PRINCIPLES OF PERSONAL DATA PROCESSING

of the company Retino.cz s.r.o., ID number: 06222234, with registered office at Klimentská 1746/52, Nové Město, 110 00 Prague 1 (hereinafter referred to as the "address of the registered office"), represented by Petr Boroš, managing director, registered in the commercial register maintained by the Municipal Court in Prague, file no. C 278391 (hereinafter referred to as "we" or "Administrator" or "Retino" for simplicity).

We do not take the protection of personal data lightly. In these policies, you will learn for what purpose, for what reason and how we process your Personal Data. You will also find information about your rights in connection with the protection of personal data.

If you have any further questions regarding the processing of your Personal Data, please contact us by e-mail at support@retino.com or by post at the registered address.

1. DEFINITIONS

To make the text easier to read, we first explain several terms that we use in this Personal Data Processing Policy:

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council;

CCPA – California Consumer Protection Act of 2018;

EEA – European Economic Area;

Commercial communication – usually an e-mail message or SMS sent for the purpose of promoting our services;

Personal data – any information about the User on the basis of which it can be directly or indirectly identified;

Service – Retino software application for management of back processes in e-commerce;

Contract – the contract for the provision of Services as amended by the Retino Terms of Service, which is concluded between us and the registered User, or it will be a contract under individually negotiated conditions or a contract for ordering transportation through our Retino application;

Data Subject – a natural person who can be directly or indirectly identified on the basis of Personal Data;

User / you – the natural person to whom the Personal Data relates, most often it will be a customer (the person who signed the Agreement with us and the person who subsequently set up a user account with us and is provided with the Service) or a potential customer, or users of our websites who are just browsing them;

Administrator – the entity (in relation to your data, it is us) which alone or jointly with others determines the purposes and means of processing Personal Data;

Processor – we use other entities to, for example, ensure secure data storage for us or to send you a newsletter. During this cooperation, they may process Personal Data that you have provided to us;

Processing of Personal Data – in simple terms, this is any handling of Personal Data – whether it is their storage, sharing, deletion, or change;

Special categories of Personal Data – data that we understand to be more sensitive. They concern, for example, what your ethnic origin is, what your sexual orientation is, whether you are in a trade union or how your health is and what your faith is. Genetic and biometric data are also considered a special category of data if they are processed for the unique identification of a natural person. We do not process this Personal Data.

If terms that are not specified above appear within that document, then they are governed by the interpretation given in the Retino Terms of Service.

Users from California. If you are located in the State of California, the terms “Personal Information”, “Data Subject”, “Controller” and “Processor” used in this policy are equivalent to the terms “Personal information”, “Consumer”, “Business” and “Service provider” under the CCPA. At the same time, in connection with the CCPA, we state that under no circumstances do we sell, rent or otherwise disclose your Personal Data for financial or other consideration. If we make your Personal Data available to a third party in any way, we do so for the purpose of providing our Services or fulfilling our legal obligation, in accordance with these principles.

2. HOW WE APPROACH PERSONAL DATA PROCESSING

Your privacy is a priority for us, therefore we only require from you the personal data that is necessary to provide the Services. Our Services meet the standards required by the GDPR. If you entrust us with your data, we undertake to handle it in accordance with the relevant legislation that applies to you (GDPR, CCPA, etc.). We inform you below about the rights you have in connection with Personal Data.

3. WHAT ROLE WE HAVE IN RELATION TO PERSONAL DATA

With regard to the kind of Services we provide, we may find ourselves in the position of Administrator and Processor in relation to Personal Data.

When do these policies apply? This personal data processing policy applies only to situations where we are in the position of Administrator, unless otherwise stated in the text of the policy.

A. RETINO AS ADMINISTRATOR

When is Retino an Administrator? In relation to Users, we are the Administrator of Personal Data. You have entrusted us with some information about yourself (such as your name and email), for example to register an account for you. An overview of the processed Personal Data, including the reasons for their processing, can be found below. If anything is unclear, don’t hesitate to contact us at support@retino.com.

