Privacy Policy (GDPR)

Jara Škrabálek
Version 1
Last updated: August 24th, 2025

I. Basic Provisions
  1. The controller of personal data within the meaning of Art. 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) is Hey Wox, s.r.o., Company ID No. 10866957, with its registered office at Veslařská 563/197, 637 00 Brno, Czech Republic, registered with the Regional Court in Brno, Section C, Insert 123208 (hereinafter referred to as the “Controller”).
  2. Controller’s contact details:
    • Address: Hey Wox, s.r.o., Veslařská 563/197, 637 00 Brno, Czech Republic
    • E-mail: info@heywox.com
  3. The Controller has not appointed a Data Protection Officer (DPO) as it is not obliged to do so under Art. 37 GDPR.
  4. The service is intended only for persons over 18 years of age, or for minors with the consent of their legal guardian. The Controller may request proof of such consent at any time; if it is not provided, the account may be blocked.
II. Categories of Personal Data Processed
  1. The Controller processes:
    1. Data necessary for registration and the user account: name, e-mail address, password (stored only in hashed form).
    2. Data uploaded by the user within the service: in particular invoices and information about household appliances (name/type/brand/model, purchase date, price, estimated age, etc.), or other documents provided by the user. Such records may contain personal data (e.g. the name on an invoice). They are stored solely for the purpose of providing the service and are not used for the Controller’s own marketing beyond what is described below.
    3. Future functionality: the service may be extended to include uploading of contracts and facilitation of supplier switching (energy, insurance, internet). In such cases, only the data necessary for contract performance and legal obligations will be processed. This functionality is not active at the date of publication of this Policy.
III. Legal Basis and Purpose of Processing
  1. The legal bases for processing are:
    • Performance of a contract (Art. 6(1)(b) GDPR): operation and provision of the Hey Wox service, user account management, storage of user-uploaded documents.
    • Compliance with legal obligations (Art. 6(1)(c) GDPR): in particular accounting obligations and, in the future, obligations arising from facilitating contractual relationships.
    • Legitimate interest of the Controller (Art. 6(1)(f) GDPR): direct marketing towards existing users, IT security, fraud prevention, protection of the Controller’s rights, logging.
    • Legitimate interest / soft opt-in (§ 7(3) of Czech Act No. 480/2004 Coll.): sending commercial communications to users/customers regarding similar services, always with the option of easy opt-out.
    • Consent of the user (Art. 6(1)(a) GDPR): sending newsletters and commercial communications to non-users, i.e. those who are not customers of the service.
  2. The Controller does not carry out automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. The service uses automated data processing (e.g. invoice data extraction using the OpenAI GPT API, recommendations for maintenance or energy savings), but such processing is supportive and advisory only. The final decision always rests with the user.
IV. Data Retention Period
  1. The Controller stores personal data for the following periods:
    1. for the duration of the contractual relationship and for 3 years after its termination (for the resolution of claims and disputes),
    2. for accounting records, for the period prescribed by law (typically 10 years),
    3. for marketing purposes (soft opt-in / consent), for 3 years from the last interaction or until consent is withdrawn.
  2. Data uploaded by the user into the account are stored for the duration of the contractual relationship; after its termination, they are irreversibly deleted, except for data that must be retained under legal regulations (e.g. accounting records).
  3. Backups and logs are retained only for as long as necessary for security and recovery purposes (typically up to 90 days).
  4. After the retention period expires, personal data will be deleted or anonymized.
V. Recipients of Personal Data (Processors)
  1. Recipients of personal data are verified processors, in particular:
    • providers of IT and hosting services (e.g. cloud services),
    • providers of analytics and communication tools (e.g. mailing services),
    • providers of AI interfaces (e.g. OpenAI – text extraction from invoices and related functions),
    • in the future, providers of energy, insurance and other household services – if the user uses the contract switching function.
  2. For technical reasons, data may be transferred to third countries (outside the EU), in particular to the USA, Canada or the United Kingdom, through providers of cloud, AI and mailing services (e.g. Google LLC, Amazon Web Services, Mailchimp, OpenAI). Such transfers are safeguarded by EU Standard Contractual Clauses and other appropriate safeguards under Chapter V GDPR. Our processors may retain temporary technical logs for a limited period for security and fraud-prevention purposes.
VI. Users’ Rights
  1. Under the GDPR, you have the right:
    1. to access your personal data (Art. 15),
    2. to rectification (Art. 16) and erasure (Art. 17),
    3. to restriction of processing (Art. 18),
    4. to data portability (Art. 20),
    5. to object to processing (Art. 21),
    6. to withdraw your consent at any time where processing is based on consent.
  2. You may exercise your rights in writing to the Controller’s address or by e-mail at info@heywox.com. We will respond without undue delay, no later than within 1 month.
  3. You also have the right to lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů) in the Czech Republic.
VII. Data Security
  1. The Controller has implemented technical and organizational measures (Art. 32 GDPR) consistent with common IT security practice to protect personal data, in particular:
    • encryption of data at rest and in transit,
    • access control and logging of access,
    • two-factor authentication (2FA) for administrator accounts,
    • regular security updates and testing,
    • least-privilege access rights (only the minimum access necessary).
  2. Personal data are accessible only to authorized persons bound by confidentiality.
VIII. Final Provisions
  1. By submitting the registration form, you confirm that you have read and understood this Privacy Policy.
  2. Where processing is based on consent (e.g. newsletter), such consent is obtained separately and may be withdrawn at any time. Each marketing communication contains a simple unsubscribe option.
  3. The Controller reserves the right to amend this Privacy Policy. Users will be informed of any material changes at least 7 days before they take effect, by e-mail or by notification in the application.
  4. The current version of this Privacy Policy is always available on the Controller’s website at www.heywox.com/tos and in the mobile application.