The purpose of this Personal Data Processing Policy for visitors to the www.forclassmates.io website (the “Policy”) is to provide information on what personal data ForClassmates Finance s.r.o., Company Reg. No.: 10852531, with its registered office at Evropská 516/10, Dejvice, 160 00 Prague 6, entered in the Commercial Register kept at the Municipal Court in Prague, File No. C 349541 (hereinafter referred to as the “Company” or “Controller”), processes about natural persons when providing services, in visiting websites operated by the Company and contacts with potential customers, for what purposes and for how long the Company processes this personal data in accordance with applicable law, to whom and for what reason it may pass it on, as well as to inform what rights belong to natural persons in connection with the processing of their personal data. These Principles apply to the processing of personal data of customers, as appropriate, their representatives or contact persons, users of services, persons interested in the company's services and goods and visitors to websites operated by the Company, always to the extent of personal data corresponding to their position vis-à-vis the Company. These Principles are effective from 1 April 2021 and are issued in accordance with Regulation (EU) 2016/679, on the protection of individuals with regard to the processing of personal data and Act No. 110/2019, the Personal Data Processing Act (“Regulation” or “GDPR”) in order to ensure the information obligation of the Company as the Controller under Article 13 of the GDPR.
Personal data is any information that relates to a natural person that the Company is able to identify. The following categories of personal data may be processed by the Company in connection with the provision of services and the sale of goods.
1. Basic personal identification data and address data
These types of data are necessary for entering into and performing the contract. They mainly concern the following:
• academic degree
• name and surname
• business name
• birth certificate no. (in case the BC number was not assigned for any reason, then the date of birth)
• company reg. no., tax no.
• address of permanent residence
• address of registered office or place of business
• billing address
• numbers of submitted identification documents and their copies
• identification data of the customer's representative or contact person designated by the customer
• identification data of the billing payer
• bank details
In the case of contracts for one-off sale of goods, the scope is limited to basic identification data.
2. Contact details
• contact telephone number
• contact e-mail
• social media accounts
3. Data on purchased services, use of services and payment behaviour
• type and specifications of the provided service
• volume of provided services and their price
• customer segment
• information on payment behaviour
4. Other data generated in connection with the provision of services
This data arises from the provision of services other than electronic communications services or from the provision of electronic services.
5. Data from communication between the Company and a customer
This data arises during communication related to the provision of services and goods between the Company and a customer. These are records of personal communication with a customer in stores or other direct contact with a customer, written and electronic communication with a customer and records of telephone calls, chat and video chat communication between a customer and the Company.
6. Data processed with your consent
The processing of this data is not necessary for the performance of the contract or legal obligations or the protection of the legitimate interests of the Company, but their processing will enable the Company to improve services, focus on what customers are really interested in and, where appropriate, inform customers about offers that are suitable for them. This data is processed only if consent is granted and may be processed for the period of validity of this consent. In particular, it includes:
• data obtained from marketing surveys (processed by customers of services on the basis of consent to the processing of personal data for business purposes)
• data on the use of services, products, benefits and bonuses and type behaviour when using services (processed by customers of the Company's services on the basis of consent to the processing of personal data for business purposes)
• contact details
• records of behaviour on websites managed by companies obtained from cookies if cookies are enabled in the web browser (are processed to improve the operation of websites operated by the Company, internet advertising and in case of consent to the processing of personal data for business purposes, this data is processed together with other personal data for this purpose)
The scope of processed data depends on the purpose of processing. For some purposes, it is possible to process data directly on the basis of a contract, a legitimate interest or on the basis of law (without consent), for other purposes only on the basis of consent.
1. Processing due to the performance of a contract, fulfilment of legal obligations and due to the legitimate interests of the Company
Provision of personal data necessary for the performance of a contract, fulfilment of legal obligations and the protection of legitimate interests is mandatory. It would not be possible to provide services without providing personal data for these purposes. We do not need consent to process personal data for these purposes. Processing due to the performance of a contract and fulfilment of legal obligations cannot be refused.
