Rekola - Discover city with Rekola Bikesharing

Through this Privacy Policy (hereinafter referred to as the "Policy"), we inform the data subjects whose personal data we process about all processing activities and about the privacy protection principles of the data subjects.

Responsible persons

Administrator of the personal data:

Rekola Bikesharing s.r.o., ID number: 048 93 875, with registered office at Křenová 89/19, Brno, 602 00, Czech Republic

Contact for exercising rights in connection with the protection of personal data: info@rekola.eu

(hereinafter also referred to as "Rekola", "Company", "we", "our" or "us")

Basic concepts

GDPR:

Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC effective from 25/05/2018.

Personal data:

Personal data in the sense of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons in connection with the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (hereinafter referred to as "GDPR") means all information about identified or identifiable natural person, (i.e. about the data subject = you).

Special personal data:

Special personal data means data on racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person and data on health or sex life or sexual orientation Individuals.

Data Subject = You:

Data subject means an identified or identifiable natural person, whereby an identifiable natural person is a natural person who can be directly or indirectly identified, in particular by reference to a certain identifier, for example name, identification number, location data, network identifier or to one or more special elements of physical , physiological, genetic, psychological, economic, cultural or social identity of this natural person.

Processing of personal data:

Processing of personal data within the meaning of Article 4(2) of the GDPR means any operation or set of operations with personal data or sets of personal data that is carried out with or without the aid of automated procedures such as collection, recording, arrangement, structuring, storage, customization or alteration, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, arrangement or combination, restriction, erasure or destruction.

Administrator:

We are the administrator of your personal data. In the sense of Article 4, Paragraph 7 of the GDPR, a controller is a natural or legal person, public authority, agency or other entity that alone or jointly with others determines the purposes and means of personal data processing; if the purposes and means of this processing are determined by the law of the Union or a Member State, this law may determine the controller concerned or special criteria for its determination.

Processor:

A processor, in the sense of Article 4, paragraph 8 of the GDPR, is a natural or legal person, public authority, agency or other entity that processes personal data for the controller; i.e. also some of the Company's business partners who process personal data on the Company's instructions and according to the Company's requirements.

Risk processing:

Risky processing means processing that is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or includes the processing of special categories of data listed or personal data related to judgments in criminal cases and offenses referred to in Article 10 of the GDPR.

Automated individual decision-making incl. profiling

generally means any form of decision based on the automated processing of personal data, i.e. without human intervention, consisting, among other things, of evaluating some personal aspects related to the data subject, in particular for the purpose of analysis or estimation or analyzing or predicting aspects related to his work performance, economic situation, health status, personal preferences, interests, reliability, behavior, location or movement.

Categories of data subjects

We process personal data of persons divided into the following categories

Our customers (users of the Rekola application and persons with whom we have concluded a framework contract for renting a means of transport - bicycles)
Job seekers
Our suppliers of goods and services

Personal data processed

We process your identification data (name, surname), contact data (address, e-mail, telephone), location data (GPS), data on the use of the Rekola application, data contained in the resumes of job applicants for the purposes of the selection process, accounting data of our suppliers (bank account number), history of orders and deliveries, data on complaints. We process this data in accordance with legal regulations, in particular GDPR, as amended.

The purpose of personal data processing

We process personal data for a clearly defined purpose:

