Privacy Policy

November 24, 2022

Padrino Delivery Privacy Statement

1. RECITALS

1.1. With this Privacy policy users of the Padrino App application for food ordering and
website https://padrinodelivery.com are informed about which personal data are being
collected by the application and website, the purpose and basis of their processing
data, duration of data storage, instructions about user rights, procedures in case of
an incident, as well as user consent that the application and website can collect,
process and store their personal data, as explained below.

1.2. Application and website use user data in accordance with this Privacy Policy
and the handler undertakes to protect the privacy of all users, to collect only
necessary, basic data about users, that is necessary data for service operation,
fulfillment of contractual obligations, informing users, in accordance with good
business practices and to provide quality service, all in accordance with the Privacy
Policy.

1.3. By using services provided by the application and website, the user declares
that he read, understood, and accepted this Privacy Policy, that is, that he agreed to
the collection, processing, and duration of data storage in the manner prescribed by
the Privacy Policy.

1.4. Application Padrino App and website https://padrinodelivery.com are owned and
controlled by the company PADRINO TECH GROUP DOO NOVI SAD, Bulevar Jovana
Ducica 43, Novi Sad, PIB: 113299776, identification number: 21841811,
(Hereinafter: Handler).

1.5. Privacy policy is created in accordance with the rules provided by the Personal
Data Protection act of the Republic of Serbia and GDPR, and on everything that is
not regulated by the Privacy Policy, rules explained in this document will be applied,
whereby in the case of different solutions, the provisions of the mentioned
documents take precedence.

2. MEANING OF TERMS

2.1. Terms used in this Privacy Policy have the following meanings:

  • HANDLER – company from article 1.4.who processes personal data

  • SERVICE – using an application and website to use the service of ordering food and other articles, as well as access other content on a website. Within the service itself, visitors can participate in the new recruitment processes published on the Handler website, as well as contact Handler for cooperation or obtain additional information, as well as to receive notifications about news and current affairs from the Handler, both via the application, website, and email, as well as by choosing to directly follow the Handler’s account on social networks Twitter, Facebook and Instagram(hereinafter: Service).

  • INTERESTED PERSON – a person who, in addition to general information on the website itself, is interested in receiving additional information about current events with the Handler, either through direct contact or via email and direct monitoring of the Handler's account on social networks Twitter, Facebook and/or Instagram (Hereinafter: Interested person).

  • USER – common name for all users of Handler’s application and website, i.e. its services, including interested persons (Hereinafter: User).

  • LAW – The Law on the Protection of Personal Data of the Republic of Serbia (Official Gazette of the S No. 87 November 13, 2018) (Hereinafter: Law);

  • GDPR - General Data Protection Regulation of the European Union (2016/679);

  • CONSENT is every voluntary, specific, informed, and unequivocal expression of User will, by which the user gives his consent to the processing of personal data related to him by a statement or a clear affirmative action;

  • PERSONAL DATA is any data related to a person whose identity is determined or determinable, directly or indirectly, in particular, based on an identity marker, such as name and identification number, location data, identifiers in electronic communication networks, or one or more features of his physical, physiological, genetic, mental, economic, cultural and social identity;

  • PERSONAL DATA PROCESSING is any action or set of actions performed automatically or non-automated with the User's personal data, such as collecting, recording, sorting, grouping, i.e. structuring, storing, adapting or changing, discovering, viewing, using, revealing by transmission, i.e. submitting, duplicating, disseminating or in another way making available, comparing, restricting, erasing or destroying;

  • PROCESSOR is a natural or legal person, hired by the Handler to process the User's personal data on his behalf and for his needs;

  • THIRD PERSON is a natural or legal person, that is, an authority that is not a User, Handler, or Processor, as well as a person authorized to process personal data under the direct supervision of a Handler or Processor;

