Splnit.eu
Privacy Policy
This policy explains how the Splnit.eu operator, as a Czech sole trader, processes personal data of website visitors, app users, business contacts, and people whose data customers place in the service. Final operator identification must be completed before production launch.
Controller
The controller for the website, business communication, customer account, billing, and operational security is the Splnit.eu operator as a Czech sole trader. The name, business ID, ARES link, and address will be completed before production launch. For privacy questions, contact hello@splnit.eu.
For personal data customers place in the app as evidence, documents, vendor questionnaires, or audit records, the customer usually acts as controller and Splnit.eu as processor under the DPA.
A data protection officer has not been appointed as of publication. If that changes, the contact details will be added here.
Data we process
We process identification and contact data, organisation data, user accounts, roles and permissions, billing metadata, audit records, technical logs, security events, and content you upload as evidence or documents.
For website visitors, we process basic technical data, language, cookie settings, and traffic measurement only within the scope allowed by cookie settings.
Connected integrations may process technical data from linked systems, such as MFA status, security configuration, repository metadata, cloud-control results, and synchronisation timestamps.
Purposes and legal bases
We use data to provide the service, manage accounts and organisations, secure accounts, run automated compliance checks, bill customers, provide support, communicate with prospects, meet legal obligations, detect abuse, and improve the product.
The legal basis is mainly contract performance, legitimate interest in secure service operation and product development, legal obligations in accounting and tax, and consent for optional cookies or marketing communication where consent is required.
Where processing relies on legitimate interest, it mainly covers security, abuse prevention, basic operational analytics, enforcement of legal claims, and reasonable communication with existing customers.
Recipients and processors
We use infrastructure and support providers, mainly Vercel, Neon, Clerk, Stripe, Resend, Loops, Upstash, Sentry, Vercel Blob, Inngest, and PostHog where those services are enabled in production.
Personal data may also be shared with legal, accounting, security, and technical advisers where needed to operate the service, meet obligations, or protect rights.
The main sub-processors for customer data are listed on the DPA and Sub-processors page.
Transfers outside the EU/EEA
Some providers may process data outside the EU/EEA. In those cases we rely on appropriate safeguards such as adequacy decisions, standard contractual clauses, certifications, or supplementary technical and organisational measures depending on the service.
Specific processing locations and transfer mechanisms may differ by provider and production configuration.
Retention
Customer account data is retained for the contract term and then for the period needed for legal, accounting, tax, security, and complaint-handling purposes.
Billing and accounting data is retained for the legally required period. Security logs and audit records are retained for a period proportionate to security, incident investigation, and compliance evidence purposes.
Data processed as processor is deleted or returned according to customer instructions and the DPA unless law requires further retention.
Data-subject rights
You have the right to request access, rectification, erasure, restriction, and portability, to object to processing, and not to be subject to decisions based solely on automated processing, where those GDPR rights apply.
Consent can be withdrawn at any time without affecting processing before withdrawal. Cookie choices can be changed on the Cookies page.
Send requests to hello@splnit.eu. We respond without undue delay, usually within one month; in justified cases the period may be extended under GDPR.
You have the right to lodge a complaint with the Czech Data Protection Authority at uoou.gov.cz.
Automated decision-making
The service calculates compliance scores, risk classifications, and draft questionnaire responses. These outputs are working materials for the customer and do not by themselves create legal effects for natural persons.
Customers should review and supplement automation outputs with their own assessment before use.