Categories of data subjects	The purpose of personal data processing	Legal basis and processed personal data	Processing time
Our customers	Fulfillment and implementation of contracts concluded with customers (providing services, handling complaints, making payments for bicycle rental, etc.)	The legal basis is fulfillment of the contract. We process identification data (name, surname, date of birth, date of registration), contact data (telephone number, e-mail address and address of permanent residence), information on the history of orders (including payments), information on the location of the bicycle when it is received and return, information about the user's actions within the framework of contact with us, including the GPS location where these actions took place.	For this purpose, personal data may be processed for a period of time duration of the contractual relationship.
	Exercising claims from contractual relationships after the termination of the contract (in particular handling complaints or, recovery of claims and other obligations from concluded contracts)	The legal basis is our legitimate interest. We process contact data (phone, e-mail; fingerprint of the mobile device), order history - rides and location data in the range of: pick-up location, bicycle drop-off location, location of device when using the mobile app, and location of nearest bike.	For this purpose, personal data may be processed for a period of time four years from the termination of the contractual relationship and if court or other proceedings are initiated, then for the entire duration of these proceedings.
	Providing proof of fare payment by a third party (e.g. a company MultiSport Benefit, s.r.o., etc.)	The legal basis is your consent. In the Rekola application, you can enter various benefit cards that can pay a discount or the entire ride for you. We provide these companies with your benefit card number to validate fares; the date and time of the start and end of the loan; or the total length of the loan.	For this purpose, personal data may be processed after time granting your consent.
	Providing additional information to a third party	The legal basis is your consent. In the Rekola application, you have the option of connecting other applications and services to which we will, after your consent, send your data or your data that you generate by using Rekola. Such consent will list all such data and identify the partner who obtains such data after your consent.	For this purpose, personal data may be processed after time granting your consent.
	Bicycle location monitoring to prevent theft and damage to bicycles	The legal basis is our legitimate interest. A GPS sensor can be installed on the bike. We process the location of the bike outside of the rental and possibly also during your rental. If the location is processed during the rental, in the Rekola application you will find a graphical representation of the recorded points of the bike's location in the ride history.	For this purpose, personal data may be processed for a period of time four years from the termination of the contractual relationship and if court or other proceedings are initiated, then for the entire duration of these proceedings.
	Providing anonymized information to a third party	The legal basis is our legitimate interest. When using bicycles, data is generated about the movement of bicycles and the functioning of our users in the city. This data is a great resource, for example, for planning the improvement of transport infrastructure. The data provided to third parties (cities, municipal companies, but also commercial entities) are either the result of the aggregation of multiple data (e.g. heat map) or anonymized (e.g. a package of individual bike rides, from which it is not possible to tell that the bike was borrowed by a specific person)	For this purpose, personal data may be processed for a period of time four years from the termination of the contractual relationship.
	Optimizing the spread of business messages on social networks	The legal basis is our legitimate interest. Registering to Rekola generates data about your use of the application (completion of registration, date of driving, activation of subscription and others), which we can to use to optimize the dissemination of business messages on social networks of the company META (Facebook, Instagram), X (formerly twitter.com) and TikTok by sending them to the given services. Based on this, we can better target and evaluate the success of advertising campaigns. To identify the user, we only send the so-called hashed e-mail and hashed phone number to social networks.	For this purpose, personal data may be processed for a period of time duration of the contractual relationship.
	Dissemination of business communications in the form of email newsletters containing offers, information and news	The legal basis is our legitimate interest. The identification and contact personal data of customers are processed for the purpose of disseminating business communications in accordance with the law	For this purpose, personal data may be processed for an indefinite period until the recipient unsubscribes.
	Fulfilling our accounting and tax obligations	The legal basis is performance legal obligations, which are imposed on us by legislation.	For this purpose, personal data may be processed for up to 5 let from the end of the tax period in which the transaction took place.
Our suppliers of goods and services	Fulfillment and implementation of contracts concluded with suppliers, external collaborators and creditors, debt collection	The legal basis is fulfillment of the contract. Processing identification and accounting personal data of other contracting parties is necessary for the fulfillment of mutual contractual obligations.	Personal data may be processed for this purpose for the duration of the contractual relationship.
Our suppliers of goods and services	Exercising claims from contractual relationships after the termination of the contract	The legal basis is our legitimate interest. Collecting identification and accounting data, including payments made, is necessary for processing complaints, collecting claims and other contractual obligations from contracts concluded between us and these data subjects.	For this purpose, personal data may be processed for a period of time four years from the termination of the contractual relationship, in case of disputed proceedings, for the entire duration of the proceedings.
Job seekers	Assessment of the suitability of the job applicant during the selection procedure and re-approach in the event of termination of the employment relationship with another selected applicant during the probationary period	The legal basis is implementation of measures taken before the conclusion of the contract at the request of the data subject. We collect identification, contact, qualification and other personal data obtained as part of the selection process (mainly through the applicant's CV or during the interview).	Personal data are processed for this purpose 3 months from the cancellation of the selection procedure or from the entry of another selected applicant to the advertised position.
Job seekers	Possible proof of compliance with the prohibition of discrimination and the obligation of equal treatment according to the Employment Act during the selection process for employees	The legal basis is our legitimate interest. We collect identification data (name, surname, date of birth, information on personal status and photo, if included in the CV), personal contact data (phone, e-mail) for the purpose of possibly proving compliance of the selection procedure for the position of an employee with the provisions of the law on employment, on the prohibition of discrimination and the obligation of equal treatment.	For this purpose, personal data may be processed for a period of time four years from the end of the selection process, in the case of an ongoing court or other process, for the entire duration of the process.

