Privacy Policy
We respect your privacy. This document explains how we process personal data in line with Regulation (EU) 2016/679 (GDPR).
1. Data controller
The controller is ROOT4U s.r.o., Company ID (IČO) 07669470, VAT ID CZ07669470, registered office Palackého 650, 512 51 Lomnice nad Popelkou, Czech Republic, recorded in the Commercial Register kept by the Regional Court in Hradec Králové, Section C, File 42802. Contact: [email protected], tel. +420 727 970 563, data box rmaqf4f.
2. What data we process and from where
- Registration and account: name, e-mail, company name, Company/VAT ID, password (stored encrypted).
- Billing and operational data entered into the system by the user (documents, contacts, products).
- Technical data: IP address, browser type, logs, cookies and analytics identifiers.
- Payment data to the extent necessary to bill the subscription.
We obtain data directly from you (registration, use of the service) and automatically from your device (technical data, cookies).
3. Purposes and legal bases
- Contract performance — providing the MEFYS service and support (Art. 6(1)(b) GDPR).
- Legal obligations — accounting and taxes (point (c)).
- Legitimate interest — security, abuse prevention and service improvement (point (f)).
- Consent — analytics cookies and marketing (point (a)); consent can be withdrawn at any time.
4. Controller and processor roles
For data that a customer (a company using MEFYS) enters about its own clients, the customer is the controller and ROOT4U s.r.o. acts as a processor under a data processing agreement provided on request.
5. Recipients and processors
We disclose personal data only to vetted processors offering sufficient guarantees:
- the server-infrastructure provider (data centre in the EU),
- the e-mail service provider,
- Google Ireland Ltd. — Google Analytics web analytics (only after your consent),
- Microsoft Corporation — Microsoft Clarity analytics (only after your consent),
- Web3Forms — delivery and anti-spam protection of messages sent via the website contact form,
- Intuition Machines, Inc. (hCaptcha) — protection of the contact form against bots and spam,
- Anthropic, PBC — AI document extraction: the content of a document uploaded by the user to the AI extraction feature is passed to this AI service provider as a processor for the sole purpose of automated data extraction. The data is not used by this provider to train AI models.
We do not pass data to other third parties for their own marketing.
AI document extraction: If you use the AI extraction feature, the content of the uploaded document (typically a received invoice or receipt, which may contain the supplier's personal data) is processed by Anthropic, PBC as our processor, solely for the purpose of extracting the data into a document draft. The output is always reviewed and approved by the user.
Connecting AI assistants (MCP): If you enable control of MEFYS via an AI assistant operated by a third party (e.g. over the MCP protocol), you originate that access: the personal data you request through the assistant is disclosed to that assistant's provider as a separate recipient chosen by you. MEFYS discloses data only within the scope of the permissions of the access key you created, and you can revoke that access at any time. The user is responsible for the selection and configuration of the third-party assistant.
6. Transfers outside the EU
Some processors (Google, Microsoft, Web3Forms, hCaptcha, Anthropic) may process data outside the EU. In that case the transfer is safeguarded by appropriate measures, in particular the EU Standard Contractual Clauses.
7. Retention
We keep data for the duration of the contract and further for the period required by law (in particular accounting documents for 10 years). Analytics data are retained for the periods stated in the Cookie Policy. Once the purpose is fulfilled, we delete or anonymise the data.
8. Automated decision-making and profiling
We do not carry out automated decision-making or profiling that would produce legal effects concerning you or similarly significantly affect you.
9. Your rights
- right of access, rectification and erasure,
- right to restriction of processing and to data portability,
- right to object and to withdraw consent at any time,
- right to lodge a complaint with a supervisory authority — in the Czech Republic the Office for Personal Data Protection (uoou.cz).
10. Data Protection Officer (DPO)
Given the nature and scope of processing, we are not legally required to appoint a DPO and none is appointed. For data-protection matters, contact [email protected].
11. Security
We protect data with encryption of transport and passwords, two-factor login, permission management (roles) and database-level isolation of each company’s data. Data is stored in the EU.
12. Contact
For personal-data matters contact [email protected] or see Contact.
Last updated: 20 June 2026.
