LEGAL
Privacy Policy
Last updated
Plain-language note. drobek collects the minimum it needs to run. Customer Content stays in EU regions. The only US transfer is to OpenAI for embedding generation under their Zero Data Retention guarantee. drobek does not sell personal data — ever.
1. Controller
The data controller for personal data processed via drobek.app is the natural person operating the Service from the Czech Republic (Brno). Registry details (IČO, address) will be published here when the operating legal entity is registered; until then, the Operator is reachable via the contact channels listed at tomasgrasl.cz and in-app via Settings → Account → Contact.
For Customer Content stored in your Organisation, you are the controller and the Operator is the processor — see the Data Processing Addendum.
2. Categories of personal data we process
- Account data — email, optional display name, avatar initials, hashed authentication secret or OAuth identifier.
- Organisation data — slug, display name, plan tier, billing email (when applicable), member list with roles.
- Telemetry — page views, feature usage, errors (Sentry). Aggregate; no advertising trackers; no third-party tags loaded by default.
- Agent operational logs — request metadata (tool name, timestamp, token id, response code). Tool payload bodies are not logged.
- Customer Content — text you (or your Agents) explicitly store via the MCP tools (tasks, plans, knowledge entries, comments, attachments).
- Security logs — IP address, user-agent, request method/path, timestamp — retained for fraud and abuse investigation.
3. How we use the data — lawful bases
| Use | Legal basis |
|---|---|
| Operate the Service, deliver MCP traffic, render UI | Contract performance — GDPR Art. 6(1)(b) |
| Aggregate product telemetry, error tracking, abuse detection | Legitimate interest — GDPR Art. 6(1)(f) |
| Send transactional email (verification, billing, security) | Contract performance — GDPR Art. 6(1)(b) |
| Send marketing email | Consent (opt-in) — GDPR Art. 6(1)(a) |
| Comply with legal obligations (tax records, court orders) | Legal obligation — GDPR Art. 6(1)(c) |
| Set non-essential cookies | Consent — GDPR Art. 6(1)(a) + ePrivacy |
We do not use Customer Content to train any AI model. We do not sell personal data. We do not profile users for advertising purposes.
4. Automated decision-making
The Service performs automated processing (verification of PR/CI state, quota enforcement, abuse heuristics) but does not make decisions with legal or similarly significant effects on data subjects within the meaning of GDPR Article 22.
5. Sub-processors
| Sub-processor | Purpose | Region | Transfer mechanism |
|---|---|---|---|
| Hostinger | App hosting (VPS) and transactional email (SMTP) | EU — Espoo, Finland | GDPR; processor DPA in place |
| Sentry.io | Error tracking | EU region | GDPR; DPF-certified |
| OpenAI | Embedding generation only | US | EU-US Data Privacy Framework + Zero Data Retention. Knowledge bodies are sent for embeddings only — not logged, not retained, not used for training |
| GitHub / GitLab API | Per repositories you connect | Vendor's region | Optional; activated only at your request |
| Atlassian (Jira) | Per integrations you connect | EU (Cloud) | Optional; activated only at your request |
No payment processor is engaged today (Pro is waitlist-only). Before any user is charged, this list will be updated 30 days in advance.
The Operator will give 30 days notice before adding or replacing a sub-processor. Your continued use after the effective date is consent.
6. Retention
- Account and Organisation records — retained until you request deletion via Settings → Account → Delete. A 7-day grace window applies, after which deletion is irreversible and cascades through data you own.
- Customer Content — retained for the lifetime of the owning Organisation; deleted on Organisation deletion subject to the same grace window.
- Security and audit logs — retained up to 24 months for fraud and abuse investigation, then either deleted or fully anonymised.
- Backups — daily encrypted snapshots are kept for 30 days off-host and then deleted. A deletion request may persist in a backup for up to 30 days before the backup itself rotates out.
- Email logs (Hostinger SMTP) — per Hostinger's retention policy.
7. International transfers
Primary storage and email infrastructure are in the EU. The only routine transfer outside the EU/EEA is to OpenAI in the United States, under the EU-US Data Privacy Framework and OpenAI's Zero Data Retention regime. No other tenant content leaves the EU.
If a sub-processor's certification lapses, the Operator will fall back to Standard Contractual Clauses (EU 2021/914) without notice and will update this section.
8. Your rights (GDPR Articles 15-22)
- Access — Settings → Account → Export. Returns JSON of every row tied to your Account and the Organisations you own.
- Rectification — edit your profile, Organisation, knowledge.
- Erasure — Settings → Account → Delete. (Erases the Account and any Organisation where you are the sole owner; co-owned Organisations require all owners to delete.)
- Restriction — contact the Operator.
- Portability — same JSON export as Access.
- Objection to processing based on legitimate interest — contact the Operator.
- Withdraw consent for marketing emails or non-essential cookies at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint with the Czech supervisory authority (Úřad pro ochranu osobních údajů) or your local EU supervisory authority.
The Operator will respond to verified requests within one (1) month, extendable by two further months for complex requests (you will be notified of any extension).
9. Security
- TLS 1.2+ on every public endpoint.
- Encryption at rest for Postgres data volumes.
- Argon2 password hashing; secrets rotated at the application layer.
- Tenant isolation enforced at the query layer (every row has org_id).
- Daily encrypted off-host backups, 30-day retention.
- Suspected security incidents notified to the Customer's billing email within 72 hours of confirmation, per GDPR Art. 33-34.
No system is unbreakable. You accept residual risk by using the Service.
10. Children
The Service is not intended for users under 18 years of age. If you become aware that a minor has created an Account, please notify the Operator and the Account will be removed.
11. DPO
The Operator has not formally appointed a Data Protection Officer (the Operator does not meet the threshold under GDPR Art. 37). Privacy questions can be sent via the contact channels at tomasgrasl.cz or in-app via Settings → Account → Contact.
12. Changes
This Privacy Policy may be updated. Material changes are announced at least 30 days in advance by email or in-app banner. The "last updated" date above always reflects the most recent change.