Tietosuojakäytäntö

Reservio recognizes that Users, Partners, End Customers, and others who visit the Website, available at www.reservio.com, the Customer Application (i.e., the mobile application through which End Customers can order or reserve a Partner Service), and the Marketplace Website, available at www.reservio.cz and www.reservio.sk, value their privacy. This document (hereinafter referred to as the “Privacy Policy”) contains important information pertaining to our processing of personal data.

We would therefore like to inform you about the principles and procedures for the processing of personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the “GDPR”).

The Privacy Policy is one of the core documents along with the General Terms and Conditions, available here, and the Reservio Terms of Service for End Customers available here (collectively, the “Terms and Conditions”).

Note: In the event of any discrepancies between the English and Czech language versions of this Privacy Policy, the English version will prevail.

This document uses certain terms with initial capital letters. The definition of these terms is set out in the Terms and Conditions.

I. BASIC INFORMATION

Identification and contact details of the Controller: Reservio, s.r.o., business ID No. 29376033. Detailed contact details for Reservio are available here (hereinafter referred to as “Reservio”), contact e-mail: support@reservio.com.

Data Protection Officer: No Data Protection Officer has been appointed as we are not an obliged entity under Article 37 of the GDPR.

Transfer of personal data to a third country or international organization: If Reservio transfers your personal data to countries outside the European Union, compliance with Article 44 et seq. of the GDPR is always ensured and we require data processors to fulfil all obligations arising from these provisions. We will only transfer data to countries outside the European Union that are able to ensure the level of protection under the GDPR. This level of protection is ensured, in particular, by an adequacy decision issued by the EU Commission or by standard data protection clauses in accordance with Article 46(2)(c) of the GDPR.

Reservio will not transfer personal data to third countries or international organizations, except to the following processors based in the USA:

Twilio Inc., 375 Beale Street, Suite 300, San Francisco, CA 94105, which runs the SendGrid service. This processor ensures an adequate level of personal data security that complies with the GDPR, https://sendgrid.com/en-us/resource/general-data-protection-regulation-2. In addition, this processor has Data Privacy Framework certification.
OpenAI, L.L.C., 3180 18th St, San Francisco, CA 94110. This processor ensures an adequate level of personal data security that complies with the GDPR, see https://openai.com/policies/data-processing-addendum/.

Automated individual decision-making: Reservio will not use profiling or automated individual decision-making within the meaning of Article 22 of the GDPR.

Information on the nature of disclosure: Where personal data are processed for the performance of an agreement or legal obligation, the provision of the data is a legal requirement. Where personal data are processed on the basis of the data subject´s consent, the provision of the data is a contractual requirement.

Supervisory authority: The supervisory authority is an independent public authority competent for the protection of personal data in the country. The supervisory authority in the place of Reservio´s registered office is the Office for Personal Data Protection, having its registered office at Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, tel.: 234 665 125.

A. RESERVIO BOOKING SYSTEM AND RESERVIO MARKETPLACE

In providing the RESERVIO Booking System service and the RESERVIO Marketplace service, Reservio is qualified both as a personal data controller and as a personal data processor.

1. Reservio as the personal data controller

Reservio acts as a personal data controller in relation to the personal data of Users (if they are individuals or representatives of Users). The Partner is also considered a User.

Why do we process personal data?

Reservio processes, not by way of limitation, the following personal data for the purpose of fulfilling an agreement (in particular, concluding the agreement, communicating with the User) or performing legal obligations (in particular, bookkeeping, issuing and recording tax documents): name, surname, business name, identification number, tax identification number, place of residence/place of business, telephone, e-mail. The legal basis for processing in this case is Article 6(1)(b) of the GDPR – performance of an agreement and Article 6(1)(c) of the GDPR – performance of legal obligations.

As part of our performance of the agreement, we also send educational e-mails to Users that contain instructions, tips or information about advanced features of the RESERVIO Booking System. The purpose of these communications is to allow Users to use the RESERVIO Booking System more efficiently. Educational emails never contain marketing communications from Reservio or any third party.

Reservio processes the following personal data based on its legitimate interest (providing direct marketing – sending commercial communications): e-mail, telephone number. The legal basis for processing in this case is Article 6(1)(f) of the GDPR – legitimate interest.

Processing by Reservio of personal data in addition to those specified in this Article, or for other purposes, requires a validly granted consent to the processing of personal data. Consent to the processing of personal data must be given on a separate document.

We will not process special categories of personal data within the meaning of Article 9 of the GDPR or personal data relating to criminal convictions and offences within the meaning of Article 10 of the GDPR.

