GDPR · Virlya
Personal Data Processing Policy (GDPR)
Effective April 15, 2025
Virlya s.r.o. ("Virlya", "controller") processes your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Czech law. This policy describes what data we collect, how we use it, who we share it with, and what rights you have.
Virlya s.r.o.
Registered office: Prague, Czech Republic
Controller email: [email protected]
Data Protection Officer (DPO): [email protected]
We process the following categories of personal data:
Identity and contact data
• Name, email address (at registration)
• IP address, browser type, device identifier (technical logs)
Company and profile data
• Company name, website, product description, target audience (entered at onboarding)
• Brand colors, tone of communication
Content and campaigns
• Campaign briefs, Q&A answers, uploaded branding documents
• Generated content (posts, images), approved campaign plans
Payment data
• Billing details (processed by third-party payment gateway; we do not store card numbers)
Operational and analytics data
• Logins, session times, features used (for service improvement)
• Error and outage logs
We do not process special categories of personal data (Art. 9 GDPR), such as health records, religious beliefs, or biometric data.
|---------|--------------------------|
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing and operating the service | Contract performance (Art. 6(1)(b)) |
| User account creation | Contract performance (Art. 6(1)(b)) |
| Billing and accounting | Legal obligation (Art. 6(1)(c)) |
| Transactional emails | Contract performance (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
| Service improvement and development | Legitimate interest (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interest (Art. 6(1)(f)) |
| Fulfilling legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not sell your data. We share it only with necessary service providers (processors):
Infrastructure and authentication
• Supabase Inc. – database, authentication, storage (USA; EU Standard Contractual Clauses)
AI pipeline
• OpenAI, L.P. – text and image generation (USA; EU SCCs)
• ElevenLabs – voice synthesis (USA; EU SCCs)
Payments
• Stripe, Inc. – payment processing (USA/EU; adequacy framework)
Social networks (at your direction)
• Meta Platforms – publishing to Facebook/Instagram (per your integration)
• LinkedIn Corporation – publishing to LinkedIn (per your integration)
Analytics
• Internal anonymized analytics (no third-party analytics)
All processors are bound by a Data Processing Agreement (DPA) and are required to comply with GDPR.
We do not transfer data to third countries without appropriate safeguards (SCCs per Art. 46 GDPR).
|-----------|-----------------|
After the retention period, data is securely deleted or anonymized.
| Data type | Retention period |
|---|---|
| User account and profile | Duration of contract + 30 days after cancellation |
| Campaigns and generated content | Duration of contract + 30 days |
| Billing records | 10 years (tax legal obligations) |
| Marketing consent | 2 years from grant or until withdrawal |
| Access logs | 12 months |
| Consent records | 5 years (for evidentiary purposes) |
As a data subject you have the following rights, which we respond to within 30 days:
**Right of Access (Art. 15)** — You may request a copy of the personal data we process about you.
**Right to Rectification (Art. 16)** — You may request correction of inaccurate or completion of incomplete data.
**Right to Erasure / "Right to be Forgotten" (Art. 17)** — You may request deletion of your data where no legal basis for retention exists.
**Right to Restriction of Processing (Art. 18)** — You may request suspension of processing in certain circumstances.
**Right to Data Portability (Art. 20)** — You may receive your data in a machine-readable format (JSON/CSV) and transfer it to another controller.
**Right to Object (Art. 21)** — You may object to processing based on legitimate interest or for direct marketing purposes.
**Right to Withdraw Consent (Art. 7(3))** — Where processing is consent-based, you may withdraw consent at any time without affecting lawfulness of prior processing.
How to exercise your rights:
Email: [email protected]
We will respond within 30 days. For complex requests, the deadline may be extended by 60 days (we will notify you).
**Right to lodge a complaint:** You have the right to lodge a complaint with a supervisory authority — in the Czech Republic: Úřad pro ochranu osobních údajů (ÚOOÚ), www.uoou.cz. In your EU member state, contact your national DPA.
We use the following types of cookies:
Strictly necessary (always active)
• Authentication tokens (Supabase session)
• CSRF protection
• Language preferences
Analytics (with your consent)
• Anonymized feature usage logs
• Performance metrics
Marketing (with your consent)
• We do not currently use third-party marketing cookies.
You may manage or withdraw cookie consent via your browser settings or the consent banner on our website.
We implement the following technical and organizational measures (TOMs):
• Data encryption at rest (AES-256) and in transit (TLS 1.3)
• Least-privilege access control
• Two-factor authentication for production system access
• Regular backups and recovery testing
• Pseudonymization of analytics data
• Access audit logs for data administration
• Regular security audits and penetration tests
In the event of a security incident affecting your personal data, we will notify you in accordance with Art. 34 GDPR and notify the supervisory authority within 72 hours per Art. 33 GDPR.
The Virlya service is not intended for persons under 16. We do not knowingly collect data from minors. If we discover we have collected data from a person under 16 without parental consent, we will delete it immediately. Parents are encouraged to contact us at [email protected].
Virlya uses AI to automatically generate content based on your inputs. This generation:
• Does not constitute automated decision-making with legal effects under Art. 22 GDPR
• Does not produce legally binding outputs
• Requires your approval before publishing
We do not use profiling for targeted advertising without your consent.
We will notify you of material changes to this Policy by email at least 14 days in advance. The current version is always available at virlya.com/privacy. The date of last update is shown at the top of this document.
Controller:
Data Protection Officer (DPO):
Supervisory authority (Czech Republic):
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
www.uoou.cz