Privacy Policy

Last updated on November 6, 2024

Introduction

About Scaleo. We are Owly Labs s.r.o., ID No.: 276 34 051, VAT No.: CZ27634051, with its registered office at V přístavu 1585/10, 170 00 Prague, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 120368. We provide a SaaS system that is used to structure, monitor, analyze and manage data for affiliate marketing purposes, which is called "Scaleo". More information on how the Scaleo works is available on our website at https://scaleo.io.

Privacy Policy. Protecting Users' privacy is very important to us. This Policy has been prepared to provide the Users with essential information regarding the processing of the Personal Data. Please read this Policy carefully. It complies with the GDPR and explains what Personal Data is processed, the reasons for the processing, how we handle the processing, and how we retain the Personal Data.

Contact. The Users can contact us at any time using these details: [email protected]

This Policy. This Policy applies to situations where we act as the Controller (mostly if the User uses the Scaleo, visits our Website, or communicates directly with us). This Policy also explains how you can object to certain uses of information about you and how you can access and update certain information about you. If you do not agree with this Policy, do not access or use the Scaleo or our Website or interact with any other aspect of our business.

Definitions

Definitions. To make the text easier to read, we have prepared definitions of the terms we use in this Policy. If Users encounter other terms in this Policy which are not specified above, such terms have the meaning defined in our Terms, available from https://www.scaleo.io/terms.

The "Controller" or "we/us" is our company, Owly Labs s.r.o. We are the entity which determines the purposes and means of the Personal Data processing. 

The "GDPR" refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 

The "Personal Data" is any information about the natural person using the Scaleo or the Website (the User), or communicating with us, that can either directly identify them or possibly identify them indirectly with the use of other Personal Data we have available about the User.

The "Policy" refers to this Privacy Policy. 

The "Processor" refers to other entities we may use when providing the Scaleo, such as cloud software providers or entities that help us to protect the Scaleo or provide our services. During this cooperation, such entities may process the Personal Data Users have provided to us, based on instructions we give them. 

The "User" or "you" is the natural person to whom the Personal Data is related, mostly our (potential) customer or a visitor of our Website. 

What is Our Role in the Processing of the Personal Data?

We as the Controller:

  • We are the Controller in relation to our Users. Users give us certain information (e.g., name or e-mail) to register for the Master Account etc. Overview of the Personal Data processed and the reason for its processing is provided below.
  • In order to provide the Users with the best Services possible, we may use other entities to help us. Do not worry, because we always conclude the necessary agreements with all of them and we also require the highest possible level of protection and security standards for the Personal Data. However, both we and our sub-processors have very limited access to the data Users store in the Scaleo.
  • If you are not a natural person (e.g., you are a corporation or other legal person), the processing of information about you is not viewed as personal data processing with regard to the applicable legal regulations. Therefore, this Policy does not apply to you. However, we still process your information with regard to the general standards of privacy and our agreements (e.g., an NDA).

We as the data processor:

  • We provide the Users with the Scaleo, which is designed to maintain affiliate marketing, partnerships etc. As a part of the Service, the Users may enter information about their clients or potential clients into the Scaleo. In relation to such persons (if they are natural persons or if some other Personal Data of their employees or other natural persons is included), we may act as the data processor. If we process such Personal Data, we do so on the User’s behalf only as a data processor and in accordance with the User’s instructions. The protection and the rights and obligations are then regulated by the Data Processing Agreement (DPA) which we have entered into with the User. 
  • If you are a client of our User, then they act as the Controller of your personal data. In other words, they are the entity responsible for the processing of your personal data. Please contact them directly, if you have any questions regarding the processing or protection of such personal data. We are not liable for how our Users handle the protection of personal data. 
  • We do not have access to the personal data of our Users, except for the authorized persons responsible for the Master Account and/or persons representing the Users in the negotiations of our agreements or their signings, unless such personal data is necessary to provide the Services (or in case the personal data is made publicly available by the User). We are not responsible for the content of the personal data the User collects, stores, distributes or otherwise processes or includes in the data processed as part of the provided Services.

