Unevello

Privacy Policy

Unevello.com

Effective from: 21 February 2026

1. INTRODUCTION

This Privacy Policy (hereinafter referred to as the "Policy") describes how Petr Jergon, Business ID: 02074079, with registered office at Štichova 581/23, Prague 11 – Háje, 149 00, Czech Republic (hereinafter referred to as the "Controller" or "we") collects, uses, stores and protects the personal data of users of the Unevello service, both through the website unevello.com and the UNEVELLO mobile application (hereinafter collectively referred to as the "Service").

This Policy complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (hereinafter referred to as "GDPR"), Czech Act No. 110/2019 Coll. on the processing of personal data, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy), and Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (hereinafter referred to as the "AI Act").

This Policy informs you about the processing of your personal data within the Service. Personal data is processed on the legal bases set out in Section 4 of this Policy. Where the legal basis is your consent, such consent will be requested separately and explicitly. If you do not agree with the processing conditions, please do not use the Service.

2. DATA CONTROLLER

Petr Jergon

Štichova 581/23

Prague 11 – Háje, 149 00

Czech Republic

Business ID: 02074079

VAT ID: CZ9112150047

Email: support@unevello.com

Data Protection Officer (DPO): Given the nature and scope of our personal data processing activities, no Data Protection Officer has been appointed pursuant to Article 37 of the GDPR. For any enquiries regarding the protection of personal data, please contact us at support@unevello.com.

3. WHAT DATA WE COLLECT

Data provided directly by you:

  • Email address – for account creation, delivery of the result link and communication
  • Test question responses – 7 answers from the initial self-discovery test
  • Message to your future self – an optional text you write for yourself
  • Delivery details – name, address, phone number (only when making a purchase)
  • Password – for logging in to the dashboard (stored exclusively as a one-way hash, never in readable form)
  • My Journey data – your personal goals, motivations, reasons for change, photos and responses in the AI chat
  • Daily Pulse data – daily mood entries and answers to reflective questions
  • Arena data – questionnaire responses, task completion reflections, optional photos and public nickname
  • Activities data – daily records of activity completion
  • SOS data – responses to the crisis support form
  • Month setup data – answers to personalisation questions for individual months
  • Checklist data – responses to monthly checklists
  • Support requests – subject line and message text submitted via the support form
  • Monthly reflection data – photos and written reflections for individual months of your journey
  • Achievement data – records of milestones and badges earned

Data collected automatically:

  • AI analyses and recommendations – personalised results, plans, evaluations and messages generated by artificial intelligence
  • AI profile – an automatically generated summary of your progress and behaviour within the Service, used for AI message personalisation
  • Technical data – IP address, browser type, language, device type, operating system, date and time of access
  • Cookies and similar technologies – essential cookies required for the Service to function (see Section 11)
  • Push notification token – a device identifier used for delivering notifications in the mobile app (not linked to your identity)
  • Platform data – information about whether you access the Service from an iOS or Android device (mobile app only)

4. PURPOSES OF PROCESSING AND LEGAL BASIS

Purpose of processing
Legal basis
Retention period
Provision of the Service (test, analysis, dashboard)
Performance of a contract (Art. 6(1)(b) GDPR)
Duration of the account
Delivery of the tag
Performance of a contract
10 years (accounting records)
Sending transactional emails and push notifications
Performance of a contract
Duration of the Service
Personalisation of content using AI
Performance of a contract / Legitimate interest (Art. 6(1)(f) GDPR – improving the user experience)
Duration of the account
Marketing communications (without purchase)
Consent (Art. 6(1)(a) GDPR)
Until unsubscribed
Marketing communications (after purchase)
Legitimate interest (Art. 6(1)(f) GDPR) in conjunction with Section 7(3) of Czech Act No. 480/2004 Coll. – direct marketing of similar services to existing customers
Until unsubscribed
Fraud prevention and rate limiting
Legitimate interest (prevention of fraud and misuse of the Service)
30 days
Analytics and service improvement
Consent (cookies) / Legitimate interest (improving service quality)
26 months
Delivery of push notifications (mobile app)
Consent (Art. 6(1)(a) GDPR)
Until the app is uninstalled or consent is withdrawn
Biometric authentication (Face ID / Touch ID)
Consent (Art. 6(1)(a) GDPR)
We do not process biometric data – see Section 6

For processing based on legitimate interest, we have carried out a proportionality assessment (balancing test) in accordance with Art. 6(1)(f) GDPR, concluding that our legitimate interests are not overridden by the rights and freedoms of data subjects. Details of this assessment are available upon request at support@unevello.com.

