Privacy policy
and Personal Data Processing
in accordance with EU Regulation 2016/679 (GDPR)
Effective date: April 10, 2026 | Version 1.0
in accordance with EU Regulation 2016/679 (GDPR)
Effective date: April 10, 2026 | Version 1.0
Data Controller
Volodymyr Dzhevaha
Company No. (ICO)
22552847
Data Protection Contact
Volodymyr Dzhevaha
Email
volodymyr@dzhevaha.design
Applicable law
EU Regulation 2016/679 (GDPR); Act No. 110/2019 Coll. (Czech Republic)
Supervisory authority
Office for Personal Data Protection (UOOU), www.uoou.cz
1. GENERAL PROVISIONS
1.1. This Privacy and Personal Data Processing Policy (hereinafter the "Policy") defines the procedures for collecting, processing, storing and protecting personal data of individuals (hereinafter "Data Subjects") in connection with the activities of Dzhevaha Design Studio (hereinafter the "Company", "we").
1.2. The Company acts as the Data Controller within the meaning of EU Regulation 2016/679 (GDPR) and Act No. 110/2019 Coll. of the Czech Republic.
1.3. This Policy applies to all persons who interact with the Company: website visitors, Clients, prospective clients, business partners and counterparties.
1.4. By providing your personal data or using the Company's services, you confirm that you have read this Policy and agree to the terms of processing of your data.
1.2. The Company acts as the Data Controller within the meaning of EU Regulation 2016/679 (GDPR) and Act No. 110/2019 Coll. of the Czech Republic.
1.3. This Policy applies to all persons who interact with the Company: website visitors, Clients, prospective clients, business partners and counterparties.
1.4. By providing your personal data or using the Company's services, you confirm that you have read this Policy and agree to the terms of processing of your data.
2. PERSONAL DATA WE COLLECT
The Company collects the following categories of personal data:
Category
Specific data
Source
Identification
First name, last name, company name
Contact form, correspondence
Contact
Email, phone, messenger handles
Contact form, correspondence
Billing
Invoice details, VAT/company number
Directly from the client
Technical
IP address, cookies, browser type, OS
Automatically (website)
Project
Briefs, texts, images, project materials
Directly from the client
Communication
Content of emails, messages, comments
Email or messenger correspondence
2.1. The Company does not collect or process special categories of personal data (Art. 9 GDPR): racial or ethnic origin, political opinions, religious beliefs, health data, biometrics, etc.
2.2. The Company does not knowingly collect personal data of children under 16 years of age. If you become aware that a child has provided us with personal data without parental knowledge, please notify us.
2.2. The Company does not knowingly collect personal data of children under 16 years of age. If you become aware that a child has provided us with personal data without parental knowledge, please notify us.
3. PURPOSES AND LEGAL BASES FOR PROCESSING
Personal data are processed exclusively on lawful grounds in accordance with Art. 6 GDPR:
Purpose
Legal basis (Art. 6 GDPR)
Retention period
Contract conclusion and performance
Art. 6(1)(b) - performance of a contract
Duration of contract + 3 years
Invoicing and accounting
Art. 6(1)(c) - legal obligation
10 years (Czech legal requirement)
Service-related communication
Art. 6(1)(b) - performance of a contract
Duration of relationship + 1 year
Marketing email newsletters
Art. 6(1)(a) - consent of the data subject
Until consent is withdrawn
Website analytics (cookies)
Art. 6(1)(a) - consent of the data subject
Until consent withdrawn / 2 years
Protection of legitimate interests
Art. 6(1)(f) - legitimate interests
Until expiry of limitation period
4. DISCLOSURE TO THIRD PARTIES
4.1. The Company may share personal data with the following categories of recipients:
• cloud service and tool providers (Google Workspace, Notion, Figma, Webflow, etc.) - solely to the extent necessary for their service delivery;
• accounting and legal advisors - for the purpose of fulfilling legal obligations;
• payment systems - for transaction processing;
• subcontractors - for the performance of specific project tasks.
4.2. All recipients are required to comply with GDPR requirements. When engaging processors, the Company enters into Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR.
4.3. Transfer of personal data outside the EU/EEA is carried out only with appropriate safeguards in accordance with Art. 44–49 GDPR (Standard Contractual Clauses, adequacy decisions, etc.).
4.4. The Company does not sell or disclose personal data to third parties for commercial purposes.
• cloud service and tool providers (Google Workspace, Notion, Figma, Webflow, etc.) - solely to the extent necessary for their service delivery;
• accounting and legal advisors - for the purpose of fulfilling legal obligations;
• payment systems - for transaction processing;
• subcontractors - for the performance of specific project tasks.
4.2. All recipients are required to comply with GDPR requirements. When engaging processors, the Company enters into Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR.
4.3. Transfer of personal data outside the EU/EEA is carried out only with appropriate safeguards in accordance with Art. 44–49 GDPR (Standard Contractual Clauses, adequacy decisions, etc.).
4.4. The Company does not sell or disclose personal data to third parties for commercial purposes.
5. COOKIES AND TECHNICAL DATA
5.1. The Company's website uses cookies - small text files stored in the visitor's browser.
5.2. Types of cookies used:
• Strictly necessary (technical) cookies - enable basic website functionality. No consent required.
