Ochrana osobních údajů


Fasay, s.r.o.


The controller of personal data is Fasay, s.r.o., with registered office Brno, Vídeňská 277/68, ZIP Code 639 00, ID: 241 77 997, registered in the commercial register kept at the Regional Court in Brno, section C, file 99787, for which Siriporn Hofr acts, manager.


For better clarity and orientation, terms that are frequently repeated in these Principles are listed below.


E-SHOP – Internet application available on the Internet, developed for the purpose of displaying, selecting and ordering services by the customer, www.thajske-masaze-brno.cz/produkty; www.thajske-masaze-vyskov.cz/produkty; www.thajske-masaze-olomouc.cz/produkty;


INFORMATION SYSTEM – internal information system that serves to record various activities within the Administrator’s business, including records containing personal data


PERSONAL DATA – any information about the subject, on the basis of which it can be directly or indirectly identified


REGISTERED USER – data subject who used the option to set up and use a user account available on the Administrator’s website


ADMINISTRATOR – determines the goals and means of processing. It is us, mostly in the position of selling our goods or services.


DATA SUBJECT – natural person to whom the Personal Data relate, most often it will be a customer or a potential customer


USER ACCOUNT – an account established under the conditions set out in the terms and conditions, which is protected by a password chosen by the User.


WEBSITE – Administrator’s website www.thajske-masaze-brno.cz, www.thajske-masaze-vyskov.cz, www.thajske-masaze-olomouc.cz


PROCESSOR – performs processing activities on the basis of a contract or other mandate for the Administrator


PROCESSING OF PERSONAL DATA – is any operation or set of operations with personal data or sets of personal data, which is carried out with or without the aid of automated procedures, such as collection, recording, arrangement, structuring, storage, adaptation or modification, retrieval, inspection, use, disclosure by transmission, dissemination or any other disclosure, collation or combination, restriction of erasure or destruction;




The Administrator processes personal data of registered Users as well as its unregistered customers. It determines the purposes and means of processing.


Categories of personal data: name, surname, e-mail, mobile phone, invoicing data, delivery data, bank connection, login to the user account, behaviour in the user account, IP address, cookies.


Voluntarily provided personal data. Users voluntarily provide personal data to the Administrator, as soon as the User registers, purchases in the Administrator’s E-shop or in any other way (e.g., by email, by phone), or in another similar way.


Publicly available personal data. The administrator can process personal data from publicly available sources and combine them with those that were voluntarily provided to the administrator by data subjects.


Website. The administrator processes information about when data subjects visit and view its website. This information may include IP address, website activity and other information about your interaction with our website. We may collect this data as part of a log or through the use of cookies or other tracking technologies.

Social networks. The administrator has a profile on Facebook and Instagram. Any information, communications or materials provided through the Social Media Platform are provided at your own risk. The administrator cannot control all users of social networks or even providers of these networks. The protection of personal data is handled separately within each of the mentioned platforms.


When using the Administrator’s website, the data subject may be logged in to a Facebook or Google Account at the same time. The administrator thus enables the data subject to share his experience with the website with the data subject’s friends on his profile within social networks. A link to the Admin site page can also be done by sending via email.



All mentioned categories of personal data are processed by the Administrator, as they are necessary to fulfil the purposes listed below:


A. Registration for a user account and the E-shop operated by the Administrator enables registration for the Administrator’s services by setting up a user account. During registration, personal data is required in order to create a user account, which is used to review orders that the data subject will place or has already placed in the e-shop, load discounts in the form of bonus credits for further purchases, or manage invoicing and delivery data. The legal reason for processing personal data for the purpose of registering for a user account is the granting of the personal data subject’s voluntary, unconditional consent to the administrator. Members are sent a regular notification from which members can unsubscribe at any time.


B. Fulfilment of a contract the legal reason for processing personal data is the fulfilment of a contract to which the data subject is a contracting party, or the implementation of measures taken before the conclusion of a contract for the provision of services. The processing of personal data is carried out for the purpose of problem-free.


