General terms and conditions

These General Terms and Conditions (hereinafter, the "Terms") constitute a legally binding agreement (the "Agreement") governing the provision of services by Reskyt Online SL (hereinafter, the "PROVIDER") to any individual and/or contracting company (hereinafter, the "CLIENT"), in accordance with the specific agreements entered into under particular conditions. These General Terms and Conditions shall apply to all services offered by the PROVIDER, unless expressly agreed otherwise in writing in the particular conditions.

Please read these Terms carefully, as they contain important information regarding your rights, remedies, and obligations.

  1. NATURE OF THE RELATIONSHIP

    The relationship between the CLIENT and the PROVIDER is strictly commercial in nature. No employment, agency, partnership or representation relationship exists between the parties, nor between the personnel of one party and the other. Each party shall be responsible for fulfilling its own tax, employment, and social security obligations in accordance with applicable legislation.

  2. CLIENT’S GENERAL OBLIGATIONS
    1. Collaboration and Information Provision
      • The CLIENT shall provide the PROVIDER with all information, materials, credentials, and technical or commercial documentation required for the performance of the service, in a truthful, complete and timely manner.
      • The CLIENT shall keep all information provided up to date, including legal URLs (such as privacy policies, terms of use, etc.), as well as contact details and access credentials to any third-party platforms related to the service.
    2. Content and regulatory compliance:
      • The CLIENT shall ensure that all content, trademarks, texts, images or any other materials provided to the PROVIDER do not infringe third-party rights, nor violate any applicable laws, including regulations concerning intellectual property, data protection, advertising, consumer rights or competition.
      • The CLIENT shall guarantee that all content published or distributed through the contracted platform or service complies with the usage policies and terms of third parties, such as the App Store, Google Play or other relevant technology platforms.
      • The CLIENT shall be solely responsible for any legal consequences resulting from unlawful, inaccurate or inappropriate content directly or indirectly incorporated into the service.
    3. Security and Technical Management
      • The CLIENT shall maintain the necessary technical accounts required for the provision of the service (e.g., Apple or Google developer accounts, access to Analytics or other third-party tools) and shall grant the PROVIDER the relevant access when so required.
      • The CLIENT shall ensure that its own systems, networks or websites comply with the minimum operational and compatibility requirements established by the PROVIDER in order to enable proper technical integration.
    4. Diligent Use of the Service
      • The CLIENT shall use the contracted service in accordance with its intended purpose and terms, and shall not manipulate, alter, duplicate, or distribute any of its functionalities, technical components or documentation without the PROVIDER’s express authorisation.
      • The CLIENT shall refrain from carrying out any action that could affect the stability, security or reputation of the platform, the PROVIDER or any third parties.
    5. Financial Obligations
      • The CLIENT shall pay the agreed fees in a timely manner, within the deadlines established in the specific terms and conditions.
      • The CLIENT shall bear any applicable surcharges, penalties or service interruptions arising from delays or non-payment, in accordance with these General Terms and/or the specific conditions.
    6. Data Protection 
      • Where the CLIENT acts as data controller of personal data linked to the service, it shall ensure compliance with the applicable data protection legislation (including the UK GDPR, the EU GDPR, LOPDGDD or any other relevant regulation), and shall provide the PROVIDER with all required legal texts and terms for the proper use of such data in the delivery of the service.
      • Where applicable, the CLIENT shall execute the corresponding data processing agreement with the PROVIDER.
  3. PROVIDER’S GENERAL OBLIGATIONS
    1. Service Provision
      • The PROVIDER shall grant access to the platform and to the functionalities included in the contracted service, as defined in the specific terms and conditions.
      • The PROVIDER shall take reasonable measures to ensure the availability, stability, and proper functioning of the platform, except in cases of force majeure or incidents attributable to third parties beyond its control.
    2. Technical Support
      • The PROVIDER shall offer technical and functional support to the CLIENT through the designated channels, during official business hours.
      • The PROVIDER shall address and resolve incidents reported by the CLIENT within reasonable timeframes, in accordance with the established priority levels.
    3. Security and Confidentiality:
      • The PROVIDER shall implement appropriate technical and organisational measures to safeguard the integrity, availability, and confidentiality of the CLIENT’s data, in accordance with the sensitivity level of such data.
      • The PROVIDER shall ensure the confidentiality of all information provided by the CLIENT and shall not disclose or use such information for any purpose other than that necessary for the execution of the Agreement.
    4. Regulatory Compliance
      • The PROVIDER shall comply with all applicable laws and regulations in the context of delivering its services, particularly regarding data protection, intellectual property rights, and consumer regulations.
      • Where applicable, the PROVIDER shall facilitate the execution of the necessary data processing agreements with the CLIENT, in compliance with the GDPR.
  4. AUTHORISATION FOR THE USE OF INFORMATION

    The CLIENT hereby authorises the PROVIDER to use its logos, images, and testimonials for marketing and promotional purposes.

