Last edited August 29, 2022
Thank you for using Musicians Health Lab services! This Privacy Notice explains what personal data Musicians Health Lab Inc. and its subsidiaries (“we” in this notice) collect about you and how we use your personal data, as well as the choices you have about your personal data.
This Privacy Notice applies to all of Musicians Health Lab’s services (such as our online music learning app Musicians Health Lab and our instrument tuning apps), websites like MusiciansHealthLab.com or kensleybehel.com and related services and properties we control and which we collectively here call the “Services”. We may update this Privacy Notice from time to time by posting a new version of the Privacy Notice on our website. If the changes we make are material, we will notify you by posting a notice in the Services or by other appropriate means. Please note that your use of the Services after the effective date is subject to the new Privacy Notice.
The terms and conditions applicable to our Services have been set out in our Terms of Service.
1. CONTACT US
If you have any questions about this Privacy Notice or the ways we use your data, please contact us at firstname.lastname@example.org
For the activities described in this notice, the data controller (i.e. the entity that determines how and why personal data is processed) is Musicians Health Lab Inc. Our address is Musicians’ Health Lab, 1601 29th St., Suite 1292 #1123, Boulder, CO 80301, USA. When we operate the Services, we may share your data with the partners we work with. Some of the partners are data controllers independently of us and they can determine how and why they process your data.
2. WHAT PERSONAL DATA WE COLLECT AND WHERE WE GET THE DATA
Personal data that you provide us:
Contact information, such as your name, email address or other contact information, if you have provided them to us (for example, if you create an account in our Services or subscribe to our communications),
Your username and password (if you create an account in our Services),
Profile information (such as profile photo, if you choose to add this to your profile),
Your payment related data for processing the billing of your Services subscriptions and other purchases you make,
School name and contact details, if you enroll in our Service as a teacher user, so that we can make sure it’s a real place of education,
Your messages to the Services (such as if you are in touch with us or our support agents about resolving issues in the Services, send messages to our forums or support),
Your comments, feedback or other info you provide, if you participate in our surveys or other research,
Other data you choose to give to us through our Services or otherwise,
With your consent, other information explained to you when asking for your consent.
Personal Data we get from our partners:
If you choose to connect a third party account (for example a Facebook account) with our Services, we receive information from the third-party account provider (for example if you decide to sign up to our Service with Facebook login, we receive from Facebook your name, email address or other identifier to enable cross-device gameplay, profile picture, and friends information to connect you with your friends who already use our Services),
Data from platforms that the applications run on (e.g. to verify payments),
We also receive personal information from our analytics and advertising partners, such as information about your interactions with our ads outside our Services (for example on third party websites), including information on how you were referred to our Services,
If you are shown ads in our Services, we receive personal information from our advertising partners, such as information about how you interact with those ads (for example, the number of times you click, view or engage with an ad, as well as your device platform and country of location),
If you make purchases in our Services, we receive data relating to the transactions from the third-party payment service providers involved in those transactions to validate those purchases.
Services collect certain data automatically when you use them:
Information on your use of the Services, such as data about your use of our Services (e.g. progress, songs played, levels, session length, visits to our websites), and your interactions in the Services (such as data on purchases you make or content you choose to share) as well as crash logs and other information related to bugs, errors and other issues in our Services
Your IP address to bring our product to your device, but also to get an idea of your general location through IP geolocation data (on city, state or country level) so that we can manage the content available in the Service in your territory or to show you pricing in your own currency and also to analyse our Service and its usage.
Device identifiers (such as your device ID, advertising ID, IMEI), identifiers we assign to your account, other technical information about the device you use for our Services (such as device type, operating system, language or browser type and version)
Cookies and other similar technologies (such as software development kits, SDKs) we use can collect some data automatically. You can find more details about our cookie usage at the end of this document in the “Cookies” section.
We may also generate and assign a user ID when you access or use our Services
We do not intend to collect or process any data relating to you belonging to special categories, such as data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic, biometric or health information, or data concerning a person’s sex life or sexual orientation. Please do not provide this type of information to us or make it available to others in the Services.
