Introduction

We in SALLY ltd (hereinafter referred to as “Company”, “we”, "us", "our") as the owner of the “Sally app” (The Application) are committed to protecting “Your” personal data and privacy when visiting and /or installing and using the Application. This Policy explains how data about you is collected, used, stored, disclosed and processed when you visit, access, register or when creating an account. We ensure you that we fully respect the legal framework and especially the EU 679/2016 Regulation “on the protection of natural persons with regard to the processing of personal data and on the free movement of such data” (hereinafter referred as GDPR). This information is provided hereinafter and it is important that you read that information.

Consent to installation of the App

Before installation of this App and after reading this Privacy Policy, please indicate your consent to our processing of your personal data (including your name, contact details, and device information) as described in this policy. As described in the Terms and Conditions https://sally.app/termsandconditions.html  the installation and use of the “Sally app” is permitted only to those over the age of 16 years old.

YES I am over 16 years old

YES I consent to the installation of the App for the purposes of ordering food and sending ‘gifts’ to other users

NO I do not consent to the installation of the App.

YES I want to receive promotional information by email (like discounts, competitions etc.)

NO I do not want to receive promotional information by email

How you can withdraw consent

Once you provide consent by selecting "YES", you may change your mind and withdraw consent at any time by contacting us team@sally.app but that will not affect the lawfulness of any processing carried out before you withdraw your consent.

The Controller: Who we are

Sally ltd incorporated and registered in the Republic of Cyprus with registration number HE 410221 whose registered office is at 8 Morphou street, AGios Athanasios, 4105, Limassol, Cyprus is the controller and is responsible for your personal data.

 Our Contact details

Our full contact details are:

• Full name of legal entity: Sally LTD
• Email address: team@sally.app
• Postal address: Morfou 8, Agios Athanasios, 4105, Limassol
• 00357 99277580

Age Restriction

As said, the “Sally app” is permitted only to those over the age of 16 years old. We do not knowingly collect personal information about persons under the age of 16 without verifiable parental consent in cases where we can control it. For example, it is not possible to control information that is communicated to us online. In any event, if we find out that we have collected any personal information from a minor without verifiable parental consent (in accordance with Article 8 of the GDPR), we will delete the information from our records immediately and we will terminate the account (if any). If you believe we may have collected information from a minor, please contact us.

The data we collect about you

We may collect, use, store and transfer different kinds of personal data about you as follows:

• Your Name and Surname;
• Your email, phone number and shipping address;
• Your credit card number, the Card Verification Value CVV, the expiration date and the billing address;
• Transaction Data and goods consumed;
• Device Data;
• Content Data as described in the Terms and Conditions;
• Profile Data if you link your “Sally” account with any of your Social Media Accounts.
• Usage Data;
• Marketing and Communications Data.

We also process statistical data but it is not considered personal data in law as this data will not directly or indirectly reveal your identity.

We do not process any special categories of personal data as defined in Article 9 of the GDPR.

How is your personal data collected?

• Information you give us. This is information you consent to giving us about you by filling in forms on the App Site, or by corresponding with us. It includes information you provide when you download or register to use the Application, visit our Web Site, subscribe to and use any of our Services, share data via an Applications’ social media functions, enter a competition, promotion or survey, and when you report a problem with the Application or our Services.
• Information we collect about you and your device. Each time you visit Our Site or use our Application we will automatically collect personal data including Device, Content and Usage Data. We collect this data using cookies and other similar technologies.
• Transaction Data from providers of payment services.

Purpose of the process and legal basis

We will only collect and process your personal data when it is allowed to do so. Most commonly we will use your personal data in the following circumstances:

• Where you have consented before the processing. In such case we collect your name and surname, your telephone and email as well as your shipping address.
• Where we need to perform an agreement we are about to enter or have entered with you. This is the case when you use our Services and in such case we collect the full credit card details if you decide to pay by credit card.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This is the case when we process transaction data and goods consumed in order to agree such information with our Customers (those companies where you are using our service).
• Where we need to comply with a legal or regulatory obligation.

We will only send you direct marketing communications by email if we have your consent. We ensure you and declare that we do not share your communication details with any third party for promotional and marketing activities. You have the right to withdraw that consent at any time by contacting us.

Retention period

We store and process personal data for as long as required by the respective processing purpose and any other lawful linked purpose.

Personal data we process based on your consent are kept from obtaining your consent and until it is revoked.

Personal data that are collected under the legal basis of ‘Legal Obligations’ and ‘perform our agreement’, are maintained after the expiry of the legal obligations or the agreement as long as the relevant institutional framework permits.

