Privacy Notice

• Notice on the Processing of Personal Data of Natural Persons Within the Lifestorie Service
  • Registered Service Users
    • What are the Purposes of Personal Data Processing?
    • Legal Basis for Processing
    • What Data Do We Process and what Are Their Sources?
    • How Will Your Process Personal Data Be Processed?
    • Termination of Service
  • Who May Have Access to Your Personal Data?
  • Are You Mandated to Provide Your Personal Data?
  • Our Services and Children
  • Consent
  • Right to Object
  • Automated Decision-Making
  • Commercial Communications (Newsletter)
  • Updates
  • ”Report Inappropriate Content” Function
  • ”Comment” Function
  • Risks and Recommended Procedures
• Your Rights under the GDPR
• How Can You Contact Us?

This Notice summarizes the basic principles governing the processing of personal data of LifeStorie users (natural persons) by Mystorie s.r.o.

The operator of the LifeStorie portal – Mystorie s.r.o., ID No. 175 77 888, with the registered office at Čs. armády 251, 263 01 Dobříš, registered in the Commercial Register of the Municipal Court in Prague, Section C, Insert 373185 (“Lifestorie”) is the personal data controller.

When processing your personal data, we are subject to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR; the “Regulation”) and other relevant legislation, in particular Act No. 110/2019 Coll., on the processing of personal data (the “Act on Personal Data Processing”).

Registered Service Users

This section of the Notice summarizes the basic principles of the processing of your personal data by Mystorie s.r.o. if you are a registered user of the LifeStorie service.

What are the Purposes of Personal Data Processing?

This section provides an overview of the purposes for which we will use (process) your personal data. Usually, each piece of data is used for more than one purpose at the same time. The means of processing, the duration of the processing, etc., are then determined by the stated purposes. In certain cases set out in the Regulation , we may also process your data for purposes other than those set out below, but only in exceptional and limited cases, subject to further conditions as determined by the Regulation.

The data collected by LifeStorie are used for the following purposes:

• the primary purpose is the operation of the LifeStorie service (including the LifeStorie Forum – the “Discussion Forum”), i.e. to render the LifeStorie service that you use through our app, including the registration of users of this service and contractual relations
• to protect our or third-party rights (e.g. in the event of a litigation relating to our services or photos posted on LifeStorie and to recover debts)
• statistical purposes (but in this context your data is usually aggregated so that you cannot be identified)
• to measure LifeStoria website traffic (in particular via Google Analytics)
• improving the content of the LifeStoria website and its development (e.g. by measuring)
• ensuring the security of our systems and network against external attacks or misuse by users, to the extent customary in the market
• for book-keeping and fulfilling other legal obligations (proving the legal basis for processing your personal data and fulfilling other obligations under the Regulation and, where applicable, other data protection legislation)

We usually process your data using our own computer systems, although we may also use third-party systems (so-called processors). You can log in to LifeStoria via our iOS and Android app. The app allows you to log in to your own account, access your own albums, create new albums and events, upload content to them and edit existing albums and events. 

Each processing of personal data is based on the applicable legislation – i.e. must rely on one of the legal bases for processing provided for in the Regulation. Similarly, as in the case of a purpose, each piece of data may be processed under more than one legal basis for processing. If no legal grounds apply anymore, we will discontinue processing your data. The possible legal grounds for processing are listed in Article 6 of the Regulation.

The legal basis for the processing of your personal data is in particular:

• the obligation to perform a contract,
• the recovery of debts arising from the actual use of the LifeStorie service,
• the legitimate interests of LifeStorie (given by the interest in protecting our rights, processing for statistical purposes, measuring website traffic, improving the content of our website and its development, ensuring the security of our systems and network) and third parties (in particular our contractors involved in the performance of services for you or the persons shown in photos),
• compliance with legal requirements (prevention of illegal conduct, compliance with requirements under data protection legislation, in particular the Act on Personal Data Processing and the Regulation, bookkeeping and compliance with obligations under tax laws).

Your consent may also represent a legal basis for the processing of your data, in particular if you enter so-called special categories of data into LifeStorie. In this case, you can withdraw your consent at any time (for withdrawal, please use the interface of the service or contact us using the details set below). Please note that the withdrawal of consent to the processing of personal data is without prejudice to the lawfulness of processing based on consent given before its withdrawal.

This section describes the types of your personal data that will be subject to processing. Personal data mean any information about an identified or identifiable natural person (the “Data Subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, a network identifier or to one or more specific features of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  

Your personal data that we process will usually be obtained directly from you or as part of tracking your activity on our website (accounts). In justified cases (in particular as part of debt recovery), we may also seek further information about you from open and publicly available sources.

