Terms and Conditions
By using the CookieBox application, the Provider and the Beneficiary of the application - hereinafter referred to individually as the Party and collectively as the Parties – have agreed on the following terms and conditions (the Contract)
Visitors – shall refer to the internet users that access a website, identified by a cookie file in a database, used within the CookieBox Platform, in observance of the legislation in force;
Website – shall refer to a website owned by Beneficiary and regsitred on CookieBox Platform;
Logs – shall refer to the cookie preferences chosen by Visitor on Beneficiary website, through the CookieBox Popup;
CookieBox Trial period – shall refer to the manner of collaboration that is based on a free-of-charge subscription to the CookieBox Platform throughout the collaboration, for a maximum 7 days. After these 7 days, the Beneficiary will have to choose one of the monthly subscription offers or the service will be terminated;
CookieBox Monthly subscriptions – shall refer to the manner of collaboration that is based on the issue of a monthly invoice sent to the Beneficiary based on allocated resources by the Provider to the Beneficiary described here: https://www.cookiebox.ro/#price;
MAU – Monthly active users (MAU) are only the visitors that expressed their cookie usage preferences. A user that doesn’t have a preference about the cookie usage, will not be counted;
CookieBox Personalized – For nonprofit organizations and students who wish to use CookieBox for their personal website, CookieBox offer pro bono packages;
CookieBox is only the service provider and it is your own responsibility to ensure correct settings and implementation of CookieBox is used on your website in case you use it to comply with a certain law, regulation or directive, including but not limited to EU’s General Data Protection Regulation (GDPR) and EU’s ePrivacy Directive.
CookieBox offers a set of options for the pop-up, which is constantly updating to ensure Services cover as much customer needs as possible.
CookieBox organizes server resources in a way to provide a high level of service with at least 99.9% uptime on the operation of the cloud service, both website and scripts hosting.
First month of the subscription – shall refer to the calendar month during which the Contract is concluded;
"Personal data from the Beneficiary" shall mean any Personal Data processed by CookieBox on behalf of the Beneficiary, based on or with regard to the Contract; particular, their right to privacy with regard to the processing of Personal Data, applicable in Romania;
"Services" shall mean the services to be provided by CookieBox to the Beneficiary, in line with the Contract.
2. SUBJECT MATTER OF THE CONTRACT
2.2. The Cookie Consent services provided to the Beneficiary are the following:
administration by the Providers of the hardware and software infrastructure referred to in paragraph a);
monitoring the account usage and instant or periodic reporting of errors caused following the integration with external IT systems, as well as reactive reporting of any blacklisting;
consultancy services with regard to the Cookie Consent activity;
developing customized pop-up or banner templates, according to the requirements of the Beneficiary;
graphic design services for pop-up and banner;
management services for Cookie Consent, for the benefit of the Beneficiary;
Other cookie consent related-activities.
3. GENERAL PROVISIONS
3.1. The CookieBox platform may be used on a monthly subscription basis.
3.2. The monthly subscription fee paid by the Beneficiary to the Supplier for the use of the CookieBox Platform shall be as follows:
|7 day trial period||Free *|
* It is forbidden to use several free clone accounts (several accounts of the same user, website, commercial company or campaign). CookieBox reserves the right to deactivate any identified clone accounts.
4. RATES AND PAYMENT
4.1. The Beneficiary shall pay to the Provider a monthly subscription fee for a CookieBox contract, based on the package choosen (Tiny, Business, Enterprise and Personalized).
4.2. The Beneficiary is under the obligation of making full payment of the subscription fee, irrespective of whether or not it made use of the CookieBox Services during the respective month.
4.3. The invoice shall be issued covering the subscription fee in full, in advance, for the following month.
4.4. The Provider shall issue a tax invoices in RON, using the RON/ EUR exchange rate published by the National Bank of Romania on the date of the invoice, and shall send it to the Beneficiary if the Beneficiary has the fiscal residence in Romania. If the fiscal residence has ben declared outside Romania, we will isuue an invoice withouth VAT and the amount will be expressed in EUR.
4.5. The Beneficiary may use the CookieBox account only after the Provider has collected the payment under the CookieBox Business subscription in full.
4.6. Subsequently to making the payment for the first month of the subscription, the Beneficiary shall pay for the CookieBox subscription within 5 (five) days of the issue of the invoice by the Provider. The Provider reserves the right to suspend its services without prior notice in case the Beneficiary does not make payment within 5 (five) days of the issue of the invoice.
