Privacy and Cookies Information for zCommerce

  • Document version: GDPR-ZC-2026-06
  • Operator: Zserver s.r.o.
  • Company ID: 26249928
  • VAT ID: CZ26249928
  • Registered office: Heydukova 163, 572 01 Policka, Czech Republic
  • Commercial Register entry: file no. C 21393 kept by the Regional Court in Hradec Kralove
  • zCommerce e-mail: info@zcommerce.cz
  • Phone: +420 776 251 658
  • Website: www.zcommerce.cz
  • Brand: zCommerce by Zserver s.r.o.
  • Effective from: 2026-06-01

This document explains how Zserver s.r.o., as the operator of the www.zcommerce.cz store, processes the personal data of customers, leads, website visitors, customer account users, zCommerce module users and other persons. It also contains information about the use of cookies and similar technologies.

1. Introductory provisions

1.1 When processing personal data, we follow Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), Czech Act No. 110/2019 Coll. on the processing of personal data, Czech Act No. 480/2004 Coll. on certain information society services, Czech Act No. 127/2005 Coll. on electronic communications, and other applicable legal regulations.

1.2 The controller of personal data is Zserver s.r.o., Company ID 26249928, registered office Heydukova 163, 572 01 Policka, Czech Republic.

1.3 zCommerce is a trade name and brand of digital products provided by Zserver s.r.o. zCommerce is not a separate legal entity.

1.4 For privacy matters, contact us at info@zcommerce.cz.

1.5 No data protection officer has been appointed for Zserver s.r.o. unless stated otherwise on the website or in an individual agreement.

1.6 Zserver s.r.o. may act:

  • as a controller of personal data, when it determines the purpose and means of processing, for example for orders, invoicing, customer communication, account management, zCommerce licenses, marketing or website operation,
  • as a processor of personal data, when it processes personal data on behalf of a customer, for example during module installation in the customer's store, technical support, diagnostics, service interventions or work with data from the customer's system.

1.7 If we act as a processor of a customer's personal data, such processing is governed in particular by a data processing agreement or another legal act under Article 28 GDPR.

2. What personal data we process

2.1 We primarily process data that you provide to us, data generated when using the store and modules, data generated while providing support, and data obtained from public registers or technical systems.

2.2 Depending on the specific situation, this may include in particular:

  • identification data: first name, last name, company name, company ID, VAT ID, registered office, address,
  • contact data: e-mail, phone number, delivery data,
  • billing and payment data: order number, invoice, variable symbol, payment details, bank account details to the extent needed for payment or refund,
  • contractual data: ordered products, licenses, customer account, order history, update entitlement status,
  • communication data: e-mails, messages from contact forms, support requests, ticket communication, notes about handling the request,
  • technical data: IP address, hostname, domain, URL, server logs, access time, user-agent, technical service status, session identifier, security logs,
  • zCommerce module data: license key, customer identifier, domain, URL, installation ID, module name and version, platform version, PHP version, activation date, license status, update entitlement status, error codes and technical metadata,
  • data provided during technical support: credentials, logs, screenshots, exports, parts of configuration, temporary access data and error descriptions if the customer provides them,
  • data related to cookies and website visits: cookie identifiers, consent settings, analytical data, website visit data to the extent determined by the cookie settings,
  • data needed to exercise rights, handle complaints, withdrawal, refunds, claims, incidents and legal obligations.

2.3 We do not intentionally request or systematically process special categories of personal data under Article 9 GDPR, such as health data. If you provide such data in communication, requests or attachments, we process it only to the extent necessary to handle the request or protect rights.

3. Purposes, legal bases and retention periods

3.1 Orders, contracts and delivery of digital content

We process identification, contact, contractual, billing and technical data for the purpose of concluding and performing a contract, delivering digital content, providing access to the customer account, activating licenses, sending download links, issuing invoices and communicating with the customer.