C. Newsletter (business communication) Sending promotional e-mails to registered users and/or customers to promote similar products and services. The Administrator may send commercial messages to the contacts of its Users or customers, when, on the basis of legitimate interest, it promotes similar products and services through direct marketing, but only until the recipient expresses their disagreement. Apart from the case of legitimate interest, the Administrator may also send commercial communications to those who have given prior consent to the processing of personal data for marketing and business purposes in advance (e.g. via the contact form on the Administrator’s website, or a paper form that they submitted and signed at the Administrator’s office). The “Unsubscribe” function is set in every marketing communication that the Administrator disseminates, i.e. even if it communicates with its Users.


D. Subscription to commercial communications


The Administrator e-shop allows you to subscribe to commercial communications.


The legal reason for the processing of personal data for the purpose of sending business communications is the granting of the personal data subject’s voluntary, unconditional consent to the administrator, in the form of a confirmation on the relevant subscription page. Each subscriber is properly informed through this policy of his or her rights as a party to the protection of personal data.


Signing up to receive business communications takes place in the so-called double opt-in mode, which prevents possible misuse of the e-mail address. In practice, this means that after confirmation, a confirmation of the request to subscribe to commercial communications is sent to the specified e-mail. This confirmation contains an active link, and only by clicking on it will the e-mail be included in the database of recipients of business communication subscribers.


The Administrator uses the Mailchimp.com service and its own email server to send all business communications.


E. Sending Transaction Messages.

These are messages for registered Users, to ensure information about necessary maintenance or error states of the E-shop, as well as about new functionalities. At the same time, this includes e-mails about the status of the order, delivery of the order or the stage of the complaint procedure, etc. These may be transactional e-mails or messages via the Information System and E-shop, or other similar messages.




The Administrator’s website uses cookies. The Administrator informs about their setting and use on a separate subpage of the website.


Cookies are small files that temporarily store information in your browser and are commonly used to distinguish user behavior on the web. However, the person of the user is not identifiable based on this information. Cookies help, for example:


– for the proper functionality of the website, in order to complete the purchase process with the least possible difficulties, the processing of these cookies cannot be refused;


– when remembering the login data for the account on the website, so that it is not necessary to enter them every time, these cookies can be refused;


– when determining which pages and features are used most often by visitors; based on this to adapt our offer as best as possible, these cookies can be rejected;


– they help to find out which ads visitors view most often, so that they are not shown the same ad over and over again when browsing the pages, or that they are not shown an ad for goods they are not interested in, these cookies can be rejected;


Some marketing cookies may collect information that is subsequently used by third parties, and which, for example, directly support our advertising activities (so-called “third-party cookies”). For example, information about viewed products can be used to show visitors on websites outside the Administrator’s website only such advertising that is relevant to the particular user, without bothering them with advertising that is not of interest to them. However, this data cannot identify you.


The Administrator’s website uses the following third-party cookies:


Google Ads (Google Inc), Sklik (Seznam.cz, as), Facebook (Facebook Inc), Mailchimp (The Rocket Science Group, LLC): for tracking, remarketing


Google Analytics (Google Inc): for web analytics


Cookies can be rejected using your web browser or set to use only some cookies. Cookie settings can also be changed on the Administrator website.


G. Links to External Sites


For optimal visitor information, the Administrator’s website contains links to third-party websites (usually business partners with whom the Administrator cooperates). If the data subject clicks on this link, he/she acknowledges that third-party websites have their own data protection policies, which may differ from the policies of the Administrator’s website.


H. Submitting the Contact Form


The Administrator’s website allows you to contact the Administrator via a contact form.


In addition to the question, name, telephone and e-mail must be entered in the form. By pressing the Submit form button, the data subject agrees to the processing of personal data for the purpose of contacting back and answering the entered question.


The period for processing personal data in the case of sending a contact form, during which the personal data will be stored by the Administrator, is the duration of the resolution of the query, after which the personal data are deleted from the Administrator’s database.


I. Other marketing activities on the Administrator’s website


On the Administrator’s website, you can encounter other marketing activities such as: completing a questionnaire, quiz, participating in a competition, etc. These are extraordinary, time-limited activities, for which it is always separately stated what personal data the Administrator collects and how they are further handled.


Those personal data that are necessary for the proper provision of the service, or in order to fulfill all the obligations of the Administrator, whether these obligations arise from the contract or from generally binding legal regulations, the Administrator is obliged to process, regardless of the consent given by the data subject, for the period determined by the relevant legal regulations, or in accordance with them even after the subject’s consent has been revoked data.


