GDPR · Virlya

Privacy Policy

Personal Data Processing Policy (GDPR)

Effective April 15, 2025

Virlya s.r.o. ("Virlya", "controller") processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Czech law. This policy describes what data we collect, how we use it, who we share it with, and what rights you have.

1. Data Controller

Virlya s.r.o.

Registered office: Prague, Czech Republic

Controller email: [email protected]

Data Protection Officer (DPO): [email protected]

2. Personal Data We Process

We process the following categories of personal data:

Identity and contact data

• Name, email address (at registration)

• IP address, browser type, device identifier (technical logs)

Company and profile data

• Company name, website, product description, target audience (entered at onboarding)

• Brand colors, tone of communication

Content and campaigns

• Campaign briefs, Q&A answers, uploaded branding documents

• Generated content (posts, images), approved campaign plans

Payment data

• Billing details (processed by third-party payment gateway; we do not store card numbers)

Operational and analytics data

• Logins, session times, features used (for service improvement)

• Error and outage logs

We do not process special categories of personal data (Art. 9 GDPR), such as health records, religious beliefs, or biometric data.

3. Purposes and Legal Bases for Processing

|---------|--------------------------|

PurposeLegal basis (GDPR Art. 6)
Providing and operating the serviceContract performance (Art. 6(1)(b))
User account creationContract performance (Art. 6(1)(b))
Billing and accountingLegal obligation (Art. 6(1)(c))
Transactional emailsContract performance (Art. 6(1)(b))
Marketing communicationsConsent (Art. 6(1)(a))
Service improvement and developmentLegitimate interest (Art. 6(1)(f))
Fraud prevention and securityLegitimate interest (Art. 6(1)(f))
Fulfilling legal obligationsLegal obligation (Art. 6(1)(c))

4. Recipients and Data Transfers

We do not sell your data. We share it only with necessary service providers (processors):

Infrastructure and authentication

• Supabase Inc. – database, authentication, storage (USA; EU Standard Contractual Clauses)

AI pipeline

• OpenAI, L.P. – text and image generation (USA; EU SCCs)

• ElevenLabs – voice synthesis (USA; EU SCCs)

Payments

• Stripe, Inc. – payment processing (USA/EU; adequacy framework)

Social networks (at your direction)

• Meta Platforms – publishing to Facebook/Instagram (per your integration)

• LinkedIn Corporation – publishing to LinkedIn (per your integration)

Analytics

• Internal anonymized analytics (no third-party analytics)

All processors are bound by a Data Processing Agreement (DPA) and are required to comply with GDPR.

We do not transfer data to third countries without appropriate safeguards (SCCs per Art. 46 GDPR).

5. Data Retention Periods

|-----------|-----------------|

After the retention period, data is securely deleted or anonymized.

Data typeRetention period
User account and profileDuration of contract + 30 days after cancellation
Campaigns and generated contentDuration of contract + 30 days
Billing records10 years (tax legal obligations)
Marketing consent2 years from grant or until withdrawal
Access logs12 months
Consent records5 years (for evidentiary purposes)

6. Your Rights (Art. 15–22 GDPR)

As a data subject you have the following rights, which we respond to within 30 days:

**Right of Access (Art. 15)** — You may request a copy of the personal data we process about you.

**Right to Rectification (Art. 16)** — You may request correction of inaccurate or completion of incomplete data.

**Right to Erasure / "Right to be Forgotten" (Art. 17)** — You may request deletion of your data where no legal basis for retention exists.

**Right to Restriction of Processing (Art. 18)** — You may request suspension of processing in certain circumstances.

**Right to Data Portability (Art. 20)** — You may receive your data in a machine-readable format (JSON/CSV) and transfer it to another controller.

**Right to Object (Art. 21)** — You may object to processing based on legitimate interest or for direct marketing purposes.

**Right to Withdraw Consent (Art. 7(3))** — Where processing is consent-based, you may withdraw consent at any time without affecting lawfulness of prior processing.

How to exercise your rights:

Email: [email protected]

We will respond within 30 days. For complex requests, the deadline may be extended by 60 days (we will notify you).

**Right to lodge a complaint:** You have the right to lodge a complaint with a supervisory authority — in the Czech Republic: Úřad pro ochranu osobních údajů (ÚOOÚ), www.uoou.cz. In your EU member state, contact your national DPA.

7. Cookies and Tracking Technologies

We use the following types of cookies:

Strictly necessary (always active)

• Authentication tokens (Supabase session)

• CSRF protection

• Language preferences

Analytics (with your consent)

• Anonymized feature usage logs

• Performance metrics

Marketing (with your consent)

• We do not currently use third-party marketing cookies.

You may manage or withdraw cookie consent via your browser settings or the consent banner on our website.

8. Security of Personal Data

We implement the following technical and organizational measures (TOMs):

• Data encryption at rest (AES-256) and in transit (TLS 1.3)

• Least-privilege access control

• Two-factor authentication for production system access

• Regular backups and recovery testing

• Pseudonymization of analytics data

• Access audit logs for data administration

• Regular security audits and penetration tests

In the event of a security incident affecting your personal data, we will notify you in accordance with Art. 34 GDPR and notify the supervisory authority within 72 hours per Art. 33 GDPR.

9. Processing of Minors' Data

The Virlya service is not intended for persons under 16. We do not knowingly collect data from minors. If we discover we have collected data from a person under 16 without parental consent, we will delete it immediately. Parents are encouraged to contact us at [email protected].

10. Automated Decision-Making and Profiling

Virlya uses AI to automatically generate content based on your inputs. This generation:

• Does not constitute automated decision-making with legal effects under Art. 22 GDPR

• Does not produce legally binding outputs

• Requires your approval before publishing

We do not use profiling for targeted advertising without your consent.

11. Policy Changes

We will notify you of material changes to this Policy by email at least 14 days in advance. The current version is always available at virlya.com/privacy. The date of last update is shown at the top of this document.

12. Contact and DPO

Controller:

[email protected]

Data Protection Officer (DPO):

[email protected]

Supervisory authority (Czech Republic):

Úřad pro ochranu osobních údajů (ÚOOÚ)

Pplk. Sochora 27, 170 00 Praha 7

www.uoou.cz

© 2026 Virlya s.r.o.