PERSONAL DATA PROCESSING POLICY

TERMS AND DEFINITIONS

• Policy — this document, published on the website https://laflau.com/docs/personal-data.html.
• Personal Data — any information relating to the Data Subject.
• Data Subject — an identified or identifiable natural person (a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person).
• Processing — any action (operation) or set of actions (operations) performed on personal data, whether or not by automated means. Examples include the collection, recording, organization, structuring, accumulation, storage, adaptation or alteration, uploading, viewing, use, transmission, dissemination, or otherwise making data available, alignment or combination, restriction, erasure, or destruction of data.
• Company — Laflau, an entrepreneur Meleshko Vladislav (ICO: 17693489), operating in accordance with the laws of Czech Republic.
• Service — all pages of the website available at https://laflau.com, as well as mobile applications operated by the Company.
• User — a Data Subject who has provided their Personal Data to the Company in connection with (1) the use of the Service and/or (2) the receipt or provision of services via the Service.
• Seller — a User selling products via the Service.
• Purchaser — a User purchasing products via the Service for personal, non-commercial use.
• Recipient — a Data Subject designated by the Purchaser as the recipient of the product in cases where the Purchaser is not the recipient of the products.

A. CONTACTS

1. Should you have any inquiries, comments, or suggestions related to this Policy, please contact us at [email protected].

1. SUBJECT MATTER. APPLICATION

1.1. This Policy defines the procedure for processing and protecting Personal Data by the Company (the “Company,” “Laflau,” “we,” “us,” “our”), which is received (collected) by the Company from the Data Subjects (“you,” “your”): (1) when you use the Service, (2) when we provide services to you or you provide services to us, as well as in relation to (3) the activities carried out in accordance with the Company’s constituent documents, (4) entering into and performing any contracts and agreements to which either the Company or the Data Subject is a party, (5) exercising rights and performing obligations arising out of the employment relationships involving the Company, and (6) in other cases as stipulated by the applicable laws of Czech Republic or other regulations governing the processing of Personal Data, or by this Policy.

1.2. The Policy shall apply:

(1) to the Data Subjects (see Appendix 02 to this Policy for more details);

(2) to other persons, if their participation is required for the processing of Personal Data in case of transmitting the Personal Data by the Company to counterparties under personal data processing agreements, other agreements, and contracts (see Section 5 of the Policy for more details);

(3) irrespective of where we store or process your Personal Data.

2. WHAT PERSONAL DATA WE COLLECT AND PROCESS

2.1. We collect and process the following categories of Personal Data:

(1) Provided Data: data you provide to us. You provide data when signing up for the Service, filling out forms within the Service, or communicating with us via email, phone, messengers, or social media. We keep a record of such messages if you write to or call us.

(2) Usage Data: data we collect automatically. We automatically collect certain information when you visit, use, or navigate through the Service.

(3) Third-party Data: data we receive from third parties. We may receive information about you from other sources, including third parties, which help us to update, expand, and analyze our available data; prevent or detect fraud; process payments; or analyze your usage of the Service.

For more details on the Personal Data we collect and process for each category, see Appendix 01 to this Policy.

3. PROCESSING OF PERSONAL DATA. PURPOSES AND LEGAL GROUNDS

3.1. We process Personal Data for the following purposes: (1) ensuring the proper functioning of the Service, including cases where we provide services to you and/or you provide services to us, (2) entering into and performing existing contracts and agreements, (3) in cases provided by the applicable laws of Czech Republic or other regulations governing the processing of Personal Data, and (4) for other purposes.

3.2. We process Personal Data on the following legal grounds:

(1) Consent: We process your Personal Data with your express consent to the processing of the Personal Data for a specific purpose.

(2) Legitimate Interests: We process your Personal Data to the extent reasonably required to meet our legitimate business interests.

(3) Contract Performance: We process your Personal Data where it is required to perform the terms and conditions of the contract you have entered into with us.

(4) Legal Obligations: We process your Personal Data where it is required by law to comply with applicable laws, government requests, in the course of a court proceeding, in accordance with court rulings, or in the course of a legal process, e.g., in response to a court ruling or subpoena (including in response to requests from public authorities to comply with national security or law enforcement requirements).

For a list of specific purposes of the Personal Data processing, the legal grounds for such processing, and the categories of processed Personal Data, see Appendix 03 to this Policy.

