Privacy Policy

RAPP Privacy Statement

Article 1: General

This privacy statement describes how the web application RAPP handles your personal data. RAPP focuses on consumers in Belgium and requires user registration with an email address and password. We respect your privacy and process your personal data in accordance with the General Data Protection Regulation (GDPR) and applicable Belgian legislation, in particular the Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data. We only collect personal data that is necessary for the functioning of the app, in line with the principle of data minimisation. This privacy statement has been drawn up in professional and legally correct language to comply with all requirements of the GDPR and Belgian privacy legislation.

Article 2: Data controller

The data controller for the processing of your personal data is Viinovate, Martkweg 30 bus 31, Aalst, Belgium. Viinovate is registered in the Crossroads Bank for Enterprises under company number (VAT) BE1003.537.650. You can contact us with any privacy-related questions by email at support@viinnovate.com.

Article 3: Personal data we process

We only process personal data that you provide yourself or that is generated by your use of RAPP, insofar as this data is necessary for the app to function properly. This includes the following categories of data:

• Identification data: your email address and, if you choose to provide it, your name (providing your name is optional).

• Account and profile data: your login information (email address and password). Passwords are stored securely (hashed) and are not readable by us.

• App usage data: information about your use of the app, such as your progress in the application, scores achieved, and your login status (e.g. whether you are logged in and for how long). This data is necessary to provide the functionality of the app, such as tracking your progress and user profile.

• Payment data: if you use paid features or make purchases in the app, the payment will be processed by the external payment provider Stripe. RAPP itself does not store any detailed payment data (such as credit card numbers). We only receive information from Stripe that is necessary to confirm your payment (e.g. a payment confirmation or transaction reference).

We do not process any sensitive personal data (such as race, health data, etc.) and do not collect any data that is not relevant to the purposes mentioned above. In accordance with the GDPR principle of data minimisation, we limit processing to what is adequate and necessary for the purposes of the app. No data is collected for marketing purposes and we do not use your personal data to send you unsolicited promotions or newsletters.

Article 4: Purposes of processing and legal basis

We process your personal data only for specific, explicitly described and legitimate purposes, and not in a manner that is incompatible with those purposes. The main purposes of processing within RAPP, with the corresponding legal basis, are:

1. Provision of the service (performance of the agreement): We use your email address and password to create and manage your user account so that you can log in and use the app. Your app usage data (progress, scores, etc.) is processed to provide RAPP's core service: we track your progress, display your results and ensure that the app functions properly in accordance with the agreements we have with you (the terms of use). The legal basis for these processing operations is the necessity for the performance of the contract with you (Art. 6(1)(b) GDPR), as these data processing operations are necessary to provide you with access to and use of the app.

2. Payment processing: If you make a payment (e.g. for premium features or content in the app), we process the necessary data to complete the transaction. Your payment details are processed directly by Stripe (our external payment service provider) for the purpose of processing the payment. The legal basis for this is also the performance of the contract (Art. 6(1)(b) GDPR) – processing your payment is necessary to provide the service you have requested (a purchase in the app).

3. Communication and support: If you contact us for support or if we need to inform you about service-related matters (e.g. important changes to the app or this privacy statement), we will use your contact details (such as your email address) to communicate with you. This is done to fulfil our agreement with you (customer support is part of our services) or based on our legitimate interest in providing good customer service. However, we will not send you any marketing messages without your explicit consent.

4. Security and authentication: We process your login details and any technical log files to ensure the security of the app and your account. This includes verifying your identity when you log in and monitoring suspicious login attempts to prevent fraud or misuse. The legal basis for this is our legitimate interest (Art. 6(1)(f) GDPR) in maintaining the integrity and security of our service, as well as the performance of the contract, since secure access is part of the service.

In all cases, we do not ask for your consent for the above processing, as it is either necessary for the performance of a contract with you or based on another legal basis (such as legitimate interest). Since we do not process personal data for direct marketing, profiling or non-essential purposes, consent is generally not required under the GDPR. If we do require your consent for a specific purpose in the future, we will request it separately and clearly in accordance with the GDPR requirements for valid consent.

Article 5: Sharing data with third parties

Your personal data will not be sold or shared with third parties for commercial or marketing purposes. We will only pass on your data to third parties to the extent necessary for the functioning of the app and the fulfilment of the above-mentioned purposes. The parties we work with are:

• Stripe (payment provider): For the processing of payments, we use Stripe Payments Europe, Ltd. (based in Dublin, Ireland) as an external payment processor. When you make a payment in RAPP, the necessary transaction data (such as amount and payment method) is securely transmitted to Stripe. Stripe processes this data in accordance with its own privacy policy and may act as a (joint) controller in that context. RAPP itself does not store any sensitive payment data (such as card numbers); these are processed exclusively by Stripe. We ensure that appropriate agreements (processing agreement) have been made with Stripe to guarantee the protection of your data.

