Personal data processing policy
Privacy Policy
Information for data subjects pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) - contact and inquiry form of the Ananta project website.
The company The Personal Resorts BALI s.r.o., acting as the data controller, hereby informs prospective clients who complete and submit the contact/inquiry form on the Ananta project website about the processing of their personal data, in accordance with Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the General Data Protection Regulation, "GDPR") and Act No. 110/2019 Coll., on personal data processing.
1. Data controller
A Data Protection Officer has not been appointed, as the controller does not meet the conditions for mandatory appointment under Article 37(1) GDPR.
2. What personal data we process
From the form, we process the data you enter yourself: name (and surname), e-mail address and country. We further process any data you choose to include in the text of your inquiry, together with technical data about the submission (date and time of submission, a record of the consents granted, for the purpose of demonstrating them). The scope of data is limited to the necessary minimum in accordance with the data minimisation principle under Article 5(1)(c) GDPR.
3. Purposes of processing, legal basis and storage period
In accordance with Article 13(1)(c) and (2)(a) GDPR, we set out the legal basis and the storage period for each purpose:
| Purpose of processing | Legal basis | Storage period |
|---|---|---|
| A) Handling your inquiry, sending the requested investment materials for the Ananta projects (presentation, price list, yield model) and contacting you in this matter (mandatory checkbox) | Consent under Article 6(1)(a) GDPR granted by ticking the first checkbox | For the period strictly necessary to handle the inquiry and provide the materials, at most 12 months from the last contact, or until the consent is withdrawn |
| B) Sending commercial and marketing communications - news, updates and investment opportunities of The Personal Resorts BALI s.r.o. (optional checkbox) | Consent under Article 6(1)(a) GDPR granted by ticking the second checkbox | For the period strictly necessary for the marketing purpose, i.e. until the consent is withdrawn |
The controller must be able to demonstrate that consent was given (Article 7(1) GDPR); a record of both the granting and any withdrawal of consent is therefore kept.
4. Voluntary nature of provision and consequences of non-provision
Providing personal data is voluntary. Without entering your name and e-mail and without ticking the first (mandatory) checkbox, we are unable to send you the requested materials or respond to your inquiry. The second checkbox is optional - not ticking it has no effect on the delivery of the requested materials; consent to receive the materials (checkbox A) is not conditional upon consent to marketing (checkbox B), in accordance with Article 7(4) GDPR.
5. Recipients of personal data
Personal data may be disclosed to the following categories of recipients and processors: providers of web hosting and website operation; providers of e-mail, CRM, cloud and marketing tools (in which inquiries are stored and from which communications are sent); where applicable, other companies of the TPRC / FIPOX group involved in the Ananta projects; and external advisers (legal, tax, accounting) bound by a duty of confidentiality. Specific processors: Cloudflare, Inc. (website hosting and operation, secure delivery of the form submission, and anti-bot protection via Cloudflare Turnstile); Microsoft Corporation / Microsoft Ireland Operations Limited (e-mail via Microsoft 365, and the storage and processing of inquiries via Power Automate and OneDrive). We do not sell personal data.
6. Transfer to a third country (outside the EU/EEA)
If any IT service provider processes data outside the EU/EEA (typically in the USA), this takes place on the basis of appropriate safeguards under Article 46 GDPR (Standard Contractual Clauses approved by the European Commission) or on the basis of a Commission adequacy decision. No personal data is transferred to a third country or international organisation beyond such safeguarded processing.
7. Your rights as a data subject
Under the conditions set out in the GDPR, you have in particular the following rights:
- the right of access to your personal data (Article 15 GDPR);
- the right to rectification of inaccurate data (Article 16 GDPR);
- the right to erasure ("right to be forgotten", Article 17 GDPR);
- the right to restriction of processing (Article 18 GDPR);
- the right to data portability (Article 20 GDPR);
- the right to object to processing (Article 21 GDPR); an objection to processing for direct marketing purposes is honoured unconditionally and without exception (Article 21(2) and (3) GDPR);
- the right to withdraw consent at any time (Article 7(3) GDPR - see Section 8 below);
- the right not to be subject to automated individual decision-making (Article 22 GDPR - which does not take place);
- the right to lodge a complaint with the supervisory authority, which is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, www.uoou.cz (Article 77 GDPR).
We will handle your request without undue delay and at the latest within one month of receipt (this period may be extended by a further two months where necessary); handling is generally free of charge (Article 12 GDPR).
8. Withdrawal of consent
You may withdraw either consent at any time, free of charge, without affecting the lawfulness of processing carried out before the withdrawal. Withdrawing consent is as easy as giving it (Article 7(3) GDPR): for marketing communications it is sufficient to click the unsubscribe link contained in every e-mail, or to send a message to the e-mail address set out in Section 1.
9. Automated decision-making and profiling
The processing does not involve automated individual decision-making or profiling producing legal or similarly significant effects within the meaning of Article 22 GDPR.
10. Security of personal data
The controller has implemented appropriate technical and organisational measures to secure personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, in accordance with Article 5(1)(f) and Article 32 GDPR.
11. Effect and changes
This policy is effective from 27 June 2026. The controller is entitled to update the wording from time to time; the current version is always available on the Ananta project website.