Published using Google Docs
General Privacy Policy (ENG) Sept 22
Updated automatically every 5 minutes

 image1.png

GENERAL PRIVACY POLICY

This English version is provided for information only. Only the Czech version is considered legally binding.

Through the general principles of personal data protection (hereinafter referred to as the "Policies"), we present you with information on the handling of your personal data. You will find out what types of personal data we process, for what purpose we do so, on which legal titles we base the processing in question, for how long we store your personal data, in what ways (and from whom) we obtain them, what are your rights in relation to the processed personal data data, who you can contact in case of any questions and other related information.

Introduction of the administrator and service

Hello, we are Qerko s.r.o. young technological company with its registered office at Drtinova 557/8, Prague 5, registered at the Municipal Court in Prague under file number C 286872, doing business under ID number 06678815. Hereinafter referred to as "Qerko" or "we". We are glad that you have decided to use our services. Thank you!

Services means Qerko's technology platform, through which users of Qerko's mobile applications or websites (hereinafter referred to as the "Application") can collect points under the Loyalty Program (and thus obtain benefits and offers) and pay for the expenditure or part thereof for the services and goods provided by a partner of Qerko (e.g. a restaurant), if the latter enables payment for its services and goods through the application in question based on a contract with Qerko (hereinafter referred to as "partner").

The administrator of personal data processed in connection with your use of our products and services is Qerko. He is the company's executive Ing. Lukáš Kovač (kovac@qerko.com).  

When processing personal data, we comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (hereinafter referred to as "Regulation"), the national (adaptation) law No. 110/2019 Coll., on the processing of personal data, including the relevant accompanying law and other relevant legislation of the Czech Republic.

On behalf of Qerko, we would like to assure you that we approach the protection of personal data with respect and awareness of its importance. We are clearly aware of the importance of personal data protection for building user trust in modern and innovative digital services.

In relation to your personal data, processed during the use of our products and services, we are primarily in the position of personal data administrator. If a situation arises where we (someone else will) process data from the position of (another) independent administrator, joint administrator or processor, we will provide you with information about this.

Scope of the

Presented Policy The Presented Policy applies to the processing of data relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to a specific identifier, e.g. name, identification number, location data, network identifier or to one or more special elements of physical, physiological, genetic, psychological, economic, cultural or social and identity of this natural person.

Processing is considered to be operations with personal data (or sets thereof), in particular the following: collection, recording, arrangement, structuring, storage, adaptation or modification, search, viewing, use, making available by transmission, dissemination or any other making available, sorting or combining , restriction, erasure or destruction.

When interpreting individual aspects related to the protection of personal data, we are guided not only by applicable laws, but also take into account the interpretation opinions of the European Board for Personal Data Protection (formerly Working Group WP29) and the position of the National Office for Personal Data Protection (ÚOOÚ).

Scope of processed personal data

We are glad that you use our services! Thank you At the same time, however, interactions occur during which personal data is (may be) collected. At the same time, we come into contact with them in various situations, while the form and extent of processing, as well as the storage time of personal data, are different for them. In addition to the actual essence (nature) of the processing, the aforementioned is also determined by the various functionalities and technical possibilities of the cash register systems used by restaurants.

In the process of registering a user account, for example, we process identification and contact data to create your presence (entity) in Qerko. At the same time, we keep you internally in our database under a specific ID (a unique series of numbers and letters). When using the Qerko mobile application, we work with these (and potentially other) personal data for the purpose of delivering the provided service, and thus for the actual fulfillment of the contractual obligation. We further process personal data when managing the Qerko Loyalty Program and providing benefits arising from it. At the same time, we come into contact with your personal data when creating a "takeaway" order, when reserving a table in a restaurant, when purchasing via the Qerko e-shop application or for payment of requested third-party content (Qerko as a web payment gateway).

When you use the Site www.qerko.com, there is limited (necessary) processing of your data in order to ensure its trouble-free technical operation. The Qerko website performs several tasks. They are a presentation tool through which we communicate to the public and users important information about our company, the scope and form of the services offered and a number of facts related to our operations. The information presented here reflects both the need to present ourselves openly and transparently, as well as to fulfill the obligations given to us by the applicable legislation. At the same time, the home page enables direct requests for selected services to a similar extent as in the environment of the Qerko mobile application (creating and managing restaurant reservations; displaying restaurant offers directly on our company's website; purchasing in restaurants via Qerko's own e-shop interface; or payment for third-party content via a QR code on the website).    

We handle personal data in the same way when communicating with you for the fulfillment of a business relationship, when sending business messages as part of direct marketing, in the course of fulfilling our obligations set by law and others, as well as the facts presented in the document (see "Overview of situations where personal data is processed data").  

When collecting personal data, we respect the individual provisions of the Regulation and the main principles of personal data processing. These are the following principles: legality, correctness and transparency; limitation of the purpose of processing; data minimization; processing accuracy; limitation of storage (we store personal data only for the time necessary to achieve the set goal, or for the time set by the legal order of the Czech Republic); and last but not least, the principle of integrity and confidentiality of processing.

According to the source of the initiative, the processing on the Qerko side can be divided into three basic categories:

We generally process your personal data in two modes:

Overview of processed personal data

Personal data/category

Mode

Processed data

Provided by the user

Identification data

Logged

in Name and surname, e-mail (used as a username), password in encrypted form, year of birth and telephone number. In the case of business partners, also the address of the establishment, ID number, VAT number.

Contact details

Subscriber

Email address, phone number, address/billing address. Entering a phone number is optional (and we only display it for selected activities).

Additional personal data

Logged

in Photo of the user (optional data).

Registered

Payment card: during the registration process, information is only entered into the secure payment gateway of the contracted operator (GP Webpay, PayU, ČSOB, Stripe, Adyen). Qerku transmits only the first 6 and last 4 card numbers and card type (MasterCard, VISA...) to payment gateway providers. The customer himself then provides the payment card number, its expiration date and the security code of the card to the aforementioned companies in order to make the payment.

In the case of linking Qerko with a user account maintained with the companies Sodexo, Edenred, Benefit Plus, Up Déjeuner, Twisto and Mallpay, the data for the used financial instrument is processed in a similar form and scope.

User settings

Logged

in We currently only use identification and contact information (if you upload a photo, we have access to it as well).

Data associated with reporting problematic content

Logged

Not logged

in Name and surname, e-mail/telephone number (according to the method of reporting), date and time of reporting, content of the message. If reporting occurs directly via Qerko applications, we also store the internal user ID.

Data from communication with you

Logged

Not logged

in Date, time and method of communication. Content of communication. Including IP address type identifiers.

Data from Qerko service installations

Logged

Installation version, installation time, record and version of updates, operating system version.

Granting of consent

Logged

in Personal data processed (will vary depending on the nature of the matter) and confirmation of the granting of consent itself (to document consent on the part of Qerko).

Obtained by your activity

Data about your settings/user profile.

Logged

in Identification and contact information that the user provides in his profile. With the exception of e-mail, the user can edit all data continuously and according to his own choice. The data is stored in the given user profile.  