  5. SERVICE SUSPENSION AND TERMINATION OF THIS AGREEMENT
    1. Service Suspension

      If the CLIENT fails to pay any invoice within one (1) month of its due date, the PROVIDER shall be entitled to suspend the provision of the services until the outstanding amount has been paid in full. The CLIENT shall be notified in advance of such suspension.

      Suspension of the service shall not release the CLIENT from its payment obligations nor constitute grounds for termination of the Agreement, unless the conditions set out in Clause 5.2 are met.

    2. Termination of the Agreement

      This Agreement may be deemed terminated for the following reasons:

      • Payment delays exceeding three (3) months
      • Inclusion of illegal, criminal, racist, xenophobic content, content that incites terrorism or violates human rights, or any defamatory, pornographic, misleading or fraudulent content for its recipients, or any content that infringes applicable laws or regulations, or is offensive to the rights of the PROVIDER, its distributors, or third parties.
      • The PROVIDER may also terminate this Agreement for reasons beyond its control, including force majeure, such as the removal of the product from Google Play or the App Store in the case of mobile apps, or withdrawal by other essential partners necessary for the operation of the service provided by Reskyt.
      • Termination of this Agreement on any of the grounds mentioned above shall not entitle either party to any form of compensation.
  6. SUPPORT AND AVAILABILITY

    The PROVIDER undertakes to deliver support and assistance services to the CLIENT during standard business hours, through the designated communication channels, including email, telephone, or video conferencing, as applicable. Updated information regarding support hours and available channels may be provided upon the CLIENT’s request.

    1. Incident Management

      Support requests and incidents shall be addressed by the technical team in accordance with defined priority criteria, with the aim of minimising impact on the CLIENT’s operations and ensuring service continuity. For this purpose, two categories of incidents are established:

      • Standard incidents: Issues that do not result in a critical interruption of the service nor compromise data security. These are managed during regular business hours, with response times appropriate to their nature.
      • Critical incidents: Issues involving full or partial service interruption, or those affecting the integrity, availability, or confidentiality of data. Such incidents shall be prioritised and addressed immediately, regardless of business hours, via the continuous monitoring and alert system.
    2. Operational Continuity

      The technical environment supporting the PROVIDER’s services is hosted within a highly available cloud infrastructure, equipped with 24/7 active monitoring systems. Any critical anomaly is automatically reported to the on-call technical team, who shall take the necessary actions to restore service as quickly as possible.

    3. Scope of Support:

      Support services include:

      • Custom services not expressly contracted.
      • Interventions involving systems, platforms, or data outside the PROVIDER’s infrastructure.
      • Management of functional and technical incidents affecting the proper operation of the service.

      The following are expressly excluded from the scope of support:

      • Personalized services not expressly contracted.
      • Intervention on systems, platforms or data outside the infrastructure of the MANUFACTURER.
      • Direct support to the CLIENT’s end users.
  7. INFRASTRUCTURE AND SUBCONTRACTING

    All services are provided on infrastructure hosted in secure data centres, currently operated by Amazon Web Services (AWS) within the European Union. The CLIENT expressly authorises the subcontracting of technical services and infrastructure, provided that such subcontracting does not affect the confidentiality or scope of the contracted service.

  8. DATA PROTECTION POLICY

    The personal data of those who subscribe to and sign this contract shall be processed by both parties solely for the purpose of managing its execution and complying with the legal obligations arising therefrom. This data shall be retained for as long as a contractual relationship exists between the parties and, thereafter, shall be blocked for the legally required periods, applying appropriate technical and organisational measures to ensure, where applicable, the pseudonymisation or definitive deletion of the data.

    Data shall not be disclosed to third parties unless required by law or in cases where it is necessary to engage service providers acting as Data Processors, duly authorised by each party.

    The parties and signatories are informed that they may exercise their rights of access, rectification, erasure, objection, restriction of processing, and data portability, as provided under applicable law, by means of a written request accompanied by identification, addressed to the contact details stated in this contract. Likewise, they may lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if they believe their rights have been violated.

