PRIVACY POLICY

Created At: 2026-02-01

Last Updated: 2026-02-20

PRIVACY POLICY

Visionary Hub

Effective Date: February 19, 2026

Last Updated: February 19, 2026


TABLE OF CONTENTS

  1. Introduction and Data Controller Information
  2. Legal Basis for Processing
  3. Data We Collect
  4. Purposes of Processing
  5. Data Retention Periods
  6. Data Subjects' Rights
  7. Data Sharing and Sub-Processors
  8. International Data Transfers
  9. Cookies and Tracking Technologies
  10. Data Security Measures
  11. Data Breach Notification
  12. Children's Privacy
  13. Your Privacy Rights Under CCPA (California Residents Only)
  14. Proprietary Tools and Data Processing
  15. Content Moderation Data (Digital Services Act)
  16. Contact Information and Data Subject Rights Requests
  17. Cookie Management and Analytics
  18. Updates to This Privacy Policy
  19. Additional Important Information
  20. Frequently Asked Questions (FAQ)
  21. Conclusion

1. INTRODUCTION AND DATA CONTROLLER INFORMATION

This Privacy Policy ("Policy") explains how Visionary Studio s.r.o. ("Company," "we," "us," or "our") collects, uses, processes, stores, and protects your personal data in connection with the Visionary Hub platform and related services.

Data Controller Details:

  • Company Name: Visionary Studio s.r.o.
  • Identification Number (IČO): 21641862
  • Tax Identification Number (DIČ): CZ21641862
  • Registered Address: V Zahrádkách 742, 273 06 Libušín, Czech Republic
  • Court Registration: C 404416, Městský soud v Praze (Municipal Court in Prague)
  • Contact Email: [email protected]
  • Privacy Inquiries: [email protected]
  • Legal Inquiries: [email protected]
  • Security Reports: [email protected]
  • Supervisory Authority: ÚOOÚ (Úřad pro ochranu osobních údajů — Czech Data Protection Office)

We are committed to protecting your privacy and ensuring compliance with the General Data Protection Regulation (GDPR) (EU 2016/679), the Czech Personal Data Protection Act (zákon č. 110/2019 Sb.), and where applicable, the California Consumer Privacy Act (CCPA) for residents of California. This Policy applies to all users of the Visionary Hub platform, website, and related services.

Data Protection Contact Person

Visionary Studio s.r.o. has designated its Managing Director as the primary data protection contact. For all data protection matters, please contact [email protected]. While the Company is not required to appoint a Data Protection Officer (DPO) under Article 37 of the GDPR (given the nature and scale of our processing activities), we maintain the same level of commitment to data protection compliance.

Language

This Privacy Policy is published in English and may be translated into other languages for convenience. In the event of any conflict or inconsistency between the English version and any translated version, the English version shall prevail and be considered the authoritative text for all legal purposes.


2. LEGAL BASIS FOR PROCESSING

We process personal data based on one or more of the following legal grounds under Article 6 of the GDPR:

2.1 Legitimate Interest (Article 6(1)(f))

  • Analytics and platform optimization
  • Security and fraud prevention
  • Service delivery and maintenance
  • Marketing communications (with prior consent where required)

2.2 Contract Performance (Article 6(1)(b))

  • Creating and maintaining your account
  • Processing payments and subscriptions
  • Providing support and customer service
  • Fulfilling service obligations
  • Operating Proprietary Tools that you access or use

2.3 Legal Obligation (Article 6(1)(c))

  • Compliance with tax authorities
  • Response to lawful government requests
  • Prevention of fraud and illegal activities
  • Content moderation under the Digital Services Act (Regulation (EU) 2022/2065)

2.4 Consent (Article 6(1)(a))

  • Marketing emails and promotional communications
  • Optional analytics features beyond standard use
  • Cookie deployment beyond essential functionality

2.5 Vital Interests (Article 6(1)(d))

  • Protecting life, health, or safety of individuals (in emergency situations only)

3. DATA WE COLLECT

3.1 Account and Registration Data

  • Full Name: Used for account identification and communication
  • Email Address: Used for account access, communication, and notifications
  • Password Hash: Encrypted using bcrypt algorithm for secure authentication (we do NOT store plain-text passwords)
  • Account Settings: Preferences, timezone, language selection, profile information
  • Legal Basis: Contract performance and legitimate interest

3.2 Usage and Interaction Data

  • Pages Visited: Tracking your navigation through the platform
  • Features Used: Which tools and functionalities you access, including Proprietary Tools
  • Interaction Patterns: Clicks, forms submitted, time spent on sections
  • Device Information: Type of device (desktop, tablet, mobile)
  • Browser Information: Browser type, version, and operating system
  • Session Duration: How long you remain active on the platform
  • Legal Basis: Legitimate interest in service improvement and analytics

