Applicability Of This Privacy Policy & DPA#️⃣

This Privacy Policy & DPA applies to Localazy’s mobile apps (collectively, the “Apps”) and Localazy’s websites (collectively, the “Websites”) and other interactions (e.g., customer service inquiries, etc.) you may have with Localazy. If you disagree with the terms, do not access or use the Apps, the Websites, or any other aspect of Localazy business.

This is an important document that forms the contractual basis for processing data on your behalf. It explains how your data may be processed and what its purpose is. We will only process your personal data as necessary and on your instructions as set out in the Agreement.

Our Websites and Apps may contain links to other third-party applications, websites, products, and services that could be integrated into our services solely for the convenience of our customers. These third-party services may have their own terms of use and privacy policies, and your use of these third-party services will be governed by and subject to their documentation.

These are not our services, so we do not endorse any third-party services and are not responsible for their conduct, features, or content, and it is ultimately your decision whether or not to enable them.
In addition, we make no express or implied warranties regarding the information, materials, products, or services contained in or accessible through third-party services. Any access to or use of a Third Party Service is solely at your own risk, governed directly between you and the applicable Third Party Provider.

Due to the size of our customer base, it would not be possible to enter into individually signed contracts with each of our users. We also hope that the ease of agreeing to this Agreement will ensure that accepting the new terms and conditions to comply with GDPR will be less time-consuming for you.

Information We Collect And Receive#️⃣

Localazy may collect and receive this information (collectively, the “Information”):

• Log Data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Apps and record it in log files. This log data may include the Internet Protocol (IP) address, other network identifiers, the address of the web page visited before using the Websites, browser type and settings, the date and time the Websites and the Apps were used, information about browser configuration and plugins, language preferences and cookie data.
• Device Information. Localazy collects information about devices accessing the Apps, including the type of device, what operating system is used, device settings, application IDs, unique device identifiers, and crash data.
• Cookie Information. Localazy uses cookies and similar technologies on our Websites that help us collect the information above. The Websites may also include cookies and similar tracking technologies of third parties, which may help us to collect information.
• Contact Information. We store the contact information you provide when signing up to our Websites & Apps (e-mail address, Google account, GitHub profile) or for the purpose of contacting our company. If you contact us, we may use your contact information to respond to your request, comments, and questions via e-mail, social networks, product feedback sites, and other places. We do not require you to provide your real name and other personal information to use our Websites or Apps.
• Additional Information Provided by You. We receive information when submitted to our Websites or Apps or if you participate in a focus group, contest, activity, or event, apply for a job, request support, interact with our social media accounts, or otherwise communicate with Localazy.

How We Use Information#️⃣

Localazy relies on its legitimate interests to provide, update, maintain and protect our Apps, Websites, and business; to investigate and help prevent security issues and abuse; to run direct marketing campaigns; to monetize the Apps and Websites using advertisement; to personalize the Apps, Websites and advertising in order to provide better user experience; and to communicate with you by responding to your requests, comments, and questions.

As required by applicable law, legal process, regulation, or fulfilling the Agreement with you.

Your Rights#️⃣

In accordance with EU law, you have a number of rights and choices regarding the use of your information. When you decide to exert any of your rights, please contact us using the e-mail address mentioned above.

• Access. You have the right to access your information.
• Porting. Where legally required, we can provide your information in an easily accessible format and assist in transferring some of this information to third parties.
• Rectify, Restrict, Limit, Delete. You can also rectify, restrict, limit or delete your information.
• Object. In certain circumstances, such as the processing of your information based on our legitimate interests, you have the right to object to the processing of your information by us.
• Revoke Consent. You have the right to withdraw your consent to our processing of your information.
• Complain. Without prejudice to any other rights you may have, you also have the right to file a complaint against us with your local supervisory authority. Click here to find your local supervisory authority.

How We Share And Disclose Information#️⃣

Third-Party Service Providers and Partners. We may engage third-party companies or individuals as service providers or business partners to process Information and support our business. These third parties may, for example, provide virtual computing and storage services.

To Comply with Laws. If we receive a request for information, we may disclose Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.

To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property, or safety of Localazy or third parties, including enforcing contracts or policies or in connection with investigating and preventing fraud or security issues.

Aggregated or De-identified Data. We may share or disclose your non-private, aggregated, or otherwise non-personal information, such as usage statistics, number of users, favorite applications, etc. It must not be possible to identify you as a source of information.

Data Retention#️⃣

Localazy will retain your data for the period you use the Apps and the Websites and 24 months after or as required by applicable law.

