Privacy Policy
1 Who we are
Cartamundi Group (“we” or “us”) includes various entities and commercial activities. Personal data is collected and processed by different entities based on the related services and application(s) (the “Services”). The Cartamundi Group includes different legal entities of which a full list, containing their names and office locations, can be consulted on our corporate website.
We value your privacy and are committed to protecting your personal data in accordance with applicable privacy and data protection laws based on the Services we provide to you.
This privacy policy describes the processing activities that we conduct in connection with your use of the Services (the “Privacy Policy”).
If you have any further questions regarding our use of your personal data, contact us at privacy@cartamundi.com.
2 Who this Privacy Policy applies to
This Privacy Policy applies to the processing of your personal data when you use our Services from either of the entities as explained below:
Cartamundi Entities
Description
Service
Example
Cartamundi Services NV (data controller)
Is a Belgian company of the Cartamundi Group and performs certain centralized services for affiliated entities of the Cartamundi Group.
Recruitment support services consisting of posting vacancies, collecting and transmitting CVs.
Whistleblowing support services consisting of transmitting Speak Up! reports to the relevant local legal entity.
Support for Services
You use our Services with the intention to apply for one of our job vacancies and/or are in the selection process for a specific job.
You use our Services because you want to report misconduct, unethical behavior, illegal practices, or other compliance issues you came across in your interaction with us, via our Speak Up! channel.
You reside in Europe and use of any of our Services and contact us, including when this is done via one of the contact forms or chatbots integrated in the Services.
Cartamundi Inc.
Is a company based in the United States that is part of Cartamundi Group.
Owns the Cardtopia.com webshop (“Cardtopia”) and the Card Games by Bicycle app (“Bicycle App”), and is the data controller with regard to these activities.
Support for Services
You are a Cardtopia or Bicyle App user that created and maintained a customer account.
You are a Cardtopia user that purchased a product on the webshop/app (either via your customer account or by ordering as a guest).
You reside in the US and use of any of our Services and contact us, including when this is done via one of the contact forms or chatbots integrated in the Services.
United States Playing Card Company
Is a company based in the US that is part of the Cartamundi Group.
May act as an independent controller for marketing activities related to Cardtopia
You reside in North America and consent to receiving marketing communication from Cardtopia.
Cartamundi Deutschland GmbH, Cartamundi France, and Cartamundi UK Ltd., Cartamundi Benelux NV, and Naipes Heraclio Fournier, S.A
Are companies based in Europe that are part of Cartamundi Group.
May act as an independent controller for marketing activities related to Cardtopia
You reside in Europe and consent to receiving marketing communication from Cardtopia.
3 Personal data we collect, purpose, legal basis, and how long we keep your data
Below we clarify which personal data we collect, the legal basis for processing it, the purpose for processing it, and how long we keep your data. Personal data is data that can be used to identify an individual directly or indirectly. We primarily obtain your personal data directly from you, when you contact us, except as expressly indicated below.
Note that we do not process all your data listed below. This depends on the situation, your relationship with us, your preferences, and how we maintain contact. We first indicate below which data we collect from users of any of our Services. Then, we clarify which data we may additionally process from specific categories of users as defined in the section “Who this Privacy Policy applies to” above.
To the extent we store and use anonymized personal data, we will not try to reidentify the information, except to test our deidentification methods.
3.1 Users of any of our Services
Purpose
Type of personal data
Legal basis
Retention period
Answering your query when you contact us, including when this is done via one of the contact forms or chatbots integrated in the Services.
Contact details
E.g. first name, last name, form of address, email address, phone number, active industry, country, the company you work for (optional), function, address, and other information you provide to us.
Communication and contact history
E.g. reason for contact, communication made.
Where your request cannot be framed in the establishment or performance of a contract, our legitimate interest consisting of our commercial interest as a company in answering your questions in relation to us and/or our products.
Up to 1 year after moment of contact.
For webshop related questions, up to 3 years after moment of contact.
