PERSONAL DATA PROCESSING AND PROTECTION POLICY

1. PREAMBLE

The purpose of this Personal Data Processing and Protection Policy ("GDPR Policy") is to list the data processed, the legal grounds and method of processing (retrieval, storage, erasure, etc.), as well as the rights of the Customer, as data subject. If you do not agree with the Site Terms and Conditions and/or the GDPR Policy, please do not use the Site.

One Lucky Star is a data controller and we are required by law to inform you of your rights under the GDPR.

2. DEFINITIONS

1. GDPR - REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
2. Controller or the Undersigned - ONE LUCKY STAR SRL (One Lucky Star), CUI: RO42964940, head office in Brasov, Romania, e-mail dataprotection[at]oneluckystar[dot]com.
3. Data subject or Client- any identified or identifiable natural person whose personal data is processed by the Controller; for example: clients, potential clients, or visitors of the Site;
4. Websites or Sites - https://oneluckystar.com and https://oneluckystar.mvsite.app/ operated by the Controller;
5. Courses, Programs, Services – podcast pitching, podcast guesting strategy, self-development and/or coaching services, business support for podcasts, according to the offer presented on the Site;
6. Processing - means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. Consent - means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
8. Personal data or Data - means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

 3. THE WEBSITE. THE CONTROLLER

The websites https://oneluckystar.com and https://oneluckystar.mvsite.app/ is operated by ONE LUCKY STAR SRL (One Lucky Star), CUI: RO42964940, registration no.: J08/1643/2020, head-office in Brasov, Merilor street, no. 1, Brașov county, Romania, e-mail dataprotection@oneluckystar.com

The Controller is responsible only for processing the Data collected from the Client.

4. PROCESSING PRINCIPLES

Personal data are processed in accordance with relevant European and national legislation, in particular, the GDPR and its principles:

• Processing the data lawfully and transparent: the data are processed only in accordance with the law and only in a transparent manner; thus, the undersigned undertakes to any individual Client to use his or her data legally, correctly, and to inform him or her accordingly of any relevant changes in this regard (for example in the event of a system error that resulting in the erasure of the customer database);
• Proportionality: the data are collected within the limits necessary for the execution of the Services and for the issuance of the invoice related to them; any other data, which requires the consent of the concerned data subject, will be indicated accordingly, depending on the circumstances (e.g. to improve the quality of services);
• The right to intervene: you have the right to request to examine, modify and delete your personal data, which were provided for the Services, but you cannot, however, make any abuse of such right;
• The scope of the data processing: the data are used strictly for providing the Services, invoicing, and marketing.
• Data security: the controller has installed a series of reasonable security measures for data processing, and the data are as safe as possible.

5. THE PROCESSED DATA. THE SCOPE AND LEGAL BASIS.

MANDATORY DATA: Name, address

THE SCOPE: 

- for providing the Courses, Programs, Products, or Services (e.g. podcast support, podcast pitching, enrolling in courses or webinars etc.);

- invoicing;

- direct marketing.

THE LEGAL BASIS: 

- providing services according to a contract: art. 6 para. 1 let. B GDPR;

- legal obligation: art. 6 para. 1 let. C GDPR;

- consent: art. 6 para. 1 let. A GDPR (only for marketing).

DURATION: 

- 10 years for the data used for invoices;

 - 3 years for all the other data, starting from the last day of our interaction.

MANDATORY DATA: E-mail, telephone, Facebook account

THE SCOPE:

- for providing the Courses, Programs, Products, or Services (podcast support, podcast pitching, enrolling in courses or webinars etc.);

- direct marketing.

THE LEGAL BASIS:

- providing services according to a contract: art. 6 para. 1 let. B GDPR;

- consent: art. 6 para. 1 let. A GDPR (only for marketing).

DURATION: 3 years for all the other data, starting from the last day of our interaction.

MANDATORY DATA: IP Address

THE SCOPE:

- for protection against cybernetic attacks;

- fraud prevention;

- network function;

THE LEGAL BASIS: legitimate interest – Art. 6 para. 1 let. F) GDPR

DURATION: 3 years for all the other data, starting from the last day of our interaction.

MANDATORY DATA: Banking details (IBAN)

THE SCOPE: invoicing;

THE LEGAL BASIS: legal obligation: art. 6 para. 1 let. C GDPR;

DURATION: 10 years (it is required data for invoicing if you opt for bank transfer).

MANDATORY DATA: Membervault account

THE SCOPE: for providing the Courses, Programs, Products, or Services;

THE LEGAL BASIS: 

- providing services according to a contract: art. 6 para. 1 let. B GDPR;

- consent: art. 6 para. 1 let. A GDPR.

 DURATION: As long as One Lucky Star (the Controller) will use this platform for program delivery, or until you expressly request for them to be deleted.

The data indicated above will be collected directly from the Client, as a result of completing the Contact form/course registration/newsletter registration or free materials.

In addition to the data collected directly from the data subjects, we might also collect data regarding their online behavior on the Website in order to establish future marketing strategies and to find out how we can improve the Website and the Courses, Programs, Products, or Services offered (e.g. cookies, surveys opinion, the content of e-mail messages and the like).

Also, in the case of webinars (live online seminars), there will be situations in which these will be recorded. In order to participate in them, explicit consent will be required for the recording of the image and/or voice. We inform you that these recordings may be used in the future, exclusively for study and research purposes, but also to be used in relation to other clients of the Controller (for example, people who have registered for webinars but who could not participate for various reasons). We reserve the right to modify the recordings (i.e. editing, cutting, etc.) in order to fulfill the latter purpose.

If you do not agree with the provision of the data marked as mandatory in the table above, it will be impossible to register for the courses offered by Undersigned, and, implicitly, you will not be able to benefit from the Courses, Programs, Products, or Services offered.

As for the data marked for obtaining consent, these are not mandatory, and if you do not provide the consent for processing them you will not participate in marketing campaigns and you will not receive future information on offers, discounts, organization of seminars, etc.

6. DATA TRANSFER

Your data will only be used in order to offer the contracted services, namely for: issuing the invoice, providing the Courses, Programs, Products, or Services, and, if you agree, for direct marketing purposes.

There will be the exception of the recorded webinars for which you have expressly consented, and these recordings can be used in the future and in the relationship with other clients. We reserve the right to modify the recordings (i.e. editing, cutting, etc.) in order to fulfill the latter purpose.

In addition to the above, we inform you that we may disclose your data in compliance with the law, to business partners or other third parties. We have contractual clauses with these third parties so that the data is protected. In these situations, we will ensure that any transfer is legitimate under the law.

For example, we may provide personal data to other companies, such as IT (cloud, hosting) or telecommunications service providers, accounting, legal services, and other third parties with whom we have a contractual relationship.

We will also be able to provide personal data to the prosecutor's office, police, courts, and other competent state bodies, based on and within the limits of legal provisions and as a result of express requests.

The transfer of personal data to a non-EU third country can only take place if the state to which the transfer is intended provides an adequate level of protection.

7. DATA SECURITY

We take the necessary measures to protect our customers and other persons whose data we process from unauthorized access, as well as from unauthorized modification, disclosure, or erasure of data we process in the current activity.

We have implemented the following technical and organizational measures for the security of personal data:

• We constantly adopt and review internal practices for the processing of personal data (including physical and electronic security measures), in order to protect our systems from unauthorized access or other possible threats to their security. These practices are subject to constant scrutiny to ensure that we comply with legal requirements and that the systems are functioning properly.
• Your personal data that we process are limited to those that are necessary, appropriate, and relevant for the purposes stated in this Policy.
• We restrict access to personal data that we process to the minimum necessary: employees, collaborators, and other persons who need to access this data in order to process it in order to perform a service.
• We use technologies to ensure the security of our customer’s data, always trying to implement the best solutions for data protection. We also back up data regularly so that we can recover it in the event of an incident. However, no site, application, or internet connection can be 100% secure, no matter the effort.
• We train our employees and collaborators on the legislation and best practices in the field of personal data processing.
• Where possible, we anonymize/pseudo-anonymize the personal data we process, so that the natural person concerned is not identifiable.

8. THE RIGHTS OF THE DATA SUBJECT

The rights of the concerned data subject, as a Client of the Controller, according to the GDPR Regulation are the following:

• The right to be informed with regard to data processing;
• The right to and over their data, materialized into a confirmation from the controller regarding the data processing, if applicable. If the customer so wishes, he or she also has the right to access that data;
• The right to modify/correct inaccurate or incomplete data;
• The right to request the erasure of the data or the “right to be forgotten”;
• The right to restrict data processing;
• The right to transfer the data to another controller;
• The right to object to data processing;
• The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the client or similarly significantly affects the client;
• The right to go to court for the protection of personal rights and interests;
• the right to lodge a complaint with a Supervisory Authority.

Furthermore:

• You can retract or withdraw your consent for direct marketing at any moment by following the “Unsubscribe” instructions in each e-mail;
• Should you choose to exert any of your GDPR rights, you can do so using a written letter and send it to the following e-mail: ….
• The answer to any request made according to this GDPR Policy shall be sent via email within one month. If it shall be necessary to prolong the answer, we shall duly notify you.
• If we shall not manage to identify you and you do not provide sufficient data for doing so, the Controller to comply with the request is considered finalized.

9. QUESTIONS, REQUESTS, AND EXERCISE OF RIGHTS

 If you have any questions or concerns regarding the processing of personal data or you wish to exercise your legal rights or have any other privacy concerns, you may contact us at the following e-mail address  dataprotection@oneluckystar.com.