Privacy Policy
Kaiser Quarry Studios — kaiserquarry.com | Version 1.0
1 Identity and Contact Details of the Controller
[COMPANY NAME]
Registration No. (ICO): [ICO]
Registered office: [REGISTERED ADDRESS]
Registered in the Commercial Register maintained by [RELEVANT COURT], file no. [FILE NUMBER]
Contact: info@kaiserquarry.com
Data Protection Officer (DPO): dpo@kaiserquarry.com
(hereinafter referred to as the “Controller” or “we”)
2 Scope and Legal Framework
This Privacy Policy (hereinafter the “Policy”) describes how the Controller collects, processes, and protects the personal data of visitors and users of the website kaiserquarry.com (hereinafter the “Website”), the Vesna platform (hereinafter the “Platform”), and related services.
Kaiser Quarry Studios is a digital studio that provides web storytelling, digital infrastructure, and legal compliance services through the Platform (Story · System · Shield). This Policy applies to:
- visitors to the Website kaiserquarry.com,
- customers using the Controller's services and the Platform,
- end users of customer websites operated on the Platform (see Section 6 — Controller and Processor Roles).
The Controller processes personal data in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (hereinafter “GDPR”),
- Czech Act No. 110/2019 Coll., on the Processing of Personal Data,
- Czech Act No. 127/2005 Coll., on Electronic Communications, and
- other applicable legislation.
3 Categories of Personal Data Processed
3.1 Website Visitor Data
| Category | Examples | When Collected |
|---|---|---|
| Contact data | Name, email address | Contact/inquiry form, newsletter subscription |
| Communication data | Message content, subject, project type, scope, budget | During mutual communication and service inquiries |
3.2 Customer Data (Story · System · Shield)
| Category | Examples | When Collected |
|---|---|---|
| Identification data | Name, company, registration number, registered office | Upon entering into a service agreement |
| Access data | Email, password (hashed), session token | Upon creation of a customer account on the Platform |
| Business data | Products, pricing, bookings, orders | When using Platform modules (Commerce, Booking, Billing) |
| Billing data | Billing address, bank details, VAT ID | When invoicing services |
3.3 End-User Data from Customer Websites
Where the Controller processes personal data of end users of customer websites operated on the Platform, it does so in the role of a processor based on the customer's instructions as the controller of such data (see Section 6).
3.4 Data Collected Automatically
| Category | Examples | Purpose |
|---|---|---|
| Technical data | IP address, browser type, operating system, screen resolution | Ensuring Website and Platform functionality |
| Visit data | Pages visited, time of visit, referral source | Analysis and improvement of services |
| Session data | Authentication tokens, active organisation, role | Access control and security |
| Cookies and similar technologies | See separate Cookie Policy | See Cookie Policy |
4 Purposes, Legal Bases and Retention Periods
4.1 Website kaiserquarry.com
| Purpose | Legal Basis (GDPR Article) | Retention Period |
|---|---|---|
| Responding to inquiries and service requests | Art. 6(1)(b) — performance of a contract / pre-contractual measures | 2 years from last communication |
| Sending newsletters and marketing communications | Art. 6(1)(a) — consent | Until consent is withdrawn |
| Website traffic analysis and improvement | Art. 6(1)(f) — legitimate interest | [SEE COOKIE POLICY] |
| Ensuring Website security | Art. 6(1)(f) — legitimate interest | Max. 90 days (server logs) |
4.2 Vesna Platform and KQS Services
| Purpose | Legal Basis (GDPR Article) | Retention Period |
|---|---|---|
| Customer account management and authentication | Art. 6(1)(b) — performance of a contract | Duration of contractual relationship + statutory periods |
| Providing Story · System · Shield services | Art. 6(1)(b) — performance of a contract | Duration of contractual relationship |
| Operating the customer business panel | Art. 6(1)(b) — performance of a contract | Duration of contractual relationship |
| Invoicing and accounting | Art. 6(1)(c) — legal obligation | Per tax and accounting regulations (min. 10 years) |
| Compliance with legal obligations | Art. 6(1)(c) — legal obligation | As required by applicable law |
5 Legitimate Interests
Where we process personal data based on legitimate interest (Art. 6(1)(f) GDPR), such interests include:
- ensuring the security and stability of the Website and the Platform,
- analysing traffic to improve user experience,
- protecting against misuse of services,
- enforcement of contractual claims.
You have the right to object to such processing (see Section 9 of this Policy).
6 Controller and Processor Roles
6.1 KQS as Controller
The Controller processes personal data as a controller within the meaning of the GDPR in relation to:
- visitors to the Website kaiserquarry.com,
- customers using KQS services,
- persons who subscribe to newsletters.
6.2 KQS as Processor
Where a customer operates their own website on the Vesna Platform and collects personal data of their end users through it (e.g., orders, bookings, contact forms), KQS acts as a processor within the meaning of Art. 4(8) GDPR, subject to the obligations set out in Art. 28 GDPR. In such cases:
- the customer is the controller of their end users' personal data,
- KQS processes such data only based on the customer's documented instructions,
- the relationship is governed by a Data Processing Agreement (DPA) concluded between the customer and KQS,
- KQS has implemented appropriate technical and organisational measures to protect such data.
7 Recipients of Personal Data and International Transfers
We may share personal data with the following categories of recipients:
| Category | Purpose | Location |
|---|---|---|
| Hosting and server infrastructure provider | Website and Platform operation | [EU/EEA — TO BE SPECIFIED] |
| [Analytics service] | [Traffic analysis — TO BE SPECIFIED] | [TO BE SPECIFIED] |
| [Email service] | [Transactional emails and newsletter — TO BE SPECIFIED] | [TO BE SPECIFIED] |
| [Payment gateway] | [Payment processing — FUTURE: Stripe] | [TO BE SPECIFIED] |
| Accountants and tax advisors | Compliance with accounting and tax obligations | Czech Republic |
| Public authorities | Compliance with legal obligations | Czech Republic |
Personal data are not transferred to third countries outside the EU/EEA unless stated otherwise in the table above. Should such a transfer occur, an adequate level of protection will be ensured in accordance with Chapter V of the GDPR (an adequacy decision under Art. 45 GDPR, standard contractual clauses under Art. 46 GDPR, or another recognised safeguard).
8 Retention of Personal Data
We retain personal data only for as long as necessary to fulfil the purpose of processing, or for the period required by applicable legislation. Specific retention periods are set out in the tables in Section 4.
Upon expiry of the retention period, personal data are securely deleted or anonymised.
Upon termination of a contractual relationship with a customer:
- customer business panel data will be exported to the customer and subsequently deleted, unless agreed otherwise,
- data required for compliance with legal obligations (accounting, taxes) will be retained for the statutory period,
- personal data of end users of customer websites will be processed in accordance with the customer's instructions as controller.
9 Rights of Data Subjects
As a data subject, you have the following rights under the GDPR:
Right of access (Art. 15 GDPR) — You have the right to obtain confirmation as to whether your personal data are being processed and, if so, to access them and receive information about the processing.
Right to rectification (Art. 16 GDPR) — You have the right to have inaccurate personal data corrected or incomplete data completed.
Right to erasure (Art. 17 GDPR) — You have the right to request erasure of your personal data where the conditions set out in the GDPR are met.
Right to restriction of processing (Art. 18 GDPR) — You have the right to request restriction of processing in the cases provided for by the GDPR.
Right to data portability (Art. 20 GDPR) — Where processing is based on your consent or on a contract and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to have them transmitted to another controller where technically feasible.
Right to object (Art. 21 GDPR) — You have the right to object at any time to processing based on the Controller's legitimate interest.
Right to withdraw consent — Where processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing carried out prior to withdrawal.
Right to lodge a complaint — You have the right to lodge a complaint with the supervisory authority:
Office for Personal Data Protection (UOOU)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
www.uoou.cz
You may exercise your rights:
- by email at: dpo@kaiserquarry.com
- in writing to the Controller's registered office
We will respond to your request without undue delay and in any event within one month of receipt. Where necessary, taking into account the complexity and number of requests, this period may be extended by a further two months; we will inform you of any such extension, and of the reasons for it, within one month of receiving your request.
10 Security of Personal Data
The Controller has implemented appropriate technical and organisational measures to protect personal data, including:
- encrypted data transmission (HTTPS/TLS),
- password hashing using the Argon2id algorithm,
- session tokens stored exclusively as SHA-256 hashes (the token itself is held only by the client),
- HttpOnly, Secure, and SameSite cookies,
- Content Security Policy (CSP) with nonce-based allow-listing of inline scripts,
- HSTS, X-Content-Type-Options, X-Frame-Options,
- rate limiting on authentication endpoints,
- access to personal data limited to authorised persons,
- logically separated customer (tenant) data within the multi-tenant architecture,
- regular security reviews.
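The measures above are standard web-application controls. As an added illustration only, and not code from the Vesna Platform or Kaiser Quarry Studios, the following Python shows four of them together: a session token that is issued to the client but persisted only as its SHA-256 digest (so a leaked session table yields no usable tokens), a Set-Cookie value carrying HttpOnly, Secure and SameSite, a per-response CSP nonce alongside the static hardening headers, and a sliding-window limiter for login attempts. Argon2id password hashing is left out because it needs a third-party library; the in-memory session table, the cookie name `vesna_session`, the limiter thresholds and the exact header values are assumptions.

```python
import hashlib
import secrets
import time
from http import cookies

# Constructed in-memory stand-ins for the Platform's session table and the
# rate-limit counters (hypothetical; the real storage is not described).
SESSION_STORE = {}
AUTH_ATTEMPTS = {}


def _digest(token: str) -> str:
    """SHA-256 of the bearer token; this is the only form that gets persisted."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_session(user_id: str, org_id: str, role: str) -> str:
    """Create a session: a 256-bit random token is returned to the client,
    while the store keeps only its digest plus the active organisation and role."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[_digest(token)] = {"user": user_id, "org": org_id, "role": role}
    return token


def lookup_session(token: str):
    """Resolve a presented token; None for unknown or revoked tokens."""
    return SESSION_STORE.get(_digest(token))


def revoke_session(token: str) -> bool:
    """Drop the digest so the client-held token stops working immediately."""
    return SESSION_STORE.pop(_digest(token), None) is not None


def session_cookie(token: str, name: str = "vesna_session") -> str:
    """Set-Cookie value with HttpOnly, Secure and SameSite set (cookie name assumed)."""
    jar = cookies.SimpleCookie()
    jar[name] = token
    morsel = jar[name]
    morsel["httponly"] = True   # not readable from JavaScript
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    return morsel.OutputString()


def security_headers():
    """Per-response headers: a fresh CSP nonce plus the static hardening headers.
    Returns (nonce, headers); the nonce must be copied onto every inline <script>."""
    nonce = secrets.token_urlsafe(16)
    headers = {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }
    return nonce, headers


def auth_attempt_allowed(client_key: str, limit: int = 5, window: int = 300, now=None) -> bool:
    """Sliding-window limiter: at most `limit` login attempts per `client_key`
    (e.g. source IP or account) within `window` seconds. Thresholds are assumed."""
    now = time.time() if now is None else now
    recent = [t for t in AUTH_ATTEMPTS.get(client_key, []) if now - t < window]
    if len(recent) >= limit:
        AUTH_ATTEMPTS[client_key] = recent
        return False
    recent.append(now)
    AUTH_ATTEMPTS[client_key] = recent
    return True


if __name__ == "__main__":
    tok = issue_session("user-1", "org-a", "admin")
    print("stored digest only:", tok not in SESSION_STORE)
    print(session_cookie(tok))
    nonce, hdrs = security_headers()
    print(hdrs["Content-Security-Policy"])
    print("attempts allowed:", [auth_attempt_allowed("203.0.113.9") for _ in range(6)])
```

Only the digest is ever written to the store, so a database dump or a backup leak does not contain anything a client could present; revocation is a single delete keyed by the same digest. The limiter is keyed by whatever identifier the caller chooses, so it can be applied per source address and per account independently.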
11 Automated Decision-Making and Profiling
The Controller does not carry out automated decision-making or profiling within the meaning of Art. 22 GDPR.
12 Changes to this Policy
The Controller reserves the right to update this Policy. We will inform you of material changes through the Website, or by email for registered customers. We recommend reviewing this Policy regularly.
This Policy takes effect on [DATE].