1. Introduction

This document outlines and summarizes the basic principles for handling and processing personal data of users of websites and other online systems running on the domains climblife.cz, climblife.eu, and climblife.app (hereinafter referred to as the “System”). The processing is governed by legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (hereinafter referred to as “GDPR”), and Act No. 110/2019 Coll., on the processing of personal data, as amended.

Link to GDPR legislation: https://www.mvcr.cz/gdpr/clanek/gdpr-web-legislativa-legislativa.aspx

Your information and data are used exclusively in connection with the services you choose to use, and we do not share them with or transfer them to any unauthorized party without your consent. In this policy, you will learn how and why we process your data, how it is protected, and what rights you have regarding your data.

 

2. Personal Data Controller — Who We Are and Why We Process Your Data

We are the owner and operator of the System, i.e., the websites and other web systems running on the domains climblife.cz, climblife.eu, and climblife.app, as well as the ClimbLife Mobile Applications available in Google Play and Apple App Store.

To provide our services efficiently and at a high quality, we need to process a certain amount of personal data concerning the individuals involved in our activities. These individuals include our clients, users of the System and our services, employees, suppliers, contractors, or others with whom we need to communicate and collaborate.

The law designates us as a data controller, meaning we must ensure the security of your data, fulfill various obligations regarding its processing, and assist you in exercising your rights. If you have any questions or requests, please contact us:

 

ClimbLife s.r.o.

Registered office: Chudenická 1059/30, Hostivař, 102 00 Prague

Company ID: 19549326

File No.: C 201285 registered with the Municipal Court in Prague

Phone: +420 792 432 312

E-mail: info@climblife.eu

Data box ID: 5b2vfb

 

(hereinafter referred to as “ClimbLife” or “Controller”)

 

These policies reflect our values and approach to personal data protection and ensure that:

 

• We comply with the legal requirements for personal data protection, especially the principles of personal data processing in accordance with Article 5 of the GDPR

• We protect the privacy of our clients, employees, partners, and other individuals

• We process your data primarily to provide you with high-quality and reliable services. We process data only to the extent necessary for the specified purpose.

 

The Controller has not appointed a Data Protection Officer, as this is not required by law.

 

3. When We Collect or Otherwise Process Your Personal Data

 

We may collect your data in various ways, particularly in the following situations:

 

• You use the System’s services

• You enter into a contract or otherwise cooperate with us

• You communicate with us via phone, email, or special forms

• You subscribe to our newsletter

 

4. What Personal Data We Collect and Process and For What Purpose

 

The types of data we process will vary depending on the specific service, activity, or relationship between you and ClimbLife. Below is an overview of these activities and relationships, along with the types of data processed and the purposes for processing.

 

ClimbLife primarily processes data provided by the data subject in forms displayed within the System. Some of these data are essential for the operation of the services we offer. Specifically, we process the following personal data:

 

A. Registration and Management of Your User Accounts

 

Some of our services are available only if you create a user account in our System or place an order. To ensure effective account management, address your requests, and provide quality services, we must process certain personal data for these purposes, including:

 

• Identification data (first name, last name)

• E-mail

• Phone number

• Gender

 

The user provides the above data voluntarily. You may also fill in additional optional fields, but always ensure that you do not provide any sensitive data or information that you do not wish to be shared.

 

Additional indirect data:

 

• IP address

• Cookies (to offer relevant content for you and facilitate browsing the website)

• Information about browser version and operating system to ensure proper website display

• Usage of location

 

The Controller is not responsible for the accuracy of personal data provided by the user and processed by the System. If the Controller becomes aware of inaccuracies or incompleteness in the data provided by the user, they are obliged to correct, supplement, or delete the data as necessary.

 

B. Information About Our People and Activities

 

To provide transparency on whom you can contact, we publish on the website the data of our staff or partners, including photos, names, phone numbers, emails, and other contact information, with their consent.

 

C. Handling Inquiries and Communication with You

 

You may contact us via phone, email, or a designated form with questions, requests, or suggestions. We will gladly help resolve your queries. For this purpose, we may need to process your contact details and, if necessary, your name for the duration of the resolution process. We will not process your data for email marketing or send you offers without your explicit consent.

 

D. Sending Newsletters

 

If you give us your consent, we may inform you about interesting updates regarding our services through email newsletters. Naturally, you can revoke your consent at any time.

