This Privacy Statement applies to you if you live within the European Union.
The link to the Consent Tool (including cookies) can be found here: Cookie Banner
Privacy Statement for the use of the DAR Lean Platform of DAR TECH Limited ("DAR TECH")
in respect of Personal Data of EU Data Subjects
Table of Contents:
  1. Preamble and scope of this Privacy Statement
  2. Definitions
  3. Categories of Personal Data
  4. Areas in which DAR TECH acts as Controller and areas in which DAR TECH acts as Processor
  5. Purposes of Processing
  6. Legal Bases of Processing
  7. Transfer of Personal Data to Recipients
  8. Web Tools including the Cookies set by these tools
  9. Single Sign-on
  10. Specific Information for the DAR Lean App
  11. Transfer to third countries and international organizations
  12. Storage duration
  13. Automated decision making including profiling
  14. Rights of data subjects in connection with Personal Data
  15. Contact details of DAR TECH as Controller
  1. Preamble and scope of this Privacy Statement

    This Privacy Statement applies to the use of the following websites and/or applications offered and operated by DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia (in short, "DAR TECH"), including all videos, recordings, sounds, texts, graphics and other materials sent, received, stored or otherwise displayed via the following services:

    • the "DAR Lean" landing pages, accessible via the address https://www.darlean.com or https://www.darlean.eu;
    • the “DAR Lean” web platform, accessible via the address https://app.darlean.com;
    • the application "DAR Lean", which is available for download via the digital distribution platforms App Store (Apple) as well as Play Store (Google).

    DAR TECH provides the following information in this regard:

    • with regard to which Processing operations DAR TECH shall be deemed to be the Controller or Processor;
    • which Personal Data DAR TECH processes;
    • the purposes for which DAR TECH processes Personal Data;
    • the legal bases due to which DAR TECH is entitled to process Personal Data;
    • to whom and to which entities DAR TECH transfers Personal Data;
    • how long DAR TECH stores Personal Data;
    • which external tools and plugins DAR TECH uses;
    • what rights data subjects have with regard to their Personal Data;
    • how DAR TECH can be reached in connection with data protection issues as well as the exercise of data subject rights.

    With this Privacy Statement, DAR TECH fulfils its information obligations under data protection law within the meaning of Articles 12 to 14 GDPR.

    The definitions used in this Privacy Statement refer exclusively to this Privacy Statement and do not affect the definitions in DAR TECH's Terms and Conditions (T&C).

  2. Definitions

    1. General Data Protection Regulation (GDPR)

      • General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the Processing of Personal Data, on the free movement of such data and repealing Directive 95/46/EC in the latest valid version.
      • Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
      • Processing means any operation or set of operations which is performed on personal data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
      • Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
      • Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.
    2. General

      • Privacy Statement means this Privacy Statement of DAR TECH in accordance with Articles 12 to 14 GDPR.
      • Terms & Conditions means DAR TECH's Terms and Conditions.
      • Annex to the Terms & Conditions means DAR TECH’s Annex to the Terms and Conditions pursuant to Article 28 GDPR, which contains provisions relating to the Processing of Workspace Data by DAR TECH as Processor on behalf of the Contractual Partner as Controller.
      • DAR TECH means DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia.
      • DAR Lean Platform means the cloud-based internet platform operated by DAR TECH which allows a Team to organize and manage operational processes as well as teamwork, including, inter alia, productivity tools, processes, planning, HR management and reporting. The DAR Lean Platform consists of the following components:
        • DAR Lean Landing Page: the website operated by DAR TECH at the web addresses https://www.darlean.com and https://www.darlean.eu, which can be accessed by means of compatible web browsers and on which the DAR Lean Products are presented and promoted.
        • DAR Lean Web Platform: the web platform operated by DAR TECH at the web address https://www.darlean.com, which can be accessed by means of compatible web browsers and on which the individual modules are provided to the Users depending on the selected Subscription of the Contractual Partner.
        • DAR Lean App: the software application offered by DAR TECH, which is made available for download via the App Store offered by Apple Inc. and the Play Store offered by Google Inc. and which, depending on the Contractual Partner's selected Subscription, enables Users to use individual or all modules of the DAR Lean Platform on compatible end devices.
      • Workspace means a virtual Workspace within the DAR Lean Platform in which Users are provided with the possibility to use certain modules or tools.
      • Team means a plurality of Users who are inscribed to the same Workspace.
    3. Roles

      • Contractual Partner means any natural or legal person who concludes or has concluded a contract including the Terms & Conditions as well as the Annex to the Terms & Conditions with DAR TECH for the use of the DAR Lean Platform. The Contractual Partner is by default the owner of a Workspace.
      • Interested Party means any natural person who is not yet a User of the DAR Lean Platform but has received the invitation to use it.
      • User means any natural person, including a Contractual Partner, who uses the DAR Lean Platform. A User can be assigned one of the following roles:
        • Owner: A registered User who is or can act on behalf of the Contractual Partner and who is granted access to a Workspace, including, but not limited to, setting up such Workspace, granting and configuring access to such Workspace and managing the rights and permissions of Users who are assigned to such Workspace. The Owner has full control over the Workspace and can develop, configure, and customise it to meet the organisational needs of the Contractual Partner. The Owner is, on behalf of the Contractual Partner, permitted to request the deletion of a Workspace or Workspace Data from DAR TECH.
        • Administrator: A registered User who has the same privileges as the Owner, except for the ability to request the deletion of a Workspace.
        • Member: A registered User who is an employee of a Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Member is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner.
        • Guest: A registered User who is an outsourced employee, outside partner or any external member of the Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Guest is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner. As compared to a Member, the Guest usually has fewer permissions, such as read-only mode.
        • Visitor: A User who visits the DAR Lean Platform without being registered or logged in.
  3. Categories of Personal Data

    1. Data that DAR TECH as Controller collects from the User ("DAR TECH Data"):

      • Master Data: This includes Personal Data that is necessary for establishing a contractual relationship with the Contractual Partner and for billing, as well as for establishing a User account inter alia the name (including any academic titles), the job title, the employer, the address (street, postal code/city, country), the location of the registration, account data, other payment data or information, the tax number, a unique User ID and the affiliation to one or more Workspaces.
      • Sign-in Data: This includes the User's credentials required to log in to the DAR Lean Platform, such as the e-mail address, a password or an SSO token (e-mail, other social network ID including, but not limited to, Facebook, Google). The SSO services are described in Section 9.
      • Profile Data: This includes Personal Data that a User enters to create or update their profile, such as the name, the contact, social links (social network name), telephone number, e-mail address, data on the employment contract and a description of such person.
      • Correspondence Data: This includes Personal Data that arise in correspondence between DAR TECH and a User, for example, when a User submits a support request to DAR TECH via the DAR Lean Platform, by e-mail or telephone, such as the User's e-mail address or telephone number and the message content.
      • Session Data: This includes the session ID assigned to a User while logging in to the DAR Lean Platform.
      • Connection Data: This includes Personal Data of a technical nature that is collected in connection with the use of the DAR Lean Platform, such as the URL accessed by the User, the timestamp (date/time), browser type/browser version, the operating system used, the referrer URL and the IP address, the geolocation of the User, date and time of visits.

      In general, the Contractual Partner as well as the User is not required to provide Personal Data. However, this may possibly result in DAR TECH not being able to provide all services of the DAR Lean Platform. For example, the non-disclosure of Master Data may lead to the fact that no contractual relationship can be established between the Contractual Partner and DAR TECH. Likewise, the non-disclosure of Correspondence Data may result in DAR TECH not being able to answer inquiries/requests or give support.

    2. Data that DAR TECH as Processor processes on behalf of a Contractual Partner ("Workspace Data"):

      This includes all Personal Data that a User enters by using the various modules of the DAR Lean Platform within a Workspace, in particular:

      • Invitation Data: This includes Personal Data entered by the User for the purpose of inviting an Interested Party, such as in particular the e-mail address as well as the intended role.
      • Collaboration Data: This includes Personal Data that occurs as a result of multiple Users interacting with each other or within a Team, specifically Personal Data contained in project plans, functional personal tasks, meeting notes, Personal Data related to video conferencing (including video transmissions), or related User assignments/assignments.
      • Team Data: This includes Personal Data related to the Team (including human resources) of a Workspace, in particular listings of Users, roles, hierarchies, employee contract terms (if applicable), working time records, leave dates and types.
      • Work Data: This includes Personal Data related to tasks, in particular the assignment of Users to tasks, Personal Data related to processes, projects or budgets.
      • Media Data: This includes Personal Data contained in uploaded files, such as Word and PDF files, image, video and audio files.
  4. Areas in which DAR TECH acts as Controller and areas in which DAR TECH acts as Processor

    1. DAR TECH as Controller regarding DAR TECH Data

      DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia, Cyprus, is the sole data Controller for the Processing of DAR TECH Data and for the purposes set forth in Section 5 in accordance with Article 4 No 7 GDPR.

    2. DAR TECH as Processor of the contracting party regarding Workspace Data

      DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia, Cyprus, processes Workspace Data on behalf of the Contractual Partner pursuant to Article 28 GDPR and in accordance with the Annex to the Terms & Conditions and is therefore a Processor pursuant to Article 4 No 8 GDPR. The Processing operations that DAR TECH performs on behalf of the Contractual Partner are, for example:

      • Sending an invitation email to an Interested Party based on a User's entry of Invitation Data.
      • Storage and provision of Collaboration Data, Team Data and Work Data according to the permissions set by a User in each case.

      Regarding the Processing of Workspace Data, the Contractual Partner shall be the independent and sole Controller in accordance with Article 4 No 7 GDPR; joint responsibility with DAR TECH is excluded.

  5. Purposes of Processing

    DAR TECH processes DAR TECH Data as Controller for the following purposes:

    • Provision of the DAR Lean Platform
      • Registration, creation of a User account: DAR TECH processes Master Data and Sign-in Data of the User in order to enable the User to register for the first time to the DAR Lean Platform and to set up a User account.
      • Sign-in and provision of the available modules of the DAR Lean Platform: DAR TECH processes Sign-in Data of the User as well as Session Data in order to enable the User to log in to the DAR Lean Platform and use it accordingly. The SSO services are further described in Section 9.
      • Display of the DAR Lean Platform: DAR TECH processes certain Connection Data to enable the User to fully and properly display the DAR Lean Platform.
      • Optimized loading of the DAR Lean Platform: DAR TECH processes certain Connection Data to improve the performance of the DAR Lean Platform, for example because some components are loaded from external Content Delivery Networks (CDN).
      • Personalization of the DAR Lean Platform: DAR TECH processes certain Master Data as well as Profile Data to personalize the DAR Lean Platform for the respective User. Such personalization includes, inter alia, the subscriptions to Workspaces by the User.
      • Ordering of services, billing including debt collection: DAR TECH processes Master Data and, if necessary, Correspondence Data and Connection Data in order to be able to bill a Contractual Partner for services relating to the DAR Lean Platform and, if necessary, to pursue them (also in court).
    • Communication with the User
      • Communication (User Request/Support): DAR TECH processes Master Data as well as Correspondence Data in order to be able to contact and correspond with the User, inter alia to be able to answer enquiries and provide support, in particular by means of the contact form on the DAR Lean Platform or by e-mail.
      • Communication (Transactional): DAR TECH processes Master Data as well as Correspondence Data to send transactional messages (including e-mails) to the User or Contractual Partner. Transactional messages include, inter alia, important messages related to the account, a Workspace or User credentials (e.g. notification about a password reset) or information about changes/amendments relating to contracts between the User and DAR TECH or this Privacy Statement.
      • Newsletter: DAR TECH processes certain Master Data to send the User a newsletter by e-mail based on the prior registration of the User. However, DAR TECH will only process this Personal Data for this purpose if the User has given their prior consent. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
    • Security and abuse prevention
      • IT Security: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding special categories of data as described in Article 9 (1) GDPR) to ensure the security and operability of the DAR Lean Platform. This includes, in particular, Processing carried out in connection with technical and organizational measures to detect, prevent and track attacks on the DAR Lean Platform. If certain Workspace Data is found to affect IT security (e.g. because certain files contain viruses), DAR TECH reserves the right to delete such data in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions and to immediately inform the Contractual Partner. DAR TECH will, however, never transfer such data to third parties, unless explicitly required to do so by applicable Union or Member State law.
      • Prevention of fraud and abuse: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding special categories of data as described in Article 9 (1) GDPR) to be able to detect, prevent and prosecute abuse of the DAR Lean Platform (in particular the use of the DAR Lean Platform by the User contrary to the Terms & Conditions, use of a User account by several persons, data and credit card fraud, upload of illegal content).
    • Fulfilment of legal obligations under Cypriot and European law
      • Information, Recording and Retention Obligations: DAR TECH processes all DAR TECH Data to comply with statutory disclosure, recording and retention obligations, in particular those under tax and commercial law.
      • Exercise of data subject rights: DAR TECH processes all DAR TECH Data in order to fulfil Users’ data subject rights pursuant to the GDPR (see Section 14 in detail) and to be able to respond to them.
    • Analysis and optimization of the DAR Lean Platform
      • Improvement of the DAR Lean Platform: DAR TECH processes certain Connection Data to be able to analyse and optimize the operation of the DAR Lean Platform, inter alia to find and understand bugs of the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed by these services including the legal bases for Processing are further described in Section 8.
      • Analysis of the User structure: DAR TECH processes DAR TECH Data to be able to understand the geographical presence, gender, age and product patterns of Users who use the DAR Lean Platform, as well as to understand the usage habits and usage frequency as well as the satisfaction of tools provided within the DAR Lean Platform, in order to personalize the appearance of the DAR Lean Platform and to evaluate the usability and effectiveness of the modules within the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed including the legal bases for Processing are described in Sections 6 to 8.
    • Further purposes
      • Purposes which require consent: DAR TECH may process Personal Data for additional purposes, which will be communicated to the User in this Privacy Statement as amended from time to time or otherwise as the occasion arises. Processing will only take place if the User has given prior consent to such Processing. Consent can be withdrawn easily at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
      • Purposes stated elsewhere within this Privacy Statement: DAR TECH may also process Personal Data for purposes and on the basis of the legal bases set forth in Sections 6 to 8.
  6. Legal Bases of Processing

    Unless specified otherwise, DAR TECH processes DAR TECH Data for the purposes set forth in Section 5 based on one or more of the following legal bases:

    • Performance of a contract: DAR TECH processes DAR TECH Data on the basis of a contractual agreement concluded with the Contractual Partner regarding the use of the DAR Lean Platform or in order to take steps at the request of the Contractual Partner prior to entering into a contract, insofar as the Processing is necessary for this purpose (Article 6 (1) lit b GDPR).
    • Legal obligation: DAR TECH processes DAR TECH Data based on a legal obligation to which DAR TECH is subject (Article 6 (1) lit c GDPR).
    • Legitimate interest: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions – Workspace Data (excluding special categories of data as described in Article 9 (1) GDPR) based on its legitimate interest (Article 6 (1) lit f GDPR). Unless otherwise stated, the legitimate interests of DAR TECH are, in particular,
      • to establish and maintain a proper contract and User management;
      • to ensure the proper provision and functioning of the DAR Lean Platform;
      • to maintain the security and performance of the IT infrastructure used by DAR TECH;
      • to understand how the DAR Lean Platform is used, especially to identify usage habits and preferences;
      • to evaluate the performance of the DAR Lean Platform;
      • to personalize the DAR Lean Platform to the respective User preferences;
      • to find and eliminate bugs of the DAR Lean Platform; and
      • to be able to detect and stop any misuse of the DAR Lean Platform.
    • If referred to separately, DAR TECH also processes DAR TECH Data based on a previously given and voluntary consent (Article 6 (1) lit a GDPR) by the User. The User is entitled to revoke this consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

  7. Transfer of Personal Data to Recipients

    1. Transfer to categories of recipients

      Personal Data will be transferred by DAR TECH for the purposes mentioned in Section 5 to one or more of the following categories of Recipients:

      • banks (e.g. in order to facilitate bank transfers);
      • tax advisors (e.g. in order to carry out proper accounting);
      • lawyers and collection agencies (e.g. to collect outstanding debts or exercise other legal rights);
      • courts and public authorities (e.g. to report and clarify legally relevant facts or to enforce claims);
      • external services as described in Sections 7.2 and 8;
      • Single Sign-on providers as described in Sections 7.2 and 9.

