Privacy Policy

1. Introduction and Legal Basis

1.1 Data Controller

• –Contact: privacy@domuhq.cz
• –GDPR Rights Page: domuhq.cz/gdpr
• –Postal Address: DomuHq s.r.o., Poličanská 1487, 190 16 Praha - Újezd nad Lesy, Czech Republic
• –Data Protection Contact: privacy@domuhq.cz

1.2 Applicable Laws

• –Regulation (EU) 2016/679 (GDPR)
• –Act No. 110/2019 Coll., on Personal Data Processing (Czech GDPR implementation)
• –Act No. 127/2005 Coll., on Electronic Communications (ePrivacy)
• –EU AI Act (Regulation (EU) 2024/1689) — effective 2026
• –Digital Services Act (Regulation (EU) 2022/2065)
• –Other applicable Czech and EU data protection laws

1.3 Scope of This Policy

• –All users of the DomuHQ platform (website, mobile apps)
• –Visitors to our website (even without creating an account)
• –Anyone who communicates with us via email, forms, or customer support

1.4 Children’s Privacy

• –The Service is not intended for children under 16.
• –We do not knowingly collect personal data from children under 16 without parental consent.
• –If under 16, you must obtain parental/legal guardian consent; we may request proof.
• –If we discover unverified child data, we will delete it promptly.

2. Personal Data We Collect

2.1 Information You Provide Directly

• Account Registration
  • –Email address or phone number (one required for signup)
  • –Password (encrypted/hashed; we cannot see it)
  • –Or social login via Google, Facebook, or Apple (name and email received from provider)
• Roommate Profile (onboarding)
  • –First name, last name, date of birth, gender, pronouns (required during profile setup)
  • –Occupation (free text)
  • –Current city, preferred city, preferred areas/districts
  • –Location visibility preference (show exact area or general area)
  • –Preferred roommate gender, move-in timeframe, flexibility toggle
  • –About me (free text, up to 500 characters)
  • –Budget range (slider, CZK per month)
  • –Photos (up to 5 images, jpg/png, max 10 MB each)
• Lifestyle and Compatibility (onboarding)
  • –Lifestyle sliders (cleanliness level, noise tolerance, sleep schedule, guest frequency)
  • –Smoking habits, drinking habits, pet preferences (dropdowns)
  • –Deal breakers (tag selection from predefined options)
  • –Interests and hobbies (selected from categories, plus custom entries)
  • –Psychometric personality test responses (optional, 20 questions from a 110-question bank, used for compatibility scoring)
• Privacy and Visibility Settings (onboarding)
  • –Profile visibility (Public or Verified Users Only)
  • –Hide last name toggle
  • –Hide exact location toggle
• Renter Profile (if activated)
  • –First name, last name, phone number, date of birth, gender
  • –Occupation, work/study location
  • –Profile photo
• Host Profile (if activated)
  • –First name, last name, email, phone number
  • –About me (free text, up to 500 characters)
  • –Host role type (spare room host, landlord, or real estate agent)
  • –Business ID (IČO) and Tax ID (DIČ) for professional hosts
  • –Profile photo
• Property Listings (For Hosts)
  • –Property type, room configuration, condition
  • –Property description (free text or AI-generated, up to 500 characters)
  • –Size (usable area, total area), floor information, elevator
  • –Building details (type, year of construction, renovations, energy class, energy certificate upload)
  • –Address (auto-filled via Mapy.cz), city, area, postal code, flat/unit number
  • –Location privacy setting (exact address, area only, or approximate on map)
  • –Nearby civic amenities (auto-populated from property location)
  • –Rental price, utilities, security deposit, payment terms
  • –House rules, policies, availability dates
  • –Photos per room (exterior, living room, kitchen, bedroom, bathroom, balcony; min 3, max 100 per space; quality score)
  • –Proof of ownership documents (land registry extract, property deed, or ownership certificate)
  • –ČÚZK verification consent (explicit consent checkbox for property verification against Czech Cadastral Registry)
• Messages and Communications
  • –Messages sent via the Platform
  • –Reviews and ratings
  • –Customer support inquiries
  • –Feedback and survey responses
• Payment Information
  • –Card details (processed by Stripe; we do not store full card numbers)
  • –Payment history and transaction records
  • –Subscription status and plan type
• Verification Documents
  • –Government-issued ID (processed by Didit)
  • –Selfie/biometric photo (processed by Didit for liveness detection)
  • –Property ownership docs (Hosts, verified via ČÚZK)
  • –Business registration (IČO/DIČ for professional Hosts)
  • –Additional documents if requested by a landlord (e.g., income verification, references)
• Squad (Team) Information
  • –Squad name/description
  • –Member roster
  • –Shared property searches/favorites
  • –Group communications

