Privacy Policy
Effective from February 1, 2026
1. Data Controller and Dual Role
The controller of your personal data is koncal studio s.r.o., with its registered office at Lýskova 2073, Prague 5, Czech Republic, ID No.: 03604071, Tax ID: CZ03604071 (hereinafter "Provider"). The Provider processes personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR") and Act No. 110/2019 Sb. on the processing of personal data (Czech Data Protection Act). Important: The Provider acts in a dual role with respect to personal data — (a) as Data Controller for data about the User (account data, login credentials, usage analytics, payment data), and (b) as Data Processor for data the User enters about their clients, suppliers, and contacts (invoicing data, client addresses, financial records). The User is the Data Controller for their clients' data, and the Provider processes such data solely on the User's documented instructions under the Data Processing Agreement. This distinction follows the model recommended by the Czech Office for Personal Data Protection (ÚOOÚ). Data Protection Officer contact: dpo@kansei.works. General contact: info@kansei.works.
2. Categories of Personal Data
We collect and process the following categories of personal data:
- Identification data: full name, email address, company name, business identification number (ICO), tax identification number (DIC)
- Account data: password hash (bcrypt, 12 salt rounds), account creation date, session tokens, token version for session invalidation
- Financial data: invoice data, bank account numbers, expense records, payment information. Sensitive fields (personal ID numbers, bank accounts of workers) are encrypted with AES-256-GCM
- Technical data: IP address, browser type and version, device information, access timestamps, pages visited. Collected for security (audit logs, rate limiting) and service improvement
- User content: documents, uploaded files (stored as base64 in database or on Cloudflare R2), project data, task descriptions, comments, AI chat conversation history
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6(1) GDPR:
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary for the provision of the Service, including account management, invoicing, and project management features
- Legal obligation (Art. 6(1)(c) GDPR): Processing required by Czech tax and accounting legislation (Act No. 563/1991 Sb. on Accounting, Act No. 235/2004 Sb. on VAT), including retention of invoices and financial records
- Legitimate interest (Art. 6(1)(f) GDPR): Processing for service security (audit logging, brute-force protection, rate limiting), fraud prevention, and service improvement. Our legitimate interest does not override your fundamental rights and freedoms
- Consent (Art. 6(1)(a) GDPR): Where applicable, for analytics cookies (Google Analytics) and optional marketing communications. Consent may be withdrawn at any time without affecting the lawfulness of prior processing
4. Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Account data: retained for the duration of the account and deleted within 30 days of account deletion, unless longer retention is required by law
- Financial documents (invoices, expenses): retained for 10 years in accordance with Czech accounting legislation (Act No. 563/1991 Sb., Section 31) and tax legislation (Act No. 280/2009 Sb., Tax Code)
- Audit logs and security data: retained for 2 years for security incident investigation and compliance purposes, then anonymized or deleted
5. Recipients and International Transfers
Your personal data may be shared with the following categories of recipients, all of whom are bound by data processing agreements compliant with Article 28 GDPR:
- Cloud infrastructure: Neon (PostgreSQL database hosting, EU region), Vercel (application hosting, edge functions with EU presence), Cloudflare (R2 storage, Stream video CDN, Workers)
- AI services: Google (Gemini 2.0 Flash API for AI assistant and OCR features). Data sent to Google AI includes: invoice text for OCR extraction, user queries and entity context for the AI assistant, and expense receipt images for automated categorization. Data is processed under Google's data processing terms, is not used for model training, and is not retained by Google beyond the processing request. The AI assistant has access to the User's entity data (invoices, expenses, clients) only during active queries and does not store conversation context between sessions on Google's servers
- Payment processors: Stripe (international card payments) and GoPay (Czech payment methods), which act as independent data controllers for payment data under PCI DSS compliance
- Email services: Resend (transactional emails for password resets)
For international transfers outside the EU/EEA, we rely on EU Standard Contractual Clauses (SCCs) as approved by the European Commission, or the recipient's participation in an adequate framework (e.g., EU-US Data Privacy Framework).
6. Data Subject Rights
Under the GDPR and Czech Data Protection Act, you have the following rights regarding your personal data. You may exercise any of these rights by contacting us at dpo@kansei.works:
- Right of access (Art. 15 GDPR): You may request confirmation of whether your data is being processed and obtain a copy of such data
- Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data or completion of incomplete data
- Right to erasure (Art. 17 GDPR): You may request deletion of your personal data, subject to legal retention requirements
- Right to restriction of processing (Art. 18 GDPR): You may request restriction of processing under certain circumstances
- Right to data portability (Art. 20 GDPR): You may request your data in a structured, commonly used, machine-readable format (JSON/CSV export)
- Right to object (Art. 21 GDPR): You may object to processing based on legitimate interest, including profiling
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time via your account settings or by contacting us
7. Consent and Withdrawal
Where we process data based on consent (e.g., analytics cookies, optional communications), you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. You may manage your cookie preferences through the cookie banner displayed on the website, or contact us at dpo@kansei.works. Withdrawal does not affect the lawfulness of processing based on other legal bases (contract performance, legal obligation, legitimate interest).
8. Right to Complain to the Supervisory Authority
If you believe your personal data is being processed in violation of the GDPR or Czech Data Protection Act, you have the right to lodge a complaint with the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ), Pplk. Sochorova 27, 170 00 Praha 7, www.uoou.cz, email: posta@uoou.cz. You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence or place of work.