Other Processors. In order to be able to provide you with the highest possible quality of our Service, we use other entities for this. We have concluded the necessary contracts with all of them and require the highest possible level of protection and security of Personal Data. All our processors can be found in section 8 of this policy.

B. RETINO AS PROCESSOR

When is Retino in the position of processor? We provide a Service whose purpose is to facilitate feedback processes in relation to your customers. As part of the Service, you and your customers enter your personal data into the Retino system. In relation to customers of Users of our Service, we may be in the position of a processor of Personal Data. If we process the Personal Data of your customers, then we do so on your behalf only as a processor, in accordance with your instructions (i.e. the User’s instructions). In this case, the protection of personal data and the rights and obligations arising therefrom are governed by the Personal Data Processing Agreement (DPA), which is an appendix to the Retino Terms of Service.

If you are a customer of our User. If you order transportation through our Application, please read section 5 point C of these Policies. In other cases, please contact our User directly for more detailed information regarding personal data protection. We are not responsible for how our Users approach the protection of personal data.

Retino's access as a processor. For the most part, Retino does not have access to the data of its Users, unless such data is made available to it by the User himself or access to it is necessary to provide the Services. We are not responsible for:

• the content of Personal Data that the User includes in the data processed as part of the provision of the Services,

• how the User collects, stores, distributes or otherwise processes such data.

Subprocessors. As part of the provision of Services, we use other entities. If we find ourselves in the position of Personal Data Processor, we may use other sub-processors, in accordance with the Personal Data Processing Agreement (DPA), which is an appendix to the Retino Terms of Service. We and our sub-processors have very limited access to the data that you save in the system, i.e. to the data of your clients. Despite this, we make sure that our sub-processors are bound to ensure the protection of Personal Data at the same level as we provide.

4. WHAT PERSONAL DATA DO WE PROCESS ABOUT YOU?

How do we process personal data? We process your Personal Data only to the extent necessary to achieve the purpose for which the data were collected and we comply with security technical and organizational rules when processing them. The Personal Data processing process is automated, but we do not perform profiling. The specific purposes of data processing and categories of personal data that we process for individual purposes are detailed in the following section.

→ Name and surname

→ Contact information (especially e-mail, phone number) and other information that you voluntarily provide in your user interface

→ Login to the user account and behavior in the user account (in particular data filled in by the User in the user account, time of registration, date of last profile update)

→ Data in the inquiry sent by the customer or another person

→ Invoicing data and bank connection (data necessary for accounting and making payments)

→ Information that you communicate to us as part of communication with us (in particular, it will be about your questions and answers to your questions, communication with you)

→ Comments added by you to our posts on social networks (especially Facebook, LinkedIn), as well as the name (nickname) of your profile on these social networks and publicly accessible information on your profiles

→ Cookies and IP address, activity data (including information about your device or operating system)

Special category of Personal Data. We do not process any sensitive Personal Data about you.

5. IN WHICH CASES DO WE PROCESS PERSONAL DATA AND HOW?

We process your personal data if you are a user of our website, our customer or you are interested in becoming a member of our team. We process your Personal Data only for the necessary time, but its duration may vary with regard to the relevant legislation in the place where we provide you with our Services. Data on the duration of processing are therefore only indicative.

A. USERS OF OUR WEBSITE

If you visit our website, we process your Personal Data for the purposes listed in this table.

