Privacy Policy (GDPR)

Effective from: 26 June 2026

This is an English translation provided for convenience only. The legally binding version is the Czech original available at https://veritra.io/gdpr. In case of any discrepancy, the Czech text prevails.

This document describes how the veritra.io service processes personal data. The policy complies with Regulation (EU) 2016/679 (GDPR) and the Czech Personal Data Processing Act (Act No. 110/2019 Coll.).

1. Data controller

The data controller within the meaning of Article 4(7) GDPR is:

  • RWX, s.r.o., Czech ID No. (IČO): 14235111
  • Registered office: Sadová 1646, 560 02 Česká Třebová, Czech Republic
  • Registered in the Commercial Register at the Regional Court in Hradec Králové, section C, file 49019
  • Contact email: [email protected]
  • Phone: +420 608 379 273

Given the scope of processing, the provider is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. The above contact email serves for all data-protection matters.

2. Categories of personal data processed

CategorySpecific dataPurpose
RegistrationEmail, name, company name, company ID (IČO), phoneAccount creation and management, communication
BillingBilling address, VAT status, bank account numberInvoicing, accounting obligations
OperationalIP address, User-Agent, location by IP, timestampsSecurity, abuse prevention, statistics
AuthenticationPassword (hashed), tokens, API keys (hashed)Login, API authorization
ContentFilter configuration, report history, API queriesService delivery
AI analysis (optional)Company questionnaire, company profile, tender documents submitted for analysisAI tender suitability assessment (on user request)
CommunicationEmail correspondence, feedback form contentCustomer support
Marketing (optional)Newsletter open trackingCommunication improvement

Passwords are stored as one-way hashes (bcrypt); the provider never sees passwords in plain text. API keys are stored as SHA-256 hashes; after generation the key is shown to the user once and the provider does not retain it in plain text.

3. Purpose and legal basis

Each category has its legal basis under Article 6 GDPR:

  • Contract performance (Art. 6(1)(b)) — registration, billing, authentication, and content data.
  • Legal obligation (Art. 6(1)(c)) — accounting records retention (10 years per Act No. 563/1991 Coll.).
  • Legitimate interest (Art. 6(1)(f)) — operational data for security and abuse prevention.
  • Consent (Art. 6(1)(a)) — marketing communication beyond the contract.

4. Retention periods

CategoryRetention
Registration and contentDuration of contract + 30 days (export window)
Accounting documents10 years from end of accounting period
Operational logs (IP, UA, timestamps)90 days
Communication history3 years from last contact
Authentication (passwords, API keys)Duration of account

5. Data recipients (subprocessors)

ProcessorPurposeLocation
Vercel Inc. (USA)Web hosting, edge runtimeEU (Frankfurt) + US fallback (SCCs)
DigitalOcean LLC (USA)MySQL, object storageEU (Frankfurt)
Cloudflare Inc. (USA)CDN, DDoS, DNS, WAFGlobal edge
Upstash Inc. (USA)Redis for rate limitingEU (Frankfurt)
Stripe Payments Europe Ltd. (Ireland)Card payment processingEU
Resend Inc. (USA)Transactional and marketing emailEU (Frankfurt) + US (SCCs)
AWS SES (Amazon Web Services EMEA)Some system emails, inbound mailEU (eu-west-1)
Anthropic PBC (USA)AI blog content generation; AI tender analysis (on user request) — processing of the company questionnaire, company profile and the documents of the tender the user analyzes, including sending those documents for assessment. Zero data retention mode (inputs are not used for training and not stored after processing).US (SCCs)
WEDOS Internet, a.s. (Czech Republic)Domain registrationCzech Republic

US subprocessors are covered by Standard Contractual Clauses (SCCs) per Commission Decision (EU) 2021/914 and Data Privacy Framework where applicable.

We do not share data with advertisers, data brokers, or third-party trackers.

6. Your rights

As a data subject, you have the following rights under Articles 15-22 GDPR:

  • Right of access (Art. 15) — request a copy of all personal data we process about you.
  • Right to rectification (Art. 16) — correct inaccurate data. Most can be updated directly in the dashboard.
  • Right to erasure (Art. 17, "right to be forgotten") — request deletion. Data we must retain by law cannot be erased.
  • Right to restrict processing (Art. 18) — request temporary restriction in case of dispute.
  • Right to data portability (Art. 20) — request your data in a machine-readable format (JSON or CSV).
  • Right to object (Art. 21) — to processing based on legitimate interest.
  • Right to withdraw consent (Art. 7(3)) — for marketing communication, anytime via unsubscribe in any email or in account settings.
  • Right not to be subject to automated decision-making (Art. 22) — not applicable.

To exercise your rights, contact us at [email protected]. We respond without undue delay, no later than 1 month from request receipt.

7. Cookies

We use only strictly necessary cookies (session, CSRF, language preference). These do not require consent under § 89(3) of the Czech Electronic Communications Act.

Third-party analytics and marketing cookies (Google Analytics, Facebook Pixel) are not currently used.

8. Security

The provider implements technical and organizational measures:

  • TLS 1.2+ for all client-server communication
  • bcrypt for passwords, SHA-256 for API keys
  • Rate limiting and Cloudflare WAF
  • Principle of least privilege for staff and subprocessor access
  • Regular database backups
  • Storage encryption at rest (Vercel, DigitalOcean, Stripe)

In case of a personal data breach likely to result in high risk to user rights, we will notify users without undue delay (Art. 34 GDPR) and report the incident to the Czech DPA within 72 hours (Art. 33 GDPR).

9. International data transfers

Some subprocessors are based in the USA. Transfers are based on SCCs per Commission Decision (EU) 2021/914 and Data Privacy Framework where applicable.

10. Complaint to the supervisory authority

If you believe your data is being processed in violation of GDPR, you may lodge a complaint with the Czech Data Protection Authority:

11. Changes to this policy

This Privacy Policy may be updated. The current version is always published at https://veritra.io/gdpr. Material changes will be notified 30 days in advance by email.


Version 1.1, effective from 26 June 2026. Controller: RWX, s.r.o., IČO 14235111. Contact: [email protected].