Privacy Policy
Zásady ochrany osobních údajů · Version 1.2, effective 14 July 2026
This English text is a translation. The authoritative version of this document is the Czech one, Ochrana osobních údajů. In case of any discrepancy, the Czech version prevails.
Scope
This policy applies to hexenkraft.cz and to the products sold by HEXENKRAFT s.r.o. directly: Inkluso (website accessibility scanner) and Klariq (EU AI Act documentation generator). Products sold through a separate merchant of record are governed by that merchant's own privacy policy, identified at the relevant checkout.
Controller
The data controller is HEXENKRAFT s.r.o., se sídlem V zahradách 2462/31, 180 00 Praha 8, Česká republika, IČO 296 65 931, zapsaná v obchodním rejstříku vedeném Městským soudem v Praze, oddíl C, vložka 450419. Contact for privacy matters: matic@hexenkraft.cz.
What we collect, and why
Account and entitlement data: email address, sign-in events, purchase and entitlement records, support correspondence. Legal basis: performance of a contract.
Inkluso scan data: the website you submit is scanned against WCAG 2.1 AA and the findings, reports and history are stored so you can track remediation. Because a scan reads publicly rendered page content, it can incidentally capture personal data that appears on your own site, such as names, photos or contact details on team pages. We do not scan to extract anyone's personal data. Where such data appears incidentally, you as the site owner remain responsible for your own lawful basis to publish it, and we process it only for the narrow purpose of accessibility analysis.
Klariq data: your classifier answers, the entity and system facts you supply, and the generated documents. Legal basis: performance of a contract.
Payment data: we never store your card number or credentials; Stripe handles payment directly (see Subprocessors). We keep the transaction records needed for delivery, refunds, disputes and statutory accounting retention.
Email: transactional emails (receipts, sign-in links, scan notifications) are sent on a contract basis and require no marketing consent. Marketing emails are sent only if you tick a separate, unbundled opt-in checkbox, confirmed by double opt-in before the first send.
Analytics: cookieless, EU-hosted analytics in essential-only mode; see Cookies below.
Legal bases
| Basis | Applies to |
|---|---|
| Contract (Art. 6(1)(b) GDPR) | accounts, scans and reports, documentation packs, payments, transactional email, support |
| Consent (Art. 6(1)(a) GDPR) | marketing email only; double opt-in, unbundled, revocable at any time |
| Legitimate interest (Art. 6(1)(f) GDPR) | security and fraud prevention; incidental third-party data in a scanned page, narrowly scoped |
| Legal obligation (Art. 6(1)(c) GDPR) | accounting and invoice retention under Czech law |
How the service is built
- Data location: account, entitlement, scan-history and consent-log data is stored in an EU-region PostgreSQL database.
- Authentication: magic-link email sign-in via a managed provider; no passwords are stored.
- Payments: Stripe processes payments for Inkluso and Klariq; card data never touches HEXENKRAFT systems.
Subprocessors
| Subprocessor | Role | Transfer basis |
|---|---|---|
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing | Stripe DPA; EU-US Data Privacy Framework and Standard Contractual Clauses |
| Hetzner Online GmbH | Application and database hosting | EU-based (Germany); no third-country transfer |
| Email service provider | Transactional and opted-in marketing email | Named here before first use |
| Authentication provider | Magic-link sign-in | Named here before first use |
International transfers
Production data stays in the EU (Hetzner, Germany). Where a subprocessor is established outside the EU/EEA, the transfer is covered by that subprocessor's participation in the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
Retention
| Data | Retention |
|---|---|
| Account and entitlement data | for the duration of the account, plus a limited wind-down period |
| Scan-history and progress data | anonymized approximately 24 months after the subscription ends |
| Consent-log entries | as long as needed to demonstrate consent, plus the statutory limitation period |
| Invoices and accounting records | 10 years, as required by Czech accounting and VAT law |
Consent logging
Where we rely on consent, we log the timestamp, the source form or page, the version of the policy and terms in effect, and the exact wording shown at the time.
Cookies
hexenkraft.cz uses cookieless, EU-hosted analytics in essential-only mode: no cross-site identifiers and no advertising pixels. Because no non-essential cookies are set, no cookie consent banner is required. If this ever changes, a compliant opt-in banner will be added before any non-essential cookie is set.
Your rights
You have the right of access, rectification, erasure, restriction of processing, objection, data portability and withdrawal of consent. Contact matic@hexenkraft.cz; we respond within 30 days. You may also lodge a complaint with the supervisory authority: Úřad pro ochranu osobních údajů (ÚOOÚ), Pplk. Sochora 27, 170 00 Praha 7, uoou.gov.cz.
Data breach notification
Where a personal data breach is likely to result in a risk to your rights and freedoms, we notify the ÚOOÚ within 72 hours of becoming aware of it (Art. 33 GDPR) and notify affected individuals directly where the risk is high (Art. 34 GDPR).
Changes
We update this policy as the products, subprocessors or law change, and state the effective date of each version. Material changes affecting your rights are notified by email to account holders.
HEXENKRAFT s.r.o. · IČO 29665931 · Privacy Policy version 1.2, effective 14 July 2026 · Impressum · Terms of Service