Portal Terms and Conditions

PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS PLATFORM

What's in these terms?

These terms tell you the rules for using any website or app provided by ICAS World (our platforms).

1. Who we are and how to contact us.

We are ICAS World. We are made up of the following companies all of which are
registered in England:

(i) ICAS International Holdings Limited – [Company Number 03245537]

(ii) ICAS World Ltd – [Company Number 13065199]

(iii) ICAS World UK Ltd – [Company Number 13474737]

(iv) ICAS Digital Health Limited – [Company Number 12838038]

(v) Hello Tomo Limited – [Company Number 13545177]

All our above companies have their registered office at 85 Gresham Street, London, England, EC2V 7NQ.

To contact us, please use the details that can be found at www.icasworld.com under the heading “Contact Us”.

2. By using our platforms you accept these terms.

By using our platforms, you confirm that you accept these terms of use and that you agree to comply with them.

If you do not agree to these terms, you must not use our platforms.

We recommend that you print a copy of these terms for future reference.

3. There are other terms that may apply to you.

These terms of use refer to the following additional terms, which also apply to your use of our platforms:

Our Privacy Policy

Our Acceptable Use Policy which sets out the permitted uses and prohibited uses of our platforms. When using our platforms, you must comply with this Acceptable Use Policy.

Our Cookie Policy, which sets out information about the cookies on our platforms.

If a particular ICAS World platform contains its own bespoke terms, then those terms will apply to your use of that platform.

4. We may make changes to these terms.

We amend these terms from time to time. Every time you wish to use our platforms, please check these terms to ensure you understand the terms that apply at that time.

5. We may make changes to our platforms.

We may update and change our platforms from time to time to reflect changes to our services, our users’ needs and our business priorities or where required to by applicable regulatory guidance, including clinical regulatory guidance. We will try to give you reasonable notice of any major changes.

6. We may suspend or withdraw our platforms.

Except for our general corporate website, located at www.icasworld.com, our platforms are made available to you as part of employee wellbeing services that we are contracted to provide to a corporate entity or corporate group with which you or a family member has an employment, worker or contractor relationship.

We do not guarantee that our platforms, or any content on them, will always be available or be uninterrupted. We may suspend or withdraw or restrict the availability of all or any part of our platforms for business and operational reasons, including where we are no longer contracted to provide the employee wellbeing services referred to in the previous paragraph.

You are also responsible for ensuring that all persons who access our platforms through your internet connection are aware of these terms of use and other applicable terms and conditions, and that they comply with them.

7. We may transfer this agreement to someone else.

We may transfer our rights and obligations under these terms to another organisation. We will ensure any such transfer complies with the contracts between us and corporate entities under which we provide employee wellbeing services (including this platforms).

8. Our platforms and authorised users.

Except for our general corporate website, located at www.icasworld.com, our platforms are only available as part of the employee wellbeing services that we are contracted to provide to certain corporate entities. You may only use the platforms if you, or a family member, works for one of those corporate entities. You should also ensure the corporate entity has clarified that you have the right to access the portal; for example, they may have stated this on their intranet or provided you or your family member with promotional material describing the platforms, or ICAS World’s wider services.

We do not provide our employee wellbeing platforms for the use of the general public. If you do not fall within the eligibility criteria explained above, then you must not use those platforms and should only access our general corporate website, located at www.icasworld.com.

9. Keeping your account details safe.

For some of our platforms, you will be provided with generic ‘log in’ details to ensure that you can access the platforms anonymously.

If you have been provided with such generic ‘log in’ details by ICAS World or your employer, we encourage you to share those details with members of your immediate household, as they will also be eligible to access the platforms.

If our platforms give you the option of registering your own personal account, it is up to you whether you choose to do so.

If you do choose to register a personal account, then we will provide you with a user identification code, password or other similar pieces of information as part of our security procedures. You must treat such information as confidential. You must not disclose it to any third party.

We have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our reasonable opinion you have failed to comply with any of the provisions of these terms of use.

If you choose to register a personal account, and you know or suspect that anyone other than you know your personal user identification code or password, you must promptly notify us using the following email address: idh@4.234.178.66

10. How you may use material on our platforms.

We are the owner or the licensee of all intellectual property rights in our platforms, and in the material published on them. Those works are protected by copyright laws and treaties around the world. All such rights are reserved.

You may print off one copy, and may download extracts, of any page(s) from our platforms for your personal use and you may draw the attention of others within your organisation to content posted on our platforms.

