Privacy Policy
What we collect, why, and your choices.
udalist.app
Effective date: 15 May 2026
1. Introduction
This Privacy Policy (hereinafter the "Policy") describes which personal data the Operator processes in connection with the operation of the web application udalist.app available at https://udalist.app/ (hereinafter the "Service"), for which purposes, on what legal basis, for how long it retains them, to whom it transfers them, and what rights you have as a data subject.
The Policy is drawn up in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data (hereinafter the "GDPR"), and with Act No. 110/2019 Coll., on the processing of personal data.
Terms that begin with a capital letter and are not defined in the Policy have the meaning set out in the General Terms and Conditions of the Service (hereinafter the "GTC").
2. Controller of personal data
The controller of personal data within the meaning of Article 4(7) of the GDPR is the Operator of the Service:
BHPS Labs s.r.o.
Company ID (IČO): 29574668
Registered office: Klínová 620/1, Hulváky, 709 00 Ostrava
Registered in the Commercial Register maintained by the Regional Court in Ostrava, Section B, Insert 103978
E-mail: info@udalist.app
The Operator has not appointed a Data Protection Officer (DPO), as it is not required to do so under Article 37 of the GDPR. For all matters concerning the processing of personal data, you may contact info@udalist.app.
3. The Operator's role in the processing of personal data
The Operator acts in two different roles depending on the data and purpose concerned:
3.1 The Operator as controller
The Operator is the controller of personal data in particular in relation to:
- data on user accounts (registration, sign-in, account management),
- payment and billing data,
- communication between the User or Guest and the Operator,
- technical, operational, and security logs,
- data related to the fulfilment of the Operator's legal obligations.
The Operator is not the controller of personal data contained in Content uploaded to Events; in this scope it acts solely as a processor on behalf of the Organizer (see Article 3.2).
The processing of data for which the Operator is the controller is governed by this Policy.
3.2 Event Content — the Organizer as the sole controller
In relation to personal data contained in photographs and other Content uploaded to Events (in particular the likeness and other identifying features of natural persons captured in the photographs), the Organizer is always and exclusively the controller and the Operator is the processor within the meaning of Article 28 of the GDPR.
This means that:
- The Organizer is responsible for the lawful basis for the processing (consent of the photographed persons or another basis under Article 6 of the GDPR), for fulfilling the information obligation towards these persons, and for handling their requests to exercise data subject rights.
- The Operator processes this data exclusively in accordance with the Organizer's instructions and to the extent necessary for providing the Service.
- The terms of this processing are governed by this Policy and the GTC; by agreeing to the GTC, the Organizer instructs the Operator to process data to the extent of the Service. The Operator does not conclude a separate data processing agreement with the Organizer. The technical processors engaged by the Operator for the operation of the Service are listed in the List of personal data processors.
Guests who upload Content to an Event act within the Organizer's instructions; the Organizer is responsible for their contributions as the controller.
4. What data we process, for what purpose, and on what legal basis
| Purpose of processing | Category of personal data | Legal basis (Art. 6 GDPR) | Retention period |
|---|---|---|---|
| Creation and management of a user account | e-mail address, password (hash), date of registration, language and user preferences | Art. 6(1)(b) – performance of a contract (GTC) | for the duration of the account + 30 days after its termination |
| Operation of the Service and provision of functions (Events, QR codes, uploading and downloading Content) | account identifier, Event data, IP address, technical metadata, session identifiers | Art. 6(1)(b) – performance of a contract | for the duration of the account + 30 days after its termination; for an Event under GTC Art. 9.1 – Free Event: 2 days of uploading + at the latest 37 days after uploading is locked; Premium Event: 7 days of uploading + at the latest 120 days after uploading is locked |
| Guest access via QR code | session identifier, IP address, user-agent, time stamps, possibly uploaded Content | Art. 6(1)(b) – performance of a contract (consent to the GTC before first use) | for the duration of the Event under GTC Art. 9.1 – Free Event: 2 days of uploading + at the latest 37 days after uploading is locked; Premium Event: 7 days of uploading + at the latest 120 days after uploading is locked |
