Privacy Policy

What is the privacy statement about…

We attach great importance to the protection and security of your personal data. Therefore, we consider it vital that we then inform you about your personal data that we process for what purpose and what rights you have in relation to your personal data.

This data protection statement is subject to the GDPR and any applicable data protection laws of Greece.

The Smart HR

The Smart HR application is a leave calendar in the form of a Web / iOS & Android app to which every employee & manager of the business has access with a personal username and password. The application is in the cloud, so that everyone can connect whenever and wherever they want. Registration in the application is done through our Smart HR login.

What is personal data and what does processing mean?

"Personal data" (hereinafter referred to as "data") is any information that says something about a natural person. Personal data is not only information that directly refers to a specific individual (such as a person's name or e-mail address), but also information with which, taking into account appropriate additional knowledge, reference can be made to a specific person .

"Processing" means any action taken in relation to your personal data (such as collecting, recording, organizing, ordering, storing, using or deleting data).

Who is responsible for processing your data?

The person responsible for processing your data is:

SMARTUP I K E

45 KOMNINON STREET

THESSALONIKI PC 56224

email: info@smartupweb.com

phone: +302310526279

What rights do you have as the owner and supplier of your data?

Within the framework of the provisions of the legislation, as the owner and supplier of the data you have the right to:

Access information about your data.

In editing and correcting incorrect data and filling in missing data.

Deletion of your data, in particular if (1) it is no longer necessary for the purposes stated in this data privacy policy, (2) you withdraw your consent and there is no other legal basis for the processing, (3) your data has been is processed unlawfully or (4) you have objected to the processing and there are no compelling legitimate grounds for the processing;

To restrict the processing of your data, particularly if the accuracy of the data is disputed by you or the processing of your data is unlawful and instead of deletion you require restriction of use.

Object to the processing of your data based on legitimate interests for reasons arising from your particular situation or, without specific justification, to the processing of your data carried out for direct marketing purposes; unless it is an objection to direct marketing, we ask you to explain the reasons why we should not process your data as we may when you object. In case of your reasoned objection, we will consider the merits of the case and stop the processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

To receive your data in a structured, widely used and machine-readable format and the right to transfer your information directly from us to another controller.

Withdraw your consent if you have given us your consent for processing. Please note that the withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of your consent until the withdrawal.

If you seek to assert the above rights, please note that we may ask you to provide evidence to prove that you are who you say you are.

In addition, you have the right to file a complaint with a supervisory authority if you believe that the processing of your data violates the GDPR.

Links to other websites

Our application may contain links to and from websites of other providers not affiliated with us (“third parties”). After clicking on the link, we no longer have any influence on the processing of any data transmitted to the third party when the link is clicked (such as the IP address or the URL in which the link is located), the processing of your data by third parties is of course beyond our control. Therefore, we cannot assume any responsibility for the processing of such data by third parties.

Data processing

Download and use the Smart HR app

When the Smart HR app is downloaded or used on your mobile device, the app transmits the following data to our web servers, which we store in so-called log files:

What data do we process and for what purpose?

We process the following data:

Your location if you give permission

Date and time of access to the application

The type and version of the browser you use and the operating system you use

We process this data in principle only for the purpose of ensuring stability as well as network and information security.

Processing for other purposes only takes place if the required legal conditions according to Art. 6(4) GDPR have been complied with. In this case, we will of course comply with any information obligations pursuant to Art. 13(3) GDPR and Art. 14(4) GDPR.

On what legal basis do we process your data?

Processing for other purposes can only be considered if the necessary legal requirements are met in accordance with Article 6 para. 4 GDPR.

Registration / Authentication when entering the application

We collect the following data during registration and authentication within the Smart HR app:

What data do we process and for what purpose?

We process the following data:

• Your unique Device ID

• Smart HR User ID

• Smart HR App ID

• If not, your first and last name

• your email address

• Your password (encrypted)

• If not, your profile picture

• Your country and language

• Date and time of registration / validation

This data is in principle processed by us exclusively for registration / authentication purposes in our Smart HR application.

On what legal basis do we process your data?

Processing for other purposes can only be considered if the necessary legal requirements according to Article 6 para. 4 GDPR are met. In this case, we will of course comply with any information obligations pursuant to Article 13 para. 3 GDPR and Article 14 para. 4 GDPR.

Data when using the Smart HR app

We collect the following data when using the Smart HR app:

• User's first name, last name, email.

• Your password (encrypted)

• The number of hours the user works on specific projects / day

• Firebase token (app ID)

On what legal basis do we process your data?

Processing for other purposes can only be considered if the necessary legal requirements are met in accordance with Article 6 para. 4 GDPR. In this case, we will of course comply with any information obligations pursuant to Article 13 para. 3 GDPR and Article 14 para. 4 GDPR.

