We may process personal data of individuals on the basis of a concluded contract (e.g., the conclusion of a contract for the use of our services) or negotiations for the conclusion of a contract (e.g., when an individual contacts our organization through our official communication channels and wants to obtain more information about our services).

In the described cases, you provide us with personal data as part of a contractual obligation or as part of negotiations for the conclusion of a contract, whereby we consequently do not need your explicit consent for the above-mentioned processing of your personal data. In principle, you will not suffer any serious negative consequences in situations where we would otherwise need your personal data to perform our services and you do not provide us with these data. However, such situations can significantly complicate or even prevent the execution of ordered services or our cooperation, and you will be informed in advance or subsequently in these cases.

Our organization may also process personal data for the purposes of fulfilling legal and other lawful obligations, especially those governing taxes and accounting requirements (e.g., records of issued and received invoices, etc.), for example: when an inspector or another holder of public authority orders our organization to entrust him with personal data of a certain client/visitor in accordance with the law (for example, in the context of conducting inspection supervision under the provisions of the applicable law, when our organization processes personal data of a client to whom it has issued an invoice, our organization processes this invoice and client data (e.g., personal name, contact details, etc.) on the basis of the applicable tax laws and regulations (see section 3.2.), etc.

We are also allowed to process certain personal data for the purposes of safeguarding our own legitimate interests. Such cases may arise, for example, when the processing of your data would be necessary from the perspective of administrative, criminal, or civil proceedings (e.g., when our organization would have to submit a database as evidence in a procedure, otherwise our organization would suffer a penalty or severe and irreparable damage), in which case we will always process only those data that are absolutely necessary to pursue such legitimate goals. OUR organization is also allowed to process the personal data of an individual in cases where the processing is necessary to protect the vital interests of the individual (e.g., looking up the address of an individual who is facing an immediate and serious life-threatening danger).

Interacting with us and the use of our services is generally not conditional on you agreeing to the processing of your personal data.

However, we can also process your personal data based on your explicit consent. An individual’s explicit consent is considered as his voluntary declaration of will by which he agrees to the processing of certain personal data for a certain purpose, (e.g., when you consent to receiving our newsletter or other commercial messages), whereby in such cases we process those data that are indicated in the relevant section of the table from point 1, where consent is indicated as the legal basis for processing.

Receiving such communication can be stopped at any time by following the link contained in every newsletter/commercial email message or by contacting us at the email address that is listed at the beginning of this document.

Based on your consent, our online advertising can also be performed, provided that you have agreed to the installation of optional (advertising) cookies and tracking pixels of our advertising partners when visiting our website (e.g., installation of the Google Analytics cookie, which enables us to advertise our services more easily on other websites, etc.). A detailed list of optional cookies from our advertising partners, the data we process with them, and the retention periods of these data is defined on the “Cookies” page.

Our organization provides each individual with the right to withdraw his explicit consent at any time in a simple way, by contacting us at any time at the email address that is listed at the beginning of this document.

The withdrawal of consent does not affect the legality of the processing that was carried out on the basis of consent until the moment of withdrawal.

If you do not give consent for the processing of personal data, give consent partially or withdraw consent (partially), we will, if possible, cooperate with you only to the extent of the given consent or in ways permitted by applicable law.

Consent is voluntary and if you decide not to give it or later withdraw it, this in no case infringes on your other rights or represents additional costs or aggravating circumstances for you.

The retention period of personal data depends on the basis and purpose of processing each category of personal data. Personal data is usually stored as long as necessary to fulfill the purpose for which the data was collected, or until some regulation requires us to keep it, after which it is deleted.

If the retention period of individual data is not more precisely defined in the table in section 1, the following applies:

Our organization may retain the data for another 15 days after the expiration of the said retention period with the aim of being able to destroy the stored data from all data carriers and servers during this period.

An individual can always request the deletion of data by sending their request to our organization’s official email address that is listed at the beginning of this document.

Your personal data is processed by those employees in our organization who need the data in order to perform their work. All employees are bound by confidentiality and are required to protect your personal data.

In certain cases, as prescribed by applicable legislation, our organization must also provide or report your personal data to the competent state authorities, as well as to authorities that are, for example, competent for financial, tax or other supervision (e.g., the Estonian Data Protection Inspectorate, etc.). In certain cases, our organization is obliged to provide data to third parties, if such an obligation to provide or disclose is imposed on our organization by law or the legal entitlement of a third party.

In addition to the employees in our organization, the users of personal data can also be employed persons of contractual processors of our organization, who can process personal data as confidential exclusively on behalf of our organization and within the limits of the contract on external processing of personal data, which our organization has concluded with each such processor. Contractual processors may only process personal data within the instructions of our organization (i.e., the contract), and they may not use the data to pursue any of their own interests.

The contractual processors our organization engages that might come into contact with your personal data are:

Our organization will not disclose your personal data to third unauthorized persons.

If you would like to obtain an exact list of all contractual subprocessors of our organization, you can write to us at the email address that is listed at the beginning of this document.

