Privacy Policy

How we collect, use, and protect your personal data.

Last updated: March 4, 2026

1. 1. Introduction & Scope

Welcome to Sydcup ("we," "us," "our," or the "Company"). Sydcup is a software development and IT outsourcing company registered in the Republic of Estonia. We are committed to protecting the privacy of all individuals who interact with our website, services, and business operations.

This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and protect your personal data when you visit our website at sydcup.com (the "Website"), communicate with us, use our services, or otherwise interact with our business. This Policy applies to all personal data we process regardless of the medium or method of collection.

This Policy is designed to comply with the following data protection laws and regulations, among others:

General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 of the European Parliament and of the Council
United Kingdom General Data Protection Regulation (UK GDPR) — as retained by the European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018
California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) — California Civil Code sections 1798.100 et seq.
Lei Geral de Proteção de Dados (LGPD) — Brazilian Federal Law No. 13,709/2018
Protection of Personal Information Act (POPIA) — South African Act No. 4 of 2013
Personal Information Protection and Electronic Documents Act (PIPEDA) — Canadian federal privacy law, S.C. 2000, c. 5
Australian Privacy Act 1988 — including the Australian Privacy Principles (APPs)
Swiss Federal Act on Data Protection (FADP / nDSG) — as revised effective September 1, 2023

By accessing our Website, submitting information through our contact forms, engaging our services, or otherwise providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described in this Policy, please do not use our Website or provide us with your personal data.

This Policy does not apply to third-party websites, applications, or services that may be linked from our Website. We encourage you to read the privacy policies of any third-party services you access.

2. 2. Data Controller Information

For the purposes of applicable data protection laws, the data controller responsible for your personal data is:

Company Name: Sydcup

Registered Address: Sepapaja tn 6, Lasnamae, Tallinn, Harju county, 15551, Estonia

Email: [email protected]

Website: sydcup.com

As the data controller, Sydcup determines the purposes and means of processing your personal data. We are responsible for ensuring that your personal data is processed in accordance with applicable data protection legislation.

If you have any questions about this Privacy Policy, our data processing activities, or wish to exercise your data protection rights, please contact us using the details provided above or in Section 14 of this Policy.

For purposes of the UK GDPR, where we process personal data of individuals located in the United Kingdom, Sydcup acts as the controller. Although we are established in Estonia (within the European Economic Area), we comply with UK GDPR requirements when processing UK residents' data.

For purposes of the LGPD, Sydcup acts as the controlador (controller) when we determine the purposes and means of processing personal data of data subjects located in Brazil.

For purposes of POPIA, Sydcup acts as the "responsible party" in relation to personal information of data subjects located in South Africa.

For purposes of PIPEDA, Sydcup is the "organization" responsible for personal information under its control.

3. 3. Information We Collect

We collect and process various categories of personal data depending on how you interact with us. Below is a detailed description of the types of information we collect:

3.1 Information You Provide Directly

When you voluntarily submit information to us, we may collect the following:

Contact Form Submissions: When you fill out a contact form on our Website, we collect your name, email address, phone number (if provided), company name (if provided), and the content of your message or inquiry.
Business Communications: When you correspond with us via email, phone, video conferencing, or other communication channels, we may collect your name, contact details, professional title, company affiliation, and the substance of your communications.
Service Engagement Information: When you engage our software development or IT outsourcing services, we may collect your name, business contact details, billing information, project specifications, and any other information necessary to deliver our services.
Job Applications: If you apply for a position at Sydcup, we may collect your name, contact details, resume/CV, cover letter, work history, education background, professional references, and any other information you choose to include in your application.
Event and Newsletter Sign-ups: If you sign up for our newsletters, webinars, or events, we collect your name, email address, and any preferences you indicate.

3.2 Information Collected Automatically

When you visit our Website, certain information is collected automatically through technical means:

Device and Browser Information: We collect information about your device type, operating system, browser type and version, screen resolution, and device identifiers.
Network Information: We collect your Internet Protocol (IP) address, Internet Service Provider (ISP) information, and approximate geographic location derived from your IP address.
Usage Data: We collect information about your interactions with our Website, including pages visited, links clicked, time spent on each page, referring and exit URLs, date and time of visits, and navigation paths through the Website.
Log Data: Our servers automatically record information in server log files, including web requests, IP addresses, browser types, referring/exit pages, number of clicks, landing pages, and pages viewed.

3.3 Cookies and Similar Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect certain information about your browsing activities. For detailed information about our use of cookies, please see Section 6 of this Policy.

3.4 Information from Third Parties

We may receive personal data about you from third-party sources, including:

Analytics Providers: We may receive aggregated and/or individual-level analytics data from services such as Google Analytics.
Business Partners and Referrals: We may receive your contact information from business partners, referral networks, or professional contacts who recommend our services to you or refer you to us.
Publicly Available Sources: We may collect professional information from publicly available sources, such as LinkedIn profiles, corporate websites, or business directories, for legitimate business development purposes.

3.5 Sensitive Personal Data

We do not intentionally collect or process sensitive personal data (also known as "special categories of data" under the GDPR), such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. If you voluntarily provide such data to us (for example, in the body of a message), we will treat it with the highest level of care and in accordance with applicable law.

4. 4. Legal Basis for Processing (GDPR Art. 6)

Under the General Data Protection Regulation (GDPR), we are required to identify a lawful basis for each processing activity involving personal data of individuals in the European Economic Area (EEA), the United Kingdom, and Switzerland. We rely on the following legal bases as set out in Article 6(1) of the GDPR:

4.1 Consent — Article 6(1)(a)

Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. We rely on consent for the following processing activities:

Sending marketing communications, newsletters, or promotional materials to your email address.
Placing non-essential cookies and similar tracking technologies on your device (where required by applicable law).
Processing any sensitive personal data that you voluntarily provide to us.

