1. Data Controller Identification and Contact Details
The data controller of your personal data is:
Vaybr s.r.o.
Trieda Andrea Hlinku 606/39
949 01 Nitra, Slovak Republic
Business ID: 55656641
Tax ID: 2122052691
Registered in the Commercial Register of the District Court Nitra, Section Sro, Insert No. 55656/N
Contact details:
privacy@berelevant.ai
+421 XXX XXX XXX
https://berelevant.ai
Data Protection Officer (DPO):
For questions regarding the protection of your personal data, you can contact us at:
privacy@berelevant.ai
2. What Personal Data We Process
Depending on how you use our BeRelevant platform, we process the following categories of personal data:
2.1 Registration and Account Data
- • Email address (required)
- • First and last name (optional)
- • Company name (optional)
- • Password (hashed, not stored in readable form)
2.2 Data Related to Service Provision
- • URL of the brand website you want to monitor
- • Keywords and queries for monitoring in AI search engines
- • User settings and preferences (language, notifications)
2.3 Billing Data (paid plans only)
- • Payment data (processed via Stripe, we do not store card numbers)
- • Billing data (name/company name, address, Business ID, Tax ID)
- • Payment and invoice history
2.4 Technical and Analytical Data
- • IP address
- • Browser type and version
- • Device type and operating system
- • Platform usage data (pages visited, features used, time spent)
- • Cookies (see section 8)
2.5 Communication Data
- • Communications with customer support
- • Consent for marketing communications (only with your consent)
3. Purpose and Legal Basis for Processing Personal Data
We process your personal data only on the basis of a valid legal basis under Art. 6(1) GDPR. Below is an overview of the purposes of processing, relevant data, and legal bases:
| Purpose of Processing | Data Processed | Legal Basis (GDPR) | Retention Period |
|---|---|---|---|
| Creation and management of user account | Email, password (hash), name (optional), company name (optional) | Contract performance – Art. 6(1)(b) GDPR | For the duration of the account + 5 years after cancellation (limitation period) |
| Providing GEO monitoring services | Brand URL, keywords, settings, usage data | Contract performance – Art. 6(1)(b) GDPR | For the duration of the account + 30 days after cancellation (for account recovery) |
| Payment processing and invoicing | Billing data, payment data (via Stripe), invoice history | Contract performance – Art. 6(1)(b) GDPR + Legal obligation – Art. 6(1)(c) GDPR (accounting laws) | 10 years (Act No. 431/2002 Coll. on Accounting) |
| Technical operation and platform security | IP address, cookies (necessary), technical device data | Legitimate interest – Art. 6(1)(f) GDPR (security, abuse prevention) | 12 months |
| Analytics and service improvement | Anonymized usage data, analytical cookies | Consent – Art. 6(1)(a) GDPR (from January 1, 2024 in Slovakia) | 26 months |
| Marketing communications (newsletter, tips) | Email, name, communication preferences | Consent – Art. 6(1)(a) GDPR | Until consent is withdrawn |
| Customer support | Email, communication content, account data | Contract performance – Art. 6(1)(b) GDPR + Legitimate interest – Art. 6(1)(f) GDPR | 3 years |
Withdrawal of consent:
In cases where the legal basis is your consent, you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. You can withdraw consent in your account settings or by contacting privacy@berelevant.ai.
4. Recipients of Personal Data and International Transfers
We may share your personal data with the following categories of recipients:
4.1 Processors (Subcontractors)
To provide our services, we work with trusted processors. We have data processing agreements with all processors under Art. 28 GDPR:
Stripe, Inc.
Payment processing
USA (certified under EU-U.S. Data Privacy Framework)
GDPR-compliant, Standard Contractual Clauses (SCC)
Supabase, Inc.
Database storage and authentication
USA/EU (data stored in EU region)
GDPR-compliant, SOC 2 Type II certified
Vercel Inc.
Web application hosting
USA (certified under EU-U.S. Data Privacy Framework)
GDPR-compliant, Standard Contractual Clauses (SCC)
OpenAI, L.L.C.
AI API for ChatGPT queries (brand URL and keywords only, no personal data)
USA (certified under EU-U.S. Data Privacy Framework)
Data Processing Addendum (DPA) under GDPR
Anthropic PBC
AI API for Claude queries (brand URL and keywords only, no personal data)
USA (certified under EU-U.S. Data Privacy Framework)
GDPR-compliant, Data Processing Addendum
Google LLC
AI API for Gemini queries (brand URL and keywords only, no personal data)
USA (certified under EU-U.S. Data Privacy Framework)
GDPR-compliant, EU Data Processing Terms
4.2 International Transfers of Personal Data
Some of our processors are based in the USA. Personal data transfers to the USA are secured through:
EU-U.S. Data Privacy Framework (DPF)
Stripe, Vercel, OpenAI, Anthropic, and Google are certified under the EU-U.S. Data Privacy Framework, which has been recognized by the European Commission as providing an adequate level of protection for personal data (Commission Implementing Decision (EU) 2023/1795).
Standard Contractual Clauses (SCC)
As additional safeguard, we use Standard Contractual Clauses approved by the European Commission under Art. 46(2)(c) GDPR.
Compliance with GDPR Chapter V
All transfers of personal data to third countries comply with the requirements of GDPR Chapter V and the Schrems II decision (CJEU C-311/18).
4.3 Public Authorities
We may provide your personal data to public authorities (police, courts, tax authorities) if required by law or necessary to protect our rights.