  • COMPETENT AUTHORITIES are authorities that are competent for the prevention, investigation, and detection of criminal acts, as well as the prosecution of perpetrators of criminal acts or the execution of criminal sanctions, including the protection and prevention of threats to public and national security, as well as the legal entity that is responsible for the execution of the previously listed actions authorized by law;

  • TRUSTEE or SUPERVISORY AUTHORITY is an independent and autonomous authority established based on the Law, which is responsible for supervising the implementation of the Law and performing other tasks prescribed by the Law;

3. DATA HANDLER

3.1. Data handler is company PADRINO TECH GROUP DOO NOVI SAD, Bulevar Jovana Ducica 43, Novi Sad, PIB: 113299776, identification number: 21841811

3.2. Data handler is responsible for personal data collected from users, in the manner and to the extent provided by this Privacy Policy and the Law.

3.3. The operator undertakes the necessary technical, organizational, and personnel measures to ensure that the processing is carried out in accordance with the Law and to be able to present it to the Users, taking into account the nature, scope, circumstances, and purpose of the processing, as well as the probability of occurrence of the risk and the level of risk for the rights and freedoms of the User.

4. CONTACT INFORMATION OF THE DATA HANDLER

4.1. In case of the need to interpret the provisions of the Privacy Policy, the realization of the user rights, as well as other issues provided for by the Law, Users can contact the Data Handler at the following contact details:

Dario Pantić; dario.pantic@padrinodelivery.com; Bulevar Jovana Dučića 43, Novi Sad

5. USER DATA COLLECTED AND PROCESSED

5.1. To provide the Service, as well as to comply with legal obligations, legitimate interests, and reasons for the improvement, more efficient and legal work of the Handler or based on the User's consent, which is further explained in the text, the Handler collects and processes personal data of the User

5.2. The data collected and processed by the Handler can be divided into the following categories of data:

  • Data provided by Users themselves

  • Data collected automatically when using the application or when visiting the website

5.2.1. Data provided by Users themselves

5.2.1.1. Necessary data for registering an account:

  • E-mail address

  • Contact number

  • Delivery address

5.2.1.2. Unnecessary data that can be entered after registration on the profile screen:

  • Name

  • Profile picture

  • Credit card (on the profile screen or at the end of the order)

  • Location (if the user wants to be found through the device, instead of manually entering the delivery address)

5.2.1.3. Other data that the User can give when using the application:

  • Evaluation of delivery and merchant (restaurant or market), after successful delivery

  • Dietary preferences for the "Surprise me" feature

5.2.2. Data collected automatically when using the application or when visiting the website:

  • IP Adress

  • Device IMEI (device identification number)

5.3. Special categories of personal data

5.3.1. The Handler does not process data related to racial or ethnic origin, political opinion, or philosophical belief, as well as processing genetic data, biometric data for unique identification of a person, or data about a natural person's sex life or sexual orientation.

5.4. Data obtained from the User's internet browser - Cookies

5.4.1. In order to improve the Service on its website, as well as to improve the User's experience when browsing the page, the Handler collects data from the User's internet browser, i.e. Cookies.

5.4.2. Data about the type of specific cookie, name, supplier, the purpose of collection, as well as the type and duration of data storage and other data that could be important for Handler to store can be found at the address: https://padrinodelivery.com/cookie-policy

6. PURPOSE AND BASIS OF PROCESSING

6.1. Data from Article 5 is processed by the Handler

  • Based on the consent given by the User, which may have a separate form or can be integrated into this Privacy Policy can be considered as given, in the sense of Article 12, paragraph 1, point 1 of the Law;

  • Based on the performance of contractual obligations;

  • Based on the legal obligation of the Handler in the sense of Article 12, paragraph 1, point 3 of the Law;

  • according to other conditions stipulated by the Law according to which the Operator is obliged to collect, store and process the User's data.

6.2. Data processing from Article 4 is carried out by the Handler for the following purposes:

  • For the purposes for which the User's consent was given, unless the consent is withdrawn in accordance with the Law and this Privacy Policy;

  • To execute the contract concluded with the User;

  • To fulfill the legal obligations of the Handler;

  • For other purposes in accordance with the Law.