J. Compliance with legal requirements, including participation in legal proceedings and legal requirements of public administration bodies, including compliance with national security or law.




For the purposes of registration and management of the User account, all categories of personal data may be processed for a period of 2 years from the last active viewing of the User account, if the data subject does not request the cancellation of the account earlier.


For the purpose of fulfilling the rights and obligations from the contractual relationship between the Administrator and the customer, for the duration of the contractual relationship between the Administrator and the data subject, or for the time necessary to fulfill legal obligations and protect their legitimate interests, but no later than 5 years from the date of termination contractual relationship with the data subject.


The period for processing personal data in the case of sending commercial communications is 2 years from the last active viewing of the commercial communications by the subscriber, if the data subject does not unsubscribe earlier.


The exception is the tax documents issued by the Administrator of the Administrator in accordance with § 35 of Act No. 235/2004 Coll., Tax documents are kept for a period of 10 years from the end of the tax period in which the performance took place.




Technical and safety measures. With regard to the probability of risks and with regard to the ratio between the price of possible measures as well as technical possibilities, the administrator has introduced technical security and organizational measures – in all areas where personal data is processed (especially website operation, e-shop operation, employee agenda, communication with customers). The administrator meets the strict requirements of the GDPR parties.


The Administrator’s developers work with attorneys to ensure that the operation of the Administrator’s E-shop and website and the provision of services by the Administrator comply with applicable spam and privacy laws.


The administrator cannot disclose all the details and circumstances of a technical nature by which he protects his website and Eshop and the personal data he processes. Publishing the details could make the way easier for those who might seek to break systems and security barriers.


The Administrator declares that it uses a secure Information System that provides Personal Data with security corresponding to the state of the art, costs, nature, scope and purposes of processing. The Administrator considers the Information System to be safe also with regard to possible risks for the rights and freedoms of natural persons.


Organizational measures. All employees who have access to Personal Data are bound by confidentiality and must respect security principles. Access to all systems, including the Information System, is personalized and covered by passwords that are created in different ways. The information system records logs so that the Administrator can control the access of individual employees to individual databases. Employees are regularly trained.


Office. The Administrator’s offices are secure, lockable, and strangers cannot access them without the Administrator’s knowledge. The Administrator does not keep records kept in paper form, only where it is absolutely necessary. In this case, the Administrator keeps them under lock and key (vault).




The Administrator transfers personal data only to entities with which it has concluded a regular processing contract or a contract of joint administrators.


Joint administrators. These are operators of individual establishments in which the Administrator actually provides relaxation and massage services. For their daily activities, these entities have access to the Information Reservation System, which is primarily intended for the management of reservations and orders. Commercial communications, as well as other marketing activities where the personal data of customers are processed, are carried out exclusively by the Administrator. The joint administrators have agreed that the Administrator acts as the contact person via e-mail info@fasay.cz or at the address of the registered office.


Fasay, s.r.o., ID: 24177997, with registered office at Vídeňská 277/68, 639 00 Brno, represented by Siriporn Hofr, managing director


Processors. The Administrator uses only verified processors with whom it has a written contract, and who provide the Administrator with at least the same guarantees as the Administrator to data subjects. The administrator only uses processors that are from the EU or from countries that are safe according to the decision of the European Commission. All these partners are bound by confidentiality obligations and may not use the provided data for any purposes other than those for which the Administrator has made it available to them.


Our processors are accounting firms, payment gateways, lawyers, developers or marketing specialists, as well as software and cloud solutions. We use services and our data can be stored on the servers of Google LLc., Mailchimp.com, WEDOS Internet, as, WebSupport sro. Details of our processors are available upon request.


Legal obligations. The Administrator may transfer personal data to third parties if required by law or in response to legal requirements of public authorities or at the request of a court in legal disputes.




Administrator, it is possible to request access to personal data and to request correction, change, deletion or restriction of processing of personal data where it is inaccurate or has been processed in violation of applicable laws on the protection of personal data. The data subject has the right to portability of personal data, to object to the processing of personal data, the right to withdraw consent to the processing of personal data and the right not to be the subject of automated individual decision-making, including profiling (which the Controller does not do).


The rights of data subjects can be exercised by e-mail info@fasay.cz.


