We only process your personal data in accordance with existing data protection legislation. This includes, but is not limited to, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”) and applicable national data protection legislation.
What categories of personal data do we process?
To provide the Services, the Company processes the following categories of personal data:
(i) Personal data necessary for the creation of your user account, i.e. your username, password hash and email address, and additionally also the personal data necessary for processing payments received from you, i.e. your bank account details (the “Account Data”).
(ii) The Company may collect and process the categories of certain data specified below in connection with the operation of a password management system (the “System”) available to its customers as local storage solution offering various customer services; these services are defined in more detail in our Terms and Conditions available via the following link and relate in particular to free of charge version of PASSWD (Limited PASSWD) (the “Services”). The Company does not choose or determine the types of personal data that are submitted to the Services and in most cases they will not classify as personal data. However, such personal data may include information about the user of the service (the “Local Data”). The encryption of any Local Data is secured by the Company. Access to the Local Data is strictly limited; only Company’s staff and authorised customer’s employees in accordance with internal DMS business logic are permitted to access the Local Data.
(iii) Personal data concerning your logs and the functionality of your account (the “Website Data”).
For what purposes is personal data processed?
When processing your personal data, the Company is acting either:
(i) In the capacity of a data controller determining the following purposes for which and the manner in which your personal data (Account Data and Website Data) are processed:
- (a) The creation and administration of your user account, the provision of customer support or other communications with you relating to the services (legal basis under Article 6(1) letter b) of the GDPR: contractual performance);
- (b) Advertising and marketing purposes (legal basis under Article 6(1) letter f) of GDPR: legitimate interest);
- (c) Determination and enforcement of the Company’s legal claims (legal basis under Article 6(1) letter f) of the GDPR: legitimate interest); and
- (d) Compliance with legislation under Article 6(1) letter c) of the GDPR.
(ii) In the capacity of a data processor processing personal data (Local Data) for the following purposes on behalf of customers:
- (a) The Provision of Services – data storage, external communications regarding customer orders, addressing technical or service issues (legal basis: processing necessary for contractual performance).
If necessary, the Company will ask you for permission to process your personal data.
When do we collect data?
Your personal data is obtained directly or indirectly from you when you choose to use the services form the Company. In this case, you provide your personal data on a voluntary basis. Specific cases of non-disclosure of personal data may lead to the inability of the Company to provide services.
Your personal data may be collected under the following scenarios:
- (i) When you create your user account and when you interact with us via our contact details or social media platforms (Account Data);
- (ii) When you use the Services and submit and/or modify, create or otherwise work with the personal data within the Services (Local Data);
- (iii) When you are logged into the platform providing services and browse the website or alter any of your settings (Website Services).
Our services are aimed at users older than eighteen (18) years of age. Any collection of data pertaining to individuals younger than fifteen (15) years of age is carried out unwittingly.
With whom do we share personal data?
In order to provide you with the requested services, depending on the respective category, your personal data may be provided to the following third parties:
(i) Local Data may be processed in encrypted form only via:
- (a) A limited number of third-party service providers – those ensuring the provision of the services provided by the Company, in particular software service providers, customer service providers or other technical operations and data storage providers (the “Service Providers”). Only if necessary may these parties access and process personal data during the course of providing their services.
(ii) Other personal data, such as certain Account Data, may be provided to:
- (b) Service Providers;
- (c) Tax advisors, professional advisers (e.g. auditors, lawyers), including the employees of such persons;
- (d) Entities providing payment services; and
- (e) Social media providers – using the services of the Company together with a social network may require the Company to share your personal data with social media providers.
How long is your data retained?
We retain your personal data for the period of time necessary to fulfil the purposes of processing as defined above, i.e. all your data will be erased after the deletion of your user account, unless the Company has a legal obligation or legitimate interest to preserve such personal data for a longer period (for example, to protect the Company from legal claims); in such cases the Company will inform the respective data subject and warrant that it will guarantee the confidentiality of such personal data and will no longer actively process such personal data.
When providing our services for free, we are entitled to delete your account and associated personal data upon the termination of the provision of the services.
Is your personal data secured?
In accordance with best practices, we employ appropriate technical and organisational measures in order to ensure proper security measures, confidentiality and the integrity of personal data (including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss, alteration or damage, unauthorised disclosure or access to personal data). The Company regularly monitors compliance with these measures. We strictly limit who is allowed to access such information and we keep the number of authorised individuals to a minimum. In addition, we maintain physical and cyber safeguards, such as the partial encryption of data, server protection devices, and software to negate the possible loss, misuse or alteration of your data.
Your personal data may be transferred for processing and storage to third countries outside the European Union or European Economic Area (“EEA”) through Google cloud solution. These countries may apply different privacy rules than the Czech Republic, European Union or EEA. The Company has put in place appropriate contractual and other measures to protect your personal data when personal data is transferred to third parties located in other countries.
In the event of cross-border transmission of data from the EEA to countries where the European Commission declares insufficient levels of personal data protection, the controller ensures that appropriate measures are taken, including ensuring that data recipients are bound by EU standard contractual clauses to protect your personal data. A copy of these measures can be requested from the administrator via email at: email@example.com. In order to learn more about such contractual clauses, please visit the European Commission information website, https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en.
You have the following rights in relation to your data:
(i) to require access in order to correct or delete your personal data, as well as to restrict its processing; however, your right to delete or restrict processing is applicable only if the Company is not required to process it on another legal basis (i.e. compliance with a legal obligation);
(ii) depending on the extent of the processing of your data in order to manage your user account and comply with any contracts, you are entitled to the portability of your personal data; and
(iii) to object to the processing of your personal data processed with a legitimate interest, as well as objecting to processing for marketing purposes.
If you wish to exercise your rights above or have any questions regarding the processing of your personal data, please contact the Administrator by email at: firstname.lastname@example.org. You are also entitled to file a complaint with the Office for the Protection of Personal Data (www.uoou.cz), which is the relevant data protection authority in the Czech Republic.