Personal Data that may be necessary for our legitimate interests as the controller are kept until the reason for such storage has expired.

Personal data of expression of interest through a query or a complaint are kept no longer than 6 months after the query or the complaint is answered and permanently settled.

In the event that you do not use our Services for a period of five (5) years then we will treat the account as expired and your personal data may be deleted.

In some circumstances we will anonymise your personal data (so that it can no longer be associated any way with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Data security

We have implemented reasonable and appropriate organisational and technical measures to protect the personal data and the entire information we collect from security risks. We follow international standards and practices to ensure the security of our networks. We may ensure you that your personal data is processed securely and legally, by adhering to policies and developing and implementing procedures. However, no data transmission over the Internet or wireless transmissions, and no data storage system are ever completely secure. We do not store credit card details as the payment is implemented through authorised companies (as an example JCC) under encryption.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of the Application, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

International Data Transfer

We do not transfer or store or process other way your personal data outside the European Economic Area.

Personal Data Breach

In the event of a breach of the security and integrity of the personal data processed, we will take the following measures (in accordance with Article 33 and 34 of the Regulation) and we will:

• assess it in order to implement the appropriate procedures needed to limit the breach
• examine the extent of the breach and the sensitivity of the data included
• evaluate the risk and its impact on your rights and freedoms
• endeavour to reduce as much as possible the damage that is or may be caused
• notify within a time limit of 72 hours of becoming aware of the breach, the National Personal Data Protection Authority, if required

• assess the impact on your privacy and take appropriate measures to prevent the repeating of the incident

Disclosures of your personal data

We only disclose part of your personal data to corporate customers in relation to our Services under confidentiality agreements and provided that they are fully complying with the GDPR.

Your rights as a data subject and exercising such rights

You have the right to be informed, the right of access to your personal data, the rights of rectification and erasure (in cases it is permitted), the right to restriction of processing, the right to data portability, the right to object. If processing is based on your consent you may withdraw it at any time.

The right to be informed is exercised through this privacy and data processing notification. All other rights have to be expressed in a proven form (electronic or paper based).

Right of access: you have the right to obtain from us confirmation as to whether or not your personal data are being processed as well as other relevant information, and, where that is the case, access to your personal data.

Right of rectification: you have the right of rectification of your inaccurate personal data as well as to have incomplete personal data completed by providing a supplementary statement.

Note: Since it is not possible for us to be aware of any changes to your personal data if you do not inform us, please help us keep your information accurate by informing us of any changes to your personal information we do process.

Right to erasure (‘right to be forgotten’): we have to answer such right when:

• your personal data are no longer necessary in relation to the purposes for which we collected it
• withdraw your consent on which the processing is based and where there is no other legal basis for the processing
• your personal data have been unlawfully processed
• have to be erased for compliance with a legal obligation we are subject to

We reserve the right to refuse this right if the processing is necessary for compliance with any legal obligation we are subject to, or for reasons of public interest, or for the foundation and exercise or support of our legal claims (according Article 17 § 3 of the GDPR).

Right to restriction of processing: you have the right to restriction of processing when:

• you contest the accuracy of your personal data for a period enabling us to verify the accuracy of the personal data
• the processing is unlawful and you opposes the erasure of the personal data and request the restriction of their use instead
• we no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims
• you objected to processing pending the verification whether our legitimate grounds override those of yours.

Right to data portability: You have the right to receive your data in a structured, commonly used and machine-readable format and under an explicit request such data to be transferred to both you and another natural or legal person who will process it.

Right to object: you have the right to object to the processing of your data at any time when the reason for the processing relates to direct marketing.

We inform you that we do not use decision making software based solely on automated processing and we do not use profiling processing.  

In the event that you make such request in a written or electronic form regarding any of the above rights and provided that the request is coming from the data owner and this may be verified, we will assess your request and respond within one month of its receipt, either for its satisfaction or to provide you with objective reasons preventing it from being satisfied, or, given the complexity of the request and the number of requests at the given time, request an extension of response for a further two months period (Article 12.3 of GDPR).

The exercise of your rights is free of charge.

If you are dissatisfied with the use of your data by us, or our response after exercising your rights, you have the right to lodge a complaint with a supervisory authority. Before such complaint, you may contact us if you wise so we can provide you with complete information and support.

You can exercise any of these rights at any time by contacting us at team@sally.app

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review.

This version was last updated on 9th of September 2020. It may change and if it does, these changes will be posted on this page.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.