
Privacy Policy (GDPR)

Version: 1.2

Effective from: 1.1.2026

1. Parties and Relationship to ToS

1.1 This Data Processing Agreement ("DPA") governs the processing of personal data in connection with the use of the Asset Manager - LarvaSystems service ("Service").

1.2 Provider: LarvaSystems s.r.o., ID No. 17706921, with registered office at Habrová 137, 250 66 Zdiby Prague-East ("Processor").

1.3 The customer using the Service ("Customer") typically acts as the data controller ("Controller").

1.4 The DPA is published together with the ToS and the Controller agrees to it in the same way as the ToS (e.g., by checking a box during registration/plan ordering). The Processor is entitled to keep a record of the agreement (date/time, account identification, ToS/DPA version) for demonstrability purposes.

1.5 Contact email for personal data protection and incidents: info@larvasystems.cz.

2. Subject, Nature, and Purpose of Processing

2.1 The subject of the DPA is the processing of personal data that the Controller uploads to the Service or that arises when using the Service (e.g., user accounts, audit records).

2.2 Nature of processing: in particular storage, organization, retrieval, consultation, export, backup, security, and technical management.

2.3 Purpose of processing: providing, operating, securing, and supporting the Service, including incident resolution and technical requirements of the Controller.

2.4 Duration of processing: for the duration of active use of the Service and further for the period necessary for export and termination of access according to ToS/DPA and for fulfilling legal obligations (to the necessary extent).

3. Categories of Data Subjects and Types of Personal Data

3.1 Categories of data subjects (typically): employees and collaborators of the Controller, Service users at the Controller, and possibly other persons registered by the Controller within asset processes.

3.2 Categories of personal data (typically according to Controller's use):

  • a) user identification and contact data (name, surname, email, role, login identifiers),
  • b) operational and audit data (logs, operation history, IP address within security records),
  • c) other data entered by the Controller into the Service (e.g., names of responsible persons, etc.).

3.3 Special categories of personal data (sensitive data): the Controller does not upload these to the Service. If this happens, the Controller does so on its own responsibility and the Processor will process such data only to the extent necessary for providing the Service.

4. Controller's Instructions

4.1 The Processor processes personal data only on documented instructions from the Controller. Instructions are given particularly by setting up and using the Service by the Controller and their users.

4.2 If the Processor finds that an instruction is contrary to EU/Czech law (including GDPR), it shall inform the Controller without undue delay.

5. Confidentiality

5.1 The Processor shall ensure that persons authorized to process personal data are bound by confidentiality or an appropriate statutory obligation of confidentiality.

6. Security of Processing

6.1 The Processor shall implement appropriate technical and organizational measures to secure personal data, particularly with regard to risks. Typically:

  • a) access and role management, minimization of privileges,
  • b) secure data transmission (TLS),
  • c) logging of administrative and security events,
  • d) regular backups and recovery procedures,
  • e) protection against unauthorized access and abuse (monitoring, updates, hardening).

6.2 Backup: The Processor performs daily backups of Service operational systems data; backups are retained for 30 days (30-day retention).

6.3 Specific measures may be reasonably adjusted by the Processor according to the development of security standards and threats, while maintaining an adequate level of protection.

7. Sub-processors

7.1 The Controller grants the Processor general authorization to engage sub-processors, particularly infrastructure, hosting, backup, email services, and monitoring providers, if necessary for Service operation.

7.2 The Processor shall ensure that sub-processors are bound by personal data protection obligations at least to the extent corresponding to this DPA.

7.3 The current list of sub-processors is provided in Annex 1. The Controller will be informed of substantial changes (e.g., by email or in the Service).

8. Processing Location and Transfer to Third Countries

8.1 Primary processing and storage of Controller data within the Service takes place in the EU/EEA.

8.2 If personal data is transferred outside the EU/EEA as part of engaging sub-processors, the Processor shall ensure appropriate safeguards under GDPR (e.g., standard contractual clauses), unless other legal exceptions apply.

9. Assistance to the Controller

9.1 The Processor shall provide the Controller with reasonable assistance in:

  • a) handling data subject requests (access, rectification, erasure, restriction, portability, objection),
  • b) fulfilling the Controller's obligations under Articles 32 to 36 GDPR (security, impact assessment, consultation with supervisory authority),

to an extent appropriate to the nature of the Service. If assistance requires extra work, it may be charged according to the support conditions stated in the ToS.

10. Personal Data Breach Incidents

10.1 The Processor shall notify the Controller without undue delay of any detected personal data breach affecting the Controller's data and provide available information necessary for the Controller to fulfill their obligations (to an extent appropriate to the situation).

11. Data Handling After Service Termination

11.1 After termination of Service use, the Processor shall allow the Controller a one-time export of personal data according to the ToS. It is advisable to make the request within 30 days.

11.2 After this period expires, the Processor shall delete or anonymize personal data unless their longer retention is required by legal regulations.

12. Audit and Information

12.1 The Processor shall provide the Controller upon request with reasonable information necessary to demonstrate compliance with this DPA (typically description of measures, questionnaire responses).

12.2 Physical audits at third-party premises (data center) are subject to these providers' rules. Direct audit at the Processor is possible only to a reasonable extent and by prior agreement so as not to disrupt security and operations.

13. Final Provisions

13.1 This DPA is governed by the law of the Czech Republic and is interpreted in accordance with GDPR.

13.2 In case of conflict between the DPA and ToS, the DPA takes precedence in matters of personal data processing.

13.3 The DPA applies to the processing of personal data within the Service from the effective date stated in the header and in the version valid at the time of agreement.

ANNEX 1 - Sub-processors

The following sub-processors may be used for Service operation:

1) Google Cloud (Google Cloud Platform)

  • Provider: Google (typically Google Cloud EMEA Limited / Google Ireland Limited or other relevant Google group entity according to provided terms)
  • Purpose: cloud infrastructure (hosting, databases, storage, network services, infrastructure backup, monitoring)
  • Processing location: EU/EEA (primary storage and processing of Controller data in EU/EEA)

Note: If the Processor engages other significant sub-processors (e.g., emailing, monitoring), they will be added to this annex and the Controller will be informed of the substantial change according to Article 7.3.

ANNEX 2 - Overview of Security Measures (TOMs)

  • Access and role management (principle of least privilege)
  • Secure data transmission (TLS)
  • Environment and access separation according to Processor's internal rules
  • Security and administrative event logging
  • Daily backups and recovery procedures; 30-day backup retention
  • System updates and hardening, availability and incident monitoring
  • Security incident reporting and resolution procedures
