Privacy Policy

Effective date: 3 May 2026 Version: 1.0 Controller: AVANTERRO SYSTEMS s.r.o.

What this document must contain

  • Identification of the controller and contact details
  • Purposes of processing and legal bases under Article 6 GDPR
  • Categories of personal data processed
  • Recipients and categories of recipients (sub-processors)
  • Retention period for each category of data
  • Information on transfers outside the EU/EEA and safeguards (SCCs)
  • Data subject rights and how to exercise them
  • Right to lodge a complaint with the supervisory authority (ÚOOÚ)
  • Information on automated decision-making and profiling
  • Brief summary of cookies + link to the Cookie Policy
  • Technical and organisational security measures
  • Rules for amending the document and version control

1. Who we are and how to contact us

This Privacy Policy describes how AVANTERRO SYSTEMS s.r.o. (hereinafter "Avanterro" or "we") processes your personal data in connection with providing the Avanterro service – a cloud-based information system for service businesses (hereinafter the "Service").

Controller identification:

  • Name: AVANTERRO SYSTEMS s.r.o.
  • Company ID (IČO): 24568082
  • Registered office: Příčná 1892/4, Nové Město, 110 00 Prague 1, Czech Republic
  • Registered in the Commercial Register kept by the Municipal Court in Prague, Section C, Insert 442318
  • E-mail for data protection enquiries: info@avanterro.com
  • Website: https://avanterro.com

Avanterro has not appointed a Data Protection Officer (DPO), as it is not required to do so under Article 37 GDPR. Please direct any data protection enquiries to the e-mail address above.

2. When we are a controller and when we are a processor

When providing the Service, we act in two distinct roles:

a) As a controller – when we process data relating to you personally as a customer of Avanterro (e.g. registration, billing, marketing communications, support). This Policy concerns this role.

b) As a processor – when you store data of your own customers on our servers (bookings, contacts, invoices, photographs of work orders, etc.). In that case you remain the controller of such data and Avanterro processes it solely on your instructions. This relationship is governed by the Data Processing Agreement (DPA), which forms part of your subscription.

3. What data we process and why

3.1 Registration and user account management

  • Data: first and last name, e-mail, password hash, language, time zone, IP address at registration, company (tenant) ID, role.
  • Purpose: creating and maintaining the account, authentication, separating data between tenants.
  • Legal basis: performance of a contract (Article 6(1)(b) GDPR).
  • Retention period: for the duration of the subscription plus 60 days after its termination (export window). Accounting and tax documents linked to the account are retained for the period required by law (10 years pursuant to Section 35 of Act No. 235/2004 Coll. on VAT and Section 31 of Act No. 563/1991 Coll. on Accounting).

3.2 Subscription and payments

  • Data: billing name, address, Company ID (IČO), VAT ID (DIČ), e-mail, order and invoice history, payment gateway transaction ID.
  • Purpose: conclusion and performance of the subscription contract, issuance of documents, accounting.
  • Legal basis: performance of a contract (Article 6(1)(b) GDPR), compliance with a legal obligation (Article 6(1)(c) GDPR – accounting and tax legislation).
  • Retention period: 10 years from the end of the tax period.
  • Note on payments: all payment transactions are processed by Paddle.com Market Limited acting as the seller of record under the Merchant of Record model. Avanterro does not receive or process payment card data – you enter such data directly into the Paddle environment, which is PCI-DSS Level 1 certified.

3.3 Operation and support of the Service

  • Data: login logs, IP address, browser identifier (User-Agent), records of user actions in the application (audit log), content of communications with support.
  • Purpose: ensuring security, incident handling, technical support, abuse prevention.
  • Legal basis: legitimate interest (Article 6(1)(f) GDPR) – interest in the secure and reliable operation of the Service; for support, performance of a contract.
  • Retention period: security logs 12 months, audit logs 24 months, support tickets 36 months from closure.

3.4 Error monitoring (diagnostics and Sentry Replay)

  • Data: technical information about the error (stack trace), URL, anonymised user identifier, browser version; subject to your consent, also an anonymised recording of user interface actions for 60 seconds preceding the error (Sentry Session Replay — all text masked, media blocked).
  • Purpose: detecting and fixing application errors.
  • Legal basis: legitimate interest (Article 6(1)(f) GDPR) for basic error monitoring (stack trace, URL). Sentry Session Replay: consent (Article 6(1)(a) GDPR) — granted via the cookie banner on avanterro.com.
  • Sub-processor: Functional Software, Inc. (Sentry.io), San Francisco, USA. Transfer secured by Standard Contractual Clauses (SCCs), Controller-to-Processor module.
  • Retention period: 90 days.

3.5 Marketing communications

  • Data: e-mail, name, segment (e.g. type of business), open and click history.
  • Purpose: sending Service news, tips and commercial communications.
  • Legal basis: legitimate interest in sending commercial communications to existing customers regarding similar services (Section 7(3) of Act No. 480/2004 Coll.); for non-customers, consent (Article 6(1)(a) GDPR).
  • Retention period: until consent is withdrawn or an objection is raised, no longer than 5 years from the last contact.
  • You can unsubscribe at any time with a single click in every e-mail or by writing to info@avanterro.com.

3.6 Visits to avanterro.com

  • Data: IP address, approximate location (country), browser, pages visited, referrer.
  • Purpose: ensuring website security, protection against DoS attacks.
  • Legal basis: legitimate interest (Article 6(1)(f) GDPR).
  • Retention period: 30 days in the server log.

