Terms of Use

BACKGROUND

1. The Customer and Veed Limited (Provider) are willing to enter into terms of sale for business clients for paid services (Master Agreement) that may require the Provider to process Personal Data on behalf of the Customer.
2. This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation (EU) 2016/679) (UK GDPR) for contracts between controllers and processors.

AGREED TERMS

1) Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

 1.1) Definitions:

Authorised Persons: the persons or categories of persons that the Customer authorises to give the Provider written personal data processing instructions as identified in Annex A and from whom the Provider agrees to accept such instructions.

Business Purposes: the services to be provided by the Provider to the Customer as described in the Master Agreement and any other purpose specifically identified in this Agreement.

Commissioner: the Information Commissioner as defined in Article 4(A3) UK GDPR, section 114 DPA 2018 and/or the Data Protection Legislation (as applicable). 

Controller: has the meaning given to it in section 6, DPA 2018.

Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended. 

Data Subject: the identified or identifiable living individual to whom the Personal Data relates.

EEA: the European Economic Area.

Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. 

Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.

Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Records: has the meaning given to it in Clause 12.

Term: this Agreement's term as defined in Clause 10.

UK GDPR: has the meaning given to it in section 3(10) (as supplemented by section 205) of the DPA 2018.

 1.2) This Agreement is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this Agreement.

 1.3) The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

  1.4) A reference to writing or written includes faxes and email.

  1.5) In the case of conflict or ambiguity between:

      a) any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;

      b) the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and

      c) any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.

‍

2) Personal data types and processing purposes

  2.1) The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

      a) The Customer is the Controller and the Provider is the Processor.

      b) The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the processing instructions (in any form, written or otherwise) it gives to the Provider. 

      c) Annex A describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.

      d) where Personal Data is transferred to the EEA and/or the UK, the Provider is not obliged to agree to the standard contractual clauses as set out in Annex B and Annex C as the European Commission has announced on 28.06.21 that the UK offers an adequate level of protection of personal data and any transfers of personal data from the EEA to the UK can be made without any further specific authorisation. The Provider therefore need not strictly comply with the standard contractual clauses as set out in Annex B and Annex C where Personal Data is transferred to the EEA and/or the UK. 

      e) the standard contractual clauses as agreed and set out in Annex B and Annex C shall not apply to any Personal Data that does not originate in the UK or the EEA (as applicable).

‍

3) Provider's obligations

  3.1) The Provider will process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider may notify the Customer if, in its opinion, the Customer's instructions do not comply with the Data Protection Legislation.

  3.2) The Provider will use its reasonable endeavours to consider any Customer written instructions reasonably requiring the Provider to amend, transfer, delete or otherwise process the Personal Data. The Provider will comply with such written instructions so far as it is able to without substantial expense or difficulty. 

  3.3) The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by any law, court or regulator (including the Commissioner). If a a law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits the giving of such notice

3.4) The Provider will reasonably assist the Customer, charged on a time and materials basis, with meeting the Customer's compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider's processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

  3.5) The Provider will use its reasonable endeavours to notify the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider's performance of the Master Agreement or this Agreement.

‍

4) Provider's employees

The Provider will ensure that its employees with access to the Personal Data:

      a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;

      b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

      c) are aware of their personal duties and obligations under the Data Protection Legislation and this Agreement.

‍

5) Security‍

 5.1) The Provider will at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. 

  5.2) The Provider will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

     a) the pseudonymisation and encryption of personal data;

      b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

      c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and 

      d) a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

‍

6) Personal data breach

  6.1) The Provider will, as soon as reasonably practicable, notify the Customer in writing if it becomes aware of:

      a) the loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data;

      b) any accidental, unauthorised or unlawful processing of the Personal Data; or

      c) any Personal Data Breach.

  6.2) Where the Provider becomes aware of (a), (b) and/or (c) above, it will also provide the Customer with the following written information:

      a) description of the nature of (a), (b) and/or (c), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;

      b) the likely consequences; and

      c) a description of the measures taken or proposed to be taken to address (a), (b) and/or (c), including measures to mitigate its possible adverse effects.

  6.3) Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to reasonably investigate the matter. 

  6.4) The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer's written consent, except when required to do so by domestic law.

‍

7) Cross-border transfers of personal data from the UK and/or the EEA to third countries

  7.1) The Provider (and any subcontractor/sub-processor) will not transfer or otherwise process the Personal Data outside the UK and/or the EEA to third countries other than in accordance with this Agreement, without obtaining the Customer's prior consent, save where the Provider is processing the Personal Data per the Customer’s request(s) or instruction(s).

  7.2) Where such consent is granted, the Provider may process, or permit the processing, of the The Provider may authorise third-parties (subcontractors/sub-processors) to process the Personal Data if:

      a) the Provider notifies (by any means, directly/indirectly) the Customer of the appointment of subcontractors/sub-processors; and

      b) the Provider enters into contracts with subcontractors/sub-processors that contain terms similar to those set out in this Agreement, and, upon the Customer's written request, provides the Customer with copies of the relevant excerpts from such contracts.

  7.3) Those subcontractors/sub-processors who may process the Personal Data as at the commencement of this Agreement and from time to time are as set out or referred to in Annex A. 

‍

8) Complaints, data subject requests and third-party rights

  8.1) The Provider will, charged on a time and materials basis, take such technical and organisational measures as may be appropriate, and provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

      a) the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

      b) information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

  8.2) The Provider will notify the Customer in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party's compliance with the Data Protection Legislation.

  8.3) The Provider will notify the Customer if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

  8.4) On the Customer’s written request, the Provider will give the Customer, charged on a time and materials basis, its cooperation and assistance in responding to any specific complaint, notice, communication or Data Subject request.

  8.5) The Provider will not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer's written instructions, or as required by law.

‍

9) Term and termination

  9.1) This Agreement will remain in full force and effect so long as:

      a) the Master Agreement remains in effect; or

      b) the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

  9.2) Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

  9.3) If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation 30 days, either party may terminate the Master Agreement on not less than 30 working days on written notice to the other party.

‍

10) Data return and destruction

  10.1) At the Customer's request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in a reasonable format.

  10.2) Subject to clause 10.4, on termination of the Master Agreement for any reason or expiry of its term, the Provider will securely delete or destroy within 60 days or, if directed in writing by the Customer before the termination or expiry of the Master Agreement, return and not retain, all or any of the Personal Data related to this Agreement in its possession or control.

  10.3) Notwithstanding clause 10.2, the Provider will retain all or any of the Personal Data related to this Agreement in its possession or control where the Customer wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement.  

  10.4) If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain and the legal basis for such retention. 

  10.5) On the Customer’s written request, the Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data after it completes the deletion or destruction. 

‍

11) Records

  11.1) The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, and a general description of the technical and organisational security measures referred to in se 5.1 (Records).

  11.2) The Customer and the Provider will, together, review the information listed in the Annexes to this Agreement about one a year to confirm its current accuracy and update it when required to reflect current practices.