For how long do we process your personal data?

Personal data of Users are processed for the duration of the contractual relationship and subsequently for a maximum of 10 years after the termination of the contractual relationship. Personal data processed for the performance of obligations arising from specific laws and regulations are processed for the period required by the applicable legislation. Where the use of personal data is necessary to protect our legitimate interests, Reservio processes personal data for the period necessary to exercise these rights.

Where do we obtain personal data from?

We obtain personal data directly from data subjects when concluding agreements. We always inform data subjects which personal data are required for the purpose of the particular agreement.

2. Reservio as the personal data processor

Reservio provides the User with data space for storing data operated within the RESERVIO Booking System service and the RESERVIO Marketplace service on Reservio servers. The stored data may also include personal data of individuals. As far as the personal data that will be stored on our servers (End Customers who make a reservation) are concerned, we qualify as a data processor. The controller of these personal data in this case is the User themselves.

Notice to End Customers

Use of the RESERVIO Booking System or RESERVIO Marketplace may be subject to the policies and rules of the User, if applicable. If you provide your personal data to a User, please address any questions about privacy directly to the User who is qualified as the data controller. We cannot be responsible for the privacy policies or security practices employed by Users, which may differ from this Privacy Policy.

What is the purpose of the processing and how do we handle the data?

Reservio will not perform any operations with the User´s data, including personal data, except for storing them on Reservio´s servers, will not interfere with them in any way, change them, make them available or transfer them to third parties (except for their disclosure to state authorities in accordance with the law), unless otherwise stipulated in the concluded agreement. The sole purpose of handling such personal data is their storage and potential disclosure to the User.

What personal data do we process?

We only process the personal data of End Customers that were filled in the RESERVIO Booking System or RESERVIO Marketplace. This may include, by way of example and in no way limited: name, surname, e-mail, telephone.

For how long will your personal data be processed?

Reservio processes personal data for the duration of the contractual relationship with the User. After the User cancels the account, all data will be deleted.

B. PERSONAL DATA OF END CUSTOMERS WHEN REGISTERING IN THE CUSTOMER APPLICATION AND/OR ON THE MARKETPLACE WEBSITE

Reservio acts as the controller of personal data of End Customers within the registration in the Customer Application and/or on the Marketplace Website.

Why do we process personal data?

Reservio processes in particular the following personal data for the purpose of fulfilling an agreement (in particular, concluding the agreement, communicating with the User) or performing legal obligations (in particular, bookkeeping, issuing and recording tax documents): name, surname, telephone, e-mail. The legal basis for processing in this case is Article 6(1)(b) of the GDPR – performance of an agreement and Article 6(1)(c) of the GDPR - performance of legal obligations.

For how long do we process personal data?

Where do we obtain personal data from?

We obtain personal data directly from data subjects when concluding agreements. We always inform data subjects which personal data are required for the purpose of the particular agreement.

How are personal data transferred to Partners?

We transfer the personal data of End Users to Users with whom End Users are interested in making a reservation. End Users would not be able to make a reservation with the Partner without the transfer of personal data of End Users. In relation to the personal data thus obtained, Partners act as data controllers and therefore the transfer of personal data requires the End User's informed consent to the transfer of personal data.

C. RESERVIO PAYMENTS SERVICE

1. Processing of personal data when activating the RESERVIO Payment Service

When activating the RESERVIO Payment Service, we process the following personal data: Partner´s identification data (name, first and last name, registered office address, ID No.), in the case of companies, information about the beneficial owner (name, last name, residence), contact data (e-mail address, telephone), billing information, bank account for payouts, the details of the beneficial owners and members of the legal entity´s governing body, in the case of individuals who are entrepreneurs, the date of birth, for payment volumes over EUR 1,000, the identity document of the beneficial owner with a photograph, for payment volumes over EUR 5,000, a statement from the relevant bank account.

If we receive an order for a payment terminal, we also process: the address of the point of sale in the Czech Republic where the payment terminal will be used exclusively.

The legal basis for processing in this case is Article 6(1)(b) of the GDPR – performance of an agreement and Article 6(1)(c) GDPR – performance of legal obligations.

Depending on the specific service ordered, the processing of personal data also takes place at the partner provider – Adyen N.V., ICPO: 34259528, with its registered office in the Netherlands, Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam. For this reason, this company may require the Partner to acknowledge their terms and conditions governing the processing of personal data at the time of ordering the service.

