Privacy Policy
Version 1.0, effective 11 May 2026
1. Who we are and how to reach us
Philip Staehelin, self-employed (osoba samostatně výdělečně činná, OSVČ), IČO 07457120, registered at Křižíkova 710/30, 186 00 Praha 8–Karlín, Czech Republic, is the controller (správce) of personal data processed in connection with The Prague Briefing within the meaning of Article 4(7) of Regulation (EU) 2016/679 (the GDPR) and Act No. 110/2019 Coll. on Personal Data Processing.
Contact for any matter relating to this Policy or to your personal data:
- Email: hello@briefings.eu
- Post: Křižíkova 710/30, 186 00 Praha 8–Karlín, Czech Republic
We do not have a Data Protection Officer. Our processing operations do not meet the Article 37 GDPR thresholds requiring one.
This Policy is available at briefings.eu/privacy and forms part of the Subscription Agreement as incorporated by reference in the Terms and Conditions.
2. What personal data we process
2.1. Subscribers
- Identification and contact data: name, email address, billing address, preferred edition language (English or Czech).
- Payment data: Stripe customer ID, subscription tier, billing period, last four digits of the payment card, country of card issue. Full card numbers, CVV codes, and bank account numbers are not accessible to us and are processed exclusively by Stripe.
- Subscription history: start date, renewal dates, cancellation date (if applicable), refund history, credit balance adjustments.
- Delivery data: which issues were sent to your email address, send timestamps, bounce and delivery-failure status, and whether each issue was opened (open tracking via a small transparent image loaded when the email is displayed). We collect open events to understand delivery reach and content relevance. We do not track individual link clicks within issues.
- Unsubscribe status: whether you have exercised your right to stop email delivery under Section 6.1, and the date you did so.
- Correspondence: messages you send us at hello@briefings.eu or replies to issues, including message metadata.
2.2. Visitors to briefings.eu
- Server and CDN logs: IP address, user-agent string, requested URL, timestamp, HTTP status code. These logs are held by Cloudflare and Hetzner and rotated on standard schedules (typically 30–90 days).
- Aggregate site analytics: page view counts, referrer categories, and country-level visitor counts collected by Cloudflare Web Analytics. This service does not use cookies, does not set any local storage, and does not track individual visitors across sessions or sites. No consent banner is required for this form of analytics.
2.3. Other contacts
Where a person writes to us at hello@briefings.eu without subscribing, we hold the message, the sender's email address, and any personal data the sender voluntarily provides. We use this data solely to respond to the contact.
We do not knowingly collect personal data from children under 16. The Prague Briefing is a business news product not directed at minors.
3. Legal bases and purposes of processing
| Purpose | Data categories | Legal basis |
|---|---|---|
| Delivering The Briefing to paying subscribers | Identification, contact, subscription, delivery | Art. 6(1)(b) GDPR (performance of contract) |
| Processing payments and managing renewals | Payment, subscription | Art. 6(1)(b) GDPR (performance of contract) |
| Issuing invoices and meeting accounting obligations | Identification, billing, payment | Art. 6(1)(c) GDPR (legal obligation): Czech Accounting Act No. 563/1991 Coll., Income Tax Act No. 586/1992 Coll. |
| Customer support and responding to enquiries | Correspondence, identification | Art. 6(1)(b) GDPR (performance of contract); or Art. 6(1)(f) GDPR (legitimate interests) for pre-subscription enquiries |
| Securing the website and infrastructure against abuse | Server logs, aggregate analytics | Art. 6(1)(f) GDPR (legitimate interests): protection of the Publisher's infrastructure and the integrity of the service |
| Aggregate site analytics | Aggregate, non-identifying page-view data | Art. 6(1)(f) GDPR (legitimate interests): improving the product using only anonymised signals |
| Measuring delivery reach via email open tracking | Delivery data, open events per subscriber | Art. 6(1)(f) GDPR (legitimate interests): understanding whether issues are received and read |
| Sending service announcements | Identification, contact | Art. 6(1)(b) GDPR (performance of contract) |
Legitimate interest balancing. For purposes based on Article 6(1)(f) we have weighed our interests against the rights and freedoms of subscribers. For security logging and site analytics, the data is either pseudonymous (CDN logs not accessed or analysed by us directly) or fully aggregated and non-identifying (Cloudflare Web Analytics). For email open tracking, a small transparent image is loaded when an issue is displayed; the resulting event is linked to the individual subscriber to allow per-subscriber and aggregate delivery reporting. Subscribers can prevent open tracking by disabling image loading in their email client, or by stopping email delivery entirely under Section 6.1. The interest in knowing whether paid subscribers receive and read issued content is genuine and proportionate to the limited nature of the data collected.
