PRIVACY NOTICE


1. Introduction

Welcome! My name is Teresa Zuppardo and I am a language teacher.

My company Auri Studio AB ("we", "our", "us") with organization number 559280-4495 is registered in Sweden, and is the Personal Data Controller regarding all Processing of Your Personal Data that is performed by us or on our behalf, insofar as we determine the means and purpose of the Processing.

In this Privacy Notice, You can read about among other things:

• how we Process Personal Data;

• which Personal Data we Process;

• the purpose and legal basis of the Processing;

• where the Personal Data is stored;

• with whom Personal Data may be shared;

• what rights You have according to the GDPR; and

• other information about our Processing of Personal Data.

Our Processing of Personal Data takes place in accordance with the information specified in this Privacy Notice, and we always comply with applicable laws and regulations regarding the Processing of Personal Data, such as GDPR and SCC where applicable. This Privacy Notice covers all types of Personal Data, in both structured and unstructured data.


2. Definitions

The following terms used in this Privacy Notice shall have the meanings set forth below, both when expressed in the plural and the singular:

"Controller" refers to the person/entity who determines the purpose of a particular Processing of Personal data and how the Processing is to be carried out. Natural persons, legal persons, authorities, institutions or other bodies may be Personal data Controllers.

"Data Subject" refers to the natural person who can be identified through the Personal data.

"GDPR" refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

"Payment Service Provider" refers to a Third party that, among other things, processes payments from You for our services on our behalf.

"Personal data" refers to all data that, directly or indirectly, alone or together with other data, can be linked to an identified or identifiable physical living person. Common examples of Personal data are: name, telephone number, address, email address, user ID, credit card number, etc.

"Processing" refers to everything that is made with Personal data, automated or otherwise. Processing can take place through an individual measure or through a combination of different measures. Examples of common Processes of Personal data are storage, erasure, sharing, usage, registration, copying, collection, organization, use, adjustment, destruction, etc.

"Processor" refers to the one who Processes Personal data on behalf of a Personal data Controller, according to the Controller's instructions.

"SCC" refers to Commission implementing decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or later updated version.

"Terms" means the terms and conditions of our services which You accept in connection to Your purchase of our services.

Any other GDPR-related terms not defined herein shall have the same meaning in this Privacy Notice as set forth in Article 4 of the GDPR.


3. How we access Personal Data that we Process

We may access, collect and Process Your Personal Data when You for example:

• Enter into an agreement with us

• Contact us or give us feedback

• Use our services

If we receive information about You from someone else, it depends on Your and our respective relationships with the Third-party and their policies.


4. Categories of Personal Data that we Process

In accordance with the principle of data minimization, we only process Personal Data in our capacity as a Controller that is adequate, necessary, and relevant to fulfil the purposes for which it was collected. We mainly Process the following categories of Personal Data:

• First and last name

• Email address

• Home address (for invoicing)

• Telephone number

• National identification number (sw: personnummer) (if necessary).

• Preferences in receiving marketing from us.


5. Legal basis and purpose for our Processing of Personal Data

In accordance with the principle of purpose limitation, we only Process Personal Data in our capacity as Controller for special, explicitly stated, and justified purposes. In addition, all Processing is legal in accordance with the provisions of the GDPR.

We Process Personal Data primarily on one of the following legal bases:

• Consent: You have consented to our Processing of Your Personal Data for one or more specific purposes (Article 6(1)(a) GDPR).

• Contract: The Processing is necessary to perform a contract to which You are a party or take steps at Your request before entering into a contract with us (Article 6(1)(b) GDPR).

• Legal obligation: The Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(c) GDPR).

• Legitimate interest: The Processing is necessary for the legitimate interests pursued by us or a third party, except where such interests are overridden by Your interests or fundamental rights and freedoms, which require protection of Personal Data (Article 6(1)(f) GDPR).

You may have to provide Your Personal Data to us, in order to a) enter into an agreement with us, or b) to comply with legal or contractual obligations.

In some cases, it is optional for You to provide Your Personal Data. However, if You do not give Your Personal Data, for instance, we might not be able to provide the requested services. Unless otherwise stated, You will not suffer any negative legal repercussions if You do not submit Your Personal Data.

When data Processing is based on Your consent, You have the right to withdraw the consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal.

Below You can read more about the legal basis and purpose of our Processing of Personal Data that we conduct in our capacity of Controller. Where appropriate, we have also identified what our legitimate interests are.


1) When You visit the Website:

The website may use cookies. The use of non-necessary cookies takes place only if You give Your consent to it. Legal basis for the Processing of Personal Data: Consent.

