DataPalo

Privacy Policy


Effective Date: March 16, 2026 | Version: 1.0 | Website: www.datapalo.app

Section 1

Introduction


Welcome to DataPalo. We are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our service at www.datapalo.app.

DataPalo is a SaaS data analysis platform that enables users to upload CSV and Excel files and receive AI-powered insights, charts, and reports. This policy applies to all users of our service, including those on our Free tier and PRO subscription plan.

By creating an account or using DataPalo, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our service.

Section 2

Data Controller


The data controller responsible for your personal data is:

Organization           Details
Company Name           FORGE CREATIVE | AI Job Agency
Contact Person         Michael Dedecek
Email                  michael@agentforge.tech
Alt. Email             michael@forgecreative.cz
Country                Czech Republic (EU Member State)
Supervisory Authority  ÚOOÚ — Czech Data Protection Authority

Section 3

What Data We Collect


We collect different categories of personal data depending on how you interact with DataPalo. Below is a comprehensive overview of the data we process.

3.1 Account Information

When you create a DataPalo account, we collect:

  • Name: Your full name as provided during registration
  • Email: Used for authentication, account management, and communication
  • Authentication data: Managed securely through Supabase, supporting email/password and Google OAuth

3.2 Payment Information

If you subscribe to our PRO plan (€29/month), payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. DataPalo does not store, process, or have access to your full credit card numbers.

3.3 Uploaded Data

When you use DataPalo to analyze data, you upload CSV or Excel files. These files may contain personal data depending on their content. We process this data solely to provide you with AI-powered analysis, insights, charts, and reports.

Important: You are responsible for ensuring you have the right to upload and process any data contained in your files. Do not upload sensitive personal information unless you have a lawful basis to do so.

3.4 Analysis Results

We generate and store AI-produced insights, charts, and reports based on your uploaded data. These results are associated with your account.

3.5 Usage Data and Analytics

We automatically collect usage data through analytics tools:

  • Page views, navigation patterns, and feature usage
  • Click events, scroll depth, and interaction data
  • Session recordings and heatmaps (via Hotjar)
  • Browser type, device info, OS, and screen resolution
  • IP address (anonymized where possible)
  • Referral source and session duration

Section 4

How We Use Your Data


  • Service Delivery: Processing and analyzing your uploaded CSV/Excel files using AI models (Anthropic Claude and Google Gemini) and sandboxed code execution (E2B).
  • Account Management: Creating and maintaining your user account, managing authentication, and providing access to your analysis history.
  • Payment Processing: Processing PRO subscription payments through Stripe, managing your subscription status.
  • Email Communications: Sending welcome emails, service notifications, and (with your consent) marketing communications via Mailchimp.
  • Analytics and Improvement: Understanding how users interact with DataPalo to improve our features and UI using Google Analytics 4 and Hotjar.
  • Research-Augmented Analysis: For PRO users, enriching data analysis with contextual web research via Exa Neural Search.
  • Legal Compliance: Fulfilling our legal obligations, including tax record-keeping.
  • Security: Detecting, preventing, and addressing fraud, abuse, and security incidents.

Section 5

Legal Basis for Processing


Under the GDPR, we process your personal data based on the following legal grounds as set out in Article 6(1):

5.1 Performance of a Contract — Art. 6(1)(b)

Processing your account data and uploaded files is necessary to perform our contract with you — i.e., to deliver the DataPalo service you signed up for.

5.2 Consent — Art. 6(1)(a)

We rely on your explicit consent for:

  • Setting non-essential cookies (analytics and behavioral tracking)
  • Sending marketing email communications via Mailchimp
  • Google OAuth authentication (when you choose to sign in with Google)

5.3 Legitimate Interests — Art. 6(1)(f)

We rely on our legitimate interests for analyzing aggregated usage patterns, maintaining platform security, and internal business administration.

5.4 Legal Obligation — Art. 6(1)(c)

We process certain data where required by law, such as retaining payment records for tax compliance under Czech law.

Section 6

Data Sharing & Third-Party Processors


We do not sell your personal data. We share data only with trusted third-party service providers ("processors") who assist us in operating DataPalo. Each processor is bound by a Data Processing Agreement (DPA).

