Privacy Policy

Introduction

Welcome to Call Climber ("we," "us," or "our"). At Call Climber, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our services or visit our website. By accessing or using our services, you consent to the practices described in this Privacy Policy. If you do not agree to this Privacy Policy, please do not use our services.

Definition

Establishment: For the purposes of this policy, "establishment" refers to the primary location where decisions regarding data processing activities are made by the data controller in the EU. In the case of data processors, it refers to their administrative center. If a data controller operates outside the EU, they must appoint a representative within the jurisdiction to act on their behalf and engage with supervisory authorities.

Personal Data: Personal data encompasses any information linked to or identifying a natural person (referred to as the 'data subject'). This includes but is not limited to data that can directly or indirectly identify an individual, such as names, identification numbers, location data, online identifiers, and factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

Special Categories of Personal Data: These are specific types of personal data that are particularly sensitive. They include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for unique identification, health-related data, and data concerning an individual's sex life or sexual orientation.

Data Controller: The "data controller" refers to the natural or legal person, public authority, agency, or organization that independently or in collaboration with others, determines the purposes and methods of personal data processing. In cases where Union or Member State law dictates the purposes and methods, the controller may be designated or specified by such laws.

Data Subject: A "data subject" is any living individual who is the subject of personal data held by an organization. In other words, it's the person to whom the data pertains.

Customer: A "customer" is an entity that receives or consumes products or services and has the ability to choose among different products and suppliers. In the context of government, a customer could be a government employee, citizen, resident, or visitor availing government services.

Users: "Users" encompass individuals, including both employees (both permanent and contracted) and non-employees (such as contractors, consultants, suppliers, vendors, partners, customers, etc.) affiliated with CallClimber.

Processing: "Processing" refers to any operation or set of operations performed on personal data, whether automated or manual. This includes collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, restriction, erasure, or destruction of personal data.

Profiling: "Profiling" is a form of automated personal data processing aimed at evaluating specific personal aspects of an individual or predicting aspects such as work performance, economic situation, location, health, preferences, reliability, or behavior. Data subjects have the right to be informed about profiling, object to it, and understand its potential effects.

Personal Data Breach: A "personal data breach" involves a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data that has been transmitted, stored, or processed. Controllers are obligated to report such breaches to supervisory authorities if they are likely to adversely affect the data subject's personal data or privacy.

Data Subject Consent: "Data subject consent" refers to a data subject's voluntary, specific, informed, and unambiguous indication of their agreement to the processing of their personal data. Consent is typically expressed through a statement or a clear affirmative action.

Child: As per the GDPR, a "child" is an individual under the age of 16. Member State laws may lower this age to 13. Processing personal data of a child is only lawful if parental or custodian consent has been obtained.

Third Party: A "third party" denotes any natural or legal person, public authority, agency, or entity other than the data subject, data controller, processor, and individuals authorized by the controller or processor to process personal data.

Filing System: A "filing system" is a structured collection of personal data organized based on specific criteria. It can be centralized, decentralized, or dispersed functionally or geographically.

Information We Collect

1. Personal Information

We may collect the following types of personal information from you:

Contact Information (e.g., name, email address, phone number).
Account Information (e.g., username, password).
Payment Information (e.g., credit card details).
Call Records (e.g., call logs, recordings, and transcripts).
Communication Data (e.g., messages and emails you send us).

2. Automatically Collected Information

We may also collect certain information automatically when you use our services:

Log Data (e.g., IP address, browser type, access times).
Device Information (e.g., device type, operating system).
Usage Information (e.g., pages visited, features used).

3. Roles and Responsibilities under Data Protection Regulation:

3.1 Call Climber's Data Processing Responsibility: At Call Climber, the management team and all individuals in managerial or supervisory positions bear the responsibility for fostering sound information handling practices. These responsibilities should be clearly outlined in individual job descriptions.

