Privacy Policy
This Privacy Policy explains how BerrySoft.cz ("we", "us") processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) and applicable Czech law. We currently operate a minimal‑data service with no analytics or marketing tracking.
1. Controller
Ondřej Pavlíček
Za Kovárnou 238, 250 73 Podolanka, Czech Republic
Email: info@berrysoft.cz
No Data Protection Officer is required (Art. 37 GDPR conditions not met). Point of contact for privacy matters: the Controller.
2. Categories of Personal Data
| Category | Elements | Purpose | Legal Basis | Retention |
|---|---|---|---|---|
| Account | Email, password hash, verification flag, user ID | Registration, authentication, account management | Art. 6(1)(b) | Life of account + up to 30 days after closure (backup cycles) |
| Security & Logs | Login attempts (IP, timestamp, success flag), session ID, reset tokens (ephemeral), verification tokens | Abuse prevention, rate limiting, integrity, incident response | Art. 6(1)(f); Art. 6(1)(c) where legal obligations apply | Ephemeral tokens: <=60 min; login attempts: pruned periodically (current policy: <=90 days) |
| Preferences | Language choice (cookie/local storage), cookie consent record | User experience customization, consent demonstration | Art. 6(1)(f) (UX); Art. 6(1)(c)/(f) (compliance record) | Until changed or deleted (consent key versioned) |
| Communications | Support / security messages, contact email metadata | Responding to requests, vulnerability coordination | Art. 6(1)(b) (support), Art. 6(1)(f) (security interest) | Active ticket lifecycle + limited archive (<=24 months) unless legal hold |
We do NOT collect: analytics identifiers, marketing profiles, precise geolocation, behavioural advertising identifiers, or special category data (Art. 9). We do not perform automated decision-making or profiling producing legal effects (Art. 22).
3. Purposes & Legal Bases (Summary)
- Provide and maintain accounts – Art. 6(1)(b).
- Secure the service (rate limiting, fraud/abuse prevention) – Art. 6(1)(f) legitimate interest (security & reliability).
- Comply with legal duties (e.g., responding to lawful requests) – Art. 6(1)(c).
- Demonstrate consent & preferences – Art. 6(1)(c)/(f).
- Communicate with you (support, security disclosure) – Art. 6(1)(b)/(f).
4. Legitimate Interests Assessment
Security logging (IP, attempt count) is necessary to mitigate brute force attacks and service abuse. Impact on individuals is low (minimal data, limited retention) and proportionate to the security aim, so legitimate interest is not overridden by data subject rights.
5. Retention Policy
We implement data minimization: only required fields; ephemeral tokens expire automatically. After account deletion, residual data may remain briefly in backups (encrypted, segregated) until overwritten by rotation cycles.
6. Data Sources
Data is provided directly by you (registration, support messages) or generated by system security processes (login attempts, session identifiers). We do not purchase or enrich with third‑party datasets.
7. Recipients & Processors
At present we do not share data with external analytics, advertising, or social platforms. If infrastructure or email delivery vendors are engaged, they will act as processors under Art. 28 GDPR with appropriate contractual safeguards. Any such processors will be listed here with purpose and location before activation.
8. International Transfers
Data hosting is currently within the EU/EEA. No third‑country transfers occur. If future transfers arise, we will apply GDPR Chapter V safeguards (e.g., Standard Contractual Clauses) and update this section prior to transfer.
9. Cookies & Local Storage
Only strictly necessary cookies/local storage items are used (session, language, consent). No analytics/marketing cookies. See the Cookie Notice for details and your options.
10. Security Measures
Technical/organizational measures include: TLS encryption; security headers (CSP, HSTS, X‑Frame‑Options, Referrer‑Policy, Permissions‑Policy); password hashing (password_hash/bcrypt); session regeneration; rate limiting; tokenized password resets; principle of least privilege; periodic log pruning.
11. Your Rights
- Access (Art. 15) – Confirm processing and obtain a copy.
- Rectification (Art. 16) – Correct inaccurate data.
- Erasure (Art. 17) – Request deletion (subject to legal obligations).
- Restriction (Art. 18) – Temporarily limit processing.
- Portability (Art. 20) – Obtain data in a structured, commonly used format.
- Object (Art. 21) – Object to processing based on legitimate interests.
- Withdraw Consent – Not currently applicable (no optional consent processing), but future optional categories will allow withdrawal without affecting prior lawful processing.
- Complaint – With the Czech Data Protection Authority (ÚOOÚ) or your local EU supervisory authority.
To exercise rights email info@berrysoft.cz. We may request additional information to verify identity.
12. Children’s Data
Services are not directed to children under 16. We do not knowingly collect their data. If you believe a child has provided data, contact us for prompt deletion.
13. Automated Decision-Making
No automated decision-making or profiling producing legal or similarly significant effects (Art. 22) is performed.
14. Changes to this Policy
Updates will be posted here with a new “Last updated” date. Material changes (e.g., adding analytics processors) may trigger prominent notice or renewed consent where required.