      The data is also transferred if DAR TECH is legally obliged to do so.

    2. Overview of transmission to external services

      DAR TECH also transfers Personal Data to the service providers listed below:

      • DAR Solutions LLP, Almaty, Koktem microdistrict 2 – 22, Kazakhstan, based on a Processing agreement concluded with DAR TECH pursuant to Article 28 GDPR. DAR Solutions LLP processes DAR TECH Data on behalf of DAR TECH to provide technical assistance and development relating to the DAR Lean Platform and to provide support for Users. DAR Solutions LLP as well as DAR TECH are companies of the same group.
      • Web Tool Providers, as described in detail in Section 8:
        • Ynot Partners, Inc., 316 High Street, Palo Alto, CA 94301, USA, as operator of the "Userguiding.com" service, a User onboarding tool.
        • BITRIX24 LIMITED, Poseidonos, 1, LEDRA BUSINESS CENTRE, 'Egkomi 2406, Lefkosia, Cyprus, as operator of the service "Bitrix24.eu", a Content Delivery Network (CDN).
        • Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, as operator of "Stripe", an online payment service.
        • Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland as operator of the services "Google Tag Manager" as well as "DialogFlow".
        • Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB, as operator of the service "jsDelivr", a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.
        • Tilda Publishing Ltd., Regus Pembroke House, 28 - 32 Pembroke Street Upper, Dublin 2, Ireland, D02 NT28, as operator of the service “Tilda”.
        • Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA, as operator of the service “Unpkg”.
      • Single Sign-on Providers as described in detail in Section 9:
        • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (operator of the Service “Facebook Single Sign-on”).
        • Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (operator of the service “Google Single Sign-on”).
      • Hosting provider:
        • AMAZON WEB SERVICES EMEA SOCIÉTÉ À RESPONSABILITÉ LIMITÉE, 38 Avenue John F. Kennedy, L-1855 Luxembourg, Registration number: B186284 (operator of the service "AWS"): DAR TECH uses this service to provide the platform (hosting of the DAR Lean Platform). More detailed information can be found here: https://aws.amazon.com/de/compliance/gdpr-center/. The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR), which lies in being able to fulfil the aforementioned purpose; also the fulfilment of contracts with Contractual Partners (Article 6 (1) lit b GDPR).
  8. Web Tools including the Cookies set by these tools

    1. Introduction and Technical Explanation

      DAR TECH utilises certain web tools as further described in Sections 8.2 to 8.9. Some of these web tools may utilize cookies. The link to the Consent Tool (including cookies) can be found here: Cookie-Banner.

      For detailed information about the Cookies set by the individual services listed below, please refer to https://darlean.com/en/cookies.

    2. Bitrix24.eu

      Bitrix24.eu is an external service provided by BITRIX24 LIMITED, Poseidonos, 1, LEDRA BUSINESS CENTRE, 'Egkomi 2406, Lefkosia, Cyprus.

      DAR TECH uses this service for the purpose of organizing communication with Users, thus to be able to answer User enquiries and provide support, as well as to enable proper presentation of the DAR Lean Platform and to optimize speed (for example by sideloading fonts). Among the data collected is the User name, the User phone number and the User e-mail-address.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR) to achieve the aforementioned purposes. The Service Provider makes its Privacy Policy available at the following location: https://www.bitrix24.eu/gdpr/.

    3. Stripe

      Stripe is an external service offered and operated by Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland.

      Stripe is an online payment service provider. If the Contractual Partner makes a payment via the DAR Lean Platform, the relevant payment data (name, address, data on bank details), the IP address and data on the contract concluded with DAR TECH are transmitted to the payment service provider who subsequently stores the data.

      DAR TECH uses this service to perform the billing (Processing regarding payment). The legal basis is the fulfilment of the contract (Article 6 (1) lit b GDPR) vis-à-vis the Contractual Partner; if cookies are used, additionally the prior consent of the Contractual Partner (Article 6 (1) lit a GDPR).

      The Service Provider makes its Privacy Policy available at the following location: https://stripe.com/en-cy/privacy.

    4. Google Tag Manager

      Google Tag Manager is an external service offered and operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      Google Tag Manager is a tag management system with which tracking codes and associated code fragments can be centrally integrated, managed and updated on the DAR Lean Platform. The service is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      The Google Tag Manager serves as a mere system for passing through other tools, is hosted locally and does not transfer any Personal Data to Google. Information on Processing in connection with these other tools can be found under the respective tools in this Privacy Statement.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/technologies/partner-sites?hl=de&hl=de

    5. DialogFlow

      DialogFlow is an external service offered and operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      DialogFlow is a natural language understanding platform used to design and integrate a conversational user interface into mobile apps, web applications, devices, bots, interactive voice response systems and related uses.

      DAR TECH uses DialogFlow to offer advice and to respond to Users’ requests by implementing the service into a chatbot solution. DialogFlow uses machine learning to understand inputs and respond accordingly. In general, DialogFlow does not request Personal Data from Users.

      Google Ireland Limited, Google LLC or Alphabet Inc. may anonymize the dialog created by the User and the DAR Lean Platform and subsequently use it to improve and train the DialogFlow product.

      The legal basis for Processing is the consent given by the User in accordance with Article 6 (1) (a) GDPR and Article 49 (1) (a) GDPR. See in detail Section 11. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      Possible data Recipients are:

      • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as Processor according to Article 28 GDPR)
      • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
      • Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

      The service provider makes its privacy policy available at the following location: https://cloud.google.com/dialogflow/docs/data-logging-terms?hl=en.

    6. jsDelivr

      jsDelivr is an external service offered and operated by Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB. It is a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.

      DAR TECH uses this service to automatically keep certain libraries used for the DAR Lean Platform up to date by automatically including the latest distribution into it. This is necessary to safeguard IT Security and to optimize the loading time of the DAR Lean Platform. When the User accesses the DAR Lean Platform, certain Connection Data is transmitted to the aforementioned service provider.

      The legal basis for Processing is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR) which is to be able to fulfil the aforementioned purposes, especially to keep the DAR Lean Platform up to date and to avoid security flaws caused by outdated libraries.

      The service provider makes its privacy policy available at the following location: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

    7. Matomo

      Matomo is an open source web analytics application to track online visits to websites and display reports on these visits for analytics. DAR TECH uses this service to statistically analyze the User structure and subsequently optimize the DAR Lean Platform. DAR TECH collects the following Personal Data: User IP address, Optional User ID, Date and time of the request, Title of the page being viewed (Page Title), URL of the page being viewed (Page URL), URL of the page that was viewed prior to the current page (Referrer URL), Screen resolution being used, Time in local user’s timezone, Files that were clicked and downloaded (Download), Links to an outside domain that were clicked (Outlink), Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed), Location of the user: country, region, city, approximate latitude and longitude, Main Language of the browser being used, User Agent of the browser being used, Random unique Visitor ID, Time of the first visit for this user, Time of the previous visit for this user, Number of visits for this user.

      The legal basis for Processing is the legitimate interest of DAR TECH pursuant to Article 6 (1) (f) GDPR to improve the DAR Lean Platform and to understand the user structure. If cookies are set, the legal basis for Processing is consent given by the User in accordance with Article 6 (1) (a) GDPR. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      DAR TECH is using the Matomo Cloud service (“matomo.cloud”), which is provided by InnoCraft Ltd, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand (“InnoCraft”), to store the aforementioned Personal Data. The European Commission has determined that New Zealand has an adequate level of data protection pursuant to Article 45 GDPR (Commission Implementing Decision 2013/65/EU pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of Personal Data by New Zealand). However, all Personal Data is stored on servers within the European Union. InnoCraft publishes its “Matomo Cloud Privacy Policy” under https://matomo.org/matomo-cloud-privacy-policy/. DAR TECH has concluded a data Processing agreement pursuant to Article 28 GDPR whose text can be accessed under https://matomo.org/matomo-cloud-dpa/.

    8. Tilda

      Tilda is an external service offered and operated by Tilda Publishing Ltd., Regus Pembroke House, 28 - 32 Pembroke Street Upper, Dublin 2, Ireland, D02 NT28.

      Tilda is a no-code website builder and content delivery network (CDN) service. Its purpose is to deliver web content – inter alia web pages, videos and/or audio files – to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to provide the User with visually appealing web pages. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR) to achieve the aforementioned purposes.

      The Service Provider makes its Privacy Policy available at the following location: https://tilda.cc/privacy/. DAR TECH has concluded a data Processing agreement pursuant whose text can be accessed under https://tilda.cc/dpa/. According to the Service Provider, Personal Data of Users within Europe or the USA is stored on servers within the European Union. The technical information of Tilda can be accessed under https://tilda.cc/lp/technical-information/.

    9. Unpkg

      Unpkg is an external service offered and operated by Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA (“Cloudflare”).

      Unpkg is a global content delivery network (CDN) for JavaScript packages; it delivers such JavaScript packages to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to enable DAR TECH to include the most recent versions of such JavaScript packages into the DAR Lean Platform. This relieves DAR TECH from manually updating these packages; it furthermore also guarantees the security of the DAR Lean Platform. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR) to achieve the aforementioned purposes. Cloudflare outlines its GDPR compliance under https://www.cloudflare.com/trust-hub/gdpr/#gdprfaq. Its privacy policy is available under https://www.cloudflare.com/privacypolicy/.

      Cloudflare ensures and provides sufficient guarantees that European data protection law is complied with. Cloudflare is certified under the EU-US Privacy Framework. For the USA, the European Commission adopted its adequacy decision on July 10, 2023.

      The User can prevent the collection and Processing of Personal Data by Cloudflare by deactivating the execution of script code or by installing a script blocker in the web browser.

  9. Single Sign-on

    1. Facebook Single Sign-on

      Facebook Single Sign-on is an authentication (single sign-on) service operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (formerly Facebook, Inc).

      DAR TECH uses this service to allow users to log in to the platform using the Facebook login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User in accordance with Article 6 (1) (a) GDPR and Article 49 (1) (a) GDPR. See in detail Section 6 (Legal Basis) and Section 11 (Data Export). Such explicit consent is given by the User clicking on the "Facebook" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://www.facebook.com/privacy/policy/.

    2. Google Single Sign-On

      Google Single Sign-on is an authentication (single sign-on) service operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      DAR TECH uses this service to allow users to log in to the platform using the Google login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User in accordance with Article 6 (1) (a) GDPR and, if applicable, Article 49 (1) (a) GDPR. See in detail Section 6 (Legal Basis) and Section 11 (Data Export). Such explicit consent is given by the User clicking on the "Google" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/privacy?hl=en.

  10. Specific Information for the DAR Lean App

    This section provides additional information on the Processing of Personal Data in connection with the use of the DAR Lean App.

    DAR TECH enables the User to download the DAR Lean App via various internet-based digital distribution platforms for application software. The download via these distribution platforms usually requires that the User has previously registered with the distribution platforms used. The distribution platforms on which the DAR Lean app is offered for download are:

    • App Store: This is a distribution platform for application software offered and operated by Apple Inc. or other legal entities of Apple. Apple's privacy policy is available at https://www.apple.com/legal/privacy.
    • Play Store: This is a distribution platform for application software offered and operated by Google LLC or another legal entity of Google. Google's privacy policy is available at https://policies.google.com/privacy.

    DAR TECH has neither knowledge of nor influence over the way in which and the purposes for which these distribution platforms process the User's Personal Data.

  11. Transfer to third countries and international organisations

    Some of the Recipients listed above are located outside the European Union or process Personal Data outside of the European Union. DAR TECH may transfer Personal Data to service providers that carry out certain functions on its behalf. This may involve transferring Personal Data outside the European Economic Area (EEA) to countries which have laws that do not provide the same level of data protection as the EEA.

    Whenever DAR TECH transfers Personal Data to service providers outside of the EU, DAR TECH ensures a similar degree of protection is afforded to such Personal Data by ensuring that the countries have been deemed by the EU to provide an adequate level of protection for Personal Data, by implementing the following safeguards:

    | Data recipient | Service | Third country | Legal basis for data export |
    |---|---|---|---|
    | Alphabet Inc | DialogFlow | USA | Standard Contractual Clauses (SCC), Explicit consent (Article 49 (1) lit a GDPR) |
    | Google LLC | DialogFlow, Google SSO | USA | Explicit consent (Article 49 (1) lit a GDPR), Standard Contractual Clauses (SCC) or by way of the EU-US Data Privacy Framework |
    | Meta Platforms Ireland Limited | Facebook Single Sign-On | USA | Explicit consent (Article 49 (1) lit a GDPR) |
    | DAR Solutions LLP. | Technical Assistance and Development, User Support | Kazakhstan | Standard Contractual Clauses (SCC) |
    | Volentio JSD Limited | jsDelivr | UK | Adequacy Decision (EU) 2021/1772 or by way of Standard Contractual Clauses (SCC). |
    | InnoCraft Ltd | Matomo.Cloud | NZ | Adequacy Decision (EU) 2013/65, as amended by Commission Implementing Decision (EU) 2016/2295. |
    | Cloudflare, Inc | Unpkg | USA | EU-US Data Privacy Framework |

    In general, DAR TECH transfers Personal Data only to countries for which the EU Commission has published adequacy decisions, or measures are taken by DAR TECH to ensure that all Recipients can guarantee an adequate level of data protection. For example, standard contractual clauses (pursuant to Implementing Decision (EU) 2021/914) will be concluded for this purpose. DAR TECH will make these standard contractual clauses available upon request.