Legal basis: performance of a contract or steps taken before entering into a contract; for some related actions also legitimate interest in proper records and protection of rights.
Retention period: for the duration of the contractual relationship and then for the period necessary to protect rights and legal claims, usually 3 to 4 years after the contractual relationship ends, unless legal regulations require a longer period.

3.2 Invoicing, accounting and tax obligations

We process data stated on accounting and tax documents and data about payments, orders and contractual performance.

Legal basis: compliance with a legal obligation.
Retention period: for the period required by accounting and tax regulations, usually 5 to 10 years depending on the type of document and legal obligation.

3.3 Customer account

We process data necessary to create and manage the customer account, access the interface, manage orders, licenses, invoices, module downloads, requests and contact persons.

Legal basis: performance of a contract and legitimate interest in secure and clear product and license management.
Retention period: for the duration of the account and contractual relationship; after that for the period necessary to fulfil legal obligations and protect rights.

3.4 Technical support, service interventions and remote access

During technical support, we may process data contained in communication, logs, error reports, configuration, screenshots, exports, database extracts or in the environment to which the customer grants us access.

Legal basis: performance of a contract, legitimate interest in resolving the request and protecting rights; if we act as the customer's processor, also the customer's instructions under the processing agreement.
Retention period: for the duration of the request and then usually 3 to 4 years to document the support process and protect rights, unless otherwise agreed or required. Temporary access and exports are deleted or returned without undue delay after the purpose has been fulfilled unless there is a reason to retain them longer.

3.5 zCommerce modules - license activation and license management

For zCommerce modules, we may process the license key, customer identifier, customer e-mail, domain, URL, installation ID, module name and version, platform version, PHP version, IP address, activation time, license status, update entitlement status and activation-related technical error codes.

Purpose: license activation, license management, verification of license scope, protection against unauthorised use, provision of updates and support.
Legal basis: performance of a contract and legitimate interest in license protection, prevention of misuse and management of digital content.
Retention period: for the duration of the license and then for the period necessary to protect rights, resolve disputes and maintain accounting or contractual records.

3.6 zCommerce modules - update checks (version check)

Version checks serve to verify the availability of new versions, security fixes, compatibility information and update entitlement status. They may include the module name, module version, platform version, PHP version, domain or installation ID, license status, check time and IP address.

Legal basis: performance of a contract where updates are involved and legitimate interest in security, compatibility and license management.
Nature: unless stated otherwise for a specific module, automatic version checks may be enabled but should be switchable off in the module administration where the technical nature of the module allows it.
Effect of disabling: disabling version checks does not terminate the license and does not by itself prevent normal module operation, but it may limit automatic information about new versions, security fixes and compatibility.
Retention period: operational logs of version checks are retained only for a reasonable period, usually measured in months, unless longer retention is necessary for protection of rights, security or incident resolution.

3.7 zCommerce modules - optional diagnostics and telemetry

Some modules may allow the sending of optional diagnostics, for example error codes, status information, pseudonymised technical metadata, compatibility details and other data necessary for error analysis and module improvement.

Legal basis: user consent or legitimate interest where the processing concerns necessary security or operational diagnostics.
Nature: enhanced diagnostics that are not necessary for license activation, security, version checks or contractual performance are optional. Unless stated otherwise for a specific module, optional telemetry should be switched off by default and the user can enable it in the module administration.
Effect of disabling: disabling optional diagnostics does not prevent normal module operation but may limit our ability to analyse an issue quickly or recommend a fix.
Retention period: diagnostic data is retained for the period necessary for analysis and improvement, usually no longer than 12 months, unless a longer period is required for incident resolution or protection of rights.

Telemetry and technical metadata are not described as anonymous where they can be linked to a license, customer account, domain, installation ID, IP address or another identifier.

3.8 Security, service protection and misuse prevention

We process operational and security data for the purpose of protecting the store, licensing system, customer account and support tools, preventing misuse, detecting attacks, resolving incidents, limiting malicious traffic and protecting rights.

