Privacy Policy

1. Who is the controller

The data controller is:

• Radovan Pelka, Company ID (IČO) 08951012, VAT ID CZ9704084500
• registered office: Podhoří 172/102, 664 34 Kuřim, Česká republika
• a sole trader registered in the Czech Trade Register
• data protection contact e-mail: [email protected]

We have not appointed a Data Protection Officer, as we are not legally required to. For all data protection matters, contact us at the e-mail above.

2. What data we process

Data you provide to us

• Identification and contact data: name, e-mail, phone, company name, company ID and VAT ID.
• Billing data: address, details needed to issue a tax document, payment history.
• Content you create in the platform: products, orders, customers, invoices and other data of your eshop.

Data generated by using the service

• Technical data: IP address, browser and device type, date and time of access.
• Operational logs and feature-usage data, to keep the service running and secure.
• Cookies and similar technologies (see the Cookies section).

3. Purposes and legal bases

We process personal data only for specific purposes and always on one of the legal bases under the GDPR:

• Providing the service and performing the contract (Art. 6(1)(b) GDPR): account management, eshop operation, payment and subscription processing.
• Compliance with legal obligations (Art. 6(1)(c) GDPR): accounting, taxes, archiving of documents.
• Legitimate interest (Art. 6(1)(f) GDPR): security and stability of the service, abuse prevention, handling enquiries and basic product development.
• Consent (Art. 6(1)(a) GDPR): sending commercial messages and optional (analytics) cookies. You can withdraw consent at any time.

4. How long we keep data

• Account data and eshop content: for the duration of the contract and afterwards for as long as necessary to settle mutual claims.
• Billing and accounting documents: for the period required by law (typically 10 years).
• Data processed on the basis of consent: until consent is withdrawn.
• Operational logs: for a limited period necessary for security and diagnostics.

After these periods we erase or anonymise the data.

5. Recipients and sub-processors

We do not sell personal data. We share it only with vetted providers that help us run the service, to the extent necessary for the given purpose and under data processing agreements. The main sub-processors are:

• Hetzner Online GmbH (Germany) – server operation and application hosting.
• Cloudflare, Inc. (EU infrastructure) – CDN, file and image storage, attack protection.
• Google Ireland Ltd. / Firebase – user sign-in and authentication.
• Stripe, GoPay, ComGate, PayPal – payment and subscription processing.
• Resend, Mailgun – sending of transactional and system e-mails.
• Anthropic, OpenAI – AI features of the platform (the assistant Tomáš).
• Carriers (Zásilkovna/Packeta, PPL, DPD, GLS) – order delivery, where you use them.
• Price-comparison sites (Heureka, Zboží.cz) – product feed export, where you enable it.

We are happy to provide an up-to-date list of sub-processors on request at the e-mail above.

6. Transfers outside the EU

Some providers (for example payment gateways or AI providers) may process data outside the European Economic Area. In that case we ensure appropriate safeguards under the GDPR, in particular the European Commission's standard contractual clauses or the EU-US Data Privacy Framework.

7. Behio as a processor for eshop operators

If you run your own eshop on the Behio platform, you are the controller of your customers' personal data. In this role Behio is a processor and processes your end customers' personal data only on your instructions and for the purpose of providing the service.

• We process it only to the extent necessary to run your eshop.
• We use the same sub-processors listed above and bind them to the same level of protection.
• On termination we erase or return the data at your request, unless a legal obligation prevents it.

This section serves as a data processing agreement (DPA). If you need a separate signed DPA, contact us.

8. Cookies

The website and app use cookies. Necessary cookies are required for the service to work (sign-in, security) and we use them on the basis of legitimate interest. Optional (analytics) cookies are used only with your consent, and you can change your settings at any time.

9. Your rights

Regarding your personal data, you have the following rights under the GDPR:

• Right of access to your data and to a copy of it.
• Right to rectification of inaccurate and completion of incomplete data.
• Right to erasure (right to be forgotten), where the data is no longer needed.
• Right to restriction of processing.
• Right to data portability.
• Right to object to processing based on legitimate interest.
• Right to withdraw consent at any time, where processing is based on consent.
• Right to lodge a complaint with a supervisory authority.

To exercise your rights, contact us at [email protected]. We will handle them without undue delay, at the latest within one month.

10. Security

We protect data with appropriate technical and organisational measures. Communication is encrypted over HTTPS, access is controlled, and sensitive data (such as access keys to integrations) is stored encrypted.

11. Changes to this policy

We may update this policy, for example when features or legislation change. The current version is always available on this page with the effective date shown. We will inform you appropriately of any material changes.

12. Contact and supervisory authority

For any data protection question, contact us at [email protected].

You also have the right to lodge a complaint with the supervisory authority: the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.