Fulfilling our legal obligations as a company, such as in the domains of data protection, consumer protection, and tax and accounting.
All personal data mentioned in this Privacy Policy, to the extent relevant in function of the relevant legal obligation
Legal obligation
As stipulated by applicable laws and regulations. Depending on the applicable law, the retention period will be between 3 and 15 years.
The initiation and further management of legal or other proceedings where we are compelled to pursue protection/enforcement of our interests via the judicial system or other relevant channels, or vice versa, when legal or other proceedings are initiated by a third party against us, to organize our defense.
All personal data mentioned in this Privacy Policy, to the extent relevant in function of the relevant (impending) dispute.
Our legitimate interest to internally organize in the event of a conflict or potential conflict, to seek legal advice and representation, to communicate with our insurance company and insurance broker and to organize for litigation or settlement of dispute.
10 years after the settlement of the dispute or complaint.
3.2 Webshop and app users
Purpose
Type of personal data
Legal basis
Retention period
Registering an account on our webshop.
Account registration information
E.g. name, e-mail address, password.
Account usage information
E.g. tracking cookies.
Consent.
6 months after you delete your account.
Sending general communications related to the registration, management, and use of your account (e.g. to send a welcome e-mail, to inform you of a change to our terms).
Contact details
E.g. name, email.
Legitimate interest in keeping our webshop users informed about relevant matters relating to the registration, management and use of their account and the terms and conditions applicable thereon.
Until you object to these communications or delete your account.
Promoting our activities, products and services, by using your contact details to send marketing communications to you, via email or other channels, depending on the preferences you communicated to us (e.g. reminder that you have items in your shopping basket, notification that an item on your wish list is available, promotions for our products, promotional gifts, etc.).
Contact details
E.g. name, e-mail address, address, phone number.
Webshop usage information
E.g. shopping cart content, wish list content.
Consent.
For two years after you consent (unless re-consent is obtained) or (if earlier) until you withdraw consent. (an unsubscribe link is included in each e-mail message).
The use of cookies and similar technologies on our websites directed towards consumers as explained in detail in the relevant Cookie Policy for a website.
We may let third parties place tracking technology on our websites directed towards consumers (e.g., a cookie or a pixel). The third party might also collect data over time and across other websites. Among other things, they may use this data to serve ads tailored to your interests, which may include ads about our products or services.
Electronic identification and usage data such as. IP address, browser type, location data, by which route you arrive at our websites, the type of device via which you make use of our websites, the pages visited, the duration of visits, the way you navigate on the pages visited.
For strictly necessary cookies, our legitimate interest in providing a secure and technically sound website.
For all other categories of cookies, consent.
For an overview of the time periods during which each cookie records data, please consult the applicable Cookie Policy for that website.
When you make a purchase, entering and performing the agreement with you as our customer, including conducting transactional communications, making invoices, and processing payments, communicating about the delivery and providing support.
Contact Details
E.g. first name, last name, e-mail address, address, phone number.
Order, payment and billing data
E.g. order forms, invoices, bank account number, transaction statements, the necessary financial information corresponding to your selected method of payment (e.g. a credit card number and expiration date).
After sales data
E.g. support requests, complaints
Communication and contact history
E.g. reason for contact, communication made
Necessary for the establishment and performance of the agreement.
Legal obligation, for the processing necessary to fulfil the accounting obligations to which we are subject under tax and accounting laws as an enterprise, and product conformity and warranty obligations to which we are subject as a manufacturer/seller of goods.
Up to 10 years after your purchase.
Invoices are stored for at least 7 years given our accountability to the tax authorities.
When you have made a purchase, monitoring the quality of our products and their continuous improvement based on feedback we collect from you, including for the training of our employees, and exploring your interest in products not yet offered with a view to the possible expansion of our offering as a company. We pursue these purposes among others by:
troubleshooting and analysis of statistics and aggregated data;
market and satisfaction research.