You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.
Our status (and that of any identified contributors) as the authors of content on our
platforms must always be acknowledged (except where the content is user-generated).
You must not use any part of the content on our platforms for commercial purposes
without obtaining a licence to do so from us or our licensors.
If you print off, copy, download, share or repost any part of our platforms in breach of
these terms of use, your right to use our platforms will cease immediately and you must, at
our option, return or destroy any copies of the materials you have made.
No text or data mining, or web scraping
You shall not conduct, facilitate, authorise or permit any text or data mining or web
scraping in relation to our platforms or any services provided via, or in relation to, our
platforms. This includes using (or permitting, authorising or attempting the use of):
Any “robot”, “bot”, “spider”, “scraper” or other automated device, program, tool, algorithm,
code, process or methodology to access, obtain, copy, monitor or republish any portion of
the platforms or any data, content, information or services accessed via the same.
Any automated analytical technique aimed at analysing text and data in digital form to
generate information which includes but is not limited to patterns, trends and correlations.
The provisions in this clause should be treated as an express reservation of our rights in this
regard, including for the purposes of Article 4(3) of Digital Copyright Directive ((EU)
2019/790).
This clause shall not apply insofar as (but only to the extent that) we are unable to exclude
or limit text or data mining or web scraping activity by contract under the laws which are
applicable to us.

5. We may make changes to our platforms.

Principle 1 – lawfulness of processing, fairness and transparency

ICAS will ensure that all processing is carried out in accordance with applicable laws.

ICAS will inform and explain to individuals, at the time when their personal data is collected, how their personal data will be processed.

Principle 2 – purpose limitation

ICAS will only obtain and process personal data for those purposes which are known to the individual or which are within their expectations and are relevant to ICAS.

ICAS will only process your data for the express purposes for which it was given, for example out of contractual obligation, because you’ve given your express consent, or where there is a legal basis for doing so. Where we consider ‘Legitimate Interest’ a legal basis, we will balance this against the potential risks to the rights and freedoms of the individual – for example, limiting what we keep, who we send your data to, how long we keep it for, what we do with it and the technical measures we use to protect your information.

How do we collect your personal information?

We collect personal information directly from you:

using our EAP services generally and which may be telephonically, via e-mail through the web, mobile or web applications, any other internet based application or in person;
when you contract with ICAS to provide services on our behalf or where we agree to provide services on your behalf.
via cookies. You can find out more about this in our Cookie Policy;
through feedback forms;
via our telephone calls with you, which may be recorded;
when you provide your details to us either online or offline;
when you respond to any job advertisement or are employed by ICAS
We also collect your personal information from many different sources including third parties such as:
- your employer
- medical professionals

Principle 3 – data minimisation

ICAS will ensure that data collected and processed is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

What personal information do we collect?

As the data controller, joint data controller and/or data processor ICAS may collect and process the following information about you

Personal information
- contact, gender, details such as name, email address, postal address and telephone number
- factors specific to physical, physiological, economic, cultural or social identity
- call recordings
- information obtained through our use of cookies. You can find out more about this in our Cookie Policy.

Sensitive personal information
- details of your current or former physical or mental health
- details regarding criminal offences, including alleged offences, criminal proceedings, court judgments, outcomes and sentences
- details concerning sexual life or sexual orientation, for example marital status

Principle 4 –accuracy

ICAS International will keep personal data accurate and, where necessary, kept up to date.

Every reasonable step taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).

Principle 6 – integrity and confidentiality (security)

ICAS has a dedicated security team who maintain stringent controls over the personal data we collect, maintaining it in firewalled and secured systems and databases with strictly limited and controlled access rights, to ensure it is secure. If you would like to know more about how we secure your data you can contact us by emailing dataprotectionofficer@4.234.178.66.

Where processing is necessary for us to provide you with the services you require, such as assessing your needs, setting you up as a user, communicating with you, and assisting you with technical support, for example on our ICAS Hub App, your data will be processed and stored within the European Union. Please be aware that if you reside outside of the EEA, your data may also be processed at one of our regional servers, depending on the technical and operational requirements of the service provided. All processing will be in line with the relevant data protection regulations. You can find further information in the Jurisdictional Clauses at the bottom of this policy.

ICAS will implement appropriate technical and organisational measures to ensure a level of security of personal data that is appropriate to the risk for the rights and freedoms of the individuals

ICAS will ensure that providers of services to ICAS also adopt appropriate and equivalent security measures.

ICAS will comply with data security breach notification requirements as required under applicable law.

ICAS will ensure that information is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

How do we use your personal information?

