Privacy Policy

Last updated: March 29, 2026

1. Data Controller

The controller of your personal data within the meaning of Art. 4(7) GDPR is the operator of aityy.cz ("we," "Provider," or "controller"):

Eduard Roch, sole proprietor operating under Czech trade law, Czech business ID (IČO) 87248824, registered address: Osiková 382/34, 637 00 Brno-Jundrov, Czech Republic, email: info@aityy.cz.

Contact for data protection inquiries: info@aityy.cz.

2. Data We Collect

We process the following categories of personal data in connection with our services:

2.1. Data You Provide Directly

  • Contact information: name, email address, phone number
  • Business information: company name, business description, website requirements, target audience, order notes
  • Uploaded files: photographs, logos, and other image materials intended for your website
  • Domain information: desired domain name, contact details for domain registration (if you order a domain)

2.2. Data Collected Automatically

  • Technical data: IP address, browser type, operating system, approximate location (country/region level only)
  • Usage data: anonymized analytics (Google Analytics 4 + Google Ads, loaded via Google Tag Manager with Consent Mode v2 -- no identifiers stored without your consent)

2.3. Data Processed by Third Parties

  • Payment data: card numbers and other payment details are processed directly by Stripe, Inc. -- we never have access to your full payment information. Stripe provides us only with payment confirmation, amount, and the last 4 digits of your card.

2.4. Record of Consent to Performance Before the 14-Day Period Expires (§ 1837 Czech Civil Code)

At the moment you tick the consent checkboxes in the order form, we store the timestamp, your IP address, and the verbatim consent text, so that we can prove compliance with the disclosure duties under § 1820 and § 1828 of the Czech Civil Code. Legal basis: Art. 6(1)(c) GDPR — compliance with a legal obligation. Storage form: the IP address is retained in full for 30 days from the order, after which it is replaced with a salted short hash. The complete record is deleted after 4 years (3-year general limitation period under § 629 of the Czech Civil Code plus a one-year buffer).

3. Purposes of Processing

  • Contract performance: Creating and delivering your website, hosting, domain registration, email service, technical support
  • Communication: Order status updates, delivery of access credentials, handling complaints
  • Payment processing: Facilitating payments through Stripe
  • Legal obligations: Accounting, tax records, document archival
  • Security: Protection against service abuse, fraud detection, security logs

4. Legal Basis for Processing

  • Contract performance (Art. 6(1)(b) GDPR) -- processing necessary to provide the ordered service
  • Legal obligation (Art. 6(1)(c) GDPR) -- accounting, tax regulations, archival requirements
  • Legitimate interest (Art. 6(1)(f) GDPR) -- service security, abuse prevention, technical logs

5. Third-Party Processors

We share your personal data with the following third parties only to the extent necessary to provide our services:

  • Stripe, Inc. (USA) -- payment processing. Stripe Privacy Policy. Stripe is certified under the EU-US Data Privacy Framework.
  • Cloudflare, Inc. (USA) -- DNS management, CDN, and DDoS protection. Cloudflare Privacy Policy.
  • Anthropic, PBC (USA) -- AI content generation for websites (Claude). Your order text specifications are processed to generate website content. Anthropic Privacy Policy.
  • Claid.ai (Let's Enhance, Inc.) (USA) — AI image enhancement of uploaded photographs (resolution, sharpness, HDR). We process only images uploaded for your website. Claid.ai Privacy Policy.
  • remove.bg (Kaleido AI GmbH) (Austria) — automatic background removal from photographs for team and testimonial sections. remove.bg Privacy Policy.
  • Resend, Inc. (USA) -- sending transactional emails (order confirmations, access credentials).
  • MXRoute (USA) -- professional email hosting (if you order this service).
  • Pexels / Unsplash -- sourcing placeholder photographs. We do not share your personal data with these services; we only use their public APIs to download images.
  • Domain registrars -- OpenProvider (OpenProvider BV, Netherlands) -- domain name registration. We share only the data required for registration (name, email, address).

We do not sell or share your data for marketing purposes.

6. International Data Transfers

Some of the processors listed above are based in the United States. Data transfers are conducted on the basis of:

  • EU-US Data Privacy Framework (where the processor is certified)
  • EU Standard Contractual Clauses (SCCs)

Website hosting servers are located in the European Union (Czech Republic).

7. Data Retention

  • Order and contract data: Duration of the contract + 3 years (statute of limitations), or longer if required by law
  • Tax and accounting records: 10 years under Czech law
  • Uploaded images (staging): Deleted within 48 hours of website delivery
  • Website content: Duration of subscription + 30 days after cancellation
  • Payment records: Retained by Stripe per their policies
  • Technical and security logs: 90 days
  • Analytics data: Anonymized, retained indefinitely

8. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15 GDPR) -- the right to obtain confirmation of whether your personal data is being processed and to access it
  • Right to rectification (Art. 16 GDPR) -- the right to have inaccurate personal data corrected
  • Right to erasure (Art. 17 GDPR) -- the right to have personal data deleted under the conditions set out in the GDPR
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR) -- the right to receive your data in a machine-readable format
  • Right to object (Art. 21 GDPR) -- particularly against processing based on legitimate interest
  • Right to withdraw consent -- if processing is based on consent, at any time and without giving a reason

You may exercise your rights by contacting us at info@aityy.cz. We will respond to your request within 30 days.

You also have the right to lodge a complaint with the supervisory authority -- the Czech Office for Personal Data Protection (uoou.cz).

9. Cookies and Tracking

We use Google Analytics 4 for traffic analysis and Google Ads for conversion measurement, both loaded via Google Tag Manager. These services use cookies and other storage technologies for identification and measurement. They run in Consent Mode v2: until you grant consent via the cookie banner, Google stores no identifiers and retains no data associated with you (analytics_storage='denied', ad_storage='denied'). You can grant or withdraw consent at any time -- the "Cookie preferences" link is in the page footer.

On our example sites (kadernictvi.aityy.cz, remeslnik.aityy.cz, restaurace.aityy.cz, zubar.aityy.cz) your browser stores a technical record of whether you have submitted the "Build a website for free" contact form. The record contains no personal data -- only the submission timestamp and a session flag. It is stored in browser localStorage (key aityy_leadcap_v1) and sessionStorage (key aityy_leadcap_session). It is used solely to avoid showing the same form to you again. This is "strictly necessary" technical storage under Article 5(3) of the ePrivacy Directive and PECR Regulation 6(4)(b) -- no consent is required. Additionally, we aggregate anonymous interaction statistics (impressions, form opens, dismissals, submissions) on the server in a popup_events table to evaluate this form's effectiveness. The identifier is a short hash of the IP address using a daily-rotating salt (16 characters of SHA-256) and a hash of the User-Agent string -- these values cannot be reverse-engineered back to your IP or any personal data, and the same user's hash changes after 24 hours. Legal basis: Article 6(1)(f) GDPR (legitimate interest in service improvement).

Stripe may use its own essential cookies during the payment process for security and fraud prevention.

10. Data Security

We implement the following measures to protect your personal data:

  • All communications encrypted with TLS/HTTPS
  • Servers located in the European Union
  • Access restricted to authorized personnel only
  • Regular backups and security updates
  • Firewall and DDoS protection (Cloudflare)
  • Payment data processed exclusively by a certified provider (Stripe, PCI DSS Level 1)

11. Children's Privacy

Our service is not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will promptly delete it.

12. Policy Changes

We may update this policy from time to time. We will notify you of material changes by email or through a notice on our website at least 30 days in advance. We recommend checking this policy regularly.