4.7. Given the nature of the services provided, since the Beneficiary is able to use the CookieBox Platform immediately after making the payment, the Beneficiary acknowledges and expressly agrees that the right of withdrawal within 14 days following the provision of the Service, provided for in Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights - transposed in the national legislation through Emergency Ordinance No. 34/2014 on consumer rights in contracts concluded with professionals, amending and supplementing certain normative acts - shall not apply in the case of the CookieBox Service, in line with the exceptions referred to under Article 16 (including Article 16, letters a and m) of the Directive and of Emergency Ordinance No. 34/2014.
5. RIGHTS AND DUTIES OF THE BENEFICIARY
5.1. Aside from all other rights set forth herein, the Beneficiary shall have the following rights:
5.2. Aside from all obligations set forth herein, the Beneficiary shall have the following obligations:
not to use the CookieBox Platform to display any unrequested messages (Spam), irrespective if the purpose of the message is commercial or non-commercial.
not to contribute to disseminating electronic messages containing or promoting any materials hazardous to the IT equipment of the visitor or containing obscene or indecent language, illegal, intimidating, abusive, indecent, racist, or chauvinistic messages, or which might be discriminatory towards any individual in any manner, or which would infringe in any way or to any extent any standard or regulation in force;
to observe all duties stipulated hereunder and in the applicable legislation in force pertaining to the activity carried out, including, but without limitation to the legislation in force in the field of electronic communication and the legislation on personal data protection;
to pay to the Supplier, in observance of the deadline set hereunder, the amount of the CookieBox subscription fee, as well as any other service fees ordered by it;
not to provide access to the CookieBox Platform to un-authorized persons or entities, bearing responsibility for the consequences of such un-authorized access to the CookieBox Platform. In case there is a breach of security or the Beneficiary notices any un-authorized access to their account, the Beneficiary is under the obligation of notifying the Provider immediately, providing all relevant details about the incident;
to hold all intellectual property rights on all materials (texts, images, files) sent through the messages and to be accountable for the content thereof.
6. RIGHTS AND DUTIES OF THE PROVIDER
6.1. Aside from the other rights set forth herein, the Provider shall have the following rights:
to check, at any time, the observance by the Beneficiary of the Contract, and of the legal provisions in force, and to suspend, at any time, the provision of the e-mail marketing services, if the Beneficiary fails to meet this obligation;
to use the logo and brand of the Beneficiary for marketing purposes;
to amend, at any time, the Contract, the commercial policy and the rates, as it considers fit. Any amendment of the rates shall operate immediately upon notification of the Beneficiary.
to suspend the provision of cookie consent services to the Beneficiary whenever there is suspicion or proof that the Beneficiary is infringing the provisions hereof.
6.2. Aside from the other right set forth herein, the Provider shall have the following duties:
to ensure proper operation of the CookieBox Platform and to repair, as fast as possible, any error or technical problem;
to inform the Beneficiary prior to any maintenance works on the CookieBox Platform;
7.1. The liability for the content of the messages shown thourgh pop-up or banner rests solely with the Beneficiary;
7.2. In case of any delay in the payment of the invoices due, the Beneficiary is in default by operation of law, and must pay default penalties of 0.5% per day of the total amount of the invoice issued. Aside from the right to apply default penalties for non-observance of the payment deadlines set forth herein, the Provider is entitled to suspend the provision of the Service until all due payment are made by the Beneficiary, including any compensations and/ or any penalties.
7.3. For any payment obligation, the Beneficiary shall be deemed in default by operation of law, without any prior notification from the Provider, as of the date on which the payment obligation becomes due.
7.4. The Provider is entitled to direct any amount received from the Beneficiary towards cover any of the outstanding amounts owed by the Beneficiary, without taking into account the destination indicated by the Beneficiary for the payment.
7.5. In case of failure by the Beneficiary to observe any obligation set hereunder, the Provider is entitled to suspend the provision of the Service or to interrupt the Service, without any formalities or without the intervention of any court of law, until the repair/ fulfilment of the obligation by the Beneficiary.