3.3 Payment and Billing Data

  • Payment Method Type: Category of payment (credit card, etc.) — NOT the actual card details
  • Transaction Amount: Price of services purchased
  • Transaction Date and Time: When payments occurred
  • Billing Address: For invoice and tax purposes
  • Invoice Records: Stored for financial and tax compliance
  • Legal Basis: Contract performance and legal obligation
  • Important Note: We do NOT collect, store, or have access to credit card numbers, CVV codes, or full payment credentials. Payment processing is handled exclusively by Stripe using PCI DSS-compliant infrastructure.

3.4 Technical and Connection Data

  • IP Address: Collected but ANONYMIZED through removal of the last octet (e.g., 192.168.1.x instead of 192.168.1.123) within 24 hours. Anonymized IPs are retained for up to 90 days for security purposes.
  • Unique Device Identifiers: Browser fingerprints for security
  • Connection Time and Duration: When you connect and for how long
  • Referrer Information: How you arrived at our platform
  • Cookie Data: See Section 9 for detailed cookie information
  • Legal Basis: Legitimate interest in security and analytics

3.5 Support and Communication Data

  • Support Tickets: Messages you send to our support team
  • Correspondence: Email exchanges, chat transcripts
  • Feedback and Surveys: Your responses to our satisfaction surveys
  • Legal Basis: Contract performance and legitimate interest

3.6 Automatically Collected Data

  • Log Files: Server logs capturing access patterns, errors, and security events
  • Aggregate Statistics: De-identified usage patterns and trends
  • System Information: Your system configuration for compatibility purposes
  • Legal Basis: Legitimate interest

3.7 Proprietary Tools Data

  • Input Data: Data you provide when using Proprietary Tools (calculators, generators, converters, and other micro-utilities)
  • Output Data: Results generated by Proprietary Tools based on your input
  • Usage Patterns: Which Proprietary Tools you use and how frequently
  • Legal Basis: Contract performance and legitimate interest
  • Important Note: Proprietary Tools process data in real-time to deliver results. Input data is not stored beyond the active session unless explicitly stated on the relevant tool page. No Proprietary Tool input data is used for AI training purposes.

3.8 Content Moderation Data

  • Reports and Notices: Data submitted through illegal content reporting mechanisms under the Digital Services Act
  • Moderation Decisions: Records of content moderation actions taken, including statements of reasons
  • Complaints: Data provided in internal complaint-handling and dispute resolution proceedings
  • Legal Basis: Legal obligation (Regulation (EU) 2022/2065)

4. PURPOSES OF PROCESSING

We process your personal data for the following purposes:

  1. Account Creation and Management: Creating your account, managing credentials, and maintaining your user profile
  2. Service Delivery: Providing access to Visionary Hub features, functionality, and Proprietary Tools
  3. Payment Processing: Processing subscriptions, invoicing, and financial transactions
  4. Communication: Responding to inquiries, sending transactional emails, account notifications
  5. Analytics and Improvement: Understanding user behavior, optimizing performance, improving features
  6. Security and Fraud Prevention: Detecting unauthorized access, preventing abuse, protecting against cyber threats
  7. Legal Compliance: Meeting tax obligations, responding to legal requests, maintaining compliance records
  8. Marketing: Sending promotional content, newsletters, and service updates (only with consent where required)
  9. Technical Support: Resolving technical issues, troubleshooting problems, providing guidance
  10. Data Analysis: Generating anonymized insights, identifying trends, conducting research
  11. Content Moderation: Processing illegal content reports, maintaining platform integrity, and fulfilling Digital Services Act obligations
  12. Proprietary Tools Operation: Processing input data to deliver tool results, improving tool performance through anonymized analytics

5. DATA RETENTION PERIODS

5.1 Active Account Data

  • Duration: For the entire duration your account remains active
  • Upon Deletion: See Section 5.2

5.2 Account Deletion and Data Retention

  • Deletion Timeline: Your account and associated personal data will be permanently deleted within 30 days of requesting deletion
  • Archive Period: During the 30-day period, your data is marked for deletion but retained for verification and rollback purposes
  • Exceptions to Deletion: See Section 5.3

5.3 Data Retained Beyond Account Deletion

The following data categories are retained beyond account deletion due to legal or operational requirements:

  • Transaction Records: Retained for 10 years per Czech accounting laws (zákon č. 563/1991 Sb., o účetnictví) and EU tax requirements
  • Anonymized Analytics: Retained indefinitely (cannot be linked to you personally)
  • Legal Holds: If required by law, litigation, or government request, data may be retained longer
  • Backup Archives: Automated backups may retain data for up to 90 days after deletion (technical limitation)
  • Fraud Prevention Data: Retained for 1 year for security purposes in anonymized form
  • Content Moderation Records: Retained for the duration required by the Digital Services Act (minimum until any pending complaints or disputes are resolved)

5.4 Specific Retention Periods by Data Category

Data Category Retention Period Basis
Account Credentials Active account + 30 days after deletion Contract/Legal
Payment Records 10 years Tax/Legal Obligation (Czech Accounting Act)
Technical Logs 90 days Security/Legitimate Interest
IP Addresses (anonymized) 90 days Security
Support Tickets 2 years Contract/Support
Marketing Consent Records Until withdrawal or 3 years Consent/Legal
Cookies 12 months (where applicable) Consent/Functionality
Backup Data 90 days after creation Technical necessity
Proprietary Tools Input Session only (not stored) Contract
Content Moderation Records 3 years Legal Obligation (DSA)

6. DATA SUBJECTS' RIGHTS

You have the following rights regarding your personal data, which you can exercise by contacting us at [email protected]. We will respond to all requests within 30 days (extendable by 60 days for complex requests under Article 12 of the GDPR).

6.1 Right of Access (Article 15)

  • What It Means: You have the right to request what personal data we hold about you
  • How to Exercise: Submit a written request to [email protected]
  • Our Response: We will provide a copy of your data in a structured, commonly-used, machine-readable format (portable form)
  • Timeline: Within 30 days of request
  • Cost: Free of charge (unless requests are manifestly unfounded or excessive)

6.2 Right to Rectification (Article 16)

  • What It Means: You may correct inaccurate or incomplete data
  • How to Exercise: Log into your account and update profile information directly, or submit a correction request to [email protected]
  • Our Action: We will update your data promptly or inform you of our reasons for refusal
  • Timeline: Within 30 days of request
  • Impact: Rectified data takes effect immediately

6.3 Right to Erasure ("Right to be Forgotten") (Article 17)

  • What It Means: You may request deletion of your personal data in certain circumstances
  • Grounds for Erasure:
    • Data is no longer necessary for the purposes collected
    • You withdraw consent upon which processing is based
    • You object to processing and no compelling reason overrides it
    • Data was processed unlawfully
    • Legal obligation requires erasure
  • How to Exercise: Submit a deletion request via email to [email protected] or use the account deletion feature in your account settings
  • Timeline: Deletion will be completed within 30 days
  • Exceptions: We may retain data if required by law, taxation, or legal compliance obligations (see Section 5.3)
  • Notification: All data processors and sub-processors will be notified of deletion requests

6.4 Right to Restrict Processing (Article 18)

  • What It Means: You may request that we limit how we use your data while we verify accuracy or investigate complaints
  • Grounds for Restriction:
    • You contest the accuracy of data (processing restricted pending verification)
    • Processing is unlawful but you prefer restriction over deletion
    • We no longer need the data, but you need it for legal claims
    • You object to processing pending verification of legitimate interests
  • How to Exercise: Email [email protected] with "Restrict Processing" in the subject line
  • Our Action: Once restricted, data is only processed with your consent or for legal claims
  • Timeline: Within 30 days

6.5 Right to Data Portability (Article 20)

  • What It Means: You may request your data in a structured, commonly-used, machine-readable format to transfer to another service
  • Data Included: Account data, usage history, settings, transaction records
  • How to Exercise: Submit a portability request to [email protected]
  • Format: We will provide data in CSV, JSON, or XML format as requested
  • Timeline: Within 30 days
  • Cost: Free of charge
  • Direct Transfer: Where technically feasible, we will transmit data directly to another service provider

6.6 Right to Object (Article 21)

  • What It Means: You may object to processing based on legitimate interest or for direct marketing
  • Marketing Objection: You can opt-out of all marketing communications by clicking the unsubscribe link in emails or contacting us at [email protected]
  • Other Processing: You may object to other processing; we will cease unless we have compelling legitimate grounds
  • How to Exercise: Email [email protected] with "Object to Processing" in the subject line
  • Timeline: Implemented immediately for marketing; 30 days for other processing
  • Effect: Once objected to, we will not use your data for that purpose unless we can demonstrate overriding legal grounds

6.7 Rights Related to Automated Decision-Making and Profiling (Article 22)

  • Our Policy: We do NOT use automated decision-making or profiling for any significant decisions affecting you
  • Definition: Automated decision-making is decision-making based solely on automated processing without human review
  • Your Right: You have the right to request human review of any automated decision
  • Contact: If you believe you are subject to automated decision-making, contact [email protected] immediately