Statistics, customer feedback
E.g. sales and support-related data, satisfaction scores and ratings.)
Legitimate interest in evaluating customer satisfaction and needs, with a view to continuously improving our products, customer service and offering
Until you exercise your right to object.
Customer feedback will be stored for 3 months and afterwards on an aggregated level.
Countering fraud and other forms of abuse of our Services.
Account login
To conduct identity verification through our identity verification service provider
Legitimate Interest
For as long as: 1) we continue to use our identity verification service provider or 2) is needed for our identity verification service provider to exercise its legal obligations.
No phone numbers or other mobile information will be shared with third parties for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
3.3 Applicants
Purpose
Type of personal data
Legal basis
Retention period
Registering an account on the recruitment platform.
Log-in details e.g. username and password.
Contact details e.g. name, e-mail address.
Consent/Perfomance of contract depending on the platform.
In accordance with the privacy policy of the corresponding platform.
Applying for a vacancy of Cartamundi.
Contact details
E.g. first name, last name, form of address, address, e-mail address, phone number.
Additional information
E.g. language knowledge, CV, cover letter (if applicable), how you found our vacancy, the staff member that referred you (if applicable).
Performance of contract (precontractual steps).
12 months after you applied for the vacancy.
Sending communications regarding the application process after applying for a vacancy.
Contact details
E.g. first name, last name, form of address, address, e-mail address, phone number.
Additional information
E.g. language knowledge, CV, cover letter (if applicable), how you found our vacancy, the staff member that referred you (if applicable).
Other information provided by you through the communications.
Performance of contract (precontractual steps).
12 months after you applied for the vacancy.
Sending communications regarding vacancies based on your profile.
Contact details
E.g. first name, last name, form of address, address, e-mail address, phone number.
Additional information
E.g. CV.
Consent.
12 months after you applied for the vacancy.
3.4 Whistleblowers
Purpose
Type of personal data
Legal basis
Retention period
Receiving a report that you submit with us via our Speak Up! form and forwarding it to the relevant authorized impartial representatives of the relevant local entity, who will investigate your report in accordance with applicable group and local policies.
Contact details
E.g.your first name, last name, email address (depending on whether you want to remain anonymous or not), capacity in relation with Cartamundi, country and other information you provide to us.
Information relevant to the matter you report
Type of concern you report, description of the background and history, location, dates, sequence of events and description of circumstances, identity, and function of involved individuals.
Optional information
Any further information regarding the matter you report that you decide to provide to us, which may include any information contained in documents uploaded by you and/or, special categories of personal data and data of a potential criminal nature.
Communication and contact history
Copy and date of the report you submit.
Necessity to comply with our legal obligations under the applicable whistleblower protection legislation.
Our legitimate interests where there is no such legal obligation or if the reported concern falls outside of the material scope of the applicable whistleblower protection legislation, consisting of the investigation of reports with a view to maintaining an open culture of compliance, good corporate governance, and ethical behavior with the highest standards of honesty and accountability, and taking appropriate measures against misconduct, unethical behavior, illegal practices, or other compliance issues.
When the report contains sensitive information, these will be either processed to comply with legal obligations under the applicable whistleblower protection legislation or other applicable laws, or because it is necessary to establish, exercise or defend legal claims.
Speak Up! form: 1 day
Information collected via the Speak up! form: until the reported violation has been remedied according to the applicable statute of limitation in the relevant country. Information that is not necessary or relevant to the reported matter will be immediately deleted or anonymized.
In addition to the recipients listed in the section “Who we share data with” below, we may share the personal data of whistleblowers with third parties specifically engaged in the context of the management of whistleblowing cases, such as forensics partners or law firms.
If you are in Canada, our lawful basis for processing your data is based on consent. If you would like specific information about our lawful basis of processing in Canada, please contact us as indicated in the “Contact Information” section.
4 Who we share data with
We only use the personal data we receive for the purposes described above. In that regard, we may need to share your personal data with our affiliates or third parties outside of the Cartamundi Group, so-called ‘recipients’.