Transaction history: data about the transaction made through the Qerko application

Logged

Not logged

Data processed by Qerko

Payment in the restaurant

User name, date, time and place of the service provided, information about the establishment, table number in the restaurant, information about items paid, about the amount charged, about amounts provided tip, sending a receipt to the user's e-mail address and other possible connections related to the transaction through Qerko (e.g. provided satisfaction rating with the given restaurant/service). Confirmation of payment result and transaction ID from GP Webpay, PayU, ČSOB, Stripe and Adyen. In the case of payment from the "cafeteria" or from another similar tool (service), Qerko also obtains identification data for the user and the transaction carried out through the meal voucher and benefits provider. A list of such companies is provided below.    

E-shop (takeaway food)

Name and contact details for processing takeaway food orders (phone number/email). In the case of payment via Qerko, we further process information about the items paid, the amount charged, the receipt sent to the user's e-mail address, the amount of the tip provided and other possible connections associated with the given transaction (e.g. the satisfaction rating provided with the given restaurant/service). If the user chooses "delivery" provided directly by the contracted restaurant, the physical address for delivery is further processed. Last but not least, the user is issued a confirmation of the payment result and transaction ID from GP Webpay, PayU, ČSOB, Stripe and Adyen. Last but not least, contact details and data related to the completed transaction are processed when making a payment from the user's account maintained with one of the contractual meal voucher companies.    

Creating and managing a reservation

a) Registered user: User ID.

b) Unregistered user (via the website): name, e-mail, telephone.  

Web payment gateway

User ID, amount and date of payment, email (for sending receipt). Furthermore, the ID of the service provider and the used payment instrument.

Restaurant rating User

ID and rating provided.

Data processed by the contractual partner

Payment in the restaurant

First name and first letter of the last name of the user, date, time and place of service provision, information about the establishment, table number in the restaurant, information about paid items and the amount charged and the amount of the tip (transaction history).

E-shop/Takeaway food

Name, phone number. In the case of self-delivery, also the delivery address. The customer registers at the restaurant with the order number.  

Create and manage a reservation 

Name and surname, telephone.

Rating of the restaurant

Name and first letter of the last name, date and time of visit, information about paid items and amount charged and amount of tip, provided rating.

Payment gateways and methods

The personal data processed are theuser's e-mail, payment amount and number, date and time of payment, used payment instrument and related information.

Transaction history: data on completed orders (in progress)

Logged

in Users: overview of completed purchases and payments made at Qerko contractual partners.

Business partners (restaurant operators): information on purchases and payments made (see data on the transaction made above).

Data from the use of additional Qerko functionalities

Logged

Rating of the restaurant (optional): name, date, time of visit and provided rating (if the user decides to provide a rating of the given restaurant).

Data about your end device

Logged

Unlogged

Model of the end device, information about its HW, OS, language version, data from online identifiers, browser and its version, or data about the movement of the device (after providing consent).

Traffic information

Logged

Not logged

in Device IP address, date and time of access, application functions used, pages visited, application collapse (and other system activities), browser type, third-party sites, before coming to www.qerko.com.  

Data about your behavior on the website

Logged

Not logged

in Movement on our website/within the Application, data about the terminal device, online identifiers, browser and its version, derived location of the terminal device, OS and its version.

Data from logging in through a third-party service (social network, e-mail, etc.).

Logged

E-mail

Name, surname, password and password confirmation. You can optionally enter your phone number and date of birth.  

Facebook, LinkedIn

First name, last name, e-mail, telephone (if indicated).  

AppleID, Google Login

ID, login date and time.

From our initiative

Data related to the concluded contractual relationship and its management: User

Logged

Identification and contact data, date of conclusion of the contractual relationship (and related records of data from the installation of the service), information about the services/products provided (transaction history), information about payments via payment gateways, internal user ID (under which it is kept in the database). Including the registration of data for the fulfillment of legal obligations.  

Data related to the concluded contractual relationship and its management: business partner – natural person doing business

Registered

Identification and contact data, date of conclusion of the contractual relationship (and related records of data from the installation of the service), information on the services/products provided (transaction history), information on to payments through payment gateways, the user's internal ID (under which it is kept in the database). Including records of data for the fulfillment of legal obligations, address of establishment, ID number. Access to the administrative interface: login name and password (Qerko does not know the password).

Loyalty program: ensuring the proper functioning of the Program

Registered

Name and surname, username; contact details: e-mail address, profile on social networks.

Data on the participant's end device: end device model, data on its HW, operating system, language version, data from cookie files (and other online identifiers), browser and its version.

Information about the use of the Qerko application (in relation to the Program): date, time and derived location of application use; application control method/preferences.

Information about the operation of the Qerko application: IP address of the device, date and time of access, used Qerko functions, record of possible application collapse (and other system activities).

Communication data: date, time and method of communication, content of communication.

Customer support: records of contacting support, resolved issues, and Participant satisfaction.  

Loyalty program: provision of personalized offers and benefits

Logged

in First and last name, username; contact information: e-mail address, phone number (primarily for security and user verification), or profile (ID) on the social networks Facebook or LinkedIn;

Participant profile: assignment, storage, analysis and processing of data related to your purchasing behavior when using the Qerko application.

Transaction history: information about paid orders, ordered items, the amount of payments, dates, time and places of services used, the amount of tips provided in establishments, purchases and payments with contractual partners of the Program.

Business communication: first and last name; email/social network profile; date and time of sending, content of communication.

Other data: possible addition of data about the Program participant from publicly available sources, from partners and other third parties (and their assignment to the profile in the Qerko application).

Online identifiers: the identifier of the logged-in user - Token - will be used. This is needed to ensure the general identification of the user's end device.    

Internal product messages

Logged

in First and last name, email, transaction data, location (partners/restaurant location)

Network identifiers

Logged

Not logged

in Qerko: see separate table below

Third party: Google Analytics, AdWord

Information to manage the data that Google over its services collects are available here.

Google Privacy Policy here.    

Data from direct personal meetings

Logged

Not logged

Identification and communication data of natural persons (data from business cards).

Data related to sending business messages

Registered

Name and surname, username, e-mail, telephone.

Data collected by third parties

Logged

Not logged

in Google Analytics (for apps; for Firebase), Google Ads, Google Cloud and Google Workspace. Privacy policies for the mentioned tools are available here: Google Cloud; Google AdWords; Google Analytics; Google Workspace. Google's general privacy policy can be found here here. You can then get information from websites or apps that use Google services here.

With regard to the use of cloud services from Amazon Web Services, selected personal data may also be collected by this provider.

Amazon Web Services cloud services. The AWS privacy policy is available here.

Processing purposes We process

your personal data for specific purposes. According to the Regulation, the purposes must be specific, explicitly expressed and legitimate, while they must not be processed in a way that is incompatible with the defined purposes. The fact that each piece of data is processed for multiple purposes is common. In certain cases set out in the GDPR, we may also process your data for purposes other than those listed below. However, this occurs in exceptional cases, which the Regulation also makes subject to the fulfillment of other conditions. By defining the purpose, Qerko defines the reason for which it processes your personal data.

Information on specifically processed personal data is available in the "Overview of processed personal data" table. You will find out under which situations this occurs in the section "Overview of situations where personal data is processed".  

As part of our services, we process your personal data for the following purposes:

Legal bases of processing

The processing of personal data to achieve the purposes declared above takes place on the basis of individual legal titles. The GDPR defines six of them: consent; contract performance; fulfillment of a legal obligation; protection of vital interests; performance of tasks in the public interest; and the controller's legitimate interest.legal basis is the following legal titles:

Performance of

the contract We will use the legal title of performance of the contract in situations where the processing of personal data takes place for the purpose of concluding, fulfilling or terminating the contractual relationship between you and Qerko. At the same time, it applies to selected cases where you, as a user, actively request a certain service. In addition to the classic contract, this also includes other activities carried out in favor of starting and using a certain service. Processing as part of the performance of the contract takes place only and only for the purpose of fulfilling or concluding a contractual obligation. Therefore, we will not process your personal data for other purposes without another appropriate legal basis. Examples include the processing of data for your identification before the actual conclusion of the contract, data required for invoicing (if payment is being made for the provision of the service) or data necessary for the provision of the service.

Legitimate interest

The Regulation allows us to base the processing of your personal data on a subjectively determined interest. A prerequisite for the aforementioned is the provision of information about the right to object to processing based on a legitimate interest, as well as the right to erasure and assessment of the processing's own legitimacy. We must define the legitimate interest in accordance with the law, while this must prove to be necessary for the achievement of the stated goal. For this purpose, they must successfully pass the so-called balance test, in which we compare our interests against your interests and risks. Last but not least, the legitimate interest must be real and current for the given time and type of processing. The category of legitimate interest is normally met by activities to ensure the proper technical operation of the Qerko platform and services, to assert legal claims and protect one's own rights, to create general statistics and overviews of the operation and use of our services, or processing done for the purpose of reporting potential crimes.  

Compliance with legal obligations

The processing of personal data is not least in selected cases determined by national and European legislation and obligations to ensure the necessary cooperation with the legal system of the Czech Republic. An example can be processing due to obligations set out in the Accounting Act, the VAT Act or the Consumer Protection Act or ensuring cooperation with law enforcement authorities. In the event of a legally based request from the competent authority, we must store, share or display the processed personal data to the extent and time defined by a specific legal act.    

Overview of situations where personal data is processed

A. Use of website functionalities

Although Qerko is a mobile solution, we have prepared a website for users and business partners www.qerko.com. This can be used as: 1) a basic information page about the Qerko technology platform and the company itself (for the general public); 2) gateway to the administrative environment for contractually secured business partners (including natural persons doing business); 3) space for using selected Qerko services (see further in the text). The page also includes a request form for the introduction of Qerko in the restaurant (expressing the restaurant's interest in deploying the solution in the affected establishment).  

As is the case with other websites, during the operation of the website www.qerko.com , selected personal data is processed through issued network (online) identifiers. The use of an online identifier does not automatically mean the processing of personal data.

Among the best-known network identifiers are cookies. These are small text files that our servers store on your end device via the web browser you have installed and set up. They primarily contain information about settings related to the page visited. As such, they increase the user-friendliness of the visited pages. Cookies may also be issued by providers of advertising management tools, websites or cloud service providers (see below).  

You can find information on privacy protection settings within browsers on the websites of their providers. You can therefore choose the level of protection in relation to cookie files according to your own preferences. Below are links to their settings for selected browsers:  

The website as a general information page

The basic purpose of the website www.qerko.com is to present the product and services of Qerko. It is a "static" presentation of information without the need and interest to monitor and evaluate the ways of its use by visitors and business partners. Via the Qerko home page, it is also possible to view the menu of partner restaurants without any more advanced interaction beyond the simple display of information (in this case, the menu offer of the restaurant in question).

During normal browsing of the Qerko website, only online identifiers are issued in order to ensure the technical operation of the site and to achieve IT and network security (the issued online identifiers are listed in the table "Overview of used network identifiers"). The legal basis for the processing here is Qerko's legitimate interest in achieving the aforementioned.

The website www.qerko.com also uses selected tools from Google and Amazon Web Services (AWS). In the case of the former, these are advertising and website management tools, cloud services and analytics. Specifically, these are Google Analytics, Google Ads, Google Cloud and Google Workspace. The analytical tools are provided by the second of the listed companies - AWS. Google Analytics tools are specifically used to display advertising on the Qerko application in the Google advertising network. At the same time, this is done through a solution for managing advertising - Google Ads). At this point, however, we would like to emphasize that Qerko does not use them to evaluate any information about the given user. However, cookies are issued here by Google.  

In practice, it works as follows: the user's browser is marked with a simple online identifier that records the visit to the Qerko website. The web browser sends information such as the URL address of the visited page and the IP address number of your end device to Google. If the user subsequently uses the same browser to visit another page that is part of the Google advertising network, he may also see an advertisement for Qerko among other messages. However, we do not provide any identifying information to Google or other third parties. The processing of personal data within Ads (and other cited tools) is governed by Google's general personal data protection policy (here), while there are also partial adjustments for individual tools (see later in the document). Cookies can also be sent to your web browser when you visit a website or an advertisement is displayed that uses one of the services in question (whether in Google services or on another website or application). According to Google's own statement, the information that websites and applications share with it is used to provide, manage and improve its services, to measure the effectiveness of advertising, to protect against fraud and abuse, and to personalize the content and advertisements displayed on Google and on websites and in partner applications.  

Network identifiers used:

Name

Type

Purpose of processing

Legal title

Stored information

Recipients

Processing time

users

identification

 

General identification of the logged-in user

Legitimate interest

Logged-in user identification token,

Qerko

For the duration of the user account

accessToken

session

General identification of the logged-in user

Legitimate interest

Access Token of the logged-in user,

Qerko

Removal of 1 week of inactivity

refresh Token

session

General identification of the logged-in user

Legitimate interest

Refresh Token of the logged in user, identification string of

Qerko

3 months. The Refresh Token is updated with the user's activity and its validity is thereby extended.

Seznam.cz API

cookie

Geographical designation of the establishment in the Mapy.cz application

Legitimate interest

points saved by Qerek in Mapy.cz (geographical location of the partner/restaurant)

Qerko

Seznam.cz  

For the period of use of the API

Ads

cookie

Issuing of advertising

See Google Ads

terms See

Google

During the period of use of the Ads

Web service as a gateway to the admin environment for our partners

, contractually secured partners have access to the Qerko administration environment established within the website www.qerko.com . They will get access to information about services provided and purchases made in their establishment(s) using the Qerko application. At the same time, they will find anonymized ratings provided by guests who have made a payment with them through our service.

The restaurant operator can access the interface after logging in. The business partner chooses the login name and password. At the same time, Qerko does not know the user's password.

Qerko processes business partner identification data, transaction data and network identifiers necessary to ensure proper operation of the administration environment. The transaction data of our users for a given establishment/establishment is provided to the restaurant operator (our business partner) in a pseudonymized form (first name and first letter of the surname of the Qerko user and transaction data in the form of date, time, amount of payment and content of the service provided). This is a simple preview of the admin section of the Qerko solution, with no tools provided for further manipulation. The issued network identifiers are so-called tokens (see table Used network identifiers).

The processing of personal data of our partners (here primarily natural persons running businesses or contact persons on the side of companies) is carried out for the following purposes:

The primary legal basis here is the performance of the contract. Other bases are the fulfillment of a legal obligation and the legitimate interest of Qerko.    