5. MOBILE APPLICATION

The Unevello Service is also available through the UNEVELLO mobile application for iOS and Android. The mobile application serves as an extension of the web platform and displays identical content via WebView technology.

Native features of the mobile application:

  • Push notifications – with your consent, we send you reminders and notifications. For this purpose, we store the push notification token of your device. The token is a technical identifier and is not linked to your name or email address. You may withdraw your consent to push notifications at any time in your phone settings.
  • Biometric authentication (Face ID / Touch ID) – the mobile application offers the option to log in using biometric verification. This feature is entirely optional. Biometric data (fingerprint, facial scan) is processed exclusively by the operating system of your device (Apple iOS / Google Android) and is never transmitted to our servers or to any third party. We do not collect, store or process any biometric data.
  • Camera and photo library – the application may request access to your camera or photo library for uploading photos in the Arena and My Journey sections. Photos are uploaded to our servers and encrypted. Access to the camera and photo library is entirely optional.
  • Offline mode – if an internet connection is unavailable, a local offline screen is displayed. No data is collected in this mode.

The mobile application does not collect location data, contacts, calendar information or any other data from your device sensors beyond what is described herein.

6. BIOMETRIC DATA

In accordance with Article 9 of the GDPR, we inform you that the Unevello service does not directly process biometric data. The Face ID and Touch ID functionality in the mobile application is handled by the operating system of your device. The application only receives information as to whether the authentication was successful (yes/no), without access to the biometric data itself.

The use of biometric authentication is entirely voluntary. If you prefer not to use it, you may log in using your email and password.

7. ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING

The Unevello Service uses artificial intelligence (Claude models by Anthropic) to provide personalised content. In accordance with Article 50 of the AI Act (Regulation (EU) 2024/1689) on transparency obligations, we inform you of the following:

Types of AI processing:

  • Initial test analysis – AI generates a personalised profile based on your answers
  • My Journey personalisation – AI conducts an interactive dialogue and helps you define your goals
  • Month setup – AI generates a personalised plan based on your answers
  • Activity recommendations – AI selects and recommends activities tailored to your profile
  • Checklist and activity evaluation – AI evaluates your responses and progress
  • Daily Pulse – AI evaluates overall mood trends after 30 entries
  • SOS support – AI generates a personalised response based on your situation. The AI response is intended solely for informational purposes and does not replace professional crisis assistance. If you are experiencing an acute crisis, please contact: Child helpline 116 111, Crisis helpline 116 123 or Emergency services 112.
  • Arena tasks – AI generates 24 personalised challenges based on your questionnaire
  • AI messages – AI generates weekly motivational messages based on your profile and progress
  • AI profile – AI creates a summary of your behaviour and progress for improved message personalisation

Important information about AI:

All content generated by artificial intelligence is intended solely for informational and motivational purposes and in no way replaces professional psychological, medical or other expert assistance.

AI-generated content may contain inaccuracies. The Controller shall not be liable for decisions made on the basis of AI content.

Your data is sent to the AI system in pseudonymised form (without direct identifiers such as your email address or name). Data is processed by Anthropic, PBC (see Section 9).

In accordance with Article 50(1) of the AI Act, we inform you that when using certain features of the Service (My Journey chat, SOS, AI messages) you are interacting with an AI system, not a human being.

Automated decision-making and profiling:

Within the Service, automated processing of personal data takes place, including profiling within the meaning of Article 22 of the GDPR. The AI system analyses your responses, mood records, activity completion and other data for the purpose of providing personalised content.

This processing does not produce legal effects nor does it similarly significantly affect you – it serves exclusively to personalise motivational and informational content within the Service.

You have the right to obtain human intervention, to express your point of view and to contest the decision. To exercise these rights, please contact us at support@unevello.com.

For the processing of personal data through artificial intelligence and automated profiling, we have carried out a Data Protection Impact Assessment (DPIA) in accordance with Article 35 of the GDPR, through which we have assessed and minimised the risks to your rights and freedoms.

8. ENCRYPTION AND DATA SECURITY

Your sensitive data is encrypted using AES-256-CBC, a banking-grade encryption standard.

Encrypted data includes:

  • Email address
  • Test question responses and AI analysis
  • Message to your future self
  • Delivery address and tag code
  • All My Journey data (goals, motivations, chat responses)
  • Arena reflections and responses
  • SOS responses
  • Month setup responses and AI plans
  • Daily Pulse entries (responses)
  • AI messages (titles and content)
  • AI user profiles
  • AI activity recommendation reasoning

Encryption keys are stored separately from the database and are accessible only to authorised personnel.

