This privacy notice is designed to transparently communicate to our clients the personal data processing operations that take place when using a client account on the Orgo platform at https://orgo.space. Please read this privacy policy carefully to understand how we handle your personal data. If you would like to read about our processing of personal data when you are simply browsing our website, please go to https://orgo.space/website-policy .

1. Who we are

We are Orgo Informatics S.R.L. (hereinafter “Orgo”, “we, “us” or similar),(a limited liability company with registered address in European Union, Romania, at Ploiesti, Gheorghe Grigore Cantacuzino Street no. 14, Prahova County, reg. no.: J29/2796/2019, fiscal code RO41650396.

When you are using the Orgo platform at app.orgo.space, we collect and process several categories of personal data from you as representative of our client (“Client” or “you”). This makes us a controller with regard to the personal data we process.

2. What Personal data we process and why

2.1 Creation of an account on the Orgo website

When creating an account on the Orgo platform, we collect your name and your business e-mail address. In the profile section of your account, you can also fill in your phone number. You will also be required to set up a password to ensure security of your account.

We use this data in order to manage your account and to communicate to you with regard to your usage of our services. This processing takes place based on our legitimate interest to ensure the management and coordination of our services (art. 6.1.f GDPR).

These categories of data are being stored by Orgo for a duration of 3 years as of the de-activation of the account.

2.2 General management of the contractual relation with the Client

In performing our services, we will process certain information, including your contact data, as needed to contact you or otherwise communicate with you about the services you are using, manage your account, enable the usage of our services, billing and payment, providing customer support, responding to complaints or requests. Such information is processed under our legitimate interest to ensure the coordination of our activity and perform our services contracted by the Client (which includes trial periods), evaluate and review our business performance, improve our services; and identify potential cyber security threats. If necessary, we will also use your data (or data about you) to pursue or defend ourselves against legal claims.

These categories of data are being stored by Orgo for a duration of 3 years as of the termination of the Customer Agreement concluded with Orgo.

Also, we are required under the law to collect and store tax documents, such as invoices, proof of performing the services and proof of payments issued or made in the course of performing the Customer Agreement. Such data will be processed under our legal obligations under the accounting law and related legislation and will be kept the applicable tax prescription duration (currently 10 years as of 1 July of the year following the operation).

2.3 Monitoring the use of the Orgo services

When using the Orgo services, we track and monitor your activity, in order to ensure functionality of our services and to verify that the terms of use, as set forth in our Customer Agreement are being observed. This implies that we process data regarding your activity on the Orgo platform, and for each user of your organisation. We process this data in our legitimate interest, for the management and coordination of our services.

These categories of data are being stored by Orgo for a maximum duration of 3 years.

2.4 History audit

Following your use of the Orgo platform, we create audit reports that show the activity in your account, that you can access from your Orgo account. Such reports contain details regarding your performed action, the username, the IP, the time of the action and the related logs. We process such data in our legitimate interest, for the management and coordination of the Orgo services and in the legitimate interest of the Client, for your management and supervision of the Orgo account, as well as assisting Client’s compliance with audit and security requirements.

These data are being stored by Orgo for a duration of no more than 5 years.

2.5 Use of the Orgo website

When visiting our website, certain information is collected and stored by us. You can read more about how we process data when you visit our website and about our use of cookies in our Website Privacy Policy.

2.6 Marketing

If you give us your consent, or if you are our customer and did not oppose to direct marketing, we will also use your email address for our email marketing campaigns, to send you commercial information with regard to our services. You can withdraw your consent or object to this use at any time by following the link to unsubscribe at the bottom of our marketing emails.

2.7 IMPORTANT

We do not have access to, and we do not collect, store or process in any way, any information or data that is run by the Client through the Orgo platform (“Client Content”). As such, we do not have any role or connection with your processing of personal data included in the Client Content.

3. How we share information

We will disclose your personal data only for the purposes and to those third parties, as described below. We will take appropriate steps to ensure that your personal data are processed, secured, and transferred according to applicable law.

3.1 Disclosure to recipients

We will share the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of recipients:

(a) payment processors that process your payment for our services. These payment platforms act as controllers with regard to your data, collect most data directly from you, and such personal data processing is subject to their own privacy policy.

(b) companies that provide products and services to us (processors), such as: information technology systems suppliers and support, including cloud platform services (PaaS) and infrastructure services (IaaS), digital archiving, telecommunication suppliers, back-up and disaster recovery and cybersecurity services. You may obtain a list of such processors upon request.

(c) companies involved in the operation of our website as indicated in the https://orgo.space/privacy.

(d) other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors, where their activity requires such knowledge or where we are required by law to make such a disclosure.

We will also disclose your personal information to third parties:

(a) if you request or authorize so;

(b) to persons demonstrating legal authority to act on your behalf;

(c) where it is in our legitimate interests to do so to run, grow and develop our business. More specifically, if Orgo or substantially all of its assets are acquired by a third party, in which case personal information held by Orgo will automatically be one of the transferred assets;

(d) if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;

(e) to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or

(f) to protect the rights, property or safety of Orgo, our employees, customers, suppliers, visitors, or other persons.

We, as well as some of these recipients may use your data in countries which are outside of the European Economic Area. Please see Section 5 below for more details on this aspect.

3.2 Restrictions on use of personal data by recipients

The third parties with whom we choose to share your personal information pursuant to the above, are limited (by law and by contract) in their ability to use your personal information for the specific purposes identified by us. We will always ensure that any third parties with whom we choose to share your personal information are subject to privacy and security obligations consistent with this Client Privacy Policy and applicable laws. However, for the avoidance of doubt, this cannot be applicable where the disclosure is not our decision, including where it is a legal obligation or you request it.