3. WHY WE PROCESS YOUR PERSONAL DATA
We will use your personal data for the following purposes on these legal bases:
To make the Services work.
In order for us to perform our contract with you, we process your data necessary to
set up and maintain your account in our Services (where applicable) and allow you to use our Services,
operate the Services,
provide you the Services and products you request,
process transactions and verify and confirm payments,
send you service-related communications (for example confirmations, administrative messages, technical notices).
To make the Services more suitable to our users.
In order to provide great Services to our users and to provide you the best user experience possible, we have a legitimate interest to process necessary data to
analyze, develop and improve our Services and the user experience, and customize it for you,
manage our customer relationship with you,
provide social features as part of the Services (for example, leaderboards),
provide user support and respond to your questions and comments,
analyze your use of our Services, for example to understand what type of content or music genre you are interested in, and customize your service experience,
send you updates, alerts, news and other information related to our Services or other operations,
troubleshoot or debug any errors or other issues in our Services,
create data that is not identifiable to you (for example, aggregated data),
conduct surveys or other research to learn more about our Services or users.
To make sure that we reach interested audiences.
Based on our legitimate interest to promote our Services, to make sure we reach relevant, interested audiences, and, where applicable, to fund our Services so that we can offer them free of charge, we process necessary data to
provide you with our offers in the Services, in other websites and services, and by email,
send you communications about our events, or other news related to our Services and operations,
keep track of installations of our applications (including the source of each install),
serve, target, deliver, measure and improve our advertising and the Services (including our advertising outside of our Services),
request our advertising partners to show personalized ads outside our Services,
show ads to you in our Services from our advertising partners, including both contextual and personalized ads,
allow our advertising partners to personalize the ads you see in our Services to make them more relevant to you.
For information on how to opt-out from personalized advertisements, see section ‘Your rights’ below.
To keep services fair and safe.
In order to ensure acceptable, safe and fair use of the Services and to safeguard our operations, we have legitimate interest to process necessary data to
monitor that the use of the Services is acceptable and to prevent activity in the Services we determine to be misconduct, against our terms and conditions, or potentially illegal and take action against such use or otherwise exercise or defend our legal rights,
audit our operations or processes.
To analyse and segment.
For all of the above purposes, we can analyse and segment all collected data.
With your consent.
If we wish to process your personal data for any other purpose where we are not able to rely on any other legal basis for processing under applicable law, we will ask for your consent.
We also may process your data as necessary to comply with legal obligations we consider apply to us (including cooperating with authorities upon due request and for accounting and tax requirements). We can also process your data for additional purposes compatible with any of the purposes listed above.
We do not use your personal data to make any automated decisions (meaning decisions without any human involvement) which significantly affect you.
We may show ads in our Services to enable you to access content in our Services free of charge. In order to show you ads in our Services, we may integrate SDKs into our Services provided by third-party ad partners. These third-party ad partners may show contextual or personalized ads based on your privacy preferences and whether you have opted-out of receiving personalized ads in the Service’s privacy settings.
Where you have not opted-out of receiving personalized advertising, these third-party SDKs may collect your IP address, device ID, performance data, advertising data, non-user-related crash logs, data relating to how you interact with our Service, and other statistical and technical information in order to serve ads relevant to you.
Where you have opted-out of personalized advertising, these third-party SDKs may collect non-personal, contextual data including geolocation data, query terms and content on the Service. They may also collect your advertising ID solely for the purposes of frequency capping, aggregated ad reporting and combating fraud and abuse. Our ad partners may use your information for a number of purposes, including but not limited to, to personalize the ads that you see to make sure they are relevant to your own interests, diagnose problems and improve the SDK, understand the effectiveness of existing product features and plan new features, measure and improve the performance of ads as well as the effectiveness of the Service’s features, as well as for analytical purposes.
For information on how to opt-out from personalized advertisements, see section ‘Your rights’ below.
4. WHO CAN SEE YOUR DATA
Instead of doing absolutely everything on our own, we need help from others. We have partners that provide services and data processing for us for the purposes described in this notice. We share your data with the following types of recipients:
Social Features. We have social features in our Services, which means that other users may, for example, see your profile data and your leaderboard position or other activities in the Services, and read comments or questions you post in our forums.
