Privacy Policy
Last Updated: March 12, 2026
1. Introduction & Controller Identity
This Privacy Policy explains how tofrvique ("we", "us", or "our") collects, uses, and protects your personal data when you visit this website and when you submit a registration or contact request for our online culinary skills course.
Data Controller: Tofrvique Ltd, Nademlejnská 600/1, Hloubětín (Praha 9), 198 00 Praha, Czechia. Contact email: [email protected].
We do not appoint a Data Protection Officer for this website. If you have questions about privacy, cookies, or your rights, email us and we will respond promptly.
2. Personal Data We Collect
We collect only the data needed to run the course website, respond to requests, and improve the experience. The categories below describe what we may collect depending on how you use the site.
- Identity and contact data: first name, last name, email address. If you contact us by email, we will also receive your email signature and any details you include.
- Form content: messages you write in the contact form, such as curriculum questions, equipment constraints, dietary constraints you cook around, or learning preferences.
- Technical data: IP address, browser type and version, device type, operating system, language settings, and approximate location derived from IP (city/region level).
- Usage data: pages visited, time spent on pages, navigation paths, referrer page, and interactions such as link clicks that help us understand which lessons and information are most useful.
- Cookies and identifiers: identifiers stored in your browser to remember consent choices and enable basic site functions (see Section 4).
- Conversion events: event signals that indicate a registration request or contact request was sent, used to measure form performance and improve the site.
We do not intentionally collect special-category data (such as health information, religious beliefs, political opinions), government identification numbers, or financial account details through our website forms. Please avoid including sensitive personal information in free-text fields.
3. Why We Process Data & Legal Basis
We process personal data for specific purposes and rely on legal bases available under the GDPR and UK GDPR where applicable.
- Responding to registration and contact requests: to reply to you, provide course information, and handle your enquiry. Legal basis: GDPR Art. 6(1)(b) (steps prior to entering a contract) and Art. 6(1)(a) (consent) where your submission includes consent to be contacted.
- Website operation and security: to maintain availability, prevent abuse, and protect against fraud or malicious activity. Legal basis: Art. 6(1)(f) (legitimate interest in securing our website and systems).
- Analytics (if enabled): to understand how visitors use the site and improve navigation, content structure, and form completion flow. Legal basis: Art. 6(1)(a) (consent).
- Marketing and conversion measurement (if enabled): to measure effectiveness of advertising and show relevant ads to people who have expressed interest. Legal basis: Art. 6(1)(a) (consent).
- Legal compliance: to comply with applicable laws and respond to lawful requests from authorities. Legal basis: Art. 6(1)(c) (legal obligation).
Automated decision-making (GDPR Art. 22): we do not engage in automated decision-making or profiling that produces legal or similarly significant effects. Any ad targeting based on cookie consent is limited to standard advertising audiences and does not determine eligibility for a service.
4. Cookies & Tracking
Cookies are small files stored by your browser. We also use similar technologies such as pixel tags and server-side event forwarding where implemented. Cookie categories on this website match the choices in our cookie banner and Cookie Policy.
Essential cookies (always active)
These cookies are required for basic site functionality, such as keeping the site stable and remembering your cookie choices. They do not require consent.
- _site_session for basic session continuity. Retention: session to 30 days depending on implementation.
- cookie_consent stores your preference selection. Retention: 12 months.
Analytics cookies (consent required)
If you enable analytics cookies, we may use Google Analytics 4 (GA4) to understand aggregated usage. IP anonymization is enabled where supported. Example cookies include _ga (2 years) and _ga_XXXXXXXXXX (2 years). We configure analytics data retention for 14 months.
Marketing cookies (consent required)
If you enable marketing cookies, we may use technologies such as Google Ads cookies (for example _gcl_au, 90 days) and Meta cookies (for example _fbp and _fbc, typically 90 days). These cookies can be used for conversion attribution, remarketing, and creating audiences.
Beyond cookies, some measurement systems use pixel tags in your browser and may use server-side transfer based on event information. Where configured, identifiers may be derived from IP address and user agent data, and some partners support hashed identifiers for matching. We do not authorize partners to use site data for their own independent commercial purposes.
5. Consent (EEA/UK)
Users in the EEA and UK receive a consent notice under GDPR and UK GDPR. Analytics and marketing cookies activate only after explicit, informed, freely given consent (GDPR Art. 6(1)(a)). Consent is recorded in the cookie_consent browser cookie (12 months).
You may withdraw consent at any time via the “Manage cookie preferences” link in the footer or by clearing cookies in your browser. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
6. Sharing With Advertising & Service Partners
We share limited data with service providers and advertising partners to operate the website and, if you consent, to measure and improve our advertising. We do not sell personal data.
- Google LLC (Google Analytics 4, Google Ads, Google Tag Manager, remarketing): cookie IDs, usage data, and conversion events. Reference: policies.google.com/privacy
- Meta Platforms (Meta Pixel, custom and lookalike audiences, conversion measurement): page views, conversions, audience membership signals, and (where configured) hashed identifiers. Reference: facebook.com/privacy/policy
- Cloudflare (CDN and security): IP-based threat detection and performance optimization. Reference: cloudflare.com/privacypolicy
These providers may process data as our processors or as independent controllers depending on the product and configuration. We configure tools to reduce unnecessary data collection, and we restrict activation of non-essential tools until consent is provided where required.
7. International Transfers
Some service providers process data outside the EEA/UK, including in the United States. Where applicable, transfers rely on the EU-US Data Privacy Framework (and UK Extension / Swiss-US DPF as relevant). If a provider is not covered, we use Standard Contractual Clauses (EU 2021/914) as a fallback, and for the UK we use the UK IDTA or an approved addendum.
Transfer safeguards are applied at the provider and configuration level. You can limit transfers by declining analytics and marketing cookies using our cookie banner controls.
8. Retention
We keep personal data only as long as necessary for the purposes described in this policy.
- Contact and registration submissions: up to 2 years from the last interaction to support follow-ups and course administration.
- Analytics data: 14 months (tool configuration), subject to cookie lifetimes and provider settings.
- Marketing cookies: retained for the cookie lifetime (often 90 days) unless you withdraw consent earlier.
- Email correspondence: for the duration of the relationship plus 1 year, unless law requires longer retention.
- Server logs: typically 90 days for security and diagnostics.
- Cookie consent record: up to 3 years for audit and compliance tracking, stored as a cookie and/or internal log where applicable.
- Legal and tax records: retained as required by law (often 6 to 10 years for invoices and statutory records, where applicable).
9. Your Rights (GDPR & UK GDPR)
Depending on your location, you may have rights under GDPR or UK GDPR, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with a supervisory authority (Art. 77)
To exercise your rights, email [email protected]. We typically respond within 30 days. If a request is complex, we may extend the response time by up to 60 days and will explain why.
Supervisory authority references: EU guidance at edpb.europa.eu; UK authority at ico.org.uk; Czech authority at uoou.gov.cz.
10. Children
This site is not directed at individuals under 16. We do not knowingly collect personal data from minors. If we learn that we have collected personal data from a child under 16 without verifiable parental consent, we will delete it promptly.
11. Do Not Track
This website does not respond to Do Not Track (DNT) browser signals. Third-party providers may offer their own mechanisms for opt-out or preference management.
12. Data Deletion Requests
You can request deletion of your personal data by emailing us with the subject line “Data Deletion Request”. For security, we may ask you to verify ownership of the email address associated with the request. We aim to complete requests within 30 days, unless a legal obligation requires us to keep certain records.
13. Business Transfers
In a merger, acquisition, asset sale, financing, or insolvency event, personal data may be transferred to a successor entity. If a transfer materially changes how personal data is used, we will provide notice on the website.
14. California (CCPA / CPRA)
This section applies to California residents where the CCPA/CPRA applies. In the past 12 months, we may have disclosed the following categories of personal information to service providers and advertising partners: identifiers (such as name, email, IP address, device IDs), internet or network activity (such as browsing interactions), and inferences (such as content preferences derived from usage).
We do not sell personal information as defined by CCPA. We may share personal information for cross-context behavioral advertising if you consent to marketing cookies. You can opt out by using the cookie preferences panel.
California rights may include the right to know, delete, correct, and opt out of sale or sharing, and the right to non-discrimination. To submit a request, email [email protected] with the subject line “California Privacy Request”. We will verify your request as required. Authorized agents must provide proof of authorization.
15. Virginia (VCDPA)
Virginia residents may have rights to access, correct, delete, and obtain a copy of personal data, and to opt out of targeted advertising. We do not sell personal data and we do not engage in profiling producing legal or similarly significant effects.
To submit a request, email [email protected] with the subject line “Virginia Privacy Request”. If we decline a request, you may appeal by emailing us with the subject line “Appeal of Refusal — Privacy Request”. We will respond to appeals within 60 days.
16. Nevada
Nevada residents may submit a verified opt-out request by emailing us with the subject line “Nevada Do Not Sell Request”. We do not currently sell personal information under Nevada Revised Statutes Chapter 603A.
17. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Material changes will be announced via a site notice at least 14 days before taking effect. The “Last Updated” date at the top of this page reflects the latest revision.
18. Contact
For privacy questions, requests, or complaints, contact:
Tofrvique Ltd
Nademlejnská 600/1
Hloubětín (Praha 9), 198 00 Praha, Czechia
Email: [email protected]
Phone: +420 233 233 812