    In July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision concludes that the United States ensures an adequate level of protection – comparable to that of the EU – for Personal Data transferred from the EU to US organisations under the new framework. On the basis of the new adequacy decision, Personal Data can flow safely from the EU to US companies participating in the DPF, without having to put in place additional data protection safeguards.

    If no adequacy decision exists, the organisations are not participating in the DPF, or if DAR TECH has not concluded standard contractual clauses with the respective service provider, DAR TECH will obtain the User's explicit consent prior to transmission. Explicit consent obtained for Processing for the respective Processing purpose pursuant to Article 6 (1) lit a GDPR shall also be deemed to be consent in accordance with Article 49 (1) lit a GDPR.

    Due to the U.S. Cloud Act, the American government may have a right of access to data stored by organisations not registered with the DPF, even if the data is not stored in the USA. It might be possible that an authority or other government agency, in particular an intelligence service, could request access to certain User data from these Recipients without first obtaining a court order. It is also possible that, if such a request is fulfilled by the service provider, the User may lack legal protection against such access, such as a right to information or a right of complaint.

  12. Storage duration

    DAR TECH stores Personal Data for the period necessary to achieve the purposes set forth in this Privacy Statement and, in addition, for the duration of any statutory retention obligation. In particular, the following storage or retention periods apply, unless European or Cypriot law provides otherwise:

    • Master Data, Profile Data, and Sign-in Data of Users are stored for at least the duration of the existence of the User relationship with DAR TECH and then for a subsequent period of 3 years after the termination of the account.
    • Correspondence Data will be stored at least for the duration of the existence of the User relationship with DAR TECH, but no longer than 3 years after the termination of the account.
    • Session Data is stored for the duration of the visit to the DAR Lean Platform and deleted at the earliest after logout, but at the longest after 72 hours.
    • If the sole legal basis for Processing is consent, Personal Data is stored until such consent is withdrawn; after that, such Personal Data is deleted, as long as there are no other legitimate purposes for which this Personal Data is processed, such as legal retention periods. Depending on the purpose for which the consent was given, the Processing time within which DAR TECH complies with the request may be a maximum of 7 days after the withdrawal of consent.
  13. Automated decision making including profiling

    DAR TECH does not process Personal Data for the purpose of automated decision-making, including profiling.

  14. Rights of data subjects in connection with Personal Data

    1. Overview of rights of data subjects

      Data Subjects whose Personal Data is processed by DAR TECH are entitled to:

      • request information as to whether and which Personal Data of the data subject DAR TECH is Processing and to receive further information on such Processing; also to receive copies of such data (Article 15 GDPR);
      • request the correction or completion of Personal Data (Article 16 GDPR);
      • request the deletion of Personal Data that is incorrect or processed in a way that does not comply with the law (Article 17 GDPR);
      • request DAR TECH to restrict the Processing of the Personal Data (Article 18 GDPR);
      • know the identity of third parties to whom the Personal Data is transferred (Article 19 GDPR);
      • request data portability, provided that the Processing is based on the legal grounds of consent or the performance or initiation of a contract and is carried out by means of automated processes (Article 20 GDPR);
      • object to the Processing of Personal Data under certain circumstances, whereby an objection to the Processing for purposes of direct marketing is possible at any time without stating reasons (Article 21 GDPR);
      • if the Processing is based on the legal basis of consent, to withdraw the consent, whereby such withdrawal shall not affect the lawfulness of the Processing carried out on the basis of the consent until the withdrawal (Article 7 (3) GDPR);
      • file a complaint with the competent supervisory authority (for Cyprus, the Commissioner for Personal Data Protection, Iasonos 1, 1082 Nicosia, Cyprus).
    2. Exercise of Rights

      Whenever DAR TECH acts as Controller relating to DAR TECH Data (e.g. correspondence between the User and DAR TECH), the rights as described in Section 14.1 will be satisfied directly by DAR TECH within the timelines set by applicable law.

      Whenever DAR TECH acts as processor relating to Workspace Data (e.g. when the User has written or was mentioned in meeting notes, or when a User requests the deletion of a file uploaded by him/her), DAR TECH will, after the receipt of such request, immediately transmit this request to the competent Contractual Partner as Controller of the Workspace the User is assigned to. Such a request is usually not directly answered by DAR TECH, but satisfied directly by the Contractual Partner, as DAR TECH is not a controller regarding this category of Personal Data. Only after having received a documented instruction of the Contractual Partner, DAR TECH may answer the request on behalf of the Contractual Partner as described in the Terms & Conditions as well as the Annex to the Terms & Conditions.

  15. Contact details of DAR TECH as Controller

    For inquiries regarding data protection or the exercise of Data Subject rights, please contact exclusively:

    DAR TECH Limited

    Themistokli Dervi, 3, Julia House

    CY-1066 Nicosia

    Cyprus

    E-mail: info-eu@darlean.com

  16. Changes to the Privacy Policy and your duty to inform DAR TECH of changes

    DAR TECH keeps this Privacy Statement under regular review. This version was last updated on June 10, 2024. Historic versions can be obtained by contacting DAR TECH using the contact details in Section 15. DAR TECH reserves the right to change and/or amend this Privacy Statement from time to time.

    It is important that the Personal Data DAR TECH holds about Users is accurate and current. Users should keep DAR TECH informed (using the respective functions on the Platform or the contact details in Section 15) if their Personal Data changes during their relationship with DAR TECH, for example a new address or email address.

  17. Changes to the Privacy Policy and your duty to inform DAR TECH of changes

    This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about individuals. DAR TECH does not control these third-party websites and is not responsible for their privacy statements. When a User leaves our website, DAR TECH encourages each User to read the privacy policy of every website visited.

Privacy Statement for the use of the DAR Lean Platform of DAR TECH Limited ("DAR TECH") in respect of Personal Data of UK Data Subjects
Table of Contents:
  1. Preamble and scope of this Privacy Statement
  2. Definitions
  3. Categories of Personal Data
  4. Areas in which DAR TECH acts as Controller and areas in which DAR TECH acts as Processor
  5. Purposes of Processing
  6. Legal Bases of Processing
  7. Transfer of Personal Data to Recipients
  8. Web Tools including the Cookies set by these tools
  9. Single Sign-on
  10. Specific Information for the DAR Lean App
  11. Transfer to third countries and international organizations
  12. Storage duration
  13. Automated decision making including profiling
  14. Rights of data subjects in connection with Personal Data
  15. Contact details of DAR TECH as Controller
  1. Preamble and scope of this Privacy Statement

    This Privacy Statement applies to the use of the following websites and/or applications offered and operated by DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia (in short, "DAR TECH"), including all videos, recordings, sounds, texts, graphics and other materials sent, received, stored or otherwise displayed via the following services:

    • the "DAR Lean" landing page, accessible via the address https://darlean.com;
    • the “DAR Lean” web platform, accessible via the address https://app.darlean.com;
    • the application "DAR Lean", which is available for download via the digital distribution platforms App Store (Apple) as well as Play Store (Google).

    DAR TECH provides the following information in this regard:

    • with regard to which Processing operations DAR TECH shall be deemed to be the Controller or Processor;
    • which Personal Data DAR TECH processes;
    • the purposes for which DAR TECH processes Personal Data;
    • the legal bases due to which DAR TECH is entitled to process Personal Data;
    • to whom and to which entities DAR TECH transfers Personal Data;
    • how long DAR TECH stores Personal Data;
    • which external tools and plugins DAR TECH uses;
    • what rights data subjects have with regard to their Personal Data;
    • how DAR TECH can be reached in connection with data protection issues as well as the exercise of data subject rights.

    With this Privacy Statement, DAR TECH fulfils its information obligations under data protection law within the meaning of Articles 12 to 14 of the UK GDPR and Articles 12 to 14 of the EU GDPR.

    The definitions used in this Privacy Statement refer exclusively to this Privacy Statement and do not affect the definitions in DAR TECH's Terms and Conditions (T&C).

  2. Definitions

    1. General Data Protection Regulation (GDPR)

      • UK General Data Protection Regulation or UK GDPR, for Processing UK Personal Data, means the General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018 (including as further amended or modified by the laws of the UK from time to time).
      • EU General Data Protection Regulation or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the Processing of Personal Data, on the free movement of such data and repealing Directive 95/46/EC in the latest valid version.
      • EEA means the European Economic Area.
      • EU means the European Union.
      • Member State means a member state of the European Union.
      • Personal Data means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
      • Processing means any operation or set of operations which is performed on personal data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      • Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
      • Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
      • Recipient means a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as Recipients; the Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.
      • UK means the United Kingdom of Great Britain and Northern Ireland.
    2. General

      • Privacy Statement means this Privacy Statement of DAR TECH in accordance with Articles 12 to 14 of the UK GDPR and Articles 12 to 14 of the EU GDPR.
      • Terms & Conditions means DAR TECH's Terms and Conditions.
      • Annex to the Terms & Conditions means DAR TECH’s Annex to the Terms and conditions pursuant to Article 28 of the UK GDPR and Article 28 of the EU GDPR which contains provisions relating to the Processing of Workspace Data by DAR TECH as Processor on behalf of the Contractual Partner as Controller.
      • DAR TECH means DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia.
      • DAR Lean Platform means the cloud-based internet platform operated by DAR TECH which allows a Team to organise and manage operational processes as well as teamwork, including, inter alia, productivity tools, processes, planning, HR management and reporting. The DAR Lean Platform consists of the following components:
        • DAR Lean Landing Page: the website operated by DAR TECH at the web address https://www.darlean.com, which can be accessed by means of compatible web browsers and on which the DAR Lean Products are presented and promoted.
        • DAR Lean Web Platform: the web platform operated by DAR TECH at the web address https://app.darlean.com, which can be accessed by means of compatible web browsers and on which the individual modules are provided to the Users depending on the selected Subscription of the Contractual Partner.
        • DAR Lean App: the software application offered by DAR TECH, which is made available for download via the App Store offered by Apple Inc. and the Play Store offered by Google Inc. and which, depending on the Contractual Partner's selected Subscription, enables Users to use individual or all modules of the DAR Lean Platform on compatible end devices.
      • Workspace means a virtual Workspace within the DAR Lean Platform in which Users are provided with the possibility to use certain modules or tools.
      • Team means a plurality of Users who are inscribed to the same Workspace.
    3. Roles

      • Contractual Partner means any natural or legal person who concludes or has concluded a contract including the Terms & Conditions as well as the Annex to the Terms & Conditions with DAR TECH for the use of the DAR Lean Platform. The Contractual Partner is by default the owner of a Workspace.
      • Interested Party means any natural person who is not yet a User of the DAR Lean Platform but has received the invitation to use it.
      • User means any natural person, including a Contractual Partner, who uses the DAR Lean Platform. A User can be assigned one of the following roles:
        • Owner: A registered User who is or can act on behalf of the Contractual Partner and who is granted access to a Workspace, including, but not limited to set up such Workspace, grant and configure access to such Workspace and manage the rights and permissions of Users who are assigned to such Workspace. The Owner has full control over the Workspace and can develop, configure, and customise it to meet the organisational needs of the Contractual Partner. The Owner is, on behalf of the Contractual Partner, permitted to request the deletion of a Workspace or Workspace Data from DAR TECH.
        • Administrator: A registered User who has the same privileges as the Owner, except for the ability to request the deletion of a Workspace.
        • Member: A registered User who is an employee of a Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Member is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner.
        • Guest: A registered User who is an outsource employee, outside partner or any external member of the Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Guest is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner. As compared to a Member, the Guest usually has fewer permissions, such as read-only mode.
        • Visitor: A User who visits the DAR Lean Platform without being registered or logged in.
  3. Categories of Personal Data

    1. Data that DAR TECH as Controller collects from the User ("DAR TECH Data"):

      • Master Data: This includes Personal Data that is necessary for establishing a contractual relationship with the Contractual Partner and for billing, as well as for establishing a User account, inter alia the name (including any academic titles), the job title, the employer, the address (street, postal code/city, country), the location of the registration, account data, other payment data or information, the tax number, a unique User ID and the affiliation to one or more Workspaces.
      • Sign-in Data: This includes the User's credentials required to log in to the DAR Lean Platform, such as the email address, a password or an SSO token (E-Mail, other social network ID including, but not limited to, Facebook, Google). The SSO services are described in Section 9.
      • Profile Data: This includes Personal Data that a User enters to create or update their profile, such as the name, the contact, social links (social network name), telephone number, e-mail address, data on the employment contract and a description of such person.
      • Correspondence Data: This includes Personal Data that arise in correspondence between DAR TECH and a User, for example, when a User submits a support request to DAR TECH via the DAR Lean Platform, by e-mail or telephone, such as the User's e-mail address or telephone number and the message content.
      • Session Data: This includes the session ID assigned to a User while logging in to the DAR Lean Platform.
      • Connection Data: This includes Personal Data of a technical nature that is collected in connection with the use of the DAR Lean platform, such as the URL accessed by the User, the timestamp (date/time), browser type/browser version, the operating system used, the referrer URL and the IP address, the geolocation of the User, date and time of visits.

      In general, the Contractual Partner as well as the User is not required to provide Personal Data. However, this may possibly result in DAR TECH not being able to provide all services of the DAR Lean Platform. For example, the non-disclosure of Master Data may lead to the fact that no contractual relationship can be established between the Contractual Partner and DAR TECH. Likewise, the non-disclosure of Correspondence Data may result in DAR TECH not being able to answer inquiries/requests or give support.

    2. Data that DAR TECH as Processor processes on behalf of a Contractual Partner ("Workspace Data"):

      This includes all Personal Data that a User enters by using the various modules of the DAR Lean Platform within a Workspace, in particular:

      • Invitation Data: This includes Personal Data entered by the User for the purpose of inviting an Interested Party, such as in particular the e-mail address as well as the intended role.
      • Collaboration Data: This includes Personal Data that occurs as a result of multiple Users interacting with each other or within a Team, specifically Personal Data contained in project plans, functional personal tasks, meeting notes, Personal Data related to video conferencing (including video transmissions), or related User assignments/assignments.
      • Team Data: This includes Personal Data related to the Team (including human resources) of a Workspace, in particular listings of Users, roles, hierarchies, employee contract terms (if applicable), working time records, leave dates and types.
      • Work Data: This includes Personal Data related to tasks, in particular the assignment of Users to tasks, Personal Data related to processes, projects or budgets.
      • Media Data: This includes Personal Data contained in uploaded files, such as Word and PDF files, image, video and audio files.
  4. Areas in which DAR TECH acts as Controller and areas in which DAR TECH acts as Processor

    1. DAR TECH as Controller regarding DAR TECH Data

      DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia, Cyprus, is the sole data Controller for the Processing of DAR TECH data and for the purposes set forth in Section 5 in accordance with Article 4 (7) of the UK GDPR and Article 4 (7) of the EU GDPR.

