Privacy Policy.

Purpose of this privacy policy

This policy aims to give you information on how we collect and process your personal data through your use of this Platform — including any data you provide when you sign up to our newsletter, create an account, purchase a product or service, or take part in a competition or promotion.

This Platform is not intended for children. We do not knowingly collect data relating to children under the age of 16. If you are under 16, do not use or provide any information on this Platform. If we become aware of an under-16 user, the account will be suspended without notice and the information deleted.

Read this policy together with any other privacy notice we provide on specific occasions so that you are fully aware of how and why we are using your data. This policy supplements, but does not override, those notices.

Controller

Bitroot is made up of different legal entities. This privacy policy is issued on behalf of bitroot.org, so when we mention “Company”, “we”, “us” or “our”, we are referring to the relevant company in the Bitroot.org Group responsible for processing your data. We will tell you which entity is the controller when you purchase a product or service.

Our Legal Department oversees questions in relation to this policy. If you have any questions or wish to exercise your legal rights, please contact us at the details below.

Contact details

Legal entity

Bitroot

Email

privacy@bitroot.org

Postal

149, Avior, Nirmal Galaxy, L B S Marg, Mulund West, 400080, Mumbai, MH

Changes to this policy

We keep our privacy policy under regular review. Historic versions can be obtained by contacting us. The effective date at the top of this page reflects the latest revision.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third-party links

This Platform may include links to third-party websites, plug-ins, and applications. Clicking those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Platform, we encourage you to read the privacy policy of every website you visit.

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different kinds of personal data about you, grouped as follows:

• Identity Data — first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender.
• Contact Data — billing address, delivery address, email address, telephone numbers.
• Financial Data — bank account and payment card details.
• Transaction Data — details about payments to and from you and other details of products and services you have purchased from us.
• Technical Data — IP address, login data, browser type and version, time zone, location, browser plug-in types and versions, operating system, and other technology on the devices you use to access this Platform.
• Profile Data — username and password, purchases, interests, preferences, feedback, and survey responses.
• Usage Data — information about how you use our Platform, products, and services.
• Marketing and Communications Data — your preferences in receiving marketing from us and our third parties, and your communication preferences.

We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law, as it does not directly or indirectly reveal your identity. If we combine Aggregated Data with your personal data so that it can identify you, we treat the combined data as personal data.

We do not collect any Special Categories of Personal Data (race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, genetic or biometric data). Nor do we collect information about criminal convictions or offences.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract with you, and you fail to provide it when requested, we may not be able to perform the contract with you. In that case we may have to cancel a product or service, and will notify you if so.

We use different methods to collect data from and about you, including:

Direct interactions

You may give us your Identity, Contact, and Financial Data by filling in forms or corresponding with us by post, phone, email, or otherwise. This includes personal data you provide when you:

1. 01Apply for or request our products or services.
2. 02Create an account on our Platform.
3. 03Subscribe to our service or publications.
4. 04Request marketing to be sent to you.
5. 05Enter a competition, promotion, or survey.
6. 06Give us feedback or contact us.

Automated technologies or interactions

As you interact with our Platform, we automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data using cookies, server logs, and similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. For more, see our cookie policy.

Third parties or publicly available sources

We will receive personal data about you from third parties and public sources as set out below:

1. 01Technical Data from analytics providers, advertising networks, and search information providers.
2. 02Contact, Financial, and Transaction Data from providers of technical, payment, and delivery services.
3. 03Identity and Contact Data from data brokers or aggregators.
4. 04Identity and Contact Data from publicly available sources.

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal obligation.

Generally we do not rely on consent as a legal basis for processing your personal data, although we will get your consent before sending third-party direct marketing communications to you via email or text. You have the right to withdraw consent to marketing at any time by contacting us.

Where required by law, we will obtain your consent to use and process your personal data. Otherwise we rely on another authorised legal basis: (a) contract, (b) legitimate interests, and/or (c) legal obligation.

Purposes for which we will use your personal data

We may process your personal data for more than one lawful ground depending on the specific purpose. Please contact us if you need details about the specific legal ground we are relying on where more than one applies.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need. This is how we decide which products, services, and offers may be relevant for you. You will receive marketing communications from us if you have requested information from us or purchased from us, and have not opted out.

Third-party marketing

We will get your express opt-in consent before sharing your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message. You can also opt out by emailing privacy@bitroot.org. Opting out does not apply to data provided as a result of a product/service purchase, warranty, or other transaction.

