Personal data processing policy of the Stavario online application

version 1.1.

  1. Introduction and identification of the controller

This document presents the Principles of Personal Data Processing for customers and users of the Stavario online application, operated by Vím o všem s.r.o., Company ID: 06935338, with its registered office at Smetanova 1249/6, 419 01 Duchcov, Czech Republic (hereinafter referred to as the “Company” or the “Controller”). The Company is a personal data controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation; hereinafter referred to as the “GDPR”). These principles apply both to customers – entrepreneurs (B2B) and consumers (B2C) – and to all natural persons who use the Stavario application or otherwise come into contact with us.

The aim of this document is to explain in a clear manner what personal data about you as a data subject (i.e. an identified or identifiable natural person) our company collects and processes when providing services, selling products, operating the website and the Stavario online application, and when communicating with you as an existing or potential customer. You will also learn for what purposes and on what legal basis we use your data, to whom we may transfer it, what rights you have in connection with the processing and how long we store your data. We always carry out all processing of personal data in accordance with applicable personal data protection legislation, in particular Regulation (EU) 2016/679 (GDPR; in Poland also referred to as RODO), Act No. 110/2019 Coll., on the processing of personal data, and relevant Polish legislation in the field of personal data protection. You can be sure that we handle your personal data with due care and respect the highest standards of their protection.

  2. What data do we collect?

We only process such personal data as are necessary for the fulfillment of the stated purposes and the provision of our services. We collect in particular data that you provide to us as part of registration, conclusion of a contract or use of the application, or data obtained from your use of our services. The application also processes data of third parties, i.e. end customers of users of the Stavario online application. Where the processing of such personal data takes place outside the Company's sphere of influence, the specific user of the Stavario online application is always responsible for the proper processing of these persons' personal data and for informing them about its use. We typically process the following categories of personal data (including examples):

  1. Basic identification and address data. In particular, name, surname, business name (company name), date of birth, business registration number, tax identification number, permanent residence, registered office or business address, or correspondence or billing address, and possibly your (electronic) signature. This data is necessary, for example, for concluding and fulfilling a contract and for unambiguous identification of the customer.
  2. Contact details. In particular, your e-mail address, telephone number, or contact address or address of your social media profile. This data is used to ensure communication with you. Please note that the main communication channel with our company is usually e-mail (or telephone in justified cases specified in the terms of the contract), therefore we actively use your contact details to send information related to the use of the service.
  3. User account data. Login data required to access the application (username, password in encrypted form) and possibly other settings of your account. We manage this data to secure your account and enable you to log in and work in the Stavario application.
  4. Service usage and transaction data. Information about the services and licenses you have ordered or used, about transactions and payments you have made. This includes, for example, data about the type and specification of the service or product provided, the extent of use of the services, their price, payment history and payment habits (data about invoice payments, or amounts owed and reminders). This data is generated during the use of our services and is necessary for billing services and managing the contractual relationship. If you specify a payment card as a payment method, the data is processed within the framework of the selected payment method for the purpose of fulfilling the contract.
  5. Communication and interaction data. Records of mutual communication between you and our company, whether in person, by phone or in writing (email correspondence, technical support chats, etc.). This also includes data about your use of our website and the Stavario application, such as logs of activity in the system, preference settings, data about the device from which you log in, etc. Thanks to this data, we can better respond to your requests, solve any problems and improve the quality of our services (e.g. by adapting the functionality to your needs). In the case of a B2B relationship, this also includes recordings of telephone communication.
  6. Technical data. When you use our website and application, certain technical data is automatically collected. This includes, in particular, the IP address of your device, cookie identifiers, information about the browser and operating system used, access times and activity logs on our server. This information may be considered personal data under certain circumstances, as it can be assigned to a specific user. It is used primarily to ensure system security, prevent unauthorized access and for statistical purposes. Details about cookies and similar technologies are provided in section 7 below.
  7. Data processed based on your consent. This is data that we do not necessarily need for our activities to fulfill a contract, legal obligations or legitimate interests, but we process it if you voluntarily give us your consent. Based on your consent, we process in particular:
  • data necessary for marketing purposes – for example, your contact details if you agree to receive commercial communications (newsletters, offers, etc.) or personalized advertising,
  • biometric signature data, if you use the option to electronically sign a document in the application. When electronically (digitally) signing documents within the Stavario application, we may process your biometric signature (recording your handwritten signature using a touch device). We process this data only on the basis of your explicit consent and it is used to enable the conclusion of a contract or other document remotely. (Note: After the document is concluded, we may store an imprint of your electronic signature for possible proof of validity and conclusion of the contract – see below for processing purposes.)
  3. How we use the data (purposes and legal bases of processing)

