Privacy policy

PRIVACY NOTICE (EFFECTIVE DATE: 24th August, 2022)

Rebura External Privacy Notice

PRIVACY NOTICE (EFFECTIVE DATE: 24th August, 2022)

I. Introduction. Your privacy is important. This Privacy Notice (the “Privacy Notice,”) together with its addendums, our Terms and Conditions and any other documents referred to in this Privacy Notice or the Terms and Conditions explains how we comply with applicable privacy requirements and sets out minimum standards for how we deal with all personal data that we collect from you, or that you provide to us including via this website and any other websites or applications of Rebura Holdings Limited (United Kingdom) and its subsidiaries (collectively, the “Websites”). Rebura Holdings Limited (United Kingdom), its subsidiaries and our applicable affiliates (collectively, “we,” “us,” “our,” or “Rebura”) include Rebura Limited (United Kingdom), Rebura Inc. (USA), and the Jefferson Frank brand of Frank Recruitment Group Services Limited (United Kingdom). For more information on the privacy practices of our other affiliates not subject to this Privacy Notice including those which operate under Frank Recruitment Group Services Limited (United Kingdom) not mentioned here and its applicable affiliates, please see https://www.frankgroup.com/privacy-notice/.

This Privacy Notice sets out the basis on which we collect, store, use and disclose personal data we receive in writing, through our Websites or through the consulting services that we provide.  It therefore applies to personal data that you provide to Rebura telephonically, electronically (including email) and in person.

This information may be updated from time to time, and should be read in the context of any additional specific information such as that provided in privacy policies applicable to specific businesses or local areas as displayed on the relevant Website or distributed to you from time to time.

This Privacy Notice also informs you how we obtain and use information gained by us through your use of the Websites, including by using “cookies” and third party vendors.

Please read the following carefully to understand our views and practices regarding your personal data, how we will treat it and your rights.

This Privacy Notice applies to Rebura globally. The first part of the policy is general and applies globally. The second of the Privacy Notice is comprised of country-specific addendums, and where applicable, Rebura will handle Personal Data relying on certain exemptions under local law.  Please be sure to check the addendums below to see if there is one that applies to your country or local jurisdiction. In the event of a conflict between the general part of this Privacy Notice and an addendum, the addendum prevails.

II. Who are we?

Rebura is one of the fastest growing AWS Consulting Partners, AWS End User Computing (EUC) Partners, and AWS Solutions Providers in the world. We are a one-stop-shop for all of your AWS support, cost-optimization, and consulting needs (“AWS Services”).

If you want to contact Rebura or any of its group companies, please click here.

You can contact Rebura’s Chief Privacy Officer (“CPO”) by emailing privacy@rebura.com or by sending written correspondences here:

Rebura Limited
The St. Nicholas Building
St. Nicholas Street
Newcastle-Upon-Tyne
Tyne & Wear U.K. NE1 1RF
Attn: Chief Privacy Officer

III. Who does this Privacy Notice protect?

This Privacy Notice protects individuals throughout the world who access our Websites or receive AWS services from us. This also includes individuals who are employed by an actual, former or prospective Rebura client.  A Rebura “client” is one of (a) a business that Rebura has contracted with to provide AWS services or is in the process of doing so, (b) a business that Rebura may solicit with the intention of providing AWS services or (c) a business to whom Rebura may provide relevant AWS services information. Additionally, Rebura acts as the data controller for Personal Data (as defined below) obtained concerning those protected under this Section III. Notwithstanding the forgoing, Rebura and/or Rebura Limited acts as the data processor for Personal Data (as defined below) obtained concerning those protected under this Section III during the provision of AWS services.

IV. What information will we collect?

Some of the data that we collect and receive from you is personal data which means that it is information that could personally identify you (“Personal Data” or “PII”). The Personal Data that we may collect from all users of our Websites and users of our recruitment services may include any of the following:

  • Your name;
  • Business/company name;
  • Your gender;
  • Contact details e.g. street address, email address, cell (or mobile) or home telephone numbers;
  • Web browser type and version (automatically collected) [a list of URLs starting with a referring site, your activity on our Websites, and the site you exit to (automatically collected);
  • Job Title; and
  • IP address (automatically collected).

V. Why do we process your Personal Data?

Generally, we use your Personal Data for our business and activities, and in our efforts to expand and improve our business. Examples include:

A. All users of the Websites and/or our services

  1. To provide our AWS services to you, your employer or your company;
  2. To facilitate the AWS services process, including but not limited to:
  • To enable us to develop and market other products and services and where you have consented to being contacted for such purposes;
  • To improve our customer service and to make our services more valuable to you (including tailoring the Websites when you log on to enrich your personal online experience);
  • To send you electronically or by post surveys, reports, Rebura event details, promotions, offers, networking and client events and general information about relevant industry sectors which we think might be of interest to you, where you have consented to being contacted for such purposes (and we will provide you with an opportunity to opt out);
  • To identify you, and respond to and process your requests for information and provide you with a product or service;
  • To amend records to remove personal information;
  • To use your information on a pseudonymized basis to monitor compliance with our equal opportunities policy, other Rebura policies and any legal or compliance requirements;
  • To use your information on a pseudonymized basis to create marketing materials; and
  • To carry out our obligations arising from any contracts entered into between you and us, and for other everyday business purposes that involve use of Personal Data.

B. Entities or individuals who solicit or participate in AWS Consulting

  • To contact you, your employer, or your company about AWS Consulting services that Rebura provides, including but not limited to:
    • optimisation,
    • migration and enablement,
    • monitoring and support,
    • architecture review,
    • audit and risk management,
    • resource and professional services, and
    • Amazon WorkSpaces implementation;
  • To communicate with you, your employer, or your company after Rebura has started a consultation to make sure all is going well or to remedy, or attempt to remedy, any problems;
  • To answer any questions you have about a consultation;
  • To fulfill any aspect of your employer’s or your company’s contract with Rebura;
  • To collect any money due, or allegedly due, to Rebura or any Rebura client (or Rebura’s client’s client);
  • To obtain or inquire about any property (including computers and confidential business information) owned, or allegedly owned, by Rebura or any Rebura client (or Rebura’s client’s client); and
  • To establish, exercise or defend any legal claims.

VI. Who do we send your Personal Data to?

A. All users of the Websites and/or our services

  • To third parties where we have retained them to provide services that we or you have requested or that Rebura clients have requested and to verify the details you have provided from third party sources.
  • To third parties to provide data storage, data cleansing and marketing (via email & SMS, standard SMS and text rates may apply) services to Rebura where such third parties have agreed to maintain the confidentiality of, and to protect, your Personal Data in accordance with applicable law.
  • To third parties to assist with credit control and payment management
  • To third parties, regulatory or law enforcement agencies if we believe in good faith that we are required by law to disclose it in connection with the detection of crime, the collection of taxes or duties, in order to comply with any applicable law or order of a court of competent jurisdiction, in connection with legal proceedings or other similar cause or circumstance.
  • In the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets, or a controlling interest in the equity, of Rebura (or any of its group companies) provided that such counterparty(ies) to any such transaction agrees to adhere to the terms of this Privacy Notice (or a similar document) and applicable law.

VII. What will Rebura do if my Personal Data is breached?

Rebura has put in place reasonable technical, administrative and physical safeguards intended to prevent a breach of your Personal Data.  That being said, Rebura cannot guarantee that your Personal Data will not be breached.

A breach can take many forms, including, without limitation, the loss of your Personal Data or the unauthorized access to, disclosure, modification, copying and transfer of your Personal Data.

Once Rebura becomes aware of the breach, Rebura will take reasonable steps to isolate the breach, stop the breach, determine the root cause, determine the Personal Data breached, fix the root cause and determine if notice to you and/or the appropriate government agency(ies) is required.  Rebura will comply with all applicable law in reacting to, and dealing with, a breach of Personal Data.

