Caflou is fully prepared for GDPR (Regulation (EU) 2016/679)

The provider of the service/application is:

Petr Macek & Co. s.r.o.
Address: Rižská 1527/1, 102 00 Praha 10
ID no.: 04075081
VAT ID no.: CZ0407508
Contact: support@caflou.com, +420-775-242-956
Represented by: Ing. Petr Macek (agent)

Caflou as the administrator (of personal data)

Personal information that we collect and why:

User

  • E-mail of the user – during registration (mandatory and necessary for use of the account and for signing in to the application); an e-mail is not necessary if the user registers via his/her Facebook profile or a Google account
  • Name and surname of the user – voluntary; the system does not request data (the system uses data to personalize the account and communication) 

We use data/e-mail for communication within the application and by e-mail

  • “Working” communication by e-mail – the user can unsubscribe
    • Communication on account activity (summary e-mails, notifications)
  • “Support” communication by e-mail – the user can unsubscribe
    • Communication for so-called “onboarding”, gaining feedback
  • “System” communication necessary for the account to function – cannot be unsubscribed; it is sent only in isolated cases and is not sent after a profile is deleted.
    • Confirmation of e-mail after registration
    • Invitations to an account
    • Notification of upcoming removal of an unpaid profile after 30 days of inactivity

Account

This concerns invoicing data that we use only for invoicing for use of the service/application (in the event of a voluntary upgrade to a paid package); it is personal information in the case of a natural person

  • Company name or personal name – mandatory only for paid accounts
  • Address – mandatory only for paid accounts
  • ID and VAT ID no. – not mandatory
  • Invoicing e-mail – mandatory only for paid accounts

It is not possible to invoice for using the paid service without providing this data

How data are entered

  • All data are submitted by the user him/herself or the administrator of the account (for account data) 
  • The submitting party has full control over their data; this data can be changed or deleted in the application 
  • The submitting party has full control over what happens to their data

For the paid account, we generate regular pro forma invoices (payment notices) and invoices that can, in the case of natural persons, contain personal data – all accounting/tax documents we issue for use of the application are protected by a high level of security and are located in safe repositories.

Agreement to use personal data

  • The Privacy Statement (declaration of the protection of personal data) can be easily found on the website www.caflou.com and can be accessed at the bottom of the website (under Privacy) or at the following address: https://www.caflou.com/privacy 
  • During registration, the user accepts the Terms and Conditions and confirms that he/she has been acquainted with the Privacy Statement.
    • Date and time of this acceptance is recorded in the profile of the registered user and the user has access to this information in his/her profile settings 
    • Existing users that have not expressed their agreement (see the point above – historically, active agreement has not been required) will be informed (by e-mail) that by using the application, they agree with the Terms and Conditions and are acquainted with the Privacy Statement
      • Date and time of agreement will be that of the first log-in after 18.5.2018 (inclusive)
  • In accepting the Terms and Conditions, the user willingly agrees that he/she will not use the Caflou application in contradiction to the law
  • Changes may be made to the Terms and Conditions and/or the Privacy Statement based on changes in legislation or while changing the functionality of the application. If a change is made to the Terms and Conditions and/or the Privacy Statement, users of the Caflou application will be informed of the change (by e-mail and/or upon their next log-in to the application). 
  • The user may decline to accept the Terms and Conditions and decline to agree with the Privacy Statement directly in the application’s profile settings or by sending a request to the e-mail address support@caflou.com. By declining, the user will lose access to the Caflou application (by confirming, the profile will be deleted or Caflou’s support will delete the profile at the user’s request). An alternative is deletion of the profile carried out by the user him/herself. 

Where we store personal data

  • Technology: Amazon Web Services
    • Supplier: Amazon Web Services, Inc.
    • Location of data: EU
    • Contact: 410 Terry Ave North, Seattle, WA 98109-5210, USA
    • Purpose: Application databases, back-up
  • Technology: DigitalOcean
    • Supplier: DigitalOcean
    • Location of data: EU
    • Contact: 101 Avenue of the Americas, 10th Floor, New York, NY 10013, USA
    • Purpose: Application server, back-up
  • Technology: Mailgun
    • Supplier: Mailgun Technologies
    • Location of data: USA
    • Contact: 535 Mission St., 14th Floor, San Francisco, CA 94105, USA
    • Purpose: Sending system e-mails
  • Technology: Intercom
    • Supplier: Intercom, Inc.
    • Location of data: USA
    • Contact: 55 2nd St., 4th Fl., San Francisco, CA 94105, USA
    • Purpose: Communication with application users

All data (including user and account data in the Caflou application) and users’ personal data are stored centrally in safe repositories that are located in the European Union or the USA. Data do not in any way leave the European Union or the USA and are not kept anywhere outside the European Union or USA. 

