Privacy and GDPR

Privacy Notice

Last updated: July 7, 2026

This notice explains how Critical Web Ops handles personal data for inquiries, diagnostics, orders, billing, support, website operations, and client-site service work.

1. Controller identity

Critical Web Ops is operated by Bc. Michal Poluch in the Czech Republic, business ID 75702592, VAT/tax ID CZ7901204608. Business correspondence starts by email. A postal contact and invoice details are provided before acceptance of paid work and on verified business, legal, or data-protection request.

Privacy requests: hello@criticalwebops.com. General service contact: hello@criticalwebops.com. Security contact: hello@criticalwebops.com.

2. Our data protection roles

For website visits, service inquiries, qualification, orders, billing, support records, legal records, and our own business administration, Critical Web Ops normally acts as an independent controller.

When we access a client website, hosting account, logs, checkout records, customer records, analytics, or payment-provider diagnostics only to deliver the accepted service, we may act as a processor for the client. In that case the client remains responsible for its own lawful basis, notices, access rights, and instructions, and a data processing agreement must be agreed where GDPR processor work is involved.

3. Personal data we collect

  • Contact data: name, email address, company, role, country, timezone, billing contact, and messages.
  • Project intake data: website URL, symptoms, recent changes, screenshots, logs, plugin/theme/hosting details, analytics context, and business impact notes.
  • Access-related data: temporary account identifiers, access approval records, access-removal records, audit notes, and security-relevant communications. Do not send passwords in plain email or public forms.
  • Client-site diagnostic data: error logs, server logs, order-flow evidence, screenshots, configuration exports, plugin lists, and limited customer or order data where strictly necessary for the agreed work.
  • Billing and tax data: order scope, invoices, payment status, VAT/tax treatment, payment references, refunds, accounting records, and related communications.
  • Website and security data: IP-derived security logs, browser metadata, basic analytics, spam prevention signals, and consent records where enabled.

4. Purposes and GDPR legal bases

  • Pre-contract and contract: reviewing inquiries, qualifying fit, quoting work, delivering diagnostics, preparing reports, supporting the engagement, and handling payment.
  • Legitimate interests: securing the website and client engagements, preventing abuse, documenting decisions, improving service quality, managing disputes, and maintaining business records.
  • Legal obligations: accounting, tax, compliance, sanctions, dispute, and statutory recordkeeping duties.
  • Consent: optional marketing, testimonials, non-essential analytics, or other optional processing where consent is required.
  • Client instructions: where Critical Web Ops acts as processor for client-site data under a client order or data processing agreement.

5. Selected service providers and processors

  • Vercel: website hosting, deployment logs, preview/production deployments, TLS, edge delivery, and operational metadata.
  • Cloudflare: DNS, domain security controls, TLS-related records, optional Web Analytics, optional Email Routing, and operational logs.
  • GitHub: source control, deployment integration, issue/PR records, and technical audit trail. Customer secrets must not be committed.
  • Google Workspace, Zoho Mail, Proton Mail, or the chosen mailbox provider: business email, aliases, calendar, and service correspondence.
  • Stripe: payment links, Checkout, payment status, refunds, card network handling, and payment-related fraud controls.
  • Wise, bank provider, UOL, and accounting advisers: bank transfer handling, invoicing support, tax records, accounting, and statutory retention.
  • Linear, GitHub Issues, and Obsidian: internal case tracking, task records, delivery notes, runbooks, and project memory.
  • Additional processors may be added only after purpose, data categories, contract/DPA status, transfer mechanism, and retention are recorded.

6. Automation in the order process

Critical Web Ops may use automation to route intake forms, send confirmation emails, prepare internal tasks, create project notes, generate checklists, and remind about quote, payment, access, delivery, and follow-up steps.

Automation is used for operations and triage support. It does not automatically accept an emergency engagement, approve access, decide legal rights, or make a similarly significant decision about a person.

Public intake may submit a structured request through the website form and send it to the business mailbox. If email delivery is unavailable, the form may prepare an email draft from the visitor's own mail client. A CRM, newsletter, retargeting, or payment automation must not be enabled until this notice and the processor list are updated.

7. International transfers

Some providers may process data outside the EU, EEA, UK, or Switzerland. Where required, Critical Web Ops relies on an appropriate safeguard such as an adequacy decision, the EU-U.S. Data Privacy Framework for certified recipients, Standard Contractual Clauses, a transfer risk assessment, and supplementary measures where needed.

Client-site data should be minimized before transfer. Sensitive exports should not be moved into general-purpose tools unless the accepted order and data-processing terms allow it.

8. Retention

  • Unqualified inquiries: normally up to 18 months unless a shorter period is requested or a legal reason requires retention.
  • Accepted project records, audit evidence, delivery notes, and dispute records: normally up to 6 years unless a longer legal, accounting, tax, or dispute period applies.
  • Billing, tax, invoice, and accounting records: retained for the statutory period required by applicable tax and accounting law.
  • Access credentials and temporary accounts: removed, revoked, rotated, or deleted after the engagement or when no longer needed. Access-removal evidence may be retained as part of project records.
  • Security logs: normally retained only as long as needed for security, abuse prevention, diagnostics, and incident evidence.
  • Marketing consent records: retained while consent remains active and for a reasonable proof period after withdrawal.

9. Security

Our operating model is least-privilege access, temporary accounts, secure credential sharing, backup-first changes, staging where possible, documented change sequence, access-removal reminders, and limited storage of client data.

No website or service can promise absolute security. If a security incident affects personal data, Critical Web Ops will assess investigation, mitigation, client notice, data-subject notice, and supervisory-authority notification duties under applicable law.

10. Your rights

For GDPR-covered individuals, rights may include access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and a complaint to a supervisory authority.

Critical Web Ops responds to valid requests without undue delay and normally within one month, subject to identity verification, client-controller instructions where we act as processor, and legal limits.

11. Cookies and analytics

The current website setup is intended to use necessary hosting, security, and delivery logs only, without advertising cookies or cross-site behavioral advertising. Optional privacy-aware analytics may be added only after the notice, processor record, and consent or opt-out position are checked.

If non-essential analytics, advertising pixels, retargeting, session replay, or similar tools are added, the site must update this notice and add the required consent or opt-out mechanism before those tools are enabled.

12. US and California privacy

Critical Web Ops does not intend to sell personal information or share personal information for cross-context behavioral advertising.

If CCPA/CPRA or another US state privacy law applies to Critical Web Ops or a client-specific processing activity, the required categories, purposes, retention periods, rights instructions, and opt-out mechanisms are added before that processing starts.