Privacy policy

Protection of your personal data is important to us.

In the following, we would like to inform you that we ask for personal data from you and store it electronically. Your data will be stored and processed in accordance with the applicable provisions of the national data protection laws, as well as the General Data Protection Regulation (GDPR).

Controller within the provision of aforementioned regulations is:

Pulserio AG

Address: Wassergrabe 3, 6210 Sursee

CHE-316.798.144

Contact Data:

E-Mail: info@leadrebel.io

Website: https://leadrebel.io

Responsible for content: Pulserio AG

1. General provisions

1. Definitions

In order to improve the legibility and comprehensibility of our privacy policy, we would like to inform you about the general provisions used by the GDRP.

• Personal data

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Data subject

The data subject is an identified or identifiable natural person, whose personal data is processed by the controller.

• Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Restriction of processing

Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.

• Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

• Pseudonymization

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

• Controller

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

• Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

• Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.

• Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Type and extent of data collection

Data is collected and processed when you access our website or retrieve a file stored on our website. As a rule, this does not take place unless it’s necessary to provide a functional website or its contents and services. Furthermore, personal data is regularly collected and used only after appropriate consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by legal provisions.

1. Legal basis for the processing of personal data

If personal data is processed for fulfilling the contracts entered into with us, Art. 6 Para 1 lit. b GDRP serves as a legal basis. This also applies to processing operations, which are necessary to carry out pre-contractual actions.

If we obtain consent of the concerned person for processing operations of personal data, Art. 6 Para 1 lit. a GDRP serves as a legal basis.

If processing of personal data is required to fulfill a legal obligation, which our company is subject to, Art. 6 Para 1 lit. c GDRP serves as a legal basis.

In case vital interests of the concerned person or any other natural person require the processing of personal data, Art. 6 Para 1 lit. d GDRP serves as a legal basis.

If processing of data is required to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the concerned person do not outweigh the above-mentioned interest, then Art. 6 Para 1 lit. f GDRP serves as a legal basis for the processing.

2. Data deletion and duration of storage

The personal data collected by us is deleted as soon as the purpose for storing the data ends.

Data is stored if there is a law, a Union regulation or other provisions authorizing such storage.

Furthermore, data is deleted when the retention period prescribed by the norms mentioned expires, unless there is a necessity for storing data further for concluding a contract or for the fulfillment of a contract.

2. Data collection via the website

1. Log files

1. Description and scope of data processing

When you access our website,

• Browser type/-version
• Operating system used
• Referrer URL (website visited previously), as well as pages retrieved on our website
• IP address
• Date and time of the server request
• Internet Service Provider

are logged.

2. Legal basis of data processing

Legal basis for storing data and the log files is Art. 6 Para 1 lit. f GDRP.

3. Purpose of data processing

Storing data in log files ensures that our website is functioning properly. It further helps in optimization and security of our systems. Therein also lies our legitimate interest in the processing of data according to Art. 6 Para 1 lit. f GDRP. In accordance with this use, we do not evaluate data for marketing purposes.

4. Duration of storage

The data stored by us is deleted as soon as we do not need it anymore for achieving the purpose for which it was collected. This happens at the latest after seven days. Storing data longer than that is possible. In this case, the users’ IP addresses are deleted or anonymized, in order to make identifying the user impossible.

5. Possibility of opting out and elimination

Recording the data mentioned is absolutely necessary for the operation of the website. As a result, there is no option for the user to object to it.

2. Cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are saved on the user's computer system when retrieving our website. Cookies contain a string, which enables identification of the visitor's browser when our website is retrieved again. We use technically necessary cookies, which help in making our services more user-friendly, more effective and more secure.

The following data, for example, is stored and transmitted in the cookies:

• Items in the shopping cart

• Login information
• Language settings

The data obtained from this is pseudonymized by us. Therefore, it is not possible to link data back to the visitor. Furthermore, this data is not stored together with other personal data.

You can set your browser in such a way that you are informed about the setting of cookies and individually decide on their acceptance or refuse the acceptance of cookies for specific cases or in general. If you do not accept cookies, the functionality of our website may be limited.

Over and above that, we use cookies, which allow us to analyze the surfing habits of visitors to our website (so-called analysis cookies).

