PRIVACY POLICY
OF THE WEBSITE https://allieslaw.com/bo-bf-allies/

1. Definitions
1.1. Controller or Administrator - "ALLIES" CHARITABLE FOUNDATION with the head office located at: Ukraine, 40022, Sumy region, the city of Sumy, Revolution of dignity street, building 19, office 16 (the address is also used for the referral correspondence), identification code 45376557. Information about Controller is stipulated in the Unified State Register of Legal Entities, Individual Entrepreneurs and Public Organizations. E-mail address: a.titarenko@allieslaw.com, phone number: +380 99 631 65 84.
1.2. Personal data - information about person identified or identifiable by one or more factors that determine physical, physiological, genetic, mental, economic, cultural or social identity, including device IP address, location data, internet identifier, as well as information collected using cookies and other similar technology.
1.3. Policy - this Privacy Policy containing information on the processing of Personal Data, as well as on the use of cookies and similar tracking technologies within the Website (hereinafter - the "Website").
1.4. GDPR – Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 "On the protection of natural persons in connection with the processing of personal data and on the free movement of such data, and on the repeal of Directive 95/46/EU".
1.5. Website – The website launched by the Controller on the domain https://shop.smeg.ua which is accessible through web browsers.
1.6. User is any natural person who visits the Website or uses one or more services or functions described in the Policy.
1.7. Device – means the electronic device with which the User accesses the Website.

2. General information
2.1. Due to the usage of the Website, we collect data necessary to conduct the charitable activities, as well as information about your activity on the Website. In this regard, we are the controller of your Personal Data and attach great importance to its proper protection. We ensure that our data processing processes comply with the relevant legal provisions, in particular, the GDPR, the Constitution of Ukraine, the Law of Ukraine "On the Protection of Personal Data", etc. Our goal is to provide you with the opportunity to receive complete and full information about our processing of your Personal Data and to provide you with tools that will allow you to exercise your rights. In this Policy we provide you with the information on how we process your Personal Data.
2.2. We process your Personal Data in accordance with the law, ensuring that it is up-to-date and correct. Therefore, from time to time we may remind you to update them by sending a message to the e-mail address you have provided or by posting a notice on the Website, but only after you have logged in to your account.

3. How can I contact the controller and data protection officer?
3.1. If you have any questions related to our processing of your Personal Data, or you want to exercise your rights, write directly to our Data protection officer at the e-mail address: a.titarenko@allieslaw.com or to our head office address (Ukraine, 40022, Sumy region, the city of Sumy, Revolution of dignity street, building 19, office 16). Our Data protection officer is Oleksiy Titarenko.

4. How do we receive your personal data?
4.1. We receive your Personal Data directly from you for the purpose to conduct the charitable activities and smooth functioning of our website. You provide us with your data primarily through special forms when you wish to receive a gift for a donation (this function will be available after September 1, 2024), or when you subscribe to our newsletter or contact us, for example, using the contact form.
4.2. The list of personal data is exhaustive within the scope of your performance of a certain action on the website, in particular:
- to register on the Website (in case of availability of such option), you need to enter your last name, first name and patronymic, phone number and e-mail address in the appropriate form;
- to receive a gift for a donation you need to enter last name, first name, phone number, e-mail address and delivery address in the appropriate form;
- to make a payment as donation on the Website, you need to specify information about the payment method with all the necessary payment details;
- to subscribe to the newsletter, you need to specify a phone number and/or an e-mail address.

5. Is it mandatory to provide personal data?
5.1. Only you can decide whether to provide us with Personal Data and which Personal Data to provide us - this is optional. Please note, however, that in some cases the provision of Personal Data is necessary for the proper performance of the services we offer or for the conclusion and performance of a contract/agreement/arrangement, as detailed below.

