Privacy Policy
General Provisions
This Policy defines the procedure for processing personal data and measures to ensure the security of personal data in Chickitik (hereinafter referred to as the Operator) in order to protect the rights and freedoms of individuals when processing their personal data, including the protection of the right to privacy, personal and family secrets.
Key Definitions
This section contains key terms and definitions used in this Policy.
Automated Processing of Personal Data
Processing of personal data using computer technology.
Blocking of Personal Data
Temporary suspension of personal data processing (except in cases where processing is necessary to clarify personal data).
Personal Data
Any information relating directly or indirectly to a specific or identifiable User of the website and mobile application.
Operator
A state body, municipal body, legal or natural person, independently or jointly with other persons organizing and/or processing personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.
Operator Details
Company name: ITcoti Oy (operator of Chickitik website)
Legal address: Neuvoksenkatu 24 A, 38700 Kankaanpää, Finland
Y-tunnus (Business identifier): 3489603-6
Place of registration: Pori, Finland
Legal form: Osakeyhtiö (Joint Stock Company)
Company website: https://itcoti.fi
Email: info@itcoti.fi
Phone: +358 40 258 2158
Data Protection Officer (DPO): Email: info@itcoti.fi | Phone: +358 40 258 2158
Applicable Legislation
General Provisions
This Policy has been developed in accordance with the legislation of the European Union and the Republic of Finland.
GDPR (General Data Protection Regulation)
The processing of personal data is carried out in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
Finnish Legislation
The Operator complies with the requirements of Finnish data protection legislation (Tietosuojalaki 1050/2018).
Jurisdiction
This Policy has been developed in accordance with the legislation of the European Union and Finland.
Principles and Conditions for Processing Personal Data
Principles of Personal Data Processing
The Operator processes personal data based on the following principles:
Legality and fair basis
Limiting the processing of personal data to the achievement of specific, predetermined and lawful purposes
Prevention of processing of personal data incompatible with the purposes of personal data collection
Processing only those personal data that correspond to the purposes of their processing
Correspondence of the content and volume of processed personal data to the stated purposes of processing
Ensuring the accuracy, sufficiency and relevance of personal data
Destruction or depersonalization of personal data upon achievement of the purposes of their processing
Conditions for Processing Personal Data
The Operator processes personal data in the presence of at least one of the following conditions:
Processing is carried out with the consent of the data subject
Processing is necessary for the performance of a contract
Processing is necessary for the realization of the rights and legitimate interests of the operator or third parties
Processing of publicly available personal data
Processing of personal data subject to publication
Processing is necessary to fulfill legal obligations
Confidentiality of Personal Data
The Operator and other persons having access to personal data have no right to disclose personal data to third parties and distribute them without the consent of the personal data subject, unless otherwise provided by current legislation.
Entrusting Personal Data Processing to a Third Party
The Operator has the right to entrust the processing of personal data to a third party with the consent of the personal data subject, unless otherwise provided by current legislation, on the basis of an agreement concluded with that person. A party processing personal data on behalf of the Operator is obliged to comply with the principles and rules of personal data processing provided for in this Policy.
Cross-Border Transfer of Personal Data
Before initiating a cross-border transfer of personal data, the Operator must ensure that the foreign state to whose territory the personal data is to be transferred provides adequate protection of the rights of personal data subjects.
Cross-border transfer of personal data to the territories of foreign states that do not provide adequate protection of the rights of personal data subjects may be carried out in the following cases:
- Written consent of the personal data subject
- Performance of a contract to which the personal data subject is a party
Categories of Processed Personal Data
Registration Data
When registering on the website and in the mobile application, the Operator processes the following data:
- Email address (required, used for registration and authentication)
- OAuth provider data (Google, Apple) - when using social network authorization (see "OAuth Provider Data" section)
Contact Data
To communicate with the user, the Operator processes only the email address specified during registration.
⚠️ IMPORTANT: The Operator does NOT collect and does NOT process users' phone numbers. The only contact data is email.
Payment Data
When making purchases, the following are processed:
- Payment information (without storing full bank card data)
- Order history
Technical Information
Automatically collected data:
- IP address
- Cookie data
- Browser type and version
- Device operating system
- Data about visited pages
Profile Data
Additional information provided by the user or generated during use of the application:
- Preferences and interests
- Book opening history (which books were opened, date and time)
- Reading progress (current page, percentage read)
- List of favourite books
- Book ratings and reviews left by the user
This data is stored on the Operator's servers, linked to the user's account, and used to restore progress when logging in from other devices and to personalise recommendations.
