Privacy Policy for Partoska service
Last Change: Nov 25, 2025
I. General Provisions
1. This Privacy Policy explains how the Operator collects, uses, and protects personal data when Users use the Partoska service for sharing media from events (hereinafter referred to as "Privacy Policy").
2. This Privacy Policy is an integral and binding part of the Terms and Conditions for the provision of Partoska service for sharing media from events.
3. Capitalized terms and definitions used in this Privacy Policy but not defined herein shall have the meaning ascribed to them in the Terms and Conditions for the provision of Partoska service for sharing media from events (the "Terms").
II. Data Controller
1. The data controller responsible for the User's personal data is Fabrika Charvát s.r.o., ID No.: 23435526, with registered office at Příčná 1892/4, 110 00 Praha, registered in the Commercial Register maintained by the Municipal Court at Prague under file No. C 426255 (hereinafter referred to as "Operator").
2. The data controller is the entity that determines the purposes and means of processing personal data, i.e., the entity that decides why and how personal data is processed.
3. For privacy-related inquiries or questions not addressed in this document, the User may contact the Operator:
- a. At Fabrika Charvát s.r.o., Příčná 1892/4, 110 00 Praha, Czech Republic;
- b. Through the contact form or support features available in the Platform user interface.
III. Information Collected
1. The Operator collects and processes the following categories of personal data:
- a. User Account Information. To set up a User Account on the Platform, the Operator requires the User's name and email address. If the User chooses to register using OAuth authentication, the Operator also collects authentication data necessary to verify the User's identity. Through account settings, the User may voluntarily provide additional information such as profile preferences and notification settings.
- b. User Content and Event Data. When the User uses the Services, the Operator collects and stores User Content that the User uploads to the Platform, including media files (photos and videos), Event information (Event names, descriptions, dates), and settings the User configures for Events (such as privacy settings, access restrictions, and sharing preferences). For Event Organizers, the Operator also collects Event management data. For Event Guests, the Operator collects participation information related to the Events they access.
- c. Device and Technical Information. The Operator automatically collects certain technical information when the User uses the Platform, including IP address, browser type and version, operating system type and version, device identifiers, and referring website. If the User uses mobile applications or a Progressive Web Application (PWA), the Operator may also obtain information about how the User uses the Services on their device.
- d. Usage Data. Each time the User uses the Services, the Operator automatically records information regarding that use, including pages visited, features accessed, time spent on the Platform, interaction patterns, search queries, and other usage statistics. This data helps the Operator understand how Users interact with the Services and improve functionality.
- e. Communication Data. The Operator collects personal data when the User communicates with the Operator, whether via email, support forms, or other communication channels. This includes the User's name, contact details, the content of communications, and related metadata. The same applies when the User sends feedback about the Services.
- f. Analytics and Cookies Data. The Operator uses cookies and similar technologies to collect information about the User's use of the Platform. The Operator also uses third-party analytics services (such as PostHog) to understand usage patterns. Detailed information about cookies is available in the Cookie Policy.
2. The Operator may also obtain personal data from publicly available sources and from its own activities, primarily by evaluating and analyzing personal data obtained from the sources described above to improve the Services and ensure security.
3. Third-Party Information. Before providing the Operator with personal information (such as email or phone number) of a third party when creating Events or inviting Event Guests, the User shall ensure that such person has agreed to the sharing of their personal information and understands how their data will be processed by the Operator in accordance with this Privacy Policy.
IV. Third-Party Services
1. The Operator uses certain third-party services that process personal data when the User uses the Platform. Detailed information about each third-party service the Operator uses, the data they process, and how the User can control such processing is provided in the Appendices below.
2. The Operator may engage additional third-party services in the future to improve the Services or provide new functionality. If the Operator introduces new third-party services that process personal data, the Operator will update this Privacy Policy accordingly and notify Users as required by applicable law.
V. Legal Basis and Purposes of Processing
1. The Operator processes personal data based on the following legal grounds and for the following purposes:
- a. Performance of Contract. The Operator processes personal data to enable Users to access and use the Services, create and manage Events, upload and share User Content, participate in Events as an Event Guest, and generally make full use of the Platform's functionality. This processing is necessary for the Operator to fulfill its obligations under the Agreement.
