Privacy Policy

1. Introduction

Welcome to Illumate UI, operated by Patrik Duch s.r.o. ("Company", "we," "our," or "us"). We take your privacy seriously. This Privacy Policy describes what data we collect, how we use it, how we keep it safe, and your rights under applicable data protection laws.

This Privacy Policy describes how we comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, the California Consumer Privacy Act ("CCPA") and similar U.S. state privacy laws.

By using Illumate UI, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this policy, please do not use our Service.

Patrik Duch s.r.o. is the data controller for the purposes of applicable data protection laws.

2. Information We Collect

2.1 Information You Provide

• Account Information: Email address, name, and password when you create an account
• Payment Information: Billing details and payment information processed by third-party Payment processors (such as Stripe, Inc.). We do not store full payment card details
• Communication Data: Information you provide when contacting us for support
• Feedback: Reviews, comments, and suggestions you submit

2.2 Information Collected Automatically

• Usage Data: Limited information about feature usage necessary to operate, secure, and improve the Service. We do not track user behavior across websites or use this data for advertising or profiling purposes
• Device Information: Browser type, operating system, and basic device characteristics (see Section 2.3 for full details about device identification and security)
• Log Data: IP address, access times, HTTP request paths (for operational debugging only, not analytics), and referring URLs where provided by the browser
• Technical Data: We may process limited technical data such as IP addresses and request metadata strictly for security, debugging, and service operation purposes. IP addresses are automatically anonymized after the security retention period through last-octet truncation, in accordance with Recital 26 GDPR (see Section 2.3 for technical details).
• Cookies: Essential cookies and authentication tokens used to maintain sessions and ensure security

2.3 Device Identification and Security

To protect user accounts, prevent abuse of the Service, and enforce plan-based device limits, Illumate UI uses server-side device identification techniques. These techniques rely solely on passive technical signals already transmitted by your browser with every HTTP request — we do not run client-side JavaScript fingerprinting in your browser.

What we collect

• User-Agent string — the standard browser identification string transmitted by your browser with every HTTP request, containing browser name and version, operating system and version, and basic device type indicators
• IP address — used for security review and anomaly detection. IP addresses are automatically anonymized through last-octet truncation after the retention period (see Retention below)
• Accept-Language header — preferred languages advertised by your browser, used for interface localization and security analytics
• Parsed device metadata — a structured representation derived from the User-Agent string, including browser family (e.g., "Chrome"), browser version, operating system (e.g., "Windows"), OS version, and device type (desktop, mobile, tablet, or bot). No data is collected beyond what is contained in the User-Agent string itself.
• Device hash — a SHA-256 cryptographic hash computed from the above passive signals, used as a stable one-way identifier across sessions for security and anti-abuse purposes. The hash cannot be reverse-engineered to reveal the original signals.

Why we use it

• Account security: Detect session hijacking, unauthorized access, and notify you of new device logins
• Anti-abuse: Prevent ban evasion, mass account creation, and other abusive patterns that would harm the Service or other users
• Plan enforcement: Enforce the device limits associated with your subscription tier. Free plans are limited to 1 device, Pro plans allow up to 5 devices, and Enterprise plans allow unlimited devices.

Persistence and scope

The device hash is persistent across sessions and may remain associated with your account history for the duration described below. We do not use device identification to track users across other websites or services, and the hash is not shared with any third-party advertising, analytics, or marketing networks.

Retention

Session-related device data (User-Agent string, IP address, parsed device metadata) is retained for the duration of the active session and up to 90 days thereafter for security review.

After the retention period, IP addresses are automatically anonymized by truncating the last two octets (for example, 203.0.113.42 becomes 203.0.0.0). This operation is performed by an automated background process and is irreversible — once anonymized, the original IP address cannot be reconstructed and the data no longer qualifies as personal data under Recital 26 GDPR.

Persistent device hashes used for anti-abuse and plan enforcement purposes may be retained for up to 3 years to detect repeat abuse patterns, in accordance with our audit retention policy (see Section 9).

