MEFYS
← Back to site Try it free

Privacy Policy

We respect your privacy. This document explains how we process personal data in line with Regulation (EU) 2016/679 (GDPR).

1. Data controller

The controller is ROOT4U s.r.o., Company ID (IČO) 07669470, VAT ID CZ07669470, registered office Palackého 650, 512 51 Lomnice nad Popelkou, Czech Republic, recorded in the Commercial Register kept by the Regional Court in Hradec Králové, Section C, File 42802. Contact: [email protected], tel. +420 727 970 563, data box rmaqf4f.

2. What data we process and from where

We obtain data directly from you (registration, use of the service) and automatically from your device (technical data, cookies).

3. Purposes and legal bases

4. Controller and processor roles

For data that a customer (a company using MEFYS) enters about its own clients, the customer is the controller and ROOT4U s.r.o. acts as a processor under a data processing agreement provided on request.

5. Recipients and processors

We disclose personal data only to vetted processors offering sufficient guarantees:

We do not pass data to other third parties for their own marketing.

AI document extraction: If you use the AI extraction feature, the content of the uploaded document (typically a received invoice or receipt, which may contain the supplier's personal data) is processed by Anthropic, PBC as our processor, solely for the purpose of extracting the data into a document draft. The output is always reviewed and approved by the user.

Connecting AI assistants (MCP): If you enable control of MEFYS via an AI assistant operated by a third party (e.g. over the MCP protocol), you originate that access: the personal data you request through the assistant is disclosed to that assistant's provider as a separate recipient chosen by you. MEFYS discloses data only within the scope of the permissions of the access key you created, and you can revoke that access at any time. The user is responsible for the selection and configuration of the third-party assistant.

6. Transfers outside the EU

Some processors (Google, Microsoft, Web3Forms, hCaptcha, Anthropic) may process data outside the EU. In that case the transfer is safeguarded by appropriate measures, in particular the EU Standard Contractual Clauses.

7. Retention

We keep data for the duration of the contract and further for the period required by law (in particular accounting documents for 10 years). Analytics data are retained for the periods stated in the Cookie Policy. Once the purpose is fulfilled, we delete or anonymise the data.

8. Automated decision-making and profiling

We do not carry out automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you.

9. Your rights

10. Data Protection Officer (DPO)

Given the nature and scope of processing, we are not legally required to appoint a DPO and none is appointed. For data-protection matters, contact [email protected].

11. Security

We protect data with encryption of transport and passwords, two-factor login, permission management (roles) and database-level isolation of each company’s data. Data is stored in the EU.

12. Contact

For personal-data matters contact [email protected] or see Contact.

Last updated: 20 June 2026.