PRIVACY POLICY STATEMENT

1. Who are we and how can you contact us?

Company iCLT, s. r. o., ID No.: 24106810, with its registered office at Studené 106, 254 01 Jílové u Prahy, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File No. 140850 (hereinafter referred to as the “Company” or “we”) places great emphasis on compliance with the principles and rules of protection of natural persons in connection with the processing of their personal data. This Privacy Policy Statement (hereinafter referred to as the “Statement”) describes how personal data are processed within the Company. This Statement ensures that the processing of personal data is carried out in accordance with generally binding legal regulations, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation”) and Act No. 110/2019 Coll., on the processing of personal data, as amended, so that the rights of data subjects are duly protected. Pursuant to Articles 13 and 14 of the Regulation, the Company hereby provides data subjects with information on the processing of their personal data.

Any questions regarding the processing of personal data may be addressed to the Company or its Data Protection Officer:

Correspondence address: Studené 106, 254 01 Jílové u Prahy

E-mail: info@iCLT.eu

Phone: +420 777 088 895

Website: www.iCLT.eu

Data Protection Officer: Bc. Lucie Biskupová

2. What principles do we follow when processing personal data?

We process accurate and up-to-date personal data at all times on the basis of a lawful ground, fairly and transparently, solely for specific, explicitly stated and legitimate purposes, to the minimum necessary extent, store them in a form permitting identification of data subjects only for the period necessary in relation to the purpose of processing, and ensure their integrity and confidentiality through appropriate technical or organizational measures and proper security against unauthorized or unlawful processing and against accidental loss, destruction or damage.

We ensure that inaccurate data, with regard to the purpose for which they are processed, are erased or rectified without delay.

All activities related to personal data and their protection are duly documented. We cooperate with the supervisory authority, in particular the Office for Personal Data Protection, with its registered office at Pplk. Sochora 27, 170 00 Prague 7, e-mail: posta@uoou.cz, phone: +420 234 665 111.

3. Sources of personal data

We obtain your personal data from several sources. Primarily, we obtain personal data directly from you when you provide them to us.

Sources of your personal data also include publicly available sources such as the internet (in particular contact forms located on our websites), including social networks (e.g. Facebook, etc.). Another source of your personal data are cookies in connection with your activity on our websites (cookies). You may increase the protection of your privacy through your own web browser settings.

If you are interested in a specific source of processing of your personal data, you may contact us with this inquiry using the contact details listed above.

4. For what purposes and on what grounds do we process personal data?

Before commencing any processing of personal data, we determine the purpose for which personal data are processed and the means of processing. The processing of your personal data is carried out at all times exclusively within the scope of the predetermined purpose. Once the purpose of processing has been fulfilled, personal data are erased in accordance with the principle of data minimization (processing that is adequate, relevant and limited to what is necessary in relation to the purpose of processing) and the principle of storage limitation. It is possible that certain categories of personal data processed for a specific purpose may also be processed for another purpose; therefore, such personal data will always be erased only after no other purpose and legal ground for their processing exists.

For each such determined purpose, we always seek a legal ground that justifies the processing of personal data. Such legal grounds include in particular:

fulfilment of obligations laid down by law or imposed by public authorities;
fulfilment of contractual obligations;
legitimate interest of the Company;
consent to the processing of personal data.

5. Fulfilment of obligations laid down by law or imposed by public authorities

We process your personal data for the purposes of accounting and performance of accounting audits, fulfilment of registration and record-keeping obligations, preparation, processing and submission of tax returns, tax reports and other tax and accounting statements, performance of audits and related communication with the relevant authorities, and maintenance of statistical data.

Furthermore, we process your personal data even after the original purpose of processing has ceased, for the purposes of fulfilling archiving obligations laid down by relevant legal regulations, in particular the Archives and Records Management Act, tax regulations or accounting regulations.

Last but not least, we process your personal data that may be routinely used by public authorities, such as law enforcement authorities, financial administration authorities, customs authorities, etc.

6. Fulfilment of contractual obligations

6.1. Contractual agenda in general

We process your personal data for the purposes of concluding any contractual relationships between you and us, their amendment and termination (including pre-contractual negotiations), fulfilment of rights and obligations arising from concluded contracts and related agreements, partial legal acts, including maintaining records of these contractual relationships and related communication between you and us.

