Privacy Policy (GDPR)
of the 4GlobalEstate portal
Version: 1.1
Effective date: 1 May 2026
Personal data controller: 4DEIVIA Systems s.r.o.
Article I – Identification of the Controller
The Personal Data Controller is the Operator of the 4GlobalEstate portal:
| Data | Value |
|---|---|
| Name / Full Name | 4DEIVIA Systems s.r.o. |
| Registered Office | Stodolní 849/4, 743 01 Bílovec, Česká republika |
| Company ID | 29483930 |
| VAT ID | CZ29483930 |
| Data Box | 7nfi7et |
| Contact email | [email protected] |
Article II – What personal data do we process
2.1 Registration and identification data
Private advertiser (B2C): minimum for account operation — specifically email for account verification. Name, phone number, or billing address are not required for placing private advertisements.
Real estate agency / B2B advertiser: additionally, company ID, company name, billing address and agent details to the extent necessary for the contractual relationship and invoicing.
2.2 Advertisement data and contact on the advertisement
Private advertisement: in the advertisement detail, there is no central inquiry form with the inquirer's name and phone number. The advertiser may voluntarily provide a contact method outside the Portal (e.g., Signal, Telegram, Threema) — these details are published by the advertiser, and communication takes place outside the Portal between them and the inquirer; the Operator does not store the content of such communication.
Real estate agency advertisement: in the advertisement contact, the agency's details (phone, email, etc.) may be published. The inquirer can contact the agency via the inquiry form on the Portal — see paragraph 2.5.
2.3 Content of advertisements:
- Texts, photos, technical parameters of properties
- Saved ad description translations (generated upon user request via machine translation API — see Art. IV para. 2)
2.4 Payment data:
- Records of payments made (date, amount, status, payment method)
- For card payments, the Operator does not store payment card numbers — these are processed exclusively by integrated payment gateways (Stripe, PayU, Revolut Business Gateway)
- For cryptocurrency payments, we only store the transaction hash, currency identifier, amount, and payment status on our infrastructure (without access to the user's private keys)
2.5 Enquiries for real estate agency listings (only for real estate agencies, not for private listings)
If an interested party fills in a form for a real estate agency listing, we process the name, email, optionally phone, and message text only for the purpose of immediate email forwarding to the agent / real estate agency and a brief confirmation to the interested party. We do not store the content of the enquiry in the Portal's database — only the total number of sent enquiries will increase for the listing (without the interested party's personal data), which the real estate agency sees in the listing statistics.
2.6 Technical data:
- IP address
- Records of access to the Portal (logs)
- Cookies within the scope defined by the Cookie Policy
Article III – Purposes of processing and legal basis
We state the legal basis according to Article 6(1) of the GDPR. For each purpose, the table indicates the letter (a, b, c or f) on which the processing is legally based:
- lit. a) — consent of the data subject
- lit. b) — performance of a contract
- lit. c) — compliance with a legal obligation
- lit. f) — legitimate interest of the controller
| Purpose of processing | Legal Basis | Art. 6 para. 1 GDPR |
|---|---|---|
| User Account and Advertising Management | Performance of a contract | lit. b) |
| Sending invoices and tax documentation | Fulfilment of a legal obligation | lit. c) |
| Ad status notification (72h alert) | Performance of a contract | lit. b) |
| Prevention of fraud, spam and B2B identity verification | Legitimate interest | lit. f) |
| Bot filtering and protection of statistics integrity | Legitimate interest | lit. f) |
| Aggregated ad view statistics (anonymised visitor footprint) | Legitimate interest | lit. f) |
| Forwarding enquiry to real estate agency (form on agency's ad) | Performance of a contract / legitimate interest | lit. b) / f) |
Communication of the interested party with a private advertiser outside the Portal (Signal, Telegram, Threema, etc.) is not in the table — the Operator is not the controller of the message content for it, only enables the display of the contact chosen by the advertiser.
Article IV – Recipients and Sub-processors
4.1 Transfer of personal data (account, payments, operation)
Registration and identification data from Article II, paragraph 2.1, payment metadata from paragraph 2.4, enquiries from paragraph 2.5 (forwarding to the real estate agency) and technical data from paragraph 2.6 may be transferred to the following sub-processors:
| Sub-processor | Purpose | Registered Office |
|---|---|---|
| Stripe, Inc. (stripe.com) | Card payment processing (global / multi-currency) | USA (standard contractual clauses) |
| PayU S.A. (payu.cz) | Card payment processing (local / regional markets) | Poland / EU (according to product) |
| Revolut Ltd (Revolut Business Gateway) | Card payment processing in EUR, PLN, USD | EU / UK (depending on product) |
| Hetzner Online GmbH | Operation of server infrastructure | Finland |
| Operator (internal processing) | Record-keeping of cryptocurrency transaction hashes and payment status on the blockchain | Finland |
Only data necessary for payment processing is passed to payment gateways (typically email for confirmation, payment amount and currency, order identifier). Payment card details are processed exclusively by the respective gateways, and the Operator does not have access to them. For cryptocurrencies, we do not process user private keys — only transaction hash and metadata needed to match the payment with the listing.
