ESL Ltd.
ESL’s SubLift Application– Privacy Statement

[Last update 13 May 2025]
This privacy statement explains what Personal Information Publisher (or “We”) receives and collects when using the SubLift application (the “App”), and how and for what purposes Publisher uses or transfers such Personal Information to third parties.

IMPORTANT NOTICE
IT IS HEREBY CLARIFIED THAT WITH RESPECT TO ANY CUSTOMER PERSONAL DATA (AS DEFINED BELOW) WE OPEARATE AS PROCESSORS, AND THEREFORE THE INFORMATION CONTAINED HEREIN IS FOR KNOWLEDGE AND INFORMATIVE PUROSES ONLY, WHEREAS OUR OBLIGATIONS AND RIGHTS RELATED TO THE PROCESSING OF SUCH PERSONAL INFORMATION AS PROCESSORS IS GOVERNED UNDER APPLICABLE LAWS AND/OR SUBJECT TO A SEPARATE DATA PROCESSING AGREEMENT BETWEEN CUSTOMER AND US.

WITH RESPECT TO CUSTOMERS ADMINISTRATIVE CONTACT INFORMATION, WE ACT AS CONTROLLERS AND THIS PRIVACY NOTICE GOVERNS OUR OBLIGATIONS AND UNDERTAKINGS TOWARDS DATA SUBJECTS WITH RESEPCT TO ANY PROCESSING WE CARRY OUT AS CONTROLLERS.
Personal Information Received and Collected

1. Customer’s Administrative Contact Information (“Transactional Personal Information”). To enable us to set accounts, Administrative Contact person(s) of Customer will be asked to provide us with: name, role, e-mail address (for invoices and administrative contacts), phone number and name of Customer.
2. Customer’s and Customer’s End User Information (“Customer Personal Data”)
   2.1. We collect (through API) –
   2.1.1. Customers’ data: ‘Company’, ‘account ID’, ‘Monday Domain’, Monday Num Of Users (i.e. number of Customer’s Users using the App), total number of usages, monthly number of usage, license tier, subscription period (provided by Monday).
   2.1.2. Customer’s Users (persons using Customer’s Monday account for Customer’s operations) data – Installation Date, User Name, User e-mail, Last Visit (Date).
   2.1.3. Data Used by Customer’s Users through the App API. any values and/or information populated in Customer’s Monday account used by the App for the calculation operation (e.g. calculation of mean, range, sum etc.), are only used for the purpose of applying the required function, and any data so processed is only stored temporarily for the duration of the operation, thereafter the data is immediately erased.
   2.1.4. Financial Data. All payment will be conducted through a qualified third-party payments service provider (and subject to such third-party payments service provider’s privacy policy and service terms) therefore we do not collet any financial data from Customers including personal financial data.
   Storage and Security
3. All information received and collected will be stored on servers protected by security measures. However, no security measures can assure absolute and hermetic protection from unauthorized access or other damage or loss, and hence we hereby fully disclaim any liability for such events.
4. All Personal Information we process will be erased when Customer uninstalls the App.
5. In addition, we store the following data encrypted (in rest and in transit):: Customer Users: User Email ; Customer: Monday Domain, Company.
6. We examine the information held by us periodically and whenever We find excess information, We destroy it.
   How We Use and With Whom We May Share Your Information
7. We use or may use all the information We receive and collect: (a) to operate, support and improve the App; (b) for technical issues; (c) to assure security (including for investigating suspicious activity); (d) in connection with receiving payments and collecting them; and (e) to create aggregated, statistical or other anonymized data for product betterment and development, and publications in relation to the App.
8. We do not share the information with third parties, other than with our Affiliates and with our service providers and partners (e.g. app marketplace platform) solely for the provision of their services to us and subject to their undertaking to keep such information confidential and not use any of this information for any other purpose than the provision of the services to us. The categories of service providers we are using or may use in connection with the App are: data base management services, cloud hosting services, payment processing, and marketing and monetization services.
9. In addition, We may collect, use, and share your information if We have a good-faith belief that it is necessary to: (i) comply with applicable law, regulations, legal proceedings, debt collection, orders or instructions of competent authorities (ii) detect, investigate, prevent, and address fraud and other malicious or illegal activity, security, or technical issues; (iii) protect the rights, property, and safety of Publisher, Customer, Customer’s users or others; (iv) investigate, prevent, address and deal with security and cyber incidents; (v) legal disputes or proceedings that We (or any of our affiliates) are involved in – whether as plaintiffs, if the dispute is with respect to Customer or its activity, or as defendants; or (vi) use it as part of our reorganization, merger, sale of assets or shares, or investment activity in Us.
   Data Transfers and Global Processing
10. We process personal data collected by the App in servers of our service providers located in Ireland (data servers) and in the US (app servers). Processing may also take place when using the App in countries other than the location from which personal data was collected, and personal data may be accessed and/or processed at and/or transferred to countries other than the location from which such personal data was collected. We may do this where data is accessed/processed:
11. By Us for operational, administrative, compliance purposes or customer support teams, from various locations where we have staff; currently, in Israel.
12. By our service providers, for the purposes we specified under the section “How We Use and With Whom We May Share Your Information”; currently, in the US and in Ireland.
13. Company will take steps reasonably necessary to ensure that Personal Information is treated securely and in accordance with this Privacy Notice and no transfer of personal data will take place to an organization or a country unless there are adequate controls in place including for ensuring the security of Personal Information, all in line with applicable laws.
14. The safeguards we may deploy for performing such transfers across boundaries:
15. Adequacy. If you are located outside of Israel, and choose to provide information to us, please note that we access and process Personal Information at Our headquarters located Israel and process it there. Any transfers to Israel may be made on the basis of an adequacy decision made by the European Commission. Transfers by us to other locations (e.g. servers of our service providers) may be made on the basis of other adequacy decisions, such as with regards to the US Privacy framework.
16. Model Clauses. With some of our processors, we use standard contractual clauses approved by the European Commission and/or the UK, as the case may be, that are binding standards of processing of personal data committed to contractually by third parties processing information for us and on our behalf.
17. Consent. In the absence of an adequacy decision or Model Clauses, and in the absence of any other right to transfer your data, your consent shall serve as the basis for such transfer, and to the extent required we shall request your consent accordingly.