The above processing is necessary to enable the service to be activated in accordance with regulatory requirements (including without limitation anti-money laundering legislation).

Personal data will be processed for the duration of the service and for 10 years after its termination or the last transaction.

2. Processing of personal data when using the RESERVIO Payment Service

When using the RESERVIO Payment Service, the following information is processed: data on the method of using the services (including chargebacks, etc.), the selected frequency of payouts, statements of payments made, information on any discounts granted, details of mutual communication, service intermediation fee, data from issued tax documents and information on the due date and payment or non-payment of invoices. In the event that a bank is linked or online bank transfers are made available, details of the bank and bank account that the merchant is linking are also processed, including whether it is a personal or business/corporate account, IBAN, website and a copy of the relevant business authorization.

The legal basis for processing in this case is Article 6(1)(b) of the GDPR – performance of an agreement and Article 6(1)(c) GDPR – performance of legal obligations.

The above processing is necessary to ensure that the service can be properly provided and at the same time the conditions of the partner providers are properly fulfilled and the service is provided in compliance with regulatory provisions (including without limitation legislation on the provision of payment services and anti-money laundering).

The personal data will be processed for the duration of the service and for 10 years after its termination or the last transaction.

3. Processing of personal data of End Customers

If a Partner Service is ordered and payment is made via the RESERVIO Payment Service, we process the following personal data related to the payment: purchase information (service, date and time of transaction, price), End Customer data (name, surname, address, email address, IP address), payment data (type of payment card, card number, card validity), payment disputes, if applicable, information that a payment has been rejected, etc. , fraud prevention information, including the confidentiality score of the device.

The legal basis for processing in this case is Article 6(1)(b) of the GDPR - performance of an agreement and Article 6(1)(c) GDPR – performance of legal obligations.

The above processing is necessary for the ordered service, i.e. to enable payment for the services, as well as for the purpose of providing support in the event of problems with payment, complaints, etc., or for the correct calculation of the service fee. Partner providers then process personal date for the purpose of fulfilling their obligations under the law (including without limitation for the purpose of preventing money laundering).

Personal data will be processed for the duration of the service and for 3 years after the individual transaction, and in cases provided for by law (in particular anti-money laundering legislation) for 10 years after its completion or the last transaction.

D. PERSONAL DATA OF WEBSITE VISITORS

Reservio processes the data received from individuals when they use the Website, available at www.reservio.com, the Customer Application and the Marketplace Website, available at www.reservio.cz and www.reservio.sk: cookies, log files (IP address or other online identifiers). We process these personal data on the basis of our legitimate interest or your consent. Information about cookies is set out below in this Privacy Policy and in the cookie bar.

E. PERSONAL DATA OF JOB APPLICANTS AND EMPLOYEES

Rules for the processing of personal data of job applicants and employees are provided in a separate internal company document.

II. RIGHTS OF DATA SUBJECTS

As a data subject, you have:

(a) the right of access to personal data: The data subject has the right to obtain confirmation from Reservio as to whether or not their personal data are being processed and, if so, to obtain access to such personal data and to the following information: (a) the purpose of the processing; (b) the categories of personal data concerned; (c) the recipients to whom the personal data have been or will be disclosed; (d) the intended duration for which the personal data will be stored; (e) the existence of the right to request the controller to rectify or erase the personal data or to restrict or object to the processing; (f) the right to lodge a complaint with a supervisory authority; (g) any available information on the source of the personal data, unless obtained from the data subject; (h) the fact that automated decision-making, including profiling, is taking place. The data subject will also have the right to obtain a copy of the personal data processed.

(b) the right to rectification of personal data: The data subject has the right to have inaccurate personal data concerning them corrected or incomplete personal data completed without undue delay.

(c) the right to erasure of personal data: The data subject has the right to have the personal data concerning them erased without undue delay if: (a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (b) the data subject withdraws the consent on the basis of which the data were processed and there is no further legal basis for the processing; (c) the data subject objects to the processing and there are no overriding legitimate grounds for the processing; (d) the personal data have been unlawfully processed; (e) the personal data must be erased in order to comply with a legal obligation under Union or Czech law; (f) the personal data were collected in connection with the offer of information society services. However, the right to erasure will not apply if the processing is necessary for compliance with a legal obligation, for the establishment, exercise or defense of legal claims and in other cases provided for in the GDPR.