Cookies

You can prevent the setting of cookies by adjusting the settings on your browser (see your browser’s Help section). If you disable cookies, some parts of this Platform may become inaccessible or not function properly. For more about the cookies we use, see our cookie policy.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis which allows us to do so.

We may share your personal data with the parties set out below for the purposes described in this policy.

• Internal Third Parties — other companies in the Bitroot.org Group acting as joint controllers or processors.
• External Third Parties — service providers, professional advisers, regulators, contest sponsors, advertising networks, and similar.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or assets. If a change happens, the new owners may use your personal data in the same way set out in this policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your data for specified purposes and in accordance with our instructions.

We may disclose your personal information to third parties where required by law or regulation, or to protect the Company and/or other customers (only to the extent legally permitted).

We share your personal data within the Bitroot.org Group, which may involve transferring your data outside the European Economic Area (EEA) or the UK.

Many of our external third parties are based outside the EEA or UK, so their processing of your personal data will involve a transfer outside the EEA or UK.

Whenever we transfer your personal data out of the EEA or UK, we ensure a similar degree of protection by relying on at least one of the following safeguards:

• Transferring to countries deemed to provide an adequate level of protection — see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Using contracts approved by the European Commission, or by the UK, which give personal data the same protection as in Europe — see Model contracts for the transfer of personal data to third countries.

Please contact us if you want further information on the specific mechanism we use when transferring your personal data out of the EEA or UK.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. We limit access to your personal data to employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and are subject to a duty of confidentiality.

We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where legally required.

All personal information you provide to us is stored on our secure servers. Any payment information or transaction is encrypted.

The security of your personal information depends on you and your habits. If we give you a password, you are responsible for keeping it confidential. Be careful about giving out information in public spaces — information you share publicly may be viewed by other users of this Platform.

How long will we use my personal data?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes for which we collected it — including satisfying any legal, regulatory, tax, accounting, or reporting requirements. We may retain your personal data for a longer period in the event of a complaint, or where we reasonably believe there is a prospect of litigation.

To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means.

For more information on retention periods, please contact us. In some circumstances you can ask us to delete your data — see Your legal rights below.

Anonymised data is not personal data. In some circumstances we will anonymise your personal data (so it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice.

Under certain circumstances you have rights under data protection laws in relation to your personal data:

• Request access to your personal data — a copy of what we hold about you, and confirmation we are processing it lawfully.
• Request correction of personal data we hold about you — we may need to verify the accuracy of the new data.
• Request erasure of your personal data where there is no good reason for us to continue processing it.
• Object to processing where we are relying on a legitimate interest or for direct marketing purposes.
• Request restriction of processing — to suspend processing in certain scenarios.
• Request the transfer of your personal data to you or to a third party in a structured, machine-readable format.
• Withdraw consent at any time where we are relying on consent.

If you wish to exercise any of these rights, please contact us.

No fee is usually required

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive — or refuse to comply in those circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data. This is a security measure to ensure that personal data is not disclosed to anyone who has no right to receive it.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take longer if your request is particularly complex or you have made a number of requests — we will notify you and keep you updated.

Lawful basis

Legitimate Interest — the interest of our business in conducting and managing our business to give you the best service and the most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before processing your personal data for our legitimate interests.

Performance of Contract — processing your data where it is necessary for the performance of a contract you are a party to, or to take steps at your request before entering into such a contract.

Comply with a legal obligation — processing your personal data where necessary for compliance with a legal obligation we are subject to.

Third parties

Internal Third Parties — other companies in the Bitroot.org Group acting as joint controllers or processors and based in India and the United States, providing IT and system administration services and leadership reporting.

External Third Parties include:

• Service providers acting as processors who provide IT and system administration, credit card processing, research and analytics, marketing, customer support, and data enrichment.
• Professional advisers (lawyers, bankers, auditors, insurers) who provide consultancy, banking, legal, insurance, and accounting services.
• Regulators and authorities acting as processors or joint controllers, where reporting of processing activities is required.
• Contest and promotion sponsors whose contests or promotions you register for.
• Event sponsors who host events you attend or download an asset from. Your information would then be subject to the sponsors’ privacy statements.
• Third-party networks (social media networks, advertising networks) that enable us to market on third-party platforms.
• Third parties involved in a corporate transaction (merger, reorganisation, sale of assets) — we will use reasonable endeavours to notify you of any transfer of personal data to an unaffiliated third party.

We may also share anonymous or de-identified usage data with our service providers, and on an aggregate basis in the normal course of operating our business — for example, to show trends about the general use of our services.