Privacy Policy

Privacy Policy of INSIO software s.r.o.

I. INTRODUCTION

INSIO software s.r.o., with registered office at Vinohradská 3217/167, Strašnice, 100 00 Praha 10, IČO 27389847, registered in the Commercial Register maintained by the Municipal Court of Prague, section C, insert 109725 (hereinafter referred to as "INSIO"), when providing services and selling products, handles certain personal data originating from the client as a party interested in the conclusion of a contract with INSIO or as the other contractual party from such a contract (hereinafter referred to as "Client"), or, where applicable, with the data of members of their bodies, their employees or third parties as end users specified in the INSIO consent (hereinafter referred to as "Authorised User"). This is particularly in connection with the negotiated license agreement or contract for the provision of software as a service (hereinafter referred to as the "Contract"), under which INSIO provides the Clients with the service of using the software called INSIO Software (hereinafter referred to as the "Service"), which consists of a complex system for optimizing business processes and maintaining a complete business agenda in electronic form and which consists of individual functional modules created by the Provider, which enable process optimization and agenda management at various levels (hereinafter referred to as the "SW").

Personal data is handled by INSIO in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR"), and Act No. 110/2019 Coll., on the processing of personal data, as amended (hereinafter referred to as the "Act"). In this Privacy Policy (the "Policy"), we would therefore like to inform you about:

  • what personal data we collect,

  • for what purposes we use it,

  • whether and to whom we provide them,

  • what rights you have in relation to the processing of your personal data; and

  • in what way you can exercise these rights with us.

Unless the relevant text indicates otherwise, the individual terms, abbreviations, and definitions used in this Policy and capitalized shall have the meaning used in the relationship between INSIO and the Client in connection with the Service, the provision of which is governed by the Terms of Service of INSIO software s.r.o., which are available on the website of INSIO software s.r.o. (https://insio.cz/), and upon request.

II. PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE CONTRACT

The Client acknowledges that the SW is operated on the INSIO server (hereinafter referred to as the "Cloud") and all data entered by the Client or Authorised User when using the Service is entered and stored on the Cloud.

INSIO declares that it ensures a high level of protection and security of all data uploaded by the Client or Authorised Users when using the Service on the Cloud. In relation to data that can be considered personal data within the meaning of Article 4(1) of the GDPR, INSIO ensures compliance with all obligations that apply to it when processing personal data under the GDPR.

The Client acknowledges that in relation to the personal data of natural persons entered when using the Service on the Cloud, the Client is the so-called controller within the meaning of Article 4(7) of the GDPR, and INSIO is the so-called processor within the meaning of Article 4(8) of the GDPR. INSIO also informs the Client that as a data controller it is obliged to comply with the obligations arising for it from the provisions of the GDPR, in particular from Articles 24 et seq. and 82(2) GDPR, and also to provide data subjects within the meaning of Article 4(1) GDPR, i.e. individuals whose personal data it uploads to the Cloud when using the Service, with information pursuant to Article 13 GDPR.

INSIO, as the processor of personal data uploaded by the Client or Authorised User when using the Service on the Cloud, declares that it ensures the processing of personal data in accordance with the relevant provisions of the GDPR, in particular Article 28(3) GDPR, and undertakes to fulfil all obligations arising from the aforementioned provisions.

The processing of personal data entered by the Client or Authorised User when using the Service on the Cloud is carried out by means of SW in an automated manner, only to the extent of the data entered by the Client or Authorised User when using the Service on the Cloud, and for the purpose resulting from the nature of the functions of the Service made available by INSIO and used by the Client.

The type of personal data and categories of data subjects that are uploaded to the Cloud by the Client or Authorised User when using the Service are determined by the nature of the functions made available and used by the Client.

The processing of personal data uploaded to the Cloud by the Client or Authorised User during the use of the Service lasts no longer than the period of provision of the Service under the Agreement. After the termination of the provision of the Service, INSIO shall, in accordance with the Client's decision, delete all personal data entered by the Client or the Authorised User when using the Service on the Cloud, or return them to the Client, and delete existing copies, unless the relevant legislation requires the storage of the personal data in question.