We use personal data for clearly defined purposes, based on one of the legal grounds under the GDPR. In practice, this means that we process your data either (i) to perform a contract with you or to take steps prior to entering into a contract, (ii) to comply with our legal obligations, (iii) on the basis of our legitimate interest, or (iv) on the basis of your consent. Specifically, we use your personal data for the following purposes:

  1. Provision of our services and performance of the contract. We primarily process data in order to be able to conclude and subsequently properly perform the service provision contract with you (license to use the Stavario application). This includes, in particular, enabling your registration and account creation, providing access to the online application, storing your data in the cloud and ensuring the functionality of the services according to the license agreement. (Legal basis: performance of the contract.)
  2. User account management and customer support. We use your data to establish and maintain your account in the application (including securing access using your login details) and to provide technical support or customer service if you contact us with a question or problem. This category also includes communication regarding updates, changes or maintenance of the Stavario system. (Legal basis: performance of the contract.)
  3. Communication with customers. We use your contact details for ongoing communication related to the provision of services. This may include, for example, sending notifications regarding the operation of the application, notification of the approaching expiration of the license, answers to your questions, resolution of complaints, etc. This communication is necessary for the proper provision of the service and customer care. (Legal basis: performance of the contract; in some cases, the company's legitimate interest in maintaining good customer relations.)
  4. Ensuring the functionality and security of the application. We also process your data (in particular technical information about the device and activity) for the purpose of maintaining and improving the technical functioning of our software. We monitor the performance and load of the system, detect and eliminate errors or potential security threats. These activities are necessary to ensure the availability, integrity and confidentiality of data within the Stavario service and to protect our systems and users from misuse. (Legal basis: the company's legitimate interest in ensuring the security and quality of services.)
  5. Invoicing and fulfillment of legal obligations in the field of accounting and taxes. We use personal data (identification and payment) to issue and record tax documents, process received payments, keep accounts and fulfill obligations towards tax authorities. We retain data (e.g. on invoices) for the period specified by law for accounting and tax record purposes. (Legal basis: performance of the contract and fulfillment of legal obligations.)
  6. Fulfillment of other legal obligations. In some cases, we are obliged to process and store your data on the basis of specific legal regulations. This may include, for example, the obligation to store certain documents for a specified period, the obligation to provide cooperation to courts, criminal prosecution authorities or supervisory authorities, etc. If the law requires us to store or transfer your data, we do so only to the extent and in the manner specified by the relevant legal regulations. (Legal basis: fulfillment of a legal obligation.)
  7. Debt collection and legal disputes. If you do not pay for our services properly and on time or if we have another claim against you, we may use your data to collect it (out of court or in court). We may also process your data necessary to defend our rights and claims in the event of a legal dispute, complaint, etc. (for example, to prove what contract was concluded with you and under what conditions). (Legal basis: the company's legitimate interest in protecting its rights and property.)
  8. Prevention of fraud and misuse of services. In the event of suspicion of illegal conduct, fraud or other misuse of our application by a user, we may process the necessary data to investigate such conduct and take appropriate measures (e.g. account restrictions or blocking). We may also keep internal records of customers who have seriously violated contractual terms or caused damage to the company in the past in order to protect our legitimate interests in the future. (Legal basis: the company's legitimate interest in preventing fraudulent conduct and securing its services.)
  9. Offer and promotion of our services to existing customers. If you are our customer, we may use your contact details and information about the services you use to send you information about our new services or special offers (as well as offers of suitable services or offers from our business partners) that may be of interest to you. We send such commercial communications to a reasonable extent based on our legitimate interest in promoting similar services, within the limits set by Act No. 480/2004 Coll., on certain information society services. Each e-mail of this type from us will contain a simple opt-out option in case you are no longer interested in further messages. The display of offers and promotions within the Stavario online application depends on the type of license chosen; such in-application offers and promotions cannot be opted out of and can only be excluded by agreeing to a higher form of license. (Legal basis: legitimate interest of the company – direct marketing to existing customers.)
  10. Sending newsletters and commercial communications based on consent. In other cases (e.g. if you are not our customer or if required by law), we ask you for your consent to send marketing messages. If you give us your consent, we will send you newsletters, product offers, invitations to events and other commercial information electronically. Consent is voluntary and you can withdraw it at any time (see your rights below). We will not send you commercial communications without your consent, unless another legal option or authorization to do so applies. In the case of end customers of the Stavario online application, the user is required to obtain such consent before entering their personal data into the Stavario online application. Based on the concluded contract and the obligations it imposes on the user, the company is entitled to expect that the user has obtained such consent; a user of the Stavario online application who has not obtained it is solely responsible for that failure. (Legal basis: your consent.)
  11. Content and advertising personalization. In order to provide you with the best user experience and functionality of the Stavario online application, we may use data about your use of the application and the website to adapt the content we display to you and to personalize offers or advertisements. This may include, for example, recommendations of features that you might find useful based on the way you use the service, or displaying targeted advertising for our products or our partners' products according to your preferences. If we use cookies or similar tools for such personalization, we comply with applicable legal regulations. In cases where your consent is required (e.g. for the use of marketing cookies or advanced analysis of your behavior for advertising purposes), we perform personalization only with your consent. In other cases, we proceed from our legitimate interest in improving and targeting services. In any case, you always have the option to refuse personalized offers or adjust your cookie settings (see section 7 below). (Legal basis: legitimate interest, or consent – depending on the nature of the personalization.)
  12. Analysis and development of new functionalities. We also process data on the operation of the application, on how users use the functions and related statistics internally for the purposes of analyzing and evaluating how our services work and how we can improve them in the future. These analyses help us decide on new functions and optimize existing processes to make the Stavario application as user-friendly and efficient as possible. For these purposes, we mainly use aggregated or anonymized information that no longer identifies you as an individual. (Legal basis: the company's legitimate interest in improving services.)
  13. Enabling electronic signing of documents. Within the Stavario application, we offer you the possibility to conclude certain contracts or other documents electronically using a so-called biometric signature. For this purpose, we may process your captured signature sample (electronic signature fingerprint) on a touch device. We perform such processing only if you give us your consent during the signing process. We will use your biometric signature exclusively to complete the contract or document being signed and to verify its validity. After the document is concluded, we may retain the biometric signature data for possible proof of authenticity and conclusion of the contract, which represents our legitimate interest – protection of the company's rights in the event of a dispute. (Legal basis: your consent; subsequent retention for evidentiary purposes – legitimate interest of the company.)
  4. Who do we share data with (recipients of personal data)

