Privacy Policy.
How we handle the personal data of website visitors, contact-form submitters and clients. No analytical tracking, no data exports beyond what is strictly necessary for operation.
If you are an EEA, UK or Swiss resident, this policy applies to you under the EU GDPR.
1. Who we are (data controller)
The controller of your personal data is accelapps s.r.o., Reg. No.: 06628362, VAT No.: CZ06628362, with registered office in Prague, registered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 285754. We operate the product brand EasyPortal 365.
Controller contact details:
- Email: info@easyportal365.com
- Phone: +420 234 715 878
- Address: see contact page
We have not appointed a Data Protection Officer (DPO) — our processing does not fall within the categories where the GDPR requires one. Please direct any data protection enquiries to the email above.
2. What data we process
2.1 Contact form
When you send us a message via the contact form at /en/contact, we process:
- first name and surname (required)
- email address (required)
- message content (required)
- optionally: company name, phone number
2.2 Meeting bookings
If you book a consultation or support slot through our online widget (Zoho Bookings), we process the data you fill into the widget — typically name, email, phone number and a note.
2.3 Contractual relationship with clients
If you become our client, we process the data necessary for the performance of the contract and for invoicing: company name, Reg. No./VAT No., billing address, contact persons (name, email, phone, position).
2.4 Web server logs
The web server (GitHub Pages) records standard access logs (IP address, timestamp, HTTP request, user-agent). They are used solely for operation, security and error analysis. We do not use classic tools like Google Analytics — for traffic analysis we only use the in-house solution described in section 2.5.
2.5 Identifying business visitors (B2B)
On the website we use a lightweight in-house analytics that attempts to determine, from the visitor's IP address, which organisation (company) they came from — for B2B sales purposes (so we know which companies are interested in us). In connection with a visit we process:
- the IP address and the organisation or internet provider name derived from it, the autonomous system number (ASN) and the approximate location (city, region, country);
- technical details about the device and browser (browser and operating-system type, device type, screen resolution, browser language, time zone);
- information about the visit and its source (pages visited and their order, the entry page, where the visitor came from — the referrer and any campaign UTM parameters);
- for business visitors, optionally supplementary public company data from the public ARES register (company ID, registered address) based on the determined organisation name.
To link pages within a single visit we use a temporary identifier stored only for the duration of the visit (the browser's sessionStorage), which is cleared when the window is closed; we do not create a persistent identifier of an individual and we do not track visitors across visits. We do not identify specific individuals — only the organisation; for ordinary home or mobile connections no company is usually determined at all. Records stay in our private storage (a private GitHub repository); we do not sell them or pass them on for third-party marketing. The legal basis is our legitimate interest (Article 6(1)(f) GDPR); you may object to this processing at any time (see section 7).
2.6 AI assistant (website chat)
On the website we offer an optional AI assistant (the floating chat in the bottom-right corner) that answers questions about our products and services. When you use it, we process the content of the messages you type into the chat so we can generate a reply.
- The text of your messages is sent to the Azure OpenAI language model operated in Microsoft's EU data centre (Sweden). In the Azure OpenAI mode, Microsoft does not use the submitted content to train its models.
- We do not store the conversation on our side — it exists only temporarily for the duration of your visit in the browser (sessionStorage) and is cleared when the window is closed.
- Please do not enter sensitive personal data or confidential information into the chat — the assistant is intended for general orientation in our offering, not for processing your data.
The legal basis is our legitimate interest (Article 6(1)(f) GDPR) in providing you with quick information about our products and services.
3. Purposes of processing
- handling your enquiry from the contact form
- arranging and conducting a meeting
- performance of the contractual relationship including invoicing
- protecting the operation and security of the website
- B2B website traffic analysis — identifying which companies are interested in us (section 2.5)
- operating the website's AI assistant — answering your questions about our products and services (section 2.6)
- compliance with legal obligations (accounting, tax, AML)
4. Legal basis for processing
We process your personal data on the basis of:
- your consent (contact form — given by ticking the GDPR checkbox) — Article 6(1)(a) GDPR;
- performance of a contract or pre-contractual measures (meeting bookings, client data) — Article 6(1)(b) GDPR;
- compliance with a legal obligation (accounting and tax records, archiving) — Article 6(1)(c) GDPR;
- legitimate interest (server logs, B2B traffic analysis per section 2.5, operating the AI assistant per section 2.6, website security, enforcement of claims) — Article 6(1)(f) GDPR.