‍

12) Audit

At the Customer's written request, at the Customer’s expense, the Provider will:

      a) conduct an information security audit before it first begins processing any of the Personal Data;

      b) produce a written report that includes detailed plans to remedy any security deficiencies identified by the audit;

      c) provide the Customer with a copy of the written audit report; and

      d) remedy any deficiencies identified by the audit.

‍

13) Notice

  13.1) Any notice given to a party under or in connection with this Agreement must be in writing and delivered to:

  For the Customer: Any email address which the Provider was supplied to contact the Customer for any purpose.  

  For the Provider: The email address for the Provider as stated in the Master Agreement’s order form and/or any other email addresses which the Provider supplies for the receipt of notices under or in connection with this Agreement.

  13.2) 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

  This Agreement has been entered into on the date on which the Master Agreement is entered into.

‍

ANNEX A  Personal Data processing purposes and details

Subject matter of processing: The Provider’s provision of its services under the Master Agreement to the Customer as specified and pursuant to the Master Agreement.

Duration of Processing: For the term of the Master Agreement and this Agreement plus the period from expiry of the term of the Master Agreement and this Agreement until the anonymization, return, or deletion of data in accordance with this Agreement. Data shall also be processed for a further period in which the data exporter wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement.

Nature of Processing: The Provider will process Personal Data for the purpose of providing the Customer its services in accordance with and as described in the Master Agreement, and as instructed by the data exporter from time to time. For the avoidance of doubt, the Provider will process Personal Data for data analytics purposes (amongst other purposes) which shall form part of the Business Purposes. 

Personal Data Categories: Any Personal Data provided to the Provider, by or at the direction of the Customer. 

Data Subject Types: Data subjects include the Customer’s users, employees and third parties with whom it has, or may develop, a commercial relationship. 

Authorised Persons: All personnel of the Customer giving the Provider instructions from an email address which the Customer used previously to contact the Provider or an email address with any domain name which the Customer uses in the course of their business. 

Subcontractors/sub-processors: The subcontractors/sub-processors which we use from time to time are listed at https://www.veed.io/data-subprocessors. The Provider may update this list of subcontractors/sub-processors from time to time. 

‍

ANNEX B: UK standard contractual clauses (Controller-Processor) 

STANDARD CONTRACTUAL CLAUSES (CONTROLLER-PROCESSOR)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection Customer (the data exporter) and VEED (the data importer) each a ‘party’; together ‘the parties’, have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1 to a third country.

Clause 1

Definitions

For the purposes of the Clauses:

1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. ‘the data exporter’ means the controller who transfers the personal data;
3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Annex D to this contract;
4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
5. that it will ensure compliance with the security measures;
6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third count
7. to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Annex D, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
9. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
10. that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
3. that it has implemented the technical and organisational security measures specified in Annex D before processing the personal data transferred;
4. that it will promptly notify the data exporter about:

1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
2. any accidental or unauthorised access; and
3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

1. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
2. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
3. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Annex D which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
4. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
5. that the processing services by the sub-processor will be carried out in accordance with Clause 11;
6. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

1. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
2. to refer the dispute to the courts in the Member State in which the data exporter is established.

1. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of which the data importer is established, namely the laws of England and Wales.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of which the data importer is established, namely the laws of England and Wales.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12 

Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses.

Data exporter

The data exporter is as defined in these Standard Contractual Clauses and is defined as the Customer in the data processing agreement signed between the parties.  

Data importer

The data importer is Veed Limited and is defined as the Provider in the data processing agreement signed between the parties. 

Data subjects

Data subjects include the data exporter’s users, employees and third parties with whom it has, or may develop, a commercial relationship.

Categories of data

Any personal data provided to the data importer, by or at the direction of the data exporter.  

Special categories of data (if appropriate)

Special categories of data may be transferred by the data exporter to the data importer through the uploading of video or audio files or other data on to the data importer’s website. Where the data exporter transfers any special categories of personal data to the data importer, the data exporter shall have obtained explicit consent from the data subjects of the special categories of data to process such data about them and for the data importer to process that data in the UK and/or in third countries. Data subject’s explicit written consent which the data exporter obtain must be supplied to the data importer on the data importer’s request. If a data subject does not give explicit written consent to the processing their special categories of personal data, then their special categories of personal data must not be supplied to the data importer. 

Any special categories of data transferred by the data exporter to the data importer shall be processed only for the performance of the terms of sale for business clients for paid services entered into between the data exporter and Veed Limited.

Processing operations

The personal data transferred will be subject to the following basic processing activities (as applicable):

• Personal data is transferred on a continuous ongoing basis.
• The data importer will process personal data for the purpose of providing the data exporter its services in accordance with and as described in the Master Agreement, and as instructed by the data exporter from time to time. For the avoidance of doubt, the data importer will process personal data for data analytics purposes amongst other purposes. 
• Processing by the data importer as necessary to provide its services pursuant to the Master Agreement (as defined under the data processing agreement signed between the Parties).
• The personal data will be retained for the term of the Master Agreement and the data processing agreement signed between the Parties, plus the period from expiry of the term of the Master Agreement and the data processing agreement until the anonymization, return, or deletion of data in accordance with the data processing agreement, and any further period in which the data exporter wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement. 
• The data importer may engage sub-processors, to process data transferred by the data exporter to the data importer, as necessary to provide its services pursuant to the Master Agreement (as defined under the data processing agreement signed between the Parties) for the period of the Master Agreement and any further period in which the data exporter wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement.

List of sub-processors

The data exporter agrees to the data importer’s use/engagement of sub-processors. The subcontractors/sub-processors which the data importer use from time to time are listed at https://www.veed.io/data-subprocessors.

When any new subprocessor is engaged during the term of this agreement, VEED will, at least 30 days before the new subprocessor starts processing any data (that falls under GDPR), notify the Customer of the engagement (including the name, location and activities of the new subprocessor).

b. The Customer may, within 90 days after being notified of the engagement of a new subprocessor, object by terminating the applicable agreement by notifying VEED. 

ANNEX C: EU standard contractual clauses (Controller-Processor)

STANDARD CONTRACTUAL CLAUSES (CONTROLLER-PROCESSOR)

For the compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country

Clause 1

Purpose and scope

The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country;

The Parties:  

1. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data (hereinafter each ‘data exporter’), and
2. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

1. These Clauses apply with respect to the transfer of personal data as specified in Annex F. 
2. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 

Effect and invariability of the Clauses

1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiaries

1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions

1. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
2. Clause 8.1(b), 8.9(a), (c), (d) and (e);
3. Clause 9(a), (c), (d) and (e);
4. Clause 12(a), (d) and (f);
5. Clause 13;
6. Clause 15.1(c), (d) and (e);
7. Clause 16(e);
8. Clause 18(a) and (b).

1. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail. 

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex F.

