Definitions

To facilitate your understanding of this Policy, we explain the usage of the definitions listed here in accordance with the GDPR. We use the following definitions in this Policy:

• “data controller” means the natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed.
• “data processor” means the natural or legal person who processes personal data on behalf of the data controller.
• “data subject” is any living individual who is using our Platform and/or Services.
• “personal data” means any information relating to you and helping identify you (directly or indirectly) such as your name, last name, email, location data, etc.
• “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
• “joint controllers” means two or more controllers jointly determining the purposes and means of processing.

Data Collection

We collect and process information about you according to this Policy. In this section, you can read more about personal data we may collect when you visit and use our Platform. We collect information about you in connection with our Platform and Services and process it either as a data controller or as a data processor. In particular, we collect:

• (а) Contact Information. When you submit your personal data via the Platform’s forms, chatbot, social media, or email address to contact us and/or provide feedback, we may collect some information about you. Such data may include your name, email address, phone number, and any other details you provide to us via available contact options.
• (b) Cookies Information. We may use cookies and other tracking technologies on our Platform for various purposes, including analytics, marketing activities, and remembering your preferences. This may involve the transfer of information between you, us, and third-party websites. For more information about our use of cookies, please see our Cookie Policy.
• (c) Contract Information. If we sign a service agreement with our client or need to carry out due diligence, we may collect certain information relating to the contract between us and the client. This information may include, but is not limited to, the client’s full name, position, country, name of employer company and any necessary documentation authorising the individual to represent the company.
• (d) Registration Information. When you create an account on the Platform, we collect some information about you and the organization you represent, such as the name of the organization, your full name, email address, country, account type (e.g. school, college, or general), and account name. You must enter the above information yourself to create an account unless we receive such information about you from the third-party authentication token when you choose to sign up using the respective button.
• (e) Authentication Token Information. When you sign in to our Platform using the ‘Office 365 Login’ button, we collect an encrypted authentication token from your chosen service provider. We can obtain certain information about you, including your email address, phone number, and Skype login.
• (f) Integrations Information. Clients’ tokens or other information, which are necessary to integrate your account (e.g. giving our Platform access to a third-party platform API) with other third-party services such as Office 365, Microsoft Teams, OneDrive, etc.
• (g) Automatically Collected Information. When you use our Platform, we collect certain information about you and your device automatically, such as logs.
• (h) Payment Information. If you order Services from us, you will need to provide certain details, including payment information, so the order can be fulfilled. Such data can include but is not limited to the name of the organisation, the type of the organisation, and the tax registration number. We use Payment Information to issue invoices and receive payments for the Services.
• (i) Review Information. To enhance our services, we may solicit your feedback through a third-party service provider by asking you to write a review of our services. During this process, we may collect certain information from you, including your name, job title, email address, and other details pertaining to your use of our services.
• (j) Other Person’s Information. As part of our Services, we can process third-party personal data that has been provided to us by our clients, including through integrations. In this case, we process such personal data (which typically relates to pupils, students, or employees of our clients) under instructions provided by the respective client.

We use the personal data we collected and the personal data you provided us with or requested us to collect only for the purposes listed in this Policy. We may share your personal data with third parties solely for the purposes listed herein.

When we act as data controllers:

• we DO NOT sell your data;
• we DO NOT use automated decision-making and profiling;
• we DO NOT intentionally collect and process any sensitive personal data.

Grounds for Processing

Our grounds for processing your personal data are your consent; our legitimate interests; the performance of a contract; our legal obligations. We do NOT intentionally collect and process sensitive personal information. Please, refrain from sharing your sensitive personal data when you provide information to us through our Platform or in other ways.

We collect and process your personal data in accordance with the provisions of the GDPR. GDPR provides an exclusive list of lawful bases allowing us to process your personal data. During personal data processing, we rely only on four of them, namely:

Article 6.1(a): consent

We collect the information you choose to give us, and we process it with your consent. You may withdraw your consent to the processing of your personal data at any time.

Please remember that the withdrawal of consent does NOT automatically mean that the processing before the withdrawal is considered unlawful. You may withdraw the consent to the processing of your personal data by sending us an email at org.privacy@gamalearn.com, or by contacting us in any other way convenient for you.

Article 6.1(f): legitimate interests

We process your personal data to protect our legitimate interests, such as preventing fraud, ensuring the security of our Platform, and providing you with a seamless user experience. We only collect and use the strictly necessary data to achieve these purposes and do not override your fundamental rights and freedoms.

Article 6.1(b): performance of a contract

When you provide us with personal data to register an account on our Platform, this can be considered as a request to form a contract or to perform a contract between you and us. However, in case of doubt, we may ask you for clear consent.