6.8 Right to Withdraw Consent (Article 7)

  • What It Means: If you provided consent for processing, you may withdraw it at any time
  • Effect: Withdrawal does not affect processing before withdrawal
  • How to Exercise: Email [email protected] or use account settings to manage consent preferences
  • Timeline: Implemented immediately

6.9 Right to Lodge a Complaint

  • If Unsatisfied: You have the right to lodge a complaint with the supervisory authority
  • Authority: ÚOOÚ (Czech Data Protection Office)
  • Website: https://www.uoou.cz
  • Email: [email protected]
  • Address: Poupětova 1, 130 00 Praha 3, Czech Republic
  • Alternative: You may also file complaints with data protection authorities in the EU member state of your residence or place of work

7. DATA SHARING AND SUB-PROCESSORS

7.1 Third Parties We Work With

We share your personal data with the following data processors and sub-processors only to the extent necessary to provide services:

7.1.1 Stripe (Payment Processing)

  • Purpose: Processing payments, subscriptions, and invoicing
  • Data Shared: Name, email, billing address, transaction amount, transaction date
  • Data NOT Shared: Credit card numbers, CVV codes (Stripe handles these exclusively)
  • Location: USA (with EU data processing capabilities)
  • Data Protection: Transfers are governed by EU Standard Contractual Clauses (SCCs) and supplementary measures in accordance with the requirements following the CJEU's Schrems II decision
  • Website: https://stripe.com/privacy

7.1.2 Google Cloud (Hosting and Infrastructure)

  • Purpose: Hosting our platform, storing data, providing cloud infrastructure
  • Data Shared: All personal data (encrypted)
  • Location: EU Region (Frankfurt, Ireland, or Belgium)
  • Data Protection: Data remains within EU; Google Cloud implements SCCs and additional safeguards including encryption at rest and in transit
  • Website: https://cloud.google.com/privacy

7.1.3 Plausible Analytics (Analytics and Insights)

  • Purpose: Understanding user behavior, platform analytics, performance optimization
  • Data Shared: Anonymized IP address, page views, device type, browser information
  • Privacy Features: Privacy-first analytics with NO cookies, NO tracking pixels, NO data selling
  • Location: EU (Estonia/Finland)
  • Data Protection: Data remains in EU; Plausible does not track individuals across sites; fully GDPR-compliant without requiring user consent
  • Website: https://plausible.io/privacy

7.1.4 Google Workspace (Email and Collaboration)

  • Purpose: Internal email communication, document storage, team collaboration
  • Data Shared: Communication data only when you contact us; internal communications
  • Location: USA (with EU data processing capabilities)
  • Data Protection: Transfers are governed by EU Standard Contractual Clauses (SCCs) and supplementary measures
  • Website: https://workspace.google.com/privacy

7.2 Legal Requirements and Government Requests

We may disclose personal data if required by law, court order, or government request. We will:

  • Notify you of such requests when legally permitted
  • Challenge overly broad requests
  • Provide only the minimum data necessary
  • Maintain confidentiality of classified government requests

7.3 Business Transfers

If Visionary Studio s.r.o. is acquired, merges, or sells assets, your data may be transferred as part of that transaction. We will provide notice and opportunity to opt-out before such transfer. Any successor or acquirer will be bound by the obligations of this Privacy Policy.

7.4 Data Recipients Within the EU/EEA

Any data shared with recipients within the EU/EEA benefits from the GDPR's protective framework.

7.5 No Sale of Personal Data

Visionary Studio s.r.o. does NOT sell, rent, or trade personal data to third parties for profit, advertising, or marketing purposes.


8. INTERNATIONAL DATA TRANSFERS

8.1 Transfer Mechanisms

We process data through processors located outside the EU/EEA (specifically USA-based Stripe and Google Workspace). These transfers are protected by:

  1. European Commission Adequacy Decisions: We rely on current adequacy decisions where applicable, including the EU-US Data Privacy Framework where relevant
  2. Standard Contractual Clauses (SCCs): Stripe and Google Workspace have signed SCCs ensuring GDPR-equivalent protections in accordance with the European Commission's implementing decisions
  3. Supplementary Measures: Additional technical and organizational measures (encryption, access controls, audit rights) as required by the CJEU's Schrems II decision (C-311/18)

8.2 Additional Safeguards

  • All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access to data is restricted to authorized personnel only
  • Data processors must implement equivalent security measures
  • Regular audits verify compliance with contractual obligations

8.3 Your Rights Regarding International Transfers

You have the right to request information about the safeguards we maintain for international transfers. You may also obtain a copy of the SCCs governing such transfers. Contact [email protected] for details.


