I. Personal Data Protection
1.1 Consent to Terms
By browsing the website, subscribing to the newsletter, or using the contact or booking forms, the User confirms they understand, agree to, and fully accept these personal data protection terms.
1.2 Data Controller
The Provider is the data controller under Article 4(7) of Regulation (EU) 2016/679 (GDPR) and commits to processing personal data in accordance with applicable laws, particularly GDPR.
1.3 Definition of Personal Data
Personal data includes any information relating to an identified or identifiable individual, such as name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
1.4 Data Collection and Purpose
Personal data (e.g., name, address, contact details) collected via the newsletter, contact, or booking forms are necessary for processing bookings, responding to inquiries, and fulfilling contractual obligations between the Provider and the User. Data is also processed for sending commercial communications and marketing activities. The legal basis for processing is the performance of a contract (Art. 6(1)(b) GDPR), compliance with legal obligations (Art. 6(1)(c) GDPR), and the Provider’s legitimate interest (Art. 6(1)(f) GDPR), which includes processing for direct marketing.
1.5 Sub-processors
To fulfill the contract, the Provider uses sub-processors, such as mailing service and web hosting providers. Sub-processors are vetted for data processing security. The Provider and the web hosting sub-processor have entered into a data processing agreement, under which the sub-processor is responsible for securing the physical, hardware, and software perimeter and bears liability for any data breach or compromise.
1.6 Retention Period
Personal data is retained for the duration necessary to fulfill contractual rights and obligations and to assert claims arising from the contractual relationship (15 years from the termination of the contract). After this period, the data will be deleted.
1.7 User Rights
The User has the right to:
- Access their personal data (Art. 15 GDPR),
- Rectify their data (Art. 16 GDPR),
- Restrict processing (Art. 18 GDPR),
- Erasure of data (Art. 17(1)(a), (c)–(f) GDPR),
- Object to processing (Art. 21 GDPR),
- Data portability (Art. 20 GDPR).
1.8 Complaints
The User may lodge a complaint with the Czech Data Protection Authority if they believe their data protection rights have been violated.
1.9 Voluntary Provision of Data
Providing personal data is not mandatory but is necessary to conclude and fulfill the contract. Without providing the data, the contract cannot be concluded or performed by the Provider.
1.10 Automated Decision-Making
The Provider does not engage in automated individual decision-making under Art. 22 GDPR.
1.11 Marketing Consent
By completing the contact form, the User:
- Consents to the use of their personal data for sending commercial communications, advertisements, market research, and product offers from the Provider or third parties, up to once per week,
- Declares that such communications are not unsolicited advertising under Act No. 40/1995 Coll. and Section 7 of Act No. 480/2004 Coll., as they expressly consent to receiving them,
- May withdraw this consent at any time in writing to info@kokowa.io.
1.12 Cookies
The Provider uses cookies to improve services, personalize offers, collect anonymous data, and for analytical purposes. By using the website, the User consents to this technology.
II. Rights and Obligations Between Controller and Processor
2.1 Role of the Provider
The Provider acts as a data processor under Art. 28 GDPR for the User’s clients’ personal data, while the User is the data controller.
2.2 Scope of Processing
These terms govern the rights and obligations regarding the processing of personal data accessed by the Provider under the license agreement concluded by accepting the general terms and conditions on www.kokowa.io upon creating a user account.
2.3 Provider’s Obligations
The Provider commits to processing data within the scope and purpose outlined in Articles 2.4–2.7. Processing is automated (collection, storage, retention, blocking, deletion). Processing beyond these terms is not permitted.
2.4 Scope of Data
The Provider processes:
- Standard personal data,
- Special categories of data under Art. 9 GDPR obtained by the User in connection with their business activities.
2.5 Purpose of Processing
Data is processed for marketing offers via newsletters, handling inquiries, bookings, and managing discount or credit systems.
2.6 Place of Processing
Processing occurs at the Provider’s or its sub-processors’ premises within the EU.
2.7 Processing Duration
Data is processed for the duration necessary to fulfill contractual rights and obligations and assert claims (15 years from the termination of the contractual relationship).
2.8 Sub-processors
The User consents to the involvement of the web hosting provider for kokowa.io as a sub-processor under Art. 28(2) GDPR. The Provider may engage additional sub-processors, provided it informs the User in writing of any intended changes and allows the User to object. Sub-processors are subject to the same data protection obligations as the Provider.
2.9 Processing Security
The Provider ensures:
- Processing complies with legal requirements and the User’s instructions,
- Technical and organizational measures to prevent unauthorized access, alteration, loss, or misuse of data,
- Measures proportionate to the risk level, ensuring confidentiality, integrity, and availability of systems,
- Internal security regulations,
- Access to data only by authorized persons with unique identifiers,
- Confidentiality obligations for authorized persons, which persist after their relationship with the Provider ends,
- Assistance to the User in meeting GDPR obligations (Art. 32–36),
- Deletion or return of data upon termination of processing, unless required by law to retain it,
- Provision of information and facilitation of audits by the User or their appointed auditor.
2.10 User Obligations
The User commits to promptly report any facts that could adversely affect compliance with these terms and to provide the Provider with necessary cooperation.
III. Final Provisions
3.1 Validity of Terms
These terms cease to be valid upon the expiry of the periods specified in Articles 1.6 and 2.7.
3.2 User Consent
The User agrees to these terms by checking the consent box in the online form, confirming they have read, understood, and accepted them.
3.3 Amendments to Terms
The Provider may amend these terms. The new version will be published on the website or sent to the User’s email.
3.4 Contact
Provider’s contact details: info@kokowa.io.
3.5 Governing Law
Matters not covered by these terms are governed by GDPR and Czech law, particularly Act No. 89/2012 Coll., the Civil Code.
These terms are effective as of 15 May 2018.