PRIVACY POLICY – Personal Data

Effective: May 25, 2018

Activity Stream Aps. and Activity Stream ehf. (ltd.). (“We”, “Activity Stream”, “our” or “us”) are committed to protecting your (“you” or “your”) personal data, handling it responsibly and respecting your privacy.

This Privacy Policy applies to the following:
1) The personal data processed by Activity Stream on behalf of customers using our platform (the “Services”), collectively “Customer Data”.
2) The personal data required to provide our services to users (e.g. user login information and service related correspondence and user inquiries), collectively “User Data”.
3) The personal data we collect when you use our websites, and to support other interactions (e.g. exchange of emails during user conferences), collectively “Communications Data”.

The sections below explain in more detail:
The types of personal data we collect and receive.
Why and how we process personal data.
Who we share personal data with.
Personal data transfers outside of the EEA.
Data retention and data security.
Your rights to withdraw your consent.
Your other personal data rights.
How to contact us and exercise your rights.

THE TYPES OF PERSONAL DATA WE COLLECT AND RECEIVE
Activity Stream may collect and receive personal data and other information and data in a variety of ways:

Customer Data
We receive your personal data when you engage with our customers, e.g. to purchase tickets and attend events. Personal data from our customers include:
The name and contact details that you provide at the time of making a purchase, other information you provide during purchase, location, gender, purchase history, interactions with email and social media campaigns.
Your marketing preferences, including any consents you have given to our customers

User Data
Information such as your email and login information, browser or device information, web tracking and log data.
Data related to service requests and user inquires, services metadata.

Communications Data
Information about your use of our website, such as cookie information.
Your communications with us, including when you report a problem with our site or make a sales and marketing related inquiry.
Other communications such as engagement with social media campaigns, participation in a focus group, contest, activity or event, job application or comment on social media.

WHY AND HOW WE PROCESS YOUR PERSONAL DATA:
This section explains the reasons why and how we process your personal data and our legal bases for doing so. Customer Data will be processed by Activity Stream in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Data Processing Agreement. Activity Stream is a processor of Customer Data and our customers are data controllers. The Activity Stream platform can be used for fraud detection, sales analytics, and marketing analytics. If the information is aggregated or de-identified so it is no longer reasonably associated with an identified or identifiable natural person, Activity Stream may use the information to provide other services to our customers.
Our customers have legitimate interests to instruct Activity Stream to process your personal data for the following purposes:
To detect fraud when someone with malicious intent is, for example, buying tickets from our customers.
To prevent, investigate and/or report fraud, misrepresentation, or crime.
To support delivery of our services as stated in Service Agreements with customers, such as preventing or addressing service errors, security or technical issues.
To track availability of seats and/or tickets.
To carry out profiling to improve our customer’s service offerings and make sure they are relevant and appropriate to you.
To monitor, improve and protect our customers’ products, content, and services.
For other purposes as required by applicable law, legal process or regulation.

Activity Stream has a legitimate interest in processing personal data relating to the users of our services for the following purposes.
To enable login validation and account access.
To communicate with you by responding to your requests, comments, and questions as a user of our services.
To send updates and important notices regarding our services, such as scheduled downtime and new features.
To contact you regarding billing, account management, and other administrative matters.
To analyze and monitor usage.
To manage legal claims, compliance, regulatory and investigative matters.
To investigate and help prevent security issues and abuse.

Activity Stream has a legitimate interest in processing personal data relating to potential users of our services for the following purposes.
To provide information of our services to contacts that have made requests, comments or questions.
To respond to communications regarding, for example, job applications, new service offerings or compliance.

WHO WE SHARE PERSONAL DATA WITH:
We may share personal data for the following reasons:
We may engage third party companies or individuals as service providers or business partners to process information, including personal data, to support our business.
For Customer Data, we may use third parties to provide storage and transmission services, logging services and backup services.
For User Data, we may use third parties to provide logging services, identity management, email and customer support services.
For Communications Data, we may use third parties to provide customer relationship service.
Additional information about the sub-processors we use to support delivery of our Services can be found here: Sub-processors.
We may share personal data with government authorities to assist with their official requests and comply with our legal obligations.

PERSONAL DATA TRANSFERS OUTSIDE OF THE EEA:
The EEA includes all EU countries, as well as Iceland, Liechtenstein and Norway. Some of the third parties that we share personal data with (sub-processors) are located outside of the EEA, for example in the United States of America.
Where your personal data is transferred to a country outside of the EEA and that country is not subject to an EU adequacy decision, we will ensure your data is protected by appropriate safeguards (for example, EU approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules).
Activity Stream has an office in Serbia. Our employees in Serbia adhere to all the same security and privacy controls as other employees of Activity Stream.

DATA RETENTION & DATA SECURITY:
We retain personal data relating to your purchases (Customer Data) as per Data Protection Agreements with data controllers (our customers). We retain User Data as per Service Agreements with our customers. This is to meet our legal and contractual obligations towards our customers.
Activity Stream takes the security of data very seriously. We work hard to protect all data trusted to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the data we collect, process and store, and the current state of technology.
We seek to use reasonable organizational, technical and administrative measures to protect personal data within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us on support@activitystream.com. If you worry that any data we may have received from our customers (the service that you bought tickets from or the venue where you attended an event) has been compromised, please immediately notify our customers of the problem by contacting them directly.
Unfortunately, the transmission of information via the internet is not completely secure. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

YOUR RIGHTS TO WITHDRAW YOUR CONSENT:
Your rights to withdraw consent and to object (including to direct marketing)
Wherever we rely on your consent to process personal data, you always have a right to withdraw that consent.
You also have the right to object to any use of your personal data for direct marketing purposes, as well as to processing that we undertake based on our legitimate interests.
Please note that if you want to object to any processing of Customer Data the right action plan is to contact our customers (the service that you bought tickets from). For User Data and Communications Data please contact support@activitystream.com.

YOUR OTHER PERSONAL DATA RIGHTS:
In addition to your rights to withdraw your consent and to object, you have the right to ask us to:
Provide you with access to information about your personal data or for a copy of your personal data.
Correct or erase your personal data.
Restrict (i.e. stop any active) processing of your personal data.
Provide you with certain personal data in a structured, machine-readable format and to transmit that data to another organization
These rights may not always apply, for example, if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law to keep or have a compelling legitimate interest in keeping. If this is the case, then we’ll let our customers know when we respond to their request on your behalf.
We will gladly assist; however, for Customer Data, we can only assist if the request comes through our customers, the data controllers.

HOW TO CONTACT US AND EXERCISE YOUR RIGHTS:
The easiest way to stop receiving information from our customers or exercise other rights of yours regarding Customer Data is to contact them directly. Please direct any questions to support@activitystream.com and we will answer any questions you may have and support you regarding how to exercise your rights.