STEINWEG ONLINE PRIVACY POLICY

1. INTRODUCTION

• This Privacy Policy (“Policy”) provides information on the personal data processing by C. STEINWEG ONLINE 1847 PTE. LTD. (Company Registration No.: 201533584D), a company incorporated in Singapore and having its registered office at 28 Jurong Port Road, Singapore 619113 (“Steinweg Online”, “us”, “our” or “we”)
• Steinweg Online can be reached via the following contact details:
  Telephone number: +65 3163 7547
  Email address: support@steinwegonline.com
• Steinweg Online is part of the C. Steinweg Group, with its headquarters in Rotterdam, The Netherlands.
• This Policy applies for all personal data processed by Steinweg Online and/or on behalf of Steinweg Online, which identify or may identify a natural person (“Personal Data”). These natural persons are hereinafter collectively referred to as data subjects (“Data Subjects”, “you” or “your”).
• Steinweg Online reserves the right to review and/or alter this Policy periodically, in order to comply with (local and/or European) legislation, and for any other purpose deemed reasonably necessary by Steinweg Online.
• For queries and inquiries about this Policy, please contact the Data Protection Officer at: support@steinwegonline.com.

2. HANDLING OF PERSONAL DATA

• This Policy sets out the elements necessary for Steinweg Online’s compliance with applicable privacy legislation, principles and practice, including but not limited to the General Data Protection Regulation (“GDPR”) and Personal Data Protection Act 2012 of Singapore (“PDPA”) (the GDPR and the PDPA collectively, “Applicable Laws”).
• This Policy is an external policy, and is directed towards you and other Data Subjects whose Personal Data are being processed by Steinweg Online for the purpose of producing and delivering services (“Services”) in respect of Steinweg Online’s mobile application and website at www.steinwegonline.com (collectively, “Steinweg Online Website”). This Policy applies to the processing of Personal Data, in which Steinweg Online acts as the data controller within the meaning of the GDPR and acts as an organisation within the meaning of the PDPA. This is the case when Steinweg Online determines the purpose for and the means for the processing of Personal Data of Data Subjects within the purposes of this Policy.
• For business purposes as described below, you may be asked to provide your Personal Data. If this is the case, Steinweg Online and its partners shall be required to keep such information confidential.

3. PERSONAL DATA

• Personal Data mentioned herein and defined by Steinweg Online refers to information of all kinds that can, directly or indirectly, identify a Data Subject -- their name, address, email address, mobile phone number, and so on -- that are transmitted to Steinweg Online by Data Subjects.
• The categories of Personal Data that Steinweg Online processes are:
  
   - name;
  
  
   - personal and business mobile telephone numbers;
  
  
   - company address;
  
  
   - company email address;
  
  
   - biometric data, including photographs and other audio-visual material (e.g. voice-recordings);
  
  
   - employment information (company name and title);
  
  
   - Service account information;
  
  
   - marketing preferences;
  
  
   - server logs;
  
  
   - visitor information;
  
  
   - information about devices;
  
  
   - preferred communication methods; and
  
  
   - information required to satisfy our obligations under applicable laws and regulations.
• Web tracking data
  When you visit the Steinweg Online Website, we collect and store the following log information from you:
  
   - information in server logs, including Internet protocol (“IP”) address, mobile device IP address, Internet service provider (ISP), GPS location, clickstream data, browser type and language, viewed and exit pages and date or time stamps; your login information, browser type and version, time zone setting, browser plug-in types and versions; and operating system and platform;
  
  
   - information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the Steinweg Online Website (including date and time); information you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page; and any phone number used to call our customer service number; and
  
  
   - information about the device you use to access the Steinweg Online Website or to use the Services, including unique device identifiers, usage information (such as page requests and average time spent on the Steinweg Online Website), operating system, browser type and the device’s mobile network information and telephone number (if relevant).
• Links to third party sites, content and services
  The Steinweg Online Website may also contain links to other websites. This Policy does not cover the privacy policies and information practices of any such third parties. These other websites are governed by their own privacy policies or information collection practices, which may be substantially different from ours.