• Analytical cookies - collect anonymous visitor statistics to improve the website (Google Analytics or equivalent). Consent required.
• Marketing cookies - used to display relevant advertising. Consent required.
5.3. On the first visit to the website, a cookie banner is displayed allowing the visitor to select cookie categories. Consent may be withdrawn at any time via the website settings or the browser.
5.4. Session cookies are stored until the browser is closed. Persistent cookies are stored for a maximum of 2 (two) years.
5.2. Types of cookies used:
• Strictly necessary (technical) cookies - enable basic website functionality. No consent required.
• Analytical cookies - collect anonymous visitor statistics to improve the website (Google Analytics or equivalent). Consent required.
• Marketing cookies - used to display relevant advertising. Consent required.
5.3. On the first visit to the website, a cookie banner is displayed allowing the visitor to select cookie categories. Consent may be withdrawn at any time via the website settings or the browser.
5.4. Session cookies are stored until the browser is closed. Persistent cookies are stored for a maximum of 2 (two) years.
6. RIGHTS OF DATA SUBJECTS
Under GDPR (Art. 15–22) you have the following rights:
Right of access (Art. 15)
You may obtain information about what personal data we process, for what purpose and on what legal basis.
Right to rectification (Art. 16)
You may request correction of inaccurate or completion of incomplete personal data.
Right to erasure (Art. 17)
The "right to be forgotten" - you may request deletion of your data under the conditions provided by GDPR (e.g. where the basis for processing no longer exists).
Right to restriction (Art. 18)
You may request temporary suspension of processing of your data in certain cases.
Right to portability (Art. 20)
You may receive your data in a machine-readable format and transfer it to another controller.
Right to object (Art. 21)
You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent
Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the Office for Personal Data Protection (UOOU): www.uoou.cz
6.1. To exercise any of the above rights, please send a written request to: Stefanikova 1262/16,
326 00, Pilsen - Cernice. We will handle your request within 30 (thirty) calendar days in accordance with Art. 12 GDPR.
7.PERSONAL DATA SECURITY
7.1. The Company implements appropriate technical and organisational measures to protect personal data against unauthorised access, destruction, alteration or disclosure.
7.2. Security measures include:
• encryption of data in transit (SSL/TLS);
• restricted access to personal data - only for authorised staff and partners;
• regular software and security updates;
• Data Processing Agreements (DPAs) with all data processors.
7.3. In the event of a personal data breach that may pose a risk to the rights of data subjects, the Company notifies the supervisory authority (UOOU) within 72 hours and, where necessary, informs the affected data subjects in accordance with Art. 33–34 GDPR.
7.2. Security measures include:
• encryption of data in transit (SSL/TLS);
• restricted access to personal data - only for authorised staff and partners;
• regular software and security updates;
• Data Processing Agreements (DPAs) with all data processors.
7.3. In the event of a personal data breach that may pose a risk to the rights of data subjects, the Company notifies the supervisory authority (UOOU) within 72 hours and, where necessary, informs the affected data subjects in accordance with Art. 33–34 GDPR.
8. RETENTION PERIODS
8.1. Personal data are retained no longer than is necessary to fulfil the processing purpose or comply with legal obligations.
8.2. Upon expiry of the retention period, data are destroyed or anonymised.
8.3. Summary retention periods:
• data related to contract performance: 3 years after project completion;
• accounting and financial records: 10 years (Czech statutory requirement);
• marketing newsletter data: until consent is withdrawn;
• technical data (logs, cookies): up to 2 years;
• data processed for the protection of legitimate interests: until expiry of the limitation period.
8.2. Upon expiry of the retention period, data are destroyed or anonymised.
8.3. Summary retention periods:
• data related to contract performance: 3 years after project completion;
• accounting and financial records: 10 years (Czech statutory requirement);
• marketing newsletter data: until consent is withdrawn;
• technical data (logs, cookies): up to 2 years;
• data processed for the protection of legitimate interests: until expiry of the limitation period.
9. AUTOMATED DECISION-MAKING
9.1. The Company does not carry out automated decision-making (including profiling) that would produce legal effects or similarly significantly affect data subjects within the meaning of Art. 22 GDPR.
10. AMENDMENTS TO THE POLICY
10.1. The Company reserves the right to amend this Policy. A new version takes effect upon publication on the website. Where material changes are made, we will notify you by email or via the website.
10.2. We recommend that you periodically review the current version of the Policy on our website.
10.2. We recommend that you periodically review the current version of the Policy on our website.
11.CONTACT DETAILS
Data Controller
Volodymyr Dzhevaha
Registered address
Stefanikova 1262/16, 326 00, Pilsen - Cernice
Company No. (ICO)
22552847
Email for requests
volodymyr@dzhevaha.design
Supervisory authority
Úřad pro ochranu osobních údajů (UOOU)Pplk. Sochora 27170 00 Praha 7Czech Republic
UOOU website
www.uoou.cz
My contacts
Follow me on social media
