|1 November 2023
(a) individuals interacting with us in the ordinary course of business;
(b) the users of www.rockawaycapital.com or other webpages that may have led you here, including any online services offered on any such webpage (collectively, the “Websites”); and
(c) the visitors of Rockaway’s office premises.
Before reading this Policy, you’ll need to understand what ‘personal data’ and its ‘processing’ means: Personal data refers to (i) information which immediately identifies you (such as your name or your e-mail address), as well as (ii) other information which doesn’t identify you in isolation but which could still theoretically lead back to you if someone were determined to achieve such identification, using proportionate means. Processing of personal data refers to any operation involving personal data, including its collection, storage, transfers, analysis, collation into databases, linking with other data, usage to draw conclusions about you and other forms of use.
This Policy applies to processing activities of the following companies:
(a) Rockaway Capital SE, ID No. 019 67 631;
(b) Rockaway Advisors s.r.o., ID No. 090 52 127;
(c) Rockaway Ventures a.s., ID No. 063 87 136; and
(d) Rockaway Ventures Advisors a.s., ID No. 141 25 129.
These companies (“Rockaway”, the “Rockaway Companies” or “we”) are closely interlinked and jointly determine the terms of processing your personal data. As such, they are what the GDPR calls joint controllers of your data.
If you have questions regarding this Policy or wish to exercise one of the rights described in section 9 (Your Rights), please contact us:
(a) by e-mail, at firstname.lastname@example.org;
(b) through the Czech databox service (datová schránka), at ID ah6u54b; or
(c) by post, addressed to Rockaway Advisors s.r.o., at the address listed in the row ‘sídlo’ here.
The Rockaway Companies maintain an arrangement where Rockaway Advisors s.r.o. accepts and processes your queries and requests on behalf of all Rockaway Companies.
Taking into account all the ways you typically interact with us, we process the following categories of personal data related to you:
|Personal data categories
|Typically processed when…
|Name; last name.
|… you get in touch with us.
… it’s an inherent part of dealing with us in a certain matter.
|E-mail address; phone number; address of residence; delivery address.
|Identification and contact data; nationality, citizenship; tax residency; type of business; source of funds; copy of your personal ID/passport; bank details; sanction status; political exposure status.
|… within the context of your dealings with us, we are obliged to perform AML checks.
|Any personal information regarding transactions (contracts, payments etc.) between you (directly or an organisation which you represent) and Rockaway or its affiliates, including bank account numbers, contact addresses etc.
|… you, typically being an investor, investee, a supplier, customer or another business partner, do, have done or negotiate future business with us.
|IP address and approximate geolocation determined based on such address; MAC address; type, version, technical parameters of your device and browser; time zone; analytical and statistical information derived from any such data.
|… you browse our Websites.
|Information on how you use the Websites, e.g. what you click on, how much time you spend on various sections of the Websites and how you move around these sections; analytical and statistical information derived from any such data.
|E-Mail Interaction Data
|Data about if and when you read our direct marketing e-mails and what links you click on; analytical and statistical information derived from any such data.
|… you’ve subscribed to one of our newsletters.
|Photos and videos which feature you.
|… you attend one of our events.
|CV; cover letter; education and professional experience; information provided during interviews and related assessments; interview and assessment performance data; previous employer references; evaluation of all of the information above so as to assess whether you are a good fit for a given role; data necessary for the preparation of a contract of employment/services and compliance with employment-related regulations.
|… you’ve applied for a position at Rockaway.
|Visual records from security cameras.
|… you visit our offices.
|Privacy Control Data
|Information regarding consents or opt-ins to data processing or cookie storage and withdrawals of consents with or opt-outs from data processing or cookie storage; details about instances in which you’ve exercised your rights relating to privacy protection, including the subsequent dealings and proceedings in this regard; personal ID/passport copies/information to the extent needed to verify your identity when exercising rights.
|… you grant us or withdraw your consent with (or opt in for or opt out of) data processing or cookie storage.
|The contents of any communications exchanged between you and us, including any personal data contained in such communications which you choose to give to us.
|… you communicate with us in any matter.
