Privacy Policy

Last updated: 02/18/2025

1. Introduction

Welcome to Mookee. Shuffle Note Inc. (“Mookee”, “us”, “we” or “our”) operates mookee.io, mookee.fans and mookee.link and their subdomains (hereinafter referred to as “Service”).

Our Privacy Policy governs your visit to mookee.io, mookee.fans and mookee.link on all platforms, and explains how we collect, safeguard and disclose information that results from your use of our Service.

We use your data to provide and improve Service. We are a Canadian corporation subject to Canadian laws. Canada may not offer a level of privacy protection as great as that offered in other jurisdictions. Since our servers are located in Canada, your data may be transferred to, stored, or processed in Canada. By using Service, you agree to the collection and use of information in accordance with this Privacy Policy and you understand and consent to the collection, storage, processing, and transfer of your data to our facilities in Canada and those third parties we share your data with as described in this Privacy Policy and our Terms of Service. Unless otherwise defined in this Privacy Policy, the terms used in this Privacy Policy have the same meanings as in our Terms of Service.

Our Terms of Service (“Terms”) govern all use of our Service and together with the Privacy Policy constitute your agreement with us (“agreement”).

2. Definitions

SERVICE means the mookee.io, mookee.fans and mookee.link websites operated by Shuffle Note, Inc.

PERSONAL DATA means data about a living individual who can be identified from those data (or from those and other information either in our possession or likely to come into our possession).

USAGE DATA is data collected automatically either generated by the use of Service or from Service infrastructure itself (for example, the duration of a page visit).

COOKIES are small files stored on your device (computer or mobile device).

DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we are a Data Controller of your data.

DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes the data on behalf of the Data Controller. We may use the services of various Service Providers in order to process your data more effectively.

DATA SUBJECT is any living individual who is the subject of Personal Data.

THE USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

3. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you.

4. Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you (“Personal Data”). Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Phone number
  • Address, State, Province, ZIP/Postal code, City
  • Cookies and Usage Data
  • Purchase Data
  • Billing Information
  • Social Media Data

We may use your Personal Data to contact you with newsletters, marketing or promotional materials, and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link.

Non-Personal Data

While using our Service, we may ask you to provide us with certain Non-Personal Data. “Non-Personal Data” is any information not relating to an identified or identifiable natural person. Non-Personal Data we may collect includes:

  • Usage Data: as more fully explained below.
  • Cookies and Tracking Technologies: as more fully explained below.
  • Aggregate Information: data about how you use the Service combined with data about how others use the Service in order to help us better develop new features and tailor the Service.

Usage Data

We may also collect information that your browser sends whenever you visit our Service or when you access Service by or through a mobile device (“Usage Data”).

This Usage Data may include information such as your computer's Internet Protocol address (e.g., IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, plug-ins, add-ons, location, the version of the Service you are using, and other diagnostic data.

When you access Service with a mobile device, this Usage Data may include information such as the type of mobile device you use, your mobile device unique ID, the IP address of your mobile device, your mobile operating system, the type of mobile Internet browser you use, unique device identifiers, and other diagnostic data.

Location Data

We may use and store information about your location if you give us permission to do so (“Location Data”). We use this data to provide features of our Service, to improve and customize our Service.

You can enable or disable location services when you use our Service at any time by way of your device settings.

Tracking Cookies Data

We use cookies and similar tracking technologies to track the activity on our Service and we hold certain information.

Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device.

Other tracking technologies are also used, such as beacons, tags, and scripts, to collect and track information and to improve and analyze our Service.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Examples of Cookies we use:

  • Session Cookies: We use Session Cookies to operate our Service.
  • Preference Cookies: We use Preference Cookies to remember your preferences and various settings.
  • Security Cookies: We use Security Cookies for security purposes.
  • Advertising Cookies: Advertising Cookies are used to serve you with advertisements that may be relevant to you and your interests.

Other Data

While using our Service, we may also collect the following information: sex, age, date of birth, place of birth, passport details, citizenship, registration at place of residence and actual address, telephone number (work, mobile), details of documents on education, qualification, professional training, employment agreements, non-disclosure agreements, information on bonuses and compensation, information on marital status, family members, social security (or other taxpayer identification) number, office location, and other data.

5. Use of Data

Shuffle Note, Inc. uses the collected data for various purposes:

  • to provide and maintain our Service;
  • to notify you about changes to our Service;
  • to allow you to participate in interactive features of our Service when you choose to do so;
  • to provide customer support;
  • to gather analysis or valuable information so that we can improve our Service;
  • to monitor the usage of our Service;
  • to detect, prevent, and address technical issues;
  • to fulfill any other purpose for which you provide it;
  • to carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection;
  • to provide you with notices about your account and/or subscription, including expiration and renewal notices, email instructions, etc.;
  • to provide you with news, special offers, and general information about other goods, services, and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information;
  • in any other way we may describe when you provide the information;
  • for any other purpose with your consent.

6. Retention of Data

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.

7. Transfer of Data

Your information, including Personal Data, may be transferred to – and maintained on – computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ from those of your jurisdiction.

If you are located outside Canada and choose to provide information to us, please note that we transfer the data, including Personal Data, to Canada and process it there.

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.

Shuffle Note, Inc. will take all the steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, and no transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place, including the security of your data and other personal information.

8. Disclosure of Data

We may disclose personal information that we collect, or you provide:

(a) Disclosure for Law Enforcement

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities.

(b) Business Transaction

If we or our subsidiaries are involved in a merger, acquisition, or asset sale, your Personal Data may be transferred.

Other Cases

We may disclose your information also:

  • to our subsidiaries and affiliates;
  • to contractors, service providers, and other third parties we use to support our business;
  • to fulfill the purpose for which you provide it;
  • for the purpose of including your company’s logo on our website;
  • for any other purpose disclosed by us when you provide the information;
  • with your consent in any other cases;
  • if we believe disclosure is necessary or appropriate to protect the rights, property, or safety of the Company, our customers, or others.

9. Security of Data

The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

10. Your Data Protection Rights Under General Data Protection Regulation (GDPR)

If you are a resident of the European Union (EU) and European Economic Area (EEA), you have certain data protection rights, covered by GDPR. – See more at https://eur-lex.europa.eu/eli/reg/2016/679/oj.

We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.

If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please email us at contact@mookee.io.

In certain circumstances, you have the following data protection rights:

  • The right to access, update, or to delete the information we have on you;
  • The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete;
  • The right to object. You have the right to object to our processing of your Personal Data;
  • The right of restriction. You have the right to request that we restrict the processing of your personal information;
  • The right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable, and commonly used format;
  • The right to withdraw consent. You also have the right to withdraw your consent at any time where we rely on your consent to process your personal information.

Please note that we may ask you to verify your identity before responding to such requests. Please note, we may not be able to provide Service without some necessary data.

You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA).

11. Your Data Protection Rights under the California Privacy Protection Act (CalOPPA)

CalOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law’s reach stretches well beyond California to require a person or company in the United States (and conceivably the world) that operates websites collecting personally identifiable information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals with whom it is being shared, and to comply with this Privacy Policy. – See more at: https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/.

According to CalOPPA we agree to the following:

  • users can visit our site anonymously;
  • our Privacy Policy link includes the word “Privacy,” and can easily be found on the page specified above on the home page of our website;
  • users will be notified of any privacy policy changes on our Privacy Policy Page;
  • users are able to change their personal information by emailing us at contact@mookee.io.

Our Policy on “Do Not Track” Signals:

We honor Do Not Track signals and do not track, plant cookies, or use advertising when a Do Not Track browser mechanism is in place. Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked.

