Privacy Policy

This page describes how Compenso handles personal data, security, and compliance obligations for the service.

Effective Date: January 1, 2025

Last Updated: January 23, 2025

1. Data Controller Information

This Privacy Policy describes how BORECORP s.r.o. ("we", "us", or "our") collects, uses, and protects your personal data when you use the Compenso service.

Data Controller:
BORECORP s.r.o.
IČO: 03768899
Hybernská 1012/30, Nové Město (Praha 1)
110 00 Praha, Czech Republic
Email: privacy@compenso.app
Data Protection Officer: dpo@compenso.app

2. Legal Basis for Processing

We process personal data in accordance with:

  • Regulation (EU) 2016/679 (General Data Protection Regulation - GDPR)
  • Czech Act No. 110/2019 Coll. on Personal Data Processing
  • Directive 2002/58/EC (ePrivacy Directive)

We process your personal data based on the following legal grounds:

  • Contract Performance: To provide you with our services
  • Legal Obligations: To comply with Czech and EU laws
  • Legitimate Interests: To improve our services and prevent fraud
  • Consent: Where you have explicitly agreed to specific processing

3. Data We Collect

3.1 Account Information

  • Full name and email address
  • Company name and registration number (IČO/DIČ)
  • Billing address and VAT number
  • Phone number (optional)
  • Password (encrypted)

3.2 Business Data

  • Invoice details and client information
  • Financial records and transaction history
  • Tax-related information
  • Business preferences and settings

3.3 Usage Data

  • IP address and device information
  • Browser type and version
  • Pages visited and features used
  • Date and time of access
  • Referring website

3.4 Communication Data

  • Support tickets and email correspondence
  • Feedback and survey responses
  • Marketing preferences

4. How We Use Your Data

4.1 Service Provision

  • Create and manage your account
  • Process invoices and payments
  • Provide customer support
  • Send service-related notifications

4.2 Legal Compliance

  • Comply with tax regulations
  • Fulfill accounting requirements
  • Respond to legal requests
  • Prevent fraud and abuse

4.3 Service Improvement

  • Analyze usage patterns
  • Develop new features
  • Optimize performance
  • Conduct research and analytics

4.4 Marketing (with consent)

  • Send promotional emails
  • Inform about new features
  • Share relevant business insights

5. Data Sharing and Transfers

5.1 Service Providers

We share data with carefully selected service providers who assist us in operating our service:

  • Cloud Infrastructure: Supabase, Vercel (EU data centers)
  • Payment Processing: Stripe (PCI-DSS compliant)
  • Email Services: Resend (GDPR compliant)
  • Analytics: Privacy-focused analytics tools

5.2 Legal Requirements

We may disclose your data when required by law, including:

  • Court orders and legal proceedings
  • Tax authority requests
  • Law enforcement investigations
  • National security requirements

5.3 International Transfers

Your data is primarily stored within the EU. Any transfers outside the EU are protected by:

  • EU Standard Contractual Clauses
  • Adequacy decisions by the European Commission
  • Your explicit consent where required

6. Data Retention

We retain your personal data for as long as necessary to:

  • Provide our services to you
  • Comply with legal obligations
  • Resolve disputes and enforce agreements

Specific Retention Periods:

  • Account data: Duration of account + 30 days
  • Financial records: 10 years (Czech accounting law)
  • Tax documents: 10 years (Czech tax law)
  • Communication logs: 2 years
  • Usage analytics: 24 months

7. Your Rights Under GDPR

As a data subject, you have the following rights:

7.1 Right to Access

Request a copy of your personal data we hold

7.2 Right to Rectification

Request correction of inaccurate or incomplete data

7.3 Right to Erasure (Right to be Forgotten)

Request deletion of your data in certain circumstances

7.4 Right to Restriction

Request limited processing of your data

7.5 Right to Data Portability

Receive your data in a structured, machine-readable format

7.6 Right to Object

Object to processing based on legitimate interests or direct marketing

7.7 Right to Withdraw Consent

Withdraw consent at any time where processing is based on consent

7.8 Right to Lodge a Complaint

File a complaint with the Czech Data Protection Authority:

Úřad pro ochranu osobních údajů
Pplk. Sochora 27
170 00 Praha 7
Website: www.uoou.cz

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption: All data is encrypted in transit (TLS) and at rest (AES-256)
  • Access Control: Role-based access with multi-factor authentication
  • Regular Audits: Security assessments and penetration testing
  • Incident Response: Established procedures for data breach management
  • Employee Training: Regular privacy and security awareness training
  • Data Minimization: We only collect data necessary for specified purposes

9. Cookies and Tracking

We use cookies and similar technologies to enhance your experience. For detailed information, please refer to our Cookie Policy.

Types of Cookies We Use:

  • Essential: Required for service functionality
  • Performance: Help us understand usage patterns
  • Functional: Remember your preferences
  • Marketing: Used only with your consent

10. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete that information.

11. Third-Party Links

Our Service may contain links to third-party websites. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies.

12. Data Processing Agreement

For business customers, we provide a Data Processing Agreement (DPA) that outlines our commitments as a data processor. Please contact us to request a copy.

13. Privacy by Design

We implement privacy by design principles:

  • Proactive rather than reactive measures
  • Privacy as the default setting
  • Full functionality with privacy protection
  • End-to-end security
  • Visibility and transparency
  • Respect for user privacy
  • Privacy embedded into design

14. Updates to This Policy

We may update this Privacy Policy periodically. We will notify you of any material changes via email or through the Service at least 30 days before they take effect.

15. Contact Us

For any questions or to exercise your rights, please contact us:

Data Protection Officer
BORECORP s.r.o.
Email: dpo@compenso.app
Phone: +420 XXX XXX XXX
Address: Hybernská 1012/30, 110 00 Praha 1, Czech Republic

Response time: We aim to respond to all privacy-related requests within 30 days, as required by GDPR.

Your Privacy Matters: We are committed to protecting your personal data and respecting your privacy rights under GDPR. This policy is designed to be transparent about our data practices and provide you with control over your information.