Musicians Health Lab Companies. Other companies belonging to the Musicians Health Lab group of companies, for example to help us to develop or operate our Services.
Partners working for us. Persons or companies outside of the Musicians Health Lab group that process personal data on our behalf and according to our instructions and control. These Musicians Health Lab processor partners include for example providers of hosting services, payment processors that actually deal with billing, banks and credit card companies on behalf of us, analytics services that enable us to gain insight into how we should improve our Services, user support and other services that help us to operate and develop our Services.
Public authorities and other entities.
competent law enforcement bodies or courts of law where we find it necessary as a matter of applicable law or regulation,
potential or actual buyers or their advisors in connection with a planned or actual corporate acquisition or other business restructuring or a similar arrangement,
to any person or entity where we find disclosure necessary to combat fraud or illegal activity, or to exercise or defend our legal rights or to protect your vital interests or those of any other person
5. INTERNATIONAL DATA TRANSFERS
Our Service is global by nature, and your data can therefore be transferred to and processed in countries outside of the European Union (“EU”) and the European Economic Area (“EEA”). For example, our subsidiaries and some of the servers we use to host our Services are located in the USA. We also use partners that are located outside the EU to provide services for us. Since these countries may have different data protection laws than your own country, we take steps to ensure that there are adequate safeguards in place to protect your personal data. These safeguards may include having standard contractual clauses approved by the EU Commission or other lawful safeguards in place.
6. DATA RETENTION
We retain your data as long as your user account is active or as needed to provide the Services. You may end this relationship by deleting your account. We will then delete all your personal data from our own and our partners’ systems, including backups within 30 days, unless there is a legitimate business interest to retain the data, such as to comply with our legal obligations, to enforce our agreements or to resolve disputes. We also periodically review and delete or de-identify user accounts that have been inactive for five years or other data.
7. YOUR RIGHTS
You have the right to access your personal data we store about you. If you request, we will provide you a copy of your personal data in an electronic format. You also have the right to have your data deleted. If you choose to delete your profile, this will erase all personal data we have collected about you through the application, thereby also anonymizing all analytics data based on such personal data, unless we, for a legitimate reason, have the right to retain the personal data. You can also demand the restriction of processing in accordance with the legal requirements.
To access your data in our applications, or to request its deletion, please send a data access or deletion request from the application settings under the “privacy” menu or through your user profile page. We ask you to primarily use these automatic tools to submit requests to help us to validate and process your requests more quickly and reliably.
Our Musicians Health Lab app provides the possibility to control some of the social features of the app and what data you share with others. You can modify your preferences in the settings under the privacy tab of the app.
You also have the right to correct or update your information. You may do this by editing your personal details on your profile if your information changes or happens to be incorrect. Or you can contact us at email@example.com
You also have the right to object to our processing of your information to the extent our processing is based on legitimate interests. You can at any time ask us to stop using your information to send you marketing communications. In the Musicians Health Lab application, you are able to modify your preferences concerning marketing communications (push and email) under the privacy tab in the Musicians Health Lab application’s settings or by following the instructions in such communications.
Any consent that you might have provided can be withdrawn at any moment.
For limiting interest-based advertising, please check the ad tracking settings of your mobile device or web browser. For your Android or iOS device, select “limit ad tracking” (Apple iOS) or “opt-out of interest-based ads” (Android) in the settings. For opting out of targeted advertising on the web, you can adjust your browser settings to limit certain tracking by cookies or visit www.youradchoices.com and/or www.networkadvertising.org.
Where applicable, you may also opt-out from receiving personalized ads through the options provided in the Service’s privacy settings. When you decide to opt-out of receiving personalized ads, you may still be served ads in the Service by our ad partners, however, these ads will be based on contextual data and may be less relevant to you.
If you have any complaints about our handling of personal data or want to know about something specific in this regard, please email us at firstname.lastname@example.org. We take these matters seriously and will look into all requests and complaints.
Finally, you always have the right to lodge a complaint with the local data protection authority.