You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

12. Your Data Protection Rights under the California Consumer Privacy Act (CCPA)

If you are a California resident, you are entitled to learn what data we collect about you, ask to delete your data, and not to sell (share) it. To exercise your data protection rights, you can make certain requests and ask us:

(a) What personal information we have about you. If you make this request, we will return to you:

  • The categories of personal information we have collected about you.
  • The categories of sources from which we collect your personal information.
  • The business or commercial purpose for collecting or selling your personal information.
  • The categories of third parties with whom we share personal information.
  • The specific pieces of personal information we have collected about you.
  • A list of categories of personal information that we have sold, along with the category of any other company we sold it to. If we have not sold your personal information, we will inform you of that fact.
  • A list of categories of personal information that we have disclosed for a business purpose, along with the category of any other company we shared it with.

Please note, you are entitled to ask us to provide you with this information up to two times in a rolling twelve-month period. When you make this request, the information provided may be limited to the personal information we collected about you in the previous 12 months.

(b) To delete your personal information. If you make this request, we will delete the personal information we hold about you as of the date of your request from our records and direct any service providers to do the same. In some cases, deletion may be accomplished through de-identification of the information. If you choose to delete your personal information, you may not be able to use certain functions that require your personal information to operate.

(c) To stop selling your personal information. We do not sell your personal information for monetary consideration. However, under some circumstances, a transfer of personal information to a third party, or within our family of companies, without monetary consideration may be considered a “sale” under California law.

If you submit a request to stop selling your personal information, we will stop making such transfers. If you are a California resident, to opt-out of the sale of your personal information, send an email to contact@mookee.io.

Please note, if you ask us to delete or stop selling your data, it may impact your experience with us, and you may not be able to participate in certain programs or membership services which require the usage of your personal information to function. But in no circumstances will we discriminate against you for exercising your rights.

To exercise your California data protection rights described above, please send your request(s) by one of the following means:

  • By email: contact@mookee.io

Your data protection rights, described above, are covered by the CCPA, short for the California Consumer Privacy Act. To find out more, visit the official California Legislative Information website. The CCPA took effect on 01/01/2020.

13. Service Providers

We may employ third-party companies and individuals to facilitate our Service and/or that help us promote, provide, or support our Service or the services of our customers (“Service Providers”), provide Service on our behalf, perform Service-related services, or assist us in analyzing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

14. Analytics

We may use third-party Service Providers to monitor and analyze the use of our Service.

Google Analytics

Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en.

We also encourage you to review Google's policy for safeguarding your data: https://support.google.com/analytics/answer/6004245.

Microsoft Clarity

Microsoft Clarity is a web analytics service offered by Microsoft that provides insights into website user behavior, including session recordings and heatmaps. It tracks and reports website traffic to help us understand how users interact with our Service.

For more information on the privacy practices of Microsoft Clarity, please visit the Microsoft Privacy Statement: https://privacy.microsoft.com/en-us/privacystatement.

Amplitude

Amplitude is an analytics service provided by Amplitude Inc. that tracks and monitors user behavior to help us analyze how our Service is being used. Amplitude collects data to provide insights into user engagement, retention, and other metrics.

For more information on the privacy practices of Amplitude, please visit their Privacy Policy: https://amplitude.com/privacy.

15. CI/CD Tools

We may use third-party Service Providers to automate the development process of our Service.

GitHub

GitHub is provided by GitHub, Inc.

GitHub is a development platform to host and review code, manage projects, and build software.

For more information on what data GitHub collects, its purpose, and how the protection of the data is ensured, please visit the GitHub Privacy Policy page: https://help.github.com/en/articles/github-privacy-statement.

Google Cloud Platform (GCP)

Google Cloud Platform is provided by Google LLC.

GCP offers cloud computing services, including hosting, CI/CD automation, and infrastructure management to support our development and deployment processes.

For more information on what data Google Cloud Platform collects, its purpose, and how data protection is ensured, please visit the Google Cloud Privacy Policy page.

16. Advertising

We may use third-party Service Providers to show advertisements to you to help support and maintain our Service.

Opting Out of Receiving Email Communications from Us

If you no longer want to receive marketing-related emails from us, you may opt out via the unsubscribe link or by notifying us at contact@mookee.io. We may still send you important messages regarding administrative matters, updates, disputes, and customer service issues that are required to provide you with the Service.

Opting Out of Receiving SMS Messages from Us

Mookee offers you mobile alerts regarding its and/or its business partners’, customers’, vendors’, event organizers’, suppliers’, advertisers’, or sponsors’ information, migrations, products, events, marketing, advertising, and promotions by SMS messaging (“SMS Messaging”). Enrollment in SMS Messaging requires you to provide your mobile phone number and agree to this Privacy Policy and Mookee’s Terms of Service before the SMS Messaging starts.

To stop receiving SMS Messaging from Mookee, reply with STOP to any SMS Messaging you received from Mookee or use the unsubscribe link we may provide within any of Mookee’s SMS Messaging. This is the exclusive method for opting out. After texting STOP to Mookee, you may receive one additional message confirming that your request has been processed. Text HELP to any SMS Messaging you received from Mookee for support.

Cookies and Other Tracking Technologies

Mookee and/or its business partners, customers, vendors, event organizers, suppliers, advertisers, or sponsors may use cookies and other tracking technologies such as pixels and web beacons on the Service to administer the Service, track your movements around the Service, analyze trends, serve targeted advertisements, and gather demographic information.

You can control the use of cookies at the individual browser level. Our third-party partners may use cookies or other tracking technologies to provide you advertising on other sites based upon your browsing activities and interests. If you want to opt-out of interest-based advertising, please visit http://preferences-mgr.truste.com/, or if located in the European Union, visit http://www.youronlinechoices.eu.

Web Beacons

When we send emails to customers and/or users, we may use web beacons to track who opened the emails and clicked links to measure campaign performance and improve features for our customers and/or users. We also use web beacons in the emails we deliver for our customers and/or users to create reports about campaign performance and determine what actions our subscribers and/or users took.

Our Relationship with Subscribers

Our customers may import into the Services Personal Data they have collected from their subscribers or other individuals. We have no direct relationship with Customers’ subscribers or any individuals other than our customers.

Customers are responsible for making sure they have the necessary permissions for us to collect, store, and process Personal Data about our customers’ subscribers or other individuals. A subscriber should unsubscribe directly from a customer’s email, newsletter, or other communication or contact the customer directly to change, update, or delete the subscriber’s data. If a subscriber contacts us, we will refer you to that customer and support them in responding to your request if necessary.

Consistent with this Privacy Policy, we may transfer customer or subscriber Personal Data to our Service Providers. All Service Providers agree to protect Personal Data in accordance with this Privacy Policy.

Google AdSense DoubleClick Cookie

Google, as a third-party vendor, uses cookies to serve ads on our Service. Google's use of the DoubleClick cookie enables it and its partners to serve ads to our users based on their visit to our Service or other websites on the Internet.

You may opt out of the use of the DoubleClick Cookie for interest-based advertising by visiting the Google Ads Settings web page: http://www.google.com/ads/preferences/.

17. Behavioral Remarketing

Shuffle Note, Inc. uses remarketing services to advertise on third-party websites to you after you visited our Service. We and our third-party vendors use cookies to inform, optimize, and serve ads based on your past visits to our Service.

Google Ads (AdWords)

Google Ads (AdWords) remarketing service is provided by Google Inc.

You can opt out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page: http://www.google.com/settings/ads.

