Privacy policy

The data controller is the operator of the Vistario portal. For all enquiries, requests to exercise rights, or complaints, contact the controller electronically:

Controller

Ben Barkai, sole trader

Business ID (IČO)

22073264

Data-protection e-mail

[email protected]

Depending on how you use the portal, we process the following categories of data:

• Registration data: e-mail address, password hash, preferred language, registration date.
• Profile and listing data: name/company, business ID (advertisers), phone number (optional), listing content including photos.
• Transaction and billing data: payment records (no card numbers — those are held by Stripe), billing address.
• Operational and technical data: IP address (web server logs and moderation audit log), browser type (server log), device identifier (session cookie), login records (audit log), and error logs (server log).
• Behavioural data (with consent): anonymised visitor statistics via Google Analytics (GA4).

We always process data on the basis of one of the legal grounds below:

Contract performance (Art. 6(1)(b) GDPR)

Operating accounts, displaying listings, sending transactional e-mails (e-mail verification, password reset, registration confirmation).

Legitimate interest (Art. 6(1)(f) GDPR)

Portal security, fraud and abuse prevention, enforcement of Terms, direct marketing to existing customers.

Legal obligation (Art. 6(1)(c) GDPR)

Archiving accounting documents (Act No. 563/1991 Coll.) and fulfilling other statutory obligations.

Consent (Art. 6(1)(a) GDPR)

Google Analytics cookies and marketing e-mail campaigns – only with explicit consent, withdrawable at any time.

The portal uses technical cookies required for operation (login, language preference, cookie consent), and Google Analytics (GA4) cookies only after consent is given. Marketing cookies are not currently deployed; if activated in the future, new consent will be required. Details and consent management are in the Cookies section.

We work with the following contracted processors, each with a Data Processing Agreement in place:

Hetzner

Server hosting and object storage (EU data centres). DPA per Art. 28 GDPR.

Cloudflare

CDN, DNS, and attack protection (USA; EU–USA Data Privacy Framework / Standard Contractual Clauses). Data is primarily processed in the EU.

Resend

Transactional e-mail (verification, password reset, notifications). Data is not shared for the processor's own marketing purposes.

Google Analytics

Portal analytics (consent required). IP anonymisation enabled; no cross-site tracking on the portal. Google LLC – EU SCC.

Stripe

Advertiser payment processing. The portal does not store or process payment card numbers.

Google / Apple OAuth

Sign-in via Google or Apple. The portal receives only an e-mail address and identifier; the third party's password is never shared.

Data is primarily processed within the EU/EEA. For Cloudflare and Google Analytics, data is transferred to the USA under the EU–USA Data Privacy Framework (DPF) or Standard Contractual Clauses (SCC) issued by the European Commission. Stripe is DPF-certified. Users may request a copy of the applicable SCCs from the controller.

Personal data is retained only for as long as necessary for the purpose for which it was collected:

• Active account: for the duration of the contractual relationship.
• After account deletion: operational logs up to 90 days; listing content up to 30 days.
• Accounting and billing documents: 10 years per Act No. 563/1991 Coll. Payment records are managed by Stripe; the operator retains payment evidence in compliance with accounting law.
• Google Analytics data: 14 months (configured in the GA4 console).

As a data subject you have the following rights, exercisable by submitting a request to [email protected]:

• Right of access – to find out whether your data is being processed and to obtain a copy.
• Right to rectification – to request correction of inaccurate or completion of incomplete data.
• Right to erasure (right to be forgotten) – under the conditions of Art. 17 GDPR.
• Right to restriction of processing – in the cases set out in Art. 18 GDPR.
• Right to data portability – to receive data in a machine-readable format.
• Right to object – in particular to processing based on legitimate interest.
• Right to lodge a complaint – with the Czech Data Protection Authority (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.

The portal employs transport encryption (TLS), password hashing (Argon2id), least-privilege access controls, and regular backups within the EU. In the event of a security breach likely to pose a high risk to individuals' rights and freedoms, the controller will notify ÚOOÚ within 72 hours and affected individuals without undue delay.

The portal uses automated processing (AI filters, listing recommendations) as a user aid. This processing does not result in automated decisions within the meaning of Art. 22 GDPR that would have legal or similarly significant effects on users.

For enquiries, rights requests, or complaints, write to [email protected]. We will respond without undue delay, within 30 days at the latest. This Policy may be updated; for changes that affect users' rights, we will provide at least 14 days' notice by e-mail or a prominent notice on the portal.