4. RIGHTS OF THE DATA SUBJECTS

4.1. The Data Subjects have the following rights, including: (1) the right to access, (2) the right to data rectification, (3) the right to data erasure (the “right to be forgotten”), (4) the right to restrict processing, (5) the right to data portability, (6) the right to object, as well as (7) other rights stipulated by the applicable laws of Czech Republic or other regulations governing the processing of Personal Data, or by this Policy.

4.2. The Data Subjects or their representatives may exercise their rights by submitting a request using the details specified in Section A of the Policy, or in any other manner provided by this Policy.

4.3. If we are unable to identify the Data Subject who has submitted the request, we may request additional information to help us identify the Data Subject, e.g., information confirming the relationship between the Data Subject and the Company (contract number and date, other details), or other information confirming that the Company has processed the Personal Data of the Data Subject.

4.4. We may reject a request if required by the laws of Czech Republic or by legislative requirements that third parties we cooperate with must comply with. The reasons for rejection will be stated in our response.

4.5. You may file a complaint against our rejection with the local supervisory authority for data protection.

For a complete list of rights of the Data Subjects and their scope, see Appendix 04 to this Policy.

5. PROVISION (DISCLOSURE) OF PERSONAL DATA TO THIRD PARTIES

5.1. We provide (disclose) Personal Data to third parties if they are: (1) competent authorities, (2) Sellers, (3) providers, including partners, contractors, or agents providing services to us or on our behalf and requiring access to such information to perform their obligations, and (4) purchasers of the Company’s business/assets.

5.2. By accepting this Policy and providing us with your Personal Data, you give your consent to such provision (disclosure) of Personal Data. If you do not consent to such provision (disclosure) of Personal Data, you will be unable to use the Service.

For the list of third parties to whom we provide (disclose) Personal Data, the categories of provided Personal Data, and specifics of processing such Personal Data by third parties, see Appendix 05 to this Policy.

6. STORAGE OF PERSONAL DATA

6.1. We store your Personal Data for the periods specified in Appendix 06 to this Policy. The applicable laws of Czech Republic or other regulations governing the processing of Personal Data may provide for a longer storage period.

7. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES

7.1. The countries to which we or third parties we cooperate with transfer your Personal Data may not have data protection laws equivalent to those in your jurisdiction. In such cases, we take appropriate safeguards as stipulated by the applicable laws to ensure your data is adequately protected during its transfer outside your jurisdiction.

7.2. By accepting this Policy and providing us with your Personal Data, you give your consent to such transfer. If you do not consent to such transfer of Personal Data, you will be unable to use the Service.

7.3. If your jurisdiction is the European Economic Area (EEA), we may transfer your data outside the EEA to perform a contract/agreement entered into with you. During such data transfer, we (1) meet our legal and regulatory obligations; (2) take appropriate precautions, such as abiding by the standard contractual clauses on the protection of Personal Data. We will undertake all reasonable steps to ensure your data is securely processed in compliance with this Policy.

8. PERSONAL DATA OF MINORS

8.1. The Service is designed for a broad audience and may be used by minors. Minors may access certain public features of the Service and its content without having to provide us with Personal Data. However, minors wishing to access all the content and functionality of the Service must sign up. Signing up involves the collection of certain Personal Data. We may ask you to provide us with information and documents proving your age. If you are a minor, we may ask you to provide documents proving emancipation from parents or the legal consent of your parent or other legal representative.

8.2. Additionally, we use certain technologies, such as cookies (see Section 11 of this Policy), to automatically collect information on our Users (Purchasers) (including minors) when they visit or use the Service. We collect, process, store, and disclose data of minors in the manner provided by this Policy.

If you are a parent or other legal representative of a child and have become aware that your child has provided us with Personal Data, please contact us at the address specified in Section A of this Policy.

9. PROTECTION OF PERSONAL DATA

9.1. We use appropriate physical, electronic, managerial, and technical safeguards to ensure the security of all Personal Data that we process. However, we cannot ensure or guarantee the complete (absolute) security of your Personal Data that you transfer to the Service. While we do our best to protect your Personal Data, you should act responsibly when transferring your Personal Data to the Service. Please use the Service only in a secure environment, for instance, use firewalls, and choose a provider that encrypts traffic.

10. AUTOMATED DECISION-MAKING

10.1. We do not use automated decision-making processes, including User profiling, that rely on Personal Data.

11. USE OF COOKIES AND SIMILAR TECHNOLOGIES

11.1. See our Cookie Policy to learn more about how we use cookies and similar technologies and how you can control and/or opt out of such technologies.

