Personal data processing principles

The aim of this Privacy Policy (hereinafter referred to as the "Policy") is to provide information on what personal data ForClassmates s.r.o., Company ID: 05625351, Tax ID: CZ05625351, with its registered office at Evropská 516/10, 160 00 Prague, Czech Republic, registered in the Commercial Register of the Municipal Court in Prague, Section C, Insert 297922 (hereinafter referred to as the "Company" or "Controller"), acquires, stores and further processes. In particular, this concerns the processing of personal data within the online learning platform (hereinafter referred to as the "Application"), which is available at https://www.forclassmates.com/ (hereinafter referred to as the "Website").

This Policy applies primarily to the processing of personal data of users of the Application, creators of the content of the Application and visitors to the Website. In this Policy, reference may be made to the Company's general terms and conditions available on the Website (hereinafter referred to as the "T&Cs").

This Policy describes the purposes of personal data processing, the methods of their processing, informs about the individual categories of processed personal data, potential recipients of personal data, the period of storage of personal data and about your rights in relation to personal data protection.

This Policy also applies to the Websites operated by the Company. When you visit the Website, cookies are processed, for more information on the processing of files, please visit the Cookies section of the Website.

The Company protects all processed personal data as strictly confidential and handles them in accordance with valid and effective legal regulations in the field of personal data protection. The security of personal data is a priority for the company.

These Principles are issued in accordance with Regulation (EU) 2016/679, on the protection of natural persons with regard to the processing of personal data (the "Regulation" or "GDPR") and Act No. 110/2019, on the processing of personal data, in order to ensure the information obligation of the Company as an administrator pursuant to Article 13 of the GDPR.

A. Personal Data Controller

The Company is the controller of personal data within the meaning of Art. 4 para. 7 GDPR. Therefore, the Company collects, stores and uses (and otherwise processes) personal data for the performance of its business activities (the individual purposes for which personal data are processed are further defined below).

B. Data Protection Officer

The Company is not required to appoint a Data Protection Officer. Thus, a Data Protection Officer has not been appointed at the Company.

The Company, as a personal data controller, can be contacted in writing at:

ForClassmates s.r.o.
Evropská 516/10160 00 Praha 6 - Dejvice

Alternatively, at the following e-mail address: info@forclassmates.com

C. Categories of personal data

Personal data is any information that relates to a natural person that the Company is able to identify. In connection with the provision of services and the sale of goods, the Company may process the following categories of personal data.

1. Basic personal identification data and address data

Such data is required for the conclusion and performance of the contract. This includes in particular the following personal data:

· Academic Degree

· Name and surname

· Name of the company/school

· Year of birth

· Company ID, Tax ID

· Permanent residence address

· Address of the registered office or place of business

· Billing address

· Profile photo

· Bank details

· Payment data

· signature

2. Contact details

· Contact Phone Number

· Mailing address

· contact e-mail

· Social media addresses

3. Data on services subscribed, use of services and payment behaviour

· Type and specification of the service provided

· The volume of services provided and their price

· Customer segment

· Information on payment discipline

4. Education Data

· Name of the educational institution you are attending

· Year of study

· Information on educational attainment

5. Data about the services provided by the content creators of the Application and about the creators themselves

This data is created during the creation of the content of the Application, in which the creators of the Application participate, as defined in the GTC. This can be a wide amount of personal data entered by creators into their profiles (medallions) or into the content of the application.

6. Other data generated in connection with the provision of services

These data are created during the provision of services within the Application, due to the fulfilment of the company's contractual obligations. Specifically, this includes in particular personal data generated when completing educational tests, or personal data related to the fulfilment of educational obligations by the user of the Application.

7. Data from communication between the company and the customer

In particular, this includes personal data contained in e-mail, written telephone, chat or video chat communication between the Company and the Customer. .

8. Data processed on the basis of your consent

The processing of this data is not strictly necessary for the performance of a contract or legal obligations or the protection of the Company's legitimate interests, but its processing will enable the Company to improve services, focus on what customers are really interested in and, where appropriate, inform customers about offers that are suitable for them. These data are processed only if consent is granted and may be processed for the duration of the consent period.