Google also recommends installing the Google Analytics Opt-out Browser Add-on – https://tools.google.com/dlpage/gaoptout – for your web browser. Google Analytics Opt-out Browser Add-on provides visitors with the ability to prevent their data from being collected and used by Google Analytics.

For more information on the privacy practices of Google, please visit the Google Privacy Terms web page: https://policies.google.com/privacy?hl=en.

X

X remarketing service is provided by X Corp.

You can opt out of X's interest-based ads by following their instructions: https://help.x.com/en/safety-and-security/privacy-controls-for-tailored-ads.

You can learn more about the privacy practices and policies of X by visiting their Privacy Policy page: https://x.com/privacy.

Meta

Meta remarketing service is provided by Meta Inc.

You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/business/help/182371508761821?id=176276233019487.

To opt-out from Facebook's interest-based ads, follow these instructions from Facebook: https://www.facebook.com/help/568137493302217.

Facebook adheres to the Self-Regulatory Principles for Online Behavioural Advertising established by the Digital Advertising Alliance. You can also opt out from Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/, or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/, or opt out using your mobile device settings.

For more information on the privacy practices of Facebook, please visit Facebook's Data Policy: https://www.facebook.com/privacy/explanation.

18. Payments

We may provide paid products and/or services within the Service. In that case, we use third-party services for payment processing (e.g., payment processors).

We will not store or collect your payment card details. That information is provided directly to our third-party payment processors, whose use of your personal information is governed by their Privacy Policy. These payment processors adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express, and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

The payment processors we work with are:

Stripe

Their Privacy Policy can be viewed at: https://stripe.com/us/privacy.

19. Links to Other Sites and Public Data

Third-Party Sites

Our Service may contain links to other sites that are not operated by us. If you click a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.

We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. When you click on links to third-party sites, you may leave the Service. This Privacy Policy does not cover any collection, use, or disclosure by third parties through any applications, websites, products, or services that we do NOT control or own, or any third-party features or services made available through the Service. By using the Service, you expressly relieve Mookee from any and all liability arising from your use of any third-party website.

The inclusion of a link or accessibility of third-party sites does not imply endorsement of such third-party sites by us. All trademarks, trade names, and logos of third parties featured on the Service belong to their respective owners.

Each merchant and third-party payment processor collects and shares your information according to its own privacy policy and terms of service. Mookee is not responsible for the actions of third-party processors or merchants, including how such entities treat your information. You are responsible for knowing and understanding their policies and terms.

Public Data

We may provide areas on the Service where you can publicly post information. This information may be read, collected, and used by anyone. We do not control or endorse the information posted by third-party users, are not liable for your or third-party posts to the Service, and specifically disclaim any liability resulting from such posts.

20. Children's Privacy

Our Service is not intended for use by children under the age of 13 (“Children”).

We do not knowingly collect personally identifiable information from Children under 13. If you become aware that a Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from Children without verification of parental consent, we take steps to remove that information from our servers.

21. Other Region and State-Specific Privacy Laws and Rights

Depending on where you live, you may have certain state or country-specific rights regarding your Personal Data. Under some of these laws and regulations, where applicable, you may have the right to access, deletion, correction, verification, portability, opt-out of tracking for targeted advertising purposes, opt-out of profiling, among other rights. To exercise any rights under these or other applicable data protection laws, please email us at contact@mookee.io.

You may also have the right to file a complaint about Mookee’s collection and processing of Personal Data. To file a complaint, contact the applicable supervisory authority or data protection authority.

22. Changes to This Privacy Policy

We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.

We will let you know via email and/or a prominent notice on this page or our Service, prior to the change becoming effective and update the “effective date” at the top of this Privacy Policy. You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.

23. Contact Us

If you have any questions about this Privacy Policy, please contact us:

By email: contact@mookee.io.

Data Import Addendum

This binding addendum (this “Addendum”) is between Shuffle Note, Inc. (“Mookee”) and Customer and supplements the Mookee Customer Terms of Service or the Platform Terms (the “Agreement”) between Mookee and Customer. Capitalized terms used but not defined herein shall have the meanings ascribed to such terms in the Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties agree to supplement and amend the Agreement as follows:

1. Data Imports; License

Subject to Mookee’s then-current data import functionality and policies (including, without limitation, Mookee’s requirements regarding form and formatting of imported data), Mookee will ingest certain data, information, and other materials uploaded, transmitted, or otherwise provided to or through the Service by Customer, including without limitation pre-collected telephone numbers (collectively, “Data Imports”) so as to permit Customers to send messages via Mookee Numbers solely to individuals residing in any country (and other Territories as may be added by Mookee from time to time, if any). Customer hereby grants to Mookee a non-exclusive license to host, copy, process, use, transmit, and disclose all Data Imports as necessary to perform its obligations and exercise its rights under this Addendum and the Agreement.

2. Representations and Warranties

Customer, for itself and on behalf of its Authorized Users, represents, warrants, and covenants that:

(a) it owns or otherwise has all necessary rights to the Data Imports to grant to Mookee all rights and licenses set forth herein;

(b) Mookee’s ingestion and use of Data Imports on or through the Service does not and will not violate Applicable Law, the AUP, or the privacy rights, publicity rights, copyrights, contract rights, intellectual property rights, or other rights of any person or entity;

(c) Customer/Authorized User will not upload or otherwise provide any Data Imports to the Service that contain any Restricted Data;

(d) the upload, posting, or other submission of Data Imports to the Service does not and will not result in a breach of contract between Customer/Authorized User and any third party;

(e) Customer/Authorized User will not knowingly collect personally identifiable information from children under thirteen (13) in connection with Data Imports and/or the Service; and

(f) when using the Service to send messages, Customer will, and will cause Customer/Authorized User to:

(i) comply and maintain appropriate records to demonstrate its compliance with all Applicable Laws and the AUP;
(ii) ensure the content of all messages complies with Applicable Laws and the AUP;
(iii) send messages only to individuals from whom Customer has obtained all necessary and legally required consent to do so in accordance with its obligations under Applicable Laws;
(iv) promptly notify Mookee of all requests made by individuals to stop receiving messages from Mookee on behalf of Customer; and
(v) verify any previously collected Data Imports have been collected in accordance with Applicable Laws.

Customer’s responsibilities as set forth in this Section 2 and the Agreement will remain the sole responsibility and liability of Customer notwithstanding that Mookee may offer templates, advice, guidance, or suggestions relating to any of the matters that are Customer’s responsibility and notwithstanding that Mookee may be engaged to provide services related to such responsibilities of Customer.

3. Indemnification

Customer will indemnify, defend, and hold Mookee, its affiliates, and their respective directors, officers, employees, agents, successors, and assigns (each, a “Mookee Indemnitee”) harmless from and against any losses, damages, liabilities, debts, and expenses, including reasonable attorneys’ and experts’ fees that may be incurred by a Mookee Indemnitee in relation to any demand, suit, cause of action, or governmental/regulatory inquiry/proceeding arising from or relating to any:

(a) use of the Service by Customer or any Authorized User in violation of this Addendum, the Agreement, Applicable Laws, or the AUP;
(b) breach of Customer’s representations, warranties, or covenants contained herein;
(c) Data Imports uploaded, transmitted, or otherwise provided to the Service and/or Mookee’s use thereof in the exercise of its rights or performance of its obligations hereunder; or
(d) allegation that Customer or Authorized User used the Service, or otherwise caused Mookee, to send messages in violation of any Applicable Laws.