Article 6.1(c): legal obligation

We process your personal data to fulfill our legal obligations, such as complying with tax or regulatory requirements. In case you send us a request to exercise your rights under the GDPR, we may ask you for some personal data we already have to identify you and achieve compliance with the applicable law.

Use of Your Personal Data

As a data controller, we use your personal data for the purposes listed below. The table provides details of the types of personal data we process, the legal grounds we rely on to do so, and any third parties with whom we may share your personal data:

We also process certain personal data as a data processor, at the request and pursuant to the instructions given by the respective client of our Platform (data controller in that case). We describe several possible situations where we can act as a data processor in the table below:

Data Security, Integrity, and Retention

We will store and process your personal data for as long as necessary to provide you or other users with the Services, or as required by law. If you wish to have your personal data erased from our records, you may request so by contacting us in any way convenient for you.

As a data controller, we store and process your personal data until we do not need it for any of the purposes defined in this Policy unless a longer retention period is required or expressly permitted by law. We may not delete or anonymize your data if we are required to retain it to comply with the law or legal process.

Notwithstanding any of the aforementioned periods of data storage, you may request us to delete your personal data by sending an email to org.privacy@gamalearn.com or by contacting us in any other way that is convenient to you.

We have implemented appropriate organizational, technical, administrative, and physical security measures to protect your personal data from unauthorized access, disclosure, use, and modification. We regularly review our security procedures and policies to take into account appropriate new technologies and practices.

Data Sharing and Disclosure

We only transfer your personal data to third parties in accordance with the requirements of GDPR. Where possible, we always enter into data processing agreements (DPAs) and Non-Disclosure Agreements (NDAs) with our third parties to ensure they process your personal data in compliance with GDPR. We may disclose your personal data to third parties, including those located outside the EU and EEA, provided that proper safeguards are put in place and the applicable local laws do not put your rights at risk.

We may share your personal data as a data controller with other data processors and data controllers in accordance with the provisions specified below.

Sharing data with joint controllers

In some cases, we may act as a joint controller jointly with other joint controllers, for example, while using Meta pixel. With respect to this case of personal data processing, we are the party to the Facebook Joint Controllership Addendum. In such a case, a data subject may exercise their rights under the GDPR in respect of and against both other joint controllers and us.

Sharing data with data processors

There are many features necessary to provide you with our Services that we cannot complete ourselves, and we seek help from third parties. We may grant some service providers access to your personal data, in whole or in part, to provide the necessary services.

Therefore, we may share and disclose your personal data to other data processors:

1. Zoho (Zoho CRM, Zoho SalesIQ, Zoho Creator, Zoho Campaigns, Zoho Books, Zoho Sign) (Zoho Corporation Pte. Ltd., Singapore) (the full list of Zoho entities and their respective countries of registration is available at the following link). We use Zoho for a variety of services, such as CRM, analytics, sales (to issue invoices), and marketing. You may read its Privacy Policy here.
2. Google Analytics (Google LLC, USA): to analyse data about how our Platform and Services are used in order to improve their functionality. You may read Google LLC’s Privacy Policy here.
3. Digital Ocean (DigitalOcean LLC, USA): to use as a hosting infrastructure for our Site, Community, and website https://gamalearn.com. You may read its Privacy Policy here.
4. Microsoft Azure (Microsoft Corporation, USA): to use as a hosting infrastructure for our Application. You may read its Privacy Policy here.
5. eduNEXT (edX Inc., Republic of Colombia): to provide our courses to you and use it as a hosting infrastructure for our Academy. You may read its Privacy Policy here.
6. Monster Insights (MonsterInsights LLC, USA): to analyse data about how our Platform and Services are used in order to improve their functionality. You may read its Privacy Policy here.
7. WordPress (Automattic Inc., USA): to build our websites and implement backup technologies. You may read its Privacy Policy here.
8. Zendesk (Zendesk, Inc., USA): to provide customer service for our users. You may read its Privacy Policy here.
9. EdTech Impact (EdTech Impact Ltd, UK): to obtain review from the clients about their use of Platform and Services. You may read its Privacy Policy here.

As part of our business operations, we may engage various specialists which may receive your personal data, including technical, sales, legal and marketing professionals, to provide you with better client service and ensure the accuracy and transparency of our business. Collectively, these specialists and partner websites are referred to as Contractors.

We may transfer your personal data to countries outside the European Union (EU) and European Economic Area (EEA) that are not deemed to provide an adequate level of data protection under Article 45 of GDPR (adequacy decision). In such cases, we will ensure that appropriate safeguards are implemented in accordance with the GDPR to protect your personal data.

When we transfer your personal data to third parties, we always comply with the requirements of the GDPR. Where possible, we always enter into Data Processing Agreements (DPAs) and Non-Disclosure Agreements (NDAs) with these third parties to ensure that your personal data is adequately protected. If a Contractor has an appropriate data processing agreement in place, we may join that agreement. If so, the Company and the Contractor may regulate the transfer of the personal data to such Contractor by means of such data processing agreement.