| Why? | What data? | How? | How long? |
|---|---|---|---|
| Website visit. Ensuring the basic functionality of our website, analytics, improving our services and our promotion. You can set your preferences in the cookie bar. | Information about when and how you visit and view our website may include: IP address, date and time of access to our website, operating system or your language settings, history of your behavior on the website, etc. If you visit our website via mobile phone, we may also process data about your phone. | Cookies or other technologies for tracking User behavior. | Processing time varies depending on the type of cookie. Some process data only for the duration of the session (visit), some for a longer period. |
| Submitting an inquiry. You can contact us at any time with your questions and we will answer them. You can contact us via the contact form on our website or by e-mail. | First name, last name, e-mail, telephone, other Personal data that you give us. | In order to process the inquiry, we process the Personal Data that is necessary to process it. Communication takes place by phone, e-mail, or directly on our website. If we call you, the calls are recorded. | Closed questions are deleted regularly, but no later than 3 years after the question was asked. |
| Webinar. If you are interested in learning more about our Service, you can sign up for one of our webinars. We will also send you a newsletter to inform you about our news. If you do not want to receive the newsletter, you can unsubscribe in the footer of the e-mail. | Email, first and last name. You may share some Personal Data with us during the webinar. | Sign up for the webinar by filling out the form. We will then contact you with further necessary information. | The data is processed for 6 months from the webinar. We process data for sending the newsletter for 2 years from the last active viewing of the newsletter, unless you unsubscribe earlier. |
| Sending commercial messages (direct marketing). You have subscribed to the newsletter. If you no longer want to receive it, you can unsubscribe in the footer of the e-mail. | First name, last name, phone number and e-mail. | We send a newsletter in which we inform about our services and news. | The data is processed for 2 years from the last active viewing of the newsletter, unless you unsubscribe earlier. |

B. CUSTOMERS

If you decide to use our Services or want to try them first, we will create a user account for you. We will process your personal data to the necessary extent so that we can provide you with the Service in accordance with the Retino Terms of Service.

| Why? | What data? | How? | How long? |
|---|---|---|---|
| Website visit. Ensuring the basic functionality of our website, analytics, improving our services and our promotion. You can set your preferences in the cookie bar. | Information about when and how you visit and view our website may include: IP address, date and time of access to our website, operating system or your language settings, history of your behavior on the website, etc. If you visit our website via mobile phone, we may also process data about your phone. | Cookies or other technologies for tracking User behavior. | Processing time varies depending on the type of cookie. Some process data only for the duration of the session (visit), some for a longer period. |
| Retino trial version. You can try our Service first by filling out the form on our website. | Name, surname, e-mail, phone, name of your e-shop and password that you set. | You provide us with this data when you fill out the form on our website. | The data is processed for the duration of the trial version of the Service, in case of switching to the full version of the Service for the duration of the Agreement. In the event that we do not conclude the Agreement together, we will subsequently process your data for a period of 120 days from the end of the trial version of the Service. |
| Conclusion of the contract. In order to start using the Service to the full, you must first conclude a Contract with us. | To conclude the Contract, we will need your name, surname, date of birth and address, and the name of the company you are acting for. | You provide us with this data when filling out the registration form questionnaire and creating a user account or as part of our communication for the purpose of signing the Agreement. | The data is processed for the duration of the Agreement and subsequently for a period of 4 years from the end of the Agreement. |
| User account. If you have concluded a Contract with us, we will create a User Account for you. Within the User Account, you can grant access to the Service to a predetermined number of people. | Data filled in during registration or in the Agreement, especially your e-mail and other contact data (see above). The scope of Personal Data processing may vary depending on which Personal Data you enter in your User Account and which functions of the Service you use. | You provide us with this information when you create an Instance or update it. | The data is processed for the duration of the Agreement and subsequently for a period of 4 years from the end of the Agreement. |
| Agent. If the Administrator fills in your e-mail in the Service interface and invites you to his User account, you can use the Service to a limited extent. We will process your Personal Data to the necessary extent so that we can provide you with the functions of the Service. | E-mail. | These data will be provided to us when inviting to the Service. | We process your data for this purpose for the duration of the existence of the user account and subsequently for a period of 4 years from the end of the Agreement. |
| Webinar. If you are interested in learning more about our Service, you can sign up for one of our webinars. We will also send you a newsletter to inform you about our news. If you do not want to receive the newsletter, you can unsubscribe in the footer of the e-mail. | Email, first and last name. You may share some Personal Data with us during the webinar. | Sign up for the webinar by filling out the form. We will then contact you with further necessary information. | The data is processed for 6 months from the webinar. We process data for sending the newsletter for 2 years from the last active viewing of the newsletter, unless you unsubscribe earlier. |
| Communication with customer support, requests and complaints. You can send us a question by e-mail or via the website. | First name, last name, phone number, e-mail, user account. | In order to handle the inquiry, request or complaint, we process the Personal Data that is necessary to handle them. Communication with customer support takes place by phone, e-mail, or directly on our website. We record our phone calls. | Closed questions and complaints are regularly deleted, but no later than 3 years after the question was raised or the complaint was resolved. |
| Direct marketing, especially sending commercial messages. If you use our Services or have signed up for a subscription, we will send you a newsletter. If you no longer want to receive it, you can unsubscribe in the footer of the e-mail. | First name, last name, phone number and e-mail. | We send a newsletter in which we inform about our services and news. | The data is processed for 2 years from the last active viewing of the newsletter, unless you unsubscribe earlier. |
| Bookkeeping. We receive remuneration for the provision of Services and provide you with accounting and tax documents, which we then archive and continue to work with for the purposes of proper management of our accounting and the fulfillment of legal obligations. | Data on the invoice – name, surname, e-mail address, billing address, or other identification of the User and details of performance according to the Agreement. | After filling in the payment information in the profile, we save this information to create the invoice. | We are required by law to archive or keep the relevant document, the time depends on what is required by law (3 – 10 years). |
| Sending information related to the fulfillment of the Agreement. It will be about new functionalities, planned shutdowns, changes to the price list and more. | Name, surname, e-mail address, billing address, or other identification of the User and details of performance according to the Agreement. | We also process your personal data for the purpose of sending information regarding our contractual relationship. It may be a change to the Terms of Service or the price list. | The data is processed for the duration of the contractual relationship and subsequently for a period of 4 years from the end of the Agreement. |
| Handling the request to send backed-up data. We understand that data is very valuable, so we regularly back it up and send it to you upon request. For this we will need to verify your contact details and, if necessary, also your identity. | First name, last name, user account. | Based on your request, we export the backed up data and send it to you. | The data is processed for the duration of the contractual relationship, but at the same time it will be a period of 4 years from the end of the Agreement. |
| Compliance with legal obligations. In certain cases, we have to process your personal data in order to fulfill the obligations established by law. | In particular, this may be the name, surname, e-mail address, invoicing data or other identification of the User. | In this case, we process your Personal Data in order to comply with applicable legal regulations (fulfilment of a legal obligation). | We process your Personal Data for the period specified by the relevant legal regulations. |

