Privacy Policy
Last updated: March 29, 2026
1. Data Controller
The controller of your personal data is the operator of aityy.cz ("we," "Provider," or "controller"), a sole proprietor operating under Czech trade law, based in the Czech Republic.
Contact for data protection inquiries:
Email: info@aityy.cz
2. Data We Collect
We process the following categories of personal data in connection with our services:
2.1. Data You Provide Directly
- Contact information: name, email address, phone number
- Business information: company name, business description, website requirements, target audience, order notes
- Uploaded files: photographs, logos, and other image materials intended for your website
- Domain information: desired domain name, contact details for domain registration (if you order a domain)
2.2. Data Collected Automatically
- Technical data: IP address, browser type, operating system, approximate location (country/region level only)
- Usage data: anonymized analytics (Umami Analytics -- no personal data collected)
2.3. Data Processed by Third Parties
- Payment data: card numbers and other payment details are processed directly by Stripe, Inc. -- we never have access to your full payment information. Stripe provides us only with payment confirmation, amount, and the last 4 digits of your card.
3. Purposes of Processing
- Contract performance: Creating and delivering your website, hosting, domain registration, email service, technical support
- Communication: Order status updates, delivery of access credentials, handling complaints
- Payment processing: Facilitating payments through Stripe
- Legal obligations: Accounting, tax records, document archival
- Security: Protection against service abuse, fraud detection, security logs
4. Legal Basis for Processing
- Contract performance (Art. 6(1)(b) GDPR) -- processing necessary to provide the ordered service
- Legal obligation (Art. 6(1)(c) GDPR) -- accounting, tax regulations, archival requirements
- Legitimate interest (Art. 6(1)(f) GDPR) -- service security, abuse prevention, technical logs
5. Third-Party Processors
We share your personal data with the following third parties only to the extent necessary to provide our services:
- Stripe, Inc. (USA) -- payment processing. Stripe Privacy Policy. Stripe is certified under the EU-US Data Privacy Framework.
- Cloudflare, Inc. (USA) -- DNS management, CDN, and DDoS protection. Cloudflare Privacy Policy.
- Anthropic, PBC (USA) -- AI content generation for websites (Claude). Your order text specifications are processed to generate website content. Anthropic Privacy Policy.
- Claid.ai (Let's Enhance, Inc.) (USA) -- AI image enhancement of uploaded photographs (resolution, sharpness, HDR). We process only images uploaded for your website. Claid.ai Privacy Policy.
- remove.bg (Kaleido AI GmbH) (Austria) -- automatic background removal from photographs for team and testimonial sections. remove.bg Privacy Policy.
- Resend, Inc. (USA) -- sending transactional emails (order confirmations, access credentials).
- MXRoute (USA) -- professional email hosting (if you order this service).
- Pexels / Unsplash -- sourcing placeholder photographs. We do not share your personal data with these services; we only use their public APIs to download images.
- Domain registrars -- OpenProvider (OpenProvider BV, Netherlands) -- domain name registration. We share only the data required for registration (name, email, address).
We do not sell or share your data for marketing purposes.
6. International Data Transfers
Some of the processors listed above are based in the United States. Data transfers are conducted on the basis of:
- EU-US Data Privacy Framework (where the processor is certified)
- EU Standard Contractual Clauses (SCCs)
Website hosting servers are located in the European Union (Czech Republic).
7. Data Retention
- Order and contract data: Duration of the contract + 3 years (statute of limitations), or longer if required by law
- Tax and accounting records: 10 years under Czech law
- Uploaded images (staging): Deleted within 48 hours of website delivery
- Website content: Duration of subscription + 30 days after cancellation
- Payment records: Retained by Stripe per their policies
- Technical and security logs: 90 days
- Analytics data: Anonymized, retained indefinitely
8. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR) -- the right to obtain confirmation of whether your personal data is being processed and to access it
- Right to rectification (Art. 16 GDPR) -- the right to have inaccurate personal data corrected
- Right to erasure (Art. 17 GDPR) -- the right to have personal data deleted under the conditions set out in the GDPR
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR) -- the right to receive your data in a machine-readable format
- Right to object (Art. 21 GDPR) -- particularly against processing based on legitimate interest
- Right to withdraw consent -- if processing is based on consent, at any time and without giving a reason
You may exercise your rights by contacting us at info@aityy.cz. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the supervisory authority -- the Czech Office for Personal Data Protection (uoou.cz).
9. Cookies and Tracking
We do not use tracking cookies or third-party cookies. For traffic analysis, we use Umami Analytics, which is self-hosted and fully GDPR-compliant, collects no personal data, and uses no cookies. Cookie consent is therefore not required.
Stripe may use its own essential cookies during the payment process for security and fraud prevention.
10. Data Security
We implement the following measures to protect your personal data:
- All communications encrypted with TLS/HTTPS
- Servers located in the European Union
- Access restricted to authorized personnel only
- Regular backups and security updates
- Firewall and DDoS protection (Cloudflare)
- Payment data processed exclusively by a certified provider (Stripe, PCI DSS Level 1)
11. Children's Privacy
Our service is not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will promptly delete it.
12. Policy Changes
We may update this policy from time to time. We will notify you of material changes by email or through a notice on our website at least 30 days in advance. We recommend checking this policy regularly.