7.6. The Provider shall not be held liable by the Beneficiary for any damages - direct, indirect, current or potential - or for any loss of profit, including (for example, but not limited to): financial loss, loss of revenue or profit, loss of clients or any other type of loss or damage of any nature and for any reason, if it is a result of the suspension and/ or termination of the Service.
8. CONFIDENTIALITY OF THE INFORMATION
8.1. The Parties acknowledge that, in consideration of the provision of the CookieBox Service, the following information shall become confidential, subject to the confidentiality agreement undertaken herein:
access data of the Beneficiary to the CookieBox Platform;
all information related to the Visitors of the Beneficiary.
9. INTELLECTUAL/ INDUSTRIAL PROPERTY RIGHTS
9.1. The Beneficiary declares and acknowledges that the technology and know-how – whether patented or not - incorporated in the CookieBox Platform and in the CookieBox Service are and shall remain property of the Provider.
Therefore, the Beneficiary acknowledges and agrees that the Provider holds all intellectual property rights concerning the CookieBox Platform and the CookieBox Service and, that, except for the right to use the CookieBox Platform and the CookieBox Service, and that, on condition that all obligations herein are observed in full, it does not acquire any other right with respect to the CookieBox Platform and/ or the CookieBox Service.
9.2. The Beneficiary acknowledges and undertakes to observe at any time the property right of the Provider on the CookieBox Platform and on the CookieBox Service;
9.3. In case the Provider receives a notification or a complaint from a third party, the Provider shall forward it to the Beneficiary, which shall be solely responsible for correcting the situation and indemnifying the affected third parties, as well as the Provider for any costs or damages incurred.
10. TERMINATION OF USE OF SERVICE
10.1. The Parties may terminate this Contract unilaterally, by sending a 30-day prior notification to the other party. The termination shall operate after the expiry of the 30-day period following the receipt of the notification.
10.2. In case of suspicion and/ or non-observance by the Beneficiary of any obligation set for it under this Contract, the Provider, as it deems fit, may notify the Beneficiary about the termination of provision of the CookieBox Service, which termination shall operate immediately, by operation of law, without any other formalities and without the intervention of any court of law, the Beneficiary being directly responsible for any damage generated. In case of contract termination for such provisions, the Beneficiary shall lose any right to request reimbursement of the amounts paid in advance.
11. SPECIAL CLAUSES
11.1. The Beneficiary shall guarantee and shall hold the Provider harmless against any claims, actions, causes of action, suits, damages, liabilities, obligations, costs and expenses (including, but without limitation, any legal fees, in-house conciliation costs, court litigation expenses, hereinafter collectively referred to as Losses) which can be attributed or which are corelated with the infringements by the Beneficiary of this Contract and any other liability claim.
11.2. The conclusion of this Contract and/ or the use by the Beneficiary of the CookieBox Platform is equivalent to acknowledging that the Beneficiary read, understood and agreed with the provisions hereunder and with the Terms and Conditions of the Service, as displayed at any time on the CookieBox Platform.
11.3. The Beneficiary shall be liable for all obligations, operations and debts resulted from this Contract and/ or the use of the Service until full discharge therefrom.
12. PROCESSING OF PERSONAL DATA FROM THE BENEFICIARY
12.1. During the provision of the Services by the Provider in line with the Contract, the Provider, in its capacity as Person authorized by the Beneficiary, may process Personal Data from the Beneficiary on behalf of the Beneficiary, as Personal Data Processor.
12.2. In all cases in which Personal Data from the Beneficiary is processed on the basis of, or in connection to the Contract, the Provider:
12.2.1. shall process, transfer, modify, change or alter Personal Data from the Beneficiary or shall disclose or allow the disclosure of Personal Data from the Beneficiary to third parties according to Annex 1 (Details on the Processing of Personal Data from the Beneficiary), and exclusively:
according to the requirements concerning the observance of the Beneficiary’s instructions - documented and reasonable (which, except if provided otherwise, shall relate to the processing of personal data from the Beneficiary as required for the purpose of providing the Services hereunder), including with regard to the transfer of Personal Data from the Beneficiary to a third party or an international organization; or
according to the requirements concerning the observance of the applicable legislation by the Provider, case in which the Provider (to the extent permitted under the law) shall inform the Beneficiary with regard to the legal requirement in question before processing the respective Personal Date from the Beneficiary.
