Privacy Policy
Data Controller:
FitLock s.r.o.
Company ID: 24519286
Registered office: Absolonova 2545/9a, 678 01 Blansko
E-mail: info@fitlock.cz
Web: www.fitlock.cz
Data Protection Officer (DPO): Martin Sokol
Contact: info@fitlock.cz
Effective from: 24 February 2026
I. What data we process
1. Registration data
First and last name
E-mail
Phone
Address
Company ID (for corporate membership)
2. Service usage data
Reservation and visit history
Payment history
IP address
3. Payment data
Payment card details are not stored directly by the Controller. Storage is handled via tokenisation through the GoPay payment gateway. The Controller does not have access to card numbers.
4. CCTV footage
The fitness centre premises are monitored by a CCTV system. Recordings are retained for 30 days.
5. Blacklist
User identification data
Reason for inclusion
Reservation and payment history
Internal note
II. Purposes and legal basis for processing
Performance of contract – registration, reservations, membership
Legal obligation – accounting documents (retention in accordance with law, usually 10 years)
Legitimate interest – property protection, blacklist, operational security
Consent – marketing, newsletter, push notifications, SMS
III. Marketing communications
The Controller may send:
E-mail newsletter
Push notifications (operational and marketing)
SMS messages (operational and marketing)
Marketing communications are sent only on the basis of consent or legitimate interest under applicable legislation. The User may withdraw consent at any time.
The Ecomail tool and the Controller's internal system may be used for sending newsletters.
IV. Transfer of data to third parties
Personal data may be transferred to:
GoPay payment gateway
Google (Google Analytics, Google Ads)
Meta (Meta Pixel)
Seznam (Sklik)
Apple / Google (in the case of the mobile app)
Others listed in cookie consent settings
Some services may involve transfer of data to third countries (e.g. USA). The transfer takes place on the basis of standard contractual clauses (SCC) or other legal mechanisms under GDPR.
V. Retention periods
Account after closure – 2 years
Accounting documents – according to statutory period (usually 10 years)
CCTV footage – 30 days
Blacklist – at least 2 years, or longer if legitimate interest persists
VI. Data subject rights
You have the right to:
access your data
rectification
erasure (unless there is a legitimate interest of the Controller)
restriction of processing
data portability
object to processing
lodge a complaint with the Office for Personal Data Protection (www.uoou.cz)
VII. Security
HTTPS encryption
Database hosted in the EU
Two-factor login for administration
Tokenisation of payment data
Other legal documents