| Processing of payments for a Premium Event | name, e-mail, billing address, payment data (amount, date, transaction identifier) – the Operator does not retain payment cards | Art. 6(1)(b) – performance of a contract | for the duration of performance + according to statutory periods (see tax documents) |
| Issuance and archiving of tax documents | billing and identification data | Art. 6(1)(c) – compliance with a legal obligation (Act No. 235/2004 Coll. on VAT, Act No. 563/1991 Coll. on accounting) | 10 years from the end of the tax period |
| Communication with the User or Guest (support, complaints, notices under Art. 8 of the GTC) | e-mail, name, content of communication | Art. 6(1)(b) – performance of a contract, or Art. 6(1)(f) – legitimate interest in resolving queries and complaints | at the latest 3 years from the end of the communication |
| Sending service and transactional e-mails (registration confirmation, deletion notices, tax documents) | e-mail address, name | Art. 6(1)(b) – performance of a contract | for the duration of the account |
| Ensuring the security of the Service, preventing misuse and fraud, debugging errors | IP address, user-agent, access logs, technical metadata about errors | Art. 6(1)(f) – legitimate interest in the security and integrity of the Service | at the latest 12 months |
| Handling notices of illegal content (Notice and Action under the DSA) | identification and contact data of the notifier, description of the notice, related Content | Art. 6(1)(c) – compliance with a legal obligation (Regulation (EU) 2022/2065 – DSA, Act No. 480/2004 Coll.) | at the latest 3 years from the handling of the notice |
| Establishment or defence of legal claims | data necessary for conducting a dispute | Art. 6(1)(f) – legitimate interest | for the duration of the limitation period |
The purposes of processing may overlap, i.e. the same personal data may be used simultaneously for several purposes of processing. In that case the data are retained for the longest of the retention periods applicable to those purposes.
4.1 Special categories of data and children
The Operator does not knowingly process special categories of personal data (Art. 9 of the GDPR). If uploaded Content contains such data, responsibility for the lawfulness of its processing lies with the Organizer as the controller.
The Service may be used independently by persons over 15 years of age (Art. 1.4 of the GTC). The Operator does not knowingly process the data of children under 15 years of age without the consent of a legal guardian.
5. Recipients of personal data (processors)
For the purposes set out above, the Operator engages other processors (hosting, backups, e-mails, payments, error monitoring, etc.). The current list of processors, including the purpose of processing, registered office, and a link to their own policies, is available in the document List of personal data processors.
The Operator does not sell personal data to third parties and does not use it for targeted marketing purposes without the User's consent.
Personal data may further be transferred to public authorities to the extent required by generally binding legal regulations (e.g. courts, law enforcement authorities).
6. Transfer of personal data outside the EU/EEA
Some of the Operator's processors are based outside the EU/EEA (in particular the USA and the United Kingdom). The transfer takes place on the basis of:
- United Kingdom – the European Commission's adequacy decision of 28 June 2021,
- USA – Standard Contractual Clauses (SCC) adopted by the European Commission, or the EU–U.S. Data Privacy Framework, where the given processor is certified.
Details on the individual processors are set out in the document List of personal data processors.
7. Cookies and similar technologies
The Service uses cookies and similar technologies to the following extent. A detailed list of cookies, their purpose, and validity period is set out in a separate document Policy on the use of cookies and similar technologies.
7.1 Strictly necessary cookies
They serve to ensure the basic functionality of the Service (sign-in, maintaining the session, language preferences, completing registration via Google). Without them, the Service cannot function properly. These cookies are processed on the basis of Art. 6(1)(b) of the GDPR (performance of a contract), and consent for setting them is not required under Section 89(3) of Act No. 127/2005 Coll., on electronic communications.
7.2 Web analytics (Umami)
To measure traffic on the public website, we use Umami (data.udalist.app). We collect only aggregated visit data (page visited, referrer, time of visit, general browser/device type). We do not use names, e-mails, or profiling. Analytics runs in cookieless mode — for this purpose we do not set an analytics cookie and consent via a cookie banner is not required. The processing takes place on the basis of Art. 6(1)(f) of the GDPR (legitimate interest in understanding the use of the public part of the Service).
