Last modified on 01 June 2023
How to contact us
How to contact the supervisory authority
Should you wish to lodge a complaint or if you feel that our company has not addressed your concern in a satisfactory manner, you may contact the Office for Personal Data Protection, contact details here: https://www.uoou.cz/
Personal data processed when using our company website
You can browse through most of our website without giving us any information about yourself.
Personal data categories
For the purposes listed below, we may collect Personal Data, including, but not limited to:
Personal data you give us in the contact form, such as user name, email address, telephone number. For job applications, we also process your CV and cover letter if sent to us. If you subscribe to our newsletters, we will also process your usage data (information about your activity on the website). Your usage data may be used for automated profiling to evaluate your potential interest in our products.
We track the domains from which visitors come to collect statistics on Whalebone’s site traffic for usage and trend analysis.
Whalebone’s website servers use standard log files. These logs include Internet Protocol (IP) addresses, ISP (Internet service provider), type of browser, and page information to administer our website, refine flow and content, and to gather broad demographic information for aggregate usage.
Sources of personal data
Personal data may be submitted by you and/or collected by Whalebone when you use this website and/or log into certain areas of this website. With regard to services we provide to our customers we may obtain the personal data from our customers, resellers and other business partners who provide the services to you.
This Website also automatically collects users’ IP addresses.
Purpose of the processing and legal basis
- Based on your consent
When we create your user account, when you fill in an online form, or when you subscribe to our newsletter, e-book or other informational communication.
If your personal data is processed on the basis of your prior consent to its processing, you may withdraw your consent at any time by sending us a written notice or an e-mail. You can also opt out of receiving our marketing information at any time by using the unsubscribe link provided in every email we send you.
- Based on contract or prospective contract
If you apply for employment, until the application has been considered; after that, based on our legitimate interest, if applicable.
- Based on legal obligation
We may process your personal data when it is required for compliance with accounting, tax, anti-money laundering, legal order, or other obligations to which we are subject.
- Based on legitimate interest
We will use your Personal Data for:
• Product enhancement, research and to provide product improvements, new features and product updates;
• Providing information about possible privacy, security and performance improvements and products that supplement or improve our products and to optimize the format and content of this type of information;
• 3rd-party analytics to improve and evaluate the quality and performance of our products, services and websites and to follow usage trends, and to analyze conversions, campaigns and user acquisitions;
• Enable efficient performance of our business by supporting internal commercial and administrative processes (e.g. controlling, finance, legal compliance, business intelligence, information security etc.);
• Secure our applications and systems; and
• Establish, exercise or defend our legal rights.
Our company will store your personal data in accordance with the time limits stipulated hereunder or until you request deletion under your GDPR rights.
Unless a specific period of time is specified for a particular purpose of processing personal data, we will retain the personal data collected, as long as it is in our legitimate interest (for example, to provide you with the agreed service or to comply with legal requirements).
Our company retains the personal data collected in order to process your request submitted via an online form until the request is processed.
In the case of newsletter subscription, your personal data will be processed from the date of collection until you choose to unsubscribe from the newsletter via the link provided in any email we send you.
In case you apply for employment, we will retain your personal data until the application has been considered and then for a further 6 months if we have informed you that your application has been unsuccessful.
Once we no longer have a legitimate interest to process your personal data or once the processing period has expired, your personal data is anonymized (where allowed by law), deleted or destroyed. If this is not possible (e.g. if the data is stored in backup archives), your personal data will be stored securely and isolated from further processing until it can be deleted.
Our Identity Protection service
Our company offers / provides to its customers (namely telco providers) services consisting of the provision of information about the availability of personal data of their end-customers from leaked databases on the internet and the related collection of statistical data about logins and passwords to various services from leaked databases (the “Service”). This Service includes processing of personal data of data subjects (end-customers).
Purpose of the processing and legal basis
The processing of personal data is carried out for the following purposes:
- the creation and maintenance of a database of logins to various services from leaked databases (which would enable the telco providers to notify end-customers about the availability of their data on the internet); and
- statistics and evidence.
This processing is done on the basis of our Company's legitimate interests as well as of legitimate interests of our customers and of their end-customers in accordance with GDPR. The legitimate interest consists primarily in the protection of persons concerned from security risks (when the Service would allow notification of the persons concerned about leak of their personal data). For the purpose of statistics and evidence, our Company’s legitimate interest consists of the improvement of the security awareness and provision of useful information to the relevant community.
We have balanced your interests against our interests for the above-mentioned processing operations. You have the right to object to those processing operations on grounds relating to our particular situation. For additional details, please see the section Your data protection rights below.
Personal data categories and sources
Most of the personal data our company processes is obtained from leaked databases.
Within this activity, the following personal data are processed: logins and passwords, and other personal data contained in the analyzed leaked databases, except for sensitive data.
Passwords to various services from leaked databases will only be retained for a maximum period of 4 weeks.
The remaining personal data (i.e. logins) will be retained for the entire duration of the processing.
Who may have access to personal data
For the specific purpose, we engage external providers who may have access to or process your personal data (the personal data processors). We use the services of the following categories of personal data recipients:
- service providers related to our IT, operation and communication services
- admin and development providers of the websites, providers performing analysis and improvements of our websites
- external ATS system provider
- career portals (if you chose to respond to our job opening)
We take full responsibility in relation to the relevant data protection legislation and ensuring that your personal data is equally protected in case it is processed by an external provider contracted by us.
In certain circumstances, we share and/or are obliged to share your personal data with state authorities to comply with authorities' proceedings.
Your personal data will never be forwarded, sold or traded with other companies, organizations or individuals without your consent.
Protection of personal data
Your data will be protected by technical and organizational measures and processes to fulfill legal security requirements and guard against unauthorized access and disclosure. Some information will be hashed and managed in encrypted form. We are certified. The information on the current certifications may be found here.
Your data protection rights
You have the following rights regarding the processing of your Personal Data:
Right to be informed
You can request information about the processing of your personal data.
Right to access
You may request a copy of your personal data.
Right to rectification
You may request that we correct any inaccuracy or complete incomplete personal data.
Right to data portability
You have the right to receive personal data processed for the purpose of conclusion and performance of a contract or personal data which you have provided and is being processed on the basis of consent, in machine-readable format. This right applies only to personal data which is processed by automated means.
Right to erasure (“right to be forgotten”)
In specific cases stipulated by law, you have the right to request deletion of your personal data, e.g., if there is no legally recognized title for further processing of your personal data on our part (incl. protection of Whalebone’s legitimate interests and rights).
Right to object
Applies to cases of processing carried out based on our legitimate interest. You have the possibility to object to such processing, in relation to your particular situation, and we are required to assess the processing to ensure compliance with applicable regulations and legally binding rules. In case of direct marketing, we shall cease processing Personal Data for such purposes after the objection.
Right to restrict processing
As an alternative to your right of erasure, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.