Privacy Policy – RatingIt

15 February 2026

1. Who is the data controller?

RatingIt, S.L.
Tax ID (N.I.F.): B22572440
Registered office: C/ Cirilo Amorós, nº 6, entlo. 1ª, 46004. Valencia, Spain.
Email: dpo@ratingit.app

If you wish to contact us regarding your personal data, you can do so at the address indicated in the previous point.

The Data Controller will be referred to alternatively as “RatingIt”, the “Controller”, the “Platform” or “we”.

2. Introduction

RatingIt is the owner of the domain www.ratingit.app, of this website and of the app, as well as any other type of software developed, operated and/or maintained by RatingIt (hereinafter the “Platform”).

This text makes available to the User (hereinafter also referred to as the “User”, “Data Subject” or “you”) RatingIt's Privacy Policy in order to describe the personal information we collect, the purpose for which we use it and, in general, the processes and ways in which we process it during the course of use of the Platform by Users (both registered and unregistered, depending on the processing) while they browse it. This Policy applies to Users located in the European Union/EEA and in the United Kingdom and is interpreted in accordance with Regulation (EU) 2016/679 (GDPR) and, in the United Kingdom, the UK GDPR together with the Data Protection Act 2018.

RatingIt may make this Privacy Policy available to the User in different languages. In such case, the Spanish version will prevail in the event of any interpretative conflict.

3. Processing of personal data on behalf of our clients

When the Platform is integrated by our end clients within their business activity under a services contract, the Platform will process personal data for the provision of the services on behalf of such clients, acting as the Processor.

In such case, the said client will be the Controller of the personal data it shares with, or enters into, the Platform.

The processing of personal data by RatingIt as Processor will not be governed by this Privacy Policy, but by the provisions of the services agreement between the Platform and the end client, in accordance with the instructions and purposes specified therein, as well as in the specific Data Processing Agreement and with the privacy policy of the end client that integrates our services, in compliance with the applicable data protection regulations.

4. Processing activities and purposes for which we process your data as controller

Processing we carry out as Controller:

4.1. Platform functionality

  • Purpose: to enable the use of the Platform and browsing thereof, to ensure proper functioning, allow updates and technical maintenance, and improve navigability, security and performance.
  • Categories of data processed:
    • Platform usage data and app/device data: browsing and usage data, IP address, usage preferences, visits made, language, device information, browser type, device type and operating system, approximate location (region and country), cookies and anonymised statistical data.
    • If the User arrives at the Platform from an external source (e.g., a link on a third-party website or social network), statistical and anonymous information about that source will be collected to better understand the origin of traffic and improve marketing and positioning strategies.
  • Categories of data subjects: Registered and unregistered users who make use of the Platform.
  • Method of collection: shared by the User through browsing the Platform.
  • Legal bases: legitimate interests (GDPR/UK GDPR) in ensuring the proper, up-to-date and secure operation of the Platform and understanding the origin of traffic; or the User's consent where necessary (e.g., non-essential cookies).
  • Retention period: usage data for up to 12 months from collection in accordance with Law 25/2007; after this period, it will be deleted unless required by an authority. Anonymised statistical data may be kept indefinitely.

4.2. Security and fraud prevention

  • Purpose: to ensure Users' security, prevent fraud, conduct investigations and use information for possible claims by us or third parties. This processing includes:
    • Collection of traffic data: IPs, browser type, pages visited, time spent and other browsing data.
    • Analysis of behaviour patterns to detect unusual or suspicious behaviour.
    • Threat detection through intrusion-detection systems and real-time analysis.
    • Identity verification supported by traffic data to ensure legitimate access and transactions.
    • Maintenance of detailed logs of access and activities for audits and incident response.
    • Cooperation with competent authorities where appropriate, in compliance with legal obligations.
  • Categories of data processed: browsing and usage data, IP address, access logs, failed log-in attempts and suspicious activity, device information, browser type, device type and operating system, approximate location (region and country).
  • Categories of data subjects: Users who make use of the Platform.
  • Method of collection: shared by the User through browsing the Platform.
  • Applicable legal basis: compliance with legal obligations relating to the logging of access and activity; legitimate interests in investigating, detecting, preventing and pursuing fraud, protecting our own or third-party interests, defending against possible claims and ensuring correct and secure operation.
  • Retention period: access and activity logs for 1 year in accordance with Law 25/2007; thereafter they may be blocked for the legal retention and limitation periods if there is a risk of claims.

4.3. Provision of contracted services

  • Purpose: to ensure the provision of the Platform's services (rating products, publishing reviews, earning points), manage requests and operational communications, registration and authentication, payment management and other processing necessary to perform the contract. Where the User has consented and the device settings allow it, sending push notifications.