Time of personal data processing

We keep personal data only for the time necessary for the purpose of their processing - see the table above. After this period, personal data may only be kept for the purposes of the state statistical service, for scientific purposes and for archival purposes.

Recipients of personal data and transfers of personal data outside the European Union

In justified cases, we may transfer your personal data to other entities (hereinafter referred to as "recipients").

Personal data may be transferred to the following recipients:

Processors who process your personal data according to our instructions and relationships with them are treated according to the requirements of Article 28 GDPR:

They may have access to your personal information:

Rekola Bikesharing SK s.r.o. (IČ: 53130171, with headquarters at Trenčianska 57, Bratislava, 825 10) to the extent necessary for the purpose of operating shared bikes and protecting our property (or the property of Rekola Bikesharing SK s.r.o.) in Slovakia.
Rekola Bikesharing Estonia OÜ (Company ID: 17045165, with headquarters at Tartu mnt 67/1-13b Tallinn 10115) to the extent necessary for the purpose of operating shared bikes and protecting our property (or the property of Rekola Bikesharing Estonia OÜ) in Estonia
Payment gateway providers (= e.g. Comgate a.s., Gočárova třída 1754 / 48b, Hradec Králové, 500 02, Czech Republic; Company ID: 279 24 505, DIČ CZ27924505) to the extent necessary (= mainly e-mail, name) for the purpose of successfully completing the payment. This obligation to provide additional information is governed in particular by Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006. This regulation is further amended by Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets.
providers of the programs used by us, always only to the extent necessary and for the purpose of administration and technical support of these programs.

public authorities and other entities, if required by valid legal regulation;
other entities in the event of an unexpected event in which the provision of data is necessary for the purpose of protecting life, health, property or other public interest, or if it is necessary to protect our rights, property or safety (e.g. Police of the Czech Republic).

After your first visit to our website, our server sends a small amount of data to your computer and stores it there. The browser then sends this data back to the server with each subsequent visit to the site. This small file is called a "cookie" and is a short text file containing a specific string of characters with unique information about your browser. We use cookies to improve the quality of our services and to better understand how people use our site. That is why we store user preferences in cookies and use them to monitor user trends and how people behave on our pages and how they view them.

Most browsers are set to accept cookies. However, you have the option to set your browser to block cookies or to notify you when cookies are sent. However, some services or functions will not work properly without cookies.

Our website uses only "first-party" cookies, i.e. cookies used only by our website (hereinafter referred to as "first-party cookies") and "third-party" cookies (i.e. cookies originating from third-party websites). We use first-party cookies to store user preferences and data needed during your visit to the website (e.g. the contents of your shopping cart). These are so-called "technical cookies" and are necessary for the website to function.

We use third-party cookies to monitor user trends and patterns of behavior, target advertising, with the help of third-party providers of web statistics. Third-party cookies used to track trends and patterns of behavior are used only by our website and the web statistics provider, they are not shared with any other third party. In order for us to store these cookies on your computer, you must first consent.

In particular, we use the following third-party cookies:

Google Analytics, Google AdWords
Facebook Pixel
Smartlook

Principles of personal data processing

Legality

We process your personal data in accordance with applicable legal regulations, in particular GDPR.

Consent of the data subject

We process personal data only in the manner and to the extent to which you have given us consent, if consent is the title of processing.

Minimization and limitation of personal data processing

We process personal data only to the extent necessary to achieve the purpose of their processing and for no longer than is necessary to achieve the purpose of their processing.

Accuracy of processed personal data

We process personal data with an emphasis on their accuracy. Using reasonable means, we process updated personal data.

Transparency

Through this Policy and the contacts listed above, you have the opportunity to familiarize yourself with the way in which we process your personal data, as well as with their scope and content.

Purpose limitation

We process personal data only to the extent necessary to fulfill the stated purpose and in accordance with this purpose.

Safety

We process personal data in a way that ensures their proper security, including their protection using appropriate technical or organizational measures against unauthorized or illegal processing and against accidental loss, destruction or damage.

Automated individual decision-making and profiling

When processing your personal data does not occur to automated individual decision-making, even on the basis of profiling.

Your rights as a data subject

Right of access to personal data

You have the right to request access to your personal data from us. In particular, you have the right to obtain confirmation from us as to whether or not personal data concerning you are processed by us, and further to the provision of additional information about the processed data and the method of processing in accordance with the relevant provisions of the GDPR. If you request it, we will provide you with a copy of the personal data we process about you free of charge. In the event of a repeat request, we may charge a reasonable fee for providing a copy to reflect the administrative costs of processing.