We use your personal information to provide you with the services you require based on your situation. So, if you have a problem, we make sure the right network of providers and specialists are in place. However, there are many other reasons why we use your personal information.

Under UK and EU data protection laws we need a reason to use and process your personal information and this is called a legal basis. Generally speaking, most countries we operate in require a legal basis for us to process user data, where this is the case, you can view our Jurisdictionally specific sections at the bottom of this policy however as the GDPR sets such a high bar, we refer to this as a reliable benchmark.

We have set out below the main reasons why we process your personal information and the applicable circumstances when we will do so. When the personal information we process about you is classed as sensitive personal information (such as details about your health, sexual orientation, or criminal offences) we must have an additional legal ground for such processing. Legal grounds are as follows.

Processing is necessary for us to provide you with the services you require, such as assessing your needs and setting you up as a user of the services and communicating with you.

We have a legal or regulatory obligation to use such personal information, for example, when the relevant data protection regulator requires us to maintain certain records of any dealings with you.

We need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims or where we want to pursue any legal claims ourselves.

We need to use your personal information for reasons of substantial public interest, such as investigating fraudulent or criminal activities.

In certain instances, you may elect to use our EAP services anonymously. However, where necessary we will ask for your consent in relation to processing your sensitive personal information (such as health data) such as where you are in a safety-critical role. This will be made clear when you provide your personal information. We will ask for your consent and explain why it is necessary. Without your consent in these circumstances, we may not be able to provide you with some of our services. Where you provide sensitive personal information about a third party we will ask you to confirm that the third party has provided his or her consent.

We have appropriate legitimate business need to use your personal information (such as call recordings) to maintain our business records, developing and improving our products and services to train our staff and complaints handling all while ensuring that such business need does not interfere with your rights and freedoms and does not cause you any harm.

We need to use your sensitive personal information such as health data because it is necessary for your vital interests, this being a life-or-death matter.

Principle 7 – rights of individuals

ICAS will adhere to the data subject rights procedure under GDPR, where we operate in a country outside of the EU, UK or the broader EEA, your rights will be based on our obligations in that country, as such, we will respond to any requests from individuals to access their personal data in accordance with applicable law.

ICAS will also deal with requests to rectify or erase inaccurate or incomplete personal data, or to cease processing personal data in accordance with the data subject rights procedure. Please see below the contact details for each of our regional offices where you can exercise these rights.

The right to access your personal information

You are entitled to a copy of the personal information we hold about you and certain details of how we use it. In Europe, there will not usually be a charge for dealing with these requests. Your personal information will usually be provided to you in writing, unless otherwise requested, or where you have made the request by electronic means, in which case the information will be provided to you by electronic means where possible. For requests to access medical records, we will provide a summary of clinical interactions.

The right to rectification

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete. However, if you do not believe this is the case, please contact us and you can ask us to update or amend it.

The right to erasure

In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or where you withdraw your consent. However, this will need to be balanced against other factors, for example according to the type of personal information we hold about you and why we have collected it, there may be some legal and regulatory obligations which mean we cannot comply with your request. Please note that if you withdraw your consent, we may not be able to provide you with the services you have requested.

Right to restriction of processing

In certain circumstances, you are entitled to ask us to stop using your personal information, for example where you think that the personal information, we hold about you may be inaccurate or where you think that we no longer need to process your personal information.

Right to data portability

In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. Once transferred, the other party will be responsible for looking after your personal information.

Right to object to direct marketing

You can ask us to stop sending you marketing messages at any time.

Right not to be subject to automated-decision making

Some of our decisions are made automatically by inputting your personal information into a system or computer and the decision is calculated using certain automatic processes rather than our employees making those decisions.

The right to withdraw consent

For certain uses of your personal information, we will ask for your consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note in some cases we may not be able to deliver the services you require if you withdraw your consent.

The right to make a complaint

You have a right to complain to the relevant regulator at any time if you object to the way in which we use your personal information. More information can be found below on the appropriate regulator for the regions covered.

Principle 8 – ensuring adequate protection for trans-border transfers

ICAS is a global business. To offer our services, we may need to transfer your personal data to companies within the ICAS Group of companies and with third parties in other countries.

ICAS will not transfer personal data that is subject to GDPR to third parties outside the UK or the European Economic Area (“EEA”) without ensuring adequate protection.

With the exception of those countries with Adequacy under GDPR, where data is transferred outside the United Kingdom, EEA or Switzerland, for example to the US where ICAS’s parent company, Lyra Health is registered the EU Standard Contractual Clauses, and the associated UK Addendum will apply to personal data that is transferred. This will also apply where either directly or via onward transfer and to any country or recipient outside the UK, EEA or Switzerland that is not recognised by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland).