    2. DAR TECH as Processor of the contracting party regarding Workspace Data

      DAR TECH Limited, Themistokli Dervi, 3, Julia House, CY-1066 Nicosia, Cyprus, processes Workspace Data on behalf of the Contractual Partner pursuant to Article 28 of the UK GDPR and Article 28 of the EU GDPR and in accordance with the Annex to the Terms & Conditions and is therefore a Processor pursuant to Article 4 (8) of the UK GDPR and Article 4 (8) of the EU GDPR. The Processing operations that DAR TECH performs on behalf of the Contractual Partner are, for example:

      • Sending an invitation email to an Interested Party based on a User's entry of Invitation Data.
      • Storage and provision of Collaboration Data, Team Data and Work Data according to the permissions set by a User in each case.

      Regarding the Processing of Workspace Data, the Contractual Partner shall be the independent and sole Controller in accordance with Article 4 (7) of the UK GDPR and Article 4 (7) of the EU GDPR; joint responsibility with DAR TECH is excluded.

  5. Purposes of Processing

    DAR TECH processes DAR TECH Data as Controller for the following purposes:

    • Provision of the DAR Lean Platform
      • Registration, creation of a User account: DAR TECH processes Master Data and Sign-in Data of the User in order to enable the User to register for the first time to the DAR Lean Platform and to set up a User account.
      • Sign-in and provision of the available modules of the DAR Lean Platform: DAR TECH processes Sign-in Data of the User as well as Session Data in order to enable the User to log-in to the DAR Lean Platform and use it accordingly. The SSO services are further described in Section 9.
      • Display of the DAR Lean Platform: DAR TECH processes certain Connection Data to enable the User to fully and properly display the DAR Lean Platform.
      • Optimised loading of the DAR Lean Platform: DAR TECH processes certain Connection Data to improve the performance of the DAR Lean Platform, for example because some components are loaded from external Content Delivery Networks (CDN).
      • Personalisation of the DAR Lean Platform: DAR TECH processes certain Master Data as well as Profile Data to personalise the DAR Lean Platform for the respective User. Such personalisation includes, inter alia, the subscriptions to Workspaces by the User.
      • Ordering of services, billing including debt collection: DAR TECH processes Master Data and, if necessary, Correspondence Data and Connection Data in order to be able to bill a Contractual Partner for services relating to the DAR Lean Platform and, if necessary, to pursue them (also in court).
    • Communication with the User
      • Communication (User Request/Support): DAR TECH processes Master Data as well as Correspondence Data in order to be able to contact and correspond with the User, inter alia to be able to answer enquiries and provide support, in particular by means of the contact form on the DAR Lean Platform or by e-mail.
      • Communication (Transactional): DAR TECH processes Master Data as well as Correspondence Data to send transactional messages (including e-mails) to the User or Contractual Partner. Transactional messages include, inter alia, important messages related to the account, a Workspace or User credentials (e.g. notification about a password reset) or information about changes/amendments relating to contracts between the User and DAR TECH or this Privacy Statement.
      • Newsletter: DAR TECH processes certain Master Data to send the User a newsletter by e-mail based on the prior registration of the User. However, DAR TECH will only process this Personal Data for this purpose if the User has given their prior consent. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
    • Security and abuse prevention
      • IT Security: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding special categories of data as described in Article 9 (1) of the UK GDPR and Article 9 (1) of the EU GDPR) to ensure the security and operability of the DAR Lean Platform. This includes, in particular, Processing carried out in connection with technical and organisational measures to detect, prevent and track attacks on the DAR Lean Platform. If certain Workspace Data is found to affect IT security (e.g. because certain files contain viruses), DAR TECH reserves the right to delete such data in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions and to immediately inform the Contractual Partner. DAR TECH will, however, never transfer such data to third parties, unless explicitly required to do so by applicable UK, Union or Member State law.
      • Prevention of fraud and abuse: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding special categories of data as described in Article 9 (1) of the UK GDPR and Article 9 (1) of the EU GDPR) to be able to detect, prevent and prosecute abuse of the DAR Lean Platform (in particular the use of the DAR Lean Platform by the User contrary to the Terms & Conditions, use of a User account by several persons, data and credit card fraud, upload of illegal content).
    • Fulfilment of legal obligations under Cypriot and European law
      • Information, Recording and Retention Obligations: DAR TECH processes all DAR TECH Data to comply with statutory disclosure, recording and retention obligations, in particular those under tax and commercial law.
      • Exercise of data subject rights: DAR TECH processes all DAR TECH Data in order to fulfil Users’ data subject rights pursuant to the UK GDPR and the EU GDPR (see Section 14 in detail) and to be able to respond to them.
    • Analysis and optimisation of the DAR Lean Platform
      • Improvement of the DAR Lean Platform: DAR TECH processes certain Connection Data to be able to analyse and optimise the operation of the DAR Lean Platform, inter alia to find and understand bugs of the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed by these services including the legal bases for Processing are further described in Section 8.
      • Analysis of the User structure: DAR TECH processes DAR TECH Data to be able to understand the geographical presence, gender, age and product patterns of Users who use the DAR Lean Platform, as well as to understand the usage habits and usage frequency as well as the satisfaction of tools provided within the DAR Lean Platform, in order to personalise the appearance of the DAR Lean Platform and to evaluate the usability and effectiveness of the modules within the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed including the legal bases for Processing are described in Sections 6 to 8.
    • Further purposes
      • Purposes which require consent: DAR TECH may process Personal Data for additional purposes, which will be communicated to the User in this Privacy Statement as amended from time to time or otherwise as the occasion arises. Processing will only take place if the User has given prior consent to such Processing. Consent can be withdrawn easily at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
      • Purposes stated elsewhere within this Privacy Statement: DAR TECH may also process Personal Data for purposes and on the basis of the legal bases set forth in Sections 6 to 8.
  6. Legal Bases of Processing

    Unless specified otherwise, DAR TECH processes DAR TECH Data for the purposes set forth in Section 5 based on one or more of the following legal bases:

    • Performance of a contract: DAR TECH processes DAR TECH Data on the basis of a contractual agreement concluded with the Contractual Partner regarding the use of the DAR Lean Platform or in order to take steps at the request of the Contractual Partner prior to entering into a contract, insofar as the Processing is necessary for this purpose (Article 6 (1) (b) of the UK GDPR and Article 6 (1) (b) of the EU GDPR).
    • Legal obligation: DAR TECH processes DAR TECH Data based on a legal obligation to which DAR TECH is subject (Article 6 (1) (c) of the UK GDPR and Article 6 (1) (c) of the EU GDPR).
    • Legitimate interest: DAR TECH processes DAR TECH Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions – Workspace Data (excluding special categories of data as described in Article 9 (1) of the UK GDPR and Article 9 (1) of the EU GDPR) based on its legitimate interest (Article 6 (1) (f) of the UK GDPR and Article 6 (1) (f) of the EU GDPR). Unless otherwise stated, the legitimate interests of DAR TECH are, in particular,
      • to establish and maintain a proper contract and User management;
      • to ensure the proper provision and functioning of the DAR Lean Platform;
      • to maintain the security and performance of the IT infrastructure used by DAR TECH;
      • to understand how the DAR Lean Platform is used, especially to identify usage habits and preferences;
      • to evaluate the performance of the DAR Lean Platform;
      • to personalise the DAR Lean Platform to the respective User preferences;
      • to find and eliminate bugs of the DAR Lean Platform; and
      • to be able to detect and stop any misuse of the DAR Lean Platform.
    • If referred to separately, DAR TECH also processes DAR TECH Data, based on a previously given and voluntary consent (Article 6 (1) (a) of the UK GDPR and Article 6 (1) (a) of the EU GDPR) by the User. The User is entitled to revoke this consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

  7. Transfer of Personal Data to Recipients

    1. Transfer to categories of recipients

      Personal Data will be transferred by DAR TECH for the purposes mentioned in Section 5 to one or more of the following categories of Recipients:

      • banks (e.g. in order to facilitate bank transfers);
      • tax advisors (e.g. in order to carry out proper accounting);
      • lawyers and collection agencies (e.g. to collect outstanding debts or exercise other legal rights);
      • courts and public authorities (e.g. to report and clarify legally relevant facts or to enforce claims);
      • external services as described in Sections 7.2 and 8;
      • Single Sign-on providers as described in Sections 7.2 and 9.

      The data is also transferred if DAR TECH is legally obliged to do so.

    2. Overview of transmission to external services

      DAR TECH also transfers Personal Data to the service providers listed below:

      • DAR Solutions LLP., Almaty, Koktem microdistrict 2 – 22, Kazakhstan, based on a Processing agreement concluded with DAR TECH pursuant to Article 28 of the EU GDPR. DAR Solutions LLP processes DAR TECH Data on behalf of DAR TECH to provide technical assistance and development relating to the DAR Lean Platform and to provide support for Users. DAR Solutions LLP as well as DAR TECH are companies of the same group.
      • Web Tool Providers, as described in detail in Section 8:
        • Ynot Partners, Inc., 316 High Street, Palo Alto, CA 94301, USA, as operator of the "Userguiding.com" service, a User onboarding tool.
        • BITRIX24 LIMITED, Poseidonos, 1, LEDRA BUSINESS CENTRE, 'Egkomi 2406, Lefkosia, Cyprus, as operator of the service "Bitrix24.eu", a Content Delivery Network (CDN).
        • Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland, as operator of "Stripe", an online payment service.
        • Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland as operator of the services "Google Tag Manager" as well as "DialogFlow".
        • Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB, as operator of the service "jsDelivr", a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.
        • Tilda Publishing Ltd., Regus Pembroke House, 28 - 32 Pembroke Street Upper, Dublin 2, Ireland, D02 NT28, as operator of the service “Tilda”.
        • Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA, as operator of the service “Unpkg”.
      • Single Sign-on Providers as described in detail in Section 9:
        • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (operator of the Service “Facebook Single Sign-on”).
        • Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (operator of the service “Google Single Sign-on”).
      • Hosting provider:
        • AMAZON WEB SERVICES EMEA SOCIÉTÉ À RESPONSABILITÉ LIMITÉE, 38 Avenue John F. Kennedy, L-1855 Luxembourg, Registration number: B186284 (operator of the service "AWS"): DAR TECH uses this service to provide the platform (hosting of the DAR Lean Platform). More detailed information can be found here: https://aws.amazon.com/de/compliance/gdpr-center/. The legal basis is the legitimate interest of DAR TECH (Article 6 (1) (f) of the UK GDPR and Article 6 (1) (f) of the EU GDPR), which lies in being able to fulfil the aforementioned purpose; also the fulfilment of contracts with Contractual Partners (Article 6 (1) (b) of the UK GDPR and Article 6 (1) (b) of the EU GDPR).
  8. Web Tools including the Cookies set by these tools

    1. Introduction and Technical Explanation

      DAR TECH utilises certain web tools as further described in Sections 8.2 to 8.9. Some of these web tools may utilise cookies. The link to the Consent Tool (including cookies) can be found here: Cookie-Banner.

      For detailed information about the Cookies set by the individual services listed below, please refer to https://darlean.com/cookies.

    2. Bitrix24.eu

      Bitrix24.eu is an external service provided by BITRIX24 LIMITED, Poseidonos, 1, LEDRA BUSINESS CENTRE, 'Egkomi 2406, Lefkosia, Cyprus.

      DAR TECH uses this service for the purpose of organizing communication with Users, thus to be able to answer User enquiries and provide support, as well as to enable proper presentation of the DAR Lean Platform and to optimise speed (for example by sideloading fonts). Among the data collected is the User name, the User phone number and the User e-mail-address.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) (f) of the UK GDPR and Article 6 (1) (f) of the EU GDPR) to achieve the aforementioned purposes. The Service Provider makes its Privacy Policy available at the following location: https://www.bitrix24.eu/gdpr/.

    3. Stripe

      Stripe is an external service offered and operated by Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland.

      Stripe is an online payment service provider. If the Contractual Partner makes a payment via the DAR Lean Platform, the relevant payment data (name, address, data on bank details), the IP address and data on the contract concluded with DAR TECH are transmitted to the payment service provider who subsequently stores the data.

      DAR TECH uses this service to perform the billing (Processing regarding payment). The legal basis is the fulfilment of the contract (Article 6 (1) (b) of the UK GDPR and Article 6 (1) (b) of the EU GDPR) vis-à-vis the Contractual Partner; if cookies are used, additionally the prior consent of the Contractual Partner (Article 6 (1) (a) of the UK GDPR and Article 6 (1) (a) of the EU GDPR).

      The Service Provider makes its Privacy Policy available at the following location: https://stripe.com/gb/privacy.

    4. Google Tag Manager

      Google Tag Manager is an external service offered and operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      Google Tag Manager is a tag management system with which tracking codes and associated code fragments can be centrally integrated, managed and updated on the DAR Lean Platform. The service is provided by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      The Google Tag Manager serves as a mere system for passing through other tools, is hosted locally and does not transfer any Personal Data to Google. Information on Processing in connection with these other tools can be found under the respective tools in this Privacy Statement.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/technologies/partner-sites?hl=de&hl=de

    5. DialogFlow

      DialogFlow is an external service offered and operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      DialogFlow is a natural language understanding platform used to design and integrate a conversational user interface into mobile apps, web applications, devices, bots, interactive voice response systems and related uses.

      DAR TECH uses DialogFlow to offer advice and to respond to Users’ requests by implementing the service into a chatbot solution. DialogFlow uses machine learning to understand inputs and respond accordingly. In general, DialogFlow does not request Personal Data from Users.

      Google Ireland Limited, Google LLC or Alphabet Inc. may anonymise the dialog created by the User and the DAR Lean Platform and subsequently use it to improve and train the DialogFlow product.

      The legal basis for Processing is the consent given by the User in accordance with Articles 6 (1) (a) and 49 (1) (a) of the UK GDPR and Article 6 (1) (a) and 49 (1) (a) of the EU GDPR. See in detail Section 11. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      Possible data Recipients are:

      • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as Processor according to Article 28 of the UK GDPR and Article 28 of the EU GDPR)
      • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
      • Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

      The service provider makes its privacy policy available at the following location: https://cloud.google.com/dialogflow/docs/data-logging-terms?hl=en.

    6. jsDelivr

      jsDelivr is an external service offered and operated by Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB. It is a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.

      DAR TECH uses this service to automatically keep certain libraries used for the DAR Lean Platform up to date by automatically including the latest distribution into it. This is necessary to safeguard IT Security and to optimize the loading time of the DAR Lean Platform. When the User accesses the DAR Lean Platform, certain Connection Data to the aforementioned service provider is transmitted.

      The legal basis for Processing is the legitimate interest of DAR TECH (Article 6 (1) (f) of the UK GDPR and Article 6 (1) (f) of the EU GDPR) which is to be able to fulfil the aforementioned purposes, especially to keep the DAR Lean Platform up to date and to avoid security flaws caused by outdated libraries.