4. Recipients of personal data (sub-processors)

To deliver the Service, we use the following vetted providers. All are bound by contractual confidentiality obligations and process data in compliance with the GDPR:

RecipientLocationPurposeTransfer safeguard
Hetzner Online GmbHNuremberg, Germany (EU)Hosting of application servers and databasesNot required (EU/EEA)
Paddle.com Market LimitedDublin, Ireland (EU)Seller of record for billing, payment processingNot required (EU/EEA)
Make.com (Celonis SE / Integromat s.r.o.)Prague, Czech Republic (EU)Webhook automationNot required (EU/EEA)
Functional Software, Inc. (Sentry.io)San Francisco, USAError monitoringStandard Contractual Clauses (SCCs), Controller-to-Processor module
Amazon Web Services EMEA SARL or Backblaze, Inc.Frankfurt (DE) / USAObject storage (attachments, photographs)EU region by default; for the US region SCCs, Controller-to-Processor module
Google LLC (Google Gemini API)Mountain View, USAMachine translation of UI strings (anonymised strings)SCCs; no personal data is transmitted to the API
SMTP relay provider (Google Workspace, Postmark or similar)EU / USA depending on choiceSending of transactional e-mailsSCCs, Controller-to-Processor module; the relay processes only the e-mail address and message content

We may also transfer personal data to:

  • public authorities to the extent required by law (Czech Police, courts, tax authorities, etc.),
  • legal and tax advisors and auditors bound by professional confidentiality,
  • a successor in business in the event of the sale or merger of Avanterro – in such a case you will be informed in advance and the same safeguards will be preserved.

Avanterro does not sell personal data to third parties.

5. Transfers outside the EU/EEA

Some sub-processors (Sentry, the AWS US region where applicable, Google Gemini, the SMTP relay) may process data in the United States or other countries outside the EU/EEA. In such cases the transfer is secured by Standard Contractual Clauses adopted by the European Commission (Implementing Decision (EU) 2021/914) in the relevant module, supplemented where appropriate by technical measures (encryption, pseudonymisation).

An up-to-date list of sub-processors and copies of the SCCs are available upon request at info@avanterro.com.

6. Your rights

In connection with the processing of your personal data you have the following rights:

  • Right of access (Article 15 GDPR) – to obtain confirmation as to whether we process your data and to receive a copy of it.
  • Right to rectification (Article 16 GDPR) – to have inaccurate data corrected and incomplete data completed.
  • Right to erasure (Article 17 GDPR) – the "right to be forgotten" where data is no longer needed, you withdraw consent, you successfully object, or we process the data unlawfully.
  • Right to restriction of processing (Article 18 GDPR) – in certain cases, to have processing limited to mere storage.
  • Right to data portability (Article 20 GDPR) – to receive your data in a structured, machine-readable format (JSON/CSV).
  • Right to object (Article 21 GDPR) – to processing based on legitimate interests, in particular to direct marketing.
  • Right to withdraw consent (Article 7(3) GDPR) – at any time, without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decision-making (Article 22 GDPR) – see section 7 below.

You may exercise these rights by writing to info@avanterro.com. We respond without undue delay, no later than within 30 days; in more complex cases this period may be extended by a further two months, of which we will inform you. We may request additional information to verify your identity.

If you believe that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority:

Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů – ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz, posta@uoou.gov.cz

7. Automated decision-making and profiling

Avanterro does not carry out automated individual decision-making within the meaning of Article 22 GDPR, nor does it carry out profiling that produces legal or similarly significant effects on the data subject. Algorithmic features within the Service (e.g. ordering, scheduling suggestions) are mere aids; the final decision is always taken by the human operator of the application.

8. Cookies and similar technologies

The Avanterro website (avanterro.com) displays a cookie banner with two options: "Accept all" (allows strictly necessary cookies and the Sentry Replay error diagnostics service) and "Only necessary" (only cookies essential for website functionality — sign-in, language). You may change your selection at any time by removing the avanterro_cookies_v2 key from localStorage and reloading the page. For details, please see our separate Cookie Policy available at https://avanterro.com/en/cookies.

9. Security of processing

Taking into account the risks involved and the state of the art, we apply in particular the following technical and organisational measures:

  • encryption of data in transit (TLS 1.2+) and encryption of backups and data at rest (AES-256) at the cloud storage level,
  • separation of data between tenants at the application level (multi-tenant isolation) and at the database permission level,
  • multi-factor authentication (MFA) for access by Avanterro administrators,
  • principle of least privilege and access logging (audit log),
  • regular backups with defined RPO/RTO and recovery testing,
  • vulnerability scanning and dependency updates, static security analysis in CI/CD,
  • penetration testing in line with the significance of changes,
  • contractual confidentiality obligations and training for persons with access to the data,
  • processes for handling data subject requests and for incident reporting (Incident Response Plan).

10. Personal data breaches

In the event of a personal data breach that poses a risk to the rights and freedoms of natural persons, we will notify the supervisory authority (ÚOOÚ) without undue delay, no later than within 72 hours of becoming aware of it (Article 33 GDPR). Where the breach is likely to result in a high risk, we will also notify the affected data subjects without undue delay (Article 34 GDPR).

11. Changes to this Policy

We may update this Policy from time to time, for example in response to changes in legislation or expansion of the Service. We will inform you of material changes at least 30 days in advance by e-mail or by an in-app notice. Minor wording adjustments are published without separate notice.

The current version is always available at https://avanterro.com/en/privacy. Version history is maintained internally and a copy will be provided upon request.

This document takes effect on 3 May 2026. Version 1.0.