I. INTRODUCTORY PROVISIONS
1.1 Purpose of the Policy
This Privacy Policy (hereinafter referred to as the "Policy") sets out how the Controller handles the personal data of natural persons in connection with the provision of Hexado.pro services, in particular hosting services, servers, web hosting, and related IT services.
The Policy is prepared in accordance with:
– Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, hereinafter referred to as "GDPR"),
– Act No. 110/2019 Sb., on the processing of personal data,
– Act No. 480/2004 Sb., on certain information society services,
– and other relevant legal regulations of the Czech Republic.
This Policy constitutes information for data subjects under Article 13 of the GDPR.
1.2 Data Controller
The Controller of personal data is:
Name/Company: PhDr. Petr Balek
ID No. (IČO): 72638699
Registered Office: třída Tomáše Bati 955, 760 01 Zlín, Czech Republic
E-mail: [email protected]
(hereinafter referred to as the "Controller")
1.3 Contact Details for Data Protection
For any requests, queries, or the exercise of rights in the area of personal data protection, the Controller can be contacted at:
E-mail: [email protected]
As of the effective date of this Policy, the Controller has not appointed a Data Protection Officer; the obligation to appoint an officer is continuously evaluated in accordance with the GDPR and Czech law.
1.4 Processing of Children's Personal Data
Hexado.pro services are not intended for children under 18 years of age. The Controller does not knowingly process the personal data of children and minors in connection with the offer of information society services if the person has not reached the age of 18.
II. SCOPE AND SOURCES OF PROCESSED PERSONAL DATA
2.1 Sources of Data
The Controller obtains personal data mainly:
a) directly from data subjects (Customers) during:
– registration and creation of a user account,
– creation and processing of orders,
– concluding and fulfilling contracts for the provision of services,
– communication with technical support or a business contact,
b) indirectly from the Controller's technical systems (logs, service monitoring, cookies, analytical tools),
c) exceptionally from public sources (e.g., commercial register, trade register) for the purpose of verifying the identification of business entities.
2.2 Categories of Processed Data
The Controller processes in particular the following categories of personal data:
a) Identification data
– name, surname,
– company name, ID No., VAT ID (for entrepreneurs),
– possibly a contact person for a legal entity.
b) Contact data
– e-mail address,
– phone number,
– billing address,
– possibly a delivery address.
c) Data on the contractual relationship and services
– information about ordered and provided services,
– order history,
– payment status and history,
– communication with the Controller (support, complaints, inquiries).
d) Operational and technical data
– IP address,
– access logs to systems and servers,
– device identifiers,
– activity data in the client section (logins, settings changes),
– cookies and similar technologies.
e) Payment data
– data on executed payments (bank account number, variable symbol, amount, date of payment),
– name of the bank or payment service provider.
The Controller does not have access to complete payment card data; this data is processed by the payment gateway provider (Stripe) as an independent controller or processor.
f) Other data
– data necessary to assert legal claims and legal defense (e.g., in court or administrative proceedings),
– data necessary to fulfill legal obligations (accounting, tax agenda, etc.).
2.3 Special Categories of Personal Data
The Controller does not routinely request or process special categories of personal data (sensitive data under Article 9 of the GDPR, e.g., health data, religion, etc.). Should such processing occur in justified cases, it will always be strictly to the extent permitted by law and subject to the conditions of the GDPR.
III. PURPOSES AND LEGAL BASES FOR PROCESSING
The Controller processes personal data only to the extent necessary to fulfill the purposes listed below and on the basis of lawful grounds under Article 6 of the GDPR.
3.1 Performance of a Contract and Pre-contractual Negotiations (Article 6(1)(b) GDPR)
Purposes:
– user account registration,
– concluding and fulfilling a contract for the provision of services,
– administration of the client section,
– providing and managing services (server setup, hosting, domain, support),
– communication with the Customer in connection with the fulfillment of the contract (service, incidents, service changes).
Providing this data is a contractual requirement. If the Customer fails to provide the requested data, the Controller cannot conclude or fulfill the contract and provide services.