Security#️⃣

Localazy takes the security of data very seriously. Localazy works hard to protect your information from loss, misuse, and unauthorized access or disclosure. These steps consider the sensitivity of the information we collect, process, and store and the current state of technology.

We use encrypted communication whenever possible, limit the number of persons that can access stored data, limit the number of persons that can access our servers, and protect access to stored data using firewalls and isolated containerized apps.

Age Limitations#️⃣

To the extent prohibited by applicable law, Localazy does not allow the use of our Apps and Websites by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with personal data, please contact us, and we will take steps to delete such information.

Cookies and Related Tracking Technologies#️⃣

Cookies are small pieces of information sent by a web server to a web browser, allowing the server to identify the browser on each page uniquely.

We use cookies to analyze the usage of the Apps and the Websites and to provide our services and related web services. By using the Apps and the Websites and all related websites, you are giving consent to cookies being used.

We use the following categories of cookies on our website:

• Strictly Necessary Cookies. These cookies are essential in order to enable you to move around the website and use its features. Without these cookies, the services you have asked for, such as remembering your login details, etc., cannot be provided.
• Performance Cookies. These cookies collect anonymous information on how people use our website. For example, we use Google Analytics cookies to help us understand how customers arrive at our site, browse or use our site, and highlight areas where we can improve areas such as navigation and marketing campaigns. The data stored by these cookies never shows personal details from which your individual identity can be established.
• Functionality Cookies. These cookies remember choices you make such as the country you visit our website from, language, etc. These can then be used to provide you with an experience more appropriate to your selections and to make the visits more tailored and pleasant. The information these cookies collect may be anonymized, and they cannot track your browsing activity on other websites.
• Marketing and Advertising Cookies. These cookies are used to help us deliver advertising and improve marketing activities as well as understand the target audience of our website and service.
• Social Media Cookies. These cookies allow you to share what you’ve been doing on the website on social media such as Facebook and Twitter. These cookies are not within our control. Please refer to the respective privacy policies for how their cookies work.

If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies. Please note that by deleting our cookies or disabling future cookies, you may not be able to access certain areas or features of our site.

Data Protection Agreement (DPA)#️⃣

This DPA assures you that as a Data Processor, we are compliant with the requirements under the GDPR. We further assure you that we comply with the required agreements with all our third parties. For your information, details of the Privacy Policy & DPA are set out below.

Between:

You (hereinafter “the Customer” or “Data Controller”)

And

Localazy s.r.o. with a registered address at Mlýnská 326/13, 60200 Brno, the Czech Republic, registration number 09050451. Registered in Business Register by Court of the city of Brno, section C, number 116733.

each a “party”; together, “the parties”,

HAVE AGREED to the terms of this Data Processing Agreement (hereinafter the “DPA” or “Agreement”) on Personal Data Protection regarding the processing of Personal Data when the Customer is acting as Data Controller, and Localazy is acting as Data Processor, to fulfill the service obligations.

As part of the fulfillment of those service obligations, Localazy will process certain Personal Data on behalf of the Data Controller in accordance with the terms of this contract. Each party agrees and will ensure that the terms of this contract shall also be fully applicable to its Affiliates which may be involved in the processing operations of Personal Data. Specifically, Localazy will ensure that all Sub-Processors operate within the same terms as this Agreement when processing Customer’s Personal Data.

Definitions#️⃣

Personal Data is defined as any information relating to a data subject on the basis of which the data subject can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural or legal person (where applicable).

All other definitions set out in this document, including the terms Data Controller and Data Processor, are set out in the relevant data protection laws, including the EU General Data Protection Regulation 2016/679 of 27 April 2016 (“GDPR”).

Sensitive Personal Data is not considered to be processed as part of the service offered by the Data Processor and therefore is not covered by the terms of this Agreement.

By signing up for the use of our Apps & Websites and accepting the Terms and Conditions, including the Privacy Policy and this Data Protection Agreement, the parties agree under all national data protection laws and under the GDPR that this Agreement governs the relationship between the Data Controller and the Data Processor, which governs the processing of Personal Data by Localazy. This Agreement shall prevail unless superseded by another signed Data Processing Agreement that communicates its precedence over this Agreement.

The purpose of the processing of personal data by Localazy for the Customer is to ensure the full use of the Service by the Customer and to enable the performance of this Agreement. Localazy ensures that sufficient security of personal data is maintained at all times.

Both parties hereby confirm their authority to sign this Agreement.