We do not disclose your personal data to any third parties for their own marketing purposes, nor do we sell it. However, as part of our activities, we use the services of several external partners who provide us with certain professional services – we transfer your personal data to them to the necessary extent. We always ensure that each such entity meets high standards of personal data protection and we have concluded a written personal data processing agreement with them (pursuant to Article 28 of the GDPR), which guarantees that your data will also be safe with our partners. The main categories of recipients of your data include:

  1. Processors – service providers for the company. These are specialized external companies that provide us with support or additional services necessary for the operation of Stavario and our business activities. These include in particular: IT service providers (server operation and management, cloud data storage, email and communication software, technical support of the system), providers of analytical and marketing tools (e.g. tools for traffic analysis or advertising targeting), payment service providers and banks (for processing payments and bank transactions), external accountants and tax advisors (for bookkeeping and tax affairs), legal representatives and collection agencies (for debt collection or legal representation in the event of a dispute), or external sales representatives (if we use business partners to offer our services in certain regions). These processors process data only according to our instructions and for the purposes defined above.
  2. Public authorities. We may also provide your personal data to the necessary extent to state authorities, if we are required to do so by law. This may include, in particular, the transfer of data to criminal authorities (police, public prosecutor's office), courts, tax authorities or supervisory authorities (e.g. the Office for Personal Data Protection) – however, always only on the basis of their legal authority and within the limits of legal regulations.
  3. Other persons for lawful reasons. In certain circumstances, we may share your data with other entities if this is necessary to protect our rights or property, or the rights and safety of other persons. This may include, for example, providing data on suspicious activities to specialized consulting firms for the purpose of detecting fraud, etc. However, we will only make such a transfer if there is an appropriate legal basis for it (e.g. our legitimate interest in detecting illegal activity).
  4. Legal successors of the company. In the event that our company or a substantial part of it is sold in the future, merged with another company or otherwise transferred, your personal data may be transferred to the new owner or successor entity. In such a case, we will ensure that the new controller respects this Policy and applicable personal data protection laws, and you will be informed of any change of controller in a timely manner in accordance with the law.

The company takes care to maintain confidentiality and security when transferring your data. We transfer to each recipient only the data necessary to fulfill the given purpose and we require them to protect personal data at least in the same way as we do. The processors are mainly located in the Czech Republic or in other European Union countries. We do not transfer your data to third countries outside the EU, unless the recipient has met additional measures under the GDPR (for details, see section 9 below).

