Last Updated: 9 July 2024
Amberfied Ltd., Unit 2a, Atlantic Suites, Europort Road, Gibraltar ("Amberfied") is committed to maintaining robust privacy protections for its users. This Privacy Policy is designed to help you understand how we collect, use and safeguard the information you provide to us and to assist you in making informed decisions when using our service. This policy also explains your rights in relation to your personal data and how to contact us or any relevant regulator in the event you have a complaint. This policy applies to our website visitors and any users of our services, and we may issue separate policies in relation to our staff.
We are Amberfied Limited, a company established in Gibraltar, registered under company number 123952, with our office at Unit 2a, Atlantic Suites, Europort Road, Gibraltar GX11 1AA ("we", "us", "our" or "Amberfied"). For any questions regarding our privacy practices, you can contact us at privacy@amberfied.com, or by mail at the same address.
As an entity established in Gibraltar, Amberfied has arrangements in place to comply with its obligations with respect to the protection of personal data under the Data Protection Act 2004 ("DPA 2004"), and the Gibraltar General Data Protection Regulation ("GGDPR") (both of which form part of the "data protection legislation", as defined in s.2(1) DPA 2004). Our privacy practices adhere to the laws of the jurisdictions where we operate. This ensures that we implement the practices outlined in this notice only in locations where they are permitted by local laws.
Amberfied does not currently promote, market, or advertise its goods and services, nor solicit clients (or potential clients) outside of Gibraltar and based in the European Union ("EU") or the United Kingdom ("UK"), but to such extent as the European Union General Data Protection Regulation ("EU GDPR") or UK General Data Protection Regulation ("UK GDPR") may apply to processing activities, this policy will also apply.
Capitalised words and expressions not defined in this document shall have the meanings given to them in our Terms of Service, which are made available to our users.
Any references to Articles (e.g. 'Art. 5') are to Articles of GGDPR, UK GDPR and EU GDPR given the article numbering in most cases is identical. Where the intention is to refer to an article within only one of the three similar regimes, that regime will be identified within the reference.
For the purposes of this policy, "personal data" means any information relating to you as an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an online identifier or to one or more factors specific to your physical, physiological, genetic, mental, economic, cultural, or social identity.
"processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. The term "process" shall be interpreted accordingly.
The nature of Amberfied's services in relation to (both physical and mental) wellness and promotion of a healthy lifestyle also means there may be instances of processing of health data, which is a type of "special category" personal data under the data protection legislation. Special category personal data refers to personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership, genetic data and biometric data (where used for identification purposes) and data concerning health, sex life or sexual orientation. We may also refer to this as "sensitive data", under which we also include personal data relating to criminal convictions and offences, allegations, proceedings, and related security measures (which will only be processed under exceptional circumstances in accordance with the data protection legislation).
Amberfied is the organisation legally responsible for deciding how and for what purposes your personal data is used. Amberfied is therefore the "controller" (sometimes referred to as a "data controller") when it determines the purposes and means of processing. We may also act as a "processor" (sometimes referred to as a "data processor") when we process your data and may use other data processors who act on our instructions.
Personal information we process is obtained from different sources:
Data collected from other sources may include information obtained from account owners who request services for or on behalf of other users, such as friends or family members. Additionally, data may be collected from account owners who are businesses creating accounts on behalf of their employees to promote their services via the Amberfied application.
Information provided by users or others in connection with claims or disputes. Third party vendors who provide us data to supplement the information we collect about you, in accordance with applicable laws. For example, we receive fraud and security warnings from service providers for our fraud prevention and risk assessment efforts.
If any other third party submits a report and/or complaint about you or your activity on Amberfied, we may receive information relating to the specific report and/or complaint, which we will review and address.
Under the data protection legislation, all processing of your personal information will be conducted on lawful bases [Art. 6]. In most cases, it will be because:
As we are not a public authority, we do not rely on 'public task' as a lawful basis, and we generally also do not rely on 'vital interests' (either of you or of a third party) other than in cases of genuine emergency.
Where there is any processing of special category personal data [Art. 9] or personal data relating to criminal convictions and offences [Art. 10], then additional justifications [Art. 9(2) plus s.12, s.13 and Schedule 1, DPA 2004] will need to be considered.
Amberfied uses personal data to facilitate convenient connections between Users and Wellness Providers, ensure a reliable method for purchasing Wellness Services, and provide convenient delivery of those services. In the context of Amberfied's services, health data may be processed and this will be subjected to additional protections and controls to preserve the confidentiality and sensitivity of this data.
