Privacy and Cookies Information for zCommerce
- Document version: GDPR-ZC-2026-06
- Operator: Zserver s.r.o.
- Company ID: 26249928
- VAT ID: CZ26249928
- Registered office: Heydukova 163, 572 01 Policka, Czech Republic
- Commercial Register entry: file no. C 21393 kept by the Regional Court in Hradec Kralove
- zCommerce e-mail: info@zcommerce.cz
- Phone: +420 776 251 658
- Website: www.zcommerce.cz
- Brand: zCommerce by Zserver s.r.o.
- Effective from: 2026-06-01
This document explains how Zserver s.r.o., as the operator of the www.zcommerce.cz store, processes the personal data of customers, leads, website visitors, customer account users, zCommerce module users and other persons. It also contains information about the use of cookies and similar technologies.
1. Introductory provisions
1.1 When processing personal data, we follow Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"), Czech Act No. 110/2019 Coll. on the processing of personal data, Czech Act No. 480/2004 Coll. on certain information society services, Czech Act No. 127/2005 Coll. on electronic communications, and other applicable legal regulations.
1.2 The controller of personal data is Zserver s.r.o., Company ID 26249928, registered office Heydukova 163, 572 01 Policka, Czech Republic.
1.3 zCommerce is a trade name and brand of digital products provided by Zserver s.r.o. zCommerce is not a separate legal entity.
1.4 For privacy matters, contact us at info@zcommerce.cz.
1.5 No data protection officer has been appointed for Zserver s.r.o. unless stated otherwise on the website or in an individual agreement.
1.6 Zserver s.r.o. may act:
- as a controller of personal data, when it determines the purpose and means of processing, for example for orders, invoicing, customer communication, account management, zCommerce licenses, marketing or website operation,
- as a processor of personal data, when it processes personal data on behalf of a customer, for example during module installation in the customer's store, technical support, diagnostics, service interventions or work with data from the customer's system.
1.7 If we act as a processor of a customer's personal data, such processing is governed in particular by a data processing agreement or another legal act under Article 28 GDPR.
2. What personal data we process
2.1 We primarily process data that you provide to us, data generated when using the store and modules, data generated while providing support, and data obtained from public registers or technical systems.
2.2 Depending on the specific situation, this may include in particular:
- identification data: first name, last name, company name, company ID, VAT ID, registered office, address,
- contact data: e-mail, phone number, delivery data,
- billing and payment data: order number, invoice, variable symbol, payment details, bank account details to the extent needed for payment or refund,
- contractual data: ordered products, licenses, customer account, order history, update entitlement status,
- communication data: e-mails, messages from contact forms, support requests, ticket communication, notes about handling the request,
- technical data: IP address, hostname, domain, URL, server logs, access time, user-agent, technical service status, session identifier, security logs,
- zCommerce module data: license key, customer identifier, domain, URL, installation ID, module name and version, platform version, PHP version, activation date, license status, update entitlement status, error codes and technical metadata,
- data provided during technical support: credentials, logs, screenshots, exports, parts of configuration, temporary access data and error descriptions if the customer provides them,
- data related to cookies and website visits: cookie identifiers, consent settings, analytical data, website visit data to the extent determined by the cookie settings,
- data needed to exercise rights, handle complaints, withdrawal, refunds, claims, incidents and legal obligations.
2.3 We do not intentionally request or systematically process special categories of personal data under Article 9 GDPR, such as health data. If you provide such data in communication, requests or attachments, we process it only to the extent necessary to handle the request or protect rights.
3. Purposes, legal bases and retention periods
3.1 Orders, contracts and delivery of digital content
We process identification, contact, contractual, billing and technical data for the purpose of concluding and performing a contract, delivering digital content, providing access to the customer account, activating licenses, sending download links, issuing invoices and communicating with the customer.
Legal basis: performance of a contract or steps taken before entering into a contract; for
some related actions also legitimate interest in proper records and protection of rights.
