§ 1 Definitions (Article 4 GDPR)
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).
“Processing” means any operation or set of operations performed on personal data, such as collecting, recording, organizing, storing, altering, retrieving, using, disclosing, or deleting.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
§ 2 Data Controller (Article 24 GDPR)
Fleksa is the data controller for the processing of personal data when providing our services to our customers (the “Customer”) and their customers.
§ 3 Legal Basis for Processing (Article 6 GDPR)
We process personal data on the following legal bases:
a) Consent: If the Data Subject has given consent to the processing of their personal data for one or more specific purposes (Article 6(1)(a) GDPR).
b) Contract: If the processing is necessary for the performance of a contract to which the Data Subject is a party, or to take steps at the request of the Data Subject before entering into a contract (Article 6(1)(b) GDPR).
c) Legal Obligation: If the processing is necessary for compliance with a legal obligation to which the Controller is subject (Article 6(1)(c) GDPR).
d) Legitimate Interest: If the processing is necessary for the purposes of the legitimate interests pursued by the Controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject (Article 6(1)(f) GDPR).
§ 4 Personal Data We Collect (Article 13 GDPR)
We collect the following types of personal data from our customers and their customers:
a) Contact Information: Name, address, email address, and phone number.
b) Account Information: Login credentials, account preferences, and order history.
c) Payment Information: Credit card details, bank account details, and other payment-related information.
d) Usage Information: IP address, device information, browser information, and details about how our services are used.
e) Communication Information: Information shared through correspondence, feedback, or inquiries.
f) Customer Data: Information provided by the Customer about their customers, such as names, contact details, and order history.
§ 5 How We Use Personal Data (Article 6 GDPR)
We use personal data for the following purposes:
a) To provide our services to our customers and their customers (Article 6(1)(b) GDPR).
b) To process and manage orders, reservations, payments, and customer loyalty programs (Article 6(1)(b) GDPR).
c) To communicate with our customers and their customers, including sending updates, promotions, and customer service messages (Article 6(1)(a) and 6(1)(f) GDPR).
d) To improve and personalize our services (Article 6(1)(f) GDPR).
e) To comply with legal and regulatory requirements (Article 6(1)(c) GDPR).
f) To protect our rights and interests and the rights and interests of our customers and their customers (Article 6(1)(f) GDPR).
§ 6 Data Sharing and Disclosure (Article 13 GDPR)
We may share personal data with the following categories of recipients:
a) Service Providers: Third parties who provide services on our behalf, such as payment processing, data storage, analytics, and customer support (Article 28 GDPR).
b) Affiliates: Our subsidiaries and other companies within our corporate group (Article 6(1)(f) GDPR).
c) Business Partners: Third parties with whom we collaborate to provide our services or who provide complementary services to our customers and their customers (Article 6(1)(f) GDPR).
d) Legal and Regulatory Authorities: Public authorities, agencies, or other bodies to comply with legal obligations or to protect our rights, the rights of our customers, or the rights of their customers (Article 6(1)(c) and 6(1)(f) GDPR).
e) Business Transfers: In the event of a merger, acquisition, or sale of assets, we may disclose personal data to the acquiring entity, subject to applicable data protection laws (Article 6(1)(f) GDPR).
§ 7 Data Retention (Article 5(1)(e) GDPR)
We retain personal data for as long as necessary to fulfill the purposes for which it was collected, or as required by law or contractual obligations. After this period, we will delete or anonymize personal data in accordance with applicable laws.
§ 8 Data Security (Article 32 GDPR)
We take appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. However, no method of transmission or storage is completely secure, and we cannot guarantee the absolute security of personal data.
§ 9 Data Subject Rights (Articles 15-21 GDPR)
Data Subjects have the following rights under applicable data protection laws:
a) Access: To request access to their personal data and information about its processing (Article 15 GDPR).
b) Rectification: To request the correction of inaccurate or incomplete personal data (Article 16 GDPR).
c) Erasure: To request the deletion of personal data, subject to certain conditions (Article 17 GDPR).
d) Restriction: To request the restriction of the processing of personal data, subject to certain conditions (Article 18 GDPR).
e) Data Portability: To receive a copy of their personal data in a structured, commonly used, and machine-readable format, and to request the transmission of this data to another controller (Article 20 GDPR).
f) Objection: To object to the processing of personal data, subject to certain conditions (Article 21 GDPR).
g) Withdraw Consent: To withdraw consent to the processing of personal data, where consent is the legal basis for processing (Article 7(3) GDPR).
§ 10 International Data Transfers (Chapter V GDPR)
We may transfer personal data to countries outside of the Data Subject’s country of residence, including to the United States, Germany, and India, in accordance with applicable data protection laws. We will take appropriate measures to ensure the protection of personal data during such transfers.
§ 11 Third-Party Websites and Services (Article 13 GDPR)
§ 13 Contact Information (Article 13 GDPR)
In addition to the GDPR, we also comply with applicable local data protection laws and regulations in the countries where we operate. We encourage our customers and their customers to be aware of their rights and obligations under the relevant data protection laws in their respective jurisdictions.