Transferring your personal data outside of the European Economic Area

We may transfer your personal data to third countries outside the European Union (EU) and the European Economic Area (EEA) under Article 46 of the GDPR with appropriate safeguards, including the Standard Contractual Clauses (SCC).

We may need to transfer your personal data to countries outside the EU and EEA that do not meet the requirements of Article 45 of GDPR on the adequacy of data protection. In such cases, we will transfer your personal data to third countries under Article 46 of GDPR with the appropriate safeguards, including Standard Contractual Clauses (SCC).

We follow internal procedures when disclosing your personal data to countries outside the EU and EEA to ensure adequate safeguards for protecting your privacy and fundamental rights and freedoms.

We take additional technical and organizational measures when transferring data outside the EU and the EEA, such as assessing the reliability and personal data protection practices of the service provider, encrypting the transferred personal data, promptly responding to any threats to confidentiality, integrity, and availability of personal data, and conducting Transfer Impact Assessments (TIA) when necessary, etc.

Your Rights under the GDPR

You may exercise the following rights under the General Data Protection Regulation:

• right of access;
• right to rectification;
• right to erasure;
• right to restriction of processing;
• right to object to processing;
• right to data portability;
• right to lodge a complaint;
• right to consent withdrawal.

You may exercise the following rights by submitting your request to org.privacy@gamalearn.com.

Rights under GDPR

• right of access means that you can ask us to send you a copy of the personal data we have about you, together with information about the nature, processing, and disclosure of that personal data;
• right to rectification means that you can ask us to update and correct any inaccurate, missing, or incomplete personal data;
• right to erasure (to be “forgotten”) means that you can ask us to delete the personal information we have about you, where prohibited by law;
• right to restriction of processing means that you can ask us to restrict the processing if:

1. 1. your personal data is inaccurate or outdated;
   2. the processing is unlawful.

• right to object to the processing means that you may object on grounds relating to your particular situation;
• right to data portability means that you can ask us to transfer a copy of your personal data to another organization or to you;
• right to withdraw the consent where your personal data is processed on the basis of your consent;
• right to lodge a complaint with the supervisory data protection authority about the processing of your personal data.

You may lodge a complaint with the supervisory authority of your place of residence within the EU or with the data protection authority specified in this Policy.

Please, note that we may need to confirm your identity in order to process your requests to exercise your rights under the GDPR. Therefore, we may not be able to comply with your request if you do not provide us with sufficient details to enable us to verify your identity and respond to your request.

Data Protection Authority under the GDPR

We kindly ask you to contact us directly so we can quickly answer your question. We encourage you to contact us first if you have any concerns related to the processing of your personal data. Please feel free to contact us at org.privacy@gamalearn.com with any questions or concerns.

Supervisory Authority under GDPR:

In case you have any questions related to data protection, you may contact the supervisory authority. We will cooperate with the appropriate governmental authorities to resolve any privacy-related complaints that cannot be amicably resolved between you and us. You can find a full list of EU supervisory authorities through this link.

California Residents: Your Rights under the CCPA

This section applies to the processing of the personal information of the residents of the state of California.

Under the California Consumer Privacy Act (the “CCPA”), California residents have certain rights regarding the collection, use, and sharing of their personal information.

When you use and/or access our Platform, we may collect various categories of personal information, including information you provide when you want to receive our Services or data which is automatically collected when you interact with our Platform. Depending on the circumstances, we may collect the following categories of personal information specified in the CCPA when you access our Platform:

Category A – Identifiers;
Category B – Personal information categories listed in the Cal. Civ. Code § 1798.80;
Category D – Commercial information;
Category F – Internet or other similar network activity;
Category I – Professional or employment-related information.

You can find a detailed description of the personal information that we may collect from you in the ‘Use of Your Personal Data’ section of this Policy. Please, note that in the ‘Data Disclosure and Sharing’ section of this Policy, you can review the categories of third parties with whom we may share your personal information. The terms used within those sections of this Policy are taken from the GDPR in consideration of the definitions established in the CCPA.

If you are a California resident, to the extent provided for by the CCPA and subject to applicable exception, you have the following rights in relation to the personal information we have about you:

• Right to obtain information. You can request information about what personal information has been collected about you and how we have used that personal information during the preceding 12 months.
• Right of access. You can request a copy of the personal information that we have collected about you during the preceding 12 months.
• Right to deletion. You can request us to delete the personal information that we have collected from you unless it is necessary for us to maintain your personal information in certain cases under the CCPA, such as protection against malicious, deceptive, fraudulent, or illegal activity.
• Right to opt-out. You can opt-out of sale or sharing of personal information.
• Right to correct. You can request us to correct inaccurate personal information.
• Right to limit the use and disclosure of sensitive personal information. You can request to limit the use and disclosure of sensitive personal information, if any.
• Right to be free from discrimination relating to the exercise of any of your privacy rights.

