1. Data Controller

The controller of personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as "GDPR") is:

Martin Hipsch, IČO: 74632680, DIČ: CZ8809033112, with registered office at Ke Knížáku 329, 417 22 Háj u Duchcova (hereinafter referred to as the "Controller").

Contact email: info@chaman.cz

The Controller has not appointed a Data Protection Officer (DPO). For matters related to the processing of personal data, you may contact the Controller directly via the email address above.

2. Categories of Personal Data Processed

In the course of providing the Service, we process the following categories of personal data:

Identification data – first name, last name, company name, IČO, DIČ (for business entities).
Contact data – email address, phone number.
Billing and payment data – billing address, payment transaction details.
Login data – email address and cryptographically hashed password.
Service usage data – date and time of login, IP address, account settings, activity logs.
Guest data entered by the User – first name, last name, contact details, stay information, document number (if entered by the User). For this data, the User is the controller and the Operator is the processor.
Technical data – cookies, browser and device information (see Cookie Policy).

3. Purposes and Legal Basis of Processing

We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

Performance of a contract (Article 6(1)(b) GDPR) – provision of the Service, user account management, payment processing and invoicing, technical support.
Compliance with legal obligations (Article 6(1)(c) GDPR) – accounting and tax record-keeping under Act No. 563/1991 Coll., on Accounting, and Act No. 235/2004 Coll., on VAT; archiving of tax documents.
Legitimate interest of the Controller (Article 6(1)(f) GDPR) – ensuring the security of the Service and preventing misuse, analytics and improvement of the Service, sending commercial communications to existing customers pursuant to § 7(3) of Act No. 480/2004 Coll.
Consent (Article 6(1)(a) GDPR) – sending marketing communications to new prospects, storing analytical cookies. Consent may be withdrawn at any time.

4. Personal Data Retention Period

We retain personal data only for the period necessary to fulfill the purpose of processing:

User account data – for the duration of the contractual relationship and 30 days after account deletion.
Billing and accounting documents – for 10 years from the end of the tax period in which the performance took place, in accordance with Act No. 563/1991 Coll., on Accounting.
Access logs and IP addresses – for a maximum of 12 months from recording.
Guest data – for the duration of the User's (controller's) account, followed by 30 days after account deletion.
Marketing consent – until consent is withdrawn.
Cookies – according to the duration specified in the Cookie Policy.

After the retention period expires, personal data is securely deleted or anonymized.

5. Recipients and Processors of Personal Data

Personal data may be disclosed to the following categories of recipients to the extent necessary:

Hosting service provider – servers within the EU/EEA.
Email service provider – for sending system and transactional emails.
Accountant and tax advisor – to the extent necessary for compliance with legal obligations.
Public authorities – where required by law (e.g., tax authority, courts).

We have concluded a data processing agreement with all processors pursuant to Article 28 GDPR. We do not share personal data with third parties for their own marketing purposes.

6. Transfer of Data to Third Countries

Personal data is stored and processed exclusively on servers located in the European Union / European Economic Area (EU/EEA).

If it becomes necessary in the future to transfer personal data outside the EU/EEA, we will ensure appropriate safeguards in accordance with Article 46 GDPR, in particular through standard contractual clauses approved by the European Commission or an adequacy decision pursuant to Article 45 GDPR.

7. Automated Decision-Making and Profiling

In the course of providing the Service, we do not carry out automated individual decision-making or profiling within the meaning of Article 22 GDPR that would produce legal effects or similarly significantly affect you.

8. Your Rights

As a data subject, you have the following rights under the GDPR:

Right of access (Article 15 GDPR) – the right to obtain confirmation as to whether your personal data is being processed, and if so, to access it and obtain information about the processing.
Right to rectification (Article 16 GDPR) – the right to have inaccurate personal data corrected and incomplete data completed.
Right to erasure (Article 17 GDPR) – the right to have personal data erased if the purpose of processing has ceased, consent has been withdrawn, or the data is being processed unlawfully. Erasure cannot be performed if processing is necessary for compliance with a legal obligation.
Right to restriction of processing (Article 18 GDPR) – the right to request restriction of processing, e.g., if the accuracy of the data is contested or the processing is unlawful.
Right to data portability (Article 20 GDPR) – the right to receive personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to object (Article 21 GDPR) – the right to object at any time to processing based on legitimate interest, including direct marketing.
Right to withdraw consent (Article 7(3) GDPR) – if processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal.
Right to lodge a complaint – you have the right to lodge a complaint with the supervisory authority: the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz, email: posta@uoou.cz.

You may exercise your rights by sending an email to info@chaman.cz. We will respond to your request without undue delay, no later than within 30 days.

9. Processing of Guest Data

Within the Service, the User (as the controller of personal data) enters personal data of their Guests into the system. The ChaMan Operator acts as a processor with respect to this data pursuant to Article 28 GDPR.

The conditions for processing Guests' personal data are governed by the Data Processing Agreement (DPA), which is available upon request at info@chaman.cz.

The User is obligated to ensure that they have an appropriate legal basis for processing Guests' personal data (in particular, performance of an accommodation contract, compliance with a legal obligation under the Act on the Residence of Foreign Nationals, or consent), and that they provide Guests with information about the processing of their data in accordance with Article 13 GDPR.

10. Personal Data Security

We have implemented appropriate technical and organizational measures to ensure the security of personal data pursuant to Article 32 GDPR, in particular:

Encrypted data transmission via the HTTPS/TLS protocol.
Cryptographic hashing of passwords (passwords are not stored in readable form).
Regular data backups.
Restriction of access to personal data to authorized persons only.
Regular security updates of the application and server infrastructure.

11. Cookies

When visiting our website, we use cookies. Detailed information about the cookies used, their purpose, storage duration, and management options can be found in the Cookie Policy at www.chaman.cz/cookies.

12. Changes to the Privacy Policy

We may update this policy from time to time, in particular due to changes in legal regulations or changes in the way we process personal data. We will inform Users of material changes by email. The current version is always available on the website at www.chaman.cz/soukromi.

13. Contact

If you have any questions, requests, or suggestions regarding the processing of personal data, please contact us:

Email: info@chaman.cz

Supervisory authority: Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz.