PRIVACY POLICY

Version applicable as of 7th July 2023

1. WHY SHOULD I READ THIS PRIVACY POLICY?

This Privacy Policy ('policy') describes how Rebilita UAB (hereinafter referred to as the "Company", "We", "Us", "Our") collects, uses, discloses, and stores your personal information and what statutory rights you do have. We protect your personal information under the EU General Data Protection Regulation (2016/679) ('GDPR') and other applicable laws. We may amend this policy from time to time. Therefore, please visit our website regularly for the latest version of this policy.

2. WHO IS RESPONSIBLE FOR PROTECTING MY INFORMATION?

We are: Rebilita UAB

Our company number is: 304912714

Our address: Gedimino str. 45-7, LT-44239 Kaunas, Lithuania

Our e-mail address: support@hypnozio.com

3. WHY AND HOW DO YOU COLLECT MY INFORMATION?

3.1. TO PROVIDE YOU WITH OUR ONLINE SERVICES AND / OR PRODUCTS

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When you use / receive our online services and / or products First name, last name, email address, password, other data that you provide while registering, date of account creation, date of user’s most recent log in, selected account settings, online services and/ or products received by user, tests’ results, games’ scores Contract (Art. 6 (1) (b) of GDPR) From yourself It is a requirement necessary to enter into a contract. If you do not provide this information, you will not be able to use / receive our online services and / or products 5 years from the last login to your account

3.2. TO PROCESS YOUR ORDERS AND RECEIVE PAYMENTS

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When you make a payment at our website First name, last name, email, subscription plan, ordered services and / or products, paid amount, currency, payment information (card number, expiration date, CVC number, postal code) Contract (Art. 6 (1) (b) of GDPR) From yourself It is a requirement necessary to enter into a contract. If you do not provide this information, you will not be able to use our services 10 years from the moment you made a purchase

3.3. TO ENSURE SECURITY OF OUR WEBSITE/APP AND CONTINUOUSLY IMPROVE IT FOR YOU

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When you use our website IP address or other device address or ID, web browser and/or device type, hardware and software settings and configurations, the web pages or sites that you visit just before or just after visiting the Site, the pages you view on the Site, your actions on the Site, and the dates and times that you visit, access, or use the Services. When you use the Site on a mobile device, we may also collect the physical location of your device by, for example, using satellite, cell phone tower or wireless local area network signals Consent (Art. 6 (1) (a) of GDPR) From yourself No 1 month after you visit our website

3.4. TO PROVIDE YOU WITH CUSTOMER SUPPORT

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When you submit an inquiry or file a complaint to our customer support First name, last name, e-mail address, country, telephone number, subject of your inquiry, date of your inquiry, content of your inquiry, attachments to your inquiry, reply to your inquiry Consent (Art. 6 (1) (a) of GDPR)) From yourself No 3 years from the moment your last inquiry was received

3.5. TO ENSURE AND IMPROVE THE PERFORMANCE OF OUR WEBSITE/APP, TO ADAPT ITS CONTENT AND FORMAT TO THE NEEDS OF USERS AND TO SHOW YOU RELEVANT INTERNET ADS

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When we want to inform you or ask your opinion about our products or show you internet ads Full name, e-mail, telephone number, IP address, order information, country, postback information, website that directed the company’s website, your interaction with internet add Consent

(Art. 6 (1) (a) of GDPR)(Art. 81 (1) of Lithuanian Law on Electronic Communications)

Customer relationship (Art. 81 (2) of Lithuanian Law on Electronic Communications)
From yourself

Social media service providers

Marketing service providers
No 5 years after you use our services or after you give your consent, unless you withdraw your consent earlier

3.6. TO INTERACT WITH YOU VIA SOCIAL MEDIA

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
If you interact with our social media profiles (e.g., send a message, follow our profiles, share a post, react to a post) Name and surname, e-mail address, gender, country, picture, message, time and date the message was received, content of the message, message attachments, response to the message, time of response to the message, information about Company’s rating, comments on a post, post shares, information about post reactions Consent

(Art. 6 (1) (a) of GDPR)
From yourself and social media platforms No 10 years from the moment you interact with our social media profiles

3.7. TO CARRY OUT THE SELECTION OF POTENTIAL EMPLOYEES

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When we receive your application for a job position, when you give us your consent, or we contact you based on the information you publicly disclose on professional social media platform Full name, e-mail, phone number, CV, work experience, other information you provide us with Legitimate interest (to contact you when you publicly disclose your information on professional social media platforms) (Art. 6 (1) (f) of GDPR) From yourself and professional social media platforms (i.e. Linkedin). It is a requirement necessary to evaluate your competences and potential to fit into the open position in order for the company to find the right candidate 6 months after the end of the relevant recruitment process, or 3 years after you give us your consent or publicly disclose your information on professional social media platforms

3.8. TO FULFIL STATUTORY ACCOUNTING REQUIREMENTS

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
When you order our products Full name, e-mail address, telephone number, bank account number, address, signature, invoices, reports, accounting documents, payments, paid amounts, other information we are statutorily required to collect Legal obligation (Art. 6 (1) (c) of GDPR)

Law on Accounting of the Republic of Lithuania
From yourself It is a statutory requirement. If you do not provide this information, you will not be able to buy goods or services from us 10 years from a transaction

3.9. TO FULFIL STATUTORY ACCOUNTING REQUIREMENTS

When is this relevant for me? What information do you collect about me? What is your legal basis to collect my information? Where do you collect the information from? Am I obliged to provide this information? How long do you store information about me?
In case we become a party or concerned party in legal process which you are subject to or we are statutorily required to collect and/or provide information about you in order to comply with the law All of the afore-mentioned information, accounting and legal case files, legal documents, other information you provide us with, other information that we are statutorily required to collect and/or provide

If the case arises - information about criminal offenses and convictions
Legal obligation (Art. 6 (1) (c) of GDPR)

Legitimate interest (to protect our rights and interests) (Art. 6 (1) (f) of GDPR).

Establishment, exercise, or defence of legal claims (Art. 9 (2) (f) of the GDPR)
From afore-mentioned sources, law enforcement authorities, parties that are subject to legal process, courts You are statutorily obliged to provide personal information. In other cases, we will collect your personal information when we have a legitimate interest to defend our rights and interests 10 years following the end of contractual relationship with us or, whichever is longer, for the duration of legal process and 3 years following the date of entry into force or full enforcement of a judgment of a court or authority

4. WHO DO YOU SHARE MY INFORMATION WITH?

We share your information with information recipients, both within and outside European Economic Area (EEA), in cases where necessary for the above-describe purposes and allowed in accordance with applicable laws.

Information recipient or category of information recipient Purpose of information transfer Country of the recipient European Commission decision on whether a non-EEA country has an adequate level of information protection Suitable safeguards that protect my information, when it is transferred to non-EEA countries
Accounting and audit service providers To fulfil statutory accounting requirements EU N/A N/A
Archiving service providers To keep our archive EU N/A N/A
Electronic communication service providers To operate our electronic communications EU N/A N/A
Attorneys, notaries, bailiffs, auditors, data protection officers, consultants To ensure our compliance, defend our rights and interests EU N/A N/A
E-mail and cloud hosting service providers To operate IT resources Worldwide N/A, including non-EEA countries EU Standard Contractual Clauses
Potential or actual acquirers of the Company's business/ part of the business, also their authorized consultants or other persons To evaluate and/ or execute transactions concerning the ownership of the Company EU N/A N/A
Banking, payment processing and other financial service providers To process payments Worldwide N/A, including non-EEA countries EU Standard Contractual Clauses
Marketing and telemarketing service providers To market our services Worldwide N/A, including non-EEA countries EU Standard Contractual Clauses
Customer support service providers To provide customer support Worldwide N/A, including non-EEA countries EU Standard Contractual Clauses
Social media service providers To manage our social media profiles Worldwide N/A, including non-EEA countries EU Standard Contractual Clauses

5. WHAT STATUTORY RIGHTS DO I HAVE REGARDING MY INFORMATION?

Subject to conditions, limitations, and exceptions established by statutory data protection provisions, you have the rights listed below:

My right When this right is applicable to me?
Right of access when you seek to obtain confirmation as to whether we collect or otherwise process personal data concerning you, and, where that is the case, access to the personal data and the information about the data processing.
Right to rectification when you seek to obtain from us the rectification of inaccurate personal data concerning you.
Right to erasure ('right to be forgotten') - when personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- when you withdraw consent on which the processing is based and there is no other legal ground for the processing;

- when you object to the processing and there are no overriding legitimate grounds for the processing, or you object to the processing for direct marketing purposes;

- where the personal data have been unlawfully processed;

- where the personal data have to be erased for compliance with a legal obligation;

- where the personal data have been collected in relation to the offer of information society services directly to a child and subject to a consent.
Right to restriction of processing - where the accuracy of the personal data is contested by you;

- where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

- where we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;

- where you have objected to processing.
Right to data portability where you seek to receive the data you have provided in a structured, commonly used and machine-readable form or to transmit those data to another controller, the processing is based on consent or on a contract and is carried out by automated means.
Right to object where the collection and use is based on a task carried out in the public interest or in the exercise of official authority vested or legitimate interest, including profiling, as explained in Section 3 of this Privacy Policy, or where you object to the collection of your personal data for direct marketing purposes.
Right to withdraw consent where the processing is based on consent, as explained in Section 3 of this Privacy Policy, and you seek to withdraw it at any time.
Right to lodge a complaint If you believe that we are processing your personal data unlawfully or we are not implementing your rights, you have the right to file a claim before the responsible Data Protection supervisory authority. You can check Data Protection supervisory authorities‘ contact information by Member State here

6. HOW DO I SUBMIT A REQUEST?

If you would like to exercise your rights described above, please submit a request to us via e-mail at support@hypnozio.com.

7. CAN I USE AN AUTHORIZED AGENT?

Sure. You may use an authorized agent to submit a request to opt-out on your behalf if you provide us with the authorized agent written permission to do so. If this is the case, please provide us with a copy of the said permission as instructed under the Section 18 of this policy below. We may deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf. You may also make a request on behalf of your minor child.

8. DO YOU ENGAGE IN AUTOMATED INDIVIDUAL DECISION-MAKING, INCLUDING PROFILING?

No, we do not make decisions based solely on automated processing, including profiling, which would produce legal effects concerning you.

9. DO YOU USE COOKIES?

Yes, following cookies may be used in our Website:

Cookie Name Cookie purpose/function Cookie Expiry
Strictly Necessary
HSID, SID Security cookies to confirm visitor authenticity, prevent fraudulent use of login data and protect user data from unauthorized access. 399 days
CONSENT Stores user’s state regarding their cookies choices 394 days
AEC Prevents malicious sites from acting on behalf of a user without that user’s knowledge 174 days
ennence_session This is used to hold information about your current visit with us. This cookie is essential to the functionality of the site. Same day
parity_save_data This cookie is used by one of our games to track the game progress. 365 days
digital_session This is used to hold information about your current visit with us. This cookie is essential to the functionality of the site. Up to 24 hours
apple_pay_supported When a user visits a website that supports Apple Pay, the website may set the "apple_pay_supported" cookie to store a flag or indicator that their browser is capable of using Apple Pay as a payment method. This information can be used by the website to determine whether to display Apple Pay as a payment option during the checkout process. 30 days
rpp This cookie is used by our platform to pass some information between pages. 2 days
cart The "cart" cookie helps maintain the user's shopping session by keeping track of the items they have added to their cart. 3 days
srpp This cookie is used by our platform to pass some information between pages 7 days
XSRF-TOKEN This cookie is written to help with site security in preventing Cross-Site Request Forgery attacks. Same day
NID, _Secure-ENID This cookie is used to remember your preferences and other information, such as your preferred language, how many results you prefer to display on a search results page (for example, 10 or 20) and whether you want Google's SafeSearch filter to be activated. 183 days
Statistics Cookies
_ga, _ga_7D261W9FDJ The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. 400 days
_Secure-1PSID The purpose of this cookie is to track and differentiate user sessions on the website for analytical purposes. It helps Google Analytics provide accurate and aggregated data to website owners, enabling them to measure and improve their website's performance and user experience. 399 days
_gid Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. 24 hours
DSID The purpose of the "DSID" cookie is to track user interactions with websites that are using the DoubleClick advertising services. It helps Google collect information about the user's browsing activity, such as the pages they visit, the ads they interact with, and the actions they take on the website. 14 days
_gaexp Cookie is used to store ID's of experiments and sessions for A/B testing. 92 days
_hjAbsoluteSessionInProgress, _hjFirstSeen, _hjIncludedInSessionSample_3021418, _hjSession_3021418 Cookies set by Hotjar to track the session and ensure the accuracy. Includes identifying of first session, holding current session data, ensuring subsequent requests in session are attributed to the same session Up to 24 hours
_hjSessionUser_3021418 This cookie is set by Hotjar. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID. 366 days
_hjMinimizedPolls, _hjDonePolls Used to track whether a user has minimized or closed a website poll or if user has already participated in poll. This cookie allows the website to remember the user's preference and keep the poll minimized or closed throughout their browsing session, enhancing their user experience by avoiding intrusive or repetitive poll displays. 365 days
fbq_purchase The specific purpose of the "fbq_purchase" cookie is to track and record information about user purchases or completed transactions on a website. Session
t_gid Assigns a unique User ID that Taboola uses for attribution and reporting purposes, and to tailor recommendations to this specific user. 364 days
ANONCHK Indicates whether MUID is transferred to ANID, a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0. up to 24 hours
_clck This cookie is installed by Microsoft Clarity to store information of how visitors use a website and help in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form. 365 days
_clsk This cookie is installed by Microsoft Clarity to store information of how visitors use a website and help in creating an analytics report of how the website is doing. 1 day
Marketing Cookies
OTZ The specific purpose of the "otz" cookie is to provide information to Google Analytics about the user's journey across different websites and to measure and optimize advertising campaigns 24 days
_gcl_au The primary purpose of the "_gcl_au" cookie is to help track the effectiveness of Google Ads campaigns and measure conversions. | Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services. 90 days