C. SHIPPING ORDER SERVICE THROUGH OUR APPLICATION

If you order transport via our Application to return purchased goods, these terms and conditions apply to you.

| Why? | What data? | How? | How long? |
|---|---|---|---|
| Website visit. Ensuring the basic functionality of our website, analytics, improving our services and our promotion. You can set your preferences in the cookie bar. | Information about when and how you visit and view our website may include: IP address, date and time of access to our website, operating system or your language settings, history of your behavior on the website, etc. If you visit our website via mobile phone, we may also process data about your phone. | Cookies or other technologies for tracking User behavior. | Processing time varies depending on the type of cookie. Some process data only for the duration of the session (visit), some for a longer period. |
| Shipping order. If you decide to return the goods easily via Retino, you can order transport within our Application. By sending a transport order, you conclude a Contract with us. | Name, surname, address, telephone, payment details. | We will issue you a shipping label and forward your data to the selected carrier. | The data is processed for the duration of the contractual relationship and subsequently for a period of 4 years from the end of the Agreement. |
| Communication with customer support, requests and complaints. You can send us a question by e-mail or via the website. | Name, surname, telephone number, e-mail, shipment number. | In order to handle the inquiry, request or complaint, we process the Personal Data that is necessary to handle them. Communication with customer support takes place by phone, e-mail, or directly on our website. We record our phone calls. | Closed questions and complaints are regularly deleted, but no later than 3 years after the question was raised or the complaint was resolved. |

6. ON WHAT BASIS DO WE PROCESS YOUR PERSONAL DATA?

Lawfulness of processing. We obtain and process all Personal Data in a lawful manner. We process personal data:

• based on your consent (e.g. when you voluntarily subscribe to our newsletter),

• for the purpose of fulfilling the Agreement (so that we can start providing you with our Services),

• for the purpose of fulfilling a legal obligation (e.g. in the case of supervision by a supervisory authority) and

• based on our legitimate interest (e.g. if you are our customer, so that we can inform you about what is new with us).