We do not engage in automated individual decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR. We do not use personal data for behavioural advertising.
4. Retention periods
| Data category | Retention period | Basis |
|---|---|---|
| Active subscription data (name, email, subscription tier, delivery history) | Duration of subscription + 12 months after expiry | Contractual records; refund and dispute resolution |
| Accounting records (invoices, payment records) | 5 years from the end of the calendar year to which they relate | Section 31 of the Czech Accounting Act No. 563/1991 Coll. |
| Server and CDN logs | Per Cloudflare and Hetzner standard rotation (typically 30–90 days) | Security; not processed by us directly |
| Correspondence | Up to 3 years from last contact | Legitimate interest in resolving follow-up matters |
| Stripe-held payment data | Per Stripe's own retention policy | Stripe acts as an independent controller for fraud prevention and regulatory compliance |
The 5-year accounting retention applies because the Publisher is not a registered VAT payer; the 10-year period under Section 35 of the VAT Act does not apply to our invoicing.
After each retention period expires, we delete or anonymise the data. Where anonymisation is applied, the resulting data no longer constitutes personal data and is not subject to this Policy.
5. Who we share your data with
We share personal data only with the processors and public authorities listed below. Where a provider acts as a processor, we have in place a written data processing agreement meeting the requirements of Article 28 GDPR.
5.1. Service providers
| Provider | Role | Purpose | Location | Transfer safeguard |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Processor | Payment processing, subscription billing, customer portal, invoice generation | Ireland; US onward transfer via Stripe, Inc. | EU controller; US transfers under SCCs and EU-US Data Privacy Framework |
| Resend, Inc. | Processor | Outbound email delivery of each issue | EU infrastructure (eu-west-1 region); corporate entity in the US | SCCs and EU-US Data Privacy Framework |
| Google LLC | Processor | Inbound email (Google Workspace); subscriber list management (Google Sheets) | United States | SCCs and EU-US Data Privacy Framework |
| Cloudflare, Inc. | Processor | DNS, CDN, email routing, object storage, aggregate web analytics | United States; EU edge nodes for traffic delivery | SCCs and EU-US Data Privacy Framework |
| Hetzner Online GmbH | Processor | Server hosting (Falkenstein, Germany) | Germany | No transfer outside the EEA |
| Anthropic PBC | Processor (limited) | AI-assisted editorial content generation | United States | SCCs; subscriber personal data is not transmitted to Anthropic. Only public-source RSS content is sent for editorial processing. |
We do not sell, rent, or trade personal data. We do not use behavioural advertising networks or data brokers.
5.2. Public authorities
We disclose personal data to public authorities (Czech tax authorities, courts, law enforcement) only where required by Czech or EU law, or where necessary to establish, exercise, or defend our legal rights.
6. Your rights
Under the GDPR you have the following rights in relation to your personal data:
- Right of access (Art. 15): to obtain confirmation of whether we process your data and to receive a copy.
- Right to rectification (Art. 16): to correct inaccurate data and to have incomplete data completed.
- Right to erasure (Art. 17): to have your data deleted where one of the grounds in Article 17 applies.
- Right to restriction of processing (Art. 18): to require us to restrict processing in specified circumstances.
- Right to data portability (Art. 20): to receive your data in a structured, commonly-used, machine-readable format.
- Right to object (Art. 21): to object to processing carried out on the basis of legitimate interest.
