PRINCIPLES OF PERSONAL DATA PROCESSING

In order to make the text clearer, we will make it easier for you to read several terms that we use in this Personal Data Processing Policy:

GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council;

CCPA – California Consumer Protection Act of 2018;

EEA – European Economic Area;

Commercial communication – usually an e-mail message or SMS sent for the purpose of promoting our services;

Personal data – any information about the User on the basis of which it can be directly or indirectly identified;

Service – Retino software application for management of back processes in e-commerce;

Contract – the contract for the provision of Services as amended by the Retino Terms of Service, which is concluded between us and the registered User, or it will be a contract under individually negotiated conditions or a contract for ordering transportation through our Retino application;

Data Subject – a natural person who can be directly or indirectly identified on the basis of Personal Data;

User / you – the natural person to whom the Personal Data relates, most often it will be a customer (the person who signed the Agreement with us and the person who subsequently set up a user account with us and is provided with the Service) or a potential customer , or users of our websites who are just browsing them;

Administrator – the entity (in relation to your data, it is us) which alone or jointly with others determines the purposes and means of processing Personal Data

Processor – we use other entities to, for example, ensure secure data storage for us or to send you a newsletter. During this cooperation, they may process Personal Data that you have provided to us;

Processing of Personal Data – in simple terms, this is any handling of Personal Data – whether it is their storage, sharing, deletion, or change;

Special categories of Personal Data – data that we understand to be more sensitive. They concern, for example, what your ethnic origin is, what your sexual orientation is, whether you are in a trade union or how your health is and what your faith is. Genetic and biometric data are also considered a special category of data if they are processed for the unique identification of a natural person. We do not process this Personal Data.

If terms that are not specified above appear within that document, then they are governed by the interpretation given in the Retino Terms of Service.

Users from California. If you are located in the State of California, the terms “Personal Information”, “Data Subject”, “Controller” and “Processor” used in this policy are equivalent to the terms “Personal information”, “Consumer”, “Business” and “Service provider” under the CCPA. At the same time, in connection with the CCPA, we state that under no circumstances do we sell, rent or otherwise disclose your Personal Data for financial or other consideration. If we make your Personal Data available to a third party in any way, we do so for the purpose of providing our Services or fulfilling our legal obligation, in accordance with these principles.

Your privacy is a priority for us, therefore we only require from you the personal data that is necessary to provide the Services. Our Services meet the standards required by the GDPR. If you entrust us with your data, we undertake to handle it in accordance with the relevant legislation that applies to you (GDPR, CCPA, etc.). We inform you below about the rights you have in connection with Personal Data.

With regard to the kind of Services we provide, we may find ourselves in the position of Administrator and Processor in relation to Personal Data.

When do these policies apply? This personal data processing policy applies only to situations where we are in the position of Administrator, unless otherwise stated in the text of the policy.

When is Retino an Administrator? In relation to Users, we are the Administrator of Personal Data. You have entrusted us with some information about yourself (such as your name and email), for example to register an account for you. An overview of the processed Personal Data, including the reasons for their processing, can be found below. If anything is unclear, don’t hesitate to contact us at support@retino.com.

Other Processors. In order to be able to provide you with the highest possible quality of our Service, we use other entities for this. We have concluded the necessary contracts with all of them and require the highest possible level of protection and security of Personal Data. All our processors can be found in section 8 of this policy.

When is Retino in the position of processor? We provide a Service whose purpose is to facilitate feedback processes in relation to your customers. As part of the Service, you and your customers enter your personal data into the Retino system. In relation to customers of Users of our Service, we may be in the position of a processor of Personal Data. If we process the Personal Data of your customers, then we do so on your behalf only as a processor, in accordance with your instructions (i.e. the User’s instructions). In this case, the protection of personal data and the rights and obligations arising therefrom are governed by the Personal Data Processing Agreement (DPA), which is an appendix to the Retino Terms of Service.

If you are a customer of our User. If you order transportation through our Application, please read section 5 point C of these Policies. In other cases, please contact our User directly for more detailed information regarding personal data protection. We are not responsible for how our Users approach the protection of personal data.

Access Retino as a processor. For the most part, Retino does not have access to the data of its Users, unless such data is made available to it by the User himself or access to it is necessary to provide the Services. We are not responsible for the content of Personal Data that the User:

• • include in the data processed as part of the provision of the Services,

• how the User collects, stores, distributes such data,

• or otherwise processes.

Subprocessors. As part of the provision of Services, we use other Entities. If we find ourselves in the position of Personal Data Processor, we may use other sub-processors, in accordance with the Personal Data Processing Agreement (DPA), which is an appendix to the Retino Terms of Service . We and our sub-processors have very limited access to your data that you save in the system, i.e. to the data of your clients, despite this we make sure that our sub-processors are bound to ensure the protection of Personal Data at the same level as we provide.

How do we process personal data? We process your Personal Data only to the extent necessary to achieve the purpose for which the data were collected and we comply with security technical and organizational rules when processing them. The Personal Data processing process is automated, but we do not perform profiling. The specific purposes of data processing and categories of personal data that we process for individual purposes are detailed in the following section.ti.

→ Name and surname

→ Contact information (especially e-mail, phone number) and other information that you voluntarily provide in your user interface

→ Login to the user account and behavior in the user account (in particular data filled in by the User in the user account, time of registration, date of last profile update)

→ Data in the inquiry sent by the customer or another person

→ Invoicing data and bank connection (data necessary for accounting and making payments)

→ Information that you communicate to us as part of communication with us (in particular, it will be about your questions and answers to your questions, communication with you)

→ Comments added by you to our posts on social networks (especially Facebook, LinkedIn), as well as the name (nickname) of your profile on these social networks and publicly accessible information on your profiles

→ Cookies and IP address, activity data (including information about your device or operatig system)

Special category of Personal Data. We do not process any sensitive Personal Data about you.

