Personal Data Protection Policy

1. Introduction

Thank you for choosing to use the services of the crowdfunding platform (hereinafter referred to as the “Platform”) operated by occollo s.r.o., Company ID: 073 32 084, with its registered office at Dlouhá 730/35, Old Town, 110 00 Prague 1, a company registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 299210 (hereinafter referred to as the “Operator”).

Our Platform aims to enable fast and transparent investment in specific development products (Loan Project). To operate the Platform effectively, we process your personal data, but only to the extent necessary and with a high level of security. Personal data is processed in two modes: first, under the rules for processing personal data, the acceptance of which is a condition for creating a user account on the Platform, and second, under the consent to the processing of personal data, which the Platform user (data subject) provides voluntarily and can revoke at any time.

In accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the rules for processing personal data are as follows:

2. Content of the Policy

2.1. What information we process

2.2. The sources from which this information originates

2.3. The purposes for which we process the information

2.4. Who may process your data

2.5. How long we retain personal data

2.6. The method of data processing

2.7. Your legal rights regarding the processing of personal data

3. What Information We Process

3.1. Basic identification data: Name, surname, birth number, date of birth, address, nationality. For legal entities, data listed in the Commercial Register, or basic data about the representative of the legal entity.

3.2. Login and registration data: Password, username, copy of an identity document (to the extent required by law), or other login elements.

3.3. Contact details: Postal address, phone number, email, social media identifiers, IP address, or identification of the user’s communication device.

3.4. Bank details: Account numbers used to identify you and match detected payments to your person.

3.5. Information about Platform usage: To monitor and improve the Platform’s functionalities, we use information about which pages, applications, or products you use on the Platform.

3.6. Interactions with Platform users: To ensure continuity of communication with you, we record information about contacts made between you and us. This includes, in particular, data such as the date (and possibly time) of the contact, its reason, and whether you initiated the contact or we did. This applies to contacts via all channels – phone, SMS, chat, mail, email, or in-person meetings with the Operator.

3.7. Data about the Loan Project: If you use the Platform as a Borrower, we process the information you provide about the Loan Project. This data is used for verification and cross-checking of information we continuously receive from you about the Loan Project. This also includes information used for the classification of Loan Projects.

3.8. Data processed to fulfill our legal obligations: This includes data we are primarily required to collect, evaluate, and retain for a specified period due to our legal obligations. Examples include archiving obligations under laws regulating our business, obtaining and evaluating data to meet obligations for preventing money laundering, and other legal requirements. Examples of such data include: sources and origin of income, capital connections, nationality, place of residence, business activities, political affiliations, etc. With your marketing consent, this data may also be processed for marketing purposes.

3.9. Data processed for our legitimate interests: Typically, this includes data used to ensure the secure use of our products and services, assess trustworthiness and solvency, and prevent and evaluate potential fraudulent activities. With your consent, this data may also be processed for marketing purposes.

4. Sources of the Information

4.1. Data processed within the Platform is obtained solely from the Platform’s operations or directly from Platform users.

5. Purposes of Processing Information

5.1. Fulfilling our legal obligations (e.g., the obligation to identify Platform users).

5.2. Fulfilling our commitments to you within the Platform.

5.3. Improving the efficiency of the Platform’s operations.

5.4. Communicating with you, responding to your inquiries, informing you about your selected Loan Project, and communicating with technical support.

5.5. Maintaining records and cataloging users.

5.6. Conducting tests and checks required by legislation (e.g., measures against money laundering and terrorist financing) or contractually.

5.7. Filling out contract proposals, forms, and similar documents within or outside the Platform environment, or any necessary use of personal data for the Operator’s intermediary activities.

5.8. Facilitating interactions between the Lender and the Borrower, including the mutual transfer of individual personal data between these parties.

5.9. Ensuring operational and commercial communication of the Platform with individual users, including sending informational messages and commercial communications, exclusively in accordance with Act No. 480/2004 Coll., on certain information society services, as amended.

5.10. The user in the role of Lender acknowledges that their personal data may be shared with the Borrower to the appropriate extent. The user in the role of Borrower acknowledges that their personal data may be disclosed to an unspecified group of persons to the appropriate extent.

6. Who May Process Your Data

6.1. The data controller is the Operator, i.e., occollo s.r.o. Data protection regulations allow the controller to delegate the processing of personal data to a processor. A processor is any user who processes personal data based on a specific law, authorization, or mandate from the controller.

7. Functional and Analytical Cookies

7.1. A cookie is a short text file that a visited website sends to the browser. Functional and analytical cookies enable the basic functionality of the page; the Platform cannot function without them. Cookies are used, for example, to store your safe search settings, facilitate the registration of new services, and protect your data. The user’s identity cannot be determined based on this information, even when combined with other information we process about you. Cookies are not dangerous and are not used to obtain sensitive personal data.