To obtain access to your personal data, please use the contact provided in this Policy.

The right to withdraw consent to the processing of personal data, if the processing is based on consent

You have the right to revoke your consent to the processing of personal data processed by us on the basis of this consent at any time, in particular through the contact specified in these Policies.

The right to correct personal data

If you find that the personal data we hold about you is inaccurate, you can request that we correct this data without undue delay. If it is reasonable with regard to the specific circumstances of the case, you can also request the addition of the data that we process.

You can request correction, restriction of processing or erasure of data through the contact specified in this Policy.

The right to erasure of personal data

You have the right to request that we delete the personal data we process concerning you without undue delay, in the following cases:

if you revoke your consent to the processing of personal data and there is no other legitimate reason for their processing on our side that would override your right to erasure;
if you object to the processing of personal data (see below);
Your personal data is no longer needed for the purposes for which we collected or otherwise processed it;
personal data were processed by us unlawfully;
personal data were collected by us in connection with the offer of information society services to a person under the age of 18;
personal data must be deleted to fulfill a legal obligation set out in European Union law or in the Czech legal order that applies to us.

We are obliged to delete your personal data in these cases even without your request. Under the conditions set out in Article 17 of the GDPR, we do not have to delete your personal data (for example, if we need the data to exercise our legal claims against you).

You can request erasure in these cases through the contact provided in this Policy.

The right to restrict the processing of personal data

You have the right to have us restrict the processing of your personal data in cases where:

you deny the accuracy of the personal data. In this case, the restriction applies for the time necessary for us to verify the accuracy of the personal data.
the processing is unlawful and you refuse the erasure of the personal data and request the restriction of their use instead.
We no longer need your personal data for the purposes for which we processed them, but you require them to determine, exercise or defend legal claims;
you object to the processing (see below). In this case, the restriction applies until it is verified whether the legitimate reasons on our side outweigh your legitimate reasons.

During the period of restriction of personal data processing, we can process your personal data (with the exception of their storage) only with your consent, or for the purpose of determining, exercising or defending our legal claims, for the purpose of protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a member state. As stated above, you can request the restriction of processing through the contact specified in this Policy.

The right to object to processing

You have the right to object to the processing of your personal data in the following cases:

If your personal data is processed for the reason that the processing is necessary for the purposes of our legitimate interests, and you object to the processing, we cannot further process the personal data unless we demonstrate serious legitimate reasons for the processing that outweigh your interests, rights and freedoms, or to establish, exercise or defend our legal claims.
If your personal data is processed for direct marketing purposes and you object to the processing, we will no longer process the personal data for these purposes.
If your personal data is processed for the purposes of scientific or historical research or for statistical purposes, we will not process it further, unless the processing is necessary to fulfill a task carried out for reasons of public interest.

You can file an objection through the contact provided in this Policy.

Right to data portability

In the event that we process your personal data on the basis of your consent or for the reason that it is necessary to fulfill the contract concluded between us, you have the right to obtain from us the personal data that concern you and that you have provided to us, in a structured , a commonly used and machine-readable format, if personal data is processed by us. You have the right to transfer this data to another data controller or to request that we provide this data directly to another data controller if technically feasible.

To obtain your personal data, please contact the contact listed in this Policy.

The right not to be subject to any decision based solely on automated processing, including profiling

You have the right not to be subject to any decision based solely on automated processing, including profiling, which has legal effects for you or similarly significantly affects you.

This does not apply if:

automated decision-making is enabled by law;

automated decision-making is necessary to conclude or perform a contract concluded between us;
your explicit consent to automated decision-making has been granted.

The right to receive information about a breach of the security of your personal data

If it is likely that a breach of our security will result in a high risk to your rights and freedoms, we will notify you of the breach without undue delay. If appropriate technical or organizational measures have been used to process your personal data, ensuring, for example, that it is not comprehensible to an unauthorized person, or if we have taken additional measures to ensure that a high risk does not manifest itself, we do not have to pass on information about the breach to you.

The right to lodge a complaint with the supervisory authority

If you believe that the processing of your personal data violates the obligations set out in the GDPR, you have the right to file a complaint with a supervisory authority. The supervisory authority in Estonia is the Estonian Data Protection Inspectorate, located at Tatari 39, 10134 Tallinn, Estonia, phone: +372 627 4135, E-mail: info@aki.ee, www.aki.ee.

This Privacy Policy is effective from 19.8.2025