If you believe, for any reason, that your Personal Data has been breached while in Rebura’s care, custody or control, please email Rebura immediately at privacy@rebura.com.

If Rebura obtains your Personal Data from someone other than you, this Privacy Notice includes all information required under applicable law except that Rebura shall not provide you with this information if you already possess this information, providing you with such information is against (or not mandatory under) applicable law, is subject to an obligation of professional secrecy, proves impossible, would involve a disproportionate effort or would render impossible or seriously impair the achievement of the objectives of the processing, in which case, Rebura shall take appropriate measures to protect your rights, freedoms and legitimate interests. If you have any questions, please contact Rebura at privacy@rebura.com.

VIII. Will my Personal Data be transferred to another country?

Yes, Rebura may transfer your Personal Data to the categories of third parties described in this Privacy Notice, some of whom are located outside of the country in which you provided your Personal Data to Rebura or the country of collection.

If so, Rebura will take reasonable steps to ensure that your Personal Data is protected and treated in accordance with this Privacy Notice and local applicable law.  The countries where Rebura may transfer your Personal Data will have varying levels of data security practices and laws, some of which may be less stringent or protective than your country.  Rebura will use all reasonable efforts to require that any of its suppliers and vendors who receive your Personal Data are contractually bound to (a) keep your Personal Data confidential and (b) take, at a minimum, reasonable efforts to maintain the privacy and security of your Personal Data.

Under certain circumstances, Rebura may share your Personal Data with one or more of its group companies who may be located in a country other than yours or other than the country in which Rebura collected your Personal Data.  In such cases, Rebura will comply with applicable laws and its Intercompany Data Processing Agreements (“DPAs”). The DPAs are incorporated by reference into this Privacy Notice.

IX. How long will Rebura store my Personal Data for?

We are required by applicable law to store your Personal Data for as long as is necessary to comply with our legal, regulatory and contractual obligations.  This period of time will vary based on the law in your country and in the country where Rebura stores your Personal Data.

In addition, Rebura will keep your Personal Data for the identified purposes until it reasonably believes that it no longer needs it, that there is no reasonable chance that you, your employer or your company will do business with Rebura, and there is no reason to believe that we will need the Personal Data for any special circumstances such as the issuance or defence of legal proceedings, audit, investigation or collections.

X. Sending Rebura Personal Data over the internet

Your Personal Data is held on servers hosted by us, our internet services providers or third party vendors with whom Rebura has a contract. The transmission of information via the internet is not completely secure. Although we will take the efforts set forth in the Privacy Notice to protect your Personal Data, we cannot guarantee the security of any data transmitted through or to our Websites.  Any transmission of data by you to us over the internet is at your own risk.

XI. How we collect and aggregate information about visitors to our Websites

We also collect information about the way job seekers and visitors use the Websites in order to improve our services, to understand our users better, and to determine aggregate trends, most popular pages, etc. By using the Websites, you agree that we may share de-identified aggregate data with selected third parties to assist with these purposes. We may also undertake marketing profiling to help us identify candidates, clients, or jobs which may be of interest to you.  We may process Personal Data that you submit to us through the Websites under one or more of the permissible bases for processing Personal Data set forth in the Privacy Notice.

XII. Technology and Tools

Like many companies, we use technology and tools that tell us when a computer or device has visited or accessed our content. Those tools include services from search engines and other companies that help us to tailor our products and services to better suit our clients and potential clients. Search engines provide facilities to allow you to indicate your preferences in relation to the use of those tools in connection with computers and other devices controlled or used by you.

We also set out further information below about Cookies and Web Beacons.

A. What are cookies?

A “cookie” is a piece of information that is stored on your computer’s hard drive and which records your navigation of a website so that, when you revisit that website, it can present tailored options to you based upon the stored information about your last visit. You can normally alter the settings of your browser to prevent acceptance of cookies.

Cookies are used are many, many websites, including Rebura’s Websites.

B. How do we use cookies and plug-ins?

We use “cookies” and plug ins to: (1) make the Websites function properly and as a user would normally expect of a commercial website; and (2) monitor Website user traffic patterns and Website usage. Our use of these tools helps us to understand how our users use our Websites so that we can develop and improve the design, layout and functionality of the Websites and to provide more efficient and relevant services to you.

C. There are different kinds of cookies with different functions.

The cookies we use are explained below:

  1. Session cookies: these are only stored on your computer during your web session. They are automatically deleted when the browser is closed. They usually store an anonymous session ID allowing you to browse a website without having to log in to each page. They do not collect any information from your computer.
  2. Persistent cookies: a persistent cookie is one stored as a file on your computer, and it remains there when you close your web browser. The cookie can be read by the website that created it when you visit that website again.
  3. Strictly necessary cookies
    These cookies are essential to enable you to use the Websites effectively and therefore cannot be turned off.  Without these cookies, the services available to you on our Websites cannot be provided. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.
  4. Performance cookies
    These cookies enable us to monitor and improve the performance of our Websites. For example they allow us to count visits, identify traffic sources and see which parts of the Websites are most popular. These cookies do not collect information that identifies a visitor, as all information these cookies collect is anonymous and is only used to improve how our Websites work.
  5. Functionality cookies
    These cookies allow our Websites to remember choices you make (such as your username, language or the region you are in) and provide enhanced features. These cookies can also be used to remember changes you have made to text size, font and other pages of our Websites that you can customise. They may also be used to provide services you have requested such as viewing a video or commenting on a blog.
  6. Personalisation cookies

The Rebura Websites use personalisation cookies to help us to advertise jobs that we think may be of interest to you. These cookies are persistent and mean that when you log in, or return to, the particular Rebura Website, you may see advertising for jobs that are similar to jobs that you have previously browsed.

For information on how to reject these personalisation cookies, see Section E below

D. Cookies and Plug-ins set by Rebura or Third Parties used by Rebura

Below are tables listing the cookies that you may encounter on our Websites and the purpose for which we use each one and the duration that the cookie remains in place (unless you take action to reject the cookie). Rebura may update these tables from time to time. Most of the cookies on our Websites are set by third parties. Rebura works with several third parties to provide services which help us to keep the Websites tailored to your needs. Some of these vendors use cookies to help them deliver these services.

For our Rebura Websites generally:

CookieDomainType Description
test_cookie.doubleclick.netAdvertisementThis cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user’s browser supports cookies.
_fbp.rebura.comAdvertisementThis cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr.facebook.comAdvertisementThe cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behaviour of the user across the web on sites that have Facebook pixel or Facebook social plugin.
bscookie.www.linkedin.comAdvertisementThis cookie is a browser ID cookie set by Linked share Buttons and ad tags.
_ga.rebura.comAnalyticsThis cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site’s analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid.rebura.comAnalyticsThis cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_gd_svisitorrebura.comAnalyticsThis cookie is set by the Google Analytics. This cookie is used for tracking the signup commissions via affiliate program.
_hjFirstSeen.rebura.comAnalyticsThis is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
pardot.pardot.comAnalyticsThe cookie is set when the visitor is logged in as a Pardot user.
lang.ads.linkedin.comFunctionalThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
bcookie.linkedin.comFunctionalThis cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lidc.linkedin.comFunctionalThis cookie is set by LinkedIn and used for routing.
lang.linkedin.comFunctionalThis cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
6suuid.6sc.coOtherNo description
_an_uidrebura.comOtherNo description
_gd_visitorrebura.comOtherNo description
_gd_sessionrebura.comOtherNo description
_hjid.rebura.comOtherThis cookie is set by Hotjar. This cookie is set when the client first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID.
UserMatchHistory.linkedin.comOtherLinkedIn – Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor’s preferences.
AnalyticsSyncHistory.linkedin.comOtherNo description
_hjIncludedInPageviewSamplerebura.comOtherNo description
_hjAbsoluteSessionInProgress.rebura.comOtherNo description
drift_campaign_refreshrebura.comOtherNo description
visitor_id661413.pardot.comOtherNo description
visitor_id661413-hash.pardot.comOtherNo description
lpv661413pi.pardot.comOtherNo description
_gat_UA-90769880-1.rebura.comPerformanceThis is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.

