1. Data Controller

The data controller (hereinafter "Controller") is:

  • Name: Petr Stádník
  • Business ID (IČO): 09454993
  • Place of business: Betlémské náměstí 1004/8, 110 00, Praha 1 - Staré Město, Česká republika
  • E-mail: info@doucko.org

The Controller has not appointed a Data Protection Officer (DPO) as this obligation does not arise under Art. 37 GDPR. For data protection enquiries, please contact info@doucko.org.

2. Personal Data Collected

  • Identity data: first name, surname, date of birth.
  • Contact data: email address, phone number, address.
  • Profile data: photo, description, subjects and prices (tutors), availability.
  • Booking data: time, subject, ratings and reviews.
  • Billing data (not payment card numbers — those are handled by Stripe).
  • Technical data: IP address, session cookie, CSRF token to the extent necessary for operating the Service.
  • ISIC card data, if voluntarily provided by the user.

The Controller does not process special categories of personal data (sensitive data) as defined in Art. 9 GDPR.

3. Purpose and Legal Basis for Processing

a) Performance of contract (Art. 6(1)(b) GDPR): account registration and management, facilitating bookings, subscription and payment management.

b) Legal obligation (Art. 6(1)(c) GDPR): maintaining accounting records and tax documents pursuant to Act No. 563/1991 Coll. for 5 years from the date of the document.

c) Legitimate interests (Art. 6(1)(f) GDPR): securing the Service and preventing misuse, resolving disputes. Users have the right to object to processing on this basis.

d) Consent (Art. 6(1)(a) GDPR): marketing communications and other processing where consent is required. Consent may be withdrawn at any time at info@doucko.org without affecting the lawfulness of prior processing.

4. Retention Periods

  • For the duration of the contractual relationship (active account).
  • Accounting and tax records: 5 years pursuant to Act No. 563/1991 Coll. (or longer where required by specific legislation).
  • Data needed to resolve disputes: for the duration of the limitation period (generally 3 years, max. 10 years).
  • Upon account deletion, data will be anonymised or deleted, except data whose retention is legally required.

5. Your Rights

  • Right of access (Art. 15): the right to obtain a copy of your processed data.
  • Right to rectification (Art. 16): the right to have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17): the right to request deletion of data no longer necessary.
  • Right to restriction (Art. 18): the right to request restriction of processing in cases provided by law.
  • Right to data portability (Art. 20): the right to receive your data in a machine-readable format.
  • Right to object (Art. 21): the right to object to processing based on legitimate interests.
  • Right to withdraw consent: consent may be withdrawn at any time without affecting prior processing.

Exercise your rights by emailing info@doucko.org. We will respond within 30 days (extendable by 2 months in complex cases).

You also have the right to lodge a complaint with a supervisory authority: Office for Personal Data Protection (ÚOOU), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz — or with the supervisory authority in your country of habitual residence (for users in other EU Member States).

6. Cookies and Similar Technologies

The Platform uses only technically necessary cookies:

  • Session cookie: maintains the user's login session during the visit.
  • CSRF token: protects forms against Cross-Site Request Forgery attacks.

These cookies do not require consent under Art. 5(3) of Directive 2002/58/EC (ePrivacy) as they are technically necessary for the operation of the Service. We do not use marketing or analytical cookies without your consent.

You may manage cookies in your browser settings. Blocking necessary cookies may cause login and other Platform functions to stop working.

7. Recipients and International Transfers

  • Hosting and infrastructure: web hosting provider (processor under Art. 28 GDPR).
  • Email services: transactional email provider (processor under Art. 28 GDPR).
  • Stripe payment gateway: Stripe, Inc., USA — transfers to the USA are safeguarded by standard contractual clauses pursuant to Art. 46(2)(c) GDPR.
  • Public authorities and courts: where required by law.

The Controller has entered into a data processing agreement with each processor pursuant to Art. 28 GDPR.

8. Data Security

The Controller protects personal data with technical and organisational measures: encryption in transit (HTTPS/TLS), access controls and regular security testing.

In the event of a security incident that may endanger the rights of users, the Controller will notify the ÚOOU without undue delay (within 72 hours) and will inform affected users in accordance with Arts. 33 and 34 GDPR.

9. Automated Decision-Making and Profiling

The Controller does not carry out automated decision-making or profiling that would have legal or similarly significant effects on users within the meaning of Art. 22 GDPR.

10. Changes to This Policy

This Privacy Policy may be updated. Users will be notified of material changes by email or in-Platform notification before they take effect.

📧 Questions: info@doucko.org