Services from third parties when using the application

A. General information

In providing our application, we use technologies and services. We then provide you – as a user of our application – with additional information about data processing through the use of technologies and services.

I. What are technologies and services?

Technologies and services may be used to determine whether there has already been communication from your end device to our application. Only the technology or service on your end device is recognized. Personal data may, for example, be stored in the technologies and services if this is technically absolutely necessary, e.g. to enable a secure connection.

Technologies and services may for example be small text files that a web server or application can store and read on your terminal equipment (computer, smartphone or similar) that you use. The technologies and services contain individual, alphanumeric character strings that allow identification of the web browser you are using and may also contain information about user-specific settings.

The aforementioned technologies & services and other technologies are hereinafter collectively referred to as “Technologies”.

II. What kinds of technologies are there?

We distinguish between basic technologies on the one hand and optional technologies on the other:

Core technologies are those that are technically necessary for the functionality and to ensure the security and stability of our application and information technology systems. We also assign to this category those technologies that store certain settings you have made, selected options or information you have entered until you close your application (at the latest), in order to provide the desired functionality you have requested (e.g. status connection, language setting, etc.). Your consent is not required to store or read core technologies. Therefore, you cannot manage core technologies through the settings of the consent management service we use;

Optional technologies are those that are not necessary for the functionality or to ensure the security and stability of our application and information technology systems, but are used for analytical or marketing purposes. These technologies can, for example, be used to gather anonymous statistics and collect information about how our application is used, which enables us to analyze the use of our application and thereby optimize it. We also assign to this category those technologies that store certain settings you have made, selected options or information you have entered. these remain after you close your application to provide the desired functionality you have requested (e.g. login status by selecting "Remember my email address", wish list, comparison list, etc.) for a longer period of time. Storing or reading optional technologies generally requires your prior consent. You can consent to the use of optional technologies and withdraw any consent you have granted at any time with future effect through the settings of the consent management service we use.

Both essential and optional technologies can be so-called "session technologies" or "persistent technologies", which differ in their intended lifetime or operational lifetime:

Session technologies are stored on your terminal equipment and are automatically deleted when you close your application.

Permanent service information is stored on your terminal equipment and is not automatically deleted when you close your application, but remains on your terminal equipment for a predetermined period of time.

B. Use of Technologies in Our Application

I. Basic Technologies

What key technologies are used for what purpose and for how long?

Service

Purpose

Service provider

Functional life

Service

Purpose

Provider

Google Firebase Crashlytics

Preparing bug reports, which are necessary to maintain the security and stability of the Smart HR application and to be able to guarantee it in the future.

Google Ireland Ltd.,

Gordon House,

44-47 Barrow Street,

Dublin 4D,

Ireland

Language detection

Language detection to display app language for a specific user

Google Firebase Crashlytics

We have integrated Google Firebase Crashlytics into the Smart HR for crash analysis and debugging. The report serves the stability and improvement of the application. Information is collected about the device used and the use of the Smart HR application (eg timestamp, when the application was started and when the error occurred), which enables us to diagnose and resolve problems. Our legitimate interest in data processing also lies in these purposes. The legal basis for the use of Google Analytics is the article. 6 para. 1 liter f) DSGVO. Data is stored anonymously. This personal data is not merged with your other profile information.

Please note that the required technologies are already stored when you access our application and the relevant framework is pre-selected. It is not possible to deselect the required technologies through the consent management service. The functionality of the consent management service itself requires the use of certain technologies.

Information about the service provider:

Google Ireland Limited, Gordon House, 44-47 Barrow Street Dublin 4 D, Ireland

Website: https://firebase.google.com

II. Optional technologies

Using the following information, we would like to enable you to make an informed decision for or against the use of optional technologies and related data processing.

Service	Purpose	Provider
Google Firebase analytics	Application statistics	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
		User device
Push Notifications	Send updates via push msg	Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Google (Firebase) Analytics

Subject to your consent, we use app analytics technologies to analyze the use of our app so that we can continuously improve it. The anonymous user statistics collected (eg number and origin of app visitors) enable us to optimize our app and improve its design – such as placing information or topics in our app in the appropriate location to meet demand .

