Privacy Policy
Last updated: February 25, 2026
1. Introduction
This Privacy Policy explains how LabelMaker, operated by Matěj Pavlíček, a sole proprietor (OSVČ) registered in the Czech Republic ("we", "us", "our"), collects, uses, and protects your personal data when you use our web application ("Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Czech data protection laws.
2. Data Controller
The data controller responsible for your personal data is:
Matěj Pavlíček
Email: labelmaker@matejpavlicek.cz
3. Data We Collect
We collect and process the following personal data:
Account Information
- Email address — used for account creation, login, and communication
- Password — stored as a bcrypt hash; we never store or access your plain-text password
- Google account identifier — if you sign in with Google, we store your Google user ID to link your Google account. We also receive your email address from Google, which becomes your LabelMaker account email.
Uploaded Data
- Spreadsheet files — XLSX and CSV files you upload to generate labels. File content is encrypted at rest and associated with your account if you are logged in. Guest uploads are not linked to any account.
- Google Sheets data — if you connect Google Drive, we import spreadsheet data from your Google Sheets into our system. The imported data is treated identically to uploaded files and encrypted at rest.
Google Drive Integration
If you connect Google Drive to your account, we store:
- OAuth access token and refresh token — used to access your Google Drive and Google Sheets on your behalf. We request read-only access (drive.readonly, spreadsheets.readonly scopes).
- Token expiry timestamp — to know when to refresh the access token.
- Granted scopes — the permissions you granted during authorization.
You can disconnect Google Drive at any time from your account page, which permanently deletes all stored tokens. We only read file listings and spreadsheet data from your Google Drive; we never modify, create, or delete any files in your Google account.
Label Presets
- Preset name and settings — saved label layout configurations (dimensions, spacing, fonts, field mappings) stored in your account to reuse across spreadsheets.
Subscription Data
- Subscription metadata — we store your Paddle subscription ID, customer ID, subscription status, plan type, current billing period dates, cancellation timestamp, and any scheduled subscription changes. We do not store payment card details or billing addresses; those are held exclusively by Paddle.
Technical Data
- IP address — collected in server logs for security and abuse prevention
- Browser user agent — collected in server logs
- Language preference — stored in a cookie to remember your language setting
4. Purpose of Processing
We process your data for the following purposes:
- Service delivery — to provide the label generation functionality
- Account management — to create and maintain your account
- Communication — to send verification emails, password reset links, and important service notifications
- Security — to protect against unauthorized access and abuse
- Legal compliance — to meet our legal obligations
The legal basis for processing is: performance of a contract (Art. 6(1)(b) GDPR), legitimate interests (Art. 6(1)(f) GDPR), and your consent where applicable (Art. 6(1)(a) GDPR).
5. Third Parties
We share data with the following third parties:
Paddle (Payment Processor)
Paddle.com Market Limited acts as our Merchant of Record and processes all payments. When you subscribe, Paddle collects your payment information directly. We do not store your credit card or payment details. Please refer to Paddle's Privacy Policy for details on how they handle your payment data.
We store limited subscription metadata locally (subscription ID, customer ID, status, billing period) to manage your access tier. See Subscription Data above for details.
Google
If you sign in with Google or connect Google Drive, your browser communicates directly with Google's OAuth servers. We receive and store the data described in the Google Drive Integration section. Google's handling of your data is governed by Google's Privacy Policy. Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.
Hosting Provider
Our Service is hosted on infrastructure within the European Union. Your data is stored on servers located in the EU.
Email Service
We use SMTP email services to send transactional emails (verification, password reset). Only your email address is shared for this purpose.
6. Cookies
We use the following cookies:
- Session cookie (session_token) — essential for keeping you logged in. Secure, HTTP-only, SameSite=Lax. Expires after 30 days.
- Language cookie (lang) — stores your language preference (English or Czech). HTTP-only, SameSite=Lax. Expires after 1 year.
- OAuth state cookie (oauth_state) — temporary cookie used during Google sign-in and Google Drive authorization to prevent cross-site request forgery. HTTP-only, SameSite=Lax. Automatically deleted after 10 minutes.
We do not use any third-party tracking or analytics cookies.
7. Data Retention
- Account data is retained as long as your account is active. You can request account deletion at any time by emailing labelmaker@matejpavlicek.cz.
- Guest uploads are not linked to any account. They may be deleted automatically after a reasonable period without notice.
- Registered user uploads are linked to your account and retained until you delete them or close your account.
- Google Drive tokens are deleted immediately when you disconnect Google Drive, or when your account is deleted.
- Label presets are retained until you delete them or close your account.
- Subscription data is retained for as long as your account exists and for a reasonable period afterward for legal and accounting purposes.
- Server logs are retained for up to 90 days.
8. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your personal data
- Right to restriction — request that we limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at labelmaker@matejpavlicek.cz. We will respond within 30 days.
You also have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů).
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encrypted connections (HTTPS) for all data in transit
- Encryption at rest for uploaded spreadsheet content
- Bcrypt hashing for passwords
- Secure, HTTP-only session cookies
- Access controls and regular security reviews
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates the most recent revision.
11. Contact
For any privacy-related questions or data requests, contact us at:
Matěj Pavlíček
Email: labelmaker@matejpavlicek.cz