Privacy Policy
Last updated: March 14, 2026 | Version: 2.0 Bulletproof
1. Introduction and Scope
This Privacy Policy ("Policy") explains how Michal Černáček ("Data Controller," "we," "us," "our," "Company") collects, uses, processes, stores, and protects personal data when you use our website (cernacek.com), services, or contact us. This Policy applies to all website visitors, service clients, prospects, and any individual whose personal data is processed by the service provider.
IMPORTANT GEOGRAPHIC LIMITATION: Data processing complies with GDPR (EU/EEA), CCPA/CPRA (California), UK DPA 2018, PIPEDA (Canada), LGPD (Brazil), Australia Privacy Act 1988, New Zealand Privacy Act 2020, and DPDP Act 2023 (India). Services and data processing are explicitly LIMITED to clients and audiences in EU/EEA, North America, and Oceania. We do NOT process data for clients or audiences in Africa or Asia.
Data Controller Contact: Michal Černáček, Slovakia | Email: michal@cernacek.com
2. Types of Information We Collect
2.1 Information You Provide Directly
- Contact Information: Name, email address, phone number, company name, job title, and physical address
- Service-Related Data: Information about your business, industry, marketing goals, budget, advertising accounts, and campaign preferences
- Communications: Messages, inquiries, feedback, testimonials, and any content you submit through forms or direct communication
- Account Information: Credentials, preferences, and settings if you create an account
- Payment Information: Billing address, invoice details (processed securely through third-party payment processors)
- Content Uploads: Images, videos, documents, and creative assets you provide for campaign creation
2.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, device type, operating system, pages visited, time spent on pages, referral source
- Cookies and Tracking: First-party and third-party cookies, tracking pixels, web beacons, local storage data
- Analytics: User interactions, click patterns, navigation behavior, conversion data through analytics platforms
- Communication Metadata: Email open rates, link click data, delivery status information
2.3 Information from Third Parties
- Data from advertising platforms (META, Google Ads, LinkedIn) for campaign management and optimization
- Information from email service providers and CRM platforms for business communications
- Publicly available information from business directories and social media for professional purposes
- Referral information and publicly available business data
3. Legal Basis for Processing Data
We process your personal data under the following legal bases:
- Contractual Necessity: Processing is necessary to execute contracts and provide agreed-upon services
- Legitimate Interests: Business development, customer service improvement, fraud prevention, and legal compliance
- Consent: Where you have explicitly consented to specific processing activities (e.g., marketing communications)
- Legal Obligation: Compliance with tax laws, accounting regulations, and other statutory requirements
- Vital Interests: Protection of critical interests of data subjects or natural persons
4. How We Use Your Information
We use collected data for the following purposes:
- Service Delivery: Creating, managing, and optimizing advertising campaigns and creative services
- Client Communication: Responding to inquiries, providing updates, and maintaining ongoing business relationships
- Performance Reporting: Tracking campaign metrics, generating analytics, and providing performance insights
- Account Management: Processing payments, managing billing, and maintaining account information
- Quality Improvement: Analyzing user behavior, identifying service improvements, and enhancing user experience
- Marketing Communications: Sending newsletters, promotional materials, and service updates (with prior consent or legitimate interest)
- Legal and Compliance: Meeting legal obligations, preventing fraud, ensuring platform security, and defending against legal claims
- Profiling and Personalization: Creating client profiles to better understand needs and tailor services accordingly
- Advertising Platform Integration: Syncing data with META, Google, and other platforms for accurate campaign management and pixel tracking
5. Data Sharing and Third-Party Recipients
5.1 Service Providers and Data Processors
We engage third-party service providers who process data on our behalf under data processing agreements (DPAs) ensuring compliance with GDPR:
- Advertising Platforms: META, Google Ads, LinkedIn for campaign management and tracking
- Email and CRM Services: Email service providers for communications and customer relationship management
- Payment Processors: Secure payment gateways for invoice processing and billing (PCI-DSS compliant)
- Analytics Platforms: Google Analytics, Hotjar, and similar tools for website and user behavior analysis
- Cloud Storage Services: Secure cloud providers for data backup and storage
- Website Hosting: Server providers for website infrastructure and security
5.2 Legal Requirements
We may disclose personal data when required by law, court order, government request, or to protect our legal rights. Such disclosures are made transparently and with data subject notification where legally permissible.