      The service provider makes its privacy policy available at the following location: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

    7. Matomo

      Matomo is an open source web analytics application to track online visits to websites and display reports on these visits for analytics. DAR TECH uses this service to statistically analyze the User structure and subsequently optimize the DAR Lean Platform. DAR TECH collects the following Personal Data: User IP address, Optional User ID, Date and time of the request, Title of the page being viewed (Page Title), URL of the page being viewed (Page URL), URL of the page that was viewed prior to the current page (Referrer URL), Screen resolution being used, Time in local user’s timezone, Files that were clicked and downloaded (Download), Links to an outside domain that were clicked (Outlink), Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed), Location of the user: country, region, city, approximate latitude and longitude, Main Language of the browser being used, User Agent of the browser being used, Random unique Visitor ID, Time of the first visit for this user, Time of the previous visit for this user, Number of visits for this user.

      The legal basis for Processing is the legitimate interest of DAR TECH pursuant to Article 6 (1) (f) of the UK GDPR and Article 6 (1) (a) of the EU GDPR to improve the DAR Lean Platform and to understand the user structure. If cookies are set, the legal basis for Processing is consent given by the User in accordance with Article 6 (1) (a) of the UK GDPR and Article 6 (1) (f) of the EU GDPR. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      DAR TECH is using the Matomo Cloud service (“matomo.cloud”), which is provided by InnoCraft Ltd, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand (“InnoCraft”), to store the aforementioned Personal Data. The European Commission has determined that New Zealand has an adequate level of data protection pursuant to Article 45 GDPR (Commission Implementing Decision 2013/65/EU pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of Personal Data by New Zealand). However, all Personal Data is stored on servers within the European Union. InnoCraft publishes its “Matomo Cloud Privacy Policy” under https://matomo.org/matomo-cloud-privacy-policy/. DAR TECH has concluded a data Processing agreement pursuant to Article 28 GDPR whose text can be accessed under https://matomo.org/matomo-cloud-dpa/.

    8. Tilda

      Tilda is an external service offered and operated by Tilda Publishing Ltd., Regus Pembroke House, 28 - 32 Pembroke Street Upper, Dublin 2, Ireland, D02 NT28.

      Tilda is a no-code website builder and content delivery network (CDN) service. Its purpose is to deliver web content – inter alia web pages, videos and/or audio files – to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to provide the User with visually appealing web pages. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f EU GDPR and Article 6 (1) lit f UK GDPR) to achieve the aforementioned purposes.

      The Service Provider makes its Privacy Policy available at the following location: https://tilda.cc/privacy/. DAR TECH has concluded a data Processing agreement pursuant whose text can be accessed under https://tilda.cc/dpa/. According to the Service Provider, Personal Data of Users within Europe or the USA is stored on servers within the European Union. The technical information of Tilda can be accessed under https://tilda.cc/lp/technical-information/.

    9. Unpkg

      Unpkg is an external service offered and operated by Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA (“Cloudflare”).

      Unpkg is a global content delivery network (CDN) for JavaScript packages; it delivers such JavaScript packages to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to enable DAR TECH to include the most recent versions of such JavaScript packages into the DAR Lean Platform. This relieves DAR TECH from manually updating these packages; it furthermore also guarantees the security of the DAR Lean Platform. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f EU GDPR and Article 6 (1) lit f UK GDPR) to achieve the aforementioned purposes. Cloudflare outlines its GDPR compliance under https://www.cloudflare.com/trust-hub/gdpr/#gdprfaq. Its privacy policy is available under https://www.cloudflare.com/privacypolicy/.

      Cloudflare ensures and provides sufficient guarantees that European data protection law is complied with. Cloudflare is certified under the EU-US Privacy Framework. For the USA, the European Commission adopted its adequacy decision on July 10, 2023.

      The User can prevent the collection and Processing of Personal Data by Cloudflare by deactivating the execution of script code or by installing a script blocker in the web browser.

  9. Single Sign-on

    1. Facebook Single Sign-on

      Facebook Single Sign-on is an authentication (single sign-on) service operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (formerly Facebook, Inc).

      DAR TECH uses this service to allow users to log in to the platform using the Facebook login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User in accordance with Articles 6 (1) (a) and 49 (1) (a) of the UK GDPR and Articles 6 (1) (a) and 49 (1) (a) of the EU GDPR. See in detail Section 6 (Legal Basis) and Section 11 (Data Export). Such explicit consent is given by the User clicking on the "Facebook" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://www.facebook.com/privacy/policy/.

    2. Google Single Sign-On

      Google Single Sign-on is an authentication (single sign-on) service operated by Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

      DAR TECH uses this service to allow users to log in to the platform using the Google login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User in accordance with Articles 6 (1) (a) and, if applicable, 49 (1) (a) of the UK GDPR and Articles 6 (1) (a) and 49 (1) (a) of the EU GDPR. See in detail Section 6 (Legal Basis) and Section 11 (Data Export). Such explicit consent is given by the User clicking on the "Google" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/privacy?hl=en.

  10. Specific Information for the DAR Lean App

    This section provides additional information on the Processing of Personal Data in connection with the use of the DAR Lean App.

    1. Provision of the DAR Lean App for Downloading

      DAR TECH enables the User to download the DAR Lean App via various internet-based digital distribution platforms for application software. The download via these distribution platforms usually requires that the User has previously registered with the distribution platforms used. The distribution platforms on which the DAR Lean app is offered for download are:

      • App Store: This is a distribution platform for application software offered and operated by Apple Inc. or other legal entities of Apple. Apple's privacy policy is available at https://www.apple.com/legal/privacy.
      • Play Store: This is a distribution platform for application software offered and operated by Google LLC or another legal entity of Google. Google's privacy policy is available at https://policies.google.com/privacy.

      DAR TECH has neither knowledge nor influence of the way in which and the purposes for which these distribution platforms process the User's Personal Data.

  11. Transfer to third countries and international organisations

    Some of the Recipients listed above are located outside the UK or process Personal Data outside of the UK. DAR TECH may transfer Personal Data to service providers that carry out certain functions on its behalf. This may involve transferring Personal Data outside the UK and the EEA to countries which have laws that do not provide the same level of data protection as the UK or the EEA.

    Whenever DAR TECH transfers Personal Data to service providers outside of the UK, DAR TECH ensures a similar degree of protection is afforded to such Personal Data by ensuring that the countries have been deemed by the UK to provide an adequate level of protection for Personal Data, namely, countries in the EEA (particularly Cyprus, Ireland, Luxembourg), or by implementing the following safeguards:

    | Data recipient | Service | Third country | Legal basis for data export |
    |---|---|---|---|
    | Alphabet Inc | DialogFlow | USA | Standard Contractual Clauses (SCC), Explicit consent (Article 49 (1) lit a GDPR) |
    | Google LLC | DialogFlow, Google SSO | USA | Explicit consent (Article 49 (1) lit a GDPR), Standard Contractual Clauses (SCC) or by way of the EU-US Data Privacy Framework |
    | Meta Platforms Ireland Limited | Facebook Single Sign-On | USA | Explicit consent (Article 49 (1) lit a GDPR) |
    | DAR Solutions LLP. | Technical Assistance and Development, User Support | Kazakhstan | Standard Contractual Clauses (SCC) |
    | Volentio JSD Limited | jsDelivr | UK | Adequacy Decision (EU) 2021/1772 or by way of Standard Contractual Clauses (SCC). |
    | InnoCraft Ltd | Matomo.Cloud | NZ | Adequacy Decision (EU) 2013/65, as amended by Commission Implementing Decision (EU) 2016/2295. |
    | Cloudflare, Inc | Unpkg | USA | EU-US Data Privacy Framework |

    In general, DAR TECH transfers Personal Data only to countries for which the EU Commission has published adequacy decisions, or measures are taken by DAR TECH to ensure that all Recipients can guarantee an adequate level of data protection. For example, standard contractual clauses (pursuant to Implementing Decision (EU) 2021/914) will be concluded for this purpose. DAR TECH will make these standard contractual clauses available upon request.

    In July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision concludes that the United States ensures an adequate level of protection – comparable to that of the EU – for Personal Data transferred from the EU to US organisations under the new framework. On the basis of the new adequacy decision, Personal Data can flow safely from the EU to US companies participating in the DPF, without having to put in place additional data protection safeguards.

    If no adequacy decision exists, the organisations are not participating in the DPF, or if DAR TECH has not concluded standard contractual clauses with the respective service provider, DAR TECH will obtain the User's explicit consent prior to transmission. Explicit consent obtained for Processing for the respective Processing purpose pursuant to Article 6 (1) (a) of the UK GDPR and Article 6 (1) (a) of the EU GDPR shall also be deemed to be consent in accordance with Article 49 (1) (a) of the UK GDPR and Article 49 (1) (a) of the EU GDPR.

    Due to the U.S. Cloud Act there may be a right of access to data stored by organisations not registered with the DPF by the American government, even if the data is not stored in the USA. It might be possible that an authority or other government agency, in particular an intelligence service, could request access to certain User data from these Recipients without first obtaining a court order. It is also possible that, if such a request is fulfilled by the service provider, the User may lack legal protection against such access, such as a right to information or a right of complaint.

  12. Storage duration

    DAR TECH stores Personal Data for the period necessary to achieve the purposes set forth in this Privacy Statement and, in addition, for the duration of any statutory retention obligation. In particular, the following storage or retention periods apply, unless European or Cypriot law provides otherwise:

    • Master Data, Profile Data, and Sign-in Data of Users are stored for at least the duration of the existence of the User relationship with DAR TECH and then for a subsequent period of 3 years after the termination of the account.
    • Correspondence Data will be stored at least for the duration of the existence of the User relationship with DAR TECH, but no longer than 3 years after the termination of the account.
    • Session Data is stored for the duration of the visit to the DAR Lean Platform and deleted at the earliest after logout, but at the longest after 72 hours.
    • If the sole legal basis for Processing is consent, Personal Data is stored until such consent is withdrawn; after that, such Personal Data is deleted, as long as there are no other legitimate purposes for which this Personal Data is processed, such as legal retention periods. Depending on the purpose for which the consent was given, the Processing time within which DAR TECH complies with the request may be a maximum of 7 days after the withdrawal of consent.
  13. Automated decision making including profiling

    DAR TECH does not process Personal Data for the purpose of automated decision-making, including profiling.

  14. Rights of data subjects in connection with Personal Data

    1. Overview of rights of data subjects

      Data Subjects whose Personal Data is processed by DAR TECH are entitled to:

      • request information as to whether and which Personal Data of the Data Subject DAR TECH is Processing and to receive further information on such Processing; also to receive copies of such data (Article 15 of the UK GDPR and Article 15 of the EU GDPR);
      • request the correction or completion of Personal Data (Article 16 of the UK GDPR and Article 16 of the EU GDPR);
      • request the deletion of Personal Data that is incorrect or processed in a way that does not comply with the law (Article 17 of the UK GDPR and Article 17 of the EU GDPR);
      • request DAR TECH to restrict the Processing of the Personal Data (Article 18 of the UK GDPR and Article 18 of the EU GDPR);
      • know the identity of third parties to whom the Personal Data is transferred (Article 19 of the UK GDPR and Article 19 of the EU GDPR);
      • request data portability, provided that the Processing is based on the legal grounds of consent or the performance or initiation of a contract and is carried out by means of automated processes (Article 20 of the UK GDPR and Article 20 of the EU GDPR);
      • object to the Processing of Personal Data under certain circumstances, whereby an objection to the Processing for purposes of direct marketing is possible at any time without stating reasons (Article 21 of the UK GDPR and Article 21 of the EU GDPR);
      • if the Processing is based on the legal basis of consent, to withdraw the consent, whereby such withdrawal shall not affect the lawfulness of the Processing carried out on the basis of the consent until the withdrawal (Article 7 (3) of the UK GDPR and Article 7 (3) of the EU GDPR);
      • file a complaint with the competent supervisory or regulatory authority: for the UK, the Information Commissioner's Office, Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF, or for Cyprus, the Commissioner for Personal Data Protection, Iasonos 1, 1082 Nicosia, Cyprus.
    2. Exercise of Rights

      Whenever DAR TECH acts as Controller relating to DAR TECH Data (e.g. correspondence between the User and DAR TECH), the rights as described in Section 14.1 will be satisfied directly by DAR TECH within the timelines set by applicable law.

      Whenever DAR TECH acts as processor relating to Workspace Data (e.g. when the User has written or was mentioned in meeting notes, or when a User requests the deletion of a file uploaded by him/her), DAR TECH will, after the receipt of such request, immediately transmit this request to the competent Contractual Partner as Controller of the Workspace the User is assigned to. Such a request is usually not directly answered by DAR TECH, but satisfied directly by the Contractual Partner, as DAR TECH is not a controller regarding this category of Personal Data. Only after having received a documented instruction of the Contractual Partner, DAR TECH may answer the request on behalf of the Contractual Partner as described in the Terms & Conditions as well as the Annex to the Terms & Conditions.

  15. Contact details of DAR TECH as Controller

    For enquiries regarding data protection or the exercise of Data Subject rights, please contact exclusively:

    DAR TECH Limited

    Themistokli Dervi, 3, Julia House

    CY-1066 Nicosia

    Cyprus

    E-mail: info-eu@darlean.com

  16. Changes to the Privacy Policy and your duty to inform DAR TECH of changes

    DAR TECH keeps this Privacy Statement under regular review. This version was last updated on June 10, 2024. Historic versions can be obtained by contacting DAR TECH using the contact details in Section 15. DAR TECH reserves the right to change and/or amend this Privacy Statement from time to time.

    It is important that the Personal Data DAR TECH holds about Users is accurate and current. Users should keep DAR TECH informed (using the respective functions on the Platform or the contact details in Section 15) if their Personal Data changes during their relationship with DAR TECH, for example a new address or email address.

  17. Third-party Links

    This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about individuals. DAR TECH does not control these third-party websites and is not responsible for their privacy statements. When a User leaves our website, DAR TECH encourages each User to read the privacy policy of every website visited.

Privacy Statement for the use of the DAR Lean Platform of DARLEAN US CORP. ("DARLEAN US")
Last updated: December 1, 2024
Table of Contents:
  1. Preamble and scope of this Privacy Statement
  2. Definitions
  3. Categories of Personal Data
  4. Areas in which DARLEAN US acts as Controller and areas in which DARLEAN US acts as Processor
  5. Purposes of Processing
  6. Legal Bases of Processing
  7. Transfer of Personal Data to Recipients
  8. Web Tools including the Cookies set by these tools
  9. Single Sign-on
  10. Specific Information for the DAR Lean App
  11. Storage duration
  12. Automated decision making including profiling
  13. Rights of data subjects in connection with Personal Data
  14. Contact details of DARLEAN US as Controller
  15. Changes to this Privacy Statement and your duty to inform DARLEAN US of changes
  16. Third-party Links
  1. Preamble and scope of this Privacy Statement

    This Privacy Statement applies to the use of the following websites and/or applications offered and operated by DARLEAN US CORP., 850 New Burton Road, Suite 201, Dover, DE 19904 (in short, "DARLEAN US"), including all videos, recordings, sounds, texts, graphics and other materials sent, received, stored or otherwise displayed via the following services:

    • the "DAR Lean" landing pages, accessible via the address https://www.darlean.com;
    • the “DAR Lean” web platform, accessible via the address https://app.darlean.com;
    • the application "DAR Lean", which is available for download via the digital distribution platforms App Store (Apple) as well as Play Store (Google).