- b. Legitimate Interest. The Operator processes personal data based on its legitimate interest to (i) manage, improve, develop, and optimize the Services by analyzing usage patterns and User behavior; (ii) monitor how the Services are used to ensure a high level of security and data protection; (iii) detect and prevent fraud, abuse, security incidents, and violations of the Terms; (iv) obtain feedback from Users on the operation of the Services; (v) notify Users of important changes to the Services, updates to the Terms, or other service-related communications; (vi) ensure the technical functionality and stability of the Platform; (vii) analyze and improve User experience and Service performance.
- c. Legal Obligation. The Operator processes personal data to comply with legal obligations imposed by applicable law, including obligations related to data protection, consumer protection, taxation, and responding to lawful requests from public authorities.
- d. Consent. In some cases, the Operator processes personal data based on the User's explicit consent. The specific purpose and scope of such processing is always clearly communicated to the User when consent is requested. The User may withdraw consent at any time, which will not affect the lawfulness of processing carried out before the withdrawal. This includes (i) processing for direct marketing purposes, including sending promotional communications via email or push notifications about new features, upgrade programs, or special offers; (ii) use of optional analytics and advertising cookies beyond those strictly necessary for the operation of the Platform; (iii) processing of location data for location-based features, if the User has enabled such functionality; (iv) any other processing activities for which the Operator explicitly requests consent.
VI. Data Retention
1. The Operator will process and retain personal data only for as long as is necessary to fulfill the purposes set out above or as long as is required by applicable legal requirements. The specific retention periods are:
- a. User Account Data. Personal data associated with a User Account is retained until the User deletes the account or until 3 years after the User's last activity on the Platform, whichever occurs first.
- b. User Content. Media files and other User Content uploaded to the Platform are retained until the User deletes them, until the Event expires, or until the User deletes the User Account. Event Organizers may configure automatic deletion policies for their Events.
- c. Event Data. Information about Events (including Event settings, participant lists, and metadata) is retained for the duration of the Event and for a reasonable period thereafter to allow Event Organizers to access historical data, but no longer than 3 years after Event completion or User Account deletion.
- d. Analytics and Usage Data. Analytics data collected through third-party services (such as PostHog) is typically retained for 26 months unless the User opts out of analytics tracking. Aggregated and anonymized analytics data may be retained indefinitely.
- e. Communication Records. Records of communications with Users (such as support inquiries or feedback) are retained for 3 years or until the User requests deletion, whichever is earlier.
- f. Cookies and Similar Technologies. Data collected through cookies and similar technologies is retained according to the periods specified in the Cookie Policy.
- g. Legal and Compliance Data. Where the Operator is required by law to retain certain data for specific periods (such as for tax or accounting purposes), such data will be retained for the legally mandated period.
2. After the applicable retention period expires, the Operator will securely delete or anonymize personal data so that it can no longer be associated with the User. Anonymized data may be retained for statistical and analytical purposes.
3. Where the Operator processes personal data based on legitimate interest, the processing will continue for as long as the legitimate interest persists. The User may object at any time to processing carried out on the basis of legitimate interest by contacting the Operator as specified in paragraph 3. of Section II of this Privacy Policy.
4. If the User objects to processing for direct marketing purposes (which includes profiling for marketing), the Operator will immediately cease processing personal data for such purposes upon receiving the objection.
VII. Information Sharing and Recipients
1. The Operator shares personal data with the following categories of recipients only to the extent necessary to provide the Services and fulfill its obligations:
- a. Service Providers and Processors. The Operator engages third-party service providers who process personal data on behalf of and under the instructions of the Operator, including (i) IT infrastructure and hosting service providers who maintain the servers and systems on which the Platform operates; (ii) cloud storage providers who store User Content and backup data; (iii) analytics service providers (such as PostHog) who help the Operator understand Platform usage; (iv) email service providers who facilitate service-related communications; (v) customer support and communication tools providers; (vi) security and fraud prevention service providers; (vii) payment processors (if and when Paid Services are offered). The Operator ensures that all such processors are bound by data processing agreements that require them to protect personal data in accordance with applicable data protection laws.