6. How do we process your personal data?

Use of the website
6.1. When you use the website, but you are not a registered User (that is, you do not have an account on the website), we process your Personal Data (including IP address or other identifiers and information collected through cookies or other similar technologies):
6.1.1. for the purpose of providing services by electronic means within the scope of displaying to you the content collected on the website - then the legal basis for processing is the need for processing for the performance of the contract/agreements (Article 6 Part 1 Letter b GDPR);
6.1.2. for analytical and statistical purposes - then the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in analyzing the activity of Users, as well as their preferences in order to improve the functionality and services provided;
6.1.3. for the purpose of possible filing of legal claims or protection against legal claims - the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the protection of its economic rights and interests;
6.1.4. for the marketing purposes of the Controller and other entities, in particular, related to the display of behavioral advertising - the rules for processing Personal Data for marketing purposes are described in the MARKETING section.
6.2. Your activity on the website, including your Personal Data, is recorded in system logs (a special computer program used to store a chronological record containing information about events and activities related to the information system used to conduct the charitable activities). The information collected in the logs is processed primarily for purposes to conduct the charitable activities. We also process it for technical and administrative purposes, in order to ensure the security of the information system and manage this system, as well as for analytical and statistical purposes - here the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR).

Registration and account maintenance (if such options are available)
6.3. Persons who register on the website are asked to provide the data necessary to create and maintain an account.
6.4. Your personal data is processed:
6.4.1. for the purpose of providing services related to registration and maintaining an account on the website - the legal basis for processing is the need for processing for the performance of a contract (Article 6 part 1 letter b GDPR), and with regard to optional data - the legal basis for processing is consent (Article 6 Part 1 Letter a GDPR);
6.4.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in analyzing the activity of the Users on the website and the way of using the account, as well as the preferences of the Users in order to improve the used functional capabilities;
6.4.3. for the purpose of possible filing of legal claims or protection against legal claims - the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the protection of its economic rights and interests;
6.4.4. for the marketing purposes of the Controller and other entities – the rules for processing Personal Data for marketing purposes are described in the MARKETING section.
6.5. If there is a technical possibility on the website, you can also log into your account on the website through the social network Facebook. In this case, the website will download from your account in the social network only the data necessary for registration and maintenance of the account. The extent of your data to which we will have access will be indicated in the notification displayed along with the question whether to continue signing in to the account. By continuing to log in, you agree to the transfer of data to our website. Facebook will remember your choice, and if you log in again with this social network, the notification will no longer appear. Detailed information on the scope and purposes of data processing by the social network, as well as the related rights and configuration options that ensure privacy protection, are described in Facebook's Privacy Policy.
6.6. If the User places on the website any Personal Data of other persons (including their last name, first name, address, telephone number or e-mail address), he may do so only if he does not violate the law and personal rights of mentioned persons.

Processing of orders - to receive a gift for a donation
6.7. When placing an order to receive a gift for a donation, your Personal Data will be processed. The provision of data marked as mandatory is necessary for the acceptance and processing of the order, and failure to provide them will result in the impossibility of fulfilling the order. Providing other data is optional.
6.8. Your personal data is processed:
6.8.1. for the purpose of fulfilling the placed order – the legal basis for processing is the need for processing for the performance of the obligations to provide a gift for a donation (Article 6 Part 1 Letter b GDPR); and with regard to optional data, the legal basis for processing is your consent (Article 6 Part 1 Letter a GDPR);
6.8.2. for the purpose of fulfilling the legal obligations imposed on the Controller, arising, in particular, from the tax legislation and the law "On accounting and financial reporting in Ukraine" - the legal basis for processing is a legal obligation (Article 6 Part 1 Letter c GDPR);
6.8.3. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in analyzing the activity of Users on the Website, as well as the way of using the account and the preferences of Users regarding purchases for the purpose improvement of the used functionality;
6.8.4. for the purpose of possible filing of legal claims or protection against legal claims - the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the protection of its economic rights and interests.