    DARLEAN US provides the following information in this regard:

    • with regard to which Processing operations DARLEAN US shall be deemed to be the Controller or Processor;
    • which Personal Data DARLEAN US processes;
    • the purposes for which DARLEAN US processes Personal Data;
    • the legal bases on which DARLEAN US relies to process Personal Data;
    • to whom and to which entities DARLEAN US transfers Personal Data;
    • how long DARLEAN US stores Personal Data;
    • which external tools and plugins DARLEAN US uses;
    • what rights data subjects have with regard to their Personal Data;
    • how DARLEAN US can be reached in connection with data protection issues as well as the exercise of data subject rights.

    With this Privacy Statement, DARLEAN US fulfils its information obligations under data protection law within the meaning of Articles 12 to 14 GDPR.

    The definitions used in this Privacy Statement refer exclusively to this Privacy Statement and do not affect the definitions in DARLEAN US's Terms and Conditions (T&C).

  2. Definitions

    1. General

      • Personal Data means, unless explicitly stated otherwise by applicable Privacy Laws, any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
      • Processing means, unless explicitly stated otherwise by applicable Privacy Laws, any operation or set of operations which is performed on personal data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
      • Controller means, unless explicitly stated otherwise by applicable Privacy Laws, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; where the purposes and means of such Processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
      • Processor means, unless explicitly stated otherwise by applicable Privacy Laws, a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
      • Recipient means, unless explicitly stated otherwise by applicable Privacy Laws, a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a third party or not. However, public authorities which may receive Personal Data in the framework of a particular inquiry in accordance with EU or Member State law shall not be regarded as Recipients; the Processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the Processing.
      • Special Categories of Personal Data means, unless explicitly stated otherwise by applicable Privacy Laws, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
      • Privacy Laws means the applicable data protection laws in connection with this Privacy Statement, the Terms & Conditions, and the Annex to the Terms & Conditions, including inter alia the following as applicable and as amended from time to time:
        • General Data Protection Regulation, Regulation (EU) 2016/679, as it forms part of domestic law in the UK by virtue of section 3 of the European Union (Withdrawal) Act 2018 (UK GDPR);
        • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (EU GDPR).
      • Privacy Statement means this Privacy Statement of DARLEAN US.
      • Terms & Conditions means DARLEAN US's Terms and Conditions.
      • Annex to the Terms & Conditions means DARLEAN US’s Annex to the Terms and Conditions which contains provisions relating to the Processing of Workspace Data by DARLEAN US as Processor on behalf of the Contractual Partner as Controller.
      • DARLEAN US means DARLEAN US CORP., 850 New Burton Road, Suite 201, Dover, DE 19904.
      • DAR Lean Platform means the cloud-based internet platform operated by DARLEAN US which allows a Team to organize and manage operational processes as well as teamwork, including, inter alia, productivity tools, processes, planning, HR management and reporting. The DAR Lean Platform consists of the following components:
        • DAR Lean Landing Page: the website operated by DAR TECH at the web address https://www.darlean.com, which can be accessed by means of compatible web browsers and on which the DAR Lean Products are presented and promoted.
        • DAR Lean Web Platform: the web platform operated by DAR TECH at the web address https://app.darlean.com, which can be accessed by means of compatible web browsers and on which the individual modules are provided to the Users depending on the selected Subscription of the Contractual Partner.
        • DAR Lean App: the software application offered by DAR TECH, which is made available for download via the App Store offered by Apple Inc. and the Play Store offered by Google Inc. and which, depending on the Contractual Partner's selected Subscription, enables Users to use individual or all modules of the DAR Lean Platform on compatible end devices.
      • Workspace means a virtual Workspace within the DAR Lean Platform in which Users are provided with the possibility to use certain modules or tools.
      • Team means a plurality of Users who are subscribed to the same Workspace.
    2. Roles

      • Contractual Partner means any natural or legal person who concludes or has concluded a contract including the Terms & Conditions as well as the Annex to the Terms & Conditions with DARLEAN US for the use of the DAR Lean Platform. The Contractual Partner is by default the owner of a Workspace.
      • Interested Party means any natural person who is not yet a User of the DAR Lean Platform but has received the invitation to use it.
      • User means any natural person, including a Contractual Partner, who uses the DAR Lean Platform. A User can be assigned one of the following roles:
        • Owner: A registered User who is or can act on behalf of the Contractual Partner and who is granted access to a Workspace, including, but not limited to set up such Workspace, grant and configure access to such Workspace and manage the rights and permissions of Users who are assigned to such Workspace. The Owner has full control over the Workspace and can develop, configure, and customise it to meet the organisational needs of the Contractual Partner. The Owner is, on behalf of the Contractual Partner, permitted to request the deletion of a Workspace or Workspace Data from DARLEAN US.
        • Administrator: A registered User who has the same privileges as the Owner, except for the ability to request the deletion of a Workspace.
        • Member: A registered User who is an employee of a Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Member is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner.
        • Guest: A registered User who is an outsource employee, outside partner or any external member of the Contractual Partner and who is assigned to a Workspace belonging to the Contractual Partner. The Guest is authorised to use the modules of the DAR Lean Platform within the limits set by an Owner or Administrator and the subscription model of the DAR Lean Platform chosen by the Contractual Partner. As compared to a Member, the Guest usually has fewer permissions, such as read-only mode.
        • Visitor: A User who visits the DAR Lean Platform without being registered or logged in.
  3. Categories of Personal Data

    1. Data that DARLEAN US as Controller collects from the User ("DARLEAN US Data"):

      • Master Data: This includes Personal Data that is necessary for establishing a contractual relationship with the Contractual Partner and for billing, as well as for establishing a User account inter alia the name (including any academic titles), the job title, the employer, the address (street, postal code/city, country), the location of the registration, account data, other payment data or information, the tax number, a unique User ID and the affiliation to one or more Workspaces.
      • Sign-in Data: This includes the User's credentials required to log in to the DAR Lean Platform, such as the email address, a password or an SSO token (E-Mail, other social network ID including, but not limited to, Facebook, Google). The SSO services are described in Section 9.
      • Profile Data: This includes Personal Data that a User enters to create or update their profile, such as the name, the contact, social links (social network name), telephone number, e-mail address, data on the employment contract and a description of such person.
      • Correspondence Data: This includes Personal Data that arise in correspondence between DARLEAN US and a User, for example, when a User submits a support request to DARLEAN US via the DAR Lean Platform, by e-mail or telephone, such as the User's e-mail address or telephone number and the message content.
      • Session Data: This includes the session ID assigned to a User while logging in to the DAR Lean Platform.
      • Connection Data: This includes Personal Data of a technical nature that is collected in connection with the use of the DAR Lean platform, such as the URL accessed by the User, the timestamp (date/time), browser type/browser version, the operating system used, the referrer URL and the IP address, the geolocation of the User, date and time of visits.

      In general, the Contractual Partner as well as the User is not required to provide Personal Data. However, this may possibly result in DARLEAN US not being able to provide all services of the DAR Lean Platform. For example, the non-disclosure of Master Data may lead to the fact that no contractual relationship can be established between the Contractual Partner and DARLEAN US. Likewise, the non-disclosure of Correspondence Data may result in DARLEAN US not being able to answer enquiries/requests or give support.

    2. Data that DARLEAN US as Processor processes on behalf of a Contractual Partner ("Workspace Data"):

      This includes all Personal Data that a User enters by using the various modules of the DAR Lean Platform within a Workspace, in particular:

      • Invitation Data: This includes Personal Data entered by the User for the purpose of inviting an Interested Party, such as in particular the e-mail address as well as the intended role.
      • Collaboration Data: This includes Personal Data that occurs as a result of multiple Users interacting with each other or within a Team, specifically Personal Data contained in project plans, functional personal tasks, meeting notes, Personal Data related to video conferencing (including video transmissions), or related User assignments/assignments.
      • Team Data: This includes Personal Data related to the Team (including human resources) of a Workspace, in particular listings of Users, roles, hierarchies, employee contract terms (if applicable), working time records, leave dates and types.
      • Work Data: This includes Personal Data related to tasks, in particular the assignment of Users to tasks, Personal Data related to processes, projects or budgets.
      • Media Data: This includes Personal Data contained in uploaded files, such as Word and PDF files, image, video and audio files.
  4. Areas in which DARLEAN US acts as Controller and areas in which DARLEAN US acts as Processor

    1. DARLEAN US as Controller regarding DARLEAN US Data

      DARLEAN US is the data Controller for the Processing of DARLEAN US Data and for the purposes set forth in Section 5.

    2. DARLEAN US as Processor of the contracting party regarding Workspace Data

      DARLEAN US processes Workspace Data on behalf of the Contractual Partner and in accordance with the Annex to the Terms & Conditions and is therefore a Processor. The Processing operations that DARLEAN US performs on behalf of the Contractual Partner are, for example:

      • Sending an invitation email to an Interested Party based on a User's entry of Invitation Data.
      • Storage and provision of Collaboration Data, Team Data and Work Data according to the permissions set by a User in each case.

      Regarding the Processing of Workspace Data, the Contractual Partner shall be the independent and sole Controller; joint responsibility with DARLEAN US is excluded.

  5. Purposes of Processing

    DARLEAN US processes DARLEAN US Data as Controller for the following purposes:

    • Provision of the DAR Lean Platform
      • Registration, creation of a User account: DARLEAN US processes Master Data and Sign-in Data of the User in order to enable the User to register for the first time to the DAR Lean Platform and to set up a User account.
      • Sign-in and provision of the available modules of the DAR Lean Platform: DARLEAN US processes Sign-in Data of the User as well as Session Data in order to enable the User to log-in to the DAR Lean Platform and use it accordingly. The SSO services are further described in Section 9.
      • Display of the DAR Lean Platform: DARLEAN US processes certain Connection Data to enable the User to fully and properly display the DAR Lean Platform.
      • Optimized loading of the DAR Lean Platform: DARLEAN US processes certain Connection Data to improve the performance of the DAR Lean Platform, for example because some components are loaded from external Content Deployment Networks (CDN).
      • Personalization of the DAR Lean Platform: DARLEAN US processes certain Master Data as well as Profile Data to personalize the DAR Lean Platform for the respective User. Such personalization includes, inter alia, the subscriptions to Workspaces by the User.
      • Ordering of services, billing including debt collection: DARLEAN US processes Master Data and, if necessary, Correspondence Data and Connection Data in order to be able to bill a Contractual Partner for services relating to the DAR Lean Platform and, if necessary, to pursue them (also in court).
    • Communication with the User
      • Communication (User Request/Support): DARLEAN US processes Master Data as well as Correspondence Data in order to be able to contact and correspond with the User, inter alia to be able to answer enquiries and provide support, in particular by means of the contact form on the DAR Lean Platform or by e-mail.
      • Communication (Transactional): DARLEAN US processes Master Data as well as Correspondence Data to send transactional messages (including e-mails) to the User or Contractual Partner. Transactional messages include, inter alia, important messages related to the account, a Workspace or User credentials (e.g. notification about a password reset) or information about changes/amendments relating to contracts between the User and DARLEAN US or this Privacy Statement.
      • Newsletter: DARLEAN US processes certain Master Data to send the User a newsletter by e-mail based on the prior registration of the User. However, DARLEAN US will only process this Personal Data for this purpose if the User has given their prior consent. This consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
    • Security and abuse prevention
      • IT Security: DARLEAN US processes DARLEAN US Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding Special Categories of Personal Data) to ensure the security and operability of the DAR Lean Platform. This includes, in particular, Processing carried out in connection with technical and organizational measures to detect, prevent and track attacks on the DAR Lean Platform. If certain Workspace Data is found to affect IT security (e.g. because certain files contain viruses), DARLEAN US reserves the right to delete such data in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions and to immediately inform the Contractual Partner. DARLEAN US will, however, never transfer such data to third parties, unless explicitly required to do so by applicable law.
      • Prevention of fraud and abuse: DARLEAN US processes DARLEAN US Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions - Workspace Data (excluding Special Categories of Personal Data) to be able to detect, prevent and prosecute abuse of the DAR Lean Platform (in particular the use of the DAR Lean Platform by the User contrary to the Terms & Conditions, use of a User account by several persons, data and credit card fraud, upload of illegal content).
    • Fulfilment of legal obligations under Cypriot and European law
      • Information, Recording and Retention Obligations: DARLEAN US processes all DARLEAN US Data to comply with statutory disclosure, recording and retention obligations, in particular those under tax and commercial law.
      • Exercise of data subject rights: DARLEAN US processes all DARLEAN US Data in order to fulfil Users’ data subject rights pursuant to applicable Privacy Laws (see Section 13 in detail) and to be able to respond to them.
    • Analysis and optimization of the DAR Lean Platform
      • Improvement of the DAR Lean Platform: DARLEAN US processes certain Connection Data to be able to analyse and optimize the operation of the DAR Lean Platform, inter alia to find and understand bugs of the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed by these services including the legal bases for Processing are further described in Sections 6 to 8.
      • Analysis of the User structure: DARLEAN US processes DARLEAN US Data to be able to understand the geographical presence, gender, age and product patterns of Users who use the DAR Lean Platform, as well as to understand the usage habits and usage frequency as well as the satisfaction of tools provided within the DAR Lean Platform, in order to personalize the appearance of the DAR Lean Platform and to evaluate the usability and effectiveness of the modules within the DAR Lean Platform. The services used for this purpose as well as the relevant data being processed including the legal bases for Processing are described in Sections 6 to 8.
    • Further purposes
      • Purposes which require consent: DARLEAN US may process Personal Data for additional purposes, which will be communicated to the User in this Privacy Statement as amended from time to time or otherwise as the occasion arises. Processing will only take place if the User has given prior consent to such Processing. Consent can be withdrawn easily at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.
      • Purposes stated elsewhere within this Privacy Statement: DARLEAN US may also process Personal Data for purposes and on the basis of the legal bases set forth in Sections 6 to 8.
    • Deidentified Data
      • To the extent required by any binding obligation to which DARLEAN US is subject, DARLEAN US hereby publicly commits to process Deidentified Data in its possession only in a de-identified fashion and not attempt to re-identify such Deidentified Data.
      • “Deidentified Data” means data that cannot reasonably be used to infer information about, and that cannot reasonably be linked to, an identified or identifiable individual.
  6. Legal Bases of Processing

    Unless specified otherwise, DARLEAN US processes DARLEAN US Data for the purposes set forth in Section 5 based on one or more of the following legal bases:

    • Performance of a contract: DARLEAN US processes DARLEAN US Data on the basis of a contractual agreement concluded with the Contractual Partner regarding the use of the DAR Lean Platform or in order to take steps at the request of the Contractual Partner prior to entering into a contract, insofar as the Processing is necessary for this purpose.
    • Legal obligation: DARLEAN US processes DARLEAN US Data based on a legal obligation to which DARLEAN US is subject.
    • Legitimate interest: DARLEAN US processes DARLEAN US Data as well as - exclusively in justified cases and only to the extent absolutely necessary in accordance with the Terms & Conditions as well as the Annex to the Terms & Conditions – Workspace Data (excluding Special Categories of Personal Data) based on its legitimate interest. Unless otherwise stated, the legitimate interests of DARLEAN US are, in particular,
      • to establish and maintain a proper contract and User management;
      • to ensure the proper provision and functioning of the DAR Lean Platform;
      • to maintain the security and performance of the IT infrastructure used by DARLEAN US;
      • to understand how the DAR Lean Platform is used, especially to identify usage habits and preferences;
      • to evaluate the performance of the DAR Lean Platform;
      • to personalize the DAR Lean Platform to the respective User preferences;
      • to find and eliminate bugs of the DAR Lean Platform; and
      • to be able to detect and stop any misuse of the DAR Lean Platform.
      • If referred to separately, DARLEAN US also processes DARLEAN US Data, based on a previously given and voluntary consent by the User. The User is entitled to revoke this consent at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

  7. Transfer of Personal Data to Recipients

    1. Transfer to categories of recipients

      Personal Data will be transferred by DAR TECH for the purposes mentioned in Section 5 to one or more of the following categories of Recipients:

      • banks (e.g. in order to facilitate bank transfers);
      • tax advisors (e.g. in order to carry out proper accounting);
      • lawyers and collection agencies (e.g. to collect outstanding debts or exercise other legal rights);
      • courts and public authorities (e.g. to report and clarify legally relevant facts or to enforce claims);
      • external services as described in Sections 7.2 and 8;
      • Single Sign-on providers as described in Sections 7.2 and 9.