For application analysis we use “Google (Firebase) Analytics”, an application analysis service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (hereinafter collectively "Google"), with the extension "IP anonymization" (also called "IP masking method"). For this purpose, we have entered into a data processing agreement with Google in accordance with Article 28 GDPR. Google will accordingly process the collected data (data about your terminal equipment or web browser, IP addresses and your application or application activities) on our behalf for the purpose of evaluating the use of our application,

Data collected using Google (Firebase) Analytics may be stored and processed in the USA or any other country in which Google or Google's sub-processors maintain facilities. The IP masking method we use ensures that before the IP address is transferred to a Google server in the USA and stored there, it is shortened within EU member states or other EEA member states, so that the entire IP address is not transferred, preventing or significantly complicating the identification of an individual. Only in exceptional cases will the complete, i.e. the entire IP address be transferred to a Google server in the USA and only shortened there. To transfer data to a third country, i.e. a country outside the EU or EEA, appropriate safeguards are generally required to protect your personal data. After Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield was declared invalid by the European Court of Justice, the Privacy Shield EU-US can no longer be used to guarantee an adequate level of protection in the US according to EU standards. Consequently, there is currently no level of data protection in the US equivalent to that prevailing in the EU under Article 45 GDPR and no we can provide appropriate safeguards under Article 46 GDPR to compensate for this shortcoming. Hence, the transfer of data to the USA is only permitted here with your express consent in accordance with Article 49 para. 1 point GDPR. Possible risks of this data transfer are that access by government authorities, such as security and/or intelligence services, cannot be blocked and your data could be processed by them – possibly without you being informed separately and without having executed rights and effective legal remedies available to you – for national security, law enforcement or other purposes in the US public interest.

Transfer of data to a third country, i.e. a country outside the EU or EEA, generally requires appropriate safeguards to protect your personal data. After Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield was declared invalid by the European Court of Justice, the Privacy Shield EU-US can no longer be used to guarantee an adequate level of protection in the US according to EU standards. Consequently, there is currently no level of data protection in the US equivalent to that prevailing in the EU under Article 45 GDPR and no we can provide appropriate safeguards under Article 46 GDPR to compensate for this shortcoming. Consequently, in the US there is currently no level of data protection equivalent to that prevailing in the EU under Article 45 GDPR and we cannot provide adequate safeguards under Article 46 GDPR to compensate for this lack. The transfer of data to the USA is therefore only permitted here with your express consent in accordance with Article 49 para. 1 point GDPR. Possible risks of this data transfer are that access by government authorities, such as security and/or intelligence services, cannot be blocked and your data could be processed by them – possibly without you being informed separately and without having executed rights and effective legal remedies available to you – for reasons of national security,

Information about the service provider:

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. parent company: Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA

Terms and conditions of outsourced data processing for Google advertising products:

https://privacy.google.com/businesses/processorterms/

https://marketingplatform.google.com/about/analytics/terms/de/

Overview of data use in Google (Firebase) Analytics:

https://support.google.com/analytics/answer/6004245?hl=de

https://policies.google.com/privacy?hl=de

Technical explanation of "IP Anonymization (or IP masking) in Google Analytics":

https://support.google.com/analytics/answer/2763052?hl=de

Additional note:

If you want to disable Google (Firebase) Analytics in all applications, you can download and install the “Google Analytics Browser Opt-Out Plugin” at https://tools.google.com/dlpage/gaoptout?hl=en. This option only disables web analytics if you're using the app for which you've installed the plugin.

Data Recipients

We may transfer your data to third parties such as:

• The providers of the features and any other services you actively use;

• Our service providers we use to achieve the aforementioned purposes

• The recipient or recipients you specify.

• Courts, arbitral tribunals, authorities or legal counsel, if this is necessary to comply with applicable law or to establish, exercise or defend legal claims.

Data transfer to third countries

The transfer of data to entities in countries outside the European Union or the European Economic Area (so-called third countries) or to international organizations is only permitted (1) if you have given us your consent or (2) if the European Commission has decided that there is adequate level of protection in a third country (Article 45 GDPR). If the Commission has not taken such a decision, we may only transfer your data to recipients located in a third country if appropriate safeguards are in place (e.g. standard data protection clauses approved by the Commission or the supervisory authority under a special procedure) and the enforcement of Your rights as a data subject are guaranteed or the transfer is permitted in individual cases on other legal bases (Article 49 GDPR).

Where we transfer your data to third countries, we will inform you of the relevant details of the transfer in the relevant sections of this data privacy policy.

Data storage and deletion period

We process your data, provided that this is necessary for the respective purpose, if you have not materially objected to the processing of your data or materially withdraw any consent you may have given.

If there are statutory retention obligations, we must store the data affected by them for the duration of the retention obligation. After the retention obligation has expired, we will check whether there is a need for further processing. If there is no longer a need, your data will be deleted.

Data Security

We use technical and organizational security measures to ensure that your data is protected from loss, inappropriate changes or unauthorized access by third parties. Furthermore, we ensure that, on our part, access to your data is provided only to authorized persons and then only to the extent required for the aforementioned purposes. All data transfer is encrypted.