9. COOKIES AND TRACKING TECHNOLOGIES

9.1 Our Cookie Policy

Visionary Hub uses a privacy-first, cookieless approach through Plausible Analytics, which means:

  • NO tracking cookies: We do not deploy cookies for user tracking or profiling
  • NO third-party cookies: No ad networks or marketing partners place cookies
  • NO data selling: Your data is never sold to advertisers

9.2 Essential Cookies (If Any)

If functional cookies are required for basic site operation (session management, authentication, security), they are:

  • Essential for service delivery
  • Not used for tracking or profiling
  • Covered under legitimate interest (no consent required under the EU ePrivacy Directive 2002/58/EC for strictly necessary cookies)
  • Subject to our separate Cookie Policy, which provides detailed information about each cookie used

9.3 Performance and Analytics

  • Tool: Plausible Analytics
  • Data Collected: Anonymized page views, device type, browser info
  • Processing: No individual user tracking; only aggregate statistics
  • Retention: Typically 90 days
  • Opt-Out: Not applicable (no cookies involved; no personal data tracked)

9.4 Third-Party Cookies

Third-party cookies from analytics or advertising networks are NOT deployed on Visionary Hub.

9.5 Cookie Policy Reference

For detailed information about cookies used on our platform, including any future changes to our cookie practices, please refer to our separate Cookie Policy, which is available on our website and incorporated by reference into this Privacy Policy. In accordance with the EU ePrivacy Directive (2002/58/EC), we will obtain your consent before placing non-essential cookies or similar technologies on your device.

9.6 Browser Cookie Settings

You can control cookies through your browser settings:

  • Chrome, Firefox, Safari, Edge: Privacy Settings → Cookies and Site Data → Manage
  • To disable cookies globally or per site

10. DATA SECURITY MEASURES

We implement comprehensive security measures to protect personal data from unauthorized access, alteration, disclosure, or destruction:

10.1 Encryption

  • In Transit: TLS 1.3 encryption for all data in motion
  • At Rest: AES-256 encryption for sensitive data stored on servers
  • Password Storage: Bcrypt hashing algorithm with salting for all passwords (we never store plain-text passwords)

10.2 Access Controls

  • Role-Based Access Control (RBAC): Only authorized employees access personal data
  • Principle of Least Privilege: Users access only data necessary for their role
  • Access Logging: All data access is logged and monitored
  • Multi-Factor Authentication (MFA): Enabled for all employee accounts accessing systems

10.3 Network Security

  • Firewalls: Advanced firewalls protect against unauthorized access
  • DDoS Protection: Protection against distributed denial-of-service attacks
  • Intrusion Detection: Monitoring systems alert to suspicious activity
  • Regular Security Testing: Third-party security testing identifies vulnerabilities

10.4 Data Center Security

  • Physical Security: Controlled access, surveillance, security personnel
  • Redundancy: Automated backups in multiple locations
  • Disaster Recovery: Procedures for rapid data restoration
  • Compliance: Google Cloud data centers meet ISO 27001, SOC 2 standards

10.5 Incident Response

  • Detection: Continuous monitoring for security incidents
  • Response Plan: Documented procedures for incident response
  • Forensics: Incident investigation and analysis
  • Remediation: Immediate steps to contain and resolve incidents

10.6 Employee Security

  • Training: Regular data protection and security training
  • Confidentiality Agreements: All personnel with access to personal data sign confidentiality agreements
  • Access Restrictions: Employment termination immediately revokes system access

10.7 Vendor Management

  • Due Diligence: Security assessment before engaging vendors
  • Contracts: Data Processing Agreements (DPAs) complying with Article 28 of the GDPR require security commitments
  • Audits: Regular audits verify vendor compliance
  • Incident Clauses: Vendors must report security incidents without undue delay

10.8 Limitations

While we maintain rigorous security, no system is 100% secure. We cannot guarantee absolute protection against all threats.


11. DATA BREACH NOTIFICATION

11.1 Our Notification Obligations

In the event of a personal data breach, we will:

  1. Notify the Supervisory Authority (ÚOOÚ): Within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons), in accordance with Article 33 of the GDPR
  2. Notify Affected Individuals: Without undue delay if the breach is likely to result in a high risk to rights and freedoms (Article 34, GDPR)

11.2 Breach Definition

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (as defined in Article 4(12) of the GDPR).