Data Processor Responsibilities#️⃣

The Data Processor must handle all personal data on behalf of the Data Controller and follow their instructions. By entering into this Agreement, Localazy (and any sub-processors whom the Data Processor has legal Agreement for services with) is instructed to process the Personal Data of the Customer:

In accordance with all applicable data privacy laws

• To fulfill its obligations under the Terms for the Service Application
• as further instructed by the Data Controller
• as described in this Agreement

As part of providing the Application, the Data Processor is required to always provide the Customer with adequate solutions to accompany the continued development of their business by using the service. The Data Processor tracks how the Customer uses the Application in order to make the best suggestions, provide relevant services at all times, and engage in sending the most accurate communications to aim toward continued ease of use and satisfaction. As far as the processing of personal data from the Application form part of this, they are processed only in accordance with this DPA and applicable law and are shared only as required to provide a better experience for the Customer.

If the data processor believes that an instruction of the data controller violates the GDPR or other data protection regulations, the data processor will inform the data controller immediately.

Taking into account the available technology and the cost of implementation, as well as the scope, context, and purpose of the Processing, the Data Processor is required to take all reasonable measures, including technical and organizational measures, to ensure a sufficient level of security in relation to the risk and the category of Personal Data to be protected (art. 32 GDPR). The Data Processor shall assist the Data Controller with appropriate technical and organizational measures as required and taking into account the nature of the treatment and the category of information available to the Data Processor to ensure compliance with the Data Controllers’ obligations under applicable Data Protection laws (obligation to respond to applications according to Chapter III GDPR / art. 32-36 GDPR). The Data Processor shall notify the Data Controller without undue delay if the Data Processor becomes aware of a security breach.

In addition, the Data Processor shall, as far as possible and legally, inform the Data Controller if a request for information on data held is requested (Data Access Request) by any bodies to whom they should provide it. The Data Processor will respond to such requests once authorized by the Data Controller to do so. The Data Processor will also not disclose information about this Agreement unless the Data Processor is required by law to do so, such as by court order.

If the Data Controller requires information or assistance regarding the security of data, documentation or information about how the Data Processor processes Personal Data generally, they can request this information from the Processor.

The data processor, its employees, and any Affiliates and Subcontractors shall ensure confidentiality in relation to Personal Data processed under the Agreement. This provision continues to apply after termination of the Agreement, regardless of the cause of termination.

Data Controller Responsibilities#️⃣

The Data Controller confirms, by signing this Agreement, that they shall, when using the Websites and Apps, be able to freely process their data once in line with all Data Protection legal requirements, including GDPR. They are giving explicit consent to the processing of their Personal Data at all times when using the Service.

The Data Controller can revoke this consent at any stage, but by doing so, terminates the Agreement in place, and the Data Processor will no longer be able to provide Service.

The Customer has a legal basis for processing the Personal Data with the Data Processor (including any sub-processors) with the use of Localazy Websites Apps & Services.

Subcontractors#️⃣

The Data Controller hereby grants general consent to the authorization of subcontractors in connection with the processing of data.

The Data Processor is obliged to

1. ensure by written Agreement that all subcontractors are bound by substantially the same obligations that apply to the Data Processor under this DPA.
2. assume liability to the Data Controller if the subcontractors fail to comply with their data protection obligations under the written Agreement within the meaning of point 1.

International Data Transfers#️⃣

• Localazy may transfer Information to countries other than the one in which you live.
• Localazy may transfer Information outside of the European Union.
• You can find an up-to-date list of our Suppliers & Subprocessors involved in data processingon this link.

The Data Controller consents to the possible sharing of Personal Data with the entities listed in the above-mentioned list of Suppliers & Subprocessors based on a legitimate interest of the Data Processor.

Data Protection Officer#️⃣

Localazy has not nominated a Data Protection Officer. The reason for this is as follows:

• Localazy is not a public authority
• Core activities of Localazy don’t require regular and systematic monitoring of data subjects on a large scale
• Core activities of Localazy do not involve large-scale processing of special categories of personal data
• Localazy does not process special category personal information at all

Technical and organizational measures#️⃣

The Data Processor agrees to take the necessary technical and organizational measures to ensure compliance with applicable data protection laws and this DPA. An overview of the technical and organizational measures taken by the Data Processor is set out in Annex A. The Data Processor confirms that the technical and organizational measures set out in Annex A are adequate.