5.3 International Data Transfers
Some recipients are located outside the European Economic Area (EEA) and other regions with similar data protection standards. For such transfers, we implement appropriate safeguards including Standard Contractual Clauses (SCCs), Binding Corporate Rules, and adequacy decisions as recognized by regulatory authorities.
6. Data Retention and Storage
We retain personal data for the following periods:
- Client Data: For the duration of the business relationship plus 6 years for accounting and legal compliance purposes (per tax law requirements)
- Campaign Data: Retained during active campaigns; archived for 12 months post-completion for performance reference
- Website Analytics: Typically 26 months per Google Analytics default settings
- Email Communications: Retained for 3 years or as required by law
- Marketing Consent: Retained for the period of active consent plus 1 year for compliance verification
Upon request or service termination, we will delete personal data unless legal or contractual obligations require retention. Deletion is performed securely using industry-standard methods ensuring data cannot be recovered.
7. Data Security Measures
We implement comprehensive technical and organizational security measures:
- Encryption: AES-256 encryption for data at rest; TLS 1.2+ for data in transit
- Access Control: Role-based access controls (RBAC), multi-factor authentication (MFA), and password policies
- Infrastructure Security: Firewalls, intrusion detection systems, DDoS protection, regular security audits
- Backup and Recovery: Redundant backups, disaster recovery plans, business continuity procedures
- Monitoring: Real-time security monitoring, intrusion detection, anomaly detection systems
- Staff Training: Regular data protection and security awareness training for all personnel
- Incident Response: Documented incident response procedures with notification protocols
While we implement robust security measures, no system is 100% secure. You use our services at your own risk, and we encourage you to maintain strong passwords and secure your login credentials.
8. Your Data Rights and Choices
Under GDPR, CCPA, and other applicable privacy laws, you have the following rights:
- Right to Access: You may request and obtain a copy of personal data we hold about you in a structured, commonly used, machine-readable format
- Right to Rectification: You may correct inaccurate or incomplete personal data
- Right to Erasure (Right to be Forgotten): You may request deletion of your data under certain conditions, subject to legal retention obligations
- Right to Restrict Processing: You may request limitation of processing activities while we investigate or await further instruction
- Right to Data Portability: You may request your data in a portable, structured format to transfer to other service providers
- Right to Object: You may object to marketing communications, profiling, and certain processing activities
- Right to Withdraw Consent: For processing based on consent, you may withdraw at any time without affecting prior processing
- Right to Non-Discrimination: We will not discriminate against you for exercising your data rights
- Right to Lodge a Complaint: You may file a complaint with your local data protection authority (DPA)
To exercise these rights, contact us at the address provided in Section 13. We will respond to requests within 30 days (or as required by applicable law).
9. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. For detailed information about cookies, including types, purposes, and how to manage them, please refer to our Cookie Policy.
10. Children's Privacy
Our services are not directed to individuals under 16 years of age (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take immediate steps to delete such data and terminate the child's account.
11. Marketing and Communications Preferences
We send marketing communications (newsletters, promotions, updates) based on your consent or legitimate business interest. You may:
- Unsubscribe from email communications by clicking the "unsubscribe" link in any email
- Update your communication preferences in your account settings
- Contact us directly to manage your preferences
We will honor opt-out requests within 10 business days. Note that you cannot opt out of transactional communications related to your account or services.
12. Data Processing Agreements (DPAs)
For B2B clients, we can execute Data Processing Agreements compliant with GDPR Article 28. These agreements detail our obligations, security measures, liability provisions, and data subject rights. Please contact us to request a DPA template.
