Legal | Treasure.cloud

Our commitment to protecting your data

Here at Treasure, protecting what you treasure is our mission. We are excited to provide you with a solution that is truly private. With our seamless cloud storage services and end-to-end encryption, rest assured that you are in full control of your information at all times.

What data we collect and why

We will only collect information necessary to provide you with cloud storage services that you desire (only your name, email address, and location data). We may also collect information to provide you with product updates, notifications and most importantly – promotions! Read More

Why we need your data to provide you services

In order to identify you, your preferences and requests, we may need your data to upkeep your account with us. This also helps us to meet the legal obligations and protect our network and the safety and integrity of the services we provide you. Read More

How long do we take care of your information?

We store the information you provide us securely as long as you have an account with us. We also minimise the collection of other information beyond what is necessary to provide services to you, and these will not be stored for longer than 24 months. Read More

Why do we share your personal data?

We mask your information to the best of our abilities so that you remain unknown to partners that we work with (unless necessary). By sharing your masked information, we hope to provide you with a customised experience with less ads, great customer support and robust security measures. Read More

Transfers of personal data to other countries

To provide our services to you, your information may be shared – but don’t worry, we remove personal identifiers that point back to you. This information may be shared with our partners, agencies, external cloud service providers of your choice, as well as law enforcement authorities (but don’t worry, this is only when it is necessary!).

Furthermore, before any transfer, we ensure that our partners adhere to strict standards of security and confidentiality through Standard Contractual Clauses.

You may see the full list of our partners below. Read More

Our use of cookies

Cookies are small files of information that help to remind us if you’ve visited our website before, and if so, how you like to use it. These cookies help us to improve your experience navigating our website, and will be stored in your browser only with your consent.

Don’t forget though – you will always have the option to opt-out by clicking ‘manage cookies’ tab at the bottom of the page. Read More

You are always in control

If you Treasure it, we treasure it too! We believe in empowering you and your information to the highest extent. You always have the right to ask and request to see how we have used your information – most importantly, you are always in control. Contact us if you ever change your mind! Read More

Don’t fancy hearing from us?

Drop us a note at [email protected], and we assure you that you won’t be hearing from us (we will miss you though ☹). Read More

We are here to help

Our friendly Customer Support staff will be delighted to assist you should you have any queries. Do also check out our FAQs page (treasure.cloud/FAQs).

1. General Information

This Privacy Policy clarifies the purpose of the processing of personal data and other circumstances surrounding it within the framework of data processing procedures and with regard to the services provided by TREASURE CLOUD PTE LTD. (12 Marina View, #11-01, Asia Square Tower 2, Singapore 018961, registration number: 201826795W, registered by: Accounting and Corporate Regulatory Authority (ACRA), (hereinafter referred to as “Controller”, “Company” or “we”) and with regard to its related website, functions and contents (hereinafter referred to as “Website”).

Please read our provisions carefully and if you have any questions or inquiries in connection with the data processing of the Controller, please contact us using the contact details below:

TREASURE CLOUD PTE. LTD.

Address: 12 Marina View, #11-01, Asia Square Tower 2, Singapore 018961

E-mail address: [email protected]

Website: https://treasure.cloud/

Representative in the European Union (EU): [email protected]

Data Protection Officer: Cephas Tan, [email protected]

We highlight that in such cases, when customers or other persons share with us personal data that is unnecessary for the given purpose of data processing specified below (especially including: accidentally shared personal data), we delete such personal data irreversibly, without delay. If such sharing happens multiple times, we also draw your attention to avoid sharing unnecessary data. We recommend for the customers and other persons, however, to check in each case what data they provide to us before sending (e.g. by double-checking email attachments or forwarded information prior to their being sent).

We also highlight that information provided in this Privacy Policy is relevant, where processing of personal data carried out by us (including transfer of personal data from us to other controllers specified in this Privacy Policy or processing of personal data by our data processor partners) is related: (a) to the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in the European Union; or (b) to the the monitoring of their behaviour as far as their behaviour takes place within the European Union. We also highlight that in case of other controllers specified in this Privacy Policy, you can find information on data processing by such controllers in their respective privacy policies. We further highlight that there might be cases, where we provide our services as a data processor on behalf of a data controller. In these cases, you can also find information on the relevant processing in the privacy policy of the given data controller.

What data are considered personal data?

Personal data are any information relating to an identified or identifiable natural person (the data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Thus, for example, personal data include the name, e-mail address of the data subject (e.g. a customer or contracting party’s representative) and data related to the service provided for that customer (e.g. the fact and nature of the service, as well as the personal data processed in the framework of providing the service).

What personal data are classified as special categories of personal data?

Special categories of personal data include personal data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Who can be a data subject?

The Controller may, in particular, but not exclusively, collect and/or process the data of the following natural persons:

a customer (user)
a potential customer (user)
contact persons of business partners, as well as subcontractors
other natural persons (e.g. a person lodging a complaint against the Controller, his/her legal counsel).

By customer or user, we mean such persons, who use our services by signing up and using a Treasure Account. Our services include but are not limited to product offering and maintenance services, onboarding and verification services; as well as product support services. Business customers can also be entities (i.e. legal persons or other organizations) depending on the relevant subscription; in these cases, however, the data subjects, whose personal data we process, are their representatives and their employees acting and providing data in their name. You can find more information on our subscriptions on our Website.

Who is regarded as controller or processor?

(Data) controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Unless otherwise stated by the Company, the Company is regarded as the controller.

(Data) processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Our data centers

Our data centers used for storing personal data under the GDPR (as specified above) are currently located in the EU. When we still have to store personal data in a third country outside of the EU, or in case we use a third country processor for processing personal data referred to above or transfer/provide access to data to a third country controller, we provide information to the data subjects affected primarily in this Privacy Policy and in certain cases in other ways (e.g. in consent forms or on our Website, as relevant).