Customer may not enter into any settlement on a Mookee Indemnitee’s behalf without the Mookee Indemnitee’s prior written consent. Each Mookee Indemnitee shall have the right to employ separate counsel and participate in its defense at its sole expense.

4. Contact Us

If you have any questions about this Privacy Policy, please contact us:

By email: contact@mookee.io

Personal Data Protection Policy

1. Introduction

We at Shuffle Note, Inc. are committed to processing personal data securely and respecting the privacy of the concerned individuals.

Version No. and Date of the Last Update: v. 1.0.0, February 18, 2025

Approved by: Felix Brochier, CEO of Shuffle Note, Inc.

This policy shall be reviewed annually or whenever changes in our data processing occur.

2. Scope and Definitions

Scope.

This Personal Data Protection Policy (the “Policy”) describes Shuffle Note, Inc. internal rules for personal data processing and protection. The Policy applies to Shuffle Note, Inc., including Shuffle Note, Inc. employees and contractors (“we,” “us,” “our,” “Mookee”). The management of each entity is ultimately responsible for the implementation of this policy, as well as for ensuring that, at the entity level, there are adequate and effective procedures in place for its implementation and ongoing monitoring of its adherence. For the purposes of this Policy, employees and contractors are jointly referred to as the “employees.”

Privacy Manager.

Privacy Manager is an employee of Mookee responsible for personal data protection compliance within Mookee (the “Privacy Manager”). The Privacy Manager is in charge of performing the obligations imposed by this Policy and supervising other employees, subject to this Policy, regarding their adherence to this Policy. The Privacy Manager must be involved in all projects at an early stage to take personal data protection aspects into account as early as the planning phase.

The designated Privacy Manager at Shuffle Note, Inc. is Felix Brochier.

EU Representative.

As an entity processing personal data in accordance with the EU’s legislation but located outside of the European Union, Mookee must appoint a representative within one of the EU Member States. The task of the representative is to act as a contact point for supervisory authorities, data subjects, and others on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

Definitions.

Competent Supervisory Authority means a public authority that is responsible for regulating and supervising personal data protection with regard to activities of Mookee.

Data Breach means a breach of the security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. This includes, but is not limited to, emails sent to an incorrect or disclosed list of recipients, unlawful publication of Personal Data, or unauthorized access to personal information.

Data Controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines (makes a decision) the purposes and means of the processing of Personal Data.

Data Processor means a natural or legal person, public authority, agency, or other body which processes the Personal Data on behalf of the data controller.

Data Protection Laws mean any laws and legal rules on personal data use and protection applicable to the activities of Shuffle Note, including, but not limited to, the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, GDPR).

Data Subject Request (DSR) means any request from the Data Subject concerning their personal data and/or data subject rights.

Data Subject means a natural person whose Personal Data we process. Data Subjects include, but are not limited to, users, website visitors, employees, contractors, and partners of Mookee.

Personal Data means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, identification number, location data, online identifier, or to one or a combination of factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that Data Subject.

Processing means any operation or set of operations which is performed by Mookee on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Standard Contractual Clauses means the European Commission Decision of February 5, 2010, on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).

Third Party means a natural or legal person who accesses the Personal Data for further processing and is not an employee, member, or corporate affiliate of Mookee. This definition does not apply to natural persons who provide services to Mookee as contractors on a regular basis.

User means a Data Subject who uses our services provided on Mookee’s website.

3. Data Processing Principles

Mookee’s processing activities must align with the principles specified in this section. The Privacy Manager must ensure that Mookee’s compliance documentation, as well as data processing activities, comply with these data protection principles.

We must process Personal Data in accordance with the following principles:

  1. Lawfulness, Fairness, and Transparency:
    • We shall always have a legal ground for processing (as described in Section 3 of this Policy), collect data adequate to the purpose and legal grounds, and ensure that Data Subjects are aware of the processing.
  2. Purpose Limitation:
    • Collected data must be for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. We must not process Personal Data for purposes not specified in compliance documentation without obtaining specific approval from the Privacy Manager.
  3. Data Minimization:
    • Data collected must be adequate, relevant, and limited to what is necessary for the purposes of processing. We ensure data collected is not excessive and is strictly necessary.
  4. Accuracy:
    • We endeavor to delete inaccurate or false data about Data Subjects and ensure it is updated as necessary. Data Subjects may request corrections to their Personal Data.
  5. Storage Period Limitation:
    • Data should be kept in a form that permits identification of Data Subjects for no longer than necessary for processing purposes. Storage periods must comply with Data Protection Laws and this Policy.
  6. Confidentiality, Integrity, and Availability:
    • Data must be processed in a manner ensuring appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage, using suitable technical and organizational measures.

Accountability

We shall demonstrate compliance with Data Protection Laws (the accountability principle). In particular, we must ensure and document relevant procedures, efforts, and internal/external consultations on personal data protection, including:

  • The appointment of a person responsible for Mookee’s data protection compliance.
  • Where necessary, a record of a Data Processing Impact Assessment.
  • Development and implementation of notices, policies, and procedures, such as the Privacy Notice, this Policy, or Data Breach response procedures.
  • Staff training on compliance with Data Protection Laws.
  • Assessment, implementation, and testing of organizational and technical data protection measures.

Records of Processing Activities

The Privacy Manager must maintain Mookee’s Records of Processing Activities, an accountability document prepared in accordance with Article 30 of the GDPR. These records must include at least the following information for each processing activity:

  • Contact details of Mookee, the EU Representative, and, where applicable, the Data Protection Officer.
  • Name of the activity, its purposes, and legal basis, along with the legitimate interests of Mookee (if applicable).
  • Categories of Data Subjects and Personal Data involved.
  • Data retention periods.
  • General description of applicable security measures.
  • Recipients (including joint controllers, processors, and contractors), and details of international data transfers with safeguards applied.
  • References to Data Processing Impact Assessments (if applicable).
  • Records of data breaches involving personal data (if applicable).

If Mookee acts as a data processor, additional information must include:

  • Names and contact details of controllers and their representatives (if applicable).
  • Categories of processing activities.
  • Details of third countries or international organizations receiving Personal Data and applicable safeguards.
  • General description of technical and organizational security measures.

Legal Grounds

Each processing activity must have one of the lawful grounds specified in this section to process the Personal Data. If we do not have any of the described grounds, we cannot collect or further process the Personal Data.

If Mookee intends to use personal data for purposes other than those specified in the Records of Processing Activities, the Privacy Manager must evaluate, determine, and, if necessary, collect/record the appropriate legal basis.

  1. Performance of the Contract:
    • Where Mookee has a contract with the Data Subject (e.g., website Terms of Use or an employment contract), and the contract requires the provision of personal data from the Data Subject, the applicable legal ground will be the performance of the contract.
  2. Consent:
    • To process personal data based on consent, we must obtain consent before processing and keep evidence of the consent with the records of the Data Subject’s Personal Data. The Privacy Manager must ensure:
      • The Data Subject is free to give or refuse consent.
      • Consent is given actively (e.g., no pre-ticked checkboxes).
      • Requests for consent clearly articulate processing purposes and provide other required information.
      • The Data Subject can freely revoke consent.
  3. Legitimate Interests:
    • Mookee has the right to use personal data for legitimate interests related to its business activities, such as marketing analysis. The Privacy Manager must ensure:
      • Legitimate interests are clearly defined and recorded in the Records of Processing Activities.
      • Risks to Data Subject rights are identified and addressed.
      • Data Subjects have reasonable expectations about the processing.
      • Data Subjects are allowed to opt-out from processing for legitimate interests.
    • If any of the above conditions are not met, the Privacy Manager must propose a different legal ground for processing, such as consent.
  4. Legal Compliance and Public Interest:
    • Mookee may be required by EU laws or laws of EU Member States to process Personal Data. Examples include compliance with financial or labor laws.
    • We must:
      • Process personal data strictly per legal requirements.
      • Not use or store collected data for purposes other than legal compliance.
      • Inform Data Subjects about the scope and conditions of processing.

If legal requirements from other countries apply, the Privacy Manager must evaluate and propose an alternative legal ground, such as legitimate interests or consent.

Access to Personal Data

  1. Need-to-Know Basis:
    • Employees may access personal data only when strictly necessary for activities specified in the Records of Processing Activities.
  2. Access Control:
    • Employees and contractors must have proper credentials to access Personal Data.
    • Department heads must maintain a list of employees authorized to access personal data.
    • The Privacy Manager has the right to review and request amendments to access lists.
  3. Employee Training and Awareness:
    • Department heads must ensure employees are aware of Data Protection Laws and comply with this Policy.
    • Employees must receive adequate data protection training.
  4. Confidentiality:
    • Employees must keep data confidential and process it using only approved methods (software, premises, etc.).
    • Data must not be disclosed outside management instructions.
  5. Incident Reporting:
    • Employees must report suspicious activities, data breaches, or non-compliance to the Privacy Manager.
    • Employees unsure about processing or disclosing data must consult the Privacy Manager before acting.
  6. Occasional Access:
    • Occasional access to personal data for unlisted activities is prohibited unless strictly necessary and approved by the Privacy Manager.

4. Third Parties

Before sharing personal data with any person outside of Mookee, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provides sufficient data protection guarantees in accordance with Data Protection Laws. This includes, but is not limited to, compliance with the processorship requirements (Art. 28 of the GDPR) and international transfers compliance (Section 5 of the GDPR). Where necessary, the Privacy Manager must make sure that Mookee enters into the appropriate data protection contract with the third party.

Employees may share personal data with third parties only if, and to the extent, explicitly prescribed by their manager and specified in the Records of Processing Activities.

If we are required to delete, change, or stop processing the Personal Data, we must ensure that the Third Parties with whom we shared the Personal Data fulfill these obligations accordingly.

Whenever Mookee is engaged as a data processor on behalf of another entity, the Privacy Manager must ensure Mookee complies with its processorship obligations. In particular, the following must be adhered to:

  • The appropriate data processing agreement in accordance with the Data Protection Laws must be in place.
  • The Privacy Manager must supervise compliance with data processing instructions from the controller, including:
    • The scope of processing activities.
    • Involvement of sub-processors.
    • International transfers.
    • Storage and further disposal of processed personal data.

Personal data processed under the processor role must not be processed for any purposes other than those specified in the relevant instructions, agreement, or other legal act regulating the relationships with the controller.

5. International Transfers

If we have employees, contractors, corporate affiliates, or Data Processors outside of the EEA, and we transfer Personal Data to them for processing, the Privacy Manager must ensure that Mookee takes all necessary and appropriate safeguards in accordance with Data Protection Laws.

The Privacy Manager must assess the available safeguards and propose to Mookee’s management the appropriate safeguard for each international transfer. The following regimes apply to the transfers of Personal Data outside of the EU:

  1. Adequate Jurisdictions:
    • Where the European Commission decides that a country has an adequate level of personal data protection, the transfer does not require additional safeguards. The full list of adequate jurisdictions can be found on the relevant page of the European Commission’s website.
  2. Standard Contractual Clauses (SCCs):
    • To transfer Personal Data to contractors or partners (Data Processors or Controllers) in other third countries, we must conclude Standard Contractual Clauses with that party. Draft versions and guidance can be found on the relevant page of the European Commission’s website.
  3. Binding Corporate Rules (BCRs) or Codes of Conduct:
    • If we have a corporate affiliate or entity in other countries, we may choose to adopt Binding Corporate Rules in accordance with Article 47 of the GDPR or an approved code of conduct pursuant to Article 40 of the GDPR.
  4. Approved Certifications:
    • We may transfer Personal Data to entities with an approved certification in accordance with Article 42 of the GDPR, which certifies an appropriate level of data protection.

Information Obligations:

As part of our information obligations, Mookee must inform Data Subjects that their Personal Data is being transferred to other countries and provide details about the safeguards used for the transfer. This information obligation must be performed in accordance with Subsection 6.2.

Derogations:

In exceptional cases (the “Derogation”), where the safeguards mentioned above cannot be applied and a transfer of Personal Data is required, one of the following conditions must be met:

  • Explicit consent (active statement) from the Data Subject must be obtained.
  • The transfer must be strictly necessary for the performance of the contract between Mookee and the Data Subject.
  • Other derogation conditions must apply, in accordance with Data Protection Laws.

The Privacy Manager must pre-approve any Derogation transfers, document the approved Derogations, and record the rationale for them.

6. Rights of Data Subjects

Our Responsibilities

  1. Privacy Manager Responsibility:
    The Privacy Manager is ultimately responsible for handling all DSRs received by Mookee. In the case of receiving any outstanding or unusual DSRs, employees must seek advice from the Privacy Manager before taking action.
  2. Departmental Responsibilities:
    • Customer Support within Mookee is responsible for handling DSRs from Mookee Users daily.
    • The Human Resources department handles DSRs from Mookee employees.
  3. DSR Handling:
    • All DSRs from Users must be addressed and answered via contact@mookee.io.
    • DSRs from employees may be addressed directly to the HR manager or at contact@mookee.io.
    • The responsible employee must respond to the DSR within one (1) month. If the response requires more time, the Privacy Manager must be consulted, and the Data Subject must be informed about the extended response period (up to two additional months).
  4. Verification and Documentation:
    • Verification: Employees must ensure the Data Subject’s identity matches their claims by validating connections between personal data records and the Data Subject. If verification fails, the Privacy Manager must refuse the request and notify the Data Subject within one (1) month.
    • Documentation: Every DSR must be documented, including the date, type of request, decision made, and reasons for refusal (if applicable).

Rights of Data Subjects

  1. The Right to Be Informed:
    Mookee must notify each Data Subject about the collection and processing of their Personal Data, including:
    • Name and contact details of Mookee.
    • Legal basis for data collection and processing.
    • Categories of data collected.
    • Retention periods.
    • Rights of Data Subjects.
    • Safeguards for international transfers.
    This information is provided via the Privacy Policy on Mookee's website for Users and standalone employee privacy statements for employees/contractors.
  2. The Right to Access Information:
    Data Subjects may:
    • Learn if Mookee processes their data.
    • Obtain case-specific information on processing.
    • Receive a copy of their Personal Data upon request.
  3. The Right to Rectification:
    Data Subjects can request corrections to inaccurate or outdated data. Mookee must update such information promptly.
  4. The Right to Restrict Processing:
    Data Subjects may request a temporary halt in data processing under these conditions:
    • Contesting data accuracy.
    • Believing data is processed unlawfully.
    • Objecting to processing while the request is considered.
    During this time, Mookee must restrict processing to storage or legal compliance only.
  5. The Right to Withdraw Consent:
    Data Subjects may revoke consent at any time. Mookee must record this change and cease consent-based processing. Withdrawal does not affect the lawfulness of prior processing.
  6. The Right to Object to Processing:
    Data Subjects may object to processing based on legitimate interests, such as marketing. Mookee must:
    • Evaluate the objection.
    • Cease processing if no overriding interest exists.
    • Maintain records to ensure data is not processed for objected purposes.
  7. The Right to Erasure ("To Be Forgotten"):
    Data Subjects may request data erasure if:
    • The data is no longer needed for its purpose.
    • Consent is withdrawn or processing is objected to.
    • Data is processed unlawfully.
    Conditions where erasure can be denied include:
    • Compliance with legal obligations.
    • Use for scientific, historical, or statistical purposes under proper safeguards.
  8. Data Portability:
    Data Subjects may request their data be transferred to a third party in a machine-readable format if:
    • The data was collected under contract performance or consent.
    To comply, employees must consolidate the data and send it to the designated organization.

