Effective as of 1 July 2021

General Principles 

We are committed to transparent and secure data processing. As a company incorporated in the European Union, we are committed to processing any personal data in line with EU privacy standards and laws. In this privacy notice we provide you with information about what personal data we process and for what purposes, what your rights are and where you can contact us in case you have any questions or concerns about your personal data processing. We only process personal data where we have your consent or where we are entitled to do so based on other legitimate reasons, in particular where (a) processing is necessary for the performance of the Service and to enable us to contract with you in connection with provision of the Service; (b) processing is necessary for compliance with a legal obligation to which we are subject; (c) processing is necessary for the purposes of the legitimate interests pursued by us as the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of you as the data subject and which require protection of personal data, in particular where the data subject is a child.

We do not process any special categories of personal data, i.e. we do not process any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

If you are not at least 16 years old, please seek the advice of your parents or another adult who is the holder of parental responsibility before you start using the Wallet or any of the Services.

Definitions and Interpretations

Unless a capitalized term used in this Privacy Policy is defined below, you will find the interpretation of the term in our Terms of Services.

Provider or we or BudgetBakers means company BudgetBakers s.r.o. (contact information provided in Contacts section at www.budgetbakers.com), incorporated under the laws of the Czech Republic, with its registered office Radlická 180/50, Smíchov, 150 00 Praha 5, Czech Republic, company ID: 02882957, registered in the company register kept by the Municipal Court in Prague folio C 224352.

BudgetBakers is an AISP (Account Information Service Provider) within the meaning of section 41 of Czech Act No. 370/2017 Coll., on Payment Systems, as amended, authorized by the national competent authority, the Czech National Bank (the “CNB”), ID 48136450, with registered office Na příkopě 864/28, Praha 1 – Nové Město, Czech Republic (www.cnb.cz), to provide payment account information service.

Service means a set of features which allow users to track and analyze their financial situation or any other service provided by BudgetBakers (as the case may be). Services may be different for users of different platforms – Android, iOS and web and can also be divided into Free Features and Premium Features. Provider has the right to add or limit scope of services at any time. For further information visit our Terms of Services.

User or you means a person who uses the Wallet, Services, other applications, websites or reads Content created or made available by Provider.

Wallet means a program (application) Wallet which was created by the Provider to record the Users’ income and expenses as well as other financial or nonfinancial records or content by User’s choice. Wallet is available for devices running on Android and iOS systems as a mobile app and as a desktop internet platform available at the Website. The purpose of Wallet is to track the expenses and incomes of the User. Through Wallet you may grant the Provider a consent to require information about your payment account from a third party, which maintains your payment account. 

App means a specialized program (application) used by the User, including the Wallet and third party applications such as the Woolsocks app.

App Store means an app store platform allowing users to browse and download apps including the Wallet, e.g. Apple Store, Google Play, HUAWEI AppGallery.

Website means a connected group of pages available at www.budgetbakers.com on the World Wide Web, regarded as a single entity with certain Content maintained by Provider.

Premium features mean an additional set of services which bring certain value for certain Users and are accessible during a trial period or via an in-app purchase. This set of features is not definite, as the Provider can add or remove Premium features.

Sharing means to grant specific Users access to online Content in Wallet or Website. This is done via Premium feature called Group sharing where User can invite and select Users by his or her choice to give them access and roles to view, manage or admin Content in Wallet.

Bank Connections means an automated algorithm created by Provider, which is used by User, with permission given to BudgetBakers by User, to access information from various types of bank accounts held by User in order to read data from this bank account and display them in an App and only to the User, unless he authorized in the Wallet that other persons see it via the Sharing functionality. Wallet only displays information from bank accounts; Wallet is not designed, and therefore not able, to change, modify or send any information in User’s bank account.

Content means something that is to be expressed in the Wallet, Website or other media, as speech, writing, film, clip, video or any of various arts. Content can be created by Provider or by User.