4.1 Internal transfers within the Cartamundi Group
We may share your personal data within the entities of Cartamundi Group for administrative and infrastructure-related reasons, for commercial reasons such as ensuring optimal service, as well as in connection with the provision of centralized support services we provide to other entities of the Cartamundi Group such as recruitment, whistleblowing, and acting as the central point of contact for privacy related matters.
A full list of the legal entities belonging to the Cartamundi Group can be found on our corporate website. Please note that this list is subject to changes as following acquisitions, the list may be expanded with additional entities we acquire and integrate into the Cartamundi Group, or vice versa, entities may be removed from the list following their acquisition by third parties (see potential acquirers below).
4.2 External service providers
We may use external service providers to provide or perform services and functions on our behalf. We may make personal data available to them solely to perform these services and functions. We have taken the necessary technical and organizational measures to ensure compliance with data protection provisions and require external service providers to do so.
We may transfer personal data to the following categories of recipients, with these third parties acting as our processors in certain cases:
Postal companies and courier services if we need to send you written communications or items;
Processors who assist us technically or IT-wise in the operation of our businesses, for the purpose of secure and efficient digital data management within our businesses and optimal service provision, such as software service providers, hosting service providers;
Practitioners of regulated professions such as accountants and lawyers, or other independent external advisers, for the purpose of complying with our legal obligations and defending our interests, as required.
4.3 Authorities and justice system
We may also make personal data available to public or judicial authorities, law enforcement personnel and agencies as required by law, including to meet national security or law enforcement requirements, and including to agencies and courts in the countries where we operate. Where permitted by law, we may also disclose such information to third parties (including legal counsel) when necessary for the establishment, exercise or defense of legal claims or to otherwise enforce our rights, protect our property or the rights, property or safety of others, or as needed to support external audit, compliance and corporate governance functions.
4.4 Potential acquirers
In the event of a sale, merger, liquidation, dissolution, or other corporate transaction implicating an organizational change within the Cartamundi Group, certain personal data may be disclosed to the party (and/or its legal counsels) acquiring all or part of the equity or assets of the relevant entities within Cartamundi Group or their business operations. If this proves to be necessary, we will take the necessary precautions (e.g. need-to-know-basis only, enter into confidentiality agreements and apply other industry best practices) to always protect your privacy.
4.5 Other disclosures with your consent
We may share data with third parties when you consent or direct us to.
4.6 Additional information if you reside in the US
Some jurisdictions require us to disclose whether the following categories of personal data are collected, shared with third parties for a “business purpose,” or “sold,” or transferred for “valuable consideration.” The table below indicates the categories of personal data we collect and transfer in a variety of contexts. We do not “sell” your personal data for money.
Category of Personal Data
Disclosures for a Business Purpose
Sharing for Targeted Advertising
Identifiers – this may include real name, alias, postal address, unique personal identifier, online identifier, email address, account name, or other similar identifiers.
Affiliates or subsidiaries
Data analytics providers
Joint marketing partners
Operating systems and platforms
Other Service Providers
Payment processors and financial institutions
Professional services organizations, this may include auditors and law firms
Social networks
Advertising networks
Government Issued Identification – this may include social security number, driver’s license number, or state issued identification number, passport number.
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
Health Related Information – this may include medical information, mental or physical condition or treatment, or health insurance information.
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
Characteristics of protected classifications – this may include age, sex, race, ethnicity, physical, or mental handicap, etc.
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
Commercial information – this may include information about products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Affiliates or subsidiaries
Data analytics providers
Joint marketing partners
Other Service Providers
Payment processors and financial institutions
Social networks
Advertising networks
Internet or other electronic network activity information – this may include browsing history, search history, and information regarding an individual’s interaction with an internet website, app, or ad.