6.2. Organization of competitions, seminars, participation in Company events

For inclusion in all competitions organized by our Company and for the further course and evaluation of competitions that we organize for you, we need to process your personal data that you voluntarily provide to us in accordance with the competition rules and conditions of participation in seminars or other events organized for the purpose of marketing promotion of our products and services.

7. Legitimate interest

7.1. Development of business activities and maintaining contacts

We process personal data obtained in B2B or B2C interactions and maintain a contact database for the purposes of developing our business activities and maintaining contact with you, as well as for the purposes of ensuring administrative processes within our Company.

7.2. Information about changes, news, and the Company’s products and services

We wish to stay in contact with you and inform you about news related to our concepts in which you participate and about our products and services that you receive from us, and therefore we use your personal data for the purpose of sending commercial communications and providing assistance in response to your communications with us. Likewise, we wish to inform you about changes that we have made or plan to make to our services that may affect you (e.g. changes to terms and conditions, changes to contact details, etc.).

7.3. Handling complaints, claims, legal claims or disputes relating to you or our Company

In the event that you are not satisfied with our products and services and where such products or services may be complained about by their nature, we may process your personal data for the purposes of handling complaints regarding products supplied or services provided by us and for the purposes of related communication and record-keeping of complaints.

If you wish to submit suggestions, complaints or comments regarding the quality of our products and services, if you raise claims against us or if we, on the other hand, have claims against you that we wish to assert, or if we need to protect our legitimate interests, we will process your personal data for the period necessary for the final resolution of complaints, legal claims or potential disputes.

7.4. Security and protection of IT systems

For the purposes of ensuring IT security and protecting your personal data processed in our systems, and for the prevention of fraud and other criminal activities and misuse of our services, we use the most reliable system and process security tools.

7.5. CCTV systems at our premises

We need to protect our property as well as your safety and health at our premises that you visit. To achieve this purpose, we use a secured CCTV system. More information can be found at our premises.

8. Consent to the processing of personal data

8.1. Profiling and targeting based on your preferences

In order to be able to provide you with quality services and send you marketing communications that may be of interest to you, including online advertising, we may, based on your consent, examine your preferences and collect personal data that we gather during your purchases or visits to our websites, when using Wi-Fi connections at our premises or when using mobile applications.

8.2. Publication of audiovisual data

For the purpose of participation in our competitions, seminars and other promotional events, we may obtain from you or actively create your photographs or audiovisual recordings, or photographs or audiovisual recordings of third parties provided by you. With your explicit consent or the consent of third parties, we may publish these on our websites, on our social networks or in printed promotional materials for the purpose of marketing presentation of our products and services.

You may withdraw your consent to the processing of personal data at any time. If you withdraw your consent, this does not mean that the processing of personal data prior to such withdrawal was unlawful – withdrawal of consent does not have retroactive effect and does not affect the processing of personal data based on this consent prior to its withdrawal. You will be informed of this fact before you give consent to the processing of personal data.

9. What personal data do we process?

We process your personal data only to the extent necessary to fulfil the given purpose. If we had no information about you, we would not be able to provide you with our products and services and would not be able to meet our obligations arising from the law or contractual relationships (whether with you or with third parties). Below is a brief overview of the information we collect:

Depending on the nature of the processing purpose, we may process the following personal data (categories of personal data):

9.1. Identification data

Personal data used to identify you, i.e. title, first name, last name, date of birth.

9.2. Contact data

Personal data used to communicate with you, i.e. phone number, fax, e-mail address, permanent residence address, delivery address.

9.3. Authentication data

Data used to verify your identity in our electronic services, i.e. login name and password.

9.4. Payment data

Data used to process payments, i.e. information about a payment card or other payment method.

9.5. Data about other persons

Data about contact persons obtained in B2B interactions, i.e. first name and last name, e-mail address, phone number.

9.6. Audiovisual data

Photographs or audiovisual recordings capturing identified or identifiable natural persons that you voluntarily provide to us when participating in competitions, or visual recordings obtained from security cameras located at our premises.

9.7. Contractual data

Data obtained from you when fulfilling contractual obligations, i.e. data about products and services supplied to you, your order history, data about your complaints, claims, comments, suggestions and our mutual communication.

9.8. Technical data

Data about your device used to visit our websites or connect to Wi-Fi at our premises, i.e. MAC address, IP address, data contained in cookies, data about your behavior on websites.

