This Privacy Policy describes the general principles of personal data processing of Stemy. The purpose of the Privacy Policy is to provide clear and transparent information on how Stemy may process your personal data when you are using our services.

If you have additional questions about how we process your personal data or if you wish to forward us requests for exercising the rights involved in personal data processing, please contact us using the contact details provided in the section “Miscellaneous” below.

1. DEFINITIONS

The capitalised terms in these Privacy Policy shall have the following meaning:

“Data subject”	Natural person whose personal data Stemy processes;
“GDPR”	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data”	Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Applicable Law”	All valid European Union legal acts and all valid legal acts of the Republic of Estonia, including, but not limited to, the national implementation acts for GDPR which are applicable during the validity of these terms and conditions or shall be applicable after the terms and conditions enter into force.
“User”	is any person who uses the Platform (including the Student and Teacher);
“Stemy”	is Stemy OÜ, registry code 16087291, street address Telliskivi tn 60a/5, Tallinn, Harju county 10412 Estonia;
“Platform”	is the platform at the online address app.stemy.com managed by Stemy which provides the possibility to resolve assignments as an independent study form;
“Privacy Policy”	is this document on personal data processing;
“Teacher”	is the User who has registered a teacher user account on the Platform and who has the possibility to use the Platform solutions to conduct and organise study work.
“Student”	is the User who wishes to use the Platform for independent study work either through the Teacher or voluntarily.
“Data Controller”	a natural or legal person, public sector authority, agency or other body who, alone or jointly with others, determines the purposes and means of the personal data processing. For the purposes of these terms, the data controller is Stemy;
“Data Processor”	a natural or legal person, public sector authority, agency or other body who processes the personal data on behalf of the controller.

2. WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?

1. Stemy as the Data Controller processes Personal Data for the purposes set out in this Privacy Policy. Stemy processes Personal Data based on the Applicable Law, including the Personal Data Protection Act and other legal acts that address personal data processing.

2. Stemy processes personal data based on the principles of personal data protection, including the principle of minimum interference, according to which we process only the data that are required for the provision of the service and achieving our purposes.

3. Data processing for contract performance. Stemy processes personal data primarily for the purposes of providing services and for performing contractual obligations. For the provision of the service, the legal basis for personal data processing is article 6(1)(b) of the GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

4. Data processing for the performance of a legal obligation. Stemy processes Personal Data also where it is required to perform legal obligations applicable to Stemy. For example, if a court requests Personal Data from Stemy under an applicable court order or court judgement or if a law enforcement agency requests Personal Data under an applicable regulation. Also, if Stemy is obligated to retain Personal Data, for example, under the Accounting Act or other applicable legal acts. In case of such processing, the legal basis for Personal Data processing is article 6(1)(c) of the GDPR (processing is necessary for compliance with a legal obligation to which the Data Controller is subject).

5. Date processing on the basis of legitimate interest. In certain cases, Stemy may process your personal data also when it is necessary for Stemy’s legitimate interest. In such case, the legal basis for Personal Data processing is article 6(1)(f) of the GDPR. Stemy shall process Personal Data on the basis of legitimate interest only in case such processing is not outweighed by the basic rights and freedoms of the data subject for which the Personal Data must be protected. Only data that has been received from the Data Subject or created during the performance of the contract is processed on the basis of legitimate interest.

6. Stemy may have legitimate interest in the processing of personal data if this is necessary to prepare, submit or defend legal claims. For example, such need may arise in a situation where the Data Subject has violated the contract, primarily failed to pay the monthly fee for using the Platform. Stemy may also have legitimate interest in processing personal data if this is necessary to ensure the technical functionality of the Platform.

7. The data processed on the basis of legitimate interest shall be retained in compliance with the general statutory limitation period for claims which is 3 years after the provision of service. More details on the retention periods can be found in the section “Overview of processed personal data”.

3. OVERVIEW OF PROCESSED PERSONAL DATA
   

Depending on the legal relationship between you and Stemy, Stemy may process the following data about you:

Purpose	Collected personal data	Legal basis	Retention period
Providing the Platform to the Teacher	Contact details: name, e-mail address, telephone number, class and curriculum	GDPR article 6 (1) (b), after the termination of the contract GDPR article 6 (1) (f)	Until 3 years after the provision of the service (§ 146 (1) of An Act on the General Part of the Civil Code);
Providing the Platform to the Parent	Contact details: name, e-mail address, telephone number	GDPR article 6 (1) (b), after the termination of the contract GDPR article 6 (1) (f)	Until 3 years after the provision of the service (§ 146 (1) of An Act on the General Part of the Civil Code);
Providing the Platform to the Student	Contact details: name, e-mail address, class and curriculum Data regarding the use of the Platform: solutions and answers submitted by the Students, self-evaluations and other information that the Student has inserted on the platform	GDPR article 6 (1) (b), after the termination of the contract GDPR article 6 (1) (f)	Until 3 years after the provision of the service (§ 146 (1) of An Act on the General Part of the Civil Code);
Processing of payment data	ID in the environment of the payment service provider Stripe	GDPR article 6 (1) (b), after the termination of the contract GDPR article 6 (1) (f)	Until 3 years after the provision of the service (§ 146 (1) of An Act on the General Part of the Civil Code);
Accounting documents	Documents required for the performance of a legal obligation	GDPR article 6 (1) (c)	7 years under the Accounting Act (§ 12 (4) of the Accounting Act)
Data collected with cookies	Read the separate section on using cookies

4. TRANSFER OF PERSONAL DATA AND USE OF DATA PROCESSORS

8. Stemy does not transfer personal data to third parties, except when possessing the legitimate right under the Applicable Law. Stemy does not transfer Personal Data outside the European Economic Area.