Data Subject Rights

18. We shall accept and process any direct data subject requests submitted to Us by data subjects in our capacity as Controllers, when such requests are made in relation to Transactional Personal Data. We shall process data subject requests relayed to us by Customer and deemed by customer eligible, in relation to Customer Personal Data that we process, in our capacity as processors, only upon our Customers’ request, and direct requests to us by data subjects in relation to Customer Personal Data will be routed to the Customer (the Controller) for further handling.
19. Depending on data subject’s location and on the laws that are applicable to each data subject, data subjects may be entitled to various rights in relation to their Personal Information, such as follows (all subject to applicable exclusions and conditions, as prescribed by applicable data protection laws):
    19.1. The right to access – You have the right to request copies of your Personal Information, which includes the right to obtain confirmation as to whether or not personal information concerning you are being processed and, where that is the case, access to the personal information and the purposes of the processing; categories of personal data concerned; recipients or categories of recipient to whom the personal data have been or will be disclosed; where possible, the envisaged period for which the personal data will be stored; the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing; the right to lodge a complaint with a supervisory authority; where the personal information are not collected from the data subject, any available information as to their source; the existence of automated decision-making, including profiling; the appropriate safeguards relating to the transfer of your personal data outside the EEA. We may charge you a small fee for this service under certain conditions.
    19.2. The right to rectification – You have the right to request that We correct any information you believe is inaccurate. You also have the right to request to complete the information you believe is incomplete.
    19.3. The right to erasure – You have the right to request to erase your personal data, under certain conditions.
    19.4. The right to restrict processing – You have the right to request to restrict the processing of your personal information, when: (a) you contest the accuracy of your personal information, for a period allowing Us to verify the accuracy of said information; (b) if you believe personal information has been unlawfully processed and you wish to restrict processing rather than delete it; (c) We no longer need the personal Information but you require to keep it in order to establish, exercise or defend a legal claim; or (d) you have exercised your right to object the processing (below) for a period allowing Us to consider whether your legitimate grounds override Ours.
    19.5. The right to object to processing – You have the right to object to the processing of your personal information at any time – this means you have the right to stop or prevent Us from processing your personal information (it could be in relation to part or all of your personal information, and for part or all of the processing purposes). When relating to processing for marketing purposes, you have an absolute right to object; while for other purposes, the existence of the right depends on what lawful basis the processing relies on.
    19.6. The right to data portability – You have the right to request that We transfer the data that we have collected to another organization, or directly to you, under certain conditions.
20. If allowed by applicable laws, data subjects have the right to withdraw consent at any time when their Personal Information is processed based on the data subject’s consent. However, withdrawal does not affect the legitimacy and effectiveness of how we process Personal Information based on data subject’s consent before the withdrawal is made; nor does it affect any data processing based on another lawful bases other than data subject’s consent.
21. If you think that the way we process your personal information does not comply with applicable data protection laws, you can contact the relevant competent data protection authority, although we urge you to contact us first to solve any issues in an amicable manner. You can obtain the information for contacting EU data protection authorities at https://edpb.europa.eu/about-edpb/board/members_en.
22. Any requests made pertaining to our processing activities should be made to the following email: appsupport@eswlab.com
    Data Retention
23. We retain the Personal Information we receive for as long as necessary to fulfill the purpose(s) for which it was collected, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.
24. We will retain your personal data for no longer than is necessary for the purposes stated in this Privacy Policy, unless otherwise extending the retention period is required or permitted by law or subject to our retention policies as may be in place from time to time. The data storage period may vary with scenario, product, and service. The standards We use to determine the retention period are as follows: the time required to retain personal information to fulfill business purposes, including providing products and services; maintaining corresponding transaction and business records; controlling and improving the performance and quality of the website; handling possible user queries or complaints and locating problems; whether the user agrees to a longer retention period; and whether the laws, contracts, and other equivalencies have special requirements for data retention; etc.
25. Specifically with respect to Customer Personal Data, Customer’s Data as specified in Section 2.1.1 and 2.1.2 is retained for four months following the Customer Account being inactive, and Data Used by Customer’s Users through the App API as specified in section 2.1.3 is retained only for the duration of the operation of the App, until a specific operation is completed, and thereafter this information is erased.

Changes to This Privacy Notice

26. We may change this Privacy Notice from time to time, and if We do, If you continue to use the App after those changes are in effect, you agree to the revised policy.