Privacy Policy

 

I. Basic Provisions

  • The controller of personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – “GDPR”) is Ember Vale, registered office at Lužická 32, 120 00 Prague, Czech Republic, ID: 035816141, registered in the Commercial Register maintained by the Office of Municipal District of Prague, address: náměstí Míru 20/600, 120 39 Prague (hereinafter referred to as the “Controller”).
  • The Controller can be contacted at:
    ivet@inbox.embervale.org
  • These Privacy Principles apply to the processing of personal data of customers and website visitors from the Czech Republic, the European Union, and also from non-EU countries, in connection with the purchase of digital products and related services provided by Ember Vale. 
  • The Controller has not appointed a Data Protection Officer.

II. Sources and Categories of Processed Personal Data

  • The Controller processes personal data provided by the Customer or collected by the Controller in the course of fulfilling the Customer’s order. 
  • The Controller processes identification and contact data, payment information, and data necessary for the performance of the contract.

III. Legal Basis and Purpose of Personal Data Processing

  • The legal basis for the processing of personal data is:
    performance of a contract between the Customer and the Controller (Article 6(1)(b) GDPR); legitimate interest of the Controller in providing direct marketing and customer communication (Article 6(1)(f) GDPR); consent of the Customer for the purpose of receiving marketing communications (Article 6(1)(a) GDPR in conjunction with Act No. 480/2004 Coll. on Information Society Services).
  • The purposes of processing personal data include:
    fulfilment of the Customer’s order and related obligations; communication with the Customer and management of customer accounts; sending of commercial communications and newsletters (only with consent or within legitimate interest).
  • For customers outside the European Union, the Controller also processes personal data based on its legitimate interest in maintaining international business relationships and providing digital products and related services globally. The Controller does not use automated decision-making or profiling within the meaning of Article 22 GDPR.

IV. Period of Personal Data Retention 

  • The Controller retains personal data:
    for the period necessary to perform rights and obligations arising from the contractual relationship (usually up to 15 years after its termination); for the period necessary to comply with legal obligations; or until the consent for processing (for marketing purposes) is withdrawn, but not longer than 5 years from its grant. 
  • After the retention period expires, personal data will be securely deleted. 

V. Recipients and Transfers of Personal Data 

  • Personal data may be shared with third parties who assist the Controller in fulfilling contractual or legal obligations, such as:
    providers of payment and billing services (e.g. Stripe, PayPal); hosting and mailing service providers (e.g. Google Workspace, MailerLite, ActiveCampaign); marketing and analytics service providers (e.g. Meta, Google Analytics); IT and cloud service providers. 
  • In some cases, personal data may be transferred outside the European Union. In such cases, the Controller ensures an adequate level of data protection in accordance with Chapter V of the GDPR, specifically through:
    Standard Contractual Clauses (SCCs) approved by the European Commission; or a valid adequacy decision confirming that the country ensures an appropriate level of data protection. 
  • Transfers outside the EU may include providers located in the United States or other countries where major mailing, payment, or cloud platforms operate. 

VI. Customer Rights 

  • Under the GDPR, you have the following rights:
  • right of access to your personal data (Article 15 GDPR); 
  • right to rectification of inaccurate data (Article 16 GDPR); 
  • right to erasure (“right to be forgotten”) (Article 17 GDPR); 
  • right to restriction of processing (Article 18 GDPR);
  • right to data portability (Article 20 GDPR); 
  • right to object to processing (Article 21 GDPR); 
  • right to withdraw consent to processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

Customers outside the European Union are granted these rights to the extent permitted by the laws of their country, always in line with the data protection principles based on the GDPR.

If you believe that your rights have been violated, you have the right to lodge a complaint with the Office for Personal Data Protection of the Czech Republic (www.uoou.cz).

VII. Security of Personal Data 

  • The Controller declares that it has adopted all appropriate technical and organisational measures to ensure the protection of personal data. 
  • The Controller uses secure data storage systems, encrypted connections (SSL), and password-protected environments for data access. 
  • Only authorised persons who are bound by confidentiality obligations have access to personal data.

VIII. Final Provisions

  • By submitting an order via the online order form, the Customer confirms that they have read this Privacy Policy and agree to its terms in full. 
  • The Controller may update this Privacy Policy from time to time. The new version will be published on the Website and, where applicable, communicated to the Customer by email. 
  • These Privacy Principles are published in English for international customers. A Czech version is available on request, and in case of discrepancies between the two, the Czech version shall prevail. 

Effective date: 1 November 2025