PERSONAL DATA PROCESSING AND COOKIE USAGE POLICY
PREAMBLE
This Policy (hereinafter referred to as the “Policy”) constitutes an integral part of the User Agreement of BP.CX (hereinafter referred to as the “Agreement”) and governs the procedure for the processing of personal data performed by BP.CX and by any User of the Website / Services (hereinafter referred to as the “User”). All terms referenced in this preamble are disclosed in Article 2 of the Agreement. Each of the designated parties, when mentioned separately, may be referred to in the text of the Policy as a “Party,” and when mentioned jointly, the designated parties may be referred to as the “Parties.”
1. GENERAL PROVISIONS
1.1. This Policy establishes the principal principles, purposes, conditions, and methods for the processing of Users’ personal data via the Website/Services, as carried out by BP.CX.
1.2. This Policy has been developed in compliance with the requirements of the Law of the Republic of Costa Rica No. 8968 (Ley 8968) “On the Protection of Personal Data,” the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), the General Data Protection Regulation (GDPR), and the APEC Privacy Framework.
1.3. This Policy applies to all operations conducted by BP.CX with personal data, whether by automated means or otherwise. BP.CX processes Users’ personal data only when the User independently completes and/or submits personal data through forms within the interfaces of the relevant Services. By completing the relevant forms, the User expresses Consent to this Policy.
1.4. The User independently decides to provide their personal data and grants Consent freely, voluntarily, and in their own interest, in accordance with the provisions of Article 9 of this Policy.
1.5. This Policy may be amended at any time at the sole discretion of BP.CX. The current version of the Policy is posted on the Website or in the relevant section of the interface of the applicable Service, and updates or amendments do not require separate notification to Users. The updated or amended Policy enters into force upon its publication on the Website or in the relevant section of the interface of the applicable Service. Continued use of the Website or Services by the User after amendments, updates, or additions to this Policy shall constitute the User’s acceptance of and Consent to such changes, updates, or additions.
2. DEFINITIONS
For the purposes of this Policy, the following terms shall have the meanings set forth below:
2.1. Personal data means any information relating, directly or indirectly, to an identified or identifiable individual (Data Subject – User).
2.2. Personal data processing means any operation or set of operations performed with or without the use of automation tools on personal data, including collection, recording, systematization, accumulation, storage, clarification (updating, modification), retrieval, use, transfer (dissemination, provision, access), anonymization, blocking, deletion, or destruction of personal data.
2.3. Automated processing of personal data — processing of personal data by means of computing equipment.
2.4. Dissemination of personal data — actions aimed at disclosing personal data to an indefinite circle of persons.
2.5. Provision of personal data — actions aimed at disclosing personal data to a specific person or a specific group of persons.
2.6. Blocking of personal data — temporary suspension of the processing of personal data (except where processing is necessary for the clarification of personal data).
2.7. Destruction of personal data — actions that render it impossible to restore the content of personal data within the personal data information system and/or actions that result in the destruction of physical storage media containing personal data.
2.8. Data Subject (User) — an individual who can be directly or indirectly identified by means of personal data.
2.9. Consent to personal data processing, Consent— the performance by the User of conclusive actions as described in paragraph 9.1 of this Policy, which confirm the User’s voluntary decision to provide BP.CX with personal data to the extent, on the terms, and for the purposes defined in this Policy.
2.10. Cookies are text files that are stored on the User’s device when visiting the Website (and/or other Services). They assist us in improving the operation of the Website (Services) and in providing a personalized experience.