 

5. What Is the Legal Basis for Processing Your Data

For our processing activities to be lawful, there must be a legal basis for each processing operation. The legal grounds for the types of processing listed above, according to Article 6 of the GDPR, are:

 

A. Processing is necessary to fulfill our legal obligations

 

This applies to the processing of data that we, as an employer, must handle regarding our employees, as well as data subject to tax, accounting, or other regulations in connection with invoicing or fulfilling other legal obligations of ClimbLife.

 

B. Processing is necessary for the performance of a contract

This pertains particularly to the processing of data from contracts, data provided during registration in the System, or data involved in the use of the System.

Processing is aligned with our legitimate interests unless your rights override these interests. These legitimate interests include:

 

• The interest in creating and maintaining an online presence for ClimbLife and the System, and in developing and maintaining contacts within our operations

• The interest in ensuring communication with the authorities or officials of legal entities

• The interest in maximizing the usefulness of the System

• The interest in improving and adapting the System and ensuring efficient targeting of services and products while saving resources

 

C. When Consent Is Not Required for Data Processing

 

Personal data may also be processed without your consent for the following purposes:

• Performance of a contract involving services or products offered by us, which the customer or user has actively shown interest in. This applies to all contractual relationships, whether formalized by a written contract, an order-invoice arrangement, or an oral agreement.

• Fulfillment of legal obligations imposed on us by law or generally binding legal regulations.

• Processing within the scope of legitimate interests. This applies if we determine that it is necessary to collect and process personal data for protecting your economic or other serious interests. Legitimate economic interests include monitoring premises with camera systems, tracking individuals’ movements, as well as marketing and business interests (e.g., for direct marketing, ensuring safety, and protection of life). However, this must not result in the undue restriction of the data subjects’ rights.

• Protection of the vital interests of data subjects—this applies in situations where monitoring individuals in a business environment protects their life or health, such as in high-risk operations.

 

If necessary, we will provide you with simple ways to give or withdraw consent for data processing at any time.

 

6. Who Has Access to Your Data

 

The sole recipient of personal data is ClimbLife (its employees and cooperating entities) for the purpose of ensuring and providing services.

 

We do not sell your personal data or provide it to unauthorized third parties without your consent, including for marketing purposes. However, since we cannot manage all types of our activities on our own, we use the services of external providers (which may or may not be online). Providers of these services may have access to your data only to the extent necessary for the provision of the service or to fulfill their obligations.

 

This means that if we need to entrust your data to another entity, it will be done only to the minimum extent necessary to ensure the proper functioning of our organization and will not harm your rights or privacy.

 

Contractual service providers and associated entities include:

 

• Providers of online tools for document management, sharing, and storage, such as Google.

• Providers of online tools for tracking user interaction, such as Smartlook.com and Plausible Analytics (https://plausible.io/).

• External service providers in the fields of accounting, auditing, law, development, programming, and graphic design.

• Cloud infrastructure providers: Cloudflare, Fly.io, Neon.Tech

• Email service providers: SendGrid

• Accounting software: Fakturoid

 

ClimbLife does not transfer your personal data to third countries.

 

7. What Are Your Rights and How You Can Exercise Them

 

To ensure control over your personal data, you may exercise a number of rights with respect to the Controller. We will do our best to meet your requests. The basic list of your rights is provided in Articles 15 to 22 and 34 of the GDPR, including but not limited to:

 

Right of access to personal data (under Article 15 of the GDPR), i.e., the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, if so, the right to access the personal data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly recipients in third countries or international organizations; d) the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request rectification or erasure of personal data, restriction of processing, or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) all available information about the source of the data if not collected from the data subject; h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR, and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

The Controller will provide a copy of the personal data being processed. For any additional copies requested by the data subject, the Controller may charge a reasonable fee based on administrative costs. If the request is submitted electronically, the information will be provided in a commonly used electronic format unless otherwise requested by the data subject.

 

Right to rectification (under Article 16 of the GDPR), i.e., the right to have the Controller rectify any inaccurate personal data concerning you without undue delay. Considering the purposes of the processing, you also have the right to have incomplete personal data completed, including by providing a supplementary statement.

Right to erasure (“right to be forgotten”) (under Article 17 of the GDPR), i.e., you have the right to have the Controller erase personal data concerning you without undue delay, and the Controller is obliged to erase such data under specific conditions.