OAuth Provider Data (Google and Apple)
When using authorization through Google or Apple (OAuth), the Operator receives and processes the following data:
Data received from Google:
- Unique Google account identifier (Google ID)
- Email address (if provided by the user)
- Information that the email is verified by Google
Data received from Apple:
- Unique Apple account identifier (Apple ID)
- Email address (may be hidden by Apple, in which case a private email is used)
- Information that the email is verified by Apple
How we use OAuth provider data:
- Exclusively for user authentication and authorization in the Chickitik system
- For creating and managing user accounts
- For linking an OAuth account with an existing account by email (if the user is already registered)
Google data usage restrictions (compliance with Google requirements):
- We use Google data only for the purposes described in this Privacy Policy
- We do NOT use Google data for advertising or marketing
- We do NOT transfer Google data to third parties
- We do NOT use Google data to create user profiles for advertising purposes
- We do NOT use Google data for any purposes unrelated to providing Chickitik services
Apple data usage restrictions (compliance with Apple requirements):
- We use Apple data only for the purposes described in this Privacy Policy
- We do NOT use Apple data for advertising or marketing
- We do NOT transfer Apple data to third parties
- We do NOT use Apple data to create user profiles for advertising purposes
OAuth data storage:
- Unique identifiers (Google ID, Apple ID) and email addresses are stored in a secure database with restricted access
- The database is protected at the access level (only authorized administrators have access to the data)
- Technical protection measures are applied: access differentiation, registration of user actions, data encryption during transmission (SSL/TLS)
- Email addresses are stored in accordance with the general personal data storage policy
- OAuth data is stored only until the user deletes their account
OAuth data transfer:
- OAuth data is NOT transferred to third parties
- OAuth data is NOT used for purposes unrelated to providing Chickitik services
- OAuth data is accessible only to the Operator (ITcoti Oy) for authentication and account management purposes
User rights:
- The user can revoke access to OAuth provider data at any time through their provider account settings
- The user can delete their account, which will result in the deletion of all OAuth data
- The user can link an OAuth account to, or unlink it from, their Chickitik account
Privacy notices:
Information about how we use OAuth provider data is available:
- In this Privacy Policy (section "OAuth Provider Data")
- On the authorization page when choosing to sign in through Google or Apple
- In the user account settings
Purposes of Personal Data Processing
Service Provision
Personal data processing is carried out to provide access to the content of the website and mobile application.
Registration and Authentication
Creating and managing user accounts.
User authentication via email and verification code.
User authentication via OAuth providers (Google, Apple) - exclusively for signing in and account management.
Payment Processing
Conducting financial transactions and generating receipts.
User Communication
Sending notifications, responding to inquiries, informing about changes in services.
Service Improvement
Analyzing the use of the website and application to improve functionality.
Content Personalization
Forming personalized recommendations based on user preferences.
Marketing (with consent only)
Sending promotional materials and special offers (only with user consent).
Security Assurance
Fraud prevention, protection against unauthorized access.
Terms of Processing and Storage of Personal Data
General Principle
Personal data is stored no longer than required by the purposes of its processing.
Active Users' Data
Personal data of active users is stored until the account is deleted or consent for data processing is withdrawn.
Inactive Users' Data
Personal data of users who have not shown activity for 3 years is subject to deletion or anonymization.
Payment Information
Payment data is stored for the period established by tax legislation (minimum 5 years).
Technical Logs
Logs and technical information are stored for no more than 12 months.
Anonymized Data
Anonymized data that does not allow identification of a specific user may be stored indefinitely for statistical and analytical purposes.
Transfer of Personal Data to Third Parties
General Provisions
The Operator may transfer personal data to third parties only in cases provided for by this Policy and current legislation.
Payment Systems
iOS app: Subscriptions are processed via Apple In-App Purchases. The Operator only receives information about subscription status (active/inactive). Bank card data is processed exclusively by Apple Inc. and is not shared with the Operator. More info: https://www.apple.com/legal/privacy/
Website: For payment processing on the website, the Operator uses certified payment systems. Bank card data is transmitted directly to payment systems and is not stored on the Operator's servers.
Hosting and Servers
Personal data is stored on secure servers located in the territory of the European Union.
OAuth Providers (Google, Apple)
When using authorization through Google or Apple, OAuth provider data is NOT transferred to third parties.
OAuth data (Google ID, Apple ID, email) is used exclusively by the Operator for user authentication and account management.
We do NOT transfer OAuth provider data to advertising networks, analytics services, or any other third parties.
We do NOT use OAuth provider data to create advertising profiles or for any purposes unrelated to providing Chickitik services.
Analytics Services
To analyze traffic and user behavior, the Operator may use analytics services (with IP address anonymization).
