Privacy Notice and Personal Data Processing Agreement

1. PERSONAL DATA

   1. The Provider, PromethistAI a.s., company incorporated and existing under the Czech law, with its registered office at Salvátorská 931/8, Staré Město, 110 00 Praha 1, Identification Number 08671281, entered into Commercial Register maintained by the Prague City Court, Section B., Insert No. 24826, processes the following personal data in relation to operation of the Platform:

      1. personal data Customer enters when creating Account within the Platform, such as name, surname, e-mail and other contact details; with respect to such data the Provider acts as independent data controller;
      2. personal data concerning the Customer as data subject which the Customer enters to the Platform when interacting with the Platform (i.e. data included in the conversations within the Platform); with respect to such data the Provider acts as independent data controller; and
      3. personal data related to other data subjects (e.g. End Users) which the Customer processes as independent controller and which is entered to the Platform when interacting with the Platform (i.e. data included in the conversations within the Platform); with respect to such data the Provider acts as personal data processor.

      Please note that personal data related to the payment for the use of the Platform, such as credit card details are collected and processed by the payment services provider, Stripe Inc. or its local affiliates, please see their Privacy Policy at https://stripe.com/en-cz/privacy for more information.

   2. The legal title and purpose of the above data processing is performance of the contract between the Customer and the Provider, in particular operation of the Platform in accordance with its specification. The Provider may also process personal data to pursue its legitimate interest such as prevention of fraud or maintenance and development of the Platform. The Platform is not intended for processing special categories of personal data such as data related to sexual orientation, political opinion, and health of an individual (sensitive data). All users are strongly discouraged from entering any sensitive personal data to the Platform, however, if they do so, each such user agrees that such data will be processed and stored within the Platform as necessary for interaction with the Platform and its use.

   3. The Provider shall process personal data only for the period necessary to achieve the purpose of data processing above, in any case no longer than for the duration of the Contract, unless it is required to retain personal data for longer period under any Applicable Laws or for resolution of claims or pursuing other legitimate interests.

   4. In case where the Provider acts as personal data processor,

      1. the Provider shall process the personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law to which the Provider is subject; in such a case, the Provider shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. This shall not affect the processing of anonymized data under Article 4.3 of the Terms.
      2. The Provider shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
      3. The Provider shall ensure to take all measures pursuant to Article 32 of the GDPR.
      4. The Provider shall be entitled to engage another processor to process Personal Data only with Customer's prior written consent. Should such consent be granted, the Provider shall adhere to its obligations under Article 28, paragraph 2 and 4 of the Regulation. By accepting these Terms the Customer consents to engagement of sub-processors set out in Section 1.5 below.
      5. While processing personal data, the Provider shall take into account the nature of the processing, assists the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer' obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR and ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Provider.
      6. The Provider undertakes to, at Customer's choice, delete or return all the personal data to the Customer after the end of the provision of services relating to processing, at the latest upon termination of the contract and delete all existing copies unless any applicable law requires storage of the personal data.
      7. The Provider shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Attachment as well as in any applicable laws and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

   5. The Provider may transfer to personal data to other recipients acting as processors of personal data, in particular providers of technologies used for operation of the platform, including the following entities:

      Microsoft Corporation | One Microsoft Way | Redmond, WA 98052 | United States

      OpenAI, L.L.C. | 3180 18th St | San Francisco, CA 94110 | United States

      ElevenLabs Inc. | 169 Madison Avenue, Suite 2484 | New York, NY 10016 | United States

      The Customer acknowledges and agrees that these entities may transfer personal data outside the European Economic Area (in particular to the United States of America) based on the applicable legal title for such transfer (such as, in particular, the EU-US Data Privacy Framework or the Standard Contractual Clauses).

   6. Each data subject has the following rights: (a) right of access: i.e. right to obtain confirmation from the data controller as to whether or not personal data concerning such data subject are being processed, and, where that is the case, to access such personal data and obtain information as to scope, method, purpose and duration of such processing; (b) right to rectification: i.e. to request correction of inaccurate or amendment of incomplete personal data related to such data subject, (c) right to erasure (right to be forgotten): i.e. the right, under the conditions set out in GDPR, to have personal data related to such data subject erased for example in cases when such data are no longer necessary in relation to the purposes for which they were collected, consent to their processing has been withdrawn, objection to their further processing has been made or they were processed unlawfully; (d) right to restrictions of processing for example when the accuracy of personal data is contested or the personal data were unlawfully processed, (e) right to data portability: i.e. right to receive the personal data provided above in a structured, commonly used and machine-readable format and to transmit those data to another controller, under the conditions set out in GDPR and to the extent of technical capabilities of the data controller; (f) right to object to further processing of personal data by the data controller for example in cases where the processing is based on legitimate interest of the data controller; (g) right to withdraw consent: in case where the data processing is based on consent of data subject such consent may be withdrawn at any time without affecting lawfulness of processing carried out before such withdrawal and (h) right to file complaint at the data protection authority (Office for Protection of Personal Data).

   7. The Customer shall ensure that all personal data entered into the Platform were collected in compliance with all Applicable Laws and by processing thereof in accordance with this Privacy Notice Applicable Laws or contractual undertakings with the relevant data subjects will not be contradicted. The Customer shall also notify all End Users about personal data processing within the Platform as required by Applicable laws.

   8. Capitalized terms undefined here have the same meaning as in the Terms of Use – PromethistAI document.

Download the Privacy Notice in PDF here.