Privacy Policy
Last updated: 11 May 2026
Version: 1.2
TL;DR
I’m a sole trader in Czechia. When you contact me through the form or by e-mail, I process your data so I can respond and possibly work with you. Invoices stay with me for ten years because the law requires it. No retargeting, no Facebook Pixel, no selling of data. Details below — written in plain English, not legalese.
1. Who I am
I am the controller of your personal data:
- Name: Ondřej Mašek
- Company ID (IČO): 75945916
- Registered office: Malířská 609/5, 170 00 Prague, Czechia
- Privacy contact e-mail: ondrej.masek@gmail.com
- Phone: +420 602 878 825
I have not appointed a Data Protection Officer — the law doesn’t require it for an operation of this size. For anything privacy-related, write to the e-mail above.
2. What data I process
Only what I actually need:
- From the contact form: name, e-mail, optionally phone, and the content of your message.
- From e-mail correspondence: what you write to me, plus header data (sender, time).
- For an engagement: billing details (name, address, IČO/DIČ or VAT ID), the contract, and related documents.
- For the newsletter (if you sign up): your e-mail address and a record of your consent.
- From site traffic: anonymous visit statistics via Plausible — no cookies, no identifiers. Only if you accept analytics in the cookie banner.
- From server logs: IP address, user-agent, and request timestamp — short-term, for security and abuse defence.
I do not process special-category data (health, political views, etc.) and I’d rather not receive any through the form.
3. Why I do it and on what legal basis
| Purpose | Lawful basis | In plain English |
|---|---|---|
| Responding to your enquiry | Art. 6(1)(b) GDPR — pre-contractual measures | When you write, I need your data to reply. |
| Performing an engagement | Art. 6(1)(b) GDPR — contract | I can’t sign or invoice without your billing details. |
| Issuing and archiving accounting and tax records | Art. 6(1)(c) GDPR — legal obligation | Czech accounting, VAT, and income tax laws. |
| Defending possible claims | Art. 6(1)(f) GDPR — legitimate interest | If a complaint or dispute arises, I need evidence for the limitation period. |
| Sending the newsletter | Art. 6(1)(a) GDPR — consent + § 7 of Act 480/2004 Coll. | Only with your consent; you can withdraw it any time via the unsubscribe link in every e-mail. |
| Measuring site traffic (Plausible) | Art. 6(1)(a) GDPR — consent | Only if you click “Accept all” or “Statistics” in the cookie banner. |
| Operational logs and abuse defence | Art. 6(1)(f) GDPR — legitimate interest | Without logs there’s no way to defend the site. |
| Delivering the website to your browser | Art. 6(1)(b) + (f) GDPR | Hosting needs your IP to send the response. |
4. How long I keep data
| Data | Retention | Why |
|---|---|---|
| Contact-form messages with no follow-up | 6 months from last contact | After that there’s no reason to keep them (data minimisation, Art. 5(1)(e) GDPR). |
| Pre-contract e-mail correspondence | up to 3 years | Subjective limitation period, § 629 Civil Code. |
| Contracts and related documents | 10 years from end of contract | Objective limitation period § 636(2) Civil Code + accounting overlap. |
| Invoices and tax documents | 10 years from end of tax period | § 35 of Act 235/2004 Coll. on VAT. |
| Other accounting documents | 5 years | § 31 of Act 563/1991 Coll. on accounting. |
| Newsletter subscription record + consent log | until unsubscribed + 3 years for proof of consent | Art. 7(1) GDPR (demonstrability). |
| Unconfirmed newsletter sign-ups | 7 days from sign-up | Data minimisation principle, Art. 5(1)(e) GDPR. |
| Aggregated traffic statistics (Plausible) | 24 months | Plausible default. |
| Server and security logs | 30 days max | Minimisation principle. |
| Cookie consent record | 12 months from last interaction | EDPB Cookie Banner Task Force guidance. |
5. Who I share data with
I don’t roll my own infrastructure — I use standard tools. My processors:
- Vercel Inc. (USA) — site hosting, edge functions, content delivery.
- Supabase Inc. (USA, EU/Frankfurt data region) — database for contact-form messages and newsletter subscriptions.
- n8n GmbH (Berlin, Germany) — workflow automation for processing form messages and e-mail notifications.
- Resend, Inc. (USA, EU/Frankfurt data region) — sending transactional e-mails (newsletter confirmation and unsubscribe).
- Plausible Insights OÜ (Estonia, EU) — anonymous traffic statistics. Servers at Hetzner Germany, CDN at Bunny Slovenia. No transfer outside the EEA.
- mailbox.org (Heinlein Support GmbH, Berlin, Germany, EU) — receiving inbound mail on the omasek.com domain and forwarding to my personal Gmail inbox.
- Google LLC (USA) — Gmail, which I use for receiving and archiving e-mail correspondence.
- Bank — for payment processing.
- Czech Tax Office, Social Security Administration, health insurer — to the extent required by law.
I keep my own books, so no external accountant sees your data.
I don’t sell your data, don’t trade it for ad cookies, and don’t share it with anyone not on the list above.
