Codevision pays great attention to protecting personal data and complying with the law when it collects, processes and uses such data. We want you to feel safe when you visit our site and use our services – and that is why we are providing you with this Privacy Policy. Here you can find out about our data collection and use of data policy.
This Privacy Policy sets forth our current privacy practices with regard to the information we collect when you interact with our site or by using our contact and job application forms.

The integral part of this Privacy Policy is our Cookies Policy, where you can learn more about our use of cookies technology.

If you happen to be left with even more questions after reading our policy – or already have some – do not hesitate to contact us.

1.1. Codevision Sp. z O.O. (hereinafter referred to as the “Company”, “We”), KRS 0000965749, having its registered address at Gęsia 8 / 205, 31-535 Krakow, Poland, manages financial transactions at the codevisiondev.com website (hereinafter referred to as the “Website”), takes its responsibilities with regard to the requirements of the EU GDPR and UK GDPR very seriously.
1.2. This document provides the Privacy Notice framework through which effective management of Data Protection matters can be achieved.
1.3. This Privacy Notice is addressed to the Company’s customers who will provide their personal data to the Company for processing.

2.1. Customer – an individual engaging in gaming on the Company’s website;
2.2. Data Providers – third-party service providers or public authorities used to collect additional information in order to carry out AML/CFT procedures.
2.3. Data Subject – any individual whose personal data the Company may process, including, but not limited to, Company’s Customers, job applicants, Visitors, etc.
2.4. Personal data – any information relating to an identified or identifiable Data Subject;
2.5. Visitor – any individual using the Website;
2.6. Website – codevisiondev.com;
2.7. Processing – any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.8. Personal data breach – a breach of data security leading to unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2.9. Restriction of processing – marking of stored personal data with the aim of limiting the scope of their processing in the future;
2.10. Consent – any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which they, by a statement or by clear affirmative action, signify agreement to the processing of their personal data;
2.13. EEA – European Economic Area (the European Union Member States, Norway, Iceland and Liechtenstein);
2.14. AML/CFT – Anti-Money Laundering / Combating the Financing of Terrorism legal rules and standards as envisaged in the FATF recommendations, the EU regulations and national legislation.

The Company determines the purposes and means of processing of personal data and therefore acts as the Controller, in the following situations:

• when “cookie” files are collected in the course of the Website or livechat operation (if any);
• when the Company obtains registration data while onboarding a new customer;
• when the Company carries out AML/CFT procedures in respect of its customer;
• when the Company carries out responsible gaming procedures in respect of its customer.

The Company may collect and further process personal data submitted via the Website in order to:

• provide Visitors with such information as they may request;
• evaluate the information presented by job applicants when considering their candidacy and to contact them subsequently;
• provide a Customer with the gaming functionality through the Company’s Website;
• identify and authenticate the Customer for the purposes of the applicable AML/CFT and/or other laws and regulations as well as of the Company’s internal due diligence policies and procedures;
• verify Customer’s identity for the purposes of the applicable AML/CFT and/or other laws and regulations as well as of the Company’s internal due diligence policies and procedures;
• determine Customer’s risk status for the purposes of the applicable AML/CFT and/or other laws and regulations as well as of the Company’s internal due diligence policies and procedures.

The Company always relies on the appropriate legal grounds of processing, which may depend on the processing purposes:

• for the cookie-file processing, consent is obtained via the cookie banner (Article 6(1)(a) of the GDPR);
• for emailing Visitors after they have consented (Article 6(1)(a) of the GDPR) to it by ticking a special checkbox;
• when the information presented by job applicants is reviewed, two legal grounds equally apply: (i) Article 6(1)(c) of the GDPR (“compliance with a legal obligation” based on labor laws to which the Company is subject); and (ii) Article 6(1)(f) of the GDPR (since “legitimate interest” allows the Company to evaluate personal information when considering the job candidacy of a certain applicant and to be able to contact them back on the matter);
• when information is collected during a business inquiry or communication, the Company relies on Article 6(1)(b) of the GDPR (prescribing to “take steps at the request of the data subject prior to entering into a contract”), as well as Article 6(1)(f) of the GDPR (where there is “legitimate interest” to enter into the Agreement, to provide the Services, to communicate with the representative of the Client etc.);
• When the Company performs AML/CFT procedures in respect of the Customers, the Company relies on Article 6(1)(c) of the GDPR: “[personal data] processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 6(1)(e) of the GDPR: “[personal data] processing is necessary for the performance of a task carried out in the public interest”;
• In the course of AML/CFT procedures, the Company may also arrange consent functionality and rely on Article 6 (1)(a) of the GDPR: “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.

