Privacy Policy

1. Data Controller

The data controller is Lubomír Unar, ID No. 05000386, registered at č.p. 220, 768 75 Loukov, Czech Republic, operator of the Resovu service available at resovu.com (hereinafter "Controller"). The Controller is not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR, as the core activities do not involve large-scale processing of special categories of data or large-scale systematic monitoring. For all data protection inquiries, contact: resovu@resovu.com. The supervisory authority is the Czech Office for Personal Data Protection (www.uoou.cz).

2. Scope of Data Collected

We process the following categories of personal data: Account data: email address, full name, company name, business address, tax identification numbers (for invoicing), chosen language and timezone. Booking data: customer names, email addresses, phone numbers, booking dates and times, selected services, booking notes, custom form field responses, payment status. Payment data: transaction identifiers, invoice details, subscription plan information. Note: credit card numbers and payment card details are processed exclusively by Stripe and are never stored on Resovu servers. Technical data: IP addresses (for security and rate limiting), browser type and version, operating system, device type, referral URLs, pages visited, session duration, cookies (as described in Section 8). Communication data: email addresses and phone numbers used for sending booking confirmations, reminders, and system notifications. Staff data: staff member names, email addresses, working hours, assigned services, and calendar availability. Data is collected directly from Users during registration and service usage, from Users' customers during the booking process, from the User's browser through cookies and similar technologies (with consent where required), and from third-party services (e.g., Google Calendar data when sync is enabled).

3. Purpose of Processing

We process personal data for the following purposes: Providing and administering the Resovu service, including managing bookings, customers, staff, and services. Processing payments and managing subscriptions through Stripe. Sending booking confirmations, reminders, and system notifications via email (Resend) and SMS (Infobip). Improving the quality of the service through analytics and usage statistics (only with consent via cookie banner). Ensuring the security of the service, including rate limiting, fraud detection, and abuse prevention. Fulfilling legal obligations, particularly accounting, tax, and data retention requirements. Providing customer support and responding to inquiries. Error monitoring and service reliability through Sentry (session replay on errors to diagnose and fix issues). Generating invoices and maintaining accounting records.

4. Legal Basis for Processing

We process personal data based on the following legal grounds: Performance of a contract (Art. 6(1)(b) GDPR): Processing necessary for the provision of the Resovu service, including account management, booking processing, payment handling, and sending transactional communications (confirmations, reminders). Legitimate interest (Art. 6(1)(f) GDPR): Service security (rate limiting, abuse prevention), error monitoring (Sentry), service improvement through aggregated analytics, and ensuring system integrity. We have conducted a balancing test to ensure our legitimate interests do not override data subjects' rights. Consent (Art. 6(1)(a) GDPR): Marketing communications, analytics cookies (Google Analytics, Hotjar, Microsoft Clarity), and marketing cookies (Facebook Pixel, LinkedIn, TikTok, Google Ads). Consent can be withdrawn at any time through the cookie banner or by contacting us. Legal obligation (Art. 6(1)(c) GDPR): Accounting and tax records retention (5 years under Czech accounting law), responding to law enforcement requests, and compliance with court orders.

5. Third-Party Data Sharing

We only share personal data with trusted service providers necessary for operation: Supabase (database hosting, EU), Stripe (payment processing), Vercel (application hosting), Resend (transactional emails), Infobip (SMS reminders), Google (calendar sync, optional; Google Analytics 4 and Google Tag Manager for website analytics), Sentry (error monitoring), Upstash (rate limiting, EU). We have a Data Processing Agreement (DPA) with each processor. Analytics and marketing tools (Google Analytics 4 operated via Google Tag Manager, Hotjar, Microsoft Clarity, Facebook Pixel, LinkedIn Insight Tag, TikTok Pixel) process data only with your explicit consent via the cookie banner. We implement Google Consent Mode v2 with regional differentiation — in the EU/EEA/UK, no analytics or marketing data is collected without explicit consent (opt-in); outside the EU, data is collected automatically with the option to opt out (opt-out). Some personal data may be transferred to countries outside the EU/EEA (primarily the USA) through subprocessor services (Stripe, Resend, Sentry, Google). These transfers are secured by Standard Contractual Clauses (SCCs) approved by the European Commission and/or adequacy decisions under the EU-US Data Privacy Framework. Details of individual processor safeguards can be found in the GDPR — Subprocessors List section.

