Privacy Policy

1. Data Controller

The data controller is:
Marmalade skies s.r.o.
IČO: 24372901
Bělehradská 858/23, 120 00 Praha, Czech Republic
Email: hello@marmaladeskies.dev

We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR.

2. Information We Collect

We may collect the following data:

• Account data: name, email address, password hash, role, company/workspace details.
• Client and document tracking data: document names, due dates, statuses, notes, communication history, and uploaded files.
• Billing data: subscription plan, payment status, and invoice-related details (payments are processed by third parties).
• Technical data: IP address, browser type, device information, log records, and usage events.
• Connected Storage Data: If a workspace owner connects an external storage provider (such as Google Drive), we process files uploaded through the application and store references (such as file identifiers, folder IDs, and integration tokens) required to operate the service.

3. Role of the Parties (Controller vs Processor)

For account, billing, and service usage data, Marmalade skies s.r.o. acts as a data controller.

For Customer Data uploaded to the service by or on behalf of a workspace owner (including client records, documents, and related metadata), Marmalade skies s.r.o. acts as a data processor on behalf of the workspace owner, who is the data controller.

We process Customer Data only on documented instructions from the workspace owner, as set out in our Data Processing Agreement, unless otherwise required by applicable law.

Our Data Processing Agreement (DPA) forms part of our Terms and applies to all processing of Customer Data where we act as processor. A copy is available on request at hello@marmaladeskies.dev.

4. How We Use Your Information

We use personal information to:

• Provide and operate the application.
• Manage document workflows, reminders, deadlines, and client communication.
• Authenticate users and maintain account security.
• Store and manage documents in connected external storage providers (such as Google Drive) when enabled by the workspace owner.
• Provide support and respond to your requests.
• Process subscriptions and billing operations.
• Monitor performance, troubleshoot issues, and improve the product.
• Comply with legal obligations.

5. Legal Bases for Processing

Depending on your location, we process personal data based on:

• Contract necessity (to provide the service you requested).
• Legitimate interests (service security and quality).
• Legitimate interests for B2B customer relationship management, including service-related email communication with business contacts.
• Consent (where required, e.g., certain cookies).
• Compliance with legal obligations.
• For Customer Data, processing is performed on behalf of the workspace owner under a Data Processing Agreement.

6. Sharing and Disclosure of Data

We do not sell personal data. We may share information with:

• Subprocessors and service providers that support platform operations, including hosting/infrastructure, email delivery, analytics, and payment processing.
• Infrastructure and storage providers (such as cloud hosting providers and, where explicitly connected by the user, external storage services like Google Drive). These providers process data only to the extent necessary to provide the requested storage functionality.
• Professional advisors and authorities when required by law or to protect rights and safety.
• A successor entity in case of merger, acquisition, or asset transfer.

A current list of subprocessors is available at: /subprocessors

7. Data Retention

We retain personal data according to the following periods:

• Account data: for as long as the account is active and up to 12 months after deletion.
• Billing data: retained for 10 years in line with Czech tax and accounting obligations.
• Log data: retained for up to 12 months.
• Backup copies: retained for up to 35 days.

8. Security

We implement appropriate technical and organizational measures to protect personal data, including access controls, encrypted connections, and monitoring.

When Google Drive integration is enabled, files are stored in the user's own Google Drive account. We only access files created through the application using the limited Google Drive scope (drive.file) and do not access unrelated files in the user's Drive. The application does not access, read, or scan existing files in the user's Google Drive outside of files created or uploaded through the service.

9. Security Incident and Data Breach Notification

We implement appropriate technical and organizational measures to protect personal data.

In the event of a personal data breach, we will:

• promptly investigate and assess the scope and impact of the incident,
• take appropriate measures to contain, mitigate, and remediate the breach,
• notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, where required by applicable law,
• notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

Where applicable, notifications will include the nature of the breach, categories of affected data, likely consequences, and measures taken or proposed to address the breach.

We will document all personal data breaches as required under Article 33 GDPR.

10. International Data Transfers

Our primary hosting infrastructure is located in the European Union (including Czech Republic and other EU member states). Some service providers (for example payment and email providers) may process personal data in countries outside the European Economic Area (EEA), including the United States.

Where required, we rely on an adequacy decision or implement appropriate safeguards such as the European Commission's Standard Contractual Clauses (SCCs).

You can request more information about the transfer mechanism applicable to your data by contacting hello@marmaladeskies.dev.

11. Cookies and Analytics

We may use cookies and similar technologies to keep you signed in, remember preferences, measure usage, and improve the service. You can manage cookies in your browser settings.

12. Your Data Protection Rights

We believe users should have clear control over their personal data. All DocTracker users have the following rights regarding their personal information:

• Access the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request deletion of your personal data.
• Request restriction of certain processing activities.
• Object to specific types of data processing.
• Request a copy of your personal data in a portable format.
• Withdraw consent where processing is based on consent.

To exercise these rights, contact us using the details below.

We respond to privacy requests within one month where required by applicable data protection laws, including GDPR.

You also have the right to lodge a complaint with the Czech supervisory authority:
Úřad pro ochranu osobních údajů (ÚOOÚ)
https://www.uoou.cz

If your request relates to Customer Data processed on behalf of a workspace owner, you should contact that workspace owner first as the data controller. We will assist the workspace owner as required by applicable law.

13. Children's Privacy

Our service is not intended for children under 16 (or the minimum age in your jurisdiction), and we do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date.

15. Contact Us

For privacy questions or requests, contact:
Marmalade skies s.r.o.
IČO: 24372901
Bělehradská 858/23, 120 00 Praha, Czech Republic
Email: hello@marmaladeskies.dev

For requests related to Customer Data in a specific workspace, please contact the relevant workspace owner (data controller) first.