For customers of the Company's services, the Company is entitled, if they have fulfilled all their obligations regarding it, to process customer’s basic personal, identification, contact data, data on services and data from their communication with the Company in the customer database for a period of 5 years from the date of termination of the last contract with the Company.
In the case of purchasing goods from the Company, the Company is entitled to process basic personal, identification and contact data of a customer, data on goods and data from communication between the customer and the Company for 4 years from the date of expiry of the warranty period for the goods.
In the case of negotiations between the Company and a potential customer on entering into a contract, which was not completed by entering into the contract, the Company is entitled to process the personal data provided for a period of 3 months from the relevant negotiations.
Invoices issued by the Company are archived for a period of 10 years from their issuance in accordance with Section 35 of Act No. 235/2004 Coll., on Value Added Tax. Given the need to document the legal reason for issuing invoices, customer contracts are also archived for a period of 10 years from the date of termination of the contract.
2. Processing the data of the Company services’ customers with consent for business purposes effective from 25 May 2018 (effectiveness of the regulation)
We process personal data for business purposes with a customer of the Company service with his/her consent. For the period from 25 May 2018, the Company obtains a new consent for business purposes, which is effective after this date. The effective date of the consent to the processing of personal data for business purposes is in the text of the consent.
The provision of consent for business purposes is voluntary and the customer may revoke it at any time after 25 May 2018. This consent remains valid for the period of use of the goods and services and for the next 4 years thereafter or until the customer revokes it. All categories of data listed in section A of this document (except for signing and copies of identification documents) may be processed for business purposes with consent, for the period during which the Company is entitled to record this data for the purposes of providing services, fulfilling legal obligations and protection of their legitimate interests, but no later than the withdrawal of consent or until the expiration of a period of 4 years from the date of termination of the contract for services provided by the Company, unless the customer previously withdraws the consent. If the data subject withdraws its consent, this does not affect the processing of its personal data by the Company for other purposes and on the basis of other legal grounds, in accordance with these principles of personal data processing.
A customer of the Company's service, if it allows users to use this service, confirms in the context of granting consent to the processing of personal data for business purposes that it is entitled to give consent regarding data relating to users of the service other than the customer.
3. Processing of cookies from websites operated by the Company
If a subject has cookies enabled in its web browser, we process records of behaviour from cookies placed on websites operated by the Company, for the purpose of ensuring better operation of the Company's website and for the purposes of the Company's Internet advertising.
The Company uses the professional and specialised services of other entities to fulfil its obligations under contracts. If these suppliers process personal data transferred from the Company, they have the status of processors of personal data and process personal data only within the instructions of the Company and may not use them otherwise. These include, in particular, the recovery of debts, the activities of experts, lawyers, auditors, the administration of IT systems, internet advertising or sales representatives. Each such entity is carefully selected by the Company and a personal data processing contract is entered into with each one, in which the processor has strict obligations to protect and secure personal data.
Processors are companies domiciled in the Czech Republic or domiciled in a Member State of the European Union or the so-called safe states. The transfer and processing of personal data in countries outside the European Union always take place in accordance with applicable legislation.
As part of the fulfilment of its legal obligations, the Company transmits personal data to administrative bodies and offices specified by the valid legislation.
The Company processes personal data manually and automatically. The Company keeps records of all activities, both manual and automated, in which personal data is processed.
For business messages of the Company or third parties, the Company uses the abbreviation BM or other appropriate designation, which indicates that the message is a business message in the sense of applicable law. It is always clear from the business messages sent by the Company that the Company is their sender. We may send business messages either to customers' contacts based on the Company's legitimate interest, only until you express your disagreement, or on the basis of explicit consent to the processing of personal data for marketing and business purposes. The sent business messages also contain a contact for refusing to send these messages.
According to the regulation and the law, the data subject has the following rights from 25 May 2018 if he/she is an identifiable natural person for the Company and proves his/her identity.