We use “cookies” and other web technologies to collect information and to support certain features of our websites, this will include the transfer of identifiable cookie data to countries outside the UK and EEA that have different privacy laws and requirements, and some provide less legal protection for your personal information than others. For more information see our Cookie Policy.

Who do we share your personal information with?

We might share your personal information with two types of organisations – companies within the ICAS group of companies, i.e. parent companies, subsidiary and affiliated (sister companies) (“Group”), and other third parties outside the Group. We won’t share any of your personal information other than for the purposes described in this Privacy Policy and if we share anything outside the Group, it will be kept strictly confidential and will only be used for reasons that we have agreed in advance.

Principle 9 – safeguarding the use of sensitive personal data

Owing to the services that we offer, ICAS sometimes needs to process sensitive personal information (known as special category data) about you, in order to fulfill our contractual requirements – referred to as a ‘Legal Basis’. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so based on your jurisdiction.

Where we rely on your consent for processing special category data, we will obtain your informed and explicit consent. You can modify or withdraw consent at any time, which we will act on immediately, unless there is a legitimate or legal reason for not doing so.

Additional security measures and safeguards will be implemented to ensure that this sensitive personal data remains confidential and that it is deleted as soon as is reasonably possible.

Principle 10 – accountability

ICAS takes responsibility for compliance with the other data protection principles.

ICAS implements appropriate technical and organisational measures, including record keeping, in order to be able to demonstrate compliance.

Legally Binding Effect of This Policy

ICAS and its employees (including new hires, individual contractors, and temporary staff) that process personal data worldwide must comply with, and respect, this Policy when processing personal data as a controller and / or processor, irrespective of the country in which they are located. ICAS reserves the right to change, modify or update this Policy, including changes to the Jurisdictional specific sections below at any time. Please review it frequently for any updates.

Legally Binding Effect of This Policy

ICAS reserves the right to change, modify or update this Policy, including changes to the Jurisdictional specific sections below at any time. Please review it frequently for any updates.

Contact Details and Your Rights to Complain

If you have any questions regarding the provisions of this Policy, your rights under this Policy or any other data protection issues, you can contact the ICAS Data Privacy Office at the address below who will either deal with the matter or forward it to the appropriate person or department within ICAS.

Our Data Protection Officer is available to facilitate requests for access or correction to users own personal information and to describe how you can file a complaint with the applicable regulator regarding our handling of your personal information where required by law:

To log a Data Subject Access Request, e-mail datasubjectrequest@4.234.178.66.

If you wish to comment, or make a complaint about the way we process your data or to find out more about your rights, you can contact our Data Protection Officer using the details below:

Attention: Ayjan Cunningham – Data Privacy Officer

Email: DPO@4.234.178.66

Address: ICAS International Holdings Ltd, 85 Gresham Street, London, EC2V 7NQ

Please note that in some cases we may not be able to comply with a request relating to your rights under this policy for reasons such as our own obligations to comply with other legal or regulatory requirements. However, we will always respond to any request you make within one month or whatever the requirement is under your regional legislation and if we can’t comply with your request, we will tell you why. In some circumstances exercising some of these rights (including the right to erasure, the right to restriction of processing and the right to withdraw consent) will mean we are unable to continue providing you the services you have selected and may therefore result in the cancellation thereof.

Regional enquiries

ICAS operate in over 150 territories worldwide, some regions of which are independent ‘non-ICAS’ subsidiaries who will process, maintain, and store service user data locally, and as such, will be solely responsible, and wholly accountable, under their own state or countries laws for how they manage this data. Where this is not the case, and where data is potentially processed outside of its borders by ICAS or its Parent company, we provide a non-exhaustive list of regional offices below who you can contact for data related queries. If you do not see your country listed below, please contact DPO@4.234.178.66.

Group Entity

Jurisdictions covered

ICAS contact for data related enquires, including Access Requests

The regulatory authority

ICAS Belgium

Belgium

dpo@4.234.178.66

Data Protection Authority

ICAS Canada

Canada

dpo@4.234.178.66

Office of the Privacy Commissioner of Canada (‘PIPEDA’)‎
Office of the Information and Privacy Commissioner of Alberta (‘PIPA Alberta’)‎
Office of the Information and Privacy Commissioner for British Columbia (‘PIPA ‎BC’), and
Commission d’accès à l’information du Québec (the “CAI”) (‘Quebec Privacy Act’)‎

