PRIVACY POLICY
Travel Communications s.r.o. | VOXtours.cz
Reg. No.: 279 14 836 | VAT ID: CZ 279 14 836
Registered office: Chlupáčova 1176/8, 152 00 Prague 5, Czech Republic
Operations: Senovážné nám. 978/23, 110 00 Prague 1
E-mail: welcome@voxtours.cz | Tel.: +420 228 885 641 | Mob.: +420 777 288 443
www.voxtours.cz
Valid from 1 January 2025
Last updated: January 2025
This Privacy Policy describes how Travel Communications s.r.o., operating under the brand VOXtours.cz (hereinafter "Controller"), processes personal data of its customers, business partners, contractors, and website visitors in compliance with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on personal data processing.
If you have any questions, please contact us at welcome@voxtours.cz.
1. DATA CONTROLLER
Travel Communications s.r.o.
Reg. No.: 279 14 836
Registered office: Chlupáčova 1176/8, 152 00 Prague 5, Czech Republic
Operations: Senovážné nám. 978/23, 110 00 Prague 1
E-mail: welcome@voxtours.cz
Tel.: +420 228 885 641 | Mob.: +420 777 288 443
The Controller has not appointed a Data Protection Officer (DPO) as it is not required to do so under Article 37 GDPR. All data protection enquiries are handled at welcome@voxtours.cz.
2. HOW WE COLLECT PERSONAL DATA
We collect personal data through the following channels:
— Order form on the website www.voxtours.cz
— E-mail communication at welcome@voxtours.cz
— Phone calls and WhatsApp
— Signed written rental agreements
We do not collect personal data from other sources without the knowledge of the data subjects.
3. CATEGORIES OF DATA SUBJECTS
We process personal data of the following categories of individuals:
a) Contact persons of clients — individuals representing travel agencies, tour operators, or other legal entities (B2B clients) who order our services.
b) Guides and tour leaders — individuals (sole traders or employees of clients) who physically receive and use the rented equipment on tours.
c) Contractors and subcontractors — individuals with whom the Controller cooperates under a service or contractor agreement.
We do not process personal data of tourists or other end users of the equipment.
4. WHAT PERSONAL DATA WE PROCESS AND WHY
We process only the data necessary for the purposes described below. We do not process special categories of personal data (sensitive data) as defined in Article 9 GDPR.
══════════════════════════════════════════════════════
4.1 PERFORMANCE OF CONTRACT AND PROVISION OF SERVICES
Legal basis: Article 6(1)(b) GDPR
Applies to: categories a), b)
══════════════════════════════════════════════════════
What data: name of the contact person, organisation name, registration number, VAT ID, address, e-mail address, phone number; name and phone number of the guide or tour leader.
Why: to receive and process orders, coordinate equipment delivery and collection, issue handover protocols, and manage communication throughout the rental.
Retention period: for the duration of the contractual relationship and 3 years after its termination (limitation period under Czech Civil Code, Section 629 et seq.).
══════════════════════════════════════════════════════
4.2 COMPLIANCE WITH LEGAL OBLIGATIONS
Legal basis: Article 6(1)(c) GDPR
Applies to: categories a), c)
══════════════════════════════════════════════════════
What data: invoicing data (company name, address, registration number, VAT ID), accounting records and contracts.
Why: to maintain accounting and tax records under Czech Act No. 563/1991 Coll. (Accounting Act) and Act No. 235/2004 Coll. (VAT Act); to fulfil other statutory obligations to public authorities.
Retention period: 10 years from the end of the tax period in which the service was provided (Section 35 of the Accounting Act).
══════════════════════════════════════════════════════
4.3 LEGITIMATE INTERESTS OF THE CONTROLLER
Legal basis: Article 6(1)(f) GDPR
Applies to: categories a), b)
══════════════════════════════════════════════════════
What data: name, e-mail address, phone number, order and communication history.
Why: to maintain customer records and CRM (see Section 5 — HubSpot), to protect the Controller's legal claims, to document equipment handover and return, to ensure continuity of business relationships.
