Privacy Policy

Semperia (Semperia, ID: pending registration, registered office: EU-based service operator) is the data controller for personal data processed via this service. For data protection questions, contact us at privacy@semperia.eu.

• Account data: full name, email, phone number, hashed password.
• Content: video, voice and text messages you upload — stored as ciphertext, encrypted with a per-user key.
• Recipient data: names you provide for message recipients and trusted contacts.
• Payment data: order amount, tier, Stripe session ID. Card details are handled by Stripe; we never store them.
• Usage data: QR scan logs (timestamp, IP, user agent), notification delivery status.
• Technical data: cookies for session management, error logs (Sentry).

• Contract performance (GDPR Art. 6(1)(b)): providing the service, processing payments, sending notifications.
• Legitimate interest (Art. 6(1)(f)): security, anti-abuse, rate-limiting, error monitoring.
• Legal obligation (Art. 6(1)(c)): retaining order records for tax purposes (Czech law: 10 years).

We use the following third parties to operate the service. Each is bound by a data processing agreement.

• Supabase Inc. (US, with EU data hosting) — authentication, database
• Cloudflare R2 (US/global) — encrypted media storage
• Stripe Payments Europe (Ireland) — payment processing
• Twilio Inc. (US) — SMS notifications and phone verification
• Resend (US, with EU region) — transactional email
• Vercel Inc. (US) — application hosting
• Sentry (US, with EU region) — error monitoring

Transfers to the United States rely on Standard Contractual Clauses (SCCs) under GDPR Art. 46(2)(c). Where available, we configure providers to keep data in the EU.

• Account data and content: while your account is active. After deletion, removed from primary storage immediately and from backups within 30 days.
• Payment records: 10 years (Czech accounting law).
• Scan logs: 12 months for security and abuse investigation.
• Error logs (Sentry): 30 days.

You have the right to:

• Access your data — use Settings → Export data, or email us.
• Rectify inaccurate data — edit in Settings, or email us.
• Delete your account — use Settings → Delete account.
• Portability — the export feature provides a machine-readable JSON.
• Restrict or object to processing — email us.
• Withdraw consent at any time (where consent is the basis).
• Lodge a complaint with the Czech Office for Personal Data Protection (ÚOOÚ, uoou.cz) or your local supervisory authority.

Message content is encrypted at rest using AES-256-GCM with per-user keys wrapped by a master key held in a KMS. Connections use TLS 1.2+. We do not have access to your payment card details (handled by Stripe).

No system is 100% secure. If we discover a personal data breach, we will notify affected users without undue delay (and the supervisory authority within 72 hours) as required by GDPR Art. 33–34.

We use only essential cookies for authentication (session). We do not use tracking, advertising, or analytics cookies. No cookie banner is shown because no consent is required for essential cookies under ePrivacy.

The service is not directed at children under 16. We do not knowingly process data from children under 16. If we discover such processing, we will delete the account.

We may update this policy. Material changes will be communicated by email at least 14 days before they take effect. The current version always shows the "Last updated" date.

Semperia, EU-based service operator
Email: privacy@semperia.eu