ICAS Hungary

Hungary

info@icashungary.com

Hungarian National Authority for Data Protection and Freedom of Information

Turning Point

Malaysia

consult@turningpoint.org.my

Department of Protection of Personal Data

ICAS MENA (Dubai office)

Algeria
Bahrain
Egypt
Iraq
Jordan
Kuwait
Lebanon
Libya
Mauritania
Morocco
Oman
Pakistan
Palestine
Qatar
Saudi Arabia
Senegal
Tunisia
UAE
Yemen

dpo@4.234.178.66

The Commissioner of Data Protection
Dubai International Financial Centre Authority

ICAS Netherlands

Netherlands

info@icas.nl

Dutch Data Protection Authority

SACAC Counselling

Singapore

admin@sacac.sg

Personal Data Protection Commission

ICAS Spain

Spain

dpo@4.234.178.66

Agencia Española de Protección de Datos (“AEPD”)

ICAS South Africa

South Africa

paia@icas.co.za

Information Regulator

ICAS Switzerland

Switzerland

dataprotection.officer@icas.ch

Federal Data Protection and Information Commissioner (“FDPIC”)

ICAS Switzerland

France

dataprotection.officer@icas-eap.com

Commission Nationale de l’Informatique et des Libertés (“CNIL”)

ICAS Switzerland

Germany

dataprotection.officer@icas-eap.com

Bundesbeauftragter für Datenschutz und Informationsfreiheit (“BfDI”)

ICAS Switzerland

Italy

dataprotection.officer@icas-eap.com

Garante per la protezione dei dati personali (“Garante”)

ICAS Switzerland

Luxembourg

dataprotection.officer@icas-eap.com

Commission Nationale pour la Protection des Données (“CNPD”)

ICAS Switzerland

Austria

dataprotection.officer@icas-eap.com

Österreichische Datenschutzbehörde

ICAS UK

United Kingdom
Ireland

dpo@4.234.178.66

Information Commissioners Office (“ICO”)

ADDENDUM

Jurisdictional Terms

Additional terms may apply to you based upon the country you reside in or the services you use. Please click the region or state that applies to you to learn more about additional terms and rights that may apply to you.

We’ve updated our Global Privacy Statement to address requirements in the UK and countries outlined in the addendums which can be found at the bottom of this policy under the ‘Jurisdiction Specific Terms’ tab.

We’ve updated country and state requirements related to data collection, usage practices and disclosures.

Canada

Applicable Law and Jurisdiction

This Canadian Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by us from data subjects located in Canada pursuant to the Personal Information Protection and Electronic Documents Act (‘PIPEDA’). If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Canada.

Definitions:

“Data Protection Law” (as defined in this Privacy Policy) includes the Canadian Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

“Applicable Data Protection Law” (as defined in this Privacy Policy) includes the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).

“Processor” (as defined in this DPA) includes a “Third Party Organisation” as defined under the PIPEDA.

“Personal Data” (as defined in this DPA) includes “Personal Information” as defined under the PIPEDA.

“Personal Data Breach” (as defined in this DPA) includes a “Breach of Security Safeguards” as defined under the PIPEDA.

Principle 2 – Purpose Limitation

Subject to Section 6 of the Quebec Privacy Act, information held and processed by Lyra Canada will be done so on the basis of Consent from the data subject except:
- if there is a serious and legitimate reason to not obtain consent and either of the following conditions are fulfilled:
  - the information is collected in the interest of the person concerned and cannot be collected from that person in due time;
  - collection from a third person is necessary to ensure the accuracy of the information, or
- if the collection is otherwise authorised by law.

Principle 8 – Ensuring adequate protection for trans-border transfers

With limited exceptions, the Ontario Personal Health Protection Act requires Lyra Canada to obtain consent before personal health information is transferred outside of Ontario. More broadly, where this is the case, and this involves transferring personal information of Canadians outside the province in which it was collected, it may be accessed by the courts, law enforcement and national security authorities of that jurisdiction.
We take measures to ensure that recipients of your personal information in other jurisdictions (i) provide an adequate level of protection; (ii) will not use your personal information for purposes other than those described in this Privacy Policy.

Principle 9 – Safeguarding the use of sensitive personal data

In respect of personal information obtained from Quebec residents, where personal information is transferred to third party service providers, Lyra Canada will use safeguards to ensure that such third party service providers will take necessary security measures with respect to the protection of personal information that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.

Lyra Canada’s sub-processors (subsidiaries), as set forth in Principle 8 of this policy, are third parties under Applicable Data Protection Law, with whom Lyra Canada has entered into a written contract that includes terms substantially similar to this policy. Lyra Canada has conducted appropriate due diligence on its sub-processors.