    Where the CLIENT acts as Controller of personal data linked to the service, RESKYT ONLINE S.L. shall process such data in accordance with Article 28 of Regulation (EU) 2016/679 and the provisions of Organic Law 3/2018, acting in this respect as the PROCESSOR.
    The processing assignment shall last for the same duration as the main service contract. Below are the conditions regulating the rights and obligations of both parties regarding data protection, including the obligations of the PROVIDER as Processor:

    Specifications for the APP or Platform Creation Service

    1. Description: 

      Processing of data generated by users’ devices who download and use the CLIENT's application for the purpose of:

      • Managing push notification delivery.
      • Providing technical and functional support to the CLIENT.
      • Offering advanced features based on configuration and selected modules: segmentation, loyalty, database creation, analytics, and integration with the CLIENT’s CMS (Content Management System). 
    2. Categories of Data Subjects: 

      Users who download and use the CLIENT’s application.

    3. Types of Data Processed:
      • Push notification token.
      • Device UUID.
      • Geolocation data (subject to the user’s prior consent).
      • IP address (only for admin panel access logs, not for end users).
      • Language, country, app access dates.
      • Functional information on abandoned carts (number of items and last interaction), excluding cart content or identifiable user data.
      • User identification data: name, surname(s), email address, postal address, and telephone number. This data shall only be processed in cases where the CLIENT has activated specific functionalities that require it, such as loyalty programs, advanced segmentation, or synchronization with their content management system (CMS).
    4. Hosting: 

      Personal data processed through the platform is hosted on servers provided by Amazon Web Services (AWS), located in data centres within the European Economic Area (EEA), thereby ensuring compliance with applicable data protection regulations.

    5. Retention Period:

      App user data is deleted from the platform 30 days after contract termination.

       

    Specifications for the TIME TRACKING SOFTWARE Service

    1. Description: 

      Processing of data generated by the use of personnel management software that will allow the user organizations (customers) to manage the registration of the working day of their employees, as well as to manage leaves, vacations and absences. The MANUFACTURER as processor does not maintain a direct relationship with end users. We only process End Users' personal data on behalf of our Customers and according to their instructions.

    2. Categories of Data Subjects:  

      Employees and collaborators as end users of the software.

    3. Types of Data Processed: 

      Depending on the functionalities enabled and on the instructions of our customers, the following categories of personal data may be processed:

      • User identification information: first name, last name, e-mail address, mailing address, phone number.
      • Identification and employment information: job title or position, date of birth, user ID.
      • Workday registration data: arrival and departure times, breaks, incidents, leaves of absence, absences and vacations.

      The MANUFACTURER as processor does not have a direct relationship with End Users. We only process End Users' personal data on behalf of our Customers and according to their instructions.

    4. Hosting: 

      Personal data processed through the platform is hosted on servers provided by Amazon Web Services (AWS), located in data centres within the European Economic Area (EEA), thereby ensuring compliance with applicable data protection regulations.

    5. Retention Period: 

      Upon completion of the provision of the service covered by this contract, and at the express request of the CUSTOMER, the TREATMENT CONTROLLER shall facilitate the export of the personal data processed on behalf of the CUSTOMER, in a structured and commonly used format, in order to enable the latter to comply with its legal obligations of record keeping, especially in relation to the control of working time and other applicable legal requirements.

      Unless otherwise instructed by the CLIENT, the PROVIDER, as Processor, shall proceed with the deletion of the data within a maximum period of 30 days from the termination of the service, using secure mechanisms that ensure the effective destruction of the data, unless legal liabilities may arise.

    Obligations of the PROVIDER as Processor

    1. Process data solely in accordance with the CLIENT’s documented instructions.
    2. Ensure that authorised personnel are committed to confidentiality.
    3. Adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including data protection measures by design and by default (art. 25 of the GDPR). 
    4. Subcontracting: The CLIENT expressly authorises the PROVIDER to engage Amazon Web Services, Inc. (AWS) as Sub-Processor exclusively for hosting and processing personal data within the Reskyt platform’s cloud services. AWS provides its services from data centres located in the European Union (Ireland) and complies with the GDPR on data security and protection. The PROCESSOR shall ensure that AWS is bound by the same obligations as set forth in this contract. Any further change or addition of Sub-Processors shall require the prior specific or general authorisation of the CLIENT.
    5. Create, whenever possible and considering the nature of the processing, the technical and organisational conditions necessary to assist the CONTROLLER in fulfilling data subject rights requests. In the event the PROCESSOR receives such a request, it shall immediately notify the CONTROLLER, and in no case later than the following business day after receipt, along with any relevant information. 
    6. Notify without undue delay any personal data breach to enable the CONTROLLER to take appropriate measures to remedy and mitigate the effects.
    7. Cooperate with the CLIENT in carrying out impact assessments and prior consultations with the supervisory authority when necessary.
    8. Make available to the CLIENT all necessary information to demonstrate compliance with its obligations, and to allow and contribute to audits or inspections by the CLIENT or an authorised auditor.
    9. The CONTROLLER authorises the PROCESSOR to carry out international data transfers provided that such transfer is based on adequacy decisions by the European Commission (Article 45 of the GDPR), appropriate safeguards (Article 46 of the GDPR), or specific derogations (Article 49 of the GDPR). The PROCESSOR shall bear sole responsibility for demonstrating that the transfer offers appropriate safeguards under the GDPR and shall provide the CONTROLLER with sufficient information to verify or obtain evidence thereof.