Affiliates or subsidiaries
Data analytics providers
Joint marketing partners
Other Service Providers
Social networks
Advertising networks
Geolocation data – this refers to non-precise geolocation information such as your city, state, or neighborhood.
Affiliates or subsidiaries
Data analytics providers
Joint marketing partners
Operating systems and platforms
Other Service Providers
Professional services organizations, this may include auditors Social networks
Advertising networks
Professional or employment-related information – this includes, for example, information submitted by job applicants.
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
Non-public education information (as defined in the Family Educational Rights and Privacy Act)
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
Inferences drawn from any of the information listed above
Affiliates or subsidiaries
Other Service Providers
N/A
Additional categories of personal data described in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) – this may include signature, physical characteristics, or description, insurance policy number.
Affiliates or subsidiaries
Other Service Providers
Professional services organizations, this may include auditors and law firms
N/A
We collect the following categories of sensitive personal data (as defined under California law): social security number, driver’s license, state identification card, or passport number; a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. This data is collected to process transactions, comply with laws, manage our business, or provide services. Note that we do not use such data for any purposes that are not identified within the California Privacy Rights Act Section 1798.121. We do not “sell” or “share” sensitive personal data for cross-context behavioral advertising.
5 Where we transfer personal data to
Depending on where you reside, applicable legislation requires that we inform you about where we may transfer your personal to outside of your territory.
5.1 If you reside in the EEA
The European Economic Area ("EEA") includes the countries of the European Union, Norway, Liechtenstein, and Iceland. The General Data Protection Regulation requires additional safeguards, and your personal data is transferred to entities in countries outside the EEA (such as the conclusion of agreements based on the European Commission's standard contractual clauses). As a corporate group, we have our headquarters in Belgium, and we also aim to keep your data on servers and in data centers within the EEA as much as possible.
However, some of the local establishments of the Cartamundi Group as well as some of our external service providers, are based outside the EEA. Therefore, we may transfer your personal data to other entities of the Cartamundi Group or to external service providers located in or otherwise operating outside the EEA. Where available we will base this transfer on the European Commission’s adequacy decision recognizing that personal data is given an adequate level of protection in the third country of destination (or with specific recipients within that country). We will ensure that if personal data is transferred to a recipient in a country that is not adequate, it will be made subject to the provisions of a data transfer agreement, which will include (a) the standard contractual clauses issued by the European Commission, or (b) any other mechanism in accordance with the privacy and data protection legislation, or any other regulation relating to the processing of personal data.
Below you can find an overview of the recipients of your personal data in third countries and the adequacy decision or other appropriate safeguards upon which each transfer is based. Please note that not all the below transfers may be relevant to you, as indicated below. For more information on the safeguards in place for specific transfers, you can contact us via privacy@cartamundi.com.
Recipient
Country outside EEA
Statutory transmission system
Other entities belonging to the Cartamundi Group which are based outside the EEA, insofar relevant in your specific situation, for which we refer to the explanations and examples in the section “Who we share data with” above.
Please refer to the list of all legal entities belonging to the Cartamundi Group and their locations on our corporate website.
Google LLC (for the Google Analytics service), depending upon your cookie preferences. For the specific information on the specific data collection by the use of cookies from Google Analytics, please consult the applicable Cookie Policy for that website.
USA
Meta Platforms, Inc., depending upon your cookie preferences. For, the specific information on the specific data collection by the use of cookies from Meta, please consult the applicable Cookie Policy for that website.
USA
X Corp. (formerly Twitter), depending upon your cookie preferences. For, the specific information on the specific data collection by the use of cookies from X, please consult the applicable Cookie Policy for that website.
USA
SAP
USA
5.2 If you reside in Quebec
Quebec’s Law 25 requires us to disclose whether your personal data is transferred outside of Quebec. It also requires additional safeguards if your personal data is transferred outside of the province. We aim to keep your data in Quebec as much as possible, however, some of the local establishments of the Cartamundi Group as well as some of our external service providers, are based outside Quebec. Therefore, we may transfer your personal data to other entities of the Cartamundi Group or to external service providers located in or otherwise operating outside Quebec.
5.3 If you reside in the UK
The UK General Data Protection Regulation and Data Protection Act require additional safeguards if your personal data is transferred to entities in countries outside the United Kingdom (such as the conclusion of agreements based on the Information Commissioner's standard contractual clauses). As the headquarters of the Cartamundi Group, we are based outside the UK. Therefore, interacting with us involves transferring your data outside the UK, to our registered offices in Belgium and onwards as explained below.
In addition, except for Cartamundi UK Ltd. (based in Admirals park, Victory Way, Dartford DA2 6QD, United Kingdom, and registered under company number 02648879), the local establishments of the Cartamundi Group are based outside the UK (see the full list on our corporate website). Most of our external service providers are also based outside the UK. Therefore, where needed, we may onward transfer your personal data to other entities of the Cartamundi Group or to external service providers located in or otherwise operating from third countries outside the UK. Where available and in force, we will base this transfer on the UK Government’s adequacy regulations recognizing that personal data is afforded an adequate level of protection in the third country of destination (or with specific recipients within that country). We will ensure that if personal data is transferred to a recipient in a country not covered by such adequacy regulations of the UK Government, it will be made subject to the provisions of a data transfer agreement, which will include (a) the standard contractual clauses issued by the Information Commissioner, or (b) any other mechanism in accordance with the privacy and data protection legislation, or any other regulation relating to the processing of personal data.
Below you can find an overview of the recipients of your personal data in third countries and the adequacy regulations or other appropriate safeguards upon which each transfer is based. Please note that not all the below transfers may be relevant to you, as indicated below. For more information on the safeguards in place for specific transfers, you can contact us via privacy@cartamundi.com.
Recipient
Country outside UK
Statutory transmission system
Other entities belonging to the Cartamundi Group which are based outside the UK, insofar relevant in your specific situation, for which we refer to the explanations and examples in the section “Who we share data with” above.
Please refer to the list of all legal entities belonging to the Cartamundi Group and their locations
Google LLC (for the Google Analytics service), depending upon your cookie preferences. For the specific information on the specific data collection by the use of cookies from Google Analytics, please consult the applicable Cookie Policy for that website.
USA
Meta Platforms, Inc., depending upon your cookie preferences. For the specific information on the specific data collection by the use of cookies from Meta, please consult the applicable Cookie Policy for that website.
USA
X Corp. (formerly Twitter), depending upon your cookie preferences. For the specific information on the specific data collection by the use of cookies from X, please consult the applicable Cookie Policy for that website.
USA
SAP
USA
UK Extension to the EU-U.S. Data Privacy Framework
6 How long we keep your data
We may retain your personal data no longer than necessary for the purposes for which they were collected or as required by applicable law. The specific retention periods are listed in the relevant tables above.
We also describe the expiry periods for cookies that can be placed when using one of our websites in the appliable Cookie Policy for that website.
7 How we protect personal data
We apply appropriate technical, physical, and organizational measures that are reasonably designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against other unlawful forms of processing. Access to personal data is restricted to authorized recipients on a need-to-know basis. We maintain a comprehensive information security program that is proportionate to the risks associated with the processing. The program is continuously adapted to mitigate operational risks and to protect personal data, considering industry-accepted practices. If we are required to inform you about a security incident, we will do so electronically, in writing, or by phone, as the law permits. Additionally, we maintain internal governance policies designed to protect your information. These governance policies include, but are not limited to, Written Information Security Protocols, Incident Response Plans, Data Subject Requests Protocols, and Record Retention and Destruction Schedules.
8 Your rights
Your rights with respect to our processing of your personal data depend on where you reside.
8.1 If you reside in the US
You may wish to exercise a right to obtain personal data concerning yourself or to correct, update or delete your personal data, as listed in full below. Some of these rights may be subject to some exceptions or limitations in local law. If you wish to exercise any of the rights mentioned below, please send your request to privacy@cartamundi.com.