 

 E. How to reject cookies

If you don’t wish to receive cookies that are not strictly necessary to perform basic features of our Websites, you may choose to opt out of them by selecting the appropriate box at the bottom of any of the Websites, in a link called “Cookie Preferences.”

Note that most web browsers will accept cookies, but if you would rather that we did not collect data in this way you can choose to accept or reject some or all cookies in your browser’s privacy settings. Rejecting all cookies means that certain features of the Website(s) cannot then be provided to you and accordingly you may not be able to take full advantage of all our Websites’ features. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.

For more information generally on cookies, including how to disable them or change cookies’ settings, please refer to aboutcookies.org (http://www.allaboutcookies.org/). You will also find details on how to delete cookies from your computer. Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer’s website.

To opt out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

F. Web Beacons

Rebura may use or include web beacons in emails or other electronic communications that Rebura sends to you. We use web beacons to help us analyze the effectiveness of our communications to you. For example, we may use web beacons to understand when and if you opened our email, how many times you opened the email, if you have forwarded the email to another email address, or if you clicked on a link in an email that we sent to you. The web beacons do not collect or give us your PII but they do provide information to us about your actions after receiving a communication from us. If you would like to stop receiving emails with web beacons from us, you may unsubscribe by clicking the “Unsubscribe” link in the email or by emailing privacy@rebura.com. However, you may receive auto generated emails from Rebura after you create an account on the Websites or take some other affirmative action on the Websites which contain web beacons but do not contain an “Unsubscribe” link. In those cases, just simply email privacy@rebura.com if you would like to stop receiving emails from Rebura with web beacons.

Also, Rebura works with third parties to help manage online advertising who embed web beacons in online job postings and job advertisements that Rebura requests these third parties to post online. These web beacons allow third parties to obtain information such as the IP address of the computer that downloaded the page on which the beacon appears, the URL of the page on which the beacon appears, the time the page containing the beacon was viewed, the type of browser used to view the page, and the information in cookies set by a third party such as Google Analytics. These files enable Google Analytics to recognize a unique cookie on your web browser, which in turn enables third parties to learn which advertisements bring users to our Websites or websites on which third parties placed our advertisements. The cookie on your web browser was placed by third party advertisers who work with Google Analytics. With both cookies and web beacon technology, the information that Google Analytics (either directly, see cookie/plug-in chart above) or third parties  collects and shares with us is anonymous and not personally identifiable. It does not contain your name, address, telephone number, or email address. For more information about Google Analytics, including information about how to opt out of these technologies, go to www.google-analytics.com.

XIII. Links to other websites

Please note that clicking on links and banner advertisements and RSS (Rich Site Summary) feeds may result in your transfer to another website, where data privacy practices may be different than described in this Privacy Notice. It is your responsibility to check other website privacy notices and policies to ensure that you are happy for your personal information, including Personal Data, to be used in accordance with those third parties’ privacy notices and policies. We accept no responsibility for, and have no control over, third party websites, links, adverts or RSS feeds or information that is submitted to or collected by third parties.

XIV. Changes to our Privacy Notice

We reserve the right to change this Privacy Notice from time to time by updating this Privacy Notice on our website.  Any changes to this Privacy Notice or any of its addendums will be posted on this Website so you are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. We encourage you to check this Website frequently for updates. Your continued use of this Website or any Rebura services shall constitute your acceptance of the revised Privacy Notice.

Rebura will interpret and enforce this Privacy Notice in accordance with all applicable law.

This Privacy Notice was updated on 20th April 2018, March 11, 2021.

This Privacy Notice was last updated on August 24 , 2022.

[1] The “Purposes” listed in this chart are brief summaries and not intended to explain all or every reason why Rebura uses the particular cookie or plug in. If you have any questions about the cookie table, please click the link to the cookie creator’s website and/or email Rebura at privacy@rebura.com.

UNITED KINGDOM AREA ADDENDUM

I. Who is Rebura’s Supervisory Authority for Data Protection Purposes?

Rebura has designated the UK Information Commissioner’s Office (“ICO”) as the supervisory authority for purposes of Data Protection Act of 2018 (“DPA2018”) and General Data Protection Regulation (“UK GDPR”).  This Addendum applies to both United Kingdom only.

II. How do we lawfully process your data?

In order to process your Personal Data lawfully Rebura must have a legal basis to do so.  Rebura relies on three main legal bases for processing your Personal Data:

  • where we obtain your affirmative consent to use your Personal Data in this way;
  • where we have a legitimate interest in processing your Personal Data, which we have balanced against your rights and freedoms and concluded that our processing is justifiable; or
  • where our handling of your Personal Data is necessary for us to perform the obligations under your company’s or employer’s contract with Rebura.

We may rely on one or more legal bases to process your Personal Data.

A. All users of the Websites and/or our services

Legitimate Interests: Rebura uses Personal Data that we collect for the following general purposes in the performance of our legitimate interests as a business: to provide the services to our clients; to enhance their experience, to improve our services and to contact clients.

B. Individuals who work for Rebura clients (i.e. a client contact)

Consent: If you would like to receive general marketing and other communications from us, you will have the option to affirmatively check a box consenting to Rebura processing your Personal Data for this purpose. Rebura may also ask you via email or telephone for your affirmative consent to receive marketing and other communications from us.

Legitimate Interest: Rebura has a legitimate interest in processing your Personal Data in order to provide AWS services at your company or employer, and provide you with other products and services relevant to your company or employer and to market its products and services to you in order to grow our business, to demonstrate our knowledge of the AWS services marketplace and relevant technologies and to enhance the standing and recognition of our brands. Rebura also has legitimate interest to process your Personal Data if you seek or obtain further information about Rebura or an Rebura client.

Necessary for the performance of a contract: Rebura can process your Personal Data in the performance of its contract with your company or employer.

With respect to actual or prospective client contacts, if Rebura obtains your Personal Data from someone other than you, Rebura shall inform you of the identity and contact details of the person or entity from whom Rebura obtained your Personal Data, whether Rebura obtained your Personal Data from publicly available sources, the categories of Personal Data that Rebura obtained and, if Rebura is processing your Personal Data based on its legitimate interest (see Section III below), the nature of Rebura’s legitimate interest.  Rebura shall provide you with the information listed in this paragraph by the earlier of (1) one month after Rebura obtains your Personal Data or (2) if Rebura uses your Personal Data to communicate with you, the first time that Rebura communicates with you.

Rebura shall not provide you with the information described in the paragraph immediately above if you already possess this information, providing you with such information is against applicable law, is subject to an obligation of professional secrecy, proves impossible, would involve a disproportionate effort or would render impossible or seriously impair the achievement of the objectives of the processing, in which case, Rebura shall take appropriate measures to protect your rights, freedoms and legitimate interests.

III. Your Special Rights under Data Protection Laws

A. Do I have a right to be erased (forgotten)?

Yes. You have the right to request that Rebura deletes or removes your Personal Data where there is no compelling reason for us to continue to process it. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com.

Please note that your right to erasure is not absolute.  Rebura will remove your Personal Data when:

  1. the Personal Data is no longer necessary in relation to the purpose for which Rebura originally collected and/or processed it;
  2. if Rebura is processing your Personal Data on the basis of your consent and you withdraw consent;
  3. you object to the processing of your Personal Data and there is no overriding legitimate interest for us to continue to process it;
  4. the Personal Data was unlawfully processed; and
  5. the Personal Data must be erased to comply with a legal obligation.

Rebura can refuse to comply with an erasure request in the following limited circumstances:

(a) to exercise Rebura’s right of freedom of expression and information;

(b) to comply with a legal obligation or for the performance of a public interest task;

(c) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

(d) for the establishment, exercise or defence of legal claims.

If we remove your Personal Data per your request for erasure, then we will confirm this with you.