Retention period: for the duration of the contractual relationship and then for the period
necessary to protect rights and legal claims, usually 3 to 4 years after the contractual
relationship ends, unless legal regulations require a longer period.
3.2 Invoicing, accounting and tax obligations
We process data stated on accounting and tax documents and data about payments, orders and contractual performance.
Legal basis: compliance with a legal obligation.
Retention period: for the period required by accounting and tax regulations, usually 5 to
10 years depending on the type of document and legal obligation.
3.3 Customer account
We process data necessary to create and manage the customer account, access the interface, manage orders, licenses, invoices, module downloads, requests and contact persons.
Legal basis: performance of a contract and legitimate interest in secure and clear product
and license management.
Retention period: for the duration of the account and contractual relationship; after that
for the period necessary to fulfil legal obligations and protect rights.
3.4 Technical support, service interventions and remote access
During technical support, we may process data contained in communication, logs, error reports, configuration, screenshots, exports, database extracts or in the environment to which the customer grants us access.
Legal basis: performance of a contract, legitimate interest in resolving the request and
protecting rights; if we act as the customer's processor, also the customer's instructions under
the processing agreement.
Retention period: for the duration of the request and then usually 3 to 4 years to document
the support process and protect rights, unless otherwise agreed or required. Temporary access and
exports are deleted or returned without undue delay after the purpose has been fulfilled unless
there is a reason to retain them longer.
3.5 zCommerce modules - license activation and license management
For zCommerce modules, we may process the license key, customer identifier, customer e-mail, domain, URL, installation ID, module name and version, platform version, PHP version, IP address, activation time, license status, update entitlement status and activation-related technical error codes.
Purpose: license activation, license management, verification of license scope, protection
against unauthorised use, provision of updates and support.
Legal basis: performance of a contract and legitimate interest in license protection,
prevention of misuse and management of digital content.
Retention period: for the duration of the license and then for the period necessary to
protect rights, resolve disputes and maintain accounting or contractual records.
3.6 zCommerce modules - update checks (version check)
Version checks serve to verify the availability of new versions, security fixes, compatibility information and update entitlement status. They may include the module name, module version, platform version, PHP version, domain or installation ID, license status, check time and IP address.
Legal basis: performance of a contract where updates are involved and legitimate interest in
security, compatibility and license management.
Nature: unless stated otherwise for a specific module, automatic version checks may be
enabled but should be switchable off in the module administration where the technical nature of
the module allows it.
Effect of disabling: disabling version checks does not terminate the license and does not by
itself prevent normal module operation, but it may limit automatic information about new
versions, security fixes and compatibility.
Retention period: operational logs of version checks are retained only for a reasonable
period, usually measured in months, unless longer retention is necessary for protection of
rights, security or incident resolution.
3.7 zCommerce modules - optional diagnostics and telemetry
Some modules may allow the sending of optional diagnostics, for example error codes, status information, pseudonymised technical metadata, compatibility details and other data necessary for error analysis and module improvement.
Legal basis: user consent or legitimate interest where the processing concerns necessary
security or operational diagnostics.
Nature: enhanced diagnostics that are not necessary for license activation, security, version
checks or contractual performance are optional. Unless stated otherwise for a specific module,
optional telemetry should be switched off by default and the user can enable it in the module
administration.
Effect of disabling: disabling optional diagnostics does not prevent normal module operation
but may limit our ability to analyse an issue quickly or recommend a fix.
Retention period: diagnostic data is retained for the period necessary for analysis and
improvement, usually no longer than 12 months, unless a longer period is required for incident
resolution or protection of rights.
Telemetry and technical metadata are not described as anonymous where they can be linked to a license, customer account, domain, installation ID, IP address or another identifier.
3.8 Security, service protection and misuse prevention
We process operational and security data for the purpose of protecting the store, licensing system, customer account and support tools, preventing misuse, detecting attacks, resolving incidents, limiting malicious traffic and protecting rights.
Legal basis: legitimate interest in the security and protection of services, customers and
rights; where relevant also compliance with a legal obligation.