Both the website and the mobile application use the HTTPS protocol for secure communication.

9. SHARING DATA WITH THIRD PARTIES

We only share your data with trusted partners essential for the provision of the Service. All partners provide the same or equivalent level of personal data protection as described in this Policy.

Anthropic, PBC (Claude AI)

Purpose: Generation of AI analyses, personalised plans, evaluations, messages and tasks

Data shared: Pseudonymised responses and data (without direct identifiers such as email address or name)

Location: USA (EU Standard Contractual Clauses)

Retention by provider: Maximum 30 days; data is not used for model training

Stripe, Inc.

Purpose: Payment processing

Data shared: Email, payment details

Location: USA/EU (EU-U.S. Data Privacy Framework, EU Standard Contractual Clauses)

Note: We never see or store your card payment details. Processing is handled exclusively by Stripe.

Expo (Exponential, Inc.)

Purpose: Delivery of push notifications in the mobile application

Data shared: Device push notification token, notification content

Location: USA (EU Standard Contractual Clauses)

Google LLC (Analytics, Ads, Workspace)

Purpose: Traffic analytics, advertising conversion measurement, email communication

Data shared: Pseudonymised traffic and conversion data (with consent only), emails for customer communication

Location: USA/EU (EU-U.S. Data Privacy Framework, EU Standard Contractual Clauses)

Meta Platforms, Inc. (Facebook Pixel)

Purpose: Advertising effectiveness measurement (with consent only)

Data shared: Pseudonymised conversion data

Location: USA/EU (EU Standard Contractual Clauses)

TikTok (ByteDance Ltd.)

Purpose: Advertising effectiveness measurement (with consent only)

Data shared: Pseudonymised conversion data

Location: USA/EU/Singapore (EU Standard Contractual Clauses)

Shipping carriers

Purpose: Delivery of the tag

Data shared: Name, delivery address

Location: EU

10. YOUR RIGHTS

Under the GDPR, you have the following rights:

Right of access (Art. 15 GDPR)

You have the right to obtain confirmation as to whether we process your personal data, and if so, to access such data and information about the processing.

Right to rectification (Art. 16 GDPR)

You have the right to request the rectification of inaccurate data and the completion of incomplete data.

Right to erasure (Art. 17 GDPR)

You have the right to request the erasure of your personal data. You may request the deletion of your account and all associated data via the form in the dashboard (section "Delete my account") or by sending a request to support@unevello.com. We will verify your identity via the email address associated with your account. Erasure will be carried out without undue delay, and no later than one month from receipt of the request. In justified cases, the deadline may be extended by a further two months, of which we will inform you.

Please note: Certain data must be retained for the statutory period (e.g. accounting records for 10 years). Such data will be deleted upon expiry of the statutory period.

Right to restriction of processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your data under certain circumstances, for example where you contest the accuracy of the data.

Right to data portability (Art. 20 GDPR)

You have the right to receive your data in a structured, commonly used and machine-readable format (JSON) and to transmit it to another controller. You may request a data export at support@unevello.com.

Right to object (Art. 21 GDPR)

You have the right to object to processing based on legitimate interest. In the case of direct marketing, processing will be ceased immediately upon objection.

Right to withdraw consent (Art. 7(3) GDPR)

Where processing is based on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing carried out prior to its withdrawal.

Right in relation to automated decision-making (Art. 22 GDPR)

You have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you. The AI features in our Service are used exclusively to personalise content and do not produce legal or similarly significant effects.

Right to lodge a complaint

You have the right to lodge a complaint with the supervisory authority:

Office for Personal Data Protection

Pplk. Sochora 27

170 00 Prague 7

www.uoou.cz

11. COOKIES

Essential cookies (without consent)

These cookies are essential for the functioning of the Service and do not require your consent:

  • Session cookies – maintaining test state, dashboard login
  • Security cookies – fraud protection, rate limiting, CSRF protection
  • Remember me cookie (unevello_remember) – an optional cookie for remembering your login for 30 days. This cookie is only set if you actively check "Remember me" during login.
  • Cookie consent (unevello_consent) – storing your cookie preferences

Analytical and marketing cookies (with consent)

We use these cookies only with your explicit consent:

  • Google Analytics – traffic analysis (pseudonymised)
  • Google Ads – advertising conversion measurement
  • Meta Pixel – advertising conversion measurement
  • TikTok Pixel – advertising conversion measurement

You may change or withdraw your cookie consent at any time via the cookie settings on our website. Analytical and marketing cookies are loaded only after you grant your consent.

