Privacy policy

Privacy policy of the company Obalero s.r.o

This Privacy Policy (hereinafter referred to as the "Policy") is part of the Terms and Conditions for the use of the Obalero application, which is operated by Obalero s.r.o., company registration number 24241008, with its registered office at Křižíkova 530/78, Karlín, 186 00 Prague 8, Czech Republic, registered in the Commercial Register under file number C 196336 with the Municipal Court in Prague (hereinafter referred to as the "Provider" or "Controller").

The Provider r takes care to protect your personal data in accordance with the valid and effective legislation, which since 25 May 2018 is represented in particular by the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the "Regulation"), as well as Act No. 110/2019 Coll., on the processing of personal data.

The Controller is the provider (operator) of the Obalero web application for web browser, iOS and Android (hereinafter referred to as the "Application") and the websites obalero.com and obale.ro.  The Policy applies to all personal data processed by Obalero s.r.o. on the basis of the performance of a contractual relationship, legal obligation, legitimate interest or consent. The Policy describes the ways in which Obalero s.r.o. uses and protects personal data.

Obalero s.r.o. may amend the Policy at any time by posting a revised version on the Website and such amendment shall be effective as of the date of such posting. 

Controller and his contact details

The data controller within the meaning of Article 4(7) of the Regulation is Obalero s.r.o.

All communications concerning the protection of personal data or notifications of violations of rights should be sent by e-mail to the Controller at support@obalero.com or to the postal address Obalero s.r.o., Křižíkova 530/78, 186 00 Praha 8 - Karlín.

The Controller has not appointed a data protection officer within the meaning of Article 37 of the Regulation.

Personal data processed by the Controller

Personal data means any information about an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

In order to create your user account for the Application ("Registration"), the Provider  requires you to provide the following personal data: first name, last name and email addresses, or Google and Apple identifiers. 

If you use the website, even without registering or creating a user account, the Controller  may record your IP address and standard data such as your browser type and links to other websites you have viewed on the Website. This information is used to monitor and prevent fraud, diagnose problems and to compile statistical data that is anonymous and does not include your personal information. 

Purposes of the processing of personal data

The Controller processes your personal data for the following purposes:

• pre-contractual negotiations;
• the performance of a contractual relationship (the relationship between you and the Controller, which has arisen in particular on the basis of the registration)
• managing user accounts (i.e. in particular, fulfilling your request for registration, setting up and managing your user account, providing access to your user account and updates to your user account);
• contacting you to resolve issues related to your use of your user account or the Application;
• sending commercial communications, offers about products and services and events organized by the Controller and other marketing activities;
• display ads based on your interest;
• fulfilling the legal obligations of the Controller;
• improving the quality of services provided by the Controller and improving the use of the Application.

Processing of personal data for the performance of the contract

In the case of registration, your personal data is processed in accordance with the provisions of Article 6, paragraph 1, letter b) of the Regulation - the provision of personal data is a necessary requirement for the performance of the contract or for the implementation of measures taken before the conclusion of the contract at the request of the data subject. Without the provision of personal data, it is not possible to carry out pre-contractual negotiations, conclude the contract or its performance by the Controller.

Granting of consent

One of the legal grounds for processing personal data is your consent to the processing of personal data within the meaning of Article 6, paragraph 1, letter a) of the Regulation. The Controller asks you for your consent to the processing of your personal data in particular when:

• sending commercial communications and offers of goods and services;
• the use of so-called social media cookies and advertising cookies.
• You have the right to withdraw your consent to the processing of your personal data at any time by sending an e-mail to the Controller's e-mail address: support@obalero.com with your name and surname for the purpose of your identification. Withdrawal of consent does not affect the lawfulness of processing based on consent given before its withdrawal.

Period of processing of personal data

Personal data will be processed by the Controller:

• in the case of processing of personal data on the basis of registration - for the period of registration and further for one year after the termination of registration;
• in the case of processing of personal data on the basis of consent - for the period from the granting of consent until its withdrawal.

After the expiry of the retention period, the Controller will delete the personal data.