Retention period: security logs and records are retained for a period appropriate to the
nature of the risk, usually measured in months; for serious incidents, for as long as necessary
to resolve the incident, protect rights or comply with legal obligations.
3.9 Direct marketing and marketing communications
We may send existing customers marketing communications about our own similar products or services if they provided their e-mail in connection with an order of digital content and did not opt out. Each marketing communication must contain a simple unsubscribe option.
Legal basis: legitimate interest and special rules for marketing communications under Czech
Act No. 480/2004 Coll.; consent for non-customer marketing.
Retention period: for the duration of the customer relationship and then for a reasonable
period, at most until an unsubscribe or objection is received; we may keep a record of the opt
out to demonstrate that we no longer send such communications.
3.10 Complaints, withdrawal, refunds and legal claims
We process data required to handle complaints, withdrawal, refunds, grievances, incidents, communication with public authorities, inspections and legal claims.
Legal basis: compliance with a legal obligation and legitimate interest in protecting rights.
Retention period: for the period necessary to handle the matter and then for the relevant
limitation, archiving or statutory periods.
4. Cookies and similar technologies
4.1 Cookies are small files or similar identifiers stored in the visitor's browser or device. They may be used for website operation, storing preferences, measuring traffic, security, personalisation or marketing.
4.2 We use the following main categories of cookies and similar technologies:
| Category | Purpose | Legal basis | Consent |
|---|---|---|---|
| Essential cookies | Website operation, security, checkout, customer account, forms, storing consent preference | legitimate interest / performance of a contract | not required |
| Preference cookies | Saving user settings where not strictly necessary | consent or legitimate interest depending on the case | usually yes |
| Analytics cookies | Measuring traffic and website usage | consent unless a narrow legal exception applies for purely technical anonymised measurement | yes |
| Marketing cookies | Advertising personalisation, remarketing, campaign measurement | consent | yes |
4.3 We may use essential cookies without consent because they are necessary for the operation of the website, security, transmission of communications, storing consent preferences or providing a service explicitly requested by the user.
4.4 Analytics, marketing and other non-technical cookies are used only after prior consent unless the law allows another regime.
4.5 The cookie banner must allow consent and refusal in a comparably easy manner. If the visitor does not provide consent, non-technical cookies must not be activated.
4.6 You can change or withdraw cookie consent at any time via the cookie banner, cookie settings on the website or browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
4.7 A specific list of cookies used, their providers and retention periods may be stated directly in the cookie banner or in separate cookie settings. If the use of cookies changes, we will update the cookie banner settings or this document.
5. Recipients and processors of personal data
5.1 We do not provide personal data to third parties for their own marketing purposes without an appropriate legal basis.
5.2 Personal data may, where necessary, be made available to the following categories of recipients or processors:
- providers of server, cloud, backup, networking and infrastructure services,
- providers of e-mail, invoicing, accounting, banking, payment and economic services,
- providers of customer support, ticketing, monitoring, security, logging and analytics tools,
- external administrators, developers, consultants, lawyers, accountants and tax advisers,
- providers of software tools, repositories, development, testing and AI tools where used for a specific service and in accordance with legal regulations,
- public authorities, courts, police or other authorised bodies where legal regulations or a legitimate request require such disclosure.
5.3 Where processors are used, we require appropriate safeguards for personal data protection and a contract or other legal instrument where GDPR requires it.
6. Transfers outside the EU/EEA
6.1 We seek to process personal data primarily in the Czech Republic, the European Union or the European Economic Area.
6.2 If in a specific case personal data is transferred outside the EU/EEA, such transfer will be carried out only if GDPR conditions are met, in particular on the basis of an adequacy decision, standard contractual clauses, a GDPR derogation or another lawful mechanism.
6.3 Where we act as the customer's processor, transfers outside the EU/EEA are also governed by the customer's instructions and the processing agreement.
7. Security of personal data
7.1 We implement reasonable technical and organisational measures to protect personal data with regard to the nature of the processing, the scope of the data, the risks and the state of the art.