  5. How to manage your data – your rights

As a data subject, you have a number of rights in relation to the processing of your personal data by us, which are guaranteed to you by the GDPR and other legal regulations. Below we have listed your basic rights, together with an explanation of what they mean and how you can exercise them. Please note that some of your rights are not absolute and their exercise may be limited in justified cases (e.g. we may refuse a request to delete certain data if its processing is still required by a legal obligation). However, we will do our best to accommodate you and will always inform you of the outcome of your request. Your rights include:

  1. Right to access personal data. You have the right to request confirmation from us as to whether we are processing your personal data and, if so, to obtain access to such data, including a copy of all personal data we hold about you. You also have the right to be informed of the details of the processing – in particular the purposes for which we use the personal data, the categories of personal data concerned, the recipients to whom we disclose the data, the planned retention period, the source from which we obtained the data (if we did not obtain it from you) and, where applicable, whether automated decision-making, including profiling, is being carried out. (See Article 15 GDPR.)
  2. Right to rectification of inaccurate data. If you find that we are processing outdated, incomplete or incorrect data about you (e.g. you have changed your surname, address, etc.), you have the right to request its correction or completion. We will make the correction without undue delay as soon as you notify us. (See Art. 16 GDPR.)
  3. Right to erasure (“right to be forgotten”). In certain circumstances, you may ask us to erase your personal data. You have such a right if one of the following reasons applies: (i) the data is no longer necessary for the purposes for which it was collected or processed; (ii) you withdraw your consent to the processing of data that we process solely on the basis of your consent and there is no other legal ground for the processing; (iii) you object (see below) to processing carried out on the basis of our legitimate interests or for direct marketing purposes and we find that our interests no longer override or that we no longer need the personal data for these purposes; (iv) it is established that our processing of the personal data is unlawful; (v) erasure is necessary for compliance with a legal obligation under EU or Member State law to which we are subject.

Please note that in some cases we cannot comply with your requests for erasure – in particular if further processing of your data is necessary for compliance with our legal obligations (e.g. archiving of accounting documents), for the establishment, exercise or defence of our legal claims, for the exercise of the right to freedom of expression and information, for scientific or historical research purposes or statistics, or for another similarly important reason. In such cases, we will inform you why we cannot erase the data and on the basis of which exception we continue to store your data. (See Article 17 GDPR.)

  4. Right to restriction of processing. This right allows you to temporarily “block” the processing of your data in certain situations. You can request restriction of processing if (i) you dispute the accuracy of your personal data – for a period of time until we verify its accuracy; (ii) we are processing your data unlawfully but you do not want to erase it and instead request restriction of use; (iii) we no longer need your data for the stated purposes, but you require it for the establishment, exercise or defence of legal claims; or (iv) you have objected to processing (point 7 below) – until we have verified whether our legitimate grounds override yours. During the restriction of processing, we may continue to store your data, but we may not carry out any other operations on it, unless you have given your consent or legal claims require it. We will of course inform you in advance of the lifting of the restriction. (See Article 18 GDPR.)
  5. Right to notification of rectification, erasure or restriction. You have the right to be informed by our company if we rectify, erase or restrict the processing of your personal data. Therefore, if you have asked us to rectify, erase or restrict it and we do so, we will inform all specific recipients to whom the data may have been disclosed (if this is possible and does not involve disproportionate effort). Upon your request, we will also inform you of the recipients to whom your data has been disclosed. (See Article 19 GDPR.)
  6. Right to data portability. Where we process your personal data by automated means based on your consent or for the performance of a contract, you have the right to receive this data from us in a commonly used, machine-readable format (e.g. CSV) and to transmit it to another data controller. If technically feasible, you may also ask us to transmit your data directly to another data controller as specified by you. (See Art. 20 GDPR.)
  7. Right to object. You have the right to object at any time to the processing of your personal data that we carry out on the basis of legitimate interests (see above). If we receive such an objection, we must stop processing your data, unless we demonstrate compelling legitimate grounds for continuing (which outweigh your interests and rights), or if the processing is necessary for the establishment, exercise or defence of legal claims. You can also object to the processing of your data for direct marketing purposes – in which case we will always stop using your data for marketing purposes (for e-mailing purposes). (See Article 21 GDPR.)
  8. Right to withdraw consent. If we process some of your data based on your voluntary consent, you have the right to withdraw this consent at any time. Withdrawal of consent does not have retroactive effect – i.e. processing carried out before the withdrawal remains valid – however, it means that we will no longer process your data for the given purpose. Consent can be withdrawn in the same way as it was granted (e.g. by clicking on the unsubscribe link in the e-mail, by unchecking the relevant option, by sending an e-mail, etc.). In case of doubt, you can contact us and we will advise you. Withdrawal of consent may have a negative impact on your use of our basic services; it will certainly mean that we will no longer be able to provide you with some additional functions (e.g. newsletter, personalized offer, etc., if consent was required for them). (See Art. 7(3) GDPR.)
  9. Right to lodge a complaint with a supervisory authority. If you believe that we are processing your personal data in breach of applicable law, you have the right to lodge a complaint with a supervisory authority. The supervisory authority in the Czech Republic is the Office for Personal Data Protection (contact address: Pplk. Sochora 27, 170 00 Prague 7, website: www.uoou.cz). This option applies to Czech consumers and Polish entrepreneurs with regard to the applicable law. In the case of Polish consumers in the Republic of Poland, you can contact the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, https://uodo.gov.pl). Alternatively, if you are a consumer, you can lodge a complaint with a supervisory authority in another Member State of the European Union, in particular in the country of your usual residence or employment. However, we recommend that you always use our internal solutions first and contact us with any complaints – we care deeply about your satisfaction and respect your privacy, so we will do our best to correct any shortcomings. (See Article 77 GDPR.)

