Personal data processing and protection policy in accordance with GDPR.
Privacy Policy
Personal data processing policy pursuant to Regulation (EU) 2016/679
1. Data Controller
The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as "GDPR") is:
Dalibor Čmolík
registered office: Holešov, Žeranovice 296, 769 01, Czech Republic
ID No.: 41580362
e-mail:
phone: +420 603 228 600
(hereinafter referred to as the "controller")
The controller has not appointed a data protection officer.
2. Categories of Processed Data
The controller processes personal data provided by the data subject or obtained by the controller on the basis of contract performance or legitimate interest:
2.1. Identification and Contact Data
- First and last name
- E-mail address
- Phone number
- Registered office / residential address (for contracting parties)
- ID No., VAT No. (for business entities)
2.2. Contact Form Data
- Name, e-mail, phone number, message text
- IP address and submission time (for abuse protection)
2.3. Billing and Contractual Data
- Data necessary for issuing tax documents and contract performance
- Order history and records of services provided
2.4. Technical Data
- IP address, browser type, operating system
- Website visit data (cookies — see Cookie Policy)
3. Purposes and Legal Basis of Processing
| Purpose of Processing | Legal Basis (GDPR) | Data Categories | Retention Period |
|---|---|---|---|
| Responding to enquiries from the contact form | Art. 6(1)(b) — pre-contractual measures; Art. 6(1)(f) — legitimate interest | Name, e-mail, phone, message, IP address | 3 years from last contact |
| Contract performance for the provision of services or delivery of digital products | Art. 6(1)(b) — contract performance | Identification, contact and billing data | Duration of the contract + 3 years (limitation period) |
| Issuing tax documents and bookkeeping | Art. 6(1)(c) — legal obligation (Act No. 563/1991 Coll., Act No. 235/2004 Coll.) | Billing data | 10 years from the end of the tax period |
| Abuse protection of the contact form (Cloudflare Turnstile) | Art. 6(1)(f) — legitimate interest | IP address, verification result | Processed by Cloudflare under its own terms |
| Website traffic analysis | Art. 6(1)(a) — consent (cookies) | Technical data, browsing behaviour | As configured in the analytics tool |
| Legitimate interests of the controller (protection of rights, debt recovery) | Art. 6(1)(f) — legitimate interest | Identification and contractual data | For the duration of the legitimate interest |
4. Recipients of Personal Data
The controller may transfer personal data to the following categories of recipients, only to the extent necessary:
- Hosting provider — WEDOS Internet, a.s. (data storage, servers in the Czech Republic)
- Cloudflare, Inc. — form abuse protection (Turnstile), CDN
- Analytics service provider — if traffic measurement is active (based on consent)
- Accountant and tax advisor — processing of tax documents
- Public authorities — on the basis of a legal obligation (tax office, courts)
The controller does not transfer personal data to third countries outside the EU/EEA, with the exception of Cloudflare services, where the transfer is ensured by standard contractual clauses (Art. 46(2)(c) GDPR) or an adequacy decision of the European Commission (Art. 45 GDPR).
5. Data Subject Rights
In accordance with the GDPR, every data subject has the following rights:
5.1. Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation from the controller as to whether your personal data are being processed and, if so, to access the data and information about the processing.
5.2. Right to Rectification (Art. 16 GDPR)
You have the right to request the rectification of inaccurate personal data or the completion of incomplete data.
5.3. Right to Erasure (Art. 17 GDPR)
You have the right to request the erasure of personal data if:
- the data are no longer necessary for the purpose for which they were collected;
- you withdraw consent and there is no other legal basis;
- you object and there are no overriding legitimate grounds;
- the data have been processed unlawfully.
The right to erasure does not apply where processing is necessary for compliance with a legal obligation (e.g. archiving of tax documents).
5.4. Right to Restriction of Processing (Art. 18 GDPR)
You have the right to request the restriction of processing, for example if you contest the accuracy of the data or object to the processing.
5.5. Right to Data Portability (Art. 20 GDPR)
You have the right to receive the personal data you have provided to the controller in a structured, commonly used and machine-readable format.
5.6. Right to Object (Art. 21 GDPR)
You have the right to object at any time to the processing of personal data based on the legitimate interest of the controller. The controller shall no longer process the data unless it demonstrates compelling legitimate grounds overriding the interests of the data subject.
5.7. Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to its withdrawal.
5.8. Right to Lodge a Complaint
You have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
web: www.uoou.cz
e-mail:
6. Exercising Your Rights
You may exercise your rights:
- by e-mail at
This email address is being protected from spambots. You need JavaScript enabled to view it. - in writing at the controller's registered office: Holešov, Žeranovice 296, 769 01, Czech Republic
The controller shall process your request without undue delay, no later than 30 days from receipt. In exceptional cases (complexity, large number of requests), the period may be extended by a further 2 months, of which the controller shall inform you.
The controller is entitled to verify the identity of the applicant if there are reasonable doubts about the identity of the person submitting the request.
7. Security of Personal Data
The controller has adopted appropriate technical and organisational measures to ensure the security of personal data, in particular:
- encrypted data transmission (HTTPS/TLS);
- contact form protection against automated abuse (Cloudflare Turnstile);
- restricted access to personal data to authorised persons only;
- regular data backups;
- software updates and security patches.
8. Cookies
The controller's website uses cookies. Detailed information on the types of cookies, their purpose and management options can be found in the Cookie Policy.
9. Automated Decision-Making
The controller does not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR.
10. Final Provisions
10.1. The controller may update this policy. The current version is always available on the controller's website.
10.2. In the event of a discrepancy between the Czech and English versions, the Czech version shall prevail.
10.3. The processing of personal data is governed by the laws of the Czech Republic, in particular Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll., on the processing of personal data.
This privacy policy is effective as of 16 June 2026.