Clause 7

Docking clause

1. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer
2. The acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer.
3. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

1. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
2. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex F, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex D and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex F. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex D. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
2. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
4. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex F.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

1. the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
3. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
4. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and compliance

1. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
3. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
4. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

1. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 1 hour in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
2. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
3. The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
4. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
5. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights 

1. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
2. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex D the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
3. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter. 

Clause 11

Redress

1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

1. lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work or the competent supervisory authority pursuant to Clause 13;
2. refer the dispute to the competent courts within the meaning of Clause 18.

1. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679. 
2. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
3. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
2. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
3. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
4. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
5. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
6. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
7. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex G, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established and/or the , as indicated in Annex G, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex G, shall act as competent supervisory authority.

(b)The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

Clause 14

Local laws and practices affecting compliance with the Clauses 

1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

1. the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
2. the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
3. any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

1. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
2. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
3. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). 
4. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities 

15.1   Notification

1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

1. receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
2. becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

1. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
2. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 
3. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
4. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimisation

1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 
3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

Clause 16

Non-compliance with the Clauses and termination 

1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

1. the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
2. the data importer is in substantial or persistent breach of these Clauses; or
3. the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

The Parties agree that these Clauses shall be governed by the laws of England & Wales.

Clause 18

Choice of forum and jurisdiction

1. The Parties agree that any dispute arising from these Clauses shall be resolved by the courts of England & Wales.
2. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
3. The Parties agree to submit themselves to the jurisdiction of such courts.

‍

ANNEX D: Technical and organisational measures to ensure the security of the data

Access controls

• Password procedures (including 2FA, password complexity, single sign on)
• Access to systems subject to approval from IT managers or HR managers
• Differentiated access rights defined according to duties
• Records of who has access to different software and the access level they have

‍

Data storage, transfer and logging

• Use of market leading infrastructure providers
• The data is encrypted and regularly backed up
• Firewalls operate on a principle of least privilege
• Use of encrypted connections for front-end to back-end transfers. HTTPS connections use TLS 1.2 or above
• Logging user access to Veed services
• Audit trail of activities within cloud service providers

‍

Availability controls

• Ability to restore services in case of system interruption
• System fault reporting in place
• Measures in place to prevent stored personal data being corrupted
• Off-site services / use of cloud services

‍

ANNEX F: Description of transfer

Categories of data subjects whose personal data is transferred

Data subjects include the data exporter’s users, employees and third parties with whom it has, or may develop, a commercial relationship.

Categories of personal data transferred

Any personal data provided to the data importer, by or at the direction of the data exporter.  

Sensitive data transferred 

Special categories of data may be transferred by the data exporter to the data importer through the uploading of video or audio files or other data on to the data importer’s website. Where the data exporter transfers any special categories of personal data to the data importer, the data exporter shall have obtained explicit consent from the data subjects of the special categories of data to process such data about them and for the data importer to process that data in the EU and/or in third countries. Data subject’s explicit written consent which the data exporter obtain must be supplied to the data importer on the data importer’s request. If a data subject does not give explicit written consent to the processing of their special categories of personal data, then their special categories of personal data must not be supplied to the data importer. 

Any special categories of data transferred by the data exporter to the data importer shall be processed only for the performance of the terms of sale for business clients for paid services entered into between the data exporter and Veed Limited.

The frequency of the transfer 

Personal data is transferred on a continuous ongoing basis.

Nature of the processing

The data importer will process personal data for the purpose of providing the data exporter its services in accordance with and as described in the Master Agreement, and as instructed by the data exporter from time to time. For the avoidance of doubt, the data importer will process personal data for data analytics purposes amongst other purposes. 

Purpose of the data transfer and further processing

Processing by the data importer as necessary to provide its services pursuant to the Master Agreement (as defined under the data processing agreement signed between the Parties).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The personal data will be retained for the term of the Master Agreement and the data processing agreement signed between the Parties, plus the period from expiry of the term of the Master Agreement and the data processing agreement until the anonymization, return, or deletion of data in accordance with the data processing agreement, and any further period in which the data exporter wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The data importer may engage sub-processors, to process data transferred by the data exporter to the data importer, as necessary to provide its services pursuant to the Master Agreement (as defined under the data processing agreement signed between the Parties) for the period of the Master Agreement and any further period in which the data exporter wishes to or continues to receive the Provider’s free services after the termination or expiry of the Master Agreement.

ANNEX G: Competent Supervisory Authority

The competent supervisory authority in accordance with Clause 13 shall be the UK Information Commissioner’s Office.

‍

Marketing 

‍We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. 

Promotional offers from us

‍We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you (we call this marketing). 

You will receive marketing communications from us if you have requested information from us or purchased from us and you have not opted out of receiving that marketing.

Third-party marketing 

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes. 

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you (where such links are available) or by contacting us at any time. 

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service purchase, service experience or other transactions.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Applications may become inaccessible or not function properly. For more information about the cookies we use, please see https://veed.webflow.io/cookie-policy.

Change of purpose 

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. 

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Automated decision-making

Automated decisions are made by technological means, mostly based on algorithms subject to predefined criteria. Such automated decision-making, taken solely by technological means without any human intervention, may have legal effects or similarly significant effects on you. 

By using the Applications and/or our services, you are giving us your explicit consent to make automated decisions. If you do not consent to our making automated decisions, you must not use our Applications or services.   

The Applications may use your personal data decisions entirely or partially based on automated processes according to the purposes outlined in this privacy policy. The Applications adopt automated decision-making processes as far as necessary to enter into or perform a contract between you and us, or on the basis of your consent where consent is required by the law.

The rationale behind the automated decision-making is:

• so that we can suggest certain settings or tips when you use our services; 
  

• to enable or otherwise improve the decision-making process;
  

• to grant you fair and unbiased treatment based on consistent and uniform criteria;
  

• to reduce the potential harm derived from human error, personal bias and the like which may potentially lead to discrimination or imbalance in the treatment of individuals etc.; or
  

• to reduce the risk of your failure to meet your obligation under your contract with us. 
  

Your rights as a result of automated decision-making 

Where you are subject to automated decision-making processes, you are entitled to exercise specific rights aimed at preventing or otherwise limiting the potential effects of the automated decisions taken.

In particular, you would have the right to:

• obtain an explanation about any decision taken as a result of automated decision-making and express your point of view regarding such decision; 
  

• challenge such a decision by asking us to reconsider a decision or take a new decision on a different basis; or
  

• request and obtain from the Owner human intervention on such processing.
  

Please contact us if you want to find out more about the purposes, the third-party services we use which makes automated decisions (if any), and any specific rationale for automated decisions used within the Applications.

Push notifications and email notifications

The Applications may send you push notifications and we may send you email notifications to achieve the purposes outlined in this privacy policy. 

You may, in most cases, opt-out of receiving push notifications by visiting your device settings (such as the notification settings for mobile phones and then change those settings for the Applications).