3.2 Fulfillment of Legal Obligations (Article 6(1)(c) GDPR)
Purposes:
– keeping accounting and tax records,
– issuing and archiving tax documents,
– obligations arising from tax and accounting regulations and other legal regulations,
– fulfilling obligations towards public authorities (e.g., providing cooperation based on legal requirements).
3.3 Legitimate Interest of the Controller (Article 6(1)(f) GDPR)
Data processing based on the Controller's legitimate interest takes place mainly for the following purposes:
a) Security purposes
– protection of the Controller's system and networks against misuse and attacks (e.g., DDoS),
– ensuring the stability and security of the provided services,
– prevention of fraudulent or unlawful conduct,
– maintaining technical logs and audit records.
b) Protection of the Controller's rights and claims
– asserting the Controller's legal claims (e.g., debt collection),
– defense of the Controller in potential disputes.
c) Direct marketing to existing customers
– sending commercial communications (newsletters) to existing customers concerning the same or similar services ordered by the Customer, in accordance with Section 7(3) of Act No. 480/2004 Sb.
The Customer may object to this processing at any time (see Section VIII.4). Every commercial communication will include a simple link or contact for unsubscribing.
3.4 Processing Based on Consent (Article 6(1)(a) GDPR)
Only in cases where processing cannot be based on another legal ground may the Controller request the data subject's consent, especially for:
– sending commercial communications to non-customers,
– using certain analytical and marketing cookies and tools that are not essential for the website's operation,
– any other voluntary marketing or similar activities.
Consent is always voluntary, specific, informed, and can be withdrawn at any time without affecting the processing carried out before the withdrawal of consent.
IV. RECIPIENTS, PROCESSORS, AND DATA TRANSFERS
4.1 Recipients and Processors of Personal Data
Personal data may be disclosed to the following categories of recipients:
a) Processors – contractual partners of the Controller who process personal data only on the Controller's instructions and based on a data processing agreement:
– payment service providers and payment gateways,
– accounting and tax service providers,
– IT service and infrastructure providers (data centers, cloud services, domain registrars),
– providers of e-mailing and technical support tools.
b) Public Authorities and other entities
– public authorities, courts, or administrative bodies, if required by law or necessary to protect the Controller's rights,
– any legal and tax advisors, auditing firms, etc., if necessary to protect the rights and fulfill the Controller's obligations.
4.2 Transfers to Third Countries Outside the EU/EEA
The Controller primarily processes personal data within the European Union or the European Economic Area. If in specific cases personal data were transferred to a third country outside the EU/EEA (e.g., when using certain cloud tools), such transfer will only be carried out subject to GDPR conditions, particularly:
– to countries with an adequacy decision by the European Commission, or
– based on appropriate safeguards (e.g., standard contractual clauses).
Information about a specific transfer will be provided to the data subject upon request.
V. RETENTION PERIOD OF PERSONAL DATA
The Controller retains personal data only for the time strictly necessary to fulfill the purpose of processing and in accordance with the principles of data minimization and storage limitation.
Specifically:
a) Data for the performance of a contract
– for the duration of the contractual relationship and subsequently for the time necessary to protect the Controller's rights (usually for the general limitation period, typically 3 years from the end of the contractual relationship), unless a longer period is justified in a specific case.
b) Accounting and tax documents
– for the period stipulated by legal regulations, especially the Accounting Act and tax regulations (usually 10 years from the end of the accounting period in which the document was issued).
c) Security logs, technical records
– for the time necessary to ensure the security and proper functioning of services, usually a maximum of 12–24 months, unless a longer retention is necessary in a specific case (e.g., in connection with an incident or ongoing proceedings).
d) Data for direct marketing to existing customers
– for the duration of the contractual relationship and for a reasonable period after its end (usually up to 3 years), or until the data subject objects to the processing or unsubscribes from commercial communications.
e) Data processed on the basis of consent
– until the consent is withdrawn, unless a shorter period is set; after the withdrawal of consent, the Controller will terminate the processing and delete or anonymize the data, unless its further retention is required by another legal ground (e.g., legal obligation).
After the respective retention periods have expired, the Controller will securely delete or anonymize the personal data.
VI. ROLE OF CONTROLLER AND PROCESSOR IN HOSTING
1. In relation to personal data entered by the Customer into the Controller's systems within the provided hosting and server services (e.g., end-user data on the Customer's website), the Customer generally acts as the controller and the Controller acts as the processor under Article 28 of the GDPR.