4.2 Performance of a Contract — Article 6(1)(b)

We process personal data where it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes:

Processing your contact information and project requirements to provide software development and IT outsourcing services.
Managing our contractual relationship with you, including invoicing, payment processing, and service delivery.
Communicating with you about the status of your projects, deliverables, or service agreements.
Responding to your inquiries submitted through our contact forms when your inquiry relates to services you have contracted or wish to contract.

4.3 Legitimate Interests — Article 6(1)(f)

We process personal data where it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your fundamental rights and freedoms. We have conducted a balancing test for each of the following processing activities to ensure our interests do not disproportionately impact your rights:

Website Operations and Improvement: Analyzing usage data to improve the functionality, user experience, and performance of our Website.
Security and Fraud Prevention: Monitoring and analyzing access to our Website and systems to detect, prevent, and respond to security threats, fraud, and abuse.
Business Development: Using business contact information for networking, relationship management, and business development activities within the scope of reasonable expectations.
Customer Relationship Management: Managing our relationships with clients, prospective clients, and business partners.
Responding to Inquiries: Processing contact form submissions and communications to respond to your questions or requests about our services.
Legal Claims: Processing personal data to establish, exercise, or defend legal claims.

4.4 Legal Obligation — Article 6(1)(c)

We process personal data where it is necessary for compliance with a legal obligation to which we are subject. This includes:

Retaining financial and transactional records as required by Estonian tax law, EU regulations, and other applicable legislation.
Responding to lawful requests from governmental authorities, courts, and regulatory bodies.
Complying with anti-money laundering (AML) and know-your-customer (KYC) requirements, where applicable.

4.5 Legal Bases Under Other Jurisdictions

For processing activities involving personal data of individuals located in jurisdictions outside the EEA and UK, we rely on the equivalent legal bases provided by applicable local law, including but not limited to:

LGPD (Brazil): We rely on consent, performance of a contract, legitimate interests, compliance with a legal or regulatory obligation, and other legal bases specified in Article 7 of the LGPD, as applicable.
POPIA (South Africa): We rely on consent, contractual necessity, legitimate interests, and compliance with a legal obligation as set out in Section 11 of POPIA.
PIPEDA (Canada): We obtain meaningful consent (express or implied, as appropriate) for the collection, use, and disclosure of personal information, in accordance with PIPEDA's consent principles.
Australian Privacy Act: We collect personal information only where it is reasonably necessary for our functions or activities and by lawful and fair means, in accordance with Australian Privacy Principle 3.

5. 5. How We Use Your Information

We use the personal data we collect for the following purposes:

5.1 Providing and Managing Our Services

To deliver software development, IT outsourcing, and related professional services to our clients.
To manage project workflows, timelines, deliverables, and communications related to service engagements.
To process payments, generate invoices, and manage financial transactions related to our services.
To communicate with clients and partners regarding ongoing projects, service updates, and contractual matters.

5.2 Responding to Inquiries and Communications

To respond to contact form submissions, emails, phone calls, and other communications you send to us.
To provide you with information about our services, capabilities, and availability as requested.
To schedule and conduct meetings, calls, and demonstrations.

5.3 Website Operations and Analytics

To operate, maintain, and improve the functionality and performance of our Website.
To analyze usage patterns, traffic sources, and user behavior to optimize the Website experience.
To diagnose technical issues, monitor system performance, and ensure the availability and reliability of our Website.
To generate aggregated, anonymized, or de-identified statistical data about Website usage.

5.4 Marketing and Communications

To send you newsletters, promotional materials, industry insights, and other marketing communications, where you have consented to receive such communications or where we are otherwise permitted to do so under applicable law.
To personalize the content and offers we present to you based on your preferences and interactions.
To invite you to events, webinars, or other professional activities.

5.5 Security and Legal Compliance

To protect the security, integrity, and availability of our Website, systems, and data.
To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity.
To comply with applicable laws, regulations, legal processes, and government requests.
To establish, exercise, or defend legal claims and protect our rights and interests.

5.6 Recruitment and Human Resources

To evaluate job applications and manage the recruitment process.
To communicate with applicants about their applications and the status of open positions.
To conduct background checks and reference checks where permitted by applicable law and with your consent where required.

5.7 Business Operations and Administration

To manage our internal business operations, including accounting, auditing, and administrative functions.
To conduct business planning, forecasting, and reporting.
To manage vendor, partner, and supplier relationships.

We will not use your personal data for purposes that are materially different from or incompatible with the purposes described above without providing you with prior notice and, where required by law, obtaining your consent.

6. 6. Cookies & Tracking Technologies

Our Website uses cookies and similar tracking technologies to enhance your browsing experience, analyze Website traffic, and understand how visitors interact with our Website. This section explains what cookies are, what types of cookies we use, and how you can manage your cookie preferences.

6.1 What Are Cookies?

Cookies are small text files that are placed on your device (computer, tablet, or mobile phone) when you visit a website. Cookies are widely used to make websites function properly, operate more efficiently, and provide information to website operators. Cookies can be "session cookies" (which are erased when you close your browser) or "persistent cookies" (which remain on your device for a set period or until you delete them).

6.2 Types of Cookies We Use

Strictly Necessary Cookies

These cookies are essential for the operation of our Website. They enable core functionality such as page navigation, access to secure areas, and basic Website features. The Website cannot function properly without these cookies. These cookies do not collect personal data for marketing purposes and do not require your consent under applicable law.

Analytics and Performance Cookies

These cookies allow us to recognize and count the number of visitors and to see how visitors move around our Website. This helps us improve the way our Website works by, for example, ensuring that users can easily find what they are looking for. We may use services such as Google Analytics to collect and process this data. The information collected by these cookies is typically aggregated, though individual-level data may be processed. Where required by law, we obtain your consent before placing these cookies.

Functionality Cookies

These cookies enable our Website to provide enhanced functionality and personalization, such as remembering your preferences (e.g., language selection, region) and providing you with a more personalized experience. If you do not allow these cookies, some or all of these features may not function properly.