11.3 Notification Content

Our notification will include:

  • The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the data protection contact ([email protected])
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects
  • Recommended steps individuals should take to protect themselves

11.4 Exceptions to Notification

We may not be required to notify individuals directly if:

  • We have implemented appropriate technical and organizational protection measures rendering data unintelligible (e.g., encryption)
  • Subsequent measures have been taken ensuring the high risk to rights and freedoms is no longer likely to materialize
  • Notification would involve disproportionate effort (in which case a public communication or similar measure will be used instead)

11.5 Your Reporting Rights

If you discover a security incident or vulnerability, contact us immediately at [email protected]. We take all security reports seriously and will investigate promptly.


12. CHILDREN'S PRIVACY

12.1 Age Restriction

Visionary Hub is not intended for individuals under 18 years of age. We do NOT knowingly collect personal data from children or minors under 18.

12.2 Verification

If we become aware that data has been collected from someone under 18 without appropriate authorization, we will:

  • Delete the data promptly
  • Notify the individual and/or parent/guardian where possible
  • Terminate the associated account

12.3 GDPR Article 8 Compliance

In the EU, Member States may set the age for consent to information society services between 13 and 16 years. Regardless, our Terms of Service require all users to be at least 18 years of age or the age of majority in their jurisdiction, whichever is greater.


13. YOUR PRIVACY RIGHTS UNDER CCPA (CALIFORNIA RESIDENTS ONLY)

If you are a resident of California, you have additional rights under the California Consumer Privacy Act (CCPA). As Visionary Studio s.r.o. is a Czech company, these rights are provided as a courtesy to California residents where applicable.

13.1 Right to Know

  • What It Means: You have the right to know what personal information we collect, use, and disclose
  • How to Exercise: Submit a request to [email protected] with "CCPA Data Request" in the subject line
  • Our Response: Within 45 days (extendable by 45 days)
  • Information Provided: Categories and specific pieces of personal information collected, sources, purposes, and recipients

13.2 Right to Delete

  • What It Means: You may request deletion of personal information collected from you
  • How to Exercise: Email [email protected] with "CCPA Deletion Request" in the subject line
  • Our Response: Within 45 days (or 90 days for complex requests)
  • Exceptions: We may retain data if required by law or for specific CCPA-permitted purposes

13.3 Right to Opt-Out

  • What It Means: You may opt-out of the "sale" or "sharing" of your personal information (if applicable)
  • Note: Visionary Hub does NOT sell personal information to third parties for profit
  • Marketing Opt-Out: Unsubscribe from marketing emails via the link in any marketing communication

13.4 Right to Correct

  • What It Means: You may correct inaccurate personal information
  • How to Exercise: Log into your account and update information, or email [email protected]

13.5 Right Against Discrimination

  • Our Commitment: We will NOT discriminate against you for exercising CCPA rights
  • Examples: We will not deny services, charge different prices, or retaliate for exercising rights

13.6 Verification

When you submit a CCPA request, we will verify your identity before responding. Verification may require:

  • Confirmation of email address associated with your account
  • Matching account information on file
  • Additional verification steps as reasonably necessary

14. PROPRIETARY TOOLS AND DATA PROCESSING

14.1 Proprietary Tools Overview

Visionary Hub may develop, operate, and offer its own interactive utilities and micro-applications ("Proprietary Tools"), as described in Section 3.3 of our Terms of Service. This section explains how we process personal data in connection with Proprietary Tools.

14.2 Data Processing Principles

When you use Proprietary Tools:

  • Input Data is processed in real-time to deliver results and is not stored beyond the active session unless explicitly stated on the relevant tool page
  • Output Data (results) is generated for your use and is not stored by us unless you choose to save it to your account
  • No AI Training: Input and output data from Proprietary Tools is NOT used to train artificial intelligence models
  • No Third-Party Sharing: Proprietary Tools data is NOT shared with third parties except as necessary for the tool's core functionality (e.g., if a tool integrates with a third-party API, which will be disclosed on the tool page)

14.3 Legal Basis

Processing of data through Proprietary Tools is based on contract performance (Article 6(1)(b) GDPR) — you request the tool's function, and we process your data to deliver the result.

14.4 Supplementary Terms

Specific Proprietary Tools may have supplementary privacy notices published on their respective tool pages. Such supplementary notices are incorporated by reference into this Privacy Policy and will specify any deviations from the default processing described above.