    Public reviews will be shared within the Platform and visible to other Users, including the username. No other personal data will be shared unless the User enters it voluntarily as part of their username.

  • Categories of data processed:
    • Registration data: username and password (first and last names or other data are not required unless voluntarily included).
    • Contact data: email address.
    • Service information: ratings and reviews made.
    • User region: assigned by IP to the nearest available region; the User can change it in Settings.
    • Access data of registered Users. If registration is carried out with Apple or Google, RatingIt receives certain data associated with that account (avatar/image, email and first and last names).
  • Categories of data subjects: Users who make use of the Platform's services.
  • Method of collection: directly from the Data Subject when using the Platform.
  • Legal bases: performance of a contract or application of pre-contractual measures at the Data Subject's request.
  • Retention period: for the duration of the service provision; once ended, blocking during the legal periods (tax, commercial, AML/CFT and limitation periods).

4.5. Sending marketing communications

  • Purpose: to send marketing communications, offers and promotions:
    • Email: messages to the User's address with the option to object at any time (via the Controller's email or the link in the email itself).
    • Push notifications: messages on the device when the User has configured and consented to them; you can disable them on the device.
    • Third-party communications: only with prior express consent; revocable at any time.
    • Personalised communications: require prior consent; revocable at any time.

    The User may object or withdraw consent at any time via the Controller's postal or electronic address or the channels provided.

  • Categories of data processed:
    • Identifiers: username.
    • Contact: email address.
    • User preferences, where applicable.
  • Categories of data subjects: Users of the Platform or those who consent to receive communications.
  • Method of collection: directly from the User.
    • Registered users or customers: through registration on the Platform.
    • Unregistered users: via forms, newsletter and similar means.
  • Legal bases:
    • Registered users or customers: legitimate interests (GDPR/UK GDPR) to inform about products/services contracted or similar, unless objected to. In the United Kingdom, where the recipient is an individual, we will also rely, where appropriate, on the soft opt-in exception provided under PECR.
    • Users with no contractual relationship (individuals): prior consent (GDPR/UK GDPR and PECR).
    • Communications to corporate entities (e.g., companies with generic emails): permitted under PECR; we will maintain suppression lists if they object.
    • In both cases, consent for push, personalised and third-party communications, until withdrawal, objection or account deletion.
  • Retention period: until the User withdraws consent; thereafter, blocking during the applicable legal periods.

4.7. Handling User enquiries

  • Purpose: to enable communication with the Controller for customer service, enquiries, complaints or others, through any of the contact points (forms, email or postal addresses, etc.).
  • Categories of data processed: identifiers (first and last names) and contact data (email and/or phone).
  • Categories of data subjects: Users who submit the enquiry.
  • Method of collection: directly from Users or through subcontracted providers for that purpose.
  • Legal bases: the User's consent or the Controller's legitimate interests in responding after receiving the request.
  • Retention period: a maximum of 24 months from fulfilment of the purpose, unless longer retention is justified by legitimate interests or legal limitation periods.

4.8. Internal analysis and development

  • Purpose: to collect and process statistical and anonymised usage data to analyse behaviour and use of the Platform, browsing patterns and features used, in order to improve the experience, optimise features, analyse trends and develop new tools or services.
  • Categories of data: anonymous data about use of the Platform, browsing patterns and features used.
  • Categories of data subjects: registered users and visitors (in anonymised format).
  • Legal bases: legitimate interests in analysing anonymous, statistical and aggregated information to offer and develop better products and services.
  • Method of collection: data shared by the User in relation to the use of the Services.
  • Retention period: for the indicated purpose, indefinite retention in de-identified or anonymous format so that Data Subjects cannot be identified.

5. Where do your data come from?

As a general rule, unless otherwise indicated in specific sections of this Policy, all data come from the Data Subject, either through browsing or using the Platform or through a communication made by the User by any of the means made available.

6. Who do we share your data with?

As a general rule, the Controller will not disclose the User's personal data to third parties, except when the provision of a service requires a contractual relationship and such disclosure is strictly necessary for the management and maintenance of the relationship between the User and the Controller and/or for the fulfilment of the purposes described in this Policy.

In such cases, disclosure will be carried out only for the time strictly necessary to achieve these purposes, and always in accordance with the principles of the General Data Protection Regulation, by applying appropriate technical and organisational measures to ensure the security and confidentiality of personal data. Such measures include entering into the corresponding data processing agreements with each provider, establishing obligations equivalent to those assumed by the Controller in data protection matters. Once the service has been provided, providers must return or delete the personal data in accordance with those agreements.