Lyra Canada will ensure that the appropriate technical and organizational measures as set forth in Principle 6, clause 2 (Security) of this policy are adhered to.

Consent to the Collection, Use, and Disclosure of Personal Information

By using the services, you are representing to Lyra Canada that you have reached the age of majority in the Canadian province in which you reside, such that you can lawfully enter into agreements with Lyra Canada and provide your informed and express consent with respect to Lyra Canada’s collection, use, and disclosure of your personal information and personal health information. If you have not reached the age of majority in the Canadian province in your province of residence, you may not use or access our services or otherwise share your personal information or personal health information with us, unless your parent or another person lawfully entitled to give or refuse consent in the place of your parent has provided us with express consent on your behalf.

The parties have expressly requested and required that this Privacy Policy and all other related documents be drawn up in the English language. Les parties conviennent et exigent expressément que cette politique ainsi que tous les documents qui s’y rapportent soient rédigés en anglais.

Complaints and Exercising Your Rights

Malaysia (Turning Point)

This Malaysian Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by us from data subjects located in Malaysia pursuant to the Personal Data Protection Act 2010 (PDPA). If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Malaysia.

If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Malaysia.

Definitions:

“PDPA” refers to the Personal Data Protection Act 2010 of Malaysia and any subsequent amendments.

“Data Subject” refers to an individual who is the subject of personal data as defined under the PDPA.

Data Controller and Data Processor

Turning Point, Malaysia will be deemed the Data Controller for personal data collected from individuals residing in Malaysia.

Turning Point may engage third-party service providers as Data Processors to process personal data on its behalf. Such engagement will comply with the PDPA and be governed by a written agreement.

Principle 1 – lawfulness of processing, fairness and transparency

Where Turning Point collect personal data, Turning Point will collect, use, disclose, and process personal data of individuals in Malaysia only in accordance with the PDPA.

Turning Point will obtain explicit consent from Data Subjects before collecting or processing their personal data, unless exempted under the PDPA.

Turning Point will inform Data Subjects of the purpose of data collection and obtain separate consent if personal data will be used for any purpose beyond the original consent obtained.

Principle 6 – integrity and confidentiality (security)

Turning Point will implement reasonable technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction, as required by the PDPA.

In the event of a personal data breach, Turning Point will notify affected Service Users and the relevant regulatory authority in accordance with the PDPA.

Principle 7 – rights of individuals

Service Users have the right to access, correct, update, or delete their personal data as set out under the PDPA. Turning Point will respond to such requests within the timelines prescribed by the PDPA.

Service Users have the right to withdraw their consent for the processing of their personal data. Turning Point will respect such requests, except where retention is necessary by law or for legitimate business purposes.

Principle 8 – ensuring adequate protection for trans-border transfers

Turning Point may transfer personal data of individuals in Malaysia to other countries, subject to compliance with the PDPA’s requirements for cross-border data transfers.

Turning Point will ensure appropriate safeguards, such as obtaining consent or implementing contractual arrangements, to protect personal data during cross-border transfers.

Complaints and Inquiries

MENA (Dubai Office)

Applicable Law and Jurisdiction

This Dubai Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by us from data subjects located in Dubai, United Arab Emirates (UAE) pursuant to the Protection of Personal Data Protection (“PDPL”). If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Dubai.

Definition of Terms

For the purpose of this Addendum, the terms “personal data,” “data subject,” “controller,” “processor,” and “processing” shall have the same meaning as provided under the General Data Protection Regulation (GDPR).

Local Legal Framework

Although the European Union’s General Data Protection Regulation (GDPR) provides a unified approach to data protection for individuals within the EU, Dubai has its specific legal framework concerning data protection. While this Addendum considers local regulations, it primarily serves to bridge any gaps or clarify any overlaps between the GDPR and local laws in Dubai.

Data Protection Authority

The relevant authority overseeing and enforcing data privacy and protection in Dubai is the Dubai Data Protection Department. Any concerns or questions related to the processing of personal data in Dubai should be directed to this authority.

Principle 7 – rights of individuals

Access: You have the right to request access to the personal data we hold about you, consistent with local laws and regulations.

Correction: If the personal data we hold about you is inaccurate or incomplete, you can request that we correct it.

Deletion: In specific circumstances, you can request the deletion of your personal data, unless there are compelling reasons for its retention.

Objection: You have the right to object to the processing of your personal data in some circumstances.