You can read more information about how we use cookies on the website through the cookie plugin installed in the website, and how You can manage the storage of cookies.


2) When You contact us:

We Process Your Personal Data that we get access to when You contact us, for example through email, the contact form on the website or social media, such as Your name, telephone number, email and the message content.

The purpose of the Processing is to enable us to know who we are talking to and to stay connected in the matter. We have a legitimate interest in Processing the Personal Data for the purpose stated above.

The provision of Personal Data is not a statutory or contractual requirement, and You are not obliged to provide the Personal Data, but the possible consequences of failure to provide Your Personal Data that we request and/or need in order to respond to You, is that we may not be able to assist You.

Legal basis for the Processing of Personal Data: Legitimate interest.


3) When You receive newsletters from us:

You can consent to receive newsletters from us by providing Your active consent for us to Process Your email address to send You newsletters.

Providing Your email address to us for this purpose is voluntary, which means that it is not a legal or contractual requirement or a requirement necessary to enter into a contract with us, and You are under no obligation to provide Your email address, but the possible consequence of not providing Your email address to us is that we will not send You our newsletters. Legal basis for the Personal Data Processing: Consent.

However, we can send newsletters to Your email address that You have previously provided to us in connection with the conclusion of an agreement with us. The Processing of Your email address then takes place for marketing purposes, to send You information about our business and our Services, which we believe may be of interest to You. We have a legitimate interest in the Personal Data being Processed for the above purpose. Our assessment is that Your interest in the protection of Your Personal Data does not outweigh our legitimate interest, thus the Processing in question does not infringe Your fundamental rights and freedoms. Legal basis for the above-mentioned Processing of Personal Data: Legitimate interest.

How You can unsubscribe from the newsletters

You can cancel Your subscription to our newsletters at any time by clicking on the unsubscribe link in the newsletter and thereby withdraw Your consent. If You withdraw Your consent, we will not continue to send You newsletters.

If You unsubscribe from the newsletters, You will be removed from the email list of recipients of the newsletters, but Your email address will remain in the database with a block for receiving newsletters. The purpose of this is to ensure that You do not receive any more newsletters from us. In our assessment, both we and You have a legitimate interest in the Personal Data being Processed for this purpose. The Processing is necessary for a purpose related to a legitimate interest, and that Your interest in the protection of Your Personal Data is not outweighed. Our assessment is that the Processing in question does not infringe Your fundamental rights and freedoms. Legal basis for the Processing of Personal Data: Legitimate interest.

If You want Your email address to be deleted from the block list as well, You can contact our support by email and request this. You are hereby informed that if Your email address is deleted from the block list, it means that You can receive newsletters from us again if You or someone else registers Your email address to receive newsletters again.


4) When You complete a purchase of our Services:

When You complete a purchase of our Services, we get access to Personal Data that is provided to us in connection with the purchase process. You must provide the following Personal Data and information in connection with the purchase being completed: Your name, email and other billing information.

The provision of the above-mentioned information in connection with the purchase is necessary for us to Process, for us to be able to enter into the purchase agreement with You, and for us to be able to charge for the purchased Service. The possible consequences of such information not being provided to us is that we will not be able to enter into the agreement or fulfil the agreement.

Legal basis for the Processing of Personal Data: Contract.

Payment can be made online through the applicable payment service that we use. We hereby inform You that You accept the Payment Service Provider's terms and privacy policy when using the payment service.


5) Recording of lessons

Purpose and use of recorded lessons

We are committed to enhancing the flexibility and accessibility of our educational programs. To this end, we offer our students the opportunity to access recordings of group lessons. These recordings are available to registered students, providing support for those who may have missed a class or wish to review the material for better comprehension. While our standard is to provide seven-day access post the lesson date, we reserve the right to modify this availability period as necessary.

Additionally, recordings of both single private lessons and group lessons are integral to the enhancement and development of our educational services. Through the analysis of these recordings, we can evaluate and improve our course content, teaching methodologies, and teacher performance. This ongoing assessment is crucial for making essential improvements to our educational program.

Furthermore, selected segments of these recordings may also be used in our marketing efforts, such as promotional campaigns, social media, or our website. This helps to demonstrate the quality and engagement of our educational offerings and plays a vital role in attracting new students, thereby contributing to the growth and expansion of our programs.

The recorded materials are processed and stored securely, supporting our continuous development initiatives. We retain these recordings as long as necessary, driven by our legitimate interest in utilizing them for educational and promotional purposes.

