Privacy Policy

1. Data controller

The data controller pursuant to Regulation (EU) 2016/679 (GDPR) is Petr Pacas, self-employed individual (OSVČ), Business ID 04676718, registered office at Mezníkova 394/14, Nové Dvory, 674 01 Třebíč, Czech Republic, contact email info@spiritevents.cz (the „Controller“ or „Operator“).

To exercise any data subject rights, please contact the email address above.

2. What data we process

2.1 Data of registered users

• email address, name (optional)
• sign-in records (time, IP address, session identifier) for security purposes
• language preference, last active organization

2.2 Data of organizers (organizations)

• organization name, contact email, optional billing details
• content and metadata of published events (text, images, dates, venues, links)

2.3 Operational data

• server and application logs for security and error handling
• audit records of sensitive administrative actions (e.g. organization identity change)

SpiritEvents.cz does not currently sell tickets or process payments; the Controller therefore does not process payment information or buyer identification data. Should native ticketing be launched in the future, this Policy will be updated in advance.

3. Purposes and legal bases

• Performance of a contract (Art. 6(1)(b) GDPR) – operation of the user account, organization management, technical support.
• Legal obligations (Art. 6(1)(c) GDPR) – accounting and personal data protection law obligations.
• Legitimate interest (Art. 6(1)(f) GDPR) – security of the Service, abuse prevention, audit trail, dispute resolution.

4. Retention

• account data – for the duration of the account and 3 years after deletion (dispute resolution)
• organizer event content – for the duration of the organization; archiving of past events for profile purposes
• audit records – 3 years
• technical logs – maximum 90 days

5. Recipients and processors

To technically operate the Service we use the following processors, with whom we have concluded data processing agreements where required by the GDPR:

• Resend (Resend, Inc.) – sending transactional emails (sign-in, invitations).
• Vercel Inc. – application hosting.
• Neon Inc. – database hosting in an EU region.
• Cloudflare, Inc. – R2 object storage for uploaded images and files.

Some processors may be established outside the EU/EEA. In such cases, transfers are secured by appropriate safeguards under Art. 46 GDPR (typically standard contractual clauses).

6. Your rights

As a data subject you have the right:

• to access your personal data (Art. 15 GDPR)
• to rectify inaccurate data (Art. 16)
• to erasure („right to be forgotten“) where statutory conditions are met (Art. 17)
• to restrict processing (Art. 18)
• to data portability (Art. 20)
• to object to processing based on legitimate interest (Art. 21)
• to lodge a complaint with the supervisory authority – Office for Personal Data Protection (www.uoou.cz)

To exercise your rights, contact the Controller at info@spiritevents.cz. Requests will be handled without undue delay, within 30 days at the latest.

7. Cookies and local state

The Service uses only necessary (functional) cookies, which do not require consent:

• better-auth.session_token – user sign-in (httpOnly, session duration)
• NEXT_LOCALE – stored language preference
• se_last_active_org_id – last active organization for smooth return to admin (httpOnly, 1 year)

The Service does not use analytics or marketing cookies and does not track users via third parties. If this changes in the future, we will publish a cookie banner and update this Policy.

8. Security

We adopt reasonable technical and organizational measures to protect personal data – in particular encrypted transport (HTTPS), database-level role separation, audit of sensitive actions, and minimization of access permissions.

9. Changes to this Policy

This Policy may be updated from time to time. The current version is always published in the Service with its effective date and version. We will notify affected users of material changes by email.