Privacy Policy

1. Introduction

Blaze Company s.r.o., registered in the Czech Republic ("we", "us", "our"), operates the džarvis platform ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Czech and EU data protection laws.

2. Data Controller

Blaze Company s.r.o. is the data controller for the personal data processed through the Service. You can contact us at mr.sucik@gmail.com for any privacy-related inquiries.

3. Data We Collect

Depending on which features you use, we may process the following categories of personal data:

Account Data

Name, email address, profile image, password (hashed), and authentication provider details.

Health & Wellness Data (Special Category)

Weight measurements, calorie intake, sleep data (including from Oura Ring), heart rate, exercise sessions (yoga, pushups, steps, workouts), caffeine and substance tracking, dental hygiene, and mood data. This data is entered voluntarily and processed only with your explicit consent.

Financial Data

Invoices, expenses, debts, bank connections (via GoCardless/Plaid), cryptocurrency wallet addresses and values, stock portfolio values, and business entity information.

Communication Data

Gmail messages (headers, body, labels), Slack messages, and notification preferences. Accessed only with your explicit authorization via OAuth.

Calendar & Location Data

Google Calendar events, flight records, trip itineraries, and reservation details.

AI & Chat Data

Conversations with the AI assistant, long-term memory entries, custom skills, and personality configurations. AI features are used solely to provide the requested functionality.

Usage & Technical Data

Session information, device type, browser, IP address (for security), and error logs via Sentry.

Browser Automation Data

When the AI assistant performs browser automation on your behalf, we may process: screenshots of web pages, extracted page content and DOM elements, form field data, URLs visited, and interaction logs. Browser sessions are isolated per user and do not persist cookies or local storage to disk.

Automated Task Data

For scheduled jobs and automated reactions, we process: task configurations (schedule, triggers, instructions), trigger input data (e.g., incoming emails that activate an automation), output and action logs, and execution history. This data is retained for as long as the automation is active plus a reasonable period after deletion for debugging purposes.

4. Legal Basis for Processing

• Contract performance: Account data and subscription management are necessary to provide the Service
• Explicit consent: Health data and special category data are processed only with your explicit consent, which you can withdraw at any time
• Legitimate interest: Security logging, error monitoring, and service improvement using anonymized data
• Legal obligation: Financial record retention as required by Czech and EU law

5. Data Retention

We retain your data for as long as your account is active. After account deletion:

• Personal data is deleted within 30 days
• Anonymized analytics data may be retained indefinitely
• Financial records are retained for 10 years as required by Czech tax law
• Backup copies are purged within 90 days

6. Your Rights (GDPR)

Under the GDPR, you have the following rights:

• Right of access: Request a copy of your personal data
• Right to rectification: Correct inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data (account deletion is available in Settings)
• Right to data portability: Receive your data in a structured, machine-readable format
• Right to restrict processing: Limit how we process your data
• Right to object: Object to processing based on legitimate interest
• Right to withdraw consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at mr.sucik@gmail.com.

7. Cross-Service Data Flow

When the AI assistant processes your requests, data from one connected service may be used to inform or execute actions on another. For example:

• Email content may be used to create or update calendar events
• Financial data may be referenced when generating communications or reports
• Content extracted from browser automation on one website may inform actions taken on another
• File contents may be included in messages or used to populate forms

This cross-service data flow is necessary to provide the integrated AI assistant experience. You can limit the scope of data flow by disconnecting integrations you do not wish the AI to access. We process cross-service data only to fulfill your requests and do not use it for purposes beyond providing the Service.

8. Third-Party Processors

We use the following third-party services that may process your data:

• Google — Calendar sync, Gmail sync, Google Meet, OAuth authentication
• Sentry — Error tracking and performance monitoring
• OpenAI / Anthropic — AI assistant features (chat, memory, skills)
• Resend — Transactional email delivery
• GoCardless — Open banking connections
• Playwright (Browser Infrastructure) — Per-user isolated browser sessions for AI-powered web automation

All third-party processors are bound by data processing agreements and comply with GDPR requirements.

9. International Data Transfers

Some of our third-party processors are based outside the European Economic Area. Where data is transferred outside the EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS) and at rest
• Bcrypt password hashing with cost factor 12
• Session management with secure, HTTP-only cookies
• Regular security audits and dependency updates
• Role-based access controls and audit logging

11. Cookies

The Service uses essential cookies for authentication and session management. We use localStorage for user preferences (theme, cookie consent). We do not use third-party tracking or advertising cookies.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Czech Republic, this is the Office for Personal Data Protection (UOOU) at www.uoou.cz.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.

14. Contact

For privacy inquiries, contact us at mr.sucik@gmail.com.