PRIVACY POLICY

1. PURPOSE OF THE PRIVACY POLICY

The purpose of this "Privacy and Data Protection Policy" is to disclose the conditions governing the collection and processing of personal data by TIKITUP, making every effort to ensure the fundamental rights, honour and freedoms of persons whose personal data is processed in compliance with the regulations and laws governing the Protection of personal data according to the European Union and the Spanish Member State and, specifically, those expressed in the section "Processing Activities" of this Privacy Policy.

Therefore, in this Privacy and Data Protection Policy, users of the TIKITUP application are informed of all the details of interest regarding how these processes are carried out, for what purposes, which other entities may have access to their data and what are the rights of users.

2. DEFINITIONS

"Personal data": any information about an identified or identifiable natural person ("the application user"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

"Processing": any operation or set of operations performed on personal data or sets of personal data, whether or not by automated procedures, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, communication by transmission, dissemination, or any other form of enabling access, matching or interconnection, restriction, erasure or destruction.

"Limitation of processing": the marking of personal data retained for the purpose of limiting their processing in the future.

"Profiling": any form of automated processing of personal data consisting in using personal data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects relating to that natural person's professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

"Pseudonymization" means the processing of personal data in such a way that they can no longer be attributed to a data subject without the use of additional information, provided that such additional information is listed separately and is subject to technical and organizational measures designed to ensure that the personal data are not attributed to an identified or identifiable natural person.

"File": any structured set of personal data, accessible according to specified criteria, whether centralized, decentralized or distributed in a functional or geographical manner.

"Manager in charge of the treatment” or "manager": the natural or legal person, public authority, service, or other body which alone or jointly with others determines the purposes and means of processing; if Union or Member State law determines the purposes and means of processing, the manager or the specific criteria for its appointment may be laid down by Union or Member State law.

"Processor" or "processor": the natural or legal person, public authority, service, or other body processing personal data on behalf of the controller.

"Recipient": means the natural or legal person, public authority, department, or other body to whom personal data are disclosed, whether or not it is a third party. However, public authorities which may receive personal data in the framework of a specific investigation in accordance with Union or Member State law shall not be regarded as recipients; the processing of such data by such public authorities shall be in accordance with the data protection rules applicable to the purposes of the processing.

"Third party": any natural or legal person, public authority, service, or body other than the data subject, the controller, the processor, and the persons authorized to process personal data under the direct authority of the manager or the processor.

"Consent of the data subject": any freely given, specific, informed, and unambiguous expression of will by which the data subject agrees, either by a statement or by a clear affirmative action, to the processing of personal data concerning him or her.

"Breach of security of personal data": any breach of security resulting in the accidental or unlawful destruction, loss, or alteration of, or unauthorized communication or access to, personal data transmitted, stored, or otherwise processed.

"Genetic data": personal data relating to inherited or acquired genetic characteristics of a natural person that provide unique information about that person's physiology or health, obtained in particular from the analysis of a biological sample from such person.

"Biometric data": personal data obtained from specific technical processing, relating to the physical, physiological, or behavioural characteristics of a natural person which enable or confirm the unique identification of that person, such as facial images or dactyloscopic data.

"Health-related data": personal data relating to the physical or mental health of a natural person, including the provision of health care services, revealing information about his or her health status.

"Principal establishment": (a) as regards a manager with establishments in more than one Member State, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment of the manager in the Union and the latter establishment has the power to implement such decisions, in which case the establishment which has taken such decisions shall be considered as the main establishment; (b) as regards a processor with establishments in more than one Member State, the place of its central administration in the Union or, if there is no central administration, the establishment of the processor in the Union where the main processing activities are carried out in the context of the activities of an establishment of the processor in so far as the processor is subject to specific obligations under this Regulation.

"Representative": natural or legal person established in the Union who, having been appointed in writing by the manager or processor pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under this Regulation.

"Company": means a natural or legal person engaged in an economic activity, regardless of its legal form, including companies or partnerships regularly carrying out an economic activity.

"Supervisory authority": the independent public authority established by a Member State in accordance with the provisions of Article 51 of the GDPR. In the case of Spain, it is the Spanish Data Protection Agency.

"Transborder processing": a) processing of personal data carried out in the context of the activities of establishments in more than one Member State of a controller or processor in the Union, if the controller or processor is established in more than one Member State, or b) processing of personal data carried out in the context of the activities of a single establishment of a controller or processor in the Union, but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

"Information society service": means any information society service, i.e., any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

3. IDENTITY OF THE DATA CONTROLLER

The Data Controller is that natural or legal person, of a public or private nature, or administrative body, which alone or jointly with others determines the purposes and means of the processing of personal data; in the event that the purposes and means of the processing are determined by the Law of the European Union or of the Spanish Member State.

In the aspects expressed in this Data Protection Policy, the identity and contact details of the Data Controller are:

ONIRIA STUDIOS S.L. - CIF B10697316

Calle Santa Teresa de Jesús 3. 50006, Zaragoza (Zaragoza), Spain

Email: dpo@oniriastudios.com

Telephone: 666 38 81 08

4. APPLICABLE LAWS AND REGULATIONS

This Privacy and Data Protection Policy is developed based on the following data protection laws and regulations:

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data. Hereinafter GDPR.

• Organic Law 3/2018, of December 5, 2018, on the Protection of Personal Data and Guarantee of Digital Rights. Hereinafter LOPD/GDD.

• Law 34/2002, of July 11, 2002, on Information Society Services and Electronic Commerce. Hereinafter LSSICE.

5. PRINCIPLES APPLICABLE TO THE PROCESSING OF PERSONAL DATA

The personal data collected and processed through this application will be treated in accordance with the following principles:

• Principle of lawfulness, fairness, and transparency: all processing of personal data carried out through this application will be lawful and fair, being completely clear to the user when personal data concerning him/her are being collected, used, consulted, or processed. The information relating to the processing carried out shall be transmitted in advance, easily accessible and easy to understand, in simple and clear language.

• Purpose limitation principle: All data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with the purposes for which they were collected.

• Data minimization principle: The data collected shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

• Accuracy principle: The data shall be accurate and, if necessary, updated, taking all reasonable steps to ensure that personal data that are inaccurate in relation to the purposes for which they are processed are deleted or rectified without delay.

• Principle of limitation of the storage period: Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

• Principle of integrity and confidentiality: Data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss or damage, by implementing appropriate technical and organizational measures.

• Principle of proactive responsibility: The entity owning the application shall be responsible for compliance with the principles set out in this section and shall be able to demonstrate it.

6. DATA PROCESSING ACTIVITIES

The data processing activities carried out by means of the application are detailed below, specifying each of the following sections:

• Activity: Name of the data processing activity.

• Purposes: Each of the uses and processing carried out with the data collected.

• Legal basis: The legal basis that legitimizes the processing of the data

• Data processed: Type of data processed

• Origin: From where the data is obtained

• Retention: Period during which the data is retained

• Recipients: Persons or third parties to whom the data is provided.

• International transfers: Cross-border transfers of data outside the European Union.

6.1. NECESSARY AND UPDATED INFORMATION

They are those data processing activities whose purposes are necessary and essential for the provision of services.

MANAGEMENT OF EVENTS AND ONLINE SALE OF TICKETS

Legal basis: (Art. 6.1.b RGPD) Existence of a contractual relationship with the data subject by means of a contract or pre-contract.

Purposes: Management of events, parties, trips, and online ticket sales, mainly for Erasmus users. The consequences of not providing this information will be the impossibility of registering as a user of our application. You have the right to receive an answer to any question, query or clarification arising from this form, by calling us, sending us an e-mail or visiting our facilities.

Data categories and groups:

App users (Identifying data; Personal characteristics).

Contacts app users (Identifying data)

Data source: The data subject himself/herself or his/her legal representative; persons other than the data subject or his/her representative but who have a certain relationship with each other.

Category of recipients: Tax Administration; Banks, savings banks and rural banks; We give your data to the organizers of events, parties or trips, as a requirement of them so that you can participate in the service contracted through our application. Otherwise, we do not transfer your data to anyone, but we may allow its processing by third parties only for technical, legal and/or service provision reasons.

International transfer: Not foreseen

Conservation period: As long as the business relationship is maintained. We keep your data for the duration of the contractual relationship or as long as you do not request its deletion or as long as necessary if there is any legal obligation or legitimate interest in this regard.

Safety measures: The security measures implemented correspond to those described in the documents that make up the organization's Data Protection and Information Security Policy.

6.2. OPTIONAL PROCESSING ACTIVITIES (if the user has marked his/her acceptance)

These are those personal data processing activities whose purposes are not essential for the provision of the service, and which are only carried out if the user has marked YES in the consent for the performance of these activities.

7. NECESSARY AND UPDATED INFORMATION

All fields marked with an asterisk (*) in the application forms must be completed, so that the omission of any of them could make it impossible to provide the services or information requested.

You must provide truthful information, so that the information provided is always updated and contains no errors, you must inform the Data Manager as soon as possible, modifications and corrections of your personal data that occur through an email to the address: dpo@oniriastudios.com.

Likewise, by clicking on the "I accept" button (or equivalent) incorporated in the aforementioned forms, you declare that the information and data you have provided are accurate and truthful, as well as that you understand and accept this Privacy Policy.

8. DATA OF MINORS

In compliance with the provisions of Article 8 of the RGPD and Article 7 of the LOPD/GDD, only those over 14 years of age may give their consent for the processing of their personal data in a lawful manner by TIKITUP.

Therefore, minors under 14 years of age may not use the services available through the application without the prior authorization of their parents, guardians, or legal representatives, who will be solely responsible for all acts performed through the application by minors in their care, including the completion of the telematic forms with the personal data of such minors and the marking, if any, of the boxes that accompany them.

9. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

The Data Controller adopts the necessary organizational and technical measures to ensure the security and privacy of your data, avoid its alteration, loss, unauthorized processing, or access, depending on the state of technology, the nature of the data stored and the risks to which they are exposed.

Among others, the following measures stand out:

• Ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services.

• Restore availability and access to personal data quickly in the event of a physical or technical incident.