We will collect personal data of registered users of our LifeStorie service primarily directly from you to the following extent in particular: your completed login details (username, email), your password to the service (stored in hash form), stored photos/videos including so called EXIF (name of the file, used camera, date of the photo, used ISO value, geolocation data), profile and main photo uploaded into the service including EXIF, your favorite events and authors, your comments on other people´s photos or posted in the discussion forum and your address, contact details and billing and payment details, including the relevant account number. We will also process data about how you registered or, where applicable, whether and how you consented to the processing of your personal data (usually by storing information about how and when you registered/consented, including, for example, your IP address from which you checked the relevant box or details of your reaction to a confirmation email) and when you cancelled your registration or withdrew your consent.

We will also store logs of your activity within your account in the system to document your activity and as a security measure. In this context, we will collect related information about you, i.e. the IP address from which you log in to our services or use within the service, the date and time you accessed these services, the changes you made.

If we are forced to cancel your registration, e.g. due to a breach of the Terms of Service, we will store your basic identification data, registration and cancellation data and, where applicable, information about consents granted and withdrawn, activity logs and the reason for cancelling the service for a reasonable period of time, in particular to protect our rights and the rights of third parties and to be able to prove the lawfulness of personal data processing.

If you enroll for a contest, we will store the related data for the duration of your account.

The personal data processed by us will thus be obtained either directly from you (by providing it to us as part of your registration for the service and your activity within the service interface or from individual communications with you) or as part of tracking your activity within our service.

Our services also use cookies. An overview of cookies is available here and the general cookie policy can be accessed here.

The duration of personal data processing is not at our company´s discretion, it depends on how long we actually need them. We try to limit this period taking into account both your and our interests.

All data collected as part of the registration for the LifeStorie service and during the use of the registered LifeStorie service are usually stored for the entire registration period and for 3 months after cancellation, when you can reactivate your account. The photos/videos originally stored in the service are backed up for a period of 3 months after cancellation of the account or deletion of the uploaded files in order to protect the rights of our company and third parties and to be able to provide proof of lawfulness of personal data processing. These backups are deleted after 3 months, except where an incident relating to the data in question is currently being resolved. Thereafter, only the basic registration data, information about consents granted/withdrawn and the reason for termination of the service or the data forming part of the operational backups and the security logs of the activity within the account are stored for a reasonable period of time (determined in particular with regard to the limitation period for legal claims that could be exercised against our company).

Cancellation of the above accounts is without prejudice to our right to retain for an extended period of time information that such an account existed, when it was set up and cancelled.

Information about the use of paid services (payment details, etc.) is usually stored for 10 years after delivery as proof of our contractual performance. For registered users, the underlying photos are stored in their profile where they can be deleted.

We reserve the right to make inaccessible or delete accounts that are not used by the user for a reasonable period of time or seem to be defective.

The above time limits may be exceeded where appropriate given the circumstances, e.g. if an inspection by a regulatory authority is initiated or in the event of a pending dispute.

As regards the processing period, unless it is expressly stated in the Terms of Service or provided for by law, we determine the adequacy of the processing period based on the following considerations in particular:

• the length of the limitation period (including a reasonable time buffer) for learning that a lawsuit has been filed or other proceedings have been initiated,
• the likelihood of legal claims being brought against Mystorie s.r.o.,
• the anticipated reaction times for detecting attacks against our network or other security breaches,
• common market practices and recommendations of regulatory authorities; and
• the likelihood and significance of imminent risks.

You may discontinue your use of our LifeStorie service whenever you wish. If you want to cancel your account, please contact the administrator of the service, who will complete the cancellation process with you, or cancel the service directly from your user account. If you cancel your registration, we will stop using your data to provide the service.

Please also note that – as stated above – we will store certain data even after cancellation as backups in order to protect the rights of our company and third parties, as part of IT security and to prove compliance with legal regulations, in particular on data protection and accounting.

Who May Have Access to Your Data?

We are not the only entity that may process your personal data. We may hire third parties, called data processors, to process personal data. We try to engage only processors with sufficient credibility. As part of the service, we may also disclose data about you to other service providers or third parties in the event of incidents.

If you order a paid service, we will disclose selected personal data to our partner companies that are owners of such products. Basic identification data will also be shared with Apple Pay, Google Pay, which allows you to make payments for service orders (however, the payment itself is carried out outside our system and we only receive general information without an account number, and we do not have access to detailed data on payment methods).