We process your personal data if you are a user of our website, our customer or you are interested in becoming a member of our team. We process your Personal Data only for the necessary time, but its duration may vary with regard to the relevant legislation in the place where we provide you with our Services. Data on the duration of processing are therefore only indicative.

If you visit our website, we process your Personal Data for the purposes listed in this table.

If you decide to use our Services or want to try them first, we will create a user account for you. We will process your personal data to the necessary extent so that we can provide you with the Service in accordance with the Retino Terms of Service.

If you order transport via our Application to return purchased goods, these terms and conditions apply to you .

Lawfulness of processing. We obtain and process all Personal Data in a lawful manner. We process personal data:

• based on your consent (e.g. when you voluntarily subscribe to our newsletter),

• for the purpose of fulfilling the Agreement (so that we can start providing you with our Services),

• for the purpose of fulfilling a legal obligation (e.g. in the case of supervision by a supervisory authority) and

• based on our legitimate interest (e.g. if you are our customer, so that we can inform you about what is new with us).

In the event that we provide the Service to you outside the European Economic Area (EEA), the legal titles for the processing of Personal Data may differ.

Our Service can be used by persons over the age of 16. In no case do we knowingly process the personal data of children and minors under this age limit. If we learn that we have received Personal Information from a child without parental consent or legal consent, we will take reasonable steps to remove that information as quickly as possible.

We have developed these policies in such a way that they are as clear as possible. However, if you are under the age of 18, you are a User of our Service and these principles of personal data processing are not sufficiently understandable for you, contact us by e-mail at support@retino.com.

Processors. We only use verified Processors with whom we have a written contract, and who provide us with at least the same guarantees as we provide you. We have listed the data that the Processors can process, including their purpose and legal title of processing. We use these Processors from the position of Administrator, that means they do not process data that you enter into the system as part of using the Service.

Legal obligations. We may transfer personal data to third parties other than the above-mentioned Processors, if required by law or in response to legal requirements of public authorities or at the request of a court in legal disputes.

Our customers can influence the scope of processing within the provision of the Service through their own settings in the User Account.

Technical measures. Security is very important to us and that is why we constantly work to ensure that your Personal Data is protected. When choosing measures, we take into account the scope of processing, the riskiness of processing or the state of our technology.

• We regularly back up data;

• we update anti-virus software systems;

• we encrypt data using SSL/TLS (“secure sockets layer / transport layer security”) for all transmissions of taxes;

• we use a secure https protocol;

• our data on servers is encrypted;

• we develop technology with regard to the protection of personal data (privacy by design);

• access passwords to information systems (where Personal Data will be processed) and access authorizations are controlled at the level of individuals.

Organizational measures. We have adopted and undertake to comply with the following measures:

• Our employees and our service providers are bound by confidentiality;

• Our employees are properly trained and also receive further regular training regarding the GDPR and familiarize themselves with the rules of safe work on work equipment;

• In the case of storing API keys, we remove authorization data;

• Access to all systems, including the information system, is personalized and covered by secure passwords;

• We keep passwords in the operational environment in a separate place (Safe store), where logs are recorded, so that we can control the access of employees to individual Personal Data of Users.

If we use Processors who are based abroad, we ensure that we meet the requirements of the relevant legislation. In particular, when data is transferred from the EEA to other countries, we ensure a high standard of Personal Data protection through standard contractual clauses approved by the European Commission, or equivalent standard contractual clauses for the United Kingdom, for transfers to countries that are not subject to an adequacy decision by the European commission or your local legislator.

We follow GDPR standards and the protection of Personal Data is very important to us. We also provide our Services outside the EEA market, so your rights related to the protection of Personal Data depend on the relevant legislation that applies to you.

How can you exercise your rights? You can exercise your rights by email at support@retino.com or by post at the registered address.

In order to process your request, we may require verification of your identity, depending on the nature of the right you are exercising. In the event that a representative will exercise rights on your behalf, we will need to document his authorization to act on your behalf in this way. We will also require your representative to identify himself. We take these steps in order to ensure the highest possible standard of protection of your Personal Data.

If you are located in the EEA, you can exercise the below rights arising from the GDPR with us.

You can exercise your rights by email at support@retino.com or by post at the registered address.

How quickly will we process your request? We will reply to you within one month at the latest. If the provision of information would endanger the privacy of other persons, or the provision would be disproportionate to the risks or costs of providing it, it is possible that we will not be able to satisfy you. In order to process your request as soon as possible, it is possible that we will need to verify your identity from you. In the event of a repeated request, the Administrator will be entitled to charge a reasonable fee for a copy of the Personal Data.

This Privacy Policy can only be changed in writing. You will be informed about this through our website. Therefore, please check this policy regularly. By continuing to use our Service, you agree to the changes to this policy.

If you have any questions regarding our Privacy Policy, please contact us at support@retino.com.

If you are unsatisfied, you can at any time submit an initiative or complaint to:

• Office for the Protection of Personal Data, with headquarters in Pplk. Sochora 727/27, 170 00 Prague 7 – Holešovice (more at https://www.uoou.cz/), or

• Office for the Protection of Personal Data of the Slovak Republic, with headquarters at Hraničná 12, 820 07 Bratislava 27, Slovak Republic (more information at https://dataprotection.gov.sk/uoou/), or

• Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, with registered office at Graurheindorfer Straße 153, 53117 Bonn (more information at https://www.bfdi.bund.de), or

• Datenschutzbehörde, located at Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna (more information at http://www.dsb.gv.at), or

• another office for the protection of personal data located in the place of your usual residence.

These principles of personal data protection are effective from July 3, 2023.