Note that disabling push notifications may negatively affect your use of the Applications.

You may also, in most cases (except where we send you email notifications for the purposes set out in the table in section 4 above), opt-out of the email notifications we send by contacting us, clicking the “Unsubscribe” button at the end of our emails or by managing your communication preferences on the Applications.

1. Disclosures of your personal data
   

We may share your personal data with the parties set out below for the purposes set out in the table under the “purposes for which we will use your personal data” section above.

• Third Parties as set out in the Glossary.
  

• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy. 
  

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

2. International transfers
   

Many of our external third parties are based outside the UK and/or the European Economic Area (“EEA”) so their processing of your personal data will involve a transfer of data outside the UK and/or the EEA. 

Whenever we transfer your personal data out of the UK and/or the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: 

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK or the European Commission (as applicable). 
  

• If we transfer your personal data to any other country which is not subject to an adequacy decision of the UK or the European Commission (as applicable) regarding an adequate level of protection of personal data, we will ensure that there is a legal basis and, if required, a relevant safeguard method for such data transfer so that your personal data are treated in a manner that is consistent with, and respects the applicable laws and regulations on data protection in the UK or the EEA (as applicable).
  

• Where we use certain service providers, we may use specific contracts approved by the UK or the European Commission (as applicable) which give personal data the same protection it has in the UK or the EEA (as applicable).  
  

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EEA.

3. Data security
   

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

4. Data retention
   

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

You can request details of our retention periods for different aspects of your personal data by contacting us. 

In some circumstances you can ask us to delete your data; see “your legal rights” section below for further information. 

Where we use universally unique identifiers (“UUID”) for analytics purposes or for storing your preferences, a UUID is generated upon your installation of our programme(s). The UUID persists between our programme’s launches and updates, but it is lost when you delete our programme. A new UUID will be generated when you reinstall our programme.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

5. Your legal rights
   

Under certain circumstances, you have rights under data protection laws in relation to your personal data. 

Broadly, you have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  

• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  

• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. 
  

• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  

• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: 
  

• If you want us to establish the data's accuracy.
• Where our use of the data is unlawful but you do not want us to erase it.
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims. 
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it. 
  

• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. 

‍
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

INFORMATION ABOUT US AND HOW TO CONTACT US

• Who are we: We are Veed Limited (“VEED”, "we", "us" or "our" in these Terms), a company incorporated in England and Wales (with company number 11264311) and our registered office address is: 320d High Road, Benfleet, Essex, SS7 5HB, England. Our registered VAT number is GB354412222.
• How to contact us: You can contact us via the chat function available through our website (www.veed.io), or by writing to us at [email protected]. 

IMPORTANT INFORMATION ABOUT THESE TERMS 

• Do these Terms apply to you? Any reference to “you” or “your”, means you, an individual consumer or a business who has not entered into an “Enterprise” agreement with us, as a recipient of the Services (as defined in clause 1.1(a) below). 
• What these Terms cover? These Terms set out the agreement between you and us and apply to all dealings in respect of your access to, and use of the Services.
• Why you should read these Terms? You should read these Terms carefully before you use the Services. These Terms tell you who we are, how we will provide the Services to you, how you and we may change or end the Contract (as defined in clause 1.3 below), what to do if there is a problem and other important information. If you think that there is a mistake in these Terms, please contact us to discuss. You should also read the [Terms of Use], [Privacy Policy] and [Cookie Policy], all of which we refer to in these Terms and shall apply to you, before you use the Services.
• How will we contact you? If we have to contact you, we will usually do so by writing to you at the email address you provided to us in your account settings. We may also contact you by telephone or by writing to you at your postal address if you have provided us with these details.
• If you do not agree to be bound by these Terms, you must not use the Services.
• "Writing" includes emails: When we use the words "writing" or "written" in these Terms, this includes emails.
  ‍

• OUR CONTRACT WITH YOU‍

On our website (Veed.io), related subdomains, and software applications (together the “Applications”), we have set out information and details relating to: 

1. various online video creation, editing, sharing and hosting services which we make available via the Applications (together the “Services”); and 
2. the fees payable for the Services which is dependent on your choice of plan among the different options as to plans available to you (“Subscription Fee”).

The Services available to you as a registered user on the Applications will vary depending on your choice of plan among the different options of plans available to you. 

2. Your subscription: When you register for an account with us to use the Services, you are subscribing to the Services. You are agreeing to these Terms by subscribing to the Services. The Services available to you and Subscription Fee (if any) applicable to your subscription are set out in the Applications. 
3. How we will accept your subscription: If no Subscription Fee is payable on your subscription, our acceptance of your subscription will take place as soon as you register for an account with us to use the Services, at which point a contract will come into existence between you and us in respect of the Services that you have subscribed to in that subscription. If a Subscription Fee is payable on your subscription, our acceptance of your subscription will take place when you have provided valid account details (including billing and contact details) and we indicate that we accept your subscription via the Applications. At the point of our accepting your subscription, a contract will come into existence between you and us in respect of the Services you have purchased from us in that subscription. Our acceptance of each subscription made is each a “Contract”.
4. If we cannot accept your subscription: If we are unable to accept your subscription, we will inform you of this either via the Applications or in writing and will not charge you for the Services. This might be because of unexpected limits on our resources which we could not reasonably plan for, or because we have identified an error in the Subscription Fee or in the description of the Services, or for other reasons.
5. Promotional materials: Any free-sessions, demos, or advertising issued by us (including, in particular, via the Applications), and any descriptions or illustrations provided by us in relation to our business, or the Services, are issued or published for the sole purpose of giving an approximate idea of the Services described in them. These will not form part of the Contract or have any contractual force.

• YOUR RIGHTS TO MAKE CHANGES TO YOUR SUBSCRIPTION 

We hope to accommodate as many user requests as possible but we are typically unable to accept change requests to individual subscriptions. We appreciate this may cause you to become dissatisfied with our Services. If this situation does unfortunately arise then you may want to cancel your subscription (see clause 7 below).

• WE MAY MAKE CHANGES TO OR SUSPEND OR WITHDRAW THE SERVICES

Suspension of the supply of Services: We may suspend the supply of the Services temporarily: 

1. to update and change the Applications to reflect changes in relevant laws and regulatory requirements; or 
2. to implement technical adjustments and improvements, for example to address a security threat or add functionality; or 
3. if you are paying for the Services and we have not received a payment that is due; or 
4. if you breach these Terms; or
5. if you fail to give required information to us (see clause 3.3); or
6. if you use the Services in a way that is prohibited or unacceptable (see clause 8); or
7. for other unforeseen reasons which may delay the delivery of the Services.

We aim to contact you as soon as practicable to tell you why we are suspending the supply of the Services and explain when and/or how such suspension will cease.

