Legal
Privacy Policy
Last updated: 17 Jul 2026
This policy explains what personal data we process in connection with the Cvikio service, for what purpose, for how long, and what rights you have.
01Controller and contact
We provide this information in accordance with Articles 13 and 14 of Regulation (EU) 2016/679 (GDPR).
The controller of service users' personal data is Daniel Hladík, Company ID 22493778, email info@cvikio.cz (the “Provider”). For data protection matters, contact us at that email.
02Dual role – controller and processor
For the personal data of Users (members of the Organization's team), the Provider is the controller.
For the personal data of Clients uploaded to the service by the Organization, the Organization is the controller and the Provider is the processor under Article 28 of the GDPR, processing the data on the Organization's instructions and under a processing agreement.
03Categories of data processed
User data: identification and contact details (name, email, possibly phone) and login credentials; passwords are stored only as a cryptographic hash.
Operational data: records of access and activity in the service, technical data and cookies.
Client data uploaded by the Organization: typically name, contact and labels. The public client program is anonymous – it opens via a code, without a name and without logging in.
04Special categories of data
Exercise programs may relate to a Client's health (indications). This is a special category of data under Article 9 of the GDPR, for which the Organization is the controller and is responsible for an appropriate legal basis, typically the provision of healthcare under Article 9(2)(h) of the GDPR.
The Provider processes such data solely as a processor on the Organization's instructions.
05Purposes and legal bases
Providing the service and performing the contract under Article 6(1)(b) GDPR: setting up and managing the account, providing features and communication.
Legitimate interest under Article 6(1)(f) GDPR: securing the service, preventing misuse, operational records and improving the service.
Compliance with legal obligations under Article 6(1)(c) GDPR: in particular accounting and tax obligations.
Consent under Article 6(1)(a) GDPR where required, for example for non-essential cookies or sending commercial communications; consent can be withdrawn at any time.
06Cookies
We use essential (technical) cookies without consent under Section 89(3) of Act No. 127/2005 Coll., on electronic communications; they are needed for the service to work, for example for login and preferences.
We currently do not use analytics or marketing cookies. If we introduce them, we will ask for your consent first.
07Recipients and processors
Our processors that operate the service may access data to the necessary extent, in particular hosting and database providers (Vercel, Supabase) and email and SMS gateway providers. We have processing agreements with these processors under Article 28 GDPR.
We do not share personal data with third parties for their own marketing.
08Transfers to third countries
Some processors may process data outside the European Economic Area, for example in the USA. In that case the transfer is safeguarded under Article 46 GDPR (standard contractual clauses) or based on an adequacy decision (e.g. the EU‑US Data Privacy Framework).
09Retention
We keep personal data for the term of the contract and account. After it ends, we delete it within a reasonable period, except for data we must keep longer under law (e.g. accounting and tax documents for up to 10 years).
Client data uploaded by the Organization is kept according to the Organization's instructions.
10Security
We have adopted appropriate technical and organizational measures under Article 32 GDPR: separation of each Organization's data at the database level, encryption of sensitive data, storing passwords only as a hash, role-based access control and encrypted transport (TLS).
11Your rights
You have the right to access, rectify or erase your data, to restrict processing, to data portability, to object to processing based on legitimate interest, and to withdraw consent at any time.
Exercise your rights at info@cvikio.cz; we will usually handle them within one month. For Client data, contact the relevant Organization as the controller.
12Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority, the Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz.
13Automated decision-making
We do not carry out automated decision-making or profiling with legal or similarly significant effects on data subjects.
14Changes to this policy
We may update this policy. The current version is always available on this page with the date of the last update.