Privacy Policy
Information on personal data processing by remeco s.r.o. in accordance with GDPR and Slovak legislation.
1. Introduction and Controller Identification
This Privacy Policy (hereinafter "Policy") provides information on how remeco s.r.o. processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter "GDPR") and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments to Certain Acts, as amended (hereinafter "Personal Data Protection Act").
Controller Identification
| Company name | remeco s. r. o. |
|---|---|
| Legal form | limited liability company |
| Registered office | Karpatské námestie 10A, 831 06 Bratislava – Rača |
| ID Number | 56 423 985 |
| Tax ID | 2122304426 |
| VAT ID | SK2122304426 |
| Registration | Commercial Register SR, Bratislava III District Court |
| Website | www.remeco.sk |
| Contact email | info@remeco.sk |
| Contact phone | +421 948 057 712 |
Data Subject Identification
Data subject is an identified or identifiable natural person whose personal data is processed by the controller. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For the purposes of this Policy, data subjects include:
- customers – natural persons using the controller's services, purchasing its products, or persons who have entered into a contractual or similar legal relationship with the controller,
- potential customers – persons who have expressed interest in the controller's products or services, for example through contact forms, email communication, phone contact or other similar means,
- website visitors – persons whose personal data may be processed through cookies, analytical tools or when filling out forms on the website,
- communicating persons – persons communicating with the controller via email, phone, social media or other communication means.
Personal data of data subjects is processed exclusively to the extent and under the conditions set out in this Privacy Policy and in accordance with the GDPR and the Personal Data Protection Act.
Data Protection Officer
The controller is not required to appoint a Data Protection Officer pursuant to Article 37 GDPR and Section 44 of the Personal Data Protection Act, because:
- it is not a public authority or public body (Article 37(1)(a) GDPR),
- the controller's core activities do not consist of processing operations which require regular and systematic monitoring of data subjects on a large scale – property photography documents buildings, not people (Article 37(1)(b) GDPR),
- the controller does not process special categories of personal data on a large scale (Article 37(1)(c) GDPR).
Contact for personal data protection matters: directly to the controller at info@remeco.sk or by phone at +421 948 057 712.
Controller's commitment: The controller undertakes to protect the personal data of data subjects and to process them exclusively in accordance with applicable legal regulations, transparently and only for specified purposes.
2. Sources of Personal Data Collection
The controller obtains personal data from the following sources:
a) Directly from data subjects
- when ordering services (by email, phone, WhatsApp application or in person),
- by filling out a contact form on the website (if available),
- through email, phone or WhatsApp communication,
- by providing billing information when concluding a contract.
b) Automatically via the website
- technical data (IP address, browser type, operating system) – necessary for website operation,
- cookies and tracking technologies (including Meta Pixel) – exclusively with consent,
- data on website behavior (visited pages, time spent on website) – only with consent.
c) Incidentally when providing services
During photography, Matterport scanning or drone footage of properties, the following may be incidentally captured:
- neighboring properties, nearby persons or vehicle license plates during drone footage,
- personal belongings of residents (photos, documents) during interior photography.
Minimization measures: The controller takes measures to minimize the collection of such data – camera angle adjustment, starting recording only at altitude, checking footage after each flight, and blurring or removing identifiable third-party data before delivery to the client.
d) From publicly available sources
- Commercial Register of the Slovak Republic,
- Trade Register,
- public websites of business partners.
Legal bases: Article 13 GDPR (data obtained directly from the data subject) and Article 14 GDPR (data obtained from other sources).
3. Categories of Data Subjects, Purposes and Legal Bases
3.1 Customers (service orderers)
Primarily legal entities and natural persons – entrepreneurs.
