Privacy Protection (GDPR)

Personal Data Protection Policy (GDPR)

of the 4GlobalEstate portal

Version: 1.1
Effective Date: May 1, 2026
Personal Data Controller: 4DEIVIA Systems s.r.o.

Article I – Identification of the Controller

The Personal Data Controller is the Operator of the 4GlobalEstate portal:

Data	Value
Name / First and Last Name	4DEIVIA Systems s.r.o.
Registered office	Stodolní 849/4, 743 01 Bílovec, Česká republika
Company ID	29483930
VAT ID	CZ29483930
Data Box	7nfi7et
Contact email	[email protected]

Article II – What personal data do we process

2.1 Registration and identification data

Private advertiser (B2C): minimum for account operation — specifically email for account verification. Name, phone number, or billing address are not required for posting private advertisements.

Real estate agency / B2B advertiser: additionally, company ID, company name, billing address, and broker data to the extent necessary for the contractual relationship and invoicing.

2.2 Ad data and contact on the ad

Private ad: in the ad detail, there is no central inquiry form with the inquirer's name and phone number. The advertiser may voluntarily provide a contact method outside the Portal (e.g., Signal, Telegram, Threema) — these details are published by the advertiser themselves, and communication takes place outside the Portal between them and the inquirer; The Operator does not store the content of such communication.

Real estate agency ad: in the ad contact, the agency's details (phone, email, etc.) may be published. The inquirer can contact the agency via the inquiry form on the Portal — see section 2.5.

2.3 Ad content:

Texts, photos, technical parameters of properties
Saved ad description translations (generated upon user request via machine translation API — see Art. IV para. 2)

2.4 Payment data:

Records of completed payments (date, amount, status, payment method)
For card payments, the Operator does not store credit card numbers — these are processed exclusively by integrated payment gateways (Stripe, PayU, Revolut Business Gateway)
For cryptocurrency payments, we only store the transaction hash, currency identifier, amount, and payment status on our infrastructure (without access to user's private keys)

2.5 Inquiries for real estate agency listings (only for RAs, not for private listings)

If an interested party fills out a form for an RA listing, we process the name, email, optionally phone, and message text only for the purpose of immediate email forwarding to the agent / RA and a brief confirmation to the interested party. We do not store the content of the inquiry in the Portal's database — only the total number of sent inquiries (without the interested party's personal data) for the listing will increase, which the RA sees in the listing statistics.

2.6 Technical data:

IP address
Records of access to the Portal (loggers)
Cookies to the extent defined by the Cookie Policy

Article III – Purposes of Processing and Legal Basis

We state the legal basis according to Article 6(1) of the GDPR — the table always indicates the letter (a, b, c, or f) on which the given purpose is based on law:

lit. a) — consent of the data subject
lit. b) — performance of a contract
lit. c) — compliance with a legal obligation
lit. f) — legitimate interest of the controller

Purpose of processing	Legal Basis	Art. 6 para. 1 GDPR
User account and advertisement management	Performance of a contract	lit. b)
Sending invoices and tax documentation	Fulfillment of a legal obligation	lit. c)
Ad status notification (72h alert)	Performance of a contract	lit. b)
Fraud and spam prevention and B2B identity verification	Legitimate interest	lit. f)
Bot filtering and protection of statistical integrity	Legitimate interest	lit. f)
Aggregated ad view statistics (anonymized visitor footprint)	Legitimate interest	lit. f)
Forwarding inquiry to real estate agency (form on agency's ad)	Contract fulfillment / legitimate interest	subparagraph b) / f)

Communication of the interested party with a private advertiser outside the Portal (Signal, Telegram, Threema, etc.) is not in the table — The Operator is not the administrator of message content for it, only allows the display of contact information that the advertiser chooses themselves.

Article IV – Recipients and Sub-processors

4.1 Transfer of personal data (account, payments, operation)

Registration and identification data from Art. II para. 2.1, payment metadata from para. 2.4, inquiries from para. 2.5 (transfer to REA) and technical data from para. 2.6 may be transferred to the following sub-processors:

Sub-processor	Purpose	Registered office
Stripe, Inc. (stripe.com)	Card payment processing (global / multi-currency)	USA (standard contractual clauses)
PayU S.A. (payu.cz)	Card payment processing (local / regional markets)	Poland / EU (per product)
Revolut Ltd (Revolut Business Gateway)	Card payment processing in EUR, PLN, USD	EU / UK (depending on the product)
Hetzner Online GmbH	Operation of server infrastructure	Finland
Operator (internal processing)	Record-keeping of cryptocurrency transaction hashes and payment status on the blockchain	Finland

Only data necessary for payment processing is transferred to payment gateways (typically email for confirmation, payment amount and currency, order identifier). Payment card data is processed exclusively by the respective gateways, and the Operator does not have access to it. For cryptocurrencies, we do not process user private keys — only transaction hash and metadata needed to match the payment with the advertisement.

