Privacy policy

Last updated: 2026-05-14 · Effective date: TBD (on counsel sign-off)

Draft — not yet effective

This document is a working draft pending review by external counsel. It is not enforceable until the effective date below is replaced with a real date. For commercial commitments, refer to the executed agreement we send with your order form. Effective date: TBD — adopting on counsel sign-off.

This policy explains how the platform service (“platform”, “we”, “us”) collects and uses personal data. It is written for the EU General Data Protection Regulation (GDPR) and the Czech Act No. 110/2019 Coll.; if you are based elsewhere, equivalent local rights apply.

1. Who we are

The platform service is operated by Advisio s.r.o., a Czech limited-liability company registered in Prague (Ostrava office), IČO/Company ID to be confirmed in the executed Order Form. We are the controller of the data you share with us in order to register and operate your account, and the processor of the analytics and advertising data you connect through the service on behalf of your own customers. The split is described in detail in our Data Processing Addendum (DPA).

Privacy contact: privacy@advisio.cz. We respond within 30 days of any request.

2. What we collect

We process four narrow categories of personal data:

  • Account data — your work email, full name, locale and timezone, the password hash (Argon2id), 2FA enrolment status and TOTP seed (server-side only), and your role in the customer organisation.
  • Authentication credentials — OAuth refresh tokens and third-party API keys you connect to ingest data from advertising platforms. Encrypted at rest using a per-record data encryption key (envelope encryption) wrapped by a platform master key.
  • Audit log — append-only record of significant actions (sign-in, configuration changes, credential lifecycle, internal-staff impersonation). Used for forensic investigation and customer-facing change history.
  • Connected-account metadata + aggregated metrics — advertising and analytics performance pulled from platforms you connect (Google Ads, GA4, Meta, Sklik, Heureka, …). We pull aggregated daily metrics by campaign; we do not ingest personal data about your end-users.

3. Legal basis (Article 6 GDPR)

  • Performance of a contract — operating the service you subscribed to (Art. 6(1)(b)).
  • Legitimate interests — security, fraud prevention, audit logging, basic product analytics on internal admin actions (Art. 6(1)(f)).
  • Legal obligation — invoicing, tax records, and statutory retention (Art. 6(1)(c)).
  • Consent — only for optional marketing emails. You may withdraw at any time without affecting service access (Art. 6(1)(a)).

4. Retention

We keep data only as long as it has a defined purpose:

  • Account data — for the duration of your subscription plus 6 months grace for re-activation, then deleted.
  • Authentication credentials — revoked the moment you delete the connected account, or when the third-party token is invalidated by the provider.
  • Audit log — 90 days hot in Postgres, then archived to encrypted cold storage; total retention 7 years for tax and statutory reasons.
  • Daily ad metrics — 5 years (TTL date + INTERVAL 5 YEAR), then the partition is dropped automatically.
  • Backups — daily Postgres dumps kept 7 days, weekly 4 weeks, monthly 6 months, then overwritten.

5. Where data is hosted

All production data is hosted within the European Union (Hetzner Online GmbH, Falkenstein / Helsinki). Daily metrics are stored in ClickHouse on the same physical region; nothing is shipped to non-EU destinations unless a sub-processor explicitly requires it, in which case we use Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.

6. Sub-processors

We use a small list of vendors to deliver the service (hosting, CDN/DNS, error monitoring, billing). Full list, purpose, data shared, and location are public at our sub-processors page. We notify you 30 days before adding or replacing any sub-processor; you may object under your DPA.

7. Your rights

Under GDPR you have the right to:

  • Access a copy of your data (Art. 15) — self-service via GET /api/v1/auth/me/export/ while signed in, or by emailing privacy@advisio.cz.
  • Rectify inaccurate data (Art. 16) — edit on your profile page.
  • Erase your account and all linked personal data (Art. 17) — delete your account in Settings or email us.
  • Restrict processing during a dispute (Art. 18).
  • Port your data in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Not be subject to automated decisions with legal effect (Art. 22) — we don't do this.
  • Lodge a complaint with the Czech Office for Personal Data Protection (uoou.cz).

8. Cookies

We use only essential cookies (session, CSRF, locale). No tracking cookies, no advertising pixels on our marketing site. If we add an analytics or marketing cookie later, we will request consent through a standards-compliant banner before any non-essential cookie is set.

9. Security

Concrete measures we apply today:

  • TLS 1.3 in transit, encryption at rest with per-record DEKs wrapped by a master key.
  • Argon2id password hashing; mandatory 2FA for internal staff.
  • Postgres row-level security on every tenant-scoped table.
  • Append-only audit log with database-level triggers blocking UPDATE/DELETE.
  • Daily encrypted backups; quarterly restore drills.

More detail is in Annex 2 of the DPA.

10. Children

The service is sold B2B and not intended for individuals under 16. We do not knowingly process data of minors. If we learn we have, we will delete it.

11. Changes to this policy

Material changes are notified by email and in-product banner at least 14 days before they take effect. The change history is committed to the public repository so anyone can review the diff.