2. In which cases does the Controller process your personal data?

For what purpose do we process your data?	The purpose of data processing is for the Controller to provide cloud storage and related services; to facilitate registration by the users on the Website (by signing up to Controller’s services); providing support services in a timely manner; and the maintenance of the user accounts for accessing and using the services (including through connected services). We may collect personal information such as names, email addresses, and location data in order to provide you the services, verify your identity, reward you with extra storage space or other incentives, as well as to meet our regulatory and compliance requirements.
What is the legal basis for processing your data?	The Controller processes your data for the above-mentioned purpose based on your consent, which you give when connecting your additional account to your Treasure account (including Google Drive, Dropbox, OneDrive or Box) (Art. 6 (1) a) of the GDPR). based on your consent, when you refer a person in the framework of our referral program (Art. 6 (1) a) of the GDPR). We highlight it in this respect that your consent only serves as the legal basis for our processing of your personal data. In case, when a person referred by you sign up to our services, we will process his/her data as our customer specified below. You will not get information on the signing up of a specific person, but you will receive information in specific referral periods on the number of successful registrations, after which you may be entitled to receive certain incentives. We highlight that the in case whereby you process another person’s data for taking part in our referral program, you are solely responsible as a sole controller for requiring the consent of the referred person for processing or for relying on another legal basis and for providing information to such person on his/her being referred; where necessary for the performance of a contract (terms & conditions) to which you are party or in order to take steps at your request prior to entering into a contract (Art. 6 (1) b) of the GDPR). when you are acting in the name of another person/organization by requiring and using the Controller’s services, the legitimate interest of the Controller and the person/organization represented by you (Art. 6 (1) f) of the GDPR). Legitimate interests: the contractual provision and using of services by and between the Controller and such person/organization. the processing is necessary to fulfill a legal obligation to which the Controller is subject (e.g. storage of invoice information for tax and accounting purposes) (Art. 6 (1) c) of the GDPR). In this respect, our own legitimate business interests (Art. 6 (1) f) of the GDPR) can be referred to in certain cases specified below. we also store backups on account information based on the Controller’s legitimate interest (Art. 6 (1) f) of the GDPR). The legitimate interest is to protect our network as well as the safety and integrity of our services.
Do you have to provide your data?	You are free to choose to register (sign up) on the Website and to use the Controller’s service. When you do so, however, the Controller is required to process your data for complying with the related contract (terms & conditions) and to perform any additional services (including connecting your additional account if you decide to do so). In addition, the Controller may process your data in order to comply with his legal obligations (Art. 6 (1) c) of the GDPR), including tax and accounting obligations, in which case the data processing and plausible retention is necessary. This is only relevant for paid services (Plus or Premium) however.
What data do we process?	We process the following personal data in connection with providing registration (sign up), managing accounts and providing our services in accordance with the terms & conditions: your name and e-mail address (for signing up and regarding account management); the password you entered when registering (for signing up and regarding account management); verification code for registration (signing up); your IP address (for us to know the applicable data protection laws that apply to you) mobile phone number – in case the two-factor authentication is set by the customer, a text message is sent to the given mobile phone number. Alternatively, a Google authenticator or Authy can also be set by the customer; user ID (for helping to identify the customer by the Company); backup of the customer’s master key used for login; a backup of such master key stored in the Anqlave Data Vault (ADV) which empowers the secret management capabilities of the Controller; your information stored in your Treasure account; your information stored in your additional accounts (including: Google Drive, Dropbox or Box) if you connect them to your Treasure account; related contractual communication with the Controller (including troubleshooting). In case, when you pay for the relevant service and it is invoiced to you by the Controller, the Controller is required to process your related data for complying with invoicing and taxations laws as referred to below. We also highlight that the Company can store your account information in security backups specified below.
How long do we store your data?	We store your above data as long as you are successfully registered with Treasure (until the deletion of your Treasure account). While we seek to minimize the collection of any data beyond necessary for providing verification and support services to you, such data (which may or may not constitute personal data) will stored for no longer than 24 months. We also highlight that we may store backups for security purposes (e.g. your account data can still be stored after deletion as a backup for strictly security purposes). Such security backups are stored for no longer than seven (7) days. In the event of a dispute initiated by you or the process of a court or authority that affects your registration or the information you have stored on your Treasure account, we may store the personal data concerned until the competent court or authority makes a final decision in the given case or this court or authority orders so. In this case, the data processing is necessary to enforce our claims or to protect against your or third party (e.g. the company represented by you) claims, our data processing is based on our legitimate interests (Art. 6 (1) f) of the GDPR) in order to protect our professional reputation and to defend ourselves against the claims of data subjects or third parties or to enforce our claims as the case may be. In such cases, when the data processing (especially including: further data storage or providing data to the competent court or authority) is necessary based on the order of the competent court or authority or the relevant, obligatory provision of law, the processing is necessary to fulfil a legal obligation to which we are subject to (Art. 6 (1) c) of the GDPR). In addition to that, in case our services are invoiced to you, we must process your relevant invoicing data to meet accounting and taxation obligations until the storage period, which is prescribed in the relevant accounting and tax regulations. In such case, when this is prescribed by EU or member state law, the Controller processes the relevant personal data for complying with its relevant legal obligations (Art. 6 (1) c) of the GDPR). If such processing is prescribed, however, by the laws of Singapore or other third country – depending on the relevant contractual terms – the Controller relies on its legitimate business interests (Art. 6 (1) f) of the GDPR) to comply with its accounting and taxation obligations at its establishment. In these cases, we only provide personal data to third country (e.g. Singaporean) authorities, if it is strictly necessary for complying with the relevant legal obligation. Such data transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the Controller, which are not overridden by the interests or rights and freedoms of the data subject, and the Controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The Controller shall inform the competent data protection supervisory authority of the transfer. It is also noted that such data transfer with respect to any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring the Controller to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State (Art. 48, 49(1) of the GDPR).