- b. Other Users. Depending on the privacy settings the User or the Event Organizer configures, certain personal data may be shared with other Users: (i) Event Organizers can see the names and email addresses of Event Guests who participate in their Events; (ii) Event Guests can see User Content shared within Events they have access to, according to the Event's privacy settings; (iii) if the User chooses to make User Content public, it may be accessible to any User or visitor to the Platform.
- c. Legal Authorities and Compliance. The Operator may be required by law to disclose personal data to public authorities, courts, law enforcement agencies, or other governmental entities without prior consent of the User. Such disclosure is made only to the extent required by applicable law, court orders, or other legal processes. This is the Operator's legal obligation and the Operator will comply with valid legal requests.
- d. Business Transfers. In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal data may be transferred to the successor entity or acquiring party. In such cases, the Operator will ensure that the recipient is bound by obligations consistent with this Privacy Policy.
2. International Data Transfers. The processing of personal data for the purposes described above may involve transferring it to countries outside the European Economic Area (EEA). When such transfers occur, the Operator ensures appropriate safeguards are in place:
- a. Where the European Commission has determined that the destination country provides an adequate level of data protection, the Operator relies on such adequacy decision.
- b. Where no adequacy decision exists, the Operator implements appropriate safeguards such as (i) Standard Contractual Clauses (SCCs) approved by the European Commission; (ii) Binding Corporate Rules (BCRs) where applicable; (iii) certification schemes or codes of conduct; (iv) other mechanisms recognized under applicable data protection law.
- c. The Operator expects international data transfers to be minimal and will use service providers located within the EEA whenever reasonably possible. Further details about specific transfers and safeguards can be provided upon request by contacting the Operator as specified in paragraph 3. of Section II of this Privacy Policy.
VIII. Data Security
1. The Operator takes the protection of personal data seriously and has implemented appropriate technical and organizational security measures to protect personal data from accidental loss, destruction, misuse, unauthorized access, alteration, disclosure, or damage. These measures include:
- a. Technical Measures: (i) Encryption of data in transit using industry-standard HTTPS/TLS protocols; (ii) encryption of sensitive data at rest in storage systems; (iii) secure authentication mechanisms, including support for OAuth and multi-factor authentication where available; (iv) regular security updates and patches to systems and infrastructure; (v) firewall protection and intrusion detection systems; (vi) secure backup systems with encryption and access controls; (vii) security monitoring and logging to detect potential security incidents.
- b. Organizational Measures: (i) Access controls ensuring that only authorized personnel can access personal data on a need-to-know basis; (ii) confidentiality obligations binding all employees and contractors who have access to personal data; (iii) data protection and security training for staff; (iv) regular security assessments and audits of systems and practices; (v) incident response procedures to handle security breaches promptly and effectively; (vi) data processing agreements with all processors requiring them to maintain appropriate security measures.
2. The Operator has entered into data processing agreements with all processors who process personal data on behalf of the Operator to ensure that personal data is adequately protected in accordance with applicable data protection law.
3. While the Operator implements industry-standard security measures to protect personal data, no method of transmission over the internet or electronic storage is completely secure. The Operator cannot guarantee absolute security, but continuously strives to improve security practices and respond promptly to any identified vulnerabilities.
4. The User also has a responsibility to protect personal data by maintaining the confidentiality of account credentials, using strong passwords, not sharing the account with others, and promptly notifying the Operator if unauthorized access to the account is suspected.
IX. User Rights
1. Under applicable data protection law (including the General Data Protection Regulation - GDPR), the User has the following rights regarding personal data, which can be exercised at any time during the processing of personal data:
- a. Right of Access. The User has the right to obtain confirmation of whether and what personal data the Operator is processing about the User, and to receive a copy of such personal data. The User also has the right to receive information about the purposes of processing, categories of data, recipients, retention periods, and other rights. The Operator may not be able to disclose information in a way that would compromise business secrets, security measures, or the rights and freedoms of others.
- b. Right to Rectification. If the User finds that personal data the Operator processes is inaccurate, incomplete, or outdated, the User has the right to request that the Operator correct and update it without undue delay.