These are mainly data used to send commercial communications (they are processed by service customers on the basis of consent to the processing of personal data for business purposes). E-mails with commercial communications always contain a link to a website where consent can be withdrawn.

With regard to the fact that according to the provisions of Section 7 of Act No. 110/2019 Coll., on the Processing of Personal Data, a child acquires the capacity to give consent to the processing of personal data in connection with the offer of information society services directly to the child upon reaching the age of fifteen, the personal data of children under 15 years of age are processed on the basis of the consent of one of the child's parents or legal guardians. This consent may be revoked at any time by delivering the withdrawal of consent. Consent can also be withdrawn via e-mail.

D. Purpose, legal basis and period of personal data processing

The scope of the data processed depends on the purpose of the processing. For some purposes, it is possible to process data directly on the basis of a contract, a legitimate interest or on the basis of the law (without consent), for others only on the basis of consent.

1. Processing of personal data in the performance of a contractual obligation

Without the provision of personal data for the fulfilment of the company's contractual obligations, it would not be possible to provide the services. The Company does not need consent to process personal data for these purposes, but personal data is processed on the basis of (due to) the performance of a contractual obligation.

With regard to the educational purpose of the Application, profiling takes place during the performance of the company's contractual obligations, as defined in Article 4 (1) of the Company. 4 GDPR. In the case of the Application, this is the automated processing of personal data generated when completing educational tests, or personal data related to the fulfilment of educational obligations by the User of the Application. This personal data is necessary for the performance of the contractual obligation so that the user (and possibly other persons – see below) can see the results of their tests and information about which educational documents they have already opened, even retrospectively (e.g. they can go through the results of their tests after some time). Profiling for the fulfilment of contractual obligations is permissible in accordance with Art. 22 para. 2 GDPR.

In the case of customers of the Company's services, the Company is entitled, if they have fulfilled all their obligations towards the Company, to process their basic personal, identification, contact, service data and data from their communication with the Company in the customer database for a period of 5 years from the date of termination of the last contract with the Company, or from the date of termination of the use of the Application.

2. Processing of personal data in compliance with legal obligations

The Company processes personal data in cases where it is necessary to comply with legal obligations imposed on the Company by relevant legal regulations. This applies, for example, to the retention of tax and accounting documents.

This is also personal data through which the Company can prove that it complies with the obligations imposed by the GDPR. For example, the company stores data that proves that consent to the sending of commercial communications has been provided.

3. Processing of personal data on the basis of the Company's legitimate interest

The Company may process personal data for the purpose of assessing potential security risks and removing them in order to maintain the highest security standards of the Website. The Company is committed to preventing, detecting and combating fraud and other illegal or unauthorized activities within the use of the Website.

The Company also processes personal data for the purposes of its defence or the assertion of its claims in the event of a legal dispute.

For this purpose, the Company is entitled to store personal data for the duration of the limitation period pursuant to Act No. 89/2012 Coll., the Civil Code, as amended (hereinafter referred to as the "Civil Code").

4. Processing of personal data on the basis of consent

As mentioned above, the processing of this data is not strictly necessary for the performance of a contract or legal obligations or the protection of the Company's legitimate interests, but its processing will enable the Company to improve services, focus on what customers are really interested in and, where appropriate, inform customers about offers that are suitable for them. These data are processed only if consent is granted and may be processed for the duration of the consent period.

These are mainly data obtained through marketing surveys and for sending commercial communications (they are processed by service customers on the basis of consent to the processing of personal data for business purposes).

Consent for business purposes is voluntary and can be revoked by the customer at any time. If the data subject withdraws his/her consent, this is without prejudice to the processing of his/her personal data by the Company for other purposes and on the basis of other legal titles, in accordance with this Privacy Policy.

With regard to the fact that according to the provisions of Section 7 of Act No. 110/2019 Coll., on the Processing of Personal Data, a child acquires the capacity to give consent to the processing of personal data in connection with the offer of information society services directly to the child upon reaching the age of fifteen, the personal data of children under 15 years of age are processed on the basis of the consent of one of the child's parents or legal guardians. This consent may be revoked at any time by delivering the withdrawal of consent. Consent can also be withdrawn via e-mail.