Additionally, we utilise personal data:
Amberfied uses the data we collect in order to:
The activities described above for preventing and detecting fraud and the unsafe delivery of wellness services may be considered profiling under applicable laws and can result in deactivation of users (generally only after human review). For information regarding how to object to the above activities, please see "Choice and transparency" below.
We use the information we collect (which may include chat logs, in-app messages, information you've given us, such as contact details) to provide customer support, including to investigate and address user concerns and to monitor and improve our customer support responses and processes.
Information we collect from you helps us make our services more convenient and easier to use. We are trying to make our services better, develop new services and features you want, and enhance the safety and security of our services. We use information we collect to:
For instance, a Wellness Provider may use messaging to provide additional details, confirm locations, or appointment times. Similarly, a User may communicate with a Wellness Provider to provide their location, reschedule an appointment, retrieve lost items, or seek further information regarding bookings and services.
We utilise data to market Amberfied features and Wellness Providers or their services to you. This may include utilising Wellness Providers' profiles, their published services, and approximate or exact location, as well as users' account information such as usage data and booking history, to provide relevant ads and marketing communications.
We use this data to send emails, push notifications, in-app messages, or other communication messages for marketing or advertising Amberfied services, features, offers, promotions, news, and/or events. For instance, we may send push notifications suggesting wellness services of Wellness Providers that a user follows, or in-app messages offering discounts or promotions for services similar to those a user has previously purchased and booked.
Amberfied performs the above activities on the grounds that they are necessary for purposes of Amberfied's legitimate interests in informing users of Amberfied features or services offered by Wellness Providers. See the sections titled "Choice and transparency" and "Marketing and advertising choices" for information on users' choices regarding how Amberfied may use their data for marketing and advertising.
Amberfied may use data to send surveys and other communications that are not for the purpose of marketing services or products of Amberfied.
We may use data to investigate or address claims or disputes relating to the use of Amberfied's services and to satisfy requirements under applicable laws, regulations, operating licences or agreements, and insurance policies or pursuant to legal process or governmental request, including from law enforcement.
Amberfied performs the above activities based on the necessity for purposes of Amberfied's legitimate interests in investigating and responding to claims and disputes relating to the use of Amberfied's services and features, and/or compliance with applicable legal requirements.
Some of Amberfied's services and features require that we share data with other users or at users' request or with their consent. We may also share such data for legal reasons or in connection with claims or disputes.
Due to Amberfied being a Gibraltar-based company, user data is mostly operated, stored, and processed within Gibraltar. In addition, we may use processors established in the European Economic Area (EEA) and the United Kingdom (UK). We comply with applicable legal frameworks relating to the transfer of data internationally. This includes sharing your data in accordance with the GRA's Data Sharing Code of Practice, and ensuring that any international transfers are permitted under Chapter V GGDPR.
In the majority of cases, your data will only be transferred (i.e. accessed by processors, joint controllers or independent controllers) to entities based in the UK or the EEA or in other places that Gibraltar (which follows UK decisions in this area) has deemed as providing an "adequate" level of protection of personal data. We only allow those organisations to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.
Amberfied is committed to protecting our users' personal data. This includes implementing measures, including:
We also provide reasonable and appropriate safeguards to prevent loss, and unauthorised use or disclosure, of personal data. We follow industry best practice by applying the security pillar of the Amazon Web Services ("AWS") Well-Architected Framework. You can learn more about AWS security measures here.
Where possible, we will take steps to de-identify you, and send anonymised information, unless prevented from doing so under law.
In cases where there is a required transfer to a territory or international organisation that has not been deemed "adequate" under the data protection legislation, we will implement the "appropriate safeguards" specified under the data protection legislation [Art. 46], such as the use of standard data protection clauses specified in legislation or issued by relevant supervisory authorities.
In the absence of a decision based on adequacy regulations, or of appropriate safeguards, we may consider relying on derogations for specific situations as allowed by law [Art. 49].
The primary reasons for our data transfers may include:
To this end, Amberfied may share data:
This includes sharing data with law enforcement officials, public health authorities, other government entities, insurance companies, or other third parties as necessary to enforce our Terms of Service or other policies; to protect the rights, safety, or property of Amberfied or others; or in the event of a claim or dispute relating to the use of our services or the services provided by wellness providers. In the event of a dispute involving the use of another person's credit card, we may be obligated by law to share a user's data, purchase, and booking information with the owner of that credit card.
Furthermore, this extends to sharing data with others in connection with, or during negotiations for, any merger, sale of company assets, consolidation, restructuring, financing, or acquisition of all or a portion of our business by or into another company.