Otherwise, Mystorie s.r.o. may disclose your personal data to third parties only if required or permitted by law or with your consent. Mystorie s.r.o. only discloses personal data to processors or other recipients to the extent customary:

• suppliers of external services for Mystorie s.r.o. (typically programming or other technical support services, server services, e-mails, services related to measuring our website traffic and tailoring its content to user preferences),
• back-up server operators or operators of technologies used by LifeStorie who process them to ensure the functionality of the relevant LifeStorie services,
• to the extent necessary, to legal, economic and tax advisors of Mystorie s.r.o. and to the auditors of Mystorie s.r.o. who process them for the purpose of providing consulting services to Mystorie s.r.o.,
• personal data relating to debtors with overdue debts may also be disclosed to debt insurance companies or debt collection agencies for the purpose of collecting or recovering debts owed to Mystorie s.r.o.,
• in the event of a specific incident (e.g. if a third party disputes the legitimacy of the publication of a photo), the complaint and the response may be sent to the relevant other party for comment,
• upon request or in the event of suspected breach of law, personal data may also be transmitted to the relevant public authorities.

Provision of your personal data to Mystorie s.r.o. is voluntary (however, if you want to register for our service, certain types of personal data are mandatory, i.e., in their absence, you will not be able to use the LifeStorie service). If you are obliged by a specific law to disclose personal data for processing in some instances, you will be informed of this fact separately.

The Regulation or the Act on Personal Data Processing restricts the processing of data in connection with web services in some cases if they are to be used by children under the age of 15. It also provides for enhanced erasure rights for users who entered data into the service when they were under 18 years of age.

As part of registration, we reserve the right to directly require the user to indicate whether he/she is 12 years of age or younger in order to verify whether the consent of his/her parent or other legal guardian is required for this process.

If you still wish to register for our service as a person under 18 years of age, please be advised that you have an enhanced right to request the erasure of any data processed about you that was entered before the age of 18. We will always strive to comply with your request for erasure. If you were under the age of 18 when you registered for or entered data into the service and subsequently request erasure, please let us know of this so that we can take your age into account sufficiently and properly.

Although consent is only one of the grounds for processing, the Regulation imposes specific requirements for obtaining it. If you believe that you are being forced to grant it, please contact us and we will focus on the issue immediately.

Note that if the legal basis for processing of your personal data is your consent (typically given by selecting it in the service settings), you may withdraw such consent at any time, free of charge, either directly in the service interface or by contacting using the details below. Withdrawal of consent is without prejudice to the lawfulness of processing based on consent given prior to its withdrawal.

Connection to Social Networks

You may link your LifeStorie account to your Apple account or Google account, whereby we will obtain from these services and store your email address, name and profile photo within your account.

Right to Erasure

You have the right to request that Mystorie s.r.o. erases your data without undue delay in accordance with Article 17 of the Regulation if any of the following grounds apply:

1. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
2. b) you withdraw the consent on the basis of which the data were processed pursuant to Article 6(1)(a) or 9(2)(a) of the Regulation and there is no further legal basis for the processing;
3. c) you object to processing pursuant to Article 21(1) of the Regulation and there are no overriding legitimate grounds for processing or you object to processing pursuant to Article 21(2) of the Regulation;
4. d) the personal data have been processed unlawfully;
5. e) the personal data must be erased to comply with a legal obligation under EU or Member State applicable to Mystorie s.r.o.;
6. f) the personal data have been collected in connection with the offer of information society services pursuant to Article 8(1) of the Regulation

Right to Object to Processing

Pursuant to Article 22 of the Regulation, you have the right as a Data Subject not to be subject to any decision based solely on automated processing, including profiling, which has legal effects on you or significantly affects you in a similar way (“the right to automated individual decision-making”).

The right to automated individual decision-making will not apply if the decision is:

1. necessary to enter into or perform the contract between you and Lifestorie;
2. permitted by EU or Member State law that applies to Mystorie s.r.o. and that also provides for appropriate measures to ensure the protection of the rights and freedoms and legitimate interests of your data; or
3. based on your express consent.

Mystorie s.r.o. has no intention to carry out any automated decision-making that would have legal effects for you or would affect you in a similarly material manner within the meaning of Article 22 of the Regulation. If you are, for example, denied the opportunity to register for our service due to an automated check of, for example, a duplicate email address, you can always contact the administrator of the relevant service or LifeStorie in general to request a final decision, which will always be based on an assessment by the operator.

In order to improve the protection of our service from illicit use, we will be introducing automated checks of uploaded content for illegality. In this regard, we use artificial intelligence to analyze individual photos and then alert our operators to potentially problematic photos. Our operators will review such content and, where necessary, delete them or contact the uploader. However, the artificial intelligence we use is not intended to recognize individual persons by tracking biometric data.

