Personal Data Processing Principles of EndorphinIT a.s.
The purpose of this document is to provide you with a comprehensive and understandable summary of information about the processing of personal data, particularly how, to what extent, for what purpose, and for how long we will process personal data, and to inform you about all your individual rights that you can exercise in connection with the processing of personal data.
If you do not understand anything in this document, do not hesitate to contact us through the contacts listed below, and we will be happy to explain everything in more detail.
We also refer in particular to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as the Czech adaptation law to this regulation No. 110/2019 Coll., on the processing of personal data, according to which our relationship in connection with the processing of personal data is primarily governed.
Who is the controller of your personal data?
The controller of personal data is generally a person who, alone or jointly with others, determines the purpose and means of processing personal data, for which they bear the associated responsibility.
The controller of personal data for the purposes of these personal data processing principles is EndorphinIT a.s., identification number 219 06 998, with its registered office at Švábova 772/18, Hlubočepy, 152 00 Prague 5.
You can contact them via email at hi@endorphinit.com.
Data Protection Officer
A Data Protection Officer has not been appointed.
Our main principles
When processing your personal data, we honor and respect the highest standards of personal data protection and comply with the following principles in particular:
- We process your personal data for a specified purpose, by specified means, and in a specified manner, and only for the time that is necessary with regard to the purposes of their processing;
- We protect your personal data and ensure their processing with the highest security to prevent any unauthorized or accidental access to your personal data, their alteration, destruction or loss, unauthorized transfers, or other unauthorized processing;
- We comply with appropriate technical and organizational measures to ensure a level of security corresponding to all possible risks; all persons who come into contact with personal data are obliged to maintain confidentiality about information obtained in connection with the processing of this data.
What personal data do we process?
The nature of the personal data we collect from you and subsequently process depends primarily on your relationship with us (contractual partner, customer of a contractual partner, applicant for contact mediation, website visitor, etc.) and for what purpose the personal data is collected.
Typically, we will obtain the following information from you:
- Identification data
  - Your name, surname, title, gender, date of birth, personal identification number, residential address, nationality, identification number (if you are an entrepreneur), registered office address or place of business (if you are an entrepreneur), signature.
- Contact details
  - Residential address, correspondence address, email address, telephone number, or other information you provide for the purpose of contact or mediation of your contact details to our contractual partners.
- Records of our mutual communication
  - Primarily records of our email or written communication between us. In some cases, we may also use a system of recording telephone calls with your prior consent.
- Records of communication between our contractual partner and you
  - Primarily records of email or written communication between you and our contractual partner. In some cases, we may also use a system of recording telephone calls with your prior consent.
- Information regarding your business
  - Information provided by you or obtained by us regarding your business.
- Billing and payment data
  - Data from issued invoices or obtained in connection with other payments made between us.
- Other data
  - For example, data we obtain from your internet browser or based on storing cookies.
How do we obtain personal data?
Personal data is provided to us primarily by you voluntarily through https://endorphinit.com and as part of using our platform at https://xmation.app (hereinafter referred to as the "Platform"), by placing orders, filling out surveys, questionnaires, calculators, or as part of information and data provided for the purpose of concluding a mediation agreement, cooperation agreement, service agreement, or other similar agreement. We also obtain personal data from our own activities. Furthermore, we may obtain personal data from third parties with whom we cooperate or with whom we have some other relationship, and who are authorized to process and share your personal data.
For what purposes do we obtain personal data?
We use your personal data for purposes arising from our activities, with the understanding that for most such processing, we do not need to obtain your consent, as processing is allowed directly based on legal regulations. We are also entitled to process personal data or their category for various purposes (where applicable).
In case consent is required for any of the purposes, you can withdraw this consent at any time during the period for which it is granted. We only note that the withdrawal of consent has effects for the future, thus it does not affect the lawfulness (and legitimacy) of the processing of personal data until the moment of its withdrawal.
