Privacy Policy
Last updated: 6th April 2026
1. Introduction
Welcome to Illumate UI, operated by Patrik Duch s.r.o. ("Company", "we," "our," or "us"). We take your privacy seriously. This Privacy Policy explains what data we collect, how we use it, and how we keep it safe.
By using Illumate UI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.
Patrik Duch s.r.o. is the data controller for the purposes of applicable data protection laws.
2. Information We Collect
2.1 Information You Provide
- Account Information: Email address, name, and password when you create an account
- Profile Information: Company name, website URL, and preferences
- Payment Information: Billing details and payment information processed by third-party payment processors (such as Stripe, Inc.). We do not store full payment card details
- Communication Data: Information you provide when contacting us for support
- Feedback: Reviews, comments, and suggestions you submit
2.2 Information Collected Automatically
- Usage Data: Features used and interactions with the Service
- Device Information: Browser type, operating system, and basic device characteristics
- Log Data: IP address, access times, pages viewed, and referring URLs
- Cookies: Essential cookies and authentication tokens used to maintain sessions and ensure security
2.3 Device Identification and Security
To protect user accounts and ensure the security of the Service, we use limited device identification techniques. These techniques help us detect suspicious activity and prevent unauthorized access.
- Data processed and stored: User-Agent string, IP address, device type, and a parsed representation of browser and OS information for security and session management purposes. This information may be associated with your user account and session activity for security purposes.
- Purpose: Account security, fraud prevention, session protection, and detection of suspicious activity
- Storage: A SHA-256 hash is generated for device matching purposes. In addition, the User-Agent string and parsed device metadata (such as browser family, operating system, and device type) are stored alongside the session record for security monitoring and incident investigation.
- Retention: Session-related device data is retained for the duration of the active session and up to 90 days thereafter for security review, after which it is automatically deleted or anonymized.
We do not use device identification techniques for tracking users across websites, advertising, profiling, or marketing purposes.
We do not employ invasive fingerprinting methods such as canvas fingerprinting, WebGL rendering, audio context analysis, or font enumeration. Our approach is limited, proportionate, and focused exclusively on protecting the security and integrity of user accounts.
Legal basis: Article 6(1)(f) GDPR — legitimate interest in ensuring account security, preventing fraud, and protecting the Service from abuse.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Provide, maintain, and improve the Service
- Process payments via third-party payment providers and send related transactional information
- Create and manage your account
- Send you technical notices, updates, and support messages
- Respond to your comments, questions, and customer service requests
- Detect, prevent, and address technical issues, security threats, and misuse of the Service, including monitoring and retaining relevant activity logs where necessary
- Enforce our Terms of Service and protect our legal rights
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data based on the following legal bases:
- Contract Performance: To provide the Service you requested
- Legitimate Interests: To improve our Service, prevent fraud, and ensure security
- Consent: For marketing communications (which you can withdraw at any time)
- Legal Obligation: To comply with applicable laws
5. Information Sharing and Disclosure
We may share your personal information in the following circumstances:
- Service Providers: With third parties who perform services on our behalf (hosting, payment processing)
- AI Processing Providers: With trusted third-party AI providers for AI-assisted features operating on content provided by the user, which is typically publicly available, as described in Section 13
- Legal Requirements: If required by law, regulation, legal process, or governmental request
- Protection of Rights: To protect the rights, property, or safety of Illumate UI, our users, or others
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- With Your Consent: When you have given us explicit permission
We do not sell your personal information to third parties.
6. Cookies and Tracking Technologies
We use the following types of cookies:
- Essential Cookies: Required for the Service to function (authentication, security)
- Functional Cookies: Remember your preferences and settings
These cookies are used based on our legitimate interest in ensuring the proper functioning and security of the Service.
We only use essential and functional cookies required for the Service to work. We do not use tracking or advertising cookies. You can control cookies through your browser settings, but doing so may affect the functionality of the Service. For more details, please see our Cookie Policy.
7. Data Security
We implement appropriate technical and organizational security measures to protect your personal information, including:
- Encryption of data in transit (HTTPS/TLS)
- Secure password hashing
- Regular security assessments
- Access controls and authentication
However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.
8. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. After account deletion, we may retain certain data for up to 90 days for backup, security, and incident investigation purposes. After this period, data is either deleted or irreversibly anonymized and may be retained indefinitely for analytics. We may also retain data as required by law or to protect our legitimate interests in security and fraud prevention.
Application and infrastructure logs are retained for a limited period necessary to ensure system security, reliability, and performance.
Security audit logs may be retained for up to 3 years to protect our legitimate security interests and comply with applicable regulations.
Session security data (User-Agent, IP address, device metadata): Retained for the duration of active sessions and up to 90 days after session expiry; automatically purged thereafter.
9. Your Rights
Depending on your location, you may have the following rights:
GDPR Rights (EEA Residents)
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent at any time
CCPA Rights (California Residents)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of the sale of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights
To exercise any of these rights, please contact us at privacy@illumateui.app. We will respond within 30 days.
10. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws. We rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) for international data transfers to ensure your data remains protected.
11. Children's Privacy
The Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. If we discover that a child under 16 has provided us with personal information, we will delete it promptly.
12. Third-Party Links and Services
The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review their privacy policies.
13. AI Processing
We may process certain content you create within the Service using AI models to enhance your experience. AI-assisted features are available depending on your current subscription plan.
AI-assisted features process publicly available content based on user-selected inputs, such as specific elements or sections of publicly accessible websites. This content is generally publicly accessible and should not include sensitive personal data.
However, users are responsible for how they use the Service and must ensure that they do not use it to process content that contains personal data or other information they are not authorized to use.
AI-generated outputs may not always be accurate or complete and should not be solely relied upon. Use of AI-generated outputs is at your own risk. The Company shall not be liable for any decisions or actions taken based on such outputs. Processing may be performed by trusted third-party AI providers, including OpenAI, for the purpose of providing AI-assisted features. In such cases, only the minimum necessary data is processed, and appropriate safeguards are in place to protect your information.
Where applicable, such providers act as data processors on our behalf, subject to applicable data protection agreements.
When AI-assisted features are available for your subscription plan, you will have the option to opt out at any time through your account settings without affecting the core functionality of the Service.
We do not use your data for fine-tuning or training our own AI models. We do not intentionally process special categories of personal data (as defined under GDPR). Processing by third-party AI providers, including OpenAI, is subject to their respective terms and privacy policies. We encourage you to review OpenAI’s privacy policy at https://openai.com/privacy.
We may in the future transition to proprietary or self-hosted AI models to further enhance data protection and control over processing.
We carefully select and regularly evaluate trusted third-party providers and implement appropriate contractual and technical safeguards to protect your data. Processing by such providers is subject to their respective terms and privacy policies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will also notify you by email at the address associated with your account at least 14 days before the changes take effect.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.
This Privacy Policy is provided by Patrik Duch s.r.o. By using Illumate UI, you acknowledge that you have read and understood this Privacy Policy.