Privacy Policy

Česká verze

1. Data Controller

Recofy is operated by Bc. Martin Vlasák, an individual entrepreneur (OSVČ) registered in the Czech Republic under Company ID (IČO) 69530319, with registered office at Studnická 2115/53, Horní Počernice, 193 00 Praha 9, Czech Republic ("Recofy", "we", "us"). We provide an AI-powered product recommendation service for e-commerce stores on the Shoptet platform. The relationship with merchants is governed by our Terms of Service; personal data processing is governed by our Data Processing Agreement (DPA).

Contact:

2. Who this policy applies to

This policy describes how we handle data of:

3. What data we collect

3.1 From merchants

3.2 From end users of merchant e-shops (anonymous visitors)

We do not collect: names, emails, phone numbers, browser fingerprints, demographic data, financial data of end users, or precise geolocation. IP addresses arrive in HTTP headers, but Recofy does not actively store or process them - platform infrastructure logs may temporarily contain them (see §10).

3.3 From Google APIs (with merchant consent)

When a merchant connects their Google Analytics 4 property, we access:

We do not access: user-level personal data, demographics, campaign or source/medium attribution, revenue breakdowns, conversions outside purchase, custom audiences, or any other GA4 dimensions.

Limited Use disclosure (Google API): Recofy's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use the data exclusively for the cold-start feature of our recommendation models. We do not transfer the data to third parties except as necessary to operate the feature (Google Cloud Vertex AI Search for Commerce). We do not use the data for advertising purposes. Human access to the data is limited - only (a) with the user's explicit consent for support, (b) for security purposes, (c) to comply with applicable law, or (d) for internal operations on aggregated/anonymized data.

4. How we use the data

Data Purpose Legal basis (GDPR)
Merchant identificationProvision of the serviceContract (Art. 6(1)(b))
Encrypted OAuth tokensAuthentication with Shoptet and GoogleContract
Anonymous browsing eventsGenerating recommendationsEnd-user consent obtained by the Merchant (Art. 6(1)(a)); Recofy processes as a Processor under the DPA
Billing dataSubscription managementContract
Support emailsCustomer supportContract
GA4 historical eventsCold-start of recommendation modelsEnd-user consent obtained by the Merchant in GA4 (Art. 6(1)(a)); Recofy processes as a Processor under the DPA

Anonymous end-user browsing events are processed by Recofy as a Processor on behalf of the Merchant (Controller), on the basis of the end-user consent obtained by the Merchant (the e-shop's cookie banner) and the Data Processing Agreement (DPA). Without consent, the Recofy widget and tracker do not set any cookies.

5. Data retention

6. Sub-processors

Sub-processorPurposeLocation
Google Cloud Platform (Cloud Run, Vertex AI Search for Commerce)Compute, AI recommendationsEU
Supabase (PostgreSQL)DatabaseEU
UpstashRedis cacheEU
StripePayment processingEU + US (Stripe is its own controller; DPF)
ResendTransactional emailEU

Sub-processors are bound by data processing agreements in accordance with GDPR Art. 28. Details (including change notifications and the right to object) are set out in our DPA.

7. International transfers

Most processing occurs within the EU. Stripe processes payment data partially in the US under the EU–U.S. Data Privacy Framework (adequacy decision). Other sub-processors operate in the EU only.

8. Your rights (GDPR)

You have the right to access, rectification, erasure, restriction of processing, portability, and to object. You may lodge a complaint with the Czech Office for Personal Data Protection (www.uoou.cz). To exercise your rights, contact [email protected] - we respond within 30 days.

9. Automated decision-making

Product recommendations are generated by an automated system (Vertex AI Search for Commerce). These recommendations serve solely to display relevant products to end users of the e-shop - they have no legal or similarly significant effects on end users and do not constitute automated decision-making within the meaning of GDPR Art. 22.

10. Security

Breach notification: In the event of a personal data breach, we will notify affected merchants without undue delay, no later than 72 hours after becoming aware, in accordance with GDPR Art. 33. Details are set out in our Data Processing Agreement.

11. Cookies

Recofy uses a single cookie on merchant e-shops (_vtx_vid, described in §3.2) only after the visitor consents via the merchant's cookie banner.

The recofy.cz website uses only essential cookies and its own cookie banner.

12. Changes to this policy

Material changes will be notified to merchants by email at least 14 days in advance. The current version is always available at recofy.cz/privacy.

13. Disconnecting Google Analytics

A merchant can disconnect their GA4 integration at any time from the Recofy admin dashboard. Disconnection:

  1. Revokes the refresh token (we call Google's OAuth revocation endpoint).
  2. Deletes the encrypted token and connection metadata from our database.
  3. Imported events remain in Vertex AI Search for Commerce for the lifetime of the account; they can be deleted on request to [email protected] within 30 days.

Effective from: June 1, 2026 · Version: 1.0