3. PRINCIPLES AND PURPOSES OF PERSONAL DATA PROCESSING
3.1. The processing of personal data is carried out by BP.CX taking into account the necessity of ensuring the protection of the rights and freedoms of Data Subjects (Users), including the protection of the right to privacy and personal and family confidentiality, on the basis of the following principles:
3.1.1. The processing of personal data shall be carried out on a lawful basis;
3.1.2. The processing of personal data shall be limited to the attainment of specific, pre-defined, and lawful purposes;
3.1.3. The processing of personal data that is incompatible with the purposes of personal data collection shall not be permitted;
3.1.4. The content and scope of the personal data processed shall correspond to the declared purposes of processing;
3.1.5. The processing of personal data in excess of the declared purposes of such processing shall not be permitted;
3.1.6. The accuracy, sufficiency, and, where necessary, the relevance of personal data to the purposes of their processing shall be ensured during the processing of personal data;
3.1.7. The storage of personal data shall be carried out in a form that allows the identification of the Data Subject (User), no longer than is required for the purposes of personal data processing, unless a longer storage period is established by statutory enactment or contract;
3.1.8. Processed personal data shall be destroyed or anonymized upon achievement of the processing purposes or when there is no longer a necessity to achieve such purposes, unless otherwise provided by statutory enactment or contract.
3.1.2. The processing of personal data shall be limited to the attainment of specific, pre-defined, and lawful purposes;
3.1.3. The processing of personal data that is incompatible with the purposes of personal data collection shall not be permitted;
3.1.4. The content and scope of the personal data processed shall correspond to the declared purposes of processing;
3.1.5. The processing of personal data in excess of the declared purposes of such processing shall not be permitted;
3.1.6. The accuracy, sufficiency, and, where necessary, the relevance of personal data to the purposes of their processing shall be ensured during the processing of personal data;
3.1.7. The storage of personal data shall be carried out in a form that allows the identification of the Data Subject (User), no longer than is required for the purposes of personal data processing, unless a longer storage period is established by statutory enactment or contract;
3.1.8. Processed personal data shall be destroyed or anonymized upon achievement of the processing purposes or when there is no longer a necessity to achieve such purposes, unless otherwise provided by statutory enactment or contract.
3.2. BP.CX processes personal data for the following purposes:
3.2.1. identification of the User for the conclusion and subsequent performance of any agreements with BP.CX;
3.2.2. conducting BP.CX promotions, surveys, interviews, tests, and research on the Website or within the Service interfaces;
3.2.3. establishing feedback with the User, including but not limited to: sending newsletters, notifications in the form of SMS messages, emails, oral and written requests, and processing requests and applications from the User;
3.2.4. confirmation of the accuracy and completeness of the personal data provided by the User;
3.2.5. statistical and other research and/or analytical purposes, provided that the User's personal data is anonymized.
3.2.2. conducting BP.CX promotions, surveys, interviews, tests, and research on the Website or within the Service interfaces;
3.2.3. establishing feedback with the User, including but not limited to: sending newsletters, notifications in the form of SMS messages, emails, oral and written requests, and processing requests and applications from the User;
3.2.4. confirmation of the accuracy and completeness of the personal data provided by the User;
3.2.5. statistical and other research and/or analytical purposes, provided that the User's personal data is anonymized.
4. SCOPE AND CATEGORIES OF PROCESSED PERSONAL DATA
4.1. BP.CX may process the personal data of the following Data Subjects: Users of the Website / Services.
4.2. The personal data processed by BP.CX includes the following categories of data (BP.CX, at its sole discretion, may collect and process only some of the categories listed below and is not obligated to collect and process all):
4.2.1. the surname, first name, and patronymic of the Data Subject (User);
4.2.2. mobile phone number;
4.2.3. email address;
4.2.4. User ID in the Telegram messenger;
4.2.5. request and viewing history in the BP.CX Services;
4.2.6. cookies, information regarding the User’s location, information concerning the User’s actions on the Website and within BP.CX Services, information about the User’s equipment, as well as the date and time of the session.
4.2.2. mobile phone number;
4.2.3. email address;
4.2.4. User ID in the Telegram messenger;
4.2.5. request and viewing history in the BP.CX Services;
4.2.6. cookies, information regarding the User’s location, information concerning the User’s actions on the Website and within BP.CX Services, information about the User’s equipment, as well as the date and time of the session.
