Privacy Policy

1. Data controller

The controller of personal data is:

• Webilio
• Vážany 64
• 68737 Vážany
• Czech Republic
• Tel.: +420 775 257 643
• E-mail: info@webilio.cz
• Company ID (IČO): 23612819

2. What data we process

The scope of personal data we process depends on the information the user fills in the reservation form and on the service the user books.

3. Purposes of processing and legal bases

4. Recipients of personal data

Personal data may be disclosed only to persons who need them to operate the service, in particular:

• IT and hosting providers,
• the operator of the reservation system,
• e-mail and SMS service providers,
• an accountant or tax adviser (where relevant),
• public authorities, where required by law.

Where required by law, we conclude data processing agreements with our processors.

5. Retention period

• Reservation data is retained for the time needed to provide the service and handle any complaints.
• Accounting and tax records are retained for the period set by applicable law.
• Marketing data is retained for the duration of the consent or until an objection / unsubscribe is received.

6. Cookies and similar technologies

If the website uses cookies, an overview of their purposes (essential, analytics, marketing) and the way consent is managed is provided in a dedicated cookie banner. If cookies are not used in a given context, this section does not apply.

7. Your rights

You have the right to:

• access your personal data,
• have inaccurate data corrected,
• have data erased (in cases set out by GDPR),
• restrict the processing,
• data portability,
• object to the processing,
• withdraw consent at any time (where the processing is based on consent).

8. How to exercise your rights and where to complain

You can send your requests by e-mail to info@webilio.cz. We will respond without undue delay, no later than within the period set by applicable law.

If you believe we process your personal data in breach of applicable law, you may file a complaint with the supervisory authority — in the Czech Republic the Office for Personal Data Protection (ÚOOÚ).

9. International transfers

Where we use providers outside the EU/EEA, we ensure an adequate level of protection (e.g. Standard Contractual Clauses). If no such transfer takes place, this is stated explicitly.

10. Security of personal data and protection of sensitive data

We apply technical and organisational measures appropriate to the risks involved to protect personal data — including sensitive data (such as login credentials, third-party OAuth tokens, customer contact details and reservation data) — against unauthorised access, loss, alteration or disclosure.

In particular, we apply the following mechanisms:

• Encryption in transit: all communication between the user's browser, our server and third parties is conducted exclusively over HTTPS / TLS 1.2+.
• Encryption at rest: the database and object storage operated by our providers (Supabase / PostgreSQL, Google Cloud Storage) are encrypted at the storage layer (AES-256).
• Password hashing: user passwords are stored only as one-way salted hashes (bcrypt / scrypt). Plaintext passwords are never stored or logged.
• Third-party OAuth tokens (Google, e-mail gateways, etc.) are stored in our secured database with strict access control, used exclusively server-side and never exposed to the user's browser.
• Access control: administration access is protected by HTTP-only, Secure, SameSite cookies and role-based permissions. Production data is accessible to a limited group of authorised people only.
• Tenant isolation: data of each customer (company) is logically separated using a tenant ID so that other tenants cannot access it.
• Input validation and sanitisation: all inputs are validated on the server to prevent SQL injection, XSS and similar attacks.
• Data minimisation: we process only the data necessary for the given purpose. We do not store the content of payment cards ourselves — payment data is processed by certified payment service providers.
• Logging and monitoring: access and error states are logged to the extent necessary for operations and security audit; logs do not contain passwords or tokens in plain form.
• Backups: regular automated database backups enabling recovery in the event of an incident.
• Patching and hardening: continuous security updates of the server software and libraries, monitoring of security advisories for dependencies.
• Incident response: in case of a suspected security incident we follow an internal procedure and, in cases set out by law, notify the supervisory authority and the data subjects concerned.

If you discover any vulnerability or suspect misuse of your data, please report it to info@webilio.cz.

11. AI integration

For the in-app help chat feature we use a third-party AI service provided by OpenAI (OpenAI, L.L.C., USA), specifically a model from the GPT family accessed through the api.openai.com API. We do not develop or operate our own AI model.

• What data is sent: only the message the user types into the help chat plus minimal context needed for the answer (such as the name of the current page in the application). Customer reservation data, passwords, payment data and OAuth tokens are not sent to the AI service.
• Purpose: generating answers to user questions about how to use the application.
• Legal basis: legitimate interest in providing user support, or performance of the contract for the use of the application.
• OpenAI processing: in accordance with OpenAI's API data usage policies, data sent through the API is, by default, not used to train OpenAI's models. More information: openai.com/policies/privacy-policy.
• International transfer: OpenAI is based in the USA — the transfer is performed on the basis of Standard Contractual Clauses (SCC).
• Opt-out: users who do not wish to use the AI help chat can simply not use it — the application is fully functional without it.

12. Google API integration (Google Calendar)

The application optionally integrates with the Google Calendar API to create, update and delete calendar events corresponding to reservations in the Google Calendar of the user who activates the integration.

• Requested scope: https://www.googleapis.com/auth/calendar.events — exclusively for managing events created by our application.
• Use of Google user data: the access is used only to create, update or delete a calendar event corresponding to a specific reservation. We do not read any other data from the Google account.
• Storage of OAuth tokens: the Google access token and refresh token are stored in our secured database (encrypted storage, strict access control — see section 10) and used exclusively server-side.
• Revoking access: the integration can be disconnected at any time in the application settings or directly in the Google account at myaccount.google.com/permissions. After disconnection we delete the stored tokens.
• Limited Use / Google API Services User Data Policy: our use of data obtained through Google APIs, including Google Calendar API, complies with the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer Google user data to third parties, do not use it for advertising, do not allow humans to read it (except where necessary for security purposes, to comply with applicable law, or where the user has provided explicit consent), and we do not use Google user data to develop, improve or train generalised or non-personalised AI / ML models.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is always available on this page. Effective date: [insert date].

14. Related documents

The terms of use of the reservation form are available at: Terms and Rules of Use.