15. CONTENT MODERATION DATA (DIGITAL SERVICES ACT)

15.1 DSA Data Processing

In compliance with Regulation (EU) 2022/2065 (the Digital Services Act), we process certain personal data for content moderation purposes, including:

  • Data contained in illegal content reports submitted under our reporting mechanisms
  • Data relating to content moderation decisions and statements of reasons
  • Data submitted through our internal complaint-handling system
  • Correspondence related to out-of-court dispute settlement

15.2 Legal Basis and Retention

  • Legal Basis: Legal obligation (Article 6(1)(c) GDPR, in conjunction with Regulation (EU) 2022/2065)
  • Retention: Content moderation records are retained for the minimum period required to fulfill DSA obligations, including any pending complaints, appeals, or dispute resolution proceedings, and in any event no longer than 3 years from the date of the decision
  • Transparency: Anonymized, aggregated content moderation data is included in our annual DSA transparency reports

15.3 Your Rights

Your data subject rights under Section 6 of this Privacy Policy apply fully to content moderation data. In addition, under the DSA, you have the right to receive a statement of reasons for any content moderation decision affecting you and to access internal complaint-handling and out-of-court dispute settlement mechanisms as described in Section 14 of our Terms of Service.


16. CONTACT INFORMATION AND DATA SUBJECT RIGHTS REQUESTS

16.1 Primary Contact for Privacy Matters

Visionary Studio s.r.o.

Mailing Address: V Zahrádkách 742, 273 06 Libušín, Czech Republic

Data Box (Datová schránka): sbskxn7

16.2 Request Submission

To exercise any rights outlined in this Policy, submit a request including:

  • Your name and email address
  • Clear description of the right you wish to exercise
  • Supporting documentation (if applicable)
  • Proof of identity (for verification)

16.3 Request Processing Timeline

  • Acknowledgment: Within 7 calendar days of receipt
  • Full Response: Within 30 days of receipt (extendable by 60 days for complex requests under Article 12 GDPR)
  • No Response Fee: All requests are free of charge (unless manifestly unfounded or excessive, in which case a reasonable administrative fee may be charged)

16.4 Supervisory Authority Contact

For complaints about our privacy practices, contact:


17. COOKIE MANAGEMENT AND ANALYTICS

17.1 Analytics Provider Information

  • Provider: Plausible Analytics
  • Type: Server-side, cookieless analytics
  • Data Collected: Anonymized page views, referrer, device type, browser
  • Retention: 90 days (default, configurable)
  • Privacy Features: No individual tracking, no data selling, GDPR-compliant without consent requirement
  • Website: https://plausible.io/privacy

17.2 Cookie Preferences

Since we use cookieless analytics, no cookie preferences need to be configured for analytics purposes. If we introduce any non-essential cookies in the future, we will update our Cookie Policy and implement a consent mechanism in accordance with the EU ePrivacy Directive (2002/58/EC).


18. UPDATES TO THIS PRIVACY POLICY

18.1 Changes and Notifications

We may update this Privacy Policy to reflect legal changes, new technologies, or operational changes. Material changes will be:

  • Posted on our website
  • Notified via email to registered users
  • Effective 30 days after notice (or as legally required)

18.2 Your Acceptance

By continuing to use Visionary Hub after policy updates, you accept the updated terms. If you disagree, you may request data deletion and account closure.

18.3 Version History

Version Date Changes
1.0 February 1, 2026 Initial Release
2.0 February 19, 2026 Replaced all personal email addresses with professional @visionaryhub.ai domain emails; added Data Box, registered capital, and Data Protection Contact Person; added Proprietary Tools data processing section (§14); added Content Moderation / DSA data processing section (§15); added language clause; updated age restriction to 18 years (consistent with Terms of Service); corrected international transfer mechanisms (removed invalidated Privacy Shield reference, added Schrems II compliance); updated payment record retention to 10 years (Czech Accounting Act); removed inappropriate SSN verification from CCPA section; added explicit no-sale-of-data provision; updated Data Breach Notification section with GDPR Article 4(12) definition; added Cookie Policy cross-reference; added business transfer successor obligations; streamlined CCPA section for Czech company context

19. ADDITIONAL IMPORTANT INFORMATION

19.1 Data Minimization

We collect only data necessary for stated purposes and avoid excessive data collection (Article 5(1)(c), GDPR).

19.2 Purpose Limitation

We use data only for purposes specified in this Policy and in compliance with Article 5(1)(b) of the GDPR.

19.3 Storage Limitation

We delete data according to retention schedules outlined in Section 5 (Article 5(1)(e), GDPR).

19.4 Integrity and Confidentiality

We maintain confidentiality and integrity through security measures outlined in Section 10 (Article 32, GDPR).