8. HOW DO WE KEEP YOUR DATA SECURE
We use appropriate technical and organisational measures designed to protect the data of our users. The measures we employ are designed to provide a level of security appropriate to the risk of processing your personal information and we continuously develop them. Our measures vary, but typically include controls to limit access to services or systems that contain personal data, pseudonymisation, databases protected by firewalls, passwords and other technical measures.
9. AGE MATTERS
When we collect personal data, we do not know your age, and we do not knowingly collect or solicit personal data from anyone under the age of 13 (or any other minimum legal age) or knowingly allow such persons to use our Service. If you are under 13 (or any other minimum legal age), please do not attempt to access our Services, take them into use, or send us any information about yourself. If you believe that we might have received any information from or about a child under the age of 13 (or any other minimum legal age), please contact us at email@example.com.
10. COOKIES AND SIMILAR TECHNOLOGIES
Users can adjust their browser settings to disable cookies or to delete cookies that have been saved in the browser, but this can result in some parts of the Service not functioning properly.
11. SUPPLEMENTAL PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
The California Consumer Privacy Act of 2018, as amended (“CCPA”), establishes specific rights for you to control your personal information and requires businesses to provide specific information on how personal information is collected, used and shared.
This Supplemental Privacy Notice for California Residents (“Notice”) applies solely to individual residents of the state of California who use our Services (“consumers”, or “you”) and provides you information required by the CCPA and your rights under CCPA. This Notice supplements the information contained in our Privacy Notice which provides more comprehensive information on how and why Musicians Health Lab (“we”) collect and process your data.
Unless otherwise expressly stated, any terms in this additional Notice have the same meaning as in our Privacy Notice or as otherwise defined in the CCPA.
11.1. HOW WE COLLECT AND USE PERSONAL INFORMATION
When we use the term “personal information” in this notice we mean information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household. For additional information on our data collection, please refer to our Privacy Notice.
Depending on the Services you have used, in the last 12 months, we have collected the following categories of personal information about you:
Category of personal information:
Identifiers, such as your alias, IP address, email address, device ID or other identifiers we may assign to your account
Directly from you (including automatically when you interact with our Services);
Our advertising partners, if you interact with our ads we have outside our Services;
Third party account providers, if you link a third-party account to our Services;
Third party payment service providers, if you make purchases in our Services, and other Service Providers
Category of personal information:
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your name
Directly from you, or
Third party account providers, if you link a third-party account to our Services and allow your name to be shared
Category of personal information:
Commercial information, such as information regarding purchases you have made
Directly from you (including automatically when you interact with our Services), or
Third-party payment service providers, if you make purchases in our Services.
Category of personal information:
Internet or other electronic network activity information, such as information regarding your interaction with our Services, including your progress in the app, and your interactions with our ads we have outside our Services
Directly from you (including automatically when you interact with our Services);
Our advertising partners, if you interact with our ads we have outside our Services
Category of personal information:
Geolocation data, such as your general location determined based on your IP address
Directly from you (including automatically when you interact with our Services);
Category of personal information:
Financial information. We use payment processors that are our Service Providers to process your payment transactions on our behalf. They have access to your credit card data, while we may only obtain access from our payment processors to limited card data to allow us to solve issues related to purchases from time to time.
Directly from you
We may use this information for the following business purposes referred to in the CCPA:
auditing related to an interaction with you and concurrent transactions
detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and potentially prosecuting those responsible for such activities.
debugging to identify and repair errors in our services
short-term, transient uses
performing our Services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, advertising and marketing,
internal research for technological development.
activities to verify or maintain the quality or safety of our Services, improving, upgrading, enhancing our services as well as activities to verify and maintain the quality of our services.