Support Service
The Operator uses a ticket system to provide technical support.
Data collected when creating a ticket:
- User name (optional for guests)
- Email address (optional for guests)
- Subject and description of the ticket
- IP address
- Device information (browser type, operating system)
- Unique device identifier (Device Key) - for identifying guest tickets
Purposes of ticket data processing:
- Processing and responding to user tickets
- Identifying the user and their tickets
- Sending ticket status notifications (with consent)
- Improving service quality
Ticket data storage:
- Tickets are stored in a secure database
- Retention period: until deleted by user or 3 years from ticket closure
- Device Key is stored in browser cookies and database for ticket association
Support email notifications:
- Notifications are sent only with explicit user consent
- User can revoke consent at any time through account settings
- For guests, consent is requested for each ticket
Support email: info@itcoti.fi
Email Notifications
Standard Operator email servers are used to send notifications.
Government Authorities
The Operator has the right to disclose personal data at the lawful request of government authorities within their powers.
Use of Cookies and Analytics Services
What are cookies
Cookies are small text files that are saved on the user's device when visiting a site. They are used to improve site functionality and personalize content.
Types of cookies used
• Essential cookies: Provide basic site functionality (authorization, sessions). These cookies cannot be disabled.
• Functional cookies: Remember user settings (interface language, theme).
• Analytics cookies: Collect anonymous statistics about site traffic to improve its performance.
Cookie Management
Users can manage cookies through browser settings. Disabling cookies may limit site functionality.
Cookie Storage Period
Session cookies are deleted when the browser is closed. Persistent cookies are stored until their expiration date or deletion by the user.
Rights of the Data Subject
Consent for Processing
The personal data subject makes the decision to provide their personal data and gives consent for its processing freely, of their own will and in their own interest. Consent for personal data processing may be given in any form that allows confirmation of its receipt.
Right to Access
The personal data subject has the right to receive information from the Operator about the processing of their personal data.
Right to Rectification
The data subject has the right to request clarification of their personal data from the Operator if the data is incomplete, outdated, or inaccurate.
Right to Erasure ("Right to be Forgotten")
The data subject has the right to request deletion of their personal data from the Operator without undue delay.
To exercise this right, contact the Operator by email at info@itcoti.fi.
Right to Restriction of Processing
The data subject has the right to request temporary cessation of personal data processing in the following cases:
- For the period of verification of personal data accuracy
- For the period of consideration of objection to processing
- When processing is unlawful but the subject does not want data deletion
Right to Data Portability
The data subject has the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another operator.
Right to Object
The data subject has the right to object at any time to the processing of their personal data for marketing purposes or profiling.
Right to Lodge a Complaint
If the data subject believes that the Operator violates their rights, they have the right to lodge a complaint with the data protection supervisory authority.
In Finland: Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman)
Email: tietosuoja@om.fi
Procedure for Exercising Data Subject Rights
Request Submission
To exercise their rights, the personal data subject can send a request to the Operator by one of the following methods:
• By email: info@itcoti.fi
• Through the feedback form on the website
• Through profile settings in the mobile application
Request Content
The request must contain:
• Full name of the data subject
• Email address for response
• Description of the requested action (access, rectification, deletion, etc.)
• Signature (for written requests)
Request Verification
The Operator has the right to request additional information to verify the identity of the data subject in order to prevent unauthorized access to data.
Response Timeframe
The Operator is obligated to provide a response to the request within 30 days from the date of receipt.
If necessary, the deadline may be extended for another 30 days with notification to the data subject of the reasons for the delay.
Request Refusal
The Operator has the right to refuse to fulfill the request in cases provided by legislation, with justification of the reasons for refusal.
Consent Withdrawal Procedure
To withdraw consent for personal data processing, the subject can:
• Send a written request to info@itcoti.fi
• Delete their account through profile settings
Consequences of Consent Withdrawal
After consent withdrawal, the Operator ceases processing of personal data and deletes it, except when data retention is provided by legislation.
Account Deletion Procedure
To delete an account, the user can:
1. Go to profile settings
2. Select "Delete Account"
3. Confirm deletion
Alternatively: send a request to info@itcoti.fi
Data Deletion Timeframe
Personal data is deleted within 30 days from the date of receiving the request, except for data that must be retained in accordance with legislation.
Ensuring Personal Data Security
General Provisions
The security of personal data processed by the Operator is ensured through the implementation of legal, organizational, and technical measures necessary to meet the requirements of current legislation in the field of personal data protection.
Organizational Measures
To prevent unauthorized access to personal data, the Operator applies the following organizational measures:
Appointment of Responsible Persons
Appointment of officials responsible for organizing the processing and protection of personal data.