10. How do we process personal data?

We process personal data in electronic form by automated means and in printed form by non-automated means.

11. For how long do we process personal data?

We process personal data only for the period necessary to fulfil the purpose of processing, which is determined individually and about which you are also informed individually. In the case of processing based on a contract, we process your personal data for the duration of the contractual relationship and for an additional 3 years after its termination, in particular with regard to potential future claims against you or claims by you against us. If we process your personal data based on consent, we process them for the period specified in such consent, unless the consent is withdrawn by you.

Beyond this period, we are entitled to process your personal data for the period stipulated by special legal regulations or for the period necessary to enforce our rights against you or to protect our legitimate interests.

Once the purpose of processing has been fulfilled and no further purpose exists for which we would be entitled to process personal data, we erase the personal data. In the case of personal data processed on the basis of your consent, we also erase personal data if you withdraw your consent. If we process personal data on the basis of legitimate interest and you object to the processing and there are no overriding legitimate grounds for the processing, we will also erase your personal data after informing you of this fact.

12. What rights do you have in connection with the processing of personal data?

You have the following rights, which you may exercise in one of the ways specified below:

Right to information
Right of access to personal data
Right to rectification
Right to erasure (right to be forgotten)
Right to restriction of processing
Right to data portability
Right to object
Right not to be subject to automated individual decision-making, including profiling
Right to lodge a complaint with the Office for Personal Data Protection or another competent supervisory authority in connection with the processing of personal data.

12.1. Right to information

Each data subject shall receive from the Company information related to the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language, at the moment when the Company obtains personal data from them. Information on the processing of personal data is contained in this document (Statement).

12.2. Right of access to personal data

The right of access to personal data consists of three components. In a request addressed to the Company, the data subject specifies which component of the right of access they are exercising. Requests may be submitted in writing to the registered office of the Company or electronically by e-mail.

The data subject has the right to obtain confirmation from the Company as to whether or not personal data concerning them are being processed.
If the Company processes the personal data of the data subject, it is obliged to provide them with the following information (which of these the data subject requests is specified in the request):
purposes of processing;
categories of personal data concerned;
recipients or categories of recipients to whom personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period;
the existence of the right to request rectification or erasure of personal data or restriction of processing or to object to such processing;
the right to lodge a complaint with the Office for Personal Data Protection or another competent supervisory authority;
all available information about the source of the personal data, if not obtained from the data subject;
the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
If the Company processes personal data of the data subject, it shall provide the data subject with a copy of the personal data undergoing processing free of charge. For any further copies requested by the data subject, the Company may charge a reasonable fee based on administrative costs. The right to obtain a copy must not adversely affect the rights and freedoms of others.
If the data subject submits a request electronically, the information shall be provided in a commonly used electronic form, unless the data subject requests a different format. The Company shall inform the data subject of the measures taken on the basis of the request within one month of receipt of the request, or at the latest within three months if the period is extended due to justified necessity.

12.3. Right to rectification of personal data

The data subject has the right to:

rectification of inaccurate personal data concerning them;
completion of incomplete personal data, taking into account the purposes of processing, including by means of providing a supplementary statement.
The right to rectification or completion is exercised by submitting a request in which the data subject states their identification data, the right being exercised and the manner in which they wish to be informed of the measures taken by the Company. Requests may be submitted in writing to the registered office of the Company or electronically by e-mail. The Company shall inform the data subject of the measures taken within one month of receipt of the request, or at the latest within three months if the period is extended due to justified necessity.

The Company shall notify each recipient to whom the personal data have been disclosed of any rectification of personal data, where feasible with reasonable effort. If requested by the data subject, the Company shall inform the data subject of such recipients.

12.4. Right to erasure / right to be forgotten

The Company shall erase personal data whenever the purpose of their processing has been fulfilled. Upon request of the data subject, the Company shall also erase personal data without undue delay if one of the following grounds applies:

the personal data are no longer necessary for the purposes for which they were collected or otherwise processed and no legal ground for processing exists;
the data subject withdraws consent on which the processing is based and no other legal ground for processing exists;
the data subject objects to the processing and there are no overriding legitimate grounds for processing, or the data subject objects to processing for direct marketing purposes;
the personal data have been processed unlawfully;
the personal data must be erased for compliance with a legal obligation under EU or Member State law applicable to the Company;
the personal data of a child were collected in connection with the offer of information society services directly to a child.
In a request for erasure, the data subject states their identification data, the right being exercised and the manner in which they wish to be informed of the measures taken by the Company. Requests may be submitted in writing or electronically by e-mail.

