Privacy Policy

Last Updated: May 8, 2026

This Privacy Policy describes how NejedNiko.cz (the "Site", "we", "us") collects, uses, stores, and protects your personal data in accordance with the EU General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable Czech law (Act No. 110/2019 Coll.).

1. Data Controller

The data controller for this website is Nikola Nejedlý, the sole operator of NejedNiko.cz. Contact: use the official contact form.

2. What Data We Collect and Why

2.1 Analytics & Security Data

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - to understand how the site is used, detect and block malicious automated traffic, and maintain site security.

  • IP address - collected at each visit; used for geolocation (country only), bot detection, and security threat analysis. Stored as a hashed or raw value in the security cache for bot classification purposes. IP-to-user links are stored for registered users to support account security.
  • User-Agent string - browser, OS, and device type, used for compatibility analysis and bot detection.
  • Visited pages, timestamps, and referrers - to understand popular content and traffic sources. Detailed pageviews are deleted after 90 days; daily visitor summaries are kept indefinitely in anonymized aggregate form.
  • Error and security logs - unauthorized access attempts, SQL injection probes, and scanner activity. Deleted after 90 days.
  • External link clicks - anonymized record of external links clicked, to understand content engagement.

Admin users' own browsing is excluded from all analytics tracking.

2.2 Account Data

Legal basis: Contract performance (Art. 6(1)(b) GDPR) - necessary to provide registered user features.

  • Username, email address, password (stored as a secure one-way hash)
  • Account creation date, last login time
  • Google OAuth identifier (if you use Google sign-in)
  • Content you create: blog comments, likes, favourites, and uploaded files

2.3 Messages

Legal basis: Contract performance (Art. 6(1)(b) GDPR) for messages exchanged between registered users; Consent (Art. 6(1)(a) GDPR) for contact form messages from non-registered users.

  • Message text, subject, and any file attachments you upload
  • Sender and recipient identifiers, read status, timestamps
  • For contact form messages: email address and optional consent to be contacted back

2.4 Cookies & Local Storage

Legal basis: Consent (Art. 6(1)(a) GDPR) for non-essential cookies; legitimate interest for strictly necessary session cookies.

See the Cookie Policy for full details.

2.5 Download Tracking

Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) - abuse prevention. IP addresses are logged per file download and deleted after 30 days.

3. Automated Decision-Making & Bot Classification

This site uses an automated security system (NNShield) that classifies IP addresses as human or automated based on request patterns (request rate, paths requested, User-Agent, and similar signals). An IP classified as a bot or malicious scanner may be automatically blocked from accessing the site. We do not consider this to be automated decision-making with legal or similarly significant effects on a natural person under Art. 22 GDPR: the classification is applied to the traffic pattern of an IP address, its only effect is to block automated software clients from the site, and no decision about you as an individual is derived from it.

You can view public aggregate statistics at NNShield.

4. Data Sharing and Third Parties

  • We do not sell personal data to any third party.
  • We do not use third-party advertising networks or tracking pixels.
  • We use ip-api.com and ipapi.co for IP geolocation lookups (country-level only). Your IP address is sent to these services as part of the lookup. Both services process IPs under their own privacy policies.
  • We may disclose data to comply with a legal obligation (Art. 6(1)(c) GDPR), protect vital interests, or respond to verified law enforcement requests.
  • Messages are shared only with their intended recipients.

5. International Transfers

Geolocation lookups may involve a transfer of data outside the EEA to ip-api.com (US) and ipapi.co (US). Each transfer is limited to the minimum necessary: only the IP address is sent, and only a country code is returned. The lookups are performed for the security processing described in Section 2.1, and each provider processes the IP address under its own privacy policy.

6. Data Retention

Data type                                         Retention period
Account data                                      Until account deletion is requested
User-created content (posts, likes, favourites)   Indefinitely unless removed by user or admin
Messages                                          Until deleted by the sender or recipient
Detailed analytics pageviews                      90 days (automatic deletion)
Security / error logs                             90 days (automatic deletion)
Daily visitor summaries                           Indefinitely (anonymized aggregates only)
IP bot classification cache                       Indefinitely (security-critical; no personal data beyond the IP address itself)
IP-to-user security mappings                      Until account deletion
Download access logs                              30 days (automatic deletion)
Event / security audit logs                       180 days

7. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

  • Right of access (Art. 15) - obtain a copy of your personal data
  • Right to rectification (Art. 16) - correct inaccurate data
  • Right to erasure (Art. 17) - request deletion of your data ("right to be forgotten")
  • Right to restriction of processing (Art. 18) - limit how your data is used
  • Right to data portability (Art. 20) - receive your data in a structured, machine-readable format
  • Right to object (Art. 21) - object to processing based on legitimate interests (including analytics and security profiling)
  • Right to withdraw consent (Art. 7(3)) - withdraw consent at any time without affecting prior processing
  • Right not to be subject to solely automated decisions (Art. 22) - see Section 3 above

To exercise any of these rights, contact us. We will respond within one month of receiving your request, as required by Art. 12(3) GDPR. Where a request is complex or we receive many requests, this period may be extended by two further months; if so, we will inform you of the extension and the reasons for it within the first month.

If you believe your rights have been violated, you have the right to lodge a complaint with the supervisory authority:

Office for Personal Data Protection (UOOU)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
www.uoou.cz

8. Security

We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or misuse, including:

  • Password hashing (one-way, not reversible)
  • HTTPS encryption for all connections
  • Automated bot and attack detection (NNShield)
  • Session-based authentication with secure cookie flags
  • CSRF protection on all forms
  • Prepared SQL statements and input validation throughout

In the event of a personal data breach, we will notify the supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to your rights and freedoms (Art. 33 GDPR). Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify the affected individuals without undue delay (Art. 34 GDPR).

9. Children's Privacy

This site is not directed at children under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor's data has been submitted, please contact us for immediate deletion.

10. Policy Updates

We may update this policy. The "Last Updated" date at the top reflects the most recent change. Material changes will be communicated via the site notification system where possible. Continued use of the site after changes constitutes acceptance of the updated policy.

11. Contact

Use the official contact form for any privacy-related questions or requests.

Thank you for using NejedNiko.cz!
