Privacy Policy
Last updated: July 9, 2026
This Privacy Policy explains how we process personal data in connection with our website, orders and office subscriptions, in accordance with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll., on Personal Data Processing.
We process only the data we genuinely need, we do not sell personal data, and card data never touches our systems.
1. Who is the controller
The controller of your personal data is [Trader / trade name], registered office at [Street 000/0, 110 00 Praha 1, Czech Republic].
You can contact us about anything related to personal data at hello@koftera.co. We have not appointed a data protection officer, as we are not required to under Article 37 GDPR.
2. What data we process
We process the following categories of personal data:
- Contact and identification data — name, work email, phone number, company name, company registration and VAT number, and billing address of the company you represent.
- Order data — order contents, delivery addresses, recipient names for split shipments, communication about the brief, mockups and approvals.
- Account data — email, hashed password and account settings if you create a customer account.
- Payment data — payments are processed by Stripe; card numbers never touch our systems. We receive only payment status, the last four digits of the card and billing details necessary for invoicing.
- Technical data — essential cookies and basic server logs (IP address, browser type, time of request) needed to operate and secure the website.
3. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases (Article 6(1) GDPR):
- Performance of a contract (Art. 6(1)(b)) — handling your brief, preparing mockups, producing and delivering orders, managing subscriptions and customer accounts.
- Legal obligations (Art. 6(1)(c)) — issuing and archiving invoices and accounting records under Czech tax and accounting law.
- Legitimate interest (Art. 6(1)(f)) — website security, fraud prevention, defending legal claims, and direct marketing to existing business customers (you can object at any time).
- Consent (Art. 6(1)(a)) — newsletter and marketing communications for non-customers, and analytics cookies. Consent can be withdrawn at any time with effect for the future.
4. Processors and recipients
We share personal data only with service providers who help us run the business, under data processing agreements pursuant to Article 28 GDPR:
- Supabase — hosting of our application database and authentication.
- Vercel — hosting of the website.
- Stripe — payment processing; Stripe acts as an independent controller for card data.
- Carriers (e.g. Zásilkovna, PPL, DPD, courier services) — name, delivery address and phone/email of recipients, strictly for delivery.
- Accounting and tax advisors — invoicing data as required by law.
5. Fonts and third-party requests
Web fonts on this site are self-hosted and served from our own infrastructure (via next/font). Your browser makes no requests to Google Fonts or other font CDNs, and no data is transmitted to Google when the site loads fonts.
6. How long we keep data
We keep personal data only as long as necessary for the given purpose:
- Order and contract data — for the duration of the contract and 4 years thereafter (limitation periods for legal claims).
- Invoices and tax documents — 10 years, as required by Czech VAT law.
- Customer accounts — until you delete the account or after 3 years of inactivity, whichever comes first.
- Marketing consents — until withdrawn, at most 3 years from the last interaction.
- Server logs — up to 12 months.
7. Your rights
Under the GDPR you have the following rights, exercisable by emailing hello@koftera.co. We respond within one month.
- Right of access — to obtain a copy of the personal data we hold about you (Art. 15).
- Right to rectification — to correct inaccurate or incomplete data (Art. 16).
- Right to erasure — to have data deleted where there is no legal ground to keep it (Art. 17).
- Right to restriction of processing (Art. 18).
- Right to data portability — to receive data you provided in a machine-readable format (Art. 20).
- Right to object — in particular to processing based on legitimate interest and to direct marketing (Art. 21).
- Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
8. Right to lodge a complaint
If you believe we process your personal data unlawfully, you have the right to lodge a complaint with the Czech supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz. We would nevertheless appreciate the chance to resolve your concern directly first.
9. International transfers
Our primary hosting regions are within the EU. Some of our providers (e.g. Vercel, Stripe, Supabase) are US-headquartered companies; where personal data is transferred outside the EEA, the transfer is protected by the EU–US Data Privacy Framework and/or European Commission Standard Contractual Clauses, together with additional safeguards where appropriate.
10. Changes to this policy
We may update this policy from time to time. The current version is always published on this page with the date of the last update. Material changes will be communicated to registered customers by email.