12.2.2. when learning of a personal data breach:
shall notify the Beneficiary immediately, and
shall cooperate with the Beneficiary and shall take all reasonable commercial measures indicated by the Beneficiary in view of providing assistance in investigating, mitigating and repairing a personal data breach, on condition of full reimbursement by the Beneficiary in each case of all costs incurred by the Provider (including with internal resources and any costs with third parties), in a reasonable manner with regard to the fulfilment of the obligations in this paragraph 12.2.2, to the extent to which the personal data breach was not caused by the Provider.
12.2.3. upon receipt of any request, complaint or communication related to the obligations of the Beneficiary based on the applicable legislation on data protection:
shall notify the Beneficiary as soon as possible, in a reasonable manner;
shall cooperate with the Beneficiary and shall take the reasonable commercial measures indicated by the Beneficiary to allow the latter to observe any exercise of rights by a Subject on the grounds of the applicable data protection legislation, or the observance of any evaluation, inquiry, notification or investigation based on the applicable data protection legislation, on condition of full reimbursement in each case by the Beneficiary of all costs incurred by the Provider (including with internal resources and any costs with third parties) in a reasonable manner with regard to the fulfilment of the obligations in this paragraph 12.2.3.
12.2.4. shall implement the technical and organizational measures provided in Annex 2 hereto, in collaboration with the Beneficiary. The Beneficiary has confirmed that it has reviewed and approved these measures as providing a proper security level with regard to the Personal data from the Beneficiary to be processed by the Provider in its capacity as a Person authorized by the Beneficiary;
12.2.5. shall ensure that its employees with access to personal data from the Beneficiary are under contractual, professional or legal obligations of confidentiality;
12.2.6. shall provide reasonable support to the Beneficiary with regard to the impact assessment concerning the data requested on the grounds of Article 35 GDPR and to the prior consultations addressed to any Supervisory Authority of the Beneficiary which is requested on the grounds of Article 36 of GDPR, related to the processing of personal data from the Beneficiary by the Provider on behalf of the Beneficiary and in consideration of the nature of the Processing and of the information available to the Provider; and
12.2.7. with the exception of cases in which the applicable legislation imposes contrary obligation, it shall stop processing personal data from the Beneficiary within 90 days of the termination or expiry of the Contract, of, if it occurs earlier, the termination or expiry of the Service it refers to, and, as soon as possible thereafter, it shall either return or delete from its systems the personal data from the Beneficiary and any copies thereof.
12.3. The Beneficiary authorizes the Provider to hire the subcontractors with regard to the processing of personal data from the Beneficiary. During the term of the Contract, the Provider may hire other subcontractors, in observance of the following obligations:
The Provider shall notify the Beneficiary (via e-mail or otherwise) with regard to its intention of using a new subcontractor to process personal data from the Beneficiary;
The Provider shall include in the contract concluded with each subcontractor terms that are substantially similar to those provided in clause 12 thereof;
In case a subcontractor fails to meet its obligations concerning the protection of personal data from the Beneficiary, the Provider shall be fully liable before the Beneficiary with regard to the fulfilment of these obligations.
With regard to any notification set based on Art. 12.3, Paragraph 1, the Beneficiary shall have 30 (thirty) days following the receipt of the notification, to inform the Provider with regard to any reasonable objection related to the hiring of the subcontractor in question. In such situation, the parties shall attempt - in good faith and throughout a period of maximum 30 (thirty) days as of the date of the objection - to reach a reasonable solution from a commercial standpoint, which would allow to avoid hiring such subcontractor. In case such solution cannot be reached, the Provider shall be entitled to terminate the Contract unilateral, through a written notification sent to the Beneficiary.
12.4. The Provider shall make the information available to the Beneficiary and (as applicable) shall collaborate in conducting any audit or inspection, upon reasonable request from the Beneficiary to give assurance that the Provider observes the obligations set hereunder, on condition that such request does impose a duty on the Provider to provide or to allow access to:
internal information of the Provider concerning prices,
information concerning other clients of the Provider,
any of the external reports of the Provider that have not been made public or
any internal reports prepared by the internal audit functions of the Provider. Moreover, the Beneficiary may request a maximum of one audit or one inspection during any period of 12 consecutive months.