12. AMENDMENTS

12.1. We may amend the Policy at any time. Any amendments we make to the Policy shall become effective upon the release of the revised Policy. Every new version shall supersede any prior version of the Policy. We advise you to frequently review the Policy to stay informed about how we collect, process, and protect your Personal Data.

Appendix

to the Personal Data Processing Policy

CATEGORIES OF COLLECTED AND PROCESSED PERSONAL DATA

Provided Data

• Data Type:

• Information required for interaction
• Contact and personal data
• Identity card details
• Financial information
• Service account data
• Seller’s data
• Data of employees of Laflau
• Data of candidates for vacancies of Laflau
• Data of natural persons with civil-law relations with Laflau
• Data of representatives/employees of Laflau counterparties
• Additional information
• Information on a minor

• Data Processed:

• Name, contact phone number, and/or email address
• Name, date of birth, language, contact phone, email, delivery address
• Copies of identity documents (passport, driver’s license) with full details (name, ID number, date/place of issue, issuing authority)
• Bank account and payment method details (upon request)
• Username, password, account settings, User-generated content
• Seller’s full name, document details, language, photo, address, taxpayer ID
• Employee and candidate data (name, contact info, qualifications, etc.)
• Data of third-party individuals and counterparties, additional information (e.g., recorded calls, saved correspondence)
• Minor’s data

Usage Data

• Data Type:

• Log and usage data
• Information retrieved from IT systems
• Information collected through cookies and similar technologies

• Data Processed:

• Device information, IP address, OS type, browser settings, language, timezone
• Logs of actions, visited pages, errors, location, URL requests, and unique user identifiers
• Data from access control systems and surveillance systems
• Additional data according to the Cookie Policy

Third-Party Data

• Data Type:

• Third-party services data
• Information from other sources

• Data Processed:

• Data from Google Ads, Google Analytics, Firebase, and others for analytics and personalized content
• Information from third parties to combat fraud and provide services

Appendix 02

to the Personal Data Processing Policy

DATA SUBJECTS. PROCESSED PERSONAL DATA OF DATA SUBJECTS

Data Subjects | Processed Personal Data

Purchasers, including minors

1. Provided data: Contact and personal data, financial information (upon request), Service account data, additional information, information on a minor if the Purchaser is underage
2. Usage data
3. Third-party data

Sellers

1. Provided data: Seller’s data, financial information, Service account data, additional information
2. Usage data
3. Third-party data

Recipients

1. Provided data: Contact and personal data, additional information

Potential Users (signing up for the Service but not using it)

1. Provided data: Contact and personal data, Service account data, additional information, information on a minor if a potential User (Purchaser) is underage
2. Usage data
3. Third-party data

Current or former employees of Laflau

1. Provided data: Data of the current or former employees of Laflau

Candidates for Laflau vacancies

1. Provided data: Data of the candidates for Laflau vacancies

Natural persons who have or had civil-law relations with Laflau

1. Provided data: Data of the natural persons who have or had civil-law relations with Laflau

Representatives or employees of Laflau counterparties

1. Provided data: Data of the representatives/employees of Laflau counterparties

Loyalty program members

1. Provided data: Contact and personal data, financial information (upon request), Service account data, additional information, information on a minor if the Purchaser is underage
2. Usage data
3. Third-party data

Parents of minors

1. Provided data: Information on a minor

Shareholders and founders of Laflau

1. Provided data: Contact and personal data, identity card details

Individuals who reached out to Laflau with inquiries, communications, applications, complaints, suggestions via contact information or feedback tools

1. Provided data: Contact and personal data, and, in rare cases, identity card details

Individuals involved in interviews, surveys, analytical and marketing studies related to Laflau operations

1. Provided data: Information required for interaction

Visitors to Laflau office spaces

1. Provided data: Information required for interaction

Appendix 03

to the Personal Data Processing Policy

PROCESSING OF PERSONAL DATA. PURPOSES AND LEGAL GROUNDS. CATEGORIES OF PERSONAL DATA

Usage Purpose | Data Category | Legal Ground

Creation (registration), maintenance, and management of a Service account. Registration and further signing in to the Service, including seamless authorization features. Identification of the account in automated management systems, such as CRM. Sending informational messages and push notifications related to Service operation (service notifications)

• Data Category: Provided Data, Usage Data
• Legal Ground: Contract performance

Entering into contracts with Users. Performance of terms and conditions of contracts entered into with Users, including provision of services, payment for services/orders, order fulfillment and management, provision of data to third parties for order fulfillment, communication during order fulfillment (providing order status updates, responding to inquiries, complaints, and providing support)