We have valid agreements with all partners. These are prominent and reliable partners that are registered in the Czech Republic, EU, or USA. 

Additional information on data security 

  • No personal data are used or will be used for marketing purposes
  • The Privacy Statement can be found in the Privacy section or here: https://www.caflou.com/privacy
  • Security of data, information, and the application is described in detail in the Security section or here: https://www.caflou.com/security
    • Our employees are aware of the necessity to secure data and are trained in data protection; we require two-phase authentication to access all our systems; access to data is given only to select employees
    • We protect all data with strong security and these data are stored in safe repositories; we exclusively use an HTTPS-encrypted connection
    • For user access to the application, strong passwords are required; these are stored in encoded form and cannot be retrieved; voluntary two-phase authentication is available
    • You will find three levels of security in the application: 
      1. User log-in
      2. User authorization for the account
      3. User rights in the account and in objects
  • Leaks of personal data
    • We are required to report serious violations within 72 hours to the Office for Personal Data Protection
    • Users whose data was affected by the leak will be informed of any serious leak via an adequate method (e-mail, Caflou website, message in the Caflou application)

Users’ access to their data

  • All data that we possess have been entered into the system by the user him/herself
  • The user has full access to these data from his/her profile and their account in the application 
  • The user can edit his/her data in the application
  • The user can delete the data him/herself, delete his/her profile, or delete his/her account

At the user’s request, we can:

  • Delete the user’s personal data (deleting the profile, account)
  • Hand over personal data to the user 
  • Inform the user on how we use personal data
  • Correct the user’s personal data 
  • Stop using data for direct contact
  • Stop processing/using the user’s personal data
  • Stop using messages based on “profiling” and use of the application

Requests can be sent to support@caflou.com; we may request authentication of identity based on information available to us. 

Removal of unused data

  • Profiles
    • Users of free accounts (who are not at the same time members of our affiliate program) who have not used the application for a period of 30 days are informed by e-mail that after a period of 10 days their profile, including personal data, will be deleted
    • If the user does not log into the application within 10 days of receiving the notification, his/her profile will be deleted
    • Within 30 days following the profile’s removal, the profile is also deleted from the security back-up – this means the removal of the profile is irreversible
  • Accounts 
    • Accounts without users (typically after removal of a user profile from an account with one user only or the removal of all users of an account) are deleted within 10 days after removal of the final user of the account
    • During the following 30 days, the account is also deleted from the security back-up – this means the removal of the account including all data is irreversible

After removing deleted profiles and accounts from the security back-up, we no longer have access to the data and information of profiles or accounts. 

Caflou as the processor (of personal data)

Saving personal data of third party entities by users of the Caflou application

  • In accepting the Terms and Conditions, the user willingly agrees that he/she will not use the Caflou application in contradiction to the law
  • Caflou application users can store data in the application including personal data (and the personal data of third party entities)
    • Functions designated for this purpose (i.e. possible storage of personal data) are the Companies, Contacts, and Uploads features
    • In this case, Caflou is the processor of data
      • The Client (user/owner of the account in the Caflou application) continues to be the administrator. The Client is not freed of the responsibility for the processing of personal data by using the Caflou application
  • An optional “Reason for Filing” attribute has been added to the Companies, Contacts, and Uploads features. In it, the party entering data may add information regarding the filing of a company/contact (e.g. purpose for filing and details on agreement with processing)
  • The “Where we store personal data” section above on this page describes where data/information is stored
  • Security of data and information stored on user accounts is described in detail on the Security page or at https://www.caflou.com/security 
    • We protect all data with strong security and these data are stored in safe repositories; we exclusively use an HTTPS-encrypted connection
    • For user access to the application, strong passwords are required; these are stored in encoded form and cannot be retrieved; voluntary two-phase authentication is available
    • You will find three levels of security in the application: 
      1. User log-in
      2. User authorization for the account
      3. User rights in the account and in objects
  • We reserve the right to “ad hoc” access to data and information of accounts and users; we use this right only in cases where this access is necessary to service the application

Caflou offers operations that make it possible to transfer and delete data:

  • Export companies and contacts (to xls, csv, pdf), download files to computer
  • Delete companies, contacts, files (individually or in bulk)
    • The deleted object stays in the Trash of the user’s account for 30 days; any object can be emptied from the Trash at any time. For the next 30 days after the object was removed from the Trash, the object is kept in a security back-up and is subsequently and irreversibly deleted