Complaints
6.9. When you submit a complaint or make a return, we process your Personal Data. Providing data in the complaint form is not mandatory, but it is necessary for the correct consideration of the complaint. The provision of data in the return form is not mandatory, but it is necessary for an effective withdrawal from the contract.
6.10. Your personal data is processed:
6.10.1. for the purpose of consideration, the submitted complaint - the legal basis for processing your Personal Data is the Controller's obligation arising from the provisions of the legislation regarding the “a gift for a donation” (Article 6, Part 1, Letter c GDPR);
6.10.2. in order to fulfill other legislative obligations imposed on the Controller, arising, in particular, from tax legislation and the law "On accounting and financial reporting in Ukraine" - the legal basis for processing is a legal obligation (Article 6, Part 1 Letter c GDPR);
6.10.3. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in analyzing the activity of Users on the website, as well as the way of using the account and the preferences of Users regarding purchases for the purpose improvement of the used functionality;
6.10.4. for the purpose of possible filing of legal claims or protection against legal claims - the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the protection of its economic rights and interests.

Contact form
6.11. We provide the opportunity to contact us through the contact form. Using the form requires providing the Personal Data necessary to contact you and respond to your request. The provision of data marked as mandatory is necessary for the acceptance and processing of the request, and failure to provide them will result in the impossibility of processing the request. Provision of other data (for example, in the text of the application) is voluntary.
6.12. Your personal data is processed:
6.12.1. for the purpose of identifying and processing your request sent through an contact form - the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the need to resolve the issue you are contacting and conduct correspondence addressed to the Controller in connection with his business activities;
6.12.2. for analytical and statistical purposes – the legal basis for processing is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in keeping statistics of requests made by Users through the website in order to improve its functionality.

Geolocation
6.13. Your Personal Data, including location information, is processed so that you can find the nearest delivery points of the “gift for a donation”, as well as so that we can estimate the possibility and duration of delivery to you. The legal basis for the processing of this data is your consent (Article 6 Part 1 Letter a GDPR), expressed in the form of permission on the website to use the location services of your device. We only process your location data with your consent. Consent can be withdrawn at any time by revoking permissions to access location information from your device. Withdrawal of consent does not affect the lawfulness of processing for which consent was given before its withdrawal (currently, the option of the Website to receive your geolocation data is not implemented).

7. Marketing
7.1. We process your Personal Data for the purpose of marketing activities, which may consist of:
7.1.1. showing you marketing content that matches your interests (behavioral advertising);
7.1.2. performing actions related to direct marketing;
7.1.3. in some cases, we use profiling for marketing purposes. This means that, due to automatic data processing, we evaluate some factors concerning you in order to analyze your behavior or create a forecast for the future. This allows you to better adapt the displayed content to your individual preferences and interests.

Behavioral advertising
7.2. Together with our trusted partners, we process your Personal Data, including Personal Data collected through cookies and other similar technologies, for marketing purposes in connection with targeting you with behavioral advertising (i.e. advertising that matches your preferences). In this case, the processing of Personal Data also includes profiling, and its consequence is only the display of tailored advertising based on Your Personal Data received by us and our partners.
7.3. A list of the Controller's trusted partners can be found below in the section "Information on the use of cookies" and “Who will we share your personal data with”.

Direct marketing
7.4. If you consent, your data may be used by us to send you marketing content through various channels, i.e. by e-mail (in the form of a newsletter), by MMS/SMS or by telephone. The legal basis for processing your data in this case is the legitimate interest of the Controller (Article 6, Part 1, Letter f GDPR) in connection with your consent, which consists in the marketing. We take such actions only after you have given us your consent, which you can withdraw at any time. You can withdraw your consent at any time by clicking on the link we send in each e-mail containing commercial information, by contacting us at the e-mail address: a.titarenko@allieslaw.com or using the contact form. Withdrawal of consent does not affect the lawfulness of data processing in the period before its withdrawal.
7.5. We may also do direct marketing by traditional mail to the mailing address you provide. The legal basis for processing your data in this case is the legitimate interest of the Controller (Article 6, Part 1, Letter f GDPR), which consists in the marketing. You can object to the processing of your data for this purpose at any time. You can object by writing to us at the email address: a.titarenko@allieslaw.com or using the contact form.