• Withdrawing the Services and/or terminating the Contract: We may withdraw the Services and/or terminate the Contract: 

1. if you fail to give required information to us (see clause 3.3); or
2. when we have not received your payment (see clause 4.1); or 
3.  if you use the Services in a way that is prohibited or unacceptable (see clause 8); or 
4. if you breach these Terms (see clause 10); or
5. for any other reasons specified in these Terms.

Subject to clauses 4, 8 and 10, we may write to you to let you know that we are going to stop providing the Services and/or terminate the Contract. We will let you know at least 24 (twenty-four) hours in advance of our stopping the supply of the Services and/or terminating the Contract and will refund, pro-rata (where applicable), any sums you have paid in advance for the Services in respect of the period after we end the contract. 

3. If you do not give required information to us: We may need certain information from you so that we can supply the Services to you. If so, we will contact you to ask for this information. If you do not give us this information within a reasonable time of our asking for it, or if you give us incomplete or incorrect information, we may suspend the Services and/or terminate the Contract.
4. Interruptions and errors in the Applications: We do not guarantee that the Applications, any content contained in the Applications, or the Services delivered, will always be available or be uninterrupted or error-free. We may suspend or withdraw or restrict the availability of all or any part of the Applications, or the Services for business or operational (including technical) reasons. We aim to give you reasonable notice of any such suspension or withdrawal or restriction. 
5. No liability for Services that we cannot provide due to an event outside of our control: If any suspension, withdrawal, or restriction to the Services is pursuant to an event outside our control, we will not be liable to you for any period during which the Applications and/or the Services are not available pursuant to such an event. 

• OUR RIGHTS TO TERMINATE THE CONTRACT OR SUSPEND THE SERVICES

1. When we have not received your payment: Where we do not receive your payment as it becomes due, then without prejudice to our right to charge interest as per clause 5.5, we reserve the right at our sole discretion to suspend the supply of the Services until we have received the payment that is due to us and/or terminate the Contract without notice. 
2. What we usually do to receive your payment: We usually take payment from you using the billing information you supplied to us via the Applications. In the event such transaction fails, we usually contact you by email about the failed transaction and ask that you update your billing information via the Applications. We would usually attempt to take that payment from you again, using your then current billing information supplied to us, once a day for the next 5 days or until we receive your payment. After each failed transaction during those 5 days, we would usually contact you by email about the failed transaction and ask that you update your billing information via the Applications. 

• SUBSCRIPTION FEES, PAYMENT AND RENEWALS

1. The types of subscriptions that we offer: In addition to making certain Services available to you for free (where available), we also offer you the choice of paying for Services in accordance with the different plans available to you as set out on the Applications.
2. Where to find the Subscription Fee for the Services: The Subscription Fee for the Services (which includes Value Added Tax (VAT) if applicable) will be the price indicated when you make your subscription. We take reasonable care to ensure that the Subscription Fee for the Services advised to you is correctly reflected in the payment process. However, please see clause 5.3 for what happens if we discover an error in the Subscription Fee for Services you subscribe to.
3. What happens if the Subscription Fee or Services were conveyed incorrectly: It is always possible that, despite our best efforts, some of the Services may be incorrectly priced. If the Services’ correct price at your subscription date is higher than the price stated to you, we will contact you for your instructions before we accept your subscription. If we accept and process your subscription where a pricing error is obvious and unmistakable and could reasonably have been recognised by you as a mispricing, we may end the Contract and refund you any sums you have paid under the Contract.
4. When you must pay and how you must pay: You must pay the Subscription Fee in accordance with the payment process and payment methods made available to you on the Applications which may be provided by our processing partners. To receive the full value of the Services for your subscription, you would have to pay us in full and in advance of our supplying the Services, either monthly or annually as agreed.
5. We can charge interest if you pay late: If you do not make any payment to us by the due date, we may charge interest to you on any overdue amount at the rate of 5% a year above the base lending rate of the Bank of England current from time to time. This interest shall accrue on a daily basis from the due date until the date of actual payment of the overdue amount, whether before or after judgment, such interest to accrue and be added to the overdue amount on the 1st day of each month. You must pay us interest together with any overdue amount.
6. What to do if you have been charged incorrectly: If you think you have been charged incorrectly, please contact us promptly to let us know. You will not have to pay any interest until the dispute is resolved. Once the dispute is resolved we may charge you interest on correctly invoiced sums, on the basis explained in clause 5.5, from the original due date.
7. Automatic renewals: A Subscription Fee automatically renews monthly or annually depending on the payment frequency you chose and shall continue until it is cancelled in accordance with these Terms. See clause 7 below.

• CHANGES TO A SUBSCRIPTION

1. Changes in price or length of a subscription: Subscription Fee may change. The price in place when you made your initial purchase or when your Subscription Fee last renewed will stay in effect for the duration of that subscription period (e.g. monthly or annually, as applicable), but new prices may apply to any renewals or any new subscriptions. We will give you reasonable notice of any change in the price or length of a subscription available. If you do not want to renew your subscription under any new prices or any change in the length of a subscription period, you may cancel your subscription in accordance with these Terms (see clause 7 below).
2. Changes to the Services supplied under a subscription: It may be necessary to change the Services supplied under a subscription from time to time. Should this happen, we aim to give you reasonable notice of any such changes. If you are not content with the changes, and the changes are material and not minor, you may cancel your subscription and we will refund you pro-rata (where applicable) for any unused but prepaid period of your subscription.

• HOW YOU CAN CANCEL YOUR SUBSCRIPTION

1. Tell us you want to cancel your subscription: You may cancel your subscription at any time via the Applications. If this fails for any reason please get in touch with our Customer Support team either via the chat feature in the application or send us an email at [email protected].  
2. Where you are using our free Services: If you are a registered user making use of our free Services (if available), clause 7 (save for this clause 7.2) shall not be applicable. You may stop your use of the Services at any time.
3. Refunds: We are not obliged to offer refunds should you change your mind and wish to terminate the service after you have subscribed and used the Services. If you are a consumer (ie, you are using the Services for purposes which are wholly/mainly outside your trade, business, craft or profession) and you have paid for the services but have never used them (where usage includes uploading media, editing media, adding subtitles among other things) and you are still within the first 14 days of your subscription, if you have changed your mind and you cancelled your subscription via the Applications as described in clause 7.1, or sent us your completed cancellation form (see Schedule 1) to [email protected], we will refund you in full for the applicable Services under your subscription. Note the following when exercising your right to change your mind as a consumer: 
   you do not have a right to change your mind once we have supplied you with the Services (i.e. you have used the Services), even if the 14 day period is still running; and 
   if you cancel your subscription, during the 14 day period, after we have started supplying the Services (i.e. you have used the Services), any Subscription fee paid or payable remains paid or payable and you will not be entitled to any refund for the applicable Services under your subscription.  ‍
4. Cancellation of renewals: A subscription to Services may be cancelled at any time prior to two (2) business days before the applicable renewal date and your subscription will expire at the end of the applicable subscription period. You may continue to benefit from the Services up until that date. If you do not cancel your subscription prior to two (2) business days before your renewal date, we will renew your subscription per your last subscription and it will expire at the end of that following subscription period. Subject to clause 5.3, cancellations of subscriptions are not eligible for a refund unless otherwise specified in these Terms. Following cancellation, you can remain a registered user and continue to use our free Services (if available).

