Privacy Policy
This policy details the Company's practice regarding the placement, use and administration of "cookies" used by the domain www.yolobook.com (hereinafter referred to, generically, as the Website or Site) and the YoloBook application (hereinafter referred to as the App), being intended to inform users about this subject.
By using the Website and the App, you acknowledge that you have become aware of and agree to this Privacy and Data Protection Policy, and also to the Cookie Policy and also the Terms and Conditions published on the Site.
- Identification of the data controller
Name: YOLOAPP TECHNOLOGY d.o.o. (hereinafter the Company or YT)
Headquarters: Croatia, Osijek, Ivana Frana Gundulića str.,no. 5/II
Registration no.: 030205217
OIB: 02246359736
Email: support@yolobook.com
- Contact details in the field of personal data protection
YT collects information from the App users/Site visitors, in the following ways: directly from the user/visitor, from the traffic reports recorded by the servers hosting the Site and the App, as well as through cookies.
Information provided directly by the user/visitor:
- When the App user/Site visitor fills in the fields in the "Contact" box, he/she indicates: name and e-mail address (all being personal data which shall be processed after pushing the “Send” button).
This information is required by YT in order to be able to respond to requests sent by that visitor/user.
Other personal data could be processed by the Company if included in the information / request sent by the visitor/user. YT did not request the respective data, but insofar as they are absolutely necessary in order to be able to respond to those transmitted by the visitor/user through the "Contact" box, the processing of personal data shall be performed at the request of the App user/visitor of the Site.
Filling in the gaps in the "Contact" section, is not obligatory neither for viewing the content of the Site, nor for purchasing the YT products. Moreover, all this information can be transmitted to the Company in another way (for example, the submission of written requests to the Company's headquarters).
- When a person creates a user account in the App, in order to be able to order YT products, he/she must indicate an e-mail address and a personal password for this account (all of which are personal data processed after clicking the "Login" button).
Creating a user account is necessary in order to place a definitive order and subsequently track the delivery status.
- When the user fills in the order fields existing in the App, he/she must indicate: name, surname, telephone number in order for the courier to be able to contact the buyer, domicile address for the invoicing and the delivery address if it is not identical with the domicile address in order to know where the delivery should be made (all being personal data which shall be processed after clicking the "Order-Check" button).
- When a person expresses his/her consent for the use of his/her e-mail address and telephone number for marketing purposes by YT, namely for receiving information about new products, ongoing promotions, organized events and so on (personal data shall be processed after the user ticks the box corresponding to his/her consent from Registration form, the end of the Order form or Contact form).
Also, the Company confirms that none of the personal data indicated above, shall be used for purposes other than those expressly indicated without observing the legal provisions.
Information obtained from the traffic reports recorded by server:
When a website is accessed or an app is used, visitors/users automatically disclose certain information, such as the IP address, the time of the visit, the place where the website/app was accessed. YT, like other companies, registers this information.
Information obtained through cookie:
All details on how data is processed in this context, are indicated in the Cookie Policy available on the Website and the App.
The contact details that the visitor of the Site/users of the App can use to transmit any requests, notifications or claims regarding this Privacy and Data Protection Policy, as well as in the Terms and Conditions and the Cookie Policy, as well as any other information published on the Site or the App, policies or operations performed by the Company, are indicated at point 1 above.
The deadline for the Company to send a response is no more than 30 days from the receipt of the request.
- Data subject
Given that the Company processes personal data of visitors/users, they hold the status of Data Person and declare that they are over 18 years old.
If the information / requests transmitted by the visitors/users, or the photographs sent in order to receive the YT products, also concern personal data relating to other persons (those persons hence acquiring the status of data subject), the Company shall process their data strictly in order to be able to respond to that information / request and it does not undertake any liability additional to the one provided herein, in the Terms and Conditions or in the applicable law.
- Processed personal data
Any information regarding an identified or identifiable natural person, respectively the data subject, can be considered as personal data.
Considering the processing purposes indicated herein, the Company tries to reduce as much as possible the personal data processed.
Thus, according to the Cookie Policy, the data subject shall be able to choose the types of cookies (applicable where their use is not automatically made for the functioning of the Site and the App) by checking a box, in order to ensure a more complete and better experience when browsing the Site/the App.
