Privacy Policy

We at Sufio s.r.o. (“Sufio”, “we”, “us”, “our” and terms of similar meaning) as the operator of the website hosted at the sufio.com domain and all associated subdomains (the “Website”) and services provided by the Website (the “Service”) appreciate the confidence you are placing in us when you provide us with your personal data.

We do our best to use your personal data in a fair and transparent manner, and we care about your understanding of how your personal data will be used.

This Privacy Policy will explain to you how the personal data you provide to us will be processed and protected and what your options are in this regard.

This document describes how we treat personal data of natural persons while complying with Regulation (EU) 2016/679 of the European Parliament and of the Council – the General Data Protection Regulation, also known as the GDPR (the “GDPR”). This Privacy Policy represents the fulfillment of our information obligation as a controller in respect of data subjects within the meaning of Article 13 of the GDPR.

The Privacy Policy forms an integral part of the Terms of Service and the provisions of the Terms of Service apply to this Privacy Policy. Capitalized terms not defined in this Privacy Policy take the meaning assigned to them in the Terms of Service.

1. Data we collect and process

1.1 Registration and profile data

When you sign up on our Website, we will request that you provide us with your name, surname, email address and password. We need you to give us this data so that we can provide you with the full scope of the Service on the Website. Without providing this data, you will not be able to use the Service that we offer on the Website.

If you use your account with an online store based on the Shopify or BigCommerce platforms, you use the same login data as for your online store to log in to your account. For these accounts, we use data from the settings of your online store, such as your name, surname and email address; we do not store the password in any form.

When using the Website, you may optionally provide the following data in the profile of the account created by us when you sign up: address (street name, street number, city, postcode, country), company registration number, tax identification number, VAT registration information, other business information (e.g. registrations in business registers), bank account number, the invoicing currency used. In addition, you may fill in your phone number, fax number and links to your website and profiles on social media platforms.

1.2 Your customers’ data

When you create an invoice for a customer, we process the following data on your customers provided by you in the invoice: name of the customer’s company, address (street name, street number, city, postcode, country), company registration number, tax identification number, VAT registration information, other business information (e.g. registrations in business registers), notes about the customer and the name, surname, phone number and email address of the customer’s contact person. We also process data on the invoiced products and the quantity and price of the products.

If you use your account with an online store based on the Shopify or BigCommerce platforms, data on customers and products stored in your online store is automatically synchronized and stored in your account. This allows you to use data on existing customers and products when creating a new invoice.

1.3 Other user data

Even when you browse our Website without signing up or logging in, we collect various technical information from visitors that is automatically recorded using a variety of tools, such as weblogs, cookies etc. Data collected through our Website includes, in particular:

  • the browser you use,
  • the IP address from which you connected to our Website,
  • the operating system of your device (computer, tablet or phone),
  • the unique IP address of the device that you used to access our Website,
  • conversion and retargeting tracking,
  • how you use our Website.

We need this data for technical reasons to be able to display our Website to you, ensure that the Website is stable and secure and adapt the Website’s content to your current needs.

Read more about cookies and about how you can set up or disable them in our Cookie Policy.

2. How we can use the data

2.1 Provision of the Service

We process the data that you provide to us primarily for the purpose of providing the Service on the Website on the basis of Article 6(1)(b) of the GDPR (i.e. steps at the request of the data subject prior to entering into a contract and the subsequent performance of the contract to which the data subject is party), which includes, in particular:

  • allowing the use of the full scope of the Service and the Website,
  • setting up, keeping and administering your Website account created by us when you sign up.

2.2 Improving the Website and protecting users and ourselves

Since we have a legitimate interest in improving our Website, maintaining our relationship with you and protecting you and other users of the Website, on the basis of Article 6(1)(f) of the GDPR (i.e. legitimate interests pursued by the controller) we also use your personal data for the following purposes:

  • improving the design of the Website and optimizing its content, features and the Service that it provides,
  • informing you about our new products and services,
  • informing you about changes on the Website, the terms of use of the Website, this Privacy Policy and other terms relating to our Website,
  • enforcing our terms of use of the Website and detecting violations thereof.

Therefore, we will send to your mailbox news and notifications regarding features and updates on the Website, as well as notifications related to your use of the Website (e.g. alerts to violations of the Terms of Use etc.).

2.3 Marketing

In addition to the cases referred to above, we use your personal data for marketing purposes only with your express consent under Article 6(1)(a) of the GDPR (i.e. the data subject’s consent to the personal data processing) – i.e. if you have subscribed to receive ads, offers and other marketing communication by email; in every such email, you will be given the option to unsubscribe from the newsletter. Further information about how you can withdraw your consent can be found under “Withdrawal of consent” below.

3. For how long we retain the data

3.1 Period of retention of registration, profile and other user data

Personal data referred to in 1.1 and 1.3 is retained for the duration of the contract (Terms of Service), i.e. for the duration of your user account. We store an archived copy of your personal data for a period of 60 days after the contract is terminated, in case of a dispute regarding the relationship between you and us related to the Terms of Service or this Privacy Policy.

