PRIVACY POLICY

Privacy Policy of Lavastone Ltd and its Subsidiary Companies

Lavastone Ltd and its Subsidiary Companies (hereinafter “The Company” or “we” or “us”) are concerned about privacy issues and wants you to know how we are collecting, using, processing, disclosing and protecting your information in accordance with applicable law and the Data Protection Act 2017.

You agree to the collection and use of information in connection with this policy if you are a data subject who chooses to use our service, purchase our product, is an employee, is in correspondence with us, or otherwise involved in the activities of the Company. Where the Company has a website, you will be requested to accept the terms of this Privacy Policy when visiting the website. However, where you do not consent to the collection and use of your information in certain circumstances, we may not be able to provide you certain products or services or react to a problem you raised.

You may not be asked for consent where the Company has a lawful basis for processing personal data we already have, or acquire through performance of a contract, in compliance with legal requirements, for the protection of your vital interests as a data subject, for the performance of a task carried out in the public interest or the processing is necessary for other legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Lavastone Ltd and its Subsidiary Companies have the right at any time to update or modify this Policy. The most recent Privacy Policy will be updated on this page.

Personal Data we collect

Personal data means any information relating to a data subject, as such term is defined under the Data Protection Act 2017. Personal data includes, but is not restricted to:

• Personal contact details (name, address, contact number, country ID number, email address, login and password details)
• Date of birth
• Medical information
• Employment information such as social security, passport or visa number or the identification of information required to confirm eligibility for employment by a government entity.
• Bank details
• Curriculum Vitae
• Signature
• Citizenship
• Photographs
• Video and audio recordings

Personal data such as race, ethnicity, sexual orientation, medical information or biometrics are sensitive data according to the requirements under the Data Protection Act 2017 and as such are subject to enhanced security measures as required by the applicable law.

Use of Personal Data

To the extent permitted by law, we may use your information for purposes of operating our business and other legitimate purposes. We may use your personal information in the following ways:

• Performance of a contract
• Reporting to management
• Recruiting and employment
• To deliver services to you
• To reply to your requests
• Data analysis
• To personalize your experience (Your information helps us respond better to your individual needs)
• Website- to know your preferences
• Contacting you with information about our products and services
• Sending you important notices

The purpose and retention conditions for which we collect the personal data will be stated in any consent form you are asked to accept or implied in any participation in a lawful basis for collection. Where we collect or use personal information other than as set out in this policy, we will ensure that we do so in accordance with applicable law and the Data Protection Act 2017.

Disclosure of Personal Data

We may disclose your Personal Information with your consent or:

• When it is required by law
• To comply with law (Judicial proceedings, court order, law enforcement, exercise our legal rights, defend against legal claim, request from public and governmental authorities)
• When there is an investigation or in prevention, against illegal activities
• When there is a suspected fraud
• When there is a potential threat to a safety of any person
• For the purposes set out in this Privacy Policy, to our affiliates
• To our third-party service providers to provide service on our behalf, facilitate our service or perform related services

Third-Party

The privacy practices and data protection policies of third parties are not covered by this Policy and cannot be controlled. Please read and refer to the third party’s privacy policy when you submit personal information to such a third party. In circumstances, we disclose your personal data to third parties for the purposes described in this policy, they are bound by contractual obligation not to disclose or use the information for any other purpose.

If you choose to provide personal information of a third party (such as name, email and telephone number) to Lavastone Ltd and its Subsidiary Companies, you represent and warrant that you have permission from the third party to do so (e.g. Marketing material or Job referrals). However, we do not accept any personal data of third party without the proof of consent.

Your Rights

Lavastone Ltd and its Subsidiary Companies are committed to comply with regulations with respect to your rights. It is your responsibility as a data subject to assure that your information we collect is kept up to date and is accurate. The Company takes all reasonable step to discard or update any inaccurate data without delay.

You have certain rights in respect to how we use your personal data. These are:

• to request a copy of the personal information we have about you as far as practical; unreasonable request, or information that is difficult or time consuming to retrieve, may be subjected to charges.
• to ensure that your personal data that we have is up-to-date, accurate and complete. However, it is your responsibility to submit correct and updated data to Lavastone Ltd and its Subsidiary Companies and our responsibility is to update the data provided by you.
• to have your personal data erased if the personal data collected, for the purposes for which it was collected, are no longer necessary, unless we are required by law to retain it.
• to withdraw your consent whenever Lavastone Ltd and its Subsidiary Companies process your personal data based on your consent, subject to applicable laws.
• to object to the processing of your personal data and if you think that your data protection rights are being breached you have the right to contact the applicable supervisory authority to register a compliant.

Please contact us at dpo@lavastone.mu if you wish to exercise any of the above rights.

Protecting your Personal Data

The security of your personal data is important for us. We use appropriate methods to protect your personal data. Lavastone Properties Ltd and its subsidiary firms are compliant with the basic privacy and security principles such as access control to different categories of personal data, clear screen policy, clean desk policy, and lockable document storage cabinets. Wherever practical, we ensure that data is encrypted during transit and storage and that access to this data is strictly limited to a minimum number of individuals and subject to confidentiality obligations.

We also train our employees on privacy and security protection to raise awareness on personal data protection and to ensure the security of your personal data. Our personnel having access to your personal data are bound by a non-disclosure agreement with the Company.

The Company only retains your personal data for a reasonable period and until the purpose for which the data was collected is achieved, including for the purposes of satisfying any legal, accounting, or reporting requirements. It is our policy to destroy personal information once we are no longer required to retain it by law or business.

In certain circumstances, we may anonymize your personal data (so that it is no longer associated with you) for research or statistical purposes.

Children’s Personal Data

The Company is sensitive with regards to children’s personal data, which is considered sensitive data. Children’s personal data is collected with prior consent from their parents or guardians, for purposes outlined in that consent, for example, to be published in our newsletter or on our website or otherwise displayed within the Company. Lavastone Properties Ltd and its subsidiary firms will be using or disclosing the data only as permitted by law, with the clear consent of the parents or guardians of the child or as required for the child’s protection. If we accidentally collect personal data of a child without verified prior permission from the parent or guardian, we will endeavor to delete the data at the earliest practicable opportunity.

Transfer of information outside Mauritius

Your personal data we collect may be processed or accessed outside Mauritius where Lavastone Properties Ltd and its Subsidiary Firms or its affiliates, service providers or business partners are situated. In this case, we take appropriate safeguards to ensure that the personal data is treated securely in accordance with this policy and applicable laws. We use encryption where appropriate. The Company uses a wide range of legal procedures, such as standard contractual clauses with those parties to ensure data is processed in a secure manner.

Contact us

If there are any questions regarding this Privacy Policy or if you have any complaints or concerns about privacy and want to contact the Data Protection Officer of Lavastone Properties Ltd and its subsidiary firms, do not hesitate to contact us on dpo@lavastone.mu.