Privacy Policy

This privacy policy (hereinafter referred to as the “Policy”) aims to transparently inform about the processing of personal data in connection with the operation of the Besegma.com website (hereinafter referred to as the “Website”) and the Service itself, which is accessible at https://app.besegma.com (hereinafter referred to as the “Service”). Unless otherwise defined herein, this Policy uses definitions with the same meanings as the Terms available at https://besegma.com/terms.

1. Role of the Provider and data subjects

1.1. TESYDA s.r.o., ID No.: 21382212, with its registered office at U Habrovky 247/11, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 288901 (hereinafter referred to as the “Provider”), may act as either a data controller or a data processor in relation to the processing of personal data in connection with the operation of the Service. The specific role of the Provider always depends on the purpose of the processing.

1.2. The subject of personal data processing by the Provider as a data controller may be a visitor to the Website, a Customer who is a natural person (hereinafter referred to as the “Customer”), or a person who has a user account in the Service but is not a Customer within the meaning of this Policy (hereinafter referred to as the “User”).

2. Provider as data controller

None of the processing described in this article involves automated decision-making, including profiling.

The Provider is the data controller for the following purposes:

2.1. Administration of contractual relationship and management of user accounts

The Provider may process the personal data of the Customer and Users for the purposes of administration of the contractual relationship between the Provider and the Customer and management of the user accounts for the Users. In addition, this purpose also includes providing support for the Service.

The legal basis for the processing in the case of the Customer is the negotiation of the Agreement or its performance (Article 6(1)(b) of the GDPR). In the case of the User, depending on the specific context, the legal basis is either the performance of the agreement (Article 6(1)(b) of the GDPR) or the legitimate interests of the Provider and the Customer (Article 6(1)(f) of the GDPR) in fulfilling their contractual relationship.

The categories of personal data concerned may be:

Identification data (e.g. first name, last name), contact data (e.g. e-mail), login data, settings and usage data (e.g. time data, IP address), customer and contractual relationship data (e.g. function, signature), content of communication (regarding support).

The source of data is the data subject, or a third party in the case of creating a user account using OAuth (Microsoft, Google). Without providing identification and contact data, an agreement cannot be concluded.

The data will be processed for this purpose for the duration of the respective contractual relationship. Certain data may subsequently be further processed on the basis of the Provider’s legitimate interests (Art. 6 (1) (f) GDPR) in protecting its rights and property, up to the applicable statutory limitation periods.

2.2. Ensuring operation and improvement

The Provider may process personal data of visitors to the Website, the Customer and other Users of the Service in order to ensure the security, availability and performance of the Website and Service, as well as their further improvement. The legal basis for this processing is the Provider’s legitimate interests in delivering a quality Service and its presentation (Article 6(1)(f) of the GDPR).

The categories of personal data concerned may be:

Identification data (e.g. first name, last name), contact data (e.g. e-mail), usage data (e.g. number of visits, time data, IP address, location, device), feedback.

The primary source of data is its automatic collection (logging), which the Provider may carry out using third-party tools. However, the Provider may also use data provided directly by the data subject, obtained through feedback collection.

The data will be processed for this purpose for the period necessary to fulfil the stated purpose, which is usually 6 months.

2.3. Sending commercial communications

This purpose includes sending newsletters and other communications that do not fall under other processing purposes specified in this Policy, to both the Customer and Users. The legal basis for the processing is the Provider’s legitimate interests in maintaining contact with persons using the Service (Article 6(1)(f) of the GDPR).

The categories of personal data in question are:

Identification data (e.g. name, surname), contact details (e.g. e-mail, telephone).

The source of the data is the data subject, i.e. Customer or User (data entered when creating a user account).

The data will be processed for this purpose until the data subject refuses to receive communications (unsubscribes) or objects to this processing, but no longer than for the duration of the contractual relationship.

2.4. Compliance with legal obligations

This purpose includes the processing of data of visitors to the Website, Customer and Users to meet the Provider’s obligations arising from legal regulations – e.g. response to data breaches, response to the exercise of rights, etc. The legal basis for such processing is the fulfilment of the Provider’s legal obligation (Article 6(1)(c) of the GDPR).

The categories of data concerned may be:

Identification data (e.g. first name, last name), contact data (e.g. e-mail, telephone), usage data (e.g. IP address, time data), data on the contractual relationship, other data necessary for the fulfilment of the respective obligation.

The source of the data may be the data subject, or it may be an automated collection.

For this purpose, the data will be processed for the period necessary to comply with the relevant legal obligation or directly stipulated by law.

3. The Customer as the data controller and the Provider as the data processor

In relation to the Customer Data processed in the Service, which have the nature of personal data, the Provider acts as a data processor. For the purpose of the data processing described below, the Customer is the data controller.