4. PURPOSE AND LEGAL BASIS OF DATA PROCESSING

• The purposes of the processing of Personal Data by Steinweg Online are:
  
  
   - authentication of the Data Subject;
  
  
   - authentication and approval of instructions for transactions;
  
  
   - security of the Steinweg Online Website;
  
  
   - delivering Services;
  
  
   - carrying out obligations arising from agreements with Data Subjects;
  
  
   - providing information requested by Data Subjects;
  
  
   - allowing Data Subjects to participate in interactive features on the Steinweg Online Website;
  
  
   - improving the design, functionality, performance and content of the Steinweg Online Website;
  
  
   - data analysis, testing, research, statistical and survey purposes;
  
  
   - personalising the user experience and measure overall effectiveness;
  
  
   - contacting you to send you information about our Services, and to notify you about changes or updates to the Steinweg Online Website or Services, including the Steinweg Online Terms and Conditions and this Policy;
  
  
   - preventing, detecting, investigating and prosecuting security threats, fraud, misconduct or other unlawful or malicious activity on the Steinweg Online Website or in respect of the Services;
  
  
   - protecting our legal rights, property or safety, or protecting third parties;
  
  
   - compliance with our legal obligations and other rules, regulations, codes of practice, and orders and directions of competent regulatory authorities or governmental bodies that we are obligated to follow;
  
  
   - resolving disputes and enforcing our agreements; and
  
  
   - internal operational and administrative purposes.
• Legal basis
  Steinweg Online is obligated to process the Personal Data in accordance with the abovementioned purposes and in compliance with the Applicable Laws. The data processing by Steinweg Online is necessary for the operation of activities, for which the Data Subject has given its explicit consent. Where the processing is based on consent, the Data Subject has the right to withdraw consent at any time, by deactivating the account. In that case, the Steinweg Online account can no longer be used by the Data Subject.
  
  The use of certain Personal Data, such as photographs, audio-visual material (e.g. voice-recordings) and biometric authentication methods (e.g. Touch ID technology), is based on a legitimate interest pursued by Steinweg Online, which is the security and authentication of the Data Subject for using the Steinweg Online Website.
• Retention period
  Steinweg Online will not use and store Personal Data longer than necessary to fulfil the abovementioned purposes, or longer than necessary to comply with contractual obligations or as permitted or required by the Applicable Laws, and shall remove the collected Personal Data after such period. Personal Data may be stored in accordance with this principle, even where Data Subjects have deactivated their account with us. As per Applicable Laws the retention period is set to 7 years from the data of collection, or as long as retention is necessary for legal or business purposes.

5. PURPOSE LIMITATION

• The Personal Data may only be processed to the extent necessary for the described purposes. Personal Data may not be processed for other purposes other than that for which the Personal Data were collected. If there is a necessity or need to process Personal Data for other purposes, it shall be investigated by Steinweg Online whether the purposes of the intended data processing is compatible with the original purposes. Steinweg Online shall provide the Data Subject prior to that further processing with information on that other purpose and obtain the consent of the Data Subject if further processing is incompatible with the original purposes.

6. SECURITY OF PERSONAL DATA

• Steinweg Online handles Personal Data carefully and confidentially, and uses all suitable and state-of-the art physical, managerial, and technical safeguards (e.g. encryption, SSL certificates and three-step authentication procedures) to preserve the integrity and security of your Personal Data.
• We have put in place procedures in an effort to safeguard and help prevent unauthorised access, maintain data security, and correctly use the information we collect. We also take reasonable steps to help make sure that third parties we work with protect the security of your Personal Data.
• Where we have given you (or where you have chosen) a password and other unique identifiers which enable you to access certain parts of the Steinweg Online Website, you are responsible for keeping this password confidential. We ask you not to share the password with anyone, and to sign out of your user account and close your browser window when you wish to exit the Steinweg Online Website. If you are using a shared or a publicly accessible computer or other device, we ask that you ensure that the cache memory on such computer or device is emptied when you close the browser on which the Steinweg Online Website was accessed in order that the contents of the Steinweg Online environment may not be viewed by subsequent users of such computer or device.

