Privacy Policy

Personal Data Protection Policy (GDPR)

(Operator: exid s.r.o., Company ID 082 71 275, Ovocný trh 572/11, 110 00 Prague 1, email: necas@exid.zone)

1. Data Controller

exid s.r.o.
Company ID: 082 71 275
Registered office: Ovocný trh 572/11, 110 00 Prague 1, Czech Republic
Registered at the Municipal Court in Prague, file number C 316070
Contact email: necas@exid.zone

2. Sources and Categories of Processed Personal Data

2.1. We collect personal data directly from users (Buyers) when they:

  • fill out the order form on the E‑shop,
  • register an account and log in at www.exid.zone,
  • communicate by email (necas@exid.zone) or by phone (+420 605 707 814).

2.2. We process the following categories of personal data:

  • Identification data: first and last names of natural persons; Company ID/VAT ID and organization name for businesses and legal entities.
  • Contact data: email address, phone number, mailing address (for invoicing or access credentials delivery).
  • Billing data: billing address, variable symbol, bank account number (246 634 599/0600, Komerční banka).
  • Order and usage data: purchase dates, products purchased, license keys, update history, account activations, IP addresses at login.
  • Technical logs: IP address, browser and operating system information, timestamps—used to ensure operational security and detect unauthorized access.
  • Support and complaint data: description of the defect claimed, date of complaint, records of communications and resolution steps.
  • Marketing data: consents to newsletters and commercial communications, cookie settings (analytics and marketing).

3. Purposes and Legal Grounds for Processing

3.1. We process personal data for these purposes:

  • Performance of contract for Digital Content (Act No. 260/2016 Coll., on Digital Content and Digital Services):
    – providing access credentials and download links
    – sending invoices and payment reminders
    – tracking order status and account administration
    – communication regarding updates, fixes, and new versions of digital content
  • Compliance with legal obligations (VAT Act No. 235/2004 Coll.; Accounting Act No. 563/1991 Coll.):
    – archiving accounting documents (min. 10 years per accounting law)
    – complaint records (min. 2 years per Civil Code)
    – mandatory reporting to authorities (tax office, Czech Trade Inspection Authority)
  • Legitimate interest of the controller (Art. 6(1)(f) GDPR):
    – ensuring IT system security, preventing fraud
    – generating anonymized traffic statistics, website optimization
    – sending B2B commercial communications (when consent is not required)
  • User consent (Art. 6(1)(a) GDPR):
    – sending newsletters and marketing communications
    – using cookies for analytics and marketing (Google Analytics, Facebook Pixel, etc.)
  • Processing for complaint handling (Civil Code No. 89/2012 Coll.; Act No. 260/2016 Coll.):
    – collecting defect descriptions, complaint dates, recording resolution processes

4. Technology and Processing Methods

4.1. Personal data are processed electronically (Shoptet databases, CRM, email) and on paper (printed invoices, server logs). All servers and databases are hosted within the EU (ISO 27001–certified provider).

4.2. Personal data are managed by the following entities:

  • Shoptet administrator (technical E‑shop maintenance, database backups)
  • Payment gateways (Komerční banka, PayPal, etc.) – transaction confirmations and transfer of payment data
  • IT providers (hosting, CDN) – ensuring server operation and security per GDPR
  • External accountants (invoice processing, tax document archiving)
  • Courier/shipping companies (for physical delivery of invoices or marketing materials) – only transfer of recipient name and address
  • External auditors and penetration testers – limited access for security audits

5. Data Retention Periods

5.1. Retention periods depend on the processing purpose:

  • Business and billing data: at least 10 years after the end of the accounting period (per accounting and VAT laws).
  • Digital Content order data: duration of the valid license + 2 years (for complaints or legal claims under the Civil Code and Digital Content Act).
  • Complaint data: at least 2 years after complaint resolution (per Civil Code §§ 1969–1977).
  • Marketing data (newsletter, cookies): for as long as the user's consent remains valid; after withdrawal, anonymized or deleted within 30 days.
  • Technical logs (IP, logins): up to 12 months, then anonymized.
  • Server backups (including personal data): retained for 30 days, then overwritten or deleted.

6. Recipients of Personal Data

6.1. Personal data are not provided to third parties for their own processing. Access is limited to entities listed in section 4.2, only to the extent necessary.

6.2. Personal data may be disclosed to authorities (tax office, Czech Trade Inspection Authority, courts) only as required by law.

7. International Data Transfers

7.1. We do not currently transfer personal data outside the European Economic Area (EEA). All data are hosted on servers within the EU.

7.2. If future transfers outside the EEA occur (e.g., use of a US service), we will ensure adequate protection (EU standard contractual clauses, BCRs, or another approved mechanism) and inform users in advance.

8. Data Subject Rights

8.1. Each user has the right to:

  • Access to personal data (Art. 15 GDPR) – receive confirmation whether data are processed and obtain a copy.
  • Rectification (Art. 16 GDPR) – update or correct inaccurate or incomplete data.
  • Erasure (“right to be forgotten”) (Art. 17 GDPR) – if data are no longer needed or consent is withdrawn.
  • Restriction of processing (Art. 18 GDPR) – e.g., when contesting data accuracy.
  • Data portability (Art. 20 GDPR) – receive data in a machine-readable format and transmit to another controller.
  • Objection (Art. 21 GDPR) – to processing based on legitimate interest (e.g., B2B communications).
  • Withdraw consent (Art. 7(3) GDPR) – for marketing or cookies; withdrawal does not affect processing prior to withdrawal.
  • Lodge a complaint with a supervisory authority (Office for Personal Data Protection) if processing violates GDPR or other laws.

8.2. To exercise rights, users may contact the controller at necas@exid.zone or send a registered letter to exid s.r.o., Ovocný trh 572/11, 110 00 Prague 1. A response will be provided within 30 days of receipt.

9. Security of Personal Data

9.1. We implement technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or leakage, for example:

  • SSL/TLS encryption on www.exid.zone,
  • regular database backups and encrypted backup storage,
  • firewalls and antivirus protection on servers,
  • restricted access rights for employees and processors only as needed,
  • regular software (CMS, plugins) updates and security audits (internal and external).

9.2. In case of a security incident (leak, loss, unauthorized access), we will notify the supervisory authority (Office for Personal Data Protection) and affected data subjects within 72 hours of discovery.

10. Changes to the Personal Data Policy

10.1. These policies may be updated due to legislative changes (e.g., new digital content rules), internal process changes, or E‑shop service expansions. The current version will be posted at www.exid.zone/podminky-ochrany-osobnich-udaju/ and become effective 15 days after publication unless otherwise stated.

10.2. We recommend users regularly review this page to stay informed of any changes.

11. Contact for Questions and Complaints

11.1. For questions about personal data protection or to exercise your rights, contact the controller at necas@exid.zone or by mail to:

exid s.r.o.
Ovocný trh 572/11
110 00 Prague 1

11.2. You have the right to lodge a complaint with the supervisory authority – Office for Personal Data Protection (www.uoou.cz).

These personal data protection policies were approved by exid s.r.o. management on 6 June 2025 and are effective from 6 June 2025.