The Customer, as the data controller, is responsible for ensuring a legal basis for the data processing and for providing data subjects with all information about the processing of personal data that may occur within the Service. Given that the Customer has the possibility to influence the scope of the processed personal data, the duration of their processing, and the specific purpose of processing, the information provided in this Article 3 is intended for general informational purposes only, and its accuracy and completeness are not guaranteed.

Customers may process personal data within the Service for the following general purpose:

3.1. Predictive data analysis

This purpose includes performing predictive data analysis according to the Customer’s requirements. The processing may have the nature of profiling.

The legal basis will generally be the legitimate interests of the Customer (Article 6(1)(f) GDPR) or the consent of the data subject (Article 6(1)(a) GDPR).

The categories of personal data in question may include, in particular:

Identification data (e.g. name, surname), business data (e.g. data on purchases and customer behaviour), any other personal data that the Customer includes in the Customer Data.

Customer Data with the nature of personal data will be processed by the Customer within the Service for the period necessary to fulfil the purpose of the processing, while the Customer is always responsible for its timely deletion. Customer Data will be removed from the Service in the event of termination of the contractual relationship between the Provider and the Customer.

4. Recipients and transfers of data

4.1. Personal data processed by the Provider as the data controller may be made available, to the extent strictly necessary, to persons engaged in their processing. These are the Provider’s employees and carefully selected processors, in particular persons involved in the maintenance and support of the Service and providers of IT services (e.g. IT infrastructure provider, payment gateway provider and providers of IT tools, such as Microsoft, Stripe and HubSpot). Furthermore, the data processed by the Provider may also be made available, to the extent necessary, to the Provider’s advisors bound by a confidentiality obligation (e.g. attorneys), and, as required by legal regulations, to public authorities.

4.2. The Provider shall not disclose the processed personal data to third parties in any manner other than as specified in this Policy.

4.3. The processed personal data is stored on servers in the data centre of the commissioned data processor Microsoft Ireland Operations Limited, which is located in the EU. The transfer of processed personal data to third countries (usually the USA) may occur only to a very limited extent (e.g. in connection with the use of the HubSpot service), in which case appropriate safeguards will always be provided, either through the so-called standard contractual clauses, a copy of which you can request, or through the EU-US Data Privacy Framework.

5. Data security

5.1. We care about the security of our Customers’ and Users’ personal data, as well as the personal data contained in Customer Data. Therefore, we place a strong emphasis on implementing strict security measures when processing it, whether as a data controller or data processor.

5.2. All Customer Data is encrypted in transmission and at rest. Our trained employees will access your data with the nature of personal data only when necessary and in accordance with this Policy. All designated employees authorized to access the Customer Data are bound by a confidentiality obligation.

5.3. Microsoft Azure Cloud, which the Provider uses as an IT infrastructure provider, holds ISO 27001, ISO 27017 and ISO 27018 security certifications. Azure Cloud services are used by banking, financial and healthcare providers around the world. More information about Azure datacenter security is available here.

6. Cookies

6.1. Only necessary cookies are used for the operation of the Service. Their placement on the device can’t be rejected.

6.2. The cookie policy relating to the Website is contained in a separate document available here. The preferences regarding the cookies set by the Website can be modified via the cookie banner on the Website.

7. Commercial communications

7.1. If the Customer or User does not opt out of receiving commercial communications when creating a user account, the Provider is entitled to use the registered e-mail address to send messages of a commercial nature. The processing of personal data for this purpose is described in Section 2.3. It is also possible to opt out of receiving further commercial communications in the manner specified in each individual message, for example via an unsubscribe link.

7.2. The Provider will never send commercial communications regarding third-party products or services.

8. Rights of data subjects

In relation to the processing of their personal data, the data subjects have the following rights, whenever the conditions set out in the legal regulations are met. These rights can be exercised against the Provider as the data controller using the contact details provided in Article 9. For processing where the Customer is the data controller (see Article 3), the rights must be exercised directly with the Customer.

The data subject has the following rights:

8.1. The right of access to personal data, i.e. the right to request confirmation as to whether its personal data is being processed and, if so, to obtain information about the processing in question, or a copy of the data being processed;

8.2. The right to request rectification of inaccurate data or the completion of incomplete data;

8.3. The right to request immediate erasure of processed data (if the statutory conditions are met);

8.4. The right to request temporary restriction of personal data processing (if the statutory conditions are met);

8.5. The right to object to data processing on the legal basis of legitimate interests, or for direct marketing purposes;

8.6. The right to withdraw consent to the processing of personal data at any time;

8.7. The right to personal data portability, i.e. the right to request the processed data in a structured, machine-readable format (if the statutory conditions are met).

9. Contact

9.1. Requests for the exercise of rights or any inquiries regarding the processing of personal data can be made by contacting the Provider at hello@tesyda.com. If the data subject has a complaint regarding the processing of personal data, it has the right to lodge a complaint directly with the competent supervisory authority, which is the Czech Office for Personal Data Protection.

Version 1.0
Effective from: 22. 2. 2025