The following data, for example, is stored and transmitted in the analysis cookies:

• Page visits
• Use of the website functions
• Language settings

When retrieving our website, the user is informed about the use of cookies and the user’s consent is obtained for processing the personal data used.

2. Legal basis of data processing

The legal basis for the processing of personal data by using cookies is Art. 6 Para 1 lit. f GDRP. The legal basis for the processing of personal data by using cookies for analysis purposes is Art. 6 Para 1 lit. a GDRP if the user has consented to using cookies.

3. Purpose of data processing

Technically necessary cookies serve to simplify the use of websites. Some functions of the website or the online shop cannot be provided without the use of cookies. For these functions it is necessary that a browser returning to our website can be correctly identified.

The user data collected by technically necessary cookies is not used for creating user profiles.

Analysis cookies are used for improving the quality of our website and its contents. Through the analysis cookies we learn how our website is used and they enable us to continuously improve our services.

4. Duration of storage, opt-out option and elimination

Cookies are saved on the user's computer and are transmitted by it. That is why users also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your Internet browser. Cookies that are already saved can be deleted at any time. This can also happen automatically. Deactivating cookies for our website may result in the loss of some of the functions of our website.

3. Contact form and email

1. Description and scope of data processing

Visitors to our website are provided with a contact form for fast, electronic contact. The data entered in the input screen is transmitted to and stored by us.

In addition, the IP address of the user as well as the date and time of transmission are stored at the time of sending.

Alternatively, contact is possible via the email address provided. In this case, the user's personal data transmitted via email is stored.

Data is never transferred to third parties. The data is only used for processing the request.

2. Legal basis of data processing

The legal basis for processing the data, if the user has consented to it, is Art. 6 Para 1 lit. a GDRP.

The legal basis for processing the data, which is transmitted while sending an email, is Art. 6 Para 1 lit. f GDRP. If contact via email aims to conclude a contract, then additional legal basis for the processing is Art. 6 Para 1 lit. b GDRP.

3. Purpose of data processing

Processing of personal data serves the sole purpose of processing contact. In case of contact via email, this also includes the required legitimate interest in the processing of the data.

Other personal data processed in the sending process serves the purpose of preventing misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data is deleted as soon as we do not need it for achieving the purpose for which it was collected. For personal data from the input screen of the contact form and that which has been sent via email, this is the case when the respective conversation with the user has ended. The conversation ends when it is clear from the circumstances that the relevant facts have been finally clarified.

The additional personal data collected during the sending process is deleted at the latest after a period of seven days.

5. Option to revoke consent and elimination

At any given time, the user has the option to revoke his consent to the processing of personal data. For this purpose, the user can contact the controller via the contact options provided on the website. If the user contacts us by email, then he/she may object to the storage of his personal data at any time. The conversation cannot continue in such a case.

4. Registration of a user account

1. Description and scope of data processing

To use our services, a user account must be created.

While registering, the data requested from the input screen is transmitted to and stored by us.
The personal data can be shared with third parties like, for instance, parcel services, if this is necessary for the fulfillment of the contract. These third parties use the forwarded data only for internal purposes attributed to us. For details, see section III. this privacy policy.

b. Legal basis of data processing

If the registration serves the purpose of fulfilling a contract, to which the user is contractual party, or to the execution of pre-contractual measures, then the legal basis for processing the data is Art. 6 Para 1 lit. b GDRP.
The legal basis for processing the data, if the user has consented to it, is also Art. 6 Para 1 lit. a GDRP.

c. Purpose of data processing

The registration of the user is necessary for the fulfillment of contracts or for executing pre-contractual measures.
Furthermore, registration of the user is necessary for having specific content and services available on our Website.

d. Duration of storage

The data is deleted as soon as we do not need it for achieving the purpose for which it was collected.
This is the case for the data collected during the registration process, when the registration on our website is cancelled or modified.
During the registration process for the fulfillment of a contract or execution of pre-contractual measures, this is the case when the data is not required any more for the execution of the contract. Even after the contract is completed, it can be necessary to store personal data of the contractual partner, to comply with the contractual or statutory obligations.

e. Possibility of opting out and elimination

At any given time, users have the option to cancel their registration. Also, at any given time, users can modify the data themselves, or have it modified.
You can ask the controller how to cancel your registration.
If data is necessary for fulfillment of a contract or for executing pre-contractual measures, premature deletion of data is only possible provided that contractual or statutory obligations do not prevent a deletion.

