Privacy Policy

The data controller is Vladyslav Haiduk, a sole trader (OSVČ), IČO 23484624. Full registration details and supervisory authorities are in the Imprint.

For any data-protection question or to exercise your rights, write to [email protected]. We don't have a separate Data Protection Officer — the controller handles requests personally.

We collect only the data needed to run the platform and operate paid services. The categories are:

• Account and profile data: Email address, password hash if you register with a password, linked OAuth provider identifiers if you use Google Sign-In, first name, last name, country, Czech region, preferred language, phone country code, national phone number, E.164 phone number, account creation, profile completion and last-login timestamps. We do not collect a separate account display name; if Google provides a display name, we use it only to prefill first and last name when needed.
• Listings, messages and moderation: Listings you publish (title, description, photos, price, category, attributes, stock/orderability, delivery options, publication status and listing history), chat messages and attachments, reports and report notes, wishlist entries, blocked-user records, and content moderation actions.
• Seller and storefront data: If you use seller tools, we process seller type/status, public seller badge, customer support email/phone, returns policy text, business verification and storefront status, storefront name, slug, description, logo/banner assets, store locations, opening hours, pickup notes, staff invites/memberships and store-team roles.
• Orders and delivery: Order and delivery data: buyer and seller identifiers, item, quantity, price/currency, order status/events, buyer phone and note, shipping address for home delivery, public-meetup place/address/city/coordinates/schedule/notes, pickup codes, cancellation/help/change requests, shipment tracking numbers, carrier identifiers and tracking events.
• Identity and business verification: Phone verification data: phone number submitted, verification provider (Twilio), attempt/result/status and timestamps. Business verification/KYB data: legal name, legal form, IČO/DIČ or registration details, ARES data, registered address, support contact details, documents or review evidence submitted, verification events, reviewer decisions and timestamps.
• Payment, subscription and boost data: When you pay for a boost or subscription, full card details are collected and stored by Stripe — we never see or store your full PAN/CVC. We retain Stripe customer/payment/subscription/payment-method identifiers, card brand, last four digits and expiry where Stripe returns them, invoice/payment status, amount, currency, billing period, tax/accounting data, discounts/promotion codes, Stripe webhook references, and saved-card or withdrawal-waiver consent text hashes and timestamps.
• Analytics and performance events: Listing/storefront view, impression, click, contact-reveal and promotion delivery events; consented Google Analytics page/event measurements; counted flags, timestamps, listing/storefront/campaign identifiers, viewer user id when logged in, optional session key if analytics consent was given, and hashed IP address/user-agent for anonymous deduplication.
• Place search and location data: Search text, selected addresses, approximate map coordinates, meetup locations, shipping addresses where used, country/language filters, and reverse-geocoding requests sent to the place-search provider.
• Rewards and referrals: If you use referral or rewards features, we process share links, share-click records, conversion records, reward wallets, ledger entries, achievements, redemptions, anti-abuse flags and review decisions.
• Notifications: Notification preferences, notification records, delivery channel, delivery status, notification source, timestamps and related entity identifiers such as listing, order, subscription or storefront ids.
• Support communications: If you write to us by email or through a support/help flow, we retain your message, our reply, attachments and internal handling notes for as long as needed to handle the matter and to defend any legal claims.
• Imported third-party listing data: Public Bazoš listing content imported for discovery: source identifiers, source category, listing title/description, price, location hints, photos/media, timestamps, seller display/contact hints, claim status, and import/review metadata.
• AI enrichment data: When AI enrichment is enabled, imported listing text, category/attribute candidates, and non-sensitive metadata may be sent to an AI provider to classify or normalize listings. We do not intentionally send payment details, passwords, or private chats for this purpose.
• Technical data: When you visit the site or call the API we receive request metadata such as IP address, user-agent, time, endpoint/page requested and authentication/session context. For view analytics we store hashed IP address and hashed user-agent rather than the raw values. Separate security/audit logs may keep request metadata for abuse prevention, troubleshooting and legal claims.
• Cookies and similar storage: See the dedicated Cookie Policy for the full list of cookies and localStorage keys we use, what they do and how to change your choice.
• Legal and consent records: Versioned records of accepted Terms, Privacy Policy, age confirmation, cookie choices, saved-card consents and paid-service withdrawal waivers, together with timestamps and limited request context used to prove the choice.

Some listing pages are created from public Bazoš listings rather than directly by the seller. The source is Bazoš and the source identifier is stored so the record can be traced, claimed, corrected, or removed.

The imported categories may include listing text, public photos, price, category, public source URL or identifier, approximate location, seller display/contact hints, and technical import metadata. We process this for legitimate interests in marketplace discovery, deduplication, anti-fraud, and allowing sellers to claim or object to imported pages.

If an imported listing relates to you, write to [email protected] or use the claim flow shown on the listing to request access, correction, deletion, objection review, or source information.