5. Data Retention Period
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:
- Active account:
- For the duration of the contractual relationship (while the account is active)
- Cancelled account:
- 30 days for account recovery (if user changes mind), then 5 years (limitation period for contract rights)
- Invoices and accounting documents:
- 10 years (Act No. 431/2002 Coll. on Accounting)
- Marketing consents:
- Until consent is withdrawn by user
- Analytical data:
- 26 months (in accordance with CNIL and ÚOOÚ SR recommendations)
- Technical logs (IP addresses, security):
- 12 months
- Customer support communications:
- 3 years
Automatic data deletion
After the retention period expires, your personal data will be automatically and securely deleted from our systems (including backups).
6. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR. You can exercise these rights by contacting privacy@berelevant.ai or through your account settings:
6.1 Right of Access (Art. 15 GDPR)
You have the right to obtain confirmation from us as to whether we process your personal data and, if so, the right to access such data and information about how it is processed.
6.2 Right to Rectification (Art. 16 GDPR)
You have the right to rectification of inaccurate personal data and to complete incomplete personal data.
6.3 Right to Erasure – "Right to be Forgotten" (Art. 17 GDPR)
You have the right to request erasure of your personal data if: (a) the data is no longer necessary for the purpose for which it was collected, (b) you withdraw consent and there is no other legal basis for processing, (c) you object to processing, (d) the data was processed unlawfully, or (e) the data must be erased to comply with legal obligation.
6.4 Right to Restriction of Processing (Art. 18 GDPR)
You have the right to restrict processing of your personal data in certain cases (e.g., during verification of data accuracy or when objecting to processing).
6.5 Right to Data Portability (Art. 20 GDPR)
You have the right to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and the right to transmit that data to another controller.
6.6 Right to Object (Art. 21 GDPR)
You have the right to object at any time to processing of your personal data based on legitimate interest (Art. 6(1)(f) GDPR) or public interest. In case of marketing communications, you have an absolute right to object.
6.7 Right Not to be Subject to Automated Decision-Making Including Profiling (Art. 22 GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Note that BeRelevant does not use automated decision-making that has legal effects on users.
6.8 Right to Withdraw Consent (Art. 7(3) GDPR)
In cases where processing is based on your consent, you have the right to withdraw this consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
6.9 Right to Lodge a Complaint with Supervisory Authority (Art. 77 GDPR)
If you believe that the processing of your personal data violates GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement.
How to exercise your rights
- • In writing at: privacy@berelevant.ai
- • Through your account settings (access, rectification, data export, account deletion)
- • We will respond to your request within 30 days of receipt. In complex cases, we may extend this period by an additional 60 days, and we will inform you accordingly.
7. Personal Data Security
We take the security of your personal data very seriously. We have implemented appropriate technical and organizational measures to protect your data from unauthorized access, loss, destruction, or unauthorized disclosure:
Data encryption
- • Encryption in transit (TLS/SSL certificates – HTTPS)
- • Encryption at rest (AES-256 for database)
Access control
- • User passwords stored in hashed form (bcrypt)
- • Role-based access control (RBAC) – data access only to authorized employees
- • Support for two-factor authentication (2FA/MFA) for user accounts
Infrastructure security
- • Hosting with certified providers (Vercel, Supabase) with ISO 27001 and SOC 2 certification
- • Regular data backups (encrypted)
- • 24/7 security incident monitoring
Organizational measures
- • Regular employee training on personal data protection
- • Internal policies and procedures for personal data processing
- • Contracts with processors containing data security guarantees (Art. 28 GDPR)
Security incident response
In case of a personal data breach, we will fulfill our notification obligation to the Slovak Data Protection Office within 72 hours of discovering the incident (Art. 33 GDPR) and, in case of high risk to your rights, we will inform you without undue delay (Art. 34 GDPR).
8. Cookies and Similar Technologies
Our website uses cookies and similar technologies. Detailed information about cookies, their types, and how to manage them can be found in our separate Cookie Policy.
Brief overview:
- • Necessary cookies: Used for basic website functionality (login, security, CSRF protection). No consent required.
- • Functional cookies: Remember preferences (language, theme). Consent required.
- • Analytical cookies: Measure website traffic and usage. Consent required (from January 1, 2024 in Slovakia under Act No. 452/2021 Coll.).
- • Marketing cookies: Advertising campaigns and retargeting. Consent required.
Cookie management
You can change your cookie preferences at any time via the "Cookie Settings" button in our website footer or in your browser settings.
Read our complete Cookie Policy9. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
Change notifications
We will inform you of any material changes:
- • Via email to your registered email address (for material changes)
- • By posting a notice on our website
- • By updating the "Last updated" date at the top of this document
Consent to changes
By continuing to use our platform after changes are published, you express consent to the updated policy. If you do not agree with the changes, you have the right to cancel your account.
10. Contact Information and Filing Complaints
Data controller contact details
If you have any questions about this Privacy Policy or how we process your data, contact us:
Email (preferred): privacy@berelevant.ai
Postal address: Vaybr s.r.o., Trieda Andrea Hlinku 606/39, 949 01 Nitra, Slovak Republic
Phone: +421 XXX XXX XXX
Data Protection Officer (DPO) contact
Email: privacy@berelevant.ai
Supervisory Authority – Personal Data Protection Office of the Slovak Republic
If you believe that the processing of your personal data violates GDPR or Act No. 18/2018 Coll. on Personal Data Protection, you have the right to lodge a complaint with the supervisory authority:
Personal Data Protection Office of the Slovak Republic (ÚOOÚ SR)
Hraničná 12, 820 07 Bratislava 27, Slovak Republic
Phone: +421 2 3231 3214
Email: statny.dozor@pdp.gov.sk
Website: https://dataprotection.gov.skOnline complaint form: https://www.dataprotection.gov.sk/uoou/sk/content/podajte-podnetOnline Dispute Resolution (ODR)
Consumers can use the European Commission's Online Dispute Resolution platform (ODR):
https://ec.europa.eu/consumers/odr