The specific main purposes of personal data processing are then as follows:
- operation of the Platform - the legal basis for this processing is the conclusion and performance of a contract and the protection of our legitimate interests;
- concluding and fulfilling contracts based on your previous order - the legal basis for this processing is the conclusion and performance of a contract;
- concluding and fulfilling cooperation agreements, service agreements, or other agreements concluded with our partners - the legal basis for this processing is the conclusion and performance of a contract;
- communication with you and other persons as part of our activities and for the purpose of improving our services - the legal basis for this processing is the conclusion and performance of a contract and the protection of our legitimate interests;
- direct marketing (sending newsletters or other marketing emails, SMS, or other similar activities) - the legal basis for this processing is the protection of our legitimate interests;
- enabling participation in our competitions, loyalty programs, and other similar events and their administration - the basic legal basis for this processing is the conclusion and performance of a contract, however, it is possible that in a specific case we will require your consent;
- providing cooperation to public authorities - the legal basis for this processing is the fulfillment of our legal obligations;
- establishment and protection of legal rights, protection of our privacy, our security or our property and/or rights, you or other persons, and the effort to use available remedial measures or limit our damage - the legal basis for this processing is the protection of our legitimate interests and the fulfillment of legal obligations that apply to us.
How long will we keep your personal data?
We take all steps to ensure that the personal data we collect and process safely correspond to and serve the intended purpose. Therefore, we will keep personal data only for as long as necessary in accordance with the principle of minimizing personal data. We continuously assess whether the need to process certain personal data required for a given purpose still exists. If we find that they are no longer needed for any of the purposes for which they were processed, we will destroy the data.
Below we provide examples of some of the periods we adhere to in this context:
- we keep personal data in connection with the fulfillment of our contract for a period corresponding to the relevant limitation periods;
- if we obtain some personal data from you before the conclusion of the contract and this conclusion does not eventually take place, we will keep the personal data for a maximum of 1 year from their acquisition;
- for the purposes of so-called direct marketing, we keep personal data for the duration of our contractual relationship and a maximum of 1 year after its termination;
- if you give us consent to process personal data for a purpose other than direct marketing, we will keep this personal data for the period specified in such consent, or for the period until you withdraw such consent;
- accounting and tax records, with which we document our accounting and fulfill tax obligations (and which may contain, in particular, billing personal data), we keep for the period specified by special legal regulations, starting from the end of the relevant accounting or taxation period.
With whom do we share your personal data?
We process your personal data internally and primarily make it available to our employees or persons with whom we cooperate on a daily basis. However, if necessary to achieve any of the above purposes, we may share your personal data with third parties, both in the position of processors and independent or joint controllers. In such a case, however, we undertake to transfer personal data only to such entities where a sufficient level of personal data protection is guaranteed in accordance with personal data protection regulations. At the same time, we are obliged to also transfer your personal data in some cases to public authorities if required by legal regulations. Finally, we share some personal data with third parties based on your prior consent.
Specifically, we may, subject to conditions, make your personal data available to the following entities in particular:
- clients of our services and other contractual partners - we share personal data especially with the listed categories of entities for the purpose of mediating your contact with them or as part of an effort to improve and provide our services. We also share personal data with providers of postal services, IT services, debt collection entities, law firms, accountants and tax advisors, and providers of printing, advertising, and marketing services;
- public authorities and third parties participating in judicial or similar proceedings - in accordance with our other legal obligations, we are obliged to transfer your personal data also to the relevant public authorities such as law enforcement agencies. As part of any disputed proceedings, your personal data will also be shared with third parties as participants in such proceedings;
- other third parties - we are further entitled to share personal data, for example, with payment recipients, service providers in case of extraordinary events (fire, police, and medical emergency services), etc.
What rights do you have in connection with the processing of personal data?
In connection with the processing of personal data, you have a number of rights that you can exercise towards us through our contacts listed above.
Your request to exercise any of the rights below will be processed within one month at the latest (or within three months in justified cases, and we will inform you in advance about the extension of this period) with the understanding that we will not require you to pay any fee. However, it also applies that if we receive a manifestly unfounded or disproportionate request (e.g., if a repeated request is made in a short period of time), we are in such a case entitled to require a reasonable administrative fee to cover our costs for processing this request.
- Right of access to your personal data - you have the right to request information about whether we process your personal data and if so, also to provide an extract of this data, as well as information about for what purposes we process it and for how long we plan to keep it. We will provide the first copy of the extract of processed data free of charge; for each additional copy, we may charge an administrative fee to cover our costs.
