Privacy Policy

Páruje.me (paruje.me) is committed to protecting your personal data. This Privacy Policy explains what information we collect, the legal basis for processing it, how we use it, who we share it with, how long we keep it, and your rights under the General Data Protection Regulation (EU) 2016/679 (GDPR) and Czech zákon č. 110/2019 Sb. on personal-data processing.

1. Data We Collect

We collect your Google account identity (name, email address, profile picture) when you sign in via Google OAuth. We also record tournament participation data (player nicknames, round pairings, game results). Organisers who pay for platform services additionally have a billing profile (name, address, optional IČO/DIČ) and Stripe payment records associated with their account.

2. Legal Basis for Processing

Personal data is processed under Article 6(1) of the General Data Protection Regulation (EU) 2016/679. (b) Performance of contract: account creation and authentication, booking management, payment processing. (c) Legal obligation: VAT invoicing (Czech Act 235/2004 Sb.), accounting record retention (Czech Act 563/1991 Sb. [primary source FETCH_FAILED at audit time — counsel to confirm § precedence]). (f) Legitimate interests: platform security and operation (audit logs, fraud detection, access control). We do not rely on consent (Article 6(1)(a) GDPR) as the legal basis for any platform-essential processing. Marketing communications, if introduced in the future, would require separate opt-in consent.

3. Data Retention

Account data is retained for as long as your account is active. If you request deletion or close your account, the account record and associated personal data are removed within 30 days, with the following exceptions for legal-obligation retention: (1) VAT tax invoices are retained for 10 years per §35a of the VAT Act 235/2004 Sb. (the longest applicable period among Czech Accounting Act 563/1991 Sb. §31 and §35 [primary source FETCH_FAILED at audit time — counsel to confirm § precedence and exact period]). (2) Audit logs (booking-creation, payment, refund events) are retained for 3 years per fraud-prevention legitimate interest under GDPR Article 6(1)(f). Tournament data (pairings, results) is retained as long as the organising account exists; on account closure, the organiser may export their data under the right to portability (see Your Rights below).

4. Your Rights

Under GDPR Articles 15–22 you have the right to: (a) access a copy of your personal data; (b) correct inaccurate or incomplete data; (c) request erasure under Article 17 (subject to legal-obligation retention noted in Data Retention above); (d) restrict processing in certain circumstances; (e) data portability — request a machine-readable copy of data you provided (Article 20); (f) object to processing based on legitimate interests (Article 21). To exercise any right, email podpora@paruje.me. We will acknowledge within 5 working days and respond within 30 days (one month per Article 12(3) GDPR), or notify you of an extension. Data-portability requests are fulfilled by exporting your tournament data and account record in JSON format, delivered by encrypted email or shared link within the same 30-day window. You also have the right to lodge a complaint with the Czech supervisory authority, Úřad pro ochranu osobních údajů (ÚOOÚ), at uoou.gov.cz or by post at Pplk. Sochora 27, 170 00 Praha 7.

5. Cookies and Local Storage

Páruje.me uses the minimum cookies necessary for platform operation: (1) auth_token — an HTTP-only JWT session cookie set on sign-in via Google OAuth; secure and SameSite=Lax; expires after 24 hours; cannot be read by JavaScript. (2) NEXT_LOCALE — a preference cookie storing your language choice (en / cs); secure; expires after 1 year; contains no personal data beyond the locale code. We do not use third-party analytics cookies, advertising cookies, or tracking pixels. We do not display cookie consent banners because all cookies used are strictly necessary for service operation under ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC) and do not require prior consent. Browser localStorage is used for the returnTo path during OAuth redirect and an onboarding-tour completion flag — both non-personal and remain in your browser only.

6. Data Processors

To operate the platform we share data with the following sub-processors under data processing agreements: (a) Stripe, Inc. (United States) — payment processing; receives billing name, postal address, email, and payment-method tokens (full card data is processed by Stripe and never reaches our servers). See stripe.com/privacy. (b) Resend, Inc. (United States) — transactional email delivery (booking confirmations, refund notifications, account notices); receives email address and message content. See resend.com/legal/privacy-policy. (c) Google LLC (United States / Ireland) — OAuth identity provider; receives Google account email and profile. After your consent at sign-in, we receive name, email, and profile picture from Google. See policies.google.com/privacy. Google's Mapy.com (Czech Republic) is used for address autocomplete in the booking flow; only the partial address text you type is sent to the autocomplete service. (d) Packeta Group s.r.o. (Česká republika) — shipping for equipment rentals; receives recipient name, postal address, phone number, and booking reference. See packeta.com/gdpr.

7. International Data Transfers

Stripe, Resend, and Google operate from servers in the United States and other countries outside the European Economic Area (EEA). Transfers to these processors are governed by: (a) Standard Contractual Clauses (Article 46(2)(c) GDPR — 2021 European Commission SCC modules) included in each sub-processor's data processing agreement; (b) where applicable, the EU-US Data Privacy Framework adequacy decision (Article 45 GDPR — Commission Implementing Decision (EU) 2023/1795) for processors certified under the framework. Mapy.com (Google partner, Česká republika) and Packeta (Česká republika) operate within the EEA and require no Article 46 safeguards. Copies of the SCCs in force with each processor are available on request to podpora@paruje.me.

8. Contact

Data controller: Mgr. Michal Krajňanský (sole proprietor / fyzická osoba podnikatel), trading as Páruje.me. Registered address: U Náhonu 128, 760 01 Zlín, Česká republika. IČO: 03011429. DIČ: CZ8806094550. Contact for data-subject requests and privacy questions: podpora@paruje.me, +420 732 448 742. No Data Protection Officer (DPO) is designated; the platform's processing activities do not trigger the mandatory DPO appointment criteria under GDPR Article 37 (no large-scale public-authority processing, no systematic monitoring at scale, no large-scale special-category data). The data controller handles data-subject requests personally.