Students and their integrity: In prioritizing student privacy, we uphold the principle of freedom of choice. Students have the option to choose whether their image or voice is included in the recordings. By disabling their webcam and/or microphone, students can participate in lessons without being visually or audibly recorded. We also inform students that chat messages, part of digital meeting platforms such as Zoom or Teams, are included in the recordings. We encourage the use of chat in a way that respects their comfort and privacy.

Consent as a privacy-enhancing measure: Clear information regarding the recording process and its purposes is provided at the start of the course through our Terms of Service and this Privacy Notice. When students enroll in our courses and accept our Terms of Service, we consider this as informed consent for the recording and use of these materials. It is essential to recognize that in this context, consent is a measure to enhance privacy and not the primary legal basis for processing personal data.

Legal basis for the Processing of Personal Data: The legal basis for recording lessons is our legitimate interests (Article 6.1.f GDPR), which encompass recording lessons for educational, quality control, internal development, and marketing purposes.


6) When we manage our relationship with You

We may investigate complaints related to our Services. The following data types are Processed: name and email address of the person making the complaint, and the information provided regarding the complaint. The Processing is based on our legitimate interest in providing high-quality customer service and implementing preventive actions. Legal basis for the Processing of Personal Data: Legitimate Interest.

We may ask You to take a survey or leave a review regarding our Services, and, in such cases, the following types of data are Processed: Your name and email (if provided), time, date, answers to the survey and/or the written review. The Processing is based on our legitimate interest in growing and developing our business. Legal basis for the Processing of Personal Data: Consent.

Suppose we are obliged by the applicable law to notify You about changes to our Privacy Notice or terms. In that case, the following types of Personal Data belonging to You may be Processed by us: name and email address. Legal basis for the Processing of Personal Data: Legal obligation.


7) When we have a legal obligation to the Processing:

If law, court, or authority decision obliges us to Process certain Personal Data, the Processing takes place on the basis of a Legal obligation as a legal basis. In such cases, the Processing takes place only to the extent that it is necessary for us to fulfil our legal obligations and then we only process the necessary Personal Data, for as long as the law requires it (in accordance with the principle of storage limitation). The Processing is made due to statutory provisions.

For example, we store invoices, receipts, and other accounting documents that we are obliged to Process in accordance with current legislation, such as the Swedish Accounting Act (1999:1078) and in accordance with the Swedish Tax Agency's requirements. Accounting documents, invoices and vouchers may in some cases contain Personal Data, such as name, address, order information and any other contact information regarding the Customer and/or the Customer’s signatory, contact person, employee etc. Such Personal Data is stored for as long as the law requires it. Legal basis for the Personal Data Processing: Legal obligation.


8) Other purposes for our Processing of Personal Data

Based on our legitimate interest, we may process Personal Data to:

• protect our rights and property,

• make recommendations or suggestions to You about events or other services that may be of interest to You,

• ensure the technical functionality of the Service,

• use data analytics to improve our marketing, products/services, partner and user relationships and experiences,

• collect anonymous statistics, performance measurements, etc.

We have concluded that we have a legitimate interest to keep our Services updated and relevant, to develop our business, products, and services.


6. Storage location and international transfers

We always strive to Process Your data within the European Union (EU) or the European Economic Area (EEA) (in accordance with the principle of integrity and confidentiality). However, in certain situations, the information may be transferred to and Processed in countries outside the EU/EEA. As we are committed to always protecting Personal Data, we will take all reasonable legal, technical and organisational measures to ensure that the Personal Data is handled securely and with an adequate level of protection comparable to and at the same level as the protection offered within the EU/EEA.

When such transfers occur, we take appropriate measures to ensure that the Personal Data receives a level of protection consistent with the requirements of EU data protection laws. These measures may include obtaining Your explicit consent, implementing contractual agreements with the receiving party that include standard contractual clauses (SCC) approved by the European Commission or verifying that the recipient country has adequate data protection laws.

We will always strive to maintain the security and confidentiality of Your Personal Data, regardless of where it is Processed and we will ensure that any transfers comply with applicable data protection laws.


7. Data retention

We will only retain the Personal Data for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, accounting or reporting requirements, in accordance with the principle of storage limitation. The exact duration of the retention period will depend on the type of Personal Data and the purpose for which it was collected.

When we store the Personal Data for purposes other than our contractual obligations, e.g., to meet anti-money laundering, accounting and regulatory capital requirements, we only store the data for as long as necessary and/or statutory for each purpose.

Invoices, receipts, and other accounting documents that we Process as a Controller, are stored for up to seven (7) years after payment has been made. They may contain identification information and contact information. These are stored for us to be able to manage any complaint matters and to be able to match a payment against an invoice while we are obliged to store such accounting documentation in accordance with current legislation.

