarding our use and disclosure of your personal data:

(a) Opting out of receiving electronic communications from us. If you no longer want to receive marketing-related emails from us, you may opt-out via the unsubscribe link included in such emails. We will try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-out of receiving marketing-related emails from us, we may still send you important administrative messages that are required to provide you with our Services.

(b) To see or change your account personal data. If you would like to review, correct, or update personal data that you have previously disclosed to us, you may do so by signing into your account or by contacting us.

(c) Your data protection rights. Depending on your location and subject to applicable law, you may have the following rights with regard to your personal data:

The right to request confirmation of whether LUCA processes personal data relating to you, and if so, to request a copy of that personal data;

The right to request that LUCA rectifies or updates your personal data that is inaccurate, incomplete or outdated;

The right to request that LUCA erase your personal data in certain circumstances provided by law;

The right to request that LUCA restricts the use of your personal data in certain circumstances, such as while LUCA considers another request that you have submitted (including a request that LUCA make an update to your personal data); and

The right to request that we export to another company, where technically feasible, your personal data that we hold in order to provide the Platform and Services to you.

(d) Consent. Where the processing of your personal data is based on your previously given consent, you have the right to withdraw your consent at any time. You may also have the right to object to the processing of your personal data on grounds relating to your particular situation.

(e) Process for exercising data protection rights. In order to exercise your data protection rights, you may contact LUCA as described in the Our Details section below. We take each request seriously. We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your personal data. If you feel that you have not received a satisfactory response from us, you may consult with the data protection authority in your country. If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection.

(f) For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. If we no longer need to process personal data about you in order to provide our Platform and Services, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.

7. About cookies

7.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.

7.2 Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

7.3 Cookies do not typically contain any information that personally identifies a user, but personal information that we store about you may be linked to the information stored in and obtained from cookies.

8. Cookies that we use

8.1 We currently do not use cookies on our website, although in the future we might use cookies for the following purposes:

(a) authentication—we use cookies to identify you when you visit our website and as you navigate our website;

(b) status—we use cookies to help us to determine if you are logged into our website;

(c) shopping cart—we use cookies to maintain the state of your shopping cart as you navigate our website;

(d) personalization—we use cookies to store information about your preferences and to personalize our website for you;

(e) security—we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to protect our website and services generally;

(f) analysis—we use cookies to help us to analyze the use and performance of our website and services;  

(g) advertising—we use cookies to help us to display advertisements that will be relevant to you; and

(h) cookie consent—we use cookies to store your preferences in relation to the use of cookies more generally.

9. Cookies used by our service providers

9.1 Our service providers use cookies and those cookies may be stored on your computer when you visit our website.

9.2 We use Google Analytics to analyze the use of our website. Google Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Google’s privacy policy is available at: https://www.google.com/policies/privacy/.  

9.3 We use Facebook Analytics to analyze the use of our website. Facebook Analytics gathers information about website use by means of cookies. The information gathered relating to our website is used to create reports about the use of our website. Facebook’s privacy policy is available at: https://www.facebook.com/policy.php.

10. Managing cookies

10.1 Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via these links:

(a) https://support.google.com/chrome/answer/95647?hl=en (Chrome);

(b) https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (Firefox);

(c) http://www.opera.com/help/tutorials/security/cookies/ (Opera);

(d) https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies (Internet Explorer);

(e) https://support.apple.com/kb/PH21411 (Safari); and

(f) https://privacy.microsoft.com/en-us/windows-10-microsoft-edge-and-privacy (Edge).

10.2 Blocking all cookies will have a negative impact upon the usability of many websites.

10.3 If you block cookies, you will not be able to use all the features on our website and/or our Services.

11. Our details

11.1 This website is owned and operated by LUCA Theory Inc.

We are incorporated in the province of Quebec under registration number 1174472572, and our registered office is at 400-3 Place Ville-Marie, Montréal (Québec) H3B2E3, Canada.

