We at Sufio s.r.o. (“Sufio”, “we”, “us”, “our” and terms of similar meaning) as the operator of the website hosted at the sufio.com domain and all associated subdomains (the “Website”) and services provided by the Website (the “Service”) appreciate the confidence you are placing in us when you provide us with your personal data.
We do our best to use your personal data in a fair and transparent manner, and we care about your understanding of how your personal data will be used.
1. Data we collect and process
1.1 Registration and profile data
When you sign up on our Website, we will request that you provide us with your name, surname, email address and password. We need you to give us this data so that we can provide you with the full scope of the Service on the Website. Without providing this data, you will not be able to use the Service that we offer on the Website.
If you use your account with an online store based on the Shopify or BigCommerce platforms, you use the same login data as for your online store to log in to your account. For these accounts, we use data from the settings of your online store, such as your name, surname and email address; we do not store the password in any form.
When using the Website, you may optionally provide the following data in the profile of the account created by us when you sign up: address (street name, street number, city, postcode, country), company registration number, tax identification number, VAT registration information, other business information (e.g. registrations in business registers), bank account number, the invoicing currency used. In addition, you may fill in your phone number, fax number and links to your website and profiles on social media platforms.
1.2 Your customers’ data
When you create an invoice for a customer, we process the following data on your customers provided by you in the invoice: name of the customer’s company, address (street name, street number, city, postcode, country), company registration number, tax identification number, VAT registration information, other business information (e.g. registrations in business registers), notes about the customer and the name, surname, phone number and email address of the customer’s contact person. We also process data on the invoiced products and the quantity and price of the products.
If you use your account with an online store based on the Shopify or BigCommerce platforms, data on customers and products stored in your online store is automatically synchronized and stored in your account. This allows you to use data on existing customers and products when creating a new invoice.
1.3 Other user data
Even when you browse our Website without signing up or logging in, we collect various technical information from visitors that is automatically recorded using a variety of tools, such as weblogs, cookies etc. Data collected through our Website includes, in particular:
- the browser you use,
- the IP address from which you connected to our Website,
- the operating system of your device (computer, tablet or phone),
- the unique IP address of the device that you used to access our Website,
- conversion and retargeting tracking,
- how you use our Website.
We need this data for technical reasons to be able to display our Website to you, ensure that the Website is stable and secure and adapt the Website’s content to your current needs.
2. How we can use the data
2.1 Provision of the Service
We process the data that you provide to us primarily for the purpose of providing the Service on the Website on the basis of Article 6(1)(b) of the GDPR (i.e. steps at the request of the data subject prior to entering into a contract and the subsequent performance of the contract to which the data subject is party), which includes, in particular:
- allowing the use of the full scope of the Service and the Website,
- setting up, keeping and administering your Website account created by us when you sign up.
2.2 Improving the Website and protecting users and ourselves
Since we have a legitimate interest in improving our Website, maintaining our relationship with you and protecting you and other users of the Website, on the basis of Article 6(1)(f) of the GDPR (i.e. legitimate interests pursued by the controller) we also use your personal data for the following purposes:
- improving the design of the Website and optimizing its content, features and the Service that it provides,
- informing you about our new products and services,
In addition to the cases referred to above, we use your personal data for marketing purposes only with your express consent under Article 6(1)(a) of the GDPR (i.e. the data subject’s consent to the personal data processing) – i.e. if you have subscribed to receive ads, offers and other marketing communication by email; in every such email, you will be given the option to unsubscribe from the newsletter. Further information about how you can withdraw your consent can be found under “Withdrawal of consent” below.
3. For how long we retain the data
3.1 Period of retention of registration, profile and other user data
3.2 Terms of processing your customers’ data
We process the personal data referred to in 1.2 under the Data Processing Agreement, which represents the legally binding contract on the personal data processing referred to in Article 28(3) of the GDPR and forms part of this Policy.
3.3 Withdrawal of consent
You can withdraw the consent you have given for marketing purposes by clicking the appropriate link provided in every email newsletter. If you withdraw your consent, we will immediately cease processing the relevant personal data and delete it, unless there is another legal basis for continued processing thereof. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
4. Provision and disclosure of personal data
When providing the Service, we are assisted by certain third-party Subprocessors.
We may also process your invoicing data via our subsidiary Sufio Inc.
Your personal data may be transmitted to the United States of America, in particular to third parties referred to in the preceding paragraph, whose operations are consistent with European personal data protection standards since these parties meet the requirements of the EU-U.S. Privacy Shield. The processing of personal data by third parties is governed by their own terms of service.
We do not disclose personal data.
5. Security of personal data
5.1 Security measures
Our Website has several levels of security. We have introduced software and hardware security systems, including a firewall and encryption of data, intended to protect your personal data from unauthorized access. Nevertheless, despite our efforts, no system provides a full guarantee that your personal data will never be accessed without authorization, and your use of this Website means you are willing to take that risk.
5.2 Our responsibility
5.3 Links to other websites
Our Website may contain links to websites operated by third parties. We are not responsible for information on these websites or for the services or products that they offer. Your use of these websites, including the provision of personal data, is at your own risk. Therefore, we recommend that you review the privacy policies (and, if applicable, other terms) of these websites before you use them for the first time.
6. Your rights and options
Listed below are your rights and options in relation to personal data that we process. If you want to use any of these options, please contact us at firstname.lastname@example.org.
6.1 Right of access to personal data
You may request that we confirm whether or not we process your personal data and, if we do, you have the right of access to this data (a copy of your personal data) and information about the terms of processing it. We will generally provide this information within one month of the date of your request.
6.2 Right to rectification and completion of the data
You may at any time rectify, complete and update your personal data in your account on the Settings → Company Profile page. We recommend that you do so every time this data changes. If you have a problem updating your personal data, please contact us.
6.3 Right to erasure
In addition to withdrawal of consent, you may have your personal data erased where one of the following grounds applies:
- the personal data is no longer necessary for the purposes referred to above,
- you object to your personal data being processed on the legal ground of a legitimate interest and there are no overriding legitimate grounds for the processing or you object to your personal data processing for direct marketing purposes,
- the personal data has been unlawfully processed, or
- the personal data has to be erased for compliance with a legal obligation,
where the processing is not necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims, unless the GDPR grants other exemptions.
6.4 Right to restriction of processing
In addition, you may request restriction of processing of your personal data, if:
- you contest the accuracy of your personal data, for a period during which its accuracy is being verified,
- personal data has been processed unlawfully (instead of requesting erasure of the data),
- we no longer need the personal data for the purposes referred to above, but you need it for the establishment, exercise or defense of legal claims, or
- you object to your personal data being processed on the legal grounds of a legitimate interest, for a period during which it is being verified whether there are legitimate grounds for continued processing thereof.
6.5 Right to portability
You have the right to have personal data, which you have provided to us for the purposes of performing the contract or on the grounds of your consent and which we process using automated means, transferred to another organization, if technically possible.
6.6 Right to object
You may object, for reasons related to your particular situation, to your personal data being processed on the legal grounds of a legitimate interest. In the event of such objection, we will cease processing your personal data unless compelling legitimate grounds for continued processing or for the establishment, exercise or defense of legal claims are demonstrated.
6.7 Right to lodge a complaint
If you feel that we have violated privacy legislation, you may lodge a complaint with the regulatory authority, which is the Office for Personal Data Protection at Hraničná 12, 820 07 Bratislava, Slovak Republic (dataprotection.gov.sk).
Last updated on May 24, 2018.