In general, the personal information we process comes from you or is derived from your use of the Websites, as described in this Policy. In some cases, we may obtain your personal information from external sources, such as:
(a) if you apply for a job at Rockaway, some of your Candidate Data may be collected from your LinkedIn account, recruitment agencies and websites (e.g. Human Capital Advisory Group, Grafton Recruitment, COCUMA, Jobs.cz, executivejob.cz, Techloop.io, AirJobs.cz, and similar), and your current or previous employers;
(b) if we need particular personal data related to you for the purpose of establishing, exercising or defending our rights against you, or for meeting a legal obligation, we can also obtain that piece of data from public registries, public authorities and any other external sources, as needed for the specific purpose.
In principle, you don’t need to share any of your personal data with us if you don’t want to. However, in some cases, a failure to do so will inevitably result in our inability to enter into a transaction with you, provide a service, or act upon your request, such as:
(a) if providing certain data is necessary for the preparation or fulfilment of a contract between us, or for meeting a legal obligation which applies in connection with the subject matter of that contract, we won’t be able to enter into the contract;
(b) by extension, if we are required to conduct identity, source of funds or other checks under anti-money laundering laws before transacting with you, we won’t be able to proceed unless you give us the necessary AML Data;
(c) if you apply for a job with us and refuse to provide the requested Candidate Details through the designated online form or to an HR colleague, your application might be incomplete, and we won’t be able to consider you for the role; and
(d) if you wish to exercise one of the rights described in section 9 (Your Rights), we need to confirm your identity and fully understand the nature and scope of your request. If you don’t help us verify your identity or define your request, we might not be able to assist you.
This section explains why we process your personal data (‘purposes of processing’) and what entitles us to do so (‘legal basis for processing’).
If you’re our investor, customer, supplier or other business partner, we may use your Identification Data, Contact Data, Transactional Data and Communications Data to communicate and do business with you (in accordance with any contract we might have, if applicable), and to administer our business relationship with you on an ongoing basis. This includes the preparation, negotiation and performance of our legal agreements with you or the organisation you represent, accepting or making payments from/to you, and the processing of any requests and queries you might have.
We’re entitled to process your personal data for such purposes because it is necessary for the preparation or fulfilment of our contract with you (Article 6(1)(b) GDPR), or, where no contract is in place and we’re not negotiating one, because it is necessary for the proper operation and administration of our business, in which we have a legitimate interest (Article 6(1)(f) GDPR).
We process your Identification Data, Contact Data, Transaction Data, AML Data, Privacy Control Data, Communications Data and other personal data to the extent necessary to comply with legal obligations. For illustration, this could be:
(a) an obligation to archive or present corporate, accounting and tax materials in accordance with Act No. 586/1992 Coll., on Income Tax, Act No. 235/2004 Coll., on Value Added Tax, Act No. 563/1991 Coll., on Accounting, and Act No. 499/2004 Coll., on Archiving (in which case mainly your Transactional Data will be used);
(b) an obligation to document and implement or respond to your preferences, questions, objections, right exercises and other communications regarding the treatment of personal data in accordance with the GDPR, Act No. 127/2005 Coll., on Electronic Communications, and Act No. 480/2004 Coll., on Information Society Services (in which case mainly your Privacy Control Data will be used);
(c) an obligation to conduct KYC/AML checks in accordance with Act No. 253/2008 Coll., on Measures against Money Laundering and Financing of Terrorism (in which case mainly your AML Data will be used); or
(d) an obligation to disclose evidence or other documentation to public authorities. We’re entitled to process your personal data for such purposes under Article 6(1)(c) GDPR.
