1. Data Controller (Správce osobních údajů)
Egemen Toprak
OSVČ (Self-employed person / Osoba samostatně výdělečně činná)
IČO (Identification Number): 22240322
Email: privacy@permit.cz
Website: https://permit.cz
The controller processes personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR") and Czech Act No. 110/2019 Coll. on the processing of personal data (Zákon o zpracování osobních údajů).
2. Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address (required for account creation)
- Name (if provided)
- Authentication tokens and session identifiers
2.2 Immigration Case Data
- Permit type, application status, and timeline information
- Documents and document metadata you upload
- Checklist progress and notes
- Deadline and reminder preferences
2.3 AI Assistant Interactions
- Questions you ask the AI immigration assistant
- Conversation history (stored for continuity and quality improvement)
2.4 Technical Data
- IP address, browser type, operating system
- Pages visited, time of access, referring URL
- Cookies and similar identifiers (see our Cookie Policy)
3. Legal Bases for Processing (Article 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Permit.cz service (account, case tracking, AI assistant) | Art. 6(1)(b) — Performance of a contract |
| Analytics and service improvement | Art. 6(1)(a) — Your consent (via cookie banner) |
| Email communications about your account | Art. 6(1)(b) — Performance of a contract |
| Marketing emails and newsletters | Art. 6(1)(a) — Your consent |
| Legal obligations (invoicing, tax records) | Art. 6(1)(c) — Legal obligation |
| Security, fraud prevention | Art. 6(1)(f) — Legitimate interest |
4. Data Sharing and Processors
We share personal data only with trusted third-party processors who assist in operating our service:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) | Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Website hosting and content delivery | EU edge network | SCCs, DPA |
| OpenAI Inc. | AI assistant responses | USA | SCCs, DPA; API data not used for training per OpenAI API terms |
| Google LLC | Analytics (with consent only) | USA | SCCs, consent-based; IP anonymization enabled |
We do not sell your personal data to any third party. We do not share data with advertisers, data brokers, or any party not listed above.
5. International Data Transfers
When data is transferred outside the EU/EEA (to OpenAI and Google in the USA), we rely on European Commission-approved Standard Contractual Clauses (SCCs) under Article 46(2)(c) GDPR, supplemented by additional technical measures (encryption in transit via TLS 1.2+, encryption at rest).
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion, plus 30 days in backups |
| Immigration case data | Until account deletion or manual removal by user |
| AI conversation history | 90 days, then automatically deleted |
| Analytics data | 26 months (Google Analytics default, anonymized) |
| Invoicing / tax records | 10 years (Czech Act No. 563/1991 Coll. on Accounting) |
| Server logs | 30 days |
7. Your Rights Under GDPR
As a data subject, you have the following rights. To exercise any of them, contact us at privacy@permit.cz. We will respond within 30 days.
- Right of access (Art. 15) — Request a copy of your personal data.
- Right to rectification (Art. 16) — Correct inaccurate or incomplete data.
- Right to erasure (Art. 17) — Request deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18) — Restrict processing in certain circumstances.
- Right to data portability (Art. 20) — Receive your data in a machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time without affecting prior processing.
- Right to lodge a complaint — File a complaint with the Czech Data Protection Authority (ÚOOÚ).
Czech Data Protection Authority (Supervisory Authority)
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
Web: www.uoou.cz
Email: posta@uoou.gov.cz
8. Cookies
We use cookies and similar technologies. For full details, see our Cookie Policy. You can manage cookie preferences at any time via the cookie settings link in our footer.
9. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- All data is transmitted with TLS 1.2+ encryption
- Database encryption at rest (AES-256)
- Row-Level Security (RLS) ensuring users can only access their own data
- Authentication via industry-standard protocols (Supabase Auth)
- Regular security reviews and dependency updates
- API keys and secrets stored in environment variables, never exposed to the client
10. Children's Privacy
Permit.cz is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.
11. Automated Decision-Making and AI
Our AI immigration assistant provides informational guidance only. It does not make legally binding decisions about your immigration case. All AI-generated content should be verified with official Czech government sources or a qualified immigration lawyer.
AI conversations are processed by OpenAI via their API. Per OpenAI's API data usage policy, data sent via the API is not used to train their models.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or a prominent notice on the website. The "Last updated" date at the top indicates when the latest revision was made.
13. Contact
For privacy-related inquiries:
Egemen Toprak
Email: privacy@permit.cz
IČO: 22240322