• Data Category: Provided Data
• Legal Ground: Contract performance

Membership in loyalty programs

• Data Category: Provided Data, Usage Data, Third-Party Data
• Legal Ground: Contract performance

Exercising rights and fulfilling obligations arising from employment relationships

• Data Category: Provided Data
• Legal Ground: Contract performance and legal obligations

Sending promotional/marketing messages. Presenting targeted advertising using cookies and similar technologies

• Data Category: Provided Data, Usage Data, Third-Party Data
• Legal Ground: Consent

Conducting promotional/marketing events

• Data Category: Provided Data
• Legal Ground: Consent

Sending information on amendments in terms and conditions, policies, agreements

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Sending information on new products/services/features

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Searching and selecting candidates for Laflau vacancies

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Conducting research and surveys. Requesting and posting feedback

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Developing new features, creating new products/services and offers

• Data Category: Provided Data, Usage Data
• Legal Ground: Legitimate interests

Collecting, processing, and presenting statistical data and other research based on anonymized Personal Data

• Data Category: Provided Data, Usage Data, Third-Party Data
• Legal Ground: Legitimate interests

Entering into, performing, and terminating civil-law contracts with third parties

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Carrying out activities provided for by Laflau constituent documents

• Data Category: Provided Data
• Legal Ground: Legitimate interests

Preventing misconduct, specifically fraud. Enhancing methods for combating fraud

• Data Category: Provided Data, Usage Data, Third-Party Data
• Legal Ground: Legitimate interests

1) Assessing and improving service quality
2) Identifying and preventing technical issues within the Service
3) Managing the Service in terms of internal operations, including fault searching and correction, data analysis, testing, research, statistics, and surveys
4) Ensuring optimal Service performance
5) Maintaining Service security and robustness

• Data Category: Provided Data, Usage Data, Third-Party Data
• Legal Ground: Legitimate interests

1) Providing responses during legal, regulatory, and arbitration proceedings
2) Responding to information requests received from public authorities or other third parties
3) Preventing damage in accordance with the law

• Data Category: Provided Data, Usage Data
• Legal Ground: Legal obligations

Appendix 04

to the Personal Data Processing Policy

RIGHTS OF THE DATA SUBJECTS

Rights of Data Subjects | What You May Do | How to Exercise Your Rights

Access to Personal Data

• What You May Do:

1. Obtain confirmation on whether your Personal Data are processed by us;
2. Obtain access to your Personal Data along with information on how we use it.

• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Rectify Incorrect Data

• What You May Do: Demand correction of any incomplete or incorrect Personal Data concerning you.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Object to Processing

• What You May Do: Object to the processing of your Personal Data if we process them under our legitimate interests.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Data Portability

• What You May Do: Under specific circumstances, request a copy of your Personal Data in a structured, widely-accepted, and machine-readable format.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Erase Data

• What You May Do: Under specific circumstances, request the deletion of your Personal Data, e.g., if they are no longer necessary for us, or you revoke consent that served as a basis for processing.
• How to Exercise: Use your account settings to delete your Personal Data. You may also opt out of promotional/marketing emails within your account settings or contact us at the address specified in Section A of the Policy.

Revoke Consent to Data Processing

• What You May Do: Withdraw consent for the processing of your Personal Data.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Restrict Processing

• What You May Do: Request the restriction or termination of collection, use, processing, and/or disclosure of your Personal Data.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

Opt-Out of Advertising/Marketing Messages and Targeted Advertising

• What You May Do: Opt-out of promotional mailings.
• How to Exercise: Use the unsubscribe link in any of our promotional emails, or opt-out of targeted advertising by disabling cookies as provided in Section 11 of the Policy. Alternatively, contact us at the address specified in Section A of the Policy.

Information on Data Transfer Precautions to Third Countries or International Organizations

• What You May Do: Ask us about the precautions taken.
• How to Exercise: Please contact us at the address specified in Section A of the Policy.

File Complaints

• What You May Do: File a complaint with the authority overseeing compliance with personal data protection laws regarding our collection and use of your Personal Data.
• How to Exercise: Please contact your local supervisory authority.

Appendix 05

to the Personal Data Processing Policy

THIRD PARTIES TO WHICH WE PROVIDE (DISCLOSE) PERSONAL DATA

1. Competent Authorities

1.1. We transfer and disclose Provided Data, Usage Data, and Third-Party Data. Personal Data is provided upon request and in compliance with the applicable laws.