      The data is also transferred if DARLEAN US is legally obliged to do so.

    2. Overview of transmission to external services

      DARLEAN US may transfer Personal Data to the affiliates and service providers listed below.

      • DAR Solutions LLP., Almaty, Koktem microdistrict 2 – 22, Kazakhstan. DAR Solutions LLP processes DARLEAN US Data on behalf of DARLEAN US to provide technical assistance and development relating to the DAR Lean Platform and to provide support for Users. DAR Solutions LLP as well as DARLEAN US are companies of the same group.
      • DAR TECH Limited, Kyriakou Matsi 46, Apt 101, 1082, Nicosia, Cyprus, European Union. DAR TECH Limited provides additional technical and analytical support relating to the DAR Lean Platform. DAR TECH Limited as well as DAR FT UK LIMITED are companies of the same group.
      • Any cross-border data transfer is conducted solely to ensure the functionality and performance of the DAR Lean Platform and its Services. DARLEAN US may choose not to transfer such data to its affiliates if it is not deemed necessary. Cross-border data transfer is a right, not an obligation, of DARLEAN US.

      • Web Tool Providers, as described in detail in Section 8:
        • HubSpot, Inc., Two Canal Park Cambridge, MA 02141 USA, as operator of the service "Hubspot", a Content Delivery Network (CDN).
        • Stripe Payments Company, 354 Oyster Point Boulevard, South San Francisco, California, 94080, as operator of "Stripe", an online payment service.
        • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, as operator of the services "Google Tag Manager" as well as "DialogFlow".
        • Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB, as operator of the service "jsDelivr", a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.
        • Tilda Platform Cloud Services Co. LLC, License 1110180, P.O. Box number 450767, Dubai, UAE, as operator of the service “Tilda”.
        • Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA, as operator of the service “Unpkg”.
      • Single Sign-on Providers as described in detail in Section 9:
        • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (operator of the Service “Facebook Single Sign-on”).
        • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (operator of the service "Google Single Sign-on”).
      • Hosting provider:
        • Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, U.S.A. (operator of the service "AWS"): DARLEAN US uses this service to provide the platform (hosting of the DAR Lean Platform). The legal basis is the legitimate interest of DARLEAN US, which lies in being able to fulfil the aforementioned purpose; also the fulfilment of contracts with Contractual Partners.
  8. Web Tools including the Cookies set by these tools

    1. Introduction and Technical Explanation

      DARLEAN US utilises certain web tools as further described in Sections 8.2 to 8.9. Some of these web tools may utilize cookies. The link to the Consent Tool (including cookies) can be found here: Cookie-Banner.

      For detailed information about the Cookies set by the individual services listed below, please refer to https://darlean.com/cookies.

      Please note that through certain of the web tools and other services DARLEAN US uses, external parties (including without limitation third-party analytics service providers) may directly collect information about a User’s or Interested Party’s online activities over time and across different websites.

    2. Hubspot

      Hubspot is an external service provided by Hubspot Inc., Two Canal Park Cambridge, MA 02141 USA.

      DARLEAN US uses this service for the purpose of organizing communication with Users, thus to be able to answer User enquiries and provide support, as well as to enable proper presentation of the DAR Lean Platform and to optimize speed (for example by sideloading fonts). Among the data collected is the User name, the User phone number and the User e-mail address.

      The legal basis is the legitimate interest of DARLEAN US to achieve the aforementioned purposes.

      The Service Provider makes its Privacy Policy available at the following location: https://legal.hubspot.com/privacy-policy.

    3. Stripe

      Stripe is an external service offered and operated by Stripe Payments Company, 354 Oyster Point Boulevard, South San Francisco, California, 94080.

      Stripe is an online payment service provider. If the Contractual Partner makes a payment via the DAR Lean Platform, the relevant payment data (name, address, data on bank details), the IP address and data on the contract concluded with DARLEAN US are transmitted to the payment service provider who subsequently stores the data.

      DARLEAN US uses this service to perform the billing (Processing regarding payment). The legal basis is the fulfilment of the contract vis-à-vis the Contractual Partner; if cookies are used, additionally the prior consent of the Contractual Partner.

      In particular, we would like you to be aware that, when you make a payment via the DAR LEAN Platform and interact with Stripe, Stripe may place cookies on your computer or mobile device in connection with the provision of its services, including for fraud prevention purposes. Please see https://stripe.com/cookie-settings for more information.

      The Service Provider makes its Privacy Policy available at the following location: https://stripe.com/en-cy/privacy.

    4. Google Tag Manager

      Google Tag Manager is an external service offered and operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

      Google Tag Manager is a tag management system with which tracking codes and associated code fragments can be centrally integrated, managed and updated on the DAR Lean Platform.

      The Google Tag Manager serves as a mere system for passing through other tools, is hosted locally and does not transfer any Personal Data to Google. Information on Processing in connection with these other tools can be found under the respective tools in this Privacy Statement.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/privacy.

    5. DialogFlow

      DialogFlow is an external service offered and operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

      DialogFlow is a natural language understanding platform used to design and integrate a conversational user interface into mobile apps, web applications, devices, bots, interactive voice response systems and related uses.

      DARLEAN US uses DialogFlow to offer advice and to respond to Users’ requests by implementing the service into a chatbot solution. DialogFlow uses machine learning to understand inputs and respond accordingly. In general, DialogFlow does not request Personal Data from Users.

      Google Ireland Limited, Google LLC or Alphabet Inc. may anonymize the dialog created by the User and the DAR Lean Platform and subsequently use it to improve and train the DialogFlow product.

      The legal basis for Processing is the consent given by the User. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      Possible data Recipients are:

      • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
      • Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
      • Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA

      The service provider makes its privacy policy available at the following location: https://cloud.google.com/dialogflow/docs/data-logging-terms?hl=en.

    6. jsDelivr

      jsDelivr is an external service offered and operated by Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB. It is a Content Delivery Network (CDN) for open-source files, such as common frontend libraries like ReactJS.

      DAR TECH uses this service to automatically keep certain libraries used for the DAR Lean Platform up to date by automatically including the latest distribution into it. This is necessary to safeguard IT Security and to optimize the loading time of the DAR Lean Platform. When the User accesses the DAR Lean Platform, certain Connection Data to the aforementioned service provider is transmitted.

      The legal basis for Processing is the legitimate interest of DARLEAN US which is to be able to fulfil the aforementioned purposes, especially to keep the DAR Lean Platform up to date and to avoid security flaws caused by outdated libraries.

      The service provider makes its privacy policy available at the following location: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

    7. Matomo

      Matomo is an open source web analytics application to track online visits to websites and display reports on these visits for analytics. DARLEAN US uses this service to statistically analyze the User structure and subsequently optimize the DAR Lean Platform. DARLEAN US collects the following Personal Data: User IP address, Optional User ID, Date and time of the request, Title of the page being viewed (Page Title), URL of the page being viewed (Page URL), URL of the page that was viewed prior to the current page (Referrer URL), Screen resolution being used, Time in local user’s timezone, Files that were clicked and downloaded (Download), Links to an outside domain that were clicked (Outlink), Pages generation time (the time it takes for webpages to be generated by the webserver and then downloaded by the user: Page speed), Location of the user: country, region, city, approximate latitude and longitude, Main Language of the browser being used, User Agent of the browser being used, Random unique Visitor ID, Time of the first visit for this user, Time of the previous visit for this user, Number of visits for this user.

      The legal basis for Processing is the legitimate interest of DARLEAN US to improve the DAR Lean Platform and to understand the user structure. If cookies are set, the legal basis for Processing is consent given by the User. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      DARLEAN US is using the Matomo Cloud service (“matomo.cloud”), which is provided by InnoCraft Ltd, 7 Waterloo Quay, PO625, 6140 Wellington, New Zealand (“InnoCraft”), to store the aforementioned personal data. InnoCraft publishes its “Matomo Cloud Privacy Policy” under https://matomo.org/matomo-cloud-privacy-policy/.

    8. Tilda

      Tilda is an external service offered and operated by Tilda Platform Cloud Services Co. LLC, License 1110180, P.O. Box number 450767, Dubai, UAE.

      Tilda is a no-code website builder and content delivery network (CDN) service. Its purpose is to deliver web content – inter alia web pages, videos and/or audio files – to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to provide the User with visually appealing web pages. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DAR TECH (Article 6 (1) lit f GDPR) to achieve the aforementioned purposes. The legal basis is the legitimate interest of DARLEAN US to achieve the aforementioned purposes.

      The Service Provider makes its Privacy Policy available at the following location: https://tilda.cc/privacy/. The technical information of Tilda can be accessed under https://tilda.cc/lp/technical-information/.

    9. Unpkg

      Unpkg is an external service offered and operated by Cloudflare, Inc, 101 Townsend St, San Francisco, CA 94107, USA (“Cloudflare”).

      Unpkg is a global content delivery network (CDN) for JavaScript packages; it delivers such JavaScript packages to the User. The purpose of this service is to increase the performance of the DAR Lean Platform and to enable DARLEAN US to include the most recent versions of such JavaScript packages into the DAR Lean Platform. This relieves DARLEAN US from manually updating these packages; it furthermore also guarantees the security of the DAR Lean Platform. When the User visits the DAR Lean Platform, a connection to servers of the Service Provider is made and Connection Data is processed.

      The legal basis is the legitimate interest of DARLEAN US to achieve the aforementioned purposes. Cloudflare outlines its compliance under Privacy Laws under https://www.cloudflare.com/privacypolicy/. The User can prevent the collection and processing of Personal Data by Cloudflare by deactivating the execution of script code or by installing a script blocker in the web browser.

  9. Single Sign-on

    1. Facebook Single Sign-on

      Facebook Single Sign-on is an authentication (single sign-on) service operated by Meta Platforms Inc, 1 Meta Way Menlo Park, CA 94025-1444 (formerly Facebook, Inc).

      DARLEAN US uses this service to allow users to log in to the platform using the Facebook login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User. Such explicit consent is given by the User clicking on the "Facebook" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://www.facebook.com/privacy/policy/.

    2. Google Single Sign-On

      Google Single Sign-on is an authentication (single sign-on) service operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

      DARLEAN US uses this service to allow users to log in to the platform using the Google login without having to create a specific user account (with individual email and password).

      The legal basis for Processing is the explicit consent given by the User. Such explicit consent is given by the User clicking on the "Google" button on the login page of the DAR Lean Platform. Consent can be withdrawn at any time without giving reasons. The withdrawal of consent shall not affect the lawfulness of Processing based on consent before its withdrawal.

      The service provider makes its privacy policy available at the following location: https://policies.google.com/privacy?hl=en.

  10. Specific Information for the DAR Lean App

    This section provides additional information on the Processing of Personal Data in connection with the use of the DAR Lean App.

    DARLEAN US enables the User to download the DAR Lean App via various internet-based digital distribution platforms for application software. The download via these distribution platforms usually requires that the User has previously registered with the distribution platforms used. The distribution platforms on which the DAR Lean app is offered for download are:

    • App Store: This is a distribution platform for application software offered and operated by Apple Inc. or other legal entities of Apple. Apple's privacy policy is available at https://www.apple.com/legal/privacy.
    • Play Store: This is a distribution platform for application software offered and operated by Google LLC or another legal entity of Google. Google's privacy policy is available at https://policies.google.com/privacy.

    DARLEAN US has neither knowledge of nor influence over the way in which and the purposes for which these distribution platforms process the User's Personal Data.

  11. Storage duration

    DARLEAN US stores Personal Data for the period necessary to achieve the purposes set forth in this Privacy Statement and, in addition, for the duration of any statutory retention obligation. In particular, the following storage or retention periods apply, unless applicable law, especially applicable Privacy Law, provides otherwise:

    • Master Data, Profile Data, and Sign-in Data of Users are stored for at least the duration of the existence of the User relationship with DARLEAN US and then for a subsequent period of 3 years after the termination of the account.
    • Correspondence Data will be stored at least for the duration of the existence of the User relationship with DARLEAN US, but no longer than 3 years after the termination of the account.
    • Session Data is stored for the duration of the visit to the DAR Lean Platform and deleted at the earliest after logout, but at the longest after 72 hours.
    • If the sole legal basis for Processing is consent, Personal Data is stored until such consent is withdrawn; after that, such Personal Data is deleted, as long as there are no other legitimate purposes for which this Personal Data is processed, such as legal retention periods. Depending on the purpose for which the consent was given, the Processing time within which DARLEAN US complies with the request may be a maximum of 7 days after the withdrawal of consent.
  12. Automated decision making including profiling

    DARLEAN US does not process Personal Data for the purpose of automated decision-making, including profiling.