Legitimate Interest Assessment (LIA): the Controller has a legitimate interest in maintaining customer records for the purpose of managing business relationships and protecting its legal claims. Processing is limited to necessary contact and transactional data and does not include sensitive, behavioural, or profiling data. We have assessed that this interest does not override the rights and freedoms of data subjects.
Retention period: 5 years from the last business contact, after which data is anonymised or deleted.
══════════════════════════════════════════════════════
4.4 CONTRACTOR AND SUBCONTRACTOR RELATIONSHIPS
Legal basis: Article 6(1)(b) and (c) GDPR
Applies to: category c)
══════════════════════════════════════════════════════
What data: full name, address, registration number, bank details, e-mail, phone number, and documents necessary for the conclusion and performance of the cooperation agreement.
Why: to enter into and perform cooperation agreements; to fulfil statutory obligations to tax and administrative authorities.
Retention period: for the duration of the cooperation and thereafter in accordance with statutory archival requirements (see Section 4.2), with a minimum of 10 years for tax documents.
══════════════════════════════════════════════════════
4.5 COMMERCIAL COMMUNICATIONS
Legal basis: Article 6(1)(f) GDPR (existing customers); Article 6(1)(a) GDPR (new contacts)
Applies to: categories a), b)
══════════════════════════════════════════════════════
What data: name, e-mail address, organisation name.
Why: to send individual commercial communications about news, price list changes, or seasonal promotions. We do not send regular newsletters.
Right to object: you may object to receiving commercial communications at any time, free of charge, by contacting welcome@voxtours.cz.
Retention period: until consent is withdrawn or an objection is raised, but no longer than 3 years from the last business contact.
5. RECIPIENTS AND PROCESSORS OF PERSONAL DATA
We do not sell or provide your personal data to third parties for their own marketing purposes.
Personal data is shared exclusively with the following categories of recipients (processors within the meaning of Article 28 GDPR), and only to the extent necessary:
──────────────────────────────────────────────────────
5.1 GOOGLE LLC — Gmail, Google Drive, Google Analytics
Headquarters: USA | Transfer basis: Standard Contractual Clauses (SCC) under Article 46 GDPR
──────────────────────────────────────────────────────
Google Workspace (Gmail + Drive): used for e-mail communication and document storage. A Data Processing Agreement (DPA) is in place through Google Workspace terms.
Google Analytics 4: used to analyse website traffic. IP addresses are anonymised; data is processed in pseudonymised form. Processing is based on your consent via the cookie banner. More information: https://policies.google.com/privacy
──────────────────────────────────────────────────────
5.2 HUBSPOT, INC.
Headquarters: USA (Cambridge, MA) | Transfer basis: SCC under Article 46 GDPR; EU–US Data Privacy Framework
──────────────────────────────────────────────────────
We use HubSpot as our CRM system to manage customer contacts and business communication. Data stored in HubSpot includes: name, e-mail address, phone number, company name, and communication history.
HubSpot, Inc. is certified under the EU–US Data Privacy Framework. A Data Processing Agreement (DPA) is in place. Data may be stored or processed on servers in the United States. More information: https://legal.hubspot.com/dpa
──────────────────────────────────────────────────────
5.3 MAKE (formerly Integromat) — Make.com / Celonis SE
Headquarters: EU (Prague / Munich) | No transfer outside EU/EEA
──────────────────────────────────────────────────────
We use Make.com to automate workflows (order processing, data synchronisation). All personal data processed through Make is handled exclusively on servers within the EU. A Data Processing Agreement is incorporated into the platform terms.
──────────────────────────────────────────────────────
5.4 META PLATFORMS IRELAND LTD. — WhatsApp Business
Headquarters: Ireland (EU) | Some data may be shared with Meta Inc., USA — SCC under Article 46 GDPR
──────────────────────────────────────────────────────
Phone numbers and message content sent via WhatsApp are processed by Meta Platforms Ireland Ltd. as the platform operator. We recommend using e-mail as the preferred channel for business communication where full data control is required.