19.5 Right to Erasure Limitations

As per Article 17(3), GDPR, we may not be able to comply with erasure requests if data is necessary for:

  • Exercising freedom of expression and information
  • Fulfilling legal obligations
  • Performing public interest tasks
  • Establishing, exercising, or defending legal claims

19.6 Right to Restrict Processing

When you exercise your right to restrict processing, we will still store data but cease active processing except as noted in Article 18(2), GDPR.

19.7 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by Article 35, GDPR.

19.8 Data Processing Agreements

Our data processors have signed Data Processing Agreements (DPAs) complying with Article 28, GDPR, ensuring they process data only on our instructions and maintain appropriate security measures.


20. FREQUENTLY ASKED QUESTIONS (FAQ)

Q1: How long do you keep my data?

A: We keep your data as long as your account is active. After deletion, we permanently remove your data within 30 days, except for transaction records (retained 10 years for tax compliance under Czech law) and anonymized analytics (retained indefinitely).

Q2: Will you sell my data?

A: No. We never sell, rent, or trade personal data to third parties. We only share data with processors necessary to provide services (Stripe, Google Cloud, Plausible, Google Workspace).

Q3: Do you use cookies?

A: We use privacy-first, cookieless analytics through Plausible Analytics. We do not deploy tracking cookies or third-party cookies. Essential cookies (e.g., for session management) may be used as described in our Cookie Policy.

Q4: How can I delete my account?

A: You can delete your account through account settings, or email [email protected] with "Account Deletion Request." Your data will be deleted within 30 days.

Q5: Is my payment information secure?

A: Yes. We do not store credit card numbers. Stripe handles all payment processing using PCI DSS-compliant, encrypted infrastructure.

Q6: How do I exercise my data rights?

A: Email [email protected] with your request. Specify which right (access, correction, deletion, etc.) and include identification. We will respond within 30 days.

Q7: Who can I contact for privacy concerns?

A: Contact [email protected] or the Czech Data Protection Office (ÚOOÚ) at [email protected].

Q8: How do you protect against data breaches?

A: We use AES-256 encryption, TLS 1.3, bcrypt password hashing, firewalls, MFA, access controls, and continuous monitoring. In the event of a breach, we notify the ÚOOÚ within 72 hours and affected individuals without undue delay.

Q9: Do you comply with GDPR?

A: Yes. This Policy fully implements GDPR requirements. We are subject to oversight by the Czech Data Protection Office (ÚOOÚ).

Q10: What is the age requirement?

A: Visionary Hub requires all users to be at least 18 years of age or the age of majority in their jurisdiction, whichever is greater.

Q11: What happens to my data when I use Proprietary Tools?

A: Input data is processed in real-time and is not stored beyond the active session. Output data is generated for your use. Neither is used for AI training or shared with third parties.


21. CONCLUSION

At Visionary Studio s.r.o., we are committed to protecting your privacy and maintaining the highest standards of data protection in compliance with the GDPR, Czech data protection law, and the Digital Services Act. This Privacy Policy provides complete transparency about how we collect, use, store, and protect your data.

If you have questions or concerns about this Policy or our privacy practices, please contact us at [email protected].


DOCUMENT INFORMATION

Document Title: Privacy Policy — Visionary Hub

Effective Date: February 19, 2026

Version: 2.0

Language: English (authoritative version)

Jurisdiction: Czech Republic (Primary), European Union

Company: Visionary Studio s.r.o.

IČO: 21641862

Court Registration: C 404416, Městský soud v Praze

Next Review Date: February 19, 2027


Appendix A: Data Processing Activity Matrix

Processing Activity Legal Basis Data Category Processor Retention Retention Basis
Account Management Contract Account Data Google Cloud Active + 30 days Contract
Authentication Contract Credentials Google Cloud Active + 30 days Contract
Payment Processing Contract Payment Data Stripe 10 years Legal/Tax (Czech Accounting Act)
Analytics Legitimate Interest Usage Data, Technical Data Plausible 90 days Analytics necessity
Communications Contract/Consent Support Data Google Workspace 2 years Support necessity
Security Monitoring Legitimate Interest Technical Data, Logs Google Cloud 90 days Security
Invoicing Legal Obligation Payment, Address Data Google Cloud 10 years Tax requirement (Czech Accounting Act)
Marketing Consent Email, Preferences Google Workspace 3 years or withdrawal Consent/Legal
Proprietary Tools Contract Input/Output Data Google Cloud Session only Contract
Content Moderation Legal Obligation (DSA) Reports, Decisions Google Cloud 3 years DSA Compliance

END OF PRIVACY POLICY

This document is part of the binding agreement between users and Visionary Studio s.r.o. together with the Terms of Service, Cookie Policy, Acceptable Use Policy, Intellectual Property Notice, and Content Disclaimer.