These Personal Data Processing Principles (hereinafter the “Principles”) govern the processing of personal data when using the website http://digitoo.ai/ (hereinafter the “Website”) and our other services (hereinafter the “Services”) by their users (hereinafter the “User” or “You”).
The owner and operator of the Website and the controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter the “GDPR”) is Digitoo s.r.o., with its registered office at Pernerova 697/35, Karlín, 186 00 Prague, Company ID No.: 08494584, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 319199 (hereinafter the “Controller” or “we”).
Please read how we collect, process and protect your personal data (meaning any information relating to a directly or indirectly identified or identifiable natural person) when you use our Website or Services. This document also contains information about your rights.
The Controller’s contact details are as follows: a) mailing address: Pernerova 697/35, 186 00, Prague 8–Karlín; b) contact email: [email protected].
The Controller has not appointed a Data Protection Officer.
Terms and Purpose of Personal Data Processing
The Controller processes only personal data provided directly by the User. The User declares that all personal data provided to the Controller are true, accurate, current, correct and complete. The Controller assumes no obligation to verify this information. If you provide any information that is false, inaccurate, outdated or incomplete, or if we have reasonable grounds to suspect that such information is false, inaccurate, outdated, or incomplete, we reserve the right to suspend or terminate our cooperation and refuse any and all current or future use of the Services (or any part thereof).
The Controller collects and processes primarily the following categories of personal data:
- Identification and contact data (e.g., first name, last name, phone number, email);
- Billing and payment data (e.g., bank account number, invoiced amounts);
- Contractual documentation (e.g., contracts concluded with suppliers);
- Technical data (e.g., customers’ IP addresses, application login records, roles and permissions).
The processing of personal data by the Controller is lawful because at least one of the following conditions is always fulfilled:
- The User has given consent to the processing of their personal data under Article 6(1)(a) GDPR for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the User is a party or in order to take steps at the request of the User prior to entering into a contract under Article 6(1)(b) GDPR;
- Processing is necessary for compliance with a legal obligation to which the Controller is subject; or
- Processing is necessary for the purposes of the legitimate interests pursued by the Controller under Article 6(1)(f) GDPR.
The Controller processes Users’ personal data for the following purposes:
- Provision of Services and fulfillment of contractual obligations: For the purpose of providing Services and fulfilling contractual obligations, the Controller may process personal data provided by the User or provided in the future through use of the Website or Services. This processing is necessary for the performance of a contract between the User, as the data subject, and the Controller;
- Sending newsletters, commercial communications and email campaigns (hereinafter “commercial communications”): If the User explicitly subscribes to commercial communications or creates a user account on the Website or in the Controller’s application, the Controller may send commercial communications to the email address provided by the User, in accordance with Section 7 of Act No. 480/2004 Coll. The User may unsubscribe from commercial communications at any time. Processing for this purpose is also necessary for the legitimate interests of the Controller;
- Protection of the Controller’s rights: The Controller may process personal data necessary for asserting potential claims and for protecting its rights. Such processing constitutes the Controller’s legitimate interest.
The Controller will process personal data only for the purposes for which it was collected, unless the Controller reasonably determines that it needs to use it for another purpose compatible with the original purpose. If the Controller needs to use personal data for another purpose, it will notify the User and explain the legal basis enabling such use.
If the User does not provide the required personal data, the Services cannot be provided.
Retention of Personal Data
The Controller retains personal data for the purpose of providing Services and fulfilling contractual obligations for the duration of the User’s use of the Services.
Personal data processed for sending commercial communications will be retained until the User unsubscribes from commercial communications.
Personal data processed for the protection of the Controller’s rights will be retained for as long as the legitimate interest persists.
Personal data are therefore retained only for the period necessary to exercise rights and obligations arising from legal relationships between the Controller and the User or until consent is withdrawn (if withdrawal entails the obligation to delete such data). After this period, the data will be deleted.
The Controller may transfer Users’ personal data to processors (subcontractors providing marketing and other support services), always in accordance with the above purposes. All necessary measures are taken to ensure secure handling in compliance with these Principles and the GDPR. An up-to-date list of processors is available upon request. Processors are obligated to adopt appropriate security measures and may not use personal data for their own purposes.
We process and store your personal data only as long as necessary for the above purposes or to comply with legal requirements. After this period, your personal data will be deleted or anonymized. If processing is based on legitimate interest, it will continue as long as that interest persists. You may object to such processing at any time.