SID This cookie is used provide ad delivery or retargeting, prevent fraud prevention 399 days
g_state Cookie is used to store information related to the current state of the Google Analytics session. It helps track the user's activity, such as the pages they visit, the duration of their visit, and other engagement metrics. The specific purpose of the "g_state" cookie may vary depending on how the website owner has configured Google Analytics and the specific features they have enabled. However, in general, it helps collect data for analytical purposes and provides insights into the website's performance and user behavior. 173 days
_tt_enable_cookie, _ttp To measure and improve the performance of your advertising campaigns and to personalize the user's experience (including ads) on TikTok. 390 days
_uetsid The primary purpose of the "_uetsid" cookie is to collect and store information about a user's interaction with advertisements served by Microsoft Advertising 24 hours
_uetvid The "_uetvid" cookie enables Microsoft Advertising to measure the effectiveness of advertising campaigns, optimize ad targeting, and improve overall ad performance by attributing user actions, such as clicks and conversions, to specific advertisements. 39 days
MUID to store and track visits across websites. | This cookie is set by Microsoft Advertising. Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes. 390 days
SRM_B Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes. 391 days
fr This cookie is set by Facebook as part of their embedded services on our websites 21 days
sb This cookie is used by Facebook to store browser details. 396 days
oo This cookie helps store your advertising preferences. 280 days
xs The "xs" cookie by Facebook is used for session management and security purposes. It helps identify the user's session, maintain their login status, and ensure the secure transmission of data between the user's browser and Facebook's servers. The "xs" cookie plays a crucial role in authenticating and authorizing the user's access to Facebook's services and protecting their account from unauthorized access. 365 days
Targeting Cookies
1P_JAR Used by Google to display personalized advertisements on Google sites, based on recent searches and previous interactions. 30 days
APISID Personalizes Google ads on websites based on recent searches and interactions. 399 days
DV Used to track user activity and deliver targeted advertisements. It helps serve relevant ads based on the user's browsing behavior, interests, and demographics. up to 24 hours
SAPSID, _Secure-1PAPISID Used by Google to display personalized advertisements on Google sites, based on recent searches and previous interactions, used to enable Google to collect user information for videos hosted by YouTube. 399 days
SSID Google collects visitor information for videos hosted by YouTube on maps integrated with Google Maps. 399 days
SSIDCC Used by Google to store user preferences and information when users interact with websites that use Google services 365 days
UULE ‘UULE’, sends precise location information from your browser to Google’s servers so that Google can show you results that are relevant to your location. The use of this cookie depends on your browser settings and whether you have chosen to have location turned on for your browser. up to 6 hours
_Secure-3PAPISID, _Secure-3PSID Builds a profile of website visitor interests to show relevant and personalized ads through retargeting. 399 days
_Secure-3PSIDCC, _Secure-1PSIDCC Used for targeting to profile the interests of website visitors and display relevant and personalized Google Ads. Used by YouTube for ads on Google/YouTube. 365 days
IDE The "IDE" cookie is associated with Google's DoubleClick advertising platform. It is used to store and serve targeted advertisements to users based on their interests and online behavior. 389 days
_geps, _gess This cookie is set by retention.com as part of their embedded services on our websites 30 days
m-b, m-b_lax, m-s, m-theme Quora cookies to measure how visitors are interacting with our website so that we can display relevant advertising to prospective customers. 358 days
m-sa, m-uid Quora cookies to measure how visitors are interacting with our website so that we can display relevant advertising to prospective customers. 393 days
idid, _lc2_fpi Collects data on visitors’ behavior and interaction – This is used to make advertisement on the website more relevant. The cookie also allows the website to detect any referrals from other websites. 400 days

10. HOW CAN I MANAGE COOKIES?

You can configure your browser to decline some or all cookies or to ask for your permission before accepting them. Please note that by deleting cookies or disabling future cookies you may be unable to access certain areas or features of our website. You can control the use of functionality cookies, targeting cookies or advertising cookies by adjusting your browser settings. To find out how to manage cookies in your browser, please visit one of the links below:

11. HOW CAN I CONTACT YOUR DPOs?

If you have any questions, comments, or complaints regarding how we collect, use, and store your personal information, we have our data protection officers to help you. If you need their help, you may contact them at any time:
E-mail address: support@hypnozio.com