2.2 Information We Collect Automatically

• Device and Usage Data
  • –IP address
  • –Device type/model/OS; browser type/version
  • –Device identifiers (UDID, Advertising ID)
  • –Screen resolution/display settings; app version; language preferences
• Platform Activity
  • –Pages/features used; searches; profiles/properties viewed
  • –Time spent; clicks/taps/navigation; scroll depth
  • –Errors and crashes (debugging)
• Location Data
  • –Approximate location via IP (city/region)
  • –Precise GPS (only if enabled in app and permission granted)
  • –Used for nearby results, localization, fraud detection
• Cookies and Tracking
  • –Cookies, pixels, similar technologies
  • –Analytics cookies (Google Analytics 4)
  • –Advertising cookies (if applicable)
  • –Essential cookies (login, security, preferences)
  • –See Cookie Policy: domuhq.cz/cookies

2.3 Information From Third Parties

• Identity Verification Provider (Didit)
  • –Verification result (approved/rejected). Processed by Didit Identity Spain SL (AWS Ireland, EEA)
  • –Document authenticity checks
  • –Biometric verification data
  • –Watchlist screening results (AML/KYC)
• Payment Processors (Stripe and Apple StoreKit)
  • –Stripe (web): payment success/failure status, transaction IDs, fraud risk scores
  • –Apple StoreKit (iOS): subscription receipt validation, transaction status
• Social Login Providers
  • –Google OAuth: name, email address, profile photo (when you sign in with Google)
  • –Google Calendar: calendar event data (date, time, title only, used for scheduling viewings, requires separate consent)
  • –Facebook Login: name, email address (when you sign in with Facebook, planned feature)
  • –Apple Sign-In: name, email address (when you sign in with Apple on iOS)
• Google User Data — Limited Use Disclosure
  • –DomuHQ's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
  • –Google user data (name, email, profile photo from Google Sign-In, and calendar event data from Google Calendar) is used ONLY to: (1) authenticate your account and display your identity within the app, and (2) schedule property viewings in your calendar.
  • –Google user data is NOT used for: AI/ML model training, advertising, marketing, analytics, profiling, or any purpose other than providing or improving user-facing features of the DomuHQ platform.
  • –Google user data is NOT sold, transferred to third parties, or used to serve ads.
  • –Google user data is NOT shared with any third-party AI/ML providers.
• Third-Party Data Enrichment (optional, with consent)
  • –Public info (e.g., LinkedIn) to verify occupation/credentials

2.4 Sensitive Personal Data

• –Biometric data (selfies for verification). Used solely for identity verification; processed by Didit Identity Spain SL (AWS Ireland, EEA); retained per AML/KYC requirements.
• –Health data (optional) — disability/accessibility needs if voluntarily provided; used only for matching.
• –We do not request racial/ethnic origin, religious beliefs, or sexual orientation; if voluntarily shared in profiles/messages it is processed as User Content.

3. How We Use Your Personal Data

3.1 Purposes of Processing

• Provide and Operate the Service (Contract — GDPR 6(1)(b))
  • –Create/manage account
  • –Enable matching and compatibility scoring
  • –Display listings and facilitate connections
  • –Process messages, requests, applications
  • –Enable Squad features
  • –Process payments/subscriptions
  • –Provide customer support
• Verify Identity and Prevent Fraud (Legitimate Interests — GDPR 6(1)(f))
  • –Identity verification
  • –Property ownership confirmation
  • –Fraud/scam/abuse detection
  • –Policy violation monitoring
  • –Safety/security protection
  • –AML/KYC compliance
• Improve and Personalize (Legitimate Interests — GDPR 6(1)(f))
  • –Analyze usage patterns
  • –A/B testing and product research
  • –Develop/train AI/ML models (excludes Google user data; see Google User Data Limited Use Disclosure in Section 2.3)
  • –Optimize performance and fix bugs
  • –Personalize recommendations/search
• Communications (Contract / Legitimate Interests / Consent)
  • –Transactional emails (verification, reset, receipts)
  • –Notifications (matches, messages, activity)
  • –Service updates/policy changes
  • –Surveys/feedback (with consent)
  • –Marketing (with consent; opt-out available)
• Legal Obligations (Legal Obligation — GDPR 6(1)(c))
  • –Respond to legal requests
  • –Tax/accounting compliance
  • –Report suspected illegal activity where required
  • –Retain records as required by law
• Enforce Terms and Protect Rights (Legitimate Interests — GDPR 6(1)(f))
  • –Investigate/enforce ToS violations
  • –Defend legal claims/disputes
  • –Protect IP
  • –Prevent misuse