The recipients of your personal data in the event of data transfer	Your data can be passed on to the following partners: Our payment, analytics and business services (CRM provider) partner (for customers selecting Plus or Premium plans), processing payment details and device information: Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA, Attention: Stripe Legal; [email protected]) as our data processor located in a third country. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by Stripe. The Controller uses Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services (please see for more information: https://support.stripe.com/questions/3d-secure-2-device-information#:~:text=When%20authenticating%20a%20card%20payment,the%20iOS%20and%20Android%20SDKs). Stripe uses this information to operate and improve the services it provides to the Controller, including processing necessary payments for paid customers (subscribers). Stripe further undertakes fraud detection measures, KYC measures as a sole controller with respect to its below specified privacy policy. We highlight that in cases, where you rely on Stripe’s services additionally or where Stripe collects or processes your data for its own requirement to comply with regulatory compliance, or for providing marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://stripe.com/en-be/privacy). For more information on cases, where Stripe acts as a data processor or a data controller, please also visit Stripe Privacy Center (https://stripe.com/privacy-center/legal); Our security (two-factor authentication, i.e. 2FA) service provider partner (processing mobile number): Twilio Ireland Limited (25-28 North Wall Quay, Dublin 1, Ireland; [email protected]) as our data processor. If a customer has enabled 2FA-SMS (two-factor authentication by SMS or through Authy), an OTP is sent to the customer's mobile number. This OTP has to be provided by the customer to log in to the relevant Treasure Account. We highlight that in cases, where you rely on Twilio’s services additionally or in other cases, where Twilio processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.twilio.com/legal/privacy); As regards Kibana logs for developing our marketing campaigns and development of our services, our service provider partner: Elasticsearch B.V. (Attn: Privacy Team, Keizersgracht 281, 1016 ED Amsterdam) as our data processor. We highlight that in cases, where you rely on Elasticsearch’s services additionally or where Elasticsearch processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (). We highlight that in all cases, where Elasticsearch transfers your data outside of the European Economic Area, it relies on the European Commission’s standard contractual clauses or adequacy decisions; As regards Postgres database for developing our marketing campaigns and development of our services, our service provider partner: The PostgreSQL Global Development Group (810 E. Montecito, Ste C, Santa Barbara, California, 93103, United States; e-mail address: [email protected]) as our data processor. We highlight that in cases, where you rely on The PostgreSQL Global Development Group’s services additionally or where The PostgreSQL Global Development Group processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.postgresql.org/about/policies/privacy/); As regards the provision of our mirror database used for business analytics, our service provider partner: Metabase, Inc. (660 4th Street #557, San Francisco, CA 94107, United States, e-mail address: [email protected]) acting as our data processor. We highlight that in cases, where you rely on Metabase’s services additionally or where Metabase processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.metabase.com/privacy/); As regards the Anqlave Data Vault used for our Key Management System for storing the user’s master key, our service provider partner: Anqlave PTE Ltd. (NTU Innovation Centre, 71 Nanyang Drive #04-01, Singapore 638075, e-mail address: [email protected]) acting as a sole data controller in providing its data storage services in line with its own privacy policy (https://namic.sg/privacy-policy/); As regards Website tracking and integration with HubSpot, our service provider partner: Trimantium GrowthOps Limited (Privacy Officer Trimantium GrowthOps Limited Level 11, 31 Queen Street, Melbourne VIC 3000, Australia, [email protected]) (“GrowthOps”) acting as our data processor. We highlight that in cases, where GrowthOps processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://growthops.com.au/privacy-policy/); As regards web development, our service provider partner: Maxgaba International Trading Sdn. Bhd. (Unit SB/BO-02, Block 2, Southbank Commercial, Pusat Komersial Tebing Selatan, 179, Jalan Klang Lama, 58000 Kuala Lumpur, Malaysia, e-mail address: [email protected]) (“MXB”) acting as our data processor. We highlight that in cases, where MXB processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.mxb2u.com/web/); As regards web development and our trouble (complaint/bug) ticket management, our service provider partner: Zendesk (989 Market St San Francisco, CA 94103, (“Zendesk”) acting as our data processor. The Company and Zendesk apply standard contractual clauses or rely on other appropriate safeguards for transferring personal data from the EU to the US as the case may be. We highlight that in cases, where Zendesk processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.zendesk.com/company/agreements-and-terms/privacy-policy/); In case, when you connect the below specified additional account(s) to your Treasure Account, our following partners – acting as sole data controllers with respect to the processing of your data for the provision of their services – can access your data but only to such extent to which you share with them by using their own services (e.g. Google can access your data stored in your Google Drive regardless of whether you connect it to your Treasure Account): As regards Amazon S3 bucket: Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, United States (AWS) (for contact information: https://aws.amazon.com/contact-us/?nc1=f_m). When customers and AWS Partner Network (APN) Partners use AWS services to process personal data in their content, AWS acts as a data processor of the respective customers and partners. When AWS collects personal data and determines the purposes and means of processing that personal data – for example, when AWS stores account information for account registration, administration, services access, or contact information for the AWS account to provide assistance through customer support activities – it acts as a data controller. In case of data transfers to third parties, AWS relies on its AWS GDPR Data Processing Addendum, which incorporates standard contractual clauses, where applicable (for more information, see the link below). For more information on data processing by AWS, please see: https://aws.amazon.com/compliance/gdpr-center/ As regards Google Drive: Google Ireland Limited (Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland) acting as a sole data controller in line with its own privacy policy (https://policies.google.com/privacy?hl=en-US). We also highlight that in case of Google’s services are used outside of the EU, other Google entities may have access to personal data, such as Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, Keith Enright, Chief Privacy Officer, [email protected]) (“Google”); As regards Box: Box, Inc. (Box Privacy, 900 Jefferson Avenue, Redwood City, CA 94063, United States, e-mail address: [email protected]) acting as a sole data controller in line with its own privacy policy (https://www.box.com/legal/privacypolicy). We highlight that in terms of data transfer to the US, Box uses its standard contractual clauses, and Box group of companies is also awaiting approval of Box’s European BCRs (for more information: https://www.box.com/legal/regionalnotice); As regards Dropbox: Dropbox, Inc. (1800 Owens St, San Francisco, CA 94158, [email protected]) acting as a sole data controller in line with its own privacy policy (https://www.dropbox.com/privacy). Dropbox relies on standard contractual clauses for data transfers. For more information, please see: https://assets.dropbox.com/documents/en/legal/data-processing-agreement-dfb-013118.pdf. Our marketing, profiling and advertising partner: Facebook Ireland Ltd. 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland; [email protected] as our data processor. If a customer has consented to their data being used for this purpose, data may be used to form look-alike-profiles for us to promote our brand and services to other customers. We highlight that in cases, where you rely on Facebook’s services additionally or where Facebook processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy. (https://www.facebook.com/privacy/explanation). We highlight that we use the following additional service providers to enhance our processing power and storage capacity, as well as service capabilities. The following service providers act as processors for supporting our above capabilities, but act as sole controllers, independently from us, when they process your data for their own marketing, service development or other purposes in accordance with their own privacy policies and only access your personal data as necessary: Amazon Web Services (AWS). For contacting AWS: https://aws.amazon.com/contact-us/; For data transfer concerning AWS, please see above and the following link. For more information on data processing by AWS, please see: https://aws.amazon.com/compliance/gdpr-center/ Microsoft Privacy, Microsoft Corporation, One Microsoft Way (Redmond, Washington 98052, USA. tel.: +1 (425) 882 8080) concerning Microsoft Azure and for storing security backups. In respect of further information on Microsoft’s obligations with respect to the processing and security of customer data and other personal data in connection with Azure, please see Microsoft’s Online Services Data Protection Addendum and Microsoft’s other relevant documents (https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67; https://azure.microsoft.com/en-us/support/legal/); Regarding Intel’s Software Guard Extensions (SGX) used by us to enhance ADV’s security capabilities: Intel Corporation (ATTN: Privacy/Grievance, M/S RNB4-151, 2200 Mission College Blvd., Santa Clara, CA 95054 USA; Intel Privacy Office – US Headquarters), Intel Ireland Limited (with respect to the GDPR) (M/S: Intel Privacy Office, Collinstown Industrial Park, Leixlip, Co. Kildare, Ireland, W23 CX68 – Intel Data Protection Officer). In this respect, secrets are always encrypted at rest or in motion and are used inside secure enclaves which are protected memory regions created using SGX. For more information on Intel’s privacy practices: https://www.intel.com/content/www/us/en/privacy/intel-privacy-notice.html#contact-us

