When we refer to “Mono”, “Clokke” or use the word “we”, “our” or “us”, we mean that Mono d.o.o. acts as the controller of the information we hold about you or the processor of the information that a customer has entrusted to us, as explained in more detail under the “data controller” part of this Policy.
By “you” we mean the individual reading this text, i.e., you as a natural person (and not any company or other organization that you may be associated with).
Some words and phrases in this Policy (e.g., “controller”, “processor” and “data subject”) are legal terms, having the same meanings as given to them in the EU General Data Protection Regulation, i.e., Regulation (EU) 2016/679 (“GDPR”).
When we mention “Personal Data”, we refer to any information about a living individual from which that person can be identified. Personal Data do not include information from which no individual can reasonably be identified, that is to say, anonymous information or personal data rendered anonymous in such a manner that the individual is not, or no longer is, identifiable (de-identified or anonymized information). The Policy does not apply to such information.
The functionality delivered via the Service is organized within certain logically defined environments where a Service user (“User”) can enter, record, store, use, disclose and otherwise manipulate various data. The User who created this environment is the one that determines the purposes of, and otherwise controls, the processing of these data. That authority can be assigned to another User, but, at any rate, there is always at least one particular User, identified as an “Administrator”, that has legal control over, and is responsible for, the data in the environment he created. That User is also the controller of all Personal Data maintained in the environment. Clokke processes these data on the controller’s behalf and is thus considered to be the processor of the said Personal Data. This means that any inquiry, request, objection or complaint that you as a data subject may have in connection with the processing of Personal Data that form part of environment data (i.e., where the information concerned relates to you) should be addressed to, and resolved by, the relevant controller.
Mono is the controller of the Personal Data that are collected by us or on our behalf, or which are otherwise processed for the purposes of our business. Specifically, it is Mono that acts as the controller of the said Personal Data. The following sections explain the collection and subsequent processing of these data in more detail.
The information we collect
Clokke collects, generates and receives information in a variety of ways. Some of this information constitutes Personal Data and the rest does not. We shall use the word “Information” to designate any and all of the data that are collected, generated or otherwise processed by us or on our behalf. This part of the Policy describes how Information is collected or generated in our system.
We collect Information about you in the course of negotiating, preparing, concluding and amending agreements between you and Mono. The Information collected may include the data provided in such agreements and any data that you furnish for the purposes of negotiating, concluding or amending those agreements.
When you register for a user account, we may ask you to give us your full name, email address, country of residence and time zone. During the sign-up procedure, we may automatically record your internet protocol address (IP address). For validating human access to the User Account, you will create a user name and a password, which both will be stored in our database. You will also be assigned a user identifier (user ID), which is a certain numerical value that we generate, store and can identify you by.
If a User subscribes to a paid plan, we ask her to supply us with the full name of the person or entity that will pay for the Service plan, their physical address and, optionally, email address and VAT number. The payer may or may not be the User subscribing to the Service plan, so it is possible for us to receive the above Information about you from another User.
In the case of a paid plan, you will supply a third-party payment service provider (who acts independently from us) with such information as they request from you to facilitate your payments to us. We do not collect any information about your methods or instruments of payment.
As with most websites and on-demand software solutions (i.e., where software is delivered over the internet in the form of a “service”), certain data are automatically collected when you visit a Website or use a Service application and this Information is recorded in log files. For example, when you log in to the Service, the date and time of your login will be recorded along with your IP address (giving us your approximate location) and a limited user agent string (telling us what type of device - web, desktop or mobile - was used for the login). When you create a data entry via the Service, your Service application type and version may be recorded.
If you use the Service feedback feature, then certain Information about you and some technical data concerning your Service release and other software and hardware are automatically sent to us along with the content of your communication. The Information we receive depends on the type of Service you are using but will usually include some of your Profile Information (name, user ID and email address) as well as information about which Service application and what version you are running and the type and version of your device’s operating system. It may also include the name of your device and information as to your web browser type and version, Service settings and usage history and Service plan.
