Privacy Policy
Last updated: 3 July 2026 · Draft for legal review — not yet in force
First draft under the GDPR. Not legal advice. Have counsel review before publishing.
1. Data controller
The controller of your personal data is DigiatPPSolutions s.r.o., seat Nové sady 988/2, Staré Brno, 602 00 Brno, Czech Republic, company ID (IČO) 23623632 ("Gardlio"). Contact: privacy@gardlio.eu. As a microenterprise, Gardlio is not required to appoint a data protection officer and has not appointed one; the data-protection contact is privacy@gardlio.eu.
2. Who this policy covers
We process personal data of three groups, described separately below:
- Gardeners (self-employed service providers who list on Gardlio)
- Customers (people who look for and book gardening work)
- Visitors (anyone browsing the site or app without an account)
3. What we process, why, and on what legal basis
Gardeners
| Data | Purpose | Legal basis |
|---|---|---|
| Identity & contact, profile, portfolio, service area, pricing | Operate your listing and bookings; contract performance | Art. 6(1)(b) — contract |
| Billing data for a visibility boost you buy (via Stripe) | Charge you for Gardlio's own paid service; comply with tax/accounting law | (b) contract; (c) legal obligation |
| Ratings, reviews, dispute records | Trust & safety, ranking | (f) legitimate interest |
Customers
| Data | Purpose | Legal basis |
|---|---|---|
| Account & contact | Provide the service | (b) contract |
| Booking and message records | Facilitate and evidence bookings | (b); (f) |
| Billing data for a subscription you buy (via Stripe) | Charge you for Gardlio's own paid service; comply with tax/accounting law | (b) contract; (c) legal obligation |
| Reviews you write | Publish feedback | (b); (f) |
| Support correspondence | Help you | (f) |
Visitors
| Data | Purpose | Legal basis |
|---|---|---|
| Device/log data, essential cookies | Run and secure the site | (f) legitimate interest |
| Analytics / marketing cookies | Measure and improve | (a) consent — see the Cookie Policy |
4. Where your data comes from
From you, from your use of the service, from our billing provider (Stripe) for the outcome of a subscription or boost payment, and from the other party to a booking (e.g. a review about a gardener). We do not receive payment or KYC data about the gardening job itself, because the customer pays the gardener directly and Gardlio does not handle that money.
5. Recipients and processors
We share data only as needed with: Supabase (hosting, database, auth, storage — region EU, Frankfurt / eu-central-1), Stripe (billing for Gardlio's own paid services — customer subscriptions and gardener visibility boosts; not the gardening job, which the customer pays the gardener directly), Firebase Cloud Messaging (Android) and Apple Push Notification service (iOS) for push notifications, no analytics or marketing providers at launch, and authorities where legally required. Processors act under data-processing agreements.
6. International transfers
We host in the EU/EEA where possible. Where a processor transfers data outside the EEA (e.g. Stripe), it is protected by Standard Contractual Clauses or an adequacy decision. Stripe may process data outside the EEA under Standard Contractual Clauses; see stripe.com/privacy.
7. Retention
We keep data for as long as your account is active and thereafter only as required. Specifically: account data for the life of the account; accounting and tax documents for the statutory period (up to 10 years under Czech law); and dispute records until the dispute is resolved. Consent-based cookies expire within 13 months.
8. Your rights
You have the right to access, rectify, erase, restrict, port, and object, and to withdraw consent at any time (without affecting prior processing). To exercise them, contact privacy@gardlio.eu. You may also complain to your supervisory authority (see annex).
9. Automated decisions
Gardlio makes no decisions producing legal or similarly significant effects solely by automated means. Search ranking and fraud checks are automated, but they are not by themselves determinative.
10. Security
We use appropriate technical and organisational measures (encryption in transit, access controls, RLS on the database, least-privilege). No system is perfectly secure.
Country-specific annex — national data-protection overlay & supervisory authority
| National DP law | Supervisory authority | |
|---|---|---|
| 🇨🇿 Czech Republic | Act No. 110/2019 Sb. | ÚOOÚ — Úřad pro ochranu osobních údajů (uoou.cz) |
| 🇩🇪 Germany | BDSG | Your competent Landesdatenschutzbehörde or the BfDI |
| 🇦🇹 Austria | DSG | Datenschutzbehörde (DSB) (dsb.gv.at) |
| 🇵🇱 Poland | Act of 10 May 2018 (UODO) | PUODO — Prezes Urzędu Ochrony Danych Osobowych (uodo.gov.pl) |