Principle 8 – ensuring adequate protection for trans-board transfers

Given Dubai’s role as a global business hub, personal data may be transferred internationally. Any data transferred out of Dubai will be in line with local regulations and will only occur with jurisdictions that provide an adequate level of data protection as judged by Dubai’s standards.

Data Breach Notification

In case of a data breach that poses a risk to the rights and freedoms of individuals, we are obliged to notify the Dubai Data Protection Department and the affected individuals without undue delay.

Complaints and Exercising Your Rights

Singapore

Applicable Law and Jurisdiction

This Singapore Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by the us from data subjects located in Singapore. If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Singapore.

Definition of Terms

Principle 1 – lawfulness of processing, fairness and transparency

SACAC shall ensure that any processing of personal data within Singapore complies with the legal bases for processing as set forth in the GDPR.

SACAC shall obtain explicit and informed consent from individuals located within Singapore when processing their personal data unless another lawful basis for processing under the GDPR is applicable.

Principle 5 – limited retention of personal data

SACAC shall retain personal data of individuals located within Singapore only for as long as necessary to fulfil the purposes for which it was collected unless a longer retention period is required or permitted by law.

Principle 7 – rights of individuals

Individuals located within Singapore shall have the same rights as outlined in the Privacy Policy and as granted under the GDPR, including but not limited to the right to access, rectification, erasure, restriction of processing, and data portability.

SACAC shall respond to any requests made by individuals located within Singapore exercising their data subject rights within the timeframes specified by the GDPR.

Principle 8 – ensuring adequate protection for trans-board transfers

SACAC may transfer personal data of individuals located within Singapore to recipients located outside Singapore, subject to compliance with the requirements under the GDPR for international data transfers. SACAC shall ensure that appropriate safeguards, such as Standard Contractual Clauses, are in place when transferring personal data to recipients outside Singapore, unless an exception under the GDPR for such transfers applies.

Cross-Border Data Transfer Assessments

If SACAC engages in regular and systematic monitoring of individuals located within Singapore or carries out large-scale processing of special categories of personal data, it shall conduct a data protection impact assessment (DPIA) in accordance with the requirements of the GDPR.

Data Breach Notification

In the event of a personal data breach affecting individuals located within Singapore, SACAC shall promptly notify the relevant Singaporean authorities and affected individuals, as required by the GDPR.

Complaints and Inquiries

South Africa

Applicable Law and Jurisdiction

This South African Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by us from data subjects located in South Africa pursuant to the Protection of Personal Information Act 4 of 2012 (“POPIA”). If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in South Africa.

Definitions:

“Controller” (as defined in this DPA) includes a “Responsible Party” as defined in the POPIA.

“Data Protection Law” (as defined in this DPA) includes the South African Protection of Personal Information Act 4 of 2012 (“POPIA”).

“Personal Data” (as defined in this DPA) includes “Personal Information” as defined in the POPIA.

“Processor” (as defined in this DPA) includes an “Operator” as defined in the POPIA.

“Restricted Transfer of SA Personal Data” means any transfer of Customer Personal Data subject to the POPIA which is undergoing Processing or is intended for Processing after transfer to a SA Third Country or an international organisation in a SA Third Country, including data storage on foreign servers.

“SA Third Country” means a country outside of the Republic of South Africa.

Principle 1 – lawfulness of processing, fairness and transparency

The personal information collected by Lyra Southern Africa is consistent with the collection limitations set out by POPIA, which allows for the collection of personal information for a specifically defined, lawful purpose related to a function or activity of the Responsible Party. We ensure that data subjects are made aware that their personal information is being collected and the purpose for which it is being collected.

Personal information will only be processed with the explicit consent of the Data Subject unless processing is necessary for compliance with applicable laws. Lyra Southern Africa will ensure that adequate security measures are in place to protect the integrity and confidentiality of the personal information.

Principle 6 - integrity and confidentiality (security)

Lyra Southern Africa will implement reasonable technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration, or destruction, as required by POPIA.

In the event of a personal data breach, Lyra Southern Africa will notify affected Service Users and the relevant regulatory authority in accordance with POPIA.

Principle 7 – rights of individuals

Under POPIA, data subjects have the right to:

Be notified that their personal information is being collected.

Access and correct their personal information.

Object to the processing of their personal information in certain circumstances.

Lodge a complaint with the Information Regulator.