On a more general level, we collect (or have third parties collect for us) anonymous Information about the use of our Service and customer base. Such data may, e.g., include Information about the number of Users and their distribution (active, passive, paying, non-paying, etc.), User churn, choices between application types, settings, modes of use and Service plans, Service performance, practices and trends in using specific features or components of the Service, the effectiveness of Service messages, and other Information that is not Personal Data.
When you use our web or cloud applications, visit Websites or retrieve resources that form part of a Website, certain pieces of data known as cookies are sent to the device you are using and will be stored there. Your web browser stores them either at our request or the request of a third party whose services we use. Each cookie distinguishes you from other Users and Website visitors. There are also other techniques, such as using web beacons or pixels, whose purpose can be similar to that of some cookies. In this Policy, the word “cookie” designates the objects delivered by those techniques as well.
Cookies vary by nature and purpose. For instance, a “session cookie” only exists in the temporary memory of your device, i.e., while your Service session or visit to a Website lasts, and is usually deleted when your web browser is closed. A “persistent cookie”, on the other hand, has a longer lifespan: it remains on your device until you delete it (i.e., instruct your browser to do so) or until it expires. A “secure cookie” can only be sent over a “secure” (encrypted) connection, making it harder for others to intercept information. A “first-party cookie” belongs to us and a “third-party cookie” belongs to someone other than us, e.g., a company providing us with Service or Website analysis services or delivering our messages (such as advertisements) across the internet.
Some of the above cookies are associated with your User Account and certain of your Profile Information, allowing you to log in to the Service and remembering that you are logged in (which makes it possible for you to use the Service, enhances security and helps us to show you the right content). Other cookies allow us (or third parties we have engaged) to recognize and count the number of visitors to a Website, see how they move around the site when using it, which links they follow and who reads what, or to selectively record and analyse how and by what means Users are interacting with our applications (only specific pieces of information are collected, and without identifying the Users). Certain cookies are used to recognize you when you return to a Website, enabling us to personalize our content for you and remember your preferences, e.g., your choice of language.
There are some third-party cookies that gather information about your browsing activities over time and across different websites following your use of ours (in other words, track your online behavior), which may result in advertisements or other messages being displayed to you based on your browsing history.
You will encounter all of these cookies when interacting with our online applications, Websites or web resources. Cookies are vital to the Service and Website. You can, however, remove them (individually, in selections or all in one sweep) and it is possible to disallow their use altogether or refuse certain types of them (your browser tools or support pages will tell you how to do that). But, if you disallow first-party cookies, your copy or instance of the Service will not operate properly or may not operate at all and your experience at Website will be notably poorer. Third-party cookies can usually be managed by the tools provided by those parties. Some of such tools are:
- https://adssettings.google.com (Google advertising settings);
- https://tools.google.com/dlpage/gaoptout (Google Analytics opt-out);
We cannot give you an exhaustive list of the means for opting out of third-party cookies as the service providers who may set such cookies in connection with the Service and Website change from time to time. Contact us, using the details at the Webiste, to learn which third-party cookies may currently be in use on a particular Website or Service.
The Service and Website do not respond to web browsers’ “do not track” signals and our data processing practices are not altered upon our receipt of such a signal.
A User can choose to permit third-party services for her copy or instance of the Service or in relation to certain aspects of the Service. Typically, a third-party service is software that integrates with the Service and a User can enable or disable this integration for her Service application. Once enabled, the relevant third-party service provider may share certain information with us. For example, if you choose to use a third-party service to validate your access to the Service, then the provider of such a service may send us your name, user name or email address to perform the validation. If some other third-party application (e.g., a storage, development, communication, project or resource management service) is enabled to permit data to be imported into your Service user environment or otherwise exchanged between the application and the Service, we may receive your name, user name, email address, profile picture, location and/or such other information as you have elected to let the application make available to us, and we are authorized to access such of your data in that third-party application as you let us. You should check the privacy settings of these third-party services to understand what data may be disclosed to us.
We receive from you such Information as you provide us when filling in forms (e.g., applications or questionnaires) on a Website or via the Service or when you participate in our Service-related campaigns or programs, sign up to receive notifications, newsletters or other communications from us, request support for the Service, interact with our social media accounts or correspond or otherwise communicate with us. If you email us or send us a letter or a message, we may retain a record of such communication, including your name and address, email address or telephone number (as applicable), the content of your communication and our response. We may complement these data with other Information.
Legal bases and purposes for information processing
The purposes for which Information is processed and the legal grounds for such processing are varied and depend on the nature of the Information. If information is anonymous or de-identified, we may collect, use, disclose and otherwise process it for any purpose. Our processing of Personal Data, however, is limited to the purposes set out in this Policy.
The legal grounds we rely on are the following:
- If processing is necessary to fulfill our contract with you, i.e. what we are obliged to provide under the agreement between you and us. For example, we may need to store your e-mail address to send you system notifications.
- With your consent, which you may withdraw at any time. It should be noted that a withdrawal of a consent cannot affect the lawfulness of processing that has already been carried out based on that consent before its withdrawal.
- As necessary to comply with our legal obligations; for example, Clokke must store some purchase information to comply with tax and accounting regulations. The legal ground for this processing (storing) is therefore necessary for compliance with legal obligations.
- Occasionally to protect your vital interests or those of others. On rare occasions, we may process your data if doing so is necessary to protect your vital interests - for example, if there is an immediate security risk or system error that can affect your account.
- As necessary for our (or others) legitimate interests. Clokke has a legitimate interest in providing an innovative, personalized, safe and profitable service to our existing and future users, unless those interests are overridden by your interests or fundamental rights and freedoms that require protection of personal data.
The communications that we initiate with you can broadly be classified as: (a) Service-related technical, administrative, business, legal and subscribed-to promotional messages that we address to Users and which you only receive if you are one (“Service Messages”); and (b) messages about products, services, events and other matters you have shown interest in or which we believe may be of interest to you (“Marketing Messages”).
You can unsubscribe from certain Service Messages by adjusting your User Account settings and from others by following the instructions provided in the message. There are, however, some Service Messages that form part of the Service and which you cannot opt out of receiving unless you unsubscribe from the Service.
You can always opt out of receiving Marketing Messages, but the variety of procedures for doing so may depend on the nature of the message and whether you have a User Account. If you do, try adjusting your User Account settings, and whether you have an account or not, there should always be opt-out instructions in the message itself. If you have trouble unsubscribing, contact us and we shall opt you out.
Failure to provide information
Generally, no one is obliged to give us her Personal Data but failure to do so may, or, depending on the circumstances, will or is likely to, result in our not being able to achieve the data processing purpose(s) specified for the occasion in question (as listed in the table under section 17) and the particular data subject may, or, respectively, will or is likely to, miss the benefits corresponding to that purpose (or those purposes).
Where we need to collect your Personal Data by law or under the terms of a contract we have with you, or in order to enter into such a contract, and you fail to provide those data when requested, we may not be able to perform or enter into the relevant contract. Should that be the case, we may have to cancel a product or service you have with us, but we shall let you know at the time if that applies.
If you limit the ability of a Service application or Website to set cookies, you may, and in some cases most definitely will, prevent yourself from using that application or site or certain of its features, or may worsen your user experience as the item in question will not be personalized to you. It may also stop you from saving customized settings and you may need to validate your access to the Service or the Website more frequently during your browsing session.
Duration of Personal Data storage
We only store your Personal Data for as long as necessary in the light of, or compatible with, the purposes for which the data were collected (e.g., enjoying our rights and performing our obligations under the contract you have with us, if that was the sole purpose) and such additional period as may be required by law.
Legal retention periods vary depending on the type of Information concerned, and they can be quite long. For instance, Personal Data relevant to our accounting or taxation must be retained for at least ten years after the primary purpose for their processing ceases to apply (e.g., ten years following the financial year when our business relationship with you terminated and the last transaction between us occurred).
Personal Data Disclosure
If you invite another User to your environment or join someone else’s environment, you are instructing us to display certain of your Profile Information (which may include your name, address, email address, profile picture) and, if applicable, Billing Information (including your name, billing address, billing email address, VAT number) in the environment such that other Users may or will have access to them (depending on their User privileges).
When you share environment data or other content from your User Account by distributing links to such data (e.g., to allow someone without a User Account to view something you have created with the Service), certain Profile Information (e.g., name, email address and/or profile picture) is likely to be disclosed to the addressee(s) along with the material you share (and you may also be disclosing other Users’ Personal Data).
Your Profile Information and possibly Billing Information may also be shared when integrating third-party services with your Service application and when using such third-party services in conjunction with the Service. You can control which data are shared when enabling and/or while enjoying the integration (depending on the third-party service). At any rate, do check your privacy settings for both the Service as well as the third-party service prior to integration as well as during to determine which data may be shared. And please note that we are not responsible for the privacy practices (or other acts or omissions) of such third-party service providers, so it would be advisable for you to make sure, before the integration, that you trust the service and the provider in question and are satisfied with the provider’s policies.
We have engaged and will continue to use third-party service providers to assist us in providing, maintaining, developing, protecting and promoting the Service and Website. We may, for example, use such parties for hosting the Service or a Website, sending out Service Messages or Marketing Messages, providing or hosting customer support services, performing analyses related to the Service or a Website, or for processing payments. We may also store Personal Data in locations outside our direct control, e.g., on third-party cloud infrastructure or platforms (IaaS/PaaS) or cloud infrastructure whose operation we have entrusted to other parties. These service providers may have access to your Personal Data for the limited purpose of providing the service we have engaged them to provide. Importantly for you as a data subject, our use of such service providers may involve transmitting your Personal Data to jurisdictions other than the one you reside in.
We may share your Personal Data with our corporate affiliates and outside accountants, legal counsels and auditors.
If we engage in or are subject to a merger, acquisition, division, transformation, public offering of our securities, obtaining financing, divestiture of all or substantially all of our assets or a significant part of such assets, transfer of the enterprise or a part of the enterprise to which your agreement with us pertains, or a similar transaction or proceeding, or if we take steps in contemplation of such activities (e.g., submit to due diligence), your Personal Data may, subject to standard confidentiality arrangements, be shared with, or transferred to, our counterparties or other relevant participants in the respective transaction or proceeding.
We may find ourselves in a situation where we are legally obliged to disclose some or all of your Personal Data or where we reasonably believe that we are so obliged. This may be the case if we receive an Information request from an authority or there is a law or regulation that requires us to make a disclosure without specific request (e.g., to comply with national or international measures against terrorism or money laundering). We may also be compelled to disclose your Personal Data by a judicial, arbitral, administrative or otherwise mandatory order or judgment. Where any of the foregoing applies, we shall make the disclosure, and we may not be permitted to tell you that your Personal Data have been disclosed.
There may also be situations where we find the disclosure of your Personal Data to be necessary in order to exercise, enforce or defend our rights, freedoms or legitimate interests or to protect the rights, freedoms or legitimate interests of a third party (e.g., a data subject or an intellectual property owner).
We shall disclose your Personal Data at your request (unless legally prohibited, impracticable or involving unreasonable effort or expense) or may do so upon your Consent.
We shall not transfer your Personal Data from countries participating in the European Economic Area (“EEA”) to those which do not, or from the EEA to international organisations, unless the recipient country or the particular person or entity receiving the data ensures an adequate level of protection for the data received, or, if it does not, then without applying such safeguards as legally required and/or without the transfer being subject to such other conditions as the law provides for these kinds of transfers.
Personal Data Security
We shall maintain adequate technical and organizational measures to ensure such level of security in our processing of Personal Data as appropriate in the given circumstances. In doing so, we are particularly addressing the following:
- the protection of Personal Data against unauthorized or unlawful processing and against accidental loss, alteration or destruction;
- the integrity and confidentiality of Personal Data;
- the availability, resilience and stability of the Service features pertinent to the processing of Personal Data;
- our ability to restore the availability and access to Personal Data in a timely manner after a Service failure.
Our efforts notwithstanding, no security measure is perfect. Therefore, we cannot guarantee that your Personal Data, during transmission over the internet or while stored in our systems or those of our service providers or while otherwise in our care, will be absolutely safe from unauthorized or unlawful processing or accidental loss, alteration or destruction, or that they will indeed be intact and confidential at all times. Note also that we cannot control, and are not responsible for, the actions of other parties with whom you share your Personal Data.
Your rights as a Data Subject
Data subjects in the EEA have certain statutory rights under the GDPR concerning the Personal Data that we have on them. Subject to such statutory exceptions as may apply in your particular case, your data subject rights include the following:
- Access your data: you have the right to obtain from a confirmation from us whether or not personal data concerning you is being processed, and if that is the case, a right to access information including, but not limited to, the purpose of the processing and the categories of personal data that Clokke has concerning you. By your request, Clokke is required to provide you with a copy of undergoing processing of your personal data.
- Rectify your data: if it comes to your knowledge that certain personal data of yours which is being processed by Clokke is inaccurate, you have the right to obtain a rectification and in some cases a right to have incomplete data completed.
- Erase your data: You have the right to obtain from Clokke the erasure of your personal data when, for example, (i) the data no longer is necessary in relation to the purpose for which it was collected, (ii) if you withdraw a consent, (iii) if you object to the processing and there are no overriding legitimate grounds for the processing, or if (iv) the personal data have been unlawfully processed.
- Restrict and object to certain processing of your data: You have the right to restrict Clokke from processing your data when, for example, (i) you contest the accuracy of the personal data, or (ii) if Clokke no longer needs certain data for the purposes of the processing.
- Port your data: If the legal ground for a processing of personal data is based on either (i) consent or (ii) fulfilment of a contract between you and Clokke, you have a right to receive data which you have provided us in a commonly used and machine-readable format and have the right to transmit such data to another controller.
- Withdraw consent: If we are processing your Personal Data based on Consent, you may withdraw that consent at any time (but this will not affect the lawfulness of any processing activities carried out based on your consent before its withdrawal).
You can exercise some of your data subject rights through your User Account. If you are unable to do so, or if you have no User Account, or if the right in question cannot be thus exercised, then please use the contact details at the end of this Policy to get in touch with us and we shall do what we reasonably can to facilitate the exercise of your rights.
We aim to respond to any legitimate request within a month of its receipt but it may take us longer if your request is particularly complex or you have made several requests. If that is the case, we shall let you know and keep you updated.
We shall not charge you any fee for exercising the above rights unless your requests are clearly unfounded or excessive (e.g., because of their repetitive character), in which case we may charge a reasonable fee. Alternatively, we may decline your request in such circumstances.
Posting a complaint with a supervisory authority
In case you believe that we are processing your Personal Data in violation of the GDPR, you have the right to lodge a complaint with the supervisory authority located in the EEA country where you reside or work or where the alleged infringement took place or you can lodge the complaint with our supervisory authority whose details are below.
Croatian Personal Data Protection Agency
Fra Grge Martića 14
Changes to this Policy
The data controller responsible for your information is Mono d.o.o. which you can contact by e-mail at firstname.lastname@example.org or by post at:
Attn: Data Protection Officer
Last revised: Dec 1st, 2018