Privacy Policy

1. Controller

The controller of personal data is: Jan Šafařík IČO: 06061109 Žižkovo náměstí 1769/4 130 00 Praha, Czech Republic

For the purposes of Regulation (EU) 2016/679 ("GDPR"), the controller is the person who determines the purposes and means of processing personal data.

2. Scope of this Policy

This Privacy Policy applies to personal data processed in connection with:

• the website,
• newsletter, waitlist, and email communications,
• user accounts,
• use of the application and its features,
• customer support,
• security and abuse prevention,
• legal and compliance obligations.

3. What data we process

Depending on how you interact with the website or app, we may process the following categories of personal data.

a) Contact and registration data

• email address,
• name, username, or account identifier, if provided,
• password data in protected form, if account login is used,
• subscription status and consent records.

b) App usage and account data

• account settings and preferences,
• records of access to the app,
• feature usage data,
• credit balance and credit allocation records,
• technical identifiers related to account activity,
• logs necessary for operation, troubleshooting, and security.

c) User content and generated content

If the app allows users to input prompts, upload materials, create personas, generate outputs, save drafts, or manage projects, we may process:

• user-submitted text, instructions, prompts, and requests,
• files, images, or other content voluntarily uploaded,
• generated outputs created through the app,
• metadata associated with creation, editing, storage, and export of such content.

d) Communication data

• messages sent to support,
• correspondence relating to requests, complaints, or inquiries,
• records necessary to handle and document communication.

e) Technical and device data

• IP address and network-related technical data,
• browser type, operating system, device type,
• timestamps, access logs, diagnostics, crash data,
• approximate location inferred from IP where necessary for security or service delivery.

f) Payment and billing data

We process billing-related data necessary to manage monthly memberships, allocate the 100 monthly credits included with membership, process extra credit top-ups, issue invoices, record payments, and comply with legal obligations. Payments and invoicing are handled through Stripe. Unless otherwise stated, payment card details are processed by Stripe and not stored directly by the controller.

4. Why we process personal data and the legal bases

We process personal data only to the extent necessary and on a valid legal basis under GDPR.

a) Account creation and app operation

We process data necessary to create and manage user accounts, provide access to the app, store user settings, and operate the requested service on the basis of:
performance of a contract, or
steps taken at the request of the data subject before entering into a contract,
under Article 6(1)(b) GDPR.

b) Processing of user content inside the app

We process prompts, uploaded content, saved drafts, and generated outputs to provide the requested app functionality and enable users to create, manage, and access their content. The legal basis is generally performance of a contract under Article 6(1)(b) GDPR.

c) Newsletter, waitlist, and marketing updates

We process email addresses and related records for newsletters, launch updates, or waitlists on the basis of consent under Article 6(1)(a) GDPR. Consent may be withdrawn at any time.

d) Customer support and service communication

We process personal data to answer questions, resolve issues, and provide support, on the basis of performance of a contract under Article 6(1)(b) GDPR, or legitimate interest in handling support and business communication under Article 6(1)(f) GDPR.

e) Security, fraud prevention, abuse detection, and protection of rights

We may process technical and usage data to ensure security, prevent misuse, monitor suspicious behaviour, enforce terms, and defend legal claims. The legal basis is legitimate interest under Article 6(1)(f) GDPR.

f) Legal and accounting obligations

We may process certain personal data where necessary to comply with obligations under Czech or EU law, including accounting, tax, invoicing, and regulatory obligations. The legal basis is compliance with a legal obligation under Article 6(1)(c) GDPR. Czech Act No. 110/2019 Coll. complements GDPR within the Czech legal framework.

g) Analytics connected to cookies or similar technologies

Where analytics depend on non-essential cookies or similar technologies, the related processing is based on consent under Article 6(1)(a) GDPR, and is governed in more detail by the Cookie Policy. Czech guidance requires consent for analytics or similar non-essential cookies.

h) Payment processing, invoicing, and credit ledger operation

We process personal data required to charge and renew monthly memberships, handle credit top-ups, allocate included monthly credits, deduct credits for generation activity, and present credit spend history in the admin area. The legal basis is performance of a contract under Article 6(1)(b) GDPR. Where required for accounting and tax records, the legal basis is compliance with a legal obligation under Article 6(1)(c) GDPR. Fraud prevention and payment security controls may rely on legitimate interest under Article 6(1)(f) GDPR.

5. Is providing data mandatory?

Providing personal data is voluntary in principle, but some data are necessary:

• without basic registration or account data, the app may not function,
• without an email address, we cannot send updates or reply to support requests,
• without certain technical data, the website or app may not operate securely.

Providing optional data is at your discretion.

6. Recipients of personal data

We may share personal data with categories of recipients that help us operate the service, in particular:

• hosting and cloud infrastructure providers,
• email delivery or mailing providers,
• analytics providers,
• Stripe, as payment processor and invoicing provider,
• IT, security, backup, and monitoring providers,
• legal, tax, and professional advisers,
• public authorities where disclosure is required by law.

These recipients act either as processors on our instructions or, where appropriate, as independent controllers.

In particular, payment transactions and invoice generation are performed through Stripe. We receive from Stripe only the data necessary to confirm payment status, reconcile invoices, support users, and maintain accounting records.

7. International transfers

Some service providers may be located outside the European Economic Area or may access data from outside the EEA. In such cases, personal data will be transferred only where permitted under GDPR and subject to appropriate safeguards, such as an adequacy decision or standard contractual clauses. GDPR requires appropriate safeguards for such transfers.

8. How long we keep data

We retain personal data only for as long as necessary for the relevant purpose, in particular:

• account data: for the duration of the user account and a reasonable period thereafter to handle deletion requests, disputes, security, and legal obligations,
• user content and outputs: for as long as stored within the account or until deleted by the user or the controller according to product settings,
• newsletter / waitlist data: until consent is withdrawn or the user unsubscribes, plus a limited period to maintain suppression records and prove compliance,
• support communications: for as long as necessary to resolve the issue and for a reasonable follow-up period,
• security logs: for a limited period necessary for security, abuse prevention, and defence of claims,
• credit allocation and spend history records: for as long as needed to operate account balances, provide user history in the admin area, resolve disputes, and satisfy legal obligations,
• billing and legal records: for the retention period required by law.

Where exact retention periods depend on the final technical setup, they should be set internally and applied consistently. The Czech DPA also stresses that storage must respect the storage-limitation principle.

9. User rights

Under GDPR, you may have the right to:

• request access to personal data,
• request rectification of inaccurate or incomplete data,
• request erasure,
• request restriction of processing,
• object to processing based on legitimate interests,
• receive personal data in a portable format where applicable,
• withdraw consent at any time where processing is based on consent,
• lodge a complaint with a supervisory authority.

The supervisory authority in the Czech Republic is the Úřad pro ochranu osobních údajů.

10. Automated decision-making

We do not use personal data for decisions based solely on automated processing that would produce legal effects or similarly significant effects on users, unless expressly stated otherwise and permitted by law.

11. Data security

We apply reasonable technical and organisational measures appropriate to the nature of the processed data and the risks involved. These measures are intended to protect personal data against unauthorised access, loss, misuse, disclosure, or alteration. No system can guarantee absolute security.

12. Children

The website and app are not intentionally directed at children under the age at which valid consent can be given under applicable law. If we learn that personal data have been provided unlawfully by a child, we may remove such data.

13. Changes to this Policy

We may update this Privacy Policy from time to time. The current version will always be made available on the website or in the app, with the effective date indicated above.

14. Contact

For privacy-related questions or to exercise your rights, contact:

support@personabakery.com