Targeting and Advertising Cookies

If we use advertising or remarketing services in the future, these cookies may be set through our Website by our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements on other websites. They work by uniquely identifying your browser and device. If you do not allow these cookies, you will not experience targeted advertising from us. As of the date of this Policy, Sydcup does not engage in behavioral advertising.

6.3 Third-Party Cookies

Some cookies on our Website are placed by third-party service providers. These third parties may use cookies to collect information about your online activities over time and across different websites. We do not control the cookies placed by third parties, and their use is governed by their respective privacy policies. Third-party services that may place cookies on our Website include:

Google Analytics: Used for Website traffic analysis and usage statistics. Google's privacy policy is available at https://policies.google.com/privacy.
Other analytics or functionality providers as disclosed in our cookie consent management tool.

6.4 Web Beacons and Similar Technologies

In addition to cookies, we may use web beacons (also known as tracking pixels, clear GIFs, or pixel tags) in our emails and on our Website. Web beacons are small, transparent images that allow us to track whether an email has been opened and which links have been clicked. This information helps us measure the effectiveness of our communications and improve our Website and marketing efforts.

6.5 Managing Your Cookie Preferences

You can manage your cookie preferences in the following ways:

Cookie Consent Tool: When you first visit our Website, you may be presented with a cookie consent banner or tool that allows you to accept or reject different categories of cookies. You can change your preferences at any time by accessing the cookie settings on our Website.
Browser Settings: Most web browsers allow you to control cookies through their settings. You can typically set your browser to block all cookies, block third-party cookies, notify you when a cookie is set, or delete cookies that have already been placed. Please note that blocking or deleting cookies may affect the functionality of our Website.
Google Analytics Opt-Out: You can opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On, available at https://tools.google.com/dlpage/gaoptout.
Do Not Track (DNT): Some browsers offer a "Do Not Track" feature that signals to websites that you do not wish to be tracked. As there is no universally accepted standard for how DNT signals should be interpreted, our Website does not currently respond to DNT signals. However, you can use the other methods described in this section to manage your tracking preferences.

6.6 Consent for Cookies (EU/UK/EEA)

In accordance with the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) and applicable local implementations, we obtain your prior consent before placing non-essential cookies on your device when you are located in the EEA, the United Kingdom, or Switzerland. Strictly necessary cookies are exempt from this consent requirement.

7. 7. Data Sharing & Third Parties

We value your privacy and do not sell, rent, or trade your personal data to third parties for their own marketing purposes. We may share your personal data with third parties only in the following circumstances and for the purposes described below:

7.1 Service Providers and Processors

We engage trusted third-party companies and individuals to perform services on our behalf ("service providers" or "data processors"). These service providers have access to your personal data only to the extent necessary to perform the specific tasks we have engaged them for and are contractually obligated to protect your personal data in accordance with applicable data protection laws. Our service providers may include:

Cloud Hosting and Infrastructure Providers: To host our Website, store data, and provide computing infrastructure.
Analytics Providers: To help us analyze Website traffic and usage patterns (e.g., Google Analytics).
Email and Communication Services: To facilitate email communications, newsletters, and other messaging services.
Customer Relationship Management (CRM) Platforms: To manage our client relationships, communications, and business development activities.
Payment Processors: To process payments and financial transactions securely.
Professional Advisors: Including legal, accounting, and consulting professionals who provide us with professional services.
IT Security Providers: To assist with cybersecurity monitoring, vulnerability assessment, and incident response.

All data processing agreements with our service providers include appropriate data protection clauses as required by Article 28 of the GDPR and equivalent provisions under other applicable data protection laws.

7.2 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, bankruptcy, or similar corporate transaction, your personal data may be transferred to the acquiring entity or successor organization. In such cases, we will ensure that the receiving party agrees to process your personal data in a manner consistent with this Privacy Policy and applicable data protection laws. We will notify you of any such transfer and any changes to the processing of your personal data as required by law.

7.3 Legal and Regulatory Disclosures

We may disclose your personal data to third parties if we believe in good faith that such disclosure is necessary to:

Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.
Enforce our terms of service, contracts, or other agreements.
Protect the rights, property, or safety of Sydcup, our clients, employees, or the public.
Detect, prevent, or address fraud, security issues, or technical problems.
Respond to a lawful request by public authorities, including to meet national security or law enforcement requirements.

7.4 With Your Consent

We may share your personal data with third parties when you have given us your explicit consent to do so. You may withdraw your consent at any time, and we will cease sharing your data with the relevant third party upon receipt of your withdrawal request, subject to any legal obligations that may require continued processing.

7.5 Aggregated or De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you with third parties for research, analysis, benchmarking, and other lawful purposes. Such data is not considered personal data under applicable data protection laws.

7.6 No Sale of Personal Data

Sydcup does not sell personal data, as defined by the CCPA/CPRA, the LGPD, or any other applicable data protection law. We do not exchange personal data for monetary consideration. We also do not "share" personal data for cross-context behavioral advertising purposes as defined by the CPRA.

8. 8. International Data Transfers

As a company registered in Estonia, a member of the European Union and the European Economic Area (EEA), Sydcup processes personal data primarily within the EEA. However, due to the global nature of the internet and our business operations, your personal data may be transferred to, stored in, or processed in countries other than the country in which it was originally collected.

8.1 Transfers Within the EEA

Personal data transferred between countries within the EEA is protected by the uniform data protection standards established by the GDPR. No additional safeguards are required for intra-EEA transfers.