Access Limitation
Limiting the number of persons authorized to process personal data.
Staff Training
Familiarization of employees with the requirements of current legislation and regulatory documents of the Operator on the processing and protection of personal data.
Media Accounting and Control
Organization of accounting, storage, and handling of media containing personal data information.
Threat Assessment
Identification of threats to the security of personal data during their processing, formation of threat models based on them.
Protection System Development
Development of a personal data protection system based on the threat model.
Effectiveness Verification
Verification of readiness and effectiveness of information protection means.
Technical Measures
The Operator applies the following technical protection measures:
Access Differentiation
Differentiation of user access to information resources, software, and technical means of information processing.
Action Registration
Registration and accounting of actions of users of personal data information systems.
Antivirus Protection
Use of antivirus tools and personal data protection recovery tools.
Cryptographic Protection
Application of cryptographic information protection means, including:
• Data encryption during transmission (SSL/TLS)
• Password hashing
• Database encryption (when necessary)
Network Protection
Application of firewalls, intrusion detection systems, security analysis.
Data Backup
Regular data backups in compliance with security requirements.
Physical Security
Organization of access control on the Operator's territory, security of premises with technical means of personal data processing.
Third Party Responsibility
All information collected by third-party services, including payment systems, communication means, and other service providers, is stored and processed by these parties (Operators) in accordance with their User Agreement and Privacy Policy. The Operator is not responsible for the actions of third parties, including the service providers specified in this clause.
Data Security Breach Notification
Notification Obligation
In case of detecting a personal data security breach that may pose a high risk to the rights and freedoms of data subjects, the Operator undertakes to notify the relevant supervisory authorities and affected data subjects.
Supervisory Authority Notification Timeframe
Notification to the supervisory authority is made no later than 72 hours after detection of the breach.
Notification Content
The notification must contain:
• Nature of the breach
• Categories and approximate number of affected data subjects
• Likely consequences of the breach
• Measures taken or proposed to remedy the breach
Data Subject Notification
When there is a high risk to the rights of data subjects, the Operator notifies affected individuals immediately in clear language.
Breach Documentation
All data security breaches are documented by the Operator indicating circumstances, consequences, and measures taken.
Changes to Privacy Policy
Right to Change
The Operator reserves the right to make changes to this Privacy Policy at any time.
Change Notification
When making material changes, the Operator notifies users by one of the following methods:
• Posting a notice on the website
• Sending an email notification
• Push notification in the mobile application
Changes Effective Date
Changes take effect from the moment of their publication on the website, unless otherwise specified in the change notification.
Consent to Changes
Continued use of the website and mobile application after changes indicates user agreement with the new version of the Policy.
Version Archive
Previous versions of the Privacy Policy are available upon request at info@itcoti.fi
Special Provisions for Minors
Age Provisions
Chickitik services are available to users of all ages, including children. The platform provides educational content (books for reading and listening) for children of different ages.
Processing of Minors' Data
For minors under 16 years of age:
• Account registration and processing of personal data is carried out only with the consent of parents or legal representatives
• Children can freely use publicly available content (reading and listening to books) without registration
• We do not collect personal data from children without parental consent
Parental Rights
Parents or legal representatives have the right to:
• View their child's personal data
• Request deletion of the child's account
• Withdraw consent for data processing
• Contact us regarding the child's data: info@itcoti.fi
Final Provisions
Applicable Law
This Policy and the relationship between the Operator and data subjects are governed by the legislation of the European Union and the Republic of Finland.
Dispute Resolution
All disputes arising in connection with the processing of personal data shall be resolved through negotiations. If no agreement is reached, disputes shall be submitted to the competent court of Finland (Kankaanpää, Finland).
Publication Obligation
The Operator is obliged to publish or otherwise provide unlimited access to this Personal Data Processing Policy.
Publication Location
This Policy is available at: https://chickitik.com/privacy
Other Rights and Obligations
Other rights and obligations of the Operator in connection with the processing of personal data are determined by applicable personal data legislation.
Contact Information
Contacts for Personal Data Questions
• Email: info@itcoti.fi
• Postal address: Neuvoksenkatu 24 A, 38700 Kankaanpää, Finland
• Phone: +358 40 258 2158
Data Protection Officer (DPO)
• Email: info@itcoti.fi
• Phone: +358 40 258 2158
Supervisory Authority (Finland/EU)
Tietosuojavaltuutetun toimisto (Office of the Data Protection Ombudsman of Finland)
• Website: https://tietosuoja.fi
• Email: tietosuoja@om.fi