• ACCEPTABLE USE

What happens if you use the Services in a way that is prohibited: Notwithstanding any other clauses in these Terms, failure by you to comply with our [Terms of Use], constitutes a material breach of these Terms and may result in the immediate, temporary, or permanent suspension of the Services or termination of Contract. In the event of such suspension or termination, no refund will be available to you and we will not be liable to you for any fees paid by you in respect of Services paid for but not received.

• PROPRIETARY RIGHTS

1. You acknowledge and agree that we and/or our licensors own intellectual property rights in original work in the Applications and the Services. Except as expressly stated in these Terms, we do not grant you any rights to, under or in, any patents, copyright, database right, trade secrets, trade names, trade marks (whether registered or unregistered), or any other rights or licences in respect of the Applications or the Services. 
2. We confirm that we control any intellectual property rights in relation to the Applications and the Services that pursuant to which any grants of rights to you is expressly made under these Terms. 
3. Subject to our [Terms of Use], you may share different types of video content with us when you make use of the Services. You have sole responsibility for such content. You must own, or have the right or permission to submit and share, such content, and you grant us a non-exclusive, irrevocable, royalty-free, worldwide licence to reproduce and use such content.

• WE MAY END YOUR RIGHTS TO USE THE SERVICES AND/OR TERMINATE THE CONTRACT IF YOU BREACH THESE TERMS

1. Notwithstanding any other clauses in these Terms, we may end your rights to use the Services and/or terminate the Contract at any time if you have breached these Terms. 
2. If we end your rights to use the Services and/or terminate the Contract: 

you must stop all activities authorised by these Terms, including your use of the free (if available) and/or paid Services accessed via the Applications unless we tell you otherwise; 

we may disable your registration account with us and we shall have no liability to you in relation to any content stored or accessed by you via your account (as applicable); 

1. no refund will be available to you and we will not be liable to you for any fees paid by you in respect of Services paid for but not received; and
2. all sums due and owing to us shall be immediately paid by you to us. 

• OUR RESPONSIBILITY FOR LOSS OR DAMAGE SUFFERED BY YOU

This section of the Terms is important. Please take your time and read it carefully before you agree to these Terms.    

• We do not exclude or limit in any way our liability to you where it would be unlawful to do so: This includes any liability on our part for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors; for fraud or fraudulent misrepresentation; or for breach of your statutory rights in relation to the Services.
• You agree and accept that the Services are provided on an "as-is" basis and your use of the Services is at your own risk: We cannot and do not guarantee the accuracy or completeness of the Services or of any content, information or documentation contained in or shared or received via the Services and you rely on the Services at your own risk.  
• We are responsible to you for foreseeable direct loss and damage caused by us: If we fail to comply with these Terms, we are responsible for direct loss or damage you suffer that is a foreseeable result of our breaking these Terms or our failing to use reasonable care and skill, but we are not responsible for any loss or damage that is indirect or not foreseeable. Loss or damage is indirect if the act or omission on our part was not the proximate cause of that loss or damage. Loss or damage is foreseeable if either it is obvious that it will happen, or if, at the time you accepted the Terms, both we and you knew it might happen. In particular, we shall not be liable for indirect loss or damage including:

1. loss of profits, sales, business, or revenue;
2. business interruption;
3. loss of anticipated savings;
4. loss of business opportunity, goodwill, or reputation; or
5. any indirect or consequential loss or damage.

• When we are liable for damage caused by defective digital content: If defective digital content which we have supplied damages a device or digital content belonging to you and this is caused by our failure to use reasonable care and skill we will either repair the damage or pay you compensation. However, we will not be liable for damage which you could have avoided by following our advice to apply an update offered to you free of charge or for damage which was caused by you failing to correctly follow user instructions or to have in place the minimum system requirements advised by us.
• Our liability is limited: Except as specified in clause 11.1, our liability to you for breach of these terms or on any other basis is limited to the Subscription Fee you paid under the Contract. Where you only use our free Services (if available) and therefore paid no Subscription Fee under the Contract, our liability to you for breach of these terms or on any other basis (save as specified in clause 11.1) is limited to £0. 

• HOW WE MAY USE YOUR PERSONAL INFORMATION

1. How we will use your personal information: We will only use your personal information as set out in our [Privacy Policy] and our [Cookie Policy]. 
2. Please be aware that internet transmissions are never completely private or secure and that any message, document, or information you send using the Services may be read or intercepted by others, even if there is a special notice that a particular transmission is, or that parts of the Services are stated as being, encrypted. 

• GENERAL TERMS

1. We reserve the right to amend these Terms and any Contracts between you and us: We reserve the right to amend these Terms and any Contracts between you and us by giving you advance written notice. 
2. We may transfer any Contracts between you and us to someone else: We may transfer our rights and obligations under these Terms and Contracts between you and Us to another organisation. We aim to tell you in writing if this happens and we will ensure that the transfer will not affect your rights under the Contract.
3. You need our consent to transfer your rights to someone else: You may only transfer your rights or your obligations under these Terms to another person if we agree to this in writing.
4. Nobody else has any rights under these Terms and any Contracts: These Terms and any Contracts between you and us do not give rise to any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any provision of these Terms. 
5. If a court finds any part of these Terms or any Contracts unlawful, the rest will continue in force: Each of the clauses of these Terms or any Contracts between you and us operates separately. If any Court or relevant authority decides that any of them is unlawful, the remaining clauses will remain in full force and effect.
6. Even if we delay in enforcing these Terms or any Contract, we can still enforce these later: Even if we delay in enforcing these Terms or any Contracts between you and us, we can still enforce it later. If we do not insist immediately that you do anything you are required to do under these Terms or any Contracts between you and us, or if we delay in taking steps against you in respect of your breaches, that will not prevent us taking steps against you at a later date. 
7. Which country's laws apply to these Terms or any Contract, and to any disputes between us: These Terms or any Contracts between you and us, their subject matter and their formation are governed by the laws of England and Wales. You and we both agree that the Courts of England and Wales will have the exclusive jurisdiction, except that if you are our customer personally as an individual consumer and a resident of Scotland you may also bring legal proceedings in Scotland, and if you are a resident in Northern Ireland you may also bring legal proceedings in Northern Ireland.

SCHEDULE 1

MODEL CANCELLATION FORM 

You will have to complete and return this form to us by email (to [email protected]) if you wish to cancel your subscription.