For the transmission of answers to the requests / notifications sent by users using the "Contact" box, to create and send the products ordered by the App users and also to send marketing messages, the Company processes the following personal data:
- Data of the visitor/user:
- Through the Contact form: the user's first name, as well as his/her e-mail address
- When creating the user account for the App: e-mail address and password (the password is not known by YT, but if a user forgets it and requests it, the Company can ask the company that provides the hosting of the Site and the App, to recover it)
- By the Order form: the name and surname of the user-buyer, the telephone number, the domicile address and the delivery address of the products if it does not coincide with that of the domicile
- By express consent of the user offered by checking the corresponding box for data processing in marketing purposes, indicated at the end of the Contact form or the Order form: the e-mail address and telephone number
- The IP of the visitor/user
Depending on the cookie settings, other data can be processed (especially those related to user/visitor preferences and behaviour on the Site and the App).
- Data of other persons than the visitor/user:
Depending on the content of messages transmitted by the visitors/users through the "Contact" and / or "Order" form, other data could be processed if indicated, although they were not requested.
Also, if in the photos submitted by the user for the creation of personalized YT products, there are personal data regarding third parties, the Company shall process those personal data by default. Thus, although the creation of the products is done by automatic means and do not usually involve the access of YT employees, the data processing takes place if the employees view the photos to find out whether they have an adequate content or not, when packing the products, but also keeping them in the Company's records and storage until the deadlines indicated at point 10 of this policy.
In relation to such third person data, the Company undertakes to comply with the legislation on protection of personal data, without however undertaking to obtain a consent from a third party in this regard. The user who transmitted those information / photos is the one who assumes full responsibility in this regard and declares that those third persons have agreed with the processing carried out by YT, being fully informed in this regard.
- Processing of personal data
It represents the processing of personal data, any operation or set of operations performed on personal data or on personal data sets, with or without the use of automated means.
The Company accesses, collects, uses and performs any other actions allowed by the applicable law on the personal data provided by visitors, within the limits indicated at point 4 above and 6 below.
- Purpose
The visitor of the Website is the person who accesses this page, and the user is the person that has created a user account for the App and can become a buyer when placing a firm order confirmed by YT, persons whose data are processed for different purposes – namely:
- For the personal data provided directly by the visitor/user:
- providing answers, clarifications and remediation of problematic situations, related to the requests and notifications sent by the user through the "Contact" section;
- creating the user account in the App needed for generating the desired personalized product, placing the order, invoicing by YT, delivering the product by YT through its subcontractors, replacing and repairing the product, and tracking the status of the product delivery;
- transmission of information for marketing purposes;
- ensuring compliance with this Privacy and Data Protection Policy, the Terms and Conditions and the Cookie Policy, as well as the applicable legal provisions for the protection of the rights, property or security of the Site/the App.
- For the personal data provided by the traffic reports recorded by server:
- identification of the sections of interest of the Site/the App
- safer administration of the computer system
- For the personal data provided by the use of cookies:
- functioning and smooth operation of the Site (needed cookie)
- depending on the settings chosen by the visitor/user, additional personal data can be used for obtaining statistical information that allows to improve the offered services, saving preferences, advertising etc. All details regarding this type of data processing can be found in the Cookie Policy.
If the Company intends to subsequently process the personal data for a purpose other than those indicated above, it shall provide the Data Subject prior to such further processing, additional relevant information regarding the secondary purpose, by completing the necessary formalities according to the law.
- Recipients of the processing
The personal data shall be provided to:
- the statutory representatives and employees of the Company that deal with the administration of the Website/App and who are involved in the activities regarding which the visitor/user sends questions / notifications through the "Contact" section – name, surname and e-mail address of the visitor/user as well as any other data provided by him/her through the message sent, shall be processed;
- the associates of the Company and the employees who are involved in the process of packing and delivery of products, as well as invoicing – shall process all personal data indicated in the Order form;
- the support service providers contracted by the Company in order to fulfil its contractual or legal obligations, such as:
- the company Yolo Technology DOO Beograd-STARI GRAD, having its headquarters in Blvd. of Mihailo Pupin 115, 11070 Belgrade, Serbia, with registration number 21343498, website www.yolobook.rs (company briefly called Yolo Technology DOO) - shall process the images contained in the photos submitted by users to create YT products, and delivеry data provided by user when placing the order in order to create address label. Thus, the Company shall send Yolo Technology DOO the photos received from the user for the creation of the product, and the type of product desired by him/her, and this company shall create the album in material form, the picture boxes and the photo frames, and send them afterwards to YT for verification and transmission to the user who ordered the respective products;
- the courier company that shall deliver the products from YT to the buyer - shall process the name, surname, telephone number and delivery address of the ordered products;
- the IT company - can access all the data recorded in the Company's online records, including those of the users/visitors and the photos they sent;
- the accounting firm - shall process the name, surname and home address indicated in the invoices, as well as any other banking data (if payment / refund of the price shall be made in this way);
- the payment service company - payment processing services enable YT to process payments by credit or debit card. To ensure greater security, YT shares only the information necessary to execute the transaction with the financial intermediaries handling the transaction. Some of these services may also enable the sending of timed messages to the user, such as e-mails containing invoices or notifications concerning the payment;
- the lawyers of the Company - can access all data recorded in the Company's records, including those of the users, in case of legal issues that require their involvement;
- advertising, PR and communication companies for the marketing activity. These companies may collect anonymous data through cookies or through the registration forms for the event or feedback, and to the extent that this happens, YT shall provide this information to the data subjects in advance and obtain their consent where needed;
- public authorities (including the labour and consumer authorities);
- courts of law.