What Personal Data Do We Process and for What Reasons?

Reasons. We may process the User’s Personal Data for several reasons. Users will find important information about the Personal Data processing on our part in this part of the Policy.

User of the website. When using our Website, Personal Data is processed by us in the following way:

| What is the legal basis for the processing? | Why? | How long? | What Personal Data? |
|---|---|---|---|
| CONSENT: Article 6.1 a) GDPR; or LEGITIMATE INTEREST: Article 6.1 f) GDPR | Provision of the basic functions of our Website, analytics, improvements of our Services etc., with the help of cookies. Preferences can be set in the cookie bar. | The period of processing varies depending on the cookie type, see below the cookie table. | Information about the User’s visit of the Website may include IP address, the date and time of the visit, operating system, language settings, history of behavior on the Website, data concerning mobile phone etc. |
| LEGITIMATE INTEREST: Article 6.1 f) GDPR | Defending against and tracing attacks by hackers, protecting our Website. | The IP addresses are stored for no more than 1 month. | To protect against attacks, we store the IP addresses of all users who access our Website. The logs created are only used to monitor security breaches and are only viewed when such an event takes place. |
| TAKING STEPS PRIOR TO ENTERING INTO A CONTRACT: Article 6.1 b) GDPR | Processing of the User's data when he/she completes our contact form on the Website or gives us information on personal meetings, if in relation with a possible entering into a contract together. | Closed inquiries are deleted regularly, but no later than 3 years from the date of the inquiry. | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address, phone number); Information from our communications (other information included in the contact form or an e-mail message, or by other means of communication) |
| LEGITIMATE INTEREST: Article 6.1 f) GDPR | Dealing with other inquiries or questions not directly related to entering into a contract together. | Closed inquiries are deleted regularly, but no later than 3 years from the date of the inquiry. | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address, phone number); Information from our communications (other information included in the contact form or an e-mail message, or by other means of communication) |

User of the Services. If the User chooses to enter into a contract with us and use our Services, we will process the User’s Personal Data only to the extent necessary to provide the Services in accordance with the Terms of Service.

| What is the legal basis for the processing? | Why? | How long? | What Personal Data? |
|---|---|---|---|
| TAKING STEPS PRIOR TO ENTERING INTO A CONTRACT: Article 6.1 b) GDPR; or LEGITIMATE INTEREST: Article 6.1 f) GDPR | Provision of basic functions of our Website, the Demo, analytics, improvements of our Services. The User can set preferences in the cookie bar. | The period of processing varies depending on the cookie type, see below the cookie table. | Information about the User’s visit of the Website may include IP address, the date and time of the access, operating system, language settings, history of behavior on the Website, data concerning the mobile phone, etc. |
| TAKING STEPS PRIOR TO ENTERING INTO A CONTRACT AND THE PERFORMANCE OF THE CONTRACT: Article 6.1 b) GDPR | Provision of the Free Trial, so that the User can try the Services. | For the duration of the Free Trial and in the case of upgrading to the full version for the term of the Agreement and for a subsequent period of 3 years after the termination of the Agreement. | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address, phone number); Billing details and bank details; Logging into the Master Account and actions taken with respect to the Master Account (e.g., the information filled in by the User in the Master Account, the time of signing up, the date of the last profile update); Information from our communication |
| THE PERFORMANCE OF THE CONTRACT: Article 6.1 b) GDPR | Conclusion and execution of the Agreement to start using the Services to the fullest extent. Creation and maintenance of the Master Account in the extent necessary to provide all the features of the Service. Provision of any other agreed upon Services (e.g., dealing with service requests). | For the term of the Agreement and potentially for some time period afterwards, if we agree to let you export data from the Master Account. | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address, phone number); Billing details and bank details; Logging into the Master Account and actions taken with respect to the Master Account (e.g., the information filled in by the User in the Master Account, the time of signing up, the date of the last profile update); Information about our Agreement (e.g., how is the Agreement fulfilled by both parties, how was the remuneration calculated, etc.); Cookies and IP address, activity data (including information about device, operating system and browser); Information from our communication |
| LEGAL REQUIREMENTS: Article 6.1 c) GDPR | Sometimes we must process Personal Data when the law requires us to do so. This concerns mainly accounting and tax regulations. | For the period required by the legislation (normally 10 years from the end of the financial year in which the tax/accounting event occurred). | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address, phone number); Billing details and bank details |
| LEGITIMATE INTEREST: Article 6.1 f) GDPR | Where we believe it is necessary to protect our legal rights, interests and the interests of others, we may use the Personal Data in connection with legal claims, compliance, regulatory or audit functions. | For the period of up to 16 years, which corresponds to the longest statute of limitations period (15 years) and one extra year to deal with any potential disputes brought upon by you. | Basic identification data (e.g., name, surname); Contact details (e.g., e-mail address); Information about our Agreement (e.g., how is the Agreement fulfilled by both parties, how was the remuneration calculated etc.) |

