Privacy Policy
This document describes how Mentální lázně s.r.o. processes personal data of users of the connector.mentalnilazne.cz platform. It is drafted in accordance with Regulation (EU) 2016/679 (GDPR) and Czech Act No. 110/2019 Coll. on the Processing of Personal Data.
1. Data controller
The data controller is Mentální lázně s.r.o., ID No. 21269114, VAT No. CZ21269114, registered at Staré nám. 50, 363 01 Ostrov, Czech Republic. For any privacy-related matter, contact us at info@mentalnilazne.cz.
2. Definitions
The terms "personal data", "processing", "controller", "processor" and "data subject" are used in the meaning given to them by Article 4 GDPR.
3. Categories of personal data processed
- Account identification and contact data: first and last name, email address, preferred language, hashed password.
- Authentication data: session tokens, password-reset tokens, email-verification tokens.
- Onboarding answers: the responses you submit during onboarding so we can tailor recommendations.
- BUDDHO conversation content: the messages you exchange with the guided journey assistant, if you use it.
- Technical operational data: IP address, user-agent identifier, access timestamps, session metadata.
- Cookies: see "Cookies" below.
4. Purposes of processing and legal bases
- Operating your account and providing the service – Art. 6(1)(b) GDPR (performance of a contract).
- Securing the platform and preventing abuse – Art. 6(1)(f) GDPR (legitimate interest in service security).
- Analytics and marketing cookies – Art. 6(1)(a) GDPR (the consent you grant in the cookie banner).
- Compliance with legal obligations – Art. 6(1)(c) GDPR (accounting and tax law, where applicable).
5. Recipients and processors
Your personal data may be shared with the following categories of recipients:
- Hosting provider: ARODAX Servis s.r.o., ID No. 27991831, registered at Rybná 716/24, Staré Město, 110 00 Praha 1, Czech Republic.
- Email service provider: ARODAX Servis s.r.o. (the same entity as the hosting provider).
- Language-model providers for BUDDHO: none – the language model runs locally on our own infrastructure.
- Analytics provider: none – we do not currently operate an analytics service.
- Public authorities, where required by law.
We have a Data Processing Agreement in place with each processor pursuant to Art. 28 GDPR.
6. International transfers
All processing takes place within the European Economic Area. Because the BUDDHO language model runs locally on our own infrastructure in the Czech Republic, conversation data is not transferred to any non-EEA processor.
7. Retention periods
- Account data: for the lifetime of the account and 12 months after its deletion.
- Operational and security logs: 12 months.
- Marketing data (based on consent): until consent is withdrawn, but no longer than 36 months.
- Accounting records: 10 years under the Czech Accounting Act.
8. Your rights
Under Articles 15–22 GDPR you have the right to:
- access your personal data and obtain a copy;
- correct inaccurate or incomplete data;
- erasure ("right to be forgotten") in the cases set out in Art. 17 GDPR;
- restrict processing;
- data portability for data we process by automated means on the basis of a contract or consent;
- object to processing based on legitimate interest;
- withdraw consent at any time; withdrawal does not affect the lawfulness of processing before the withdrawal.
To exercise your rights, email info@mentalnilazne.cz. We will respond without undue delay, and in any case within one month.
You also have the right to lodge a complaint with the supervisory authority: Úřad pro ochranu osobních údajů (Office for Personal Data Protection), Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, www.uoou.cz.
9. Cookies
The site uses strictly necessary cookies (login sessions, language preference) and – only with your consent – analytics and marketing cookies. You manage consent through the cookie consent banner, which can be reopened and changed at any time.
10. Automated decision-making and profiling
We do not make decisions based solely on automated processing that would produce legal effects concerning you or similarly significantly affect you.
11. Children's data
The service is not directed at persons under the age of 16. If we discover that we have collected data from a person under 16 without parental consent, we will delete it without undue delay.
12. Changes to this policy
We may update this policy from time to time. The current version is always available at /en/privacy. The "last updated" date is shown at the bottom of this page.
13. Effective date
This policy is effective as of 1 May 2026.