Last Update: August 15, 2022
The rastel.io website, along with the subdomain app.rastel.io (webapp), is the property of the co-founders of Rastel.io. By using this site, you, as a User, acknowledge and agree to the content of this document.
Rastel.io understands the scope and consequences established by EU Regulation 2016/679 (GDPR) as well as related legislation regarding the protection of personal data. The company is committed to protecting your rights and freedoms by processing personal data safely and in compliance with all legal obligations.
Through this Personal Data Protection Policy, we aim to transparently inform you about how we collect, use, transfer, and protect your personal data when you interact with us through our website and the associated application.
To reflect any changes in how we process your personal data or any changes in legal requirements, updates and periodic changes to this Personal Data Protection Policy will be published on this page.
1. What is personal data and the categories of personal data we process
1.1 Personal data refers to any information related to an identified or identifiable natural person. Different pieces of information that, when collected, can lead to the identification of a specific individual are also considered personal data.
1.2 We collect your personal data directly from you, giving you full control over the information you provide.
1.3 Contact and Navigation Data. We directly collect your personal data through the contact form on our website (email, phone, name), the waiting list registration form (email and city), and indirectly through your access to our website (IP address used at the time of access). For example, when you send us a message through the contact form, you provide us with information such as your email address, phone number, and any data you enter in the message field. Therefore, you have full control over the type of information you provide to us.
1.5 Data from your account
We also process your data through the "My Account" section. For the proper management of your user account, we collect your email address and the password you choose at the first login. For the optimal use of the rastel.io service, we collect your name, email, phone number, and location.
2. Purpose of data processing
2.1 We process the personal data provided for:
- creating and managing the client account within the Rastel.io platform
- resolving issues of any kind that may arise from the use of the platform
- informing users about parking status via email and/or push notifications (e.g., notifications regarding parking expiration), including email notifications regarding account status
- communicating with users about their satisfaction with the rastel.io service
2.2 To provide our services
Rastel.io collects personal data necessary for creating a client account that allows the safe use of the bicycle parking network. The collected data includes the name, phone number, email, and geolocation at the time of using the application.
2.3 For the improvement of our services
To provide the best online browsing experience on our website, we may collect and use certain information about your activity on the site. We rely on our legitimate interest to carry out activities for you optimally while ensuring that we respect your fundamental rights and freedoms.
2.4 To handle your requests
We collect your data to handle requests made under the GDPR and to inform you about changes to our policies or provide information of interest to you as a beneficiary of our services. For this purpose, we will use the contact details provided by you, such as email address and phone number.
We ensure that these processing activities are carried out in accordance with your rights and freedoms and that decisions made based on them do not affect you.
2.5 To defend our legitimate interests
In certain situations, we will use or transmit information to protect our rights and activities. These include:
- Various measures to protect the website and its users against cyber attacks.
- Measures to prevent and detect fraud attempts, including the transmission of information to competent public authorities.
- Measures to manage various other risks.
- In certain cases, we base processing on legal provisions such as the obligation to ensure the security of goods and values provided by the applicable legislation, or various reporting obligations.
2.6 Also, for the constant improvement of the quality of our services, we will collect your personal data for statistical purposes, but only with the implementation of technical and organizational security measures, along with pseudonymization and/or anonymization, as appropriate. Any personal data collected in this way will be strictly kept within Rastel.io and used only for this purpose.
3. Legal basis for processing
The legal bases for processing take into account the provisions of Regulation (EU) 2016/679 on the protection of individuals concerning the processing of personal data and on the free movement of such data and the normative acts on the processing of personal data adopted at the level of Romania.
The processing of the personal data listed above is based on at least one of the following legal grounds:
- processing may be necessary for the conclusion of a legal/contractual relationship and/or for its execution (in the case of personal data used for using the application);
- processing may be necessary to fulfill a legal obligation incumbent upon us (e.g., those regarding the management of supporting documents from a fiscal point of view, reporting to the Public Health Directorate, obligations to keep evidence for certain periods, etc.);
- processing is necessary for the purpose of our legitimate interests (such as the IP address - necessary for the implementation and maintenance of website security measures or in case of exercising any defenses/rights in front of courts, authorities, or public/control institutions);
- processing is based on your consent (as is the case when you fill out the contact or waiting list registration form).
4. How long do we keep your personal data
We keep the personal data processed by us only as long as necessary for the purpose for which it was collected (including according to applicable law or regulations), such as:
- Until the withdrawal of consent for personal data processing based solely on consent (e.g., newsletter).
- All data transmitted to us when making a request will be used strictly to provide a response and resolve the request and will be kept for a period of 1 year from the date of receiving the request.
- Exceptionally from the previous provisions, we may keep any data, if applicable, until the expiration of the general prescription period of 3 years, regarding situations where we have a legitimate interest in keeping certain personal data in connection with a potential dispute that may arise between parties (e.g., in the context of possible legal liability of ours or the data subject).
- In any other case or in the absence of specific legal, regulatory, or contractual requirements, our reference period for keeping personal data is 5 years from the date of termination of relations/last contact between us and you.