Push notifications
7.6. In the case of providing separate consent to receive push notifications, you may receive messages in the form of notifications displayed on your mobile device and in the web browser you use with marketing content related to our offers, services and promotions. The legal basis for processing your Personal Data for this purpose is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in the marketing in connection with your express consent to receive notifications in the form of push messages. You can withdraw your consent to receive push notifications at any time. Withdrawal of consent does not affect the lawfulness of processing for which consent was given before its withdrawal. Consent can be withdrawn by changing the settings of the web browser used or your mobile device.

8. Data processing of persons visiting the Controller's profiles in social networks
8.1. The controller has public profiles on social networks Facebook, Instagram, YouTube. In this regard, it processes data left by visitors to these profiles (in particular, comments, likes, internet identifiers).
8.2. Personal data of such persons are processed:
8.2.1. for the purpose to be active in the profiles;
8.2.2. for the purpose to effectively maintain profiles, by providing users of social networks with information about initiatives and other measures of the Controller, as well as in connection with the promotion of various types of events, services and goods;
8.2.3. for statistical and analytical purposes;
8.2.4. data may be processed for the purpose of filing possible legal claims or protection against legal claims.
8.3. The legal basis for processing Personal Data is the legitimate interest of the Controller (Article 6 Part 1 Letter f GDPR), which consists in:
8.3.1. promoting one's own brand and improving the quality of conducting the charitable activities,
8.3.2. conducting an analysis of activity and preferences,
8.3.3. if necessary, in the event of a claim or defense against a claim.
ATTENTION: The above information does not apply to the processing of personal data by social network controllers.

9. Information on the use of cookies
What are cookies?
9.1. Cookies (also known as "cookies") are small text files that are stored on the devices with which the User uses the website. Cookies collect information that facilitates the use of the website - for example, by remembering the visits and actions of the User. The cookies we use are safe for the user's device. In particular, this prevents viruses or other unwanted or malicious software from entering users' devices. These files make it possible to identify the software used by the User and to configure the operation of the website individually for each User.

Types of cookies used by the Controller
9.2. We use the following types of cookies:
9.2.1. Mandatory cookies are necessary for the proper functioning of the website. Due to these files, the Controller can ensure the safe execution of such actions as, for example, fulfilling the User's order, "remembering" the User who entered the website after switching to another page or automatically filling in address data during purchases. Blocking these cookies in the User's browser may cause the website to malfunction. These cookies are mandatory and cannot be deactivated.
Specific purposes of using technical cookies:
- ensuring the security and reliability of the Website;
- implementation of the processes necessary to ensure the full functionality of the website, including, in particular: adaptation of the content of the website in order to enable the User to fully use the available functionality and optimize the use of the website pages. In particular, these files allow recognizing the basic parameters of the User's Device and properly displaying the website to it.
9.2.2. Analytical cookies are used by the Controller both to analyze the behavior of Users on the website for business purposes and to understand how Users use the website. This allows you to determine which functionality needs to be improved or updated. The information received by the Controller using analytical cookies is anonymous - based on it, the Controller cannot identify the User from whom the information was received.
9.2.3. Personalization cookies allow the analysis of the behavior of Users on the website and their shopping preferences, which allows us to provide Users with personalized product offers, make changes to the functionality of the website and publish sponsored content. Data obtained through these types of cookies may also be used to improve existing systems and software, as well as to develop new solutions and functionalities.
9.2.4. Рекламні файли cookie дозволяють Контролеру адаптувати рекламу, що відображається, відповідно до уподобань та інтересів Користувачів, тобто націлювати на Користувачів поведінкову рекламу. З їх допомогою суб’єкти, які співпрацюють з Контролером, такі як оператори мережі Facebook або Instagram, зможуть належним чином налаштовувати рекламний вміст, що відображається, таким чином, щоб він відповідав уподобанням Користувача.

