Privacy Policy: GDPR Data Processing Addendum Last updated: Dec 28, 2019

The European Union's General Data Protection Regulation ("GDPR") is in effect as of May, 2018. This act applies to the processing of User Personal Data by ShipLeaf if these processing activities relate to an establishment of the User in the European Union ("EU"), European Economic Area ("EEA"), Switzerland or the United Kingdom. ShipLeaf Users that offer goods or services to data subjects in the EU, EEA, Switzerland, or the United Kingdom are subject to the new regulations imposed by the GDPR.

Data Processing

For the purposes of our Privacy Policy and this addendum, and in respect of any GDPR Activites described, ShipLeaf is a data intermediary and data processor of the User Personal Data, while the User may be either a data controller or data processor.

In respect of the GDPR Activities described, if the User is a data processor, the User warrants to ShipLeaf that they have all necessary instructions and authorizations from the data controller to appoint ShipLeaf as a data subprocessor of the User Personal Data.

All processing of User Personal Data will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.

User Instructions

ShipLeaf will only process User Personal Data on the instructions of the User unless required by law to act without such instructions.

By using the ShipLeaf Service, the User agrees to the ShipLeaf Terms, including this addendum, and instructs ShipLeaf to process User Personal Data as follows:

Types of Personal Data

The User can submit User Personal Data to ShipLeaf to an extent determined and controlled by the User in its sole discretion, and which may include (but not necessarily limited to) personal data on the following categories of data subjects:

Data Retention and Deletion

The User may delete User Personal Data in a manner consistent with the functionality of the Service during the term of service. If the User uses a Service function to delete any User Personal Data in such a way that it can not be recovered by the User, this will constitute an instruction to ShipLeaf to delete the relevant data from its systems in accordance with applicable law.

If the User wishes to delete User Personal Data that can not be deleted via functionality provided by the Service, the User should send a deletion request to [email protected]. ShipLeaf will strive to respond to all such requests as soon as reasonably practical.

If the User ceases to subscribe and use the Service, or ShipLeaf permanently discontinues access to the User's account, all User Personal Data will be deleted or anonymized unless ShipLeaf is required by applicable law to retain the data.

Data Security Measures

ShipLeaf follows industry standards on information security management to safeguard sensitive information, such as User Personal Data. Our information security systems apply to people, processes and information technology systems on a risk management basis.

Because no method of transmission over the Internet, or method of electronic storage, is 100% secure, ShipLeaf cannot guarantee that unauthorised parties will not gain access to User Personal Data. To the extent permitted by applicable law, ShipLeaf expressly excludes any liability arising from any unauthorised access to User Personal Data.

Incidents and Notification

In the unlikely event of any accidental, unauthorized, or unlawful processing of, disclosure of, or access to User Personal Data, ShipLeaf will notify any Users responsible for impacted data as soon as reasonably practical. Notice of any data breaches or security incidents do not constitute an admission of responsibility by ShipLeaf.

Data Subject Rights

ShipLeaf will pass on to the User any requests they receive from data subjects and the User's end customers to exercise any data rights. The User accepts and acknowledges that it is the User's sole responsibility to respond to any data rights requests with the data subjects and end customers directly, or to instruct the relevant data controller to respond to these requests.

ShipLeaf will, taking into account the nature of the processing activity, assist the User in responding to such data rights requests by building appropriate functionality into the Service, such as the ability to delete and/or amend User Personal Data. The User agrees to exhaust all possible means of responding to a data subject’s data rights request using the Service’s functionality before contacting ShipLeaf for help to respond to such requests by email at [email protected]. ShipLeaf reserves the right to refuse assistance if, in its sole discretion, the User is able to respond to the data rights request using the Service’s functionality, or to seek reimbursement from the User of reasonable costs incurred by ShipLeaf in providing assistance to the User under this clause.

Data Subprocessors

ShipLeaf uses the following subprocessors for User data:

Limitation of Liability

ShipLeaf and all of its entities' aggregate liability to the User, arising from or related to this addendum, are subject to the "Limitation of Liability" section of the Terms.