11.2. TO WHOM WE SHARE AND HOW WE MAY SELL PERSONAL INFORMATION
We share personal information to, or allow access to personal information by, the following categories of recipients:
Musicians Health Lab group companies
Customer support platforms
Hosting service providers
Third party account providers
Social Media Services
We let certain third-party advertising partners collect the categories of personal information identified above in Section 11.2 for online advertising purposes. These third party businesses collect personal information directly from a device or browser through cookies or similar tracking technologies when a consumer visits or interacts with our websites, uses our apps or otherwise engages with us online. These third parties use your personal information to serve relevant ads outside our Services on other websites or mobile apps, to serve you personalized advertising based on your interests and behavior, and to carry out other services relating to online advertising, such as analytics, reporting and attribution (meaning tracking the source of installs related to ads seen outside the Services). These parties may use collected personal information for their own purposes in accordance with their own privacy policies. Because this disclosure of information can be interpreted as “sale” as defined in the CCPA, we provide you the possibility to opt-out from us disclosing your personal information to our advertising partners for this purpose. Please learn more about your opt-out right below in Section 11.4.
11.3. YOUR RIGHTS AND CHOICES
CCPA grants California residents various rights to their personal information. When you submit a request to exercise your rights, we are required to verify that you are the consumer to whose personal information the request relates or that you are the person authorized to act on behalf of such consumer. If you use the automated tools provided in our applications, we will typically not need any additional information to verify your request. If you submit your request by other means (email), we may need to ask you for additional information to validate that you are the account holder or have the right to act on behalf of the account holder. In certain circumstances, we may decline a request to exercise the right to know and right to deletion, particularly where we are unable to verify your identity.
Right to know
You have the right to request that we disclose to you, upon verification of your identity, what categories of personal information we have collected from you over the past 12 months, from which categories of sources, for which purposes we have collected that information and also with which categories of third parties we have shared the information. You also have the right to request a copy of the specific pieces of personal information we have collected about you. To learn what categories of personal information, from what sources, for which business purposes we disclose the personal information, please refer to Section 11.2 and 11.3 of this Notice. To learn how we “sell” your data within the meaning of CCPA, please refer to “Online Advertising” in Section 3. To request a copy of your data, please use the automated tools in our applications. Alternatively, you can contact us by email. For more information, please refer to Section 7 in our Privacy Notice.
Right to request deletion
You have the right to request that we delete personal information we have about you. For deleting your data, we encourage you to use the automated tools in our applications. Alternatively, you can contact us by email. For more information, please refer to Section 7 in our Privacy Notice. Following receiving your verifiable request, we will delete or anonymise your personal information and direct our service providers to do so, unless we have a lawful right to retain your information under the CCPA. For example, we may deny your request if retaining your personal information is necessary to detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activities or to comply with a legal obligation.
Right to opt out
You have the right to direct us to not sell your personal information, which in our case means that we no longer share your identifiers and other information with our ad partners to make the ads you see outside our Services more relevant to you. To exercise your right to opt-out, please use the automated tool provided in our applications. The “Do not sell” tab can be found in the app settings under “privacy” or similar heading.
Right to non-discrimination
You have the right not to receive discriminatory treatment for exercising any of the rights described above.
11.4. CHANGES TO THIS NOTICE
We reserve the right to amend this Notice at our discretion and at any time and may update it due to changes in our operations or in the processing of personal information. The date this Notice was last updated is identified at the top of this page. You are responsible for periodically visiting the Musicians Health Lab website and this Notice to check for any changes.
11.5. CONTACT US
If you have any questions about this Notice, the ways we collect or use your personal information, your rights and choices regarding such use or if you wish to exercise your rights under the CCPA, you may contact us via email at firstname.lastname@example.org
12. GDPR DATA PROTECTION AGREEMENT
In connection with the Service, the parties anticipate that Musicians Health Lab may process outside of the European Economic Area (“EEA”) and United Kingdom, certain Personal Data in respect of which the Customer or any Affiliate of Customer may be a data controller or data processor, as applicable, under applicable EU Data Protection Laws.
The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by EU Data Protection Laws.
How this DPA applies
Data Processing Terms
The parties agree that the obligations under this DPA that are specific to the GDPR shall not apply until the GDPR has come into full force and effect.