11.3 You can contact us:

(a) by post, to the postal address given above;

(b) using our website contact form;

(c) by telephone, on the contact number published on our website from time to time; or

(d) by email, using <info@lucatheory.com>

EUROPEAN UNION GDPR DATA PROCESSING ADDENDUM

The Company requires the User to accept the provisions of this Data Processing Addendum ("DPA"), which is intended to meet the data protection adequacy and security requirements of the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC). Therefore, if the GDPR applies to the User's activity (for instance because the User is established in the European Union or established outside the European Union but the User offers goods or services to data subjects who are in the European Union), the User needs to accept these Data Processing Addendum terms to be compliant with GDPR so that the User can process such GDPR-eligible personal data with the Company. Unless the User accepts the Agreement involving this DPA, the User's contract with the Company will lack those terms; therefore, if GDPR applies to the User's activity, the User must refrain from using the Company's Services unless the User accepts this DPA.

  1. The terms "personal data", "data subject", "processing", "controller", "processor" and "supervisory authority" as used in this DPA have the meanings given in the GDPR.
  1. For the reasons mentioned above, if the User with any connection to the EEA, as stated above, chooses to accept Terms and Conditions and enter the Agreement, the User enters this Data Protection Agreement which reflects the conditions governing processing and security of the personal data the User submits to the Company's system or which may be processed by the User when connecting the User's e-mail account thereto, i.e. submitted, stored, sent or received via our Platform and Services, hereinafter referred to as the "User Data". Please note that whenever the word "the User" is used in this DPA, it means any persons who use the Services on the User's behalf, including the User's employees, subcontractors and other personnel members.
  1. In accordance with the GDPR regulations, this DPA shall be governed and construed in accordance with the laws of Ireland as a European Union member state. The DPA is concluded for the whole period from the acceptance of the Agreement and this DPA until the end of the Company's provision of the Services under the Agreement, which shall include periods of suspension of Services' provision or other post-termination periods when the Company may refrain from deleting the User's data.
  1. The User Data will be processed via the Company's Services and for the purpose of providing the User with full functionalities of the Company's Services and website and related operational and technical support related to the User's usage of the services, so the duration of the processing will last until the expiry of this DPA or until deletion of all the User Data. The Company will process the User Data in accordance with our Privacy Policy.
  1. The Company shall not be the controller of the User Data the User may submit to the Company's Services and will process such information within the Services solely in the processor's role and – depending on the scope of the User's activity – the User may be the controller or processor of this data. If the GDPR applies to the processing of User Data and the User is the processor, the User explicitly warrants to the Company that the User's instructions and actions with respect to that User Data processing, including the appointment hereby of the Company as another processor, have been authorized by the relevant controller.
  1. The personal data which may be processed (i.e. submitted, stored, sent or received) by the User when the User uses the Services may include the following categories of data: names, e-mail address, telephone, profession, company's name and address, city and country of the company, user IDs, presentations, images, calendar entries and other data which may be relevant for the User's purposes of permitted usage of the Company's Services.
  1. The User Data which the User may process might concern the following categories of data subjects: users of the Services who may include the User's employees and contractors, the personnel of the User's customers, suppliers and subcontractors or any other person who transmits data via the Services, including any individuals collaborating and communicating with users of the Services.
  1. If the explicit consent of the data subject is the legal basis to process the User Data via the Company's Systems, the User represents and warrants to the Company that each such consent is freely given and taken in accordance with applicable laws. In this context the User indemnifies the Company against all claims and actions of third parties related to the processing of User Data via Services without explicit consent or other legal basis under the respective laws.
  1. By entering this DPA the User instructs the Company to process User Data only in accordance with applicable laws and only to:
     1. Provide the Services' and Platform’s functionalities and related customer and technical support;
     1. Provide you with our actions, services and support specified by your usage of the Services and demanded when you use the Services (such as sending e-mail messages, campaign settings, etc.); or,
     1. As further documented in this DPA, Terms and Conditions, Privacy Policy or otherwise documented in any instructions you may give us in writing, via e-mail or other written electronic communication and that we acknowledge as constituting instructions for the User Data processing.