In this regard, and solely to enable the operation of the Platform and the fulfilment of the purposes described, the Controller may disclose personal data to the following recipients:

  • Technology and essential service providers: personal data may be shared with essential service providers, including IT and technology services (for example, payment gateways, cloud storage, communications delivery, authentication and security, analytics and other services necessary to ensure the purposes). Some of our providers are:
    • Hetzner Online GmbH, headquartered in Nuremberg, Germany, which provides cloud storage, microservices and web hosting. The data processed include information necessary for the provision of the Platform's services, such as user data, communications, published content and other associated technical data.
    • Google LLC and Google Ireland Ltd, for authentication and analytics services. Authentication involves the processing of data relating to the User; analytics may include approximate location, usage behaviour, device type, logs and errors. Processing may involve international transfers to the U.S., covered, in the EU/EEA, by the EU-U.S. Data Privacy Framework (DPF) or, failing that, by the EU Standard Contractual Clauses; and, in the United Kingdom, by the UK-U.S. Data Bridge (UK Extension to the DPF) or, failing that, by the IDTA or the UK Addendum to the EU SCCs.
    • Mailgun Technologies, Inc.: for bulk email and communications services. Although servers may be in Europe, the parent company is in the U.S., so international transfers could occur. In the EU/EEA these will rely on the EU-U.S. DPF or, failing that, the EU SCCs; and, in the United Kingdom, on the UK-U.S. Data Bridge or, failing that, the IDTA or the UK Addendum to the SCCs.
  • Companies and professional consultants that provide services to the Controller to facilitate the management of the Platform and the fulfilment of its legal, contractual or administrative obligations, such as legal advice, accounting, technical or IT security services.

Likewise, the User's data may be shared with public authorities if we are obliged to do so by court order or by legal imperative. Under no circumstances will personal data be disclosed to third parties for commercial purposes without the User's prior, freely given, specific and informed consent. You may request additional information about the disclosures made by contacting the Controller through any of the contact points indicated in this Policy.

7. Do we make international data transfers to third countries or international organisations?

In the context of providing its services, the Platform may carry out international transfers of personal data from the United Kingdom to the European Union/EEA.

Such transfers are covered by the Adequacy Decision adopted by the European Commission on June 28, 2021, pursuant to Article 45 of Regulation (EU) 2016/679 (GDPR). This decision recognizes that the United Kingdom ensures a level of protection substantially equivalent to that required in the European Union, allowing the free flow of data between both jurisdictions without the need for additional safeguards.

In the event that this decision is not renewed or is modified in the future, the Platform will adopt the necessary contractual, technical, and organizational measures to ensure an adequate level of protection of personal data in accordance with the applicable regulations (including, where appropriate, the execution of Standard Contractual Clauses approved by the European Commission or equivalent mechanisms).

Furthermore, in order to fulfil its purposes, international data transfers may be carried out to the service providers that are essential to achieving the purpose(s) for which the data were collected. Likewise, even if RatingIt does not directly carry out such transfers, they may be carried out by those service providers.

In such cases, the Controller will contract with providers that comply with the GDPR and, where applicable, with the UK GDPR, applying the safeguards provided for in Articles 44 et seq. GDPR and the equivalent legislation in the United Kingdom. This includes adequacy decisions (EU ↔ UK and UK ↔ EU; list of countries based on an adequacy decision, as well as the EU-U.S. Data Privacy Framework and the UK-U.S. Data Bridge for the U.S.), as well as the use of Standard Contractual Clauses (SCC) of the European Commission and, in the United Kingdom, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

Below is the list of providers to whom international data transfers (IDTs) could be made:

  • Google: Google LLC, located at 1600 Amphitheatre Pkwy, Mountain View, California 94043, is the Google group company that provides authentication and analytics services. Data relating to the User will be processed. However, personal data may be hosted on the servers of Google Ireland Ltd., the Google group company operating from the EEA. If IDTs are carried out, according to Google's privacy policy (link) they will be carried out by applying appropriate security safeguards in compliance with the GDPR and/or UK GDPR, through its certification and adherence to the EU-U.S. Data Privacy Framework (link) (and, in the case of the United Kingdom, to the UK-U.S. Data Bridge), as well as through the EU SCCs (link) or, in the United Kingdom, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
  • Mailgun Technologies, Inc.: For bulk email and telemarketing services. Although the server is located in Europe, since the headquarters is in the United States, international data transfers may be made. If IDTs are carried out, according to Mailgun's privacy policy (link) they will be carried out by applying appropriate security safeguards in compliance with the GDPR and/or UK GDPR, through its certification and adherence to the EU-U.S. Data Privacy Framework (link) (and, in the case of the United Kingdom, to the UK-U.S. Data Bridge), as well as through the EU SCCs (link) or, in the United Kingdom, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

You may request more information about the IDTs we make by contacting us through the addresses indicated at the beginning of this Policy.