7. New Data Processing Activities

Notification to Privacy Manager

Before introducing any new activity involving the processing of personal data, the employee responsible for its implementation must inform the Privacy Manager.

Upon receiving information about a new activity, the Privacy Manager must:

  1. Determine whether a Data Processing Impact Assessment (DPIA) and/or consultation with the Supervisory Authority is necessary. If so, ensure the DPIA is conducted and/or the Supervisory Authority is consulted in accordance with the requirements of this section and Data Protection Laws.
  2. Determine the legal basis for the processing and take further action to document it if necessary.
  3. Ensure the processing activity aligns with this Policy, other Mookee policies, and Data Protection Laws.
  4. Add the processing activity to the Records of Processing Activities.
  5. Amend privacy information statements and inform the concerned Data Subjects accordingly, where required.

Data Processing Impact Assessment (DPIA)

To ensure current or prospective processing activities do not and will not violate Data Subjects’ rights, Mookee must conduct a DPIA, where required by Data Protection Laws. The DPIA is a risk-based assessment designed to identify risks and measures to mitigate them.

The Privacy Manager, involving competent employees and/or external advisors where necessary, must conduct a DPIA if at least one of the following conditions is met:

  1. The processing involves new technologies (e.g., Artificial Intelligence, autonomous devices) that create significant legal, economic, or similar effects for the Data Subject.
  2. Automated profiling or personal scoring that creates legal or similar effects for the Data Subject.
  3. Processing sensitive data on a large scale, such as:
    • Data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or orientation.
    • Data relating to criminal convictions or offences.
  4. Collecting or processing Personal Data from publicly accessible sources on a large scale, or combining/matching datasets.
  5. The Supervisory Authority lists the activity as requiring a DPIA.

DPIA Details

A DPIA must include:

  1. A systematic description of processing operations and purposes, including:
    • Data categories, Data Subjects, processing scale (frequency, volume, number of records, etc.), recipients, retention periods, and international transfers (if applicable).
  2. An assessment of the necessity and proportionality of processing operations in relation to their purposes.
  3. An assessment of risks to Data Subjects' rights and freedoms, including risks of:
    • Discrimination, identity theft, fraud, financial loss, reputation damage, loss of confidentiality, or deprivation of control over Personal Data.
    • Unauthorized reversal of pseudonymization or significant economic or social disadvantage.
    • Processing involving vulnerable individuals (e.g., children) or large volumes of personal data affecting many Data Subjects.
  4. Measures to address risks, including safeguards, security measures, and mechanisms ensuring compliance with Data Protection Laws.

Consultation with the Supervisory Authority

If the DPIA does not identify effective measures to address risks, the Privacy Manager must consult the competent Supervisory Authority to seek guidance. Mookee must not proceed with the activity until the Supervisory Authority approves it.

8. Data Retention

General Rule

The Privacy Manager must ensure that Mookee clearly defines the data storage periods and/or criteria for determining storage periods for each processing activity. The periods for each processing activity must be specified in the Records of Processing Activities.

Each department within Mookee must comply with the data storage periods in accordance with the retention schedule provided in the Records of Processing Activities. The Privacy Manager must supervise each department to ensure compliance with this requirement.

After the storage period ends, personal data must be:

  • Removed from the disposal of the department responsible for processing.
  • If no longer needed for other purposes, destroyed completely, including from backup copies and other media.

If personal data is still necessary for other processing purposes after the storage period for a specific activity has ended, the department manager must:

  • Ensure the data is not used for the ceased activity.
  • Restrict access to the data unless required for other activities.

Exemptions

The rules specified in Subsection 8.1 have the following exceptions:

  1. Business Needs:
    • Data retention periods can be extended (up to 60 days) if deletion would interrupt or harm ongoing business operations. The Privacy Manager must approve such extensions.
  2. Technical Impossibility:
    • In cases where deletion is technically impossible or disproportionately difficult (e.g., where deletion might breach system integrity or cannot be achieved in backup systems), the data may be retained, subject to:
      • Approval by the Privacy Manager.
      • Appropriate amendments to the Records of Processing Activities.
  3. Anonymization:
    • Personal Data may be further processed for any purposes (e.g., marketing) if fully anonymized after the retention period expires. Anonymization requires deleting all personal identifiers and connections so that reidentification of the Data Subject is impossible.

9. Security

Each department within Mookee must take appropriate technical and organizational measures to protect personal data under their responsibility against unauthorized, unlawful, and/or accidental:

  • Access
  • Destruction
  • Modification
  • Blocking
  • Copying
  • Distribution
  • Other illegal actions by unauthorized persons

The employee responsible for supervising personal data security within Mookee is Felix Brochier. This individual is responsible for:

  • Implementing guidelines and specifications on data protection and information security.
  • Advising Mookee management on planning and implementing information security.
  • Being involved in projects at an early stage to incorporate security-related aspects during the planning phase.

Detailed security measures are described in Mookee's Security Policy.

10. Data Breach Response Procedure

Response Team

In the case of a Data Breach, the CEO of Mookee shall urgently form the Data Breach Response Team (the “Response Team”), which will handle the breach, notify the appropriate persons, and mitigate risks.

The Response Team must be a multi-disciplinary group headed by the CEO of Mookee and include:

  • The Privacy Manager.
  • A privacy law specialist (internal or external).
  • Knowledgeable and skilled information security specialists within Mookee or outsourcing professionals, if necessary.

The team ensures that all employees and contractors adhere to this Policy and provides an immediate and effective response to any suspected, alleged, or actual Data Breach affecting Mookee.

The Response Team's duties include:

  1. Communicating the Data Breach to the Competent Supervisory Authority(-ies).
  2. Communicating the Data Breach to affected Data Subjects in cases of high risk to their rights and freedoms.
  3. Informing third parties about the breach when data obtained as a processor is involved.
  4. Notifying Mookee’s contractors or third parties processing the affected Personal Data.
  5. Taking technical and organizational measures to mitigate and cease the breach.
  6. Recording the breach in the Records of Processing Activities and filing an internal Data Breach report.

Notification to Supervisory Authority

Mookee must inform the Competent Supervisory Authority about the Data Breach without undue delay and, where possible, within 72 hours of becoming aware of the breach.

  • The Competent Supervisory Authority is determined by the residence of the affected Data Subjects.
  • If multiple countries are involved, Mookee must inform all relevant authorities.

The notification must include:

  1. Nature of the Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
  2. Contact details of the Response Team, Privacy Manager, or CEO.
  3. Likely consequences of the Data Breach.
  4. Measures taken or proposed to mitigate risks and adverse effects.

Notifications must use Mookee's Data Breach Notification Form.

Notification to Data Subjects

When a Data Breach poses a high risk to Data Subjects’ rights and freedoms, Mookee must notify them without undue delay.

The notification must include:

  1. Description of the breach, its causes (if disclosed), and what happened.
  2. Measures taken by Mookee to address the breach.
  3. Recommendations for mitigating risks (e.g., password changes).
  4. Contact information for the Response Team or its members.

