Privacy Policy
Version 2.0 · effective from 2 May 2026
This policy describes how we process personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") and Act No. 110/2019 Coll. on personal data processing.
1. Data controller
Jan Malatinský
Company ID: 19152361
Registered seat: Jasmínová 2241/12, Mizerov, 733 01 Karviná, Czech Republic
Data protection contact: [email protected]
General contact: [email protected]
We have not appointed a Data Protection Officer (DPO), as our core activity does not involve large-scale regular monitoring of data subjects or large-scale processing of special categories of data (Art. 37 GDPR).
2. Two roles within DataNostro
In operating the Service, we process personal data in two distinct roles:
- As controller — for concluding and performing the contract with you (the Client). This concerns your contact and billing details, your account data, and support communication. This document primarily governs this role.
- As processor — for the personal data of the end users of your websites that passes through our sGTM Container. In this relationship you are the controller and we are the processor. This relationship is governed by a separate Data Processing Agreement (DPA).
3. What personal data we process (as controller)
| Category | Specific data | Source |
|---|---|---|
| Identification | First name, surname, company ID/VAT ID, registered seat (for businesses) | Registration form |
| Contact | Email, phone (optional) | Registration, contact form |
| Account and access | Password (hash), TOTP secret for 2FA, API keys (hashes) | Created at registration |
| Operational | IP address, User-Agent, login times, actions in the dashboard (audit log) | Automatically during use |
| Billing | Payment records, invoices, transaction identifiers | Issued by us, the Comgate payment gateway |
| Communication | Emails, support tickets, contact forms | You send to us |
We do not process special categories of personal data (sensitive data under Art. 9 GDPR — health data, data on sexual orientation, biometric data, data on criminal offences).
4. Purposes of processing and legal basis
| Purpose | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|
| Concluding and performing the contract | Performance of the contract (Art. 6(1)(b)) | For the duration of the contract + 30 days |
| Issuing invoices, keeping accounts | Compliance with a legal obligation — Act No. 563/1991 Coll. | 10 years |
| Action audit log, dispute resolution, anti-fraud | Legitimate interest (Art. 6(1)(f)) | 7 years |
| Security logs (access, failed logins) | Legitimate interest (security) | 90 days |
| Communication, support | Performance of the contract + legitimate interest | 5 years |
| Marketing newsletters, commercial communications | Consent (Art. 6(1)(a)) | Until consent is withdrawn |
| Onboarding emails | Legitimate interest (UX) | 30 days from registration |
5. Recipients of personal data
We share your personal data further only to the extent necessary, with these categories of recipients:
- Hetzner Online GmbH (Industriestr. 25, 91710 Gunzenhausen, Germany) — the data center operator. Hetzner is ISO 27001 certified.
- Cloudflare, Inc. (101 Townsend St, San Francisco, USA) — CDN, DDoS protection, TLS termination at the network edge. Transfers outside the EU are covered by the EU Standard Contractual Clauses (SCC) and the Cloudflare DPA.
- ComGate Payments, a.s. (company ID 27924505, Hradec Králové) — payment processing. Comgate is a separate controller with respect to payment data.
- Fakturoid s.r.o. (company ID 04122660, Prague) — issuing invoices and recording payments.
- SeznamEmail / SMTP provider (Seznam.cz a.s., company ID 26168685) — sending transactional and notification emails.
- Sentry / Better Stack / Healthchecks.io (once activated) — aggregation of error reports and uptime monitoring.
- Tax advisor / accountant — only to the extent necessary for keeping accounts.
- Public authorities, where required by law (the tax office, courts, the police).
The current list of subcontractors (sub-processors) is maintained in the DPA, Art. 7 and updated with every change.
6. Transfers outside the EU
The primary infrastructure (servers, database, backups) is operated in Germany. Your primary data never leaves the EU.
Cloudflare, as a CDN/proxy, operates globally and edge processing may take place in the PoP nearest the end user (e.g. Prague, Frankfurt, Vienna). Transfers to third countries are secured by the Standard Contractual Clauses (SCC) adopted by the EU Commission on 4 June 2021.
7. Cookies and similar technologies
The datanostro.com website uses only strictly necessary and analytics cookies. Details — names, validity periods, legal basis — are in the Cookie Policy.
8. Your rights under the GDPR
As a data subject you have the following rights, which you can exercise free of charge by emailing [email protected]:
- The right of access (Art. 15 GDPR)
- You can obtain information on whether we process your data, and a copy of that data. We respond within 30 days at the latest.
- The right to rectification (Art. 16)
- If your data is inaccurate, you can request correction. You can also edit most billing and contact details directly in the dashboard.
- The right to erasure (Art. 17, the "right to be forgotten")
- You can request deletion of your data if it's no longer needed for the processing purpose, you've withdrawn consent, or the law requires it of us. Exception: data we are legally required to retain (in particular invoices — 10 years) cannot be deleted before the statutory period elapses.
- The right to restriction of processing (Art. 18)
- In certain situations (e.g. when you contest the accuracy of the data) you can request temporary restriction of processing — we then merely store the data without further processing.
- The right to data portability (Art. 20)
- We provide the data you gave us in a machine-readable format (JSON or CSV). We can also send it directly to another controller where technically feasible.
- The right to object (Art. 21)
- If we process data on the basis of legitimate interest, you can object. We will either find the objection justified and stop the processing, or demonstrate that our interest prevails (e.g. in the case of the audit log for forensic purposes).
- The right to withdraw consent (Art. 7(3))
- Where processing is based on consent (typically marketing messages), you can withdraw it at any time. Withdrawal doesn't affect the lawfulness of processing carried out beforehand.
- The right not to be subject to automated decision-making (Art. 22)
- DataNostro does not use decision-making based solely on automated processing with legal or similarly significant effects on an individual.
9. Complaint to the supervisory authority
If you believe we process your data in breach of the GDPR, you have the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ):
The Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Praha 7
tel: +420 234 665 111
web: www.uoou.cz
e-mail: [email protected]
10. Security of processing
To protect personal data we apply the following technical and organizational measures (Art. 32 GDPR):
- Data encryption in transit (TLS 1.2+ / 1.3)
- Encryption of sensitive fields in the database (Fernet, AES-128 in CBC mode)
- Password hashing (Argon2 / PBKDF2 per the Django default)
- Two-factor authentication (2FA / TOTP) optional for every account
- Rate limiting per IP and per tenant against brute-force and credential stuffing
- Regular security updates of the operating system and dependencies (Dependabot)
- Network segmentation between projects (Docker network namespaces, iptables)
- An append-only audit log of Comgate callbacks and application actions (an evidentiary trail)
- Regular daily database backups (pg_dump) stored within the Hetzner infrastructure in a second region, 30-day retention, restore tested monthly
- An incident response plan under Art. 33 GDPR (notifying the ÚOOÚ within 72 h of detection)
11. Notification of a security breach
If a personal data breach occurs that is likely to cause harm to your rights and freedoms, we will notify:
- The Office for Personal Data Protection — without undue delay, at the latest within 72 hours of becoming aware of the breach (Art. 33 GDPR).
- You, as a data subject — if the breach is likely to result in a high risk to your rights (Art. 34 GDPR), without undue delay by email to the address held in your Account.
12. Changes to the policy
We may update this policy from time to time. We'll notify you of substantial changes by email at least 30 days before they take effect. The date of the last update is in the header of this document.
Effective from 2 May 2026 · Version 2.0