Hosting our website and storing the data you provide to us via the website (e.g. in connection with communication via the contact form on the page, etc.), is stored by our hosting provider with servers inside the EU. To obtain information on our hosting provider, please send your request to we@feelrooty.com.

As a rule, our organisation does not transfer personal data to third countries (i.e. outside the European Union, Iceland, Norway and Liechtenstein, i.e. the EEA) and international organisations.

An exception to this is the occasional transfer of certain technical and personal data to the servers of the above-mentioned processors whose headquarters or servers are located in the USA (e.g. the automatic transfer of certain data collected by Alphabet Inc.’s cookies, entering email addresses in commercial messaging tools, etc.), whereby the relevant processors are former members of the Privacy Shield (https://www.privacyshield.gov/) and have complied with and adopted security measures in relation to the receipt or transfer of data after 12 July 2020 (e.g. standard contractual clauses) or have adequately performed and achieved full self-certification in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data in the EU-US data privacy framework (i.e. in the context of the new EU-US data transfer framework in accordance with the above adequacy decision as of 10 July 2023).

More detailed information on the categories of users and data sub-processors, can be obtained by sending a request in this respect to the email address that is listed at the beginning of this document.

We do not direct individuals to provide specific personal data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data, data relating to health or data relating to an individual’s sex life or sexual orientation) in connection with our website or services.

If our organisation becomes aware of a situation in which such data may be disclosed to it, the data received will be protected or otherwise dealt with as appropriate.

What are your rights regarding your personal data and how can you exercise them?

In relation to this personal data processing notice or the processing of your personal data by our organization and our contractual processors, you can contact us at any time and without any reservations via the email address that is listed at the beginning of this document. You can also use this address to send your requests and exercise other rights related to personal data and GDPR regulation.

As an individual to whom the personal data refers, the GDPR regulation provides you with the opportunity to exercise the following rights with our organization:

Right to be Informed: Individuals have the right to be informed about the collection and use of their personal data.

Right of Access: Individuals have the right to access their personal data and obtain information about how it is being processed, as well as a copy of the data itself

Right to Erasure (Right to be Forgotten): Individuals have the right to request the deletion of their personal data in specific circumstances.

Right to Withdraw Consent: If personal data processing is based on consent, individuals have the right to withdraw their consent at any time and without any detriment.

Right to Rectification: Individuals have the right to request the correction of inaccurate or incomplete personal data. If the data has been shared with third parties, our organizations must inform those parties of the rectification, if possible.

Right to Restrict Processing: Individuals have the right to request the restriction of processing of their personal data. This right applies in certain cases, such as when the accuracy of the data is contested or the individual has objected to the processing.

Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format in certain cases. They can also request that their data be transmitted to another controller if the processing is based on consent or a contract and where the processing is carried out by automated means.

Right to Object: Individuals have the right to object to the processing of their personal data based on legitimate interests or public interest/exercise of official authority. Our organization must cease such processing unless it can demonstrate compelling legitimate grounds that override the individual’s interests, rights, and freedoms.

Rights in Relation to Automated Decision Making and Profiling: Individuals have the right not to be subject to solely automated decisions, including profiling, which significantly affects them. They have the right to obtain human intervention, express their point of view and challenge the decision.

Right to lodge a complaint with a supervisory authority: If you believe that the processing of personal data performed in connection with you by our organization violates personal data protection regulations, you may, without prejudice to any other (administrative or other) remedy, lodge a complaint with the a supervisory authority, in particular in the country where you have your habitual residence, your place of work or where the infringement is alleged to have taken place, whereby:

- in the Republic of Slovenia the authority is the Informacijski pooblaščenec, Dunajska 22, 1000 Ljubljana, Slovenia, EU, email: ip@ip-rs.com, phone: +38612309730, website: www.ip-rs.com.

- A list of other EU supervisory authorities and their contact information can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en#

We do not use automated decision making or profiling.

Our organization does not knowingly collect or otherwise process personal data of persons under 15 years of age.

If our organization subsequently finds out that it has processed the personal data of such a person without the consent of his parent or guardian, our organization shall do everything necessary to delete all provided personal data.

At the email address that is listed at the beginning of this document., the above-described persons or their parents or guardians shall be able to submit their requests for the deletion of the data concerned at any time.

You can limit or revoke your consent for the processing of data at any time by contacting our organization as a processor of your personal data at the email address that is listed at the beginning of this document.

Our organization carefully stores and protects personal data through organizational, technical and logical procedures and measures to protect the data from accidental or intentional unauthorized access, destruction, alteration or loss, and unauthorized disclosure or other form of processing to which you have not expressly consented to.

To this end, our organization has also adopted appropriate internal processes and set up various measures (e.g. assigning, using and changing passwords, locking premises, offices, server and workstation locations, regularly updating software and upgrading security-critical components, physically protection of material containing personal data in specially designated places, training of employees, etc.). Our organization also demands these security commitments from its contractual processors.

You can learn more about them here.

Version and date of the last update of this notice.

This notice was last updated on August 20th, 2023.

Biohacking Vital d.o.o.