2. The rights and obligations of the Controller as a processor are stipulated in the service agreement and, where applicable, in a separate Data Processing Agreement (DPA).
3. Data subjects whose data the Customer processes on the Controller's infrastructure should primarily exercise their rights against the Customer as the controller. If a data subject contacts the Controller and the Controller is merely a processor, the Controller will forward the request to the respective Customer or refer the data subject to them.
VII. COOKIES AND ONLINE TECHNOLOGIES
7.1 What are cookies
Cookies are small text files stored on the user's device when visiting the Controller's website. They serve to ensure website functionality, improve user experience, and for analytical or marketing purposes.
7.2 Types of cookies used
The Controller uses only strictly necessary (technical) cookies:
– they are essential for the operation of the website and the provision of services (e.g., logging into the client section, security, shopping cart). The website cannot function properly without these cookies. Their use does not require consent.
VIII. RIGHTS OF DATA SUBJECTS
Data subjects have the following rights against the Controller under the GDPR and related regulations.
Requests may be submitted by e-mail to [email protected]. The Controller processes requests without undue delay, no later than 1 month from receipt; this period may be extended by up to 2 months in exceptional cases, of which the data subject will be informed along with the reasons.
8.1 Right of access
The data subject has the right to obtain confirmation from the Controller as to whether their personal data is being processed, and, if so, the right to access this data and information about the processing.
8.2 Right to rectification
The data subject has the right to request the Controller to rectify inaccurate or complete incomplete personal data without undue delay.
8.3 Right to erasure ("right to be forgotten")
The data subject has the right to request the erasure of personal data if the conditions under Article 17 of the GDPR are met (e.g., the data is no longer necessary for the purpose, consent was withdrawn and there is no other legal ground, the data was processed unlawfully, etc.). However, data cannot be erased if the Controller must retain it based on legal regulations (especially accounting and tax documents) or needs it for the establishment, exercise, or defense of legal claims.
8.4 Right to object
The data subject has the right to object at any time to processing based on the Controller's legitimate interest (especially direct marketing). In the event of an objection to direct marketing, the Controller will immediately cease processing for such purposes.
8.5 Right to restriction of processing
Under the conditions laid down in Article 18 of the GDPR, the data subject may request the restriction of processing (e.g., while verifying an objection or data accuracy).
8.6 Right to data portability
If processing is based on consent or a contract and carried out by automated means, the data subject has the right to receive their personal data in a structured, commonly used, and machine-readable format, and potentially transmit it to another controller.
8.7 Right to withdraw consent
If processing is based on consent, the data subject has the right to withdraw their consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
8.8 Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the GDPR. The supervisory authority in the Czech Republic is:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů)
Pplk. Sochora 27
170 00 Prague 7
Website: www.uoou.cz
IX. SECURITY OF PERSONAL DATA
1. The Controller has implemented appropriate technical and organizational measures to ensure the security of personal data, taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons. These measures include in particular:
– restricting access to data only to authorized persons,
– encrypted communication (e.g., HTTPS),
– access rights and password management,
– regular system updates and patching,
– internal rules and training for personnel processing data.
2. The Controller regularly evaluates the suitability of the measures taken and adapts them to current risks and technical developments.
3. Although the Controller makes every reasonable effort to protect personal data, they cannot guarantee the absolute security of data transmission over the Internet. The user is aware of the risks associated with the internet environment and is obligated to protect their access credentials and devices.
4. In the event of a personal data breach likely to result in a high risk to the rights and freedoms of data subjects, the Controller will, if required by law, notify the competent supervisory authority and the affected data subjects.
X. CHANGES TO THIS POLICY
1. The Controller is entitled to unilaterally amend this Policy, in particular due to changes in legal regulations, recommendations of supervisory authorities, or changes in the method of personal data processing.
2. The current version of the Policy is always available on the Controller's website. In the case of material changes, the Controller may also notify Customers by e-mail or via the client section.
3. By using the services after the effective date of a new version of the Policy, the data subject acknowledges the updated content of the Policy; this does not affect their rights under the GDPR and related legal regulations.