Data Protection Privacy Policy of SIA Mitigate, unified reg. No. 50103381201, VAT reg. No. LV50103381201, legal address: Gustava Zemgala gatve 74A, Riga, LV-1039, Latvia, hereinafter - the Company. This Policy is applicable in cases when the Company, or the Company together with its Cooperation Partners, processes personal data.

Regarding potential employees the Privacy policy is applied till decision about candidates employment is made. After moment decision on candidate's employment is made, all internal regulations are applied as for any employee.

1. Definitions

1. Controller is a natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data;
2. Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
3. Third party is a natural or legal person, public authority, agency or body other than the Data Subject, the controller, the processor and persons, who under direct authority by the Controller or the Processor are authorised to process Personal Data;
4. Personal data is any information relating to an identified or identifiable natural person (Data Subject);
5. Data Subject is an identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, surname, identification number, prhone number, e-mail address, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
6. Processing is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or being made available otherwise, alignment or combination, restriction, erasure or destruction;
7. Customer is any natural or legal person who uses, has used, or has expressed a wish to use any services provided by SIA Mitigate or is in any other way related to them;
8. Cooperation Partner is any natural or legal person with whom the Company works on joint projects or whose objectives are shared by the Company;
9. Candidate is any natural person, who has applied to vakancy or who has been contacted by Company using social media profile contact information, or who has been contacted and candidate (You) have replied to, or You have provided Your personal information to recruitment company.

2. General Provisions

1. 2.1. This privacy policy, hereinafter - the Policy, describes the procedure by which the Company handles the personal data that comes into its possession. Depending on the legal basis of the data processing, the Company may be a controller, a processor or a third party;
2. 2.2 The Company shall ensure the confidentiality of personal data within the framework of applicable laws and regulations and has implemented appropriate technical and organisational measures to protect personal data from unauthorised access, unlawful processing or disclosure, accidental loss, alteration or destruction;
3. 2.3. In cases where the Company acts as a controller of personal data, it shall determine the purposes and means of personal data processing;
4. 2.4. In cases where the Company acts as a processor of personal data, the Company shall process personal data on behalf of the controller;
5. 2.5. In cases where the Company acts as a third party, the Company is authorised to process personal data under the direct supervision of the controller or processor;
6. 2.6. In cases where the Company processes data, the Company may use approved personal data processors for personal data processing. In such cases, it shall take the necessary measures to ensure that such processors process personal data in accordance with the instructions of the Company and in accordance with applicable laws and regulations and require appropriate security measures to be taken;
7. 2.7. If the Company updates this Policy, the current version of the Policy shall be published on the Company's website www.mitigate.dev in the privacy policy section, while you may get acquainted with the historical versions of this Policy by contacting the Company and sending an e-mail to: datuapstrade@mitigate.dev.

3. How the Company obtains the data of natural persons (you)

1. 3.1. The Data Subject (You) submits his/her data to the Company;
2. 3.2. The Company receives personal data from its Customers or Cooperation Partners;
3. 3.3. Company receives personal data from third parties;
4. 3.4. The Company records your data, which is located in the public space (media, social networks, your workplace website, etc.);
5. 3.5. You are visiting our website (see cookie policy);
6. 3.6. You participate in corporate events organised by us, where you can be photographed or filmed;
7. 3.7. You participate in our surveys, contests, etc.;
8. 3.8. You participate in business forums, business networking, your contact information in social networks is created for the exchange of mutual communication, such as LinkedIn, or You follow us on social media, contact us etc.;
9. 3.9. You visit our office.
10. 3.10. You add Your data in Company`s systems;
11. 3.11. You apply for our services using the registration forms posted on our website.

In cases where the Company obtains data from the controller, any responsibility for informing the Data Subject shall rest with the relevant controller.

Company doesn't perform video surveillance in it's office. In building, where office is located, landlord performs video surveillance of common areas and is responsible for that.

4. What personal data may be processed by the Company?

Depending on the nature of the data processing, the Company may process the following personal data:

• Personal identification data - name, surname, personal identification number/ID, date of birth;
• Personal contact information - address, telephone number, e-mail address;
• Personal workplace data - workplace, position held;
• Data on Your experience, education, professional skills, recommendations and other data, which allows to evaluate You as professional;
• Actions taken on internet websites - IP address, actions taken, date and time;
• Data published by a person on social networks;
• Survey and contest data - name or date of the survey or contest, date of the answer, questions/tasks of the survey and answers provided;
• Photos, videos of corporate events, date, place of the photos;
• Photos uploaded to Company systems;
• Your contact details from social media accounts, which are used for detail exchange, as Linkedin;
• Communication data, in case of communication between us;
• Data of various categories, including, in exceptional cases, data of special categories, which the Company processes within the framework of various projects as a controller, processor or as a third party on the basis of the authorisation of the Controller.
• Depending on the provided service, the provided product, the nuances of mutual cooperation, your above-mentioned data may be processed to different extents, in different combinations, with different purposes, and on different legal grounds, as mentioned in this privacy policy.

