Privacy Protection
Data processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR) and Act No. 110/2019 Coll.
updated: October 3, 2025
Controller: Ing. Petra Vlčková, Zdice, Zahradní 302, 26751, Česká republika, IČO: 10881263, not a VAT payer (hereinafter "VEXAIO").
Contact: support@vexaio.com (put "[GDPR]" in the subject line).
Data Protection Officer (DPO): We do not have a designated Data Protection Officer (DPO). For inquiries, please contact us at support@vexaio.com.
Response time: We respond to requests within 30 days according to Art. 12 GDPR.
Account personal data
- Email (registration, communication)
- First and last name (optional)
- Company name (optional)
Technical data
- IP address and device/browser information
- Usage logs and service statistics
- Cookies and similar technologies (see Cookies section)
Chatbot data (service content)
- Knowledge base uploaded by customer (texts, FAQ)
- Conversations between the chatbot and your end users
- Chatbot settings and configuration
- Operational metrics and performance statistics
What we never knowingly store
- Special category data (sensitive data under Art. 9 GDPR, e.g., health or biometric data)
- Payment data (e.g., card numbers); it is processed exclusively by Stripe, which holds PCI DSS certification
- Children's data, unless we are explicitly informed
Contract (Art. 6(1)(b) GDPR)
Account creation and management, service provision and operation, billing.
Legitimate interest (Art. 6(1)(f) GDPR)
Service security (abuse prevention, incident response), functionality and performance improvement (aggregated/statistical analyses without marketing profiling).
We conduct a balancing test, the result of which is available upon request. We respect your right to object (Art. 21 GDPR).
Legal obligation (Art. 6(1)(c) GDPR)
Accounting and tax obligations.
Consent (Art. 6(1)(a) GDPR)
Optional marketing communications and marketing cookies.
Consent can be withdrawn at any time without affecting the lawfulness of processing before withdrawal.
For data uploaded to the knowledge base and conversations between the chatbot and your end users, our customer acts as the controller.
VEXAIO acts as a processor (Art. 28 GDPR) in this relationship and processes data according to customer instructions.
Upon request, we provide a DPA (Data Processing Agreement). After contract termination, data is irreversibly anonymized or deleted in accordance with the DPA.
Used processor services
- Hosting and databases: providers with established security standards (e.g., ISO/IEC 27001, SOC 2).
- Vector search (e.g., Pinecone): EU/US regions; for transfers outside the EEA we use Standard Contractual Clauses (SCC) under Art. 46 GDPR.
- Payments: Stripe (payment processor, PCI DSS certified). VEXAIO does not store payment card data.
- AI models: API access to third-party models (e.g., OpenAI, Google). Data sent to these APIs is used exclusively to generate responses and is not used to train our or third-party models (according to the API settings).
Legal framework for transfers outside EEA
If data is transferred to countries outside the EEA, we apply SCC under Regulation (EU) 2016/679 and assess supplementary measures according to the recommendations of the European Data Protection Board (EDPB 01/2020).
Retention periods
- Accounting documents: for the period required by legal regulations (usually 10 years).
- Operational logs and technical telemetry: typically 90 days (without identifiers beyond what is necessary).
- Chatbot data (knowledge base, conversations): for the duration of the contract or until deleted by the customer. After contract termination, we delete or anonymize the data in accordance with the DPA.
How to exercise your rights
- Write to support@vexaio.com (subject "[GDPR]")
- We respond without undue delay, within 30 days (Art. 12 GDPR)
- You have the right to request: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), to object (Art. 21), and not to be subject to automated decision-making (Art. 22)
Right of access
You can request information about processed data
Right to rectification
You can request correction of incorrect data
Right to erasure
You can request deletion of your data
Right to restriction
You can request restriction of processing
Right to data portability
You can obtain your data in a structured format
Right to object
You can object to processing for marketing
Security measures
- Transmission encryption using TLS 1.3
- Encryption of stored data and access control on a need-to-know basis
- We use providers with established security standards (e.g., ISO/IEC 27001, SOC 2)
- Hosting providers also meet ISO/IEC 27018 (personal data protection in the cloud)
- Regular backups and 24/7 availability monitoring
- We continuously improve our security processes; no system can be guaranteed to be 100% secure
Cookies
- Necessary: for functionality and security (cannot be disabled)
- Analytical: service usage measurement (activated only with your consent)
- Marketing: personalization and remarketing (activated only with your consent)
- You manage consents in the cookie bar and can change or withdraw them at any time
If you are not satisfied with the handling of your request, you can file a complaint with the supervisory authority:
Office for Personal Data Protection (ÚOOÚ) – https://www.uoou.cz
Legal links
• GDPR – Regulation (EU) 2016/679 (esp. Art. 6, Art. 12–22, Art. 28, Art. 44–49)
• SCC – Standard Contractual Clauses under Art. 46 GDPR
• PCI DSS – Stripe (payment cards)
• ISO/IEC 27001, SOC 2 – cloud provider security standards
• Act No. 110/2019 Coll. on personal data processing (CZ)