- Right to rectification and completion of your personal data - if you find that the personal data we process about you is inaccurate, outdated, or incomplete, you can ask us for correction or completion.
- Right to erasure - you can also ask us to erase your personal data that we process about you without undue delay. However, we are obliged to comply with this request only if:
  - the processing of personal data is no longer necessary for the purposes for which it was collected or otherwise processed; or
  - you have withdrawn your consent on the basis of which we processed the personal data (and there is no other legal reason for processing); or
  - you have successfully objected to processing and there are no overriding legitimate grounds for processing; or
  - the personal data has been processed unlawfully; or
  - the personal data must be erased to comply with our legal obligation.
- Right to restriction of processing - you can request that we restrict the processing of your personal data (i.e., that we do not use them, but at the same time do not completely liquidate them), but only in the following cases:
  - you have contested the accuracy of the personal data (processing will then be restricted for the time necessary for us to verify the accuracy); or
  - the processing of personal data is unlawful and you are not interested in erasure; or
  - we no longer need the personal data for the purposes of processing for which they were obtained, but you require them for the determination, exercise, or defense of your legal claims; or
  - you have objected to processing and verification is underway as to whether our legitimate grounds for processing prevail or do not prevail over your objection.
- Right to data portability - if the processing is carried out on the basis of your consent or for the purpose of concluding or performing a contract, you have the right, at your request, to provide you with personal data concerning you in a structured, commonly used, and machine-readable format, or alternatively, to transfer this data to another controller.
- Right to object - you have the right to object to the processing of personal data that is carried out for the purposes of our legitimate interests. If we subsequently cannot prove to you that we have serious reasons for such processing that outweigh your interests or rights and freedoms, or which is necessary for the determination, exercise, or defense of legal claims, the processing of your personal data will be stopped.
- Right to withdraw your consent to the processing of personal data - if we use your consent for the processing of your data, you are entitled to withdraw this consent at any time. The withdrawal of consent then has effects only for the future, so it will not in any way disrupt the lawfulness of previous processing. The withdrawal of consent must contain information about who is submitting the withdrawal (so include your name, surname, residential address, date of birth, or other identification data) and what specific consent you are withdrawing and to what extent.
- You have the right to lodge a complaint with the Office for Personal Data Protection - if for any reason you believe that the processing of your data is not in order, you can contact the Office for Personal Data Protection with its registered office at Pplk. Sochora 27, 170 00 Prague 7, email: posta@uoou.cz, telephone: +420 234 665 111.
We will not comply with your request for the erasure of personal data especially if their processing is still necessary for the fulfillment of our legal obligation or for the determination, exercise, or defense of our legal claims.
Please note that even in the event of a restriction of processing, we will still be able to process personal data if:
- we have your consent; or
- it will be necessary for the determination, exercise, or defense of our legal claims; or
- it will be necessary for the protection of the rights of other natural or legal persons.
You also have the right to object at any time to the processing of your personal data for direct marketing purposes. In the event of such an objection, this personal data will no longer be processed for these purposes.
Do we use automated individual decision-making?
As part of our activities, we do not automatically process any personal data, nor do we use automated decision-making.
Personal data of other persons
If you provide us with personal data of other persons, you undertake to: (i) inform the persons concerned about the content of this document and (ii) obtain all legally required consents for the collection, use, disclosure, and transfer (including international transfer) of personal data of the persons concerned in accordance with this document.
Do we transfer personal data to a third country or international organization?
Yes, but we strictly ensure that personal data is transferred only to such third countries that provide the same or greater guarantees regarding the security of personal data protection as is given in countries where the GDPR is directly applicable.
Do we use any data analysis services?
For the purpose of possible individualization of the content of our website, we use services enabling data analysis, including but not limited to Google Analytics and cookies.
However, in order to be able to use or store your cookies, we always require your prior consent during each visit to our website.
Security
As part of our effort to maximize the security of your personal data, we take appropriate technical, physical, legal, and organizational measures in accordance with applicable privacy and data security laws. If you have reason to believe that your communication with us is no longer secure (e.g., if you feel that the security of any personal data you have entrusted to us has been compromised), please alert us to this fact immediately through the contact details provided above.
These principles are valid and effective from March 14, 2025