2.2. Provision of marketing materials

For what purpose do we process your data?	The purpose of data processing is the provision of marketing materials to our users (including special offers and promotions and product updates and newsletters) and related profiling based on the users’ consent. With your consent, we may also engage third-party service providers to create customised look-alike-profiles of you, so that we may identify potential customers similar to you and grow our business. In this instance, your data will not be used to target you.
What is the legal basis for processing your data?	The Controller collects your data for processing pursuant to the above-mentioned purposes: based on your consent, which you give when registering (signing up) on the Website, separately from signing up to the Controller’s services (Art. 6 (1) a) of the GDPR). In the case that you also consent to our profiling activity, such consent (ticking the appropriate box) is also regarded as your explicit consent in line with Art. 22 (2) c) of the GDPR. we highlight that we can also send our existing customer marketing materials, which relate to services similar to those, which are used or were previously used by them. Such materials would not include third-party materials, would not require profiling (e.g. personalized marketing messages) and would not target customers, who previously indicated that they do not wish to receive marketing materials from the Controller. In this case, the sending of the above marketing materials is based on our legitimate business interest (Art. 6 (1) f) of the GDPR), which is the promotion of our brand and services and strenghtening customer relationships. In this case, however, we cease to send such materials, if the customer objects to the processing of personal data and communicates this to us.
Do you have to provide your data?	You are free to choose to sign up for receiving the above-mentioned marketing materials. If you do not give consent to receiving special offers and promotions and product updates and newsletters, you can still be signed up for the Controller’s services. You can also additionally consent to only receive special offers and promotions OR product updates and newsletters. In the case of marketing materials being sent based on our legitimate business interest, you are also entitled to object to the processing of personal data, in which case we do not process your personal data for direct marketing purposes anymore.
What data do we process?	We process the following personal data in connection with provision of our above marketing activities: your name; the name and the position of the business customer’s contact person (if relevant); the scope of your consent (tick boxes ticked) (if processing is based on consent); your e-mail address; the service currently used by you (in case of marketing materials sent based on our legitimate business interest); possible communication with the customer concerning the sending of marketing materials and newsletters and – in case of the customer’s unsubscribing from the newsletter or objecting to the processing of their data for the sending of marketing materials and newsletters – the fact of such unsubscribing or objection (to avoid sending new materials unless the given customer consents); as regards e-mail marketing campaigns empowered by HubSpot, the following data are processed by us and HubSpot: the name of customer, the date of account creation, the Treasure plan the user has subscribed to, the digital campaign (first click) that influenced the customer, email marketing sent to the customer, marketing emails and links within emails opened/clicked by the customer, forms filled in by the customer, city and country of the customer’s residence. These data are used for profiling, to help the Controller understand, how the given customer can be targeted by marketing materials and which services might be interesting to him/her. E.g. if a customer created his/her account years ago, we might provide him/her a discount especially tailored for longtime customers. Another example: by understanding, what marketing materials previously sent by us the customer opened, we also get information on the marketing messages, which the customer finds interesting, so we could send him/her similar messages the next time (processing based on consent).
How long do we store your data?	We store your above personal data until you withdraw your consent by email sent to the Controller or through the Treasure (web) application. In case of the customer’s unsubscribing from the newsletter or objecting to the processing of their data for the sending of marketing materials and newsletters – the fact of such unsubscribing or objection can be processed until the deletion of the given customer’s Treasure Account. Unless you provide consent, we further do not send you marketing materials based on our legitimate interest, if you delete your Treasure Account.
The recipients of your personal data in the event of data transfer	Your data may be passed on to the following partner: Our CRM, Marketing Automation System operating partner: HubSpot, Inc. (Address: 25 First Street, 2nd Floor, Cambridge, MA 02141, United States, in line with HubSpot’s Data Processing Agreement (https://legal.hubspot.com/dpa); “HubSpot”) as our data processor located in a third country. The data currently processed by HubSpot for the above purpose is the name of customer, the date of account creation, the Treasure plan the customer has subscribed to, the digital campaign (first click) that influenced the customer, email marketing sent to the customer, marketing emails and links within emails opened/clicked by the customer, forms filled in by the customer, city and country of the customer’s residence. Customers can also withdraw their consent for receiving marketing messages with respect to HubSpot’s above solution by unsubscribing through HubSpot or by withdrawing consent via the Treasure app. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by HubSpot. We highlight that in cases, where you rely on HubSpot’s services additionally or where HubSpot processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://legal.hubspot.com/legal-stuff); As regards creative and web development, our service provider partner: MXB acting as our data processor. The Company and MXB apply standard contractual clauses or rely on other appropriate safeguards for transferring personal data from the EU to the UK as the case may be. We highlight that in cases, where MXB processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.mxb2u.com/web/).