6.3. The operator is obliged to ensure, through the constant application of appropriate technical, organizational, and personnel measures, that only those personal data that are necessary for the achievement of each individual processing purpose are always processed, which is applied in relation to the number of data collected, the extent of their processing, the duration of their storage and their availability.

7. CONSENT

7.1. The consent given by the User can be in a separate form or integrated into the Privacy Policy as a whole, in such a way that it forms a special part of it, marked by Article 7, with a clear and prominent heading "Consent", and its content is described within the subject article in an informed, transparent, comprehensible, accessible manner, using clear and simple words in the manner prescribed by the Law

7.2. The User is not conditioned by giving consent to be provided with a Service or a part of a Service for which Consent is not necessary to be able to use the Service, and the Service can be considered voluntary unless it is not possible to enable the User to exercise his right without the processing for which consent is requested

7.3. The User has the right to withdraw Consent at any time. Withdrawing Consent does not affect the admissibility of processing that was carried out based on consent before the withdrawal. Before giving Consent, the User to whom the data refer must be informed of the right to withdraw Consent, as well as the effect of the revocation. Withdrawing Consent must be as simple as giving consent.

7.4. The User has the right to withdraw Consent for processing based solely on Consent as a basis, at any time, with the fact that the withdrawal of Consent does not affect the permissibility of processing that was carried out based on Consent before the withdrawal made by written notification to the Handler.

7.5. The Consent from Article 7.1 can also be given in electronic form in such a way that the Visitor, when using the application or website of the Handler, will have the opportunity to read the text of the Consent and, in accordance with Article 7, decide whether to accept it or not, by clicking on a certain field.

8. RIGHTS OF VISITORS BASED ON PERSONAL DATA PROTECTION

8.1. The right to be informed and the right to access information:

8.1.1. The operator is obliged to in a concise, transparent, comprehensible, and easily accessible manner, using clear and simple words, at the User's request, provide the information about:

  • The identity and contact information of the Handler and the employee or other person engaged by the Handler who is responsible for the data processing;

  • The purpose of the intended processing and the legal basis for the data processing;

  • the existence of a legitimate interest of the Handler or a Third-party, if the basis of the data processing is a legitimate interest;

  • Recipient, or group of recipients of personal data, if they exist;

  • The fact that the Handler intends to transfer personal data to another country or international organization;

  • The duration of storage of personal data or, if this is not possible, the criteria for its determination;

  • The existence of the right to request access, correction, or deletion of personal data from the Handler, and the existence of the right to limit processing, the right to object, as well as the right to data portability;

  • The existence of the right to withdraw Consent at any time, as well as the fact that the withdrawal of Consent does not affect the admissibility of data processing based on Consent before the withdrawal;

  • The right to submit a complaint to the Commissioner;

  • Whether the provision of personal data is a legal or contractual obligation or whether the provision of data is a necessary condition for concluding a contract, as well as whether the User to whom the data refers should provide personal data and the possible consequences if the data is not provided;

  • The existence of automated decision-making, including profiling, if the Handler performs such processing.

8.1.2. The Handler must respond to the request within 30 days, with the fact that this period can be extended by another 60 days if necessary, taking into account the complexity and number of requests. The Handler is obliged to inform the User about the extension of the deadline and the reasons for that extension within 30 days from the date of receipt of the request, and if the User submitted the request electronically, the information must be provided electronically if possible.

8.2.  Right to correction and addition

8.2.1. The User has the right to have his inaccurate personal data corrected if possible without delay. Depending on the purpose of the data processing, the User has the right to complete their incomplete personal data, which includes providing an additional statement.

8.2.2.  If it is possible to make the correction by correcting, deleting, and entering different data by the User, he will make the correction from Article 7.2.1. himself.