|The processing is necessary for the fulfilment of our contract with you relating to the provision of the Websites (Article 6(1)(b) GDPR).
|The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for as long as the respective marketing cookie remains active – see section 4 (Cookies) below. You may withdraw your consent at any time by opting out of marketing cookies on the respective Website. Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
|Enforcement of rights. If (a) you have a work or business relationship with us, (b) cause us or another person damage/harm, or (c) we end up having a legal dispute, we may store, share and further use your personal data for the purpose of establishing, exercising and defending the affected person’s rights against you.
|The processing is necessary for the affected person’s legitimate interest in establishing, exercising and defending its rights against you (Article 6(1)(f) GDPR).
|Job offers. If you apply for a job at Rockaway and give us consent, we’ll include your Identification Data, Contact Data and Candidate Data in a candidate database shared by all Rockaway Companies and potentially contact you with relevant job offers with the Rockaway Companies in the future.
|The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for a period of 5 years. You may withdraw your consent at any time by notifying Rockaway (see section 1.4 (Get in Touch) above). Such withdrawal will not, however, affect the lawfulness of processing based on the consent before its withdrawal.
|Newsletters. If you subscribe to one of our newsletters, or if you enter into a work relationship with us (without opting out of newsletters), we’ll be able to use your Contact Data to send you such relevant newsletter by e-mail until you unsubscribe from it.
|If you subscribe to one of our newsletters, the legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid indefinitely. You may withdraw your consent at any time by notifying Rockaway (see section 1.4 (Get in Touch) above). Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
In cases where we send you newsletters because of your work relationship with us, the legal basis for the processing is our legitimate interest in keeping our team updated on the performance of, and other developments throughout, Rockaway and its affiliates (Article 6(1)(f) GDPR). You can still opt out of newsletters at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
|Direct marketing analytics. If you read or further interact with a newsletter, corporate event invitation or a similar mass communication sent via MailChimp or a similar service, we’ll receive your E-Mail Interaction Data and be able to use it for various (internal) analytical purposes.
|The processing is necessary for our legitimate interest of evaluating the performance of our marketing communications such as newsletters and corporate event invitations (Article 6(1)(f) GDPR). You can opt out of newsletters and invitations at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
|Event invitations. If you enter into a work or business relationship with us (without choosing to opt out of event invitations), we’ll use your Contact Data to invite you to various corporate events held by Rockaway which are relevant for you (for example Money Talks), until you opt out of such invitations.
|The processing is necessary for our legitimate interest of staying in touch (networking) with our stakeholders and business partners, and for spreading awareness about our investment group and events (Article 6(1)(f) GDPR). You can opt out of invitations at any time (see section 1.4 (Get in Touch) above), in which case you will no longer receive them.
|Photos from events. If you attend an event held by Rockaway, then, unless you object, we may take Photos of (among others) you and post such Photos on our Websites, social media, and our corporate or marketing reports, newsletters, brochures and other materials. We’ll be able to keep using such Photos in the described manners until you ask for them to be taken (and kept) down.
|The processing is necessary for our legitimate interest of (a) adding content to our Websites, social media, and our corporate or marketing reports, newsletters, brochures and other materials, and (b) spreading awareness about our investment group and events (Article 6(1)(f) GDPR). You can ask for Photos to be taken (and kept) down, to be un-tagged from Photos etc. at any time (see section 1.4 (Get in Touch) above), in which case we will do so immediately.
|Ad targeting. If you visit our Websites and give us consent, we may collect your Usage Data and pass it on to third parties for the purpose of more precise ad targeting. We use cookies for these purposes – see section 4 (Cookies) below.
|The legal basis for such processing is your voluntary consent (Article 6(1)(a) GDPR). Once given, your consent is valid for as long as the respective marketing cookie remains active – see section 4 (Cookies). You may withdraw your consent at any time by opting out of marketing cookies on the Websites. Such withdrawal will, however, not affect the lawfulness of processing based on the consent before its withdrawal.
