Privacy policy
Effective date: 23 April 2026 · Last updated 23 April 2026
1. Controller of personal data
The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter the "GDPR") and the operator of the FlipKing Pro platform (hereinafter the "Controller" or "Operator") is:
- Prexima Reality s.r.o.
- Company ID: 08600872
- Registered office: Nad obcí I 2110/29, 140 00 Prague 4 - Krč
- Registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 321378, case no. C 321378/MSPH
- Statutory body: Maxim Ponomarenko, managing director
Contact e-mail for exercising data subject rights: privacy@flipking.cz. General support: info@flipking.cz.
The Controller continuously assesses the obligation to appoint a Data Protection Officer (DPO) under Art. 37(1) GDPR in view of the scope and nature of the processing. The current status and the contact details of the person responsible for GDPR matters are published on this page. Please direct any data protection inquiries to the e-mail above.
2. What data we process
2.1 Registration data
- E-mail address
- Name and surname (optionally nickname)
- Password hash (bcrypt; a one-way hash that cannot be reversed to recover the password)
2.2 Data from Bank Identity
When verifying a Tipster, we obtain from Bank Identity (operated by Bankovní identita a.s.), under the OpenID Connect scope "openid profile.name profile.birthdate", exclusively the following claims:
- sub — unique pseudonymous subject identifier assigned by Bank Identity.
- name — given name and surname.
- birthdate — date of birth (for age-of-majority verification and KYC record keeping).
Broader claims (address, birth number, ID document number) are currently not obtained or stored by the Operator. If extending the scope becomes necessary in the future, the change will be announced at least 14 days in advance by updating this policy.
2.3 Payment data
Payments are processed by Stripe Payments Europe, Limited (Ireland) via Stripe Connect; within the group, Stripe, Inc. (USA) may also be involved as a sub-processor. The Controller does not retain payment card numbers — it holds only a token and transaction metadata (amount, currency, status, last four digits of the card). As a recipient of funds, the Tipster provides Stripe with the data necessary for identity verification (KYC) directly during Stripe Connect onboarding.
2.4 Operational data
- IP address, user agent, browser language, screen resolution.
- Logs of access and actions on the Platform (audit trail) — user identifier, time, action, result.
- Content of published tips and interactions with the Platform.
2.5 Product analytics and session recording (optional)
Only with consent given in the cookie banner (Art. 6(1)(a) GDPR) do we record:
- Click and scroll data — for product analytics, conversion measurement and UX testing.
- Session recording (session replay via rrweb) — a sequence of DOM interactions (mouse movement, clicks, scrolling, key presses in input fields); values of sensitive fields (passwords, card numbers, BankID claims) are technically masked at capture. The recording is linked to the ID of the logged-in user (if logged in) and to the session identifier — it is not anonymous or merely aggregated data.
The purpose of processing is product improvement, error diagnostics and protection against fraudulent conduct. The data is stored in the EU and is not shared beyond the Operator and its vetted processors. The user may withdraw consent at any time via the footer of the page ("Cookie settings") — from the moment of withdrawal no further recording is captured.
3. Legal basis of processing
- Performance of a contract (Art. 6(1)(b) GDPR) — registration, operation of the account, processing of transactions.
- Legitimate interest (Art. 6(1)(f) GDPR) — security of the Platform, fraud prevention (including automated anomaly detection), audit logs and necessary technical logging for incident handling. Legitimate interest does not cover product analytics and session recording — these are based solely on consent.
- Consent (Art. 6(1)(a) GDPR) — product analytics and session recording (rrweb session replay), optional cookies beyond the necessary, marketing e-mails, optional additional profile data. Consent may be withdrawn at any time with the same ease as it was given (Art. 7(3) GDPR).
- Legal obligation (Art. 6(1)(c) GDPR) — accounting and tax regulations (Acts No. 563/1991 Coll., 235/2004 Coll., 586/1992 Coll.), obligations arising from cooperation with law-enforcement and supervisory authorities.
4. Processors, independent controllers and recipients
We share personal data with the following entities. For each, the GDPR position towards users is indicated:
- Stripe Payments Europe, Limited (Ireland) — payment services and Stripe Connect. Stripe acts simultaneously as a processor under Art. 28 GDPR (for data we transmit to it as part of our payment instruction) and as an independent controller under Art. 4(7) GDPR for the purposes of fulfilling its own legal obligations (AML, fraud prevention, regulatory reporting, KYC Connect onboarding). Stripe's processing as an independent controller is governed by the Stripe Global Privacy Policy. Within the Stripe group, transfers to the USA may occur, protected by the European Commission's standard contractual clauses and Stripe's participation in the EU-U.S. Data Privacy Framework.
- Bankovní identita, a.s. (Czech Republic) — Tipster identity verification. For the purposes of issuing verification claims it acts as an independent controller; the Operator becomes controller of the transmitted claims once received.
- Hosting partner — operation of server infrastructure in the EU (processor under Art. 28 GDPR).
- E-mail service providers — transactional and notification messages (processor).
- Public authorities — independent controllers; data is transmitted to them only to the extent required by law (Czech Police, Czech Data Protection Authority, Tax Administration, courts, or the Financial Analytical Office as applicable).