Save as expressly detailed above, we will never share, sell or rent any of your personal data to any third party without notifying you and, if applicable, obtaining your consent.

4. Your rights

As a data subject, you have specific legal rights relating to the personal data we collect from you. We will respect your individual rights and will deal with your concerns adequately.

(a) Right to withdraw consent: Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment.

(b) Right to rectification: You may obtain from us rectification of personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us. In certain situations (such as profile data in the Orgo account), we provide self-service mechanism so that where users have the possibility to review and rectify their personal data.

(c) Right to restriction: You may obtain from us restriction of processing of your personal data, if:

(i) you contest the accuracy of your personal data, for the period we need to verify the accuracy,

(ii) the processing is unlawful, but you object to the erasure of the personal data, requesting instead the restriction of its use,

(iii) we do no longer need your personal data, but you request it for the establishment, exercise or defense of legal rights, or

(iv) you object to the processing while we verify whether our legitimate interests override yours.

(d) Right to access: You may ask us for information regarding personal data that we hold about you, including information as to which categories of data we have in our possession, what it is being used for, where we collected it if obtained indirectly, and to whom it is disclosed, if applicable.

We will provide you with a copy of your personal data upon request. If you request further copies of your personal data, then we can charge you with a reasonable fee that we base on the administrative costs.

(e) Right to portability: You have the right to receive your personal data that you have provided to us, and, where technically feasible, request that we transmit your personal data (that you have provided to us) to another organization.

You have these rights if, on a cumulative basis:

• • we process your personal data by automated means, and the transmission is technically feasible;
  • we base the processing of your personal data on your consent, or our processing of your personal data is necessary for the execution or performance of a contract to which you are a party;
  • your personal data is provided to us by you; and
  • the transmission of your personal data does not adversely affect the rights and the freedoms of other persons.

(f) Right to erasure: You have the right to request that we delete the personal data we process about you. We must comply with this request if we process your personal data, unless such data is necessary:

• • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation that binds us;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
  • for the establishment, exercise or defense of legal rights.

Under the General Data Protection Regulation (GDPR), we respect your right to control your personal data. You can delete your data at any time by navigating to 'Update my account', then selecting 'Settings' and clicking on the 'Delete data' button. This action will permanently remove all personal information associated with your account. We understand you may wish to discontinue our services without erasing your data. In such cases, we offer the option to temporarily close your account. Please be advised, while your account is closed, we will continue to securely store your personal data, ensuring it remains protected in accordance with GDPR guidelines. Nevertheless, you maintain the right to erase your data completely at any point in time, as per your discretion.

(g) Right to object: You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless (i) we can demonstrate compelling legitimate grounds and an overriding interest for the processing or (ii) if the purpose is the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you also wish the erasure of your personal data, otherwise we will only restrict it.

You may always object to the processing of your personal data for direct marketing that was based on our legitimate interest, regardless of any reason. If the marketing was based on your consent, you can withdraw consent.

Please note:

• Time period: We will try to fulfill your request within one month. Nevertheless, this period may be extended with up to two months due to reasons relating to the specific legal right or the complexity of your request. In all cases, if this period is extended, we will inform you about the term of extension and the reasons that led to it.
• Restriction of access: In certain situations, we may not be able to give you access to all or some of your personal data due to statutory restrictions. If we deny or limit your access, we will advise you of the reason for such measure.
• No identification: In some cases, we may not be able to look up your personal data due to the identifiers you provide in your request. In such cases, where we cannot identify you as a data subject, we are not able to comply with your request to execute your legal rights as described in this section, unless you provide additional information enabling your identification. We will inform you and give you the opportunity to provide such additional details.
• Exercise of your rights: In order to exercise your rights please contact us in writing or electronically at the contact addresses provided for in Section 8 below.

5. TRANSFER OF PERSONAL DATA OUTSIDE OF THE EUROPEAN UNION

The personal data may be processed by our processors operating outside the Economic European Area (European Union, Iceland, Norway and Liechtenstein), for the purposes mentioned in Section 2 above. You may see additional details on the recipients of your personal data in Section 3 above.

Where your personal data is provided to entities outside the EEA, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this notice. These measures include, for example, concluding of agreements containing the European Commission approved standard clauses.

6. Security

We are committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and take all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate organizational and technical measures. Organizational measures include physical access controls to our premises and staff training. Technical measures include use of encryption, passwords for access to our systems and use of anti-virus software.

In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.

7. Changes to our Privacy policy

We reserve the right, at our discretion, to modify our privacy practices and update and make changes to this privacy policy at any time. For this reason, we encourage you to refer to this privacy policy on an ongoing basis. This privacy policy is current as of the date which appears at the top of the document. We will treat your personal data in a manner consistent with the privacy policy under which they were collected.

8. Contact information; requests and complaints

Please direct your questions regarding the way we collect, use or store your personal data and any requests in the exercise of your legal rights to the following contact details:

contact@orgo.space

We will investigate and use all reasonable efforts to resolve any request or complaint regarding the use or disclosure of your personal information.

If you are not satisfied with our reply, you may also make a complaint to the relevant data protection supervisory authority (in Romanian: National Supervisory Authority for Processing of Personal Data or ANSPDCP). You can find further information about the process of lodging complaints with ANSPDCP at https://www.dataprotection.ro/?page=procedura_plangerilor, and you can file a complaint using the form available at https://www.dataprotection.ro/?page=Plangeri_RGPD&lang=ro or by contacting ANSPDCP directly by email at anspdcp@dataprotection.ro or by post at 28-30 G-ral. Gheorghe Magheru Blvd., Sector 1, postal code 010336, Bucharest, Romania.