Data Protection

Privacy Policy

I

Data Controller

1.1 The data controller within the meaning of Article 4(7) of the European Parliament and Council Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter: 'GDPR') is Triligo (hereinafter 'Triligo').

1.2 Contact details of the controller are:

address: Příčná 1892/4, Nové Město (Prague 1), 110 00 Prague,

email: info@triligo.com

1.3 The controller has not appointed a Data Protection Officer.

II

Sources and Categories of Processed Personal Data

2.1 The controller processes personal data provided by the data subject, or personal data obtained by the controller in connection with the performance of a contract.

2.2 The controller mainly processes identification and contact data, in particular: first name, last name, date of birth, bank account information, contact details, and other data necessary for the performance of the contract.

2.3 The controller also processes special category personal data within the meaning of Article 9 GDPR, always based on the explicit consent of the data subject.

2.4 The controller also processes personal data obtained from publicly available registers, lists, or databases (e.g., Commercial Register, Trade Register, Insolvency Register, ARES database, etc.) or from other public information sources, for the purpose of verifying the accuracy of the provided data, identifying contracting parties, or protecting its legal claims.

III

Legal Basis and Purpose of Personal Data Processing

3.1 Triligo processes personal data based on the following legal grounds:

a) the data subject has given consent to the processing of their personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary to comply with a legal obligation to which the controller is subject;

d) the controller's legitimate interest in providing direct marketing (especially sending commercial communications and newsletters);

e) based on consent for the purpose of providing direct marketing (especially sending commercial communications and newsletters) under Article 6(1)(a) GDPR in conjunction with §7(2) of Act No. 480/2004 Coll., on certain information society services (Slovakia: §62(2) Act No. 351/2011 Coll. on electronic communications), if no contract has been concluded with the controller.

3.2 The purposes of personal data processing are:

a) exercising rights and obligations arising from the contractual relationship between you and the controller; during contract negotiations, personal data necessary for successful contract conclusion (name, address, contact, date of birth) are required; providing personal data is necessary for contract conclusion and performance; without providing personal data, the contract cannot be concluded or performed by the controller;

b) compliance with a legal obligation applicable to the controller (e.g., accounting, tax obligations);

c) sending commercial communications and performing other marketing activities;

d) establishing, exercising, or enforcing legal claims.

3.3 The controller does not perform automatic individual decision-making under Article 22 GDPR.

IV

Data Retention Period

4.1 The controller stores personal data:

a) for the period necessary to exercise rights and obligations arising from contractual relationships and enforce claims (usually 3 years from termination of the contract due to limitation periods);

b) for 10 years from the end of the accounting period in which the performance occurred, if required for statutory archiving and tax obligations (especially according to the Accounting Act and VAT Act);

c) until consent for marketing purposes is withdrawn, but no longer than 10 years, if personal data are processed based on consent.

4.2 After the retention period, the controller will irreversibly delete, shred, or anonymize personal data.

V

Recipients of Personal Data

5.1 In processing personal data, we also use services of trusted and contractually bound external business partners. These are recipients and processors who develop and maintain functional and secure systems for Triligo, provide necessary software solutions, or offer other services or products (e.g., accounting, legal, or cloud services) required for processing personal data for the above purposes.

5.2 Additionally, personal data may be provided to:

a) courts, other public authorities, and other state bodies, if necessary to exercise the controller’s rights toward the data subject or to fulfill the controller’s legal obligations;

b) law enforcement authorities, if necessary to exercise the controller’s rights toward you or to fulfill legal obligations;

c) third parties authorized by the controller to act on its behalf in providing services or performing other activities related to service provision;

d) third parties involved in arranging opportunities to conclude contracts with the controller;

e) third parties providing marketing services;

f) new owners of our company and legal advisors in case of sale of our company or similar transaction.

5.3 The controller may transfer personal data to a third country (outside the EU) or international organization. Recipients of personal data in third countries include providers of mailing or cloud services or persons involved in arranging contract opportunities, service operation, or marketing services.

5.4 In such cases, the controller will adopt adequate safeguards for data protection pursuant to Articles 44 et seq. GDPR.

VI

Your Rights

6.1 Under GDPR, you have the following rights:

a) right of access to your personal data under Article 15 GDPR;

b) right to rectify personal data under Article 16 GDPR or restrict processing under Article 18 GDPR;

c) right to erasure of personal data under Article 17 GDPR;

d) right to object to processing under Article 21 GDPR (especially for direct marketing);

e) right to data portability under Article 20 GDPR;

f) right to withdraw consent to personal data processing at any time in writing or electronically to the controller's address or email specified in Chapter I.

6.2 The data subject also has the right to lodge a complaint with the supervisory authority if they believe their personal data have been processed in violation of GDPR. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, email: posta@uoou.cz, website: https://www.uoou.cz. For subjects from other EU member states, complaints can be filed with the authority of their usual residence, place of employment, or where the alleged violation occurred.

6.3 You have the right to object to processing based on the controller’s legitimate interest (including direct marketing). If you object to marketing, the controller will immediately stop processing your data for this purpose.

VII

Voluntary Provision of Personal Data

7.1 Providing personal data is voluntary; however, failure to provide necessary personal data is incompatible with establishing the relevant legal relationship and fulfilling the rights and obligations arising from it.

VIII

Personal Data Security Conditions

8.1 The controller declares that it has adopted all appropriate technical and organizational measures to secure personal data and data storage containing such data.

8.2 The controller declares that only authorized persons have access to personal data.

IX

Cookies

9.1 Triligo websites use cookies. Cookies are small text files stored on your device (computer, tablet, or mobile phone) when browsing the website.

9.2 The controller uses the following categories of cookies on its websites:

a) Technical (necessary) cookies: These cookies are essential for proper website functionality, security, and correct display on your device. They cannot be disabled in our system, and your consent is not required.

b) Analytical and statistical cookies: Help us understand how visitors use the website (e.g., which pages are most visited). These cookies are activated only based on your voluntary consent via the cookie banner.

c) Marketing and preference cookies: Used to personalize content and advertisements and connect with social networks. These cookies are used only with your explicit consent.

9.3 You can change your cookie preferences or withdraw consent at any time via the cookie banner or your browser settings.

9.4 Most browsers accept cookies automatically unless configured otherwise. Disabling even technical cookies may prevent the website from functioning correctly.

X

Final Provisions

10.1 You agree to these terms by checking the consent box online or signing a contract. By doing so, you confirm that you have read and accept the privacy policy in full.

10.2 The controller is entitled to amend these terms. The updated privacy policy will be published on the website or sent to data subjects via the email address provided.