3.2 Terms of processing your customers’ data

We process the personal data referred to in 1.2 under the Data Processing Agreement, which represents the legally binding contract on the personal data processing referred to in Article 28(3) of the GDPR and forms part of this Policy.

You can withdraw the consent you have given for marketing purposes by clicking the appropriate link provided in every email newsletter. If you withdraw your consent, we will immediately cease processing the relevant personal data and delete it, unless there is another legal basis for continued processing thereof. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

4. Provision and disclosure of personal data

When providing the Service, we are assisted by certain third-party Subprocessors.

We may also process your invoicing data via our subsidiary Sufio Inc.

Your personal data may be transmitted to the United States of America, in particular to third parties referred to in the preceding paragraph, whose operations are consistent with European personal data protection standards since these parties make use of standard contractual data protection clauses, which have been approved by the European Commission to help safeguard the transfer of information we collect from the European Economic Area (“EEA”), the United Kingdom, and Switzerland. The processing of personal data by third parties is governed by their own terms of service.

We make use of a variety of legal mechanisms to safeguard the transfer, including the European Commission-approved standard contractual data protection clauses, or other appropriate legal mechanisms. For transfers to or from the United Kingdom, we make use of the standard contractual clauses.

We do not disclose personal data.

5. Security of personal data

5.1 Security measures

We undertake to keep all personal and other data you have provided to us properly, in compliance with the highest security standards. We will treat all data in accordance with the rules contained in this Privacy Policy and in compliance with applicable legislation, in particular the GDPR.

Our Website has several levels of security. We have introduced software and hardware security systems, including a firewall and encryption of data intended to protect your personal data from unauthorized access. Nevertheless, despite our efforts, no system provides a full guarantee that your personal data will never be accessed without authorization and your use of this Website means you are willing to take that risk.

5.2 Our responsibility

Protection under this Privacy Policy applies to personal data only to the extent that can reasonably be expected from us.

Our Website may contain links to websites operated by third parties. We are not responsible for information on these websites or for the services or products that they offer. Your use of these websites, including the provision of personal data, is at your own risk. Therefore, we recommend that you review the privacy policies (and, if applicable, other terms) of these websites before you use them for the first time.

6. Your rights and options

Listed below are your rights and options in relation to personal data that we process. If you want to use any of these options, please contact us at privacy@sufio.com.

6.1 Right of access to personal data

You may request that we confirm whether or not we process your personal data and, if we do, you have the right of access to this data (a copy of your personal data) and information about the terms of processing it. We will generally provide this information within one month of the date of your request.

6.2 Right to rectification and completion of the data

You may at any time rectify, complete and update your personal data in your account on the Settings → Company Profile page. We recommend that you do so every time this data changes. If you have a problem updating your personal data, please contact us.

6.3 Right to erasure

In addition to withdrawal of consent, you may have your personal data erased where one of the following grounds applies:

  • the personal data is no longer necessary for the purposes referred to above,
  • you object to your personal data being processed on the legal ground of a legitimate interest and there are no overriding legitimate grounds for the processing or you object to your personal data processing for direct marketing purposes,
  • the personal data has been unlawfully processed, or
  • the personal data has to be erased for compliance with a legal obligation,

where the processing is not necessary for compliance with a legal obligation or for the establishment, exercise or defense of legal claims, unless the GDPR grants other exemptions.

6.4 Right to restriction of processing

In addition, you may request restriction of processing of your personal data, if:

  • you contest the accuracy of your personal data, for a period during which its accuracy is being verified,
  • personal data has been processed unlawfully (instead of requesting erasure of the data),
  • we no longer need the personal data for the purposes referred to above, but you need it for the establishment, exercise or defense of legal claims, or
  • you object to your personal data being processed on the legal grounds of a legitimate interest, for a period during which it is being verified whether there are legitimate grounds for continued processing thereof.

6.5 Right to portability

You have the right to have personal data, which you have provided to us for the purposes of performing the contract or on the grounds of your consent and which we process using automated means, transferred to another organization, if technically possible.

6.6 Right to object

You may object, for reasons related to your particular situation, to your personal data being processed on the legal grounds of a legitimate interest. In the event of such objection, we will cease processing your personal data unless compelling legitimate grounds for continued processing or for the establishment, exercise or defense of legal claims are demonstrated.

6.7 Right to lodge a complaint

If you feel that we have violated privacy legislation, you may lodge a complaint with the regulatory authority, which is the Office for Personal Data Protection at Hraničná 12, 820 07 Bratislava, Slovak Republic (dataprotection.gov.sk).

7. Amendments to the Privacy Policy

We may amend this Privacy Policy every now and again (especially due to legal or technological changes, or after adding new or modifying existing features on the Website). We will notify you of any amendments to this Privacy Policy by sending a notification to your mailbox.

The latest and up-to-date version of the Privacy Policy will always be available on the Website, including information about its effective date. If you use our Website after the effective date of such amendments, you will be deemed by us to have read the amendments to the Privacy Policy and the version of the Privacy Policy effective at the time you use the Website.

8. Contact

Should you have any questions related to this Privacy Policy, please contact us at privacy@sufio.com.

Last updated on May 24, 2018.