Privacy Policy (GDPR)
Effective from: 12 May 2026
This is an English translation provided for convenience only. The legally binding version is the Czech original available at https://veritra.io/gdpr. In case of any discrepancy, the Czech text prevails.
This document describes how the veritra.io service processes personal data. The policy complies with Regulation (EU) 2016/679 (GDPR) and the Czech Personal Data Processing Act (Act No. 110/2019 Coll.).
1. Data controller
The data controller within the meaning of Article 4(7) GDPR is:
- RWX, s.r.o., Czech ID No. (IČO): 14235111
- Registered office: Sadová 1646, 560 02 Česká Třebová, Czech Republic
- Registered in the Commercial Register at the Regional Court in Hradec Králové, section C, file 49019
- Contact email: michal@veritra.io
- Phone: +420 608 379 273
Given the scope of processing, the provider is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. The contact email above is the point of contact for all data-protection matters.
2. Categories of personal data processed
| Category | Specific data | Purpose |
|---|---|---|
| Registration | Email, name, company name, company ID (IČO), phone | Account creation and management, communication |
| Billing | Billing address, VAT status, bank account number | Invoicing, accounting obligations |
| Operational | IP address, User-Agent, location by IP, timestamps | Security, abuse prevention, statistics |
| Authentication | Password (hashed), tokens, API keys (hashed) | Login, API authorization |
| Content | Filter configuration, report history, API queries | Service delivery |
| Communication | Email correspondence, feedback form content | Customer support |
| Marketing (optional) | Newsletter open tracking | Communication improvement |
Passwords are stored as one-way hashes (bcrypt); the provider never sees passwords in plain text. API keys are stored as SHA-256 hashes; after generation the key is shown to the user once and the provider does not retain it in plain text.
3. Purpose and legal basis
Each category has its legal basis under Article 6 GDPR:
- Contract performance (Art. 6(1)(b)) — registration, billing, authentication, and content data.
- Legal obligation (Art. 6(1)(c)) — accounting records retention (10 years per Act No. 563/1991 Coll.).
- Legitimate interest (Art. 6(1)(f)) — operational data for security and abuse prevention.
- Consent (Art. 6(1)(a)) — marketing communication beyond the contract.
4. Retention periods
| Category | Retention |
|---|---|
| Registration and content | Duration of contract + 30 days (export window) |
| Accounting documents | 10 years from end of accounting period |
| Operational logs (IP, UA, timestamps) | 90 days |
| Communication history | 3 years from last contact |
| Authentication (passwords, API keys) | Duration of account |
5. Data recipients (subprocessors)
| Processor | Purpose | Location |
|---|---|---|
| Vercel Inc. (USA) | Web hosting, edge runtime | EU (Frankfurt) + US fallback (SCCs) |
| DigitalOcean LLC (USA) | MySQL, object storage | EU (Frankfurt) |
| Cloudflare Inc. (USA) | CDN, DDoS, DNS, WAF | Global edge |
| Upstash Inc. (USA) | Redis for rate limiting | EU (Frankfurt) |
| Stripe Payments Europe Ltd. (Ireland) | Card payment processing | EU |
| Resend Inc. (USA) | Transactional and marketing email | EU (Frankfurt) + US (SCCs) |
| AWS SES (Amazon Web Services EMEA) | Some system emails, inbound mail | EU (eu-west-1) |
| Anthropic PBC (USA) | AI blog content generation (no user data) | US (SCCs) |
| WEDOS Internet, a.s. (Czech Republic) | Domain registration | Czech Republic |
US subprocessors are covered by Standard Contractual Clauses (SCCs) per Commission Decision (EU) 2021/914 and by the Data Privacy Framework where applicable.
We do not share data with advertisers, data brokers, or third-party trackers.
6. Your rights
As a data subject, you have the following rights under Articles 15-22 GDPR:
- Right of access (Art. 15) — request a copy of all personal data we process about you.
- Right to rectification (Art. 16) — correct inaccurate data. Most can be updated directly in the dashboard.
- Right to erasure (Art. 17, "right to be forgotten") — request deletion. Data we must retain by law cannot be erased.
- Right to restrict processing (Art. 18) — request temporary restriction in case of dispute.
- Right to data portability (Art. 20) — request your data in a machine-readable format (JSON or CSV).
- Right to object (Art. 21) — to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — for marketing communication, anytime via unsubscribe in any email or in account settings.
- Right not to be subject to automated decision-making (Art. 22) — not applicable.
To exercise your rights, contact us at michal@veritra.io. We respond without undue delay, and no later than 1 month from receipt of the request.
7. Cookies
We use only strictly necessary cookies (session, CSRF, language preference). These do not require consent under § 89(3) of the Czech Electronic Communications Act.
Third-party analytics and marketing cookies (Google Analytics, Facebook Pixel) are not currently used.
8. Security
The provider implements technical and organizational measures:
- TLS 1.2+ for all client-server communication
- bcrypt for passwords, SHA-256 for API keys
- Rate limiting and Cloudflare WAF
- Principle of least privilege for staff and subprocessor access
- Regular database backups
- Storage encryption at rest (Vercel, DigitalOcean, Stripe)
In case of a personal data breach likely to result in high risk to user rights, we will notify users without undue delay (Art. 34 GDPR) and report the incident to the Czech DPA within 72 hours (Art. 33 GDPR).
9. International data transfers
Some subprocessors are based in the USA. Transfers are based on SCCs per Commission Decision (EU) 2021/914 and on the Data Privacy Framework where applicable.
10. Complaint to the supervisory authority
If you believe your data is being processed in violation of GDPR, you may lodge a complaint with the Czech Data Protection Authority:
- Úřad pro ochranu osobních údajů
- Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
- Web: https://www.uoou.cz
- Email: posta@uoou.cz
11. Changes to this policy
This Privacy Policy may be updated. The current version is always published at https://veritra.io/gdpr. Users will be notified of material changes by email 30 days in advance.
Version 1.0, effective from 12 May 2026. Controller: RWX, s.r.o., IČO 14235111. Contact: michal@veritra.io.