6. Data Retention Period

We retain personal data for the following periods: Account data: For the duration of the User's account plus 30 days after account deletion. Accounting and invoicing data is retained for 5 years as required by Czech accounting law (Act No. 563/1991 Coll.). Booking data: Configurable by the User (tenant) in the Resovu dashboard. The default retention period is 365 days. After the retention period, personal data in bookings is automatically anonymized by the system's PII purge cron job, while statistical data is preserved in anonymized form. Rate limiting data: IP addresses stored in the rate limiting system are automatically purged after the rate limit window expires (typically 60 seconds). Analytics data: Cookie-based analytics data is subject to the retention policies of the respective analytics providers (Google Analytics: 14 months default, Hotjar: 365 days, Clarity: 13 months). This data is only collected with the User's explicit consent. Error monitoring data: Sentry retains error data including session replays (DOM snapshots on errors) for 90 days. Communication logs: Email and SMS delivery logs are retained for 30 days for troubleshooting purposes. After account deletion, all personal data is deleted within 30 days, except where legal requirements mandate longer retention. Users can request earlier deletion by contacting resovu@resovu.com, subject to legal retention obligations.

7. Your Rights

In accordance with GDPR, you have the following rights: Right of access (Art. 15): You have the right to obtain confirmation of whether personal data concerning you is being processed, and if so, to access that data and receive a copy. Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data. Right to erasure / right to be forgotten (Art. 17): You have the right to request deletion of your personal data when it is no longer necessary for the purpose for which it was collected, when you withdraw consent, or when there is no other legal basis for processing. Right to restriction of processing (Art. 18): You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of data. Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format (CSV export is available in the Resovu dashboard). Right to object (Art. 21): You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds. Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority, in particular the Czech Office for Personal Data Protection (UOOU, www.uoou.cz). To exercise any of these rights, contact us at resovu@resovu.com. We will respond within 30 days. Identity verification may be required. There is no fee for exercising these rights, unless requests are manifestly unfounded or excessive.

8. Cookies

Our website uses cookies and similar technologies for ensuring basic functionality (technically necessary cookies), analytics purposes (with your consent), and marketing purposes (with your consent). All analytics and marketing scripts are managed via Google Tag Manager (GTM). Cookie categories: Necessary cookies (always active): cc_cookie (vanilla-cookieconsent, stores your consent preferences, 182 days), sb-*-auth-token (Supabase, authentication session, session duration), locale (language preference, 1 year), geo_consent_region (consent region setting — eu or row, 182 days). These cookies are essential for the service to function and cannot be disabled. Analytics cookies (require consent in EU): _ga, _ga_* (Google Analytics 4, visitor statistics, 14 months), _hjSession*, _hjSessionUser* (Hotjar, session recording and heatmaps, 30 minutes / 1 year), _clck, _clsk (Microsoft Clarity, session recording, 1 year / session). These cookies help us understand how visitors use our website. Marketing cookies (require consent in EU): _fbp (Facebook Pixel, conversion tracking, 90 days), _li_* (LinkedIn Insight Tag, conversion tracking, 90 days), _ttp (TikTok Pixel, conversion tracking, 13 months). These cookies are used for advertising and remarketing. Regional consent mode: In the EU/EEA/UK, no analytics or marketing cookies are stored without your explicit consent (opt-in mode). Outside the EU, cookies are loaded automatically with the option to opt out (opt-out mode). Your location is determined automatically based on your IP address. You can manage your cookie preferences at any time by clicking the cookie settings button in the website footer. Google Analytics 4 operates with IP anonymization enabled, in Google Consent Mode v2, and is operated via Google Tag Manager.

9. Children's Data

The Resovu service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 16, we will promptly delete it. If you suspect a child is using our service, please contact us at resovu@resovu.com.

10. Automated Decision-Making

Resovu does not engage in automated decision-making or profiling within the meaning of Article 22 GDPR that would produce legal or similarly significant effects on data subjects. Automated processing is limited to: rate limiting (abuse protection based on IP address), sorting and filtering of bookings, automated sending of confirmations and reminders. None of these processes produce decisions with legal effects.