4a. Transfers outside the EEA
Within payments, certain data is transferred to the USA (Stripe, Inc., Delaware). The transfer is protected by the European Commission's standard contractual clauses (Art. 46(2)(c) GDPR) and Stripe's participation in the EU-U.S. Data Privacy Framework (Art. 45 GDPR). The Controller does not carry out other transfers outside Europe as standard. If a selected sub-processor processes data outside the EEA, it will always be listed here with a reference to the safeguard used.
4b. Automated decision-making and profiling
The Platform uses the following automated evaluation:
- Tipster tier (ROOKIE / VERIFIED / EXPERT / ELITE) — recalculated automatically on the basis of the number of completed sales (only ratings of transactions in the RELEASED state, after disputes and refunds have been handled) and the average rating from Buyers. The tier determines the amount of the commission, the maximum number of active tips and the length of the escrow period; it has no direct effect on the ability to use the account.
- Anomaly detection — rules identify suspicious patterns (e.g. multiple accounts, unusual transaction sequences, attempts to circumvent rate-limits). When a rule is triggered, the corresponding action is rejected or the account is automatically suspended.
If the system detects a risk signal, the corresponding action is automatically rejected or the account is automatically suspended (account freeze). Such a measure may have substantial effects on the user (in particular inability to withdraw FC) and falls under Art. 22 GDPR.
In accordance with Art. 22(3) GDPR, the user has the right to:
- obtain human intervention — the Operator will arrange manual review of the decision by a responsible person without undue delay upon receipt of a reasoned request;
- express their point of view and provide circumstances that the system could not take into account;
- contest the decision before the Czech Data Protection Authority or in court.
A review request may be submitted directly in the application or by e-mail to privacy@flipking.cz, with account identification and a brief description of the situation. The automatic measure remains in force until the request is evaluated. The review is carried out manually by a responsible person of the Operator; the response time is set individually according to the complexity of the case and the Operator will inform the user about it without undue delay upon receipt of the request.
5. Retention period
Automatic periods (technically enforced by scheduled jobs):
- Session recording (rrweb) and product analytics — at most 30 days from capture; then automatically deleted.
- Detailed information on purchased tips (sensitive data on a specific property) — at most 90 days from purchase; then automatically removed.
Managed periods (kept for the necessary time, erasure takes place on request or as part of regular review):
- Registration and profile data — for the duration of the account. Upon cancellation of the account, it transitions to the regime below.
- Data after account cancellation (profile data, transaction metadata outside KYC) — kept for the time necessary to settle open claims, complaints and tax inspections; the Operator carries out erasure or anonymisation upon the data subject's request, at the latest upon expiry of the general limitation period (§ 629 of the Civil Code).
- Identification and transaction data of verified Tipsters (KYC claims from Bank Identity and transaction metadata from Stripe Connect) — at most 10 years from the end of the relationship. The legal basis is legitimate interest (Art. 6(1)(f) GDPR) in being able to settle potential claims and evidence the course of transactions; to the extent that a specific item is required by special regulations (accounting, VAT, or AML if the status of obliged entity arises), the legal basis is legal obligation (Art. 6(1)(c) GDPR).
Statutory periods:
- Accounting documents — 5 years (or 10 years for VAT payers) under Act No. 563/1991 Coll. on Accounting and Act No. 235/2004 Coll. on VAT.
The periods indicated are maximums. The data subject may at any time request erasure under Art. 17 GDPR by e-mail to privacy@flipking.cz. The Operator will handle the request within 30 days (Art. 12(3) GDPR) and inform the data subject which data has been erased and which must be retained for legal-obligation or legitimate-interest reasons.
Note: Account deletion is available as a self-service in Account Settings → "Delete account". The request is subject to a 30-day protective period, after which the Operator automatically anonymises the personal data; selected transaction metadata and accounting documents are retained in anonymised form for the time necessary under the periods above.
6. Data subject rights
As a data subject you have the following rights under the GDPR, which may be exercised by e-mail to privacy@flipking.cz:
- Right of access to the data we process about you (Art. 15).
- Right to rectification of inaccurate data (Art. 16).
- Right to erasure ("right to be forgotten", Art. 17) — except for data we are required to retain by law.
- Right to restriction of processing (Art. 18).
- Right to data portability in a machine-readable format (Art. 20).
- Right to object to processing based on legitimate interest (Art. 21).
- Right to withdraw consent (with effect for the future, Art. 7).
- Right to lodge a complaint with the supervisory authority — Czech Data Protection Authority (uoou.gov.cz).
7. Cookies, analytics and session recording
The Platform uses technical cookies and local storage necessary for operation (login, CSRF protection, language preference, record of consent given). This processing is carried out on the basis of legitimate interest (Art. 6(1)(f) GDPR) and § 89 of Act No. 127/2005 Coll. — consent is not required.
Analytics and product tools, including session recording (session replay via rrweb), are activated only after consent is given in the cookie banner (Art. 6(1)(a) GDPR). Consent may be withdrawn at any time via the "Cookie settings" button in the page footer — withdrawal has immediate effect and any ongoing recording is terminated. A detailed description of categories and technologies is provided in the Cookie Policy.
8. Security
The Controller has taken appropriate technical and organisational measures to protect personal data — transport encryption (TLS 1.2+), password hashing, backups, access control on a least-privilege basis and regular security audits.
9. Changes to this policy
This policy may be updated. We will inform users of material changes by e-mail or in-app notification at least 14 days before the change takes effect.
Current version dated 23 April 2026.