Privacy Policy

CEE Startup Network is operated by Moravskoslezské inovační centrum Ostrava, a.s.("MSIC") and INOVIA, n.o., jointly. For data-protection enquiries please use the Contact page.

Event RSVPs

When you register for an event we collect your first name, last name, email address, organization (optional), and the event you registered for. We store this so we can confirm your attendance, send event-related logistics, and prepare a participant list for the host.

• Legal basis: consent (Art. 6(1)(a) GDPR), captured by the consent checkbox on the form.
• Where it's stored: Supabase (PostgreSQL) hosted in the EU.
• Retention: for the duration of the event plus up to 24 months for follow-up communication, after which records are deleted unless you separately opted into the newsletter.

Newsletter signup

When you subscribe via the footer form we collect your name and email address to send occasional updates about CEE Startup Network programs and the CEE startup ecosystem.

• Legal basis: consent (Art. 6(1)(a) GDPR).
• Where it's stored: Supabase (PostgreSQL) hosted in the EU.
• Retention: until you unsubscribe.

Contact form

When you contact us via the form we collect your first name, last name, email address, and your message. We use these only to reply.

• Legal basis: taking steps at your request prior to entering a contract or pursuing our legitimate interest of responding to enquiries (Art. 6(1)(b) and (f) GDPR).
• Where it's stored: the message is delivered as an email via our SMTP provider; we keep the email in our mailbox.
• Retention: up to 24 months unless the conversation is ongoing.

Analytics — Google Analytics 4 and Vercel Analytics

With your explicit, opt-in consent via the cookie banner, we use two analytics tools to measure how the site is used:

• Google Analytics 4 — collects pages viewed, approximate location (country), device type, and traffic source. IP addresses are anonymized.
• Vercel Analytics — a cookieless, privacy-friendly counter provided by our hosting platform. Sets no persistent identifier; uses an ephemeral, daily-rotating hash of IP + User-Agent only to dedupe sessions.

• Legal basis: consent (Art. 6(1)(a) GDPR / § 89 ZEK in Czech / § 109 ZEK in Slovak).
• Where it's stored:Google LLC (USA) under the EU-US Data Privacy Framework (see Google's Privacy Policy); and Vercel Inc. (USA) under the EU-US Data Privacy Framework (see Vercel's Privacy Policy).
• Retention: GA4 — 14 months at default settings; aggregated reports may be retained longer. Vercel Analytics — aggregated, with raw IP/UA discarded after the daily hash is computed.

If you do not consent, neither analytics script ever loads on your device and no data is sent to Google or Vercel. You can change your choice on the Cookies page at any time.

We do not sell or trade personal data. We share it only with:

• Supabase Inc. — database hosting (EU region) for RSVP and newsletter records.
• Vercel Inc. — website hosting and CDN. Vercel processes server logs, which include IP addresses, briefly, for the purpose of operating the service.
• Sanity.io — content management for events and blog posts; does not receive your personal data.
• Our SMTP provider — to deliver contact-form messages to our mailbox.
• Google LLC — only if you opt in to analytics.

All processors above act under data-processing agreements consistent with GDPR Art. 28.

Where data leaves the EU/EEA — currently only Google (if you consent to analytics) and Vercel — we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as appropriate.

Under GDPR you have the right to:

• Access the personal data we hold about you.
• Have inaccurate data corrected.
• Have your data deleted (the "right to be forgotten").
• Restrict or object to processing.
• Receive your data in a portable format.
• Withdraw consent at any time, without affecting prior lawful processing.
• Lodge a complaint with your data-protection authority (in Czechia: Úřad pro ochranu osobních údajů; in Slovakia: Úrad na ochranu osobných údajov SR).

To exercise any of these rights, contact us via the Contact page. We respond within 30 days.

We use HTTPS site-wide, strict Content-Security-Policy and security headers, rate limiting on form endpoints, parameterized database queries to prevent SQL injection, and never expose database credentials to the browser. Server-side secrets are scoped to server modules only.

The site is not directed at children under 16. We do not knowingly collect personal data from children.

We may update this policy when we add features that change how data is processed. Material changes will be communicated through the cookie banner or by email if you are on our newsletter list.