Exemptions to notifying Data Subjects include:

  1. Mookee implemented protections, such as encryption, that render data inaccessible.
  2. Measures were taken to ensure high risk is no longer likely to materialize.
  3. Notification would involve disproportionate effort, in which case a public communication or similar effective measure may be used.

Any exemptions must be documented, including reasons for not notifying and actions taken.

Communication with Third Parties

If a Data Breach involves Personal Data shared with or processed on behalf of a third party, Mookee must notify the third party within 24 hours.

When acting as a Data Processor, Mookee must:

  1. Inform the third party.
  2. Mitigate consequences of the breach.

Notifications to Supervisory Authorities and Data Subjects are the responsibility of the third party.

If Mookee receives a breach notification from a Data Processor or another third party, the CEO shall:

  • Form the Response Team.
  • Request detailed breach information.
  • Inform Supervisory Authorities and Data Subjects if necessary.
  • Follow the steps outlined in this procedure.

ANNEX 1 TO THE PERSONAL DATA PROTECTION POLICY

European National Data Protection Authorities

Austria

Österreichische Datenschutzbehörde

Hohenstaufengasse 3

1010 Wien

Tel. +43 1 531 15 202525

Fax +43 1 531 15 202690

e-mail: dsb@dsb.gv.at

Website: http://www.dsb.gv.at/

Art 29 WP Member: Dr Andrea JELINEK, Director, Österreichische Datenschutzbehörde

Belgium

Commission de la protection de la vie privée

Commissie voor de bescherming van de persoonlijke levenssfeer

Rue de la Presse 35 / Drukpersstraat 35 1000 Bruxelles / 1000 Brussel

Tel. +32 2 274 48 00

Fax +32 2 274 48 35

e-mail: commission@privacycommission.be

Website: http://www.privacycommission.be/

Art 29 WP Vice-President: Willem DEBEUCKELAERE, President of the Belgian Privacy commission

Bulgaria

Commission for Personal Data Protection

2, Prof. Tsvetan Lazarov blvd. Sofia 1592

Tel. +359 2 915 3580

Fax +359 2 915 3525

e-mail: kzld@cpdp.bg

Website: http://www.cpdp.bg/

Art 29 WP Member: Mr Ventsislav KARADJOV, Chairman of the Commission for Personal Data Protection

Art 29 WP Alternate Member: Ms Mariya MATEVA

Croatia

Croatian Personal Data Protection Agency

Martićeva 14

10000 Zagreb

Tel. +385 1 4609 000

Fax +385 1 4609 099

e-mail: azop@azop.hr or info@azop.hr

Website: http://www.azop.hr/

Art 29 WP Member: Mr Anto RAJKOVAČA, Director of the Croatian Data Protection Agency

Cyprus

Commissioner for Personal Data Protection

1 Iasonos Street,

1082 Nicosia

P.O. Box 23378, CY-1682 Nicosia

Tel. +357 22 818 456

Fax +357 22 304 565

e-mail: commissioner@dataprotection.gov.cy

Website: http://www.dataprotection.gov.cy/

Art 29 WP Member: Ms Irene LOIZIDOU NIKOLAIDOU

Art 29 WP Alternate Member: Mr Constantinos GEORGIADES

Czech Republic

The Office for Personal Data Protection

Urad pro ochranu osobnich udaju

Pplk. Sochora 27

170 00 Prague 7

Tel. +420 234 665 111

Fax +420 234 665 444

e-mail: posta@uoou.cz

Website: http://www.uoou.cz/

Art 29 WP Member: Ms Ivana JANŮ, President of the Office for Personal Data Protection

Art 29 WP Alternate Member: Mr Ivan PROCHÁZKA, Adviser to the President of the Office

Denmark

Datatilsynet

Borgergade 28, 5

1300 Copenhagen K

Tel. +45 33 1932 00

Fax +45 33 19 32 18

e-mail: dt@datatilsynet.dk

Website: http://www.datatilsynet.dk/

Art 29 WP Member: Ms Cristina Angela GULISANO, Director, Danish Data Protection Agency (Datatilsynet)

Art 29 WP Alternate Member: Mr Peter FOGH KNUDSEN, Head of International Division at the Danish Data Protection Agency (Datatilsynet)

Estonia

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Väike-Ameerika 19

10129 Tallinn

Tel. +372 6274 135

Fax +372 6274 137

e-mail: info@aki.ee

Website: http://www.aki.ee/en

Art 29 WP Member: Mr Viljar PEEP, Director General, Estonian Data Protection Inspectorate

Art 29 WP Alternate Member: Ms Maarja Kirss

Finland

Office of the Data Protection Ombudsman

P.O. Box 315

FIN-00181 Helsinki

Tel. +358 10 3666 700

Fax +358 10 3666 735

e-mail: tietosuoja@om.fi

Website: http://www.tietosuoja.fi/en/

Art 29 WP Member: Mr Reijo AARNIO, Ombudsman of the Finnish Data Protection Authority

Art 29 WP Alternate Member: Ms Elisa KUMPULA, Head of Department

France

Commission Nationale de l'Informatique et des Libertés - CNIL

8 rue Vivienne, CS 30223 F-75002 Paris, Cedex 02

Tel. +33 1 53 73 22 22

Fax +33 1 53 73 22 00

Website: http://www.cnil.fr/

Art 29 WP Member: Ms Isabelle FALQUE-PIERROTIN, President of CNIL

Art 29 WP Alternate Member: Ms Florence RAYNAL

Germany

Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit

Husarenstraße 30

53117 Bonn

Tel. +49 228 997799 0; +49 228 81995 0

Fax +49 228 997799 550; +49 228 81995 550

e-mail: poststelle@bfdi.bund.de

Website: http://www.bfdi.bund.de/

The competence for complaints is split among different data protection supervisory authorities in Germany.

Competent authorities can be identified according to the list provided under https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte

Art 29 WP Member: Ms Andrea VOSSHOFF, Federal Commissioner for Freedom of Information

Art 29 WP Alternate Member: Prof. Dr. Johannes CASPAR, representative of the federal states

Greece

Hellenic Data Protection Authority

Kifisias Av. 1-3, PC 11523 Ampelokipi Athens

Tel. +30 210 6475 600

Fax +30 210 6475 628

e-mail: contact@dpa.gr

Website: http://www.dpa.gr/

Art 29 WP Member: Mr Konstantinos Menoudakos, President of the Hellenic DPA

Art 29 WP Alternate Member: Dr. Vasilios ZORKADIS, Director

Hungary

National Authority for Data Protection and Freedom of Information

Szilágyi Erzsébet fasor 22/C H-1125 Budapest

Tel. +36 1 3911 400

e-mail: peterfalvi.attila@naih.hu

Website: http://www.naih.hu/

Art 29 WP Member: Dr Attila PÉTERFALVI, President of the National Authority for Data Protection and Freedom of Information

Art 29 WP Alternate Member: Mr Endre Győző SZABÓ, Vice-president of the National Authority for Data Protection and Freedom of Information

Ireland

Data Protection Commissioner

Canal House Station Road Portarlington Co. Laois

Lo-Call: 1890 25 22 31

Tel. +353 57 868 4800

Fax +353 57 868 4757

e-mail: info@dataprotection.ie

Website: http://www.dataprotection.ie/

Art 29 WP Member: Ms Helen DIXON, Data Protection Commissioner

Art 29 WP Alternate Members: Mr John O'DWYER, Deputy Commissioner; Mr Dale SUNDERLAND, Deputy Commissioner