The list of suppliers listed above is not exhaustive, but it does indicate the main such collaborating companies. They shall have the capacity of independent data controller, joint data controller or data processor in relation to the Company – depending on the factual situation and the contract’s clauses. However, regardless of the quality held, they are obliged to maintain the confidentiality and security of the personal data of the data subject, adopting appropriate technical and organizational measures. All YT collaborators located outside the European Union territory have concluded agreements with YT containing standard contractual clauses recommended by the European Commission (respectively in the case of YT and Yolo Technology DOO Serbia, the clauses recommended by the European Commission Decision of 5 February 2010 regarding data transfer to processors established in third countries). Upon request, the main clauses of those contracts can be communicated to the data subject.
- Legal ground for processing
- Art. 6 letter a GDPR – the processing is carried out based on the consent of the visitor/user -> applicable situation when the processing of the data is done in the context of the cookies accepted by the visitor/user and which are not necessary for the functioning of the Website/the App, as well as when personal data of the visitor/user are processed for marketing purposes;
- Art. 6 letter b GDPR – processing is necessary for the performance of a contract to which the user is party or in order to take steps at the request of the user prior to entering into a contract -> situation applicable when the data processing is done in the context of filling in personal data in the "Contact" or "Order" section, as well as in the context of creating the user account for the App, delivering, repairing and replacing the products (or other accessory activities to the one of product creation for that user);
- Art. 6 letter c GDPR - processing is necessary for compliance with a legal obligation to which the Company is subject –> situation applicable in the context of data processing in relation to the competent authorities or legal service providers such as the one ensuring the invoicing;
- Art. 6 letter f GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject –> situation applicable in the context of data processing for the normal functioning and administration of the Site and the App.
- Type of processing
Data processing activities performed by the Company, mainly refer to:
- collecting the data indicated by the visitor/user in the "Contact" form;
- collecting the data indicated by the user when creating the user account for the App and/or in the "Order" form;
- use of data for providing feedback and answers to the messages transmitted by the visitor/user;
- use of data for the conclusion and execution of the contract;
- use of data for the purpose of each category of cookies chosen by the visitor/user;
- collecting other unsolicited data if provided by the data subject (user) in a communication, request or complaint addressed to the Company, so that it can respond and solve the request or remedy the incident;
- collecting unsolicited data provided by the data subject through the photographs transmitted for the creation of YT products, or through the messages sent using the Contact section;
- sending the photos and delivery data received from the user through a confirmed order, to Yolo Technology DOO for their printing and creation of photo albums, boxes and photo frames, and address labels;
- storing personal data according to the law and within the limits necessary to achieve the purpose, in the electronic and secure database held by the Company;
- allowing access to personal data to certain employee and external collaborator who provide support services for YT, whose activity involves the processing of personal data under the condition of undertaking the obligation of confidentiality and standard contractual clauses recommended by the European Commission (for the collaborators located in countries outside the EU);
- allowing access to personal data to the competent authorities, insofar as the law obliges.