Consent to the processing of personal data of a child under 15 years of age is given via e-mail when an e-mail is sent to the parent or legal guardian with a link to the consent grant. The e-mail address of the parent or legal guardian is filled in by the child during the registration process. Until consent is granted, the child is not allowed to use the Application.

E. Transfer of Personal Data to Third Parties

When fulfilling its obligations and obligations under contracts, the Company uses professional and specialized services of other entities. If these suppliers process personal data transferred from the Company, they are in the position of personal data processors and process personal data only within the scope of instructions from the Company and are not allowed to use it otherwise. These include, in particular, the recovery of outstanding receivables, the activities of experts, attorneys, auditors, IT systems management, internet advertising or commercial representation. Each such entity carefully selects the company and enters into a personal data processing agreement with each of them, in which the processor has strict obligations for the protection and security of personal data.

The processors are companies based both in the Czech Republic and with their registered office in a member state of the European Union or so-called safe countries. The transfer and processing of personal data in countries outside the European Union always takes place in accordance with applicable legislation.

As part of fulfilling its legal obligations, the Company transfers personal data to administrative bodies and authorities stipulated by applicable legislation.

The company uses professional services of third parties in its business activities. If these third parties process personal data transmitted by the Company, they have the status of personal data processors and process personal data only in accordance with the instructions given to them by the Company and may not use them otherwise.

Specifically, these are:

· external providers of tax advisory and accounting services;

· external providers of legal services;

· external providers of services related to the operation and professional content of the Application;

· external marketing service providers;

· external cloud service providers;

· external software developers;

· external providers of IT systems management services, computer networks and hardware.

The Company has concluded personal data processing agreements with the processors of personal data pursuant to the previous paragraph, which guarantee at least the same level of personal data protection as this Policy.

From the point of view of the transfer of personal data to third parties, the User is entitled to mark other users of the Application in the settings of their user profile, who will gain reading access to statistics from the use of the Application by the User. The user who will be allowed to monitor statistics may be either the parent of the user concerned or any other user of the Application.

In the settings of his/her user profile, the User is also entitled to mark teachers, tutors or educational institutions who will gain reading access to statistics from the User's use of the Application. For example, the user can allow the educational institution or tutor to check whether the user has done their homework, and so on.

The user is entitled to cancel the above-described designation of other users at any time and thus make the tracking of their statistics unavailable to a specific user.

The User further acknowledges that in the event of participation in the discussion forum, other users of the Application will be shown his/her username and profile photo. Furthermore, the User acknowledges that in the event of his/her participation in quizzes, games and other similar activities within the Application, other participating Users will be allowed to view the number of points (XP) achieved, the number of hours spent and the ratio of correctly answered questions to incorrectly answered questions in the Application by the affected User.

Furthermore, as part of the fulfilment of its legal obligations, the Company transfers personal data to administrative authorities and other public authorities, if the Company is required to do so by applicable law. In particular, the Company may transfer any personal data referred to in this Policy to law enforcement authorities if they request it in accordance with the laws governing criminal proceedings.

The Company does not transfer personal data outside the EU or to international organizations, nor does it carry out automated individual decision-making.

F. Method of processing personal data

The Company processes personal data both manually and automatically. The Company keeps records of all activities, both manual and automated, during which personal data is processed.

G. Commercial Communications

For commercial communications of the Company or third parties, the Company uses the abbreviation OS or another appropriate designation from which it is clear that the communication is a commercial communication within the meaning of applicable legal regulations. It is always clear from commercial communications sent by a company that the company is their sender. We can send commercial communications either to customer contacts on the basis of the company's legitimate interest, but only until you express your disagreement, or on the basis of explicit consent to the processing of personal data for marketing and business purposes. In the sent commercial communications, there is also a contact for rejecting the sending of these communications.

H. Information on the rights of data subjects

According to the Regulation and the Act, as of 25 May 2018, the data subject has the following rights if he/she is an identifiable natural person for the company and proves his/her identity.