3.2 AI and Automated Decision-Making

• –Matching and compatibility scoring
• –Content moderation
• –Fraud/spam detection
• –Listing optimization recommendations
• –DomuBot AI customer support

3.3 Marketing and Promotional Communications

• –You can opt-out anytime via Unsubscribe, Profile > Preferences, or privacy@domuhq.cz.
• –Transactional emails cannot be opted out.

4. Legal Basis for Processing

4.1 Contract Performance (GDPR 6(1)(b))

• –Providing platform features
• –Processing payments/subscriptions
• –Facilitating communication and matching

4.2 Legitimate Interests (GDPR 6(1)(f))

• –Fraud prevention and security
• –Platform improvement and analytics
• –Customer support
• –Enforcement and legal defense
• –Internal administration and business intelligence

4.3 Consent (GDPR 6(1)(a))

• –Marketing emails
• –Optional data collection (e.g., health data)
• –Non-essential cookies
• –Non-essential location processing
• –Sharing for non-essential purposes

4.4 Legal Obligation (GDPR 6(1)(c))

• –Tax/accounting retention
• –AML/KYC compliance
• –Law enforcement/court orders
• –Breach notifications (GDPR Art. 33)

4.5 Vital Interests (GDPR 6(1)(d))

• –Emergency support in urgent safety situations
• –Preventing imminent harm or danger

4.6 Public Interest (GDPR 6(1)(e))

5. How We Share Your Personal Data

5.1 Sharing With Other Users

• Public Profile Information (visible to others)
  • –Name, age, gender (if provided)
  • –Profile photo, bio, interests
  • –Compatibility score
  • –Verification status (badge)
  • –Property listings (Hosts)
  • –Reviews and ratings
• Not Shared by default
  • –Email address and phone number (unless you choose to share)
  • –Full date of birth (only age is shown)
  • –Payment info
  • –Verification documents
• Messages
  • –Messages are visible to recipients.
  • –We don’t read private messages except: automated moderation; abuse reports (human review); legal requirements.

5.2 Sharing With Third-Party Service Providers

• Identity Verification Provider (Didit)
  • –Data shared: ID docs, biometric photos, name, DOB
  • –Purpose: verification, authentication, AML/KYC screening
  • –Provider retention: typically 5 years
  • –Provider privacy policies are available upon request at privacy@domuhq.cz
• Payment Processors
  • –Provider: Stripe (web payments)
  • –Data shared: card details and payment amount (card-only, no billing address collected)
  • –We do not store full card numbers (PCI DSS compliance handled by Stripe)
• Cloud Hosting and Infrastructure (AWS EU)
  • –Provider: Amazon Web Services (AWS), EU-Frankfurt and EU-Ireland regions
  • –Services: Cognito (authentication), RDS (database), S3 (file storage), Lambda (serverless compute), ElastiCache (caching), CloudFront (CDN)
  • –All data stored and processed within the EEA. No data transfers outside the EEA.
  • –Encryption in transit (TLS 1.2+) and at rest (AES-256)
• CDN and Security (Cloudflare)
  • –Provider: Cloudflare, Inc.
  • –Data processed: IP addresses, HTTP request metadata (for DDoS protection, DNS resolution, and content delivery)
  • –Cloudflare operates EU data centers; traffic is routed to the nearest node
• Analytics and Monitoring
  • –Google Analytics 4 (anonymized IP; consent required for non-essential cookies; Measurement ID: G-1MWDC6Q4CR)
  • –DataDog (application performance monitoring, error tracking, anonymized logs)
• Email and SMS Providers
  • –Mailgun (Sinch): transactional email delivery via notify.domuhq.cz (EU API endpoint)
  • –MessageBird/Bird: SMS OTP verification codes sent to your phone number
• Translation and Maps
  • –DeepL SE: real-time chat message translation between Czech and English (message text is sent to DeepL API for translation; no personal identifiers are included)
  • –Mapy.cz (Seznam.cz): Czech address autocomplete for property listings and location search (address strings only, no personal data)
• Property Verification
  • –ČÚZK (Czech Office for Surveying, Mapping and Cadastre): property ownership verification via REST API (property data only, no personal user data sent)
• Push Notifications
  • –Apple Push Notification Service (APNS): device tokens for iOS push notifications
• AI and Machine Learning Providers
  • –AWS Bedrock (EU-Frankfurt): powers roommate compatibility matching, listing optimization, and DomuBot AI assistant. Data shared: pseudonymized assessment scores, usage patterns. No raw personal data sent.
  • –AWS Rekognition (EU-Frankfurt): image content moderation for profile photos and listing images. Data shared: uploaded images are scanned and results returned; images are not retained by Rekognition.
  • –Anthropic (Claude API): powers DomuBot AI assistant for product support (currently internal; planned for user-facing support). When user-facing: conversation text is processed; no personal identifiers are included in prompts.
• Payment Processors (iOS)
  • –Apple StoreKit: processes iOS in-app subscription purchases. Apple handles all payment data per their privacy policy. DomuHQ receives only transaction receipts and subscription status.