4.2 Ad description translation (AI) — without user account data

Google Ireland Limited (Gemini machine translation API, Google Cloud) is used exclusively for voluntary translation of the ad title and description text, which the user initiates in the ad detail. We do not send registration or profile data to the machine translation API: no email, phone, name, company ID, or billing address.

Technically, only the title and property description text (and source and target language codes) are passed to the API. We store the translation result in the Portal's database. Translations of static portal interface texts occur outside of operational traffic (administrator's internal tools) and do not contain personal data of visitors or advertisers.

Note: If an advertiser were to insert contact information into the description themselves, it could appear in the description text even outside the account; the Operator does not automatically send such text for translation and recommends listing contacts in structured ad fields, not in the description.

Article V – Personal Data Flow (Data Diagram)

Advertiser (account + ad)
        │
        ▼
4GlobalEstate (controller)
        │
        ├──► Hosting ──────────────────────────── account personal data, logs
        │
        ├──► Stripe / PayU / Revolut ── card payments
        │
        ├──► Internal records ─────────────────── crypto transaction hash
        │
        └──► Google (Gemini API — only on click “Translate”)
                    └── only ad title and description text, not email / phone from account

Article VI – Cookies and Browser Storage

6.1 The Portal uses cookies and also localStorage (device-side storage) in the browser. We do not use third-party cookies for advertising, remarketing, or services like Google Analytics. There is currently no cookie banner for third-party marketing or analytical cookies on the Portal — so there is nothing to "approve" in categories that the Portal does not deploy.

6.2 Cookies that the Portal actually stores:

Name (approximate)	Purpose	Typical validity
`sessionid`	Login, session security, or favorites in session for an unlogged user	Until session termination / according to browser
`csrftoken`	Form Protection (CSRF)	By browser
`django_language`	Remembering the selected interface language	up to 365 days
`ge_preferred_fiat`	Remembering the selected fiat currency (ROW foreign market)	up to 365 days
`g4e_vid`	Anonymous visitor distinction for aggregated ad view statistics (without profiling for advertising)	up to 365 days
`geo_banner_dismissed`	Remembering the dismissal of the informational geo banner	7 days

6.3 Favorite listings for an unregistered user are primarily stored in the localStorage of the browser (not in a marketing cookie). After logging in, favorites can be synchronized to the account in the Operator's database.

6.4 Language and currency for a logged-in user — preferences can be saved in the account profile (database). For convenience and for visitors without an account, the Portal simultaneously uses django_language and ge_preferred_fiat cookies; for a logged-in user, these cookies are not technically necessary if the preference is maintained in the profile. Logging in as such requires a session cookie (sessionid).

6.5 If we implement third-party traffic measurement or marketing cookies in the future, we will add informed consent (opt-in) and cookie settings; until then, only the above categories apply.

Article VII – Account Deletion and Data Retention Period

User account deletion occurs exclusively based on a request sent by email to the Operator's address (). After verifying the applicant's identity, we will remove the account, login, profile, and advertisements from the Portal's operation — the user will not be able to log in again and will not see their data in the interface. We do not keep the entire account 'for another three years' — that would not correspond to deletion.[email protected]

What may exceptionally remain outside the Portal (law or accounting, not a regular account database):

What	Why
Invoices and tax documents	If you paid us, we must archive them for 10 years (accounting law). This is an accounting document, not an active account on the Portal.
Server backups	Technical copies are overwritten over time (usually within 30 days).
Logs (IP)	Operational security, max. 12 months.

Article VIII – Rights of Data Subjects

As a data subject, you have the following rights:

Right of access – you have the right to request a copy of your processed personal data.
Right to rectification – you have the right to request the correction of inaccurate personal data.
Right to erasure ("right to be forgotten") – after account deletion, we will remove data from the Portal; the only exceptions are obligations from Article VII (e.g., invoice archive).
Right to restriction of processing – you have the right to request restriction of processing in cases stipulated by law.
Right to data portability – you have the right to obtain your data in a machine-readable format.
Right to object – you have the right to object to processing based on legitimate interest.
Right to withdraw consent – you have the right to withdraw consent to processing at any time (cookies, etc.).

Method of exercising rights: Send requests electronically to . We will respond to the request within 30 days of its receipt.[email protected]

Supervisory Authority: If you believe that the processing of your personal data violates GDPR, you have the right to file a complaint with the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.