Italy

Garante per la protezione dei dati personali

Piazza di Monte Citorio, 121 00186 Roma

Tel. +39 06 69677 1

Fax +39 06 69677 785

e-mail: garante@garanteprivacy.it

Website: http://www.garanteprivacy.it/

Art 29 WP Member: Mr Antonello SORO, President of Garante per la protezione dei dati personali

Art 29 WP Alternate Member: Ms Giuseppe BUSIA, Secretary General of Garante per la protezione dei dati personali

Latvia

Data State Inspectorate

Director: Ms Daiga Avdejanova

Blaumana str. 11/13-15

1011 Riga

Tel. +371 6722 3131

Fax +371 6722 3556

e-mail: info@dvi.gov.lv

Website: http://www.dvi.gov.lv/

Art 29 WP Alternate Member: Ms Aiga BALODE

Lithuania

State Data Protection

Žygimantų str. 11-6a 011042 Vilnius

Tel. +370 5 279 14 45

Fax +370 5 261 94 94

e-mail: ada@ada.lt

Website: http://www.ada.lt/

Art 29 WP Member: Mr Raimondas Andrijauskas, Director of the State Data Protection Inspectorate

Art 29 WP Alternate Member: Ms Neringa KAKTAVIČIŪTĖ-MICKIENĖ, Head of Complaints Investigation and International Cooperation Division

Luxembourg

Commission Nationale pour la Protection des Données

1, avenue du Rock’n’Roll L-4361 Esch-sur-Alzette

Tel. +352 2610 60 1

Fax +352 2610 60 29

e-mail: info@cnpd.lu

Website: http://www.cnpd.lu/

Art 29 WP Member: Ms Tine A. LARSEN, President of the Commission Nationale pour la Protection des Données

Art 29 WP Alternate Member: Mr Thierry LALLEMANG, Commissioner

Malta

Office of the Data Protection Commissioner

Data Protection Commissioner: Mr Joseph Ebejer

2, Airways House

High Street, Sliema SLM 1549

Tel. +356 2328 7100

Fax +356 2328 7198

e-mail: commissioner.dataprotection@gov.mt

Website: http://www.dataprotection.gov.mt/

Art 29 WP Member: Mr Saviour CACHIA, Information and Data Protection Commissioner

Art 29 WP Alternate Member: Mr Ian DEGUARA, Director – Operations and Programme Implementation

Netherlands

Autoriteit Persoonsgegevens

Prins Clauslaan 60

P.O. Box 93374

2509 AJ Den Haag/The Hague

Tel. +31 70 888 8500

Fax +31 70 888 8501

e-mail: info@autoriteitpersoonsgegevens.nl

Website: https://autoriteitpersoonsgegevens.nl/nl

Art 29 WP Member: Mr Aleid WOLFSEN, Chairman of Autoriteit Persoonsgegevens

Poland

The Bureau of the Inspector General for the Protection of Personal Data - GIODO

ul. Stawki 2

00-193 Warsaw

Tel. +48 22 53 10 440

Fax +48 22 53 10 441

e-mail: kancelaria@giodo.gov.pl; desiwm@giodo.gov.pl

Website: http://www.giodo.gov.pl/

Art 29 WP Member: Ms Edyta BIELAK-JOMAA, Inspector General for the Protection of Personal Data

Portugal

Comissão Nacional de Protecção de Dados - CNPD

R. de São. Bento, 148-3° 1200-821 Lisboa

Tel. +351 21 392 84 00

Fax +351 21 397 68 32

e-mail: geral@cnpd.pt

Website: http://www.cnpd.pt/

Art 29 WP Member: Ms Filipa CALVÃO, President, Comissão Nacional de Protecção de Dados

Art 29 WP Alternate Member: Isabel CRUZ, Secretary-General of the DPA

Romania

The National Supervisory Authority for Personal Data Processing

President: Mrs Ancuţa Gianina Opre

B-dul Magheru 28-30

Sector 1, BUCUREŞTI

Tel. +40 21 252 5599

Fax +40 21 252 5757

e-mail: anspdcp@dataprotection.ro

Website: http://www.dataprotection.ro/

Art 29 WP Member: Ms Ancuţa Gianina OPRE, President of the National Supervisory Authority for Personal Data Processing

Art 29 WP Alternate Member: Ms Alina SAVOIU, Head of the Legal and Communication Department

Slovakia

Office for Personal Data Protection of the Slovak Republic

Hraničná 12

820 07 Bratislava 27

Tel. +421 2 32 31 32 14

Fax +421 2 32 31 32 34

e-mail: statny.dozor@pdp.gov.sk

Website: http://www.dataprotection.gov.sk/

Art 29 WP Member: Ms Soňa PŐTHEOVÁ, President of the Office for Personal Data Protection of the Slovak Republic

Art 29 WP Alternate Member: Mr Anna VITTEKOVA, Vice President

Slovenia

Information Commissioner

Ms Mojca Prelesnik

Zaloška 59

1000 Ljubljana

Tel. +386 1 230 9730

Fax +386 1 230 9778

e-mail: gp.ip@ip-rs.si

Website: https://www.ip-rs.si/

Art 29 WP Member: Ms Mojca PRELESNIK, Information Commissioner of the Republic of Slovenia

Spain

Agencia de Protección de Datos

C/Jorge Juan, 6

28001 Madrid

Tel. +34 91399 6200

Fax +34 91455 5699

e-mail: internacional@agpd.es

Website: https://www.agpd.es/

Art 29 WP Member: Ms María del Mar España Martí, Director of the Spanish Data Protection Agency

Art 29 WP Alternate Member: Mr Rafael GARCIA GOZALO

Sweden

Datainspektionen

Drottninggatan 29 5th Floor

Box 8114

1.20 Stockholm

Tel. +46 8 657 6100

Fax +46 8 652 8652

e-mail: datainspektionen@datainspektionen.se

Website: http://www.datainspektionen.se/

Art 29 WP Member: Ms Kristina SVAHN STARRSJÖ, Director General of the Data Inspection Board

Art 29 WP Alternate Member: Mr Hans-Olof LINDBLOM, Chief Legal Adviser

United Kingdom

The Information Commissioner’s Office

Water Lane, Wycliffe House Wilmslow - Cheshire SK9 5AF

Tel. +44 1625 545 745

e-mail: international.team@ico.org.uk

Website: https://ico.org.uk

Art 29 WP Member: Ms Elizabeth DENHAM, Information Commissioner

Art 29 WP Alternate Member: Mr Steve WOOD, Deputy Commissioner

EUROPEAN FREE TRADE AREA (EFTA)

Iceland

Icelandic Data Protection Agency

Rauðarárstíg 10

1.Reykjavík

Tel. +354 510 9600; Fax +354 510 9606

e-mail: postur@personuvernd.is

Liechtenstein

Data Protection Office

Kirchstrasse 8, P.O. Box 684

9490 Vaduz

Principality of Liechtenstein

Tel. +423 236 6090

e-mail: info.dss@llv.li

Norway

Datatilsynet

The Data Inspectorate

P.O. Box 8177 Dep 0034 Oslo

Tel. +47 22 39 69 00; Fax +47 22 42 23 50

e-mail: postkasse@datatilsynet.no

Data Protection Authority: Mr Bjørn Erik THORN

Switzerland

Data Protection and Information Commissioner of Switzerland

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter

Mr Adrian Lobsiger

Feldeggweg 1

3003 Bern

Tel. +41 58 462 43 95; Fax +41 58 462 99 96

e-mail: contact20@edoeb.admin.ch