PRIVACY POLICY
Data Controller in respect of User (Hotel) data processing:
Wootera Digital Technologies, s.r.o., Company ID: 19160526, registered office: Oldřichova 255/20, Nusle, 128 00 Prague 2
Contact: cleanqr@wootera.com
Data Processor for hotel guest personal data (acting as processor for Hotels as controllers): see DPA (Annex No. 1 to GTC).
2.1 Who does this Policy apply to?
This Policy applies to:
- Users (Hotels) — legal or natural persons using the CleanQR service.
- Hotel Staff — employees and associates of the hotel whose data is entered into the system.
- Hotel Guests — the CleanQR system does not require guests to actively submit personal data; technical transmission parameters may be passively recorded (see Section 2.2 C).
2.2 What data do we process and why?
A) Users — account registration and operation
| Category of Data | Legal Basis (GDPR Art. 6) | Purpose | Retention Period |
|---|---|---|---|
| Business identification (name, company ID, address) | Art. 6(1)(b) — performance of contract | Conclusion and performance of the agreement | Duration of agreement + 3 years |
| User contact email | Art. 6(1)(b) — performance of contract | Communication, sending Service notifications | Duration of agreement + 3 years |
| Billing details (where applicable for the paid version) | Art. 6(1)(c) — legal obligation | Tax and accounting obligations | 10 years pursuant to accounting legislation |
B) Hotel staff (employees entered into the system)
| Category of Data | Legal Basis | Purpose | Retention Period |
|---|---|---|---|
| Name / display name | Art. 6(1)(f) — legitimate interest (system operation) | User identification in the system | Duration of agreement, then deleted within 30 days |
| Email address | Art. 6(1)(f) — legitimate interest | Login, system notifications | Duration of agreement, then deleted within 30 days |
| Activity logs (time, action type, room ID) | Art. 6(1)(f) — legitimate interest | Audit, security, dispute resolution | 90 days from the date of the record |
C) Hotel guests (persons scanning the QR code)
The CleanQR system does not require or actively collect any personal data from guests — no name, email, phone number, or other identifiers. Service requests are identified solely by room number/ID.
Note: As operator of the server infrastructure, standard network transmission parameters (device IP address, browser type, request timestamp) may be passively recorded in technical operational logs (server logs). These records are used exclusively to ensure the security and stability of the Service, are not linked to the identity of the guest, and are not shared with third parties.
2.3 Who do we share data with?
We do not sell your personal information. We do not share personal data with third parties for their own commercial purposes, advertising, or targeted advertising.
Data may be shared only with:
- Sub-processors (hosting, cloud, and email service providers) necessary for the technical operation of the Service — the current public list of sub-processors is available on request at cleanqr@wootera.com;
- Public authorities — only where required by a legal obligation (court, administrative body).
2.4 Security
Data transmission is protected by the encrypted HTTPS (TLS) protocol. Access to data is restricted to authorised persons. The Provider implements reasonable technical and organisational measures pursuant to Article 32 GDPR.
Note: The Provider is not liable for a data breach caused by a cyber attack or third-party infrastructure failure (hosting), provided the above-mentioned reasonable measures have been implemented.
2.5 Your Rights (Data Subject Rights)
As a data subject, you have the following rights under the GDPR:
| Right | What it means |
|---|---|
| Right of access (Art. 15) | Obtain confirmation of whether we process your data and a copy of that data. |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Right to erasure (Art. 17) | Request deletion of data where the grounds for processing no longer exist. |
| Right to restriction of processing (Art. 18) | Request temporary restriction of processing in cases provided for by law. |
| Right to data portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to object (Art. 21) | Object to processing based on legitimate interest. |
| Right to withdraw consent | Where processing is based on consent, consent may be withdrawn at any time. |
Requests should be submitted to: cleanqr@wootera.com. We will respond without undue delay, ordinarily within 30 days.
2.6 Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the Office for Personal Data Protection (ÚOOÚ):
Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
www.uoou.cz | data mailbox: qkbaa2n
2.7 Changes to this Policy
Users will be notified of material changes to the Privacy Policy by email or through the Service interface.
This Privacy Policy takes effect on 1 April 2026.