Use of selected Qerko web services The

home page www.qerko.com also serves for user access to selected services. These are the following:

As part of the aforementioned Qerko services, selected personal data are generally processed (name and surname, e-mail/telephone number, date and time of the activity performed and process information related to the payment, possibly also the address for the delivery of "takeaway" food) in full or pseudonymized form. In the latter case, it is the name and the first letter of the surname and, depending on the nature of the service, additional data. For more detailed information, see the "Overview of processed personal data" table (personal data "obtained by your activity" section).

Reservation

Before visiting the restaurant, you have certainly used the option to reserve a table for a given time many times. With Qerko, we can do so conveniently via the website and the app (and therefore as an unregistered and registered user of our services), while our robot also calls the restaurant for you. You don't have to wait so long for the phone to ring in a restaurant or the often lengthy search for a waiter in the physical reservation book. In the registration form to create a reservation, you enter your first name, phone number and e-mail address.

At the same time, you can make a reservation through selected services of Seznam.cz, primarily through the profile of the partner restaurant Qerko on the Firmy.cz portal. At the same time, Qerko does not transfer information about you as a user to Seznam.cz.  

In the case of a registered user, we match the reservation request to your existing Qerko account. Unregistered users will be asked to create an account with Qerko. The reservation can be canceled just as easily electronically.    

E-shop (takeaway order)

The Qerko e-shop is currently designed as a web version of a takeaway order. This is our own solution, which we provide for use by individual restaurants as part of the services offered. The e-shop can be used by both registered and unregistered users. Qerko processes the name entered by the user in the online form, contact information (phone number or e-mail) and delivery address, if the user opts for delivery. In the case of a registered user, it works with similar data related to the user's account (primarily ID/e-mail address). At the same time, the system does not currently allow the connection (use) of third-party delivery services. It is therefore a delivery provided directly by the partner restaurant. In case of payment via Qerko, we further process the paid items, date, time and place of purchase. If the user selects "delivery", the delivery address is logically processed as well. Last but not least, the user is issued a confirmation of the payment result and transaction ID from GP Webpay, PayU, ČSOB, Stripe and Adyen. The user is identified by the generated order number at pick-up. Depending on the type of checkout system, the user's first name and the first letter of the last name, as well as the phone number (if the user has filled it in their account) may appear on the order on the restaurant's side.  

Viewing the restaurant menu

Our partner restaurants allow convenient viewing of their menus. It is a simple presentation of the offer via a QR code generated and inserted directly by the restaurant on the website. This service can also be used by unregistered users. In the case of a registered user, we work with his created ID, and the menu menu opens directly in the Qerko application environment after "loading".  

When displaying the restaurant's menu, we only process the network identifiers necessary to ensure the requested functionality at the restaurant selected by the customer (own operation of the website and display of the menu using a QR code). Static information about the restaurant's menu is further supplemented by links to scan the QR code in order to create an order via the Qerko application and a link to the restaurant's location in Google Maps. As already mentioned in the section "The website as a general information page", cookies may also be displayed by providers of advertising systems. In this case, the processed data associated with the display of network identifiers do not reach contractual partners (restaurants).

Qerko as a web payment gateway

Qerko was created as a modern tool for convenient payment in restaurants. However, our solution enables the use of QR codes for payment in areas other than gastronomy. The payment gateway service can only be used by registered users, in the case of those who thereby enter into a contractual relationship with Qerko. Cooperation with providers of other services (for example, the video portal Oktagon.tv, which makes content of a sports, entertainment and informative nature available via the Internet) is usually further conditional on registration with the given third party (and therefore with the provider of the requested service). Here, Qerko serves as a modern payment tool. Therefore, we do not share personal or other data related to other Qerko services and the activities of registered and unregistered users with third parties. For the purpose of fulfilling the contractual relationship (mediation of payment via the Qerko QR code/Qerko application), we process only the user ID, amount and date of payment, e-mail (for sending the receipt), ID of the service provider and the used payment instrument. On the side of the provider of additional content, the Qerko user's e-mail, the amount and number of the payment and the used payment instrument are processed. 

The processing of personal data when using the cited Qerko web services (reservation; e-shop; menu display; Qerko as a payment gateway) takes place for the following purposes:

The primary legal basis for here is the performance of the contract. Others are the fulfillment of legal obligations and the legitimate interest of Qerko.

Request form for the possible deployment of the Qerko system at a partner

Directly from the website, last but not least, there is the possibility to send an inquiry about the possible deployment of Qerko in a specific establishment. Mandatory data to be filled in are: partner's name; city; name; surname; e-mail; telephone number; type of cash register system.

The questionnaire is processed for the purpose of fulfilling the contract (possible conclusion of a contractual relationship). The legal basis is the fulfillment of the contract. The processing takes place for the period necessary to conclude the contractual relationship, or subsequently for the period of fulfillment of the concluded obligation.      

B. Registration to the Qerko platform

The default prerequisite for using most of the Qerko platform services is the creation of a user account. The user can register via e-mail, an existing Facebook and LinkedIn social network account, or with the help of Apple ID or Google Login. The Qerko application can be downloaded from one of the online app stores (Google Play, Apple Store, Huawei App Gallery). The processing of personal data associated with the process of downloading the application (if such occurs) is governed by the rules of the provider of the given website/app store.

In the case of registration using e-mail, personal data entered in the registration form, such as first name, surname and e-mail, are processed. Entering a phone number is optional (only displayed for selected activities). If you decide to use the login of one of the social networks to create an account, we will only work with the given ID. In all cases, we have operational information (login date and time) and issue online identifiers necessary to ensure the technical operation of the service.

Natural persons who run a restaurant in their own name can also register. In this case, the name and surname, the name and address of the restaurant and the contact details for the given establishment (telephone and e-mail) are entered. For the purpose of starting cooperation, the brand/type of the cash register system used is also indicated.  

In the process of creating an account and for the duration of its existence, Qerko processes your identification, contact and additional information personal data. While inserting a photo is voluntary (by this step you voluntarily provide us with the photo in question for the purpose of maintaining it in the Application), the payment card details are necessary to ensure the full functionality of Qerko (for making payments in the network of our business partners).

During registration to the Qerko platform, we process personal data for thefollowing purposes:

The primary legal basis for processing here is the fulfillment of the contract (provision of the requested service), the secondary ones are the fulfillment of a legal obligation due to the fulfillment of the legal order of the Czech Republic and legitimate interest. In this case, this primarily relates to ensuring the smooth and safe operation of Qerko in the process of registering to the Qerko platform and securing communication with the registering user/restaurant operator.    

The moment of creation of the contractual relationship is the creation of your registration (its successful completion). For the duration of the contractual relationship, which ends at the moment of cancellation of your user account (registration), we therefore have information on user account settings and its operation (use). We store the data for the duration of the existence of your account (until you request deletion) and in accordance with the archiving terms imposed by individual legal standards (e.g. for financial and tax purposes).  