- Processing and storing of data duration
The storage period of the personal data collected, is:
- until the withdrawal of the consent or the exercise of the right to data erasure (right to be forgotten) of the visitor/user - for the processing of personal data based on the consent of the data subject;
- for 3 (three) years after receiving the message from the "Contact" field – for processing of the data provided by a message sent using the Contact form. Data are kept for 3 (three) years in order to be able to demonstrate the measures taken by the Company in consideration of the request/question received, taking into account the duration of the general limitation period for the right to action before the courts regulated by the law;
- for the data contained in the photographs sent to YT for the creation of the products – for 30 (thirty) days from the moment the YT confirmed receving buyer’s order. The data are kept for 30 (thirty) days considering delivery period and the period of 8 (eight) days from the receipt, in which the users can notify YT about any defects of the products - as indicated in the Terms and Conditions. The YT products themselves shall be stored up to 2 (two) months from the moment when YT receives back the product after the package could not be delivered to the address indicated by the user because of reasons independent of YT and the courier company, considering that for 7 (seven) days from the date of delivery the user who ordered the product may request its reshipment with payment of the related price, and considering the dynamics of collaboration between YT and it’s collaborator regarding destruction services. If this second delivery is again unsuccessful for reasons independent of the Company, YT shall initiate the process of cancelation and destroying the respective product - as indicated in the Terms and Conditions;
- a longer period than the abovementioned, when the law regulates in such manner or when there is a well-justified ground for this action (for example, to exercise a right before the court in a litigation started before the expiry of the storage period indicated herein).
Upon expiry of the aforementioned periods, all data shall be deleted from the Company's records.
- Rights of the data subject
- The right to be informed
The internal regulations and policies of the Company are always available to the data subject, being posted on the Site and the App. See in this regard the present policy, the Cookie Policy and the Terms and Conditions.
The Company reserves the right to modify / update the content of the Site and the App, including the policies to which references are made, at its sole discretion, at any time and for any reason (including but not limited to the occurrence of legislative or jurisprudential changes that may affect the consequences to those published on the Site and/or the App). The revision of this policy in the future shall be signalled by modifying the "Last updated" date at the top of this document. After the date the updated policy is published, accessing the Site and the App shall represent the visitor's/user's acceptance of these updated conditions.
However, if there shall be significant changes that could affect the rights and freedoms of the visitors/users or if it shall become obligatory to obtain their consent, informing them about these changes shall be made by easily visible indications posted on the Site or the App (pop-ups) or by transmitting e-mails to the addresses provided (if applicable). Such significant changes shall have effects for visitors/users within 7 days from the time of the posting the pop-up in question or of sending the email (how the information shall be made being decided by the Company, by on a case by case basis).
However, regardless of the extent of the change, the responsibility to check the content of the Site and the App, in order to be up to date with the latest versions, shall be entirely the responsibility of the visitor/user. Thus, STUDY OF THIS PRIVACY AND DATA PROTECTION, OF THE TERMS AND CONDITIONS AND THE COOKIE POLICY, SHOULD BE MADE BY VISITORS/USERS WHENEVER THEY ACCESS THE SITE/THE APP AND BEFORE MAKING ANY REGISTRATION OR PROVIDING ANY DATA, WHEREAS CHANGES CAN APPEAR.
Upon request, the data subject shall be informed about the essence of the contracts concluded with the abovementioned recipients of personal data where possible, and also of the data source.
- The right of access the personal data processed
If the data subject wishes to receive information regarding the processing of data performed by YT, he/she can send a request to the Company, and a response shall be provided within 30 days as of reception.
- The right to data rectification
If the data subject wishes to rectify / amend the inaccurate / incomplete personal data concerning him or her as provided to YT, he / she can send a request to the Company, and a response shall be provided within 30 days as of reception.
The exceptional cases provided in art. 17 paragraph 3 of the European Regulation no. 679/2016 are applicable.
Some data are part of the Company's records, which it keeps in relation to its legal obligations or its legitimate interest. Therefore, not all data can be erased, according to the law. However, any refusal to delete the data shall be motivated by the Company and shall be based on a clear legal basis.
- The right to restriction of processing and the right to object
The restriction of processing can be applied if the data subject finds out that:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
The Company may continue processing the restricted personal data if it is necessary to establish, exercise or defend a right in court, or protect / defend a person but only with the consent of the data subject.
The Company shall communicate to the recipients that a rectification, deletion or restriction of the personal data took place, unless it is impossible or it involves disproportionate efforts.
- The right to data portability
The data subject or a third party indicated by him / her, can receive on request, the personal data processed by the Company. YT assumes no responsibility for the data processing performed by that third party.
The obligation to ensure the right to portability is the responsibility of the Company only if the processing of the personal data is based on the consent of the data subject or on the conclusion and execution of the contract. The actions shall be taken within 30 days from the receipt of the request.
- The right to object
The data subject shall have the right to object, on grounds relating to his / her particular situation, at any time to processing of personal data based on the legitimate interest of the Company (including profiling).
Regardless to the above, if YT demonstrates well justified legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims, the processing of data can continue.
- The right to submit a claim
The data subject may submit:
- a request / a claim using the contact data of the Company, as indicated at art. 1 above;
- an action before the competent court;
- a complaint before his/her national competent data protection authority.