To: Veed Limited

Email: [email protected]

I hereby give notice that I cancel my contract of sale of the following services: 

[INSERT THE SUBSCRIPTIONS THAT YOU WOULD NOW LIKE TO CANCEL]

The subscriptions above were subscribed on [INSERT DATE] by: 

[INSERT YOUR NAME]

[INSERT YOUR ADDRESS]

[SIGN OFF WITH YOUR NAME]

[INSERT DATE OF YOUR SENDING THIS FORM TO US]

TERMS LAST UPDATED  ON: 02/11/2021

This document informs Users about the technologies that help this Application to achieve the purposes described below. Such technologies allow the Owner to access and store information (for example by using a Cookie) or use resources (for example by running a script) on a User’s device as they interact with this Application.

For simplicity, all such technologies are defined as "Trackers" within this document – unless there is a reason to differentiate.
For example, while Cookies can be used on both web and mobile browsers, it would be inaccurate to talk about Cookies in the context of mobile apps as they are a browser-based Tracker. For this reason, within this document, the term Cookies is only used where it is specifically meant to indicate that particular type of Tracker.

Some of the purposes for which Trackers are used may also require the User's consent. Whenever consent is given, it can be freely withdrawn at any time following the instructions provided in this document.

This Application uses Trackers managed directly by the Owner (so-called “first-party” Trackers) and Trackers that enable services provided by a third-party (so-called “third-party” Trackers). Unless otherwise specified within this document, third-party providers may access the Trackers managed by them.
The validity and expiration periods of Cookies and other similar Trackers may vary depending on the lifetime set by the Owner or the relevant provider. Some of them expire upon termination of the User’s browsing session.

In addition to what’s specified in the descriptions within each of the categories below, Users may find more precise and updated information regarding lifetime specification as well as any other relevant information – such as the presence of other Trackers - in the linked privacy policies of the respective third-party providers or by contacting the Owner.

Activities strictly necessary for the operation of this Application and delivery of the Service

This Application uses so-called “technical” Cookies and other similar Trackers to carry out activities that are strictly necessary for the operation or delivery of the Service.

Other activities involving the use of Trackers

Basic interactions & functionalities

This Application uses Trackers to enable basic interactions and functionalities, allowing Users to access selected features of the Service and facilitating the User's communication with the Owner.

Interaction with live chat platforms

This type of service allows Users to interact with third-party live chat platforms directly from the pages of this Application, for contacting and being contacted by this Application support service.

If one of these services is installed, it may collect browsing and Usage Data in the pages where it is installed, even if the Users do not actively use the service. Moreover, live chat conversations may be logged.

Drift Widget (Drift.com, Inc.)

The Drift Widget is a service for interacting with the Drift live chat platform provided by Drift.com, Inc.

Personal Data processed: Cookies, Data communicated while using the service, Usage Data and various types of Data as specified in the privacy policy of the service.

Place of processing: United States – Privacy Policy.

Experience enhancement

This Application uses Trackers to provide a personalized user experience by improving the quality of preference management options, and by enabling interaction with external networks and platforms.

Interaction with external social networks and platforms

This type of service allows interaction with social networks or other external platforms directly from the pages of this Application.
The interaction and information obtained through this Application are always subject to the User’s privacy settings for each social network.
This type of service might still collect traffic data for the pages where the service is installed, even when Users do not use it.
It is recommended to log out from the respective services in order to make sure that the processed data on this Application isn’t being connected back to the User’s profile.

Twitter Tweet button and social widgets (Twitter, Inc.)

The Twitter Tweet button and social widgets are services allowing interaction with the Twitter social network provided by Twitter, Inc.

Personal Data processed: Cookies and Usage Data.

Place of processing: United States – Privacy Policy.

Measurement

This Application uses Trackers to measure traffic and analyze User behavior with the goal of improving the Service.

Analytics

The services contained in this section enable the Owner to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics

Google Analytics is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from, (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.

Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

Personal Data processed: Cookies and Usage Data.

Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

Google Analytics Demographics and Interests reports

Google Analytics Demographics and Interests reports is a Google Advertising Reporting feature that makes available demographic and interests Data inside Google Analytics for this Application (demographics means age and gender Data).

Users can opt out of Google's use of cookies by visiting Google's Ads Settings.

Personal Data processed: Cookies and unique device identifiers for advertising (Google Advertiser ID or IDFA, for example).

Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

MixPanel (MixPanel)

MixPanel is an analytics service provided by Mixpanel Inc.

Personal Data processed: Cookies and Usage Data.

Place of processing: United States – Privacy Policy – Opt Out.

Analytics services managed directly by this Application

The services contained in this section allow the Owner to collect and manage analytics through the use of first-party Trackers.

Analytics collected directly (this Application)

This Application uses an internal analytics system that does not involve third parties.

Personal Data processed: Cookies and Usage Data.

Anonymized analytics services

The services contained in this section allow the Owner, through the use of third-party Trackers, to collect and manage analytics in an anonymized form.

Google Analytics with anonymized IP

Google Analytics is a web analysis service provided by Google LLC or by Google Ireland Limited, depending on the location this Application is accessed from, (“Google”). Google utilizes the Data collected to track and examine the use of this Application, to prepare reports on its activities and share them with other Google services.

Google may use the Data collected to contextualize and personalize the ads of its own advertising network.

This integration of Google Analytics anonymizes your IP address. It works by shortening Users' IP addresses within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address be sent to a Google server and shortened within the US.

Personal Data processed: Cookies and Usage Data.

Place of processing: United States – Privacy Policy – Opt Out; Ireland – Privacy Policy – Opt Out.

How to manage preferences and provide or withdraw consent

There are various ways to manage Tracker related preferences and to provide and withdraw consent, where relevant:

Users can manage preferences related to Trackers from directly within their own device settings, for example, by preventing the use or storage of Trackers.

Additionally, whenever the use of Trackers is based on consent, Users can provide or withdraw such consent by setting their preferences within the cookie notice or by updating such preferences accordingly via the relevant consent-preferences widget, if available.

It is also possible, via relevant browser or device features, to delete previously stored Trackers, including those used to remember the User’s initial consent.

Other Trackers in the browser’s local memory may be cleared by deleting the browsing history.

With regard to any third-party Trackers, Users can manage their preferences and withdraw their consent via the related opt-out link (where provided), by using the means indicated in the third party's privacy policy, or by contacting the third party.

Locating Tracker Settings

Users can, for example, find information about how to manage Cookies in the most commonly used browsers at the following addresses:

• Google Chrome
• Mozilla Firefox
• Apple Safari
• Microsoft Internet Explorer
• Microsoft Edge
• Brave
• Opera

Users may also manage certain categories of Trackers used on mobile apps by opting out through relevant device settings such as the device advertising settings for mobile devices, or tracking settings in general (Users may open the device settings and look for the relevant setting).

Owner and Data Controller

Timur Mamedov

VEED LIMITED, 136 High Holborn, Holborn, London WC1V 6PX

Owner contact email: [email protected]

Since the use of third-party Trackers through this Application cannot be fully controlled by the Owner, any specific references to third-party Trackers are to be considered indicative. In order to obtain complete information, Users are kindly requested to consult the privacy policies of the respective third-party services listed in this document.