  13. Rights of data subjects in connection with Personal Data

    1. Overview of rights of data subjects

      Data Subjects whose Personal Data is processed by DARLEAN US may be – under the conditions and prerequisites set out by applicable Privacy Law – entitled to:

      • request information as to whether and which Personal Data of the Data Subject DARLEAN US is Processing and to receive further information on such Processing; also to receive copies of such data;
      • request the correction or completion of Personal Data;
      • request the deletion of Personal Data that is incorrect or processed in a way that does not comply with the law;
      • request DARLEAN US to restrict the Processing of the Personal Data;
      • know the identity of third parties to whom the Personal Data is transferred;
      • request data portability, provided that the Processing is based on the legal grounds of consent or the performance or initiation of a contract and is carried out by means of automated processes;
      • object to the Processing of Personal Data under certain circumstances, whereby an objection to the Processing for purposes of direct marketing is possible at any time without stating reasons;
      • if the Processing is based on the legal basis of consent, to withdraw the consent, whereby such withdrawal shall not affect the lawfulness of the Processing carried out on the basis of the consent until the withdrawal;
      • file a complaint with the competent supervisory authority.
    2. Exercise of Rights

      Whenever DARLEAN US acts as Controller relating to DARLEAN US Data (e.g. correspondence between the User and DARLEAN US), the rights as described in Section 13.1 will be satisfied directly by DARLEAN US within the timelines set by applicable law.

      Whenever DARLEAN US acts as Processor relating to Workspace Data (e.g. when the User has written or was mentioned in meeting notes, or when a User requests the deletion of a file uploaded by him/her), DARLEAN US will, after the receipt of such request, immediately transmit this request to the competent Contractual Partner as Controller of the Workspace the User is assigned to. Such a request is usually not directly answered by DARLEAN US, but satisfied directly by the Contractual Partner, as DARLEAN US is not a Controller regarding this category of Personal Data. Only after having received a documented instruction of the Contractual Partner, DARLEAN US may answer the request on behalf of the Contractual Partner as described in the Terms & Conditions as well as the Annex to the Terms & Conditions.

    3. Do Not Track Requests

      The term “Do Not Track” refers to an HTTP header offered by certain web browsers to request that websites refrain from tracking the user. DARLEAN US takes no action in response to automated Do Not Track requests. However, if you wish to stop such tracking, please contact us in accordance with Section 14.

  14. Contact details of DARLEAN US as Controller

    For inquiries regarding data protection or the exercise of Data Subject rights, please contact exclusively:

    DARLEAN US CORP.

    850 New Burton Road,

    Suite 201, Dover,

    DE 19904,

    USA

    E-mail: support@darlean.com

  15. Changes to the Privacy Policy and your duty to inform DAR TECH of changes

    DARLEAN US keeps this Privacy Statement under regular review. This version was last updated on and is valid from December 1, 2024.

    DARLEAN US will not make changes that result in significant additional uses or disclosures of your personal data without allowing you to “opt in” to such changes. DARLEAN US may also make non-significant changes to this Privacy Statement that generally will not significantly affect our use of your personal data, for which your opt-in is not required. DARLEAN US encourages you to check this page periodically for any changes. If any non-significant changes to this Privacy Statement are unacceptable to you, you must immediately contact us and, until the issue is resolved, stop using the DAR Lean Platform.

    Historic versions can be obtained by contacting DARLEAN US using the contact details in Section 14. DARLEAN US reserves the right to change and/or amend this Privacy Statement from time to time.

    It is important that the Personal Data DARLEAN US holds about Users is accurate and current. Users should keep DARLEAN US informed (using the respective functions on the Platform or the contact details in Section 14) if their Personal Data changes during their relationship with DARLEAN US, for example a new address or email address.

  16. Third-party Links

    This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about individuals. DARLEAN US does not control these third-party websites and is not responsible for their privacy statements. When a User leaves our website, DARLEAN US encourages each User to read the privacy policy of every website visited.

Privacy Policy
Scope of this Privacy Policy
What Information do we Collect?
Personally Identifiable Information
Non-Personally Identifiable Information
Why do we Need your Personal Data?
Information we collect automatically when you use the Services:
Darvis AI Additional Terms
Which models are you using and which version?
Is my data used to train any AI models?
What is in-context learning?
Do you detect and defend against prompt injection?
Who owns the data input into Darvis?
Your privacy is extremely important to us. To better protect you, we provide this notice explaining our online information practices and the choices you can make about the way your information is collected and used.
If you do not agree to our use of your personal data in line with this policy, please do not use the Darlean Services.
Please be aware that this Privacy Policy does not govern all the information Darlean may process.
Any capitalized words we use in this Privacy Policy that we haven't defined here will have the same meaning that they're given in our Terms of Use.
Our commitments to employees are governed by our internal employment policies.
In all instances we are committed to transparency with our customers, employees, and to protecting your data privacy.
You will be required to establish an account in order to take advantage of certain features of the Darlean Service. If you wish to establish an account you will be required to provide us with information (including personally identifiable information and non-personally identifiable information). In addition, we may obtain your personally identifiable information from you if you identify yourself to us by sending us an e-mail with questions or comments.
Depending on your use of the Darlean Service, we collect two types of information:
personally identifiable information and non-personally identifiable information.
Personally identifiable information identifies you or can be used to identify or contact you. Examples of personally identifiable information may include your name, IP address, company name, job title, address, e-mail address, telephone number, and billing and credit card information.
Non-personally identifiable information is information, any single item of which, by itself, cannot be used to identify or contact you, which may include demographic information (such as age, profession, company industry, gender, current location, or zip code), IP addresses, browser types, domain names, and statistical data involving the use of the Darlean Service. Certain non-personally identifiable information may be considered a part of your personally identifiable information if it were combined with other identifiers (for example, combining your zip code with your street address) in a way that enables you to be identified. But the same pieces of information may be considered non-personally identifiable information when they are taken alone or combined only with other non-personally identifiable information (for example, your account preferences).
We do not sell any data, including your personal data. We will only collect and process your personal data in accordance with applicable data protection and privacy laws. We need to collect and process certain personal data in order to provide you with access to Darlean. If you registered with us, you will have been asked to check a tick box indicating your agreement to provide this data in order to access our services. This consent provides us with the legal basis we require under applicable law to process your data. You maintain the right to withdraw such consent at any time.

Information we collect automatically when you use the Services:
We collect information about you when you use our Services, such as browsing our websites and taking certain actions within the Services, including:

Your use of the Services: We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use; the tasks, projects, teams and other links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on Darlean. We also collect information about the teams and people you work with and how you interact with them, like who you collaborate and communicate with most frequently.

Device and Connection Information: We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update, or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience. How much of this information we collect depends on the type and settings of the device you use to access the Services.

Log files: We collect non-personally identifiable information through our Internet log files, which record data such as user IP addresses, browser types, domain names, and other anonymous statistical data involving the use of the Darlean Service. This information may be used to analyze trends, to administer Darlean, to monitor the use of the Darlean Service, and to gather general demographic information. We may link this information to personally identifiable information for these and other purposes, such as personalizing your experience on the Darlean Service, and evaluating the Darlean Service in general.
Information we receive from other sources
We receive information about you from other Service users, from third party services, and from our business and channel partners.

  • Other users of the Services: Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned by someone else on a task, or a team member may upload content about you to Darlean. We also receive your email address from other Service users when they provide it in order to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as another administrator for a task, team or an Enterprise or Unlimited Account.

  • Other services you link to your account: We receive information about you when you or your administrator enable third-party apps or integrate or link a third-party service with our Services. For example, you or your administrator may also integrate our Services with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Services. For example, you may authorize our Services to access and display files from a third-party document-sharing service within the Services interface. The information we receive when you link or integrate our Services with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Services.

  • Other partners: We may receive information about you and your activities on and off the Services from third-party partners, such as advertising and market research partners who provide us with information about your interest in, and engagement with, our Services and online advertisements, or in cases where you give such third parties permission to share information with us or where the information is publicly available online or through your device or browser data.
These Darvis AI Terms apply to your access and use of any Darvis AI feature(s), and form a part of the Terms Of Use or the Master Services Agreement, as applicable, between you and Darvis (the “Agreement”). Any capitalized terms used but not otherwise defined herein have the meaning set forth in the Agreement. References to “Customer Data” in these Darvis AI Terms shall also mean User Content for purposes of the Terms of Use. If you do not want to use Darvis AI or disagree with these Darvis AI Terms, you may also disable Darvis AI in your Workspace.

“Darvis AI” means any tools, features or functionality made available to you via the Darvis AI DarleanApp or Darlean platform (e.g., AI authorship and editing features) that utilize data models trained by machine learning and artificial intelligence, including but not limited to, tools for generating short-form or long-form content through prompting, editing of or extraction of information from existing content via prompting, and translation of existing or newly generated content.

Improving Darvis AI. Your access to or use of Darvis AI does not grant Darvis any right or license to use or share your Customer Data in a manner that is inconsistent with the Agreement unless otherwise agreed to by you.

Input and Output. You may provide input to be processed by Darvis AI (“Input”), and receive output generated by Darvis AI based on any Input (“Output”). When using Darvis AI, Input and Output are your Customer Data for purposes of the Agreement. You are solely responsible for the creation, development, content, operation, maintenance, use, and dissemination of your Customer Data. You are solely responsible for ensuring that your Input, access to and use of Darvis AI, and Output will not violate any applicable law or regulation; violate these Darvis AI Terms, the Agreement, or any content and use policies we may implement from time to time; or infringe upon, violate, or misappropriate any of Darvis's rights or the rights of any third party. You acknowledge that due to the nature of machine learning and Darvis AI more generally, Output may not be unique and Darvis AI may generate the same or similar output to Darvis or other third parties. You will not provide Input or attempt to generate Output through Darvis AI that consists of any sensitive or regulated information unless you have a separate agreement with us that expressly allows for your processing of such data through Darvis AI, including Protected Health Information as defined by HIPAA or similar statutes, or health, genetic, biometric record or data in general; government-issued identification numbers of any kind; or personal financial or bank account information.

Healthcare Use. You may not use Darvis AI in connection with any healthcare activities unless you have an active Business Associate Agreement with Darlean and Darlean has confirmed that: (a) your account is set up for healthcare AI use and (b) Zero Data Retention or access to otherwise-HIPAA compliant workflows or endpoints are enabled for any PHI data you process through Darvis AI. To the extent that you use Darvis AI or use or disclose Output, or permit Darvis AI or Output to be used or disclosed, in connection with any healthcare activities (including without limitation the practice of medicine, billing, coding, claims processing, or clinical research), you will: (i) test the Input and Output for accuracy in your use cases; (ii) ensure that your employees, agents, and contractors understand and comply with these terms, the BAA between you and Darlean, HIPAA, and all other applicable laws and regulations, including by providing appropriate training; (iii) ensure that only duly trained and qualified individuals who maintain licenses, certifications or other authorizations required to perform such healthcare activities will use Darvis AI or use or disclose the Outputs in connection with such healthcare activities; (iv) not use Darvis AI or Outputs to give medical advice, diagnose any medical condition, or create any treatment plans or programs; (v) not represent to any party, including a patient, that Darvis AI was performed by a human or that Output was human-generated; and (vi) only process PHI, submit PHI for Input, or retrieve Output that includes or is based on PHI, through a Zero Data Retention or otherwise HIPAA compliant workflow or AI endpoint. For the purposes of these Darvis AI Terms, “Zero Data Retention” refers to workflows or AI endpoints in which no Input is retained by the model or endpoint after processing.

Darvis AI Use Restrictions. You may not use Darvis AI or any Output (i) to develop data sets, foundation models, or other large scale models that may compete with Darlean or Darvis AI; (ii) to mislead any person or imply that Output generated using Darvis AI is unique or solely human generated; (iii) to generate spam or misleading content; (iv) in a manner that violates any law, regulation, technical documentation, usage guidelines, policies, or other terms, whether made available or communicated to you by Darvis or any other third party; (v) to modify or create derivative works of Darlean or Darvis AI; (vi) to reverse assemble, reverse compile, decompile, translate, engage in model extraction or stealing attacks, or otherwise attempt to discover the source code or underlying components of models, algorithms, and systems of Darlean or Darvis AI (except to the extent such restrictions are contrary to applicable law); (vii) to extract data from Darlean or Darvis AI other than as permitted through the API; or (viii) to buy, sell, or transfer API keys from, to, or with a third party without Darlean’s prior written consent. Additionally, your use of Darvis AI is subject to fair usage restrictions that we may determine in our sole discretion. You acknowledge and agree that if you exceed what we determine to be fair usage: (a) you may be required to purchase additional usage rights to continue accessing and using Darvis AI; and (b) Darlean may disable or degrade performance of Darvis AI.

Third Party Policies. Darvis AI incorporates AI models from third party providers, which are made available to you through the Darvis AI interface. Darlean may, in its sole discretion, add, remove, limit, or otherwise modify the third party providers included in the Darvis AI services at any time. If you choose to use Darvis AI, you must do so in a manner that is fully compliant with the policies of any third party provider you use. These policies are not set or controlled by Darlean and it is your responsibility to familiarize yourself with them.
Darvis AI is built with ChatGPT-4o. Our AI features use a combination of ChatGPT and Gemini models. 
For example:

  • Darvis chat uses ChatGPT-4o.
  • When generating and editing images, Gemini 2.5 Flash Image (Nano Banana) is used.

The ChatGPT and Gemini models integrated with Darvis are the only models that can access your Workspace data using in-context learning.
For example, you open the external ChatGPT-4.0 model from Darvis and ask: "Summarize the Accounting team's progress on the Q4 2026 audit." ChatGPT can't answer you because it can't access your Workspace data.
Darvis is not trained on data from your Workspace. We've secured licensing with our partners to ensure they do not access your data for training purposes. We also have zero data retention agreements with all of the large language model (LLM) organizations we partner with. The agreements require our partners not to retain any data from your Workspace after your data is input and processed through the LLM.
Additionally, we use in-context learning (ICL) to ensure that our models are not learning from data.
In-context learning (ICL) is a technique that allows large language models (LLMs) to generate appropriate responses when given context or examples within a prompt. This shows the model what to do without retraining or fine-tuning the model.

For example, when asked a question like "What is our PTO policy?" Darvis understands that it should search for PTO-related content in your Workspace. Darvis analyzes the content and provides the most appropriate response.

This allows Darvis to assist you while never storing information from your Workspace.
Yes, we separate user inputs from system prompts to ensure the large language model (LLM) recognizes that system prompt data is not meant as instructions. We conduct regular internal and external vulnerability testing across the platform with a focus on AI, following Open Worldwide Application Security Project (OWASP) guidelines.
Darvis customers retain any ownership they have of their data, regardless of whether it is processed through a large language model (LLM) or not. Any data provided by a Darvis customer that is sent to Darvis AI providers is covered by Darvis's contract with that AI provider. Darvis's contracts with AI providers prohibit Darvis customer data from being used to train any AI model or from being retained by that model after processing.
Darvis AI undergoes regular internal and external penetration testing to ensure security. We have an automated eval testing framework to ensure the behavior of Darvis AI remains consistent.
Darvis AI has two main feature types:

  • Manual AI usage: For example, using our Project Report feature.
      • Project Report has access to the same information as the person using it. AI can't reveal anything that person can't otherwise access.
  • Automatic AI usage: This usage is configured by someone in your Workspace and happens automatically or autonomously. For example, Daily reports.
      • Darvis Daily reports respond based on their instructions and the knowledge they're given access to when configured. They respond in Chat as configured.
How do you ensure Darvis AI is secure and consistent?
Does Darvis AI respect the user's role and permissions when responding?