3. Data transfer to third parties for the fulfillment of a contract

1. Payment service providers

1. Description and scope of data processing

If a user selects a payment service provider for payment during the ordering process, the user's data required to make the payment will automatically be transmitted to the latter. These are e.g. the name and the address, bank data, e.g. Account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, summary and recipient-related information. In this case, the controller receives no account or credit card information, but only the information whether the payment process was successful. The data may be transmitted by the payment service provider to credit reporting agencies for identification purposes and credit checks. In that regard, reference is made to the terms and conditions and privacy notices of the payment service provider, which can be viewed on the website of each payment service provider.

If you have to be registered with your chosen payment service provider to use it, you will be redirected during the payment process on the payment service providers pages. In this case, the provider collects the data itself. In this respect, the privacy policy of the respective payment service provider applies.

You can find the payment service providers offered by the controller and further information about them in the section of the respective payment service provider.

b.      Legal basis of data processing

The legal basis for processing the data is Art. 6 para. 1 lit. b GDPR (processing for the implementation of pre-contractual measures and performance of a contract).

c.      Purpose of data processing

The transmission of the data to the selected payment service provider serves the fulfillment of a contract of which the user is the contracting party; in particular, data is used for payment processing, prevention of misuse, as well as for identity and credit checks.

d.       Duration of storage

Your data will be deleted if it is no longer necessary for our business processes and does not conflict with statutory retention requirements. We do not have any influence on the storage of the data at the payment service provider, please contact the payment service provider of your choice, who is the controller for this matter in the sense of the data protection regulations.

e.      Possibility of opting out and elimination

You have the rights under "V. Rights of the persons concerned ", which may be asserted against the respective controller.

2. PayPal (Plus)

1. Description and scope of data processing

If a user selects the payment service provider “PayPal” or PayPal Plus” during the ordering process, the user's data is automatically transmitted to the payment service provider. By choosing PayPal as a payment option, the user consents to the transmission of personal data required for payment processing. Provider is PayPal (Europe) S.à.r.l. & Cie. S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxemburg. The data required for payment processing is transmitted. This includes, for example, first name, last name, address, email address, IP address, telephone number, mobile phone number, and order details. The data protection regulations of PayPal can be retrieved at https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

2. Legal basis of data processing

If using the payment service provider serves to fulfill a contract to which the user is a contractual party, then the legal basis for the processing of the data is Art. 6 Para 1 lit. b GDRP.

The legal basis for processing the data, if the user has consented to it, is also Art. 6 Para 1 lit. a GDRP.

3. Purpose of data processing

The transmission takes place for payment processing, for preventing misuse, as well as to confirm the identity and credit rating.

4. Duration of storage

We have no influence on the storage of data with the provider. You may contact the provider under the above-mentioned contact details.

5. Option to revoke consent and elimination

At any given time, the user has the option to revoke the consent granted to the provider. Revocation of data, which is obligatory for payment processing, is not possible.

3. Stripe

1. Description and scope of data processing

If a user selects the payment service provider Stripe during the ordering process, the user’s data is automatically transmitted to the payment service provider. By choosing Stripe as a payment option, the user consents to the transmission of personal data required for payment processing. Provider is Stripe Inc. 185 Berry Street, Suite 550, San Francisco, CA 94107, USA. The data required for payment processing is transmitted. This includes, for example, first name, last name, address, email address, IP address, telephone number, mobile phone number, and order details. The data protection regulations of Stripe can be seen at https://stripe.com/de/privacy.

b. Legal basis of data processing

If using the payment service provider serves to fulfill a contract to which the user is a contractual party, then the legal basis for the processing of the data is Art. 6 Para 1 lit. b GDRP.