What we do not do

• We do not use canvas fingerprinting, WebGL rendering analysis, audio context fingerprinting, font enumeration, or any client-side JavaScript-based device fingerprinting techniques
• We do not collect screen resolution, timezone, hardware specifications, installed fonts, plugins, or any other information beyond what your browser transmits in standard HTTP headers
• We do not share device identifiers with third-party advertising or analytics networks
• We do not track users across third-party websites or services
• We do not use device data for behavioral profiling, advertising, or marketing purposes

Legal basis: Article 6(1)(f) GDPR — legitimate interest in ensuring account security, preventing fraud and abuse of the Service, and enforcing fair use of subscription tiers, as also recognized under Article 32 GDPR (security of processing). We have conducted a balancing assessment and determined that these processing activities are proportionate to the security and integrity benefits provided, and do not unreasonably override your rights and freedoms.

2.4 Processing of Website Page Content

To provide certain features of the Service, Illumate UI may temporarily retrieve and process publicly accessible website content available without authentication, such as DOM elements, selectors, and on-page interface data, based on a URL submitted by the user.

This content is processed only for the purpose of delivering the requested functionality. We do not use such content for analytics, advertising, profiling, or artificial intelligence processing.

We do not store, cache, or persist any third-party website content. All rendering is ephemeral and limited to the duration of the user session.

We do not intentionally collect, process, or store personal data of third parties (such as end customers of our users). Any personal data incidentally present in publicly accessible website content retrieved through the Service is processed solely as a technical intermediary and is not retained.

Legal basis: Article 6(1)(b) GDPR — performance of a contract (processing of user-submitted URLs is necessary to deliver the Service). For any personal data that may be incidentally present within publicly accessible content, Illumate UI operates as a technical intermediary in accordance with Directive 2000/31/EC (E-Commerce Directive) and Regulation (EU) 2022/2065 (Digital Services Act), relying on Article 6(1)(f) GDPR as the applicable legal basis.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide, maintain, and improve the Service
• Process payments via third-party payment providers and send related transactional information
• Create and manage your account
• Send you technical notices, updates, and support messages
• Respond to your comments, questions, and customer service requests
• Detect, prevent, and address technical issues, security threats, and misuse of the Service, including monitoring and retaining relevant activity logs where necessary
• Send marketing communications, where you have explicitly opted in (see Section 3.1)
• Enforce our Terms of Service and protect our legal rights
• Comply with legal obligations

We do not verify whether website content accessed through the Service contains personal data or whether the user is authorized to process such data.

Users are solely responsible for ensuring that they have the legal right to access and use any website content processed through the Service.

3.1 Marketing Communications

Illumate UI maintains a separate marketing email list for users who explicitly opt in to receive product updates, tips, and announcements. Subscription to this list is entirely voluntary and is not required to use the Service.

What we collect

When you subscribe to our marketing list (for example, via the "Subscribe" form on our website), we collect your email address and the timestamp of your subscription consent.

Current sending status

As of the date of this Privacy Policy, we are building our marketing list and have not yet begun sending marketing emails. You will not receive any communications from this list until our newsletter program launches. When it does, you will receive a clearly identified first email with the option to unsubscribe before any further messages are sent.

What we will send

• Product updates and new feature announcements
• Best practices and tips for user onboarding
• Occasional company news and offers related to Illumate UI

Your control

You may unsubscribe at any time, free of charge and without giving any reason, by clicking the unsubscribe link included in every marketing email, or by contacting us at privacy@illumateui.app. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).

Retention

Marketing subscription data is retained until you unsubscribe. Once you unsubscribe, your email address is removed from active sending lists immediately and permanently deleted from our marketing database within 30 days, except where limited retention is required to demonstrate compliance with consent obligations under Article 7 GDPR (typically for up to 3 years following withdrawal).

Legal basis: Article 6(1)(a) GDPR — consent. Marketing communications are sent only to users who have explicitly opted in through a clear affirmative action (such as checking an unchecked consent box when submitting the subscription form). We do not send marketing emails based on legitimate interest or as part of the standard Service.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data based on the following legal bases under Article 6 GDPR:

• Contract Performance (Article 6(1)(b) GDPR): To provide the Service you requested, including account management, authentication, and processing of user-submitted URLs
• Legitimate Interests (Article 6(1)(f) GDPR): To improve our Service, prevent fraud, ensure security, and maintain user experience consistency (such as theme preferences)
• Consent (Article 6(1)(a) GDPR): For marketing communications, which you can withdraw at any time without affecting Service access (Article 7(3) GDPR)
• Legal Obligation (Article 6(1)(c) GDPR): To comply with applicable laws, including retention requirements for audit logs, tax records, and regulatory disclosures

5. Automated Decision-Making and Profiling

Illumate UI does not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

All decisions regarding your account, access to features, and use of the Service are made by humans or based on simple operational logic (such as subscription status checks, rate limiting, or session expiration) that does not constitute profiling under Article 4(4) GDPR.