7.2. Third-party cookies are processed and managed by these third parties, and we do not have access to read them. Such third parties are:

7.2.1. Google Ireland Limited, with its registered office at Gordon House, Barrow Street, D4 Dublin, Ireland

7.2.2. Seznam.cz, a.s., with its registered office at Radlická 3294/10, 150 00 Prague 5

7.2.3. Facebook Ireland Limited, with its registered office at 4 Grand Canal Square, D2 Dublin, Ireland

7.3. Common internet browsers allow you to disable cookies in their settings. Refer to your browser’s help section and follow the instructions provided. If you allow cookies in your browser, we assume you consent to the use of cookies on our websites. Note that disabling cookies may significantly reduce the comfort of our services.

8. How Long We Retain Personal Data

8.1. We process your (personal) data for the duration of your use of the Platform and for a maximum of 36 subsequent months. The use of the Platform also includes the duration of any loan relationship established or to be established with you through the Platform. If we no longer need your personal data for our legitimate interests, we will delete it without undue delay after you cease using the Platform.

8.2. Your (personal) data may still be processed after the above period or after the expiration of your consent to personal data processing, but only if there is another legal basis for processing and only to the extent required by that legal basis. Such legal bases include fulfilling legal obligations (especially tax and accounting obligations) and processing necessary for the legitimate interests of the Operator or third parties (e.g., processing for the duration of the user’s right to assert claims against the Operator).

9. Method of Data Processing

9.1. Data processed about Platform users is processed only for the necessary duration and to the necessary extent. Typically, only two individuals on the controller’s side (i.e., the Operator) and two on the processor’s side have access to the data. Personal data is technically protected against unauthorized data leaks.

9.2. The hosting server is located in a data center in a securely locked rack cabinet. Only designated individuals have access to the data center and the rack cabinet itself. Access to the server database is via authentication, i.e., username and encrypted password. External access to the database server is restricted by user permissions and the server’s firewall – the network port is open only to designated IP addresses. File access is possible via FTP and SSH with authentication, i.e., username and encrypted password. Access to the FTP and SSH server is protected against dictionary attacks and by a firewall. For the SSH server, the network port is open only to designated IP addresses. The network itself is also protected by a professional Fortinet hardware firewall, which filters DDoS attacks. The internal network is protected via VLAN. Server data is backed up daily to a separate disk array, with backup rotation every 7 days. The server’s data disk operates in multi-RAID mode. Network devices and the physical server’s power supply are also redundant. The hosting server runs in a Cloud system in HA Cluster mode. The entire application is secured using the HTTPS protocol. Passwords in the database are encrypted. The application verifies access and permissions for individual actions not only at the request level but also directly before executing the action. The application uses techniques to prevent SQL injections. Your data is stored on secure data storage within the European Union.

9.3. Personal data will be processed both manually and automatically to the extent provided. The Platform Operator is obliged to protect personal data in a manner equal to or better than required by legal regulations. Users’ personal data will be securely stored in electronic or paper form. If any of your data is stored in paper form, which will be an exception, it will be kept in a safe, with access limited to the Operator’s director and possibly one person designated by the director. Personal data stored in paper form will be stored and processed under conditions similar to electronic data. The inspection and shredding of paper data carriers will occur twice a year.

9.4. To protect users and the Platform, the Operator is entitled to monitor and evaluate user activity on the Platform using any technical means.

10. Your Legal Rights Regarding Personal Data Processing

10.1. Access to personal data: Access to personal data refers to the user’s right, upon active request, to obtain information (confirmation) from the controller about whether their personal data is being processed, and if so, the user has the right to obtain this personal data and related information.

10.2. Right to rectification of personal data: The user has the right to have their personal data corrected.

10.3. Right to erasure: The controller (Operator) is obliged to delete personal data if at least one of the following conditions is met:

10.3.1. personal data is no longer needed for the purposes for which it was collected or otherwise processed,

10.3.2. the user revokes consent (if consent was required for processing), and there is no other legal basis for processing,

10.3.3. the user objects to processing, and there are no overriding legitimate grounds for processing,

10.3.4. personal data was processed unlawfully,

10.3.5. personal data must be erased to fulfill a legal obligation,

10.3.6. personal data was collected in connection with the offer of information society services under Article 8(1) of the GDPR.

The right to erasure is not an absolute right that allows the user to request deletion of personal data at any time or in any situation.

10.4. Right to data portability: The essence of the right to data portability is the user’s ability, under certain conditions, to obtain personal data concerning them that they provided to the controller and to transfer this data to another controller.

10.5. Right to object to personal data processing: The user has the right, based on their specific situation, to object to the processing of personal data at any time. The controller will cease processing personal data unless it demonstrates compelling legitimate grounds for processing that override the user’s interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Users have the right to contact the Office for Personal Data Protection (www.uoou.cz) with a suggestion or complaint if the controller or processor does not comply with a request to remedy a defective state; however, you may also contact this office directly at any time.

10.6. Right not to be subject to any decision based solely on automated decision-making: This right ensures that the user is not subject to a decision based solely on automated processing, except in possible exceptions. A situation where the user formally does not meet the Platform’s requirements is not considered automated decision-making.

11. Final Provisions

11.1. The above principles are effective from 09 April 2019.