GDPR Compliance

Our commitment to data protection under the General Data Protection Regulation

Our GDPR Commitment

Docutee is fully committed to compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679. We respect the privacy rights of individuals and have implemented comprehensive measures to ensure the protection of personal data.

Data Controller: Martin Krizan, Company ID: 76529819
Registered in: Czech Republic (EU Member State)
Supervisory Authority: Úřad pro ochranu osobních údajů (Czech Office for Personal Data Protection)

Legal Basis for Processing

We process personal data under the following legal bases as defined in Article 6 of the GDPR:

Contract (Article 6(1)(b))

  • Account creation and management
  • Service provision and document processing
  • Billing and payment processing
  • Customer support

Legitimate Interests (Article 6(1)(f))

  • Service improvement and development
  • Security and fraud prevention
  • Analytics and performance monitoring
  • Direct marketing to existing customers

Legal Obligation (Article 6(1)(c))

  • Tax and accounting records
  • Compliance with court orders
  • Anti-money laundering requirements

Consent (Article 6(1)(a))

  • Marketing communications to non-customers
  • Optional features and services
  • Cookies (non-essential)

Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

1. Right to Access (Article 15)

You have the right to obtain confirmation as to whether we process your personal data and, if so, access to that data and information about how it is processed.

2. Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete personal data completed.

3. Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or when you withdraw consent.

4. Right to Restriction of Processing (Article 18)

You have the right to restrict processing of your data while we verify its accuracy, or when processing is unlawful but you do not want the data deleted.

5. Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.

6. Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

7. Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affects you.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us:

Email: [email protected]
Subject Line: GDPR Rights Request
Response Time: Within 30 days (may be extended by 2 months for complex requests)

We may request identification to verify your identity before processing your request.

Data Protection Measures

Technical Measures

  • End-to-end encryption for data transmission
  • AES-256 encryption for data at rest
  • Regular security audits and penetration testing
  • Access controls and authentication mechanisms
  • Pseudonymization where appropriate

Organizational Measures

  • Data protection training for all staff
  • Confidentiality agreements with employees
  • Limited access on a need-to-know basis
  • Regular review of data protection policies
  • Data Protection Impact Assessments (DPIA) for high-risk processing

Data Processing Agreement (DPA)

For business customers who act as data controllers, we provide a Data Processing Agreement that outlines:

  • Roles and responsibilities
  • Processing instructions and limitations
  • Security obligations
  • Sub-processor management
  • Audit rights
  • Data breach notification procedures
  • Data return and deletion terms

To request a DPA, contact [email protected].

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Additional technical and organizational measures
  • Regular assessment of third-country data protection laws

Sub-Processors

We use the following sub-processors to provide our services:

Sub-Processor        | Purpose               | Location
Amazon Web Services  | Cloud Infrastructure  | EU (Frankfurt)
Stripe               | Payment Processing    | EU/USA
OpenAI               | AI Document Analysis  | USA
MongoDB Atlas        | Database Services     | EU (Ireland)

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the supervisory authority within 72 hours (where feasible)
  • Notify affected data subjects without undue delay if high risk
  • Document all breaches and actions taken
  • Implement measures to prevent recurrence

Privacy by Design

We implement privacy by design principles:

  • Data minimization - we only collect necessary data
  • Purpose limitation - data is used only for stated purposes
  • Storage limitation - data is retained only as long as necessary
  • Default privacy settings - highest privacy by default
  • Built-in data protection features

Cookie Policy

We use cookies in compliance with the ePrivacy Directive:

  • Essential Cookies: Required for service functionality (no consent needed)
  • Analytics Cookies: Used to improve our service (consent required)
  • Marketing Cookies: Not currently used

You can manage cookie preferences through your browser settings.

Children's Data

Our service is not intended for children under 16. We do not knowingly collect data from children under 16 without parental consent. If we become aware of such collection, we will delete the data immediately.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority:

Czech Republic:
Úřad pro ochranu osobních údajů
Pplk. Sochora 27, 170 00 Praha 7
Website: www.uoou.cz
Email: [email protected]

You may also contact the supervisory authority in your country of residence.

Contact Our Data Protection Officer

For any GDPR-related questions or concerns:

Email: [email protected]
Mail: Martin Krizan, Petrovicka 510/60, 79401 Krnov, Czech Republic
Response Time: Within 30 days