Skip to content

← hexenkraft.cz  ·  České znění

Privacy Policy

Zásady ochrany osobních údajů · Version 1.2, effective 14 July 2026

This English text is a translation. The authoritative version of this document is the Czech one, Ochrana osobních údajů. In case of any discrepancy, the Czech version prevails.

Scope

This policy applies to hexenkraft.cz and to the products sold by HEXENKRAFT s.r.o. directly: Inkluso (website accessibility scanner) and Klariq (EU AI Act documentation generator). Products sold through a separate merchant of record are governed by that merchant's own privacy policy, identified at the relevant checkout.

Controller

The data controller is HEXENKRAFT s.r.o., se sídlem V zahradách 2462/31, 180 00 Praha 8, Česká republika, IČO 296 65 931, zapsaná v obchodním rejstříku vedeném Městským soudem v Praze, oddíl C, vložka 450419. Contact for privacy matters: matic@hexenkraft.cz.

What we collect, and why

Account and entitlement data: email address, sign-in events, purchase and entitlement records, support correspondence. Legal basis: performance of a contract.

Inkluso scan data: the website you submit is scanned against WCAG 2.1 AA and the findings, reports and history are stored so you can track remediation. Because a scan reads publicly rendered page content, it can incidentally capture personal data that appears on your own site, such as names, photos or contact details on team pages. We do not scan to extract anyone's personal data. Where such data appears incidentally, you as the site owner remain responsible for your own lawful basis to publish it, and we process it only for the narrow purpose of accessibility analysis.

Klariq data: your classifier answers, the entity and system facts you supply, and the generated documents. Legal basis: performance of a contract.

Payment data: we never store your card number or credentials; Stripe handles payment directly (see Subprocessors). We keep the transaction records needed for delivery, refunds, disputes and statutory accounting retention.

Email: transactional emails (receipts, sign-in links, scan notifications) are sent on a contract basis and require no marketing consent. Marketing emails are sent only if you tick a separate, unbundled opt-in checkbox, confirmed by double opt-in before the first send.

Analytics: cookieless, EU-hosted analytics in essential-only mode; see Cookies below.

Legal bases

BasisApplies to
Contract (Art. 6(1)(b) GDPR)accounts, scans and reports, documentation packs, payments, transactional email, support
Consent (Art. 6(1)(a) GDPR)marketing email only; double opt-in, unbundled, revocable at any time
Legitimate interest (Art. 6(1)(f) GDPR)security and fraud prevention; incidental third-party data in a scanned page, narrowly scoped
Legal obligation (Art. 6(1)(c) GDPR)accounting and invoice retention under Czech law

How the service is built

Subprocessors

SubprocessorRoleTransfer basis
Stripe Payments Europe, Ltd. / Stripe, Inc.Payment processingStripe DPA; EU-US Data Privacy Framework and Standard Contractual Clauses
Hetzner Online GmbHApplication and database hostingEU-based (Germany); no third-country transfer
Email service providerTransactional and opted-in marketing emailNamed here before first use
Authentication providerMagic-link sign-inNamed here before first use

International transfers

Production data stays in the EU (Hetzner, Germany). Where a subprocessor is established outside the EU/EEA, the transfer is covered by that subprocessor's participation in the EU-US Data Privacy Framework and/or Standard Contractual Clauses.

Retention

DataRetention
Account and entitlement datafor the duration of the account, plus a limited wind-down period
Scan-history and progress dataanonymized approximately 24 months after the subscription ends
Consent-log entriesas long as needed to demonstrate consent, plus the statutory limitation period
Invoices and accounting records10 years, as required by Czech accounting and VAT law

Consent logging

Where we rely on consent, we log the timestamp, the source form or page, the version of the policy and terms in effect, and the exact wording shown at the time.

Cookies

hexenkraft.cz uses cookieless, EU-hosted analytics in essential-only mode: no cross-site identifiers and no advertising pixels. Because no non-essential cookies are set, no cookie consent banner is required. If this ever changes, a compliant opt-in banner will be added before any non-essential cookie is set.

Your rights

You have the right of access, rectification, erasure, restriction of processing, objection, data portability and withdrawal of consent. Contact matic@hexenkraft.cz; we respond within 30 days. You may also lodge a complaint with the supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz.

Data breach notification

Where a personal data breach is likely to result in a risk to your rights and freedoms, we notify the ÚOOÚ within 72 hours of becoming aware of it (Art. 33 GDPR) and notify affected individuals directly where the risk is high (Art. 34 GDPR).

Changes

We update this policy as the products, subprocessors or law change, and state the effective date of each version. Material changes affecting your rights are notified by email to account holders.

HEXENKRAFT s.r.o. · IČO 29665931 · Privacy Policy version 1.2, effective 14 July 2026 · Impressum · Terms of Service