If we have disclosed any of your Personal Data to a third party and you submit an erasure request to us, then we will inform (1) you about the recipients and (2) any such third parties of your erasure request unless doing so is impossible or involves disproportionate efforts.

We will respond to your erasure request without undue delay.  Please note that, for your and Rebura’s protection, we cannot respond to an erasure request until we have verified the identity of the person making the request.  This verification process may extend the response timeframes set forth in this paragraph.

B. Do I have a right of access to a copy of my Personal Data?

Yes. You have the right to:

  • obtain confirmation that your Personal Data is being processed;
  • a copy of your Personal Data being processed;
  • the purposes of the processing;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom Rebura has disclosed your Personal Data; and
  • the criteria Rebura uses to determine how long it will store your Personal Data.

You can exercise this right by sending an email to Rebura at privacy@rebura.com.

This right is in place to ensure that you are aware of and can verify the lawfulness of the processing. In most cases, we will provide you with a copy of your Personal Data free of charge. However, we may charge you a reasonable fee if your request is manifestly unfounded, excessive or repetitive. With respect to unfounded, excessive or repetitive requests, in rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you without undue delay and within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the ICO and to seek a judicial remedy.

If you submit your access request to Rebura electronically, Rebura will provide you with its response, and a copy of your Personal Data (if applicable) via email or other commonly used electronic form.

If Rebura did not collect your Personal Data from you, Rebura will inform you about the source from which it obtained your Personal Data. Your right of access does not adversely affect your right of erasure (forgotten) and right of rectification, both of which are described in this Privacy Notice.

Generally, Rebura will provide you with a copy of your Personal Data without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. If your request is large or complex, Rebura may ask you to specify the particular information or category of information you seek.

Please note that, for your and Rebura’s protection, Rebura cannot respond to an access request until it verifies the identity of the person making the request for your Personal Data. This verification process may extend the response timeframes set forth in the paragraph above.

C. Do I have a right to object to the processing of my Personal Data, including the processing of my Personal Data by Rebura for direct marketing?

Yes, you have a right to object to the processing of your Personal Data where:

  • Rebura’s processing is based on its legitimate interest; or
  • where Rebura is using your Personal Data to directly market to you.

You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com.

If Rebura receives an objection request from you for reasons unrelated to direct marketing, Rebura will stop processing your Personal Data unless we can show compelling legitimate ground(s) for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of any legal claims.

If Rebura receives an objection request from you for reasons related to direct marketing, we will stop processing your Personal Data.

If you receive a direct marketing communication from Rebura and you do not wish to receive future direct marketing communications from Rebura, you may request to unsubscribe from future marketing communications by sending Rebura an email at privacy@rebura.com  In addition, if the direct marketing communication you received was via email and has an “Unsubscribe” link, you can click the “Unsubscribe” link at the bottom of the email and fill out the required form. Whether through email or by clicking the “Unsubscribe” link, Rebura will process your unsubscribe request.  Please allow up to ten (10) business days for your unsubscribe request to take effect.

D. Do I have a right to restrict processing of my Personal Data?

Yes, you have a right to restrict, the processing of your Personal Data.  You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com.  When you exercise this right, Rebura may continue to store your Personal Data but cannot further process it.  Rebura will cease processing your Personal Data in the following circumstances:

  1. when you file a rectification request with Rebura (see the “Do I have a right to have any inaccurate or incomplete Personal Data rectified?” section below) in accordance with this Privacy Notice and applicable law. The restriction shall remain in place until such time as Rebura has verified the accuracy of the Personal Data that is the subject of your rectification request;
  2. where Rebura is processing your Personal Data based on its legitimate interest and you file a notice with Rebura objecting to the processing of your Personal Data (see the “Do I have a right to object to the processing of my Personal Data?” section above) in accordance with this Privacy Notice and applicable law, Rebura will cease processing your Personal Data until such time as Rebura has made a determination as to whether its legitimate grounds for continued processing override your reasons for objecting to the processing;
  3. when the processing is unlawful and you do not seek or want erasure and you file a restriction request with Rebura in accordance with this Privacy Notice and applicable law instead; and
  4. if Rebura no longer needs the Personal Data and you require the data to establish, exercise or defend a legal claim.

While the processing of your Personal Data is restricted, Rebura may continue to process such data by storing it, processing it with your consent or processing it for the establishment, exercise or defence of legal claims.

Rebura will inform you if it decides to lift a restriction on processing.

If Rebura has disclosed any of your Personal Data to a third party and you submit a request to restrict processing, Rebura will inform (1) you about the recipients if you so request and (2) any such third parties of your restriction request unless doing so is impossible or involves disproportionate efforts.

Rebura will act on your restriction request in accordance with this Privacy Notice without undue delay. Please note that, for your and Rebura’s protection, Rebura cannot act on a restriction request until it verifies the identity of the person making the request. This verification process may extend the timeframe in which Rebura acts on your restriction request.

E. Do I have a right to Personal Data portability?

Yes. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com. This right exists to allow you to obtain and use your Personal Data for your own purposes across different services. Under this right, you can move, copy or transfer your Personal Data from Rebura to another data controller.

This right applies where Rebura is processing your Personal Data with your consent or for the performance of a contract. It also applies if we process your Personal Data by automated means. If your portability request concerns someone other than you, Rebura will have to consider whether providing or porting the Personal Data would prejudice the other person’s or people’s rights.

Generally, Rebura will respond to your portability request without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. Where technically feasible, you may request that Rebura transmit your Personal Data to another data controller.

F. Do I have a right to object to decision been taken by automated means?

If Rebura uses automated (i.e. non-human) methods to process your Personal Data to make decisions that could potentially have a damaging legal or similarly significant effect on you (each, an “Automated Decision”), you have the right not to be subject to the Automated Decision. This right is inapplicable to any Automated Decision made by Rebura that is necessary for entering into or the performance of a contract between you and Rebura, is authorized by law or is based on your explicit consent.

If Rebura makes any Automated Decisions to which this right applies, Rebura will ensure that you are able to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it.

If Rebura engages in “profiling” by automated means, Rebura will ensure that appropriate safeguards are in place including (1) ensuring that the processing is fair and transparent by providing you with meaningful information about the logic involved and the significance and consequences of the outcome of the decision, (2) using appropriate mathematical or statistical procedures for the profiling, (3) implementing appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors and (4) securing the Personal Data in a way that is proportionate to the risk to your interests and rights and prevents discriminatory effects.

G. Do I have a right to have any inaccurate or incomplete Personal Data rectified?

Yes. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com.

Generally, Rebura will respond to your rectification request within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex. In rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the ICO and to seek a judicial remedy.

If Rebura has disclosed any of your Personal Data to a third party and you submit a rectification request to Rebura that Rebura is going to honor, Rebura will inform (1) you about the recipients and (2) any such third parties of your rectification request as well as any corrected Personal Data, unless doing so is impossible or involves disproportionate efforts.

We will use reasonable endeavours to ensure that your Personal Data is maintained and up to date.

H. What are my rights if the Security of my Personal Data is breached?

A breach of Personal Data (a “Breach”) means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, your Personal Data for which we are responsible under applicable law.

If the Breach is likely to have a significant detrimental effect on your rights and freedoms (such as resulting in discrimination, damage to reputation or financial loss), Rebura will notify the ICO without undue delay, and if feasible, within one business day of Rebura’s becoming aware of the Breach. Rebura will assess the determination of “significant detrimental effect” on a case by case basis.

If the Breach is likely to result in a “high risk” to your rights and freedoms, Rebura will notify you without undue delay. To be clear, the threshold requiring Rebura to notify you of a Breach is higher than the threshold requiring Rebura to notify the ICO of a Breach so it is possible that Rebura will notify the ICO of a Breach but not you. Rebura will assess the determination of “high risk” on a case by case basis.