In any situation, except for cases provided by applicable law, we delete your data when you request it. Applicable exceptional situations will be communicated to the applicant through the response forwarded to him/her by Rastel.io regarding the request for data deletion.
5. To whom do we transmit your personal data
As appropriate, we may disclose your data to the following categories of recipients:
- To Rastel.io contractual partners or potential partners (e.g., IT service providers, marketing service providers, etc.).
- To public authorities or institutions, as well as to the competent authorities, in order to comply with legal obligations or to protect our rights.
In cases where we transfer your personal data to third parties, we will take all necessary measures to ensure that this data is kept secure, and any transfer of this type of data is carried out only under the conditions provided by law and in accordance with applicable legal regulations.
6. In what countries do we transfer your personal data?
Currently, we store and process your personal data on the territory of Germany and on our server located in Frankfurt, Germany. However, it is possible that we may transfer certain personal data to entities located in the European Union or outside the Union, countries to which the European Commission has recognized an adequate level of protection of personal data.
We take all measures to ensure that any international transfer of personal data is carefully managed to protect your rights and interests, and we allow such transfers only when absolutely necessary, applying the principle of minimization. Data transfers will always be protected by contractual commitments and, where appropriate, by other technical or organizational guarantees. To find out more information about the countries to which we transfer your data, you can contact us at any time.
We are committed to ensuring the security of personal data by implementing appropriate technical and organizational measures, following industry standards.
Despite the measures taken to protect your personal data, we do not assume responsibility for vulnerabilities in systems that are not under our control. We remind you that transmitting information over the Internet is not completely secure, and there is a risk that data may be viewed and used by unauthorized third parties independent of our intervention.
7. What are your rights?
The General Data Protection Regulation provides that you, as a data subject, have the following rights:
You can request us to confirm whether we process your personal data, and we will provide you with a copy of your data and present information about how we use it, to whom we disclose it, whether we transfer it abroad, how we protect it, how long we keep it, what rights you have, how to file a complaint, where we obtained your data, to the extent that this information has not already been provided to you in this notice.
You can ask us to rectify or complete your inaccurate or incomplete personal data. We may verify the accuracy of the data before rectifying it.
7.3. Data Deletion
You can ask us to delete your personal data, but only if:
- It is no longer necessary for the purposes for which it was collected;
- You have withdrawn your consent (if the data processing was based solely on your consent);
- It has been processed unlawfully;
- You have exercised a legal right to object;
- We have a legal obligation to do so.
We are not obligated to comply with your request for the deletion of personal data in any circumstance. The most likely situations in which we could refuse your request are:
- To comply with a legal obligation;
- To establish, exercise, or defend a legal claim.
7.4. Restriction of Data Processing
You can ask us to restrict the processing of your personal data only if:
- Its accuracy is contested (see the Rectification section) to allow us to verify its accuracy;
- It is no longer needed for the purposes for which it was collected, but you need it to establish, exercise, or defend a legal claim;
- Processing is unlawful, but you do not want the data to be deleted;
- You have objected to the processing, and verification of whether our legitimate interests override yours is in progress.
We may continue to use your personal data following a request for restriction if we have your consent, or to establish, exercise, or defend a legal claim or to protect the rights of Rastel.io Solutions SRL or another natural or legal person.
7.5. Data Portability
You can ask us to provide your personal data in a structured, commonly used, and machine-readable format, or you can request it to be directly transferred to another data controller, provided that the processing is based on your consent or on the conclusion or performance of a contract with you, and is carried out by automated means, as well as that the transfer is technically possible.
You can object to the processing of your data at any time if you believe that your fundamental rights and freedoms prevail over our legitimate business interest.
7.7. Automated Decisions
You can request not to be subject to a decision based solely on automated processing when that decision:
- Produces legal effects concerning you;
- Significantly affects you in a similar way.
This right does not apply when the decision:
- Is necessary for the conclusion or performance of a contract with you;
- Is authorized by law, and there are adequate safeguards for your rights and freedoms;
- Is based on your explicit consent.
You have the right to lodge a complaint with the National Supervisory Authority for Personal Data Processing regarding the processing of your personal data. However, we recommend that you contact us first, and we assure you that we will make every effort to resolve any issues amicably.
To exercise your rights, you can contact us using the contact form on the contact page. We aim to respond to any valid requests within a maximum of 30 days, unless the matter is particularly complex or if you have made multiple requests, in which case we will respond within a maximum of 60 days, notifying you accordingly.
8. Changes to this Policy
Rastel.io reserves the right to make changes to this Personal Data Protection Policy at any time by notifying its Users on this page and, if possible from a technical and legal point of view, by sending a notification to users through any contact information available to us. It is strongly recommended to check this page frequently, referring to the date of the last modification listed under the title.
If the changes affect the processing activities performed based on the User's consent, we will collect new consent from the User, if necessary.
We are always open to hearing your opinions and providing you with any additional information you may need regarding the processing of your data. If you have questions about the content of this document or want to exercise your rights, feel free to contact us by email at email@example.com.