• Microsoft Azure (hosting and authentication): RAPP is hosted on Microsoft Azure cloud servers and uses Azure services for user authentication and security. Microsoft acts as a processor on our behalf. This means that Microsoft provides the technical infrastructure in which your personal data (such as your account details and usage data) is stored and processed, but they are not permitted to use this data for their own purposes. We have entered into a processing agreement with Microsoft that complies with the requirements of Article 28 of the GDPR, and Azure offers strong security measures for data processing.

In addition to the above service providers, we may need to share data with other parties if this is required by law or at the request of competent authorities (e.g. a court or the police). In such cases, we will comply with the law and only provide the requested data if there is a valid legal basis for doing so.

International data transfer: We strive to process and store your data within the European Economic Area (EEA) as much as possible. Microsoft Azure has data centres in the EEA and we choose European data locations for hosting RAPP. Stripe processes payments through its European entity (Stripe Payments Europe in Ireland); however, certain data may be transferred to parent companies or sub-processors outside the EEA (e.g. the US) in the context of payment processing. In such cases, we – and Stripe – will ensure appropriate safeguards in accordance with Chapter V of the GDPR, such as standard contractual clauses or other mechanisms approved by the European Commission, to ensure an adequate level of protection for the personal data transferred.

Article 6: Cookies and tracking

The RAPP web application does not use cookies or tracking technologies to collect data about your behaviour. We therefore do not place analytical cookies, tracking cookies or similar technologies on your device. This means that we do not monitor your use of the app for marketing or advertising purposes, and do not build profiles beyond what is strictly necessary for the functioning of the service. Only if a technically necessary cookie or similar technology is required (e.g. to maintain your login session) will we use it, but RAPP does not currently use such technology. You can therefore use the app without any personal tracking taking place.

Article 7: Retention period

We do not retain your personal data for longer than is necessary for the purposes for which it was collected. In practice, this means that your data will be retained for as long as your user account is active. As long as you use RAPP and have not deleted your account, we need your data to provide the service (e.g. to track your progress).

If you choose to terminate your account or have it deleted, we will delete or anonymise your personal data.

In the event of inactivity for a long period of time, we may ask you to confirm whether you wish to keep your account active; in the event of continued inactivity, we reserve the right to delete your account (and therefore your personal data), provided that we notify you in advance.

We may retain certain data for longer if this is required by law or to defend our legitimate interests. For example, we may retain proof of your consent or transaction records (invoice data) for administrative and legal purposes during the statutory limitation period. In principle, however, this will not apply to most of your RAPP usage data, as RAPP itself does not store any payment details and does not process any other data subject to statutory archiving requirements.

We therefore always apply the principle that personal data is not stored in an identifiable form for longer than is necessary for the purposes of processing. As soon as there is no longer any need to store your data, it will be deleted or anonymised.

Article 8: Security of your data

We take appropriate technical and organisational security measures to protect your personal data against loss, misuse, unauthorised access, unwanted disclosure and unauthorised modification. Some of the measures we have taken are:

• Secure infrastructure: Your data is stored on Microsoft Azure servers, which are known for their high security standards. Azure offers encryption of data in transit and at rest, firewall protection and continuous monitoring. We use Azure's European data centres to ensure a high level of protection and compliance with EU privacy rules.

• Authentication security: Passwords are stored hashed and encrypted via Azure Identity services. This means that even in the unlikely event of a data breach, your password will not be visible in readable form. In addition, access to your account is protected by your personal password; we recommend that you choose a strong password and keep it secret.

• Access control: Only authorised persons within our organisation (and our authorised processors as mentioned in Article 5) have access to personal data, and only to the extent necessary. They are bound by strict confidentiality obligations.

• Monitoring and updates: We keep our systems up to date and apply security patches as soon as they become available. Suspicious activity (such as unusual login attempts) is monitored so that we can intervene in a timely manner in the event of potential security incidents.

Although we make every effort to ensure security, no digital service can be 100% secure. If, despite our measures, a data breach occurs that is likely to pose a high risk to your rights and freedoms, we will report this to the Data Protection Authority and, if required by law, also to you as the user concerned, in accordance with the reporting obligation under the GDPR.

Article 9: Minors

RAPP does not apply any specific age limit for users; the application is accessible to all ages. However, we would like to emphasise that the privacy of children is particularly protected by law. Under Belgian law (Article 7 of the Law of 30 July 2018 transposing the GDPR), parental consent must be obtained for children under the age of 13 when their personal data is processed in the context of a direct offer of information society services.

In concrete terms, this means that if you are under 13 years of age, a parent or legal guardian must give consent for your registration and use of RAPP, insofar as such consent is required by law. Although RAPP does not, in principle, carry out processing based on consent (see Article 4) and the service is generally based on contractual necessity, we assume that users under the age of 18 have the consent and supervision of a parent/guardian when creating an account and using the app. We do not specifically target children under the age of 13 in our offering, and we do not knowingly collect data from children under the age of 13 without parental consent. If we discover that we have unintentionally collected personal data from a minor under the age of 13 without verifiable parental consent, we will make reasonable efforts to delete that data as soon as possible.