We apply a general rule of keeping personal information only for as long as is required to perform the purpose for which it was collected. However, in some circumstances, we will retain your personal information for longer periods of time. We will retain personal information for the following purposes:
Users can request the deletion of their account through the Account Settings menu, which is accessible via the Profile page in the Amberfied apps or website.
Following an account deletion request, we delete the user's account and data, except as necessary for the purposes of safety, security, fraud prevention or compliance with legal requirements or because of issues relating to the user's account (such as an unresolved claim or dispute). For wellness providers, this generally means that we retain some of their data for as long as necessary for actual or potential tax, litigation or insurance claims. For users, we generally delete data within 90 days of an account deletion request, except where retention is necessary for the above reasons.
Different retention periods may apply for different types of personal data, which are determined by reference to legal or regulatory requirements to retain information (e.g. retention of employment records for tax and social security purposes). Following the end of the relevant retention period, we will either anonymise your personal data or erase this from our records, unless there is further justification for continued retention (e.g. the exercise, establishment, or defence of legal claims).
Amberfied enables users to access and/or control data that Amberfied collects, including through:
All users can set or update their preferences regarding data collection and sharing, as well as notifications, through their Profile and Account Settings in the Amberfied apps.
Location data collection (User). We do not collect location data directly from Users who register to book Wellness Services. Users can choose to share their location with Wellness Providers via messenger in the Amberfied apps.
Location data collection (Wellness Providers). To publish a service, Wellness Providers are required to provide their approximate location or exact address during the Service Creation process. They retain the option to update this information on their published services or by unpublishing a service and creating a new one.
Many mobile device platforms (such as iOS and Android) have specified certain types of device data that apps are unable to access without the device owner's consent. These platforms employ various methods to obtain this permission. Users are advised to review the settings available on their devices or consult with their service provider for further guidance.
After Wellness Services are completed, both Wellness Providers and Users have the opportunity to rate each other on a scale from 1 to 5. These ratings contribute to an average rating linked to a user's account, visible to other users when providing or receiving services. For example, Users' ratings are accessible to Wellness Providers they follow, while Wellness Providers' ratings are viewable by all users and guests of the Amberfied website. Users and Wellness Providers can view their average rating by accessing their User Profile and selecting "Ratings" on the Amberfied Site or App. If a review contains abusive sentences or incorrect information, users should contact Customer Support at info@amberfied.com. Amberfied will review it, and this can lead to the removal of that review and/or the suspension or removal of the account of the user who has breached the Amberfied Terms of Service, Wellness Providers Terms and/or Community Guidelines.
Amberfied provides users with the following choices regarding how their data is used for purposes of marketing and advertising:
Notifications. Users may disable or enable push notifications from Amberfied about booking updates. All users may control whether they receive push notifications in Account Settings in the Amberfied app.
Users have the option to control Wellness Providers' access to their accounts and the ability to send push notifications or in-app messages by choosing to follow or unfollow specific Wellness Providers.
Cookies and Related Technologies: Amberfied utilises only essential cookies. For information on how Amberfied uses cookies and related technologies, please refer to our Cookie Policy.
You generally have the following rights, which you can exercise free of charge:
If you would like to exercise any of the above rights or obtain further information, including the circumstances in which these rights do and do not apply, please contact us on the details contained in this policy. When contacting us please let us know which right(s) you want to exercise and the information to which your request relates. You may also be asked to provide further information to identify yourself, in order to protect the rights of others (e.g. reducing identity theft).
Requests will be processed within one month of receipt, but this might be extended to two months in case of a complex request, where you have made a number of requests.
Requests are free of charge, unless manifestly unfounded or excessive (in particular because of any repetitive character in such requests), in which case we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances. Note we may also make use of exemptions/derogations contained within the data protection legislation.
We may use cookies and similar technologies on our website. A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. Cookies help us recognise you and your device and store some information about your preferences or past actions. They also allow us to analyse trends, administer our website and keep it secure. For further information on cookies, including how and why we use these and how to manage or disable them, please refer to our Cookie Policy.
We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine need to access it. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Whilst we take appropriate technical and organisational measures to safeguard your personal data, please note that we cannot guarantee the security of any data that you transfer over the internet to us.
We may periodically revise this notice and change the 'Last Updated' date above. In the event of significant changes, users will be notified in advance through the Amberfied app or via other channels, such as email. We encourage users to regularly review this notice to stay informed about our privacy practices. Continued use of our services following an update implies consent to the revised notice to the extent permitted by law.
This privacy policy is to be construed in accordance with Gibraltar law, and the courts of Gibraltar shall have jurisdiction to determine any disputes arising in relation to the interpretation or construction of the same.
© Amberfied Limited. All rights reserved