Legal basis: legitimate interest in the security and protection of services, customers and rights; where relevant also compliance with a legal obligation.
Retention period: security logs and records are retained for a period appropriate to the nature of the risk, usually measured in months; for serious incidents, for as long as necessary to resolve the incident, protect rights or comply with legal obligations.

3.9 Direct marketing and marketing communications

We may send existing customers marketing communications about our own similar products or services if they provided their e-mail in connection with an order of digital content and did not opt out. Each marketing communication must contain a simple unsubscribe option.

Legal basis: legitimate interest and special rules for marketing communications under Czech Act No. 480/2004 Coll.; consent for non-customer marketing.
Retention period: for the duration of the customer relationship and then for a reasonable period, at most until an unsubscribe or objection is received; we may keep a record of the opt out to demonstrate that we no longer send such communications.

3.10 Complaints, withdrawal, refunds and legal claims

We process data required to handle complaints, withdrawal, refunds, grievances, incidents, communication with public authorities, inspections and legal claims.

Legal basis: compliance with a legal obligation and legitimate interest in protecting rights.
Retention period: for the period necessary to handle the matter and then for the relevant limitation, archiving or statutory periods.

4. Cookies and similar technologies

4.1 Cookies are small files or similar identifiers stored in the visitor's browser or device. They may be used for website operation, storing preferences, measuring traffic, security, personalisation or marketing.

4.2 We use the following main categories of cookies and similar technologies:

Category Purpose Legal basis Consent
Essential cookies Website operation, security, checkout, customer account, forms, storing consent preference legitimate interest / performance of a contract not required
Preference cookies Saving user settings where not strictly necessary consent or legitimate interest depending on the case usually yes
Analytics cookies Measuring traffic and website usage consent unless a narrow legal exception applies for purely technical anonymised measurement yes
Marketing cookies Advertising personalisation, remarketing, campaign measurement consent yes

4.3 We may use essential cookies without consent because they are necessary for the operation of the website, security, transmission of communications, storing consent preferences or providing a service explicitly requested by the user.

4.4 Analytics, marketing and other non-technical cookies are used only after prior consent unless the law allows another regime.

4.5 The cookie banner must allow consent and refusal in a comparably easy manner. If the visitor does not provide consent, non-technical cookies must not be activated.

4.6 You can change or withdraw cookie consent at any time via the cookie banner, cookie settings on the website or browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

4.7 A specific list of cookies used, their providers and retention periods may be stated directly in the cookie banner or in separate cookie settings. If the use of cookies changes, we will update the cookie banner settings or this document.

5. Recipients and processors of personal data

5.1 We do not provide personal data to third parties for their own marketing purposes without an appropriate legal basis.

5.2 Personal data may, where necessary, be made available to the following categories of recipients or processors:

  • providers of server, cloud, backup, networking and infrastructure services,
  • providers of e-mail, invoicing, accounting, banking, payment and economic services,
  • providers of customer support, ticketing, monitoring, security, logging and analytics tools,
  • external administrators, developers, consultants, lawyers, accountants and tax advisers,
  • providers of software tools, repositories, development, testing and AI tools where used for a specific service and in accordance with legal regulations,
  • public authorities, courts, police or other authorised bodies where legal regulations or a legitimate request require such disclosure.

5.3 Where processors are used, we require appropriate safeguards for personal data protection and a contract or other legal instrument where GDPR requires it.

6. Transfers outside the EU/EEA

6.1 We seek to process personal data primarily in the Czech Republic, the European Union or the European Economic Area.

6.2 If in a specific case personal data is transferred outside the EU/EEA, such transfer will be carried out only if GDPR conditions are met, in particular on the basis of an adequacy decision, standard contractual clauses, a GDPR derogation or another lawful mechanism.

6.3 Where we act as the customer's processor, transfers outside the EU/EEA are also governed by the customer's instructions and the processing agreement.

7. Security of personal data

7.1 We implement reasonable technical and organisational measures to protect personal data with regard to the nature of the processing, the scope of the data, the risks and the state of the art.