13. Contact Information and Data Protection Officer
Data Controller:
Michal Černáček
Slovakia
michal@cernacek.com
To Exercise Your Data Rights:
Please submit requests in writing with clear identification. Include the specific right you wish to exercise and any relevant details. We will respond within 30 days (or within statutory timeframes in your jurisdiction).
Supervisory Authorities:
If you have concerns about our data practices, you may lodge a complaint with your local data protection authority:
- EU: Your national DPA (e.g., GDPR complaints)
- California: California Privacy Protection Agency (CPPA)
- Canada: Office of the Privacy Commissioner (OPC)
- Brazil: National Data Protection Authority (ANPD)
14. Data Breach Notification
In the event of a data breach or unauthorized access to personal data, we will:
- Notify affected individuals without undue delay (typically within 72 hours under GDPR)
- Report to relevant data protection authorities as required by law
- Provide details of the breach, affected data, and remediation measures
- Maintain documentation of all breach incidents and responses
15. Profiling and Automated Decision-Making
We may use automated processing and profiling for client segmentation, campaign targeting, and performance prediction. Under GDPR, you have the right to human review of automated decisions. Contact us if you wish to object to profiling or request human review of automated decisions affecting you.
16. Policy Changes and Updates
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. The "Last updated" date at the top of this policy indicates the most recent revision. Material changes will be communicated to you via email or prominent notice on our website. Your continued use of our services after such notices constitutes acceptance of updated terms.
17. Jurisdiction and Applicable Law
This Privacy Policy is governed by the laws of Slovakia, with the understanding that it is designed to comply with GDPR and other international privacy standards. Any disputes relating to this policy shall be subject to the courts of Slovakia, unless otherwise required by applicable law.
18. CRITICAL LIMITATION: Geographic Scope and Data Processing Boundaries
EXPLICIT GEOGRAPHIC RESTRICTION: The data controller operates under the laws of the Slovak Republic (European Union). Data processing is performed exclusively for clients and audiences located in or targeting the following regions:
- European Union and European Economic Area (all EU27 + UK, Iceland, Norway, Liechtenstein, Switzerland)
- North America (United States, Canada, Mexico)
- Oceania (Australia, New Zealand)
EXPLICIT EXCLUSION: Data processing services are NOT provided for clients or audiences in Africa or Asia. Clients attempting to engage services for these excluded regions shall indemnify the data controller against all regulatory, legal, and compliance claims.
18.1 Special Jurisdictions - Additional Compliance Requirements
18.2 Australia (Privacy Act 1988)
Australian users' data is processed in compliance with the Privacy Act 1988 and the Australian Privacy Principles (APPs). You have the right to access and correct your data and to complain to the Office of the Australian Information Commissioner (OAIC).
18.3 New Zealand (Privacy Act 2020)
New Zealand residents' data is processed in compliance with the Privacy Act 2020. You may lodge complaints with the Privacy Commissioner.
18.4 India (DPDP Act 2023)
Indian users' data is processed with explicit consent and in compliance with the Digital Personal Data Protection Act 2023. We comply with data localization and consent management requirements.
18.5 Additional Notices for Specific Jurisdictions
18.6 GDPR (European Union)
If you are located in the EU, GDPR rights and protections apply to your personal data. We maintain appropriate safeguards for data transfers and processing.
18.7 CCPA (California)
California residents have specific rights under the CCPA, including the right to know, the right to delete, and the right to opt out of sales of personal information. We do not sell personal data in the traditional sense but may share data with advertising partners for campaign optimization.
18.8 PIPEDA (Canada)
Canadian residents' data is processed in compliance with PIPEDA, ensuring transparency, consent, and data subject rights.
18.9 LGPD (Brazil)
For Brazilian residents, we comply with LGPD requirements for legal basis, data subject rights, and security measures.