Duration & Termination of the Agreement#️⃣

The Agreement shall remain in effect for as long as the Data Processor processes Personal Data while you are using the Websites, Apps, and Services and unless superseded by another signed Personal Data Processing Agreement that takes precedence over this Agreement.

Upon termination of any subscription, the Data Controller may alsodelete all of their account information. Following a data deletion procedure initiated by the Data Controller, the Data Processor will delete all Personal Data, except for those it is required to retain under applicable legal requirements, in which case it will be retained in accordance with the technical and organizational security measures.

Data Requests#️⃣

If the Data Controller requests assistance in retrieving the data stored by Localazy, the associated costs will be determined by Agreement between the parties and will be based on the complexity of the requested process and the time to complete it in the chosen format.

Changes To This Privacy Policy & DPA#️⃣

Localazy may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our business. We will post the changes to this page and encourage you to review our Privacy Policy to stay informed. If we make changes that materially alter your privacy rights, Localazy will provide additional notice, such as via e-mail or through the Apps. If you disagree with the changes to this Privacy Policy, you should uninstall the Apps and cease to use the Websites.

Annex A: Technical & Organizational Measures

Localazy isSOC2 and ISO27001 compliant company.

Organizational security measures#️⃣

• The internal organization is appropriately designed to meet the specific requirements of data protection.
• Policies and procedures are in place and are checked regularly.
• Risks are evaluated and documented.
• Information is classified according to a policy.
• Appropriate measurements for the performance and effectiveness of security management are in place.

Security measures for changes in service#️⃣

Personal data is not utilized for process or system development activities and the associated testing.

Security measures in user management#️⃣

• Measures prevent data processing systems from being used by unauthorized persons.
• Passwords are managed with a password manager.
• Two-factor authentication is enforced where required and available.

Security measures for logical access#️⃣

Logical access to personal data is restricted.

• Measures ensuring that persons authorized to use the data processing systems may only access data for which they are authorized are in place.
• Access is granted based on the need-to-know principle (Principle of Least Privilege).
• Access is granted/revoked upon request. The revocation may also happen automatically after a set timeframe or manually after a review is conducted.
• As part of the HR onboarding process and HR off-boarding process, access rights will be granted/revoked as well.
• We conduct regular reviews of logical access on all our systems, depending on the classification of information.

Separation of mandates#️⃣

Customer data is logically separated and separated from each other by security mechanisms.In addition, there are tests and staging systems that are entirely separate from the production system.

Deleting Data#️⃣

Unused data is deleted from the database or storage in accordance with the applicable policy.

Security measures for physical access#️⃣

Physical access to personal data in any format is restricted.

• Personal data, in any format, is protected against accidental disclosure due to natural disasters and environmental hazards. Personal data is not stored on the premises of the company and/or employees.
• Storage media security measurement prevents unauthorized reading, copying, modification, or removal of storage media. See:https://www.scaleway.com/en/security-and-resilience/.

Security measures for storage#️⃣

There are measures to prevent unauthorized input, evaluation, modification, or deletion of stored personal data. These also include protection against malware.

Cloud storage#️⃣

• Access to personal data is thoroughly managed; see “Security measures for logical access".
• Encryption is used for all data access workloads.
• Backups, where applicable, are kept for one month, after which they are deleted.

Employee devices#️⃣

• All company-owned employee devices are secured to a level appropriate for their operating system and vulnerability risk.
• Stolen or lost company-owned devices can be remotely locked or wiped.
• Only authorized repair shops can be used to repair company-owned devices. Computers are only bought from authorized resellers.
• Storage of data on removable media is not allowed.

Secure Development#️⃣

A secure development policy is in place to ensure that insecure code is not introduced and that existing code and third-party libraries are regularly checked for vulnerabilities.

Control over processed information#️⃣

The data subject can obtain information on the processing of their personal data and can request to have such data corrected and deleted.

Data is deleted following a retention policy after the delete request is issued.

Security measures for the transfer of data#️⃣

There are measures to prevent unauthorized reading, copying, modification, or deletion of personal data during the transmission or transport of storage media.

• All connections to our data centers are encrypted in transit with state-of-the-art TLS.
• Third parties that process personal data have appropriate security controls in place.
• Unencrypted email attachments do not include confidential or sensitive information.

Availability and Resilience#️⃣

As defined by Scaleway, where the service is hosted:https://www.scaleway.com/en/security-and-resilience/

Security measures in the event of incidents#️⃣

A procedure for managing data protection incidents and violations has been implemented.

• Employees are regularly trained on preventing security incidents and on how to react to such incidents.
• Employees are encouraged to report incidents.