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Concluding and fulfilling service contracts | Article 6(1)(b) GDPR – contract performance | name, contact details, address, order subject |
| Issuing invoices and bookkeeping | Article 6(1)(c) GDPR – legal obligation (Act No. 431/2002 Coll., Act No. 222/2004 Coll.) | billing data, ID number, tax ID, VAT ID, bank account |
| Order or service communication | Article 6(1)(b) GDPR – contract performance | name, email, phone |
| Asserting legal claims | Article 6(1)(f) GDPR – legitimate interest (protection of controller's rights) | all data from business relationship |
3.2 Website visitors
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Technical website operation | Article 6(1)(f) GDPR – legitimate interest (ensuring website functionality) | IP address, browser type, session cookies |
| Traffic measurement and ad optimization (Meta Pixel) | Article 6(1)(a) GDPR – consent | IP address, cookie ID, visited pages, clicks, device information |
| Remarketing and targeted advertising (Meta Pixel) | Article 6(1)(a) GDPR – consent | cookie ID, website behavior |
3.3 Contact persons of business partners
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Business communication | Article 6(1)(f) GDPR – legitimate interest (normal business activity) | name, job position, email, phone |
3.4 Persons incidentally captured during photography, scanning or drone footage
| Processing purpose | Legal basis | Data categories |
|---|---|---|
| Property photography or scanning (primary purpose) | Article 6(1)(b) GDPR – contract performance with orderer | property photos or 3D scans |
| Incidental capture of persons or surroundings during drone footage | Article 6(1)(f) GDPR – legitimate interest (necessary for service provision; interest in property documentation prevails) | persons' appearance, vehicle license plates, neighboring property facades |
Mandatory minimization measures for drone footage:
- camera view set to minimize surrounding capture,
- recording starts at altitude, not at takeoff,
- checking footage after each flight,
- blurring or removing identifiable third-party data (faces, vehicle license plates) before delivery to client and before any publication,
- hiding or retouching personal items (photos, documents) visible in interiors,
- not keeping unprocessed footage longer than necessary.
Important: For Meta Pixel and marketing cookies, consent is the only permissible legal basis. Legitimate interest is not permissible for tracking and marketing cookies.
3.5 Obligation to provide personal data
The provision of personal data may be a legal or contractual requirement, or a requirement necessary to conclude a contract. The following table indicates whether providing data is mandatory or voluntary and what are the possible consequences of not providing it:
| Processing purpose | Provision obligation | Consequences of non-provision |
|---|---|---|
| Concluding and fulfilling service contracts | Contractual requirement | Without providing data (name, contact, property address), it is not possible to conclude a contract and provide services. |
| Issuing invoices and bookkeeping | Legal requirement (Act No. 431/2002 Coll. on Accounting, Act No. 222/2004 Coll. on VAT) | The controller is obliged to issue an invoice; without billing data, it is not possible to provide services in accordance with the law. |
| Order or service communication | Contractual requirement | Without contact details (phone or email), it is not possible to coordinate appointment and service delivery. |
| Marketing cookies (Meta Pixel) | Voluntary (consent) | No negative consequences; services will be provided without any limitation. |
| Technical website operation | Necessary for service functionality | Without technical cookies, the website may not function properly. |
4. Categories of Personal Data Recipients
4.1 Processors pursuant to Article 28 GDPR
- WebSupport s.r.o. – website hosting and email services. Location: Slovak Republic, Bratislava data center. Contract: part of general terms and conditions. Transfer outside EU: no.
- faktury-online.com – online invoicing software. Location: Slovak Republic/EU.
- External accounting firm based in SR – accounting processing. Location: Pezinok, Slovak Republic. Processor agreement pursuant to Article 28 GDPR.
- Matterport Inc. (CoStar Group) – 3D scan processing. Location: USA. Data Processing Addendum (DPA) version 1.2, transfer via standard contractual clauses (SCC).
- Microsoft Corporation (OneDrive) – cloud storage and photo sharing. Location: USA. EU-US Data Privacy Framework + SCC. Microsoft Online Services DPA.
- Google LLC – email and cloud services. Location: USA. EU-US Data Privacy Framework + SCC.
4.2 Joint controllers pursuant to Article 26 GDPR
- Meta Platforms Ireland Ltd. – Meta Pixel on website, management of Facebook and Instagram corporate profiles (@remeco_official), WhatsApp Business communication. Joint controller agreement: Meta Business Tools Terms, Page Insights Controller Addendum. More information: Privacy Policy Meta Platforms.
- TikTok Technology Ltd. – TikTok corporate profile management. More information: Privacy Policy TikTok.
4.3 State authorities and institutions (based on legal obligation)
- Tax Authority / Financial Administration SR (Act No. 595/2003 Coll., Act No. 563/2009 Coll.),
- Personal Data Protection Office SR (during supervision),
- Courts of the Slovak Republic (in legal disputes).
