Privacy Policy

Portal Stav s.r.o. is the data controller for personal data processed through ConstruMate.

IČO: 11677694

Kaprova 42/14, Praha 1, Czech Republic

Email: portal-stav@seznam.cz

Account data: full name, email address, company name, and hashed password.

Business data: client names, phone numbers, project addresses, and estimate details you enter while using the Service.

Usage data: pages visited, features used, device type, browser, and IP address (used for security and analytics).

Payment data: billing address and last 4 digits of payment card. Full card details are handled exclusively by Stripe, Inc., and are never stored on our servers.

Communications: messages and attachments you send to our support team.

To provide and operate the Service, including generating estimates, proposals, and labor schedules.

To process payments and manage your subscription.

To send transactional notifications (estimate delivery, portal access, invoice reminders).

To send important service updates and security notices (you cannot opt out of these).

To analyze aggregated, anonymized usage patterns to improve the Service.

To comply with legal and regulatory obligations.

Contract performance (Art. 6(1)(b) GDPR): processing necessary to deliver the Service you subscribed to.

Legal obligation (Art. 6(1)(c) GDPR): processing required to comply with applicable law, including tax and accounting obligations.

Legitimate interests (Art. 6(1)(f) GDPR): security monitoring, fraud prevention, and product improvement, where our interests are not overridden by your rights.

Consent (Art. 6(1)(a) GDPR): where you have explicitly opted in, for example for marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Supabase (Supabase Inc. / Amazon Web Services): database hosting and file storage. Data may be stored in EU regions.

Stripe (Stripe, Inc., USA): payment processing. Governed by Stripe's Privacy Policy. Stripe is certified under EU-U.S. Data Privacy Framework.

Resend (Resend Inc.): transactional email delivery.

Vercel (Vercel Inc., USA): application hosting and serverless infrastructure. Data transfers are protected by Standard Contractual Clauses.

We do not sell, rent, or otherwise share your personal data with third parties for their own marketing purposes.

Account data and associated business data are retained for the duration of your subscription and for 90 days after account closure, after which they are permanently deleted.

You may request immediate deletion of your data at any time (see Your Rights below).

Anonymized, aggregated analytics data may be retained indefinitely.

We retain financial transaction records as required by Czech accounting law (generally 5 years).

Right of access: request a copy of all personal data we hold about you.

Right to rectification: request correction of inaccurate or incomplete data.

Right to erasure ("right to be forgotten"): request deletion of your personal data where there is no overriding legal basis for retention.

Right to restriction of processing: request that we temporarily or permanently limit how we use your data.

Right to data portability: receive your data in a structured, machine-readable format (JSON/CSV).

Right to object: object to processing based on our legitimate interests.

Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without penalty.

To exercise any of these rights, email privacy@construmate.app. We will respond within 30 days.

You have the right to lodge a complaint with the Czech Data Protection Authority (Úřad pro ochranu osobních údajů — ÚOOÚ, uoou.cz) if you believe we have breached your rights.

We implement industry-standard technical and organisational measures: TLS encryption in transit, encryption at rest, strict access controls, and regular security reviews.

In the event of a data breach that affects your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.

We use essential session cookies required for authentication and secure access to the Service.

We do not use third-party advertising or tracking cookies.

We may use anonymized analytics cookies to understand feature usage and improve the Service. You may disable these in your browser without loss of functionality.

Some of our processors (Stripe, Vercel, Resend) may transfer data outside the European Economic Area. All such transfers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent GDPR-compliant mechanisms.

We may update this Privacy Policy periodically. Material changes will be communicated by email or in-app notice before the effective date. The current version is always available at /privacy.

Portal Stav s.r.o.

Email: portal-stav@seznam.cz