Last Updated on October, 24, 2024
1. Basic provisions
1.1 This Policy has been prepared by ReWio s.r.o., with registered office at Karpatské námestie 10A, Bratislava - mestská čast' Rača 831 06, Slovak Republic, ID No.: 56 262 361, registered in the Commercial Register of the District Court Bratislava III, Section: Sro, File No.: 178735/B (hereinafter referred to as the "Operator").
1.2 The Operator is the operator of the rewio.app web portal and the ReWio mobile application (hereinafter referred to as the "Web Portal / Mobile Application"). The Web Portal includes any and all websites operated on and accessible from the Web Portal or Mobile Application.
1.3 The purpose of this Policy is to provide concise, transparent, understandable and easily accessible information regarding the processing of personal data of Users of the Rewio Web Portal and Mobile App.
1.4 This Policy is an integral part of the Terms and must be read and interpreted together with the Terms. In the event of a conflict between the Terms and this Policy, this Policy shall prevail.
1.5 This Policy is drafted in accordance with Articles 13 and 14 of the GDPR.
2. Definitions and interpretation
2.1 Capitalised words used in this Policy shall have the following meanings:
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
Unregistered User means any natural person who uses the Web Portal / Mobile Application and who has not created an account on them (has not registered) and, for the purposes of Article 7 of the Policy, also any natural person who uses the Operator's pages on social networking platforms;
The Terms are the General Terms and Conditions of Use and Terms and Conditions for Users of the Website, available here: https://rewio.app/terms-and-conditions;
Registered User means a user of the Web Portal / Mobile Application who has created an account (registered) on them;User means a Registered User and/or a Non-Registered User;
Act is Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Additions to Certain Acts, as amended;
Contract is primarily a contractual relationship concluded between the Operator and the Registered User, the subject of which is the provision of the Operator's services or products to the Registered User and from which the Operator and the Registered User both derive certain rights and obligations. The contract shall also be understood to include registration for the Web Portal / Mobile Application;
Profiling means any form of automated processing of personal data which consists of the use of such personal data to evaluate certain personal aspects relating to the User.
2.2 The User is a data subject within the meaning of the GDPR.
3. Purposes of the processing of personal data
3.1 The Controller processes the User's personal data for the following purposes: registration on the Web Portal and creation of an account on the Web Portal;
registration in the Mobile Application and creation of an account in the Mobile Application;
use of any services and functionalities of the Web Portal / Mobile Application;
fulfilling the legal obligations of the Operator in the field of tax administration, accounting and registry;
keeping records and handling litigation and other legal proceedings, which the Operator pursues in particular to prove, assert or defend its legal claims;
keeping records of mail received and sent.
4. Legal basis for the processing of personal data
4.1 The Controller processes Users' personal data on the legal bases set out in this Article 4 of the Principles.
4.2 Legal basis of consent (Article 6(1)(a) GDPR).
4.2.1 The Controller processes personal data for the purpose of carrying out direct marketing, sending commercial communications by all available means, including electronic means of communication (newsletters) in relation to Users. For these purposes, the Controller processes the User's personal identification data in the following range: e-mail address.
4.2.2 The User may unsubscribe from the newsletters at any time by clicking on the unsubscribe link located at the footer of each email that the User receives from the Operator. The User may also notify the Operator of his/her decision to unsubscribe by email to support@rewio.app
4.3 Legal basis for the performance of the contract (Article 6(1)(b) GDPR)
4.3.1 The Controller processes personal data for the purpose of the necessity of the performance of the subject matter of the Contract or the necessity of the performance of measures prior to the conclusion of the Contract, including the handling and registration of complaints.
4.3.2 The provision of personal data by the Registered User when registering and creating an account on the Web Portal / Mobile Application is a necessary requirement for the conclusion of the Contract, failing which the Operator cannot create an account and conclude the Contract.
4.3.3 For these purposes, the Operator processes the Registered User's personal identification data in the following scope (the scope of the processed data may vary depending on the specific Contract): email address, telephone number, username, location, debit or credit card number, IBAN and other information provided by the Registered User when concluding the Contract.
