We consider the personal data of our users and business partners to be highly confidential and we take their protection very seriously. In this document, we describe what data we collect and how we process and secure it against misuse. Under no circumstances does our company provide personal data to third parties, neither for payment or consideration, except where we are required to do so by law.
Definition of terms
The BeerSport application (hereinafter also referred to as the Application) is a product of Cool Ticketing s.r.o., which consists of a mobile application for smartphones on Android and iOS platforms and a server part (the so-called back-end).
A user is a natural person who meets at least one of the following conditions:
- has actively used or is using the Application,
- contacted Cool Ticketing s.r.o. user support by the designated means (phone, e-mail, social networks) in order to obtain information or resolve a request.
A prize is a unique digital record of a voucher, loyalty card or playing card that is stored in the Application.
Product recognition means the process in the Application whereby the User enables access to the camera of a mobile device and subsequently takes pictures of the surroundings using the Application. During this process, the Application stores the captured images and uses artificial intelligence to try to recognize the object of interest (e.g., beer on tap, mixed drink, etc.) based on the captured images.
The controller of the Users' personal data is Cool Ticketing s.r.o., ID No.: 02387662, třída Karla IV. 468/18, 500 02 Hradec Králové (hereinafter also referred to as "we" or "our company").
The processor of personal data is always the Controller, i.e. Cool Ticketing s.r.o.
The Act means Act No. 110/2019 Coll., on the processing of personal data, as amended.
Regulation means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter also referred to as "GDPR").
Why we collect and process personal data
Our company provides services with a high degree of personalization. The main function of the Application is to offer, securely store and use digital Valuables. At the same time, we publish other offers both inside and outside the App, which we try to target to be relevant to Users based on their demographics, current location and personal preferences.
In particular, we collect and process Users' personal data for the following purposes
- providing, maintaining, improving and protecting all of our services and features of the App and ensuring the integrity and security of the digital Valuables stored in the BeerSport mobile app,
- communicating Partner offers.
Providing the Services means, among other things, providing user support. Service protection also means, among other things, targeting offers in accordance with the law (e.g. we do not allow Users under the age of 18 to deposit alcoholic beverage vouchers).
What data we process
The data that we collect and process when using the Application is not personal data according to the provisions of GDPR Article 4(1). We only obtain data directly from the BeerSport mobile app. This includes the following data:
- Phone make and model
- Phone operating system version
- Unique installation identifier generated by the App
- IP address of the phone
- Phone operating system intervention flag (root, jailbreak)
- Phone location in time (GPS coordinates)
- User activity in the Application
- History of stored Valuations including their status (used, expired, forwarded, etc.)
- Links between devices (e.g. if a Valuables is forwarded and saved to another device)
- User's date of birth
In the listed cases, the User acknowledges that the data obtained so far have or may acquire the character of personal data. These are the following cases:
- registration of the User, which means entering the e-mail address in the Application and its subsequent confirmation by a link in the message sent,
- the use of the Product Recognition function, where we may obtain and process images of the surroundings which may be personal data,
- entering a bank account number to provide cashback, where the account number may be personal data.
In the case of registered Users, we may also collect and process personal data that arises from the use of our services or is algorithmically derived from the data collected (so-called profiling). Depending on the User's activity and how they use our services, this may include the following data:
- Email address (including confirmation of its validity)
- Public information from social media profiles (typically a photo or avatar, first and last name)
- History of payment transactions made on the App
- Answers to contests posted on the App
If there is any contact between the User and us, for example to request support or in the case of physical prizes requiring mailing, we may obtain additional personal information from the User:
- Telephone number
- User's postal address.
We never collect, process or derive the following data from other data:
- sensitive personal data, i.e. data related to confidential health information, racial or ethnic origin, political or religious beliefs or sexuality,
- data from the customer's phone other than those listed above, such as contacts, call or message history, files, documents or photos stored on the phone's internal storage unless created by the Application itself,
- payment card data (the recipient is the bank that provides the payment gateway interface, the Administrator does not have access to this data).
How long we keep your personal data
We retain and process personal and anonymous data for varying lengths of time, depending on the activities you have performed on the Application.
- We retain anonymous and de-identified data without limitation.
- We retain personal data for as long as you use the Application, but no later than the time you request its destruction (see also Users' rights regarding personal data in a later section).
Our legitimate interest within the meaning of the GDPR Regulation, Article 6, paragraph 1, letter f) is, among other things, the prevention of fraud (e.g. the prevention of the repeated use of the Prizes by one User within a limited issue). Therefore, in specific cases, we retain personal data for 10 years from your last activity on the Application, even if you have requested its destruction. These are cases where you have performed any of the following activities on the Application:
- made a payment on the App using a credit card or credits,
- saved a Prize as part of an action specified by a Partner of the Administrator,
- earned cashback on your account,
- won a physical prize on a playing card.
How we obtain consent to process personal data
We may obtain your consent to process your personal data either implicitly (i.e. automatically if you choose to use any of our services under the applicable Terms and Conditions or explicitly (i.e. when you give your consent in any contact with us).
Consent may be obtained directly through our means (Apps, websites, etc.).
You also give consent implicitly if you participate in an event that has specific rules. These rules are always available on our company's website and referenced on the specific Prize (e.g. playing card). By using this Prize Card, you grant your consent to the extent defined in the rules.
Consent to the provision and processing of data related to the installation of the BeerSport mobile application on the User's phone is mandatory and is granted by the User at the moment of the first launch of the mobile application. Without this consent or the provision of basic personal data, the Application cannot be used.
You also implicitly grant consent if you participate in an event that has specific rules. These rules are
- available on our company website and referenced to a specific Prize (e.g. playing card) or
- stated directly on the Prize.