8.2 Transfers Outside the EEA and UK

When we transfer personal data to countries outside the EEA or the United Kingdom that have not been deemed to provide an adequate level of data protection by the European Commission or the UK Secretary of State (as applicable), we implement appropriate safeguards to ensure that your personal data receives an equivalent level of protection. These safeguards include:

Standard Contractual Clauses (SCCs): We use the European Commission's Standard Contractual Clauses (adopted under Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum (IDTA) or the UK International Data Transfer Agreement, as approved by the UK Information Commissioner's Office (ICO), to govern transfers of personal data to third countries.
Adequacy Decisions: Where the European Commission or the UK Secretary of State has issued an adequacy decision for a specific country, we may rely on that decision as a basis for transferring personal data to that country. As of the date of this Policy, countries with adequacy decisions include, among others, Canada (for organizations subject to PIPEDA), Japan, South Korea, the United Kingdom (for EU-to-UK transfers), and others as listed on the European Commission's website.
EU-U.S. Data Privacy Framework: For transfers to certified organizations in the United States, we may rely on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, or the Swiss-U.S. Data Privacy Framework, as applicable.
Binding Corporate Rules (BCRs): Where we engage processors or sub-processors that have approved Binding Corporate Rules, we may rely on those BCRs as an appropriate safeguard for international data transfers.
Derogations: In limited and exceptional circumstances, we may rely on derogations under Article 49 of the GDPR (or equivalent provisions under other applicable data protection laws), including transfers necessary for the performance of a contract, transfers with your explicit consent, or transfers necessary for the establishment, exercise, or defense of legal claims.

8.3 Transfer Impact Assessments

In accordance with the requirements established by the Court of Justice of the European Union in Schrems II (Case C-311/18) and guidance from the European Data Protection Board (EDPB), we conduct transfer impact assessments (TIAs) when transferring personal data to third countries using Standard Contractual Clauses. These assessments evaluate the legal framework of the recipient country to ensure that the level of protection afforded to personal data is not undermined by the laws or practices of that country.

8.4 Transfers Under Other Applicable Laws

For transfers of personal data governed by data protection laws other than the GDPR and UK GDPR, we comply with the applicable requirements of those laws:

LGPD (Brazil): We transfer personal data internationally in compliance with Chapter V of the LGPD, relying on adequacy determinations by the Brazilian National Data Protection Authority (ANPD), standard contractual clauses, or other mechanisms authorized by the ANPD.
POPIA (South Africa): We transfer personal information to third countries in compliance with Section 72 of POPIA, ensuring that the recipient is subject to an adequate level of protection or that appropriate safeguards are in place.
PIPEDA (Canada): We ensure that personal information transferred to third-party service providers outside Canada is protected by contractual or other means that provide a comparable level of protection, in accordance with PIPEDA Principle 4.1.3.
Australian Privacy Act: We take reasonable steps to ensure that overseas recipients of personal information do not breach the Australian Privacy Principles (APPs), in compliance with APP 8.

You may obtain a copy of the relevant safeguards we have implemented by contacting us using the details provided in Section 14 of this Policy.

9. 9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including satisfying any legal, regulatory, accounting, or reporting requirements. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means, as well as applicable legal, regulatory, and contractual requirements.

9.1 Specific Retention Periods

Contact Form Submissions: We retain personal data submitted through our contact forms for a period of up to 24 months from the date of submission, unless the inquiry leads to a business relationship, in which case the data will be retained as part of our client records.
Client and Contract Data: We retain personal data related to our client relationships and service agreements for the duration of the contractual relationship and for a period of up to 7 years following the termination or expiration of the contract, as required by Estonian commercial law and tax regulations.
Financial and Transactional Records: We retain financial records, invoices, and transactional data for a minimum of 7 years in accordance with Estonian tax law (Taxation Act) and EU accounting requirements.
Marketing and Communication Preferences: We retain your marketing preferences and consent records for as long as you remain subscribed to our marketing communications. If you unsubscribe, we will retain a record of your withdrawal of consent for a period of up to 3 years to demonstrate compliance with applicable data protection laws.
Job Application Data: We retain job application data for up to 12 months after the end of the recruitment process. If you consent, we may retain your application data for a longer period (up to 24 months) to consider you for future opportunities.
Website Analytics Data: We retain analytics data in an identifiable form for up to 26 months. After this period, the data is aggregated and anonymized.
Server Log Data: We retain server logs for up to 12 months for security and troubleshooting purposes.
Cookie Data: Cookie retention periods vary by cookie type. Session cookies are deleted when you close your browser. Persistent cookies are retained for their specified duration, as outlined in Section 6 of this Policy.

9.2 Criteria for Determining Retention Periods

Where specific retention periods are not prescribed by law, we determine the appropriate retention period based on the following criteria:

The nature and purpose of the processing activity.
The sensitivity of the personal data.
The applicable statutory limitation periods for potential legal claims.
Industry best practices and regulatory guidance.
The legitimate interests of Sydcup and the expectations of the data subject.

9.3 Data Deletion and Anonymization

When personal data is no longer required for the purposes for which it was collected and there is no legal basis for its continued retention, we will securely delete or anonymize the data. Anonymized data, which cannot be used to identify you, may be retained indefinitely for analytical, statistical, or research purposes.

If you request the deletion of your personal data, we will comply with your request subject to any legal obligations that require us to retain certain data. We will inform you if we are unable to fully comply with a deletion request and explain the reasons for any continued retention.

10. 10. Your Rights

Depending on your location and the applicable data protection laws, you may have various rights with respect to the personal data we hold about you. We are committed to facilitating the exercise of your rights and will respond to any valid request in accordance with applicable law.