4.3. BP.CX ensures that the content and scope of personal data processed correspond to the declared purposes of processing and, if necessary, undertakes measures to eliminate any redundancy in relation to the stated purposes of processing.
5. PROCEDURE AND CONDITIONS FOR PERSONAL DATA PROCESSING
5.1. BP.CX processes personal data using the following methods:
5.1.1. Non-automated processing of personal data;
5.1.2. Automated processing of personal data, with or without the transfer of the obtained information through information and telecommunication networks, including processing by means of automated database management systems and other software tools;
5.1.3. Mixed processing of personal data.
5.1.2. Automated processing of personal data, with or without the transfer of the obtained information through information and telecommunication networks, including processing by means of automated database management systems and other software tools;
5.1.3. Mixed processing of personal data.
5.2. The list of actions performed by BP.CX with personal data includes: collection, systematization, accumulation, storage, clarification (updating, modification), use, dissemination (including transfer), anonymization, blocking, and destruction in accordance with the regulatory acts referenced in clause 1.2 of this Policy.
5.3. The User independently decides to provide personal data and gives Consent freely, of their own will, and in their own interest.
5.4. BP.CX does not process biometric personal data.
5.5. For the proper functioning of the Services and the duly appropriate provision of services, Users' personal data may be transferred to and processed within jurisdictions other than the User's country of residence.
5.6. BP.CX does not process special categories of personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual life.
5.7. The processing of personal data may be terminated upon achievement of the purposes of processing, the expiry of the Consent, withdrawal of Consent by the Data Subject (User), or identification of unlawful processing of personal data.
5.8. The period for processing personal data is unlimited. The Data Subject may withdraw their Consent to the processing of personal data at any time by sending BP.CX a notification via email to the following address: support@BP.CX.
5.9. BP.CX undertakes to cease processing the personal data of the Data Subject (User) within 5 (five) business days from the date of receipt of such notification, in accordance with clause 5.8 of this Policy.
6. MAIN RIGHTS AND OBLIGATIONS
6.1. BP.CX is entitled to:
6.1.1. receive from the Data Subject (User) accurate information and/or documents containing personal data;
6.1.2. require the Data Subject (User) to promptly update the provided personal data.
6.1.2. require the Data Subject (User) to promptly update the provided personal data.
6.2. BP.CX's obligations:
6.2.1. process personal data in accordance with the procedures established by the regulatory acts referenced in Clause 1.2 of this Policy;
6.2.2. To consider requests from the Data Subject (User) (or their legal representative) regarding the processing of personal data and to provide reasoned responses;
6.2.3. To provide the Data Subject (User) (or their legal representative) with the opportunity for gratuitous and unrestricted access to their personal data;
6.2.4. To take measures to clarify or delete the Data Subject's (User's) personal data in response to lawful and substantiated requests submitted by them (or their legal representative);
6.2.5. to organize the protection of personal data in accordance with the requirements of the regulatory acts referenced in clause 1.2 of this Policy.
6.2.2. To consider requests from the Data Subject (User) (or their legal representative) regarding the processing of personal data and to provide reasoned responses;
6.2.3. To provide the Data Subject (User) (or their legal representative) with the opportunity for gratuitous and unrestricted access to their personal data;
6.2.4. To take measures to clarify or delete the Data Subject's (User's) personal data in response to lawful and substantiated requests submitted by them (or their legal representative);
6.2.5. to organize the protection of personal data in accordance with the requirements of the regulatory acts referenced in clause 1.2 of this Policy.
6.3. The Data Subject (User) has the right to:
6.3.1. receive complete information regarding their personal data processed by BP.CX;
6.3.2. access their personal data, including the right to obtain a copy of any record containing their personal data, except in cases stipulated by the regulatory acts referenced in clause 1.2 of this Policy;
6.3.3. to request the correction, blocking, or destruction of his personal data if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
6.3.4. to withdraw consent to the processing of personal data;
6.3.5. to take measures prescribed by law to protect his rights;
6.3.6. to exercise other rights provided for by the regulatory acts referenced in Clause 1.2 of this Policy.