Minors aged 13 to 16 are deemed to be able to give their own consent to data processing by online services under the Belgian implementation of the GDPR. We emphasise once again that RAPP does not process data on the basis of explicit consent, but we advise minors to involve their parents in their use of the app.

Article 10: Rights of data subjects

As a data subject (user of RAPP whose personal data is processed by us), you have various legal rights under the GDPR.

We respect these rights and have procedures in place to accommodate them. Your rights include:

• Right of access: You have the right to obtain confirmation as to whether we are processing your personal data and, if so, to access that data. This means that you can request which personal data we hold about you and receive a copy of it.

• Right to rectification: You have the right to have inaccurate or incomplete personal data corrected or supplemented. If you notice that certain information we hold about you is incorrect (e.g. an error in your name or an outdated email address), you can request us to correct it.

• Right to erasure (right to be forgotten): You may ask us to delete (some or all of) your personal data. We will comply with such a request for erasure in the cases provided for by law – for example, if the data is no longer necessary for the purposes for which it was collected, or if you withdraw your previous consent and we have no other legal basis for processing it, or if the processing is unlawful. Please note that this right is not absolute; sometimes we may or must retain data despite your request (for example, to comply with a legal obligation). However, in the context of RAPP, exercising this right will usually mean that we will delete your account and erase all your usage data, unless there is a compelling reason to retain (some of) the data.

• Right to restriction of processing: You have the right to ask us to temporarily restrict the processing of your data. This may be the case, for example, if you dispute the accuracy of your data (during the period we are checking this), or if the processing is unlawful but you do not want the data to be deleted, or if we no longer need the data but you need it for a legal claim. In the event of restriction, we will continue to store the data but may not process it further other than with your consent or for legal claims, etc.

• Right to object: You have the right to object to certain processing of your personal data. In particular, you may object at any time to processing based on our legitimate interest (Art. 6(1)(f) GDPR), provided that you give reasons related to your specific situation. Given the nature of RAPP, we base our processing primarily on contractual necessity; however, to the extent that we rely on legitimate interest (e.g. for security or support), you have the right to object. If you object, we will cease the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms (or if the processing is related to a legal claim). Please note: you also have the absolute right to object to any processing for direct marketing purposes. As indicated, we do not currently use your data for direct marketing, so this right is mainly for information purposes.

• Right to data portability: Where applicable, you have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format so that you can transfer it to another service provider. This right only applies to data that we process on the basis of your consent or on the basis of a contract with you, and insofar as the processing is automated. In the case of RAPP, this concerns, for example, your profile and usage data. At your request, we can also forward the data directly to a new provider, if technically possible.

• Right not to be subject to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that has legal effects on you or otherwise significantly affects you. RAPP does not make any such automated decisions about users who meet this criterion; therefore, there is currently no profiling or automated decision-making with legal impact in our services.

To exercise any of your rights, you can submit a request to us via the email address support@viinnovate.com. Please clearly indicate which right you wish to exercise and, if necessary, which data is concerned. We may ask you for additional information to verify your identity so that we do not disclose your data to the wrong person (for example, we may ask you to make the request from the email address associated with your account or to provide proof of identity in case of doubt). We will respond to your request free of charge and within one month. In exceptional cases (e.g. very complex or multiple simultaneous requests), we may extend this period by up to two additional months, but in that case we will inform you of the delay and the reasons for it within the first month.

Article 11: Complaints and supervision

If you have any questions or complaints about our processing of your personal data, please contact us in the first instance (using the contact details in Article 2). We will do our best to respond to and resolve your complaint.

Article 12: Changes to this privacy statement

Privacy legislation and our services may change over time.

We therefore reserve the right to change or update this privacy statement from time to time. In the event of material changes, we will notify you via the app (e.g. via a notification or email) and, if required by law, ask for your consent again if the change relates to processing operations for which consent is required. The date of the most recent change is stated at the top of the privacy statement. We recommend that you consult this statement periodically to stay informed about how we process your personal data.

Article 13: Deleting your account and data

You can delete your entire account – including all associated personal data and app progress – at any time. In the web app, go to Settings → Profile and select ‘Delete account & data’ at the bottom. After your confirmation:

• your account will be deactivated immediately so that you no longer have access to RAPP;

• we will delete all your identifiable data from our active systems and backups within a maximum of 30 days, unless we are required to retain certain data for longer in order to comply with legal obligations (e.g. tax retention periods for payment receipts);

• there will be no refund for any subscription fees or purchases already paid, regardless of the remaining usage period or unused content.

Please note: this action is irreversible – your progress, scores and any purchased content will be permanently lost. If you wish to use RAPP again at a later date, you will need to create a new account.

If you have any questions about how RAPP handles your privacy after reading this privacy statement, please feel free to contact us at support@viinnovate.com. We will be happy to assist you and provide you with any further information you may require. Your trust and privacy are very important to us, and we are committed to the secure and compliant processing of your personal data.