Processor           Purpose                      Data Processed             Location
Supabase            Authentication & database    Name, email, account data  US
Stripe              Payment processing           Payment & billing data     US
Anthropic (Claude)  AI data analysis             Uploaded file contents     US
Google (Gemini)     AI data analysis             Uploaded file contents     US
E2B                 Sandboxed code execution     Data for analysis          EU
Mailchimp (Intuit)  Email marketing              Name, email                US
Vercel              Hosting & deployment         Usage data, IP addresses   US
Google Analytics 4  Website analytics            Usage data, device info    US
Hotjar              Behavioral analytics         Clicks, scrolls, sessions  EU (Malta)
Exa Neural Search   Research augmentation (PRO)  Search queries             US

Section 7

International Data Transfers


As DataPalo is operated from the Czech Republic (EU) but relies on several US-based service providers, your personal data may be transferred outside the European Economic Area (EEA).

We ensure compliance through:

  • EU-US Data Privacy Framework (DPF): We use processors certified under the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): For transfers not covered by an adequacy decision, we rely on the European Commission's SCCs (2021/914).
  • Supplementary Measures: Where necessary, we implement additional technical and organizational measures, such as encryption in transit and at rest.

Section 8

Data Retention


We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law.

Data Category               Retention Period                              Rationale
Account data (name, email)  Until account deletion + 30 days              Service delivery; grace period for reactivation
Authentication credentials  Until account deletion                        Managed by Supabase
Uploaded files (CSV/Excel)  Processed in memory; not permanently stored   Data minimization
Analysis results            Until account deletion or manual deletion     User access to past analyses
Payment records             10 years after transaction                    Czech tax law (Act No. 563/1991 Coll.)
Google Analytics data       14 months (GA4 default)                       Analytics improvement
Hotjar data                 365 days                                      Behavioral analytics defaults
Mailchimp data              Until consent withdrawal or account deletion  Email marketing

Section 9

Your Rights Under GDPR


As a data subject under the GDPR and the Czech Personal Data Processing Act (Act No. 110/2019 Coll.), you have the following rights:

  • Right of Access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Art. 17): You may request deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing (Art. 18): You may request that we limit the processing of your personal data.
  • Right to Data Portability (Art. 20): You may request to receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): You may object to the processing of your personal data based on legitimate interests.
  • Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw it at any time.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Czech Data Protection Authority (ÚOOÚ).

How to Exercise Your Rights

To exercise any of these rights, please contact us at michael@agentforge.tech. We will respond within 30 days, as required by the GDPR.

Supervisory Authority Contact

ÚOOÚ — Úřad pro ochranu osobních údajů

www.uoou.cz · posta@uoou.gov.cz

Pplk. Sochora 27, 170 00 Prague 7, Czech Republic

Section 10

Cookies & Tracking Technologies


DataPalo uses cookies and similar technologies to provide, secure, and improve our service. In accordance with Czech law, we require your opt-in consent before setting any non-essential cookies.

10.1 Essential Cookies

These cookies are strictly necessary. They enable core functionality like authentication. They cannot be disabled.

  • Supabase session cookies: Maintain your logged-in state

10.2 Analytics Cookies

These cookies are set only with your consent:

  • Google Analytics 4 (G-FQ11DN6HD9) — Anonymized page views and engagement metrics
  • Hotjar (6601763) — Anonymized session recordings and heatmaps

Section 11

Data Security


We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS.
  • Encryption at Rest: Data stored in our database (Supabase) is encrypted at rest using AES-256.
  • Secure Authentication: Supabase handles authentication with industry-standard security practices.
  • PCI DSS Compliance: All payment data is processed by Stripe, PCI DSS Level 1 certified.
  • Sandboxed Execution: Data analysis code runs in isolated, sandboxed environments (E2B).
  • Access Controls: Access to user data is strictly limited and follows the principle of least privilege.

Section 12

Children's Privacy


DataPalo is not directed at children. In accordance with Czech law, the minimum age for providing consent is 15 years. We do not knowingly collect personal data from individuals under 15.

Section 13

Changes to This Policy


We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Notify registered users via email about significant changes
  • Display a prominent notice on our website

Section 14

Contact Us


If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Method               Details
Email (Primary)      michael@agentforge.tech
Email (Alternative)  michael@forgecreative.cz
Website              www.datapalo.app
Data Controller      FORGE CREATIVE | AI Job Agency — Czech Republic

We aim to respond to all inquiries within 30 days.

DataPalo — AI-Powered Data Analysis
www.datapalo.app | michael@agentforge.tech

© 2026 FORGE CREATIVE | AI Job Agency. All rights reserved.