4.4 Legal basis for compliance with a legal obligation (Article 6(1)(c) GDPR)
4.4.1 The Controller processes personal data for the purpose of the necessity of fulfilling its legal obligations specified in particular in Act No. 431/2002 Coll. on Accounting, as amended, Act No. 222/2004 Coll. on Value Added Tax, as amended, Act No. 595/2003 on income tax, as amended, Act No. 563/2009 Coll. on tax administration (Tax Code) and on amendment and supplementation of certain acts, as amended, Act No. 395/2002 Coll. on archives and registers and on supplementation of certain acts, as amended.
4.4.2 The provision of personal data by the Registered User is a necessary legal requirement, in the event of failure to provide such data, the Operator cannot enter into a Contract with the Registered User or, in the event of its conclusion, would not be able to fulfil its legal obligations.
4.4.3 For these purposes, the Controller processes personal identification data and personal data for billing purposes to the extent specified in Article 4.3.3 of the Policy.
4.5 Legal basis of legitimate interests (Article 6(1)(f) GDPR)
4.5.1 The Controller processes personal data for the purposes of the legitimate interests of the Controller or third parties. The legitimate interests of the Controller are the protection of the safety and interests of the Users, the protection of the Controller's property, the prudent conduct of the Controller's business, the promotion of the Services, the Controller's goodwill and reputation.
4.5.2 In connection with the aforementioned legitimate interests, the Operator processes personal data for the purpose of keeping records and handling litigation and other legal proceedings, which the Operator pursues in particular to prove, assert or defend its legal claims, as well as keeping records of the mail received and sent.
4.5.3 The Controller specifically notifies that the legitimate purpose of the Controller and third parties is also the processing of personal data in connection with the implementation of direct marketing, i.e. market research and the sending of commercial communications to Registered Users, the implementation of targeted marketing on social networks (e.g. through the tools of Facebook Inc.), the raising of awareness of the Controller and its services in the online space, including Profiling, by all means, including electronic means of communication. Market research includes evaluation of the Operator's activities in connection with the operation of the Web Portal / Mobile Application, data on the use of the sent commercial communications and subsequent outputs. Processing on this legal basis and for this purpose only takes place if a Contract has been concluded between the User and the Operator.
4.5.4 For these purposes, the Operator processes personal identification data in the range of first name, surname, email address, telephone number and other data provided by the Registered User when concluding the Contract.
5. Rights of the User as a data subject
5.1 The User may, at any time, in connection with the processing of his/her personal data by the Controller, exercise his/her rights set out in this Article 5 of the Principles in the form of a request to the Controller. In such a case, the Controller is obliged to provide the User with information on the measures taken on the basis of her request without undue delay, but at the latest within 1 month. The Operator may extend this period by a further 2 months, in which case it shall inform the User of any such extension within 1 month of receipt of the request, together with the reasons for missing the deadline.
5.2 Right to withdraw consent (Article 7 GDPR). If personal data is processed on the legal basis of the User's consent, the User has the right to withdraw his/her consent at any time without affecting the lawfulness of the processing based on the consent given prior to its withdrawal.
5.3 Right of access to personal data (Article 15 GDPR). The User has the right to obtain confirmation as to whether the Controller is processing his/her personal data and, if so, the right to access such personal data. The User also has the right to be provided with all the information within the scope of this Policy, and the Controller shall update this Policy regularly.
5.4 Right to rectification (Article 16 GDPR). The User has the right to rectification of the personal data that the Controller processes about him/her, without undue delay. The User also has the right to have incomplete personal data completed.
5.5 Right to erasure/forgetting (Art. 17 GDPR). The User has the right to erasure of the personal data processed by the Controller about him/her without undue delay. However, the right to erasure is not absolute and it is necessary that at least one of the grounds within the meaning of Article 17(1) of the GDPR is met, or the Controller is not obliged to erase such personal data in the cases referred to in Article 17(3) of the GDPR.
5.6 Right to restriction of processing (Article 18 GDPR). The User has the right to have the Controller restrict the processing of his/her personal data under the conditions set out in Article 18 GDPR.
5.7 Right to portability (Art. 20 GDPR). The User has the right to obtain the personal data he has provided to the Controller in a structured, commonly used and machine-readable format and has the right to transfer this personal data to another controller if he has provided his personal data on the basis of consent and this personal data is processed by the Controller by automated means.