Personal information or personal data means in general any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Third party means an organization with which Provider cooperates (and which, as the case may be, can provide certain parts of Service or operate an application used by a User).

Cookies means a small amount of data, which often includes an anonymous unique identifier, that is sent to your browser from a website’s computers and stored on your computer’s hard drive.

Web beacons means images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing site usage and activity.

Offer means any unspecified marketing activity which can be displayed to User.

Law means the laws of the Czech Republic or directly applicable Regulations of the European Union. 

What information do we process about you and how is it collected?

We process identification personal data that you provide to us when you create an account and fill in forms during the registration process. To register into the Wallet, you are required to create your username by providing us with your email which allows us to identify the registered User of our Wallet. You also need to create a password which protects your data inside the app. After login, you can update your personal information and add name, surname, date of birth and sex. This information helps us to provide you with our Services, including customer support and system alert notifications. Providing the name, surname, date of birth and sex is voluntary and you can use an alias as your name and surname.

When you choose to log into the Wallet using your Google or Facebook account, we will receive some of your Google account information or Facebook account information to the extent corresponding to your Google/Facebook privacy settings. We receive from those services your email, name and surname.

Where you wish to obtain a Premium feature of our App, the payment service providers will collect information necessary in order to process the payment for our Services. We do not process information about your credit or debit card, as the payment is processed via the respective App Store. We identify you in our system via your respective App Store ID, which is a digital code. We do not obtain your identity information that you provided to the respective App Store.

When you use the Wallet, we collect details as to how you use our Wallet in order to provide you with the Service. Those data are collected by analytical tools – Mixpanel, Fabric or Google Analytics.

When you use the Wallet and you grant us permission to do so, we can:

The above permissions are opt-in and you can always change your setting in your mobile device in Settings – Apps – Permissions section.

When you use an App to track your finances, your transaction data are stored on our servers including income, expenses, categories, amounts, currency, labels, account type, date, time and other details provided by the User.

What we use your personal data for

Your data may be used for providing services you request in relation to your use of Wallet or other Services provided by BudgetBakers, and for sending communications or contacting you with relevant information regarding our services or with Offers. We use your data for statistical and marketing analysis, system testing, maintenance and development or in order to deal with your request or claim through our customer service channel. We also use your data to provide information we believe is of interest to you, such as advice on financial behavior or special offers from our partners.

We may use analytics technology to create reports and analysis of your preferences (geodata, purchase preferences, planned spending), which will enable us to provide you with better Service and make you personalized Offers. We use Google Analytics, Facebook Analytics, Mixpanel and Fabric analytic services to be able to address more relevant messages to you based on your behavior.

If you use an App provided by BudgetBakers, we may from time to time send a push notification or in-app message directly to your Wallet, or an email, commercial communication. You may turn off such communication within the Wallet or by unsubscribing from this service following instructions at the end of each of such email communication.

If you subscribe to our newsletter service, you authorize us to send you commercial communication to your e-mail or push notification or in-app message directly to your app, with third parties’ Offer of goods and services tailored to your interests until you turn off such communication within the Wallet or by unsubscribing from such communication following instructions at the end of each of such email communication.

We do not share these aggregate data with any third party, unless it is anonymized or pseudonymized (e.g. by using only your Apple ID code or Google ID code, which does not allow third parties to identify you), or unless you request us to share the data and provide us with consent to such sharing.

Recipients of your personal data

We may be required by law to grant access to personal data about you that we process for the purpose of investigating criminal activities and violations of the law, to judicial or other government agencies in particular law enforcement authorities subject to warrants, subpoenas or other governmental orders.

Your data may also be shared with third party social media providers – when you are registered with your social service account. Please refer to the privacy policy of these social media providers to find out more about your account settings.

To provide you some Services such as Bank connection, we share your personal data with trusted 3rd parties or banks. Subject to your request and explicit consent with sharing of data, we may also share your data with an operator of a third party App. 

Furthermore, we share your data with different data processors in our daily processing, i.e. our suppliers, mainly delivery companies, IT suppliers, hosting and marketing services providers, providers of statistical and database software tools, and also with other entities which provide services to us. In addition to data processors, we also transmit your personal data to third parties, who are not bound by our instructions. These are, for example, our consultants, lawyers or tax consultants who receive your data from us on the basis of a contract and process your personal data for legal reasons or to protect our own interests.

Because we use different data processors and other service providers and change them from time to time, it is not appropriate to identify specific recipients of personal data. However, if you are interested, we will disclose the name of the processor(s) in use at that time upon your request.

Bank Connection Users specific information

This section applies whenever you as a user request that BudgetBakers provide you with account information service (AIS) as defined in respective payment regulations, in particular, but not limited to, the PSD2 and all laws or regulations in force from time to time in BudgetBakers’s jurisdiction giving effect to PSD2, regardless of via what App you have requested BudgetBakers to provide you with the AIS, i.e. Wallet or other third party Apps (e.g. Woolsocks operated by Woolsocks AG). Please note that other provisions of this Privacy Policy also apply, only, however, to the feasible extent.

If you request BudgetBakers to provide you with the account information services, you agree to be bound by our Terms of Services and any Third party applicable licence or service terms (as the case may be and as will be notified to you). All your Personal Information provided in connection with or accessed during your participation in the Bank Connection feature will be processed only in order to provide you with the account information service. Your Account Information and all other personal data accessed through the Bank Connection feature is transmitted through secured protocols in an encrypted mode and is temporarily stored on our servers. This information is temporarily cached in a way that it is not readable by BudgetBakers. 

The AIS is provided by BudgetBakers based on your consent. Your consent will expire in 90 days and then you will be requested to re-create it in the same way that you originally gave consent.

You can withdraw such consent anytime by the following actions:

Please note that the withdrawal or expiration of your AIS consent does not affect the actions of BudgetBakers prior to the withdrawal or expiration. 

Data Retention

We will maintain the personal information as long as you actively use your account in the Wallet. We will inactivate any account and delete any and all information entered by you into our system, if you have not logged into the Wallet for longer than 24 months. We will also delete any data you provided us while using the Wallet if you request us to do so (for details see below Right to erasure). For technological reasons your account will be deleted from our servers within 1 month following your request. In the case of the company termination or discontinuation of service, your data will be permanently deleted.

Consent

If you granted us your consent to process your personal data, you can withdraw your consent any time without affecting the lawfulness of processing based on consent before its withdrawal by removing your consent inside Wallet – Settings – Personal data & privacy section or by unsubscribing from this service following instructions at the end of each of such email communication. 

Cookies

What are cookies used for? Cookies help identify application users and web site re-occurring visitors, they remember users’ custom preferences, help user complete tasks without having to re‑enter information when browsing from one page to another or when visiting the site later. Cookies can also be used to track user preferences when web browsing for online behavioral target advertising and to show adverts relevant to something that the user searched for in the past.

What type of cookies do we use? In order to provide you with a better service, we use cookies when you visit our website www.budgetbakers.com or when you use our Wallet. We use different sets of cookies. We use the term “cookies” to refer to pieces of information that are sent to your browser and stored on your computer or device to store and sometimes track information about your preferences in order to deliver behavioral advertising. System cookies enable us to provide you with services you have specifically asked for and are essential in order to enable you to move around the Website and application and use their features, such as cookies used to identify a user once he or she has logged in. Without these cookies some services you have asked for cannot be provided to you. Apart from those, we use cookies and third-party cookies that help us track your browsing history in order to serve you with behavioral advertising. We will only use these cookies if you grant us explicit consent on our website www.budgetbakers.com. You can disable or refuse some or all cookies, or delete the already set up cookies in the web browser you use. The cookies we use can be divided into the following:

session cookie which is erased when you close the browser, it exists only in temporary memory of your device while you navigate the website;

persistent cookie which remains on the user’s computer/device for a pre-defined period of time, these remain in operation, even when you have closed the browser, they remember your login details and password so you don’t have to type them in every time you use the site; and

third-party cookies these are installed by third parties with the aim of collecting certain information to carry out various research into behavior, demographics etc.