5. Legal basis for data processing

1. 5.1. Conclusion and performance of the agreement - in order for the Company to be able to conclude and perform the agreement concluded with the Customer or the Cooperation Partner, providing high-quality services, it must collect and process certain personal data. (GDPR clause 6 part 1, b subsection);
2. 5.2. Legitimate interests of the Company - in order to observe the interests of the Company based on compliance with the requirements of applicable laws and regulations and provide high-quality services and timely support to the Customer and/or Cooperation Partner, the Company may process personal data of the Customer or Cooperation Partner to the extent objectively necessary and sufficient. In addition, the processing of personal data providing information about news in the field in which the Company operates, new development opportunities, including direct marketing, as a result of which the Company can individually address various persons to inform them about news in the field, education and development opportunities, on opportunities to provide a new and/or individually prepared offer of the Company's products and services, shall be considered a legitimate interest. However, the Company respects the wishes of the Data Subject and provides an opportunity to opt out of receiving the above information. (GDPR clause 6 part 1, f subsection);
3. 5.3. Fulfilment of legal obligations - the Company is entitled to process personal data in order to comply with the requirements of the laws and regulations, as well as to provide answers to lawful requests of the state and local government authorities. (GDPR clause 6 part 1, c subsection);
4. 5.4. Consent of the Data Subject. The Data Subject himself/herself consents to the collection and processing of personal data for specified purposes. Consent is his/her free will and an independent decision that can be given at any time, thus allowing the Company to process personal data for specified purposes. The Data Subject may withdraw his/her prior consent at any time through the specified channels of communication with the Company. The applied changes shall come into effect within three working days. Revocation of consent shall not affect the lawfulness of processing which is based on the consent before revocation. (GDPR clause 6 part 1, a subsection);
5. 5.5. Protection of vital interests. The Company may process personal data in order to protect the essential interests of the Customer, Cooperation Partner or other natural person, for example if processing is necessary for humanitarian purposes, monitoring of natural disasters and epidemics caused by human beings and the spread thereof, or in emergency humanitarian situations (acts of terror, in technological disaster situations, etc.) (GDPR clause 6 part 1, d subsection);
6. 5.6. Exercise of official authority or public interest. The Company may process data in order to perform a task in the public interest or in the exercise of official authority legally granted to the Company. In such cases the grounds for personal data processing are included in the laws and regulations. (GDPR clause 6 part 1, e subsection);
7. 5.7. If the Company processes the data as a processor on the basis of a duly concluded agreement with the data controller, the Company shall follow the instructions given by the controller;
8. 5.8. If the Company performs activities with personal data as a third party on the basis of a duly concluded agreement with the data controller, the Company shall comply with the authorisation granted by the controller.

6. Purposes of data processing

The following purposes of data processing are distinguished:

1. 6.1. General management of relations with the Customer and the Cooperation Partner and provision and administration of access to products and services, in order to enter into and execute an agreement with the Customer and the Cooperation Partner; deliver the purchased service or product, verify the availability and quality of the service or product, to fulfil the obligation imposed by law, provide reports and declarations, calculate and pay taxes, to ensure high-quality, timely service and cooperation during the term of the contractual relationship; to ensure the timeliness and accuracy of the data by checking and supplementing the data.;
2. 6.2. The Company shall process personal data for email marketing purposes and customer relationship management using third-party services such as Mailchimp, a service provided by The Rocket Science Group LLC, to manage email subscriber lists and send emails to our Customers and Cooperation Partners.;
3. 6.3. Create a corporate link between the Company, Customers and Cooperation Partners;
4. 6.4. Find out the opinion of the Customers, Cooperation Partners and others about the work of the Company, necessary improvements;
5. 6.5. Defend Company`s legal rights;
6. 6.6. The Company is entitled to process the data for the above, as well as for other purposes, if there is a legal basis for it.

7. Rights of the Data Subject

The Data Subject has the following rights with regard to the processing of his/her data:

1. 7.1 If the Company receives personal data from the Data Subject, the Company shall provide all the following information to the Data Subject during the acquisition of personal data:
   1. 7.1.1. registration number and legal address, contact information of the Company;
   2. 7.1.2. the contact details of the data protection specialist, if any;
   3. 7.1.3. the purposes of processing for which the personal data is intended, as well as the legal basis for the processing;
   4. 7.1.4. legitimate interests if the processing is based on Article 6 (1) (f) of the Regulation;
   5. 7.1.5. recipients or categories of recipients of personal data, if any;
   6. 7.1.6. whether the data shall be transferred to a third country or international organisation, if so, the relevant information in accordance with the requirements of applicable laws and regulations.
2. 7.2. In addition to the above, during the collection of personal data the Company shall show the Data Subject this Policy, which ensures fair and transparent processing, i.e.:
   1. 7.2.1. the Data Subject has the right to be informed of the period for which his or her personal data will be stored or, if that is not possible, the criteria used to determine that period;
   2. 7.2.2. the Data Subject has the right of access to his or her data, i.e. the right to rectify, erase, object to the processing as well as the right to data portability;
   3. 7.2.3. where processing is based on Article 6 (1) (a) or Article 9 (2) (a) of the Regulation, the right to withdraw consent shall be without prejudice to the lawfulness of the processing based on which the consent was given before the withdrawal;
   4. 7.2.4. the Data Subject has the right to submit a complaint to the supervisory authority;
   5. 7.2.5. the Data Subject has the right to know whether automated decision-making, including profiling, exists.
3. 7.3 If the Company has personal data that is not obtained from the Data Subject, in cases where the Company is the controller, the Company, in addition to the above, shall inform the Data Subject about the source from which the personal data has been received;
4. 7.4 If the controller intends to further process personal data for a purpose other than the purpose for which the personal data were obtained, the Company shall inform the Data Subject of such other purpose before further processing and provide it with all relevant additional information, unless the provision of such information requires a disproportionate effort;
5. 7.5. In cases where the Company is a processor or a third party, the Company shall act in accordance with the task or authorisation of the controller; in the case of a request from the data subject, the controller of the request received shall be informed immediately.
6. 7.6. You have the right, by contacting us, to receive information about what your data is, in what amount, on what legal basis, for how long, etc. are processed, depending on the nuances of our cooperation.

8. Retention period

Personal data is only processed for as long as necessary for achieving the purpose of processing. The retention period may be based on the concluded agreements, the Company's legitimate interests or applicable laws and regulations.

9. Technical and organisational requirements for data protection

1. 9.1. The Controller shall ensure, review on a regular basis and improve the personal data protection measures in order to protect personal data of the Data Subject from unauthorised access, accidental loss, disclosure or destruction. To ensure this, the Company shall use modern technologies, technical and organisational requirements, including appropriate software, using firewalls, intrusion detection, analysis software and data encryption, as well as physical data protection (access code at the front door), alarm;
2. 9.2. The Company shall carefully inspect all service providers who process personal data on behalf and upon instruction of the Company, as well as assess whether cooperation partners (processors of personal data) apply appropriate security measures to ensure that personal data is processed in accordance with the Company's delegation and requirements of the laws and regulations;
3. 9.3. The Company shall regularly train its employees and ensure their qualifications are maintained;
4. 9.4. The Company shall not be liable for any unauthorised access to personal data and/or loss of personal data if it is beyond the Company's control, for example due to the fault and/or negligence of the Customer or the Cooperation Partner or the Data Subject.

10. Processing area

1. 10.1. Personal data may be processed within the EU/EEA and, for the purposes of email marketing, may be transferred to Mailchimp’s servers located in the United States. The Company ensures that all data transfers to Mailchimp are covered by appropriate safeguards in line with GDPR requirements, such as standard contractual clauses or Mailchimp’s Privacy Shield certification;
2. 10.2. The transfer and processing of personal data outside the EU/EEA may take place if there is a legal basis for doing so, namely to fulfil a legal obligation, enter into or perform an agreement, or in accordance with the Customer's consent, and appropriate security measures have been taken.
   
   The European Commission has recognized which countries provide a level of personal data protection that corresponds to the relevant level of data protection in the European Union (Article 45 of the Regulation "Transmission based on a decision on the adequacy of the level of protection"). On the other hand, if the Company transfers personal data to countries for which the EC decision on the adequacy of the level of protection has not been adopted, the Company performs additional supervision over the implementation of relevant protection measures. For example, according to Article 46 of the Regulation "Shipping based on appropriate guarantees". Ensuring the appropriate guarantees by including the requirements for the personal data protection framework in a legally binding document (agreement, agreement, etc.) for both parties (both the sender of personal data and the recipient of personal data), clearly indicating the procedure for implementing the data subject's rights and the legal remedies available to the data subject means of protection;
3. 10.3. Upon request, the Customer can receive more detailed information on the transfer of personal data to countries outside the EU/EEA.

11. Contact information

1. 11.1. The Data Subject may contact the Company regarding any matter, withdraw his/her consent, make requests for information, use Data Subject rights and submit complaints on the processing of personal data;
2. 11.2. The contact information of the Company is available at www.mitigate.dev in the contact section;
3. 11.3. Responsible for data processing datuapstrade@mitigate.dev.
4. 11.4. For any questions regarding the management of your data by Mailchimp, or if you wish to opt-out of email marketing communications, please contact us using the details provided below. You may also directly unsubscribe using the link provided in every marketing email.

Approved on October 18, 2023.
Revised on 7 November, 2023.
The next review shall take place by no later than October 18, 2024.