Privacy Policy

Last Updated: 8 December 2025

CURLO ("we," "our," or "us") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you visit our website and use our services, in compliance with the General Data Protection Regulation (GDPR) and Czech Republic data protection laws.

1. Data Controller Information

CURLO is the data controller responsible for your personal data. If you have any questions about this privacy policy or our data practices, please contact us at:

Email: privacy@curlo.com
Address: [Your Business Address in Czech Republic]

2. Information We Collect

2.1 Information You Provide to Us

When you use our contact form to request a quote or inquire about products, we collect:

  • First name and last name
  • Company name
  • Email address
  • Phone number (optional)
  • Business type (e.g., Restaurant, Office, Retail, Healthcare, Education, Events)
  • Product interest and estimated quantity
  • Project details and custom messages

2.2 Automatically Collected Information

We automatically collect certain technical information when you visit our website:

  • Browser type and version
  • Operating system
  • IP address (anonymized)
  • Session information via cookies (see our Cookie Policy)
  • Pages visited and time spent on pages

2.3 Third-Party Services

We use the following third-party services that may collect limited data:

  • Neon Database: Secure storage of contact inquiries and business data (PostgreSQL database hosted in EU)
  • Cloudinary: Image hosting and optimization for product images
  • Vercel: Website hosting and content delivery network
  • Google Fonts: Typography services (may collect minimal usage data)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data under the following legal bases:

  • Consent (Art. 6(1)(a)): When you submit the contact form, you consent to us processing your data to respond to your inquiry
  • Legitimate Interest (Art. 6(1)(f)): To improve our website, analyze business trends, and prevent fraud
  • Contractual Necessity (Art. 6(1)(b)): To fulfill quote requests and provide the services you request

4. How We Use Your Information

We use your personal data for the following purposes:

  • Responding to your quote requests and business inquiries
  • Providing information about our products and services
  • Communicating with you about your orders or projects
  • Improving our website and user experience
  • Complying with legal obligations
  • Detecting and preventing fraud or security issues

5. Data Storage and Security

5.1 Data Storage Location

Your data is stored securely on servers located within the European Union to comply with GDPR data localization requirements. We use industry-standard encryption (TLS/SSL) to protect data in transit and at rest.

5.2 Security Measures

  • Encrypted database connections
  • Password hashing with bcrypt (12 rounds)
  • Secure session management with JWT tokens
  • Regular security audits and updates
  • Access controls for administrative functions

5.3 Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this policy:

  • Contact inquiries: Retained for 2 years from the date of last contact
  • Admin user data: Retained for the duration of employment/contract plus 1 year
  • Technical logs: Retained for 90 days for security and troubleshooting purposes

After these periods, your data will be securely deleted or anonymized unless we are legally required to retain it longer.

6. Your Rights Under GDPR

As a data subject in the European Union and Czech Republic, you have the following rights:

Right to Access (Art. 15)

You can request a copy of the personal data we hold about you.

Right to Rectification (Art. 16)

You can request correction of inaccurate or incomplete personal data.

Right to Erasure / "Right to be Forgotten" (Art. 17)

You can request deletion of your personal data in certain circumstances.

Right to Restriction of Processing (Art. 18)

You can request that we limit how we use your personal data.

Right to Data Portability (Art. 20)

You can request to receive your data in a structured, machine-readable format.

Right to Object (Art. 21)

You can object to processing based on legitimate interests or for direct marketing.

Right to Withdraw Consent (Art. 7(3))

You can withdraw your consent at any time where processing is based on consent.

To exercise any of these rights, please contact us at: privacy@curlo.com

We will respond to your request within 30 days as required by GDPR.

7. Data Sharing and Transfers

7.1 Third-Party Sharing

We do not sell, rent, or trade your personal data to third parties. We only share your data with:

  • Service providers necessary to operate our website (Neon, Cloudinary, Vercel)
  • Legal authorities when required by law or to protect our rights
  • Business successors in the event of a merger or acquisition (with notice to you)

7.2 International Transfers

All data is primarily stored within the EU. If any data is transferred outside the EU, we ensure adequate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Your explicit consent for the transfer

8. Cookies and Tracking

Our website uses cookies to provide essential functionality. For detailed information about our use of cookies, please see our Cookie Policy.

9. Children's Privacy

Our services are intended for businesses and individuals over the age of 18. We do not knowingly collect personal data from children under 16 (or the applicable age of consent in your country). If we discover that we have collected data from a child, we will delete it promptly.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (Úřad pro ochranu osobních údajů - ÚOOÚ in the Czech Republic) within 72 hours as required by GDPR Article 33.

11. Supervisory Authority

You have the right to lodge a complaint with the Czech data protection authority:

Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Phone: +420 234 665 111
Email: posta@uoou.cz
Website: www.uoou.cz

12. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

  • Updating the "Last Updated" date at the top of this policy
  • Posting a notice on our website homepage
  • Sending an email notification (if we have your email address)

We encourage you to review this policy periodically to stay informed about how we protect your data.

13. Contact Information

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

CURLO Data Protection Officer
Email: privacy@curlo.com
Address: [Your Business Address in Czech Republic]
Phone: [Your Contact Number]