Privacy Policy

1. Data Controller

Santiago Studio ("we," "us," or "our"), with registered office at [Address, Prague, Czech Republic], IČO: [XXXXXXXX], is the data controller responsible for your personal data processed through this website.

Contact: pravilo.praha@gmail.com

2. Data We Collect

We collect the following categories of personal data:

Account data: name, email address, and profile picture provided by your login provider (Google, Facebook, or Telegram).
Booking data: selected events, preferred time slots, booking status, and any notes you provide.
Contact form data: name, email address, phone number, and message content.
Technical data: IP address, browser type, device identifiers, and anonymised usage data (analytics cookies — with consent only).
Preference data: your language setting and cookie consent choices.

3. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Art. 6):

Performance of a contract (Art. 6(1)(b)) — to manage your account and process bookings.
Legitimate interests (Art. 6(1)(f)) — to maintain website security, prevent fraud, and ensure technical operation of our services.
Consent (Art. 6(1)(a)) — to load analytics and marketing cookies. You may withdraw consent at any time via the "Cookie Preferences" link in the footer.
Legal obligation (Art. 6(1)(c)) — where required by Czech or EU law (e.g. accounting records).

4. How We Use Your Data

To create and manage your user account
To process, confirm, and manage event bookings
To send transactional emails (booking confirmations and reminders)
To respond to enquiries submitted via our contact form
To analyse website usage and improve our services (with consent)
To measure the effectiveness of our marketing (with consent)

5. Data Retention

Account and booking data: retained until you delete your account, or for 3 years from the last booking date for accounting and contractual purposes.
Contact form messages: deleted after 12 months.
Session tokens: expire after 30 days of inactivity.
Analytics data: retained per the provider's default settings (Google Analytics 4: 14 months).

6. Third-Party Processors

We work with the following data processors who may access your personal data solely to provide their services:

Cloudflare, Inc. (USA) — website hosting, CDN, and DDoS protection. Standard Contractual Clauses (SCCs) apply.
Sanity AS (Norway / EU) — headless content management system. GDPR-compliant; data stored in EU.
Resend, Inc. (USA) — transactional email delivery. SCCs apply.
Google LLC (USA) — authentication (OAuth) and analytics (GA4, with consent). SCCs apply.
Meta Platforms Ireland Ltd. (EU / USA) — authentication (Facebook OAuth) and marketing pixel (with consent).
Telegram Messenger Inc. — optional Telegram Login Widget.
cal.com, Inc. (USA) — session booking widget. SCCs apply.

We do not sell your personal data to any third party.

7. International Data Transfers

Several processors listed above are based outside the European Economic Area (EEA), primarily in the United States. All such transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c), or equivalent safeguards, ensuring your data receives the same level of protection as within the EEA.

8. Your Rights

Under the GDPR, you have the following rights in relation to your personal data:

Access (Art. 15): obtain a copy of all personal data we hold about you.
Rectification (Art. 16): request correction of inaccurate or incomplete data.
Erasure (Art. 17): request deletion of your data ("right to be forgotten").
Restriction of processing (Art. 18): ask us to limit how we process your data in certain circumstances.
Data portability (Art. 20): receive your data in a structured, machine-readable format.
Object to processing (Art. 21): object to processing based on legitimate interests.
Withdraw consent (Art. 7(3)): withdraw any previously given consent at any time; this does not affect prior lawful processing.

You can exercise most rights directly from your account dashboard. For any other request, email us at pravilo.praha@gmail.com. We will respond within 30 days as required by GDPR Art. 12.

9. Supervisory Authority

You have the right to lodge a complaint with the Czech data protection supervisory authority:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
www.uoou.cz

10. Cookies

We use three categories of cookies:

Necessary: required for core site functions (session, language, consent state). Always active; no consent required.
Analytics (Google Analytics 4): anonymised statistics that help us understand how visitors use our site. Active only after you accept analytics cookies.
Marketing (Meta Pixel): measures the performance of our advertising. Active only after you accept marketing cookies.

You can update your preferences at any time via the "Cookie Preferences" link in the footer.

11. Security

We implement appropriate technical and organisational measures to protect your personal data, including HTTPS encryption in transit, HTTP-only secure session cookies, and restricted access controls on our infrastructure. In the event of a personal data breach, we will notify the ÚOOÚ and affected users as required by GDPR Art. 33–34.

12. Children

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. We will notify registered users of material changes by email at least 30 days before they take effect.

14. Contact

For any questions or data subject requests regarding this Privacy Policy, please contact us:

Santiago Studio
[Address], Prague, Czech Republic
pravilo.praha@gmail.com