To exercise your rights, please contact us by email or in writing at the company contacts listed below (see the end of Section 5 and Section 12). We will process your requests without undue delay, but no later than 1 month from receipt of your request (in exceptional and complex cases, we may extend the period by up to two months, of which we will inform you). Exercising your rights is free of charge, except for manifestly unfounded or unreasonable requests, in which case we may charge an administrative fee or refuse to comply with the request in accordance with the GDPR. Please note that before processing your request, we may request reasonable verification of your identity in order to prevent unauthorized access to your data (e.g. by verifying the email from which you are requesting or by further authentication). You can exercise your rights by contacting the Controller in the following ways:

Email address: info@stavario.com

Address for written requests: Vím o všem s.r.o., Smetanova 1249/6, 419 01 Duchcov, Czech Republic

We will respond to your requests or questions regarding the processing of personal data as soon as possible.

  6. Automated processing and decision-making

When processing personal data in our company, there is no automated individual decision-making that would have legal effects on you or otherwise significantly affect you within the meaning of Article 22 GDPR. In other words, we do not use your data to make decisions about you based solely on automated (algorithmic) evaluation without human intervention. All key processes that could affect your rights and obligations (e.g. conclusion of a contract, its termination, application of sanctions for breach of conditions, etc.) are always assessed by our authorized employees.

We may use partially automated procedures, for example, to analyze your use of the application or personalize content, as described above, but none of these automated processes create legal consequences for you or significantly affect you – they serve primarily to improve user comfort and the efficiency of the service.

In the event that we implement fully automated decision-making in the future that significantly affects you (e.g. automatic assessment of creditworthiness for the provision of a service, etc.), we will do so only in accordance with the terms of the GDPR. This includes your right to request human intervention in an automated decision, the right to express your opinion and the right to challenge the decision. We will inform you in advance of any such intention and will amend this Policy to include the necessary information.

The company uses its own artificial intelligence (AI) systems within the Stavario online application to streamline selected processes and improve the quality of the services provided. These AI systems automatically process content that users upload to the system (for example, photos from the construction process).

However, AI systems do not make legally binding decisions without human review. All outputs generated by these systems are subject to professional supervision. In addition, the user always has the opportunity to intervene in or modify these outputs. Such use of AI is fully compliant with the requirements for personal data protection under the applicable EU legislation and the Member State in whose territory the Company offers the Stavario online application.

  7. Cookies and similar technologies

Cookies are small text files that our website or application stores on your end device (computer, phone) when you visit or use them. Similar technologies include pixel tags (web beacons) or local browser storage. We use these technologies to ensure the functionality and convenience of our website and application, to monitor their performance and for marketing purposes.

We use different types of cookies within our services:

  1. Strictly necessary cookies. These cookies ensure the proper functioning of the website and application and cannot be turned off, otherwise the site would not work at all (e.g. cookies to keep you logged in, set preferences, secure your account, etc.). We do not require your consent to use them, as they are necessary to provide the requested service.
  2. Analytical cookies. They help us understand how visitors interact with our websites and applications. They provide us with anonymized statistics on traffic, performance of individual functions, and sources of visits. We use this data to improve our services and user experience. We often use third-party services (e.g. Google Analytics) to process the data for us in aggregate form.
  3. Marketing cookies. These cookies track your preferences and activities to enable us or third parties to show you relevant content and targeted advertising. They may remember that you have visited our site and, for example, show you advertisements for our services on other websites. We only use these cookies with your consent.