During registration, you will be prompted to add a payment card to the Qerko application. After selecting a VISA or Mastercard payment card in the Qerko application, you will be redirected to the website of the payment gateway GP Webpay, PayU, ČSOB, Adyen or Stripe. With an activation payment of CZK 1, which is used to verify the existence of a payment card, you will be redirected to the secure environment of a specific payment gateway. This will verify the existence of the payment card and at the same time enable Qerko to make repeated payments from the given payment card (as part of the fulfillment of the contractual relationship with you). In the process, you enter your payment card information and confirm the payment.companies GP Webpay, PayU, ČSOB, Adyen or Stripe will return to Qerku only the information that the payment was successfully made together with the signature of the message and the identifier of the verification payment. All information about the payment card remains correctly with GP Webpay, PayU, ČSOB, Adyen or Stripe. So we don't have full data about our user's payment card. Qerko only records the verification payment identifier in its database for the relevant user account, which is unique for each instance of adding a card and a specific user.

By registering for Qerko, you also enter the Qerko Loyalty Program. Through it, we fulfill our mission to provide advanced payment services with higher added value. Those that reflect your interests, preferences and way of using the application, applicable in a way and in a form that suits you. And at the same time, we want to please you from time to time with attention that you don't expect. With the loyalty program, our offer will simply taste better to you! The actual purpose of the Loyalty Program is to provide personalized offers and benefits to its participants. These are created based on the analysis and processing of information about your profile and purchasing behavior as a participant in this program. For more information, see the "Overview of processed personal data" table.  

Profiling is the automated processing of personal data consisting of their use to evaluate some personal aspects related to a specific natural person (personal preferences, interests, purchasing behavior and other attributes). Both manual and automated procedures using modern technologies can (will) be applied. Processing can thus occur exclusively by automated means (and thus fully without the intervention of the human factor). This may affect the final form of the offer and/or benefits for a specific Program participant.

At the same time, we would like to inform you that natural persons have the right, given by the Regulation, not to be the subject of any decision based solely on automated processing, including profiling, which has legal effects for them or affects them in a similar way. It is possible to object to the above. You can do so by emailing privacy@qerko.com. However, the processing on the part of Qerko is not of a nature that would lead to the above-mentioned impacts/effects.    

C. Using the Qerko application

You have come to the premises of one of Qerko's contractual partners and you can comfortably pay for the services or goods provided using the Qerko application. Thank you! So you are actively using the application. However, we don't end with the option of splitting the amount of the bill in a restaurant and instant mobile payment. We are adding more advanced services to the Qerko portfolio. This includes ordering from a mobile phone after scanning a QR code on a table in the establishment, reserving a table from the website or mobile phone using a reservation machine (robot), Qerko's own e-shop solution for restaurants or the possibility to provide non-public reviews from real guests of the restaurant in question.

Payment for services provided  

Payment can be made without cash, from a mobile phone after reading a QR code connected to the operator's cash register system. Our contractual partner registers the payment in its system and you leave to meet other business or personal challenges. In addition, enriched with points and benefits within the Qerko Loyalty Program.  

In the process of fulfilling the contract, we deal with identification, contact and additional information, with data associated with your own order (information about orders, fulfillment and completed transactions), with information about user behavior and ways of using the Qerko platform and, last but not least, with information about the type, settings and operation of your end device. In general, this is the following personal data: user name, date, time, establishment information, restaurant table number, paid items, payment result confirmation and transaction ID from GP Webpay, PayU, ČSOB, Adyen or Stripe.

At the same time, the restaurant will process data such as the first name and first letter of the surname, transaction data for the service/payment (see table "Overview of personal data processed"), the amount of the tip and, if necessary, the satisfaction rating provided by the user.  

Your personal data is processed for thefollowing purposes:

In order to prevent criminal activity and ensure the integrity and security of Qerko's networks and operations, we may also process data related to the technical parameters of the user's/partner's end device and its interaction with the Qerko application (or with the systems of the providers of products and services to the Loyalty Program). In order to fulfill legal obligations, we may also process your identification and contact data, data on the payment made, information related to your own order and its fulfillment. We store personal data processed for this purpose for the period set by law (usually 10 years).  

The primary legal basis for the processing here is the fulfillment of the contract. Other legal bases are the fulfillment of a legal obligation and legitimate interest on the part of Qerko.  

Order "takeaway"

In the Qerko application, the user can choose to order "takeaway" services from a restaurant that is our contractual partner. As already mentioned in the section “A. Using website functionalities", the order can also be placed via the e-shop web solution. This involves the creation and payment of a "takeaway" order, or its delivery by the contractual partner Qerko's own capacity (restaurant). For a registered user, we work with his ID (primarily an e-mail address, which is a user name in Qerko) and a phone number. In the process of paying for services, Qerko handles the paid items, date, time and place of purchase in the same way as the web version. If the user selects "delivery", the delivery address is processed at the same time. Last but not least, the user is issued a confirmation of the payment result and transaction ID from GP Webpay, PayU, ČSOB, Adyen and Stripe. The user is identified by the generated order number at pick-up. Depending on the type of checkout system, the user's first name and the first letter of the last name, as well as the phone number (if the user has filled it in their Qerko account) may appear on the restaurant's order.  

Creating and managing a reservation

Registered Qerko users can easily request and, if necessary, manage the reservation of their favorite restaurant through the application, if it is our contractual partner. As part of the transaction history, we deal with the user's ID, while the restaurant deals with the user's first and last name and their phone number. The restaurant reservation (call) is handled by our robot, so the user can only limit himself to activities within the Qerko application.  

Evaluation

Evaluation of satisfaction with the services provided can only be used by a registered user, with the restaurant operator displaying personal data in pseudonymized form (first name and first letter of last name), date and time of the visit plus the evaluation itself. At the same time, the user has the option to choose from the offered evaluation or add his own comment.  

Web payment gateway

This is a service for registered users, in the case of those who decide to create a Qerko account in order to use it. The second of the conditions is registration with the third party itself, which operates the service in question (for example, in the form of making sports or entertainment video content available). In addition to payment via the application (with connection to payment tools GP Webpay, PayU and ČSOB), you can also make the payment via Stripe or Adyen solutions. As already mentioned in the section on the web versions of our services, in the case of a purchase through its own web portal, Qerko handles the user ID, the amount and date of the payment made and the e-mail for sending the receipt for the purchase made. At the same time, the ID of the service provider is processed and information about the used payment instrument is stored (see mention above). On the side of the contractual partner, the user's e-mail, amount and payment number, as well as the used payment instrument are processed.      

Displaying the menu

As in the case of the website, the application also involves a simple display of the menu of the selected restaurant via a QR code issued by its operator. In this case, there is no further processing of personal data beyond the scope of ensuring the own functionality of displaying the information behind the QR code. The display is logically done in the user's application and can be further saved in the activity record within the Qerko account itself. However, we do not work with the data in question any further.  

The processing purposes here are the same as those we stated for the web versions of the cited services (see section "A. Use of website functionalities"). Primarily, it is processed for the purpose of providing the service itself within the framework of the concluded contractual relationship, together with the actions necessary for the fulfillment of legal obligations and ensuring the technical operation and IT security of the services provided. At the same time, Qerko analyzes the basic characteristics of user behavior or creates general overviews and statistics. This is done primarily as part of the Loyalty Program (see table "Overview of processed personal data") and to a reasonable extent also for the purpose of direct marketing.

The legal bases here are the fulfillment of the contract, the fulfillment of the obligations given to us by the legal order of the Czech Republic and the exercise of our legitimate interests.  