1. Right of access to personal data

According to Article 15 of the GDPR, the data subject will have the right of access to personal data, which includes the right to obtain from the company:

· confirmation of whether it processes personal data;

· information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be disclosed, the planned period of processing, the existence of the right to request from the controller the rectification or erasure of personal data concerning the data subject or the restriction of their processing or to object to such processing, the right to lodge a complaint with a supervisory authority, any available information on the source of the personal data, if they are not obtained from the data subject, the fact that automated decision-making, including profiling, takes place on appropriate safeguards when the data is transferred outside the EU;

· provided that the rights and freedoms of others are not adversely affected, a copy of the personal data.

In the event of a repeated request, the Company will be entitled to charge a reasonable fee for a copy of the personal data.

The right to confirmation of the processing of personal data and information can be exercised in writing to the address of the company's registered office.

2. Right to rectification of inaccurate data

Pursuant to Article 16 of the GDPR, the data subject will have the right to rectification of inaccurate personal data processed about him or her by the company. The Company's customer is also obliged to notify changes to their personal data and to prove that such a change has occurred. At the same time, they are obliged to cooperate with the company if it is found that the personal data we process about them are not accurate. We will carry out the repair without undue delay, but always with regard to the given technical possibilities. A request for correction of personal data can be made to the address of the company's registered office.

3. Right to erasure

Pursuant to Article 17 of the GDPR, the data subject will have the right to erasure of personal data concerning him/her, unless the company demonstrates legitimate reasons for the processing of such personal data. The Company has mechanisms in place to ensure automatic anonymization or deletion of personal data in the event that they are no longer needed for the purpose for which they were processed. If the data subject believes that his or her personal data has not been erased, he or she may contact us in writing at the address of the company's registered office.

4. Right to restriction of processing

Pursuant to Article 18 of the GDPR, the data subject will have the right to restriction of processing until the complaint is resolved if he or she contests the accuracy of the personal data, the reasons for their processing, or if he or she objects to the processing of the personal data, in writing to the address of the company's registered office.

5. Right to notification of rectification, erasure or restriction of processing

According to Article 19 of the GDPR, the data subject will have the right to be notified by the company in the event of rectification, erasure or restriction of the processing of personal data. If personal data is corrected or deleted, we will inform individual recipients, except where this proves impossible or involves disproportionate effort. Upon request of the data subject, we may provide information about these recipients.

6. Right to data portability

Pursuant to Article 20 of the GDPR, the data subject will have the right to the portability of the data concerning him/her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format, and the right to request the company to transmit these data to another controller.

If, in connection with a contract for the provision of services or on the basis of consent, the data subject provides us with personal data and the processing is carried out by automated means, he or she has the right to receive such data from us in a structured, commonly used and machine-readable format. If technically feasible, the data may also be transferred to the controller designated by you, provided that the person acting on behalf of the controller is duly designated and can be authorised.

In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted. The application can be made at the company's brand stores after proving the legitimacy of the request.

7. Right to object to the processing of personal data

According to Article 21 of the GDPR, the data subject will have the right to object to the processing of his or her personal data on the grounds of the company's legitimate interest.

In the event that the Company does not prove that there is a serious legitimate reason for the processing that overrides the interests, rights and freedoms of the data subject, the Company shall terminate the processing on the basis of the objection without undue delay. The objection can be sent in writing to the address of the company's registered office.

8. Right to withdraw consent to the processing of personal data

Consent to the processing of personal data for business purposes effective from 25.5.2018 may be revoked at any time after this date. The revocation must be made by an explicit, comprehensible and certain expression of will, either by telephone on the customer line, at the company's store or at the company's registered office.

The processing of data from cookies can be prevented by setting your web browser.

9. Automated individual decision-making, including profiling

The data subject has the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or her or similarly significantly affects him/her. The Company states that it does not carry out automated decision-making without the influence of human judgement with legal effects for data subjects. The Company only performs profiling necessary for the performance of contractual obligations (see above).

10. Right to contact the Office for Personal Data Protection

Personal data subjects have the right to lodge a complaint regarding the processing of their personal data by the Company with the following administrative authority:

Office for Personal Data ProtectionPplk. Sochora 727/27170 00 Praha 7

Website: www.uoou.cz

CH. Policy Updates

Matters not expressly regulated by this Policy are governed by Act No. 110/2019, the Personal Data Processing Act.

This Personal Data Processing Policy is effective from 1 January 2024 and may be updated from time to time. You can always find the current version on the company's website.