10.1 Rights Under the GDPR (EEA and UK)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR (or UK GDPR, as applicable):

Right of Access (Article 15): You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of the personal data along with information about the purposes of processing, the categories of data concerned, the recipients to whom the data has been or will be disclosed, the retention period, and the source of the data.
Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data concerning you.
Right to Erasure / Right to Be Forgotten (Article 17): You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, when the data has been unlawfully processed, or when erasure is required to comply with a legal obligation. This right is subject to certain exceptions, such as where processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims.
Right to Restriction of Processing (Article 18): You have the right to request the restriction of processing in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you prefer restriction over erasure, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification of our legitimate interests.
Right to Data Portability (Article 20): You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance, where the processing is based on consent or a contract and is carried out by automated means.
Right to Object (Article 21): You have the right to object to the processing of your personal data based on our legitimate interests or on public interest grounds. We will cease processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or where the processing is necessary for the establishment, exercise, or defense of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes.
Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Sydcup does not currently engage in automated decision-making or profiling that produces legal or similarly significant effects.
Right to Withdraw Consent: Where we process your personal data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. In Estonia, the competent supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia; website: www.aki.ee. In the United Kingdom, you may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

10.2 Rights Under the CCPA/CPRA (California, USA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the personal information was collected, the business or commercial purpose for collecting or selling the personal information, the categories of third parties with whom we share the personal information, and the specific pieces of personal information we have collected about you.
Right to Delete: You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions provided by the CCPA/CPRA (such as where the information is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or enable internal uses reasonably aligned with your expectations).
Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt Out of Sale or Sharing: You have the right to opt out of the "sale" of your personal information and the "sharing" of your personal information for cross-context behavioral advertising purposes. As stated in this Policy, Sydcup does not sell or share personal information as defined by the CCPA/CPRA.
Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information to uses necessary to perform our services or provide our goods, as reasonably expected by an average consumer. Sydcup does not use sensitive personal information for purposes beyond those permitted by the CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you goods or services, charge you different prices, provide you with a different level or quality of goods or services, or suggest that you will receive a different price or quality of goods or services because you exercised your rights.

To exercise your CCPA/CPRA rights, please submit a verifiable consumer request by contacting us at [email protected]. We will verify your identity before processing your request by matching information you provide with information we have in our records. For additional California-specific disclosures, please see Section 15 of this Policy.

10.3 Rights Under the LGPD (Brazil)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados (LGPD), as set out in Article 18:

Right to Confirmation and Access: You have the right to confirm the existence of processing of your personal data and to access such data.
Right to Correction: You have the right to request the correction of incomplete, inaccurate, or outdated personal data.
Right to Anonymization, Blocking, or Deletion: You have the right to request the anonymization, blocking, or deletion of unnecessary or excessive personal data, or data processed in non-compliance with the LGPD.
Right to Portability: You have the right to request the portability of your personal data to another service or product provider, subject to regulations issued by the Brazilian National Data Protection Authority (ANPD).
Right to Deletion of Data Processed with Consent: You have the right to request the deletion of personal data processed on the basis of your consent, except in cases where retention is legally authorized.
Right to Information about Sharing: You have the right to obtain information about the public and private entities with which we share your personal data.
Right to Information about Non-Consent: You have the right to be informed about the possibility and consequences of not providing consent.
Right to Revocation of Consent: You have the right to revoke your consent at any time.
Right to Review of Automated Decisions: You have the right to request the review of decisions made solely based on automated processing of your personal data that affect your interests, including decisions intended to define your personal, professional, consumer, or credit profile, or aspects of your personality.
Right to Petition the ANPD: You have the right to petition the Brazilian National Data Protection Authority (ANPD) regarding your data protection concerns.

10.4 Rights Under Other Applicable Laws

If you are located in another jurisdiction with applicable data protection laws, you may have similar or additional rights. We will respect and facilitate the exercise of your rights in accordance with the laws of your jurisdiction. Key rights under other applicable laws include:

POPIA (South Africa): Rights of access, correction, deletion, objection to processing, the right not to be subject to automated decision-making, and the right to lodge a complaint with the Information Regulator.
PIPEDA (Canada): Rights of access, correction, challenge compliance, and withdraw consent, as well as the right to file a complaint with the Office of the Privacy Commissioner of Canada.
Australian Privacy Act: Rights of access, correction, and the right to complain to the Office of the Australian Information Commissioner (OAIC).

10.5 How to Exercise Your Rights

To exercise any of the rights described above, please contact us at [email protected] with a clear description of your request. We may need to verify your identity before processing your request. We will respond to your request within the timeframes required by applicable law:

GDPR / UK GDPR: Within one month of receipt of your request, with the possibility of a two-month extension for complex or numerous requests.
CCPA / CPRA: Within 45 days of receipt of your verifiable consumer request, with the possibility of an additional 45-day extension.
LGPD: Within 15 days of receipt of your request (or such other period as specified by the ANPD).
POPIA: Within a reasonable time, as prescribed by the Information Regulator.
PIPEDA: Within 30 days of receipt of your request.
Australian Privacy Act: Within a reasonable period (generally within 30 days).

If we are unable to comply with your request (in whole or in part), we will explain the reasons for our decision and inform you of your right to challenge our response or lodge a complaint with the relevant supervisory authority.

11. 11. Children's Privacy

Our Website and services are not directed at children, and we do not knowingly collect personal data from children. For the purposes of this section:

Under the GDPR and UK GDPR, "children" refers to individuals under the age of 16 (or the lower age specified by the applicable EU member state, which ranges from 13 to 16 depending on the jurisdiction).
Under the CCPA/CPRA, "children" refers to individuals under the age of 16.
Under the U.S. Children's Online Privacy Protection Act (COPPA), "children" refers to individuals under the age of 13.
Under the LGPD, specific rules apply to the processing of personal data of children (under 12) and adolescents (12 to 17).
Under POPIA, "children" refers to individuals under the age of 18, unless the child is a competent person for a specific purpose.
Under PIPEDA and the Australian Privacy Act, there is no specific age threshold, but the maturity and capacity of the individual to consent is considered.

Our services are designed for businesses and professionals, and we do not market to or intentionally solicit information from children. If we become aware that we have inadvertently collected personal data from a child without appropriate parental or guardian consent where required by law, we will take prompt steps to delete the data from our systems.

If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us immediately at [email protected], and we will take appropriate steps to investigate and address the matter, including deleting the data if appropriate.

12. 12. Security Measures

Sydcup takes the security of your personal data seriously. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, destruction, loss, or accidental damage. These measures are designed to provide a level of security appropriate to the risk associated with the processing of your personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks to your rights and freedoms.