5.8 Right to object (Article 21 GDPR). The User has the right to object to the processing of personal data processed by the Controller about him/her if such processing is carried out on the legal basis of the performance of a task carried out in the public interest or for legitimate purposes of the Controller or third parties, including objecting to Profiling based on these legal bases. The User also has the right to object to the processing of personal data processed by the Data Controller about him/her for direct marketing purposes, including Profiling.
5.9 Right in relation to automated individual decision-making, including Profiling (Article 22 GDPR). The User has the right not to be subject to a decision which is based solely on automated processing, including Profiling, and which has effects which concern him or her or similarly significantly affect him or her.
5.10 Right to institute proceedings (Section 100 of the Act). The User has the right to bring a data protection proceeding under Section 100 of the Act if he believes that the Controller is processing his personal data in breach of the GDPR or the Act. The motion to initiate proceedings pursuant to the preceding sentence shall be filed with the Office for Personal Data Protection of the Slovak Republic, with its registered office at Hraničná 12, 820 07 Bratislava. More information is available on the web portal of the Office for Personal Data Protection of the Slovak Republic (https://dataprotection.gov.sk/uoou/).
6. Recipients of personal data
6.1 The Data Controller may provide the User's personal data to other natural or legal persons, public authorities or international organisations.
6.2 In particular, the Data Controller provides the User's personal data to the following categories of recipients:Controlling or controlled entities and other entities in the horizontal or vertical hierarchy of the Controller's organisational structure;business partners of the Controller;the Operator's legal, tax, accounting and IT advisors;entities providing cloud solutions and services and other entities providing or supplying technology and support for the functionality of the Web Portal/Mobile Application; andentities providing marketing activities (including social media service providers for targeted marketing and awareness of Operator and its services in the online space to the extent provided for in this Policy), data analytics activities and/or archiving services for Operator.
6.3 In addition to the above categories of recipients, the Operator also provides the User's personal data to recipients who process advertising and other cookies. These recipients process the User's personal data only if the User consents thereto, whereby the User is also entitled to give consent only to certain recipients and is entitled to withdraw his/her consent at any time.
6.4 The Controller may provide certain cookies (e.g. marketing cookies ) to third parties in return for payment for their own targeted marketing purposes. Such cookies are anonymised and the third party cannot identify the data subject from them.
7. Use of social networking platforms
7.1 The Operator uses certain social networking platforms to communicate with the User and to promote itself and its services. The Operator processes personal data using these platforms in various ways, as follows:
7.1.1 Pages. The User's personal data is used by the Operator when the User posts content or otherwise interacts with the Operator on the Operator's official pages on Facebook, Instagram, LinkedIn, Twitter, TikTok and other social networking platforms. The Page Insights service for Facebook, Instagram and LinkedIn is also used by the Operator to display statistical information and reports relating to the User's interactions with the pages managed by the Operator on these platforms and their content. If these interactions are recorded and form part of the information accessed by the Operator through these Page Insights services, the Operator is a joint processor with the relevant social network platform.
7.1.2 Event data for ad targeting. When targeting Users on social networks, the Operator may also use data provided by the User. "List-based" targeting occurs when the Controller uploads pre-existing lists of personal data (e.g., email addresses or phone numbers) so that the social network provider can match them with information on the social network to create a target group for displaying ads. In this case, the Controller is a joint processor with the relevant social network platform.
7.1.3 Controller's relationship with Facebook and LinkedIn. As the Controller is a joint controller with these platforms for certain types of processing operations (i.e. Pages services, including page statistics and list-based targeting), the Controller has entered into a contract with Facebook and LinkedIn. Facebook, which is the joint controller of the User's personal data, is Facebook Ireland Limited, with registered office at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). LinkedIn, which is the joint data controller of the User's personal data, is LinkedIn Ireland Unlimited Company, based at Wilton Place, Dublin 2, Ireland ("LinkedIn"). Further information about these platforms and their use of the User's personal data is available here:The Facebook Operator's Addendum for Page Statistics is available at this link:
https://www.facebook.com/legal/terms/page_controller_addendum and the Facebook Operator's Addendum for Business Tools is available at this link: https://www.facebook.com/legal/controller_addendum.
The LinkedIn Operator Addendum for LinkedIn Insights is available at this link:
https://legal.linkedin.com/pages-joint-controller-addendum.