We do not use machine learning, artificial intelligence, or algorithmic systems to make decisions about you, to analyze your behavior for the purposes of evaluating personal aspects, to predict preferences, or to produce personalized assessments.

You have the right under Article 22(3) GDPR to obtain human intervention, express your point of view, and contest any decisions that may significantly affect you. Although we do not currently make such decisions, you may exercise this right at any time by contacting privacy@illumateui.app.

6. Information Sharing and Disclosure

We may share your personal information in the following circumstances:

• Service Providers: With third parties who perform services on our behalf (hosting, payment processing)
• Legal Requirements: If required by law, regulation, legal process, or governmental request
• Protection of Rights: To protect the rights, property, or safety of Illumate UI, our users, or others
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• With Your Consent: When you have given us explicit permission

We do not sell your personal information to third parties.

7. Cookies and Tracking Technologies

We use only cookies that are strictly necessary for the Service to function:

• Essential Cookies: Required for core functionality including authentication, security, and session management
• Functional Cookies: Required to deliver the visual preferences and settings you have explicitly chosen, ensuring a consistent experience across page loads (including server-side rendered content)

We do not use:

• Analytics or performance tracking cookies
• Advertising or marketing cookies
• Cross-site tracking cookies
• Third-party tracking pixels or beacons

No consent banner is required under Article 5(3) ePrivacy Directive 2002/58/EC, as all cookies used are strictly necessary either for authentication or to deliver functionality explicitly requested by the user.

Legal basis: Article 6(1)(b) GDPR (contract performance) for authentication; Article 6(1)(f) GDPR (legitimate interest in user experience consistency) for functional cookies.

You can control cookies through your browser settings, but doing so may affect the functionality of the Service. For more details, please see our Cookie Policy.

8. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, in accordance with Article 32 GDPR, including:

• Encryption of data in transit (HTTPS/TLS)
• Secure password hashing
• Regular security assessments
• Access controls and authentication

However, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk.

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify affected users and the competent supervisory authority without undue delay, and where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 GDPR and Article 34 GDPR.

9. Data Retention

We retain your personal information for as long as your account is active, and for a limited period after deletion as described below.

Upon account deletion

• Account access is revoked immediately upon deletion request. You will be logged out of all sessions and unable to access the Service.
• Personal data (email, name, profile) is marked for deletion immediately and physically purged from our primary systems within 30 days. The exact timing depends on background processing queues and system load, but in all cases occurs within the 30-day statutory period under Article 17 GDPR.
• Associated records across our internal systems (websites, tours, hint bubbles, subscription metadata) are permanently purged as part of the same scheduled lifecycle process.
• Backup snapshots containing your data are retained for up to 30 days on a rolling basis. These snapshots are not accessible to restore deleted accounts and are overwritten in the normal course of backup rotation.

Once deletion is requested, the action cannot be reversed. Please ensure you have downloaded any data you wish to keep (see Section 10 for data export options) before requesting deletion.

Aggregated and anonymized data

Statistical data that has been irreversibly anonymized in accordance with Recital 26 GDPR (where re-identification is no longer reasonably possible, even by combining with additional information) is no longer personal data under GDPR and may be retained for product analytics, capacity planning, and historical reporting. Examples include monthly active user counts, aggregated feature usage percentages, and revenue metrics without individual attribution.

Application and infrastructure logs

Technical logs generated by our servers (HTTP requests, error diagnostics, performance metrics) are retained for up to 30 days for operational debugging and service reliability. These logs are not used for analytics or profiling and do not include website page content.

Business and security audit events

Significant application events — including authentication events, account modifications, subscription and billing events, and security-relevant actions — are recorded in an append-only audit trail for compliance and incident investigation purposes. These events are retained for up to 3 years. In accordance with Article 17(3)(b) and (e) GDPR, this audit trail is exempt from erasure requests where retention is necessary to comply with our legal obligations and to protect our legitimate interests in security, fraud prevention, and the establishment or defense of legal claims.

Billing and tax records

Invoices, payment records, and related financial documentation are retained for the duration required by applicable Czech tax and accounting law (typically up to 10 years from the end of the relevant tax period). These records cannot be deleted upon request, as their retention is required by law under Article 6(1)(c) GDPR and exempt from erasure under Article 17(3)(b) GDPR.