- c. Right to Erasure ("Right to be Forgotten"). In certain circumstances, the User has the right to request the deletion of personal data. The Operator will comply with such requests unless (i) the processing is necessary for compliance with a legal obligation; (ii) the processing is necessary for the establishment, exercise, or defense of legal claims; (iii) there are other overriding legitimate grounds for retaining the data under applicable law. The User can delete the User Account and associated data through the Platform's user interface settings.
- d. Right to Restriction of Processing. In certain situations, the User has the right to request that the Operator restrict the processing of personal data, including when (i) the User contests the accuracy of the personal data (restriction applies for the period necessary to verify accuracy); (ii) the processing is unlawful and the User opposes erasure and requests restriction instead; (iii) the Operator no longer needs the personal data but the User requires it for legal claims; (iv) the User has objected to processing based on legitimate interest (restriction applies pending verification of whether the Operator's legitimate grounds override the User's). When processing is restricted, the Operator will only store the personal data and will not actively process it further without the User's consent, except for legal claims, protection of rights of others, or important public interest reasons. The Operator will inform the User before lifting any restriction.
- e. Right to Data Portability. The User has the right to receive personal data that the User has provided to the Operator in a structured, commonly used, and machine-readable format, and to transmit such data to another data controller. The User may also request that the Operator transmit the data directly to another controller where technically feasible. This right applies only where (i) the processing is based on the User's consent or on the performance of a contract; and (ii) the processing is carried out by automated means.
- f. Right to Object. The User has the right to object to processing of personal data where the legal basis for processing is legitimate interest (or that of a third party) or where processing is carried out for direct marketing purposes: (i) Objection based on legitimate interest: The User may object to processing based on legitimate interest at any time. If the User objects, the Operator will cease processing unless the Operator can demonstrate compelling legitimate grounds for continued processing that override the User's interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defense of legal claims. (ii) Objection to direct marketing: If the User objects to processing for direct marketing purposes (including profiling for such purposes), the Operator will immediately cease processing personal data for direct marketing without further consideration of whether there are other grounds for processing.
- g. Right to Withdraw Consent. Where the Operator processes personal data based on the User's consent, the User has the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. The User can manage consent preferences through account settings or by contacting the Operator.
- h. Right to Lodge a Complaint. If the User believes that the processing of personal data violates applicable data protection law, the User has the right to lodge a complaint with a supervisory authority. In the Czech Republic, the competent supervisory authority is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), available at www.uoou.cz. The User may also lodge a complaint with the supervisory authority in the User's country of residence, place of work, or place of the alleged infringement.
2. Exercising Rights. To exercise any of the rights described above, the User should contact the Operator using the contact information provided in paragraph 3. of Section II of this Privacy Policy. When submitting a request, the User should (a) clearly identify which right(s) the User wishes to exercise; (b) provide sufficient information to enable the Operator to verify the User's identity (the Operator may request additional proof of identity to prevent unauthorized access); (c) specify the scope and nature of the request as precisely as possible.
3. Response Time. The Operator will respond to requests without undue delay and in any event within one month of receiving the request. Where requests are complex or numerous, the Operator may extend this period by an additional two months, in which case the Operator will inform the User of the extension and the reasons for delay within one month of receiving the request.
4. No Fee. The User can exercise rights free of charge. However, if requests are manifestly unfounded or excessive (particularly because of their repetitive character), the Operator may either charge a reasonable fee taking into account administrative costs or refuse to act on the request.
X. Children's Privacy
1. The Services are not directed to or intended for use by children under the age of 18. The Operator does not knowingly collect personal data from children under 18 years of age.
2. If the Operator becomes aware that it has inadvertently collected personal data from a child under 18 without proper parental consent, the Operator will take prompt steps to delete such information from its systems.
3. If a parent or legal guardian believes that a child under the age of 18 has provided personal data to the Operator without consent, the parent or legal guardian should contact the Operator immediately using the contact information in paragraph 3. of Section II of this Privacy Policy so that the Operator can take appropriate action.
4. Event Organizers who create Events that may involve participation by children are responsible for ensuring that appropriate parental or guardian consent is obtained before any child's personal data is provided to the Operator through the Platform.