2. Sellers

2.1. We transfer and disclose the Purchasers’ Provided Data to enable the Seller to fulfill their contractual obligations to the Purchasers.

3. Service Providers

3.1. Payment acceptance and invoicing service providers

3.1.1. We only transfer and disclose Provided Data to the mentioned providers upon their request. If you do not engage payment acceptance and invoicing services within the Service, we will not share Provided Data with them.

3.1.2. We neither collect nor store your credit card information. Such information is provided directly to our payment acceptance and invoicing service providers. Their use of Provided Data for payment processing is governed by their privacy policy.

3.2. Data storage service providers

3.2.1. We store Provided Data, Usage Data, and Third-Party Data at the Scaleway Data center Paris 1 (France, Paris).

3.3. Telecommunication Service Provider

3.3.1. We transfer and disclose Provided Data to telecommunication service providers.

3.4. Advertising Platforms and Applications

3.4.1. We transfer and disclose Usage Data. The advertising platforms we use allow us to optimize and display ads based on Service usage data, such as tracking Usage Data, including cookies.

3.5. Marketing and Analytics Platforms

3.5.1. We transfer and disclose Usage Data, including cookies, for web and mobile analytics purposes, as well as to personalize content within the Service: for example, to offer you only those of our services that might be of particular interest to you.

Platforms

Google Analytics; Firebase

Usage Purpose

1. Tracking the Service traffic and the behavior of Users (Purchasers) within the Service.
2. Analyzing usage of the Service by the Users (Purchasers) to improve its performance and manage ad placement according to their interests and preferences.

Who Stores and Processes Data

Google LLC, Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States.

Where to Find the Service Privacy Policy (if available)

https://policies.google.com/privacy

How You Can Opt Out

1. For Google Analytics: by installing the browser plugin https://tools.google.com/dlpage/gaoptout.
2. For Firebase: by adjusting device settings, such as mobile advertising settings.

3.6. Review Aggregators

3.6.1. We transfer Provided Data for the purpose of requesting reviews related to the operation of the Service.

4. Purchasers of the Laflau business/assets

4.1. We transfer and disclose Provided and Usage Data in relation to any merger, acquisition, sale of the Laflau assets, financing, or purchase of all or a portion of the Laflau business/assets by another company, or in the course of negotiation regarding any of the above.

5. Affiliated companies

5.1. We transfer and disclose the Provided Data, Usage Data, and Third-Party Data to affiliated companies to the extent required for achieving the objectives outlined in the Policy.

6. Other suppliers and partners

6.1. We may transfer and disclose Provided Data, Usage Data, and Third-Party Data to other suppliers and partners with which we enter into agreements for the purposes set out in the Privacy Policy.

Appendix 06

to the Personal Data Processing Policy

STORAGE PERIOD OF PERSONAL DATA

• Purchasers, including minors: Throughout the entire period of Service usage and for 96 months following the most recent use of the Service or the completion of the most recent order, whichever comes later.
• Sellers: Throughout the entire period of Service usage and for 96 months following the most recent use of the Service or the completion of the most recent order, whichever comes later.
• Recipients: 96 months after the completion of the most recent order.
• Potential Users (you sign up for the Service but do not use it thereafter): 96 months after signing up for the Service.
• Laflau current or former employees: Term of the employment contract, and for 96 months after its termination, unless the laws of the applicable jurisdiction provide for a longer period.
• Candidates for Laflau vacancies: For 96 months after the receipt.
• Natural persons who have or had civil-law relations with Laflau: Term of the contract, and for 96 months after its termination, unless the laws of the applicable jurisdiction provide for a longer period.
• Representatives or employees of Laflau counterparties: Term of the contract, and for 96 months after its termination.
• Members of loyalty programs: 96 months after the termination of membership in the loyalty program.
• Parents of minors: Symmetrical to the minor’s data storage period.
• Laflau shareholders and founders: Throughout the term of being a shareholder/founder, and for 96 months after the cessation.
• Natural persons who have reached out to Laflau with inquiries, communications, applications, complaints, suggestions using contact information or feedback tools: 96 months after the cessation of communication with such a person.
• Natural persons involved in the interviews, surveys, analytical and marketing studies related to Laflau operations: 96 months after the receipt.
• Visitors to Laflau office spaces: 96 months after the receipt.

Release date: 04.11.2024