Any Breach notice issued by Rebura will contain, where possible, (1) the categories and approximate number of individuals and Personal Data records effected by the Breach, (2) the name and contact details of the information security manager (“ISM”) (or other Rebura contact representative if Rebura does not have a ISM at the time that Rebura issues the Breach notice), (3) a description of the likely consequences of the Breach, (4) a description of the measures that Rebura has taken, and may take, to stop the Breach and, where appropriate, to mitigate the adverse effects of the Breach and (5) recommendations on actions you can take to protect yourself in light of the Breach.

I. Will my Personal Data be transferred outside the UK?

Rebura may transfer your Personal Data to third parties described in this Privacy Notice who are located outside of the UK, Switzerland, or European Economic Area (“EEA”). If so, Rebura will take reasonable steps to ensure that your Personal Data is protected and treated in accordance with this Privacy Notice and local applicable law. Some of the countries outside the UK, Switzerland, or EEA where your Personal Data may be transferred will be on the ICO’s list of countries that it has deemed to have adequate security controls in place (the “Approved List”). Given the European Court of Justice’s decision in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, Case C-311/18 (July 16, 2020) (“Schrems II”)  and absent consent from the Data Subject (or any other reason provided in UK GDPR Article 49(1)(b)-(f), UK law as may be amended from time to time), if Rebura transfers your Personal Data to processors (which could be external third party vendors or suppliers) that store, transfer, process, or control your Personal Data in a country not on the Approved List or not in the UK (“Third Countries”), then Rebura shall determine whether each processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within the UK or a country on the Approved List.

  • If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within a country on the Approved List or in the UK, we will require such processor (and will require the processor to require each of its applicable subprocessors) to do so.
  • If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) cannot store, transfer, process, or control the Personal Data in a country on the Approved List or in the UK, then:
    • Rebura will require such processor (and will require the processor to require each of its applicable subprocessors) to be bound by the model clauses promulgated by the ICO under S119A(1) Data Protection Act 2018, including but not limited to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses VERSION B1.0, as in force 21 March 2022, any successor version thereto, and any other valid transfer mechanism promulgated by the ICO  (collectively for this Addendum, “Model Clauses”). When relying on the Model Clauses, Rebura shall (a) monitor the laws and regulations of Third Countries for the adequate protections of UK Data Subjects as required by the UK GDPR or other local laws and regulations; and (b) terminate the storage, transfer, processing , or control of Personal Data by a processor (or a subprocessor where the process has informed Rebura of the country in which such subprocessor is processing your Personal Data) when (i) such laws and regulations of Third Countries are incompatible with the UK GDPR or other local laws and regulations, or (ii) access to Personal Data is requested by the public authorities of Third Countries and such access is lawful under the laws of the Third Countries but is prohibited under the UK GDPR or other local laws and regulations. If the events described in III(I)(b)(i)(b)(i) or (ii) occur, Rebura will confer with the appropriate supervisory authority regarding appropriate actions to safeguard your Personal Data.
  • Rebura shall also require the processor (and will require each processor to require its applicable subprocessors) to determine whether each processor or subprocessor can store, transfer, process, or control the Personal Data solely within the UK or a country on the Approved List.
  1. If processor (or its applicable subprocessors) can store, transfer, process, or control the Personal Data solely within the UK or a country on the Approved List, then Rebura shall contractually require the processors (and require processor to require its subprocessors to) do so.
  2. If processor (or its applicable subprocessors) must store, transfer, process, or control the Personal Data in a Third Country, then Rebura shall require its processors (and require processor to require its subprocessors to) to be bound by the Model Clauses. When relying on the Model Clauses, Rebura shall contractually require such processors (and shall also require processors to require their subprocessors) to agree to (a) monitor the laws and regulations of Third Countries for the adequate protections of UK Data Subjects as required by the UK GDPR or other local laws and regulations; and (b) terminate the transfer, processing, or control of Personal Data when (i) such laws and regulations of Third Countries are incompatible with the UK GDPR or other local laws and regulations, or (ii) access to Personal Data is requested by the public authorities of Third Countries and such access is lawful under the laws of the Third Countries but is prohibited under the UK GDPR or other local laws and regulations. If the events described in III(I)(c)(2)(b)(i) or (ii) occur with respect to your Personal Data (and if Rebura has formal notice that the events described in III(I)(c)(2)(b)(i) or (ii) have occurred), Rebura will confer with the appropriate supervisory authority regarding appropriate actions to safeguard your Personal Data.

Under certain circumstances, Rebura may share your Personal Data with one or more of its group companies who may be located in a Third Country. In such cases, Rebura will comply with its DPAs. The DPAs are incorporated by reference into this Addendum

J. How long will Rebura store my Personal Data for?

We are required by law to store your Personal Data for as long as is necessary to comply with our legal, regulatory and contractual obligations.

With respect to UK GDPR (and similar laws), we will store and process your Personal Data that we obtain via: (i) your consent, until the earlier of (a) the purpose for which we obtained such information has been fully accomplished or (b) you inform us that you have withdrawn your consent; (ii) our legitimate interest until the earlier of (a) your Personal data is no longer necessary for the purpose for which it is being processed, or (b) Rebura concludes that your rights and freedoms outweigh our right to process your Personal Data; and (iii) our necessity for the performance of a contract, until the termination or expiration of the contract including the termination or expiration of Rebura’s and your employer’s or company’s duties or obligations that survive any such termination or expiration.

Furthermore, we will store your Personal Data in special circumstances related to the issuance or defense of legal proceedings, outstanding invoices or in connection with any investigation by or of a government authority.

K. What Protections do I have if Rebura transfers my Personal Data to the U.S.?

In short, you have the protections of the Model Clauses, defined above. In addition to the Model Clauses, Rebura has additional contractual clauses that may apply to its United States clients and vendors which are in the United States of America Addendum below.

Rebura discloses Personal Data to third party service providers in connection with the operation of their respective businesses, including their provision of services to clients.

Rebura may be required to disclose Personal Data to law enforcement, regulatory or other government agencies, or to other third parties, in each case to comply with legal, regulatory, or national security obligations or requests.

Any questions, complaints, or requests to access, correct, amend, delete, or limit the use or disclosure of Personal Data (opt out) may be directed to privacy@rebura.com. If Rebura has not been able to satisfactorily resolve the issue, then you may raise it with your data protection authority (see paragraph immediately below).

L. UK residents. Should your complaint remain unresolved and you reside in the UK, then you should contact the UK Supervisory Authorities (the “SAs”) who act as an independent recourse mechanism to settle all such disputes. Such complaints can be directed either to the UK SAs panel secretariat or individual UK SAs.

Information Commissioner’s Office                               

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate)

Fax: 0162 552 4510

Or via below link :

https://ico.org.uk/make-a-complaint/

ICO regional offices

Scotland

Information Commissioner’s Office
45 Melville Street
Edinburgh
EH3 7HL

Tel: 0303 123 1115
Email: scotland@ico.org.uk

Wales

Information Commissioner’s Office
2nd floor
Churchill House
Churchill way
Cardiff
CF10 2HH

Tel: 0330 414 6421
Email: wales@ico.org.uk

Northern Ireland

Information Commissioner’s Office
3rd Floor
14 Cromac Place
Belfast
BT7 2JB

Tel: 028 9027 8757 or 0303 123 1114
Email: ni@ico.org.uk

 