We may delete the Personal Data upon Your request unless we need to Process the Personal Data in question to fulfil contractual or legal obligations.

When the Personal Data no longer needs to be retained, it is either erased, de-identified or anonymized.

In the event of a claim against us, we may retain the Personal Data until the expiration of the statutory limitation period. Similarly, in the case of an ongoing dispute, relevant Personal Data will be stored until the resolution of the dispute. We ensure compliance with applicable laws and regulations regarding the retention of Personal Data in these circumstances.


8. Disclosure of Personal Data

We may disclose Personal Data to the recipients stated below, to achieve the purposes, set out in the section above regarding “Legal basis and purpose for our Processing of Personal Data”.

Legal authorities: Personal Data may be disclosed to legal authorities in response to legal inquiries or, if necessary, to prevent, detect, or investigate criminal activity and to protect our interests and our property.

Service providers: We may also disclose Personal Data to engaged service providers, for example to:

- safeguard our legal interests,

- fulfil our contractual and legal obligations,

- detect and prevent technical, operational or safety problems, and

- provide, improve, and maintain our Services (software maintenance).

Examples of service providers that we engage in their capacity as our Processors are developers, IT and system administrators, providers of our cloud services, billing system, consultants etc.

Before we disclose any Personal Data to such service providers, we enter into a data processing agreement with them in accordance with the provisions of the GDPR (alternatively SCC if the Personal Data Processor is in a country outside the EU/EEA-area). This is made to ensure a secure and correct Processing of the Personal Data.

Other Third parties: We may disclose Personal Data to legal advisors, bankers, consultants, and partners, in accordance with applicable privacy laws, if it is made for us to comply with legal obligations, contractual obligations or in order to fulfil our legitimate interest.

In connection with or during negotiations of a transfer of company assets, merger, sale, financing or acquisition of all or part of our business, we may disclose Your Personal Data to the Third-parties engaged in the business transaction.


9. Third-party websites, applications, and integrations

If You provide information to us through a Third-party website or platform, the information You provide may be collected separately by such Third-party that provides that website or platform. Such information is subject to the Third-party's privacy notices and terms. This means, among other things, that the privacy settings You have made on the Third-party website or platform do not affect our processing of data that we collect directly via our services/platforms/websites.

There may be links in our Services/platforms/websites that lead to other Third-party websites, applications, content, or other integrations, which may allow such Third-parties to collect or share Personal Data about You. We do not control or own such Third-party websites, applications, content or other integrations and we are not responsible for the Processing of Personal Data carried out by anyone else or for the privacy rules, notices, or terms of such Third parties.

For these reasons, we would like to encourage You to pay attention when You leave our Services/platforms/websites and to request details of and read the privacy notices and terms of such Third-parties, who may collect and Process Personal Data belonging to You.


10. Technical and organizational security measures

We implement appropriate technical and organizational security measures, in accordance with the GDPR and our internal routines, with a focus on Your integrity.

The measures are intended to protect against intrusion, abuse, loss, destruction, and other changes that may pose a risk to privacy (according to the principle of privacy and confidentiality).


11. Your rights according to GDPR

As a Data Subject under the GDPR, You have certain privacy rights. These rights include:

Right to information

You have the right to be informed about the collection and use of Your Personal Data. This includes details about the purposes of Processing, the categories of Personal Data involved and any third parties with whom Your Personal Data may be shared. In addition, there are certain situations where specific information should be provided to You, such as in the event of a data breach or similar incident (a Personal Data breach) occurring at our end as the Controller and there is a risk of identity theft or fraud, for example.

Right of access

You have the right to access Your Personal Data held by us. You can request information about the Processing of Your Personal Data, obtain a copy of the Personal Data in a machine-readable format (provided that there is no applicable exception to the right of access) and be informed about the safeguards for cross-border transfers. The compilation will be designed to allow You to verify the accuracy and lawfulness of the information. The right to receive a copy of Your Personal Data does not always imply the right to obtain the document containing Your Personal Data.

Right to rectification

You can request the correction of inaccurate or incomplete Personal Data about You that we Process. If we Process Personal Data about You that are inaccurate or incomplete, we will, at Your request or on our initiative, complete, rectify or delete the Personal Data in question. If the data is corrected at Your request, we will inform those to whom the data has been disclosed that the information has been updated. However, this does not apply if it proves impossible or involves a disproportionate effort. You also have the right to request information about to whom the data has been disclosed.

