Legal · Privacy

Privacy policy

We take privacy seriously and we keep things short. This policy explains who we are, what personal data we process, why, on what legal basis, who we share it with, and what rights you have. If anything is unclear, write to tomas@cernovsky.cz and we will explain.

1. Who is the controller

Cernovskymedia s.r.o., registered office in Prague, Czech Republic, ID 14196565, VAT CZ14196565, registered in the Commercial Register kept by the Municipal Court in Prague (the "Controller" or "we"). Founder and contact person: Tomáš Černovský.

Contact for any privacy matter: tomas@cernovsky.cz.

We have not appointed a Data Protection Officer — we are not required to under Art. 37 GDPR. We do not perform automated decision-making or profiling that would have legal or similarly significant effects on you.

2. What we process and why

We split the processing into four blocks based on what triggered it. Each block lists the data, the purpose, the legal basis, and the retention period.

A. Inquiries through forms or email

  • Data: name, email, company, phone (optional), and the content of your message.
  • Purpose: respond to your request, send a proposal, schedule a call.
  • Legal basis: Art. 6(1)(b) GDPR — steps prior to entering into a contract; and Art. 6(1)(f) GDPR — our legitimate interest in commercial communication.
  • Retention: up to 12 months after the last communication if no engagement follows. If we sign a contract, the data moves to block B.

B. Service delivery (clients)

  • Data: billing details (company name, address, ID, VAT), contacts of the people we work with, project files, campaign access credentials and reports, invoices and payment records.
  • Purpose: deliver the agreed services, invoice them, and meet our statutory obligations as a Czech limited company.
  • Legal basis: Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(c) GDPR — compliance with tax, accounting and other legal obligations.
  • Retention: for the duration of the engagement plus statutory retention periods. Tax documents must be kept for at least 10 years under Czech VAT and accounting law; other client records for up to 4 years after the engagement ends, then deleted.

C. Newsletter and resources

  • Data: email address, optional first name; basic engagement metrics (opens, clicks).
  • Purpose: send marketing emails about our work, paid-media playbooks, and case studies.
  • Legal basis: Art. 6(1)(a) GDPR — consent given via the signup form. You can withdraw consent at any time from the unsubscribe link in every email.
  • Retention: until you unsubscribe, or 4 years after the last interaction — whichever comes first.

D. Site usage data (cookies)

  • Data: aggregated analytics events, ad attribution identifiers, IP-derived approximate location, device and browser type.
  • Purpose: measure what content and which channels actually perform; run our paid campaigns efficiently.
  • Legal basis: Art. 6(1)(a) GDPR — consent given through our cookie banner. You can change your choice any time (Cookie policy).
  • Retention: Google Analytics — up to 14 months (aggregated). Advertising cookies — up to 13 months. Server logs — up to 30 days.

3. Where the data goes (recipients and processors)

We share personal data only with the processors and partners we actually need to run the business. Each one is bound by a Data Processing Agreement (DPA) under Art. 28 GDPR. We do not sell personal data and we do not give it to anyone for their independent marketing.

  • Vercel Inc. (USA) — hosting and CDN for cernovsky.com. Data Privacy Framework certified.
  • Cloudflare Inc. (USA) — DNS and CDN edge in front of cernovsky.com and cms.cernovsky.com. Data Privacy Framework certified.
  • Forpsi (INTERNET CZ, a.s.) (Czech Republic) — hosting for the WordPress CMS used to publish the blog.
  • Google Ireland Ltd. (Ireland) — Google Workspace (email, drive, docs), Google Analytics 4, Google Ads, Google Tag Manager. Some processing happens in the United States under the Data Privacy Framework.
  • Meta Platforms Ireland Ltd. (Ireland) — Meta Pixel, conversions API, and Meta Ads. Some processing in the United States under the Data Privacy Framework.
  • LinkedIn Ireland Unlimited Company (Ireland) — LinkedIn Insight Tag and LinkedIn Ads.
  • Twilio SendGrid (USA) — transactional email delivery, DKIM-signed.
  • Ecomail s.r.o. (Czech Republic) — newsletter delivery and list management.
  • Our accountant and tax advisor — based in the Czech Republic; bound by professional secrecy.

4. International transfers

Most processing takes place in the European Union. Where US-based providers are used, the legal basis for transfer is the EU–US Data Privacy Framework and Standard Contractual Clauses (SCCs) where the provider is not DPF-certified for that data flow. We do not knowingly transfer personal data to countries without an adequate level of protection.

5. How we keep data safe

We apply the technical and organisational measures expected of a modern web business: HTTPS everywhere with up-to-date TLS, role- based access to admin tools, two-factor authentication on critical accounts, encrypted laptops, secret managers for API keys, and minimum-privilege scopes for processors. We do not store payment cards — payments go through invoicing software directly.

6. Your rights

Under Articles 15–22 GDPR you have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Rectify data that is inaccurate or incomplete.
  • Erase data when it is no longer needed, when you withdraw consent, or when processing is unlawful.
  • Restrict processing while a complaint or correction is being investigated.
  • Port data you provided to us, in a structured, machine-readable format.
  • Object to processing based on legitimate interest, including direct marketing.
  • Withdraw consent at any time, without affecting the lawfulness of processing that happened before the withdrawal.

To exercise any of these, write to tomas@cernovsky.cz. We respond within 30 days. We may ask for additional information to verify your identity before disclosing personal data.

You can also lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Praha 7, uoou.cz) or with the supervisory authority in your country of residence.

7. Cookies

For the list of cookies we use, the legal basis for each, and how to change your choice, see the dedicated Cookie policy.

8. Changes to this policy

We update this policy when our processing changes meaningfully — for example when we add a new processor or change retention. The current version is always available at cernovsky.com/privacy. Material changes are communicated to active clients by email.

Last updated: 2 May 2026 · Cookie policy