Recipients of commercial communications

Commercial communications sent by e-mail or other electronic means are commonplace today. Current legislation allows us to create promotional offers that you can use when paying for goods and services at partners to which promotional offers or benefits apply. In the event that you have given your consent to the sending of commercial communications in accordance with § 7 of Act 480/2004 Coll., Qerko may inform you about the offers of its partners via email or SMS messages, as well as via the Qerko platform. By creating an account, you also agree to the sending of informational text messages (SMS) as part of the standard operation of using the service.

We will display the business message directly in the Qerko application. You will learn about such specific actions and benefits that you will get thanks to the Qerko platform. You will thus receive personalized messages, prepared on the basis of an analysis of your preferences and purchasing behavior. Neither the restaurant operators, nor other potential suppliers of the displayed commercial message/offer content (e.g. beverage or food manufacturers who want to communicate a special offer in a selected restaurant network) will not have access to your personal data. The senders of the message will only pass the general parameters of the "offer" to Qerko, the selection to display the relevant groups of Qerko users, and the subsequent display of the message will go fully and only to Qerko.    

When sending commercial messages, we will process your first and last name, username, e-mail and telephone number. We will do so based on the legitimate interest of Qerko.

At the same time, we would like to inform you about two of your rights that relate to such processing:

We stop processing personal data for this purpose from the moment you request the termination of such practice (e.g. by clicking on a link directly in a commercial communication), or if you decide to delete your user account. You can unsubscribe from text messages (SMS) at any time by sending an email to info@qerko.com and indicating that you no longer wish to receive them. And at the same time, you enter the phone number of the mobile device that is the recipient of these messages.      

        

Visitors to the company profile on social networks

Information about Qerko is available not only on the website www.qerko.com, but also on the social networks Facebook and LinkedIn. Qerko has his public profile here. Within its (their) framework, we only process such personal data, the processing of which is permitted by the personal data protection policy of the social networks concerned.

If you do not actively act in relation to the content presented by us (comments or labeling of our content), we do not collect any information about you. If the first of the listed variants applies, and you therefore use one of the communication channels to contact us, we process the following personal data (their categories): Your username (or first and last name); set language within the social network; time zone; the time of your activity; and the content of the message itself. If you have indicated within the social network, we will also see information about your gender.  

The purposes of processing your personal data are as follows:

We primarily process data within the social network environment. If you are interested in processing data from these networks (outside their environment), we proceed to anonymize the data, thereby achieving the exclusion of your data from the scope of the Regulation. Moreover, this preferably happens in an aggregated form. The operators of the affected social networks are in the position of independent administrators.

The legal basis here is the fulfillment of the contract (in the case of active communication with us via an account on the social network in question). Other legal bases are the fulfillment of a legal obligation and Qerko's legitimate interest.

User Communication with Qerko

Although Qerko is a user-friendly application, questions may arise during its operation and use that you will want to address with us. If you use any of the communication channels offered (e-mail, telephone, chatbot, postal address), your identification and contact personal data (possibly also additional data), records of the communication that took place, and technical information about your login, such as end device or operation as such. The purpose of the processing will therefore be to conduct communication with you (which you initiated yourself).

Communication can also be initiated by Qerko. And manifest in the form of a message displayed in the Qerko application. The content of the message can be of a different nature: from a notification of a new version of the application, to sending a personal message (including a notification of a violation of Qerko's rules) to the display of general or personalized offers from Qerko and/or business partners of our platform (see above). This will always be done in accordance with the rules of personal data protection.

The purpose of the processing here is:

The primary legal basis is also the fulfillment of the contract. The second of the applied legal bases will be a legitimate interest, which we will use for the purpose of communicating technical and procedural matters, needed to ensure the proper operation of the Qerko platform.  

Data on the processing of personal data (conducted communications) may, if necessary, be stored for the duration of the contractual relationship (or longer if it is necessary to use them to assert legal claims or to fulfill tasks carried out in the public interest - e.g. when dealing with criminal activity by the authorities law enforcement agencies). When audio recordings are made, the data subjects will be notified of the fact of the recording (in accordance with applicable legislation).

Qerko business partners The

operation of our platform is possible thanks to the cooperation of Qerko, specific establishments (and the underlying systems deployed in them) and online payment gateways. As part of the interactions, not only the personal data of Qerko end users, but also partners are processed. At the same time, they can also be entrepreneurial natural persons, whose civil name can also form the "business name of the company" (for example, "Lukáš Kovač café"). Even in this case, we process personal data to achieve specific purposes, according to the individual bases of processing and only to the extent and for the time necessary to achieve the specified purpose.  

In the case of dealing with the personal data of business partners' contact persons or the data of natural persons running a business, the following personal data are processed:

As part of the performance of the contract (or pre-contractual relations), personal data of selected employees of the partner may also be transferred (typically, for example, contact with the operator of the given restaurant). In order to fulfill the obligation to provide information to the natural persons concerned, it is necessary for employees to be informed about the possible processing of their personal data. The partner is hereby obliged to inform the employee about such processing. At the same time, the partner's employees should have the opportunity to familiarize themselves with Qerko's general principles of personal data processing.

In terms of time, the processing of personal data will take place for the duration of the contractual relationship and in accordance with the deadlines set by the individual legal regulations to which Qerko activities fall. In the case of sent business messages, then until the business partner expresses interest, not to be sent by them.

Storage of personal data

In accordance with the Regulation, we only store your personal data for a period not longer than is necessary for the purposes for which they are processed. From a procedural point of view, our internal system is set up so that access and handling of individual files of personal data fully reflects the purposes for which they were collected. Our employees are contractually authorized to handle the data, including signed NDAs. Last but not least, the retention period depends on the chosen processing purposes and the necessity of these personal data to achieve the defined processing purposes.

Obligation to provide information

The rules for the protection of personal data obligate personal data administrators to openly, clearly and clearly communicate how your personal data is handled. It is no different in the case of Qerko. After all, the presented general principles of personal data protection are a practical fulfillment of the established obligation.

Qerko makes and provides information, basic communications and actions that relate to the fulfillment of the information obligation according to the Regulation free of charge. However, if your requests are clearly unfounded or unreasonable, especially because they are constantly repeated, the Regulation gives us the right to charge such a request with a reasonable fee, taking into account the administrative costs associated with providing the required information or taking the required actions. Alternatively, reject such a request.    

The presented personal data protection principles serve to fulfill the general information obligation. In the event that Qerko processes information that you have directly provided to it, the Regulation gives you the right to obtain at least the following information:

a) Information that personal data is processed by Qerko (including our contact details).

b) Purpose and legal basis of personal data processing.

c) Information about our legitimate interests, if we use the title "legitimate interest" for processing.

d) List of possible recipients or categories of recipients of personal data.

e) Information about any intention to transfer personal data outside the territory of the EU (or an international organization).

However, if the processed personal data were not obtained directly from you, you have the right to at least the following information according to the Regulation:

a) Information that the personal data is processed by Qerko (including our contact details).

b) Purpose and legal basis of personal data processing.

c) Category of personal data concerned.

d) List of possible recipients or categories of recipients of personal data.

e) Information about any intention to transfer personal data outside the territory of the EU (or an international organization).

All of the above information is available in this document, which we repeatedly encourage you to read within the Qerko application. The general principles of personal data processing are easily accessible on the website www.qerko.com, in its lower right footer. They are also accessible from the Qerko mobile application.  

