Data Processor

For customers within the European Union:
ACCEPIO s.r.o.
Rybná 24
110 00 Prague, Czech Republic
Company ID: 21288526

For customers outside the European Union:
ACCEPIO, LLC
800 North King Street
Suite 304 1060
Wilmington, DE 19801
USA

1. Definitions

GDPR – General Data Protection Regulation – an EU regulation effective from 25 May 2018. Its aim is to increase the level of personal data protection and to strengthen the rights of EU citizens in this area.
Personal Data – any information relating to an identified or identifiable natural person.
Controller – processes personal data in its own name, e.g. data about its own employees or customers.
Processor – processes personal data for other companies and on their behalf, e.g. companies providing cloud storage or payroll services.

2. Scope of Processing

The Parties agree to regulate their mutual cooperation in accordance with the GDPR and relevant data protection legislation to ensure compliance with applicable legal requirements.

Data Retention: Personal data shall be retained for one year after the end of the trial period, unless the customer requests earlier deletion, or for ten years in the case of invoicing. For contacts collected for marketing purposes (e.g., newsletters, promotional communications), personal data shall be retained for the duration of the consent or until consent is withdrawn, but no longer than 5 years after the last interaction.

Categories of Personal Data: first name, last name, email address, phone number, billing details, and other information necessary to provide services or for marketing communication.

Purpose of Processing: to ensure the functionality of the Accepio application, to process and manage orders and invoicing, as well as to send commercial communications and newsletters, inform about new features, and conduct marketing campaigns.

Legal Basis for Processing: performance of a contract, compliance with legal obligations (e.g., accounting requirements), and in the case of marketing communications, the legitimate interest of the Controller or the consent of the data subject.

Sub-Processors: The Processor may use third parties (sub-processors) for personal data processing. These include in particular:

  • ECOMAIL.CZ, s.r.o., Company ID: 02762943, Na Zderaze 1275/15, Nové Město, 120 00 Prague 2, Czech Republic – provides bulk email distribution and marketing communication services.
  • Účetní služby Praha s.r.o., Company ID: 27148401, Na Pankráci 1062/58, Nusle, 140 00 Prague 4, Czech Republic – provides accounting services and tax document processing.

3. Rights and Obligations of the Controller

The Controller shall operate its databases and information systems in a manner that ensures compliance with security principles and adequate protection of personal data. The Controller undertakes in particular to:

  • Familiarize itself with the security project and related documentation on data protection.
  • Keep all access credentials secure. Credentials are unique for each employee and each person is legally responsible for their potential misuse.
  • Unlock a service account for maintenance activities performed by the Processor and block such account immediately after completion.
  • Maintain confidentiality regarding the Processor’s processes, data, and documents.
  • Ensure adequate protection of personal data encountered during work.
  • Immediately report misuse of access credentials, theft of equipment, or loss of data to the Processor, no later than 36 hours after the incident.
  • Perform audits of the Processor’s compliance with data protection, with at least 3 business days’ prior notice.
  • Request cooperation from the Processor in reviewing logs and monitoring security incidents.

4. Rights and Obligations of the Processor

The Processor ensures the technical functionality of the systems provided to the Controller, in particular the Accepio system. The Processor undertakes in particular to:

  • Remain fully responsible for any sub-processors engaged.
  • Familiarize itself with the security project and other relevant documentation on data protection.
  • Keep all access credentials secure. Credentials are unique for each employee and each person is legally responsible for their potential misuse.
  • Regularly update antivirus software and the operating system.
  • Not store any personal data from the Controller’s systems on local devices.
  • Request blocking of service accounts after maintenance operations are completed.
  • Maintain confidentiality regarding the Controller’s processes, data, and documents.
  • Ensure adequate protection of personal data encountered during work.
  • Handle incidents of misuse of credentials or theft of equipment/data in accordance with the Incident Reporting and Response Plan.
  • Provide the Controller with all information necessary to demonstrate GDPR compliance and allow audits.
  • Implement appropriate security measures to protect personal data (e.g., pseudonymisation, encryption, regular testing and evaluation of measures, the ability to restore availability of data after an incident).
  • Delete or return all personal data and delete all copies after termination of services.

5. Rights of Data Subjects

In accordance with GDPR, data subjects have the following rights:

  • Right of Access – to obtain confirmation as to whether personal data is being processed and, if so, access to that data.
  • Right to Rectification – to request correction of inaccurate or incomplete personal data.
  • Right to Erasure ("Right to be Forgotten") – to request deletion of personal data when no longer needed or when consent has been withdrawn.
  • Right to Restriction of Processing – to request limitation of processing in cases provided by GDPR.
  • Right to Data Portability – to obtain personal data provided in a structured, commonly used, and machine-readable format and transfer it to another controller.
  • Right to Object – to object to processing carried out on the basis of legitimate interests, including objection to processing for direct marketing.
  • Right to Lodge a Complaint – with the relevant supervisory authority. In the Czech Republic this is the Office for Personal Data Protection (www.uoou.cz).

To exercise these rights, data subjects may contact the Controller at: info@accepio.com

6. Final Provisions

Any changes or extensions to the subject matter of this agreement must be made in writing and approved by both parties.
The parties agree not to disclose or allow disclosure of information resulting from this agreement to any third party and not to use such information for any purpose other than those arising from this agreement. Each party agrees to take reasonable steps to ensure such information is not disclosed or disseminated by its employees or third parties.
Neither party shall be liable for any delay or failure to fulfill its obligations under this agreement if caused by circumstances beyond its reasonable control (force majeure).
The agreement may be terminated by written agreement of both parties or by notice of either party.
The reason for termination may include a breach of Articles 3 or 4 of this agreement. The notice period is three months, starting on the first day of the month following delivery of the written notice.
This agreement enters into force and effect on the date of signature by both parties.
Any matters not covered by this agreement shall be governed by the relevant provisions of applicable commercial law.

Effective date: August 20, 2025