Cookie storage period
9.3. The cookies described above can be divided into two types depending on their storage period:
9.3.1. Session cookies are stored on the User's Device and remain there until the end of the browser session. After that, the stored information is permanently deleted from the device memory.
9.3.2. Persistent cookies are stored on the Device until they are deleted. Ending the browser session or turning off the Device does not delete them. If the User does not delete persistent cookies from his Device, they will be stored for up to 60 days from the moment they are saved.

Managing cookies on the website
9.4. Only mandatory cookies are required for the proper functioning of the website. For other types of cookies, you may consent to their use, but this is not mandatory. You can control the extent to which we use analytical cookies, personalization cookies and advertising cookies by consenting to or withdrawing consent to their use. You have the ability to manage your consent to certain types of cookies at any time using a panel on our website.

10. Who will we share your personal data with?
10.1. We may transfer your Personal Data to entities we cooperate with.
10.2. Depending on the method of delivery the “gifts for the donation” goods chosen by you, we will provide your data necessary for delivery to one of the entities we cooperate with in the sphere of delivery of goods. In the case of using the geolocation service, including when searching for stationary delivery points, your Personal Data will also be transferred to entities that provide location services, in particular to Nova Poshta.
10.3. Depending on which payment method you chose for donation, we will transfer your data, necessary for receiving or making payment, to one of the entities we cooperate with in the sphere of payment processing, in particular: Fondy.ua.
10.4. If you have given your consent to receive commercial information to the e-mail address or phone number you provided, we will transfer your data to entities that provide the service of sending commercial information on our behalf.
10.5. Ми також можемо передати Ваші Персональні дані іншим суб’єктам, з якими ми розпочнемо співпрацю, включаючи консультантів з юридичних питань і питань оподаткування, а також суб’єктам, які надають бухгалтерські, ІТ, логістичні та маркетингові послуги.
10.6. Ми також маємо право розкривати деяку інформацію про наших Користувачів компетентним органам або третім особам, які подадуть запит на отримання такої інформації на основі відповідної правової підстави та відповідно до чинного законодавства.

11. How long will we process your personal data?
11.1. The period of processing of your data by us depends on the type of service we provide and the purpose of processing. As a rule, data is processed during the entire period of service provision or order fulfillment, until the consent is withdrawn or an objection is filed against data processing in cases where the legal basis for data processing is the legitimate interest of the Controller.
11.2. The period of data processing may be extended if the processing is necessary for the filing of possible legal claims or defense against legal claims, and after this time only if and to the extent required by law. After the end of the processing period, the data is irretrievably deleted or anonymized.

12. How do we protect your data?
12.1. We use a number of IT and organizational security measures to minimize the risk of data leakage, destruction and disintegration. Security measures include tools such as: a firewall system, anti-virus and anti-spam systems, internal access procedures, data processing and recovery procedures, and a multi-level backup system. We provide a very high level of security through the use of a Web Application Firewall (WAF) and a security system against DDoS attacks. We also use high-level HTTPS/SSL connection encryption in accordance with accepted best practices, and we work with a carefully selected hosting service provider that has an ISO 9001 quality certificate and an AQAP-2110 certificate of compliance, as well as an information security management system compliance certificate requirements of the ISO/IEC 27001 standard.
12.2. Remember that using the Internet always carries the risk of certain security incidents. However, we assure you that due to implemented procedures for regular checking of information processing systems and their updates, as well as active monitoring of critical system points, we strive to reduce this risk as much as possible.