2.3. Service development, business analytics

For what purpose do we process your data?	The purpose of our data processing is to develop our services in order to serve you better. In line with the GDPR’s Data Minimization Principle, we only analyze and combine necessary customer data to understand customer engagement with our product (subscription, features) and marketing campaigns. We use the below specified services of HubSpot in this respect. HubSpot combines analytics from various channels, including Google (Analytics), Facebook, Twitter, YouTube. We also use the services of MXB as specified below.
What is the legal basis for processing your data?	The Controller processes your data for the above mentioned purpose based on your consent, which you give when registering (signing up) on the Website (Art. 6 (1) a) of the GDPR). In the event that you also consent to our profiling activities, such consent (ticking the appropriate box) is also regarded as your explicit consent in line with Art. 22 (2) c) of the GDPR.
Do you have to provide your data?	You are free to choose to consent to the processing of your data for our above referred customer development.
What data do we process?	We process your personal data regarding the usage of our services. Such data include: subscription type concerning the given customer, the data of the creation of the relevant Treasure Account, e-mail address of the given customer, his/her last login or login attempt to the Treasure Account (including failed attempts), the type of marketing promotions the customer has signed up to and is targeted by, applications and cloud accounts linked to the given Treasure Account, file activity (e.g. upload, download, share file, open file) on the given Treasure Account, customer support records, the customer’s referral and e-mail marketing activity (e.g. e-mail opens, click throughs). We process anonymous data generally (i.e. in most cases, the above data cannot be linked to an individual customer or other data subject once used for service development or business analytics by us. Yet, in cases, where we have to understand, whether a given user or certain users use our services in a way we predict, we have to check the above data linked to exact customers (e.g. by picking a customer from every country or region for using the data as a reference point or to check, whether our analytics solutions work appropriately. In these cases, however, we store and process such personal data separately from other customer data and delete it (in certain cases, through anonymization and/or pseudonymization), as soon as the above purpose ceases. It is highlighted that for analytics purposes, we also use Google Analytics: Google Ireland Limited (Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland) acting as data controller jointly with the Controller (joint data controllers) concerning the use of Google Analytics services. We also highlight that in cases, where Google’s services are used outside of the EU, other Google entities may have access to personal data, such as Google LLC (1600 Amphitheatre Parkway, Mountain View, California 94043, United States, Keith Enright, Chief Privacy Officer, [email protected]). We highlight that in cases, where you rely on Google’s services additionally (e.g. your Google Drive account) or where Google processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://policies.google.com/privacy?hl=en-US).
How long do we store your data?	We store your above personal data until you withdraw your consent.
The recipients of your personal data in the event of data transfer	Your data can be passed on to the following partner: Our CRM, Marketing Automation System operating partner: HubSpot as our data processor located in a third country. The data currently processed by HubSpot for the above purpose is the name of customer, the date of account creation, the Treasure plan the user has subscribed to, the digital campaign (first click) that influenced the customer, email marketing sent to user, marketing emails and links within emails opened/clicked by the customer, forms filled in by the customer, city and country of the user’s residence. Customers can also withdraw their consent for receiving marketing messages with respect to HubSpot’s above solution by unsubscribing through HubSpot or by withdrawing consent via the Treasure app. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by HubSpot. We highlight that in cases, where you rely on HubSpot’s services additionally or where HubSpot processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://legal.hubspot.com/legal-stuff); As regards creative and web development, our service provider partner: MXB acting as our data processor. The Company and MXB apply standard contractual clauses or rely on other appropriate safeguards for transferring personal data from the EU to the UK as the case may be. We highlight that in cases, where MXB processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.mxb2u.com/web/).

2.4. Processing of business contacts’ data

For what purpose do we process your data?	The purpose of data processing is the processing of our business partners’ (including subcontractors, data controller and data processor partners) and their representatives’ contact data to maintain and manage business relationships.
What is the legal basis for processing your data?	The Controller processes your data for the above-mentioned purpose where necessary for the performance of a contract to which our respective (natural person) partner is party or in order to take steps at our respective partner’s request prior to entering into a contract (Art. 6 (1) b) of the GDPR). This processing does not include processing related to contracts with our customers (which is specified under Art. 2.1.). when you are acting in the name of another person/organization as a contact person, the legitimate interest of the Controller and the person/organization represented by you (Art. 6 (1) f) of the GDPR). Legitimate interests: the contractual provision related to the performing of services by and between the Controller and such person/organization (excluding contracts, where the represented person/organization requires the Controller’s services. Such processing is specified under Art. 2.1.).
Do you have to provide your data?	The processing of personal data is necessary for the performance of the related contract or related requirements (e.g. taxation and accounting requirements).
What data do we process?	We process the following personal data in respect of the above referred data processing: the name and contact information (especially e-mail address) of the related contact person, his/her/their position; the related contract, service/products and contractual communications with the related partner.
How long do we store your data?	We store your related personal data as long as it is necessitated for the performance of services/provision of products/solutions under the respective contract. We also highlight that – depending on the applicable law set out by the contract – the related data (e.g. contact details and business emails) may be stored until the end of the civil law expiry date specified by the applicable law. In the event of a dispute initiated by you or the respective partner or against such persons by us, we may store the personal data concerned until the competent court or authority makes a final decision in the given case or until this court or authority orders so. This data processing is based on our legitimate interests (Art. 6 (1) f) of the GDPR) in order to protect our professional reputation and to defend ourselves against the claims of data subjects or third parties and to successfully enforce our claims. In addition to that, in case our services are invoiced to you, we must process your relevant invoicing data to meet accounting and taxation obligations until the storage period, which is prescribed in the relevant accounting and tax regulations. In such a case, when this is prescribed by EU or member state law, the Controller processes the relevant personal data for complying with its relevant legal obligations (Art. 6 (1) c) of the GDPR). If such processing is prescribed, however, by the laws of Singapore or other third country – depending on the relevant contractual terms –, the Controller relies on the relevant partner’s and its own legitimate business interests (Art. 6 (1) f) of the GDPR) to comply with accounting and taxation obligations prescribed by the above referred legal requirements. In these cases, we only provide personal data to third country (e.g. Singaporean) authorities, if it is strictly necessary for complying with the relevant legal obligation. Such data transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the Controller, which are not overridden by the interests or rights and freedoms of the data subject, and the Controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The Controller shall inform the competent data protection supervisory authority of the transfer. It is also noted that such data transfer with respect to any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring the Controller to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State (Art. 48, 49(1) of the GDPR).
The recipients of your personal data in the event of data transfer	Your data may be passed on to the following partners: Our CRM, Marketing Automation System operating partner: HubSpot as our data processor located in a third country. The data currently processed by HubSpot for the above purpose is the name of customer, the date of account creation, the Treasure plan the customer has subscribed to, the digital campaign (first click) that influenced the customer, email marketing sent to the customer, marketing emails and links within emails opened/clicked by the customer, forms filled in by the customer, city and country of the customer’s residence. For processing personal data with respect to marketing operations and business analytics empowered by HubSpot, please read above under Art. 2.2 and 2.3. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by HubSpot. We highlight that in cases, where you rely on HubSpot’s services additionally or where HubSpot processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://legal.hubspot.com/legal-stuff); regards creative and web development, our service provider partner: MXB acting as our data processor. The Company and MXB apply standard contractual clauses or rely on other appropriate safeguards for transferring personal data from the EU to the UK as the case may be. We highlight that in cases, where MXB processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.mxb2u.com/web/). Our payment, analytics and business services (CRM provider) partner, processing payment details and device information (for customers selecting Plus or Premium plans): Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA, Attention: Stripe Legal; [email protected]) as our data processor located in a third country. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by Stripe. The Controller uses Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services (please see for more information: https://support.stripe.com/questions/3d-secure-2-device-information#:~:text=When%20authenticating%20a%20card%20payment,the%20iOS%20and%20Android%20SDKs). Stripe uses this information to operate and improve the services it provides to the Controller, including processing necessary payments for paid customers (subscribers). Stripe further undertakes fraud detection measures as a sole controller with respect to its below specified privacy policy. We highlight that in cases, where you rely on Stripe’s services additionally or where Stripe processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://stripe.com/en-be/privacy). For more information on cases, where Stripe acts as a data processor or a data controller, please also visit Stripe Privacy Center (https://stripe.com/privacy-center/legal).