6.3.2. access their personal data, including the right to obtain a copy of any record containing their personal data, except in cases stipulated by the regulatory acts referenced in clause 1.2 of this Policy;
6.3.3. to request the correction, blocking, or destruction of his personal data if the personal data are incomplete, outdated, inaccurate, unlawfully obtained, or not necessary for the stated purpose of processing;
6.3.4. to withdraw consent to the processing of personal data;
6.3.5. to take measures prescribed by law to protect his rights;
6.3.6. to exercise other rights provided for by the regulatory acts referenced in Clause 1.2 of this Policy.
6.4. The Data Subject (User) shall:
6.4.1. provide BP.CX with accurate information about themselves;
6.4.2. (if necessary) provide documents containing personal data to the extent required for the purpose of processing;
6.4.3. notify BP.CX of the specification (update, amendment) of their personal data.
6.4.2. (if necessary) provide documents containing personal data to the extent required for the purpose of processing;
6.4.3. notify BP.CX of the specification (update, amendment) of their personal data.
7. USE OF COOKIES
7.1. The definition of cookies is set forth in clause 2.10 of this Policy.
7.2. Types of cookies used:
7.2.1. mandatory cookies: required for the operation of the Website / Services and cannot be disabled;
7.2.2. Functional cookies: ensure the retention of User preferences (for example, language selection);
7.2.3. Analytical cookies: collect data regarding the use of the Website / Service to improve its performance;
7.2.4. Advertising cookies: are used to display personalised advertising;
7.2.5. Third-party cookies: are set by third parties (for example, operators of Services not owned by BP.CX).
7.2.2. Functional cookies: ensure the retention of User preferences (for example, language selection);
7.2.3. Analytical cookies: collect data regarding the use of the Website / Service to improve its performance;
7.2.4. Advertising cookies: are used to display personalised advertising;
7.2.5. Third-party cookies: are set by third parties (for example, operators of Services not owned by BP.CX).
7.3. Purposes of cookie usage:
7.3.1. ensuring the proper operation of the Website / Services;
7.3.2. Analysis of User behavior for the improvement of the Website / Services;
7.3.3. Integration with social networks and content sharing.
7.3.2. Analysis of User behavior for the improvement of the Website / Services;
7.3.3. Integration with social networks and content sharing.
7.4. Cookie Management:
7.4.1. Upon the User’s first visit to the Website, a banner is presented to accept or configure cookies:
7.4.2. Cookies are collected only after the User’s explicit consent (opt-in);
7.4.3. The User may decline non-essential cookies at any time;
7.4.4. The User may configure the use of cookies through a dedicated section on the Website;
7.4.5. The User may disable cookies in their browser settings; however, this may affect the functionality of the Website / Services.
7.4.2. Cookies are collected only after the User’s explicit consent (opt-in);
7.4.3. The User may decline non-essential cookies at any time;
7.4.4. The User may configure the use of cookies through a dedicated section on the Website;
7.4.5. The User may disable cookies in their browser settings; however, this may affect the functionality of the Website / Services.
7.5. Both session cookies (deleted after closing the browser) and persistent cookies (stored for the duration of the Consent to personal data processing) are used.
7.6. Data collected through cookies may be transferred to third parties (such as analytics or advertising partners) in accordance with their privacy policies.
8. PROCEDURE FOR RESOLUTION OF DISPUTES
8.1. Any disputes between the Parties shall be resolved in accordance with the provisions of the Agreement referenced in the preamble, of which this Policy constitutes an integral part.
9. CONSENT TO THE PROCESSING OF PERSONAL DATA
9.1. By accepting the Agreement referenced in the preamble of this Policy, the User thereby grants BP.CX Consent to the processing of personal data in accordance with the provisions of this Policy.
9.2. The Consent referred to in Clause 9.1 of this Policy shall be effective from the moment it is granted and for the duration of the User’s use of the Website / Services, or until such time as the Consent is withdrawn in accordance with Clause 5.8 of this Policy.