Privacy Policy
Last updated: April 1, 2026
1. Data Controller
The data controller within the meaning of Art. 4(7) of Regulation (EU) 2016/679 (GDPR) is:
- Allier Studio — Vratislav Šrám
- Registered office: Špičák 125, 381 01 Český Krumlov, Czech Republic
- ID No.: 17995701
- Email for GDPR inquiries: info@allier.studio
- Website: https://allier.studio
We have not appointed a Data Protection Officer (DPO) as we are not required to do so by law (we do not meet the conditions of Art. 37 GDPR). For data protection matters, please contact us at the email address above.
2. What Data We Collect
Contact form (/kontakt)
- Name (optional)
- Email (required)
- Company or project (required)
- Message (optional)
AI audit form
- Full name (required)
- Company name (required)
- Email (required)
- Phone number (optional)
- Industry, website URL (optional), business description (required)
- Data is stored in our database for processing your inquiry and delivering results
Offers and contracts (client area)
- Full name, email, company name, ID number (IČO)
- Offer content (selected items, notes, total price)
- IP address and User-Agent upon offer confirmation
- Offer feedback (notes, IP address, User-Agent)
- Billing information (name, email, company, ID number)
Electronic contract signing
- IP address and User-Agent at the time of signing
- Signing timestamp
- Verification code (for signature integrity)
- This data is retained for 10 years as proof of contract conclusion (§ 562 Czech Civil Code, Art. 25 eIDAS Regulation)
Automatically collected data
- IP address (server logs, rate limiting, audit log)
- User-Agent (browser and device type)
3. Why We Collect Data (Legal Basis)
- Contact form: legitimate interest — responding to your inquiry (Art. 6(1)(f) GDPR)
- AI audit: consent — processing data for AI analysis and delivery of results (Art. 6(1)(a) GDPR)
- Contract performance: we process data necessary for preparing offers, concluding, and performing contracts (Art. 6(1)(b) GDPR)
- Legal obligation: accounting and tax documents are retained for the period required by § 31 of the Czech Accounting Act and by the Czech Tax Code (Art. 6(1)(c) GDPR)
- Server logs and security: legitimate interest — abuse prevention, system security, proof of electronic signatures (Art. 6(1)(f) GDPR)
4. Who We Share Data With
We share your data only with the following processors with whom we have Data Processing Agreements (DPA):
- Resend (Plus Five Five, Inc.) — email delivery. Based in: USA. DPA: resend.com/legal/dpa
- Anthropic (Anthropic PBC) — AI analysis within the audit. Based in: USA. DPA: anthropic.com/legal/data-processing-addendum. Anthropic does not use commercial data to train its models.
- Vercel Inc. — website hosting and serverless functions (Frankfurt region, EU). Based in: USA. DPA: vercel.com/legal/dpa
- Neon Inc. — PostgreSQL database hosting (EU region). Based in: USA. DPA: neon.tech/legal/dpa
- Upstash Inc. — rate limiting and abuse protection. Based in: USA. DPA: upstash.com/trust/dpa.pdf
- Sentry (Functional Software, Inc.) — application error monitoring. Based in: USA. DPA: sentry.io/legal/dpa/
Data transfers to the USA are carried out on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission and/or the EU-US Data Privacy Framework. Serverless functions run in the Frankfurt (fra1) region to minimize data transfers outside the EU.
5. Automated Decision-Making and AI Processing
The AI audit uses automated analysis of your responses via the Claude language model (Anthropic). Based on your business description and (optionally) analysis of your publicly available website, the AI generates personalized recommendations. The results are indicative and do not constitute binding advice. They have no legal effects and do not significantly affect you within the meaning of Art. 22 GDPR.
Safeguards: Before sending data to the AI model, personal identifiers (emails, phone numbers, addresses) are automatically removed. Anthropic does not use commercial API data to train its models. You have the right to request human review of the results — contact us at info@allier.studio.
6. How Long We Retain Data
We retain personal data only for as long as necessary for the given purpose:
- Contact form: up to 3 years from last contact
- AI audit (inquiries): for the duration of the business relationship, then up to 3 years; deleted upon request at any time
- Offers: for the validity period of the offer and then up to 3 years; anonymized upon request
- Signed contracts: 10 years from contract termination (§ 31 Czech Accounting Act No. 563/1991; § 630 Czech Civil Code — limitation period)
- Invoices and payment data: 10 years (§ 31 Czech Accounting Act, § 148 Czech Tax Code)
- Electronic signature data (IP, User-Agent, timestamp): 10 years (proof of contract conclusion under § 562 Czech Civil Code)
- Server logs: up to 90 days
After the retention period expires, data is permanently deleted or anonymized (name replaced with "[deleted]", email replaced with "anonymized@deleted.invalid", IP address and other identifiers removed). Anonymized data cannot be traced back to a specific individual.
7. Your Rights
Under GDPR, you have the following rights:
- Right of access (Art. 15 GDPR) — you may request a copy of your data in a machine-readable format
- Right to rectification (Art. 16 GDPR) — you may request correction of inaccurate data
- Right to erasure (Art. 17 GDPR) — you may request deletion of your data, unless there is a legal reason for continued retention
- Right to restriction of processing (Art. 18 GDPR) — you may request temporary restriction of processing, e.g., while verifying data accuracy
- Right to data portability (Art. 20 GDPR) — data processed on the basis of consent or contract will be provided in a structured format (JSON)
- Right to object (Art. 21 GDPR) — especially against processing based on legitimate interest
- Right to withdraw consent (Art. 7 GDPR) — at any time, without affecting the lawfulness of prior processing
To exercise your rights, contact us at info@allier.studio. To verify your identity, we may ask you to send your request from the email address you provided to us. We will respond without undue delay, within 30 days at the latest (Art. 12(3) GDPR).
If you believe we are processing your data in violation of applicable law, you have the right to file a complaint with the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, https://uoou.gov.cz.
8. Cookies and Analytics
This website does not use any marketing or analytics cookies. For traffic measurement we use self-hosted Plausible Analytics, which does not collect personal data, does not store cookies, and is fully GDPR compliant. No cookie banner is therefore required.
The administration interface uses a single technical HTTP-only cookie (admin_session) for administrator authentication. This cookie is strictly necessary for the operation of the admin area (Art. 5(3) ePrivacy Directive) and expires after 24 hours. Regular website visitors do not encounter this cookie.
9. Security
We use appropriate technical and organizational measures to protect your data: encrypted transmission (HTTPS/TLS), server-side input validation (zod schemas), form rate limiting, honeypot bot protection, timing-safe authentication token comparison, security HTTP headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), and serverless function hosting in the EU region (Frankfurt). Admin access is protected by HMAC-based session authentication with login attempt limiting.
10. Children's Data Protection
Our services are not intended for persons under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at info@allier.studio and we will delete the data promptly.
11. Changes to This Policy
We may update this policy from time to time, particularly when changing processors, processing purposes, or in response to changes in legislation. The current version is always available on this page with the date of the last update. In case of a material change, we will inform you by email (if we have your email) or by a prominent notice on the website.
12. Contact
For questions regarding personal data protection, please contact info@allier.studio. We will respond within 30 days at the latest.