3.2 Policy Owner's Job Description & Responsibilities: The Policy Owner at Call Climber holds a position within the senior management team and is directly accountable to Call Climber's Board of Directors. Their responsibilities encompass the effective management of personal data within the organization and the demonstration of compliance with data protection laws and best practices. These duties include:

Development and execution of GDPR requirements in accordance with this policy.
Oversight of security and risk management concerning policy compliance.

3.3 Policy Owner's Qualifications: The Policy Owner is appointed based on qualifications and experience, as determined by the Board of Directors. They are entrusted with the day-to-day responsibility for ensuring Call Climber's adherence to this policy. Specifically, they are directly responsible for GDPR compliance, and other managers hold similar responsibilities within their respective areas of authority.

3.4 Policy Owner's Specific Duties: The Policy Owner carries specific responsibilities related to procedures like the Subject Access Request Procedure. They serve as the primary contact for Employees, Staff, or Contractors seeking clarification on any aspect of data protection compliance.

3.5 Responsibility for Data Protection Compliance: Compliance with data protection legislation is a collective responsibility shared by all Employees, Staff, and Contractors at Call Climber who are involved in the processing of personal data.

3.6 Accuracy and Data Updates: All Employees, Staff, and Contractors of Call Climber are accountable for ensuring that any personal data provided by them to Call Climber is accurate and kept up-to-date. This includes data about themselves that they have supplied to Call Climber.

How We Use Your Information

We use your personal information for various purposes, including:

Providing and maintaining our services.
Managing your account and processing payments.
Communicating with you about our services and updates.
Analyzing usage data to improve our services.
Complying with legal and regulatory requirements.

Data Sharing

We may share your personal information with third parties under the following circumstances:

With service providers and partners to provide our services.
When required by law or to protect our legal rights.
In connection with a merger, acquisition, or sale of assets.
With your consent.

Your Choices

You have the following choices regarding your personal information:

Access: You can request access to the personal data we hold about you.
Correction: You can update or correct your personal information.
Deletion: You can request the deletion of your personal data.
Opt-Out: You can opt out of marketing communications.

Data Security


Data Protection Principles

Personal data processing must be lawful, fair, and transparent.
Lawful processing requires a valid basis (e.g., consent).
Fair processing includes providing relevant information to data subjects in clear and plain language.

Personal data collection should be for specific, explicit, and legitimate purposes.
Data should be adequate, relevant, and limited to what's necessary for processing.
Personal data must be accurate and kept up-to-date.
Data should be kept in a form that identifies the data subject only when necessary.
Data beyond the processing date should be minimized and encrypted.

Data Security Measures
A risk assessment is conducted to evaluate security appropriateness.
Consideration of potential damage, loss, and reputational damage due to security breaches.

Technical measures
Password protection (Laptop & Computer Security Policy).
Automatic locking of idle terminals.
Removal of access rights for USB and other media (Secure Disposal of Storage Media).
Use of virus checking software and firewalls.
Role-based access rights, including temporary staff.
Encryption of devices leaving the premises (e.g., laptops).
Network security (local and wide area).
Identifying relevant international security standards (e.g., ISO 27001).

Organizational measures
Appropriate training levels for staff.
Measures considering employee reliability (e.g., references).
Inclusion of data protection in employment contracts.
Identification of disciplinary actions for data breaches.
Staff monitoring for compliance with security standards.
Physical access controls to electronic and paper-based records.
Adoption of a clear desk policy.
Secure storage of paper-based data in lockable fire-proof cabinets.
Restrictions on the use of portable electronic devices outside the workplace.
Rules and policies about passwords (hardening policy).
Regular backups of personal data stored off-site.

Data Protection Rights

As a data subject, you have certain rights under the General Data Protection Regulation (GDPR), including:

The right to access your personal data.
The right to rectify inaccurate or incomplete data.
The right to erasure of your personal data.
The right to restrict processing of your data.
The right to data portability.
The right to object to processing.
The right not to be subject to automated decision-making.