7. TRANSFER OF PERSONAL DATA

• Personal Data are being stored or transferred by Steinweg Online and other third parties such as our affiliates, associated companies, business partners, suppliers, sub-contractors analytics and search engine providers, for one or more of the purposes set out in paragraph 4 of this Policy.
• Steinweg Online will not disclose Personal Data provided by Data Subjects to any party, other than Steinweg Online itself, its affiliates and associated companies, without the prior permission from the Data Subjects unless otherwise in accordance with the requirements of Applicable Laws.
• Steinweg Online discloses Personal Data in case such disclosure is mandatory under Applicable Laws or is reasonably judged to be essential in order to protect and safeguard the rights, property and safety of other parties, Steinweg Online itself, and/or Steinweg Online’s affiliates.
• Steinweg Online may transfer Personal Data to a third country or international organisations outside of the European union/European Economic Area (“EU/EEA”), such as to Singapore, which shall take place only in compliance with the Applicable Laws, and where appropriate safeguards are in place that ensure the level of protection of Data Subjects as required by the Applicable Laws (e.g. transfers on the basis of an adequacy decision or standard EU Model clauses). In situations where Steinweg Online transfers Personal Data to countries outside the EU/EEA, Steinweg Online will enter into appropriate contractual arrangements with EU Model Clauses.
• In certain circumstances, it is possible that Personal Data may be subject to disclosure pursuant to judicial or other government subpoenas, warrants, or orders.

8. RIGHTS IN RELATION TO PERSONAL DATA

• Data Subjects have the right of information, access, rectification, addition and erasure of Personal Data, and the right to object against or restrict the processing of Personal Data (or withdraw an earlier given consent), as well as the right to data portability. The procedure of Steinweg Online that enable Data Subjects to exercise these rights, is described below.
• Data Subjects may file a request for access with Steinweg Online, and Steinweg Online shall respond as soon as possible, and in any event within one (1) month, about:
  
  a) whether Steinweg Online holds any Personal Data relating to the respective Data Subject; and, if Steinweg Online holds such Personal Data, information on the purposes of the processing; the categories of Personal Data, the recipients (if applicable); the envisaged period for which the Personal Data will be stored, or the criteria used for retention; the existence of the right to request rectification, erasure, restriction or to object to processing, the right to lodge a complaint with a supervisory authority, the existence of automated decision-making; and where the data is transferred to a third country, the appropriate safeguards applied to and the source(s) of the Personal Data.
  
  To protect your privacy and security, we will take reasonable steps to verify your identity before processing any request under this paragraph 8.
• A Data Subject may also request Steinweg Online to correct, restrict, amend, add, erase and/or transport the Personal Data. Steinweg Online informs the Data Subject within one (1) month after receiving the request whether the request shall be complied with (in time), and if not, accompanied with the reasons for the delay or rejection.
• Information provided shall be free of charge. Data Subjects can exercise these rights at reasonable intervals. Data Subjects can exercise their rights by contacting the Data Protection Officer in writing (see address above) or per e-mail at: support@steinwegonline.com.
• Unless Steinweg Online is entitled to or prohibited from complying with a request under Applicable Law, Steinweg Online will comply with a legitimate request of a Data Subject for correction, restriction or erasure if the Personal Data are factually incorrect, incomplete or irrelevant for the purpose(s) of the data processing, or otherwise processed in violation of the Applicable Laws.
• With regard to a request to erase Personal Data, it should be taken into account that Steinweg Online shall not comply with such request if it is incompatible with any legal obligations of Steinweg Online, or if a request is manifestly unfounded or excessive, in particular because of their repetitive character. If you would like your Personal Data to be permanently removed from our servers or databases, please contact us with your request. If there are no incompatible legal obligations, we will promptly delete your account and you will no longer receive information or updates regarding our Services. The removal of your account and Personal Data from our servers and databases will not delete information stored in our data backups and archives, which we reserve the right to maintain for purposes of compliance with our legal obligations, but which we will delete in the normal course of our business.
• If a request is allowed, Steinweg Online shall execute the decision to correct, amend, erase and/or transport the Personal Data as soon as possible.
• In the event of concerns about the handling of Personal Data, Data Subjects also have the right to lodge a complaint with a local supervisory authority.

9. CHANGES TO POLICY

• We may update this Policy from time to time. In such cases we will notify you in writing and upon your next login to the Steinweg Online Website you will have the option to accept or reject the updated privacy policy.

10. QUESTIONS AND INQUIRIES

• For queries and inquiries about this Policy, please contact the Data Protection Officer of Steinweg Online at: support@steinwegonline.com.