Privacy Policy
Your privacy matters. This policy explains what personal data we collect, how we use and share it, your rights, and how to reach us with privacy questions.
Last updated: June 15, 2026 (version 2026-06-15)
1. Introduction and Scope
Inkansen s.r.o., a private limited liability company incorporated under the laws of the Czech Republic, with its registered office at Osadní 932/38, 170 00 Praha 7, Czech Republic, and Business Identification Number (IČO): [IČO NUMBER] (referred to in this policy as "InkRider", "we", "us", or "our"), is committed to protecting your personal information. Inkansen s.r.o. is the data controller for personal data processed in connection with the Service described below.
This Privacy Policy describes the personal data we collect, how we use and share it, the legal bases for processing where applicable, your rights, and how to contact us.
This policy applies to the InkRider website (inkrider.com), the InkRider Word add-in, and all related services, support channels, and communications (collectively, the "Service"). It does not apply to third-party services that you may use in connection with the Service, such as Lemon Squeezy's billing and checkout pages or Microsoft's Office add-in infrastructure, which are governed by their own privacy policies.
If you are located in the European Economic Area (EEA), the United Kingdom, Switzerland, or another jurisdiction with comprehensive data protection laws, this policy provides the additional information required by those frameworks, including the GDPR, UK GDPR, and CCPA/CPRA.
2. Information We Collect
Account and Registration Data: When you create an account, we collect your full name, email address, and optionally your company or organisation name. Registration and authentication are handled through Firebase Authentication (Google Cloud). We also record the date and time of your most recent sign-in for security and support purposes. For abuse prevention, we maintain a rolling history (typically up to 90 days) of sign-in events that may include timestamp, IP address, browser or client user-agent, and which InkRider client surface you signed into (for example, the Word add-in or the account dashboard).
Billing and Subscription Data: When you purchase a paid plan, Lemon Squeezy (our merchant of record) provides InkRider with transaction identifiers, subscription plan details, subscription status, renewal dates, billing country, tax status, customer portal access links, and your email address, as needed to provision and manage your access. InkRider does not receive or store your full payment card number, card verification code, or bank account credentials. Those are handled exclusively by Lemon Squeezy on its secured, PCI-compliant checkout pages.
Usage and Technical Data: We may collect certain technical information when you access the Service, including IP address, browser type and version, operating system, referring URLs, and actions taken within authenticated areas of the website. This data is used for security monitoring, abuse prevention, and maintaining service integrity.
Error and Crash Data: We use Sentry (Functional Software, Inc.) to capture application errors and crash reports when they occur. Reports may include technical context such as browser version, operating system, a pseudonymous user identifier, and a partial stack trace. No passwords, payment details, or document content are included in error reports.
Support and Communications Data: When you contact us by email or through support channels, we retain the contents of that correspondence, including your email address and any details you voluntarily share to resolve your issue.
Cookies and Local Storage: We use strictly necessary session cookies and local storage for authentication, secure session maintenance, and interface preference storage. See our Cookie Policy for details.
3. How We Use Your Information
We use your personal data to:
• Provide, operate, maintain, and improve the Service;
• Create and manage your account, authenticate your identity, and maintain secure sessions;
• Process and manage your subscription, including provisioning access and keeping billing status synchronized;
• Send transactional and account communications, including subscription confirmations, billing notifications, security alerts, and password resets;
• Respond to your support requests and communications;
• Detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents;
• Comply with applicable legal obligations, resolve disputes, and enforce our Terms of Service;
• Maintain internal business records and conduct aggregate, non-identifying analysis of how the Service is used.
We do not sell, trade, or rent your personal information to third parties. We do not use your personal information to serve targeted or behavioral advertising.
4. Legal Bases for Processing (GDPR / UK GDPR)
If you are located in the EEA, UK, or Switzerland, we rely on the following legal bases to process your personal data:
Performance of a Contract: Processing your account information, billing data, and subscription status is necessary for us to provide and manage the Service you have requested and to fulfill our agreement with you.
Legal Obligation: Certain processing is required to comply with applicable laws, including tax and accounting obligations, fraud prevention requirements, and mandatory data protection obligations.
Legitimate Interests: We process limited technical and usage data to maintain the security and integrity of the Service, prevent abuse, ensure reliable operation, and capture error diagnostics for troubleshooting. We have assessed these interests against your rights and freedoms and expect the privacy impact to be minimal given the purely operational nature of this processing.
Consent: Where you have opted in to receive marketing or newsletter communications during registration, we rely on your consent to send those communications. You may withdraw this consent at any time, either by using the Communications Preferences section in your dashboard account settings, by clicking the unsubscribe link in any marketing email, or by contacting us at privacy@inkrider.com. Withdrawal of consent does not affect the lawfulness of processing that took place before withdrawal.