13. What rights do you have in connection with the processing of your personal data?
13.1. Due to the fact that we process your Personal Data, you have the following rights:
13.1.1. the right to information about the processing of Personal data - on this basis, the Controller provides you with information about the processing of your Personal data, including, first of all, information about the purposes and legal grounds for processing, the amount of available data, the entities to whom it is disclosed and the planned date of data deletion;
13.1.2. the right to receive a copy of the data - on this basis, the Controller provides you with a copy of your Personal Data that it processes;
13.1.3. right to rectification – the Controller is obliged to eliminate any possible inconsistencies or errors in the Personal Data it processes and to supplement them if they are incomplete;
13.1.4. the right to delete data – on this basis, you can request the deletion of data, the processing of which is no longer necessary for the implementation of any of the purposes for which they were collected;
13.1.5. the right to restrict processing - upon receiving such a request, the Controller will stop processing your Personal Data - except for the operations to which you have given your consent and store the data in accordance with the accepted storage rules - or until the reasons for restricting data processing cease to exist (for example, a decision of the supervisory body will be issued, in which permission is given for further data processing);
13.1.6. the right to data portability - on this basis - to the extent that the data is processed using automated means in connection with the concluded contract or given consent - the Controller issues the data provided by you in a computer-readable format. It is also possible to submit a request to send this data to another subject, however, subject to the availability of technical capabilities both on the part of the Controller and on your part;
13.1.7. the right to object to the processing of data for marketing purposes – You may object to the processing of your Personal Data for marketing purposes at any time, without having to justify such an objection;
13.1.8. the right to object to other purposes of data processing - You may at any time object - for reasons related to your particular situation - to the processing of your Personal Data, which is carried out on the basis of the legitimate interest of the Controller (for example, for analytical or statistical purposes or for reasons related to the protection of property rights); objections to this extent must contain justification;
13.1.9. the right to withdraw consent – if the data is processed on the basis of your consent, you have the right to withdraw it at any time, which, however, does not affect the legality of the processing carried out before the withdrawal of consent;
13.1.10. the right to file a complaint - if you believe that the processing of Personal Data violates the provisions of the GDPR, the Constitution of Ukraine, the Law of Ukraine "On the Protection of Personal Data" or other provisions on the protection of personal data, you can file a complaint with the body that controls the processing of personal data, according to your location, workplace or place of alleged violation. In Ukraine, the controlling body is the Human Rights Commissioner of the Verkhovna Rada of Ukraine (+380 800-50-17-20 (toll-free), +380 44-299-74-08 e-mail: hotline@ombudsman.gov.ua, address: 01008, city of Kyiv, 21/8 Instytutska Str.).

Submission of an application with requirements related to the exercise of rights
13.2. You can exercise some of the above rights yourself. If you have an account, you always have access to your Personal Data and can correct and update it. You can also delete your account yourself.
13.3. You can submit an application with a demand for all the above-mentioned rights by writing to our Data protection officer at the e-mail address: a.titarenko@allieslaw.com or at our head office (Ukraine, 40022, Sumy region, the city of Sumy, Revolution of dignity street, building 19, office 16), as well as using our contact form.
13.4. We will try to fulfill your request as soon as possible and answer your questions regarding the processing of your data. You will receive an answer within 30 days from the date we receive your request. If it turns out that due to the complexity of the request or the number of requests we received, we cannot provide you with information about the actions taken during this period - we will inform you about the extension of the period.
13.5. If we have any doubts about whether you are the one making the claim, we may ask you some additional questions to confirm your identity. Providing such data is not mandatory, but failure to provide them will result in refusal to fulfill the requirement. We may also need additional information to determine the exact content of your request.
13.6. The claim can be made in person or through a representative (for example, a family member). For data security reasons, we advise you to use a power of attorney certified by a notary, which will speed up the verification of the authenticity of the claim.
13.7. If the request was sent to us in electronic form, we will provide a response in the same form, unless the applicant requests a response in a different form. In other cases, we will provide a written response. In the event that the deadline for fulfilling the requirement makes it impossible to provide a written response, and the volume of the applicant's data processed by us allows us to communicate electronically, we will provide a response electronically.
13.8. We retain information about the claim received and the person who submitted the claim, in order to ensure the ability to demonstrate compliance of legal claims of data subjects. The register of requirements is kept in a way that ensures the integrity and confidentiality of the data contained in it.

14. Changes to the Privacy Policy
14.1. The policy is constantly reviewed and updated as necessary.