By using this Prize, you are giving your consent to the extent defined in the rules.
The User may revoke or change the consent to the processing of personal data. The ways to do this are described below in the section on Users' rights.
How and by what means we process personal data
We process the personal data of Users and Business Contacts in accordance with the provisions of GDPR Article 4(2).
We may use third party tools, such as Google analytics tools, to monitor and analyse data about Users' activity on the App, movement around our websites and reading of our emails.
We use our own analytics algorithms to derive additional personal data (such as Users' gender or preferences from their stored voucher history) or we may use third party services such as NameAPI.
We use our own analytical algorithms and manual review by authorized persons to process photos obtained during Product Recognition.
How we protect your personal data
We primarily store personal information in secure databases that are an integral part of the Application. This includes both the database on the User's device, which is part of the installed BeerSport mobile application, and the database on the server part of the Application.
Only the mobile application itself has access to the personal data in the database of the BeerSport mobile application, which can send this data to the server database using a secure encrypted protocol.
Access to the personal data in the server database of the Application is only allowed to authorized persons, whose authentication is done using a name and password via a secure encrypted protocol.
We may use Google services, such as Google Docs, for records of user support provided.
If we obtain a User's personal data through channels other than secure channels (e.g. email), this data is promptly stored (if necessary to retain it) in secure storage. At the original source, the data is permanently deleted as soon as the nature of the contact reasonably allows (e.g., in email communications between you and our support, we maintain a thread of communication at least until the issue you have contacted support with is resolved).
We do not disclose personal data to any third party except to recipients who may request personal data under the Act or special regulations (e.g. law enforcement authorities).
Although we try to do our best to protect Users' personal data, in some cases we are not responsible for its possible leakage and misuse, especially when the User does not use his/her phone on which the BeerSport mobile application is installed in accordance with the general security rules and recommendations. "Unsafe" use of the phone includes, in particular, interference with the operating system (root on the Android platform, jailbreak on the iOS platform, etc.), intentional damage to the integrity of the database or mobile application, installation of potentially harmful third-party applications, etc.
What rights you have in relation to your personal data
- You have the right to ask us for information about what personal data we record and process about you.
- You have the right to ask us to amend, supplement or correct the data we hold about you.
- You have the right to request the destruction of your personal data. We carry out the destruction by irreversibly anonymising the relevant data.
- You have the right to change the scope of your consent to the processing of your personal data, e.g. if you do not wish to receive commercial communications by email. We provide detailed information on email communication in the following section.
- You have the right to request information about to which recipients your personal data has been provided, when and why (the recipient and new data controller is e.g. the sponsor of the contest in the Application in which you participate by submitting a contest answer).
How the User can request the deletion of the data:
- by using the BeerSport App's resources, specifically by using the Request Account Deletion button or the Help button in the Settings section.
- using the means in the email communication
- by written request.
If the User withdraws consent or modifies the scope of his/her consent to the collection and processing of personal data, some services or parts of the Application may cease to function. (For example, if you disable the use of location services on your phone, this may prevent you from redeeming certain types of Prizes that require location services to be enabled for security and/or at the request of the campaign or event organizer.)
All written requests related to the User's personal data must always be sent to the e-mail address firstname.lastname@example.org, or in paper form to the address of the Administrator's registered office. For the purpose of identifying the User as the authorized subject, we will use the e-mail address from which the User will communicate with us.
If we receive a request from the User to exercise any of the above rights, we will inform the User of the measures taken without undue delay and in any case within 48 hours of receipt of the request. This period may be extended by a further two days if necessary and taking into account the complexity and number of requests.
In the event of a request for the destruction of personal data, we proceed in accordance with the Act and the GDPR Regulation, whereby personal data may be retained after receipt of the User's request
- provided that we need the data to process the User's order or
- if it is in our legitimate interest within the meaning of GDPR Regulation Article 6, paragraph 1, point f).
The personal data is disposed of in the primary database. Residual records of personal data may continue to be contained in the system backups for a maximum of 1 month and in the system log for a maximum of 6 months, at which point at the latest, the disposal records will also be promoted to these repositories.
We will retain information that the User has exercised any of the above rights with us and how we have dealt with his/her request for a reasonable period of time (5 years) to document this fact, for statistical purposes, to improve our services and to protect our rights.
E-mail communication from the Controller
There are two basic types of messages that we can send to Users via email:
- transactional messages - these are directly related to the use of our services or the use of the Application (e.g. an email asking you to confirm your registered email address),
- commercial messages - these are only our offers that we send on our behalf.
Typical transactional messages include: a confirmation email after registering an email address, confirmation of a purchase, information about tickets ready to be saved, confirmation of participation in a contest, and more. You cannot opt out of receiving transactional messages because they are directly related to the User's use of our services and the Application. The only way to not receive transactional messages is to remove the email address that the User has registered in the BeerSport mobile app settings. This will result in the non-functionality of certain parts of the Service that require a registered address (e.g., paying in the BeerSport mobile app, participating in contests we post on the App, being able to win prize cards, being able to use loaded credit or receive Prizes as part of a purchased subscription).
If the User does not want to receive commercial communications, he/she has the option to unsubscribe at any time.
In exceptional cases, we may contact selected Users with communications of a non-transactional or non-business nature. This may include, for example:
- notification of a security incident involving User's personal information,
- a request for the User's cooperation in the context of a previous joint communication or in connection with the use of the Application, in particular to correct errors in the Application or to verify that the Application is being used in accordance with the Terms and Conditions,
- prompting you to verify the User's identity in order to process an incoming request.