GDPR Documentation
Last updated: March 24, 2026 (v2.0)
This page contains the key documents on personal data protection in the Resovu system, in accordance with Regulation (EU) 2016/679 (GDPR), which applies throughout the EU and EEA, and with the relevant national data protection legislation.
Resovu complies with national data protection regulations in all countries where it operates: Act No. 110/2019 Coll. (Czech Republic), Act No. 18/2018 Coll. (Slovakia), Bundesdatenschutzgesetz — BDSG (Germany), Personal Data Protection Act (Poland), Act on Informational Self-Determination — GDPR adaptation (Hungary), Ley Orgánica de Protección de Datos — LOPDGDD (Spain), Personopplysningsloven (Norway), Loi Informatique et Libertés (France).
1. Data Processing Agreement (DPA)
1.1 Parties
This Data Processing Agreement (hereinafter "DPA") is entered into between the business operator using the Resovu system (hereinafter "Controller") and Lubomír Unar, ID 05000386 (hereinafter "Processor"). The DPA is an integral part of the Resovu Terms of Service.
1.2 Subject and Duration of Processing
The Processor processes personal data of the Controller's customers for the purpose of providing the booking system. Processing takes place for the duration of the service agreement. Categories of data subjects: the Controller's customers making bookings. Categories of data: name, surname, email, phone, booking data, optional custom fields.
1.3 Obligations of the Processor
The Processor undertakes to: process personal data only on the basis of documented instructions from the Controller; ensure that persons authorized to process data are bound by confidentiality; implement all measures required by Art. 32 GDPR; comply with the conditions for engaging sub-processors; assist the Controller in fulfilling obligations under Art. 32 to 36 GDPR; delete or return all personal data upon termination of the agreement; provide the Controller with all information necessary to demonstrate compliance.
1.4 Controller's Instructions
The Controller issues a general instruction to the Processor to process personal data to the extent necessary for providing the Resovu service. The Controller may issue further instructions through the system administration settings. The Processor shall immediately inform the Controller if it believes an instruction violates the GDPR.
1.5 Sub-processors
The Controller grants the Processor a general written authorisation (Art. 28(2) GDPR) to engage the sub-processors listed in the Sub-processor List section. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, and the Controller may object to such changes within 30 days of the notice.
1.6 Security Measures
The Processor implements appropriate technical and organizational measures: AES-256-GCM encryption for sensitive fields; HTTPS/TLS for all data transfer; tenant data isolation using Row Level Security; role-based access control (RBAC); IP address hashing; automatic deletion of personal data after the retention period; security headers (CSP, HSTS, X-Frame-Options); rate limiting for abuse protection.
1.7 Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay after becoming aware of it, no later than 48 hours. The notification shall include: a description of the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken.
1.8 Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling the obligation to respond to data subject requests to exercise their rights under Chapter III of the GDPR. The system enables: customer data export (Art. 20), data anonymization/erasure (Art. 17), overview of processed data (Art. 15).
1.9 Audit
The Processor shall allow and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller. The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR. An audit may be conducted once a year with 30 days' notice.
1.10 Processing Duration and Erasure
Upon termination of the service, the Processor shall delete all personal data within 30 days, unless EU or member state law requires their retention. The Controller may export all data before termination using the GDPR export function in the system administration.
2. Record of Processing Activities (ROPA)
Records pursuant to Art. 30 GDPR on processing activities carried out through the Resovu system.
| Processing Purpose | Legal Basis | Data Categories | Subject Categories | Retention Period |
|---|---|---|---|---|
| Booking management | Art. 6(1)(b) — contract performance | Name, email, phone, booking date, note | Customers making bookings | Configurable (default 365 days) |
| Communication (confirmations, reminders) | Art. 6(1)(b) — contract performance | Name, email, phone, booking details | Customers with active bookings | Per booking retention period |
| Payment processing | Art. 6(1)(b) — contract performance | Payment details (processed by Stripe, never stored in Resovu) | Customers making online payments | Per Stripe terms |
| Marketing (with consent) | Art. 6(1)(a) — consent | Name, email | Customers who gave marketing consent | Until consent withdrawal |
| Security and abuse protection | Art. 6(1)(f) — legitimate interest | IP address, user-agent (temporarily for rate limiting) | All system users | Per audit log retention period |
| Accounting and invoicing | Art. 6(1)(c) — legal obligation | Business name, company ID, VAT ID, email, address | System operators (tenants) | 5 years (accounting law) |
3. Personal Data Breach Notification Procedure
3.1 Detection and Reporting
Resovu implements monitoring systems for detecting security incidents. Every employee or collaborator is obligated to immediately report any suspicion of a data security breach to the company management.
3.2 Severity Assessment
Upon detecting an incident, the responsible person shall immediately assess: the scope of affected data, the number of affected data subjects, the likely impact on the rights and freedoms of data subjects, whether the data was encrypted, whether the impact can be mitigated.
3.3 Notification to Supervisory Authority
If the breach is likely to result in a risk to the rights and freedoms of natural persons, Resovu shall notify the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of it. This applies where Resovu is the controller of the affected data (for example tenant account and invoicing data); for customer data processed on behalf of a Controller, the notification to the authority is the Controller's responsibility and Resovu's obligation is the notification to the Controller under section 1.7. The notification shall include: a description of the nature of the breach, including the categories and approximate number of affected data subjects and records; the contact details of the DPO or other contact point; a description of the likely consequences; and a description of the measures taken or proposed. Supervisory authorities: ÚOOÚ — www.uoou.cz (Czech Republic), ÚOOÚ SR — www.dataprotection.gov.sk (Slovakia), BfDI — www.bfdi.bund.de (Germany; for private companies the competent authority is the data protection authority of the federal state in which the company has its seat), UODO — www.uodo.gov.pl (Poland), NAIH — www.naih.hu (Hungary), AEPD — www.aepd.es (Spain), Datatilsynet — www.datatilsynet.no (Norway), CNIL — www.cnil.fr (France).
3.4 Notification to Data Subjects
If the breach is likely to pose a high risk to the rights and freedoms of natural persons, Resovu shall inform the affected data subjects without undue delay. The notification shall be made in clear language and shall include recommendations for mitigating the impact.
3.5 Documentation
All security incidents are recorded in an internal register, including: date of discovery, description of the incident, affected data and subjects, measures taken, decisions on notification to authorities and subjects, investigation results.
3.6 Incident Reporting Contact
Report security incidents to: security@resovu.com. Include "Security Incident" in the subject line. Provide as much information as possible about the nature and scope of the incident.
4. Sub-processor List
| Provider | Service | Data Location | Guarantees |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, storage | EU (Frankfurt, eu-central-1) | DPA, SOC 2 Type II |
| Stripe | Payment processing | EU (Ireland) + US | DPA, SCC, PCI DSS Level 1 |
| Vercel | Hosting, Edge Network, serverless | Global CDN (edge in EU) | DPA, SOC 2 Type II |
| Resend | Transactional emails | US | DPA, SCC |
| Infobip | SMS reminders | EU (Frankfurt) + global | DPA, SCC, ISO 27001 |
| Google | Google Analytics 4, Google Tag Manager, calendar sync (optional) | US | DPA, SCC |
| Sentry (Functional Software Inc.) | Error monitoring | US | DPA, SCC, SOC 2 |
| Upstash | Rate limiting (Redis) | EU (Frankfurt) | DPA, SOC 2 |