8. Do we process special categories of personal data?

The Controller will not request or process “special categories of personal data”, understood to be data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”, in accordance with Articles 9 and 10 of Regulation (EU) No. 2016/679.

However, if the User decides to share such information, that processing will be carried out on the basis of their consent.

9. Method of processing

The processing of the data provided is based on the principles of lawfulness, transparency, purpose and storage limitation, data minimisation, accuracy, integrity and confidentiality, and will in all cases be carried out subject to the provisions of Regulation (EU) 2016/679 and Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights.

In particular, processing may be carried out using paper, IT and electronic means, also in accordance with Article 29 of Regulation (EU) 2016/679 and, in all cases, with appropriate means to ensure its security and confidentiality in accordance with Article 32 of the same Regulation (EU) No. 2016/679.

11. Cookies

Currently, RatingIt does not collect cookies or other analogous or similar tracking technologies. If such technologies are used in the future, the data subjects will be duly informed.

12. Retention of your personal data

As a general rule, the Controller will keep your personal data only for as long as necessary for the purpose for which it was collected at the outset, and for the maximum periods indicated in each of the processing activities referred to in this Policy.

Retention periods are set according to the type of data, the purposes and the applicable legislation. In the United Kingdom, the periods may be adjusted to what is provided by the UK GDPR, the Data Protection Act 2018 and, where applicable, the PECR.

Type / Description / Legislation / Term
Contractual documentation / Documentation associated with contracts with Clients. / In accordance with the applicable commercial legislation / 6 years
Anti-money laundering / Documentation evidencing compliance with anti-money-laundering obligations. / In accordance with the applicable legislation on the prevention of money laundering and terrorist financing / 10 years
Platform and website users / Identification data, contact details, addresses, email, etc. / In accordance with the GDPR and/or UK GDPR / 5 years
Traffic data / User identifier, IP address, phone number, IMSI and IMEI, date and time of the electronic communication, etc. / In accordance with the applicable legislation on digital services and data retention / 1 year
Cookies / Cookies and/or analogous technologies. / In accordance with the applicable legislation on privacy and electronic communications / 12 months
Internal analysis and development / Anonymised data. / Art. 4(1) GDPR / UK GDPR; Recital 26 GDPR / UK GDPR / Indefinite
Legal limitation periods / General documentation. / In accordance with the applicable legal limitation periods in each jurisdiction / 5 years

Once the above periods have elapsed, the data will be automatically deleted. This is without prejudice to their subsequent retention in a blocked state where necessary to comply with obligations arising from legal provisions or liability, or from requests and/or orders issued by Public Administrations and/or Supervisory Authorities, for any of the reasons indicated in the preceding sections.

In relation to anonymous and statistical information, the Controller will apply what is described in Recital 26 of the GDPR, which states the following: “The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.” Consequently, this Regulation does not affect the processing of such anonymous information, including for statistical or research purposes.

13. What are your rights over your data?

In accordance with the GDPR and the UK GDPR, the Data Subject has the following rights in relation to their personal data:

  1. access to your data, which you can also consult in the "My Data" section,
  2. rectification of your data, as we also want to ensure that your information is accurate and up to date,
  3. erasure of your data,
  4. restriction of the processing of data concerning you,
  5. objection to the processing of your data where the legal basis for processing your data is our legitimate interests,
  6. withdrawal of your consent to the processing of your data where the legal basis for processing your data is your consent, and
  7. data portability, where the legal basis for processing your data is your consent or the performance of a contract.

To exercise your rights, the Data Subject may contact the Controller through the addresses designated in this Policy.

In addition, the Data Subject has the right to lodge a complaint with the competent supervisory authority if they are not satisfied with the exercise of their rights or with how we process their personal data. In the United Kingdom it is the Information Commissioner's Office (ICO), and in Spain the supervisory authority is the Spanish Data Protection Agency (AEPD).

Information Commissioner's Office - United Kingdom - (ICO).
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK
Tel.: +44 303 123 1113
https://ico.org.uk


Spanish Data Protection Agency - Spain - (AEPD).
Calle Jorge Juan, 6 // Postcode: 28004 - Madrid
Telephone service: +34 901 100 099 // +34 91 266 35 17
https://www.aepd.es