5. Personal Data Retention Period
The controller retains personal data only for the period necessary to achieve the processing purpose, while complying with statutory retention periods:
| Data type | Retention period | Legal basis for period |
|---|---|---|
| Accounting documents (invoices, accounting books) | 10 years following the year to which they relate | Section 35(3) of Act No. 431/2002 Coll. on Accounting |
| VAT invoices | 10 years from the end of calendar year | Act No. 222/2004 Coll. on VAT |
| Tax documents | 5 to 10 years | Section 69 of Act No. 563/2009 Coll. (Tax Code) |
| Contracts with business partners | Duration of obligation + 4 years (limitation period) | Section 397 of Act No. 513/1991 Coll. (Commercial Code) |
| Customer contact details | Duration of business relationship + applicable retention period | Article 5(1)(e) GDPR |
| Marketing consent / cookies | Until consent withdrawal | Article 7(3) GDPR |
| Consent records (cookies) | 3 years from grant (proof of legitimacy) | Article 7(1) GDPR |
| Meta Pixel data | According to Meta terms (max. 2 years for cookies) | Privacy Policy Meta Platforms |
| Business correspondence | 5 years | Act No. 395/2002 Coll. on Archives |
| Property photographs (working files) | Duration of business relationship + 2 years (portfolio) | Article 5(1)(e) GDPR – legitimate interest |
| OneDrive photos (shared with client) | Until delivery of final files to client + 6 months | Article 5(1)(e) GDPR |
| WhatsApp communication | Duration of business relationship + applicable retention period | Article 6(1)(b) and (f) GDPR |
After the retention period expires, personal data is securely deleted or anonymized.
6. Transfer of Personal Data to Third Countries
Some third-party services used by the controller may involve the transfer of personal data outside the European Economic Area (EEA), particularly to the United States of America or other countries where these service providers may have their servers or process personal data.
6.1 Transfers to USA
| Service | Recipient | Transfer mechanism |
|---|---|---|
| Meta Pixel, Facebook, Instagram, WhatsApp | Meta Platforms Inc. | EU-US Data Privacy Framework (DPF) + SCC |
| OneDrive (cloud storage) | Microsoft Corp. | EU-US Data Privacy Framework (DPF) + SCC |
| Google account | Google LLC | EU-US Data Privacy Framework (DPF) + SCC |
| Matterport 3D tours | Matterport Inc. (CoStar) | Standard Contractual Clauses (SCC) pursuant to EC Decision 2021/914 |
About EU-US Data Privacy Framework (DPF):
- Adopted by European Commission Decision of July 10, 2023.
- Valid as of March 2026.
- In September 2025, the General Court of the EU dismissed the action for annulment (T-553/23).
- The applicant filed an appeal to the Court of Justice of the EU in October 2025.
The controller actively monitors the situation and will take appropriate measures in case of changes to the legal framework (switching to SCC as the primary mechanism).
6.2 Data transfers via social networks (TikTok)
The controller uses the TikTok social network for marketing and promotional purposes through the company's official profile. In this case, the controller is a joint controller of personal data processing (pursuant to Article 26(1) GDPR) to the extent of user interactions with content published on this platform.
The controller does not systematically collect or require customer personal data through the TikTok platform. However, if data subjects communicate with the controller via this platform (e.g., through comments or private messages), personal data processing may occur to the extent of data voluntarily provided by the data subject.
The controller recommends that data subjects do not share sensitive or confidential personal data via social networks. If specific requirements need to be addressed or detailed information needs to be provided, the controller preferably communicates with data subjects via email, phone or in person.
The company operating the TikTok platform may, within the provision of its services, transfer and process personal data outside the European Economic Area. Such transfers are carried out on the basis of appropriate safeguards in accordance with Articles 44 to 49 GDPR, in particular through standard contractual clauses approved by the European Commission or other mechanisms ensuring an adequate level of personal data protection.
Detailed information on personal data processing by TikTok is provided in the privacy policy of this platform.
6.3 Personal data processing on social networks
The controller may use profiles on social networks (e.g., TikTok, Facebook, Instagram or LinkedIn) for the purposes of customer communication, service presentation and marketing.
When visiting or interacting with the controller's profiles on social networks, personal data processing may occur by the controller and also by the operator of the given social network. In certain cases, this may involve personal data processing in the joint controller regime pursuant to Article 26 GDPR.
The controller has access particularly to aggregated statistics on traffic and user interactions with content published on the social network. This data is provided by the social network operator and generally does not allow direct identification of individual users.
The social network operator may also process user personal data for its own purposes, particularly for user behavior analysis, advertising personalization or service improvement. The website controller has limited influence over this processing.
Detailed information on personal data processing is provided in the privacy policy of the respective social network.