1. The following definitions are used in this DPA:
a. “Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data;
b. “Affiliate” means, with respect to a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);
d. “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 May 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data);
e. “Personal Data” means all data which is defined as ‘personal data’ under EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Customer to Musicians Health Lab, and accessed, stored or otherwise processed by Musicians Health Lab as a data processor as part of its provision of the Service to Customer;
f. “Verified Technical Resource” means a category, in accordance with Article 13(1)(e) of the GDPR, of technical contractors verified by Musicians Health Lab to be able to technically adhere to the security provisions of this DPA and the GDPR, have entered an agreement with Musicians Health Lab at least as restrictive as this DPA; and may provide services to Musicians Health Lab when requested.
g. “Processing”, “data controller”, “data subject”, “supervisory authority” and “data processor” shall have the meanings ascribed to them in EU Data Protection Laws.
2. An entity “Controls” another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or pursuant to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it pursuant to its constitutional documents or pursuant to a contract; and two entities are treated as being in “Common Control” if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
2. STATUS OF THE PARTIES
1. The type of Personal Data processed pursuant to this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, are as described in Annex 1.
2. Each party warrants in relation to Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with EU Data Protection Laws. As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data.
3. In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer is the data controller or processor, and Musicians Health Lab is the data processor or sub-processor, as applicable, and accordingly Musicians Health Lab agrees that it shall process all Personal Data in accordance with its obligations pursuant to this DPA.
5. Each party shall appoint a Data Privacy Officer within its organization authorized to respond from time to time to enquiries regarding Personal Data; the parties shall make the Data Privacy Officer known to the other party; and the Data Privacy Officer shall deal with such enquiries promptly.
3. MUSICIANS HEALTH LAB OBLIGATIONS
1. With respect to all Personal Data, Musicians Health Lab warrants that it shall:
b. upon becoming aware, inform the Customer if, in Musicians Health Lab’s opinion, any instructions provided by the Customer under clause 3.1(a) are in conflict with the GDPR;
c. implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data;
d. take reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data are under obligations of confidentiality;
e. without undue delay after becoming aware, notify the Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Musicians Health Lab, its sub-processors, or any other identified or unidentified third party (a “Security Breach”);
f. promptly provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all reasonable information in Musicians Health Lab’s possession concerning such Security Breach insofar as it affects the Customer, including, to the extent then known, the following:
i. the possible cause and consequences for the Data Subjects of the Security Breach;
ii. the categories of Personal Data involved;
iii. a summary of the possible consequences for the relevant data subjects;
iv. a summary of the unauthorised recipients of the Personal Data; and
v. the measures taken by Musicians Health Lab to mitigate any damage;
g. not make any public announcement about a Security Breach (a “Breach Notice”) without the prior written consent of the Customer, unless required by applicable law;
h. promptly notify the Customer if it receives a request from a data subject of Customer to access, rectify or erase that individual’s Personal Data, or if a data subject objects to the processing of, or makes a data portability request in respect of, such Personal Data (each a “Data Subject Request”). Musicians Health Lab shall not respond to a Data Subject Request without the Customer’s prior written consent except to confirm that such request relates to the Customer, to which the Customer hereby agrees. To the extent that the Customer does not have the ability to address a Data Subject Request, then upon Customer’s request Musicians Health Lab shall provide reasonable assistance to the Customer to facilitate such Data Subject Request to the extent able and in line with applicable law. To the extent Customer does not respond, Musicians Health Lab may respond to the Data Subject Request in any manner it deems appropriate. Customer shall cover all costs incurred by Musicians Health Lab in connection with its provision of such assistance or response;
j. taking into account the nature of processing and the information available to Musicians Health Lab, provide such assistance to the Customer as the Customer reasonably requests in relation to Musicians Health Lab’s obligations under EU Data Protection Laws with respect to:
i. data protection impact assessments (as such term is defined in the GDPR);
ii. notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by the Customer in response to any Security Breach; and
iii. the Customer’s compliance with its obligations under the GDPR with respect to the security of processing;
iv. if the Customer shall cover all costs incurred by Musicians Health Lab in connection with its provision of such assistance.
1. The Customer grants a general authorization: (a) to Musicians Health Lab to appoint any Affiliate as sub-processors, and (b) to Musicians Health Lab and any Affiliate to appoint any Verified Technical Resource to act as third party data center operators, and outsourced marketing, business, engineering and customer support providers as sub-processors to support the performance of the Service.