  1. We will comply with your instructions (including with regard to international personal data transfers) unless any European Union or European Union member states' law we could be potentially subject to requires us to otherwise process the User Data. If this is the case, we will inform you of this obligation (unless law prohibits us from doing so on important grounds of public interest). We will also inform you if we believe that your instructions for data processing may infringe regulations of the GDPR.
  1. We enable you to delete User Data during this DPA by using functionalities within Services – including moving data to archive for limited periods or by instant permanent deletion. If the term indicated above expires or you choose to delete data permanently, the User Data may not be recovered. Each of such actions will be acknowledged as your instructions to delete relevant User Data you submitted or keep within our systems. When the Agreement is terminated or otherwise expires, we shall delete your data, including User Data, and/or give you their copy (return them) subject to the terms of the Agreement.
  1. Under this DPA the User authorizes the Company to engage any other third parties as other processors and therefore the Company will inform the User about such planned engagement and the User is authorized to object to such appointment terminating the Agreement within 90 days written notice. If the Company engages another processor for carrying out specific processing activities on the User's behalf (which is unlikely), the same data protection obligations as set out in the DPA will be imposed on that other processor, including in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
  1. The Company has implemented and will maintain all the appropriate technical and organizational measures to protect User Data to ensure a level of security against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to User Data, including encryption of personal data, introducing and maintaining systems ensuring the ongoing confidentiality, integrity, availability and resilience of processing, systems ensuring ability to restore the availability and access to User Data in the event of a physical or technical incident.
  1. The User shall acknowledge that the above-mentioned technical and organizational measures to protect User Data involve i.a.: physical security, logical security, separation of databases, policy regarding the removal of magnetic and optical data (including hard drives, portable storage media, backup platforms, etc.), procedures regarding database management, provisions regarding the collection, marking, verification, processing, and distribution of the data, management of access to personnel, including determination of the methodology for providing access to data, restrictions upon access, and keeping an updated list of persons with access rights, confidentiality undertakings for those persons with access rights, encryption of personal data, provisions regarding operations of the systems and maintaining ongoing data integrity, confidentiality, availability and resilience of processing systems and services, monitoring for the discovery of breaches of data integrity and methodology for reparation of such breaches, provisions regarding employee reliability and record of data misuse in accordance with the level of data sensitivity. We shall also regularly test, assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of the User Data processing.
  1. If the User has further questions on the Company's technical and organizational means for personal data protection, the User shall ask the Company to provide the User with additional information prior to submitting User Data to the Company's systems, or it shall otherwise be considered that the User agreed that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of User Data as well as the risks to individuals, our data protection standards are appropriate to the risk in respect of the User Data.
  1. The Company also ensures that its employees, contractors and sub-processors have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality to the extent applicable to their scope of performance.
  1. If the Company becomes aware of a data incident – meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, User Data on systems managed by or otherwise controlled by the Company, excluding unsuccessful attempts or activities that do not compromise the security of User Data, unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems (a “Data Incident”) – we will notify the User of the Data Incident promptly and without undue delay and promptly take reasonable steps to minimize harm and secure User Data. Such Data Incident notification will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps the Company may recommend to address the Data Incident. The Company will deliver such notification to the User's e-mail address or, at the Company's discretion, by phone call or other direct communication. It is the User's sole responsibility to provide the Company with and update the User's current and valid contact information. None of the Company's notifications or communications regarding Data Incidents shall be construed as an acknowledgement of fault or liability with respect to the Data Incident.
  1. By entering this DPA the User explicitly acknowledges, agrees and confirms that the Company will never assess the contents of User Data the User may submit, store, send or receive using the Company's Services in order to identify information subject to any specific legal requirements or to assess the User's compliance with any laws or infringements thereof. Therefore, the User is solely responsible for complying with applicable incident notification laws and fulfilling any third party notification obligations related to any Data Incident(s).