5. How long we retain data
| Category of data | Retention period |
|---|---|
| Contact form (after handling) | up to 24 months or until consent is withdrawn |
| Meeting booking data | up to 24 months |
| Client data (contractual relationship) | for the duration of the contract + statutory periods |
| Accounting documents | 10 years (Czech Accounting Act) |
| Web server logs | maximum 30 days |
| Company traffic analytics (section 2.5) | up to 24 months |
| AI assistant conversations (section 2.6) | not stored — only temporarily in the browser for the duration of the visit |
6. To whom we disclose your data
We share your data only with processors that help us operate our services — always under a data processing agreement and only to the extent strictly necessary:
- Zoho Corporation B.V. — operation of the contact form and online bookings; data hosted in EU data centres (forms.zohopublic.eu, bookings.nimbuspop.com).
- Microsoft Ireland Operations Limited — Microsoft 365 as our internal email and office infrastructure.
- GitHub, Inc. — hosting of the website via GitHub Pages and private storage of the traffic analytics (section 2.5).
- IPinfo (ipinfo.io, IPinfo LLC, USA) — one-off lookup of the organisation, internet provider and approximate location from the visitor's IP address (reverse IP lookup) for the analytics under section 2.5.
- ARES — public register (Czech Ministry of Finance) — verification of public company data (company ID, registered address) based on the organisation name determined under section 2.5.
- Microsoft (Azure OpenAI Service) — processing of the queries you enter into the website's AI assistant (section 2.6); operated in an EU data centre (Sweden), the submitted content is not used to train models.
- providers of accounting and tax services (under a written contract);
- public authorities, where required by law.
We do not routinely transfer data outside the European Economic Area. Where this exceptionally happens with certain third-party services (typically GitHub and IPinfo), it is carried out under the Standard Contractual Clauses approved by the European Commission (Article 46 GDPR).
Note on EP365 products: EasyPortal 365 applications deployed as part of client projects run directly within the customer's Microsoft 365 tenant. Data processed by these applications never leaves the customer's tenant, and we as the supplier access it only to the extent agreed in the contract (typically support and maintenance).
7. Your rights
In relation to your personal data you have the following rights under the GDPR (Articles 15–22):
- right of access — to find out what data we process about you and obtain a copy;
- right to rectification of inaccurate or incomplete data;
- right to erasure ("right to be forgotten"), where the reason for processing has ceased;
- right to restriction of processing in specific cases;
- right to data portability in a structured, machine-readable format;
- right to object to processing based on legitimate interest;
- right to withdraw consent at any time (where processing is based on consent) — withdrawal does not have retroactive effect;
- right to lodge a complaint with a supervisory authority. In the Czech Republic this is the Czech Data Protection Authority (ÚOOÚ) — Úřad pro ochranu osobních údajů.
It is enough to send your request to info@easyportal365.com. We will handle it within 30 days of receipt at the latest; if the request is complex, we may extend this period by a further two months and will inform you of the extension.
8. Cookies and similar technologies
The EasyPortal 365 website deliberately uses a minimum of cookies. We have no Google Analytics or third-party advertising tools. Our in-house B2B analytics (section 2.5) uses only the browser's temporary storage (sessionStorage) for the duration of the visit, not persistent cookies. Fonts are served locally from our hosting, so no information about your visit is leaked to third parties just because of typography.
Details in the separate Cookies document.
9. Security
We implement appropriate technical and organisational measures to protect personal data: HTTPS across the entire site, restricted access to systems containing personal data, multi-factor authentication for internal systems, and regular review of security procedures.
10. Changes to this policy
This policy may be updated from time to time — typically when the scope of processing, legal obligations or processors change. The current version is always available on this page. We will give you advance notice of material changes (by email to addresses you have provided to us, or via a visible notice on the website).