7.2 These measures include, in particular, access restrictions to authorised persons, individual accounts, appropriate access rights, strong passwords, multi-factor authentication where appropriate, encrypted transmission, logging, monitoring, backups, system updates, data minimisation during support and confidentiality obligations for persons accessing the data.

7.3 During technical support, we recommend that customers provide temporary and limited access, use test environments and change or revoke access after the intervention is completed.

8. Rights of data subjects

8.1 Under GDPR and subject to its conditions, you have in particular the following rights:

  • the right of access to personal data,
  • the right to rectification of inaccurate data,
  • the right to erasure,
  • the right to restriction of processing,
  • the right to data portability,
  • the right to object to processing based on legitimate interest,
  • the right to withdraw consent where processing is based on consent,
  • the right to lodge a complaint with a supervisory authority.

8.2 You may exercise your rights by e-mail at info@zcommerce.cz or in writing to the company's registered office. To facilitate handling of your request, we may require reasonable identity verification.

8.3 We will respond without undue delay, usually no later than within 1 month. In justified cases, this period may be extended as permitted by GDPR.

8.4 Where we process data as a processor on behalf of a customer, we will pass the request to the relevant customer as controller or act according to the customer's instructions.

8.5 The supervisory authority is the Czech Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, website www.uoou.cz.

9. Right to object

9.1 If we process personal data on the basis of legitimate interest, you have the right to object at any time on grounds relating to your particular situation.

9.2 If you object to direct marketing, we will stop processing your personal data for that purpose.

10. Consent and withdrawal

10.1 Where processing is based on consent, giving consent is voluntary. Consent may be withdrawn at any time.

10.2 Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

10.3 Cookie consent can be managed through the cookie banner or cookie settings. Consent to marketing communications can be withdrawn through the unsubscribe link in the e-mail or by sending a message to info@zcommerce.cz.

10.4 Consent to optional diagnostics or telemetry in zCommerce modules may be withdrawn in the module administration if the module contains such a function, or by another method stated in the documentation.

11. Automated decision-making and profiling

11.1 We do not carry out decision-making based solely on automated processing that would produce legal effects concerning the data subject or similarly significantly affect them within the meaning of Article 22 GDPR.

11.2 We may use automated technical tools for security, monitoring, attack detection, spam filtering, license verification, update availability checks or service protection. These tools serve technical administration and service security.

12. AI and development tools

12.1 During development, bug analysis, content preparation, programming or technical support, we may use software, development, analytical or AI tools. Personal data is entered into such tools only to the extent necessary and only where we have a legal basis or the customer's instruction.

12.2 When using such tools, we focus on data minimisation, pseudonymisation or anonymisation where possible and on avoiding unnecessary transfer of production data, credentials, store customer data or other sensitive information.

12.3 If a customer expressly prohibits the use of specific external or AI tools for their data, and such prohibition forms part of the contractual arrangement, we will respect that instruction within the agreed scope.

13. Summary for zCommerce modules

13.1 For zCommerce modules, we distinguish three technical modes:

  • license activation and license management - usually necessary for paid modules, updates, support and license protection,
  • version check - checking the availability of updates, security fixes and compatibility information; this may be switchable off according to the module's technical possibilities,
  • optional diagnostics or telemetry - extended diagnostic data for error analysis and module improvement; this should be explicitly optional unless necessary for security, licensing or contractual performance.

13.2 Normal module operation should not depend on the permanent availability of the licensing server where this is technically possible and unless a specific module states otherwise.

13.3 Disabling version checks or optional diagnostics does not by itself terminate the license. It may, however, limit automatic information about new versions, the availability of updates or the scope of technical support.

14. Changes to this document

14.1 We may update this document in particular when legal regulations, services, the technical design of the store, zCommerce modules, cookies, processors or processing purposes change.

14.2 The current version is available on www.zcommerce.cz. For significant changes that materially affect data subjects' rights, we may also notify customers by e-mail, in the customer account, in module administration or by another suitable means.

14.3 This document takes effect on 2026-06-01.

Loading...
Back to top