GDPR

1. Who is the controller

Trenér svobody s.r.o., company ID: 142 43 440, registered office at Velehradská 2340/7, Vinohrady, 130 00 Prague 3, Czech Republic, entered in the Commercial Register kept by the Municipal Court in Prague.

We operate the Hermes Journal service (the "service") available at hermesjournal.com. For privacy matters, contact us at [email protected].

2. What data we process

Identification and contact data — name, e‑mail, phone, billing details (if you provide them).
Telegram identifiers — Telegram ID, username, profile picture, the content of messages you send us.
Voice recordings — temporarily, for transcription to text. Recordings are deleted after transcription.
Journal content — texts, photos, links, interpretations and reflections you create within the service.
Payment data — amount, subscription type, payment status. We never see card numbers or CVV codes — Stripe handles those.
Operational and technical data — IP address, access log, browser type, pages you visited.

3. Why we process data and on what legal basis

Purpose	Legal basis	Retention
Providing the service — journaling via Telegram chat and AI interpretations	Performance of contract	Term of subscription + 12 months
Accounting and tax documents	Legal obligation (VAT and accounting acts)	10 years
Sending commercial messages to existing clients (newsletter)	Legitimate interest — you can opt out any time	Until opt-out, max 10 years from the last payment
Marketing messages to non-clients	Explicit consent	Until consent is withdrawn, max 5 years
Protection against abuse, dispute resolution, complaints	Legitimate interest	Service term + 4 years

4. Who we share data with (processors)

Some tasks are handled by vetted vendors. All are bound by a data processing agreement and must keep the same level of protection as we do. For processors outside the EU (typically the USA) we use EU Standard Contractual Clauses for data transfer.

Telegram FZ‑LLC (UAE) — the messenger platform you chat with Hermes through.
Anthropic, PBC (USA) — Claude API, the AI model that understands your entries and generates interpretations. Anthropic does not use API content to train models.
OpenAI, LLC (USA) — Whisper API for voice transcription. Recordings are processed once and not used for training.
Stripe Payments Europe, Ltd. (Ireland, USA) — payment processing. Card details are only visible to Stripe.
ThriveCart, LLC (USA) — checkout and subscription management. Sees name, e‑mail, billing details and subscription state; card numbers and CVV are only visible to Stripe.
Hetzner Online GmbH (Germany) — server capacity on which the service runs.
Cloudflare, Inc. (USA) — DNS, CDN and DDoS protection for hermesjournal.com.
Google Ireland Limited (Ireland, USA) — Gmail (transactional e‑mails), optionally Google Analytics 4.
Ecomail s.r.o. (Czech Republic) — newsletter and commercial message delivery (if you opted in).

We update this list whenever a vendor changes. For a full current list of sub-processors, write to [email protected].

5. Automated decision-making and AI

The service uses AI (Claude, Whisper) to understand your entries and generate interpretations and connections. This is not automated decision-making with legal effects under Article 22 GDPR — every meaningful step (creating an entry, editing it, sharing it) is triggered by you. The AI is a tool, not a decision-maker.

6. Your rights

As a data subject, you have the right to:

know what data we hold about you (access);
request correction of inaccurate data;
request erasure (unless we must keep it by law, e.g. invoices);
request restriction of processing;
request portability in a machine-readable format;
object to processing based on legitimate interest;
withdraw consent for marketing any time — just click in an e‑mail or write to us;
lodge a complaint with the supervisory authority, the Czech Office for Personal Data Protection.

Contact for exercising rights: [email protected]. We reply within 30 days at the latest.

7. Cookies and tracking

On hermesjournal.com we use only technical cookies necessary for operation. Analytics or marketing cookies are deployed only with your explicit consent in the cookie bar.

8. Security

All communication is encrypted (HTTPS/TLS).
Passwords and API keys are stored in encrypted storage.
Servers run in Europe (Hetzner, Germany).
Data is regularly backed up.
Access to data is limited to a narrow circle of people who need it.

9. Changes to this document

We may update this document occasionally — typically when a vendor changes or the service expands. The current version is always at hermesjournal.com/en/gdpr/. We will notify you of material changes by e‑mail.

Your data is safe.