INSIO implements all measures required under Article 32 et seq. of the GDPR, in particular technical and organisational measures to ensure a level of security appropriate to the risks to the rights and freedoms of natural persons arising from the processing of personal data through the SW, and also ensures:

a) encryption of data;

b) the continued confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data in a timely manner in the event of physical or technical incidents;

d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure processing security.

INSIO shall report any personal data breach to the Customer without undue delay.

The Client acknowledges that, in addition to the data and personal data mentioned above, INSIO processes the personal data of the Client and Authorised Users in connection with the fulfilment of this Agreement as a controller within the meaning of Article 4(7) GDPR. The Client declares that they have been informed by INSIO about the processing of personal data to the extent pursuant to Article 13 of the GDPR prior to the conclusion of this Agreement and acknowledges that this information on the processing of personal data forms the following Article III of this Policy and undertakes to make the affected individuals aware of this information.

III. INFORMATION ON THE PROCESSING OF PERSONAL DATA OF THE CLIENT AND AUTHORISED USERS

A) The purpose of this Article

The purpose of this article is to provide you with information about the processing of your personal data within the scope provided for in Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as "GDPR") by the company INSIO software s.r.o. as the so-called data controller, in connection with the fulfilment of contractual obligations under the Contract for the provision of software called INSIO Software (hereinafter referred to as the "Service") concluded with the Client (hereinafter referred to as the "Contract").

B) Identity and contact details of the controller

The controller of your personal data is the trading company INSIO software s.r.o., with registered office at Vinohradská 3217/167, Strašnice, 100 00 Praha 10, IČO 27389847, registered in the Commercial Register maintained by the Municipal Court of Prague, section C, insert 109725 (hereinafter referred to as "Controller").

If you have any questions about the processing of personal data by our company or wish to exercise your rights regarding the processing of personal data, please contact us in writing using the following contact details of the Controller.

  • Delivery address: Vinohradská 3217/167, Strašnice, 100 00 Praha 10 

The Controller is not subject to the obligation to appoint, and therefore has not appointed, a data protection officer within the meaning of Articles 37 to 39 of the GDPR.

C) Categories of processed data

In connection with the conclusion of the Contract or with the negotiations leading to the conclusion of the Contract (e.g. when requesting the processing of a quotation or other consultations, etc.), the Controller processes the following categories of personal data that you have provided to us or obtained from publicly accessible registers:

a) Identification data: business name, name and surname, ID number, VAT or other tax number

b) Contact details: telephone number, e-mail, correspondence address

c) Data related to the use of the Service: login data, user account data, terminal device data 

d) Other data (place of fulfilment of the Contract or other sub-orders)

D) Sources of personal data and other personal data

We obtain personal data directly from you if you are the person who has entered into a Contract with us or conducted the negotiations leading to its conclusion. Another source may also be publicly accessible registers (insolvency register, trade register, VAT register).

In the event that you provide us with personal data for a purpose other than those mentioned above (e.g. by sending us an enquiry that does not relate to our products or an existing Contract, via a form on the website, etc.), the personal data provided in this way and its possible processing will be assessed individually and we will inform you of its processing. In the event that we need your consent to process it, we will ask you for your consent.

We process personal data to the extent necessary for the purpose of processing; however, it is not possible to conclude the Contract without disclosing the aforementioned personal data.

E) Legal basis for processing personal data

The legal grounds for the processing of your personal data by the Controller are as follows:

a) processing is necessary for the performance of a Contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a Contract; within the meaning of Article 6(1)(b) of the GDPR (to the extent necessary for the conclusion of the Contract, including negotiations leading to the conclusion of such a Contract, such as inquiries, surveys, etc., and performances resulting therefrom, such as installation, operational tests, complaints, servicing, etc.);


b) processing is necessary for compliance with a legal obligation to which the controller is subject; within the meaning of Article 6(1)(c) of the GDPR (to the extent necessary to fulfil the obligation imposed on us by law, e.g. keeping accounting records in accordance with Act No. 563/1991 Coll., on Accounting, Act No. 586/1992 Coll., on Income Tax and Act No. 235/2004 Coll., on Value Added Tax, and in the public interest and for the exercise of public authority, to fulfil our obligation to provide information to the Police, courts, authorities, etc.);


c) processing is necessary for the purposes of the legitimate interests pursued by the controller; within the meaning of Article 6(1)(f) GDPR (to the extent necessary for dealing with the customer, recording the activities and functionality of the Service provided, invoicing, etc.)