1. Right of access to personal data
According to Article 15 of the GDPR, the data subject will have the right of access to personal data, which includes the right to obtain the following from the Company:
• confirmation of processing personal data,
• information on processing purposes, categories of personal data concerned, the recipients to whom the personal data were or will be accessed, on the planned processing time, on the existence of the right to request the controller to rectify or delete personal data concerning the data subject or restrictions on their processing or raise an objection to such processing, on the right to lodge a complaint with the supervisory authority, on all available information on the source of personal data, if not obtained from the data subject, on the fact that automated decision-making is taking place, including profiling, on appropriate safeguards for the transfer of data outside the EU,
• provided that the rights and freedoms of others are not adversely affected, as well as a copy of personal data.
In the event of a repeated request, the Company will be entitled to charge a reasonable fee for a copy of personal data.
The right to a confirmation of the processing of personal data and to information can be exercised in writing to the address of the Company's registered office.
2. Right to rectification of inaccurate data
According to Article 16 of the GDPR, the data subject will have the right to rectify inaccurate personal data that the Company will process about him/her. A customer of the Company is also obliged to notify changes to his/her personal data and to prove that such a change has occurred. At the same time, he/she is obliged to provide cooperation to the Company if it is found that the personal data we process about him/her is not accurate. We will carry out the rectification without undue delay, but always with regard to the given technical possibilities. A request for the rectification of personal data can be submitted to the address of the Company's registered office.
3. Right to erasure
According to Article 17 of the GDPR, the data subject will have the right to erasure of personal data concerning him/her, unless the Company proves legitimate reasons for the processing of such personal data. The Company has mechanisms in place to ensure automatic anonymisation or deletion of personal data if they are no longer needed for the purpose for which they were processed. If a data subject believes that his/her personal data has not been deleted, he/she can contact us in writing at the address of the company's registered office.
4. Right to restriction of processing
According to Article 18 of the GDPR, the data subject will have the right to restrict the processing until a complaint is resolved, if he/she denies the accuracy of personal data, the reasons for their processing or objects to their processing, in writing to the Company's registered office.
5. Right to notification regarding rectification or erasure of personal data or restriction of processing
According to Article 19 of the GDPR, the data subject will have the right to be notified by the Company in case of rectification or erasure of personal data or restriction of the processing of personal data. If personal data is rectified or erased, we will inform the individual recipients, except in cases where this proves impossible or requires an inordinate effort. Upon request, the data subject may provide information on these recipients.
6. Right to data portability
According to Article 20 of the GDPR, the data subject will have the right to portability of data concerning him/her provided by the controller in a structured, commonly used and machine-readable format, and the right to request the company to transfer such data to another controller.
If the data subject provides us with personal data in connection with a contract for the provision of services or on the basis of consent and their processing is performed automatically, he/she has the right to obtain such data from us in a structured, commonly used and machine-readable format. If technically feasible, data may also be transferred to the administrator designated by you, provided that the person acting on behalf of the relevant administrator is duly designated and can be authorised.
In the event that the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted. The request can be applied for in the Company's branded stores after proving the legitimacy of the request.
7. Right to object to processing of personal data
According to Article 21 of the GDPR, the data subject shall have the right to object to the processing of his or her personal data due to the legitimate interest of the Company.
If the Company does not prove that there is a compelling legitimate reason for processing which outweighs the interests or rights and freedoms of the data subject, the Company shall terminate the processing on the basis of the objection without undue delay. The objection can be sent in writing to the address of the Company's registered office.
8. Right to withdraw consent to the processing of personal data
Consent to the processing of personal data for business purposes effective from 25 May 2018 can be withdrawn at any time after this date. The withdrawal must be made by an explicit, comprehensible and definite expression of will, either by a call to the customer line, at the Company's store or at the Company's registered office.
Processing of data from cookies can be prevented through the settings of a web browser.
9. Automated individual decision-making, including profiling
The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for him/her or have a significant effect on him/her. The Company states that it does not perform automated decision-making without the influence of human judgment with legal effects for data subjects.
10. Right to contact the Office for Personal Data Protection
The data subject has the right to contact the Office for Personal Data Protection (www.uoou.cz).
Matters not expressly regulated by these principles are governed by Act No. 110/2019, the Personal Data Processing Act.
These Principles relating to processing of personal data are effective as of 1 April 2021 and may be continuously updated. You can always find the current version on the website.