|Enforcement of rights. If (a) you have a work or business relationship with us, (b) cause us or another person damage/harm, or (c) we end up having a legal dispute, we may store, share and further use your personal data for the purpose of establishing, exercising and defending the affected person’s rights against you.
|The processing is necessary for the affected person’s legitimate interest in establishing, exercising and defending its rights against you (Article 6(1)(f) GDPR).
|Office safety. At our offices, we record and retain CCTV Footage for the purpose of protecting our and others’ property and ensuring the safety of our personnel. If you visit our offices, you may appear in such CCTV Footage.
|The processing is necessary for our legitimate interest in protecting our and others’ property and ensuring the safety of our personnel (Article 6(1)(f) GDPR).
|Dealings not described elsewhere. If you turn to us with a request or question or otherwise communicate with us in a context not specifically addressed elsewhere in this Policy, we’ll use your Identification Data, Contact Data and Communications Data for achieving the purpose of the communication.
|We’re entitled to do so either because you have voluntarily contacted us with the personal data and asked us (given us consent) to do something with it (Article 6(1)(a) GDPR), or, in other cases, because it’s necessary for our legitimate interest of properly handling all communications addressed to us (Article 6(1)(f) GDPR).
|M&A transactions. If a third party (‘an investor’) is interested in acquiring, directly or indirectly, the whole or a part of our business (a ‘transaction’), we may (a) grant the investor and its advisors very limited access to your personal data so that the investor may conduct due diligence on our business, and (b) following the transaction, transfer your personal data to the investor such that it can process the data for the same or compatible purposes as we have been.
|The processing is necessary for our and the investor’s legitimate interest in (a) preparing and executing the transaction properly (including the proper evaluation of our business and assets) and (b) ensuring smooth migration of our business to the investor following the transaction (Article 6(1)(f) GDPR).
|Analytics. We may use your personal data for the purpose of creating various internal reports, analytics, statistics and financial models.
|The processing is necessary for our legitimate interest in maximising insight into business performance (Article 6(1)(f) GDPR).
|Free use of anonymised data. We may also anonymise your personal data and use such anonymised data for any purposes whatsoever, such as the inclusion of the anonymised data in various materials which may then be shared with, or even sold to, third parties, or the commercialisation of the anonymised data in any other manner we deem fit.
|The processing is necessary for our legitimate interest in sharing insights into our business performance with our stakeholders and other third parties, and, potentially, commercialising such insights (Article 6(1)(f) GDPR).
4.1 If you visit our Websites, we’ll store small files called ‘cookies’ on your device and read them as you continue browsing the Websites. You may encounter the following types of cookies on our Websites:
(a) Strictly necessary cookies. These cookies are necessary for the Websites to work properly and cannot be turned off unless you do so in your browser settings.
(b) Personalisation cookies. Personalisation/preference cookies allow the Websites to remember certain choices you make (such as your preferred language version) and as a result provide personalised features. They will only be used if you accept them proactively.
(c) Analytical cookies. Analytical/statistical cookies collect data about how you visit, navigate and interact with the Websites so that we can get to know our audience or improve the Websites gradually. The Google Analytics service is a good example of this type of cookies. These cookies will only be used if you accept them proactively.
(d) Marketing. Marketing cookies are used to deliver advertisements which are relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of our or others’ advertising campaigns. Information extracted from marketing cookies may be shared with third parties, such as social network operators or advertising agencies. These cookies will only be used if you accept them proactively.
4.2 At the moment, we use the following specific cookies on our Websites:
|Type and Purpose
|First Party / Third Party
Enables you to make choices about cookie storage.
Enables you to choose your preferred Website language.
Analytics via the Google Analytics service.
|Third party (Google)
Analytics via the Google Analytics service.
|Third party (Google)
Tracks your visits across websites to target ads more efficiently.
|Third party (Facebook)
4.3 You can use the cookie banner on our Websites to adjust your preferences for storage of different types of cookies; this doesn’t apply to strictly necessary cookies, which are set automatically and cannot be disabled in the cookie banner.