9. Automated Decision-Making and Profiling
The Service uses AI-powered features (AI assistant, OCR document processing) that involve automated processing of data. However, no decisions that produce legal effects or similarly significantly affect you are made solely through automated processing. The AI assistant provides suggestions and responses based on your data, but all final decisions (invoice creation, payment recording, expense categorization) require explicit user confirmation. We do not engage in profiling for the purposes of direct marketing or credit scoring.
10. Cookies
For detailed information on our use of cookies and similar tracking technologies, please refer to our separate Cookie Policy. In summary, we use strictly necessary cookies for authentication and session management (no consent required under Article 5(3) of the ePrivacy Directive), and optional analytics cookies (Google Analytics) that require your prior consent. You may manage your preferences at any time.
11. Security Measures
We implement appropriate technical and organizational measures to protect your personal data in accordance with Article 32 GDPR, including:
- Encryption in transit (TLS/HTTPS) and at rest (AES-256-GCM for sensitive fields)
- Password hashing with bcrypt (12 salt rounds)
- Rate limiting and account lockout to prevent brute-force attacks
- Content Security Policy headers to prevent XSS
- File upload validation with magic byte verification
- Comprehensive audit logging of all write operations
- JWT-based session management with token version invalidation on password change
- Role-based access control with entity-level isolation for multi-tenant data security
12. Children's Privacy
The Service is not intended for persons under the age of 16. We do not knowingly collect personal data from children under 16 years of age. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such data promptly. If you believe we have collected data from a child, please contact us at dpo@kansei.works.
13. Third-Party Integrations (Dropbox & Google Drive)
The Service offers optional integrations with third-party cloud storage providers, specifically Dropbox (operated by Dropbox, Inc.) and Google Drive (operated by Google LLC). These integrations are entirely voluntary and activated only by your explicit action.
What data we access
When you connect your Dropbox or Google Drive account, we request read-only access to your files and folders. Specifically:
- Dropbox: account display name, email address, and read-only access to file/folder metadata and content (scopes: account_info.read, files.metadata.read, files.content.read, sharing.read).
- Google Drive: account email, display name, profile photo, and read-only access to file/folder metadata and content (scopes: drive.readonly, userinfo.email, userinfo.profile).
How we use this data
- To display your cloud storage files within the Kansei interface so you can browse and select files for project deliverables.
- To stream files through our server-side proxy for secure delivery to clients via portal links.
- To display your connected account name and email in Settings for account management purposes.
What we store
We store your OAuth access token and refresh token (encrypted with AES-256-GCM at rest), your account email, display name, and connection metadata. We do NOT store copies of your files — files are streamed on-demand directly from the provider.
How to disconnect
You can disconnect your Dropbox or Google Drive account at any time via Settings. Disconnecting immediately revokes the OAuth token with the provider and deletes all stored tokens and account metadata from our database. Existing deliverable links that reference files will retain their URLs but will no longer be accessible through our proxy.
Third-party policies
Your use of Dropbox is subject to the Dropbox Terms of Service (https://www.dropbox.com/terms) and Dropbox Privacy Policy (https://www.dropbox.com/privacy). Your use of Google Drive is subject to the Google Terms of Service (https://policies.google.com/terms) and Google Privacy Policy (https://policies.google.com/privacy). We encourage you to review these policies.
14. AI Processing (Google Gemini & OpenAI)
The Service uses large language models (LLMs) to power AI features including the AI assistant chat, invoice and receipt OCR processing, and automated data extraction. The following AI providers may process data you submit:
- Google Gemini 2.0 Flash (Google LLC) — primary AI provider for the chat assistant and OCR. Data submitted via chat or OCR (invoice PDFs, receipt images) is processed by Google's API. Subject to Google's Generative AI Additional Terms of Service (https://ai.google.dev/terms).
- OpenAI (OpenAI, Inc.) — optional fallback for OCR processing when Gemini is unavailable. Subject to OpenAI's Usage Policies (https://openai.com/policies/usage-policies).
- Data types processed: text entered in chat conversations, invoice and receipt PDFs/images uploaded for OCR, and structured data returned by the AI models.
- Retention: Data is submitted for inference only and is not used to train models under current API agreements. No data is permanently stored by the AI providers beyond their standard request logging.
AI-generated outputs (OCR results, chat responses, cost estimates) are provided as-is and may contain errors. You are responsible for reviewing and verifying all AI-generated content before relying on it for financial, tax, or legal purposes.
15. Client Notification Services
When you enable client notifications, the following third-party services may process contact information of your clients (email addresses and/or phone numbers) to deliver notifications on your behalf. All notification channels are optional and activated only by your explicit configuration in Settings.
- Email notifications via Resend (Resend Inc.) — transactional emails for password resets, portal invitations, and automated client notifications. Subject to the Resend Privacy Policy (https://resend.com/privacy).
- SMS notifications via Twilio (Twilio Inc., USA) — text message notifications sent to client phone numbers in E.164 format. Phone numbers are transmitted to Twilio only when SMS notifications are enabled and a client has a phone number configured. Subject to the Twilio Privacy Statement (https://www.twilio.com/en-us/legal/privacy). Data transfer to the USA is covered by Standard Contractual Clauses.
- WhatsApp notifications via Meta WhatsApp Cloud API (Meta Platforms, Inc., USA) — WhatsApp Business messages sent to client phone numbers. Phone numbers are transmitted to Meta only when WhatsApp notifications are enabled and a client has WhatsApp configured. Subject to the Meta Privacy Policy (https://www.facebook.com/privacy/explanation) and WhatsApp Business Terms of Service. Data transfer to the USA is covered by Standard Contractual Clauses.