However, the Company wishes any conflict / dispute to be resolved amicably and provides all availability in this regard.
- The right to withdraw the consent given
The data subject may withdraw his / her consent at any time, without however affecting the legality of the processing before the withdrawal nor the one based on another legal grounds.
- The right to not be subject to an automated decision
The Company does not take any decision based solely on automatic processing of personal data.
- Main obligations of the data subject
- Confidentiality
The data subject has the obligation to keep the confidentiality of all personal data with which he / she comes into contact in relation to the Company, for an unlimited period of time.
- Complying with the data security measures
The data subject shall not process any confidential data or personal data of third parties, unless it is absolutely necessary, confidentiality is ensured and the specific legislation is fully complied with.
In case of breach of the obligations indicated in this art. 12 by the data subject, the Company shall be entitled to obtain from him / her compensation for all the damages suffered.
- Obligations of the Company. Security measures applicable to the processed personal data
The Company complied with the provisions of the data protection legislation and has implemented appropriate technical and organizational measures to ensure the security of the processed personal data and the rights of the data subjects. Thus, the Company has implemented measures such as:
- the conclusion of contracts with collaborators which have undertook the obligation of confidentiality in relation to the personal data processed, as well as the general obligation to comply with the applicable legislation in the field of personal data protection;
- the conclusion of contracts with collaborators outside the territory of the European Union which contain the standard contractual clauses recommended by the European Union;
- training the employees and collaborators on the importance of personal data protection, as well as limiting their access to data according to their attributions and competences;
- establishing internal procedures having the purpose of protecting personal data;
- indicating specially contact data which can be used for questions/claims regarding personal data (ie. the one indicated in art. 1 of the present policy);
- indicating the Unsubscribe button at the end of each message sent for marketing purposes or in the App;
- implementing information security measures;
- not installing structures that allow access to the Site only if a user account is created – this condition to have a user account applies only for installing the App and placing an order;
- not installing cookies in addition to those necessary for the functioning of the Site/the App and offering the visitors/users at all times the possibility to choose the additional cookies accepted.
Also, the Company shall inform the competent data protection authority in the event of a breach concerning data security, without undue delay and, if possible, within 72 hours from the moment it became aware of it, unless it is unlikely to create a risk for the rights and freedoms of individuals. If the notification to the authority shall not be made within the 72 hours, it shall be accompanied by a justified explanation for the delay.
In the event of an incident concerning the security of personal data, YT shall also inform the data subject without undue delay, if the breach of the security of personal data is likely to generate a high risk for his / her rights and freedoms. However, informing the aforementioned data subject is not necessary if any of the following conditions is met:
- the Company has implemented adequate technical and organizational protection measures, and these measures have been applied in the case of the personal data affected by the security breach;
- the Company has taken further measures to ensure that the high risk for the rights and freedoms of the data subjects is no longer likely to occur;
- would require a disproportionate effort. In this situation, a public notification shall be conducted instead or a similar measure shall be taken, so that the data subjects are informed in an equally effective manner.
Any statistics regarding the traffic of the visitors/users on the Site/the App, which YT shall provide to third party advertising networks or to other sites, shall have a data set form and shall not include any identifiable information about any individual visitor/user.
Unfortunately, no data transmission through the internet can be guaranteed to be 100% secure. Consequently, despite YT's efforts to protect visitors' and users' personal data, it cannot guarantee or ensure the security of information transmitted by them through the Site or the App. The visitors and users are therefore warned that any information sent through the online environment shall be done at their own risk.
- Liability of the Company
The Company's liability in relation to the data subject shall be established in relation to the quality held in the respective data processing operation, the reason and place of the incident, the security measures taken, the measures took to avoid incidents and the observance of the other legal obligations.
- Transfer of personal data to third countries / international organizations
The Company transfers personal data contained in the photos sent by the user, outside of Croatia, more specifically in Serbia, to its collaborator Yolo Technology DOO.
This Serbian company shall deal with the printing of images, the creation of personalized boxes and frames, and creation of address labels. After completing its activity related to those photos, Yolo Technology DOO shall permanently delete them from its database. Also, the Serbian company has contractually undertook to ensure the complete confidentiality of the data, and to implement the security measures recommended by the European Commission through the standard contractual clauses proposed.
- Final provisions
This policy applies to the Company, to the Site visitors and to the App users.
This document is part of the Company's set of security policies. Other policies can apply to the topics addressed herein and can be reviewed according to specific needs.