Privacy policy

We will process your personal data that you have voluntarily provided to us for the purposes set out in this Privacy Policy. The collection and processing of your personal data is carried out in accordance with applicable law, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council General Data Protection Regulation (hereinafter referred to as GDPR) and Act No. 110/2019 Coll., on the processing of personal data (hereinafter referred to as the Personal Data Processing Act).

As a company that wants to act responsibly, we strive to find a balance between innovation and ensuring the necessary level of data protection and security for our users. While carrying out our tasks, the Principles of Personal Data Protection help us at all levels to make decisions that protect our users.

Use information to provide quality products and services to our users

Information from users enables us to create useful and beneficial services and products. We believe that focusing on users will help us develop products and features to protect personal information.

Ensure that the collection of personal information is transparent

We make users aware of what information we use to personalize our services. Where possible, we are transparent about what information we have about individual users and what information we use to provide our services.

Provide users with choices so they can protect their privacy

People have different needs and opinions about privacy. To accommodate the wide range of our users, we try to give users detailed choices about how their personal information is handled. We do not trade users' personal information.

We handle the information we receive responsibly

We accept responsibility for the protection of the information that users entrust to us. We take security matters seriously.

I. PERSONAL DATA CONTROLLER AND DATA SUBJECT

The personal data controller is SAFE TREES, ID: 26935287, with its registered office at Kyselkova 285/4, 612 00 Brno, registered with the Regional Court in Brno, Section C, Insert 46404.

Contact details: gdpr@safetrees.cz

Personal data means, within the meaning of Article 4 paragraph 1 of the GDPR, any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, a network identifier or one or more specific elements of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Data subject within the meaning of Article 3 of the Personal Data Processing Act means the natural person to whom the personal data relate.

II. SCOPE OF PERSONAL DATA

In the case of using the Trees under Control app, we process personal data according to the position in which you act, as follows:

• If you register as a user, we will process: first name, last name, email address and password.
• If you register as a partner, we will process: first name, last name, email address, password, partner name, partner country, partner ID number, contact address and contact phone number.
• If you register as an arborist, we will process: first name, last name, email address, password, name of the arborist, country of the arborist, ID number, contact address and contact phone number. If you voluntarily provide us with this information, we will also process information about the arborist's activity, in which regions it is practiced, information about expertise and certifications, and other information provided.
• Publicly available data from the land registry are also processed in the application, in particular data on parcels and owners.

III. PURPOSE AND LEGAL BASIS OF PROCESSING

We only use your personal data for purposes related to the relationship, the performance of our obligations under the contract, the provision of contractual communication and the provision of our services. Thus, we process personal data on the basis of the performance of contractual obligations within the meaning of Article 6 paragraph 1(b) of the GDPR.

We are also required to keep accounting records and comply with other legal obligations (e.g. taxes, etc.). In this case, we process your personal data on the basis of fulfilling legal obligations pursuant to Article 6(1)(c) GDPR.

In addition to the purposes mentioned above, we will also process your personal data for the purpose of possible litigation and debt recovery, whereby this processing is based on our legitimate interest pursuant to Article 6 paragraph 1(f) of the GDPR. We may also use technical information based on the legitimate interest of ensuring the functionality and quality of our services.

If you register on our website and give us your consent, we use your email address for the purpose of sending you commercial communications. The legal basis for this processing is therefore your consent pursuant to Article 6 paragraph 1(a) of the GDPR. In every commercial communication we send you, you will find an option to unsubscribe and opt-out of receiving further commercial communications. As part of the newsletter, we also send information provided by the CSOP Arborist Academy, especially invitations to their training courses or their information about the field of arboriculture.

However, we do not need your consent to send you information that is related to the use of the services we provide, which is usually technical information or confirmation emails; these emails are again sent on the basis of the performance of contractual obligations within the meaning of Article 6 paragraph 1(b) of the GDPR.

IV. PRINCIPLES OF PERSONAL DATA PROCESSING

SAFE TREES processes your personal data according to the principles of personal data processing within the meaning of Article 5 of the GDPR.

Personal data are:

1. processed fairly and in a lawful and transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
2. collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the original purposes pursuant to Article 89(1) ('purpose limitation');
3. proportionate, relevant and limited to what is necessary in relation to the purpose for which they are processed ('data minimisation');
4. accurate and, where necessary, up-to-date; all reasonable steps will be taken to ensure that personal data which are inaccurate having regard to the purposes for which they are processed are erased or rectified without delay ('accuracy');
5. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; personal data may be stored for a longer period if they are processed solely for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), provided that the appropriate technical and organisational measures required by GDRP are implemented in order to safeguard the rights and freedoms of the data subject ('storage limitation');
6. processed in a manner which ensures appropriate security of personal data, including protection by appropriate technical or organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality');

The controller shall be responsible for compliance with paragraph IV and shall be able to demonstrate such compliance ("accountability").

