MarketingAgency

Privacy Policy

Last updated: May 23, 2026

1. Data Controller

Legal name: Hotel Říčky s.r.o.
Company ID (IČO): 17419531
VAT ID (DIČ): CZ17419531
Registered office: Říčky v Orlických horách 21, 517 61 Říčky v Orlických horách, Czech Republic
Commercial register: File C 49908 at the Regional Court in Hradec Králové
Email: info@hotelricky.cz
Phone: +420 721 423 520

Hotel Říčky s.r.o. (the “Controller” or “Operator”) is the data controller within the meaning of Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on Personal Data Processing.

2. What data we collect

To operate the MarketingAgency platform (the “Service”), we collect the following categories of personal data:

  • Authentication info from Meta / Google / email — name, email address, profile picture obtained during OAuth login (Meta Login, Google Sign In, Clerk Authentication).
  • Facebook Page IDs and OAuth access tokens — IDs of Facebook Pages and access tokens required to access Page Insights, publish posts, and manage Page metadata.
  • Instagram Business account data — IDs of connected Instagram Business accounts, metadata (name, category, follower count), Insights metrics.
  • Page Insights metrics — aggregated performance metrics (impressions, reach, engagement, post performance, follower demographics).
  • Google OAuth scopes — tokens to Google Ads, GA4, Search Console, Tag Manager, Google Business Profile for analysing advertising and SEO data.
  • Organisation and project data — company name, domain, branding details, monthly budget, team structure.
  • AI interactions — AI agent queries and outputs, project knowledge base, generated suggestions.
  • Operational data — IP address, browser, login timestamps, action log for security and debugging.

OAuth access tokens are stored encrypted (AES-256-GCM) in our database. We never share them with any third party outside of necessary API calls to Meta / Google on behalf of the user.

3. Purpose of processing

  • Marketing performance analysis — aggregating data from Google Ads, Meta Ads, GA4, Search Console, Page Insights for reports and recommendations.
  • AI-generated recommendations — AI agents evaluate data and suggest campaign optimisations, content calendars, keywords.
  • Content publishing automation — after user approval, the agent may publish posts to a Facebook Page or Instagram Business account.
  • Billing and invoicing — payment processing via Stripe, issuing invoices.
  • Service security — abuse detection, fraud prevention, audit logs.

4. Legal basis

The primary legal basis for processing is performance of a contract (Article 6(1)(b) GDPR) — the user explicitly connects to Meta / Google OAuth and thereby expresses an unambiguous wish that the Controller processes their data for the purposes of providing the Service.

We also rely on:

  • Legitimate interest (Article 6(1)(f)) — Service improvement, security telemetry, fraud prevention.
  • Legal obligation (Article 6(1)(c)) — tax and accounting regulations, invoice archival.
  • Consent (Article 6(1)(a)) — only for non-essential telemetry (PostHog product analytics), revocable at any time.

5. Who we share data with

We share data with the following processors (sub-processors). We have a DPA and Standard Contractual Clauses (SCC) in place with all of them for transfers outside the EU.

| Provider | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting, edge functions | EU / USA (SCC) |
| Anthropic PBC | AI processing (Claude models) | USA (SCC) |
| OpenAI Inc. | Embedding models for semantic search | USA (SCC) |
| Convex Inc. | Real-time database, reactive layer | USA (SCC) |
| Neon, Inc. | Postgres database for persistent data | EU (Frankfurt) |
| Stripe, Inc. | Payment processing and billing | EU / USA (SCC) |
| Sentry (Functional Software) | Error tracking and performance monitoring | EU (Frankfurt) |
| PostHog Inc. | Product analytics (anonymized IP) | USA (SCC) |
| Clerk Inc. | User authentication | USA (SCC) |
| Meta Platforms, Inc. | OAuth, Facebook Pages, Instagram, Meta Ads — only data synchronised on your instruction | USA (SCC) |
| Google LLC | OAuth, Google Ads, GA4, Search Console — only data synchronised on your instruction | USA (SCC) |

6. Retention period

  • Active accounts — for the duration of the contract.
  • Archive data after contract termination — 3 years for potential legal claims and audit purposes.
  • Accounting documents — 10 years per Czech Act No. 563/1991 Coll. on Accounting.
  • OAuth tokens — deleted immediately upon disconnecting the integration or closing the account.
  • AI interactions — 90 days for debugging, then anonymised.

You can request permanent deletion of all your data at any time (see section 8).

7. Your rights

Under GDPR you have the following rights, which you may exercise with the Controller:

  • Right of access — receive a copy of your personal data.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — remove all your data.
  • Right to restriction — pause processing in certain cases.
  • Right to object — against processing based on legitimate interest.
  • Right to data portability — receive data in machine-readable format (JSON / CSV).
  • Right to lodge a complaint — with the Czech DPA (uoou.cz).

Send requests to info@hotelricky.cz. We respond within 30 days of receipt.

8. Data deletion

You can request deletion of your personal data in the following ways:

  1. Disconnecting the app in Meta / Google settings — Meta notifies us via data-deletion callback. Our application automatically deactivates your OAuth tokens and marks synchronised data for deletion.
  2. Deleting the account in the app — in account settings by clicking “Delete account”.
  3. Email request to info@hotelricky.cz.

Permanent deletion is completed within 30 days of receipt. You can verify the status of your request at /data-deletion-status.

Data Deletion Callback URL (for Meta App Review): https://marketingagency.cz/api/auth/data-deletion

9. Cookies

We use the following categories of cookies:

  • Strictly necessary — authentication session, CSRF protection. The Service cannot function without them. No consent required.
  • Analytics — PostHog with anonymized IP, no cross-site tracking. You may decline in the cookie banner.

We do not use any third-party marketing cookies (Google Analytics / Ads pixel, Facebook Pixel, etc.). Conversion tracking is done exclusively server-to-server.

10. Changes to this policy

We may update this policy. We will notify you of material changes by email at least 30 days in advance. The date of the last update is always shown in the header of this document.

Last updated: May 23, 2026 (version 2.0)

11. Contact / DPO

The Controller is not required to appoint a Data Protection Officer under Article 37 GDPR. The responsible person for GDPR communication is:

Hotel Říčky s.r.o.

Říčky v Orlických horách 21, 517 61 Říčky v Orlických horách, Czech Republic

Email: info@hotelricky.cz

Phone: +420 721 423 520