Privacy Policy

In providing the Service, we collect the following categories of personal data: a) Identification and contact data: • Email address (for registration and communication) • Display name (optional) • Profile picture (optional) b) Authentication data: • Password (stored exclusively in hashed form using bcrypt) • Refresh tokens for authentication c) Service usage data: • AI conversation history • Personal journal entries • Progress statistics and assessment results • User settings and preferences (including notification consent) • Gamification data (points, achievements, levels) d) Technical and operational data: • IP address • Browser type and version • Operating system and device type • Time zone and language settings • Date and time of access • Application interaction data • Device push notification token (when push notifications are enabled, processed via OneSignal, Inc.) e) Payment data: • Processed exclusively through Stripe, Inc. • Controller has no access to payment card details

We process personal data for the following purposes: a) Contract performance (Art. 6(1)(b) GDPR): • Providing and operating the Service • User account management • Payment processing and subscription management • Technical support and problem resolution b) Legitimate interest (Art. 6(1)(f) GDPR): • Service improvement and development • Usage analysis and performance optimization • Fraud and abuse prevention • Service security c) Legal obligation (Art. 6(1)(c) GDPR): • Accounting records • Tax compliance • Cooperation with public authorities d) Consent (Art. 6(1)(a) GDPR): • Marketing communications (only with explicit consent) • Preference cookies • Sending push notifications to your device (consent granted in profile settings and can be withdrawn at any time)

We retain personal data only for as long as necessary for the purposes for which it was collected: a) Account data: • For the duration of the account and 30 days after deletion • Backups are deleted within 90 days b) Conversation and journal data: • For the duration of the account • Deleted within 30 days after account deletion c) Billing and payment data: • 10 years from the date of the transaction (legal requirement under tax regulations) d) Technical logs: • IP addresses and access logs: 90 days • Security logs: 1 year e) Support communications: • 3 years from last contact f) Cookies: • Necessary: session duration • Preference: 1 year After the retention period expires, data is irreversibly deleted or anonymized.

We implement comprehensive technical and organizational measures to protect your data: a) Technical measures: • Encryption of all communications using TLS 1.3 • Password hashing with bcrypt algorithm and random salt • Encryption of sensitive data in database (AES-256) • Regular security backups • Firewall and DDoS protection • Automatic detection of suspicious activity b) Organizational measures: • Data access only on need-to-know basis • Regular data protection training • Documented security procedures • Security incident response plan c) Infrastructure: • Hosting in ISO 27001 certified data centers • Servers located exclusively in EU (Germany, Netherlands) • Regular penetration tests and security audits

We use the following categories of cookies: a) Necessary cookies (no consent required): • Authentication cookies for login • Security cookies (CSRF protection) • Language preference cookies • Session management cookies b) Preference cookies (consent required): • Storage of user preferences • Display settings memory • Theme and language settings We currently do not use third-party analytics or marketing cookies. You can withdraw consent at any time through the cookie settings in the application or your browser settings. Refusing necessary cookies may limit Service functionality.

We may share personal data with the following categories of recipients: a) Processors (under data processing agreements): • Stripe, Inc. – payment processing (USA) • Vercel, Inc. – application hosting (EU region) • OpenAI, Inc. – AI conversation processing (data is anonymized) • OneSignal, Inc. – push notification delivery (USA); processed only when you have enabled push notifications in your profile settings b) Transfers to third countries: • Stripe, OpenAI and OneSignal are US-based companies • Transfers are based on Standard Contractual Clauses (SCC) approved by the European Commission • Additional protective measures implemented per Schrems II decision • We regularly assess the adequacy of data protection in recipient countries c) Public authorities: • Only based on legal requirements or court orders • We will notify you of any request unless prohibited by law We never sell personal data to third parties.

We use artificial intelligence (AI) within the Service as follows: a) AI Conversations: • Your messages are processed by third-party AI models (OpenAI) • AI generates responses based on your inputs • No AI decisions have legal effects or significantly affect you b) Feedback and Scoring: • AI analyzes your conversations and provides feedback • Scores and ratings are indicative and educational only • We do not use AI to make decisions about Service access c) Profiling: • We do not use automated decision-making under Art. 22 GDPR • We do not use profiling for marketing purposes • Statistics and gamification serve only to motivate users d) Your Rights: • You have the right to human review of any assessment • You may request an explanation of how AI reached a conclusion • Contact us at [email protected] IMPORTANT: AI responses are automatically generated and may contain inaccuracies. Do not rely on them as professional advice.

In case of a personal data breach, we proceed according to GDPR: a) Internal Response: • Immediate identification and containment of the incident • Assessment of the scope and severity of the breach • Documentation of the incident b) Notification to Supervisory Authority (Art. 33 GDPR): • Within 72 hours of becoming aware of the breach • To the Czech Data Protection Authority (ÚOOÚ) • If the breach is likely to result in a risk to data subjects' rights c) Notification to Data Subjects (Art. 34 GDPR): • Without undue delay • If the breach is likely to result in a high risk • By email to the address associated with the account • Information about the nature of the breach and recommended measures d) Content of Notification: • Description of the nature of the breach • Contact details of the data protection contact • Likely consequences of the breach • Measures taken to address the breach • Recommendations to mitigate potential adverse effects We maintain a record of all personal data breaches.

Under GDPR, you have the following rights: a) Right of access (Art. 15 GDPR): • Obtain confirmation of data processing • Receive a copy of processed data • Information about purposes, recipients, and retention periods b) Right to rectification (Art. 16 GDPR): • Correct inaccurate data • Complete incomplete data c) Right to erasure (Art. 17 GDPR): • Request deletion of all your data • Implementation within 30 days of request • Option to export data before deletion d) Right to restriction of processing (Art. 18 GDPR) e) Right to data portability (Art. 20 GDPR): • Export data in machine-readable format (JSON) • Available in profile settings f) Right to object (Art. 21 GDPR) g) Right to lodge a complaint: • With your local Data Protection Authority • Czech DPA: www.uoou.cz To exercise your rights, contact: [email protected] We will respond within 30 days of receiving your request.

The Service is not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16. If you discover that a child under 16 has provided us with personal data without parental consent: • Contact us immediately at [email protected] • Data will be promptly and permanently deleted • Account will be deactivated Parents or guardians may request information about processing of their children's data or request deletion at any time.

We may update this Policy from time to time. We will notify you of changes: • By email to the address associated with your account (for significant changes) • Through notification in the application • By updating the "Last updated" date on this page Continued use of the Service after changes are published constitutes acceptance of the updated Policy. If you disagree with changes, stop using the Service and request account deletion. We recommend regularly checking this page.

Data Controller: Tomáš Budina ID: 17905974 VAT: CZ17905974 Data protection contact: Email: [email protected] We will respond to your inquiries within 30 days.