12. DATA RETENTION AND DELETION

Unpaid results: If you do not complete your purchase within 48 hours of finishing the test, your result (responses, AI analysis, message) is automatically and irreversibly deleted. Your email address is retained for marketing purposes based on the consent granted when you provided your email.

Dashboard and account: Your account data (Journey, Pulse, Arena, Activities, Checklists, SOS, messages) is retained for the duration of your account. Upon request for account deletion, all data will be irreversibly removed within one month, except for data we are required to retain for legal reasons.

Photos: Photos uploaded in the My Journey and Arena sections are retained for the duration of the account and deleted together with the account.

Push notification tokens: Tokens are automatically deactivated when the mobile application is uninstalled and deleted within 30 days of deactivation.

AI profiles and logs: User AI profiles and AI service usage logs are retained for the duration of the account. They are deleted when the account is deleted.

Accounting records: Data required for accounting and tax purposes (amount, date, transaction identifier) is retained for 10 years in accordance with Czech Act No. 563/1991 Coll. on accounting.

Support requests: Support tickets are retained for 2 years from resolution.

Unsubscribing from marketing: You may unsubscribe from marketing communications at any time:

  • By clicking the "Unsubscribe" link in the footer of each email
  • By sending a request to support@unevello.com

13. ARENA – PUBLICLY SHARED CONTENT

The Arena section contains a public feed (Victory cards) in which the following information about you may be displayed:

  • Nickname (chosen by you)
  • Country code (e.g. CZ, SK)
  • Category of the completed task
  • Text of your task reflection

This information is visible to other users of the Service. Before entering the Arena, you confirm your agreement to these sharing conditions. Your nickname is anonymous and is not linked to your name or email address.

Your real name, email address and other identifying information are never shared publicly.

14. ACCOUNT DELETION

You have the right to request complete deletion of your account and all associated personal data at any time. The account deletion option is easily accessible directly within the application.

You may request deletion:

  • Via the form in the dashboard (section "Delete my account")
  • By sending an email to support@unevello.com with the subject line "Delete account"

Upon receipt and verification of your request, we will carry out the deletion without undue delay, and no later than one month. In justified cases, the deadline may be extended by a further two months, of which we will inform you. Deletion includes:

  • All dashboard data (Journey, Pulse, Arena, Activities, Checklists, SOS, messages, achievements)
  • Your email, password and login credentials
  • Push notification tokens
  • AI analyses, profiles and messages
  • Uploaded photos

Exceptions: Accounting records will be retained for the statutory period of 10 years. If you have an active public Victory card in the Arena, it will be anonymised upon account deletion (reflection removed, nickname replaced with an anonymous label).

15. INTERNATIONAL DATA TRANSFERS

Some of our third-party service providers are located outside the European Economic Area (primarily in the USA).

For these transfers, we rely on lawful safeguards in accordance with Chapter V of the GDPR:

  • European Commission adequacy decision (EU-U.S. Data Privacy Framework, Decision 2023/1795) for providers certified under the DPF
  • Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914)
  • Binding Corporate Rules of providers

The lawful transfer mechanism for each provider is specified in Section 9.

16. SECURITY

We have implemented the following technical and organisational security measures:

  • AES-256-CBC encryption for all sensitive data
  • HTTPS (TLS) protocol for all communications
  • One-way password hashing (bcrypt)
  • Encryption keys stored separately
  • Restricted data access limited to authorised personnel only
  • Rate limiting and protection against attacks (CSRF, brute force)
  • Regular security updates
  • Automated deletion of inactive data (CRON processes)

In the event of a personal data breach, we will notify the competent supervisory authority without undue delay, and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will inform you directly in accordance with Article 34 of the GDPR.

17. AGE RESTRICTION

The Unevello Service is intended for persons aged 16 and over.

We do not knowingly collect data from persons under the age of 16. Persons under 16 may use the Service only with the consent of a legal guardian.

If we discover that we have collected data from a person under the age of 16 without the consent of a legal guardian, we will delete such data without delay. If you believe this has occurred, please contact us at support@unevello.com.

18. CHANGES TO THIS POLICY

We may update this Policy from time to time to reflect changes in our processing practices or in applicable legislation.

We will notify you of significant changes by email or by notice on the website and in the mobile application at least 14 days before the changes take effect.

The date of the last update is stated at the top of this document. We recommend that you review this Policy regularly.

19. CONTACT

If you have any questions regarding this Policy or the processing of your personal data, please contact us:

Email: support@unevello.com

Postal address:

Petr Jergon

Štichova 581/23

Prague 11 – Háje, 149 00

Czech Republic

We will respond to your enquiries no later than one month from receipt of the request.

This Privacy Policy takes effect on 21 February 2026.