The legal basis for processing the data, if the user has consented to it, is also Art. 6 Para 1 lit. a GDRP.

c. Purpose of data processing

The transmission takes place for payment processing, for preventing misuse, as well as to confirm the identity and credit rating.

d. Duration of storage

We have no influence on the storage of data with the provider. You may contact the provider under the above-mentioned contact details.

e. Possibility of opting out and elimination

At any given time, the user has the option to revoke the consent granted to the provider. Revocation of data, which is obligatory for payment processing, is not possible.

4. Data transmission for the purposes of the usage analysis

1. Google Analytics

a. Description and scope of data processing

The website uses the web analysis service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Google Analytics uses analysis cookies. The information generated by the cookies about your use of this website is usually transmitted to a Google server in the USA and is stored there. We extend the Google Analytics code by the code “gat._anonymizeIp ();”. This code has the effect that the logged IP address by Google will be truncated, within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before the transmission. Only in exceptional cases is a full IP address transmitted to a Google server in the United States and truncated there. On behalf of this website’s operator, Google will use this information to evaluate your use of the website, compile reports about website activities, and provide the website’s operator with further services related to website and Internet usage. The IP address sent by your browser as part of the use of Google Analytics is not merged with other data by Google.
More information can be found at https://www.google.com/analytics/terms/de.html or at https://policies.google.com/?hl=de.

b. Legal basis of data processing

The legal basis for processing of personal data of the user is Art. 6 Para 1 lit. f GDRP.

c. Purpose of data processing

The processing of personal data of the users enables us to analyze the surfing behavior of our users. By analyzing the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to improve our website and its user-friendliness. Therein also lies our legitimate interest in the processing of data according to Art. 6 Para 1 lit. f GDRP. The anonymization of the IP address sufficiently takes into account the interest of users in protecting their personal data.

d. Duration of storage

We have determined the retention period in the settings of Google Analytics to XX months.

e. Possibility of opting out and elimination

Cookies are stored on the user’s computer and are transmitted by it. That is why users also have full control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your Internet browser. Cookies that are already stored can be deleted at any time. This can also happen automatically. Deactivating cookies for our website may result in the loss of some of the functions of our website.
In addition, you can prevent data generated by the cookie and relating to your use of the website (including your IP address) from being collected and processed by Google, by downloading and installing the browser add-on from the following link: https://tools.google.com/dlpage/gaoptout?hl=de.For an opt-out using mobile devices, the following link <a href=“javascript:gaOptout()“>deactivate Google Analytics </a> must be clicked from each mobile device.

5. Rights of the data subjects

1. Information and access to personal data

Data subjects have the right to be provided with a confirmation if personal data is processed by a controller.

If personal data is collected, data subjects shall be provided with the following information:

• purposes of the processing
• the categories of personal data concerned;
• the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
• the right to lodge a complaint with a supervisory authority;
• where the personal data are not collected from the data subject, any available information as to their source;
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
• Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
• Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the access to data processed can be restricted

2. Right to rectification

The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him or her. The controller has to inform the data subject without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to rectification can be restricted

3. Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
• the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
• the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) GDRP
• the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) GDRP, or point (a) of Article 9(2) GDRP, and there is no other legal ground for the processing;

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

Where the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the right to restriction of processing can be restricted

4. Right to erasure (“right to be forgotten”)

1. Obligation to erasure

The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
• the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Information to third parties

Where the controller has made the personal data public and is obliged to erase personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Exceptions

The right to erase shall not apply, if the processing is necessary

• for exercising the right of freedom of expression and information;
• for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
• for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDRP
• for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph a is likely to render impossible or seriously impair the achievement of the objectives of that processing
• for the establishment, exercise or defense of legal claims.

5. Notification obligation

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1) and 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

6. Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

• the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
• the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

That right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on points (e) or (f) of Article 6(1), including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding
Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Right to withdraw the data subjects consent

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

This shall not apply if the decision

1. is necessary for entering into, or performance of, a contract between the data subject and a data controller;
2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
3. is based on the data subject's explicit consent.

In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

Decisions shall not be based on special categories of personal data referred to in Article 9(1), unless suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

10. For US website visitors only

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email or home address. We (or service providers on our behalf) may then send communications and marketing to these email or home addresses. You may opt out of receiving this advertising by visiting https://app.retention.com/optout