7.3 Error monitoring (Sentry)
To detect and fix technical errors, we use Sentry. It collects information about the error (stack trace), browser/OS type, and the URL of the page where the error occurred. It serves exclusively to maintain the reliability of the Service, not for marketing. The processing takes place on the basis of Art. 6(1)(f) of the GDPR (legitimate interest in the security and stability of the Service); for details see Art. 4, table "Ensuring the security of the Service, preventing misuse and fraud, debugging errors".
7.4 Third-party cookies — payments (Paddle)
To process payments and subscriptions, we use Paddle (Merchant of Record). Paddle loads only when a payment or subscription management is initiated and may store third-party cookies from its domains to complete the payment, prevent fraud, and maintain the checkout session. The processing of payment data takes place on the basis of Art. 6(1)(b) of the GDPR (performance of a contract). The Operator does not use marketing cookies or cookies for targeted advertising.
7.5 Browser settings
Cookie settings can be managed directly in the web browser (blocking, deleting). Restricting necessary cookies may affect the functionality of the Service (in particular sign-in).
8. Automated decision-making and profiling
The Operator does not carry out automated individual decision-making or profiling within the meaning of Article 22 of the GDPR that would have legal effects or similarly significantly affect the data subject.
9. Your rights as a data subject
In connection with the processing of your personal data by the Operator, you have the following rights:
- Right of access (Art. 15 of the GDPR) – to obtain confirmation as to whether we process your data and to obtain a copy of it.
- Right to rectification (Art. 16 of the GDPR) – to request the rectification of inaccurate data or the completion of incomplete data.
- Right to erasure ("right to be forgotten", Art. 17 of the GDPR) – to request erasure where the statutory conditions are met.
- Right to restriction of processing (Art. 18 of the GDPR).
- Right to data portability (Art. 20 of the GDPR) – to receive the data you have provided to us in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 of the GDPR) to processing based on legitimate interest.
- Right to withdraw consent – where the processing is based on consent, you may withdraw it at any time, without this affecting the lawfulness of the processing prior to withdrawal.
- Right to lodge a complaint with a supervisory authority, which in the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.gov.cz.
9.1 Exercising rights
A request can be sent electronically to [CONTACT E-MAIL]. The Operator will handle it without undue delay, at the latest within 1 month of receipt; this period may, if necessary, be extended by a further 2 months (Art. 12(3) of the GDPR), of which the Operator will inform the data subject.
Handling a request is generally free of charge. Only where requests are manifestly unfounded or excessive, in particular because they are repetitive, is the Operator entitled to charge a reasonable fee, or to refuse the request.
The Operator is entitled to request proof of identity in order to prevent the disclosure of data to an unauthorized person.
9.2 Rights vis-à-vis the Organizer
If your request concerns personal data contained in uploaded Content (in particular photographs capturing your person), exercise it primarily with the Organizer of the relevant Event, who is the controller in relation to the personal data processed in connection with that Event (see Art. 3.2). The Operator, as a processor, will forward such a request to the Organizer and provide the necessary cooperation.
10. Security of personal data
With regard to the nature, scope, and purpose of the processing, the Operator adopts appropriate technical and organizational measures to protect personal data, in particular:
- encryption of data transmission (TLS),
- encryption of sensitive fields in the database and encrypted backups,
- access control on the principle of least privilege,
- regular backups,
- monitoring of security incidents,
- a confidentiality commitment of persons who become acquainted with the data in the course of their activities.
In the event of a personal data breach, the Operator proceeds in accordance with Articles 33 and 34 of the GDPR: it notifies the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, and, where the breach is likely to result in a high risk to the rights and freedoms of data subjects, it informs the affected data subjects without undue delay.
11. Changes to the Policy
The Operator is entitled to update this Policy at any time, in particular in response to changes in legal regulations, technologies, or the operation of the Service. The User will be informed of material changes by e-mail or through the Service interface at least 30 days before they take effect. The current wording of the Policy is always available at the Service address.
12. Contact
In any matter concerning the protection of personal data, please contact:
BHPS Labs s.r.o.
Company ID (IČO): 29574668
Registered office: Klínová 620/1, Hulváky, 709 00 Ostrava
E-mail: info@udalist.app
This Policy takes effect on 15 May 2026.