Right to erasure

In certain circumstances, You have the right to request that Your Personal Data be erased. This applies, for example, if the data is no longer necessary for the purpose it was collected or if You withdraw Your consent and there is no other legal basis for the Processing. However, legal obligations may prevent us from immediately deleting parts of the Personal Data. These obligations may come from, for example, but are not limited to, accounting and tax legislation, banking and money laundering legislation and consumer law. If data is erased at Your request, we will also inform those to whom the data has been disclosed about the erasure. However, this does not apply if it proves impossible or involves a disproportionate effort.

Right to restriction

You have the right to request the restriction of Processing Your Personal Data in certain cases. Restriction means that the data is marked so that it can only be Processed for specific limited purposes in the future. The right to restriction applies, among other things, when You believe the information is inaccurate and request rectification. In such cases, You can also request that the Processing of the data be restricted while the accuracy of the information is being investigated. When the restriction is lifted, we will inform You about this.

Right to data portability

You can receive and transfer Your Personal Data to another Controller where technically feasible. Another prerequisite is that Processing Personal Data is based on Your consent or for fulfilling a contract. This right also only applies to Personal Data that You have provided Yourself.

Right to object

You have the right to object to our Processing of Your Personal Data. The right to object applies when Personal Data is Processed based on a legitimate interest. If You object to the Processing, we may only continue Processing the data if we can demonstrate compelling legitimate grounds for the Processing that override Your interests, rights and freedoms or if the Processing is necessary to establish, exercise or defend legal claims. However, You always have the right to object to using Your Personal Data for direct marketing. Such objections can be made at any time. If an objection is raised against direct marketing, the Personal Data may no longer be Processed for such purposes and we will inform You when we have deleted the Personal Data if You request it.

Right not to be subject to automated decision-making

You have the right not to be subjected to decisions based solely on automated processing, including profiling, if these decisions significantly affect You. Exceptions apply in cases where the decision is necessary for the performance of a contract or is authorised by law. If an automated decision has been made, with or without profiling, You can request that it be reviewed or contested. We do not conduct any automated decisions, either with or without profiling.


12. How to exercise the rights

Suppose You want to invoke any of the above rights as a Data Subject regarding Your Personal Data that we Process as Controller. In that case, You are welcome to contact us through the contact information listed below. However, it's important to note that the rights mentioned above are subject to certain limitations and conditions under the GDPR.

Exercising the rights is free of charge, provided that Your requests are not exaggerated, repeated or unfounded. In such cases, we have the right to charge a reasonable fee to process Your request or refuse the execution of Your request.

Before we process or respond to Your request, we may request additional information from You if necessary to enable us to verify Your identity.

We will inform You of our processing of Your request without delay and no later than one (1) month after we receive the request. If the request is complex or if, for example, we have received many requests, this period can be extended by another two (2) months. In such cases, we will notify You of the extension within the first month after we receive Your request.

Suppose we cannot comply with Your request due to applicable law or other exceptions. In that case, we will inform You why we cannot comply with Your request with the limitations imposed by law.


13. Changes to this Privacy Notice

We review the contents of this Privacy Notice at least once a year to ensure that the information is accurate and up to date. The contents of this Privacy Notice may be updated, if necessary, with or without prior notice. For example, if we need to provide clarification due to changes, new legislation or any modifications in our Processing of Personal Data.

You are responsible for reading the contents of the Privacy Notice applicable at any given time and keeping up to date on any changes. We will notify You if we make material changes provided that such notification is mandatory according to applicable law.

The applicable version of this Privacy Notice is always available on our Website.


14. Translations

This Privacy Notice may be written/published in other language versions. The English version shall always prevail in the event of any conflict and/or confusion between the versions.


15. Questions or complaints

If You have any questions about this Privacy Notice or our privacy practice, or if You are dissatisfied with our Processing of Your Personal Data, You are always welcome to contact us. Below are our company and contact information:

Company: Auri Studio AB

Reg. no: 559280-4495

Email: support@teresazuppardo.com

Address: Badelunda Blåsbo 1, 72356 Västerås


Our contact person for Personal Data matters:

Name: Teresa Zuppardo

Email: Teresa.zuppardo@auristudio.com


You also have the right to contact and/or to submit a complaint regarding our Processing of Your Personal Data to our lead EU Supervisory Authority: the Swedish Authority for Privacy Protection.

Name: Integritetsskyddsmyndigheten (IMY).

Phone: 08-657 61 00.

Email: imy@imy.se.

Postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm.


You may also direct Your complaint or concern to Your local data protection authority.

You can find the different EU Member States' Supervisory Authorities through the following link: https://edpb.europa.eu/about-edpb/about-edpb/members_en