2.5. Data processing of inquiries and complaints received by the Controller, data processing in connection with a data breach, enforcement of claims

For what purpose do we process your data?	Inquiries received by the Controller (e.g. inquiry in connection with the Website or the services without contracting) and answering complaints, any comments and compliance with the legal obligations applicable to the Controller in the event of a data breach, assertion of the legal claims of the Controller.
What is the legal basis for processing your data?	Data processing and answering inquiries, comments and complaints: data are processed by the Controller based on the Controller's legitimate interests (Art. 6 (1) f) of the GDPR). Legitimate interests: processing inquiries, answering comments, complaints received by the Controller, as well as the protection of the Controller’s professional reputation. It is noted that contractual communications conducted by and between customers and their representatives are covered under Art. 2.1 of this Privacy Policy, while contractual communications conducted by and between business partners and their representatives are covered under Art. 2.4 of this Privacy Policy. It is further noted that in case, where a comment does not require any response, answer, as well as follow-up steps on the side of the Controller, it would not be processed by the Controller. It is also highlighted that under the relevant law – in accordance with the terms & conditions of the Controller – the Controller can be required to process and manage certain inquiries, comments or complaints, in which case, the data processing is necessary for compliance with a legal obligation to which the Controller is subject (Art. 6 (1) c) of the GDPR). In the case of processing the data subject's request (Art. 12 GDPR), the processing is necessary to fulfill a legal obligation to which the Controller is subject (e.g. responding to the data subject's application, facilitating the exercise of the data subject's rights according to Articles 15 to 22 of the GDPR) (Art. 6 (1) c) of the GDPR). Enforcement of claims or defending against data subject or third party claims: processing is necessary to safeguard the legitimate interests of the Controller (Art. 6 (1) f) of the GDPR). Legitimate interests: storage and other processing of the data (including inquiries or questions from the data subjects) to protect against claims of data subjects and third party claims (e.g. if the data of another person is provided by the data subject without his/her/their permission) and to enforce the claims of the Controller. Data processing concerning data breaches: in case of a data breach, the data processing is necessary for compliance with a legal obligation to which the Controller is subject (Art. 6 (1) c) of the GDPR), including the notification of personal data breach to the supervisory authority in accordance with Art. 33 of the GDPR.
Do you have to provide your data?	Naturally, you do not have to make any inquiries, file a complaint or enforce a claim against the Controller. However, if you send a request or complaint to the Controller or enforce a claim against it, the Controller will process your personal data for the management of the request or complaint, for the protection of its interests as described above. In addition to the above, in case of a data breach, the Controller may have to process your personal data for the fulfillment of its legal obligations as described above (e.g. for notifying you on the data breach and requiring you to change your password).
What data do we process?	Personal data that are affected by an inquiry submitted to the Controller or a complaint or claim, the contact details of the data subjects and the persons/organizations they represent (name, email address), the inquiries, comments and complaints and their content and the recording of the steps taken in relation to the given inquiry, comment or complaint. We process your name, email address and your other data mentioned above, as well as your other personal data regarding a legal dispute against the Controller or concerning a procedure initiated by it.
How long do we store your data?	In the event of a dispute initiated by you or the process of a court or authority that affects the above information (e.g. your complaint), we may store the personal data concerned until the competent court or authority makes a final decision in the given case or until this court or authority orders so. This data processing is based on our legitimate interests (Art. 6 (1) f) of the GDPR) in order to protect our professional reputation and to defend ourselves against the claims of data subjects or third parties. In the event that processing is necessary to comply with a legal obligation, including reporting personal data breaches, notifying the data subject of a personal data breach or responding to the data subject's request and facilitating the exercise of the data subject's rights under Articles 15 to 22 of the GDPR (e.g. within the framework of your request for data portability, exporting your data requested and transferring them in a structured, commonly used and machine-readable format to you), the Controller stores the personal data concerned as long as this is necessary to comply with these legal obligations.
The recipients of your personal data in the event of data transfer	Your data can be passed on to the following partners: Our CRM, Marketing Automation System operating partner: HubSpot as our data processor located in a third country. The data currently processed by HubSpot for the above purpose is the name of customer, the date of account creation, the Treasure plan the customer has subscribed to, the digital campaign (first click) that influenced the customer, email marketing sent to the customer, marketing emails and links within emails opened/clicked by the customer, forms filled in by the customer, city and country of the customer’s residence. For processing personal data with respect to marketing operations and business analytics empowered by HubSpot, please read below under Art. 2.2 and 2.3. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by HubSpot. We highlight that in cases, where you rely on HubSpot’s services additionally or where HubSpot processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://legal.hubspot.com/legal-stuff); Our payment, analytics and business services (CRM provider) partner, processing payment details and device information (for customers selecting Plus or Premium plans): Stripe Inc. (510 Townsend Street, San Francisco, CA 94103, USA, Attention: Stripe Legal; [email protected]) as our data processor located in a third country. The transfer of personal data to a third country is based on the Standard Contractual Clauses applied by Stripe. The Controller uses Stripe for payment, analytics, and other business services. Stripe collects identifying information about the devices that connect to its services. Stripe collects identifying information about the devices that connect to its services (please see for more information: https://support.stripe.com/questions/3d-secure-2-device-information#:~:text=When%20authenticating%20a%20card%20payment,the%20iOS%20and%20Android%20SDKs). Stripe uses this information to operate and improve the services it provides to the Controller, including processing necessary payments for paid customers (subscribers). Stripe further undertakes fraud detection measures as a sole controller with respect to its below specified privacy policy. We highlight that in cases, where you rely on Stripe’s services additionally or where Stripe processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://stripe.com/en-be/privacy). For more information on cases, where Stripe acts as a data processor or a data controller, please also visit Stripe Privacy Center (https://stripe.com/privacy-center/legal); Our trouble (complaint/bug) ticket managing data processor partner, Atlassian Pty Ltd c/o Atlassian, Inc. (350 Bush Street, Floor 13, San Francisco, CA 94104, United States, [email protected]; EU representative: Atlassian B.V. Singel 236 1016 AB Amsterdam, the Netherlands, [email protected]) providing Jira software. We forward complaint or bug reporting emails from our support inbox to Jira to better manage our troubleshooting and complaint management and coordinate the teamwork of our support team. The transfer of personal data to a third country (if it is necessary for Atlassian’s services) is based on the Standard Contractual Clauses contained in the Data Processing Addendum applied by Atlassian (https://www.atlassian.com/legal/data-processing-addendum). We highlight that in cases, where Jira processes your data for its own marketing, service development or other purposes, it shall act independently from us, as a sole data controller in line with its own privacy policy (https://www.atlassian.com/legal/privacy-policy#what-this-policy-covers). Our additional partners specified under Art. 2.1-2.4 above in case the given inquiry, complaint, dispute, claim or data breach affects the services provided by them and your personal data are processed in respect of such services.