Persistent cookies and third-party cookies are deleted automatically if you are inactive and do not visit our website or use our application for more than 6 months. You can also delete these cookies if you change your preferences.

Web beacons are images (single-pixel gifs) embedded in a web page or email for the purpose of measuring and analyzing site usage and activity. Web beacons or similar technologies help us better manage content on our Services by informing us what content is effective, count users of the Services, monitor how users navigate the Services, count how many e-mails that we send were actually opened or count how many particular articles or links were actually viewed. We do not tie the information gathered by web beacons to our users’ Personal Information.

You can learn more about cookies at www.allaboutcookies.org, which includes additional useful information on cookies and how to block cookies using different types of browsers. Please note, however, that blocking or deleting cookies used on the Website or the application may affect the availability and functionality of the Website and provision of service to you via our application.

Security policy

We follow strict security procedures in the storage and disclosure of your personal data. To comply with highest technical standards and to certify our internal procedures we are certified to ISO 27001 standard and our systems are regularly tested according to full OWASP methodology.

We require all 3rd parties to have appropriate technical standards in place to protect your personal data where we share your personal information with 3rd parties who act as personal data processors for BudgetBakers as personal data controller. 

Where do we store your data?

We may process your personal data on third party servers, with whom we concluded a data processing agreement according to the standards of the EU laws, securing your data privacy and safety. We do not process personal data of EU Users outside the EU, i.e. we do not transfer personal data for the purposes of their data processing outside the EU. You may obtain the information about which data processors we use and where we store personal data by contacting our customer support at [email protected].

Physical Security

Provider uses Microsoft Azure servers and Linode datacentre. These data processors, which we use for storing your personal data have implemented the following data securing measures:

Biometric scanning for controlled data center access, Security camera monitoring at all data center locations, 24×7 onsite staff provides additional protection against unauthorized entry, Unmarked facilities to help maintain low profile, Physical security audited by an independent firm.

Data protection

We employ 2 different database systems. One for user profile storage, the second for individual user data. Both databases are accessed through the secure SSL protocol.

Communications

All private data exchanged with Provider is always transmitted over SSL. We are not transferring your data outside the EU.

Contact

You can contact Provider at the email address: [email protected] or via the contact form on the Website https://budgetbakers.com. If you request any information regarding personal data protection or if you would like to claim any of your rights, please contact our Data Protection Officer at [email protected]. Our DPO will respond to your queries within 24 hours during a normal business day.

Your Rights related to personal data processing

Right of access to your data

You have the right to request that we provide you with a confirmation as to whether or not we process your personal data and, where that is the case, grant you access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from us rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from you, any available information as to their source; (h) the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you. If your data were transferred to a third country or to an international organization outside the European Union, you have the right to be informed of the appropriate safeguards relating to the transfer. If you request so, we shall provide you with a copy of your personal data we are processing. For any further copies requested by you, we may charge a reasonable fee based on administrative costs. If you made the request by electronic means, and unless otherwise requested by you, the information shall be provided to you in a commonly used electronic form. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Right to rectification

You have the right to obtain from us without undue delay rectification of any inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure

You have the right to request that we erase your personal data without undue delay, if (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) we process your personal data on the basis of your consent and you withdraw your consent, and where there is no other legal ground for the processing; (c) you raise your objection on individual automated decision-making and there are no overriding legitimate grounds for the processing, or you objected to processing of your personal data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing; (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in European Union or law to which we are subject; (f) the personal data have been collected in relation to the offer of information society services referred to a child younger than 16 years. This does not apply to the extent that processing is necessary: (a) for compliance with a legal obligation which requires processing by European Union or law to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or (b) for the establishment, exercise or defense of legal claims.

