SAFE
Privacy Policy
This Privacy Policy explains how ORRO GROUP a.s. collects, uses, and protects personal data in connection with the SAFE application. It should be read together with the SAFE Terms of Service.
1. Who We Are (Data Controller)
The controller responsible for your personal data is:
ORRO GROUP a.s.
Budilova 161/15, 301 00 Plzeň, Czech Republic
Company identification number (IČO): 04365569
Email: orro-group@orro-group.com
We have not appointed a Data Protection Officer, as we are not legally required to do so. For any privacy-related question, please use the contact email above.
2. What Personal Data We Collect
Teachers and tutors (account holders). When you register and use SAFE, we collect:
- identification and contact data: your name and email address;
- billing data: information necessary to process payments and issue invoices (handled primarily by our payment processor – see Section 4);
- account and subscription data: your subscription plan, status, and billing history;
- technical data: information necessary to operate and secure the service, such as IP address, device and browser information, and log data.
Students. Students use SAFE-EN without creating an account. Apart from transient technical data necessary to deliver the service (such as IP address and device identifiers), we do not store personal data about students beyond the duration of their session.
Vocabulary content. Vocabulary sets created in SAFE-GEN-EN are stored locally in the teacher’s browser and are not transmitted to our servers unless you explicitly use a backup, synchronisation, or sharing feature that clearly indicates that data will be uploaded.
We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, or health information).
3. Why We Use Your Data and Our Legal Basis
We process personal data for the following purposes, on the following legal bases under Article 6 of the GDPR:
- To provide and operate SAFE (create and manage your account, deliver the service) – performance of a contract (Article 6(1)(b) GDPR).
- To process payments and issue invoices – performance of a contract and compliance with a legal obligation under Czech tax and accounting law (Articles 6(1)(b) and 6(1)(c) GDPR).
- To keep accounting and tax records – compliance with a legal obligation under Czech law (Article 6(1)(c) GDPR).
- To secure the service and prevent misuse – our legitimate interest in operating a safe and reliable service (Article 6(1)(f) GDPR).
- To communicate with you about your account, important service changes, and these policies – performance of a contract and our legitimate interest (Articles 6(1)(b) and 6(1)(f) GDPR).
We do not sell your personal data, and we do not use it for advertising or for automated decision-making that produces legal or similarly significant effects.
4. Who We Share Data With (Processors)
We do not sell or rent personal data. We share it only with trusted service providers (processors) who help us operate SAFE and who process data on our behalf under a data processing agreement:
- Stripe, Inc. – payment processing. Stripe processes and stores your card details under its own security standards; we do not receive or store full card numbers.
- Supabase – authentication and database hosting (storage of account and subscription data).
- Vercel – application hosting and delivery of the SAFE web application.
We may also disclose personal data where required by law, by a public authority, or to protect our legal rights.
5. International Transfers
Some of our processors are established outside the European Economic Area (EEA), or may process data outside the EEA. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses or a relevant adequacy decision, so that your data continues to receive an adequate level of protection.
6. How Long We Keep Your Data
We keep personal data only for as long as necessary for the purposes described above, and for as long as required by applicable law:
- Account and contact data (name, email, subscription data) – for as long as your account is active and for 3 years after your account is closed, in order to handle any follow-up requests, claims, or legal obligations.
- Billing, accounting, and tax records (invoices and related documents) – for 10 years from the end of the tax period in which the relevant transaction took place, as required under Czech accounting and tax law.
- Technical and log data (IP address, device and browser information, log entries) – for up to 12 months from the date of collection, unless a longer period is necessary in connection with a specific security incident or legal matter.
- Students’ transient technical data – kept only for the duration of the session and deleted or anonymised immediately after the end of the session, and in any case within 24 hours.
After these periods expire, we delete or anonymise the data in a secure manner.
7. Cookies and Similar Technologies
SAFE uses only strictly necessary cookies and similar technologies that are required to provide the service – for example, to keep you signed in (authentication and session) and to keep the service secure. Strictly necessary cookies do not require your consent.
We do not use advertising, marketing, or third-party tracking cookies. If we later add analytics or other non-essential cookies (for example, Google Analytics), we will implement a consent banner that complies with applicable law and we will update this Privacy Policy accordingly.
8. Your Rights
Under the GDPR, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate or incomplete data;
- request erasure of your data (“right to be forgotten”), where applicable;
- restrict or object to certain processing;
- receive your data in a portable, machine-readable format (data portability);
- withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, contact us at orro-group@orro-group.com. We will respond within the time limits set by the GDPR.
You also have the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests (Article 6(1)(f) GDPR).
9. How to Complain
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Czech supervisory authority, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů):
Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
Web: https://uoou.gov.cz
If you are resident in another EU country, you may also lodge a complaint with your local supervisory authority.
10. How We Protect Your Data
We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or misuse, including encrypted connections (HTTPS), access controls, and security measures provided by our hosting and payment partners. No system can be guaranteed to be completely secure, but we work to maintain a level of security appropriate to the risk.
11. Changes to This Policy
We may update this Privacy Policy from time to time, for example to reflect changes in law or in our services. Where changes are material, we will notify account holders by email. The effective date at the top of this policy shows when it was last updated.
12. Contact
For any question about this Privacy Policy or your personal data, please contact:
ORRO GROUP a.s.
Budilova 161/15, 301 00 Plzeň, Czech Republic
Email: orro-group@orro-group.com
Web: www.orro-group.com