The Company may collect and further process the following personal data depending on the processing purpose:
● Visitors’ personal data
The Company may process certain data of the Visitors using the Website through “cookie” files or other similar technologies (e.g., IP address, equipment information, location information, “beacons”).
● Personal data of Users contacting the Company via the Company
– full name/first name;
– e-mail address.
● Personal data of job applicants
– full name;
– e-mail address;
– contact phone number;
– CV details.
● Personal data of Customers

• general personal data, such as full name, sex, personal identification code or number, date of birth, legal capacity, nationality and citizenship, location (street, city, country, postcode);
• identity document data, such as document type, issuing country, number, expiry date, MRZ, information embedded into document barcodes (may vary depending on the document), security features;
• facial image data, such as photos of face (including selfie images) and photo or scan of face on the identification document, videos, sound recordings;
• biometrical data such as facial features;
• banking details, such as card holder name, expiry date, first 6 and last 4 digits of the

card number, data extracted from documents provided as proof of source of funds/wealth;

• contact details, such as address, e-mail address, phone number, IP address;
• technical data, including, but not limited to, information regarding the date, time and
• activity on the Website; IP address and domain name; software and hardware attributes (e.g., camera name and type); general geographic location (e.g., city, country) from Data Subject’s device;
• unique identifier (Applicant ID) created only for association Data Subject’s and its personal data inside the the Company’s system;
• relevant publicly available data, such as information regarding a person being a Politically Exposed Person (PEP) or included in sanctions lists;
• personal information, such as contact details;
• personal information additionally provided by Data Subjects, such as data obtained during their communications with the Company (e.g., requests, reports).

The retention period depends entirely on the relevant data processing purpose:

• regarding Visitors contacting the Company upon certain requests and technical data, the retention period is three years (enabling the Company to re-contact the Visitor in the event of unforeseen circumstances and to manage the Website efficiently);
• regarding the purpose of emailing Visitors regarding compliance-related advice, news and guidelines, the retention period lasts until the Data Subject unsubscribes by following the respective link in the email;
• regarding evaluation of job applications, the retention period is one year from the disqualification of the candidacy (enabling the Company to contact the applicant if the position is re-opened);
• regarding business communication, the retention period is up to five years;
• regarding “cookie” files, the retention period is up to five years;
• regarding Customer’s personal data, the retention period is established in the respective Agreement and typically constitutes five years, unless the applicable AML/CFT laws require to retain data for a longer period.

The Company does not process children’s personal data.

As the Data Controller, the Company respects and guarantees the following rights of each Data Subject:

• Right to obtain confirmation as to whether or not his or her personal data are being processed (Article 15 of the EU GDPR and the UK GDPR);
• Right to rectify inaccurate personal data without undue delay (Article 16 of the EU GDPR and the UK GDPR);
• Right to erase personal data, or “right to be forgotten” (Article 17 of the EU GDPR and the UK GDPR) if one of the following applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; (iii) the personal data have been unlawfully processed;
• Right to restrict personal data processing (Article 18 of the EU GDPR and the UK GDPR) if one of the following applies: (i) the accuracy of the personal data is contested (during the period when the Company is able to verify its accuracy); (ii) the processing is unlawful and the Data Subject objects to the erasure of the personal data and requests to restrict their use instead; (iii) The Company no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject to establish, exercise or defend legal claims; (iv) the Data Subject has objected to processing pending the verification whether the Company’s legitimate grounds override those of Data Subject;
• Right to be informed as to rectification or erasure of personal data or restriction of their processing (Article 19 of the EU GDPR and the UK GDPR);
• Right to receive personal data in the form that is machine-readable and ready for transmission to another controller (Article 20 of the EU GDPR and the UK GDPR and);
• Right to object to personal data processing (Article 21 of the EU GDPR and the UK GDPR) if the processing is justified by the “public interest” or “legitimate interest” legal ground as set out in point (e) and (f) of Article 6(1) of the GDPR;
• Right not to be subject to a decision based solely on automated processing (Article 22 of the EU GDPR and the UK GDPR) unless one of the following applies: (i) such decision is necessary for entering into, or performance of, a contract between the Data Subject and the Company; (ii) such decision is authorised by the law to which the Company is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests, or (iii) such decision is based on the Data Subject’s explicit consent.

Company is responsible for establishing policies and procedures in order to comply with the EU GDPR and the UK GDPR. Our Data Protection Officer can be contacted via the following e-mail address: support@codevisiondev.com

4.1. Company adheres to the principles of personal data protection as envisaged in the Curacao Data Protection Ordinance (Ordinance No. 84 of 4 September 2010 Laying Down Rules on the Protection of Personal Data), the EU GDPR and UK GDPR. In accordance with these principles, personal data is:

• Processed fairly and lawfully and in a transparent manner in relation to the Data Subject;
• Processed for specified, explicit and legitimate purposes only and not further processed in a manner that is incompatible with those purposes;
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Kept accurate and up to date;
• Retained in a form permitting identification of Data Subjects for no longer than is necessary for the purposes for which they are processed;
• Not retained longer than necessary;
• Processed in a manner that ensures their appropriate security;
• Not transferred outside the European Economic Area (EEA) or the EU without adequate protection (where applicable to the European Data Subjects).

4.2. Whenever a cross-border transfer of personal data outside the EU or the EEA is carried out, the Company implements appropriate safeguards as set out in Chapter V of the EU GDPR. Third-Party Processors likewise rely on appropriate safeguards, which includes Binding Corporate Rules, Standard Contractual Clauses etc.

1. Preamble

2. Definitions

3. Scope of the Privacy Notice

5. Purposes of personal data processing

6. Lawfulness of personal data processing

7. Types of personal data processed by the Company

8. Personal data retention period

9. Processing of children’s personal data

10. Data Subjects’ rights

11. Company’s responsibilities

4. Principles of personal data processing that the Company adheres to

The Company’s Data Protection Officer holds responsibility for:

• drawing up guidance and promoting compliance with this Privacy Notice;
• appropriate compliance with the EU GDPR, UK GDPR and Data Protection Act 2018 and other applicable laws;
• ensuring that any personal data breaches are resolved, catalogued and reported

appropriately in a swift manner;

• investigating and responding to complaints regarding data protection, including

requests to cease the processing of personal data.

Company’s personnel who are involved in personal data processing comply with the requirements of this Privacy Notice. Personnel ensures that:

• all personal data is kept securely;
• no personal data is disclosed either verbally or in writing, accidentally or otherwise, to

any unauthorised third party;

• any queries, requests and complaints regarding data protection are promptly directed

to the Data Protection Officer;

• any data protection breaches are swiftly brought to the attention of the Governance

Team and the Data Protection Officer;

• where there is uncertainty regarding a data protection matter, advice is sought from

the Data Protection Officer.
***
This Privacy Notice is constantly reviewed and amended in order to provide appropriate compliance with the Curacao Data Protection Ordinance (Ordinance No. 84 of 4 September 2010 Laying Down Rules on the Protection of Personal Data), the EU GDPR and the UK GDPR.
If you have any request or complaint regarding the Privacy Notice or would like to exercise any of the data subject’s rights granted to you by the applicable laws, please contact us at support@codevisiondev.com

12. Company’s Data Protection Officer’s responsibilities

13. Company’s personnel responsibilities