We do not sell your personal information to third parties for monetary or other valuable consideration, nor do we offer any financial incentives associated with our collection, sharing, or retention of your personal information.

We take your privacy seriously and will not discriminate against you for exercising your CCPA rights.

You can exercise your rights under the CCPA by sending us an email by any other means of communication convenient for you, including those listed in the ‘How to Contact Us’ section of this Policy.

Please note that we may need to verify your identity before processing your request, so please provide us with sufficient detail to allow us to do so. Failure to provide sufficient detail may result in us being unable to fulfill your request.

Brazilian Residents’ Rights

This section applies to the processing of the personal information of the residents of the Federative Republic of Brazil.

This section will help you understand your rights under the Lei Geral de Proteção de Dados (“LGPD”) and the way how we ensure them. If you are a user located in Brazil, you are able to exercise the following rights with respect to your personal data that we process:

• right to confirmation of the existence of the processing;
• right to access the data;
• right to correct incomplete, inaccurate or out-of-date data;
• right to anonymize, block, or delete unnecessary or excessive data or data processed in noncompliance with the provisions of the LGPD;

right to the portability of data to another service or product provider, by means of an express request;

• right to delete personal data processed with the consent of the data subject;
• right to obtain the information about the possibility of not giving consent and about the consequences of the refusal;
• right to obtain the information about public and private entities with which the controller has shared data;
• right to revoke consent.

Please note that we will not be able to respond to your request or provide you with any personal information unless we are able to verify your identity and confirm that the personal information relates to you. We will only use such personal information to verify your identity.

You may exercise the above rights by sending your request to org.privacy@gamalearn.com or by any other means that is convenient to you.

Protection of Personal Information Act

This section applies to the processing of personal information under the Protection of Personal Information Act. In this section, the term “personal information” is used as it is defined in POPIA.

This section will help you understand your rights under the Protection of Personal Information Act (“POPIA”) and the way how we ensure them. If POPIA applies to us in course of the provision of our Services, you are able to exercise the following rights with respect to your personal information that we process:

• right to be notified of how the personal information is collected, accessed or acquired;
• right to access the personal information;
• right to correction, destruction or deletion of personal information;
• right to object to processing of personal information;
• right not to be subject to a decision which is based solely on the basis of the automated processing;
• right to submit a complaint;
• right to institute civil proceedings regarding the alleged interference with the protection of personal information.

Please note that we will not be able to respond to your request or provide you with any personal information unless we are able to verify your identity and confirm that the personal information relates to you. We will only use such personal information to verify your identity.

• You may exercise the above rights by sending your request to org.privacy@gamalearn.com or by any other means that is convenient to you.
• You may also submit a complaint to the Information Regulatory of the Republic of South Africa via email: POPIAComplaints@inforegulator.org.za

Children’s Privacy

In case we process children’s personal data, we perform it only in compliance with COPPA, GDPR and other applicable laws and regulations.

We undertake the best possible efforts to secure the processing of personal data belonging to the underage. Our Platform and Services are intended for general audiences and are not directed to children under the age of 13. We do not knowingly collect any personal information from children under the age of thirteen without seeking any required parental approval in accordance with applicable legal and regulatory obligations, such as the U.S. Children’s Online Privacy Protection Act (“COPPA”). If we become aware that a child has provided us with personal information without a parent’s permission, we will promptly delete this information. If you know that a child has provided us with personal information without parental consent, please contact us at org.privacy@gamalearn.com.

Changes to the Privacy Policy

We may change this Policy at any time for various reasons, such as legal compliance, business operations, or technological advancements. If we make any material changes to this Policy, we will notify you through means available to us. We encourage you to review this Policy periodically to stay informed about how we collect, use, and protect your personal data.

This Policy may be changed from time to time to reflect updates, new technologies, and changes in laws and regulations. We will notify you if these changes are material and, where required by applicable laws, we will obtain your consent for the subsequent processing. In any case, we encourage you to regularly review this Policy for any changes. Notices of changes to this Policy may be provided by email, via our Platform, or by other means consistent with applicable law.

How to Contact Us

Please contact us if you have any questions about how we process your data, this Policy, or your rights. If you have any questions regarding this Privacy Policy, our data processing activities, or your rights as a data subject under GDPR and other applicable laws, please contact us directly:

• Our email: org.privacy@gamalearn.com
• Our telephone: +971 2 6222345
• Our address: P.O. Box: 43957, Khalifa Street, GIBCA Tower, No. 002, Abu Dhabi, United Arab Emirates