Assoluto

Privacy Policy

Version 1.0 · effective from May 1, 2026

1. Who is the data controller

The data controller for personal data processed when you visit assoluto.eu and when you operate a Hosted Service account is Václav Mudra, Company ID (IČO) 09989978, with registered office at Lidická 2020/2, 405 02 Děčín. Contact: team@assoluto.eu.

For personal data that you (the Customer) upload about your own end clients into the portal — order data, contact records, drawings — the Provider acts as a data processor under Article 28 GDPR; the Customer remains the controller of that data. A standard DPA is available on request at the same address.

The Provider has not designated a Data Protection Officer because the size and nature of processing falls below the GDPR Article 37 threshold. For all GDPR-related matters please contact the Provider directly at the email above.

2. What personal data we process and on what legal basis

We process the following categories of personal data, on the legal bases set out next to each category:

  • Account identification (full name, work email, role, company name, IČO, DIČ if provided) — Article 6(1)(b) GDPR, performance of the contract.
  • Login credentials (password stored only as an Argon2id hash; we never see your plaintext password) — Article 6(1)(b) GDPR.
  • Content you create in the portal (orders, attachments, comments, customer records, products) — Article 6(1)(b) GDPR. For end-client personal data inside this content we act as a processor on your instructions.
  • Billing data (Czech tax-document fields, payment status, invoice history) — Article 6(1)(b) GDPR for the contract; Article 6(1)(c) GDPR for the legal obligation to retain accounting records.
  • Technical/security logs (IP address, User-Agent, request path, login success/failure, CSRF token activity) — Article 6(1)(f) GDPR, legitimate interest in operating a secure service.
  • Audit-trail records of administrative actions inside your tenant — Article 6(1)(b) and (f) GDPR.

We do not process any special-category (sensitive) personal data and we ask that you do not upload such data into the portal.

3. Why we process the data (purposes)

  • Operating the Service you ordered — letting you log in, see your orders, send notifications, generate invoices.
  • Issuing tax-compliant invoices and meeting Czech accounting and tax-reporting obligations.
  • Detecting and responding to abuse — brute-force login attempts, spam, attempts to access other tenants' data.
  • Sending operational emails (welcome, password reset, invoice delivery, subscription notifications).
  • Improving the Service based on aggregated usage patterns; we do not perform automated decision-making with legal effects (no profiling, no algorithmic eligibility decisions).

4. Where data is stored and our subprocessors

We rely on the following subprocessors. Each receives only the data they need to deliver their part of the Service; none have permission to use your data for marketing or to share it onward.

Subprocessor Purpose Data categories Location
Hetzner Online GmbH Application hosting + database (VPS) + S3-compatible storage All Customer data (encrypted at rest) DE (EU)
Brevo (Sendinblue SAS) Transactional email delivery Recipient email, name, message body FR (EU)
Stripe Payments Europe Ltd. Subscription billing, card processing, dunning Billing email, company name, tax IDs, card data (held by Stripe, never by us) IE (EU); some processing in US under SCCs
Porkbun LLC DNS hosting and domain registrar Public DNS records only — no personal data US

Stripe transfers some processing to its US affiliates under Standard Contractual Clauses (SCCs) approved by the European Commission. We rely on Stripe's published transfer impact assessment.

Subprocessor changes are disclosed at least 30 days in advance by updating this page and emailing active tenant administrators. The Customer may object to a new subprocessor by terminating the subscription before the change takes effect.

5. How long we retain data

  • Active account data — for the duration of the active subscription.
  • After subscription cancellation — full access continues until the end of the paid period plus a 3-day data-export grace period; afterwards the account is deactivated.
  • Manual recovery on request — data remains recoverable on written request for 30 days after deactivation. After that, it is permanently deleted.
  • Database backups — 14 days rolling, then automatically purged.
  • Authentication and security logs (last_login timestamps, failed login attempts, IP) — 90 days.
  • Audit trail of admin actions inside the tenant — for the lifetime of the tenant; after deletion, retained for up to 3 years for evidentiary purposes in case of dispute.
  • Billing records and tax documents — 10 years from the end of the accounting period, as required by Czech Act 563/1991 Coll. on Accounting.
  • Application request and error logs — 14 days.

Where the law mandates a longer retention (such as billing records), we retain only what the law requires and isolate it from the operational dataset where possible.

6. Recipients and data sharing

We do not sell or rent your personal data. We share data only:

  • with the subprocessors listed in Section 4, strictly for the purposes set out there;
  • with public authorities when required by law or by an enforceable order;
  • with our professional advisors (accountant, tax advisor) under confidentiality, for billing and accounting purposes only.

7. Your rights

Under GDPR Articles 15–22 you have the right to: access your personal data, rectify inaccurate data, request erasure, restrict processing, receive your data in a portable format (CSV / ZIP via the in-app export), and object to processing based on legitimate interest. The data-export and account-delete actions are available self-service in the application's admin profile section.

To exercise any other right, write to team@assoluto.eu. We respond within 30 days of verifying your identity. The response is free of charge unless the request is manifestly unfounded or excessive (Article 12(5) GDPR).

If you believe your rights have been infringed you may lodge a complaint with the Czech Office for Personal Data Protection (uoou.gov.cz), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic.

8. Cookies and similar technologies

The portal uses only strictly-necessary cookies (login session, CSRF protection, locale and theme preference). We do not deploy analytics or marketing cookies, and we do not track you across sites. Full inventory: Cookies policy.

9. Data security

We apply the technical and organisational measures appropriate to the risk: TLS 1.2+ for all traffic, Argon2id password hashing, per-tenant database isolation enforced at the row level (Postgres RLS), encrypted backups, principle-of-least-privilege access by the Provider, no plaintext storage of credentials or payment cards. Security incidents affecting your data will be reported to you and (where required) to the supervisory authority within 72 hours under Article 33 GDPR.

10. Changes to this Privacy Policy

Material changes — new subprocessors, expanded data categories, longer retention — are announced at least 30 days in advance by updating this page and emailing active tenant administrators. The version number and effective date at the top of the page identify the current version.