Rights of data subjects

The Regulation gives you specific rights that you can invoke in relation to processing on the part of Qerko. You can use all available information channels to exercise your rights. However, we would like to ask you to use the e-mail address privacy@qerko.com. Similar conditions apply to the provision of information, as in the case of the above-mentioned information obligation.  

Right to information about processing and access to personal data

Upon request, in accordance with the Regulation, we will provide you with information on whether we are processing personal data concerning you. If we process your personal data, you have the right to obtain it. And we will hand them over to you. Article 15 of the Regulation defines the specific information you have the right to access. Specifically, these are:

Right to rectification of personal data

We process your personal data with appropriate consistency and attention, however, it may still happen that some of them are inaccurate (out of date). If we find out the mentioned facts (or you report them to us), we will proceed to rectify them. After all, it is in our own interest to always process accurate and up-to-date personal data. However, the regulation also gives us the option not to process, based on your request, such data that would be redundant with regard to the specified processing purposes.  

 

The right to withdraw consent

If we process your personal data based on the consent granted, we will inform you at the time of the request for the provision of consent about the possibility of withdrawing this consent at any time. This also applies to consent to direct marketing (sending commercial messages). While you can access the latter via the link (by clicking on it) at the end of each such communication, please send other withdrawals of consent to privacy@qerko.com. Thank you!  

 

Right to erasure ("right to be forgotten")

If one of the reasons listed below occurs, you have the right to request the erasure of your personal data. We will do so without undue delay whenever:

However, despite the above, there are situations where we will not be able to fully or partially comply with your request. Primarily, it concerns those where the processing is necessary for the fulfillment of a legal obligation.

Right to restriction of processing

The Regulation defines the situations in which you have the right for us to restrict the processing of your personal data. After receiving the application, we will assess without undue delay whether at least one of the specified conditions has been fulfilled. Within a period of up to 1 month, we either have to restrict the processing, or they will reject the request, or extend the period. We will inform you about the result of the assessment within this period.restrict processing in the following circumstances:

 

The right to be informed about corrections, deletion or restriction of processing

The Regulation obliges us to notify you of all corrections, deletions and restrictions according to its articles 16, 17 and 18. The exception is cases where this proves to be impossible or would require unreasonable efforts.

 

Right to portability of personal data

You have the right to portability of personal data that you have provided to us in the course of using the Services. Moreover, in a structured, commonly used and machine-readable format. At the same time, you have the right to transfer the data in question to another administrator, provided that the processing is based on consent or a contract, or the processing is carried out automatically. The regulation also gives you the right to transfer your personal data directly to another administrator. That is, if it is technically feasible. However, your right to portability of personal data must not adversely affect the rights and freedoms of other persons. In accordance with the Regulation, we will also provide you with personal data generated by your activity within our Services. Requests for transfer (portability) of your personal data should be sent to the address privacy@qerko.com.

The right to object

Another right is to object to the processing of personal data that is carried out in the public interest or is necessary for the purposes of the controller's legitimate interest. This also applies to profiling based on the processing in question. The regulation also gives you the right to object at any time to the processing of personal data for direct marketing purposes. Primarily, these are situations where you, as a natural person, do not have the possibility to influence the given processing in any way (that is, on the assumption that it is not processing in the public interest or vital interests). We will clearly inform you of the right to object. You can send it to privacy@qerko.com.

The right not to be the subject of processing based solely on automated processing

The Regulation further grants you the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects on you or would significantly affect you in a similar way.

 

The right to file a complaint with the supervisory authority (ÚOOÚ)

Processing your personal data in accordance with the Regulation and to your full satisfaction is in our own interest. However, it may happen that you become convinced of a mistake on our part, the unauthorized processing of your data or its non-compliance with the Regulation. We would like to inform you that the Regulation gives you the right to file a complaint against us with the competent supervisory authority, which for the Czech Republic is the Office for the Protection of Personal Data (ÚOOÚ), based in Plk. Sochora 27, 170 00 Prague 7. Submission can also be made via the electronic form ÚOOÚ, which is available here.

Announcing Changes

Life brings changes. This is no different in the case of the services provided. They also evolve over time. If there are changes on our part that may affect the way, scope and form of processing your personal data, we will inform you about it. However, this will always be preceded by an assessment of the real impact of the changes made on your rights and freedoms. After all, the chosen tools and methods of communication (announcement) will also depend on the severity of the changes.        

Recipients of personal data

Pursuant to Article 4, paragraph 9 of the Regulation, the recipient of personal data is a natural or legal person, public authority, agency or other entity to which personal data is provided. Regardless of whether the recipients are so-called "third parties" or not.

In most cases, personal data is processed directly by Qerko as a personal data administrator. We also share selected personal data with restaurant operators (business partners) who are directly involved in the functioning of the Qerko platform. They deal with them from the position of independent administrators of personal data.

If some of the partners were to process personal data for the benefit of Qerko, from a subordinate position, but above all on the basis of the instructions and conditions set by us, they would be in the position processor of personal data (with all obligations and requirements on the part of Qerko and the concerned partner according to the Regulation).  

are involved in the execution of your order through the Qerko platform personal data administrators:

Providers of payment gateways and solutions

Payments for services can be made after linking a payment card with a Qerko user account and payment instruments and solutions with which we have a cooperation agreement. Considering the sensitivity of the whole matter, Qerko management selects trusted providers who guarantee professional services, including personal data protection. These are the following providers: GP Webpay, PayU, Stripe, Adyen, ČSOB, Twisto, MallPay and meal voucher companies Sodexo, Edenred, Benefit Plus; and Up Déjeuner.      

A contract defining their status as independent administrators is concluded with all companies. This is done for the purpose of payment for services in the Qerko partner network through payment gateways and other payment instruments and solutions of the cited operators based on the legal basis of the performance of the contract. Data on the completed payment transaction are primarily transmitted (see table Overview of processed personal data). In the case of meal voucher companies, this is the possibility to pay for services paid through Qerko from the user's "benefit" card/account that the user in question has with the given service provider.  

The privacy policy of GP Webpay can be found here, PayU here, ČSOB here, Stripe here, Adyen here, Twisto here and MallPay here. In the case of meal voucher companies, you can familiarize yourself with the handling of personal data on their solutions at the following links: Sodexo here, Edenred here, Benefit Plus here, Up Déjeuner here.   

Public

authorities Personal data are transferred to public authorities at their request (and in accordance with the relevant conditions and procedures), for legal reasons. Data are transmitted in the scope and form determined by individual legal standards. Therefore, from their position, they independently and on their own responsibility determine the purposes and means of processing the personal data made available.

Business Partners/Service Providers

Service providers include restaurant operators and third parties for whose services users pay through the Qerko payment gateway. Depending on the nature of the chosen service (payment at the establishment, creation and management of orders, reservations, delivery provided directly by the restaurant), pseudonymized or "full" personal data are processed. This primarily happens within the Qerko client section, to which the operator has access. In the case of payments for third-party content (e.g. video portal Oktagon.tv), this involves the disclosure of personal data necessary to make payment for the requested content.

is also in the position of personal data administrator Seznam.cz, as Information about the possibility to pay with Qerk and the possibility to make a reservation can be displayed in its services. These are currently Mapy.cz and Firmy.cz. At the same time, the role of the administrator refers to the processing of data relating to a natural person who runs a restaurant in his own name. The selected data (name of the restaurant, ID number of the restaurant owner, address and opening hours) are transmitted to Seznam via a feed or API interface from the database of partner restaurants Qerko.