3. Musicians Health Lab will ensure that any sub-processor it engages to provide an aspect of the Service on its behalf in connection with this DPA does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on Musicians Health Lab in this DPA (the "Relevant Terms"). Musicians Health Lab shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to the Customer for any breach by such person of any of the Relevant Terms.
5. AUDIT AND RECORDS
1. Musicians Health Lab shall, in accordance with EU Data Protection Laws, make available to the Customer such information in Musicians Health Lab’s possession or control as the Customer may reasonably request with a view to demonstrating Musicians Health Lab’s compliance with the obligations of data processors under EU Data Protection Law in relation to its processing of Personal Data.
2. The Customer may exercise its right of audit under EU Data Protection Laws in relation to Personal Data, through Musicians Health Lab providing:
a. an audit report not older than eighteen (18) months, prepared by an independent external auditor demonstrating that Musicians Health Lab’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard;
b. additional information in Musicians Health Lab’s possession or control to an EU supervisory authority when it requests or requires additional information in relation to the processing of Personal Data carried out by Musicians Health Lab under this DPA; and
c. Customer shall cover all costs incurred by Musicians Health Lab in connection with any such audit.
6. DATA TRANSFERS
1. To the extent any processing of Personal Data by Musicians Health Lab takes place in any country outside the EEA (except if in an Adequate Country), the parties agree that the standard contractual clauses approved by the EU authorities under EU Data Protection Laws will apply in respect of that processing, and Musicians Health Lab will comply with the obligations of the ‘data importer’ in the standard contractual clauses and the Customer will comply with the obligations of the 'data exporter'.
3. If, in the performance of this DPA, Musicians Health Lab transfers any Personal Data to a Verified Technical Sub-processor located outside of the EEA (without prejudice to clause 4), Musicians Health Lab shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
a. the requirement for Musicians Health Lab to execute or procure that the Verified Technical Sub-processor execute to the benefit of the Customer standard contractual clauses approved by the EU authorities under EU Data Protection Laws;
b. the requirement for the Verified Technical Sub-processor to be certified under the EU-U.S. Privacy Shield Framework; or
c. the existence of any other specifically approved safeguard for data transfers (as recognized under EU Data Protection Laws) and/or a European Commission finding of adequacy.
4. The following terms shall apply to the standard contractual clauses:
a. The Customer may exercise its right of audit under clause 5.1(f) of the standard contractual clauses as set out in, and subject to the requirements of, clause 5.2 of this DPA; and
b. Musicians Health Lab may appoint Verified Technical Sub-processors as set out, and subject to the requirements of, clauses 4 and 6.3 of this DPA.
3. This DPA does not confer any third-party beneficiary rights; it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
4. This DPA and any action related thereto shall be governed by and construed in accordance with the laws of the United Kingdom, without giving effect to any conflicts of laws principles. The parties consent to the personal jurisdiction of, and venue in, the courts of London.
5. This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. No modification of, amendment to, or waiver of any rights under the DPA will be effective unless in writing and signed by an authorized signatory of each party. This DPA may be executed in counterparts, each of which shall be deemed to be an original, but all of which, taken together, shall constitute one and the same agreement. Each person signing below represents and warrants that he or she is duly authorized and has legal capacity to execute and deliver this DPA. Each party represents and warrants to the other that the execution and delivery of this DPA, and the performance of such party’s obligations hereunder, have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
Details of the Personal Data and processing activities
a. The personal data comprises: in relation to Customer's name, email, telephone number, registration address; in relation to visitors of the Customer's online properties, identification data, connection data, or localization data (including IP addresses).
d. The purpose(s) of the processing is/are: necessary for the provision of the Service.
e. Personal data may concern the following data subjects:
Prospective customers, customers, resellers, referrers, business partners, and vendors of the Customer (who are natural persons);
Employees or contact persons of the Customer’s prospective customers, customers, resellers, referrers, sub-processors, business partners, and vendors (who are natural persons);
Employees, agents, advisors, and freelancers of the Customer (who are natural persons); and/or
Natural persons authorized by the Customer to use the Service.