XI. Automated Decision-Making and Profiling
1. The Operator does not engage in automated decision-making (including profiling) that produces legal effects concerning Users or similarly significantly affects Users, except where:
- a. Such processing is necessary for entering into or performance of a contract between the User and the Operator;
- b. It is authorized by applicable law; or
- c. It is based on the User's explicit consent.
2. Where the Operator uses automated processing for purposes such as analyzing usage patterns to improve the Services or to provide personalized content recommendations, such processing does not produce legal effects or similarly significantly affect Users.
3. The Operator may use analytics tools to understand User behavior and improve the Services, but such analytics are used for aggregate analysis and Service improvement rather than for automated individual decision-making.
4. If the Operator implements any automated decision-making in the future that significantly affects Users, the Operator will provide Users with meaningful information about the logic involved and the significance and envisaged consequences of such processing, and ensure Users have the right to obtain human intervention, express their point of view, and contest the decision.
XII. Updates to This Privacy Policy
1. The Operator may modify or update this Privacy Policy from time to time to reflect changes in data processing practices, the Services, applicable legal requirements, or other operational, legal, or regulatory reasons.
2. When the Operator makes changes to this Privacy Policy, the Operator will:
- a. Update the "Last Change" date at the beginning of this document;
- b. Where changes are material and may significantly impact privacy rights of Users, notify Users through appropriate means such as (i) a prominent notice on the Platform; (ii) an email to the address associated with the User Account; (iii) a notification through the Platform user interface; (iv) other communication methods as appropriate.
3. If required by applicable law, the Operator will obtain consent before implementing changes that materially affect how personal data is processed.
4. Material changes to this Privacy Policy will take effect on the date specified in the notice provided to Users. Non-material changes (such as clarifications, corrections of typographical errors, or updates to contact information) may take effect immediately upon posting the updated Privacy Policy.
5. Users are encouraged to review this Privacy Policy periodically to stay informed about how the Operator collects, uses, and protects personal data.
6. Continued use of the Services after the effective date of any changes to this Privacy Policy constitutes acceptance of the revised Privacy Policy. If the User does not agree with the changes, the User should discontinue use of the Services and may exercise the right to erasure in accordance with paragraph 1. subparagraph c. of Section IX of this Privacy Policy.
XIII. Additional Information
1. Cookie Policy. This Privacy Policy should be read in conjunction with the Cookie Policy, which provides detailed information about the cookies and similar technologies used on the Platform.
2. Third-Party Links. The Platform may contain links to third-party websites, services, or applications that are not operated by the Operator. This Privacy Policy does not apply to such third-party services. The Operator is not responsible for the privacy practices of third parties, and Users are encouraged to review the privacy policies of any third-party services accessed through links on the Platform.
3. Data Protection Officer. Given the size and nature of operations, the Operator is not required to appoint a Data Protection Officer under applicable law. However, management is responsible for overseeing compliance with data protection obligations. For privacy-related inquiries, Users should contact the Operator as specified in paragraph 3. of Section II of this Privacy Policy.
4. Changes to Contact Information. If contact information changes, the Operator will update this Privacy Policy and, where appropriate, notify Users through the Platform.
XIV. Questions and Contact Information
1. If the User has any questions, concerns, or requests regarding this Privacy Policy, the Operator's data processing practices, or the exercise of rights, the User should contact the Operator:
- a. At Fabrika Charvát s.r.o., Příčná 1892/4, 110 00 Praha, Czech Republic;
- b. Through the contact form or support features available in the Platform user interface.
2. The Operator will make reasonable efforts to respond to inquiries promptly and thoroughly.
A. Appendix: PostHog Analytics
1. Service Provider. The Operator uses PostHog to understand how Users interact with the Platform and to improve the Services.
2. Data Processed. When the User uses the Platform, PostHog automatically collects and processes the following types of data:
- a. Usage data including pages visited, features used, buttons clicked, and user interactions with the Platform;
- b. Technical data including IP address (which may be anonymized), browser type and version, operating system, device type, screen resolution, and referring website;
- c. Session data including session duration, time spent on pages, and navigation patterns;
- d. Performance data including page load times and error events;
- e. Event data related to specific actions the User takes on the Platform (such as creating an Event, uploading User Content, or changing settings).