5.3 Sharing With Legal Authorities

• –Required by law (subpoenas/court orders/legal process)
• –Protecting rights and safety (fraud/abuse/illegal activity; preventing harm)
• –National security requests where legally mandated
• –Enforcement and legal defense

5.4 Business Transfers

• –If merger/acquisition/sale/bankruptcy: data may transfer to successor
• –Successor bound by this policy or will notify you of changes
• –We will notify you via email and Platform notice

5.5 Sharing With Your Consent

• –Integrations you authorize (future)
• –Marketing partnerships (opt-in only)
• –Research/academic studies (anonymized only)

5.6 We Do NOT Sell Your Personal Data

6. International Data Transfers

6.1 Data Storage Location

• –All personal data is stored and processed within the European Economic Area (EEA).
• –Primary infrastructure: AWS EU-Frankfurt (Germany) and AWS EU-Ireland.
• –Identity verification: Didit, hosted on AWS Ireland (EEA).
• –Email delivery: Mailgun EU endpoint.
• –File storage: Hetzner (Germany) for internal operations.
• –DomuHQ does not use Google Cloud or any non-EEA primary infrastructure.

6.2 Transfers Outside the EEA

• –In limited cases, certain third-party sub-processors (e.g., Stripe for payment processing, Anthropic for AI services) may process data in the United States under Standard Contractual Clauses (SCCs) approved by the European Commission.
• –Google Analytics may process anonymized/pseudonymized data on Google servers; IP anonymization is enabled.
• –Where transfers occur, we ensure GDPR Chapter V safeguards are in place (SCCs, adequacy decisions, or explicit consent).

6.3 Your Rights Regarding Transfers

• –Request information about transfers and safeguards
• –Object if you believe transfers violate GDPR
• –Request a copy of safeguards (e.g., SCCs) for specific providers

7. Your Data Protection Rights

7.1 Right of Access (GDPR Art. 15)

• –Profile > Data & Security > Download My Data
• –Request via privacy@domuhq.cz or domuhq.cz/gdpr
• –Format provided: PDF or JSON
• –Response: within 30 days (may extend by 60 days for complex requests)

7.2 Right to Rectification (GDPR Art. 16)

• –Update most info in Profile > Manage Profile
• –For non-editable data (e.g., verification status) contact privacy@domuhq.cz with evidence
• –Corrections processed within 30 days

7.3 Right to Erasure (GDPR Art. 17)

• –Delete account via Profile > Preferences > Danger Zone > Delete Account, or request via privacy@domuhq.cz / domuhq.cz/gdpr
• –Deletion within 30 days (subject to legal exceptions)
• –Exceptions: legal retention (financial 10 years; verification 5 years), legal claims, shared messages, reviews (may be anonymized), backups up to 90 days

7.4 Right to Restriction (GDPR Art. 18)

• –Request restriction via privacy@domuhq.cz with reason
• –We store data but suspend processing except with consent/legal claims/protect third parties
• –Response within 30 days

7.5 Right to Data Portability (GDPR Art. 20)

• –Download via Profile > Data & Security (JSON/CSV) or request via privacy@domuhq.cz
• –Applies to data you provided and processing based on consent/contract
• –Includes: account/profile, assessment responses, sent messages (your copies), listings, transaction history
• –Response within 30 days

7.6 Right to Object (GDPR Art. 21)

• –Object via privacy@domuhq.cz with specific processing you object to
• –We stop unless compelling grounds override your interests
• –Absolute right to object to direct marketing (we stop immediately)

7.7 Right to Withdraw Consent (GDPR Art. 7(3))

• –Profile > Preferences > Notifications (toggle off Marketing Communications), or email privacy@domuhq.cz to withdraw other consents
• –Or contact privacy@domuhq.cz
• –Withdrawal does not affect prior lawful processing

7.8 Right to Lodge a Complaint

• –Czech authority: ÚOOÚ (uoou.cz)
• –Address: Pplk. Sochora 27, 170 00 Prague 7
• –Phone: +420 234 665 111
• –Email: posta@uoou.cz
• –EU residents may also complain in their country

7.9 Automated Decision-Making and Profiling (GDPR Art. 22)

• –Right not to be subject to solely automated decisions with legal/similarly significant effects
• –Right to contest AI decisions, request human review, and understand AI logic

8. Artificial Intelligence and Automated Decision-Making

8.1 AI Systems We Use

• Matching and Recommendations
  • –Personality compatibility scoring (Five-Factor Model)
  • –Roommate and property recommendations
  • –Squad compatibility analysis
• Content Moderation
  • –Detection of prohibited content (hate speech, nudity, scams) using AWS Bedrock and AWS Rekognition
  • –Spam and fraud detection
• Platform Optimization
  • –Listing quality recommendations
  • –UX personalization
• Customer Support
  • –DomuBot AI assistant (powered by Anthropic Claude)
  • –Currently used internally for product support; planned for user-facing customer assistance
  • –When user-facing: processes conversation text to provide housing and platform support

8.2 Legal Basis for AI Processing

• –Legitimate interests: safety, fraud prevention, UX improvement
• –Contract performance: providing matching/platform services
• –Consent: optional AI features (advanced analytics, listing optimization)

8.3 Your Rights Under GDPR Article 22

• –Human oversight for high-impact decisions (bans, verification failures)
• –Right to contest AI decisions
• –Right to explanation
• –How to request: email privacy@domuhq.cz with subject “AI Decision Review Request” and details; response within 30 days

8.4 AI Data Retention and Security

• –Training data is anonymized/aggregated; individual training points pseudonymized
• –AI decision logs retained 12 months (unless needed for legal/compliance); encrypted and access-controlled

8.5 EU AI Act Compliance

• –Designed to comply with EU AI Act (Regulation (EU) 2024/1689), effective 2026
• –High-risk: personality matching — audits, transparency, human oversight, governance, documentation, conformity assessment where required
• –Limited-risk: DomuBot/content moderation — transparency, testing, human escalation
• –User rights: contest decisions, request review, opt-out of non-essential AI features, complain to ÚOOÚ

8.6 AI Fairness and Non-Discrimination

• –Diverse training data; bias testing; fairness metrics; human review of high-impact decisions
• –Report discrimination concerns to support@domuhq.cz or privacy@domuhq.cz

8.7 Third-Party AI Providers

• –Identity verification AI: Didit Identity Spain SL (biometric liveness detection, document authenticity checks, hosted on AWS Ireland)
• –Content moderation AI: DomuHq internal system using AWS Bedrock (text moderation) and AWS Rekognition (image moderation), both EU-Frankfurt
• –Roommate matching AI: DomuHq internal system using AWS Bedrock (compatibility scoring from psychometric assessments), EU-Frankfurt
• –DomuBot AI assistant: powered by Anthropic Claude API (currently internal; planned for user-facing product support)
• –Analytics: Google Analytics 4 (anonymized behavioral data)

9. Data Retention

9.1 Retention Principles

• –We keep personal data only as long as needed for purposes or legal requirements.
• –Retention depends on purpose, legal obligations, legitimate interests, and consent.

9.2 Retention Periods by Data Type

• Account Data
  • –Active: while account is active
  • –Deleted: deleted within 30 days (subject to exceptions)
  • –Inactive: if no login for 2 years, may delete after notice
• Verification Data
  • –5 years from verification date (AML/KYC; Act No. 253/2008 Coll.)
• Transaction and Payment Data
  • –10 years from transaction date (Accounting Act No. 563/1991; Tax Code No. 280/2009)
• Messages and Communications
  • –Until deletion or as needed for disputes (up to 3 years), enforcement, or legal obligations
  • –You can delete messages from your inbox view; recipient may retain
• Reviews and Ratings
  • –Remain visible unless deleted
  • –After account deletion: may be anonymized (name removed) to preserve integrity
• Support Tickets
  • –3 years from ticket closure
• Analytics and Usage Data
  • –24 months (individual usage); anonymized analytics retained indefinitely
• AI Training Data
  • –Anonymized/pseudonymized training data retained indefinitely (de-identified/aggregated)
• Backups
  • –Up to 90 days (disaster recovery); deleted data may persist until rotation