Each processing activity rests on one of the GDPR lawful bases:

• Performance of a contract: Most processing — your account, your listings, your messages, your purchases of boosts or subscriptions — is necessary to provide the service you signed up for.
• Legitimate interest: We rely on legitimate interest for security (rate-limiting, fraud detection, audit logs), moderation, preventing misuse of rewards/promotions, limited aggregate analytics including anonymous listing/storefront view counts from hashed request metadata, imported-listing discovery, deduplication, and claim/removal handling.
• Consent: We rely on consent for optional cookies/browser storage such as the analytics session key, Google Analytics cookies and referral attribution cookie, saved payment-method consent, paid-service withdrawal-waiver acknowledgements where required, and any future marketing email.
• Legal obligation: Some processing is required by Czech law — accounting and tax records for transactions involving the operator, responses to lawful requests from public authorities, and obligations to act on notices about illegal content, unsafe products, or rights violations.

To run the platform we use the following processors and sub-processors. Production processors operate under written data-processing terms and only process data on the operator's instructions.

Most core hosting/database processing happens inside the EU/EEA on Hetzner (Germany). Some processors or their group companies/subprocessors may process data outside the EU/EEA, including Cloudflare, Stripe, Google (including Google Workspace/Gmail SMTP), Twilio and OpenAI when enabled. Geoapify processing is primarily EU-based. Where a transfer outside the EU/EEA happens, it relies on provider data-processing terms and applicable safeguards such as the EU-U.S. Data Privacy Framework or standard contractual clauses.

We keep personal data only as long as needed for the purpose it was collected for, and then delete or anonymise it.

• Account/profile data is kept while the account is active. To request account deletion, write to the support email listed in the Imprint; after we verify the request, identifying account/profile fields are anonymised within 30 days. Records we must keep for law, security, disputes or accounting are retained as described below.
• Listings stay published until you delete them or the listing reaches its lifecycle end. Closed listings and their statistics are retained for 24 months for fraud and dispute history.
• Order, delivery, meetup, shipment and user-to-user transaction coordination records are retained for 24 months after closure for fraud, support and dispute history, unless law or active claims require longer.
• Phone and business verification records are kept while the account or seller status is active and then for up to 3 years for audit, fraud-prevention and legal-claims purposes, unless law or active claims require longer.
• Payment records, invoices and accounting documents are retained for 10 years as required by Czech accounting law.
• View, impression, click, contact-reveal and promotion analytics events are retained for 24 months; aggregate statistics that no longer identify a user or browser may be kept longer.
• Imported Bazoš listings and related import metadata are kept while they are useful for discovery, claim/removal handling, deduplication, fraud prevention, and audit history. Removed or objected-to records may be retained in restricted form where needed to prevent re-import or defend legal claims.
• Cookie-consent, legal-acceptance, saved-card and withdrawal-waiver consent log entries are retained for 3 years from the date of the choice, for audit purposes.
• Support emails and help requests are kept for 3 years from the last reply, then deleted unless an active legal matter requires longer.

Under GDPR you have these rights regarding your personal data:

• Access: You can request a copy of the personal data we hold about you and information about how we process it.
• Rectification: You can ask us to correct inaccurate data or complete incomplete data.
• Erasure (right to be forgotten): You can ask us to delete your personal data when it is no longer needed for the purpose it was collected, when you withdraw consent, or when processing is unlawful. Some records (accounting, audit logs) we are required by law to keep.
• Restriction of processing: You can ask us to limit how we process your data while a request to rectify or object is being resolved.
• Data portability: For data you provided to us under contract or consent, you can ask for a structured, machine-readable export.
• Objection: You can object to processing based on legitimate interest. We will stop unless we show overriding compelling grounds, or unless the processing is needed for legal claims.
• Withdraw consent: Where we process data based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that took place before the withdrawal.
• Complaint: You have the right to lodge a complaint with the data-protection authority of your country of residence.

To exercise any of these rights, write to [email protected]. We will respond within 30 days; we may extend by another 60 days for complex requests, in which case we will tell you within the first 30 days.

Skarbex is open to people aged 16 and over. People aged 16 or 17 may use the platform with the awareness and consent of a parent or legal guardian. We do not knowingly collect personal data from people under 16; if we become aware that we have, we will delete the data and the account.

We use TLS for traffic, hashed passwords (bcrypt), tokenised card data via Stripe, application-level encryption for selected sensitive verification fields, role-based access control on the admin side, and audit logs for sensitive actions. No system is fully secure; if a breach affecting your data happens, we will notify the supervisory authority within 72 hours and you without undue delay where the law requires it.

We may update this policy. Material privacy changes are notified through the platform and, where legally required, we will ask for fresh consent before continuing the affected processing. Non-material clarifications take effect when published. The date above reflects the current version.

For any data-protection question, request, or complaint, write to [email protected].