Contact form submissions

Contact form data (name, email, message) is retained for up to 12 months for support and follow-up purposes, after which it is permanently deleted.

Session security data

Session-related device data (User-Agent, IP address, and parsed device metadata) is retained together with the associated session record for the duration of active sessions and up to 90 days after session expiry, after which the data is automatically purged.

Legal basis for retention: Article 6(1)(c) GDPR (legal obligation), Article 6(1)(f) GDPR (legitimate interest in the security and integrity of the Service), and Article 6(1)(b) GDPR (contract performance for Service-related data).

10. Your Rights

Depending on your location, you may have the following rights:

GDPR Rights (EEA Residents)

• Access (Article 15 GDPR): Request a copy of your personal data, including information about processing purposes, recipients, and retention periods
• Rectification (Article 16 GDPR): Correct inaccurate or incomplete personal data
• Erasure (Article 17 GDPR): Request deletion of your data ("right to be forgotten"), subject to applicable legal retention obligations (see Section 9)
• Restriction (Article 18 GDPR): Request limitation of processing in specific circumstances
• Portability (Article 20 GDPR): Receive your data in a structured, machine-readable format and transmit it to another controller
• Objection (Article 21 GDPR): Object to processing based on legitimate interests, public interest, or direct marketing
• Withdraw Consent (Article 7(3) GDPR): Withdraw consent at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

CCPA Rights (California Residents)

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising your rights

To exercise any of these rights, please contact us at privacy@illumateui.app. We will respond without undue delay and in any event within one month of request receipt, as required by Article 12(3) GDPR. For complex requests, this period may be extended by two further months with notification within the initial month.

11. Data Location and Sub-Processors

Illumate UI is available globally, meaning users from any country may create an account and use the Service. The entire system operates only on servers physically located within the European Union. However, some of these servers are provided by companies headquartered in the United States, operating through their EU subsidiaries under GDPR-compliant Data Processing Agreements.

Our infrastructure sub-processors providing EU-based services:

• Google Cloud EMEA Limited (EU subsidiary of Google LLC) — cloud infrastructure services within the European Union. Data processing is governed by Google's Cloud Data Processing Addendum.
• Amazon Web Services EMEA SARL (EU subsidiary of Amazon.com, Inc.) — cloud infrastructure services within the European Union. Data processing is governed by AWS's Data Processing Addendum.
• Hetzner Online GmbH (EU-owned company) — infrastructure services within the European Union. Data processing is governed by Hetzner's Privacy Policy.

Payment processing is handled by an independent payment service provider:

• Stripe Payments Europe, Limited (EU subsidiary of Stripe, Inc.) — payment processing for all customers. Stripe operates as an independent data controller for payment transactions under its own data processing framework and may process certain transaction data outside the EU/EEA for fraud prevention and regulatory compliance. We share only the billing and transaction metadata required for payment processing. See Stripe's Data Processing Agreement and Privacy Policy for details.

All listed providers have agreed to appropriate contractual safeguards, including Standard Contractual Clauses (SCCs) where applicable, to ensure your personal data is protected in accordance with GDPR requirements.

A detailed list of specific services used is available upon request for existing customers at privacy@illumateui.app.

12. Children's Privacy

The Service is intended exclusively for use by adults aged 18 or older in connection with business or professional activities. We do not knowingly collect personal information from minors under 18 years of age.

Children under 16 (or under the relevant national threshold in their country, where lower) cannot validly provide consent for data processing under Article 8 GDPR without parental authorization. We do not target our Service at, or knowingly accept registrations from, individuals in this age group.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at privacy@illumateui.app. We will delete any such information without undue delay.

13. Third-Party Links and Services

The Service may contain links to third-party websites or integrate with third-party services (such as payment processors, analytics providers used by sub-processors, or external documentation). This Privacy Policy does not apply to those third parties.

We are not responsible for the privacy practices, terms, or content of third-party websites or services. When you click an external link or interact with a third-party integration, you leave the scope of this Privacy Policy and become subject to the respective third party's terms and privacy policy.

We encourage you to review the privacy policies of any third-party services you interact with through Illumate UI. For information about our trusted sub-processors who process data on our behalf within the European Union, see Section 11.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For material changes, we will also notify you by email at the address associated with your account at least 14 days before the changes take effect.

15. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. For Czech residents, the competent supervisory authority is the Czech Office for Personal Data Protection (ÚOOÚ, https://uoou.gov.cz).