Privacy Policy
- Effective date:
- 2026-07-07
- Version:
- 1.0
1. Data controller
The data controller pursuant to Regulation (EU) 2016/679 (GDPR) is Petr Pacas, self-employed individual (OSVČ), Business ID 04676718, registered office at Mezníkova 394/14, Nové Dvory, 674 01 Třebíč, Czech Republic, contact email info@spiritevents.cz (the „Controller“ or „Operator“).
To exercise any data subject rights, please contact the email address above.
2. What data we process
2.1 Data of registered users
- email address, name (optional)
- sign-in records (time, IP address, session identifier) for security purposes
- language preference, last active organization
2.2 Data of organizers (organizations)
- organization name, contact email, optional billing details
- content and metadata of published events (text, images, dates, venues, links)
2.3 Data of ticket buyers
- email address for ticket delivery and order communications
- name on the ticket (where the Organizer requires named tickets)
- order identifier, time of order, details of purchased tickets
- language preference for order communication
The Operator does not receive or store card payment data (card number, CVV, expiry) — such data is processed solely by a PCI-DSS-certified payment gateway provider. The Operator receives only the transaction identifier, payment status, and a masked preview of the card (e.g. card type and last four digits) from the gateway for the purpose of identifying the payment and processing refunds.
2.4 Operational data
- server and application logs for security and error handling
- audit records of sensitive administrative actions (e.g. organization identity change)
3. Purposes and legal bases
- Performance of a contract (Art. 6(1)(b) GDPR) – operation of the user account, organization management, technical support.
- Legal obligations (Art. 6(1)(c) GDPR) – accounting and personal data protection law obligations.
- Legitimate interest (Art. 6(1)(f) GDPR) – security of the Service, abuse prevention, audit trail, dispute resolution.
4. Retention
- account data – for the duration of the account and 3 years after deletion (dispute resolution)
- organizer event content – for the duration of the organization; archiving of past events for profile purposes
- order and ticket data – for the period necessary for performance of the contract and 5 years after the end of the accounting period under section 31 of Act No. 563/1991 Coll. on accounting; tax documents 10 years under the VAT Act
- audit records – 3 years
- technical logs – maximum 90 days
5. Recipients and processors
To technically operate the Service we use the following processors, with whom we have concluded data processing agreements where required by the GDPR:
- Resend (Resend, Inc., based in the USA) – sending transactional emails (sign-in, invitations). Transfers outside the EU are secured by standard contractual clauses under Art. 46 GDPR.
- Vercel Inc. (based in the USA, application hosting in the Frankfurt (EU) region) – application operation, anonymized traffic and performance telemetry (Web Analytics, Speed Insights). These tools do not use cookies or persistent identifiers and do not require consent under Art. 5(3) of the ePrivacy Directive. Data is processed in the EU; any necessary support-related transfers outside the EU are governed by standard contractual clauses under Art. 46 GDPR.
- Neon Inc. (based in the USA, database hosting in an EU region) – database. Data is stored and processed in the EU; any necessary support-related transfers outside the EU are governed by standard contractual clauses under Art. 46 GDPR.
- Cloudflare, Inc. (based in the USA, R2 object storage in an EU region) – uploaded images and files. Data is stored in the EU; any necessary support-related transfers outside the EU are governed by standard contractual clauses under Art. 46 GDPR.
- Functional Software, Inc. (Sentry) (based in the USA) – application error and performance monitoring. Processes technical data (stack trace, IP address, browser version, request URL) on the basis of the Operator’s legitimate interest in service reliability under Art. 6(1)(f) GDPR. Transfers outside the EU are secured by standard contractual clauses under Art. 46 GDPR. The Operator does not use Session Replay or any other tools that would require prior consent under Art. 5(3) of the ePrivacy Directive.
- Payment gateway provider (EU/CZ, PCI-DSS certified) – processing of payment transactions, payment identification and refunds. The Operator receives only transaction metadata, not card data.
- The event Organizer (CZ/EU) – as an additional independent controller to the extent necessary for providing the event to the Visitor (name, email, order identifier for entry verification and event-related communication).
6. Your rights
As a data subject you have the right:
- to access your personal data (Art. 15 GDPR)
- to rectify inaccurate data (Art. 16)
- to erasure („right to be forgotten“) where statutory conditions are met (Art. 17)
- to restrict processing (Art. 18)
- to data portability (Art. 20)
- to object to processing based on legitimate interest (Art. 21)
- to lodge a complaint with the supervisory authority – Office for Personal Data Protection (www.uoou.cz)
To exercise your rights, contact the Controller at info@spiritevents.cz. Requests will be handled without undue delay, within 30 days at the latest.
The Controller does not perform automated decision-making or profiling within the meaning of Art. 22 GDPR that would produce legal effects on the Visitor or similarly significantly affect them.
The Controller has not appointed a Data Protection Officer (DPO). The criteria for mandatory appointment under Art. 37(1) GDPR (public authority; core activities consisting of large-scale regular and systematic monitoring of data subjects; or large-scale processing of special categories of data) do not apply to the Controller.
7. Cookies and local state
The Service uses only necessary (functional) cookies, which do not require consent:
- better-auth.session_token – user sign-in (httpOnly, session duration)
- NEXT_LOCALE – stored language preference
- se_last_active_org_id – last active organization for smooth return to admin (httpOnly, 1 year)
The Service does not use analytics or marketing cookies and does not track users via third parties. If this changes in the future, we will publish a cookie banner and update this Policy.
8. Security and incident notification
We adopt reasonable technical and organizational measures to protect personal data – in particular encrypted transport (HTTPS), database-level role separation, audit of sensitive actions, and minimization of access permissions.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of affected data subjects, the Controller will notify the Office for Personal Data Protection without undue delay, and where feasible no later than 72 hours after becoming aware of the breach (Art. 33 GDPR). Where the breach is likely to result in a high risk to the rights and freedoms of affected data subjects, the Controller will also notify them without undue delay (Art. 34 GDPR).
9. Changes to this Policy
This Policy may be updated from time to time. The current version is always published in the Service with its effective date and version. We will notify affected users of material changes by email.