V. METHOD OF PROCESSING AND PROTECTION OF PERSONAL DATA

The processing of personal data is carried out by the controller. Processing is carried out at the controller's premises by individual authorised employees of the controller or by the processor. The processing is carried out by computer technology, in compliance with all security principles for the management and processing of personal data. For this reason, the controller has adopted technical and organisational measures to ensure the protection of personal data, in particular measures to prevent unauthorised or accidental access, alteration, destruction or loss of personal data, unauthorised transmission, unauthorised processing or other misuse of personal data.

VI. RECIPIENTS OF PERSONAL DATA

As we have already stated, we try to process all personal data ourselves through our employees, but some activities require us to involve other entities in the processing. These entities are called "recipients of personal data" and your personal data can be accessed by these recipients:

• External providers of accounting and tax services
• The administrator of our servers – Mr. Věroslav Kaplan and the company Master Internet, s.r.o.
• Providers of legal services
• If you give us your consent when you register, we will display your account contact details so that anyone who views them within the app can access them

The specific recipient in each case will be communicated by the controller to the data subject on their request.

VII. PERIOD OF PROCESSING OF PERSONAL DATA

We process your personal data for the period of time that is strictly necessary for the fulfilment of a specific purpose of processing, i.e. typically for the performance of a contractual relationship or for the period of time expressly required by applicable law or until the consent is withdrawn. The controller will inform the data subject of the specific duration of the processing in the case in question.

VIII. RIGHTS OF THE DATA SUBJECT

The data subject has the following rights:

The right to withdraw consent (Article 7)

The data subject has the right to withdraw their consent to the processing of personal data at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent given prior to its withdrawal. Withdrawal of consent may be made by sending an e-mail to gdpr@safetrees.cz.

Right to request access to personal data (Article 15)

The data subject has the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed and, if so, to obtain access to such personal data and to the following information:

• the purposes of the processing;
• the categories of personal data concerned;
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
• the intended period for which the personal data will be stored or, if this cannot be determined, the criteria used to determine that period;
• the existence of the right to request the controller to rectify or erase personal data concerning the data subject or to restrict or object to processing;
• the right to lodge a complaint with a supervisory authority;
• any available information about the source of the personal data, unless it is obtained from the data subject.
• the fact that automated decision-making, including profiling, takes place and, at least in these cases, meaningful information concerning the procedure used as well as the significance and foreseeable consequences of such processing for the data subject.
• in case personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the appropriate safeguards applicable to the transfer.

Right to rectification (Article 16)

The data subject has the right to have inaccurate personal data concerning them rectified by the controller without undue delay. Considering the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing an additional declaration.

Right to erasure (right to be forgotten) (Article 17)

The data subject shall have the right to have the controller erase personal data concerning the data subject without undue delay and the controller shall be obliged to erase the personal data without undue delay if one of the following grounds applies:

• the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
• the data subject withdraws the consent on the basis of which the personal data were processed and there is no other legal ground for the processing;
• the data subject objects to processing carried out in the public interest, in the exercise of official authority or for the legitimate interests of the controller or a third party and there are no overriding legitimate grounds for the processing; or the data subject objects to processing for direct marketing purposes on the basis of a legitimate interest;
• the personal data have been unlawfully processed;
• the personal data must be erased in order to comply with a legal obligation under the EU law or member state law to which the controller is subject;

Right to restriction of processing (Article 18)

The data subject has the right to have the controller restrict processing in any of the following cases:

• the data subject contests the accuracy of the personal data for the period necessary to enable the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject objects to the erasure of the personal data and requests a restriction on their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defense of legal claims;
• the data subject objects to the processing in the public interest, in the exercise of official authority or for legitimate interests of the controller or of a third party in the public interest, until it is verified that the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data may, with the exception of storage, only be processed with the data subject's consent.

Right to data portability (Article 20)

The data subject has the right to obtain personal data concerning them which they have provided to a controller in a structured, commonly used and machine-readable format and to transmit those data to another controller, without hindrance from the controller to whom the personal data have been provided, where:

• the processing is based on consent to the processing of personal data or is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject
• the processing is carried out by automated means.

Right to lodge a complaint against the controller with the supervisory authority (Article 77)

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with the Data Protection Authority.

IX. EFFECTIVENESS

This privacy policy is effective from 27.6.2022.