Right to restriction of processing (under Article 18 of the GDPR), i.e., you have the right to obtain from the Controller the restriction of processing in any of the following cases: a) the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data; b) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; c) the Controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; d) the data subject has objected to processing pending verification of whether the legitimate grounds of the Controller override those of the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the consent of the data subject or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Right to notification (under Article 19 of the GDPR), i.e., the Controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1), and Article 18 of the GDPR to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. The Controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability (under Article 20 of the GDPR), i.e., the data subject has the right to receive the personal data concerning them, which they have provided to a Controller, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another Controller without hindrance from the Controller to whom the personal data have been provided, where: a) the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b); and b) the processing is carried out by automated means. In exercising their right to data portability, the data subject shall have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. The exercise of this right shall not adversely affect the rights and freedoms of others.

Right to object (under Article 21 of the GDPR), i.e., the data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them based on Article 6(1)(e) or (f) of the GDPR, including profiling based on those provisions. The Controller shall no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning them for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise their right to object by automated means using technical specifications.

Right not to be subject to automated decision-making, including profiling (under Article 22 of the GDPR), i.e., the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This does not apply if the decision: a) is necessary for entering into, or the performance of, a contract between the data subject and a Controller; b) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or c) is based on the data subject’s explicit consent.

Right to notification of a personal data breach (under Article 34 of the GDPR), i.e., where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall communicate the personal data breach to the data subject without undue delay. The notification to the data subject shall describe in clear and plain language the nature of the personal data breach and shall at least contain the information referred to in Article 33(3)(b), (c), and (d) of the GDPR. Notification to the data subject shall not be required if any of the following conditions are met: a) the Controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; b) the Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or c) it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Right to lodge a complaint with a supervisory authority (i.e., the Office for Personal Data Protection of the Czech Republic)

Right to withdraw consent if the processing is based on consent

 

Should we intend to process your personal data for a purpose other than that for which the data were collected, we will provide you with information about that other purpose and any relevant further information before doing so.

 

We will do everything we can to assist you in exercising your rights and resolving any questions, requests, or complaints you may have. You can contact us via the Controller, i.e., ClimbLife, preferably by email at gdpr@climblife.eu, or by any other means listed in Article 2 of this policy. Email is the most effective way to handle your requests. In your message, please specify how we can assist you or what we can do for you. Please always send your email from the address you usually use in connection with our services to ensure that your data does not fall into the wrong hands.

 

We would appreciate it if you could first try to resolve the matter with us. Your satisfaction is important to us, and we are happy to help. However, if you are still not satisfied with how your request is handled, you have the right to file a complaint with the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, email: posta@uoou.cz, Data box ID: qkbaa2n.

 

8. Cookies

 

To better tailor our services to your needs, our System (website) uses cookies—small files stored on your device that record data related to your browsing of our pages. In your browser settings, you can manually delete, block, or completely disable the use of cookies. You can also block or allow cookies for specific websites. Please note, however, that changing cookie settings may adversely affect some features of our website, and some pages may behave unpredictably.

 

Cookies, or temporary files stored in your browser, can generally be divided into two types. The first type is stored only temporarily to make the website easier to use. These temporary cookies allow the retention of information when navigating from one webpage to another, eliminating the need to repeatedly enter certain data.

 

The second type of cookies is stored for a longer period (e.g., weeks to months). These cookies help identify your computer during repeated visits to our website. However, they do not allow you to be identified as a specific person.

 

Long-term cookies allow us to better personalize our website and offer you relevant content or advertisements. The collected data is completely anonymous, and we cannot associate it with any other data.

 

9. Data Retention Period

 

ClimbLife processes personal data only for the period necessary for the purpose of its processing, typically for the duration of the provided service and/or for the period required by legal regulations.

 

10. Personal Data Security

 

The Controller has taken appropriate technical and organizational measures, considering the state of the art, economic costs, and the nature and purpose of the processing. The Controller has ensured an adequate level of security for personal data entered into the System and/or transmitted from the System. Risks of accidental or unlawful destruction, loss, alteration, unauthorized access, or other forms of unlawful processing of data have been taken into account.

 

The Controller is committed to maintaining these measures in light of technological developments and eliminating potential future threats to the System.

 

Employees of the Controller and other persons processing personal data based on a contract with the Controller, as well as others who come into contact with personal data as part of fulfilling their rights and obligations, are required to maintain confidentiality about personal data and security measures whose disclosure would jeopardize the security of personal data. The obligation to maintain confidentiality does not apply to information required to be disclosed by law.