12.5. The Beneficiary guarantees that all Personal Data from the Beneficiary processed by the Provider according to this section were and shall be collected and processed by the Beneficiary in observance of the applicable law on data protection, including, but without limitation:
ensuring that all notifications sent to regulatory authorities and all approval from such authorities required according to the applicable Legislation on data protection are made and kept by the Beneficiary, and
ensuring that all Personal Data from the Beneficiary is collected and processed in an equitable and legal manner, that they are correct and updated, and a notification concerning the processing of personal data is sent to the Subjects to describe the processing to be carried out by the Provider based on this Contract.
12.6. The Beneficiary shall indemnify and exempt the Provider from any responsibility for all losses incurred and all fines and sanctions applied by public authorities, including by any Supervisory Authority, which derive from any request by a third party or public authority, including any Supervisory Authority, which derives from any infringement of section 12.5.
ANNEX 1: DETAILS FOR THE PROCESSING OF PERSONAL DATA FROM THE BENEFICIARY
This Annex 1 includes certain details regarding the Processing of Personal Data in line with Article 28, paragraph (3) of the GDPR.
Subject matter and duration of processing of Personal Data from the Beneficiary:
The Subject matter and duration of processing of Personal Data from the Beneficiary are set in the Contract.
Nature and purpose of the Processing of Personal Data from the Beneficiary:
The purpose of the Processing of Personal Data from the Beneficiary is set in the Contract. Upon request, the Provider shall provide Account Management services, which means that an account manager of the Provider manages the content and images from popup and banner.
The types of personal data from the Beneficiary to be processes are, as applicable:
Cookies, IP Address, Browser Technology, Operating System.
The categories of Subjects to which the Personal Data from the Beneficiary refer: Subscribers
The rights and duties of the Beneficiary are set within the Contract.
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
The minimum security requirements for the Processing of Personal Data from the Beneficiary shall cover the following:
- Identification and authentication of users
A user is any person acting under the authority of the Provider, with the right to access the Personal Data from the Beneficiary.
In order to gain access to a personal data database, users must identify themselves. Identification is done through username and password.
Each user shall have its own identification code. It is not possible for several users to share the same identification code.
Any user account is accompanied by a method of authentication.
Authentication is done using a password.
Passwords are changed periodically.
The Provider’s computer system shall automatically deny access to a user after introducing a wrong password 5 times.
Any user receiving an identification code and a method of authentication must observe the confidentiality thereof and shall be accountable to the Provider.
The Provider shall authorize certain users to revoke or suspend an identification and authentication code, following their user’s resignation or dismissal, contract termination, transfer to another service or assignation of new tasks that do not require access to Personal Data from the Beneficiary, in case of misuse of the codes received or in case of lengthy absence for a period determined by the entity.
Access of users to Personal Data from the Beneficiary carried out manually shall be done based on an authorization issued by the Provider.
- Type of access
Users shall only access Personal Data from the Beneficiary required for the fulfilment of the purpose set in the Contract.
The department providing technical support shall have access to Personal Data from the Beneficiary to solve exceptional situations.
- Collecting personal data from the Beneficiary
The Provider shall nominate users authorized for the collection and introduction of Personal Data from the Beneficiary in a computer system.
Any modification of the Personal Data from the Beneficiary can only be done by authorized user nominated by the Provider.
- Creating backup copies
The Provider shall determine the timeline for the backup copies of the Personal Data from the Beneficiary, as well as for the programs used for automated processing. A limited number of users shall be appointed by the Providers to create backup copies.
- Computers and access terminals
Computers and other access terminals are installed in rooms where access is allowed using magnetic cards or keys.
- Access files
The Provider shall take measures to ensure that any access of Personal data from the Beneficiary is recorded in an access file (entitled log for the purpose of automated processing (or in a registry for manual processing of personal data.
For automatic processing, this information shall be stored in a general access file or in separate files for each user.
- Telecommunication systems
The Provider shall carry out periodic control of authentications and on the types of access to detect dysfunctionalities pertaining to the use of telecommunication systems.
- Training of personnel
During user trainings, the Provider shall provide information on the provisions of the applicable legislation on data protection as well as regarding risks entailed by personal data processing.
Users with access to personal data from the Beneficiary shall be informed by the Provider concerning the confidentiality thereof.
- Use of computers
To maintain security in the processing of Personal data from the Beneficiary (particularly against computer malware), the Provider has implemented measures consisting in:
forbidding the use by the users of software programs from external or suspicious sources;
informing users about the dangers of computer malware;
implementing automated malware removal and computer security systems.