3. Purpose of Processing. PostHog processes this data on behalf of the Operator for the following purposes:
- a. To analyze how Users interact with the Platform and identify usage patterns;
- b. To measure the performance and effectiveness of Platform features;
- c. To identify technical issues, errors, and areas for improvement;
- d. To understand User behavior and optimize the user experience;
- e. To generate aggregated statistics and reports about Platform usage.
4. Legal Basis. The processing of data by PostHog is based on:
- a. The Operator's legitimate interest in improving the Services, understanding user behavior, and optimizing Platform performance; and
- b. The User's consent where required for non-essential analytics cookies and tracking, which the User can manage through cookie preferences.
5. Data Location and Security. PostHog processes data within the European Union. PostHog maintains appropriate technical and organizational security measures to protect personal data. PostHog is compliant with applicable data protection regulations including GDPR.
6. Data Retention. Data processed by PostHog is retained for 26 months from the date of collection, after which it is automatically deleted. The User may opt out of PostHog analytics at any time through cookie preferences or account settings.
7. Privacy Policy. For more information about how PostHog processes personal data, please refer to PostHog's privacy policy available at: https://posthog.com/privacy
8. User Control. The User has the following options to control PostHog analytics:
- a. The User can opt out of analytics tracking through the cookie consent banner when first visiting the Platform;
- b. The User can change analytics preferences at any time through account settings or cookie preferences;
- c. The User can use browser settings or extensions that block analytics scripts;
- d. If the User opts out, the Operator will respect that choice and PostHog will not collect analytics data from the User's usage of the Platform.
B. Appendix: Comgate Payment Gateway
1. Service Provider. The Operator uses Comgate Payment Gateway to process payments for Paid Services.
2. Data Processed. When the User purchases Paid Services, Comgate processes the following types of data:
- a. Payment information including payment method details (card information, bank account details, or other payment instrument data depending on the payment method chosen);
- b. Transaction data including transaction amount, currency, date and time of transaction, and transaction status;
- c. Billing information including the User's name, billing address, and email address;
- d. Technical data including IP address, device information, and browser type for fraud prevention purposes;
- e. Order information including details of the Paid Services purchased and order identifiers linking the payment to the User Account.
3. Purpose of Processing. Comgate processes this data for the following purposes:
- a. To process and complete payment transactions for Paid Services;
- b. To verify payment authenticity and prevent fraudulent transactions;
- c. To provide payment confirmation and transaction receipts;
- d. To handle payment disputes, chargebacks, and refunds;
- e. To comply with financial regulations, anti-money laundering requirements, and payment industry standards (including PCI DSS);
- f. To maintain transaction records as required by law.
4. Legal Basis. The processing of data by Comgate is based on:
- a. Performance of contract - processing is necessary to complete the payment transaction for Paid Services requested by the User;
- b. Legal obligation - compliance with financial regulations, tax requirements, and payment industry standards;
- c. Legitimate interest - fraud prevention and security of payment transactions.
5. Data Location and Security. Comgate processes payment data within the European Union and is compliant with PCI DSS (Payment Card Industry Data Security Standard). Comgate maintains appropriate technical and organizational security measures to protect payment data, including encryption of sensitive payment information. Comgate is compliant with applicable data protection regulations including GDPR.
6. Data Retention. Comgate retains transaction data for the periods required by applicable financial and tax regulations, typically 7 years from the date of transaction. Payment instrument details (such as card numbers) are tokenized and not stored in full form after transaction completion, except where required for recurring payments or as mandated by law.
7. Privacy Policy. For more information about how Comgate processes personal data, please refer to Comgate's privacy policy available at: https://www.comgate.cz/files/cz-informace-o-zpracovani-osobnich-udaju.pdf
8. User Control. When making a payment:
- a. The User can choose a preferred payment method from the options provided by Comgate;
- b. The User can request copies of transaction receipts and payment confirmations;
- c. The User can contact the Operator to request information about payment transactions or to exercise data protection rights in relation to payment data;
- d. For recurring payments (if applicable), the User can cancel authorization through account settings or by contacting the Operator.