The Controller does not process any special categories of Personal Data.

Who are the Processors?

We may transfer Personal Data to other parties, mainly to ensure that we can operate effectively. However, we transfer a very limited amount of data. 

Processors. We only engage verified Processors with whom a written agreement has been concluded, ensuring that they offer at least the same level of guarantees as those provided to the User as per this Policy. We use mainly the following service providers and partners:

  1. Third-party service providers. We use third-party service providers to provide us with Website and Scaleo development, hosting, maintenance, backup, storage, payment processing, analysis, marketing, and other services. If a service provider needs to access information about you to perform services on our behalf, they do so under close instruction from us, including appropriate security and confidentiality procedures designed to protect your information.
  2. Consultants. We may use consultants who help us in the areas of taxes, accounting, law or other areas. 

Employees and contractors. The Controller may make the User's Personal Data available to its employees and contractors who provide services related to the processing of Personal Data as described herein. 

Legal obligations. The Controller may disclose Personal Data to third parties, other than the Processors mentioned above, if required by law or in response to lawful requests from public authorities or pursuant to a court order in connection with legal proceedings.

Outside EEA transfers. For personal data that falls under the scope of GDPR, please note that cross border transfers to our Processors or other entities may include countries outside of the European Economic Area (EEA). We take steps to ensure all Personal Data is transferred only where adequate protection is given. Where we transfer Personal Data outside of the EEA to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement that covers the EU requirements for the transfer of personal data outside the EEA, such as the European Commission approved standard contractual clauses. 

What About Minors?

Prohibited. The Controller’s Services are available only to individuals who are 18 years of age or older. The Controller does not knowingly process the Personal Data of children or minors under this age limit. If the Controller becomes aware that it has received Personal Data from a child or minor without parental or legal consent, appropriate steps will be taken to promptly delete such information.

Do We Really Need the Personal Data?

Necessity. The Controller strives to process the least amount of Personal Data necessary. To use the Services or access the Website, certain Personal Data may be required, typically including basic identification and contact details. If the User does not wish to provide this Personal Data, they should refrain from using the Website or the Services.

What about data security?

Measures. The Controller implements commercially reasonable technical, administrative, and organizational measures to protect the Users' Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction. However, as no method of data transmission is 100% secure or error-free, the Controller advises the User to exercise caution when deciding which Personal Data to share.

The Controller adopted and is committed, in particular, to comply with the following measures:

1. Technical measures

  1. HTTPS and Encryption. The Controller uses a secure HTTPS protocol, and all data transfers are encrypted using SSL/TLS.
  2. Backup. Daily backups of all data and files are performed.
  3. Data Center. The Scaleo operates on AWS, a leader in physical and software security, with regular stress and penetration tests to ensure resilience.
  4. Updates. Regular infrastructure updates are performed.
  5. Application Security. Access is secured by unique usernames and passwords, with options for 2FA and customizable permissions for data access.
  6. Other Security Measures. Additional hardware, software, and procedural measures are implemented to enhance data security.