8.2.3. If the User is not able to make corrections and additions in the manner referred to in Article 7.2.2., they will contact the Handler with a request

8.3.  Right to erasure

8.3.1.  If the legal conditions are met, the Handler is obliged to delete personal data from Article 4 at the request of the User without undue delay in the following cases:

  • Personal data are no longer necessary to achieve the purpose for which they were collected or otherwise processed;

  • The User withdraws the Consent based on which the processing was carried out, in accordance with the Law, and there is no other legal basis for the processing;

  • The User has submitted an objection to processing in accordance with the Law, and there is no other legal basis for processing that prevails over the legitimate interest, right or freedom of the User to whom the data refer;

  • Personal data were illegally processed;

  • Personal data must be deleted to fulfill the legal obligations of the Handler;

  • Personal data were collected in connection with the use of information society services in the sense of the Law.

8.4.  Right to restriction of processing

8.4.1. Visitors have the right to ask the Handler to limit the processing of data related to them if the processing is illegal if the inaccuracy of the data is indicated if an objection to the processing has been submitted in accordance with the Law, as well as for other legal reasons.

8.5. The right to object

8.5.1. Depending on the specific case and if he considers it justified, the User has the right to submit to the Handler at any time an objection to the processing of his personal data, which is carried out based on Consent, and the Handler is obliged to stop processing the data of the User who submitted the objection.

8.5.2. The Handler is not obliged to stop the data processing in the manner referred to in Article 8.5.1. if he has presented to the User that there are legal reasons for the processing that outweigh the interests, rights, or freedoms of that User or are related to the submission, realization, or defense of legal claims.

9. STORAGE OF USER PERSONAL DATA

9.1. Personal data of the User will be stored on a server within the territory of the European Economic Zone. However, the Handler cooperates with service providers and may conduct business in multiple geographic locations. Therefore, the Handler and service providers may transfer the User's personal data, or provide access to it, in jurisdictions outside the European Economic Area or the jurisdiction of the User's residence.

9.2. The Handler will take steps to ensure that the User's personal data receives an appropriate level of protection in the jurisdictions in which it is processed. It provides adequate protection for the transfer of personal data to countries outside the European Economic Area through a series of contracts with service providers based on Standard Contractual Clauses or through other appropriate safeguards.

10. ACCESS TO DATA BY THIRD PARTIES / PERSONAL DATA PROCESSORS

10.1. The Handler is authorized to use the services of delivery partners, accounting agencies, developers, IT consultants, and other external and internal collaborators to fulfill the obligations from the Terms of Use, perform payment transactions, and legal obligations, maintain the service, improving its work, for whose work and results responds in accordance with the Law.

10.2. The Handler guarantees that the Processor will apply the necessary technical, organizational, and personnel measures, so that the data processing is carried out in accordance with the Law and that adequate protection of the User's personal data is ensured.

10.3. In order to ensure the conditions from Article 10.2. , the Handler and the Processor may conclude a data processing contract, which will be an integral or accompanying part of the basic contract, and which contract will, among other things, have all the necessary elements provided by the Law.

11. DATA SECURITY

11.1. When assessing the necessary level of established security of personal data, the Handler takes into account and monitors the level of technological achievements as well as the costs of their application, then the nature, scope, circumstances, and purpose of data processing and based on these parameters assesses the probability of the occurrence of the risk, i.e. the potential level of risk for rights and freedom of the User.

11.2. Concerning the circumstances from Article 11.1., the Handler implements appropriate technical, organizational, and personnel measures to reach the required level of organization in relation to the risk.

11.3. When sending data to Processors, the Handler is obliged to ensure a secure communication channel through which the data travels, as well as to ensure that the data is safely stored with adequate security standards.

11.4. All information about Visitors is strictly kept and is available only to the Handler's employees who need this data to perform their work, and the Handler is responsible for respecting the principles of privacy protection, in accordance with the Privacy Policy.