The Controller has implemented various measures to protect personal data. Details are available upon request.
Data Processing within the Service
As part of the Services, the Controller provides software for the automated processing of accounting documents. The User is fully responsible for the content of the documents uploaded to the system.
If the User uploads accounting documents containing personal data into the system, they are obliged to ensure that such data are anonymized. If anonymization is not possible or would prevent the proper use of the Services, the User must inform the Controller of this fact before uploading such accounting documents to the system.
In cases where data are used for training the Controller’s software, they are anonymized and used exclusively for the purpose of improving the Controller’s services.
User Rights as a Data Subject
Based on the rules set out in the GDPR, the User has in particular the right to:
- Access their personal data. This right allows the User to obtain a copy of the personal data processed by the Controller and to verify the lawfulness of such processing;
- Rectification of personal data or restriction of processing. This right allows the User to correct incomplete or inaccurate information held by the Controller or to request the suspension of processing, for example if the Controller is required to verify the accuracy of the data or the legal grounds for processing;
- Erasure of personal data. This right allows the User to request the deletion or removal of personal data where there is no reason for the Controller to continue processing it. Users also have the right to request deletion if they have objected to the processing (see below);
- Object to the processing of personal data in cases where the Controller relies on its legitimate interest (or the legitimate interest of a third party) as the legal basis. Users also have the right to object where their personal data are processed for direct marketing purposes;
- Data portability, i.e., the right to transfer their personal data to another person;
- Withdraw consent to the processing of personal data. In limited cases where the processing of personal data is based on the User’s consent for a specific purpose, the User has the right to withdraw that consent at any time. To withdraw consent, please contact [email protected]. Once the Controller receives notice of withdrawal, it will no longer process the relevant data for the purpose for which consent was originally given, unless the Controller is legally entitled to do so;
- Lodge a complaint with the Office for Personal Data Protection if the User believes that their right to personal data protection or related legal regulations have been violated.
To exercise any of these rights, the User may contact the Controller using the contact details provided above. The Controller will advise and assist Users in exercising their rights. You also have the right to lodge a complaint with the supervisory authority, the Office for Personal Data Protection of the Czech Republic. More information is available at https://uoou.gov.cz/.
Users are generally not required to pay any fee for access to their personal data or for exercising any other rights. However, the Controller may charge a reasonable fee if a request is manifestly unfounded or excessive. Under such circumstances, the Controller may also refuse to comply with the request.
Personal Data Security Conditions
The Controller declares that only persons authorized by it have access to the User’s personal data.
We are committed to storing your data securely. Therefore, we have implemented appropriate physical, technical and organizational measures and plans to protect and safeguard the data we have obtained from you (this does not relieve you of your responsibility to take appropriate steps to secure your data, especially when transmitting data). The aim is to prevent unauthorized or unlawful processing of your personal data, as well as accidental, unauthorized or unlawful disclosure, use, transfer, processing, copying, alteration, loss or damage of your data. Despite all efforts to comply with the rules set out in applicable legal regulations, it is not possible to guarantee the security of your data if it is transmitted in an unsecured manner.
If we have given you (or you have chosen) a password that enables access to certain parts of the Website, you are responsible for keeping this password confidential. We ask that you do not share this password with anyone.
Cookies
When using the Website and, where applicable, our other Services, small identification files called cookies may be stored on your computer (by the Controller or, with its consent, by a third party). These files allow us to collect certain information from your device, which helps us improve the functioning of the Website and our Services.
The Controller does not use any of these identification files to identify Users as individuals.
The User may disable the storage of cookies or delete cookies that have already been stored on their computer through the settings of their web browser.
If the User has enabled the storage of cookies in their web browser and visits the Website, they thereby consent to the use of cookies in accordance with these Principles.
To the extent that cookies constitute personal data, their processing is governed by the rules on personal data protection set out in these Principles.
Final Provisions
By checking the consent box via the online form and/or by actively using the Website or the Services, the User confirms that they have read these Principles and fully accept them.
These Principles are governed by the laws of the Czech Republic. Any related legal disputes between the Controller and the User shall be decided by the competent general courts of the Czech Republic.
If necessary, the Controller is entitled to unilaterally amend these Principles. The Controller will notify Users of any changes at least 30 days before they become effective, either by displaying a notice on the Website and/or by sending a notification to the User’s email address.
These Principles become effective on February 22, 2026.