  1. The User agrees that, without prejudice, the User shall be solely responsible for their use of the Services, including: making appropriate use of the Services and exercising adequate security controls to ensure a level of security appropriate to the risk in respect of the User Data, securing the account authentication credentials, systems and devices which the User may use to access the Services, and backing up their User Data.
  1. As we provide solely online Services, we shall have no obligation to protect User Data that the User may choose to store or transfer outside of the Company's systems, for instance for physical storage – in any form. If the User has further questions on the Company's technical and organizational means for personal data protection, the User shall ask the Company to provide additional information prior to submitting User Data to the Company's systems; otherwise it shall be considered that the User agrees that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of User Data, as well as the risks to individuals, our data protection standards are appropriate to the risk in respect of the User Data.
  1. Notwithstanding the Company's obligations in respect to this DPA, the User shall also take all reasonable precautionary steps in order to ensure appropriate security and to prevent any destruction, loss, alteration, disclosure, unauthorized or illegal access to or acquirement of User Data and any other personal data the User may process via the Company's Services. If the data the User processes via the Services were accessed or obtained by an unauthorized person or if a breach of such personal data security occurs, the User shall immediately notify the Company of such Data Incident and shall cooperate with the Company in order to take any steps deemed required for the mitigation of any loss or damage.
  1. If the User breaches any obligations they may have under the GDPR the User shall be unconditionally and solely liable and it shall compensate the Company and any third parties or data subjects against (a) any damage, loss, costs, taxes and expenses (including legal charges related to judicial Pros and lawyers), (b) the refund of any fines or penalties paid by us to the supervisory authority, (c) any other damages resulting from the negligence, fault or gross misconduct or from any breach of an obligation related to User Data and other personal data processed via the Services as a consequence of non-complying with this DPA and the GDPR.
  1. The Company will consider that any breach of any representation or provision of the DPA and the GDPR by the User represents a gross breach of the Agreement, and it shall entitle the Company to terminate the Agreement immediately by sending a termination notice, without any grace or remedy period and without any other formality, notification or intervention of any court of law or another jurisdictional body.
  1. To the extent necessary for the reason of this DPA, the Company will make available for the User's review the documents and information to demonstrate our compliance with our obligations under this DPA.
  1. If GDPR applies to the processing of User Data, we will also allow the User or the User's appointed independent auditor to conduct audits (including inspections) to verify the Company's compliance with obligations under this DPA, including the Company's documentation and we will contribute to such audits. In any case such audits will be subject to prior arrangements and reasonably agreed terms for such audits and inspections which may involve fees based on our reasonable costs of such reviews. If the User wishes to appoint an auditor, the Company may object to the User's choice if in the Company's reasonable opinion the appointed auditor is not suitably qualified or independent, a competitor of the Company or otherwise manifestly unsuitable. If this is the case the Company will require the User to appoint another auditor or conduct the audit itself.
  1. If applicable, the Company will assist the User in ensuring compliance with any of the User's obligations in respect of data protection impact assessments and prior consultation, including if applicable the User's obligations pursuant to Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to the Company, for instance by providing additional security information or providing the information with regard to performance of the Agreement including this Data Processing Addendum.
  1. During the term of the Agreement, the Company will enable the User to access, rectify and restrict processing of User Data, including deletion of this data (subject to the hereinabove terms) and to export User Data – in a manner consistent with the functionalities of the Services.
  1. If the Company receives any request from a data subject in relation to User Data the Company may process, the Company will advise the data subject to submit their request to the User and the User shall be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Nevertheless, taking into account the nature of the processing of User Data via the Services, the Company will assist the User in fulfilling any obligation to respond to requests by data subjects, including the obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR. Depending on the case, the Company may provide you with Services' functionalities to perform our commitments to assist you, or we may help you in another appropriate manner, including by providing you with additional information on the processing of User Data.
  1. Should the User have any questions in respect of this Data Protection Addendum, please contact the Company at: info@lucatheory.com.

