Banana Pancakes s.r.o. Homepage
§ Privacy · what the site sees · Praha 5, CZ
Last revised 26 Apr 2026

Almost nothing is collected.

The site is a static page, a contact form, and one analytics script. Below is exactly what each one sees, why it's there, who runs it, how long it sticks around, and how to ask us to delete it. Plain English, no dark patterns — if you'd rather just write, the address is [email protected].

§ I

Who's responsible

Controller & contact
Data controller Správce osobních údajů
Banana Pancakes s.r.o.
IČO 05108438 · Na pomezí 910/2, 158 00 Praha 5, Czech Republic.
Full identity, registration, and statutory body live in the imprint.
Contact for privacy
[email protected]
Same address handles inquiries, data-subject requests, and complaints. One person reads it.
Data Protection Officer Pověřenec pro ochranu osobních údajů
Not appointed. The studio's processing scale doesn't trigger Art. 37 GDPR. The controller is the contact point.
§ II

What gets collected

Data inventory · by source
Contact form Formulář
  • You provideName, email address, and the message you write.
  • Auto-attachedA Cloudflare Turnstile token (anti-bot challenge result) and the request IP and user-agent that pass through the edge.
Submissions are sent via Cloudflare Email Sending and forwarded to a Proton Mail inbox — the email itself is the storage.
Email correspondence
The full thread once you write — whatever you send, whatever we send back, plus standard email headers. Stored in Proton Mail.
Server logs
Cloudflare records standard HTTP access metadata at the edge: request IP, user-agent, timestamp, path, response status. Used for traffic safety and debugging.
Analytics
Google Analytics 4 records pseudonymous events: page views, referrer, device class, approximate country (from a truncated IP). No advertising signals, no cross-site profiling, no User-ID.
What we don't collect
No accounts. No passwords. No payment data on this site. No location beyond country. No fingerprinting beyond standard analytics. No data sold or shared for advertising — ever.
§ III

Why we process it

Purposes & legal bases · GDPR Art. 6
Replying to inquiries
To answer the question you wrote in, and — if it leads to work — to enter and perform a contract.
Art. 6(1)(b) pre-contract / contract performance, and Art. 6(1)(f) legitimate interest in business correspondence.
Anti-spam
To keep the contact form usable and the inbox clean. Cloudflare Turnstile evaluates each submission.
Art. 6(1)(f) legitimate interest in protecting the form from abuse.
Site security & logs
Edge logs help spot abuse and resolve incidents.
Art. 6(1)(f) legitimate interest in operating the site safely.
Analytics
To understand which pages get read and where the traffic comes from. GA4 is configured without advertising features and with IP truncation.
Art. 6(1)(f) legitimate interest in measuring the site's reach. You can opt out at any time (see § VI).
Accounting & tax
If you become a client, invoices and the related correspondence are kept for the periods Czech law requires.
Art. 6(1)(c) legal obligation under the Czech Accounting Act and VAT Act.
§ IV

How long it sticks around

Retention · in plain numbers
Inquiries that go nowhere
Deleted within 12 months unless useful as a reference. Quietly trimmed from the inbox. Earlier on request.
Inquiries that lead to work
Kept while the engagement is live, then for 5 years (accounting) and 10 years (VAT) as Czech law requires. Zákon č. 563/1991 Sb. o účetnictví; zákon č. 235/2004 Sb. o DPH.
Server logs
A short rolling window per Cloudflare's defaults — typically days to weeks, not retained as a long-term archive.
Analytics events
GA4 retention set to 14 months, then events are aggregated or removed.
§ V

Who else sees it

Processors & international transfers
Cloudflare, Inc.
  • RoleHosting (Pages), edge functions (Workers), Email Sending, anti-bot (Turnstile).
  • SeesHTTP request metadata and, for contact form submissions, the name, email address, selected service, message, Turnstile token, and routing metadata needed to deliver the email.
  • WhereGlobal edge network. US-headquartered (101 Townsend St, San Francisco).
  • TransferStandard Contractual Clauses + Cloudflare's DPA cover EEA → US.
Google Ireland Ltd.
  • RoleGoogle Analytics 4 — pseudonymous traffic measurement.
  • SeesPage-view events with truncated IP. No advertising features enabled.
  • WhereController for the EEA: Gordon House, Dublin 4. Sub-processing in the US.
  • TransferStandard Contractual Clauses + Google's DPA cover EEA → US.
Proton AG
  • RoleEmail hosting for [email protected].
  • SeesFull content of email correspondence (encrypted at rest).
  • WhereSwitzerland.
  • TransferSwitzerland is covered by an EU adequacy decision under Art. 45.
Google LLC (Fonts)
The site loads webfonts from Google Fonts at page render. Each request reveals an IP and user-agent to Google. No cookies are set by the Fonts CDN. EEA → US transfer covered by SCCs.
§ VI

Cookies & analytics

What's set, and how to switch it off
Site cookies
None of our own. Banana Pancakes doesn't set account, session, preference, or marketing cookies.
Analytics cookies
Google Analytics 4 sets _ga and _ga_<container-id> — pseudonymous identifiers used to count returning page views. Default expiry: 13 months. They don't fingerprint, they aren't shared with ad networks, and they can be cleared at any time.
How to opt out
  • BrowserBlock third-party scripts or use any tracker-blocking extension — nothing on the site breaks.
  • GoogleInstall Google's Analytics opt-out add-on.
  • DNT / GPCIf your browser sends Do Not Track or Global Privacy Control, the site does not load Google Analytics.
Cloudflare challenges
Turnstile may set short-lived tokens scoped to the form submission. They aren't tracking cookies and don't persist across the site.
§ VII

Your rights

Under the GDPR · Articles 15–22, 77

You can exercise any of the rights below by writing to [email protected]. We answer within 30 days, usually much sooner. There's no fee unless a request is clearly excessive, and we may need to verify identity for sensitive ones.

Access Právo na přístup
Ask what we hold about you and get a copy. Art. 15
Rectification Oprava
Ask us to correct anything that's wrong. Art. 16
Erasure Výmaz
Ask us to delete it — subject to overriding legal obligations (e.g. accounting records). Art. 17
Restriction Omezení zpracování
Ask us to pause processing while a dispute is sorted out. Art. 18
Portability Přenositelnost
Ask for your data in a structured, common, machine-readable format. Art. 20
Objection Námitka
Object to processing based on legitimate interest — including analytics. Art. 21
Complaint Stížnost
Lodge a complaint with the Czech data-protection authority:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7 · uoou.gov.cz
Art. 77
Last revised
26 April 2026
version 1.0 · material changes will bump this date · changelog kept in git
Back to the homepage Imprint