Privacy Policy

Last updated: February 18, 2026

1. Introduction

Blaze Company s.r.o., registered in the Czech Republic ("we", "us", "our"), operates the džarvis platform ("the Service"). This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable Czech and EU data protection laws.

2. Data Controller

Blaze Company s.r.o. is the data controller for the personal data processed through the Service. You can contact us at mr.sucik@gmail.com for any privacy-related inquiries.

3. Data We Collect

Depending on which features you use, we may process the following categories of personal data:

Account Data

Name, email address, profile image, password (hashed), and authentication provider details.

Health & Wellness Data (Special Category)

Weight measurements, calorie intake, sleep data (including from Oura Ring), heart rate, exercise sessions (yoga, pushups, steps, workouts), caffeine and substance tracking, dental hygiene, and mood data. This data is entered voluntarily and processed only with your explicit consent.

Financial Data

Invoices, expenses, debts, bank connections (via GoCardless/Plaid), cryptocurrency wallet addresses and values, stock portfolio values, and business entity information.

Communication Data

Gmail messages (headers, body, labels), Slack messages, and notification preferences. This data is accessed only with your explicit authorization via OAuth.

Calendar & Location Data

Google Calendar events, flight records, trip itineraries, and reservation details.

AI & Chat Data

Conversations with the AI assistant, long-term memory entries, custom skills, and personality configurations. AI features are used solely to provide the requested functionality.

Usage & Technical Data

Session information, device type, browser, IP address (for security), and error logs via Sentry.

5. Data Retention

We retain your data for as long as your account is active. After account deletion:

  • Personal data is deleted within 30 days
  • Anonymized analytics data may be retained indefinitely
  • Financial records are retained for 10 years as required by Czech tax law
  • Backup copies are purged within 90 days

6. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access: Request a copy of your personal data
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (account deletion is available in Settings)
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to restrict processing: Limit how we process your data
  • Right to object: Object to processing based on legitimate interest
  • Right to withdraw consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at mr.sucik@gmail.com.

7. Third-Party Processors

We use the following third-party services that may process your data:

  • Google — Calendar sync, Gmail sync, Google Meet, OAuth authentication
  • Sentry — Error tracking and performance monitoring
  • OpenAI / Anthropic — AI assistant features (chat, memory, skills)
  • Resend — Transactional email delivery
  • GoCardless — Open banking connections

All third-party processors are bound by data processing agreements and comply with GDPR requirements.

8. International Data Transfers

Some of our third-party processors are based outside the European Economic Area. Where data is transferred outside the EEA, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS) and at rest
  • Bcrypt password hashing with cost factor 12
  • Session management with secure, HTTP-only cookies
  • Regular security audits and dependency updates
  • Role-based access controls and audit logging

10. Cookies

The Service uses essential cookies for authentication and session management. We use localStorage for user preferences (theme, cookie consent). We do not use third-party tracking or advertising cookies.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. For the Czech Republic, this is the Office for Personal Data Protection (UOOU) at www.uoou.cz.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect.

13. Contact

For privacy inquiries, contact us at mr.sucik@gmail.com.