Operators of social networks

In the position of administrators are also operators of social networks for which Qerko has an established profile. This is processing derived from the existence and use of tools of fan pages on Facebook, Instagram, YouTube and LinkedIn, conducting communication through the mentioned services or possibly organizing marketing competitions through these social networks. The basic one here is the user ID on the given social network. Any processing of personal data by social network operators is governed by their conditions (see the link to them in the "Scope of personal data processed" section). At the same time, Qerko does not purposefully transfer any personal data of its users to the operators of Facebook, Instagram, YouTube and LinkedIn.

The processors of personal data involved in the operation of the Qerko platform are listed below. Personal data are made available to them to the extent necessary to achieve the purpose of processing.

Suppliers/operators of technological services and solutions

Qerko uses modern technological solutions of third parties for its activities. These are web and cloud service providers (specifically Amazon and Google), suppliers of analytical and advertising tools (Google and Meta) and other IT solutions and tools used by Qerk.

When using Qerko functionalities working with Google tools (Google Analytics, Google Ads, Google Cloud and Google Workspace) and Amazon Web Services, data associated with your internet browser, with the type and settings of the end device, with the operating system, with data about mobile network or with information about the version of the installed application of the solution in question. Also collected is information about the interaction of your applications, browsers and devices with the services provided by Google and AWS (activity on websites and in applications), including IP address, crash reports, system activity and the date, time and URL of the referring source of your request. The processor of personal data from Google tools used by Qerk is Alphabet Inc., and in the case of Amazon cloud services, Amazon Web Services (AWS). Its privacy policy can be found here.  

A contract was concluded between Google and Qerko for the use of Google Analytics and Ads tools. Among other things, it also deals with the issue of personal data processing. Information to manage the data that Google collects on its services is available here. The same is true of cloud services from AWS.

To manage ads on social networks Facebook and Instagram, Qerko uses the Meta Ads tool. Again, this is based on a bilateral agreement between Qerko and Meta. Information on processed personal data on Meta's side is available in their general privacy policy here.

Under contractual conditions, suppliers and operators of internally used IT solutions and services for Qerko may also have access to personal data. Specifically, it is the provider of the following solutions: the provider of the PipeDrive. At the same time, we use the Webflow tool to import data into PipeDrive, whose personal data protection policy you can find here. Another provider is SendGrid Inc., which is the operator of a modern e-mail API platform. Qerko uses its tools to send receipts, user emails or measure clicks. Her mother Twilio's privacy policy is available here. Last but not least, we use the services of Ecomail, which is a marketing platform for e-mail and omni-channel communication, to send marketing messages within the Qerko network. Based on the concluded contract, all providers have precisely defined controls for handling personal data generated by using the Qerko solution. If they are violated, they become independent personal data administrators and act at their own risk and responsibility. We would like to assure you at this point that we select established companies that have good references in the digital solutions market.          

However, if contact with personal data occurs as part of service interventions or updates of the provided solutions, this is not handling of personal data from the position of the processor. Therefore, a processing contract is not necessary here, although most suppliers are contractually and procedurally prepared for possible requests from clients.

Providers of legal and consulting services

The processors of personal data also include selected providers of external services, primarily legal, tax, accounting or consulting. In this case, personal data is processed to the extent and form determined by Qerko.

The situation where transaction data from establishments of natural persons doing business is shared is specific here. This is because the personal data of the operator, who is a natural person, is handled. The sharing (transmission) of such data is possible only with the prior consent of the natural person doing business. In the case of data related to the Loyalty Program, sharing can only take place under the conditions set and agreed within the program itself. Therefore, if the operator is a natural person doing business, consent to the processing of personal data is always signed.          

In conclusion, we would like to emphasize that, in the spirit of the Regulation, we transfer your personal data only to trustworthy, technically and procedurally prepared administrators and processors. Cooperation is always contractually treated, including the adoption of a confidentiality statement and other measures. If we have doubts, we solve them without delay.

Transfer of data outside the EU

The Regulation deals with the transfer of personal data in cases where the data is provided to administrators or processors outside the EU. This can happen in situations where the Commission has decided that a certain third country or international organization outside the EU provides a sufficient level of personal data protection. If the decision in question has not been issued in relation to the country in question, the transfer can only be made on the basis of suitable guarantees. These include the standard clauses for the protection of personal data (here). The standard clause is a sample text of a contract between a controller or processor of personal data who intends to transfer personal data to a third country outside the European Union, or outside the EEA, and the recipient of the personal data in that third country.         

In the previous section of these general processing principles, we presented a list of parties to whom we transfer (can transfer) personal data. Your data may reach outside the territory of the Union in the case of the global social networks Facebook and LinkedIn, software tools used by Google or payment gateway providers GP Webpay, PayU, Stripe, Adyen or ČSOB. The issue of the transfer of personal data and their processing in accordance with the GDPR is mutually contractually treated in the above cases.  

 

Termination of use of our services

Although we will regret the decision to terminate the use of our services, we will do our best to ensure that everything goes to your satisfaction. From the point of view of personal data protection, the resulting situation will lead to the following measures: if there is no legal reason for further processing of your personal data, we will proceed to remove them from our servers. The technical and procedural way of doing it will make it impossible for anyone on Qerko's side to continue to use this data. However, in the case of our interest, we can fully anonymize the personal data in question, thereby exempting them from the scope of the Regulation. Before the actual deletion, we will inform you of the right to request their transfer or transfer to another administrator. In both cases in a structured, commonly used and machine-readable format. Please direct your requests for erasure or data portability to the address privacy@qerko.com.

Notification of data security breaches

Regardless of the quality of our processes and the level of technical security of our service, your personal data may be breached. In certain cases, under certain circumstances, we are obliged to notify a breach of personal data security. The regulation distinguishes between two modes of reporting:

a) (

If there is a breach of the security of personal data and it is likely that this will result in a risk to your rights and freedoms, according to the regulation, Qerko is obliged to report the breach to the supervisory authority within 72 hoursÚOOÚ).

 b) data subject

If it is likely that a breach will result in a high risk for your rights and freedoms, we will report this event to you without undue delay. We will clearly and comprehensibly inform you of the nature of the violation and provide you with at least the following information:

 

Security of personal data

Protection of personal data is not possible without its corresponding procedural and technical security. The common denominator of security is the need to prevent violations of the confidentiality and integrity of personal data processing. The main risks are: accidental or illegal destruction of data; their loss; modification of personal data; and unauthorized disclosure to third parties (or unauthorized access by them during their processing).

Measures taken on the part of Qerko:

 

Questions and contacts

We are aware of the fact that the protection of personal data is a necessary, but at the same time complex area. The handling of the same data by two different controllers may or may not be processing of personal data. Therefore, do not hesitate to contact us in case of questions about the processing of personal data. In the same way, we do not resist your suggestions and suggestions. In all matters, please also use the email address privacy@qerko.com. With regard to the nature, scope and purposes of the currently processed personal data, we do not fall under the scope of Article 37 of the Regulation and we are not subject to the obligation to appoint a personal data protection officer.

September 2022