7.2 These measures include, in particular, access restrictions to authorised persons, individual accounts, appropriate access rights, strong passwords, multi-factor authentication where appropriate, encrypted transmission, logging, monitoring, backups, system updates, data minimisation during support and confidentiality obligations for persons accessing the data.
7.3 During technical support, we recommend that customers provide temporary and limited access, use test environments and change or revoke access after the intervention is completed.
8. Rights of data subjects
8.1 Under GDPR and subject to its conditions, you have in particular the following rights:
- the right of access to personal data,
- the right to rectification of inaccurate data,
- the right to erasure,
- the right to restriction of processing,
- the right to data portability,
- the right to object to processing based on legitimate interest,
- the right to withdraw consent where processing is based on consent,
- the right to lodge a complaint with a supervisory authority.
8.2 You may exercise your rights by e-mail at info@zcommerce.cz or in writing to the company's registered office. To facilitate handling of your request, we may require reasonable identity verification.
8.3 We will respond without undue delay, usually no later than within 1 month. In justified cases, this period may be extended as permitted by GDPR.
8.4 Where we process data as a processor on behalf of a customer, we will pass the request to the relevant customer as controller or act according to the customer's instructions.
8.5 The supervisory authority is the Czech Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Prague 7, website www.uoou.cz.
9. Right to object
9.1 If we process personal data on the basis of legitimate interest, you have the right to object at any time on grounds relating to your particular situation.
9.2 If you object to direct marketing, we will stop processing your personal data for that purpose.
10. Consent and withdrawal
10.1 Where processing is based on consent, giving consent is voluntary. Consent may be withdrawn at any time.
10.2 Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
10.3 Cookie consent can be managed through the cookie banner or cookie settings. Consent to marketing communications can be withdrawn through the unsubscribe link in the e-mail or by sending a message to info@zcommerce.cz.
10.4 Consent to optional diagnostics or telemetry in zCommerce modules may be withdrawn in the module administration if the module contains such a function, or by another method stated in the documentation.
11. Automated decision-making and profiling
11.1 We do not carry out decision-making based solely on automated processing that would produce legal effects concerning the data subject or similarly significantly affect them within the meaning of Article 22 GDPR.
11.2 We may use automated technical tools for security, monitoring, attack detection, spam filtering, license verification, update availability checks or service protection. These tools serve technical administration and service security.
12. AI and development tools
12.1 During development, bug analysis, content preparation, programming or technical support, we may use software, development, analytical or AI tools. Personal data is entered into such tools only to the extent necessary and only where we have a legal basis or the customer's instruction.
12.2 When using such tools, we focus on data minimisation, pseudonymisation or anonymisation where possible and on avoiding unnecessary transfer of production data, credentials, store customer data or other sensitive information.
12.3 If a customer expressly prohibits the use of specific external or AI tools for their data, and such prohibition forms part of the contractual arrangement, we will respect that instruction within the agreed scope.
13. Summary for zCommerce modules
13.1 For zCommerce modules, we distinguish three technical modes:
- license activation and license management - usually necessary for paid modules, updates, support and license protection,
- version check - checking the availability of updates, security fixes and compatibility information; this may be switchable off according to the module's technical possibilities,
- optional diagnostics or telemetry - extended diagnostic data for error analysis and module improvement; this should be explicitly optional unless necessary for security, licensing or contractual performance.
13.2 Normal module operation should not depend on the permanent availability of the licensing server where this is technically possible and unless a specific module states otherwise.
13.3 Disabling version checks or optional diagnostics does not by itself terminate the license. It may, however, limit automatic information about new versions, the availability of updates or the scope of technical support.
14. Changes to this document
14.1 We may update this document in particular when legal regulations, services, the technical design of the store, zCommerce modules, cookies, processors or processing purposes change.
14.2 The current version is available on www.zcommerce.cz. For significant changes that materially affect data subjects' rights, we may also notify customers by e-mail, in the customer account, in module administration or by another suitable means.
14.3 This document takes effect on 2026-06-01.