12.1 Technical Measures

Encryption: We use industry-standard encryption protocols (such as TLS/SSL) to encrypt data transmitted between your browser and our Website. Data at rest is encrypted using appropriate encryption algorithms where technically feasible and proportionate to the risk.
Access Controls: We implement role-based access controls to ensure that only authorized personnel have access to personal data. Access is granted on a need-to-know basis and is regularly reviewed.
Network Security: We employ firewalls, intrusion detection and prevention systems, and other network security measures to protect our systems from unauthorized access.
Secure Development Practices: As a software development company, we follow secure coding practices and conduct regular code reviews and security assessments to identify and address vulnerabilities in our systems and applications.
Vulnerability Management: We conduct regular vulnerability assessments and penetration testing to identify and remediate potential security weaknesses.
Monitoring and Logging: We monitor our systems for security events and maintain logs to facilitate incident detection and response.

12.2 Organizational Measures

Data Protection Policies: We maintain internal data protection policies and procedures that govern the collection, use, storage, and disposal of personal data.
Employee Training: Our employees receive regular training on data protection obligations, information security best practices, and the handling of personal data.
Confidentiality Obligations: All employees and contractors who have access to personal data are bound by confidentiality obligations.
Third-Party Due Diligence: We conduct due diligence on our service providers and data processors to ensure they implement appropriate security measures. We enter into data processing agreements that include security obligations consistent with applicable data protection laws.
Incident Response: We maintain a data breach response plan that outlines the procedures for detecting, investigating, containing, and reporting personal data breaches. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within the timeframes required by applicable law (72 hours under the GDPR) and, where required, notify affected individuals without undue delay.
Business Continuity: We implement business continuity and disaster recovery measures to ensure the availability and resilience of our systems and the personal data they process.

12.3 Your Responsibilities

While we take extensive measures to protect your personal data, the security of information transmitted over the internet cannot be guaranteed. We encourage you to take steps to protect your personal information, including:

Using strong, unique passwords for your accounts.
Being cautious about sharing personal information in emails or other communications.
Keeping your devices and software up to date with the latest security patches.
Reporting any suspected security incidents or unauthorized access to your personal data to us promptly.

If you become aware of any security incident involving your personal data, please notify us immediately at [email protected].

13. 13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable laws, or regulatory guidance. When we make changes to this Policy, we will revise the "Last Updated" date at the top of this page.

13.1 Notification of Material Changes

If we make material changes to this Privacy Policy that significantly affect how we collect, use, or share your personal data, we will provide you with prominent notice through one or more of the following methods:

Posting a conspicuous notice on our Website before the changes take effect.
Sending a notification to the email address associated with your account or communications with us (where we have your email address and it is appropriate to do so).
Displaying a pop-up or banner on our Website informing you of the changes.

13.2 Review and Consent

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. Where material changes require your consent under applicable law (for example, changes to the purposes of processing for which we rely on consent), we will obtain your consent before implementing such changes.

13.3 Prior Versions

If you would like to review prior versions of this Privacy Policy, please contact us at [email protected], and we will provide you with the relevant version.

13.4 Continued Use

Your continued use of our Website or services after the posting of changes to this Privacy Policy constitutes your acknowledgment of the changes. However, where your consent is required for specific processing activities, we will not rely on continued use as a basis for consent and will seek your affirmative consent as required by applicable law.

14. 14. Contact & Complaints

If you have any questions, concerns, or requests regarding this Privacy Policy, our data processing practices, or the exercise of your data protection rights, please contact us:

Sydcup

Address: Sepapaja tn 6, Lasnamae, Tallinn, Harju county, 15551, Estonia

Email: [email protected]

Website: sydcup.com

We aim to respond to all inquiries and requests within the timeframes required by applicable law. If your inquiry relates to a data protection right, please provide sufficient information for us to verify your identity and process your request.

14.1 Complaints to Supervisory Authorities

If you are not satisfied with our response to your inquiry or believe that we are processing your personal data in a manner that violates applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. Key supervisory authorities include:

Estonia — Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon): Tatari 39, 10134 Tallinn, Estonia. Website: www.aki.ee. Email: [email protected].
European Union: You may lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. A list of EU supervisory authorities is available on the website of the European Data Protection Board (EDPB) at edpb.europa.eu.
United Kingdom — Information Commissioner's Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk. Helpline: 0303 123 1113.
Switzerland — Federal Data Protection and Information Commissioner (FDPIC): Feldeggweg 1, CH-3003 Berne, Switzerland. Website: www.edoeb.admin.ch.
Brazil — National Data Protection Authority (ANPD): Website: www.gov.br/anpd.
South Africa — Information Regulator: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001. Website: www.justice.gov.za/inforeg. Email: [email protected].
Canada — Office of the Privacy Commissioner of Canada: 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada. Website: www.priv.gc.ca. Toll-free: 1-800-282-1376.
Australia — Office of the Australian Information Commissioner (OAIC): GPO Box 5218, Sydney, NSW 2001, Australia. Website: www.oaic.gov.au. Phone: 1300 363 992.

14.2 Dispute Resolution

We encourage you to contact us directly before filing a complaint with a supervisory authority, as we are committed to resolving any concerns you may have in a timely and satisfactory manner. However, lodging a complaint with a supervisory authority is your right, and you may do so at any time without first contacting us.

If we are unable to resolve your complaint, you may also have the right to seek a judicial remedy before a competent court in accordance with applicable law.

15. 15. California-Specific Disclosures

This section provides additional disclosures required under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) for California residents. This section supplements the information provided elsewhere in this Privacy Policy.