Principle 8 – ensuring adequate protection for trans-board transfers

With regards to any Restricted Transfer of Personal Data from South African service users to Lyra International within the scope of this Data Processing Addendum and the Principal policy, the following mechanisms, in the order of precedence, will apply:

Data Protection Law to which Lyra International is subject, that effectively upholds the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data (for the purposes of this Section 4.2.1 of this policy, the Parties agree that transfers to Lyra entities within the EEA, which are subject to the GDPR and Lyra entities within the UK, which are subject to UK Data Protection Law, comply with this mechanism);

The terms of this DPA, as a binding agreement between the Parties to effectively uphold the principles for reasonable processing of Personal Data that are substantially similar to the conditions for the lawful processing of Personal Data relating to a Data Subject, and which includes provisions substantially similar to Section 72 of the POPIA, relating to any further onward transfer of Personal Data; or

Any other lawful data transfer mechanism, as provided for in the POPIA.

Complaints and Inquiries

Switzerland

Applicable Law and Jurisdiction

This Swiss Jurisdictional Addendum (“Addendum”) is incorporated into and forms an integral part of the Privacy Policy of Lyra International and is applicable to all personal data collected or processed by us from data subjects located in Switzerland pursuant to the Federal Act on Data Protection of 25 September 2020 (FADP). If there is any conflict between this Addendum and the rest of the Privacy Policy, the provisions of this Addendum will prevail for the protection of personal information of data subjects residing in Switzerland.

Definition of Terms

Principle 1 – lawfulness of processing, fairness and transparency

The Company shall process personal data of data subjects located in Switzerland only on a lawful basis as provided under the FADP. The legal basis for processing may include the data subject’s consent, the necessity of processing for the performance of a contract with the data subject, compliance with a legal obligation, protection of vital interests, the performance of a task carried out in the public interest or in the exercise of official authority, or the legitimate interests pursued by the Company or a third party.

Principle 7 – rights of individuals

Data subjects located in Switzerland have the following rights regarding their personal data:

Right to Information: Data subjects have the right to obtain information about the processing of their personal data, including the purposes, categories of personal data processed, recipients or categories of recipients to whom the personal data is disclosed, and the retention period for the personal data.

Right of Access: Data subjects have the right to access their personal data held by the Company and receive a copy thereof.

Right to Rectification: Data subjects have the right to request the rectification of inaccurate personal data concerning them and the completion of incomplete personal data.

Right to Erasure: Data subjects have the right to request the erasure of their personal data under certain circumstances, such as when the personal data is no longer necessary for the purposes for which it was collected or processed.

Right to Restriction of Processing: Data subjects have the right to request the restriction of the processing of their personal data under certain circumstances, such as when the accuracy of the personal data is contested, or the processing is unlawful.

Right to Data Portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit such data to another controller without obstruction.

Right to Object: Data subjects have the right to object to the processing of their personal data, including for direct marketing purposes or when the processing is based on the legitimate interests pursued by the Company.

Automated decision making: We are committed to protecting your data privacy and ensuring compliance with data protection regulations, including the Federal Act on Data Protection (FADP). In accordance with our data processing practices, we want to inform you that we do not engage in any automated decision-making processes in relation to your personal data.

Automated decision-making refers to processes that use algorithms, artificial intelligence, or machine learning to make decisions about individuals without human intervention. These decisions can have significant effects on your rights and interests. However, we want to assure you that any decisions made regarding your data, if necessary, are subject to human review and consideration to ensure fairness, transparency, and compliance with FADP.

Principle 8 – ensuring adequate protection for trans-board transfers

Lyra Schweiz only transfers anonymised data from Switzerland to locations inside the European Economic Area (EEA), as such, under Swiss law, this falls outside of the scope of what is considered personal data.

Swiss law allows the transfer of personal data to countries with adequate data protection, therefore, where the data of a service user is not processed in Switzerland, for example when using the online chat feature outside of working hours, Lyra Schweiz will only transfer personal data from Switzerland to a country inside the European Economic Area (EEA). This compliance ensures that personal data is protected according to Switzerland’s robust data protection standards.

Complaints and Inquiries

“ICAS” includes but is not limited to ICAS International Holdings including ICAS Gulf (branch), ICAS Spain, ICAS Southern Africa, ICAS Hungary, ICAS Netherlands, ICAS Belgium, ICAS Schweiz (Group), Turning Point (MY), SACAC (SING) and designated third parties (“Group Members”).
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Personal data” / “Personal information” means any information relating to an identified or identifiable natural person (“Data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Sensitive personal data” means “special categories of personal data” as set out in GDPR as well as Article 6 in the UK GDPR, which must be treated with extra security. These categories include health information and also genetic data and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
For the purpose of this Policy, reference to Europe means the EEA which incorporates Norway, Iceland, Lichtenstein as well as Switzerland.