Privacy Policy
Last updated: June 10, 2026
1. Personal data controller
The controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (the "GDPR") is:
AI Ajťák s.r.o.
Company ID: 24431354
Registered in the Commercial Register at the Regional Court in Brno, Section C, File No. 149867
Registered office: Dolny 167, 664 41 Omice, Czech Republic
E-mail: [email protected]
Website: aiajtak.cz
The company does not operate premises open to the public. All communication takes place electronically.
2. Purposes and legal basis of processing
We process your personal data only for clearly defined purposes and on an appropriate legal basis:
| Purpose | Legal basis | GDPR article |
|---|---|---|
| Handling an inquiry from the contact form | Legitimate interest (pre-customer communication) | Art. 6(1)(f) |
| Performance of a contract and pre-contractual negotiations | Performance of a contract | Art. 6(1)(b) |
| Analytics cookies (Google Analytics) | Consent | Art. 6(1)(a) |
| Marketing cookies (Sklik retargeting) | Consent | Art. 6(1)(a) |
| Website security and protection against abuse | Legitimate interest | Art. 6(1)(f) |
| Application error monitoring (Sentry) | Legitimate interest | Art. 6(1)(f) |
| Accounting and tax obligations | Legal obligation | Art. 6(1)(c) |
3. Scope of processed data
Contact form
- First and last name
- E-mail address
- Phone number (optional)
- Message text (project description / inquiry)
- IP address (for protection against abuse)
- Date and time the form was submitted
- Information about granted consent
Automatically collected data
- IP address
- Browser and operating system type
- Date and time of access
- Visited pages and time spent on the website (only after cookie consent is granted)
E-mail communication
If you contact us by e-mail at [email protected], we process your e-mail address, name (if provided), and the content of the message.
4. Data retention period
| Type of data | Retention period |
|---|---|
| Contact form — inquiries | 3 years from the last contact, then deleted |
| Contractual data | For the duration of the contract + 3 years (limitation period) |
| Accounting documents | 10 years (statutory obligation under the Accounting Act) |
| Server logs (IP addresses) | 90 days |
| Analytics data (Google Analytics) | 14 months (GA4 setting) |
| Error logs (Sentry) | 90 days |
5. Recipients and processors of data
We do not sell your personal data. Form data is never shared with third parties for marketing purposes; third-party marketing technologies (Sklik retargeting) are activated only after your consent in the cookie bar. Only the following processors and recipients may access the data:
Cloudflare, Inc.
Purpose: CDN (content delivery), DNS, protection against DDoS attacks, Turnstile CAPTCHA (form protection).
Registered office: USA — data transfer based on Standard Contractual Clauses (SCC) and DPA.
Google LLC (Google Analytics)
Purpose: Website traffic analysis — only after consent is granted through the cookie banner.
Registered office: USA — data transfer based on Standard Contractual Clauses (SCC).
We use GA4 with IP address anonymization.
Seznam.cz, a.s. (Sklik)
Purpose: Sklik retargeting (ad targeting) — activated only after consent is given via the cookie bar.
Registered office: Czech Republic — data is processed in the EU.
ActiveCampaign, LLC (Postmark)
Purpose: Delivery of transactional e-mails (confirmation of inquiry receipt, notifications).
Registered office: USA — data transfer based on Standard Contractual Clauses (SCC) and DPA.
Functional Software, Inc. (Sentry)
Purpose: Application error monitoring to ensure service stability and quality.
Registered office: USA — data transfer based on Standard Contractual Clauses (SCC) and DPA.
Google LLC (Google Fonts)
Purpose: Loading web fonts. Where possible, fonts are hosted locally (self-hosted). On the landing page, the font is loaded from the Google Fonts CDN.
Registered office: USA — when loaded from the CDN, the IP address may be transferred to Google's servers.
The hosting provider (server infrastructure) may also have access to the data, as may public authorities in cases specified by law.
7. Your rights
Under the GDPR, you have the following rights, which you may exercise at any time by e-mail at [email protected]:
Right of access (Art. 15 GDPR)
You have the right to obtain confirmation as to whether we process your personal data and, if so, to access it and receive information about the processing.
Right to rectification (Art. 16 GDPR)
You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (Art. 17 GDPR)
You have the right to request deletion of your personal data if it is no longer needed for the purpose for which it was collected or if you withdraw consent. This right does not apply if processing is necessary to comply with a legal obligation.
Right to restriction of processing (Art. 18 GDPR)
You have the right to request restriction of the processing of your data, for example if you dispute the accuracy of the data or object to processing.
Right to data portability (Art. 20 GDPR)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Art. 21 GDPR)
You have the right to object at any time to the processing of your data based on legitimate interest. In that case, we will stop processing the data unless we demonstrate compelling legitimate grounds.
Right to withdraw consent (Art. 7(3) GDPR)
If you have given consent to processing (for example cookies), you may withdraw it at any time. Withdrawal of consent does not affect the lawfulness of processing before withdrawal.
We will respond to your request without undue delay, no later than within 30 days. In justified cases (complexity, number of requests), this period may be extended by another 2 months, and we will inform you of this.
8. Transfers of data to third countries
Some of our processors (Cloudflare, Google, Postmark, Sentry) are based in the USA. Transfers of personal data to the USA take place on the basis of:
- Standard Contractual Clauses (SCC) approved by the European Commission
- Data Processing Agreements (DPA) with each processor
- EU-U.S. Data Privacy Framework (for processors that are certified)
Transfers of data to third countries outside the EEA take place only under the conditions set out in Chapter V of the GDPR.
9. Data security
We have adopted technical and organizational measures to protect your personal data against unauthorized access, alteration, loss, or destruction:
- All communication takes place over an encrypted connection (HTTPS/TLS)
- Form protection using CSRF tokens and Cloudflare Turnstile CAPTCHA
- Rate limiting (limiting the number of requests) to protect against abuse
- Content Security Policy (CSP) to protect against XSS attacks
- Regular software updates and security audits
- Only authorized persons have access to the data
- Secure password storage using modern hashing algorithms
10. Supervisory authority
If you believe that we process your personal data in violation of the GDPR, you have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7
Phone: +420 234 665 111
E-mail: [email protected]
Website: uoou.gov.cz
Before filing a complaint, please contact us; we will try to resolve your matter directly.
11. Changes to this policy
We may update this Privacy Policy from time to time, for example when processors or legal regulations change. The current version will always be available on this page.
We will inform you about material changes by means of a notice on the website.
12. Data protection contact
As a small company, we are not legally required to appoint a Data Protection Officer (DPO). You can contact us regarding all personal data protection matters at:
We will respond to your questions and requests as soon as possible, no later than 30 days from receipt.