The Operator may also use the Web Custom Audience service provided by Facebook to manage audiences for advertising campaigns or measurement and analytics services where Facebook processes personal data on behalf of the Operator to measure the performance and reach of the Operator's advertising campaigns and provides the Operator with reports on Users who have seen and responded to the Operator's advertising campaign. In such cases, the Operator uses Facebook as an intermediary, and the following legal safeguards are used by the Operator to process the User's personal data:
https://www.facebook.com/legal/terms/businesstools and https://www.facebook.com/legal/terms/dataprocessing.
8. Registration and login via third party services
8.1 Registration on the Web Portal / Mobile App is also possible via third-party login services. In this case, no special registration on the Web Portal / Mobile App is required and, if the User chooses this type of registration, the respective third party automatically provides the Operator with the User's personal data to the extent necessary for registration on the Web Portal / Mobile App, to the Operator.
8.2 Registration pursuant to Article 8.1 of the Policy is possible through accounts set up by Apple Inc., Google LLC and Facebook Inc.
9.Retention period of personal data
9.1 The Controller retains the User's personal data for a period of time, the length of which varies depending on the category of personal data, the legal basis or the purpose of the processing of the personal data. In general, the Controller shall retain the User's personal data for the following periods:
specified in generally binding legal regulations in the event that the personal data is processed on the legal basis of necessity for the performance of legal obligations;
the duration of the Contract or pre-contractual relations, if the personal data are processed on a legal basis and for the purpose of fulfilling the subject matter of the Contract;
the continuation of the legitimate interests of the Controller or third parties; orexpressly stated in the User's consent or until the consent is withdrawn.
10. Transfer of personal data to third countries
10.1 The Controller may transfer the User's personal data to third countries, i.e. countries outside the European Union or the European Economic Area. In the case of transfer of personal data to third countries, the Controller shall always undertake to ensure a sufficient level of protection of the User's personal data.
10.2 The Controller shall not transfer personal data to third countries that do not guarantee adequate protection of personal data.
11. Special provisions
11.2 The Registered User may publish and share various personal data and other content in the form of contributions (e.g. photographs) on the Web Portal / Mobile App, which will be accessible to the public.
12. Cookies
12.1 Cookies are small text files that are stored by the web browser or application on the User's computer or other device such as a mobile phone or tablet when visiting the Web Portal / Mobile Application. Among other things, cookies allow the Web Portal / Mobile Application to recognize the User's device and remember certain information about the User's sessions during the connection. Cookies remember the type of web browser used or the settings chosen, which remain the default settings when the User revisits the Web Portal / Mobile Application, improving the User's experience.
12.2 The Operator uses cookies primarily to ensure the smooth functionality of the Web Portal/Mobile Application and to improve the provision of its services on the Web Portal/Mobile Application and the User's browsing experience on the Web Portal/Mobile Application. For these purposes, the Operator uses third-party cookies.
12.3 The legal basis for the processing of the User's personal data by means of cookies is the User's consent. The User may revoke the consent granted at any time, either directly on the Web portal or also on the pages http://www.aboutads.info/choices or http://www.youronlinechoices.eu.
12.4 The User can block cookies in his web browser or delete cookies from his device. If all cookies are blocked by the User, the Web Portal may not function properly for the User or some functions of the Web Portal may not be accessible at all.
13. Final provisions
13.1 The Operator reserves the right to change this Policy (in particular due to legislative changes) without the User's consent. In such case, the Operator shall publish a new full version of the Policy on the Web Portal and Mobile Application, which shall replace the previous version of the Policy in its entirety and which shall be effective as of the effective date specified in the new version of the Policy, but not earlier than 14 days after the date of publication of the new version of the Policy (hereinafter referred to as the "Effective Date").
13.2 If the User continues to use the Web Portal / Mobile Application and its services after the Effective Date, the User agrees to the new version of the Policy without reservation.
13.3 In case of any questions regarding this Policy, the User may contact the responsible person of the Operator at the email address support@rewio.app or in writing to the address of the Operator's registered office at ReWio s.r.o., Karpatské námestie 10A, Bratislava - mestská čtvrt' Rača 831 06, Slovak Republic.
13.4 This Policy was drawn up on 24.10. 2024.