In the event that we provide the Service to you outside the European Economic Area (EEA), the legal titles for the processing of Personal Data may differ.

7. CHILDREN AND MINORS.

Our Service can be used by persons over the age of 16. In no case do we knowingly process the personal data of children and minors under this age limit. If we learn that we have received Personal Information from a child without parental consent or legal consent, we will take reasonable steps to remove that information as quickly as possible.

We have developed these policies in such a way that they are as clear as possible. However, if you are under the age of 18, you are a User of our Service and these principles of personal data processing are not sufficiently understandable for you, contact us by e-mail at support@retino.com.

8. WHO ARE OUR PROCESSORS?

Processors. We only use verified Processors with whom we have a written contract, and who provide us with at least the same guarantees as we provide you. We have listed the data that the Processors can process, including their purpose and legal title of processing. We use these Processors from the position of Administrator, that means they do not process data that you enter into the system as part of using the Service.

Website operation, blog: AWS, SendGrid, WordPress
Common website traffic analysis: Google Analytics, Doubleclick
Provision of the Service: AWS, Pipedrive, Stripe, SendGrid, Twilio, Workspace, Gmail, Asana, Slack, Here map, Sentry
Transportation: PPL, Liftago, GLS group
Payment: Stripe.com
Bookkeeping: Kodap Jihlava, Fakturoid
Communicating with customer support, handling inquiries: Help Scout, Twilio, Gmail
Sending a newsletter (direct marketing): SendGrid
Marketing: Google Ads, Google tag manager, LinkedIn, Facebook, YouTube
Social networks: LinkedIn, Facebook, YouTube
Webinars, training and face-to-face meetings: Demio

Legal obligations. We may transfer personal data to third parties other than the above-mentioned Processors, if required by law or in response to legal requirements of public authorities or at the request of a court in legal disputes.

9. WHAT MEASURES HAVE WE TAKEN TO PROTECT YOUR PERSONAL DATA?

Our customers can influence the scope of processing within the provision of the Service through their own settings in the User Account.

Technical measures. Security is very important to us and that is why we constantly work to ensure that your Personal Data is protected. When choosing measures, we take into account the scope of processing, the riskiness of processing or the state of our technology.

• We regularly back up data;

• we update anti-virus software systems;

• we encrypt data using SSL/TLS ("secure sockets layer / transport layer security") for all data transmissions;

• we use a secure https protocol;

• our data on servers is encrypted;

• we develop technology with regard to the protection of personal data (privacy by design);

• access passwords to information systems (where Personal Data will be processed) and access authorizations are controlled at the level of individuals.

Organizational measures. We have adopted and undertake to comply with the following measures:

• Our employees and our service providers are bound by confidentiality;

• Our employees are properly trained and also receive further regular training regarding the GDPR and familiarize themselves with the rules of safe work on work equipment;

• In the case of storing API keys, we remove authorization data;

• Access to all systems, including the information system, is personalized and covered by secure passwords;

• We keep passwords in the operational environment in a separate place (Safe store), where logs are recorded, so that we can control the access of employees to individual Personal Data of Users.

10. INTERNATIONAL PROVISION OF SERVICES

If we use Processors who are based abroad, we ensure that we meet the requirements of the relevant legislation. In particular, when data is transferred from the EEA to other countries, we ensure a high standard of Personal Data protection through standard contractual clauses approved by the European Commission, or equivalent standard contractual clauses for the United Kingdom, for transfers to countries that are not subject to an adequacy decision by the European Commission or your local legislator.

We follow GDPR standards and the protection of Personal Data is very important to us. We also provide our Services outside the EEA market, so your rights related to the protection of Personal Data depend on the relevant legislation that applies to you.