(d) the right to restriction of processing: The data subject has the right to request restriction of processing in any of the following cases: (a) the data subject disputes the accuracy of the personal data, for the time necessary for us to verify the accuracy of the personal data; (b) the processing is unlawful and the data subject refuses to erase the personal data and requests instead that we restrict its use; (c) Reservio no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defense of legal claims; (d) the data subject objects to the processing until it is verified that our legitimate grounds override those of the data subject.

(e) the right to object to processing: The data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them which we process on the grounds of legitimate interest. In this case, Reservio will no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests or rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims. Right to object to processing for direct marketing purposes: If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. In this case, Reservio will not further process the personal data.

(f) the right to data portability: The data subject has the right to obtain the personal data concerning them that they have provided to us in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from Reservio, provided that: (a) the processing is based on consent and (b) the processing is carried out by automated means. In exercising the right to data portability, the data subject has the right to have personal data transmitted directly from one controller to another controller, if technically feasible.

(g) the right to lodge a complaint with the supervisory authority: If the data subject considers that we are not processing their personal data in a lawful manner, they have the right to lodge a complaint with a supervisory authority, in particular in the country of their habitual residence, place of employment or place of the alleged breach of the rules on the processing of personal data.

(h) the right to be notified of rectification or erasure of personal data or the restriction of processing: We are obliged to notify individual recipients to whom personal data have been disclosed of any rectification or erasure of personal data or restriction of processing, except where this proves impossible or requires disproportionate effort. If the data subject so requests, we will inform the data subject of the recipients.

(i) the right to be informed in the event of a personal data breach: If a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, we are obliged to notify the data subject of the breach without undue delay.

(j) the right to withdraw consent to the processing of personal data: If the processing of some of the personal data is carried out on the basis of consent, the data subject has the right to withdraw their consent to the processing of personal data in writing at any time by sending a letter of withdrawal of consent to the processing of personal data to the following e-mail address support@reservio.com.

III. PERSONAL DATA SECURITY

We use reasonable and appropriate technical and organizational measures to secure data against unauthorized or accidental disclosure. Technical measures consist of the deployment of technologies that prevent unauthorized access to data by third parties. We use data encryption for maximum protection. Organizational measures are a set of rules of conduct for our employees and are incorporated into Reservio´s internal policies, but are considered confidential for security reasons. Reservio makes sure that if the servers are located in a data center operated by a third party, similar technical and organizational measures are in place at that third party.

All data are located only on servers in the European Union or in countries that ensure protection of personal data in a manner equivalent to the protection provided by the legislation of the Czech Republic.

IV. SENDING COMMERCIAL COMMUNICATIONS, INFORMATION ABOUT DIRECT MARKETING

When sending commercial communications, we proceed in accordance with Act No. 480/2004 Sb., on certain information society services, as amended. You can cancel the sending of commercial communications by using the unsubscribe link in each e-mail sent.

The right to object to processing for direct marketing purposes: If we process your personal data for direct marketing purposes, you have the right to object to such processing at any time. In this case, we will no longer process your personal data.

V. RECIPIENTS OF PERSONAL DATA

Reservio will not transfer personal data to any other controllers.

Reservio uses the following processors of personal data:

Companies or individuals in the accounting business who are authorized to carry out accounting operations.
Companies or individuals in IT solutions that are responsible for IT administration and development of software programs used by Reservio.
Companies or individuals providing server services who are authorized to store data.
Companies providing email messaging services.

In view of the fact that partner providers (payment service providers) are involved in the execution of payments within the RESERVIO Payment Service, they have access (to the extent specified above in this Privacy Policy) to certain data, including without limitation:

the issuers of the relevant payment cards and the banking institutions through which the End Customer's payment is made;
partner providers according to the General Terms and Conditions, i.e. companies involved in the dispatch of payments (Adyen N.V., ICPO: 34259528, with its registered office in the Netherlands, Simon Carmiggeltstraat 6-50, 1011 DJ, Amsterdam).
In the case of special promotions or contests, additional personal data may be processed as described in the specific rules of the promotion/contest, and registration data may be transferred to Google or Microsoft as part of the registration form. This processing is always voluntary, but may be necessary for participation in the promotion/contest.

The processing of personal data may only be carried out by processors on the basis of a data processing agreement, i.e. with guaranteed organizational and technical security of the data, specifying the purpose of the processing. The processors may not use the data for other purposes.

Under certain conditions, personal data may be disclosed to public authorities (courts, police, notaries, tax authorities, etc., in the exercise of their legal powers) or may be disclosed to other entities to the extent provided for by a specific law.

A full list of processors is available at Reservio´s registered office and on request.

