Privacy Notice

Staff Planner — Decathlon Czechia internal tool  |  Last updated: April 2026

This tool is restricted to Decathlon Czechia employees. It is not a public service. This notice explains what personal data the system stores, why, and how it is protected.

1. Data controller

Decathlon Czechia (internal IT / store operations team). For any questions about your data, contact the system administrator directly.

2. What data we store and why

Data Source Purpose
Work email address Google account (OAuth login) Identify you, enforce @decathlon.com domain restriction
Display name (first & last) Google account Show your name in the interface
Profile picture URL Google account Display your avatar in the navigation bar
Google account ID Google account Link your Google identity to your local user record securely
Last login timestamp Generated on login Account management, detect inactive accounts
Access rights (admin / access) Assigned by administrator Control which features you can use
IP address Each request Security audit log (login events, key actions)

3. Cookies

This tool uses two cookies, both strictly necessary for it to function:

  • Session cookie — keeps you logged in during your browser session. Expires when you close the browser or log out.
  • Language preference cookie — remembers the interface language you selected (English / Czech). Persists for 1 year.

No tracking, analytics, or advertising cookies are used.

4. Where data is stored

All user data is stored in an SQLite database that is baked into the Docker container image at deployment time and hosted on Google Cloud Run (region: europe-west4, located in the Netherlands). The database is not persistent — it is reset with every new deployment. Audit logs are written to Google Cloud Logging and retained for 30 days by default.

5. Who has access

Only users with the admin right can view the user list and manage access. No data is shared with third parties. Google receives only the OAuth authentication request — it does not receive any staff planning data.

6. Your rights

Under GDPR you have the right to access, correct, or request deletion of your personal data. To exercise any of these rights, contact the system administrator. Because the database resets on each deployment, all data is automatically deleted within the deployment cycle.

7. Legal basis for processing

Processing is based on legitimate interest (Article 6(1)(f) GDPR) — specifically, the need to authenticate employees and restrict access to an internal operational tool. No sensitive categories of data (Article 9) are processed.