Data Deletion Policy

You have the right to request that your Personal Information be deleted from our primary production servers. You own your data. Anytime you want your data removed from our system, you can request us to delete your account from our production servers. As a result, your data will be excised permanently from our production servers and further access to your account will be impossible. Additionally, any connection we had established to your Account Information will be disconnected. However, for purposes of ensuring continued ability to serve you in case of malfunction or damage to our production servers, we retain backups of portions of your data derived from your Account Information on our production servers. Your aggregated data is stored in these servers indefinitely. We reserve the right to use any aggregated or anonymous data derived from or incorporating your Personal Information.

You are responsible for maintaining the accuracy of the information you submit to us, such as your contact information provided as part of account registration. If your Personal Information changes, or if you no longer want to use our Services, you may correct or delete inaccuracies, or amend information by making the change at any time via the Service. However, in some instances we cannot delete all information we hold about you.

Right to restriction of processing

You have the right to request that we restrict processing where one of the following applies: (a) the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data; (b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; (c) we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; (d) you objected to processing for the purpose of individual automated decision-making and there is pending the verification whether the legitimate grounds of us as the data controller override those of you as the data subject. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. You have the right to be informed by us before the restriction of processing is lifted.

Right to data portability

You have the right to receive the personal data concerning you, which were provided to us while registering into our system or while using our application, in a structured, commonly used and machine-readable format and you have the right to transmit those data to another service provider without hindrance, where: (a) the processing is based on your consent or on a contract; and (b) the processing is carried out by automated means. We will provide you these data in .csv, .xls or .pdf format by e-mail, which we use when using our system. You can request that we transmit the data directly to the other service provider, where it is technically feasible. Your exercise of the data portability right does not mean that you cancel using our services or that you withdraw your consent that we further process your personal data. This shall not affect the services we have been providing you prior to such request. We may reject your request for data portability if it shall adversely affect the rights and freedoms of others.

Right to object and automated individual decision-making

We carry out profiling only for direct marketing purposes. We do not analyze any personal data provided by you or which we collected about you while using our Wallet for any automated decision-making process, nor do we provide such tools or information to any third party. In case we process your personal data for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. We as the data controller shall no longer process your personal data for this purpose unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims. You can change your consent by removing your consent inside the Wallet – Settings – Personal data & privacy section.

You, as the data subject, shall have the right not to be subject to a decision based solely on automated processing, including profiling[1], which produces legal effects concerning you or similarly significantly affecting you, unless you granted us your explicit consent.

Complaints

If you find or believe that your personal data is being processed in violation of your privacy or law, especially if personal data are inaccurate with regard to the purpose of processing, you may ask at [email protected] for explanation and demand that the resulting condition be removed. In particular, it may be blocking, repairing, supplementing or disposing of personal data. We will grant the request if we find that the objection is justified. If as a result of the processing of personal data you had suffered other than property damage, you would be entitled to remedies according to the Czech Civil Code. If, in the processing of personal data, there occurred any breaches of the obligations imposed by law on the controller or the data processor, these are jointly and severally liable for them. By law, in the case of a request for blocking, correcting, supplementing or disposing of personal data, we will inform other recipients, if there were any, and if it is possible and it would not require disproportionate efforts.

In case you are concerned about your data processing, and you have not obtained satisfactory information from us, you can file a complaint to the data protection office at www.uoou.cz. This is without prejudice to your other rights to file petitions to the court and seek civil law remedies.

Miscellaneous

The relationship between us in respect of your data protection is regulated by the laws of the Czech Republic and directly applicable Regulations of the European Union. We may need to change the information contained in this Privacy Policy from time to time. We advise you to check our Privacy Policy regularly for the latest version. We will notify you about significant changes in the way we treat personal information by sending an email notice or by placing a prominent notice on our Website.

[1] Profiling means automated processing of personal data for the purpose of evaluation of certain personal aspects relating to a natural person, in particular to analyse or predict the person's behaviour such as purchase preferences, economic situation, health, interests, location or movement.