Besides the above, we highlight that the below specified services and service providers are used for communication with the data subjects:

In-App messaging with the help of HubSpot: HubSpot provides the service as a sole controller, communication, however, is processed by us for communicating with customer, business contacts or to answer inquiries, comments and complaints, which we process also as sole controllers (see: Art. 2.1, 2.4. and 2.5.)
Gmail for our inbox support: Google provides the service as a sole controller, communication, however, is processed by us for communicating with customer, business contacts or to answer inquiries, comments and complaints, which we process also as sole controllers (see: Art. 2.1, 2.4. and 2.5.);
Facebook comments: Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, for more information: https://www.facebook.com/privacy/explanation) provides the service as a sole controller, communication, however, is processed by us for communicating with customer, business contacts or to answer inquiries, comments and complaints, which we process also as sole controllers (see: Art. 2.1, 2.4. and 2.5.);
Twitter comments: Twitter (Twitter International Company, attn: Data Protection Officer, Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, for more information: https://twitter.com/en/privacy) provides the service as a sole controller, communication, however, is processed by us for communicating with customer, business contacts or to answer inquiries, comments and complaints, which we process also as sole controllers (see: Art. 2.1, 2.4. and 2.5.).

3. Data transfer

You can find more information about data transfer under Art. 2.1-2.5 entitled “The recipients of your personal data in the event of data transfer”.

4. Contact for exercising data protection rights

Each time you contact us for exercising your data subject rights under Art. 15 to 22 of the GDPR, your information necessary for processing your request will be processed in accordance with Art. 6 (1) c) of the GDPR (a legal obligation to which the Controller is subject). The purpose of such data processing is to respond to the data subject’s request and to facilitate the exercise of the data subject’s rights in accordance with Art. 15 to 22 of the GDPR (Art. 6 (1) c) of the GDPR).

5. Information about cookies

You can find more information about the cookies used on our Website here.

We highlight that cookies enable the efficient and individual use of all functions of our Website. Some functions are not available without cookies.

Most browsers offer different options for protecting your privacy. Deactivating cookies means that it is not possible to save new cookies. It does not prevent previously set cookies from continuing to work on the device until all cookies have been deleted in the browser settings. The help function of the browser or the operating instructions of the end device describe an individual management of the cookie settings. In addition, company-specific settings can be regulated by guidelines.

You can find information on the cookie settings of the most popular browsers under the following links:

Google Chrome: https://support.google.com/accounts/answer/61416?hl=en

Firefox: https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop

Microsoft Internet Explorer 9: https://support.microsoft.com/en-gb/help/278835/how-to-delete-cookie-files-in-internet-explorer

Microsoft Internet Explorer 10: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Microsoft Internet Explorer 11: https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies

Microsoft Edge: https://support.microsoft.com/en-gb/help/4468242/microsoft-edge-browsing-data-and-privacy

Safari: https://support.apple.com/en-gb/guide/safari/sfri11471/mac

You can find more information about cookies under the following links:

https://en.wikipedia.org/wiki/HTTP_cookie

https://www.youronlinechoices.com/uk/

https://www.allaboutcookies.org/

https://cookiepedia.co.uk/cookie-laws-across-europe

Google Analytics

We use Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin, D04 E5W5, Dublin, Ireland, based on your consent (within the meaning of Art. 6 (1) a) of the GDPR) (“Google“). Google uses cookies. User data may be stored on servers in the United States that affect Google services. Google complies with the European Commission’s standard contractual clauses in this respect.

We only use Google Analytics with activated IP anonymization. This means that the IP address of the user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.

The IP address transmitted by the user’s browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly.

Users can also prevent Google from collecting the data generated by the cookie and from processing this data by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

You can find further information on the use of data by Google, setting and objection options on the Google website: https://policies.google.com/technologies/partner-sites?hl=en (“Use of data by Google when you use websites or apps of our partners”), https://policies.google.com/technologies/ads?hl=en (“Use of data for advertising purposes”), http://www.google.de/settings/ads (“Managing information that Google uses, to show you advertising”).

6. Rights and remedies of the data subjects

Answering your data protection inquiries or completing your request is free of charge. However, if your request to exercise your data protection rights is manifestly unfounded or excessive (e.g. in the case of frequent repetition), we are entitled to either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested or refuse to act on the request.

The data protection rights and remedies of the data subjects (including yours if the person responsible processes your personal data) are listed in the relevant provisions of the GDPR (in particular Art. 15, 16, 17, 18, 19, 20, 21, 77. 78, 79, 80 and 82 of the GDPR). The following is a summary of the key provisions and, accordingly, the Controller will inform data subjects about their rights and remedies regarding data processing.

The Controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The Controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.

If the Controller does not take action on the request of the data subject, the Controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

Right of access by the data subject

You shall have the right to obtain from the Controller confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and the following information:

the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from you, any available information as to their source.

Where personal data are transferred to a third country, you shall have the right to be informed of the appropriate safeguards relating to the transfer.

The Controller shall provide a copy of the personal data undergoing processing. For any further copies requested by you, the Controller may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form.

Right to rectification

You shall have the right to obtain from us the erasure of personal data concerning you without undue delay and we shall have the obligation to erase personal data without undue delay where one of the following grounds applies.

Please note that by reporting a change in your personal information, you can help us serve you better by giving us accurate information about you.