9. Stemy may use Data Processors for Personal Data processing. Data Processors assigned by Stemy, who in limited circumstances may process the Personal Data, are, for example, IT-service providers (server providers, IT software developers) or other providers of services required for the functioning of the platform (such as Stripe and Mixpanel).

10. Stemy uses as Data Processors only such partners whose reliability Stemy has verified and who have committed to processing Personal Data in compliance with the Applicable Law.
    

5. USE OF COOKIES

11. Stemy uses Cookies. Cookies are small text files containing information stored on the computer and used for tracking or identification.

12. The Platform uses the following cookies:

1. Third party analytical cookies: for the better functioning and provision of the platform and collecting statistics (Google Analytics). You can read the privacy policy and terms and conditions of third parties on the cookie provider’s website: https://www.google.com/policies/technologies/cookies/.

 

2. Unclassified cookies: cookies which have not yet been classified.

13. More specifically, we use the following cookies:

Cookie	Domain	Description	Validity	Type
ajs_anonymous_id	app.stemy.com	The cookie installed by Segment.com is an anonymous random identifier assigned when the user first visits the site.	1 year	Analytical cookie
ajs_user_id	app.stemy.com	The cookie installed by Segment.com is a non-PII identifier assigned when the user is authenticated.	1 year	Analytical cookie
__Secure-next-auth.session-token	app.stemy.com	A first-party cookie to persist the users session	1 month	Authentication cookie
__Secure-next-auth.callback-url	app.stemy.com	A first-party authentication cookie to define the callback URL post authentication.	Visit session	Authentication cookie
__Host-next-auth.csrf-token	app.stemy.com	A first-party security cookie for CSRF prevention	Visit session	Authentication cookie
_fbp	app.stemy.com	This cookie installed by Segment.com is to track conversions from Meta advertisements.	3 months	Analytical cookie

14. You have the right to disable cookies at any time by changing your browser settings. When doing so, please take into account that some functions of the browser may not function properly. Cookies can be disabled by following the instructions under the browser’s “help” section. More information on how cookies operate or how to disable cookies is also available on the website www.allaboutcookies.org.

6. RIGHTS OF THE DATA SUBJECT

15. Stemy shall ensure all the rights of the data subject arising from the Applicable Law.

16. Each Data Subject shall inter alia have the following rights:

3. right to access: the right to ask at any time whether Stemy holds any personal data about them or not and receive information about which Personal Data Stemy is processing about them;
4. right to rectification: the right to request from Stemy the supplementation or rectification of their personal data if these are insufficient, incomplete or inaccurate;  
5. right to object: the right to submit objections to Stemy concerning the processing of one’s Personal Data, for example if the personal data is processed on the basis of the legitimate interests of Stemy;
6. right to erasure: the right to request the erasure of Personal Data, for example, if the Personal Data are processed based on the Data Subject’s consent and the Data Subject has withdrawn their consent;
7. right to restriction of processing: the right to request from Stemy the restriction of processing of Personal Data under the Applicable Law, for example, where Stemy no longer needs the Personal Data for the purposes of the processing or where the Data Subject has objected to processing;
8. right to withdraw the consent for processing Personal Data: if the processing of Personal Data is based on the Data Subject’s consent, the Data Subject has the right to withdraw the consent given to Stemy at any time;
9. right to data portability: the right to receive from Stemy the Personal Data that the Data Subject has provided to Operail and which are processed on the basis of the Data Subject’s consent or for the performance of a contract concluded with the Data Subject, in writing or in a generally used electronic format and, if technically possible, request that Stemy transfers these data to another Data Controller<
10. right to lodge a complaint: If the Data Subject is of the opinion that the processing of their Personal Data has violated their rights, they have the right at any time to file this claim to the Data Protection Inspectorate / Tatari 39, 10134 Tallinn, [email protected], www.aki.ee.

17. The rights of the Data Subject listed in this section regarding the processing of their Personal Data are not absolute rights. In certain cases the rights of other Data Subjects or the legal obligations of Stemy may limit the rights of the data subject.

18. In order to exercise the rights pertaining to the processing of Personal Data or to submit requests concerning the processing of personal data, please contact us using the contact details provided in the section “Miscellaneous” below.

7. SECURITY OF PERSONAL DATA

19. Stemy shall ensure the security of Personal Data processing, for the purposes of protecting Personal Data from accidental or unauthorised processing, disclosure or destruction.

20. Taking into account the state of the art and costs of implementation, and the nature, scope, context and purposes of the personal data processing as well as the risk to the rights and freedoms of data subjects, of varying likelihood and severity, that may result from personal data processing, Stemy shall apply appropriate technical and organisational measures upon personal data processing to ensure the protection of personal data.

8. MISCELLANEOUS

21. Upon changes in legal acts or practice, Stemy has the right to make amendments to the Privacy Policy which shall be immediately published at the online address app.stemy.com.

22. In case of questions concerning the processing of Personal Data or in order to submit requests concerning the processing of Personal Data, please contact Stemy.

The general contact details are:

Stemy OÜ

Telliskivi tn 60a/5, 10412 Tallinn, Harju County

[email protected]