Protection of personal data is governed primarily by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”).
1. Collected data
1.1 The User’s processed personal data shall include in particular: (i) identification data (name and surname, date of birth, gender), (ii) contact information (e-mail and address or location), (iii) data and information concerning the User’s skin condition (smoking status, eye color, skin color, type of dermatitis, information on parent diseases, information on other diseases, information on food allergies, flareup area, picture of the flareup area, level of discomfort and triggers exposed to) (the “Personal Data”).
1.2 The User acknowledges that he is obliged to always provide correct and truthful Personal Data and that he is obliged to inform the Provider of any changes to them without undue delay.
1.3 If the User provided the Provider with his contact details (e.g. email), he may receive information from the Provider about new Services, promotions or news regarding the Provider and/or the Application and other marketing information, as well as information about any upcoming events, etc.
2. Purposes of collecting and using the data
2.1 The Provider processes the Personal Data on the basis of:
· consent to Personal Data processing;
· performance of the Agreement concluded between the User and the Provider;
· fulfillment of the statutory obligations; and/or
· protection of the legitimate interests of the Provider (e.g. for the purposes of direct marketing).
2.2 The Provider may use the Personal Data and information collected from the User for the following purposes:
· for the purpose of performance of the rights and obligations arising from the Agreement (i.e. for the purpose of provision of the Services through the Application). In such case, the Provider retains the Personal Data for the duration of the Agreement (i.e. for the period of using the Application by the User) and after its termination (i.e. after termination of using the Application by the User), for a period necessary for the resolution of eventual disputes and/or the exercise of his rights under the Agreement;
· for marketing and/or other business purposes. In such case, the Provider retains the Personal Data for a period necessary to fulfill the stated purpose.
2.3 The Provider shall retain the information and data, including the Personal Data, for the aforementioned period, unless a longer retention period is required or permitted by the law. After the expiry of the specified retention period, the Provider shall delete the Personal Data. Personal Data will be processed in an electronic form in an automated manner or in a printed form in a non-automated manner. The Provider does not perform automatic individual decision making within the meaning of Art. 22 of the Regulation.
3. Cookies, tracking technologies and the use of anonymous data
3.2 For internal analytical purposes regarding the use of the Services and their continuous improvement, the Provider may automatically record certain information when the User uses the Services, especially the:
· URL, IP address, browser type and language, hostname, screen resolution, location and time zone, device type, platform and date and time of the User’s use of the Services, as well as information on which part of the Application the User has used.
3.3 The Provider may also use any aggregated, non-personally identifiable data (i.e. data and information that do not allow for the identification of a specific individual), provided by the User or collected by the Provider in connection with the use of the Application and/or the Services by the User, for the purpose of the Provider’s own analytical, statistical, auditing or product and market research purposes.
4.1 The Provider shall not disclose the Personal Data of the Users to any third person, with the exception of:
· his server providers, payment transaction processors, legal, accounting, or tax service providers and/or IT specialists.
In such cases, the Personal Data will be provided only to the minimum (necessary) extent required. The Provider may authorize a third person to process the Personal Data (as a processor).
5.1 The User’s Personal Data is adequately protected against their loss, destruction, misuse, change, unauthorized disclosure, transfer and/or processing, through appropriate technical and organizational measures implemented in accordance with the state of technology, the costs of implementation and the nature, scope, context and purposes of processing, as well as the degree of risks for the rights and freedoms of individuals, including:
· the pseudonymisation and encryption of Personal Data;
· the ability to ensure an ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
· the ability to restore the availability and access to the Personal Data in a timely manner in the event of physical or technical incidents;
· regular testing, assessing and evaluating the effectiveness of the technical and organizational measures, put in place for ensuring the security of the data processing.
5.2 For achieving the appropriate level of security, the Provider has implemented especially the following technical and organizational measures, internal control systems and means of information security protection:
· anti-virus protection of devices,
· authentication procedures,
· limited access rights of employees,
· data encryption (SSL certificate),
· restrictions on storage, disposal of and/or liquidation of information and data,
· physical security of the premises (incl. safety entrance doors),
· regular back up, data recovery and incident management processes, etc.
6. Rights of Users
6.1 Right of access to Personal Data. The User is entitled to require information from the Provider, for example, on whether or not his Personal Data is being processed and, if so, he has the right to access information about the purposes of the processing, categories of Personal Data concerned, recipients or categories of recipients, etc. The User has the right to receive copies of the processed Personal Data. The right to obtain the copies, however, must not adversely affect the rights and freedoms of others.
6.2 Right to the rectification of Personal Data. The User has the right to rectification of inaccurate or incomplete Personal Data concerning him.
6.3 Right to the erasure of Personal Data (“the right to be forgotten”). In specific cases – for example, when the processed Personal Data is no longer needed for the set purposes – the User has the right to require the Provider to erase his Personal Data.
6.4 Right to restriction of processing. In certain situations, the User has the right to restrict the processing of Personal Data concerning him, such as in case he denies the accuracy of the Personal Data.
6.5 Right to data portability. The right to Personal Data portability applies only to cases when the Personal Data is provided by the User to the Provider (i) on the basis of the Agreement or consent, and (ii) the processing is carried out by automated means. When exercising the right to data portability, the Provider shall transmit the Personal Data to the User or to another data controller designated by him in a structured, commonly used and machine-readable format.
6.6 Right to withdraw consent. In situations when the processing is based on consent, the User may withdraw his consent to Personal Data processing at any time by email at firstname.lastname@example.org.
6.7 Right to object. If the Personal Data processing is performed for purposes of the Provider’s legitimate interests or for purposes of carrying out a task in the public interest or in the exercise of official authority, incl. automated decision making and/or profiling, the User has the right to object against the processing.
6.8 The User can exercise his rights on request at the e-mail address: email@example.com. The Provider will process the request as soon as possible, but not later than within one (1) month. The Provider is entitled to extend this period by up to two (2) months, if necessary and with regard to the complexity and the number of requests received. The Provider will inform the User about the extension.
6.9 All communications and representations (including handling of the Users’ requests) are provided free of charge. However, if the User’s request is clearly unreasonable or inappropriate, in particular if it would be repeated, the Provider will be entitled to charge a reasonable fee corresponding to the administrative costs associated with the provision of the requested information.
6.10 If the User considers that the processing of his Personal Data is in violation of the applicable laws, he has the right to file a complaint with the Office for Personal Data Protection (address: Pplk. Sochora 27, 170 00 Praha 7, e-mail: firstname.lastname@example.org).
Mgr. Michaela Peterková
Address: Prague 17, Řepy, Španielova 1312/54