A. CALIFORNIA CONSUMER PRIVACY ACT

What are your rights? The CCPA guarantees you the following rights:
Right to information. You have the right to request information about what personal data we collect, use, disclose, share and sell about you, where we obtained it and for what purpose we process it.
Right to erasure. You have the right to ask us to delete your Personal Data and to ask our Processors to do the same. We will delete your data unless we have a legal obligation to keep your data or one of the other exceptions applies.
Right to refuse sale or sharing. You have the right to refuse us as a company to sell your data. Because we share personal information with our Processors, this operation may be considered a "sale of personal information" under the CCPA.
Right to rectification. You have the right to request the correction of inaccurate personal data. You can correct some data in your user profile.
The right to restrict the use and disclosure of sensitive personal information. You can request us to use your sensitive data (social security number, information about your bank account, etc.) only for the purpose of providing services.
No discrimination. You have the right not to receive discriminatory treatment as a result of exercising your rights.

How can you exercise your rights? You can exercise your rights by email at support@retino.com or by post at the registered address.

In order to process your request, we may require verification of your identity, depending on the nature of the right you are exercising. In the event that a representative will exercise rights on your behalf, we will need to document his authorization to act on your behalf in this way. We will also require your representative to identify himself. We take these steps in order to ensure the highest possible standard of protection of your Personal Data.

11. YOUR RIGHTS AND OPTION TO SUBMIT A REQUEST REGARDING THE PROTECTION OF PERSONAL DATA

If you are located in the EEA, you can exercise the below rights arising from the GDPR with us.

You can exercise your rights by email at support@retino.com or by post at the registered address.

How quickly will we process your request? We will reply to you within one month at the latest. If the provision of information would endanger the privacy of other persons, or the provision would be disproportionate to the risks or costs of providing it, it is possible that we will not be able to comply with your request. In order to process your request as soon as possible, we may need to verify your identity. In the event of a repeated request, the Administrator will be entitled to charge a reasonable fee for a copy of the Personal Data.

Right of access. We will confirm whether we are processing your Personal Data. You have the right to information about the purposes of processing, categories of personal data, recipients to whom they are made available, and the time of processing. You have the right to know whether a right has already been exercised. It is also assumed that the rights and freedoms of other persons and the copy of personal data will not be adversely affected.
Right to rectification. You have the right to request the correction of inaccurate personal data. You can correct some data in your user profile.
Right to erasure. If there is no other reason to process this data further, then we will delete or anonymize the data requested by you.
Right to restriction of processing. Please contact us if you believe that we are processing data incorrectly, whether this concerns the reasons for the processing or its scope.
The right to be notified of correction, erasure or restriction of processing. If you contact us with a request, we will inform you of the result. Sometimes we may not be able to comply (e.g. the email address you wrote to us from no longer works).
Right to portability. We will provide your Personal Data, which you have provided to us in a structured and machine-readable format, to another administrator at your request.
The right to object. You can object if we process your data based on a legitimate interest (e.g. sending a newsletter to Users). It is up to us to prove our legitimate interest. If your objection is justified, we will stop processing Personal Data.
Right to withdraw consent. If you've changed your mind, please let us know. Processing related to marketing and business purposes can be revoked at any time.
Automated individual decision-making including profiling. You don't want a computer to decide about you? We respect your right, so we do not perform profiling. When we provide the Service, your Personal Data may be processed automatically.

12. CONCLUSION

This Privacy Policy can only be changed in writing. You will be informed about this through our website. Therefore, please check this policy regularly. By continuing to use our Service, you agree to the changes to this policy.

If you have any questions regarding our Privacy Policy, please contact us at support@retino.com.

If you are unsatisfied, you can at any time submit an initiative or complaint to:

• Office for the Protection of Personal Data, with headquarters at Pplk. Sochora 727/27, 170 00 Prague 7 – Holešovice (more at https://www.uoou.cz/), or

• Office for the Protection of Personal Data of the Slovak Republic, with headquarters at Hraničná 12, 820 07 Bratislava 27, Slovak Republic (more information at https://dataprotection.gov.sk/uoou/), or

• Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, with registered office at Graurheindorfer Straße 153, 53117 Bonn (more information at https://www.bfdi.bund.de), or

• Datenschutzbehörde, located at Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna (more information at http://www.dsb.gv.at), or

• another office for the protection of personal data located in the place of your usual residence.

These principles of personal data protection are effective from July 3, 2023.