cdoagent.ai

Privacy policy

Last updated: 2026-05-03

cdoagent.ai processes personal data in compliance with GDPR (EU 2016/679). This document describes what data we collect, why, and how long we keep it.

1. Data controller

Controller: Dan Burian, Czech sole trader, Business ID (IČO) 03537099, VAT ID CZ8905214076 (VAT-registered), place of business Cyrilská 508/7, Trnitá, 602 00 Brno, Czech Republic, registered with the Czech Trade Licensing Register. Contact: [email protected].

2. What we collect

Company billing data. Company name, domain, billing address, VAT ID, admin email, IP at signup. We invoice directly (Dan Burian, Business ID 03537099); no third-party card processor handles your payment. Legal basis: contract (Art. 6(1)(b) GDPR).

User operational data. Email address, name (if shared), last sign-in timestamp, IP at sign-in. Legal basis: legitimate interest (Art. 6(1)(f)).

Conversation content and uploaded documents. Messages, questions, documents you send the agent (web chat, MCP). Used solely to answer you and for audit logs. Legal basis: contract.

Source-system data (connectors). When you connect Shopify, your ERP, monitoring or any other source system, the agent only ever reads and caches data into your private Postgres schema (`tenant_<id>`) which no other customer can access. Encrypted credentials (API keys / OAuth tokens) are stored separately via pgcrypto. You can drop everything in one click in `/account → Erase all my data`. Legal basis: contract. DPA acceptance is required before the first connector and is logged with timestamp.

Audit log. Every API call to your source system, every DDL operation in your private schema, every SQL query the agent runs, is recorded in our `connector_runs` table. Downloadable as CSV at `/account/audit`. Serves as your control + helps satisfy GDPR Art. 30. Legal basis: contract + statutory.

Telemetry. Message counts, channels used, latency, token counts, credit consumption (for billing & optimization). No personal content. Legal basis: legitimate interest.

3. Where data lives (sub-processors)

Primary storage. DigitalOcean LLC - PostgreSQL 16 on Managed Database, Frankfurt (EU). Your data in a private schema `tenant_<id>`. 7-day daily snapshots. EU SCC module 2.

Anthropic, PBC (US) - LLM inference. Anthropic Business tier: your data is not used to train models, contracted in their MSA. Standard Contractual Clauses (EU SCC module 2) cover the US transfer.

Google LLC - Google Workspace mailbox `[email protected]` for support correspondence. EU servers, EU SCC + Workspace DPA.

Your connected source systems (Shopify, ERP, monitoring, etc.). We read via audit-logged GET calls. We never write back. Detail in DPA.

We give 30 days' notice before adding a sub-processor.

4. Retention

  • Billing + credit_transactions: 10 years (Czech accounting law).
  • Conversations + uploaded documents: while the account is active + 90 days, then deleted.
  • Data in your private schema `tenant_<id>`: while the connector is active; deleted within 60 s of clicking "Erase all my data" (`DROP SCHEMA tenant_<id> CASCADE`).
  • Audit log (`connector_runs`): 12 months, then archive. Exportable as CSV anytime.
  • Telemetry: 24 months.
  • Anthropic data: per their own policies (Business tier - no training on customer data).

Earlier deletion anytime: `/account → Erase all my data` (confirm by typing your company name). Or write to [email protected].

5. Your rights

Under GDPR, you have the right to: access, rectify, erase, restrict, port, object.

Requests: [email protected]. We respond within 30 days. You can lodge a complaint with your national supervisory authority (Úřad pro ochranu osobních údajů - uoou.cz - for Czech residents).

6. Cookies

We use strictly necessary cookies only (no consent banner needed under ePrivacy / Czech ZEK §89):

  • `cdo_session` - HMAC-signed session cookie. HttpOnly, SameSite=Lax, max 30 days. Required for web-chat authentication.

No analytics, marketing, tracking, or third-party cookies. Pure first-party.

7. Security

TLS 1.2+ on every connection. Passwords are stored as scrypt hashes (`users.password_hash`); never in plaintext.

Connector credentials encryption: pgcrypto symmetric encryption (`pgp_sym_encrypt`) keyed by env `CONNECTOR_ENCRYPTION_KEY` - separate from the database.

MCP keys: stored as SHA-256 hashes; plaintext shown once on creation.

Read-only invariant on connectors: TypeScript types + runtime guard + DB CHECK constraint forbid anything other than GET/HEAD HTTP and `read_*`/`view_*`/`select_*` scopes. Detail in `/legal/dpa` + `SECURITY_REVIEW.md`.
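As an added example that is not cdoagent.ai's code, this is what the runtime half of such a read-only guard can look like in TypeScript. The names `ConnectorRequest`, `checkReadOnly`, `asReadOnly` and the list of method-override headers and query parameters are assumptions; the type-level half is sketched with a `ReadOnlyMethod` union and the DB CHECK constraint is only mirrored by the scope regex, not shown.

```typescript
// Added example, not cdoagent.ai's code: a runtime guard for a
// read-only connector invariant (GET/HEAD only, read_*/view_*/select_*
// scopes only). All names here are assumptions.

// Compile-time half: a well-typed caller cannot even name a mutating verb.
export type ReadOnlyMethod = "GET" | "HEAD";

// Runtime half: requests built from config or JSON arrive as plain strings,
// so the same rule is checked again right before anything is sent.
const READ_ONLY_METHODS: ReadonlySet<string> = new Set(["GET", "HEAD"]);

// Scope rule, mirroring what a DB CHECK constraint would enforce.
const READ_ONLY_SCOPE = /^(read|view|select)_[a-z0-9_]+$/;

// Some frameworks honour "method override" headers or query parameters that
// turn a GET into a write server-side; a read-only guard has to refuse them
// too, otherwise the HTTP-verb check alone is hollow. (Assumed list.)
const METHOD_OVERRIDE_HEADERS = ["x-http-method-override", "x-method-override"];
const METHOD_OVERRIDE_PARAMS = ["_method", "x-http-method-override"];

export interface ConnectorRequest {
  method: string;                    // untrusted at runtime
  url: string;
  headers?: Record<string, string>;
  scopes: string[];
}

export interface GuardResult {
  ok: boolean;
  reason?: string;
}

// Names of query parameters in a URL, lower-cased, without relying on a
// global URL class (keeps the example dependency-free).
function queryParamNames(url: string): string[] {
  const query = url.split("#")[0].split("?")[1] || "";
  return query
    .split("&")
    .filter(Boolean)
    .map((kv) => decodeURIComponent(kv.split("=")[0]).toLowerCase());
}

export function checkReadOnly(req: ConnectorRequest): GuardResult {
  const method = req.method.trim().toUpperCase();
  if (!READ_ONLY_METHODS.has(method)) {
    return { ok: false, reason: `method ${req.method} is not GET/HEAD` };
  }
  for (const name of Object.keys(req.headers || {})) {
    if (METHOD_OVERRIDE_HEADERS.includes(name.toLowerCase())) {
      return { ok: false, reason: `method-override header ${name} refused` };
    }
  }
  for (const p of queryParamNames(req.url)) {
    if (METHOD_OVERRIDE_PARAMS.includes(p)) {
      return { ok: false, reason: `method-override query parameter ${p} refused` };
    }
  }
  if (req.scopes.length === 0) {
    return { ok: false, reason: "no scope declared" };
  }
  for (const s of req.scopes) {
    if (!READ_ONLY_SCOPE.test(s)) {
      return { ok: false, reason: `scope ${s} is not read_*/view_*/select_*` };
    }
  }
  return { ok: true };
}

// A request that passed the guard is narrowed to the compile-time type, so
// downstream code only ever sees a ReadOnlyMethod.
export interface ReadOnlyRequest extends ConnectorRequest {
  method: ReadOnlyMethod;
}

export function asReadOnly(req: ConnectorRequest): ReadOnlyRequest | null {
  if (!checkReadOnly(req).ok) return null;
  return { ...req, method: req.method.trim().toUpperCase() as ReadOnlyMethod };
}
```

The guard is deliberately a deny-by-default allow-list: anything not explicitly GET/HEAD with an explicitly read-shaped scope is refused, and the refusal reason is returned rather than thrown so it can be written to an audit log alongside the request.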

Cross-tenant isolation: every company in a private Postgres schema `tenant_<id>`; the agent's SQL role is per-session bound via `SET search_path` - physically cannot reach another tenant's schema.

8. Data Processing Agreement (DPA)

If you are an EU B2B customer, we offer a separate DPA aligned with Art. 28 GDPR. Request it at [email protected].

9. Changes

We may update this policy. We'll notify the admin email at least 30 days before any material change.