- Right to withdraw consent (Art. 7(3)): at any time where processing is based on consent; withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email hello@briefings.eu with the subject line "GDPR request" and a description of what you are asking for. We will respond within thirty (30) days. We may extend this once by a further sixty (60) days for complex requests, and will inform you of any extension and the reason for it.
We may need to verify your identity before responding, normally by requiring the request to come from the email address associated with your account.
6.1. Stopping email delivery vs. erasure of personal data
These are two separate rights with different effects:
Stopping email delivery (statutory right under Section 7 of Act No. 480/2004 Coll. on certain information society services). To stop receiving issues by email, click the unsubscribe link in the footer of any issue. The link opens a confirmation page at briefings.eu/unsubscribe where you confirm the request. We act within 48 hours of confirmation. Where your email client supports the RFC 8058 one-click unsubscribe protocol, using that client-side mechanism satisfies the confirmation requirement. Stopping email delivery does not cancel your subscription; any remaining paid period continues, no refund is due on a stop-delivery request alone, and your personal data continues to be held as set out in Section 4. To resume delivery while your subscription is still active, email hello@briefings.eu.
Erasure of personal data (GDPR Article 17 right to erasure). Email hello@briefings.eu with the subject line "GDPR erasure request". We will delete your name and email address from our active records. Erasure is subject to the accounting retention obligations in Section 4: we must retain invoice records for the statutory period. After erasure, what remains in our systems is the minimum accounting information required by Czech law: invoice records for the year(s) in which you held a paid subscription, which may include a name and billing address but will no longer be associated with an active subscriber profile.
You may exercise both rights simultaneously: stop email delivery via the unsubscribe link and send a separate erasure request by email.
7. Right to lodge a complaint
If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
posta@uoou.cz · www.uoou.cz
You may also complain to the supervisory authority in the EU member state where you reside or where you believe the alleged infringement took place.
8. Cookies and similar technologies
briefings.eu uses only the following cookies and storage mechanisms:
| Cookie / mechanism | Purpose | Duration | Strictly necessary |
|---|---|---|---|
| Stripe Customer Portal session cookie | Maintains authentication state when you visit the customer portal at billing.stripe.com | Session | Yes; set by Stripe under the stripe.com domain, governed by Stripe's privacy notice |
| Cloudflare bot-challenge cookie (__cf_bm, cf_clearance) | Distinguishes human visitors from automated bots to protect the site | Up to 30 days | Yes; set by Cloudflare for infrastructure security |
We use Cloudflare Web Analytics for aggregate traffic measurement. This service operates without setting any cookies or local storage. It collects page view counts, referrer category, and country-level visitor distribution in fully anonymised, non-individual form. No consent is required for this service under Czech ePrivacy law (Act No. 127/2005 Coll.) or under the EU ePrivacy Directive, because it uses no cookies and does not enable tracking of individual users.
We do not use Google Analytics, Meta Pixel, advertising networks, or any other third-party tracking services.
9. International data transfers
Some of our processors are located in or transfer data to countries outside the European Economic Area, principally the United States. For each such transfer we rely on one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.
- The EU-US Data Privacy Framework (Decision (EU) 2023/1795) where the recipient is certified.
Section 5.1 identifies the transfer safeguard applicable to each processor. Copies of the relevant contractual clauses are available from us on written request.
10. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure, including:
- TLS 1.2 or higher for all data in transit
- Encryption at rest where supported by the underlying provider (Cloudflare, Stripe, Hetzner)
- Access controls and least-privilege principles for operational systems
- Monitoring and logging of administrative access
No system is perfectly secure. If we discover a personal data breach that meets the Article 33 GDPR threshold, we will notify the ÚOOÚ within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay.
11. Changes to this Policy
We may update this Policy from time to time. The version number and effective date at the top of this document indicate the current version. Where a change is material to your rights (including any expansion of the data we collect, any new processor, or any new purpose), we will notify you by email at least thirty (30) days before the change takes effect. The current version of the Policy is always available at briefings.eu/privacy.