Privacy Policy

This policy explains how FakturHuko processes personal data under Regulation (EU) 2016/679 (GDPR) and applicable Czech law. We collect only what we need to run the service and we never sell your data.

1. Controller

For any privacy question or to exercise your rights, write to the e-mail above. We have not appointed a Data Protection Officer, as one is not required for our processing.

2. What data we process

Account data

• E-mail address, display name and language/theme preferences.
• Authentication is handled by Google Firebase Authentication — we do not store your password.
• Last sign-in time and subscription status (plan, trial end, payment state).

Business data you enter

• Your company details: name, address, IČO/DIČ, bank account, logo and signature for invoices.
• Your clients and invoices: client names, contacts, addresses, IDs, invoice items and amounts.

Technical and communication data

• Delivery logs of e-mails sent through the app (recipient, subject, status).
• Error and security logs, which may contain an IP address and the page visited.

3. Purposes and legal bases

• Providing the service and managing your account — performance of a contract (Art. 6(1)(b)).
• Billing and subscriptions — performance of a contract and legal obligations (Art. 6(1)(b), (c)).
• Security, fraud prevention, error monitoring and service improvement — legitimate interest (Art. 6(1)(f)).
• Statutory accounting and tax duties — legal obligation (Art. 6(1)(c)).
• Optional cookies (e.g. analytics) — your consent (Art. 6(1)(a)).

4. Recipients and processors

We share data only with providers that help us run the service, under data-processing agreements:

• Google (Firebase Authentication) — sign-in and account security.
• Railway — application hosting and database.
• E-mail provider (SMTP / Resend) — delivering invoice and notification e-mails.
• Stripe — payment processing for paid plans (when enabled). Card details are handled by Stripe, not by us.
• ARES — public business register lookup when you fill a company ID (no personal data sent).
• FIO Bank API — only if you enable bank payment matching.

5. International transfers

Some providers (e.g. Google, Stripe) may process data outside the EU. Such transfers are protected by the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework.

6. How long we keep data

• Account and content data: for as long as your account exists.
• After account deletion we erase your data without undue delay; backups are rotated out within 30 days.
• Data we must keep by law (e.g. tax/accounting records) is retained for the statutory period.
• E-mail delivery and error logs: typically up to 12 months.

7. Your rights

Under the GDPR you have the right to:

• access your data and obtain a copy;
• rectification of inaccurate data;
• erasure (“right to be forgotten”);
• restriction of processing;
• data portability;
• object to processing based on legitimate interest;
• withdraw consent at any time (e.g. cookies), without affecting prior processing.

To exercise any right, e-mail us at ondrej.huk@gmail.com. You also have the right to lodge a complaint with the Czech supervisory authority — Úřad pro ochranu osobních údajů (www.uoou.cz).

8. Cookies

We use strictly necessary cookies and, with your consent, preference and analytics cookies. Details and controls are in our Cookie Policy.

9. Security

Data is transmitted over HTTPS, access is protected by authentication, and we apply appropriate technical and organisational measures to protect your data.

10. Children

The service is intended for businesses and is not directed at children under 16.

11. Changes

We may update this policy. The current version is always available here, with the “last updated” date above.