When you first visit our website, you are warned about the use of cookies and can manage your preferences (agree only to some types of cookies). You can change your cookie settings at any time later - either by using our tool (you can find the link on the website in the Cookie Policy section), or by adjusting the settings directly in your web browser. Most browsers allow you to block or delete cookies from your device - you can find details in your browser's help. However, please note that if you disable some (especially necessary) cookies, the website or application may not function properly or some functions may not be available to you.

Third-party cookies. Our website may also set cookies from our partners – for example, analytics providers (Google, or others) or social networks (Facebook, Instagram, LinkedIn, etc.) – if you use our features linked to these platforms. These cookies are subject to the management and policies of the respective third parties. We do not have access to data from third-party cookies and we recommend that you familiarize yourself with the privacy policies of these providers.

For more detailed information about what specific cookies we use, for what purposes and how to manage them, please see our separate Cookie Policy document, which is available on our website.

  1. Personal data security

The protection of your personal data is an absolute priority for us. We have implemented technical and organizational measures in accordance with Article 32 of the GDPR to ensure that your data is safe with us and cannot be lost, misused or accessed without authorization. Key measures include in particular:

  1. Technical security of IT systems. We operate our servers and databases in a secure environment with limited access. We use modern encryption protocols (e.g. HTTPS/TLS) for data transmission to prevent eavesdropping on communications between you and us. We store data in systems protected by firewalls and antivirus protection, we regularly back up important data and store backups separately with high security.
  2. Access control. Only authorized company employees (or verified processors) have access to your personal data, and only to the extent necessary according to the "need-to-know" principle. Every employee with access to personal data is contractually obligated to maintain confidentiality. We have strict internal rules that determine what data can be processed and under what conditions, and by whom.
  3. Data Protection Training and Policy. We regularly train our employees in data protection and cybersecurity to keep them up to date with the latest threats and data protection best practices. We have internal guidelines and procedures in place to ensure GDPR compliance, including security incident procedures.
  4. Testing and updating. We continuously test, evaluate and update our security measures in response to technological developments. We strive to prevent emerging risks by working with IT security experts and conducting audits or tests of our systems when necessary.

Although we do our utmost to protect your data, the security of data transmission via the Internet or storage of data in electronic form cannot be guaranteed 100%. We are aware that certain residual risks always exist. However, we do everything within our power to minimize the risks. In the unlikely event of an incident (leakage or breach of personal data security), we have procedures in place to immediately resolve the situation. If the incident is likely to pose a high risk to your rights and freedoms, we will inform you immediately and comply with the reporting obligation to the supervisory authority pursuant to Articles 33 and 34 of the GDPR.

  1. International data transfers

We process your personal data mainly in the Czech Republic and within the European Union. Within the EU, a uniform level of personal data protection applies according to the GDPR, and your data therefore does not leave the European Economic Area (EEA) unless necessary.

Should we need to transfer some of your data for processing to a “third country” outside the EU/EEA (for example, if we use a cloud provider or service based outside the EEA), we will only do so in accordance with Chapter V of the GDPR. This means that we will always provide one of the following safeguards:

  1. Decision on adequacy. We will only transfer personal data abroad if the country in question guarantees an adequate level of personal data protection based on a decision by the European Commission (i.e. the country is on the list of so-called safe countries).
  2. Standard Contractual Clauses. If the recipient is located in a country that does not have EU “safe country” status, we will ensure contractual data protection using EU Standard Contractual Clauses (SCCs) or similar binding rules approved by the relevant authorities. These contractual obligations oblige the recipient of the data to comply with strict data protection requirements as if they were subject to the GDPR.
  3. Additional safeguards under GDPR. If necessary, we can also use other means, such as binding corporate rules for multinational corporations, certification mechanisms, or exceptions for specific situations (e.g. the need for transfer for the performance of a contract with you).

You have the right to request further information from us about the transfer of your data to a third country and the safeguards adopted. If you would like to receive a copy of the relevant standard contractual clauses or information about which countries your data may have been transferred to, please contact us as set out in Section 5 above. However, we do not currently systematically transfer your personal data outside the EU/EEA - all significant processors we use are based in the EU or in countries with equivalent protection of personal data. If we intend to transfer your data outside the EEA in the future, we will inform you in advance in this updated Policy or when collecting your data.