Right to erasure

You have the right to request that the Controller delete personal data concerning them immediately and the Controller is obliged to delete personal data immediately if one of the following reasons applies:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing;
you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in European Union or Member State law to which the Controller is subject;
the personal data have been collected in relation to the offer of information society services.

Right to restriction of processing

You shall have the right to obtain from the Controller restriction of processing where one of the following applies:

the accuracy of the personal data is contested by you, for a period enabling the Controller to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead;
the Controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
you have objected to processing pending the verification whether the legitimate grounds of the Controller override those of you.

Right to data portability

The data subject shall have the right to receive the personal data concerning him/her/them, which he/she/they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

processing is based on consent or on a contract; and
the processing is carried out by automated means.

The exercise of the right shall not be without prejudice to the right to erasure and shall not adversely affect the rights and freedoms of others.

You can withdraw your consent (Art. 7 (3) of the GDPR) at any time for the future or object to our processing (including profiling), which is based on our legitimate interests (Art. 6 (1) f) of the GDPR). You can send the withdrawal or the objection either by e-mail or by post using our contact details above.

As regards objection, the Controller shall no longer process your personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

As regards the withdrawal of consent, we highlight that the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Information on automated decision-making and profiling

Information on automated decision-making and profiling can be found with regard to the relevant data processing operations under Section 2. above. You may freely withdraw your consent by contacting us here.

Complaint

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

A list of the supervisory authorities in the European Union (EU) can be found at https://edpb.europa.eu/about-edpb/board/members_en

8. Privacy information to non-EU residents

As regards processing the personal data of other, non-EU resident customers and business contacts, as well as their rights and remedies under the respective privacy laws, please see our information on the respective part of our Website: Privacy Policy

9. Amendment of our Privacy Policy

We reserve the right to change our Privacy Policy in order to adapt it to changes in the relevant law or in the event of changes to the data processing. If user consent is required, the changes will only be made with the consent of the user.

Users are asked to inform themselves regularly about the content of our Privacy Policy. Regarding main changes, we would further inform our users and the relevant other data subjects directly (especially via e-mail or via their account).

Cookie	Duration	Description
__stripe_mid	1 year	Used by Stripe to enable them to monitor for and detect potentially harmful or illegal use of Stripe's services.
__stripe_orig_props	1 year	Used by Stripe to enable them to understand how visitors interact with Stripe's services, allowing Stripe to analyze and improve Stripe's services (also through third party analytics).
__stripe_sid	Session	Used by Stripe to enable them to monitor for and detect potentially harmful or illegal use of Stripe's services.
_ga	2 years	Used by Stripe to allow Stripe to place targeted Stripe advertisements on other sites that the user may visit, and to measure user's engagement with those ads.
cid	Session	Used by Stripe to help Stripe understand how visitors interact with our services, allowing Stripe to analyze and improve Stripe's services (also through third party analytics).
docs.prefs	1 year	Used by Stripe to save user preferences and recognize user when user returns to Stripe's services.
lang	1 year	Used by Stripe to save user preferences and recognize user when user return to Strip's services
locale	Session	Used by Stripe to ensure that Stripe's site and services work correctly, such as showing the user the correct and relevant information based on their location.
merchant	Session	Used by Stripe to help Stripe understand how visitors interact with Stripe's services, allowing Stripe to analyze and improve Stripe's services (also through third party analytics).
recent-views	1 year	Used by Stripe to save user preferences and to recognise the user when the user returns to Stripe's services.
SIDCC	2 years	Security cookie to protect a user’s data from unauthorized access.

Cookie	Duration	Description
__Secure-3PAPISID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
__Secure-3PSID	2 years	For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising.
__Secure-3PSIDCC	1 year	These cookies are used to deliver ads more relevant to you and your interests.
__utmzzses	session	This cookie is set by the provider Google Analytics. This cookie is used for storing the traffic source or campaigns that explains how the user reached the website. This cookie is updated every time when the data is sent to the Google Analytics.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_60GXYXXB14	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
1P_JAR	1 day	Used by Google Analytics that provides an aggregate analysis of website visitors.
APISID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
DV	Session	Used by Google Analytics that provides an aggregate analysis of website visitors.
HSID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
initialTrafficSource	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
lastTrafficSource	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
lastTrafficSource	2 years	Saves the last traffic source that drove the user to Treasure Cloud’s website.
myoc	1 month	This allows the website to track marketing campaign for statistical purposes.
NID	6 months	Used by Google Analytics that provides an aggregate analysis of website visitors.
OGPC	1 month	Used by Google Analytics that provides an aggregate analysis of website visitors.
OTZ	1 month	Used by Google Analytics that provides an aggregate analysis of website visitors.
pageviewCount	1 month	Used by Google Analytics that provides an aggregate analysis of website visitors.
s	Session	Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
SAPISID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
SEARCH_SAMESITE	5 months	Used by Google Analytics that provides an aggregate analysis of website visitors.
Secure-3PSID	2 years	For targeting purposes to build a profile of the website visitor's interests in order to show relevant & personalised Google advertising
SID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
spin	1 day	This Cookie is placed by Facebook. It enables treasure.cloud to measure, optimize and build audiences for advertising campaigns served on Facebook. In particular it enables treasure.cloud to see how our users move between devices when accessing the treasure.cloud web site and Facebook, to ensure that treasure.cloud’s Facebook advertising is seen by our users most likely to be interested in such advertising by analysing which content a user has viewed and interacted with on the website.
SSID	2 years	Used by Google Analytics that provides an aggregate analysis of website visitors.
user_id	Session	This cookie is set by Treasure, in order for Google Analytics to provide an aggregate analysis of website visitors.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
_fbp	3 months	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy.
ANID	9 years	This cookie carries out information about how the end user uses the website and any advertising that the end user may have seen before visiting the said website.
c_user	1 year	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
datr	2 years	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
dpr	Session	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. This Cookie helps record the ratio and dimensions of your screen and windows in order to render sites and apps correctly on your displays.
DSID	1 month	This is an advertising cookie set by DoubleClick to make advertising more engaging to users and more valuable to publishers and advertisers.
fr	3 months	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy.
id	Session	This is an advertising cookie set by DoubleClick to make advertising more engaging to users and more valuable to publishers and advertisers.
m_pixel_ratio	Session	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
presence	Session	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
sb	2 years	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
x-referer	Session	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy
xs	1 year	This cookie will help deliver our advertising to people who have already visited our website when they are on Facebook or a digital platform powered by Facebook Advertising. For information on how to opt out of these cookies refer to Facebook’s cookie policy.