2. Organizational measures

  1. Confidentiality. All employees are bound by confidentiality obligations.
  2. Staff Training. Employees receive regular training on Personal Data protection and security protocols.
  3. Data Processing Logging. We log access to Personal Data, including any changes or deletions, with a retroactive record of 30 days.
  4. Access Control. Only authorized personnel can access Personal Data, within their specific scope of responsibility.
  5. Safe Storage. Passwords are stored securely in a separate environment with access logs.
  6. Transfer Control. Measures are in place to protect Personal Data from unauthorized access during transfer or storage.
  7. Internal Audit. Regular audits can be conducted to minimize Personal Data processing and ensure appropriate security measures are maintained.

What Rights Do the Users Have in Relation to the Processing of the Personal Data?

The Users have the following rights concerning the processing of the Personal Data:

  1. Access to the Personal Data. The User may request information on whether the Personal Data is processed by the Controller, and upon such request, the Controller must also provide access to that Personal Data.
  2. Correction. The User may request the correction of inaccurate Personal Data or the completion of incomplete Personal Data held by the Controller.
  3. Right to Erasure (Right to be Forgotten). Under certain conditions, the User may request the erasure of their Personal Data or the restriction of its processing. The Controller is obliged to comply with such requests where applicable.
  4. Right to Restrict. If the User believes that the Controller is processing their Personal Data incorrectly, whether regarding the reasons for processing or the scope of the Personal Data being processed, the User is encouraged to contact the Controller. 
  5. Right to Data Portability. Upon the User's request, the Controller will provide the Personal Data that the User has supplied in a structured, commonly used, and machine-readable format for transfer to another controller.
  6. Right to Lodge a Complaint. If the User believes that their Personal Data is being processed unlawfully, they have the right to lodge a complaint with the relevant data protection authority. In the Czech Republic, this is the Office for Personal Data Protection, which can be contacted at https://uoou.gov.cz/en and Pplk. Sochora 27, 170 00 Praha 7, the Czech Republic.
  7. Right to Withdraw Consent. Only applies to the situations where a consent is given. If the User changes their mind, they may inform the Controller at any time. Consent to the processing of the Personal Data for marketing and commercial purposes can be revoked at any time without affecting the lawfulness of processing based on the consent before its withdrawal. 
  8. Right to object. The User has the right to object to the processing of their Personal Data when it is based on the Controller's legitimate interests. This objection can be made by sending an email to the Controller’s contact address. The Controller will investigate the objection and provide a response within one month of receiving the request.

The Controller will not process Personal Data using automated individual processing that would have legal effects on the User as a data subject or affect the User in a similarly significant way.

What About Cookies?

Cookies. We also use cookies and may process some Personal Data in that regard. A cookie is a small piece of data that our Website stores on the User’s device, and accesses each time they visit, so that we can understand how they use our Website. This helps us to serve content based on the User’s preferences. Cookies can be divided into essential, preference, analytical and marketing cookies.

We collect these specific cookies:


| Type | Name | Purpose | Expiration |
|---|---|---|---|
| Technical | _cf_bm | Cloudflare cookie used for bot management and to differentiate between bots and humans. | 30 days |
| Technical | __cfruid | Used by Cloudflare for rate limiting and managing traffic. | 30 days |
| Technical | _cfuid | Used by Cloudflare for identifying trusted web traffic. | 30 days |
| Technical | cf_clearance | Cloudflare cookie used to ensure access to the site after passing a CAPTCHA or security check. | 30 days |
| Technical | admin_auth | Used for managing authentication for administrators or logged-in users. | 30 days |
| Technical | october_session | Related to session management for users on the site, possibly linked to the October CMS. | 30 days |
| Technical | lang | Stores user language preferences, typically used for internationalized content display. | 30 days |
| Technical | referrer_user_id | Used to track the ID of a referring user, potentially for affiliate marketing or referral tracking. | 30 days |

Conclusion

This Policy may only be amended in writing. Users will be informed of any changes via the Website. It is recommended that Users review this Policy regularly. The User’s continued use of the Services constitutes acceptance of any changes to the Policy.

This Policy is effective as of 05.11.2024.