──────────────────────────────────────────────────────
5.5 COURIER SERVICES — Messenger (Prague), DHL, and others
Headquarters: EU / Czech Republic | No transfer outside EU/EEA
──────────────────────────────────────────────────────
We share only the delivery address, contact person's name, and phone number with courier services for the purpose of coordinating equipment delivery and collection.
──────────────────────────────────────────────────────
5.6 ACCOUNTING AND INVOICING SOFTWARE — Pohoda, Money S3, or equivalent
Headquarters: Czech Republic | No transfer outside EU/EEA
──────────────────────────────────────────────────────
Invoicing data (company name, address, registration number, VAT ID) is processed in our accounting software for the purpose of bookkeeping and issuing tax documents.
──────────────────────────────────────────────────────
5.7 PUBLIC AUTHORITIES
──────────────────────────────────────────────────────
Tax authorities, courts, Czech Police, and other public bodies — only where required by law or necessary to protect the Controller's legal rights.
6. INTERNATIONAL DATA TRANSFERS
Some processing takes place on servers outside the EU/EEA — specifically through HubSpot, Inc. (USA) and Google LLC (USA). In both cases, Standard Contractual Clauses (SCC) approved by the European Commission under Article 46 GDPR are in place, ensuring an adequate level of protection.
All other tools (Make, Pohoda/Money S3, courier services) process data exclusively within the EU/EEA.
7. COOKIES AND WEBSITE ANALYTICS
The website www.voxtours.cz is operated on the Tilda Publishing platform and uses the following categories of cookies:
— Strictly necessary cookies: ensure the basic functionality of the website. No consent is required and these cookies cannot be disabled.
— Analytical cookies (Google Analytics 4): we use Google Analytics to analyse website traffic and improve our services. IP addresses are anonymised. These cookies are only activated on the basis of your consent via the cookie banner.
You may withdraw your consent to analytical cookies at any time via the cookie banner settings or your browser settings. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
8. YOUR RIGHTS
As a data subject, you have the following rights, which you may exercise free of charge by contacting welcome@voxtours.cz:
Right of access (Article 15): to obtain confirmation of whether we process your personal data and to receive a copy of that data.
Right to rectification (Article 16): to request correction of inaccurate or completion of incomplete data.
Right to erasure (Article 17): to request deletion of your data where it is no longer necessary, processing was unlawful, or consent has been withdrawn. This right does not apply where processing is necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.
Right to restriction of processing (Article 18): to request that processing is temporarily suspended, for example while the accuracy of data is being verified.
Right to data portability (Article 20): to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller, where processing is automated and based on a contract or consent.
Right to object (Article 21): to object at any time to processing based on legitimate interests, including direct marketing. Following an objection, we will cease processing for that purpose unless we can demonstrate compelling legitimate grounds that override your interests.
Right to withdraw consent: consent (e.g. to analytical cookies) may be withdrawn at any time without affecting the lawfulness of prior processing.
Right to lodge a complaint with a supervisory authority:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů — ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
www.uoou.cz | posta@uoou.cz | +420 234 665 111
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work.
We will respond to your request within 30 days (up to 90 days in complex cases; we will inform you of any extension). We may ask you to verify your identity before responding.
9. DATA SECURITY
We have implemented the following technical and organisational security measures:
— encrypted e-mail communication (TLS/SSL),
— access to personal data restricted to authorised individuals only,
— documents stored in a secure cloud environment (Google Drive with encryption),
— regular review of access rights to tools (HubSpot, Make, Google Workspace),
— CRM data in HubSpot protected by two-factor authentication.
In the event of a personal data breach likely to result in a risk to the rights and freedoms of individuals, we are obliged to notify the Office for Personal Data Protection within 72 hours and, in serious cases, to notify the affected data subjects directly.
10. UPDATES TO THIS POLICY
We may update this Privacy Policy from time to time. The current version is always available at www.voxtours.cz/gdpr with the date of the last update indicated. We will notify you of any material changes by e-mail or a notice on the website.
11. CONTACT
Travel Communications s.r.o.
Senovážné nám. 978/23, 110 00 Prague 1, Czech Republic
E-mail: welcome@voxtours.cz
Tel.: +420 228 885 641 | Mob.: +420 777 288 443
www.voxtours.cz