9.3 Account Deletion and Data Erasure

• Immediate (within 24 hours)
  • –Account access terminated and all sessions invalidated
  • –Profile hidden from other users
  • –Personally identifiable information (name, email, phone, photos, profile bio, assessment responses, social login IDs) anonymized in production systems
  • –Active listings and squad memberships removed
• Within 30 days
  • –Account row permanently purged from production database
  • –Identity provider account permanently deleted
  • –Profile photos and documents permanently deleted from object storage
  • –Data anonymized but retained where legal retention obligations apply (see Exceptions below)
• Exceptions (data retained beyond 30 days)
  • –Verification data: 5 years from verification date (AML/KYC; Act No. 253/2008 Coll.)
  • –Financial and transaction records: 10 years (Czech accounting law)
  • –Ongoing disputes, litigation, or investigations: until resolved + applicable limitation periods
  • –Messages you sent: remain in recipients' inboxes (their copies)
  • –Reviews you wrote: may be anonymized (your name removed) and kept to preserve integrity for other users
  • –Encrypted backups: deleted data may persist up to 90 days until backup rotation

10. Data Security

10.1 Security Measures

• Technical Safeguards
  • –Encryption in transit (TLS 1.2+)
  • –Encryption at rest (AES-256)
  • –Passwords hashed with bcrypt + salt
  • –RBAC access controls; MFA for admins
  • –Firewalls, IDS/IPS, DDoS protection, rate limiting
  • –Code reviews, security testing, annual penetration tests, vulnerability scanning
• Organizational Safeguards
  • –Employee security training
  • –Confidentiality agreements (NDAs)
  • –Background checks for sensitive access
  • –Data minimization
  • –Incident response plan
• Third-Party Security
  • –DPAs required
  • –Audits/certifications where appropriate
  • –Breach notification to DomuHq within 24 hours

10.2 Data Breach Notification

• –Notify ÚOOÚ within 72 hours where required (GDPR Art. 33).
• –Notify affected users without undue delay for high-risk breaches (GDPR Art. 34).
• –Contain/remediate, investigate, prevent recurrence; offer assistance if appropriate.

10.3 Your Responsibility

• –Use strong, unique password; don’t share it.
• –Secure your device and keep software updated.
• –Report suspicious activity to privacy@domuhq.cz.
• –Be cautious of phishing/social engineering.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

11.2 Types of Cookies We Use

• –Essential cookies: required for login, security, session management (cannot be disabled).
• –Analytics cookies: usage measurement (requires consent for non-essential cookies).
• –Marketing cookies: targeted ads (if applicable; requires explicit consent).
• –Preference cookies: remember settings (language/timezone).

11.3 Managing Cookies

• –Cookie banner options: Accept All; Reject Non-Essential; Customize.
• –Change anytime: clear browser cookies to reset the consent popup, or visit domuhq.cz/cookies.
• –Browser settings can also control cookies (may affect functionality).

11.4 Third-Party Cookies

12. Children’s Privacy

12.1 Minimum Age Requirement

• –Not intended for children under 16.
• –No knowing collection without verified parental consent.
• –If under 16: parental consent required; proof may be requested.

12.2 Discovery and Deletion

• –If unverified child data is found: delete within 7 days; terminate child account; notify parent/guardian if possible.

12.3 Parental Rights

• –Parents/guardians can access, rectify, delete, withdraw consent, object, and complain to ÚOOÚ.
• –To exercise: contact privacy@domuhq.cz with proof of guardianship.

13. Changes to This Privacy Policy

13.1 Amendments

• –We may update this policy for new features, practice changes, legal/regulatory updates, or feedback.
• –Material changes communicated via email, prominent platform notice, and/or in-app notification.
• –Notice period: at least 30 days before changes take effect (longer if required by law).
• –Continued use after effective date = acceptance; you can delete your account if you disagree.

13.2 Version History

• –Version 1.1 — Effective April 1, 2026 (Updated vendor disclosures, international transfers, AI providers).
• –Previous versions available upon request: privacy@domuhq.cz.

For questions, concerns, or requests regarding this Privacy Policy, please contact: