May 11, 2023
This Policy applies to your use of the Services of Primsell, as defined in our Terms. This Policy explains when, where, and why we process personal data of our WebApp Users, how we use it, the conditions under which we may disclose it to others, your rights in respect of your personal data, as well as how we keep it secure.
Capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Terms.
- What Is Personal Data and the Processing of Personal Data?
- Personal Data is any information relating to you and that alone or in combination with other pieces of information allows us to identify you as an individual.
- Processing of the personal data means any operation with your personal data, whether or not by automated means, as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Subject is any identified or identifiable natural person, whose personal data is processed by the controller responsible for the processing; means you as a user of Primsell. Consent of the data subject/user is any freely given, specific, informed, and unambiguous indication of the data subject/user’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to the data subject.
- Data Controller means the natural or legal person, which determines the purposes and means of the processing of your personal data; means us, Primsell OÜ.
- Primsell’s Lawful Bases for Processing
- Primsell processes your personal data only when we have lawful bases.
- Specifically, Primsell processes your personal data if:
- processing is based on the consent you have given;
- processing is necessary to provide our Services to you according to our Terms, which constitute a contract between you and us as regards to information services of Primsell;
- processing is necessary for the purposes of our legitimate interests; those legitimate interests are: (i) provisions of Services to you; (ii) compliance with applicable financial and accounting legislation, including but not limited to Estonia and the EU; (iii) fraud prevention; (iv) network and information security.
- What Personal Data do we collect?
- Access to the WebApp is available with or without the necessity to register an account. However, whenever you access the WebApp, we collect log information and put cookies on your device, by which we track your activity on the WebApp. You can always opt out of cookies except those, without which the WebApp cannot work.
- When you are a registered User Primsell may collect from you and process cookie identifiers and those data you specifically provide us with upon registration, including: (i) first and last name and (ii) email.
- You have choices about the data we collect. When you are asked to provide personal information, you may decline. But if you choose not to provide data that is necessary to enable us to make the Services available to you or otherwise provide our Services (in a manner that may include personal information), you may not be able to sign up for or use the WebApp and Services. The data we collect depends on the context of your interactions with us, and the choices you make (including your privacy settings). The data we collect can include the following:
- Information Automatically Collected. We may collect data about your device and how you and your device interact with our WebApp. For example, we may collect your interactions on our WebApp, your feature usage patterns, location data, and your interactions with us. We may also collect data about your device and the network you use to connect to our WebApp; this may include data such as your IP address, browser type, operating system, and referring URLs.
- Payment Services. We use Stripe Connect as our third-party payment provider to facilitate your purchase of NFTs through our WebApp, instead of directly processing your credit/debit card information. Buyers paid balance for one or more NFTs is safe as we use an integrated iframe for checkouts from our partner payment provider (Stripe Connect) and Sellers get the payment for each confirmed purchase securely through third-party payment providers (Stripe Connect). Correspondingly all transactions are secured as Stripe Connect use SSL encryption protection. All payment information is stored encrypted and securely by Stripe Connect. We do not store your payment information on our servers. We may also use your payment transaction data (date, type and amount) as shared by third-party service provider to confirm to Sellers a specific transaction occurred so that they can verify your purchase with our records.
- Information We Will Never Collect. We will never ask you to share your private keys, passwords or wallet seed phrase, or other information of your chosen payment method.
- What do we use your Personal Data for?
- We use the data we collect for the following purposes:
- to operate our business and to make the WebApp available to you (using the data to improve our WebApp, improve the relevance and security of our WebApp, and to personalize your experiences);
- to communicate with you (inform you about your sales and purchases, your account, provide security updates, give you information about the WebApp, and respond to user enquiries);
- to provide you with technical support (diagnose problems, and to provide customer care and other support services);
to schedule a product demo;
- to administer, through us and Sellers, contests, promotions, experiences, surveys, or other WebApp features;
- to improve our advertising campaigns, primarily in an effort to prevent targeting you with advertisements that are not relevant to you;
- to manage your email subscriptions;
- to send you periodic marketing communications about our WebApp depending on the marketing preferences you select on your privacy dashboard (occasional marketing emails about our WebApp, which you can unsubscribe from at any time using the link provided in the message);
- to develop aggregate analyses and business intelligence that enable us to operate, protect, make informed decisions, and report on the performance of our business operations.
- We use the data we collect for the following purposes:
- How Is Personal Data Shared?
- In order to provide high-quality services, Primsell hires people, enters into agreements with independent contractors as well as cooperates with other services providers, companies and organizations strictly under data processing agreement (DPA) or Standard Contractual Clauses (SCCs). For those reasons, some of your personal data can be passed to the persons mentioned. Primsell uses only secure places of storage, such as those provided by AWS (Amazon, the USA) with servers located in Frankfurt, the EU (EU-Central-1).
- We will not share any of your personal data with any government authorities, except in order to comply with legal or regulatory requirements. If we receive a request to disclose your personal data to a government authority, we will thoroughly assess the request and will in particular consider possible legal challenges against such request. We will only comply with any such request that is binding, enforceable and issued in full compliance with applicable law.
- Personal Data shared with Sellers
- We may also use your personal data to provide to Sellers, in order for a Seller to track your purchases, and for you to unlock experiences about your NFT, although we will not provide this information without your agreeing to it upon purchase.
- This personal data contains (i) first and last name, (ii) email, (iii) wallet address, (iv) amount purchased, and (v) purchase date.
- Such personal data is stored encrypted with limited access of Primsell personnel on a need to know basis.
- Categories of Third Party Service Providers
- Databases and servers – Personal data shared with this category of third-party service providers include AWS (Amazon Web Services).
- Monitoring errors, latency and bugs – Personal data shared with this category of third-party service providers include Sentry.
- Communication with blockchain – Personal data shared with this category of third-party service providers include Alchemy.
- Services to manage emails and send out push notifications -Personal data shared with this category of third-party service providers include Maligun.
- Payment services providers – Personal data shared with this category of third-party service providers include Stripe.
- Sharing records of events and experiences on public blockchains – Personal data shared with this category of third-party service providers include token POAP (Proof Of Attendance Protocol).
- How do we protect your information?
- We implement a variety of appropriate technical and organizational security measures to maintain the safety of your personal data when you enter, submit, or access your personal data. For instance, we offer the use of a secure server. All supplied personal data is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our gateway providers database only to be accessible by those authorized with special access rights to such systems, and are required to keep the information confidential.
- High Availability. Every part of the WebApp utilizes properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in case of failure. We take servers out of operation as part of regular maintenance, without impacting availability.
- Business Continuity. We keep encrypted backups of data daily on AWS. In case of production data loss (i.e., primary data stores loss), while never expected, we will restore data from these backups.
- Disaster Recovery. In case of outage, we will perform full migration of a duplicate environment in a different AWS region.
- Physical Access Controls. The WebApp is hosted on AWS with a featured data centers layered security model, including but not limited to extensive safeguards such as custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. Primsell has no physical access to these data centers, servers, network equipment, or storage.
- Logical Access Controls. Only authorized Primsell team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network with keys stored in a secure and encrypted location.
- Your Rights as Data Subject Regarding Your Personal Data Primsell Processes
- Right of Confirmation
You can obtain confirmation from Primsell as to whether personal data concerning you is being processed.
- Right of Access
You can access your personal data processed by Primsell.
- Right to Rectification
You can ask Primsell to have incomplete personal data requiring corrections completed.
- Right to Erasure (Right to Be Forgotten)
You can request Primsell to erase personal data. In most cases, Primsell will erase it unless otherwise required by legislation. To delete your personal data, you can:
- Contact us by email at firstname.lastname@example.org we will respond to your request to delete your information within 30 days and notify you of the outcome.
- Delete specific items from your account by going to your account “Settings” page at https://app.primsell.com/
- Delete your entire account by going to your account “Settings” page at https://app.primsell.com/ and following the instructions for deleting your account.
- Right of Restriction of Processing
You can contest the accuracy of your personal data or in case Primsell is not interested in processing your personal data any longer, but you want Primsell to do this for different reasons, for example, to bring a claim against somebody and, instead of the erasure of information, its processing will be restricted.
- Right to Data Portability
You can have your personal data transmitted directly from one controller to another, where technically feasible and when doing so does not adversely affect the rights and freedoms of others.
- Right to Object to Processing of Your Personal Data by Primsell
You can object to our processing of your personal data when the processing is related to the performance of our task carried in the public interest or the exercise of official authority vested in us. The other case is if we process your data for the purposes of the legitimate interests pursued by us or by a third party and you believe that such interests are overridden by your interests or fundamental rights and freedoms. If you make a request with objection to processing, we will no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing.
- Right to Withdraw Consent at any Time by Contacting Us
- Right of Confirmation
- Third Party Links
Occasionally, at our discretion, we may include or offer third party products or services on our WebApp or through our WebApp. If you access other WebApps using the links provided, the operators of these WebApps may collect information from you that will be used by them in accordance with their privacy policies. These third party sites have separate and independent privacy policies. We, therefore, have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
- Where we Store and Process Personal Data
Personal data collected by Primsell may be transferred to, stored and processed in Estonia and other countries of the EU and the EEA, or in any other country where Primsell or its affiliates, subsidiaries or service providers maintain facilities. We take steps to ensure that the data we collect is processed according to the provisions of this Policy and the requirements of applicable laws wherever the data is located, including the transfer of data in accordance with a valid data transfer mechanism.
- International Transfers
Personal data we collect may be transferred to, stored and processed in, the United States, or any other country in which we or our affiliates or subcontractors maintain facilities, as described above. To the extent we may transfer personal data to or from the EEA, U.K., or Switzerland, we will take steps that are reasonably necessary to ensure that your personal data is treated securely and appropriately safeguarded in accordance with this Policy and applicable data protection or privacy laws, such as the use of standard contractual clauses.
- How Long Will the Personal Data Be Processed and Stored by Primsell?
- Your personal data will be stored by Primsell no longer than is necessary for the purposes for which the personal data is processed. Generally, Primsell retains your personal data as long as your account is active. If your last activity on Primsell was more than 2 years ago, your account will be considered expired. In this case or when you decide to delete your Primsell account, we undertake to remove your personal data from our active systems and servers within 90 days or earlier.
- However, in case of conflict situations in progress, Primsell may retain your personal data for longer in order to be able to establish, exercise or defend legal claims. Upon the settlement of the conflict situation, all personal data gets deleted if the standard retention period has expired.
- We may also retain some of your personal data for longer if we need it to comply with the applicable legal, regulatory, tax, accounting or other requirements.
- Personal Data collected when you registered on our mailing list or for the newsletter will be stored as long as you are interested in receiving our emails. We consider that you’re interested in this until you unsubscribe from them.
- Children’s Privacy
- Primsell Services are not intended for use by children under the age of 18 without the supervision of their parent or legal guardian.
- We do not knowingly collect information from children under the age of 18, and discourage the use of Primsell Services by children under this age.
- California Resident Rights
- “DoNotTrack” Requests. Primsell does not share personal data with third parties for their direct marketing purposes. Also, our Services do not support “Do Not Track” requests.
- California Privacy Rights. In case you are a resident of California, you are entitled to certain rights over your personal data under the California Consumer Privacy Act of 2018. Specifically, as a resident of California, you have the right to (i) know about the categories and specific pieces of personal data that we have collected about you and access a copy of your personal data (“Right to Know”); (ii) have inaccurate personal data about you corrected (“Right to Correction”); (iii) request deletion of your personal data that we have collected (“Right to Deletion”); (iv) opt out of the sale of your personal data (“Right to Opt-Out”).
- Legal Matters
- Governing Law
- Changes to our Policy
How to Contact Us
Any questions regarding this Policy and our Services should be sent to email@example.com
Your Primsell Team