12. PROCEDURE IN CASE OF DATA PROTECTION THREATS

12.1. If data from Article 4, security from Article 10 is compromised, the Handler will take all necessary notification and protection measures provided by the Law, including notification of the competent Supervisory Authority, as well as Visitors if the conditions from the Privacy Policy and the Law are met.

12.2. In the event of a data breach, the Handler is obliged to inform the Supervisory Authority about the violation of the right for personal data protection, which may cause a risk to the rights of the User, without undue delay, or at the latest within 72 hours of becoming aware of the violation. In case of failure to act within the relevant deadline, the Handler will explain the reasons for the delay.

12.3. Notification of the Handler to the Supervisory Authority from Article 12.2. must contain at least the following information:

  • Description of the nature of the violation of the right to personal data protection, including the types of data and the approximate number of Users to whom the data refers, as well as the approximate number of personal data whose security has been violated;

  • Name and contact information of the person from whom information about the injury can be obtained;

  • Description of the possible consequences of the injury;

  • Description of the measures taken by the Handler or proposed to be taken in connection with the violation, including the measures taken to reduce the harmful consequences.

12.4. In case of violation of the right to personal data protection, the Handler is obliged to inform the Visitors about the violation of personal data that may cause a risk to the rights and freedoms of natural persons.

12.5. The notification to the User from Article 12.4. must clearly and comprehensibly describe the nature of the data and specify the information from Article 12.3.

12.6. The Handler is not obliged to notify the User in the situation referred to in Article 12.4. if:

  • The Handler has undertaken appropriate technical and organizational protection measures about personal data whose security has been violated;

  • The Handler has subsequently taken measures to ensure that the violation of personal data with a high risk for the rights and freedoms of the User to whom the data relates can no longer produce consequences for that User;

  • Informing the User to whom the data refer would represent a disproportionate expenditure of time and resources, in which case the Handler is obliged to provide notification to the User to whom the data refers through public notification or in another effective way.

13. DURATION OF DATA STORAGE AND ITS DELETE

13.1. The data from Article 4 is collected as long as it is necessary to achieve the purpose for which it is processed, that is until the withdrawal of Consent in the sense of Article 7.4. of this Privacy Policy, as well as to the extent permitted by the Law.

13.2. Most personal data related to the User's user account is deleted within 90 days from the day the User deleted the user account. Part of the personal data that is an integral part of the user account is stored as long as such processing is required by law or as reasonably necessary for our legal obligations and legitimate interests, such as conducting procedures, accounting, internal reporting, and reconciliation procedures. All personal data related to the User's user account is deleted within 10 years after the User deletes the user account, except for personal data required in certain rare cases such as legal proceedings.

13.3. The Handler stores the Analytical data of Users who do not have a user account for a period of 90 days.

14. TRUSTEE / SUPERVISORY AUTHORITY

14.1. The Supervisory Authority for personal data protection in the Republic of Serbia is the Commissioner for Information of Public Importance and Protection of Personal Data of the Republic of Serbia. You can contact the authority at Bulevar kralja Aleksandra 15, 11000 Belgrade, Republic of Serbia, by email address: office@poverenik.rs or by phone: +381 11 3408 900.

14.2. The Handler cooperates with the Commissioner in the exercise of his authorizations, by the obligations prescribed by the Law.

15. FINAL PROVISIONS

15.1. The User confirms that he accepts the Privacy Policy, that he has read and understood it, and that he agrees with the basis and purposes of data processing, as prescribed by this document.

15.2. All changes to the Privacy Policy will be publicly available in the designated place on the Handler's website, about which Visitors will be notified through the same means of communication, in such a way that they will be able to read the new document.

16. APPLICABLE LAW AND JURISDICTION

16.1. The material law that applies to the processing of the User's personal data and in connection with the processing by the Handler is the law of the Republic of Serbia, the Personal Data Protection Act as well as the GDPR where applicable.

16.2. For administrative and judicial proceedings, the local competent authorities and competent courts of the Republic of Serbia are in accordance with the positive legislation of this country.