EUROPEAN ECONOMIC AREA & SWITZERLAND ADDENDUM

This Addendum applies to the European Economic Area (“EEA”) and Swiss residents. I. Who are Rebura’s Supervisory Authorities and EU Representative for Data Protection Purposes? Rebura is not established in the EEA or Switzerland. Therefore, the supervisory authority for Rebura in the EEA is located in the EEA country in which you reside or where your Personal Data is processed under this Addendum as defined in Section III(L) below (the, “EEA SAs”). If you live in Switzerland, Rebura’s supervisory authority is the Federal Data Protection and Information Commissioner (“FDPIC”). Collectively for this Addendum, the EEA SAs and the FDPIC are the “SAs”). Rebura has appointed its Dutch affiliate, Frank Recruitment Group B.V., as its European Union Representative (“EU Rep.”). II. How do we lawfully process your data? In order to process your Personal Data lawfully Rebura must have a legal basis to do so.  Rebura relies on three main legal bases for processing your Personal Data:
  • where we obtain your affirmative consent to use your Personal Data in this way;
  • where we have a legitimate interest in processing your Personal Data, which we have balanced against your rights and freedoms and concluded that our processing is justifiable; or
  • where our handling of your Personal Data is necessary for us to perform the obligations under your company’s or employer’s contract with Rebura.
We may rely on one or more legal bases to process your Personal Data. A. All users of the Websites and/or our services Legitimate Interests: Rebura uses Personal Data that we collect for the following general purposes in the performance of our legitimate interests as a business: to provide the services to our clients; to enhance their experience, to improve our services and to contact clients. B. Individuals who work for Rebura clients (i.e. a client contact) Consent: If you would like to receive general marketing and other communications from us, you will have the option to affirmatively check a box consenting to Rebura processing your Personal Data for this purpose. Rebura may also ask you via email or telephone for your affirmative consent to receive marketing and other communications from us. Legitimate Interest: Rebura has a legitimate interest in processing your Personal Data in order to provide AWS services at your company or employer, and provide you with other products and services relevant to your company or employer and to market its products and services to you in order to grow our business, to demonstrate our knowledge of the AWS services marketplace and relevant technologies and to enhance the standing and recognition of our brands. Rebura also has legitimate interest to process your Personal Data if you seek or obtain further information about Rebura or an Rebura client. Necessary for the performance of a contract: Rebura can process your Personal Data in the performance of its contract with your company or employer. With respect to actual or prospective client contacts, if Rebura obtains your Personal Data from someone other than you, Rebura shall inform you of the identity and contact details of the person or entity from whom Rebura obtained your Personal Data, whether Rebura obtained your Personal Data from publicly available sources, the categories of Personal Data that Rebura obtained and, if Rebura is processing your Personal Data based on its legitimate interest (see Section III below), the nature of Rebura’s legitimate interest.  Rebura shall provide you with the information listed in this paragraph by the earlier of (1) one month after Rebura obtains your Personal Data or (2) if Rebura uses your Personal Data to communicate with you, the first time that Rebura communicates with you. Rebura shall not provide you with the information described in the paragraph immediately above if you already possess this information, providing you with such information is against applicable law, is subject to an obligation of professional secrecy, proves impossible, would involve a disproportionate effort or would render impossible or seriously impair the achievement of the objectives of the processing, in which case, Rebura shall take appropriate measures to protect your rights, freedoms and legitimate interests. III. Your Special Rights under Data Protection Laws A. Do I have a right to be erased (forgotten)? Yes. You have the right to request that Rebura deletes or removes your Personal Data where there is no compelling reason for us to continue to process it. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com. Please note that your right to erasure is not absolute.  Rebura will remove your Personal Data when:
  1. the Personal Data is no longer necessary in relation to the purpose for which Rebura originally collected and/or processed it;
  2. if Rebura is processing your Personal Data on the basis of your consent and you withdraw consent;
  3. you object to the processing of your Personal Data and there is no overriding legitimate interest for us to continue to process it;
  4. the Personal Data was unlawfully processed; and
  5. the Personal Data must be erased to comply with a legal obligation.
Rebura can refuse to comply with an erasure request in the following limited circumstances: (a) to exercise Rebura’s right of freedom of expression and information; (b) to comply with a legal obligation or for the performance of a public interest task; (c) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or (d) for the establishment, exercise or defence of legal claims. If we remove your Personal Data per your request for erasure, then we will confirm this with you. If we have disclosed any of your Personal Data to a third party and you submit an erasure request to us, then we will inform (1) you about the recipients and (2) any such third parties of your erasure request unless doing so is impossible or involves disproportionate efforts. We will respond to your erasure request without undue delay.  Please note that, for your and Rebura’s protection, we cannot respond to an erasure request until we have verified the identity of the person making the request.  This verification process may extend the response timeframes set forth in this paragraph. B. Do I have a right of access to a copy of my Personal Data? Yes. You have the right to:
  • obtain confirmation that your Personal Data is being processed;
  • a copy of your Personal Data being processed;
  • the purposes of the processing;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom Rebura has disclosed your Personal Data; and
  • the criteria Rebura uses to determine how long it will store your Personal Data.
You can exercise this right by sending an email to Rebura at privacy@rebura.com. This right is in place to ensure that you are aware of and can verify the lawfulness of the processing. In most cases, we will provide you with a copy of your Personal Data free of charge. However, we may charge you a reasonable fee if your request is manifestly unfounded, excessive or repetitive. With respect to unfounded, excessive or repetitive requests, in rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you without undue delay and within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the SAs and to seek a judicial remedy. If you submit your access request to Rebura electronically, Rebura will provide you with its response, and a copy of your Personal Data (if applicable) via email or other commonly used electronic form. If Rebura did not collect your Personal Data from you, Rebura will inform you about the source from which it obtained your Personal Data. Your right of access does not adversely affect your right of erasure (forgotten) and right of rectification, both of which are described in this Privacy Notice. Generally, Rebura will provide you with a copy of your Personal Data without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. If your request is large or complex, Rebura may ask you to specify the particular information or category of information you seek. Please note that, for your and Rebura’s protection, Rebura cannot respond to an access request until it verifies the identity of the person making the request for your Personal Data. This verification process may extend the response timeframes set forth in the paragraph above. C. Do I have a right to object to the processing of my Personal Data, including the processing of my Personal Data by Rebura for direct marketing? Yes, you have a right to object to the processing of your Personal Data where:
  • Rebura’s processing is based on its legitimate interest; or
  • where Rebura is using your Personal Data to directly market to you.
You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com. If Rebura receives an objection request from you for reasons unrelated to direct marketing, Rebura will stop processing your Personal Data unless we can show compelling legitimate ground(s) for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of any legal claims. If Rebura receives an objection request from you for reasons related to direct marketing, we will stop processing your Personal Data. If you receive a direct marketing communication from Rebura and you do not wish to receive future direct marketing communications from Rebura, you may request to unsubscribe from future marketing communications by sending Rebura an email at privacy@rebura.com  In addition, if the direct marketing communication you received was via email and has an “Unsubscribe” link, you can click the “Unsubscribe” link at the bottom of the email and fill out the required form. Whether through email or by clicking the “Unsubscribe” link, Rebura will process your unsubscribe request.  Please allow up to ten (10) business days for your unsubscribe request to take effect. D. Do I have a right to restrict processing of my Personal Data? Yes, you have a right to restrict, the processing of your Personal Data.  You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com.  When you exercise this right, Rebura may continue to store your Personal Data but cannot further process it.  Rebura will cease processing your Personal Data in the following circumstances:
  1. when you file a rectification request with Rebura (see the “Do I have a right to have any inaccurate or incomplete Personal Data rectified?” section below) in accordance with this Privacy Notice and applicable law. The restriction shall remain in place until such time as Rebura has verified the accuracy of the Personal Data that is the subject of your rectification request;
  2. where Rebura is processing your Personal Data based on its legitimate interest and you file a notice with Rebura objecting to the processing of your Personal Data (see the “Do I have a right to object to the processing of my Personal Data?” section above) in accordance with this Privacy Notice and applicable law, Rebura will cease processing your Personal Data until such time as Rebura has made a determination as to whether its legitimate grounds for continued processing override your reasons for objecting to the processing;
  3. when the processing is unlawful and you do not seek or want erasure and you file a restriction request with Rebura in accordance with this Privacy Notice and applicable law instead; and
  4. if Rebura no longer needs the Personal Data and you require the data to establish, exercise or defend a legal claim.
While the processing of your Personal Data is restricted, Rebura may continue to process such data by storing it, processing it with your consent or processing it for the establishment, exercise or defence of legal claims. Rebura will inform you if it decides to lift a restriction on processing. If Rebura has disclosed any of your Personal Data to a third party and you submit a request to restrict processing, Rebura will inform (1) you about the recipients if you so request and (2) any such third parties of your restriction request unless doing so is impossible or involves disproportionate efforts. Rebura will act on your restriction request in accordance with this Privacy Notice without undue delay. Please note that, for your and Rebura’s protection, Rebura cannot act on a restriction request until it verifies the identity of the person making the request. This verification process may extend the timeframe in which Rebura acts on your restriction request. E. Do I have a right to Personal Data portability? Yes. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com. This right exists to allow you to obtain and use your Personal Data for your own purposes across different services. Under this right, you can move, copy or transfer your Personal Data from Rebura to another data controller. This right applies where Rebura is processing your Personal Data with your consent or for the performance of a contract. It also applies if we process your Personal Data by automated means. If your portability request concerns someone other than you, Rebura will have to consider whether providing or porting the Personal Data would prejudice the other person’s or people’s rights. Generally, Rebura will respond to your portability request without undue delay and within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex or numerous. If Rebura exercises this extension of time, Rebura will inform you of its decision to exercise the extension within one month of its receipt of your request, and will explain the reason(s) for the extension. Where technically feasible, you may request that Rebura transmit your Personal Data to another data controller. F. Do I have a right to object to decision been taken by automated means? If Rebura uses automated (i.e. non-human) methods to process your Personal Data to make decisions that could potentially have a damaging legal or similarly significant effect on you (each, an “Automated Decision”), you have the right not to be subject to the Automated Decision. This right is inapplicable to any Automated Decision made by Rebura that is necessary for entering into or the performance of a contract between you and Rebura, is authorized by law or is based on your explicit consent. If Rebura makes any Automated Decisions to which this right applies, Rebura will ensure that you are able to obtain human intervention, express your point of view and obtain an explanation of the decision and challenge it. If Rebura engages in “profiling” by automated means, Rebura will ensure that appropriate safeguards are in place including (1) ensuring that the processing is fair and transparent by providing you with meaningful information about the logic involved and the significance and consequences of the outcome of the decision, (2) using appropriate mathematical or statistical procedures for the profiling, (3) implementing appropriate technical and organizational measures to enable inaccuracies to be corrected and minimize the risk of errors and (4) securing the Personal Data in a way that is proportionate to the risk to your interests and rights and prevents discriminatory effects. G. Do I have a right to have any inaccurate or incomplete Personal Data rectified? Yes. You can exercise this right, free of charge, by sending an email to Rebura at privacy@rebura.com. Generally, Rebura will respond to your rectification request within one month of its receipt of your request, provided that Rebura may extend this time period for up to two additional months if your request is complex. In rare cases, Rebura may refuse to respond to your request but will explain the reason(s) for its refusal to you within one month of its receipt of your request. If Rebura so refuses, you have the right to file a complaint with the SAs and to seek a judicial remedy. If Rebura has disclosed any of your Personal Data to a third party and you submit a rectification request to Rebura that Rebura is going to honor, Rebura will inform (1) you about the recipients and (2) any such third parties of your rectification request as well as any corrected Personal Data, unless doing so is impossible or involves disproportionate efforts. We will use reasonable endeavours to ensure that your Personal Data is maintained and up to date. H. What are my rights if the Security of my Personal Data is breached? A breach of Personal Data (a “Breach”) means a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, your Personal Data for which we are responsible under applicable law. If the Breach is likely to have a significant detrimental effect on your rights and freedoms (such as resulting in discrimination, damage to reputation or financial loss), Rebura will notify the SAs without undue delay, and if feasible, within one business day of Rebura’s becoming aware of the Breach. Rebura will assess the determination of “significant detrimental effect” on a case by case basis. If the Breach is likely to result in a “high risk” to your rights and freedoms, Rebura will notify you without undue delay. To be clear, the threshold requiring Rebura to notify you of a Breach is higher than the threshold requiring Rebura to notify the SAs of a Breach so it is possible that Rebura will notify the SAs of a Breach but not you. Rebura will assess the determination of “high risk” on a case by case basis. Any Breach notice issued by Rebura will contain, where possible, (1) the categories and approximate number of individuals and Personal Data records effected by the Breach, (2) the name and contact details of the information security manager (“ISM”) (or other Rebura contact representative if Rebura does not have a ISM at the time that Rebura issues the Breach notice), (3) a description of the likely consequences of the Breach, (4) a description of the measures that Rebura has taken, and may take, to stop the Breach and, where appropriate, to mitigate the adverse effects of the Breach and (5) recommendations on actions you can take to protect yourself in light of the Breach. I. Will my Personal Data be transferred outside the EEA or Switzerland? Rebura may transfer your Personal Data to third parties described in this Privacy Notice who are located outside of  Switzerland or EEA. If so, Rebura will take reasonable steps to ensure that your Personal Data is protected and treated in accordance with this Privacy Notice and local applicable law. Some of the countries outside  Switzerland or EEA where your Personal Data may be transferred will be on the EU Commission or Swiss Federal Data Protection and Information Commission’s list of countries that it has deemed to have adequate security controls in place (for this Addendum, the “Approved List”). Given the European Court of Justice’s decision in Data Protection Commissioner v. Facebook Ireland and Maximilian Schrems, Case C-311/18 (July 16, 2020) (“Schrems II”) as well as the September 8, 2020 Swiss Federal Data Protection and Information Commissioner’s Policy paper on the transfer of personal data to the USA and other countries lacking an adequate level of data protection within the meaning of Art. 6 Para. 1 Swiss Federal Act on Data Protection, and absent consent from the Data Subject (or any other reason provided in GDPR Article 49(1)(b)-(f),  Swiss law as may be amended from time to time), if Rebura transfers your Personal Data to processors (which could be external third party vendors or suppliers) that store, transfer, process, or control your Personal Data in a country not on the Approved List or not in  Switzerland or EEA (for this Addendum, “Third Countries”), then Rebura shall determine whether each processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within  Switzerland, EEA, or a country on the Approved List.
  • If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) can store, transfer, process, or control the Personal Data solely within a country on the Approved List or in Switzerland or EEA, we will require such processor (and will require the processor to require each of its applicable subprocessors) to do so.
  • If Rebura determines that the processor (and each subprocessor that a processor has provided Rebura formal notice of) cannot store, transfer, process, or control the Personal Data in a country on the Approved List or in Switzerland or EEA, then:
    • Rebura will require such processor (and will require the processor to require each of its applicable subprocessors) to be bound by the model clauses promulgated by the European Commission as provided here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN (or any updated link which the European Commission may supply from time to time) (for this Addendum, the “Model Clauses”). When relying on the Model Clauses, Rebura shall (a) monitor the laws and regulations of Third Countries for the adequate protections of UK, Swiss, or EEA Data Subjects as required by the GDPR or other local laws and regulations; and (b) terminate the storage, transfer, processing , or control of Personal Data by a processor (or a subprocessor where the process has informed Rebura of the country in which such subprocessor is processing your Personal Data) when (i) such laws and regulations of Third Countries are incompatible with the GDPR or other local laws and regulations, or (ii) access to Personal Data is requested by the public authorities of Third Countries and such access is lawful under the laws of the Third Countries but is prohibited under the GDPR or other local laws and regulations. If the events described in III(I)(b)(i)(b)(i) or (ii) occur, Rebura will confer with the appropriate supervisory authority regarding appropriate actions to safeguard your Personal Data.
  • Rebura shall also require the processor (and will require each processor to require its applicable subprocessors) to determine whether each processor or subprocessor can store, transfer, process, or control the Personal Data solely within Switzerland, EEA, or a country on the Approved List.
  1. If processor (or its applicable subprocessors) can store, transfer, process, or control the Personal Data solely within Switzerland, EEA, or a country on the Approved List, then Rebura shall contractually require the processors (and require processor to require its subprocessors to) do so.
  2. If processor (or its applicable subprocessors) must store, transfer, process, or control the Personal Data in a Third Country, then Rebura shall require its processors (and require processor to require its subprocessors to) to be bound by the Model Clauses. When relying on the Model Clauses, Rebura shall contractually require such processors (and shall also require processors to require their subprocessors) to agree to (a) monitor the laws and regulations of Third Countries for the adequate protections of Swiss or EEA Data Subjects as required by the GDPR or other local laws and regulations; and (b) terminate the transfer, processing, or control of Personal Data when (i) such laws and regulations of Third Countries are incompatible with the GDPR or other local laws and regulations, or (ii) access to Personal Data is requested by the public authorities of Third Countries and such access is lawful under the laws of the Third Countries but is prohibited under the GDPR or other local laws and regulations. If the events described in III(I)(c)(2)(b)(i) or (ii) occur with respect to your Personal Data (and if Rebura has formal notice that the events described in III(I)(c)(2)(b)(i) or (ii) have occurred), Rebura will confer with the appropriate supervisory authority regarding appropriate actions to safeguard your Personal Data.
Under certain circumstances, Rebura may share your Personal Data with one or more of its group companies who may be located in a Third Country. In such cases, Rebura will comply with its DPAs. The DPAs are incorporated by reference into this Addendum J. How long will Rebura store my Personal Data for? We are required by law to store your Personal Data for as long as is necessary to comply with our legal, regulatory and contractual obligations. With respect to GDPR (and similar laws), we will store and process your Personal Data that we obtain via: (i) your consent, until the earlier of (a) the purpose for which we obtained such information has been fully accomplished or (b) you inform us that you have withdrawn your consent; (ii) our legitimate interest until the earlier of (a) your Personal data is no longer necessary for the purpose for which it is being processed, or (b) Rebura concludes that your rights and freedoms outweigh our right to process your Personal Data; and (iii) our necessity for the performance of a contract, until the termination or expiration of the contract including the termination or expiration of Rebura’s and your employer’s or company’s duties or obligations that survive any such termination or expiration. Furthermore, we will store your Personal Data in special circumstances related to the issuance or defense of legal proceedings, outstanding invoices or in connection with any investigation by or of a government authority. K. What Protections do I have if Rebura transfers my Personal Data to the U.S.? In short, you have the protections of the Model Clauses, defined above. In addition to the Model Clauses, Rebura has additional contractual clauses that may apply to its United States clients and vendors which are in the United States of America Addendum below. Rebura discloses Personal Data to third party service providers in connection with the operation of their respective businesses, including their provision of services to clients. Rebura may be required to disclose Personal Data to law enforcement, regulatory or other government agencies, or to other third parties, in each case to comply with legal, regulatory, or national security obligations or requests. Any questions, complaints, or requests to access, correct, amend, delete, or limit the use or disclosure of Personal Data (opt out) may be directed to privacy@rebura.com. If Rebura has not been able to satisfactorily resolve the issue, then you may raise it with your data protection authority (see paragraph immediately below). L. EEA residents. Should your complaint remain unresolved and you reside in the EEA, then you should contact the EEA Supervisory Authorities (the “EEA SAs”) who act as an independent recourse mechanism to settle all such disputes. Such complaints can be directed either to the EEA SAs panel secretariat or individual EEA SAs. Currently, the contact information relevant to the submission of the EEA standard complaint form is as follows: Commission Européenne, Directorate General Justice, Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Data Protection Panel, B-1049 Brussels, Belgium, Telephone: (32-2) 299 11 11, Fax: (32-2) 298.80.94, email: ec-dppanel-secr@ec.europa.eu. You can find the standard compliant form at https://edps.europa.eu/data-protection/our-role-supervisor/complaints/edps-complaint-form_en. The contact information for individual EEA SAs can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/eu/index_en.htm M. Swiss residents. Should your complaint remain unresolved and you reside in Switzerland, then you should contact the FDPIC of Switzerland with whom Rebura has agreed to cooperate regarding such disputes. The contact information for the Swiss FDPIC can be found at: https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html

UNITED STATES OF AMERICA ADDENDUM

UNITED STATES OF AMERICA ADDENDUM I. If you would like a copy of Rebura’s US comprehensive information security program, please email Rebura’s CPO at privacy@rebura.com. If Rebura receives a “Do Not Track” signal or request from a web browser, Rebura will not honor such request or signal. Rebura has taken this position in part to provide you with a personalized and efficient experience on the Websites. As discussed in this Privacy Notice, there are third parties who conduct tracking on the Websites. Information about web beacons used by Rebura and third parties with whom it contracts can be found in Section XII.F of the Privacy Notice above. II. For information on Rebura’s transfers of EEA/Swiss data to the U.S., see the section entitled “ In addition to the forgoing, for compliance with applicable law, the following terms, to which Rebura reserves the right to revise from time to time without notice, shall be incorporated by reference where these terms are required in client contracts: (A). In the event Rebura transfers to client or any of its affiliates, or provides client or any of its affiliates with access to any Personal Data (as defined for this Section II below) of European Union or Switzerland residents, including employees of Rebura or its affiliates and actual or prospective Rebura client contacts, and client maintains, receives, has access to, stores, uses or processes such Personal Data in the United States, client shall comply with data protection, data security and confidentiality requirements at least as strong as those set forth in the Privacy Shield Principles issued by the U.S. Department of Commerce, as revised from time to time (collectively, the “Principles”) During the term of such contracts and while client creates, receives, maintains, stores, uses, processes or disseminates any Personal Data, client shall:
  1. use the Personal Data only for the specific and limited purposes intended in the client contract including for the purposes of providing AWS services;
  2. provide immediate written notice to Rebura as applicable if (a) client determines that it can no longer meet its obligation to provide the same level of protection of the Personal Data as is required by the Principles, and in such case client shall cease processing the Personal Data or (b) client becomes aware of any accidental or unlawful destruction of, or accidental loss or alternation of or unauthorized disclosure or access to, any Personal Data (a “Breach”) which notice shall include a description of the quantity of Personal Data subject to the Breach, the approximate length and duration of the Breach, the data subjects whose Personal Data was subject to the Breach and a Breach remediation plan;
  3. at its cost, employ its best efforts to stop, limit and remediate the Breach, perform a “root cause” analysis of the Breach, employ its best efforts to prevent the same or a similar Breach from reoccurring and keep Rebura up to date on all its efforts under this subsection II(A)(3);
  4. implement appropriate technical and organizational measures to protect Personal Data against a Breach;
  5. not transfer any Personal Data to third parties without the data subject’s prior written or email consent (which Rebura as applicable shall attempt to obtain after receiving notice from client of its need to transfer Personal Data to a third party);
  6. assist Rebura in responding to data subjects exercising their rights under the Principles;
  7. act only on instructions from Rebura; and
  8. either have in place an independent recourse mechanism to handle data subject complaints that complies with the requirements of the Principles or make available an equivalent mechanism.
(B) Upon the termination or expiration of the applicable client contract, client shall, at Rebura’s option, return all Personal Data to Rebura as applicable or permanently destroy all Personal Data (and all copies and derivative works thereof) in its care, custody or control except for any Personal Data that applicable law, if any, requires client to maintain (“Archival Personal Data”). With respect to any Archival Personal Data, client’s obligations and requirements under this Section II shall remain in full force and effect for as long as such Archival Personal Data remains in client’s care, custody or control. (C) If client forwards or gives access to any of the Personal Data to any third party at any time, including any subprocessor or controller of client, client shall ensure that its written contract with such third party contains these terms, as applicable. (D) For purposes of this Section II, the term “Personal Data” shall have the same meaning ascribed to that term as in the Principles which can be found at https://www.privacyshield.gov/servlet/servlet.FileDownload?file=015t00000004qAg as revised from time to time.