F) Purpose of the processing of personal data

The purpose of processing your personal data is to fulfil the obligations arising for the Controller from generally binding legal regulations and the fulfilment of contractual obligations under the Contract and to protect the Controller's rights to the software when providing the Service. Where we process data on the basis of your consent, the purpose of the processing will be set out in the consent request together with other processing conditions, such as consent to the processing of personal data for the purpose of providing personalised product offerings from the Controller.

There is no automated individual decision-making by the controller within the meaning of Article 22 GDPR.

G) Processing of personal data when visiting the website

The websites operated by INSIO and the online services associated with them use so-called cookies, which are small amounts of data that enable the recognition of the visitor's device when they visit the website again, in order to optimise the service and save you time. Cookies remember, for example, your preferred language, currency, login email, completed forms or other minor settings in the client administration. When you first open our website, you will always be informed about the use of cookies and you have the option to decide whether or not to give your consent. You can also directly adjust your web browser settings for each website, where you can restrict or completely block cookies. Most modern web browsers automatically set cookies as active by default unless otherwise selected.

H) Duration of storage of personal data

We process personal data in the context of providing a price offer, where no contract has yet been concluded, for a period of one year. After this period, quotations are anonymised (all personal data is deleted) and only an identification number of the offer is used for identification.

We process personal data processed in connection with the conclusion of the Contract and its performance for the duration of the contractual relationship (Contract) with the Client, which allows us to process your personal data, as well as for the time necessary for archiving purposes in accordance with the relevant generally binding legal regulations.

After the lawful reason to process personal data ceases, we delete the relevant personal data unless we have no other lawful reason to process it or you have given us your consent to the processing. We do not use the services of third parties for any archiving.

If we process personal data on the basis of consent, the period of storage of personal data is indicated directly in the text of the consent, which we will always inform you of in advance.

CH) Categories of recipients of personal data

The other recipients of your personal data will be:

a) state administration bodies to the extent provided for by law;

b) persons who cooperate with the controller and ensure the processing of personal data for the controller, which may be:


  • entities providing data storage to the controller,

  • entities providing accounting services to the trustees,

  • entities providing legal and accounting services.

I) Transmission of personal data

We process personal data only in the Czech Republic or in EU member states. We do not transfer personal data to third countries (outside the EU) or international organisations.

J) Rights of data subjects

Under the conditions set out in Articles 15 to 22 of the GDPR or the relevant provisions of the Act, you are entitled to rights towards the Controller, in particular:

  • the right to access your personal data pursuant to Article 15 of the GDPR,

  • the right to rectification of personal data pursuant to Article 16 GDPR,

  • the right to erasure of personal data pursuant to Article 17 GDPR,

  • the right to restrict the processing of your personal data in the cases set out in Article 18 GDPR,

  • the right to data portability under Article 20 of the GDPR,

  • the right to object to processing under Article 21 of the GDPR,

  • the right to withdraw consent to processing in writing or electronically to the address or email of the Controller of Part B) of this Policy,

  • the right to lodge a complaint with The Office for Personal Data Protection if you believe that your data protection rights have been breached.

If you believe that the processing of your personal data has violated or is violating a generally binding legal regulation, in particular the GDPR or the Act, you have the right to lodge a complaint with the supervisory authority, which is The Office for Personal Data Protection, with its registered seat at Pplk. Sochora 27, 170 00 Prague 7, ID 70837627, databox ID: qkbaa2n.

The provision of your personal data to the Controller for the performance of the Agreement is voluntary and you are under no obligation to provide such personal data. However, without the provision of your personal data it is not possible to conclude the Contract or for the Controller to perform it. Providing consent to the processing of personal data for marketing purposes is voluntary. Consent may be withdrawn at any time.

In the event of an objection to the protection of personal data, the Controller shall always inform the data subject without undue delay, and in any event within one month of receipt of the request, of the processing of his or her request.

The Controller is entitled to modify the wording of this Policy. It will post the new version of the Policy on its website and will also send the new version of the Policy to you at the e-mail address you have provided to the Controller.

This version of the Privacy Policy is valid and effective as of 1.1.2024