Given the objective complexity surrounding tracking technologies, Users are encouraged to contact the Owner should they wish to receive any further information on the use of such technologies by this Application.

Definitions and legal references

Personal Data (or Data)

Any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Usage Data

Information collected automatically through this Application (or third-party services employed in this Application), which can include: the IP addresses or domain names of the computers utilized by the Users who use this Application, the URI addresses (Uniform Resource Identifier), the time of the request, the method utilized to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and the operating system utilized by the User, the various time details per visit (e.g., the time spent on each page within the Application) and the details about the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.

User

The individual using this Application who, unless otherwise specified, coincides with the Data Subject.

Data Subject

The natural person to whom the Personal Data refers.

Data Processor (or Data Supervisor)

The natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, as described in this privacy policy.

Data Controller (or Owner)

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data, including the security measures concerning the operation and use of this Application. The Data Controller, unless otherwise specified, is the Owner of this Application.

This Application

The means by which the Personal Data of the User is collected and processed.

Service

The service provided by this Application as described in the relative terms (if available) and on this site/application.

European Union (or EU)

Unless otherwise specified, all references made within this document to the European Union include all current member states to the European Union and the European Economic Area.

Cookie

Cookies are Trackers consisting of small sets of data stored in the User's browser.

Tracker

Tracker indicates any technology - e.g Cookies, unique identifiers, web beacons, embedded scripts, e-tags and fingerprinting - that enables the tracking of Users, for example by accessing or storing information on the User’s device.

Legal information

This privacy statement has been prepared based on provisions of multiple legislations, including Art. 13/14 of Regulation (EU) 2016/679 (General Data Protection Regulation).

This privacy policy relates solely to this Application, if not stated otherwise within this document.

VEED uses subcontractors to provide infrastructure and services to support our apps. As such certain information is processed by the subcontractors. In order to meet our data security and privacy policy standards we require all subcontractors to meet the same or similar standards where possible. By using our apps you agree to the use of subcontractors and their sub-processing of data. The subcontractors/sub-processors which the data importer uses from time to time are listed below. This list will be updated from time to time as the needs of the business change but we will always endeavour to maintain the same or higher security and privacy standards.

We also engage professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services. And we are regulated by various authorities and public entities that require reporting of processing activities in certain circumstances. 

HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.

Introduction

Veed Limited (“Veed”) respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website(s) (including subdomains of our website(s) and websites through which we make our services available) and/or our applications for mobile, tablet, desktop, browser and other smart device systems (“Applications”) (regardless of where you visit it from) and use our services, and tell you about your privacy rights and how the law protects you. 

By using the Applications or our services, you agree to be bound by this privacy policy and that we proceed to the processing of personal data on the terms outlined below.

The Privacy Policy last updated on: 02/11/2021

Please use the Glossary to understand the meaning of some of the terms used in this privacy policy.

1. Important information and who we are
   

Purpose of this privacy policy

This privacy policy aims to give you information on how Veed collects and processes your personal data through your use of the Applications and our services, including any data you may provide through the Applications (for example, when you chat with us on our “support chat” function available through our website (www.veed.io)), create an account with us, purchase a service or upload and edit audio or video files. 

The Applications are not intended for children and we do not knowingly collect data relating to children. 

It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them. 
‍

Controller

Veed Limited (collectively referred to as “Veed”, "we", "us" or "our" in this privacy policy) is the controller and responsible for your personal data, except where we process your personal data because you use our services as a result of your relationship with a customer who we supply our services to (for example, if you use our services as a result of your being our customer’s employee or client). 

We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below. 

Where we process your personal data because you use our services as a result of your relationship with a customer who we supply our services to, we are not the data controller as we would be processing personal data on behalf of our customer as a data processor.  

Where we are processing your personal data on behalf of our customer, the privacy policy that you should be referring to would be our customer’s privacy policy. Our customer’s privacy policy should inform you as to how your personal data will be processed. 
‍

Contact details

If you have any questions about this privacy policy or our privacy practices, please contact our data privacy manager in the following ways:

Full name of legal entity: Veed Limited

Email address: [email protected]

Postal address: 320d High Road, Benfleet, Essex, England, SS7 5HB 

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance. 
‍

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. Historic versions (if any) can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
‍

Third-party links

The Applications may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave the Applications, we encourage you to read the privacy policy of every website you visit.

2. The personal data we collect about you
   

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender and visual and/or audio identifiers.
  

• Contact Data includes billing address, email address and telephone numbers.
  

• Financial Data includes bank account and payment card details.
  

• Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
  

• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices you use to access the Applications, and information in or about the audio or video files you provide (including metadata), such as the location of a video or the date it was created. 
  

• Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.  
  

• Usage Data includes information about how you use the Applications and services. 
  

• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not ask you for any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we ask you for any information about criminal convictions and offences.  

You may choose to provide us with Special Categories of Personal Data through your uploading of video or audio files or other data on to the Applications. Where you provide us with such Special Categories of Personal Data, you are giving us your explicit consent to process such data about you to the extent permitted by the UK and/or EU data protection regime (as applicable). Where you provide us with such Special Categories of Personal Data about persons other than yourself, you must obtain each of their explicit written consent for us to process their Special Categories of Personal Data to the extent permitted by the UK and/or EU data protection regime (as applicable) and in accordance with this privacy policy. Their explicit written consent which you obtain must be supplied to us on our request. If a person does not give explicit written consent to our processing their Special Categories of Personal Data, then their Special Categories of Personal Data must not be supplied to us. That is to say, you must not upload video or audio files containing Special Categories of Personal Data of anyone who you have not obtained explicit written consent from. 

Special Categories of Personal Data are subject to special protections under the UK and/or the EU data protection regime (as applicable).  
‍

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time. 

3. How is your personal data collected?
   

We use different methods to collect data from and about you including through:

• Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  

• apply for our services;
• upload audio or video files on the Applications; 
• create an account on the Applications;
• subscribe to our service or publications; 
• request marketing to be sent to you;
• enter a survey; or
• give us feedback or contact us. 
  

• Automated technologies or interactions. As you interact with the Applications, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy https://veed.webflow.io/cookie-policy for further details.
  

• Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below: 
  

• Technical Data from the following parties:
  

1. analytics providers; 
2. advertising networks; and
3. search information providers.
   

• Contact, Financial and Transaction Data from providers of technical and payment services.
  

• Identity and Contact Data from data brokers or aggregators.
  

• Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK.
  ‍
  

4. How we use your personal data
   

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
  

• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  

• Where we need to comply with a legal obligation.
  

The types of lawful bases that we will rely on to process your personal data is set out in the Glossary.

Generally, we do not rely on consent as a legal basis for processing your personal data, save for the processing of Special Categories of Personal Data (where applicable) and our making automated decisions (where applicable), although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.
‍

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.