PRIVACY POLICY ARTICLE 13 REGULATION EU 2016/679

INFORMATION ABOUT THE DATA CONTROLLER

Name: Wishraiser Ltd

Address: via Stefanardo da Vimercate 28, 20128 Milano, Italia

E-mail address: admin@wishraiser.com

PURPOSES OF THE PROCESSING

a. Contractual purpose

The Data Controller will process personal data for contractual purposes. Data processing is therefore necessary to provide You with the requested services. Personal data will be collected through the online contact and registration forms available on the website. Specifically, personal data will be processed in order to allow the data subject to:

  • use the website and its services;
  • donate to nonprofit organizations and receive the relevant rewards;
  • participate in the charity contest promoted by the Data Controller, pursuant to the relevant contest rules;
  • receive answers to queries related to the service performance.

b. Marketing Purpose of Data Controller

If we believe it is not possible for Us to rely on legitimate interest as a legal basis for processing your personal data, we will ask for your consent to the processing of your data for direct marketing purposes (market analysis, sending commercial communications), including through profiling systems and automated processing to send you communications in line with the preferences expressed by you.

c. Third party marketing purpose

With your consent, We will also disclose Your personal data to Charities for their marketing purposes. Charities will then be able to inform you and update you on their new campaigns through both manual and automated messaging tools (e-mail, post). You will always have the opportunity to opt out and withdraw your consent, by contacting the Charity directly or by clicking the cancellation link ("unsubscribe") found at the bottom of each e-mail received.

LEGAL BASIS FOR DATA PROCESSING

a. Contract execution and provision of services.

Under Regulation EU 2016/679, the Data Controller must always have a lawful basis for processing personal data. In this circumstance, the data is necessary for our performance of services to You. We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected, as better explained under the "Data Storage Period" chapter. Your personal data will therefore be kept for as long as you intend to use our services and will be deleted thereafter. If you do not accept and agree to such processing, we will not be able to provide the services.

b. Consent

If we believe it is not possible for Us to rely on legitimate interest as a legal basis for processing your personal data, we will ask for your consent to the processing of your data for direct marketing purposes (including market analysis, sending commercial communications), including through profiling and the use of automated analytics tools with the purpose of sending e-mails and advertising tailored to Your preferences. We will also disclose Your personal data to Charities for their marketing purposes. Charities will then be able to inform you and update you on new campaigns by using both manual and automated messaging tools (e-mail, post). With your consent, We may use Your data for "cross-Device Linking", as indicated at the following policy: https://www.criteo.com/privacy/.
It consists of linking Your identifiers on the different browsers and environments You are using ("ID syncing") to serve You the most relevant ads on whichever device or browser you are currently using without collecting or processing any identifying personal data such as your name or address. You will always have the opportunity to object to such processing by sending Us an e-mail at admin@wishraiser.com, or by accessing the control panels provided by the third-party marketing platforms mentioned under the "RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA" chapter. Tracking and remarketing services provided by Criteo can be deactivated at the following page, by selecting the opt-out options: https://www.criteo.com/privacy/.
You can opt out and withdraw your consent to receiving marketing e-mails by clicking the cancellation link ("unsubscribe") found at the bottom of each e-mail received. If You withdraw your consent, such processing will stop immediately.

c. Legitimate interest

In compliance with article 13 paragraph 2 of Directive 2009/136/EC, as well as with reference to Recital (27) of REGULATION 2016/679, We may use your e-mail address, obtained through the online forms and in the context of the sale of our services, to send You electronic communications concerning the direct marketing of Our products or services, as long as they are similar to those You showed an interest in. You will have the right, at any time and free of charge, to oppose this processing of Your data for direct marketing purposes by sending us an e-mail at admin@wishraiser.com or clicking the cancellation link ("unsubscribe") found at the bottom of each e-mail received.

RECIPIENTS OR CATEGORIES OF RECIPIENTS OF THE PERSONAL DATA

To provide you with our services, including the use of Our website and for marketing purposes, We may share Your data with the following recipients:

I. Charities

When a Supporter donates through the website, his or her personal data are disclosed to Charities to allow contributions for a specific campaign. Such disclosure is required for contractual purposes and necessary to donate in favor of the Charity. Data disclosed may include the Supporter's name, email address and contact details. Charities receiving this information should only use it for purposes related to the contribution. They should not contact Supporters for incompatible purposes other than entering into a transaction, unless the Supporters have given their free, specific, informed and unambiguous consent. Charities are data controllers in respect of these data and therefore responsible for lawfully processing personal data collected through the event registration form.

II. Hosting provider

Amazon Web Services, Inc. Seattle, WA 98108-1226, United States – Data disclosure is necessary for the provision of service
Amazon is a hosting provider ("Data Controller"). Under EU Regulation 2016/679 General Data Protection Regulation ("the GDPR") (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement with Amazon ("Data Processor") to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller. You can find more information on how Amazon is processing personal data at the following link: https://aws.amazon.com/it/compliance/gdpr-center/

III. Platforms for automated marketing

Criteo SA 32 rue blanche, 75009 Paris, France ("Joint controller"). By virtue of a specific agreement concluded between the parties, Criteo and Wishraiser have the role of Joint controllers of the processing with respect to the data collected through the Site. This agreement adequately reflects the respective roles and relationship between the joint controllers. You can ask us to know the essential content of the agreement by sending a communication to the following address: admin@wishraiser.com.
To find out how the joint controller processes the personal data, please visit the privacy policy at the following link: https://www.criteo.com/privacy/

AdRoll, Inc. 2300 Harrison St, Fl 2, San Francisco, CA 94110, United States. The provision of the services by AdRoll involves it in processing the personal data on behalf of the Data Controller.
Under EU Regulation 2016/679 General Data Protection Regulation ("the GDPR") (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement with AdRoll Inc ("Data Processor") to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller. You can view the agreement at the following link: https://www.adrollgroup.com/it-IT/terms/data-processing.
You can find more information on how Mailchimp is processing personal data at the following link: https://www.adrollgroup.com/it-IT/privacy

Mixpanel Inc. 405 Howard Street, 2nd Floor, San Francisco, CA 94105
The provision of the services by Mixpanel involves it in processing the personal data on behalf of the Data Controller. Under EU Regulation 2016/679 General Data Protection Regulation ("the GDPR") (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement with Mixpanel ("Data Processor") to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller. You can view the agreement at the following link: https://mixpanel.com/legal/gdpr-resources/#Data_Processing_Addendum.
You can find more information on how Mixpanel is processing personal data at the following link: https://mixpanel.com/legal/privacy-policy/

IV. Stripe, Inc – payment processing services

Stripe's services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited ("Stripe Payments Europe")—an entity located in Ireland and subject to European law. Stripe Payments Europe Limited may transfer personal data to Stripe, Inc., located in the US. To ensure the adequate protection of personal data, Stripe, Inc., has certified to the EU-U.S. and Swiss-U.S. Privacy Shield Framework. To check how Stripe processes your personal data please refer to the following link: https://stripe.com/privacy-shield-policy
Under EU Regulation 2016/679 General Data Protection Regulation ("the GDPR") (Article 28, paragraph 3), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organization which processes personal data on its behalf governing the processing of that data. Therefore, the Data Controller has entered into a data processing agreement with Stripe Inc ("Data Processor") to ensure compliance with the said provisions of the GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.

TRANSFER OF PERSONAL DATA OUTSIDE THE EU

Transfer of data to: United States

All Data Recipients participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework and are therefore deemed to ensure, according to the European Commission, an adequate level of protection for personal data transferred from the data Controller to the Data Processors.

JOINT CONTROLLERS

Article 26 of the EU Regulation 679/2016 states that "Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject". The Data Controller has entered into a joint controller agreement with Charities. Both the Controller and Charities determine the purposes and means of processing of users' personal data. Charities will process users' personal data for the purposes specified in this privacy policy.

CRITERIA TO DETERMINE PERSONAL DATA STORAGE

The account information will be retained until you decide to delete your account, until the contract expires or until the end of the service. Personal data will be kept only for the time strictly necessary to provide the service and thereafter deleted. The information and data used for marketing purposes will be deleted as soon as you ask us to do so by withdrawing Your consent, either through the opt-out links present in the commercial communications or through the control panels, or by sending us a communication.

YOUR RIGHTS AS DATA SUBJECT

Under the GDPR, You have the following rights:

a. The right to obtain from Us confirmation as to whether or not personal data concerning You are being processed;

b. The right to access your personal data;

c. The right to have your personal data rectified if any of your personal data held by us is inaccurate or the right to have incomplete personal data completed, including by means of providing a supplementary statement;

d. The right to be forgotten, including the right to have personal data deleted when they are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or because You withdraw the consent on which the processing is based;

e. The right to restrict the processing of your personal data according to article 18 of GDPR;

f. The right to object to Us using your personal data for a particular purpose or purposes;

g. The right to data portability. This means that, if you have provided personal data to Us directly, We are using it with your consent or for the performance of a contract, and that data is processed using automated means, You can ask us for a copy of that personal data to re-use with another service or business in many cases;

h. Rights relating to automated decision-making and profiling;

i. You have the right to lodge a complaint with a supervisory authority.

HOW DO YOU ENFORCE YOUR RIGHTS?

You can enforce your rights at any time by sending us an e-mail to the following address: admin@wishraiser.com. We have a duty to respond to your requests at the latest within one month of receiving them. This deadline may be extended by two additional months if necessary, taking into account the complexity and the number of requests received. In case of extension you will be informed of the delay and the reasons.

If We do not take action on your request, We will inform you without delay and at the latest within one month of receipt of your request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.