PRIVACY POLICY

The company TUITO s.r.o., IČO: 09731989, with its registered office at Thunovská 183/18, Malá Strana, 118 00 Prague 6, entered in the Commercial Register kept by the Municipal Court in Prague under file no. C 341391 (hereinafter also "Company") pays great attention to the protection of your personal data, in accordance with the obligations arising from applicable legislation. As a personal data controller, the Company processes personal data of natural persons (hereinafter also "Entities"), in accordance with Regulation (EU) No. 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing of Directive 95/46/EC (hereinafter also “GDPR”) and Act No. 110/2019 Coll., regarding the processing of personal data (hereinafter also the “Act”). The company also acts as a processor due to its role as an independent intermediary (see also "Information on the insurance intermediary"). In such a case, the company processes your personal data as a processor for the relevant partner insurance company, in activities involving the actual conclusion of the insurance contract or subsequent assistance with the administration of this insurance, or claims settlementfor this insurance company.

Introductory provisions

The Company provides its services exclusively online through its website and acts as an independent intermediary in the role of insurance broker and mediates the insurance products of partner insurance companies (see also "Information on the insurance intermediary"). The services mainly include online conclusion of insurance contracts with end customers for selected goods at cooperating e-shops, both on the website and in their physical stores (if any) through the Company's client portal, conclusion of e-commerce insurance contracts for cooperating e-shops, concluding insurance contracts for travel and accommodation cancellation via online reservations of online travel agents, as well as processing of reports and liquidation of insurance claims, analysis and sales and marketing support of merchants, hotel platforms, hotels and other accommodation facilities.

Personal data means any information about an identified or identifiable natural person. Processing of personal data within the meaning of Article 4 (2) of the GDPR means any operation or set of operations involving personal data or sets of personal data which is carried out with or without automated procedures such as the collection, recording, organization, structuring, storage, adaptation or modification, search, view, use, make available by transmission, disseminate or any other type of make accessible, align or combine, restrict, delete or destroy. The Company mainly processes personal data of website visitors and end customers of merchants, hotels and other accommodation facilities who have concluded an insurance contract with the Company. For some products, for which it is necessary in terms of their properties, the processing of data may also apply to other persons (e.g. passengers in the case of travel and accommodation cancellation insurance). Another important group are people who will be entitled to compensation from insurance. The purpose of this policy is to provide summary information about how, to what extent, for what purpose and for how long the Company processes personal data. The purpose of this policy is also to inform you about your rights in connection with the processing of personal data. These policies are regularly updated and always available in their current version on the Company's website.

Contact information

In matters of personal data protection or related matters, do not hesitate to contact the Company at the following contacts:

• Registered office address of the Company for written communication: TUITO s.r.o., Thunovská 183/18, Malá Strana, 118 00 Praha 6
• Email address for sending an email message: info@tuito.cz
• Telephone number +420 234 280 795

Categories and sources of processed personal data

The personal data that the Company processes are, in principle, the necessary information needed to offer and provide services, i.e. the ability to conclude and fulfil insurance contracts. These are data that are contained in the contracts and related documentation, or that the Company has obtained for this purpose in the form of electronic or oral communication.

The company usually processes the following categories of data:

• Identification data used for unambiguous and unmistakable identification (name, surname, title)
• Contact details (telephone number, e-mail address and contact address)
• Data related to insurance services (identification of the subject of insurance)
• Data related to the investigation of claims, including data on other persons (typically this is information related to criminal or administrative proceedings related to the claim, etc.)
• Data from communication between the Entity and the Company, including telephone communication and data on behaviour on the website, see also "Cookies"
• Transactions (premium payments, claims payments)
• Data from publicly available sources.

The company obtains the personal data:

• Directly from the Entities at the time of concluding the insurance contract, during the term of the insurance (e.g. when changing the contract or settling a claim) through insurance contracts and other related documentation, telephone, e-mail and other communications.
• From other persons with the consent of the Entity or it is necessary for the fulfilment of obligations under the contract (e.g. from the police, medical professionals, witnesses) or if so provided by legal regulations (e.g. information obtained from the Czech Insurers' Bureau)
• From public information sources (e.g. commercial register, trade register, etc.)
• From publicly available sources, especially from social networks and own activities, mainly through internal analyses of personal data from the above sources
• Passive acquisition of personal data, e.g. IP address, browser type, etc., see also "Cookies".

Purposes of personal data processing

The Company processes personal data primarily for the purpose of processing on the basis of an insurance contract and further on the basis of a legal title of legitimate interest:

• Processing on the basis of an insurance contract - these include, in particular, the offer to negotiate, change or terminate insurance, the collection and calculation of premiums, the settlement of insurance claims and the payment of benefits from insurance contracts. This includes processing carried out before the conclusion of the contract for the reasons set out above, including in the event that the contract is not finally concluded. The provision of personal data is voluntary, however, without the processing of some of them (e.g. name, surname and contact e-mail) the Company's services cannot be provided.
• Improving the quality of services provided - the Company's goal is to continuously improve the services provided and customer satisfaction, and the Company also uses the processing of personal data, such as e-mail communication or telephone conversations can be used in internal customer care training.
• Marketing communication – targeted e-mail messages, SMS, newsletters and possibly direct telephone contact with offers of our products and services. Furthermore, marketing research, analysis, satisfaction surveys, internal reporting on the effectiveness of marketing campaigns, etc.
• Fraud prevention - The Company may use selected personal information to prevent fraud. The Company continuously monitors how its services are used and strives to ensure the maximum level of personal data protection, in particular in order to be able to detect and prevent fraud and to ensure the security of the use of its services and websites.
• Retention and archiving of certain documents - as an independent intermediary, the Company is obliged to ensure the preservation of all documentation prepared in connection with the mediation of insurance products in order to be able to prove the exercise of professional care.
• Possibility to prove fulfilment of legal and contractual obligations and to defend the Company's rights in case of dissatisfaction with its services - for example complaints, judicial or out-of-court dispute resolution, enforcement of liability law, etc., especially in defence against legal claims against the Company or for the possibility of asserting legal claims by the Company against the Entities.

Automated decision making

In automated individual decision-making, personal data is processed with the help of software without human intervention on the basis of a predefined algorithm, e.g. when automatically concluding an insurance contract. In many cases, however, human operations also enter into automated processing, which means that the processing of personal data does not take place exclusively automatically. For these reasons, the Company has taken appropriate organizational and security measures to protect all personal data processed from any accidental loss, destruction, misuse, damage and unauthorized or illegal access. Employees and data processors of the Company who participate in the processing of personal data are bound by confidentiality.

Duration of personal data processing

Personal data are stored for the time strictly necessary for the exercise of rights and obligations arising from the concluded contractual relations and further for the period arising from legal regulations. Due to sectoral regulation, the Company processes individual insurance contracts that it has mediated for the period of their validity and for a further 10 years from their termination. In the absence of an agreement, the Company retains related records for the next two years from the last communication. If the purpose of the processing ceases to exist or if the Company no longer has any legal reason to process personal data, the Company's personal data will be deleted.

Recipients of personal data

The Company in the role of data controller processes personal data itself, or through the so-called processors, which are in particular:

• Partner insurance companies with which the Company cooperates for the purposes of mediation and conclusion of the insurance contract
• Other insurance companies or associations of insurance companies for the purpose of preventing and detecting insurance fraud and other illegal acts in accordance with the Insurance Act; reinsurers and reinsurance brokers
• Clients and partners of the Company cooperating in the provision of services, e.g. merchants (e-shops), online travel agents, etc., with whom the Company has concluded an appropriate agreement on the processing of personal data
• Suppliers of external services, such as accounting, auditing, consulting and legal services, as well as IT services with which the Company has a relevant agreement on the processing of personal data
• With the expressed consent of the Entities, personal data may be provided to other parties as appropriate

The processing of personal data for the above purposes takes place exclusively in the EU. The company will not transfer personal data to a third country (to a country outside the EU) or to an international organization.

Rights related to data processing

In connection with the processing of personal data, rights against the Company may be exercised through contact details (see above). If the Company is able to comply with the request, it shall notify about the response and the measures taken without undue delay, at the latest within one month of receipt of the request. However, if the request is manifestly unjustified, unwarranted or disproportionate, the Company may refuse to comply with the request within one month of receiving the request. All communications and actions related to requests related to the processing of personal data are provided free of charge.

You may object to the Company's conduct with the Data Protection Officer. If the objection is not resolved in time, you can defend yourself with a complaint to the Office for Personal Data Protection or apply for judicial protection.

In connection with the processing of personal data, you have in particular the following rights:

• Right to information: the right to receive information about the processing of personal data.
• Right of access: the right to a copy of the data being processed..
• Right to rectification and supplementation: the right to rectification if an incorrect data is found.
• Right to obtain personal data and portability: the right to receive processed data which are processed on the basis of consent or on the basis of the conclusion or performance of a contract and which have been provided or which result directly from the Entity's activities, in a machine-readable format. This applies only to automatically processed data.
• Right to restrict processing: the right to restrict the processing of one's data if: the accuracy of the data is denied until the controller verifies the accuracy; the data are not needed for the purposes of processing, but are required to be processed in order to determine, enforce or defend legal claims; an objection is raised against the processing until it is verified whether the legitimate reasons of the data controller outweigh the legitimate interests of the Entity; the processing was illegal and instead of deleting the data, only restrictions on their processing are required.
• Right of erasure: the right to erase data, but only if there is no other legally recognized reason for processing that the data controller can use (including the protection of his legitimate interests and rights).
• Right to object: applies to cases of processing for reasons of public interest held by the data controller or his own legitimate interest, including direct marketing. There is a right to object to such processing and the data controller is obliged to assess such processing in terms of compliance with all rules under the regulations. In the case of direct marketing, such processing always stops after the objection has been raised.
• Automated individual decision-making: in the case of automated individual decision-making with significant consequences (e.g. which would lead to non-conclusion of contract, refusal to pay performance, change of terms of agreed service, etc.) there is a right to have such a decision reviewed, commented on and possibly opposed.
• Right to lodge a complaint: if there is a presumption that the processing of personal data is in breach of the law, it is possible to lodge a complaint with the relevant supervisory authority. In the Czech Republic, this is the Office for Personal Data Protection based in: Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, telephone: +420 234 665 111 (switchboard), web: www.uoou.cz.