PRIVACY POLICY ADDENDUM FOR CALIFORNIA RESIDENTS

This Privacy Policy Addendum supplements the Privacy Policy and describes additional rights of residents of the State of California.  

Persons with disabilities may obtain this notice in alternative format upon request by contacting us at <EMAIL>.

Your California Privacy Rights.

California residents are entitled once a year, free of charge, to request and obtain certain information regarding our disclosure, if any, of certain categories of personal information to third parties for their direct marketing purposes in the preceding calendar year. We do not share personal information with third parties for their own direct marketing purposes. 

California Consumer Privacy Act

The California Consumer Privacy Act (“CCPA”) provides California residents with rights to receive certain disclosures regarding the collection, use, and sharing of “Personal Information,” as well as rights to know/access, delete, and limit sharing of Personal Information.

The CCPA defines “Personal Information” to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Certain information we collect may be exempt from the CCPA because it is considered public information (i.e., it is made available by a government entity) or covered by a specific federal privacy law, such as the Gramm–Leach–Bliley Act, the Health Insurance Portability and Accountability Act, or the Fair Credit Reporting Act. Your rights are described below: 

Right to Notice at Collection Regarding the Categories of Personal Information Collected. 

You have the right to receive notice of the categories of Personal Information we collect, and the purposes for which those categories of Personal Information will be used. This notice should be provided at or before the time of collection. The categories we use to describe the information are those enumerated in the CCPA.

  • Identifiers. We collect your name, phone number, contact address and e-mail address when you engage with our website. We use this information to manage and provide the Services that you request, respond to your requests, and to communicate with you about the Services. We collect your social media handle when you interact with our Services through social media. We use this information to improve the user experience and our Service.
  • Personal information categories listed in the California User Records statute (Cal. Civ. Code § 1798.80(e)). In addition to the identifiers in the above section, we collect your credit card number to provide you with requested Services.
  • Internet or other similar network activity. We automatically collect information about your browsing history and your interaction with the content of our Services to measure activity, determine the effectiveness of our Services, and improve them.
  • Sensory Data. We collect your audio or voice recordings to provide you with Services.

We may use any of the categories of information listed above for other business or operational purposes compatible with the context in which the Personal Information was collected.

We may share any of the above-listed information with Service Providers, as described above. Service Providers are restricted from using Personal Information for any purpose that is not related to our engagement. The types of Service Providers with whom we share information and the services they provide are described in the Privacy Policy. We have not sold any personal information.

Right to Know/Access Information

You have the right to request access to Personal Information collected about you over the past 12 months and information regarding the source of that information, the purposes for which we collect it, and the third parties and service providers with whom we share it. You may submit such a request as described below. To protect our users’ Personal Information, we are required to verify your identity before we can act on your request.

Right to Request Deletion of Information 

You have the right to request in certain circumstances that we delete any Personal Information that we have collected directly from you. You may submit such a request as described below. To protect our users’ Personal Information, we are required to verify your identity before we can act on your request. We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

How to Submit a Request 

You may submit a request to exercise your rights to know/access or delete your Personal Information by sending us an email at info@lucatheory.com.

Only you or your authorized agent may make a verifiable consumer request related to your personal information.  If you use an authorized agent to submit a request on your behalf, we may require that you (1) provide the authorized agent written permission to do so, and (2) provide a copy of the authorization or provide a copy of a power of attorney that complies with California Probate Code sections 4000 to 4465 so that we can verify the identity of the authorized agent.

In verifying requests, we employ reasonable measures to detect fraudulent requests and prevent unauthorized access to your personal information. To meet our obligations, we are required to verify your identity, and the identity of your authorized agent, if the request is submitted via an agent, by associating the information provided in your request to personal information previously collected by us. 

If we suspect fraudulent or malicious activity on or from the password-protected account, we may decline a request or request that you provide further verifying information.

You may only make a verifiable consumer request twice within a 12-month period. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.

Right to Opt Out of Sale of Personal Information to Third Parties

You have the right to opt out of any sale of your Personal Information to third parties. We do not sell information to third parties.

Right to Information Regarding Participation in Data Sharing for Financial Incentives

You have the right to be free from discrimination based on your exercise of your CCPA rights.  We do not discriminate against anyone who chooses to exercise their CCPA rights.