6. International transfers
Some of the processors above are based in the USA. This is lawful, but I want you to know on what basis:
- Vercel — certified under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) + Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914.
- Supabase — SCCs per their Data Processing Addendum. The data layer runs in the EU region (Frankfurt on AWS); however, Supabase Inc. as the provider is US-based, so I disclose this as a third-country transfer.
- Resend — SCCs per their Data Processing Addendum, plus DPF where certified.
- Google (Gmail) — DPF + SCCs per Google Workspace Data Processing Amendment.
- n8n GmbH — based in Germany, no transfer outside the EEA.
- Plausible Insights OÜ — based in Estonia, servers in Germany, no transfer outside the EEA.
- mailbox.org (Heinlein Support GmbH) — based in Berlin with servers in Germany, no transfer outside the EEA; GDPR-compliant Data Processing Agreement in place (Standard plan).
For each US processor I keep a one-page Transfer Impact Assessment (TIA) with supplementary measures (encryption in transit, data minimisation, short retention).
If the Court of Justice of the EU were to invalidate the DPF (case T-553/23 is pending), I rely on SCCs as a fallback and will update this policy.
7. Cookies and similar technologies
A detailed list lives on a separate Cookies page (linked in the footer). Briefly:
- Strictly necessary — site language, your choice in the cookie banner. No consent required, the site doesn’t work without them.
- Statistics — Plausible, anonymous, no cookies. Loads only with your consent.
- Marketing — none. And I have no plans to start.
You can change your consent any time via “Cookie settings” in the footer. I remember your consent for 12 months; if you decline, I won’t ask again for 6 months.
8. Your rights
Under the GDPR you have the right to:
- Access the data I hold about you and receive a copy (Art. 15).
- Correct anything inaccurate or incomplete (Art. 16).
- Erase your data when I no longer need it or you withdraw consent (Art. 17). This has limits — invoices I have to keep by law cannot be deleted.
- Restrict processing in specific situations (Art. 18).
- Port the data you provided in a machine-readable format (Art. 20).
- Object to processing based on legitimate interest, including direct marketing (Art. 21). For direct marketing I’ll stop immediately, no questions.
- Withdraw consent at any time, with effect for the future (Art. 7(3)). For the newsletter, click “Unsubscribe” in any e-mail; for cookies, change your choice via “Cookie settings”.
To exercise any right, e-mail ondrej.masek@gmail.com. I’ll respond within one month. If the request is complex, I may extend the deadline by two months — I’ll tell you why.
If you believe I’ve mishandled your data, you can lodge a complaint with the supervisory authority. In Czechia:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 727/27, 170 00 Praha 7-Holešovice, Czechia
e-mail: posta@uoou.gov.cz
tel.: +420 234 665 111
web: https://uoou.gov.cz
You can also lodge a complaint with the supervisory authority of the country where you live, work, or where you believe the infringement took place (Art. 77 GDPR).
9. Security
What I do to protect your data:
- HTTPS/TLS everywhere
- Multi-factor authentication on every tool that supports it
- Principle of least privilege (each tool sees only what it needs)
- Encrypted backups
- Regular dependency updates and reviews
No system is bulletproof. If an incident occurs with serious impact on your rights, I’ll notify ÚOOÚ within 72 hours and inform you without undue delay (Art. 33–34 GDPR).
10. Children
The site and services are not directed at people under 16. I do not knowingly process children’s data.
11. Automated decision-making and profiling
I don’t do any. No scoring algorithms, no automated evaluation. Every decision is made by me, a person.
12. UK addendum
If you live in the UK, the UK GDPR, the Data Protection Act 2018, and PECR apply alongside the rules above. The substantive content of this policy is the same; in addition:
- You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, https://ico.org.uk.
- I do not currently meet the criteria that would require me to appoint a UK representative under Art. 27 UK GDPR (my processing relating to UK individuals is occasional and low-risk). If that changes, I’ll appoint one and update this policy.
13. US residents
I do not meet the thresholds that would bring me under the California Consumer Privacy Act (CCPA/CPRA) or similar US state laws (revenue, volume, or data-sales criteria). Even so, if you’re a US resident and want to know what data I have, request its deletion, or exercise any GDPR-equivalent right, e-mail me at ondrej.masek@gmail.com. I’ll handle it on the same terms as everyone else.
I do not sell personal data and do not engage in cross-context behavioural advertising.
14. Changes to this policy
When I update something, I’ll change the date at the top and describe the change in the log below. For material changes, I’ll notify you by e-mail (if I have your contact) or via a banner on the site.
Versions and changes:
- v1.0 — 5 May 2026 — first release.
- v1.1 — 8 May 2026 — added Forward Email LLC processor (catch-all inbound mail); corrected Resend region and scope.
- v1.2 — 11 May 2026 — inbound mail processor changed from ForwardEmail.net (US) to mailbox.org (Heinlein Support GmbH, Berlin, Germany). Reason: the ForwardEmail free tier rejected my domain, and their production servers are in Denver, not the EU. Switching to an EU-resident provider keeps my GDPR posture unchanged.
The Czech-language version of this policy is authoritative in case of dispute. Česká verze: /privacy.