lines
All DinoParks are opened on May 1st and 8th!
Dinopark logo
Homepage background
lines
Separator

Privacy Policy

When handling personal data, we act in accordance with the legal system of the Czech Republic and directly applicable regulations of the European Union, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and related legislation. In the following text, we explain how and for what purposes we process your personal data and who may be involved in this processing. These details are important, so we hope you will take the time to read them carefully.

Who is the controller of your personal data?

The controller of personal data is DinoPark, s.r.o., ID No.: 635 06 572, registered office: Stará cesta 2, 312 00 Plzeň, registered in the Commercial Register kept by the Regional Court in Plzeň, Section C, File 6543.
We process personal data in accordance with the GDPR and related legislation. Below you will find information about what data we process, for what purpose, and what rights you have.

What data do we process as the controller?

Data processed when visiting our websites

dinopark.cz, dinopark.eu, dinopark.sk, dinopark.es, ticket.dinopark.eu, dinopark.cz/cs/e-shop/

  • IP address
  • Cookies – see our Cookie Policy
  • Browser and operating system information (to ensure correct website display)
  • Email address – only if you subscribe to our newsletter

Data processed when purchasing online tickets on ticket.dinopark.cz

  • First name
  • Last name
  • Email address
  • Postal code
  • Order details

Data processed when placing an order or registering on the e‑shop (dinopark.cz/cs/e-shop/)

Product order:

  • First and last name
  • Address
  • Phone number
  • Email address
  • Order details

Account registration:

  • First and last name
  • Hashed password
  • Address
  • Phone number
  • Email address

Data processed when submitting a contact form

  • First and last name
  • Phone number
  • Email address
  • Message content

Data processed when participating in competitions or surveys

Organised within DinoPark locations or at external events (trade fairs, family festivals, etc.).
Competition rules are always published here: https://www.dinopark.cz/cz/pravidla-soutezi

  • First and last name
  • Postal code
  • Email address
  • Phone number (if required by the competition)

When is consent NOT required?

We may process your personal data without your consent for the following purposes:

  • Performance of a contract, where the service or product is provided to you.
  • Compliance with legal obligations, arising from generally binding regulations.
  • Legitimate interest, such as direct marketing or ensuring safety and protection of life and health.

Providing consent is not a condition for using our services unless it is necessary for a specific purpose.

Why do we process your personal data and for how long?

We process your personal data only to the extent necessary to provide our services, fulfil legal obligations, and ensure the secure and functional operation of our websites and e‑shops.

Below is a transparent overview of:

  • the purpose of processing,
  • the legal basis,
  • the categories of data,
  • and the retention period.

This overview reflects how DinoPark actually operates — from ticket and product purchases to newsletters, competitions, cookies, and website security.

Overview of processing purposes

Purpose of processing Legal basis Categories of data Retention period
Processing ticket orders (ticket.dinopark.cz) Contract performance (Art. 6(1)(b) GDPR) First name, last name, email, postal code, order details, PDF ticket, QR code, IP address 10 years (accounting obligation)
Processing product orders (dinopark.cz/cs/e-shop) Contract performance First name, last name, address, phone, email, order details 10 years
Registration and management of customer account Contract performance / legitimate interest First name, last name, email, address, phone, hashed password For the duration of the account + 3 years after deletion
Sending newsletters Consent Email, activity data (opens, clicks) Until consent is withdrawn + 3 years archiving
Marketing (personalised advertising) Consent Marketing cookies, IP address, online identifiers According to Cookie Policy (usually 3–13 months)
Analytics and website statistics Consent (analytics cookies) / legitimate interest (anonymous statistics) Analytics cookies, truncated IP address, technical data According to Cookie Policy (usually 6–13 months)
Technical functioning of the website Legitimate interest Technical cookies, IP address, browser data For the session / max. 1 year
Website security and fraud prevention Legitimate interest IP address, server logs 30 days – 6 months (recommended: 3 months)
Handling contact form inquiries Legitimate interest / contract performance First name, email, phone, message content 6 months – 1 year
Competitions and surveys Contract performance / legitimate interest / consent First name, email, postal code, phone (if needed) Duration of competition + 1 year
Archiving consents Legal obligation / legitimate interest Email, consent record 3 years after withdrawal
Accounting and tax obligations Legal obligation Order data 10 years

How do we protect your personal data?

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or damage.

These include:

  • encrypted communication (HTTPS),
  • restricted access based on necessity,
  • separation of user permissions and regular access audits,
  • secure data storage with GDPR‑compliant providers,
  • regular system and security updates,
  • monitoring and protection against misuse or attacks.

Who has access to your personal data?

Employees and collaborators of DinoPark

Only those who need the data to perform their work (customer support, order processing, technical administration, marketing — within the scope of consent).

All employees are bound by confidentiality.

Companies operating individual DinoParks (independent controllers)

For ticket purchases, the controller is not DinoPark, s.r.o., but the company operating the specific DinoPark, because it:

  • provides the service (entry to the park),
  • receives the payment,
  • issues accounting documents,
  • handles complaints and inquiries,
  • checks QR codes at the entrance,
  • bears legal responsibility for the service.

Independent controllers:

  • DinoPark Praha, s.r.o.
  • DinoPark Liberec, s.r.o.
  • DinoPark Ostrava, s.r.o.

All other data — such as website data, cookies, newsletters, marketing, or merchandise e‑shop — is processed by DinoPark, s.r.o. as the main controller.

Our processors (technical and marketing services)

Some services are provided by external suppliers who process personal data only according to our instructions:

  • AETO s.r.o. – ticketing e‑shop
  • ANT Studio s.r.o. – website and merchandise e‑shop
  • LCG New Media s.r.o. – online advertising
  • Ecomail.cz, s.r.o. – newsletters
  • Hosting and server providers

Processors only access data necessary for their services.

Third parties (recipients) – only with consent

If you consent to analytics or marketing cookies, some data may be shared with:

  • Google Ireland Ltd. (Analytics, Ads)
  • Meta Platforms Ireland Ltd. (Facebook/Instagram Ads)
  • Seznam.cz, a.s. (Sklik)
  • Microsoft Clarity (analytics, heatmaps, session recordings)

These entities act as independent controllers.

Payment gateway

Payment card details are not processed by DinoPark.
They are processed by Comgate Payments, a.s. as an independent controller.

DinoPark receives only the payment status and transaction ID.

Public authorities

We may disclose data to public authorities if required by law (e.g., tax office, police).

Your rights

You have the following rights:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object
  • Right to withdraw consent
  • Right to be informed of a data breach

How to exercise your rights

Email: GDPR@dinopark.cz
We will respond without undue delay, no later than 30 days.

Right to lodge a complaint

If you believe your data is processed unlawfully, you may contact:

Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Prague 7
www.uoou.cz

Updates to this Privacy Policy

We may update this policy, especially if our services or legal requirements change.
The current version is always available on this page and is effective upon publication.

Effective date: 1 November 2023
Last updated: 1 May 2026