Privacy Policy

Information on the processing of personal data within the Codrik.ai service operated by Revify s.r.o.

Effective from: April 27, 2026

Version 1.0

This Privacy Policy (the "Policy") describes how Revify s.r.o., with its registered office at Na Čečeličce 425/4, 150 00 Praha 5 — Smíchov, Czech Republic, Company ID (IČO): 23002891, VAT ID: CZ23002891 (the "Company", "Revify" or the "Controller"), processes the personal data of users of the Codrik.ai platform and related services (Codrik Builder, Codrik Redesigner, CodrikFlow and Codrik Hosting). The processing complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), Czech Act No. 110/2019 Coll. on Personal Data Processing (the "PDPA"), Czech Act No. 480/2004 Coll. on Certain Information Society Services, and Czech Act No. 89/2012 Coll., the Civil Code (the "Civil Code"). Effective from: 27 April 2026. The legally binding language version of this Policy is the Czech version; other language versions (English, German) are convenience translations only.

1. Identification of the Controller and Contact Details

The data controller within the meaning of Art. 4(7) GDPR is Revify s.r.o., registered with the Commercial Register kept by the Municipal Court in Prague.

  • Company name: Revify s.r.o.
  • Registered office: Na Čečeličce 425/4, 150 00 Praha 5 — Smíchov, Czech Republic
  • Company ID (IČO): 23002891
  • VAT ID: CZ23002891
  • Support email: info@codrik.ai
  • Privacy email: info@codrik.ai

Revify s.r.o. has not appointed a Data Protection Officer (DPO), as such appointment is not mandatory pursuant to Art. 37 GDPR and Section 14 of the PDPA. All inquiries, requests for the exercise of data subject rights and complaints should be directed to info@codrik.ai or by post to the registered office of the Controller.

2. Binding Language Version

This Policy is issued in Czech, English and German. In the event of any discrepancy, inconsistency or doubt in interpretation between the language versions, the Czech version shall prevail and shall be legally binding. The English and German versions are provided solely for the user's convenience and are not authoritative.

3. Description of the Service and Processing Context

Codrik.ai is a platform for the automated creation of websites by means of artificial intelligence. The user describes their objective in natural language (text or voice), or alternatively provides a link to an existing website or uploads visual materials, and the system, based on these inputs, generates a fully functional website using large language models (LLMs) and image generation models.

The service is offered as an hourly rental of computational capacity (CZK 490 per hour, no subscription); optional hosting is available (CZK 249 per month). The average website is completed in approximately 35 minutes. Sub-products include Codrik Builder (the main generator), Codrik Redesigner (redesign of existing websites), CodrikFlow (white-label solution for agencies) and Codrik Hosting.

The target audience consists of both natural persons (students, freelancers, individuals) and legal entities and self-employed persons (agencies, businesses). This Policy applies to both groups, with the qualification that GDPR protection extends only to natural persons.

4. Categories of Personal Data Processed

The Controller processes the following categories of personal data of users and persons entering into a contractual or pre-contractual relationship with it:

4.1 Identification and Contact Data

  • First name and surname
  • Billing address
  • Email address
  • Phone number (optional)

4.2 Account Data

  • Login (email)
  • Password as a security hash (the password is never stored in readable form)
  • Language preferences of the user interface
  • Appearance settings (e.g. light/dark mode)

4.3 Billing and Payment Data

  • VAT ID and Company ID for business users
  • Billing address
  • Payment transaction identifier provided by the payment processor (Stripe, ComGate)
  • Tax document (invoice) number

Payment card data (card number, CVV, expiration) is entered directly on the secure platforms of the payment service providers. Revify has no access to such data and does not store it.

4.4 Service Usage Data

  • Text prompts (input submitted to the generator)
  • Uploaded image files
  • Pasted URLs of existing websites (within Codrik Redesigner)
  • Voice recordings made when using voice mode
  • Generated outputs (generated websites, images, code)
  • IP address
  • Device and browser information (User-Agent)
  • Timestamps of individual actions

4.5 Cookies and Analytics Data

  • Essential session cookies (necessary for the operation of the service)
  • Functional cookies (e.g. saving preferences)
  • Optional analytics cookies (only with consent)
  • Optional marketing cookies (only with consent)

6. Recipients and Processors of Personal Data

In providing the service, the Controller cooperates with carefully selected processors within the meaning of Art. 28 GDPR, with whom the Controller has concluded data processing agreements. The current list of processors:

6.1 AI Model Providers

  • OpenAI, L.L.C., 3180 18th Street, San Francisco, CA 94110, USA — image generation and editing via the gpt-image-2 and gpt-image-1 models. Transfer of data to the USA is based on the Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914 and within the framework of the EU–US Data Privacy Framework (DPF).
  • Anthropic, PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104, USA — generation of text and program code of websites via the Claude API interface. Transfer of data to the USA is based on SCCs and DPF.
  • ElevenLabs Inc., 169 Madison Avenue, STE 2683, New York, NY 10016, USA — transcription of voice recordings made in voice mode (Conversational AI Widget, agent agent_6001kcw018qze6x9k16vfqx2fz7q). Transfer of data to the USA is based on SCCs.

6.2 Hosting and Technical Infrastructure

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Federal Republic of Germany — primary hosting and data storage. The servers are located in the Falkenstein and Nuremberg data centres (Germany), i.e. within the European Economic Area (EEA); no international transfer outside the EEA takes place.
  • Proprietary email infrastructure operated by the Controller on Hetzner servers (Postfix) — sending of transactional and notification emails. No external email service provider is involved.

6.3 Payment Services

  • Stripe Payments Europe, Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland — payment card processing. Registered office in the EU; primary processing takes place within the EEA.
  • ComGate Payments, a.s., Gočárova třída 1754/48b, 500 02 Hradec Králové, Czech Republic, Company ID: 27924505 — local Czech payment methods (bank transfers, payment buttons). Processing takes place in the Czech Republic.

6.4 Accounting and Invoicing Services

  • Fakturoid s.r.o., Sokolovská 408/51, 186 00 Praha 8 — Karlín, Czech Republic, Company ID: 24148237 — issuance and recording of tax documents. Processing takes place in the Czech Republic.

The Controller does not provide personal data to any other third parties, except where required by law (in particular to public authorities within their statutory scope of competence).

7. International Transfers of Personal Data

In accordance with the duty to inform pursuant to Art. 13(1)(f) GDPR, we hereby disclose that part of the processing of personal data takes place in third countries outside the European Economic Area, specifically in the United States of America. Such transfers concern the processors listed in Section 6.1 (OpenAI, Anthropic, ElevenLabs).

Transfers to the USA are secured by the following appropriate safeguards within the meaning of Art. 46 GDPR:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021
  • Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU–US Data Privacy Framework (where the relevant processor is certified)
  • Contractual prohibition of onward transfer without adequate safeguards
  • Supplementary technical measures (encryption in transit and at rest, minimization of transferred data)

The data subject has the right to obtain a copy of the said Standard Contractual Clauses upon a request sent to info@codrik.ai.

8. Retention Periods

Personal data is retained only for the period strictly necessary to fulfil the purpose of processing, or for the period prescribed by law. Specific retention periods:

  • User account data: for the duration of the account and a further 30 days after its termination (technical retention to allow for restoration)
  • Prompts and generated outputs: 90 days from their creation; in cases where the user uses the Codrik Hosting service and actively elects to retain them, for the duration of the hosting contract
  • Voice recordings: not stored long-term; following transcription, audio files are deleted within 7 days at the latest
  • Billing and accounting data: 10 years from the end of the accounting period pursuant to Sections 31 and 32 of Czech Act No. 563/1991 Coll. on Accounting
  • Records of granted consent: for the duration of the consent and a further 3 years following its withdrawal (to demonstrate the lawfulness of processing)
  • Operational (server) logs: 30 days
  • Data for the establishment, exercise or defence of legal claims: for the duration of the relevant statute of limitations under Section 629 et seq. of the Civil Code, generally 3 years, in special cases up to 10 years

Upon expiry of the above periods, personal data is irreversibly deleted or anonymized so that it cannot be attributed to a specific natural person.

9. Cookies and Similar Technologies

The Codrik.ai websites and applications use cookies and similar technologies in accordance with Section 89 of Czech Act No. 127/2005 Coll. on Electronic Communications, as amended, and Czech Act No. 480/2004 Coll. on Certain Information Society Services.

We classify cookies into the following categories:

  • Essential (necessary) cookies — required for login functionality, session security and basic features. These cookies cannot be refused, as the service does not function without them. Legal basis: legitimate interest pursuant to Art. 6(1)(f) GDPR and the exemption under Section 89(3) of Act No. 127/2005 Coll.
  • Functional cookies — store user settings (language, appearance). Legal basis: legitimate interest.
  • Analytics cookies — measure traffic and user behaviour to improve the service. Only with the user's consent pursuant to Art. 6(1)(a) GDPR.
  • Marketing cookies — for advertising targeting. Only with the user's consent.

The user grants consent to non-mandatory cookies via the cookie banner upon first visit to the website and may change or withdraw such consent at any time in the cookie settings section, or directly via their browser settings.

10. Automated Processing and Use of Artificial Intelligence

A key element of the Codrik.ai service is the processing of user inputs (prompts) by means of large language models and image generation models provided by third parties (OpenAI, Anthropic, ElevenLabs). In this connection, the Controller expressly informs users that:

  • User inputs (prompts, uploaded images, voice recordings) are transferred to the processors listed in Section 6.1 solely for the purpose of generating the requested output.
  • Pursuant to the contractual arrangements (Business / API terms) concluded between Revify and the providers OpenAI and Anthropic, customer inputs are NOT used for training or further improvement of the AI models of those providers. This fact is contractually guaranteed.
  • Generated outputs (text, images, code) are the product of a statistical model and do not constitute decisions based solely on automated processing within the meaning of Art. 22 GDPR, as they produce no legal effects on the user nor similarly significantly affect the user.
  • The user bears responsibility for the way the generated outputs are used and for the compliance of such outputs with applicable law (e.g. copyright, protection of personality, competition law).

The Controller does not carry out profiling of users within the meaning of Art. 4(4) GDPR for the purpose of decision-making with legal or similarly significant effects.

11. Rights of the Data Subject

The data subject has the following rights vis-à-vis the Controller pursuant to Art. 15 to 22 and Art. 77 GDPR:

  • Right of access to personal data (Art. 15 GDPR) — to obtain confirmation as to whether the Controller processes the data subject's personal data and to receive a copy of such data
  • Right to rectification (Art. 16 GDPR) — to correct inaccurate or complete incomplete data
  • Right to erasure, the so-called "right to be forgotten" (Art. 17 GDPR) — to request deletion of personal data when no longer necessary, where consent has been withdrawn, where data has been processed unlawfully, etc.
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR) — to receive personal data in a structured, commonly used and machine-readable format
  • Right to object to processing (Art. 21 GDPR), in particular processing based on legitimate interest
  • Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR) — this right has limited application in the context of Codrik.ai, as generator outputs do not constitute automated decisions producing legal effects on the user
  • Right to withdraw consent granted (Art. 7(3) GDPR), at any time and free of charge

11.1 How to Exercise the Rights

A request may be submitted by email to info@codrik.ai or in writing to the registered office of the Controller. The Controller shall handle the request without undue delay, but in any event within one month of receipt pursuant to Art. 12(3) GDPR. This period may be extended by a further two months in the case of complex or numerous requests, in which case the Controller shall inform the data subject. Requests are handled free of charge; for manifestly unfounded or excessive requests, the Controller may charge a reasonable fee or refuse the request.

11.2 Right to Lodge a Complaint with the Supervisory Authority

Pursuant to Art. 77 GDPR and Section 38 of the PDPA, the data subject has the right to lodge a complaint with the supervisory authority, which in the Czech Republic is:

  • Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ)
  • Address: Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
  • Phone: +420 234 665 111
  • Web: www.uoou.gov.cz
  • Email: posta@uoou.gov.cz

12. Security of Personal Data

In accordance with Art. 32 GDPR, the Controller has implemented appropriate technical and organizational measures to ensure the security of personal data and to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access. The measures implemented include in particular:

  • Encryption of data in transit using the TLS protocol (HTTPS)
  • Encryption of sensitive data at rest
  • Hashing of passwords using robust algorithms (bcrypt/argon2)
  • Multi-factor authentication for administrative access
  • Regular access management and the principle of least privilege
  • Audit logs of access to personal data
  • Regular backups with backup encryption
  • Operation of infrastructure in secure Hetzner data centres in Germany (ISO 27001)
  • Regular software updates and security patching
  • Internal training of the Controller's staff in personal data protection

In the event of a personal data breach likely to result in a high risk to the rights and freedoms of natural persons, the Controller acts pursuant to Art. 33 and 34 GDPR and notifies the breach to the ÚOOÚ within 72 hours and, in justified cases, also informs the affected data subjects.

14. Changes to the Privacy Policy

The Controller is entitled to unilaterally amend and update this Policy, in particular as a result of changes in legislation, technological developments, expansion of the service offering, or the involvement of new processors. The current version is always available on the website codrik.com under "Privacy Policy".

The Controller shall inform users of substantial changes to the Policy by email sent to the address registered in the user account or by a prominent notice in the service interface, at least 30 days before the changes take effect. If the user does not agree with the changes, the user is entitled to terminate the user account.

15. Final Provisions and Contact

This Privacy Policy enters into effect on 27 April 2026 and supersedes all previous versions. Matters not addressed by this Policy shall be governed by the GDPR, Czech Act No. 110/2019 Coll., Czech Act No. 89/2012 Coll. (the Civil Code) and other generally binding legal regulations of the Czech Republic.

For any inquiries, requests or complaints, please contact the Controller:

  • Revify s.r.o., Na Čečeličce 425/4, 150 00 Praha 5 — Smíchov
  • Company ID (IČO): 23002891, VAT ID: CZ23002891
  • General support: info@codrik.ai
  • Personal data protection: info@codrik.ai

Supervisory authority: Office for Personal Data Protection, Pplk. Sochora 27, 170 00 Praha 7, www.uoou.gov.cz.