4.4 If you’d like to avoid cookies altogether, you can restrict or prohibit their storage in the settings of your browser. This is how to do it on the most prominent browsers:
4.5 You can opt out of Google Analytics tracking completely here.
5.1 We may engage the following individuals and organisations in processing your personal data for the purposes described above:
(a) other Rockaway Companies;
(b) professional advisors (e.g. lawyers, business/management/marketing consultants, tax and accounting advisors and auditors) which provide services to the Rockaway Companies;
(c) banks and other payment services providers used by the Rockaway Companies to process payments;
(d) providers of software and other technical infrastructure (e.g. cloud and hosting services) which provide services to the Rockaway Companies;
(e) providers of analytical or ad targeting services (mainly Google via the Google Analytics service and Facebook via its marketing cookies);
(f) agencies and websites used for recruitment purposes (e.g. Human Capital Advisory Group, Grafton Recruitment, COCUMA, Jobs.cz, executivejob.cz, Techloop.io, AirJobs.cz, and similar);
(g) other providers of services necessary for the proper operation of our business;
(h) persons directly or indirectly acquiring or investing in our business, and their representatives;
(i) public authorities (e.g. courts, the police, regulatory authorities and various state bodies) where so required by law or where this is necessary for the achievement of legitimate aims; and
(j) any such other individuals or organisations which you permit or instruct us to give your personal data to.
5.2 Whenever we post an ad for a job at RockawayX on one of our Websites, we’ll forward all responses to this ad to Blockad s.r.o., ID No. 080 06 458, or another RockawayX company specified in the job ad (if applicable). In this case we process your personal data on behalf of the respective RockawayX company as a so-called ‘processor’ (whereas the respective RockawayX company is the ‘controller’); we don’t process the data for our own purposes. You’ll find more information about how RockawayX processes your application here.
We may transfer some of your personal data outside of the European Economic Area where the GDPR doesn’t apply. This will typically (but not exclusively) be:
(a) the United Kingdom and Switzerland, each of which has been determined by the European Commission to ensure an adequate level of protection of personal data (a so-called ‘adequacy decision’); or
(b) the United States, in which case we use the standard contractual clauses (SCCs) adopted or approved by the European Commission or other safeguards accepted by the GDPR.
In any event, we will only export your personal data outside of the European Economic Area either (a) if the territory in question is subject to an adequacy decision (see above) or (b) if appropriate safeguards are in place in accordance with the GDPR (e.g. export based on SCCs adopted by the European Commission) and your data subject rights and effective legal remedies are preserved.
7.1 As a general rule, we store your data until they are no longer necessary for the achievement of the purposes we process them for. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the data, the potential risk of harm from its unauthorised disclosure or other processing, the purposes for which we process the data and whether we can achieve those purposes through other means, as well as the applicable legal, regulatory, tax, accounting or other requirements. Once we no longer need your data, we will either erase (destroy) it, anonymise it, or, if this is not possible, then we will securely archive your data and isolate it from any further use until deletion is possible.
7.2 To give you a more exact idea, the following are some of the more specific principles we follow:
(a) CCTV Footage is automatically overwritten every 2 months;
(b) if we process a certain piece of personal data based on your consent and you withdraw such consent or the consent expires, we’ll erase the data after such withdrawal or expiration unless this Policy states we may process the data for a different purpose, on a different legal basis;
(c) if we are required by law to retain a certain piece of personal data (see e.g. Act No. 586/1992 Coll., on Income Tax, Act No. 235/2004 Coll., on Value Added Tax, Act No. 563/1991 Coll., on Accounting, Act No. 499/2004 Coll., on Archiving or Act No. 253/2008 Coll., on Measures Countering Money Laundering and Financing of Terrorism), we’ll keep the data for as long as the law prescribes, irrespective of any default retention period;
(d) if we find ourselves in a dispute with you, we’ll keep personal data needed to establish, exercise or defend our rights in such dispute (see first row of section 3.6 (Enforcement of Rights; Safety Measures)) at least until such time the dispute has been concluded and we no longer owe each other anything, irrespective of any default retention period;
(e) if we anonymise a certain piece of data, we can retain it indefinitely.