5. Sharing Your Information
We do not sell your personal data. We share your information only in the following limited circumstances:
Service Providers (Sub-processors): We share personal data with third-party providers who process data on our behalf, subject to written confidentiality and data processing obligations. Current sub-processors include: Firebase / Google Cloud (authentication and user profile database), Cloudflare (website hosting, CDN, and access logs), Lemon Squeezy (merchant of record and billing processor), Sentry / Functional Software, Inc. (error monitoring and crash reporting), and PostHog, Inc. (anonymous in-app usage analytics, consent-gated, EU data residency).
Client-side application delivery: The Service is delivered as a web application. In addition to resources served from InkRider's hosting infrastructure, your browser may fetch certain application components (such as scripting libraries, editor modules, or runtime bundles) from public content delivery networks, including jsDelivr and unpkg, when those components are not served directly from our origin. These requests are initiated by your device to load software required to operate the Service; they do not include your account credentials, document content, or payment information. CDN operators may process technical connection data (such as IP address and requested URL) in accordance with their own privacy policies.
Legal Compliance and Safety: We may disclose your information where required by applicable law, regulation, court order, or governmental authority; to enforce our Terms of Service; to protect the rights, property, or safety of InkRider, our users, or third parties; or in connection with fraud prevention or security investigations.
Business Transfers: If InkRider undergoes a merger, acquisition, financing, reorganization, insolvency proceeding, or sale of all or a substantial portion of its assets or equity, your information may be transferred to the acquiring or successor entity. We will notify you via email or a website notice before your data becomes subject to a materially different privacy policy.
With Your Consent: We may share your information for any other purpose if you expressly consent to that sharing.
6. Billing and Transaction Data
When you subscribe to a paid plan, the payment transaction is processed by Lemon Squeezy, who acts as the merchant of record and is an independent data controller with respect to payment processing, tax compliance, and checkout. Their handling of your payment information, including card number, billing address, and banking credentials, is governed by Lemon Squeezy's own privacy policy and PCI DSS standards.
Lemon Squeezy shares with InkRider only the subscription and billing metadata necessary to provision your access, maintain your subscription status, and support your account. This includes your email address, subscription plan and tier, subscription status, renewal date, billing country, tax status, and customer portal link.
InkRider stores this metadata in our account database (hosted by Firebase / Google Cloud Firestore) to manage your access to the Service. We retain it for the duration of your account and for the period required for tax, accounting, and dispute resolution purposes thereafter.
7. Cookies and Tracking Technologies
At the time of this policy's publication, InkRider uses only strictly necessary authentication cookies and functional local storage to maintain secure user sessions and store user interface preferences such as theme settings. These technologies are required for the Service to function and do not require consent under applicable ePrivacy law.
The Word add-in includes optional anonymous usage analytics (product events such as feature usage counts and error frequencies), provided by PostHog, Inc. These analytics are fully consent-gated: no data is sent until you explicitly opt in via the in-app consent prompt. The analytics use no persistent identifiers, no cookies, and no cross-session user tracking, so every session is fully anonymous. Event data is processed on PostHog's EU infrastructure (eu.i.posthog.com). If you decline or later withdraw consent, analytics are disabled immediately and no further data is sent.
Optional analytics on this marketing website, when enabled, load only after you accept them via the cookie settings control (see our Cookie Policy). We do not deploy advertising cookies or cross-site tracking pixels on the public website. If we introduce additional non-essential technologies in the future, we will update this policy and obtain your consent where required before activating them.
For full details of the specific cookies and storage technologies in use, their categories, purposes, and durations, as well as your controls, see our Cookie Policy.
8. Data Retention
We retain your personal data for as long as is necessary to provide the Service and fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.
Account data is retained for the duration of your active account. Following account deletion, we delete or anonymize your personal data within a commercially reasonable timeframe, subject to legal retention requirements.
Billing and transaction records are retained for the period required by applicable tax and accounting laws, typically seven (7) years.
Support correspondence is retained for the duration of your account and for a reasonable period thereafter, or as required to resolve open disputes or meet legal obligations.
Aggregate or fully anonymized data, which no longer constitutes personal data, may be retained and used indefinitely.
9. Data Security and Breach Notification
We implement and maintain appropriate technical and organizational security measures to protect your personal data against unauthorized access, disclosure, alteration, destruction, or accidental loss. These include:
• Encryption of data in transit using TLS/HTTPS;
• Encryption of data at rest;
• Access controls and role-based permissions on our account database;
• Secure authentication via Firebase Authentication (Google Cloud);
• Hosting on Cloudflare's infrastructure with associated DDoS protection, WAF, and access controls;
• Application-level error monitoring via Sentry to detect and respond to technical incidents promptly.