15.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA/CPRA (Cal. Civ. Code Section 1798.140):

Category	Examples	Collected
A. Identifiers	Name, email address, IP address, company name	Yes
B. Personal information categories listed in Cal. Civ. Code Section 1798.80(e)	Name, address, telephone number	Yes
C. Protected classification characteristics	Age, gender, race, etc.	No
D. Commercial information	Records of services purchased or considered	Yes
E. Biometric information	Fingerprints, faceprints, voiceprints, etc.	No
F. Internet or similar network activity	Browsing history, search history, interaction data	Yes
G. Geolocation data	Approximate location derived from IP address	Yes
H. Sensory data	Audio, visual, or similar information	No
I. Professional or employment-related information	Job title, company name, professional background	Yes
J. Non-public education information	Education records	No
K. Inferences drawn from other personal information	Profiles reflecting preferences or behavior	No
L. Sensitive personal information	Social Security number, financial account information, precise geolocation, etc.	No

15.2 Sources of Personal Information

We collect personal information from the following categories of sources:

Directly from you (e.g., through contact forms, emails, service engagements).
Automatically from your device and browser when you visit our Website.
From third-party sources, such as analytics providers, business partners, and publicly available sources.

15.3 Business or Commercial Purposes for Collecting Personal Information

We collect and use personal information for the business and commercial purposes described in Section 5 of this Privacy Policy, including:

Providing, personalizing, and improving our services.
Communicating with you and responding to your inquiries.
Operating, maintaining, and improving our Website.
Detecting and preventing security threats and fraud.
Complying with legal obligations.
Marketing and business development (with consent where required).

15.4 Sale and Sharing of Personal Information

Sydcup does not "sell" personal information as defined by the CCPA/CPRA. Sydcup does not "share" personal information for cross-context behavioral advertising purposes as defined by the CPRA. We have not sold or shared personal information in the preceding 12 months.

15.5 Disclosure of Personal Information for Business Purposes

In the preceding 12 months, we may have disclosed the following categories of personal information to our service providers for business purposes:

Identifiers (Category A)
Personal information categories listed in Cal. Civ. Code Section 1798.80(e) (Category B)
Commercial information (Category D)
Internet or similar network activity (Category F)
Geolocation data (Category G)
Professional or employment-related information (Category I)

15.6 Retention of Personal Information

We retain each category of personal information for the periods described in Section 9 of this Privacy Policy. The specific retention period depends on the purpose of collection and applicable legal requirements.

15.7 Exercising Your Rights

California residents may exercise their rights under the CCPA/CPRA as described in Section 10.2 of this Privacy Policy. You may submit a request by contacting us at [email protected].

You may designate an authorized agent to make a request on your behalf. If you use an authorized agent, we may require you to provide written authorization to the agent and verify your identity directly with us, or the agent must provide a power of attorney executed pursuant to California Probate Code sections 4000 to 4465.

15.8 California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents who have provided personal information to a business with which the individual has established a business relationship may request information about whether the business has disclosed personal information to any third parties for the third parties' direct marketing purposes. As stated in this Policy, we do not disclose personal information to third parties for their direct marketing purposes. If you have questions about this practice, please contact us at [email protected].

15.9 Metrics

In accordance with CCPA/CPRA requirements, we compile and disclose annual metrics regarding the number of requests to know, delete, and opt out that we receive from California residents, as well as our response times, upon request. You may request this information by contacting us at [email protected].

16. 16. Supplemental Notices by Jurisdiction

This section provides supplemental information for individuals located in specific jurisdictions, in addition to the information provided elsewhere in this Privacy Policy.

16.1 United Kingdom

If you are located in the United Kingdom, the following supplemental provisions apply:

Applicable Law: The processing of your personal data is governed by the UK GDPR (as retained by the European Union (Withdrawal) Act 2018) and the UK Data Protection Act 2018.
Data Controller: Sydcup, registered in Estonia, acts as the data controller in respect of your personal data. Although we are not established in the UK, we comply with UK GDPR requirements when processing personal data of UK residents where our processing activities relate to offering goods or services to UK data subjects or monitoring their behavior in the UK.
UK Representative: Where required under Article 27 of the UK GDPR, we will appoint a representative in the United Kingdom. Please contact us at [email protected] for the details of our UK representative, if applicable.
International Transfers: Transfers of personal data from the UK to countries outside the UK that have not been deemed adequate by the UK Secretary of State are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the ICO.
Supervisory Authority: You have the right to lodge a complaint with the Information Commissioner's Office (ICO). Contact details: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Website: ico.org.uk. Helpline: 0303 123 1113.
Age of Digital Consent: Under the UK Data Protection Act 2018, the age of digital consent is 13 years. We do not knowingly process personal data of children under the age of 13 in the UK.

16.2 Switzerland

If you are located in Switzerland, the following supplemental provisions apply:

Applicable Law: The processing of your personal data is governed by the Swiss Federal Act on Data Protection (FADP / nDSG), as revised effective September 1, 2023, and its implementing ordinance (DPO / DSV).
Data Controller: Under the FADP, Sydcup acts as the "controller" responsible for processing your personal data.
Legal Basis: Under Swiss law, personal data may be processed without a specific legal basis unless the processing violates the personality rights of the data subject. Justification grounds include overriding private or public interest, consent, and a direct connection to a contract.
International Transfers: Transfers of personal data from Switzerland to countries without an adequate level of protection (as determined by the Swiss Federal Council) are governed by the EU Standard Contractual Clauses (as recognized by the Swiss Federal Data Protection and Information Commissioner) or the Swiss-U.S. Data Privacy Framework, as applicable.
Supervisory Authority: You have the right to lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC). Contact details: Feldeggweg 1, CH-3003 Berne, Switzerland. Website: www.edoeb.admin.ch.
Data Breach Notification: Under the revised FADP, we are required to notify the FDPIC as quickly as possible in the event of a personal data breach that is likely to result in a high risk to the personality or fundamental rights of data subjects.