  1. Responsibility for data entered by the user (B2B processing)

A specific situation occurs if you, as a user, store personal data of third parties in our Stavario application – typically this can be within a company account, when an entrepreneur (our customer) enters data of his employees, colleagues, clients or other persons into the system. In such a case, our company plays the role of the processor of this personal data and you (or your company) play the role of the personal data controller. This entails certain obligations for you, as a customer (controller):

  1. Lawfulness of processing. You are obliged to ensure that all personal data of third parties that you enter into the application are processed in accordance with applicable personal data protection legislation, in particular the GDPR (in the Czech Republic, Act No. 110/2019 Coll. and in Poland, the relevant provisions of the GDPR or the rules set by the supervisory authority UODO). This includes, in particular, the obligation to have an appropriate legal basis for each such processing operation (e.g. performance of a contract with the person concerned, legitimate interest, legal obligation or consent of the data subject).
  2. Information obligation and consent of data subjects. If required by law (typically in cases of processing based on consent), you, as a user of the Stavario online application, must obtain prior consent from the third parties concerned to the processing of their data within the Stavario application, or at least properly inform them that you will store their data in the system and for what purpose. In particular, if you enter the e-mail addresses of your employees or clients into the application and at the same time activate them to receive messages or notifications from our system (e.g. sending contractual or commercial communications via the application - see Article 8.4 of our Terms and Conditions), you are obliged to ensure that the persons concerned consent to such use of their contact data, if consent is legally required. Similarly, when using cookies and similar technologies within the application (e.g. if the application uses cookies to personalize content for your users), you are responsible for ensuring that your users have been informed of such processing and, if necessary, have given their consent (if legally required). The above also applies to uploaded content (especially photos).
  3. Restrictions on data entry. You may not store personal data in the system that you do not have the appropriate authorization to process. In particular, you may not upload sensitive personal data of special categories (such as health data, biometric or genetic data, data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, etc.) to the application unless you have the express consent of the data subject or another legal title pursuant to Article 9 of the GDPR. Furthermore, you may not share or store personal data of third parties through the application in violation of their personality rights (e.g. upload documents or photographs containing personal data without the consent of the persons concerned, if such consent is required by law).

The company Vím o všem sro is not responsible for the processing of personal data that a user (customer) enters into the Stavario application in their name and in their user account. In other words, for all processing of personal data of third parties that occurs on the basis that you, as our customer, upload it to the system, you are primarily responsible towards these third parties. In such a case, our company acts as a processor and processes the data exclusively for you and according to your instructions for the purpose of providing our service. We will of course protect your data and process it confidentially, however, you, as the customer, are legally responsible for fulfilling the obligations of the controller (for example, for providing information to data subjects, for the lawfulness of processing instructions, responding to requests from data subjects, etc.). We have expressly regulated this fact in our contractual terms and conditions (License Agreement) and your agreement to these principles and the Contractual Terms and Conditions means that you acknowledge and accept your position as the controller of the personal data entered into the application.

In summary, if you use Stavario to store personal data of other individuals, you undertake to comply with all obligations arising from the GDPR and related laws so that the rights of these individuals are not violated. Our company provides you with the necessary cooperation in this regard - it processes personal data securely and only according to your instructions, and at the same time allows you to fulfill your obligations towards data subjects (e.g. deletion or correction of data at your request). If your use of the Stavario application results in a breach of obligations under the Personal Data Protection Act, you, as the data controller of the third parties, will be liable for such breach.

  1. Data retention period

We store personal data in a form that allows identification of data subjects only for the period strictly necessary and in accordance with the principles set out in Article 5 of the GDPR (in particular the principle of storage limitation). The retention period may vary depending on the category of data and the purpose of the processing. We respect the statutory archiving periods set out in the relevant legal regulations and do not store data longer than is actually necessary for the given purpose. Below are the main periods for the retention of personal data:

  1. Customer data (identification, contact, contractual data). We process basic personal data associated with your customer account and the concluded contract for the duration of the contractual relationship (for the duration of using our services). After the termination of the contract (e.g. cancellation of registration, termination of the license agreement), we continue to store your data for the period necessary to protect our legitimate interests and fulfill our obligations under legal regulations. Typically, we archive this data for 10 years from the end of the year in which the contract was terminated, unless the legal regulation stipulates a longer period. This ten-year archiving results mainly from the requirements of the Accounting Act and the VAT Act, which impose on us the obligation to store accounting documents and records for a period of 10 years. At the same time, it is a reasonable period in terms of the limitation periods of any legal claims (the general limitation period according to the Civil Code is 3 years, in some situations it may be longer, for example for compensation for damage, however, 10 years is the maximum period for which claims related to our contractual relationship could arise in practice). In exceptional cases, such as ongoing litigation, complaints or other proceedings, we may retain relevant data for the entire duration of such litigation/proceedings and until the expiry of the relevant periods after its conclusion.
  2. Data in accounting and tax documents. We store invoices, accounting books, VAT records and other documents that may contain your personal data (e.g. name and address on the invoice) in accordance with legal regulations for a period of 10 years from the end of the accounting period to which they relate. This obligation arises from the Accounting Act, the VAT Act and other tax laws. After this period, we will ensure the destruction or deletion of these documents containing personal data.
  3. Communications and interaction records. We typically retain email correspondence, technical support chat records, and other customer communications for the duration of the contract and then for 1-3 years after its termination (general limitation period for claims under the contract). This period is derived from the expected length of any follow-up dialogue (e.g., resolving additional requirements after the termination of the contract) and from our legitimate interests in preserving evidence of the communication in case of future disputes. If the communication is relevant to the exercise of legal claims (e.g., contains an important agreement or acknowledgement of debt, etc.), we may retain it for the duration of the applicable limitation period (see above up to 10 years).
  4. Marketing data. If we process your contact details for the purpose of sending commercial communications based on your consent, we will do so for the period specified in the consent, or until you withdraw your consent. If you withdraw your consent or object to further marketing, we will immediately stop using your data for these purposes. However, we may retain basic information to a reasonable extent that you did not wish to be contacted - to ensure that you are no longer addressed by mistake (e.g. by including your email address on an internal "blacklist"). This information is retained for this purpose only. If we process marketing contacts based on our legitimate interest (see above - existing customers), then we will use them for the duration of the contractual relationship and a reasonable period after its termination (usually 1-3 years), unless you object earlier.
  5. Cookie data. The retention period for cookies varies depending on the specific type. Session cookies are temporary – they are stored only for the duration of your visit and are deleted after you close the browser. Persistent cookies remain stored on your device even after the visit ends (to remember your settings on your next visit) – however, they have a set maximum lifespan, after which they are automatically deleted. This period usually ranges from several days to several months, most often around 6–12 months. We list the specific expiration periods for individual cookies in the Cookie Policy on our website. For third parties (Google, etc.), we follow their set periods. We usually store logs from our server containing IP addresses and other technical data for several months (typically 6 months) – these logs are used for security audits and solving technical problems.

After the above periods have expired and if there is no other legal reason or legitimate interest for further processing, we delete or anonymize personal data. Deletion means that we permanently delete the data from our active databases and backups (as soon as technically possible). Anonymization means that we process the data in an aggregated or depersonalized form that no longer allows you to be identified (we may continue to use such anonymized data, for example for statistical purposes, without it being personal data anymore).

Please note that in some cases your data may be stored in backups of our systems even after they have been deleted from the production database - however, backups are used exclusively to ensure data recovery in the event of a crash and are unavailable for normal processing in the meantime. Even in backups, your data is subject to the principle of storage limitation and is regularly restored and deleted as part of the backup cycle.

  1. Contacts with supervisory authorities

If you would like to file a complaint or contact the authorities regarding the processing of personal data, we provide the contact details of the relevant supervisory authorities in the Czech Republic and Poland:

Office for Personal Data Protection (Czech Republic) – registered office: Pplk. Sochora 27, 170 00 Prague 7, Czech Republic; website: www.uoou.cz; e-mail: posta@uoou.cz; tel.: +420 234 665 111.

Personal Data Protection Office (Poland) – registered office: ul. Stawki 2 (note: from 2019 temporarily ul. Stanisława Moniuszki 1A), 00-193 Warszawa, Poland; website: www.uodo.gov.pl; e-mail: kancelaria@uodo.gov.pl; tel.: +48 606 950 000. (The Polish supervisory authority is competent in particular for data subjects residing in Poland or for complaints concerning activities on the territory of Poland.)

You can contact the above-mentioned supervisory authorities if you believe that your personal data protection rights have been violated. However, as stated, we would be happy if you first provide us with the opportunity to correct the problem - protecting your privacy is important to us and we will try to correct any errors to your satisfaction.

  1. Changes to this policy and their effectiveness

The law and our services may evolve over time, so we reserve the right to update or change this Policy from time to time. If we assess the change as material (especially if it could significantly affect your rights or obligations), we will notify you in advance in an appropriate manner - for example, by e-mail to your address or in the form of a message/notification in our application. The current version of the Policy will always be available on our website (in the Personal Data Protection section). We recommend that you regularly review the current version. By continuing to use our services after the effective date of any updates, you acknowledge such new version.

This Privacy Policy is valid and effective as of January 31, 2026 (version 1.1).
Previous versions of this document are available from the company upon request.