Privacy Policy

Last update: 05 May, 2025

At bKlug, we value privacy. That is why we have established and implemented policies and practices governing personal data.

Introduction

This Privacy Policy elucidates how bKlug processes personal information to deliver the array of Services accessible on our Website, located at https://bklug.ai ("Services"). We require Users to carefully read and explicitly consent to the data processing practices outlined in this document before engaging with our Services.

Data Controller

MENSAGENS ELÍPTICAS - LDA, a Portuguese entity headquartered at Rua Sousa Martins 15, 5, 1050-217, with Tax Identification Number PT517467739 (hereinafter referred to as "bKlug"), serves as the Data Controller responsible for collecting and managing data through our Website.

Purposes of Processing and Legal Basis

bKlug processes User personal data for multifarious purposes, including:

Facilitating Service Operations: This encompasses maintaining, developing, and managing our Services, including customer management, contract fulfillment, and dispute resolution. The legal basis for this processing is the execution of contractual obligations.

Responding to User Inquiries: We process data to address User inquiries or requests for information promptly. This is based on bKlug's legitimate interest in providing comprehensive support.

Communication: We may use personal data to inform Users about bKlug products, services, and updates via electronic means. User consent serves as the legal basis for this processing.

Failure to accept this Privacy Policy will preclude Users from accessing our Services, potentially leading to interruptions or termination of the subscription process.

Categories of Data

Users are obliged to furnish truthful, complete, and up-to-date information, except where certain details are marked optional. Failure to comply may result in bKlug's refusal to provide Services. Users are responsible for maintaining the accuracy of their information. Bank card data is securely stored for transaction purposes, with additional provisions for recurring subscriptions facilitated by Stripe, our payment service provider. Data relating to the visual cryptogram or CVV2 on the back of your bank card are not stored. In the case of a payment by bank card, however, data relating to the bank card may be stored as intermediary archives for evidence purposes regarding the current legal obligations.

Automated Decision-Making

Users are apprised that our Services may entail automated decision-making processes, including profiling, aimed at optimizing service delivery in line with the purposes outlined in this Policy.

Recipients and Data Transfers

User data may be shared with public administrations and banking institutions to fulfill legal obligations and manage payments. Additionally, data may be disclosed to third-party processors for various purposes. In cases where data is transferred outside the European Economic Area, bKlug ensures compliance with relevant data protection regulations by implementing appropriate safeguards.

User Rights

At any time, Users retain the right to access, rectify, erase, restrict processing, request data portability, object to processing, and avoid being subject to automated decision-making. These rights can be exercised by contacting bKlug in writing. Users also have the prerogative to withdraw consent and lodge complaints with supervisory authorities.

bKlug as Data Processor

In the event that the User purchases a license to use the Services, bKlug will need to process certain personal data on behalf of the licensee (whether the licensee is the User itself or a legal entity represented by the User). For these purposes, the User shall be considered the Data Controller and bKlug shall be considered the Data Processor.

The following clauses constitute the regulation of the relationship between the Controller and the Processor for the purposes of complying with the provisions of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter, "GDPR") and Article 33 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (hereinafter, "LOPDGDD").

1. Processing of data to be carried out by the Data Processor

The Data Processor shall process the personal data necessary to carry out the Services on behalf of the Controller. The aforementioned processing shall have a duration equal to that of the provision of the Services, in such a way that once the provision of the Services has been completed, the processing shall be deemed to have been completed.

2. Identification of the information concerned

For the performance of the Services, the Controller shall make available to the Processor the information described below:

Data of an identifying nature

Personal characteristics data

Data on social circumstances

Academic and professional data

Employment details

Economic, financial and insurance details

Transactions in goods and services data

Health data

Data revealing racial or ethnic origin

Data revealing political opinions

Data revealing religious or philosophical convictions

Data concerning sex life or sexual orientation

3. Obligations of the Processor

The Data Processor undertakes to:

a. Use the personal data undergoing processing, or that it collects for the purpose of their inclusion, only for the strict provision of the Services. Under no circumstances may it use the data for its own purposes.

b. Process the data in accordance with the instructions of the Controller. If the Processor considers that any instructions are in breach of the GDPR or any other Union or Member State data protection provisions, the Processor shall immediately inform the Controller thereof.

c. Where applicable, keep a written record of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.

d. Not to communicate the data to third parties, except with the express authorization of the Data Controller, in the legally admissible cases. The Data Processor may communicate the data to other data processors of the same Data Controller, in accordance with the instructions of the latter. In this case, the Data Controller shall identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied in order to proceed with the communication. If the Processor must transfer personal data to a third country or to an international organization, pursuant to Union or Member State law applicable to it, it shall inform the Controller of this legal requirement in advance, unless such law prohibits it for important reasons of public interest.

e. Not to subcontract any of the services that form part of the Services and involve the processing of personal data. If it is necessary to subcontract any processing, the Controller must be given prior written notice of this fact, at least 20 calendar days in advance, indicating the processing to be subcontracted and clearly and unequivocally identifying the subcontracting company and its contact details. Subcontracting may be carried out if the Controller does not express its opposition, in writing, within the established period. The subcontractor, who shall also have the status of data processor, is also obliged to comply with the obligations established herein for the Data Processor and the instructions issued by the Data Controller. It is the responsibility of the initial processor to regulate the new relationship in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and with the same formal requirements as the initial processor, with regard to the proper processing of personal data and the guarantee of the rights of the data subjects. In the event of non-compliance by the subcontractor, the initial Processor shall remain fully liable to the Controller for compliance with the obligations. The Controller authorizes the Processor to carry out the following subcontracting necessary to provide the Services: see list of subprocessors (Annex 1).

f. Maintain the duty of secrecy with respect to the personal data to which it has access by virtue of the provision of the Services, even after the provision of the Services has ended.

g. To ensure that persons authorized to process personal data undertake, expressly and in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.

h. Keep at the disposal of the Data Controller the documentation accrediting compliance with the obligation established in the previous section.

i. Guarantee the necessary training in the protection of personal data for the persons authorized to process personal data.

j. Assist the Controller in responding to the exercise of the rights of:

1. Access, rectification, erasure and objection;

2. Limitation of processing;

3. Data portability;

4. Not to be subject to automated individualized decisions (including profiling).

When the data subjects exercise their rights of access, rectification, erasure and objection, restriction of processing, data portability and the right not to be subject to automated individualized decisions before the Data Processor, the latter must communicate this by e-mail to the Data Controller. The communication must be made immediately and in no case later than the working day following receipt of the request, together, where appropriate, with other information that may be relevant for resolving the request.

k. Notify the Controller without undue delay and, in any event, no later than 48 hours by e-mail of any breach of security of the personal data under their responsibility of which they become aware, together with all relevant information for the documentation and communication of the incident. Notification shall not be required where such a breach of security is unlikely to constitute a risk to the rights and freedoms of natural persons. If available, at least the following information shall be provided:

1. A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned.

2. The name and contact details of the data protection officer or other point of contact from whom further information may be obtained.

3. A description of the possible consequences of the personal data breach.

4. Description of the measures taken or proposed to be taken to remedy the personal data breach including, where appropriate, measures taken to mitigate the possible negative effects.

To the extent that it is not possible to provide all of this information at the same time, it shall be provided in phases without undue delay.

l. Support the Controller in carrying out data protection impact assessments, where appropriate.

m. Support the Controller in carrying out prior consultations with the supervisory authority, where appropriate.

n. Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or any other auditor authorized by it.

o. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity to the rights and freedoms of natural persons. In any case, it shall put in place mechanisms to:

1. Ensure the continued confidentiality, integrity, availability and resilience of processing systems and services.

2. Restore availability and access to personal data in a timely manner in the event of a physical or technical incident.

3. Regularly verify, evaluate and assess the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

4. Pseudonymize and encrypt personal data, where appropriate.

p. Appoint a Data Protection Officer and communicate his or her identity and contact details to the Controller, where appropriate.

q. Once the Services have been provided, the Data Controller shall have a maximum period of 30 calendar days to access the bKlug Platform and download all its information stored therein. Once this period has elapsed, the Data Controller shall delete the information stored on the bKlug Platform. In any case, the Data Processor may keep a copy, with the data duly blocked, for as long as liabilities may arise from the performance of the service.

r. Comply with the other obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Processor.

4. Obligations of the Data Controller

The Data Controller has the following obligations:

a. To provide or allow access to the data specified above by the Data Controller.

b. Carry out an assessment of the impact on the protection of personal data of the processing operations to be carried out by the Data Controller, where applicable.

c. Conduct prior consultation as appropriate.

d. Ensure, prior to and throughout the processing, compliance with the GDPR, the LOPDGDD and its implementing regulations by the Data Processor.

e. Supervise the processing, including carrying out inspections and audits.

f. Facilitate the right to information at the time of data collection.

g. Comply with the rest of the obligations that the GDPR, the LOPDGDD and its implementing regulations establish for the Data Controller.

Security and Protection of Data

bKlug has adopted the data protection security measures required by law, and strives to adopt additional technical measures and means within its scope to avoid the loss, misuse, alteration, unauthorized access to and theft of the personal details provided. bKlug agrees to treat all of the details sent by registered Users with the utmost confidentiality and resilience.

bKlug's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Google Workspace APIs are not used to develop, improve, or train generalized AI and/or ML models.

Changes to this Privacy Policy

bKlug reserves the right to amend this policy in order to adapt it to new regulations, case laws and industrial and/or commercial practice.

If bKlug decides to change its Privacy Policy, it will post those changes on this page.

Additional Information

Annex 1 - List of Service Providers (Subprocessors)

Google LLC

We use Google Analytics services on the Website and on our software platform.

Google Analytics provides information about the behavior of Website visitors, including through the use of cookies which allow Google to collect information about certain events on the Website such as the pages you visit, the length of a session or the products you view;

Data collected by Google is used in compliance with Google’s privacy policy.

Meta Platforms Inc.

We use a “Facebook Pixel” on the Website.

Our Facebook Pixel allows Facebook to collect some information about events on the Website, such as pages visited or products viewed.

Sharing data with Facebook allows the customization of our advertising campaigns on Facebook.

Data collected by Facebook is used in conformity with Facebook’s Data Privacy Policy.

LinkedIn Corporation

The LinkedIn tags collect some information about events on the Website, such as pages visited or products viewed.

Sharing data with LinkedIn allows the customization of our advertising campaigns on LinkedIn.

Data collected by LinkedIn is used in conformity with LinkedIn’s Data Privacy Policy.

OpenAI, LLC

OpenAI's inference and content moderation APIs are utilized to process user text inputs and ensure content appropriateness in the responses generated.

Access to OpenAI’s API structure within our organization is strictly limited to authenticated users, ensuring controlled and secure usage.

User inputs are securely processed, and the content generated is not used for training OpenAI's models.

Atlassian Corporation Plc

Tool for bug tracking, issue tracking, and agile project management, serving global clients for various project management needs.

Used to manage project timelines, document software bugs, user-reported issues, and track the progress of development tasks, including storing images or text from customer support interactions and workflow information for bug fixes and new features.

Access to Jira issues is restricted to credentialed members of the internal team or client team, ensuring that sensitive data is only accessible to authorized users.

GitHub Enterprise

Developer platform enabling code creation, storage, management, and sharing.

Utilized for version control and collaboration on software projects, with access restricted to internal developers of the startup only.

Enhanced security is ensured through domain-specific authentication and two-factor authentication, with specific permissions and restricted access to certain repositories.

Postman API Platform

Tool for testing web APIs, addressing the challenge of sharing API tests.

Used to create, run, and manage API tests with fictitious and anonymized data, ensuring no real customer data is used.

Access is limited to authenticated users, with specific permissions and restricted access to certain functionalities and collections.

Azure Cloud

Cloud computing platform that provides global access, management, and development of applications and services through its network of data centers.

Hosts and scales application services, storing user messages to and from AI agents, user metadata, system settings, and training data for AI agents.

Microsoft 365 Business/Office

Productivity cloud designed to help businesses with apps including Microsoft Excel, Microsoft Word, Microsoft PowerPoint.

Utilized for collecting feedback during customer support calls, stored using Microsoft's secure service layers.

Internal documents containing sensitive information are kept confidential, shared only with specific stakeholders who have ownership of the information.

Microsoft Teams

A collaboration app offering chat, video conferencing, file storage, and seamless integration with both proprietary and third-party applications.

Facilitates internal communications; recordings and documents shared within Teams are kept confidential and are only shared with specific stakeholders who have ownership of the information.

No third-party integrations have access to user data in Microsoft Teams.

Notion Labs, Inc.

Web-based app to take notes, add tasks, manage projects, teams, etc.

Internal documents that in rare cases could contain basic user information, such as name, company, or email address, as well as user feedback.

We use Notion to store sensitive documents from different areas; performance reviews are also stored here.

Slack Technologies, Inc.

Team collaboration and communication platform.

Company messaging app and video-communication service.

Company-wide communications (public and private), customer support tickets information, user feedback, communications with external advisors and vendors, etc.

Stripe, Inc.

Credit card payment processing tool.

Customer email address, full name, company name & VAT number, billing address and credit card information.

ChartMogul GmbH & Co. KG

Analytics platform to obtain key metrics about our subscriber base.

Key information about our customer base including the payment history.

Sendgrid

Cloud-based email delivery and transactional email service.

The user has the option to activate this integration and select which data will be sent from the chatbot when using the integration.

Vonage

Cloud communications company. It offers programmable tools for making and receiving calls, sending texts, and other communication functions via web service APIs.

Phone numbers rented from Vonage.

Webflow

Company providing software as a service for website building and hosting.

Used to host our website.

DocSend

Means of sharing documents securely with customizable permission controls such as block lists, passcodes, and expiration dates.

Used to validate contracts between Service provider and Users.

WhatsApp Business

Messaging platform for businesses to communicate with customers via WhatsApp.

Used to support the connection of users' WhatsApp Business account to the chatbots and campaigns, so phone numbers and message content are shared.

Facebook Messenger

Messaging platform for businesses to communicate with customers via Facebook.

Used to support the connection of users' Facebook pages with the chatbots, so message content and other account information are shared.

Instagram Direct Messenger

Messaging platform for businesses to communicate with customers via Instagram.

Used to support the connection of users' Instagram pages with the chatbots, so message content and other account information are shared.

Nuvemshop

E-commerce platform dedicated to helping entrepreneurs and small and medium-sized enterprises (SMEs) create their own online stores to sell products.

We connect to their backend to provide the end-user the requested information so message content and other account information are shared.

Shopify

Complete commerce platform that lets anyone start, manage, and grow a business.

We connect to their backend to provide the end-user the requested information so message content and other account information are shared.

Vetx

Cloud-based e-commerce solution providing e-vendors with a centralized platform for creating and managing online stores, while tracking the entire customer purchasing journey across all touchpoints.

We connect to their backend to provide the end-user the requested information so message content and other account information are shared.

WooCommerce

Ecommerce platform that enables merchants to build and manage online stores directly within WordPress.

We connect to WooCommerce’s backend to retrieve product, inventory, and order data as needed to fulfill customer requests via WhatsApp, meaning relevant message content and store information are shared.