The administrator strives to comply with the rights of data subjects without delay. However, there may be circumstances in which the Administrator cannot provide access (for example, if the requested information threatens the privacy of other persons or other legitimate rights, or where the costs of providing access would be disproportionate to the risks threatening the privacy of the individual in the given case). The Administrator will take reasonable steps to verify the identity of the User before taking any action on the part of the rights of the data subjects.


Details of data subject rights:


1. Right of access to personal data


Pursuant to Article 15 of the GDPR, you will have the right to access personal data, which includes the right to obtain from the Administrator:


• confirmation of whether it processes personal data,


• information on the purposes of the processing, the categories of personal data concerned, the recipients to whom the personal data have been or will be made available, the planned period of processing, the existence of the right to request from the Administrator the correction or deletion of personal data concerning the data subject or the limitation of their processing or to raise an objection to this processing , the right to file a complaint with the supervisory authority, about all available information about the source of personal data, if not obtained from the data subject, the fact that automated decision-making takes place, including profiling, about appropriate safeguards when transferring data outside the EU,


• in the event that the rights and freedoms of other persons are not adversely affected, including a copy of personal data.


In the event of a repeated request, the Administrator will be entitled to charge a reasonable fee for a copy of personal data.


2. The right to correct inaccurate data


According to Article 16 GDPR, the data subject has the right to correct inaccurate personal data. The data subject is also obliged to notify changes to his personal data. At the same time, he is obliged to cooperate if it is found that the personal data that the Administrator processes about him are not accurate. The repair will be carried out by the Administrator without undue delay, but always taking into account the given technical possibilities.


3. Right to erasure


According to Article 17 of the GDPR, the data subject will have the right to delete personal data relating to him, if the Controller does not demonstrate legitimate reasons for processing this personal data. The administrator has set up mechanisms to ensure automatic anonymization or deletion of personal data in the event that they are no longer needed for the purpose for which they were processed.


4. Right to restriction of processing


According to Article 18 of the GDPR, the data subject has the right to limit processing until the resolution of the complaint, if he denies the accuracy of personal data, the reasons for their processing or if he objects to their processing.


5. Right to notification of correction, erasure or limitation of processing


According to Article 19 of the GDPR, the data subject has the right to be notified in the event of correction, deletion or restriction of the processing of personal data. If personal data is rectified or deleted, the Administrator will inform the individual recipients, except in cases where this proves impossible or requires unreasonable efforts.


6. Right to portability of personal data


According to Article 20 of the GDPR, the data subject has the right to the portability of the data concerning him and which he has provided to the administrator, in a structured, commonly used and machine-readable format, and the right to request the transfer of this data to another administrator.


If you provide personal data in connection with the Agreement on the provision of services to the Administrator or on the basis of consent and their processing is carried out automatically, you have the right to receive such data from the Administrator in a structured, commonly used and machine-readable format. If it is technically feasible, the data can also be transferred to the administrator designated by you, if the person acting on behalf of the relevant Administrator is properly designated and it is possible to authorize him.


If the exercise of this right could adversely affect the rights and freedoms of third parties, your request cannot be granted.


7. The right to object to the processing of personal data


According to Article 21 of the GDPR, the data subject has the right to object to the processing of his personal data on grounds of legitimate interest.


In the event that the Controller does not prove that there is a serious legitimate reason for the processing that outweighs the interests or rights and freedoms of the data subject, the processing will be terminated without undue delay based on the objection. If the objection is filed in the case of processing related to direct marketing, then the Administrator will terminate the processing without undue delay.


8. The right to withdraw consent to the processing of personal data


Consent to the processing of personal data for marketing and business purposes can be revoked at any time after this date. It is necessary to make the appeal explicit, understandable and a certain manifestation of the will.


The processing of data from cookies can be prevented by setting the web browser.


9. Automated individual decision-making, including profiling


The data subject has the right not to be the subject of any decision based solely on automated processing, including profiling, which would have legal effects for him or significantly affect him in a similar way. The controller states that it does not make automated decisions without the influence of human judgment with legal effects for data subjects.




This policy may only be changed in writing. Users will be informed about this via the Administrator’s website.


In case of any questions regarding our Personal Data Processing Policy, please feel free to contact us via e-mail info@fasay.cz.