We will take reasonable steps to verify your identity and we will respond to your request to exercise these rights within a reasonable time.
In some circumstances, you may designate an authorized agent to exercise certain privacy rights on your behalf. If you are an authorized agent submitting a request on behalf of an individual, you must attach a copy of a completed Authorized Agent Designation Form which shows that you may act on another’s behalf.
You have a right of access to your personal data and confirm that we process your data. This allows you to check what personal data we process about you and to get a copy of it to the extent this does not adversely affect the rights and freedoms of others;
You have a right to rectify your personal data. This allows you to correct or complete incorrect or incomplete personal data that we process about you;
You have the right to opt-out of online tracking based targeted advertising (e.g., cookies) by clicking the cookie settings link here. Note that if you change your browsers or devices, or if you clear your browser’s cache, you may need to click the link again to apply your preference. We recognize Global Privacy Control (GPC) signals enabled by customers on their browser or browser extension as valid opt-out requests where required by applicable law. Please note that your opt-out preference signal will be applied only to your current browser and device. For more information on GPC, visit Global Privacy Control;
You have the right to request a list of third parties to which we have disclosed personal data. Please note, some jurisdictions also allow you to obtain a list of the categories of third parties to which we have disclosed personal data. You can find that information in the table above under the “Who we share data with” section;
You have a right to erasure of your personal data. This allows you to permanently delete personal data that we process about you. We are not always obliged to delete your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have the right to specifically object to the processing of your personal data for direct marketing purposes (e.g. via clicking on the unsubscribe button);
You have the right to data portability. This allows you to transfer, copy or forward personal data easily from one data controller to another;
If you disagree with our denial of a request, you have the right to appeal our decision. Please do so by emailing us with the subject line “appeal;”
If you would like more information on the categories of personal data (if any) we share with third parties or affiliates for those parties to use for direct marketing, submit a written request using the information in the Contact Information section.
We do not recognize the “Do Not Track” signal.
Not all the rights above are absolute, and they do not apply in all circumstances. We may limit or deny some requests because the law permits or requires us to. We will not discriminate against individuals who exercise their privacy rights under applicable law.
8.2 If you reside in Canada
You may wish to exercise a right to obtain personal data concerning yourself or to correct, update or delete your personal data, as listed in full below. Some of these rights may be subject to some exceptions or limitations in local law. If you wish to exercise any of the rights mentioned below, please send your request to privacy@cartamundi.com.
We will take reasonable steps to verify your identity and we will respond to your request to exercise these rights within a reasonable time.
You have a right of access to your personal data. This allows you to check what personal data we process about you and to get a copy of it to the extent this does not adversely affect the rights and freedoms of others;
You have a right to rectify your personal data. This allows you to correct or complete incorrect or incomplete personal data that we process about you;
You have a right to erasure of your personal data. This allows you to permanently delete personal data that we process about you. We are not always obliged to delete your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have the right to opt-out of online tracking based targeted advertising (e.g., cookies) by clicking the cookie settings link here. Note that if you change your browsers or devices, or if you clear your browser’s cache, you may need to click the link again to apply your preference;
You have the right to object to the processing of your personal data carried out on the basis of our legitimate interests. This allows you to oppose the further processing of your personal data. We are not always obliged to honour your objection, when we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms;
You have the right to specifically object to the processing of your personal data for direct marketing purposes (e.g. via clicking on the unsubscribe button);
You have the right to withdraw your consent at any time where the processing of your personal data is carried out on the basis of your consent;
8.3 If you reside in the EEA
You may wish to exercise a right to obtain personal data concerning yourself or to correct, update or delete your personal data, as listed in full below. Some of these rights may be subject to some exceptions or limitations in local law. If you wish to exercise any of the rights mentioned below, please send your request to privacy@cartamundi.com.
We will take reasonable steps to verify your identity and we will respond to your request to exercise these rights within a reasonable time.