If the Company has made the personal data public and is obliged to erase them, it shall take reasonable steps, taking into account available technology and the cost of implementation, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, those personal data.

The above does not apply where processing is necessary:

for exercising the right of freedom of expression and information;
for compliance with a legal obligation or performance of a task carried out in the public interest or in the exercise of official authority vested in the Company; for reasons of public interest in the area of public health;
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing;
for the establishment, exercise or defence of legal claims.
The Company shall notify recipients of any erasure, where feasible with reasonable effort. If requested, the data subject shall be informed which recipients were notified. The Company shall inform the data subject of measures taken within one month, or up to three months if extended. If erasure is refused based on an exception, the Company shall inform the data subject, justify the refusal and inform them of the right to lodge a complaint or seek judicial remedy.

12.5. Right to restriction of processing

The data subject has the right to request restriction of processing in any of the following cases:

the accuracy of the personal data is contested;
processing is unlawful and the data subject opposes erasure;
the Company no longer needs the personal data but the data subject requires them for legal claims;
the data subject has objected to processing pending verification of legitimate grounds.
Requests must include identification data, the right exercised, the reason for restriction and the preferred method of notification.

Restricted data may only be processed with consent or for legal claims, protection of rights of others or important public interest. The data subject will be informed before restriction is lifted.

The Company shall notify recipients of restriction where feasible and inform the data subject upon request.

12.6. Right to data portability

The data subject has the right to receive personal data concerning them which they have provided to the Company and which are processed by automated means, provided that:

processing is based on consent;
special categories of personal data are processed based on explicit consent; or
processing is necessary for performance of a contract or pre-contractual measures.
Provided data include data actively supplied or generated through use of services.

Requests must specify identification data, the right exercised, recipient and preferred notification method.

Data shall be provided in a structured, commonly used and machine-readable format. Data portability must not adversely affect the rights and freedoms of others.

12.7. Right to object

Where processing is based on legitimate interest, the data subject has the right to object for reasons relating to their particular situation. Objections may be submitted electronically, by phone or in writing. The Company shall respond within one month or up to three months if extended.

If an objection is upheld, processing will cease and data will be erased. If overriding legitimate grounds exist, the data subject will be informed.

The data subject may object at any time to processing for direct marketing, after which such processing will cease.

12.8. Right not to be subject to automated decision-making, including profiling

The Company respects the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect the data subject.

Automated decisions may occur where necessary for contract performance, permitted by law with safeguards, or based on explicit consent.

Requests must include identification data, the right exercised and preferred notification method.

12.9. Where and how to exercise rights?

You may exercise your rights as follows:

electronically at info@iCLT.eu
by phone at +420 777 088 895;
in writing at Studené 106, 254 01 Jílové u Prahy.
Complaints may be lodged with the Office for Personal Data Protection:

electronically at posta(zavináč)uoou.cz;
via data box ID: qkbaa2n;
by phone at +420 234 665 111; or
in writing at Pplk. Sochora 27, 170 00 Prague 7,
or with another competent supervisory authority.

13. Under what conditions do we transfer personal data?

We may process personal data directly through our employees or through third-party processors. We have concluded data processing agreements with all processors. Personal data are transferred to the following entities as necessary to fulfil processing purposes:

Website and cloud service administrators; public authorities; companies within the Company group; marketing and PR partners (BLUE SYSTEM, s.r.o., ID No.: 28383656, Učňovská 379/6, Hrdlořezy 190 00, Praha 9).

We do not transfer personal data for consideration.

Personal data may be transferred to third countries outside the EU/EEA. Details will be provided individually.

14. How do we secure personal data?

We have implemented appropriate technical and organizational measures to ensure security proportional to risk.

We use firewalls, data encryption and reliable IT service providers.

Employees and authorized persons are bound by confidentiality obligations.

15. Final provisions

This Statement was approved by the statutory body of the Company and became effective on 27 January 2026. The Data Protection Officer is responsible for its completeness, accuracy and timeliness. The Statement is reviewed and updated regularly every 12 months or as needed.