Disclosure of personal data to third parties

Personal data is provided to third parties cooperating with the Controller in the provision of services within the Application and providing marketing services. These third parties, listed in the table below, need access to your data in order to carry out their activities and are obliged to comply with the principles of personal data processing set out in the Regulation when processing your personal data. An up-to-date list of third parties is available at upon request.

Processor	Description	Links
Google	Google Workspace, Google Analytics, Google Looker Studio and any other products	Privacy compliance and records for Google Workspace and Cloud Identity Google Cloud & the General Data Protection Regulation (GDPR)
Facebook	Facebook Pixel	Facebook GDPR Facebook Privacy Policy Cookie Consent Resource
Monday.com	Development and business process management system	monday.com Trust Center monday.com Privacy monday.com GDPR
Ecomail	System for sending transactional and marketing emails	Personal data processing principles
DigitalOcean	Hosting and application infrastructure	Privacy Policy Data Processing Agreement
ABRA Flexi	Economic and accounting software	Personal data processing principles
Stripe	Payment and subscription processing system	Privacy Policy Stripe Privacy Center
Intercom	System for user support	Privacy Policy
Make	System for process automation	Privacy Notice
Sentry	Application monitoring system	Trust Centre Privacy Policy

The Controller does not disclose your personal data to third parties other than those mentioned above, nor does it share it with other persons or unrelated companies without your consent, except in the following cases: 

• compliance with legislation or in response to legal requirements; 
• protect the rights and property of the Controller, its agents, users and other persons, in particular to enforce its agreements, policies and terms of use and, in urgent cases, to protect the safety of the Controller, users of its services or any other person;
• in connection with or in the course of any merger, sale of corporate assets, financing or acquisition of all or part of the Controller's business by another company.

The Controller will not transfer your personal data without your consent to a third country or an international organization unless this is necessary for the performance of the contract between you and the Controller or such an obligation does not arise for the Controller by law. 

The Controller does not provide personal data collected through the Website to third parties for direct marketing purposes without your consent. 

Rights of the data subject

As a data subject whose personal data is processed, you have the following rights, which you can exercise at any time. These are:

• the right to access your personal data (i.e. the right to be informed whether your data is being processed and, if so, to have access to it);
• the right to rectification of personal data (i.e. to request rectification if you find that the Controller is processing inaccurate or false data);
• the right to request an explanation (i.e. if you suspect that the processing of your personal data violates the protection of your personal and private life or the processing is in breach of the law);
• the right to restrict the processing of personal data (i.e. the right to request temporary restriction of the processing of your personal data);
• the right to erasure of personal data (i.e. if your data is no longer necessary for the purposes for which it was processed);
• the right to object to the processing of personal data (the Controller is obliged to demonstrate that there is a compelling legitimate reason for the processing of personal data that overrides your interests or rights and freedoms);
• the right to data portability (i.e. the right to request that a third party receives your data);
• the right to withdraw consent to the processing of your personal data at any time;
• the right to lodge a complaint with the Office for Personal Data Protection (i.e. if you believe that your right to personal data protection has been violated).

Security measures and disclosure of personal data 

Each user's account is protected by a password of your choice. We recommend that you keep your password confidential and do not disclose it to any third party, even via email where the password is requested. In the event of a forgotten password, the user will receive, at his/her request and to the email address provided in the registration, an email containing a link to reset the password, within which the user can set a new password.

The Controller is not liable for misuse of the data provided as a result of unauthorized access by a third party or during data transmission within communication networks. The registered user acknowledges that the data and information provided on the Internet, e.g. in discussion forums, chat or email, may be misused by third parties. Please therefore exercise caution when providing your data via the Internet. 

The Controller stores your personal data in accordance with the highest security standards, using a wide range of security measures, including encryption and authentication tools, to prevent unauthorized access, alteration, disclosure or destruction of your personal data and to maintain its confidentiality. Your personal information is protected by firewalls and is accessible only to a limited number of persons who are required to keep it confidential. 

This Policy is written in Czech and English. In the event of a conflict between the language versions, the Czech version shall prevail.

Effective date: 1. 8. 2024

Obalero s.r.o.