Commercial Communications (Newsletters)

We will also process data about current or past users of our services or persons who have given us consent in this regard for the purposes of so-called direct marketing, typically emails or telephone calls with offers of similar products or services as you have received from us. You will always be allowed to opt-out of receiving commercial communications in each message you receive, or by contacting us at the details below.

Offers may usually be sent without any time limitation. However, if you reject such offers, we will not send them to you. You may reject offers in any e-mail containing such communications or during telephone conversation, or by using the contact details listed below. However, we will continue to process basic mailing data for a reasonable period to be able to demonstrate the reasons for making such offers. We will not forward your data to any third parties for the purpose of sending offers (except to our subcontractors – processors who process personal data for us).

When sending so-called commercial communications, we will process the following personal data about you: your name, surname, your e-mail address and, where applicable, a list of e-mails we have sent you. In this context, we may also use, to a reasonable extent, other data you provided within our service in order to include you in a general group of people with similar preferences and to be able, in certain cases, to limit the commercial communications to only those that you may find appealing. We will process this data for the purpose of sending you commercial communications, i.e. for the purpose of so-called direct marketing. This will involve sending commercial communications from our company, in particular concerning LifeStorie.

We will send you commercial communications at reasonable intervals, usually several times a month. You will be able to opt-out of such communications at any time by clicking the link available in each such message you receive.

As part of email communications, the relevant mailing services also usually store information about whether and when an email was opened, how you responded to the e-mail, your IP address and approximate geolocation or version of your system. This information is used to protect our or third-party rights and for our IT security and direct marketing purposes (to allow us to customize the content of emails to contain information you find interesting).

We will process data about message history, the legal basis for mailing, including, where applicable, the list of messages sent, as part of IT security, the protection of our and third-party rights, and to substantiate our compliance with the requirements set out in privacy legislation for a reasonable period of time after you have opted out of email communications.

Personal Data Updates

As a data controller, one of our obligations is to process accurate data or, where appropriate, to complete incomplete data in view of the circumstances. Please, inform us that changes have been made to your data to help us to fulfil this obligation properly. In the event of a change in the data you have provided, kindly notify us about the change or update the data yourself directly in the service interface.

Report “Inappropriate Content” Function

LifeStorie is an information society service, which means that primary responsibility for content of the uploaded photos is borne by the uploader. However, LifeStorie allows you to report inappropriate content using a simple form. When a form is submitted, we store the data entered in the form, the IP address from which it was sent and the time of submission. If the report is made by a registered user, we store the information that they have used this functionality and how. If you feel that any of the posted photos or other posted content violates your rights or the rights of third parties, please use the above function to report such violation. We will promptly investigate any reports. Of course, you can also contact us using other channels. 

In justified cases (especially if misuse of a photo is reported), we may confront the user who uploaded the photo and inform him/her about the content of the report. Likewise, we may forward his/her response to the complainant for comment. We may also use other data to resolve the incident, such as the EXIF data of the photo in question and other similar photos, which may help us determine whether the photos were taken by the same user.

“Comment” Function

LifeStorie allows registered users to comment on individual photos. Comments are displayed publicly on the LifeStorie app page. We store the comments (their text) and the IP addresses from which they were sent.

LifeStorie also allows you to activate measurement via Google Analytics.

LifeStorie does not allow the sharing of content on social networks via third-party applications.

Risks and Recommended Procedures

Any processing of personal data carries certain risks that may vary depending on the scope of the processing and the means used. Below is a list (non-exhaustive) of the best practices that can help you protect your data:

• For photos, always consider if it is appropriate to publish them or whether they should remain visible only to users with the access code. If specific people are identifiable in the photo, it should be accessible to everybody only insofar as permitted by law, especially if the photo is artistic, newsworthy or with the consent of the person in the photo. The location where the photo was taken, whether at a public event or at an event with a limited number of participants, also plays a role. Take particular care to protect children. Sometimes a simple rule can also help – ask yourself whether you would want the photo to be freely accessible and in circulation if you or your loved ones were in it. For photos that have become outdated, consider hiding or securing them. Of course, only post photos on our app where you are the author or have his/her permission. Although we try to randomly check the content submitted to our server for any signs of infringement, we cannot always detect or capture such content. We will be happy to identify such content if you notify us by using the relevant button or by contacting us.
• LifeStorie is not intended to replace secure storage for confidential documents; if you want to share confidential documents with someone while being protected by a high level of security, use one of the specialized services. Album protection will help you keep your content away from third parties, but keep in mind it is not intended as a full replacement for specialized secure services. If you merely hide an album, remember that if you have given someone a link to the photos in the album, or if the photos were indexed by a search engine before you hid the album, the link will still work. You also cannot completely rule out that someone will get the link accidentally. Alternatively, you may prefer to move such photos to a new album that will be hidden from the start.
• Always consider whether it is necessary to give us your data. In particular, you should carefully consider providing data relating to your personal life and aspects of it unrelated to the purposes for which you are providing such data. If you feel that we are prying, please contact us and we will address your issues.
• If you provide us with, or post on our services, personal information of third parties in posts (photos of your family members or third parties, etc.), please consider whether it is appropriate to publish it or to post it at all. If necessary, obtain the consent of such persons.
• If one of our co-workers asks you to provide data, feel free to ask whether it is necessary and whether the purpose of the processing can be achieved without the data.
• Each natural person must have one access to the respective service, access sharing is strictly prohibited.
• People under 18 are particularly vulnerable. If you are under 18 years of age, or if you are unsure whether you are able to make the right decision, please discuss the matter with your parent (or other legal guardian) or contact us individually. We may require a special consent from the parents or legal guardians of persons under the age of 12.
• If you log into our systems with a password, always use a unique strong password and never use it for other devices and accesses. Also, never share or disclose your password with anyone, including our staff. We will never require you to provide your password, so be especially wary of various email solicitations for passwords, even if they are signed on behalf of LifeStoria. These are likely scams that are designed to obtain your password and then misuse it. If you protect your albums with a code, never use a code that is the same as the passwords you use; this code is less protected than the passwords you use to access the service!
• If you send us confidential information, please try to use a secure method of communication, such as securing the file with a password and encryption and disclosing the password through another communication channel.
• If you feel that we are not fulfilling all our obligations, an unauthorized data leak has occurred or that someone is impersonating our associate, please inform us as soon as possible. You can find our contact details below.
• We try to keep these Notices up to date at all times. Therefore, we will amend this Notice from time to time. We will notify you separately about more substantial amendments, but we still recommend checking these rules from time to time.
• Please keep your details up to date on our service interface.

Your Rights under GDPR

Pursuant to Regulation (EU) 2016/679) of the European Parliament and of the Council

The Data Subject may exercise the following rights with us, as the data controller:

a) request access to personal data processed by the controller, namely the right to obtain confirmation from the controller as to whether or not personal data concerning him/her are being processed and, if so, the right to obtain access to such personal data and to the other information referred to in Article 15 of the Regulation,

b) request the rectification of his/her personal data being processed if they are inaccurate. Taking into account the purposes of the processing, the Data Subject also has the right, in certain cases, to request the completion of incomplete personal data, including by providing an additional declaration (Article 16 of the Regulation),

c) request the erasure of personal data in the cases provided for in Article 17 of the Regulation,

d) request the restriction of data processing in the cases provided for in Article 18 of the Regulation,

e) obtain personal data relating to him/her and

• which we process with his/her consent, or
• which we process for the performance of a contract to which the Data Subject is a party or for the performance of pre-contractual measures taken at his/her request in a structured, commonly used and machine-readable format, provided that he/she has the right to transfer the data to another controller, subject to the conditions and limitations set out in Article 20 of the Regulation (right to data portability),

f) the right to object to processing within the meaning of Article 21 of the Regulation on grounds relating to his/her particular circumstances (see section “Right to Object” for more details).

If we receive such a request, we will inform the Data Subject of the action taken without undue delay and in each case within one month of its receipt. This time limit may be extended by a further two months if necessary, taking into account the complexity and number of requests. LifeStorie is not obliged to comply with all or part of the request in certain cases provided for in the Regulation, such as, in particular, if the request is manifestly unfounded or unreasonable, especially if it has been submitted repetitively. In these cases, we may (i) impose a reasonable fee taking into account the administrative costs of disclosure or communications or taking the requested steps, or (ii) refuse to comply with the request altogether.

If we receive the above request but have reasonable doubt as to the identity of the person in question, we may ask the person to provide us with additional information necessary to establish and confirm his/her identity.

We will retain information about the Data Subject´s exercise of their rights with us and how we have dealt with their request for a reasonable period (usually 3-4 years) for archiving and statistical purposes, to improve our services and to protect our rights.

If the Data Subject believes that LifeStorie processes his/her personal data unlawfully or otherwise violates those rights, he/she has the right to lodge a complaint with the relevant supervisory authority (Office for Personal Data Protection) or pursue his/her claims in court.

How Can You Contact Us?

You can use the following contacts for any comments and questions about data protection and to contact us regarding the exercise of your legal rights:

Mystorie s.r.o.

email: info@lifestorieapp.com