4.2 Ad description translation (AI) — without user account data
Google Ireland Limited (Gemini, Google Cloud machine translation API) is used exclusively for the voluntary translation of the ad title and description text, which the user initiates in the ad detail. We do not send registration or profile data to the machine translation API: no email, phone, name, company ID, or billing address.
Technically, only the title and property description text (and source and target language codes) are passed to the API. We store the translation result in the Portal's database. Translations of static portal interface texts are carried out outside of operational traffic (administrator's internal tools) and do not contain personal data of visitors or advertisers.
Note: If an advertiser were to insert contact details into the description themselves, they could appear in the description text even outside the account; the Operator does not automatically send such text for translation and recommends providing contacts in structured listing fields, not in the description.
Article V – Personal Data Flow (data diagram)
Advertiser (account + ad)
│
▼
4GlobalEstate (controller)
│
├──► Hosting ──────────────────────────── account personal data, logs
│
├──► Stripe / PayU / Revolut ── card payments
│
├──► Internal records ─────────────────── crypto transaction hash
│
└──► Google (Gemini API — only on "Translate" click)
      └── only ad title and description text, not email / phone from account
Article VI – Cookies and Browser Storage
6.1 The Portal uses cookies and also localStorage (device-side storage) in the browser. We do not use third-party cookies for advertising, remarketing, or services like Google Analytics. There is currently no cookie banner for third-party marketing or analytical cookies on the Portal — so there is nothing to 'approve' in categories that the Portal does not deploy.
6.2 Cookies that the Portal actually stores:
| Name (indicative) | Purpose | Typical validity |
|---|---|---|
| sessionid | Login, session security, or favourites in session for logged-out users | Until session termination / according to browser |
| csrftoken | Form protection (CSRF) | Per browser |
| django_language | Remembering selected interface language | up to 365 days |
| ge_preferred_fiat | Remembering selected fiat currency (ROW foreign market) | up to 365 days |
| g4e_vid | Anonymous visitor identification for aggregated statistics of ad views (without profiling for advertising) | up to 365 days |
| geo_banner_dismissed | Remembering the dismissal of the informational geo banner | 7 days |
6.3 Favourite ads for a logged-out user are primarily stored in the browser's localStorage (not in a marketing cookie). After logging in, favourites can be synchronised to the account in the Operator's database.
6.4 Language and currency for a logged-in user — preferences can be stored in the account profile (database). For convenience and for visitors without an account, the Portal simultaneously uses django_language and ge_preferred_fiat cookies; for a logged-in user, these cookies are not technically necessary if the preference is maintained in the profile. Logging in as such requires a session cookie (sessionid).
6.5 If in the future we implement third-party traffic measurement or marketing cookies, we will add informed consent (opt-in) and cookie settings; until then, only the above categories apply.
Article VII – Account deletion and how long we retain data
User account deletion occurs exclusively upon request sent by email to the Operator's address ([email protected]). After verifying the applicant's identity, we will remove the account, login, profile, and advertisements from the Portal's operation — the user will not be able to log in again and will not see their data in the interface. We do not keep the entire account 'for another three years' — that would not be consistent with deletion.
What may exceptionally remain outside the Portal (law or accounting, not a regular account database):
| What | Why |
|---|---|
| Invoices and tax documents | If you have paid us, we must archive them for 10 years (Accounting Act). This is an accounting document, not an active account on the Portal. |
| Server backups | Technical copies are overwritten over time (usually within 30 days). |
| Logs (IP) | Operational security, max. 12 months. |
Article VIII – Rights of Data Subjects
As a data subject, you have the following rights:
- Right of access – you have the right to request a list of processed personal data.
- Right to rectification – you have the right to request the correction of inaccurate personal data.
- Right to erasure ("right to be forgotten") – after deleting the account, we will remove data from the Portal; the only exceptions remain the obligations from Article VII (e.g., invoice archive).
- Right to restriction of processing – you have the right to request the restriction of processing in cases stipulated by law.
- Right to data portability – you have the right to obtain your data in a machine-readable format.
- Right to object – you have the right to object to processing based on legitimate interest.
- Right to withdraw consent – you have the right to withdraw consent to processing at any time (cookies, etc.).
Method of exercising rights: Please send requests electronically to [email protected]. We will respond to the request within 30 days of its receipt.
Supervisory Authority: If you believe that the processing of your personal data violates the GDPR, you have the right to lodge a complaint with the Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, www.uoou.cz.
Article IX – Security
9.1 The Operator has adopted technical and organisational measures to protect personal data, in particular:
- Encrypted data transfer (HTTPS/TLS)
- Access to personal data only by authorised persons
- Pseudonymisation of technical logs
Article X – Final Provisions
10.1 This Privacy Policy may be updated periodically. Users will be informed of changes by email or a notice on the Portal.
10.2 This Privacy Policy comes into effect on 1 May 2026.