7.3 In some cases, you have the right to demand that we erase your personal data – see section 9.4 (Right to Erasure).
Any personal data we process is kept strictly confidential and secure. Our Websites possess a valid certificate issued by a trusted security authority and your personal data is protected using Secure Sockets Layer (SSL) as it passes between you and the Website. That means the information is encrypted and can’t be intercepted by an attacker. We follow best practices in information security to protect your personal data during transmission and once we receive it, meaning only authorised persons are permitted to access it. All such persons with access are bound by confidentiality agreements.
(a) In order to retain control over your personal data, you have a multitude of rights at your disposal. Such rights are summarised further in this section, but note this summary is simplified and you should read the GDPR or obtain independent legal advice to get a full picture.
(b) If you wish to exercise one of your rights or want to raise another request or query in connection with your personal data, please reach out using one of the means set out in section 1.4 (Get in Touch).
(c) We’ll respond to your request and let you know what steps we’ve decided to take in relation to it as soon as possible, and no later than 1 month from the time we’ve received a clear, complete request from you and have verified your identity. Particularly complicated requests might exceptionally take us up to 2 more months to sort out – we’ll let you know if this happens to be the case.
You may at any time request confirmation as to whether we process personal data concerning you and, if so, for what purposes, to what extent, to whom they are disclosed, for how long we will process them, whether you have the right to rectification, erasure, restriction of processing or objection or to file a formal complaint, where we have obtained the personal data and whether automated decision-making, including profiling, occurs on the basis of the processing of your personal data. In addition, you have the right to obtain a copy of your personal data, the first provision of which is free of charge (we may charge a reasonable administrative fee for the provision of further copies).
You can ask us to correct or complete your personal data at any time if it is inaccurate or incomplete.
You can ask us to erase your personal data if:
(a) it is no longer necessary for the purposes for which it was collected or otherwise processed;
(b) it is processed based on your consent, you withdraw such consent and no other legal basis for processing is available;
(c) you object to the processing and there are no overriding legitimate grounds for the processing;
(d) its processing is unlawful; or
(e) we are required to do so by law.
Please understand that the right to erasure is not absolute (unconditional); for example, we may not be able to delete your data if we need to retain it in order to establish, exercise or defend legal claims, or if an important public interest prevents erasure.
Where one of the following circumstances applies, you can ask us to pause (‘suspend’) processing your personal data with the exception of storage, and to only use them for establishing, exercising or defending legal claims or for purposes with which you give consent:
(a) you challenge the accuracy of the processed data (in which case we’ll restrict its processing until we verify accuracy);
(b) processing of the data is unlawful and you don’t want us to erase it;
(c) we no longer need the data for the purposes for which it was collected or otherwise processed; or
(d) you have objected to the processing and there are no overriding legitimate grounds for the processing (in which case we’ll restrict its processing pending our assessment of the legitimate grounds).
You have the right to object to the processing of personal data that we process for direct marketing purposes (see e.g. section 3.5 (Marketing and Events)) or for processing based on our or others’ legitimate interests. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes; in other cases, we’ll stop the processing activity if your own interests outweigh our interests in continuing the processing.
10.1 This Policy becomes effective on the date first written above.
10.2 We may make changes to this Policy at any time, in which case we’ll publish a new version of it on our Websites.
10.3 This Policy is governed by the laws of the European Union and, beyond the scope of EU law, the laws of the Czech Republic.