• Verify, evaluate, and assess, on a regular basis, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.

• Pseudonymize and encrypt personal data in the case of sensitive data.

In addition, the Data Manager has decided to manage the information systems in accordance with the following principles:

• Principle of regulatory compliance: All information systems shall comply with the applicable legal, regulatory, and sectorial regulations affecting the security of information, especially those related to the protection of personal data, security of systems, data, communications, and electronic services.

• Risk management principle: Risks shall be minimized to acceptable levels and a balance shall be sought between security controls and the nature of the information. Security objectives shall be established, reviewed and consistent with information security aspects.

• Principle of awareness and training: Training programs, sensitization and awareness campaigns shall be articulated for all users with access to information, in terms of information security.

• Principle of proportionality: The implementation of controls that mitigate the security risks of the assets shall be carried out seeking a balance between security measures, the nature and nature of the information and risk.

• Principle of responsibility: All members of the Data Manager shall be responsible for their conduct in terms of information security, complying with the established rules and controls.

• Principle of continuous improvement: The degree of effectiveness of the security controls implemented in the organization will be reviewed on a recurring basis to increase the ability to adapt to the constant evolution of risk and the technological environment.

10. RIGHTS OF THE INTERESTED PARTIES

The current data protection regulations protect the user in a series of rights in relation to the use given to their data. Each and every one of these rights are unipersonal and non-transferable, that is to say, they can only be exercised by the owner of the data, after verifying his or her identity.

The rights of the users of the application are detailed below:

• Right of access: this is the right of the user of the application to obtain confirmation of whether or not the Data Manager is processing their personal data and, if so, to obtain information about their specific personal data and the processing that the Data Manager has carried out or is carrying out, as well as, among others, the information available on the origin of such data and the recipients of the communications made or planned in the same.

• Right of rectification: This is the right that the user of the application has to have his or her personal data that proves to be inaccurate or, taking into account the purposes of the processing, incomplete, modified.

• Right of erasure: Often referred to as the "right to be forgotten", this is the right that the user of the application has, provided that the legislation in force does not provide otherwise, to obtain the deletion of his or her personal data when it is no longer necessary for the purposes for which it was collected or processed; the User has withdrawn his/her consent to the processing and there is no other legal basis; the User objects to the processing and there is no other legitimate reason to continue the processing; the personal data have been processed unlawfully; the personal data have been obtained as a result of a direct offer of information society services to a minor under 14 years of age. In addition to deleting the data, the Manager, taking into account the technology available and the cost of its implementation, shall take reasonable steps to inform other data controllers that may be processing the personal data of the data subject's request for the deletion of any link to such personal data.

• Right to data restriction: This is the right of the Application User to limit the processing of his or her personal data. The Application User has the right to obtain the limitation of the processing when he/she contests the accuracy of his/her personal data; the processing is unlawful; the Manager no longer needs the personal data, but the User needs it to make claims; and when the Application User has objected to the processing.

• Right to data portability: In cases where the processing is carried out by automated means, the Application User shall have the right to receive from the Manager his/her personal data in a structured, commonly used, and machine-readable format, and to transmit it to another Manager. Provided that it is technically possible, the Manager shall directly transmit the data to that other Manager.

• Right to object: This is the User's right not to have his or her personal data processed or to cease the processing of such data by the Data Manager.

• Right not to be subject to automated decisions and/or profiling: The right of the User of the application not to be subject to an individualized decision based solely on the automated processing of their personal data, including profiling, existing unless otherwise provided for by the legislation in force.

• Right to revoke consent: It is the right of the User of the application to withdraw, at any time, the consent given for the processing of their data.

 The user of the application can exercise any of the above rights by contacting the Data Manager and prior identification of the User using the following contact information:

• Responsible: ONIRIA STUDIOS S.L.

• Address: Calle Santa Teresa de Jesús 3. 50006, Zaragoza (Zaragoza), Spain

• Telephone: 666 38 81 08

• E-mail: dpo@oniriastudios.com

• Website: https://www.oniriastudios.com/

11. RIGHT TO COMPLAIN TO THE SUPERVISORY AUTHORITY

Users are informed of their right to file a complaint with the Spanish Data Protection Agency if they consider that a breach of data protection legislation has been committed with respect to the processing of their personal data.

Contact information of the supervisory authority:

Spanish Data Protection Agency.

Email: info@aepd.es

Phone: 912663517

Website: https://www.aepd.es

Address: C/. Jorge Juan, 6. 28001, Madrid (Madrid), Spain

12. ACCEPTANCE AND CHANGES IN THE PRIVACY POLICY

It is necessary that the user of the application has read and agrees with the conditions of data protection contained in this Privacy Policy, as well as to accept the processing of their personal data so that the Data Controller can proceed in the manner, terms and purposes indicated.

The Data Controller reserves the right to modify this Privacy Policy, according to its own criteria, or motivated by a legislative, jurisprudential, or doctrinal change of the Spanish Data Protection Agency. Changes or updates made to this Privacy Policy that affect the purposes, retention periods, data transfers to third parties, international data transfers, as well as any rights of the User of the application, will be explicitly communicated to the user.

Version of August 11, 2022