16.3 Australia

If you are located in Australia, the following supplemental provisions apply:

Applicable Law: The processing of your personal information is governed by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Organization: Although Sydcup is not established in Australia, we comply with the Australian Privacy Act and APPs where we carry on business in Australia or collect personal information from individuals in Australia.
Collection (APP 3): We only collect personal information that is reasonably necessary for our functions or activities. We collect personal information by lawful and fair means and, where reasonably practicable, directly from you.
Use and Disclosure (APP 6): We will not use or disclose your personal information for a purpose other than the primary purpose for which it was collected, unless you have consented, the secondary purpose is related to the primary purpose and you would reasonably expect the information to be used for that purpose, or an exception under APP 6 applies.
Cross-Border Disclosure (APP 8): Before disclosing personal information to an overseas recipient, we take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. We may transfer personal data to our service providers in other countries. By providing your personal information, you consent to such cross-border disclosures where we have been unable to ensure that the overseas recipient complies with the APPs.
Access and Correction (APPs 12 and 13): You have the right to request access to the personal information we hold about you and to request that we correct any inaccurate, out-of-date, incomplete, irrelevant, or misleading information.
Complaints: If you believe we have breached the APPs, you may lodge a complaint with us by contacting [email protected]. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Contact details: GPO Box 5218, Sydney, NSW 2001. Website: www.oaic.gov.au. Phone: 1300 363 992.
Anonymity and Pseudonymity (APP 2): You have the option of dealing with us anonymously or using a pseudonym where it is lawful and practicable to do so. However, if you do not provide us with your personal information, we may not be able to provide you with our services or respond to your inquiries.

16.4 Brazil

If you are located in Brazil, the following supplemental provisions apply:

Applicable Law: The processing of your personal data is governed by the Lei Geral de Proteção de Dados (LGPD), Federal Law No. 13,709/2018.
Controller (Controlador): Under the LGPD, Sydcup acts as the controller (controlador) of your personal data and determines the purposes and means of processing.
Legal Bases: We process your personal data on the legal bases set out in Article 7 of the LGPD, including consent, performance of a contract, legitimate interests, and compliance with a legal or regulatory obligation. For detailed information about our legal bases, please see Section 4 of this Policy.
Data Protection Officer (DPO / Encarregado): We have appointed a data protection officer (encarregado) responsible for receiving and addressing data subject communications and inquiries. You may contact our DPO at [email protected].
Your Rights: Your rights under the LGPD are described in detail in Section 10.3 of this Privacy Policy.
International Transfers: Where we transfer personal data from Brazil to other countries, we do so in compliance with Chapter V of the LGPD, relying on the mechanisms described in Section 8 of this Policy.
Supervisory Authority (ANPD): You have the right to petition the Brazilian National Data Protection Authority (ANPD) regarding any complaints or concerns about our processing of your personal data. Website: www.gov.br/anpd.

16.5 South Africa

If you are located in South Africa, the following supplemental provisions apply:

Applicable Law: The processing of your personal information is governed by the Protection of Personal Information Act, 2013 (POPIA).
Responsible Party: Under POPIA, Sydcup acts as the "responsible party" in respect of your personal information.
Information Officer: Our designated Information Officer can be contacted at [email protected]. The Information Officer is responsible for encouraging compliance with POPIA, dealing with data subject requests, and working with the Information Regulator.
Processing Conditions: We process your personal information in accordance with the eight conditions for lawful processing set out in POPIA: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation.
Consent: Where we rely on consent as the basis for processing, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Retention: We retain personal information only for as long as it is needed for the purpose for which it was collected, unless retention is required or authorized by law, or you have consented to retention for a longer period.
Direct Marketing: We will only send you direct marketing communications via electronic means (including email) with your prior consent, in accordance with Section 69 of POPIA and Section 45 of the Electronic Communications and Transactions Act (ECTA). You have the right to opt out of direct marketing at any time.
Trans-Border Transfers: We transfer personal information outside of South Africa only in compliance with Section 72 of POPIA, ensuring that the recipient country provides an adequate level of protection or that appropriate safeguards are in place.
Your Rights: Under POPIA, you have the right to access your personal information, request correction or deletion, object to the processing of your personal information, and not be subject to a decision based solely on automated processing. You also have the right to submit a complaint to the Information Regulator.
Information Regulator: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001. Website: www.justice.gov.za/inforeg. Email: [email protected]. Complaints email: [email protected].

16.6 Canada

If you are located in Canada, the following supplemental provisions apply:

Applicable Law: The processing of your personal information is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and, where applicable, substantially similar provincial privacy legislation (such as the Quebec Act respecting the protection of personal information in the private sector, Alberta's Personal Information Protection Act, or British Columbia's Personal Information Protection Act).
Organization: Under PIPEDA, Sydcup is the "organization" responsible for personal information under its control, including personal information transferred to a third party for processing.
Consent: We collect, use, and disclose your personal information with your knowledge and consent, except where otherwise permitted or required by law. Consent may be express (such as written or verbal agreement) or implied (such as through your use of our Website or services), depending on the sensitivity of the information and your reasonable expectations. You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice. We will inform you of the implications of withdrawing consent.
PIPEDA Fair Information Principles: We adhere to the ten fair information principles set out in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
Access and Correction: Under PIPEDA, you have the right to request access to the personal information we hold about you and to request that we correct any inaccurate or incomplete information. We will respond to your access request within 30 days.
Breach Notification: In the event of a breach of security safeguards involving your personal information that creates a real risk of significant harm, we will notify you and report the breach to the Office of the Privacy Commissioner of Canada as required by PIPEDA.
Accountability: We are accountable for personal information in our possession or custody, including information that has been transferred to a third party for processing. We use contractual and other means to ensure that third-party service providers provide a comparable level of protection while the information is being processed by them.
Quebec Residents: If you are a resident of the Province of Quebec, additional rights and requirements may apply under the Quebec Act respecting the protection of personal information in the private sector (as amended by Law 25). These include enhanced consent requirements, privacy impact assessments, and the appointment of a person responsible for the protection of personal information. The Commission d'accès à l'information du Québec serves as the supervisory authority.
Privacy Commissioner: You have the right to file a complaint with the Office of the Privacy Commissioner of Canada. Contact details: 30 Victoria Street, Gatineau, Quebec, K1A 1H3, Canada. Website: www.priv.gc.ca. Toll-free: 1-800-282-1376.