Security of Personal Data

Access Control and Data Security Measures:

Personal data access is restricted to authorized personnel.
Access follows the Access Control Policy.
Data can be stored securely in the following ways:
In a lockable room with controlled access.
In a locked drawer or filing cabinet.
Electronically, with password protection based on corporate requirements.
On removable computer media, encrypted following the Secure Disposal of Storage Media policy.
Digital files are stored on secure servers with access restricted to authorized personnel only.

Protection of Manual Records:

Manual records with personal data should not be left unattended in areas accessible to unauthorized personnel.
Removal of manual records from business premises requires explicit authorization.
Records no longer needed for daily operations should be securely archived per the data retention policy.

Data Deletion and Disposal:

Personal data can only be deleted or disposed of in line with the Data Retention Policy.
Manual records past their retention date should be securely shredded and discarded as 'confidential waste.'
Redundant PC hard drives should be removed and immediately destroyed following the disposal procedure.

These measures ensure the security and protection of personal data at Call Climber.

Data Breach Notification

The data Processor (Call Climber) is committed to ensuring the security and protection of your personal information. In the event of a personal data breach, we will immediately notify the data Controller (you) as required by applicable data protection laws. Notice will be given to one of the Controller's known addresses within 24 hours from the moment the Processor becomes aware of the breach.

The notification will include, but is not limited to, the following information:

A description of the type of the personal data protection infringement, including the categories and approximate number of affected persons, as well as the respective categories and approximate number of the personal data sets.

The name and contact details of the data protection officer or another point of contact for further information.

A description of the probable consequences of the personal data protection infringement.

A description of the measures taken or proposed by the Processor to rectify the personal data protection infringement and, where applicable, measures to mitigate their possible adverse effects.

Disclosure of Data

Call Climber is committed to safeguarding your personal data and ensuring its privacy. We do not disclose personal data to unauthorized third parties, which includes but is not limited to family members, friends, government bodies, and, under specific circumstances, law enforcement agencies such as the Police.

All requests for the disclosure of personal data for any of the aforementioned reasons must be accompanied by the necessary supporting documentation. Furthermore, any such disclosures will only be made with explicit authorization from our designated GDPR Owner. This authorization ensures that the sharing of data is conducted in compliance with relevant data protection regulations and laws.

Disclosure for Limited Use of Google API Data:

Our application at Call Climber integrates with various Google APIs and adheres to Google's API Data Policy, including its Limited Use rules. This means that any data obtained from Google APIs, including information from Restricted and Sensitive Scopes, is handled in strict accordance with Google's established policies and guidelines.

We encourage all users of the Call Climber application to review Google's API Data Policy to gain a comprehensive understanding of how their data is managed when using our app. By utilizing the Call Climber app, you agree to abide by the terms outlined in this disclosure, as well as our comprehensive privacy policy.

Please be aware that your use of our app implies your acceptance of these terms and policies.

Rights and Obligations of the Controller

As the Data Controller (Client) at Call Climber, you hold the primary responsibility for evaluating the suitability of requested data processing and safeguarding the rights of the individuals whose data is being processed.

It is incumbent upon you to maintain comprehensive records of all orders, partial orders, or instructions pertaining to data processing. In situations where immediate action is necessary, you may provide instructions verbally; however, it is imperative that such verbal instructions are swiftly confirmed and documented by you, the Controller.

Should you come across any errors or irregularities during your review of the processing outcomes, it is your duty to promptly notify the data Processor.

You have the right to oversee and ensure compliance with data protection regulations and contractual agreements with the data Processor. This oversight may be conducted directly or through third-party representatives. It includes activities such as gathering information, accessing stored data, examining data processing programs, and conducting on-site inspections. The data Processor is obligated to facilitate these audits, granting access and providing all necessary information, policies, and documentation for the review process.

It is crucial to ensure that any inspections carried out at the premises of the Processor do not unreasonably disrupt their regular business operations. Unless exceptional circumstances necessitate immediate action, which must be well-documented, inspections should be scheduled with reasonable advance notice and conducted during the Processor's standard business hours. These inspections should not occur more frequently than once every 12 months.