VI. COOKIES AND LOG FILES

We use cookies, which are small text files that identify users of the Website, available at www.reservio.com, and the Marketplace Website, available at www.reservio.cz and www.reservio.sk, and record their user activities. The text in the cookie is often made up of a series of numbers and letters that uniquely identify the user´s computer, but do not provide any specific personal information about the user.

The website automatically identifies the user´s IP address. An IP address is a number automatically assigned to a user´s computer when they connect to the Internet. All this information is recorded in an activity file by the server, which allows subsequent processing of the data.

Types of cookies:

Essential cookies: Due to its legitimate interest, Reservio uses essential cookies that are necessary for the operation of the website and to ensure its functionality. These may be persistent or session cookies. A persistent cookie remains on your hard drive even after you close your browser. Persistent cookies may be used by the browser on subsequent visits to the Reservio Website. Persistent cookies can be deleted. Session cookies are temporary and are deleted once the browser is closed. Reservio uses this data to operate the Website, including without limitation to identify and resolve errors, analyze the use of the Website and make adjustments or improvements. These are purposes for which Reservio has a legitimate interest in processing the data pursuant to Article 6(1)(f) of the GDPR.

You can configure your browser to block these cookies. Reservio advises that in this case some parts of the website will not work**.**

With your permission, Reservio uses other cookies:

Analytical and performance cookies: These cookies help Reservio analyze your use of the website. For example, they may be used to measure and improve the performance of the website. These cookies also allow us to know how you arrived at the website, whether directly, through a search engine or via a link on a social network. Reservio also learns how long you stay on the site and what links you click on.

These cookies will be used in your device only if you give your consent when you first visit the website (pursuant to Article 6(1)(a) of the GDPR). Analytical cookies can be rejected at any time by simply making a change in the detailed cookie settings.

Advertising cookies: Advertising cookies allow us to display advertising based on your preferences. They can be used, for example, to allow the Operator to create a profile of your interests and to show you relevant advertisements.

These cookies will be used in your device only if you give your consent when you first visit the website (pursuant to Article 6(1)(a) of the GDPR). Advertising cookies can be refused at any time by simply making a change in the detailed cookie settings. If you do not give your consent, you will not receive content and advertisements tailored to your interests.

or other cookies, as the case may be, if they are specified in the cookies settings.

A complete list of the cookies we use, including expiration dates, can be found in the cookie settings in the cookie bar.

Third party cookies

Our website may also include third party cookies. This may be the case, for example, because we have commissioned a third party to analyze the site. Reservio uses the following service providers:

Microsoft Corporation (bing.com, clarity.ms)
Intercom, Inc. (intercom.com)
Seznam.cz, a.s. (imedia.cz)
Facebook, Inc. (facebook.com, facebook.net)
Google Inc. (googleapis.com, google-analytics.com, google.com, google.cz, googleadservices.com, googletagmanager.com)
New Relic, Inc. (newrelic.com)
OpenAI, L.L.C. (openai.com)

Cookies settings:

Most web browsers accept cookies automatically. However, it is possible to configure your computer to block or remove cookies. Users of the www.reservio.com website are therefore entitled to set their browser to prevent the use of cookies on their computer.

Instructions for blocking or removing cookies in browsers can usually be found in the privacy policy or help menu of each browser.

Log files:

User´s website browser automatically reports certain information whenever a user views our website. When registering on or navigating the website, the servers automatically record certain information that the web browser sends each time you visit the website. These server logs (log files) may include information such as the web request, IP address, browser type, browser language, referring/exit pages and URLs, platform type, number of clicks, domain names, landing pages, number of pages viewed and the order of those pages, amount of time spent on certain pages, date and time of the request, and one or more cookies that can uniquely identify the web browser.

VII. APPLIED DATA PROTECTION LEGISLATION

Reservio declares that it is governed by certain legal provisions governing data protection, including without limitation:

European Union legislation

All legislation based on Article 16 of the Treaty on the Functioning of the European Union and Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, namely:

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
Commission Regulation (EU) No. 611/2013 of 24 June 2013 on measures applicable to personal data breach notifications under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (in limited scope);
Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, including without limitation electronic commerce, in the internal market (in limited scope).

Council of Europe legislation

Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Czech Republic legislation

Act No. 110/2019 Sb., on the personal data protection;

VIII. FINAL PROVISIONS

Reservio may update this Privacy Policy from time to time. The current version of the Privacy Policy will always be available here. If this Privacy Policy introduces a significant change to the way we treat personal data, Reservio will notify data subjects by posting a visible notice prior to implementing such changes.