You have a right of access to your personal data. This allows you to check what personal data we process about you and to get a copy of it to the extent this does not adversely affect the rights and freedoms of others;
You have a right to rectify your personal data. This allows you to correct or complete incorrect or incomplete personal data that we process about you;
You have a right to erasure of your personal data. This allows you to permanently delete personal data that we process about you. We are not always obliged to delete your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have a right to restrict the processing of personal data relating to you. This allows you to freeze the use of your personal data by us, without deleting it. We are not always obliged to restrict your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have the right to object to the processing of your personal data carried out on the basis of our legitimate interests. This allows you to oppose the further processing of your personal data. We are not always obliged to honour your objection, when we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
You have the right to specifically object to the processing of your personal data for direct marketing purposes (e.g. via clicking on the unsubscribe button), which we are always obliged to honour;
You have the right to withdraw your consent at any time where the processing of your personal data is carried out on the basis of your consent;
You have the right to data portability. This allows you to transfer, copy or forward personal data easily from one data controller to another. This right can only be exercised if the processing is based on your consent or on an agreement we have with you.
In addition to your data subject rights mentioned above, you also have the right to lodge a complaint with your data protection supervisory authority. You can lodge a complaint with the supervisory authority of the EEA member state where you usually reside, where you have your place of work or where the alleged infringement has taken place. As the headquarters of the Cartamundi Group are located in Belgium, you may also lodge a complaint with the Belgian Data Protection Authority on their website: https://www.dataprotectionauthority.be/citizen/actions/lodge-a-complaint
For further information and the contact details of the supervisory authority of each EEA member state, please refer to this website page of the European Data Protection Board with all relevant contact details. In addition, you may always file a claim with the competent civil court.
8.4 if you reside in the UK
You may wish to exercise a right to obtain personal data concerning yourself or to correct, update or delete your personal data, as listed in full below. Some of these rights may be subject to some exceptions or limitations in local law. If you wish to exercise any of the rights mentioned below, please send your request to privacy@cartamundi.com.
We will take reasonable steps to verify your identity and we will respond to your request to exercise these rights within a reasonable time.
You have a right of access to your personal data. This allows you to check what personal data we process about you and to get a copy of it to the extent this does not adversely affect the rights and freedoms of others;
You have a right to rectify your personal data. This allows you to correct or complete incorrect or incomplete personal data that we process about you;
You have a right to erasure of your personal data. This allows you to permanently delete personal data that we process about you. We are not always obliged to delete your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have a right to restrict the processing of personal data relating to you. This allows you to freeze the use of your personal data by us, without deleting it. We are not always obliged to restrict your personal data at your request – this right only applies in the cases and to the extent provided for by law;
You have the right to object to the processing of your personal data carried out on the basis of our legitimate interests. This allows you to oppose the further processing of your personal data. We are not always obliged to honour your objection, when we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms.
You have the right to specifically object to the processing of your personal data for direct marketing purposes (e.g. via clicking on the unsubscribe button), which we are always obliged to honour;
You have the right to withdraw your consent at any time where the processing of your personal data is carried out on the basis of your consent;
You have the right to data portability. This allows you to transfer, copy or forward personal data easily from one data controller to another. This right can only be exercised if the processing is based on your consent or on an agreement we have with you.
In addition to your data subject rights mentioned above, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK data protection supervisory authority.
Information Commissioner's Office
Address: Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
United Kingdom
Tel. 0303 123 1113
In addition, you may always file a claim with the competent civil court.
9 Changes to this Privacy Policy
We may update this Privacy Policy from time to time. In circumstances where a change will materially change the way in which we collect or use your personal data, we will send a notice of this change to all impacted individuals.
10 Contact information
If you have questions, comments, or complaints on our privacy practices, or if you need to access this Privacy Policy in a different form due to a disability, please contact us. We will try to address your requests and provide you with additional privacy-related information.
***
Version control
V0.1
May 2025