Privacy & Data Protection Policy

1. Introductory provisions

The data controller is Codexio s. r. o., Lachova 1602/9, 851 03 Bratislava – Petržalka, ID: 55761631, VAT ID: SK2122079135 (the “Controller”).

Bloomsy is an online platform for creating digital events, generating QR codes, and temporarily collecting photos and videos from event guests.

The Controller processes personal data in accordance with Regulation (EU) 2016/679 (GDPR), Act No. 18/2018 Coll. on Personal Data Protection, and other applicable Slovak and EU laws.

2. Definitions

Controller – Codexio s. r. o.

Data subject – a natural person whose personal data are processed.

Event owner – an individual or legal entity that orders the Bloomsy service.

Guest – a person uploading content through a QR code, link, or password.

Personal data – data as defined in Article 4(1) GDPR.

Content – photographs, videos, and other audiovisual files uploaded to the system.

Processing – any operation performed on personal data as described in Article 4(2) GDPR.

Web – the public website available at https://bloomsy.eu.

3. Controller identification

Controller:
Codexio s. r. o.
Lachova 1602/9
851 03 Bratislava – Petržalka
ID: 55761631
VAT ID: SK2122079135

Contact for data protection matters: privacy@bloomsy.eu

The Controller is not required to appoint a data protection officer under Article 37 GDPR, as the legal thresholds for such appointment are not met.

4. Data subjects and scope

The Controller processes personal data mainly of:

• event owners,
• event guests,
• website visitors.

The categories of personal data include:

• identity data (name, surname, company name),
• contact data (email address, phone number),
• billing and contractual data (billing address, ID numbers, order identifiers, amounts, and currencies),
• technical data (IP address, user-agent, system logs),
• uploaded audiovisual content (photos, videos).

The Controller does not actively process special categories of data under Article 9 GDPR; such data may only appear if data subjects voluntarily include them in uploads, for which the event owner is responsible.

5. Processing principles and purposes

The Controller processes personal data lawfully, fairly, and transparently in line with the principles outlined in Article 5 GDPR, especially purpose limitation, data minimization, storage limitation, integrity, and confidentiality.

Data are processed solely for legitimate, predefined purposes related to providing Bloomsy, operating the platform, ensuring technical functionality, communicating with users, fulfilling legal obligations, and protecting the Controller’s legitimate interests.

The Controller only handles data that are adequate, relevant, and necessary and does not process them in ways incompatible with the stated purposes.

Where appropriate, data may also be used to inform users about service updates or marketing notices, always based on consent or legitimate interest, and users can refuse such processing at any time.

6. Purposes and retention

The Controller ensures that personal data are not stored longer than necessary for the purposes for which they are processed, in accordance with the GDPR’s storage limitation principle.

Data processed for providing the service, managing events, and enabling content uploads are retained for the duration of the relevant event or the duration of the contractual or similar relationship established by the service order.

Billing and accounting data are stored for the periods required by specific laws, in particular accounting and tax legislation, typically at least 10 years.

Technical and security-related records (logs, abuse protection data) are kept only as long as needed to ensure system security and reliable operation.

Audiovisual content is retained solely for the duration of the event and, after its conclusion, is permanently and irretrievably deleted without backups.

Once the retention periods expire, personal data are securely deleted or anonymized, unless further storage is required by law or the Controller’s legitimate interest.

7. Legal basis and recipients

Processing is based on contract performance, consent, legitimate interest, or legal obligation.

We share data only with authorized processors necessary to operate the service.

• Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) – infrastructure & hosting.
• Cloudflare (Inc., 101 Townsend St, San Francisco, CA 94107, USA) – storage service Cloudflare R2. We configure EU data location where available.
• Mailgun Technologies (Inc., 112 E Pecan St #1135, San Antonio, TX 78205, USA) – transactional email delivery (EU endpoint).
• Zoho Corporation B.V. (Beneluxlaan 4B, 3527 HT Utrecht, The Netherlands) – customer support mailbox/email communication.
• Stripe Ireland Ltd (1 Grand Canal Street Lower, Dublin 2, Ireland) – payment processing. Payment card data is processed by Stripe. We do not have access to full payment card details.

8. International usage

The service is accessible globally, while personal data are processed in compliance with the GDPR and typically kept within the EU.

When data are accessed from third countries, the Controller implements appropriate technical and organizational safeguards in line with Chapter V GDPR.

9. Security incidents

The Controller has procedures for detecting, assessing, and reporting data breaches in accordance with Articles 33 and 34 GDPR.

Affected individuals and the supervisory authority are notified without undue delay when GDPR requires it.

10. Content visibility and responsibility

The content remains private and available only to parties designated by the event owner.

The event owner must obtain the necessary consents from individuals depicted in photos, videos, or other audiovisual recordings; the Controller is not liable for any omissions.

11. Artificial intelligence and minors

Content is not used for training artificial intelligence or for marketing purposes; any future use would require a separate explicit consent.

The service is intended for individuals aged 18 and above; the Controller does not verify guest age, and the event owner is responsible for ensuring a lawful basis when minors appear.

12. Data subject rights

Under the GDPR, individuals have the following rights:

• the right of access to personal data processed about them,
• the right to correct inaccurate or supplement incomplete data,
• the right to erasure (“right to be forgotten”) when the GDPR conditions are met; this does not affect obligations to retain data under specific laws,
• the right to restrict processing in legally defined cases,
• the right to data portability when statutory conditions are satisfied,
• the right to object to processing carried out on the basis of the Controller’s legitimate interest,
• the right to information about automated decision-making, including profiling, if such processing occurs,
• the right to withdraw consent at any time when processing is based on consent; withdrawal does not affect the lawfulness of prior processing.

These rights apply even when personal data were not obtained directly from the data subject.

Exercising these rights may be limited to the extent permitted or required by specific laws (e.g., the obligation to keep accounting records for at least 10 years).

Submit requests to privacy@bloomsy.eu; we respond within 30 calendar days.

13. Supervisory authority

Individuals may lodge complaints with the supervisory authority:

Office for Personal Data Protection of the Slovak Republic
Hraničná 4826/12
820 07 Bratislava – Ružinov
Slovak Republic
Phone: +421 2 3231 3214
Website: dataprotection.gov.sk/uoou

14. Final provisions

These Policy rules take effect upon publication. The Controller reserves the right to update or modify them at any time, especially when laws, processing scope, or Service functionality change.

The current version is always available on the Bloomsy website.