6.4 Services without transfer outside EU
- WebSupport s.r.o. – Bratislava data center, Slovak Republic
- faktury-online.com – Slovak Republic / EU
- External accountant – Slovak Republic
Legal bases: Articles 44 – 49 GDPR (transfers to third countries), Article 45 GDPR (adequacy decision), Article 46(2)(c) GDPR (standard contractual clauses).
7. Automated Decision-Making and Profiling
The controller does not perform automated individual decision-making pursuant to Article 22 GDPR that would have legal effects or similarly significantly affect data subjects.
The controller does not perform profiling for its own purposes.
Notice – Meta Pixel: Meta Pixel collects data that Meta Platforms uses for profiling and ad targeting on Meta platforms. This profiling is performed by Meta as a joint controller. More information can be found in the Privacy Policy Meta Platforms.
The data subject has the right to withdraw consent to Meta Pixel at any time (through cookie banner settings on the website), which will stop data collection for Meta profiling purposes.
8. Technical and Organizational Security Measures
The controller has implemented appropriate technical and organizational measures to ensure personal data protection pursuant to Article 32 GDPR and Section 39 of the Personal Data Protection Act.
Technical measures
- access management via passwords,
- regular software and operating system updates,
- data backup through cloud services,
- communication encryption (SSL/TLS).
Organizational measures
- limitation of access to personal data to the necessary extent,
- confidentiality obligation.
Given the nature of the one-person company, access to data is limited exclusively to the managing director.
Processors are contractually obliged to comply with appropriate security measures.
Details on security measures are available upon request at info@remeco.sk.
9. Data Subject Rights
As a data subject, you have the following rights in connection with the processing of your personal data:
9.1 Right of access (Article 15 GDPR)
You have the right to obtain confirmation as to whether your personal data is being processed, and if so, you have the right to access that data and to a free copy of the processed data.
9.2 Right to rectification (Article 16 GDPR)
You have the right to rectification of inaccurate personal data and to completion of incomplete personal data.
9.3 Right to erasure (Article 17 GDPR)
You have the right to request erasure of personal data if: data is no longer necessary, consent has been withdrawn, an objection has been made, or processing was unlawful. Exceptions: statutory retention obligation (accounting, taxes), assertion of legal claims.
9.4 Right to restriction of processing (Article 18 GDPR)
You have the right to restriction of processing during verification of data accuracy, if processing is unlawful but you do not want erasure, if the controller no longer needs the data but you need it for legal claims, or during verification of an objection.
9.5 Right to data portability (Article 20 GDPR)
You have the right to receive personal data in a structured, commonly used and machine-readable format. Applies only to data processed based on consent or contract by automated means.
9.6 Right to object (Article 21 GDPR)
You have the right to object at any time to processing based on legitimate interest. For processing for direct marketing purposes, you have an absolute right to object – after objection, data will no longer be processed for this purpose.
9.7 Right to withdraw consent (Article 7(3) GDPR)
You have the right to withdraw consent at any time. Withdrawal is as simple as granting. Withdrawal does not affect the lawfulness of processing before withdrawal. For cookies: through cookie banner settings on the website.
9.8 Right to lodge a complaint (Article 77 GDPR)
You have the right to lodge a complaint with the supervisory authority. Supervisory authority: Personal Data Protection Office SR, Hraničná 12, 820 07 Bratislava 27, tel.: +421 2 3231 3214, email: statny.dozor@pdp.gov.sk, web: dataprotection.gov.sk.
9.9 Right to an effective judicial remedy (Article 79 GDPR)
You have the right to an effective judicial remedy, without prejudice to any administrative remedy.
Common information for exercising rights
- Response deadline: 1 month from receipt of request.
- The deadline may be extended by an additional 2 months (for complex or numerous requests) – with notification within 1 month.
- Handling of requests is free of charge; fee only for manifestly unfounded or repetitive requests.
- The controller may request identity verification of the requester.
10. How to Exercise Rights and Contact Information
You can submit a request to exercise your rights under GDPR:
Controller contact information
info@remeco.sk
+421 948 057 712
remeco s.r.o.
Karpatské námestie 10A
831 06 Bratislava – Rača
The controller reserves the right to verify the requester's identity. A response will be provided within 1 month of receiving the request.
12. Final Provisions
The controller reserves the right to change or supplement this Policy at any time. Changes will be published on this page with the date of the last update indicated.
For substantial changes, the data subject will be informed by email or website notice.
We recommend that data subjects regularly review this Policy.
This Policy takes effect on: January 1, 2026
Last update: March 1, 2026