    Obligations and Rights of the CONTROLLER

    1. The CONTROLLER warrants that the data provided to the PROCESSOR has been lawfully obtained and is adequate, relevant, and limited to the purposes of the processing.
    2. The CONTROLLER shall provide the PROCESSOR with all necessary information to execute the processing tasks.
    3. The CONTROLLER warns the PROCESSOR that, if it independently determines the purposes and means of processing, it shall be deemed a Controller and shall be subject to all applicable legal obligations as such.

    Security Measures

    The PROCESSOR commits to implementing, throughout all phases of development, deployment, and maintenance of the App, appropriate technical and organisational measures to ensure that the processing of personal data is carried out in accordance with the principles of the GDPR, particularly data minimisation, purpose limitation, confidentiality, integrity, and security. These measures shall take into account the state of the art, implementation costs, the nature of the data, the context and purposes of processing, and the risks to the rights and freedoms of individuals.

    The following specific measures shall be implemented:

    1. Data minimisation and pseudonymisation:
      • Collection limited to data strictly necessary for each App functionality.
      • Use of pseudonymisation or substitution of personal identifiers when direct identity retention is not essential.
      • Avoidance of unnecessary information collection via closed-form fields, limiting open fields wherever possible.
    2. Logical separation of environments and data:
      • Separation of development, testing, and production environments, avoiding real data in testing unless anonymised.
      • Segregated and restricted-access storage for records containing personal identifiers.
      • Functional or project-based data separation.
    3. Restricted and controlled access:
      • Role-based access control (RBAC), under the principle of least privilege.
      • Access traceability via logging and periodic audits.
      • Access logs retained for at least two years for special category data.
    4. Privacy-oriented default settings:
      • All functionalities involving non-essential data (e.g. geolocation) shall be disabled by default and require explicit user or CONTROLLER activation.
      • Application of the “privacy by default” principle, ensuring the highest level of privacy from initial installation.
    5. Additional security measures:
      • Access control via strong authentication.
      • Encryption of communications and, where applicable, data at rest.
      • Activity monitoring and incident alerts.
      • Regular software updates and security patching.
      • Periodic technical vulnerability assessments.
    6. Resilience, continuity, and verification:
      • Mechanisms to restore data availability and access in the event of physical or technical incidents.
      • Automatic backups and recovery policies.
    7. Continuous evaluation and cooperation:
      • Cooperation with the CONTROLLER in conducting Data Protection Impact Assessments (DPIAs), where appropriate.
      • Risk analysis and communication to the CONTROLLER of emerging threats to data security.

Data Disposal at the End of the Contract

Upon termination of this contract, the PROVIDER shall delete all personal data accessed, along with any copies thereof, unless retention is required by legal obligation.

  9. CONFIDENTIALITY

    The parties undertake to maintain the strictest confidentiality regarding all information exchanged that is of a confidential nature. This obligation shall remain in force even after termination of the contract. Disclosure to third parties shall require the prior written consent of the affected party.

  10. LIMITATION OF LIABILITY

    The PROVIDER shall not be held liable for:

    1. Failures arising from third-party services (Google Play, App Store, AWS, etc.).
    2. Content provided by the CLIENT.
    3. Loss of profit or indirect disruptions.

    In any case, the PROVIDER’s maximum liability shall be limited to the annual amount paid by the CLIENT.

  11. INTELLECTUAL PROPERTY

    All rights to the source code, designs, tools, and developments of the Reskyt platform belong exclusively to the PROVIDER. The CLIENT acquires only a limited, non-exclusive right of use, under the terms defined in the specific conditions.

  12. AMENDMENTS

    Any amendment to these General Terms and Conditions must be made in writing and shall be notified to the CLIENT with reasonable prior notice. In the event of any discrepancy, the specific conditions agreed between the parties shall prevail over the provisions herein.

  13. APPLICABLE LAW AND JURISDICTION

    The parties agree that this document shall be governed by and construed in accordance with the laws of Spain. For any controversy or dispute that may arise concerning the interpretation, execution or validity of this document, the parties expressly submit to the jurisdiction of the Courts and Tribunals of the city of Barcelona, expressly waiving any other jurisdiction that may otherwise apply.