While we apply reasonable security measures, no method of transmission or storage over the internet is completely secure, and we cannot guarantee absolute security. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority, which for Inkansen s.r.o. ("InkRider"), as a Czech-established controller, is the Úřad pro ochranu osobních údajů (ÚOOÚ, uoou.gov.cz), within 72 hours of becoming aware of the breach, as required under Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users directly without undue delay under Article 34 GDPR.
If you suspect unauthorized access to your account, contact us immediately at support@inkrider.com.
10. International Data Transfers
InkRider operates internationally. Your personal data may be transferred to, stored in, and processed in countries other than your own, including the United States. Our primary service providers, Firebase / Google Cloud (firebase.com), Cloudflare (cloudflare.com), Lemon Squeezy (lemonsqueezy.com), and Sentry (sentry.com), may process data in the United States or other countries.
For transfers of personal data from the EEA, UK, or Switzerland to countries not recognized by the European Commission or UK ICO as providing an adequate level of data protection, we rely on appropriate safeguards, which may include the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or Addendum, or other lawful transfer mechanisms available under applicable data protection law.
If you would like more information about the specific transfer mechanisms used or copies of the relevant safeguards, please contact us at privacy@inkrider.com.
11. Your Privacy Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
Right of Access: Request a copy of the personal data InkRider holds about you.
Right to Rectification: Request correction of inaccurate or incomplete personal data.
Right to Erasure: Request deletion of your personal data, subject to legal retention requirements and other exceptions.
Right to Restrict Processing: Request that we restrict processing of your data in certain circumstances (for example, while accuracy is contested).
Right to Data Portability: Request a copy of your data in a structured, commonly used, machine-readable format, where applicable under GDPR.
Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time for future processing (this does not affect the lawfulness of processing based on consent before withdrawal).
To exercise any of these rights, contact us at privacy@inkrider.com. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law, generally 30 days, extendable to 45 or 90 days for complex requests with notice to you.
If you believe your privacy rights have been violated, you have the right to lodge a complaint with a data protection supervisory authority. As a Czech-established company, Inkansen s.r.o.'s lead supervisory authority under GDPR is the Úřad pro ochranu osobních údajů (ÚOOÚ), Office for Personal Data Protection of the Czech Republic (uoou.cz, posta@uoou.gov.cz). EEA residents outside the Czech Republic may also lodge a complaint with the supervisory authority in their own EU member state of habitual residence.
12. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you specific rights. This section supplements the rest of this policy.
Categories of Personal Information Collected: Over the preceding 12 months, we have collected identifiers (such as email address and name), internet or other electronic network activity information (such as log data and usage information), and commercial information (such as subscription and transaction records). We do not collect sensitive personal information as defined under CPRA (such as precise geolocation, financial account numbers, racial or ethnic origin, or health information) in the ordinary course of providing the Service.
Purpose of Collection: Personal information is collected and used for the business purposes described in Section 3 of this policy, primarily to provide the Service, manage your account, process billing, and maintain security.
Sale or Sharing of Personal Information: InkRider does not sell personal information. InkRider does not share personal information for cross-context behavioral advertising.
Right to Know: You may request disclosure of the categories and specific pieces of personal information collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom it is shared.
Right to Delete: Subject to applicable exceptions, you may request deletion of personal information we have collected.
Right to Correct: You may request correction of inaccurate personal information.
Right of Non-Discrimination: We will not discriminate against you for exercising any rights under CCPA/CPRA.
Submitting a Request: To submit a verifiable consumer request, contact us at privacy@inkrider.com. We will acknowledge receipt within 10 business days and respond within 45 calendar days, with a possible single 45-day extension if reasonably necessary.
13. Children's Privacy
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. We require all users to be at least 18 years of age (see our Terms of Service). The Service is not designed for, nor do we intend to collect data from, minors.
If we become aware that we have inadvertently collected personal information from a child under the age of 13 without verifiable parental consent, we will take prompt steps to delete that information from our systems. If you are a parent or guardian and believe we have collected information about your child without proper authorization, please contact us at privacy@inkrider.com.
14. Marketing, Opt-Out, and Do Not Track
Transactional Communications: We send account-related and transactional emails that are necessary for the operation of the Service, including subscription confirmations, billing notifications, security alerts, and password resets. You cannot opt out of these communications while your account is active, as they are required to manage your account.
Marketing Communications: If you opted in to receive marketing or newsletter communications during registration, we will send those to the email address on your account. You can withdraw this consent and unsubscribe at any time by visiting the Communications Preferences section in your dashboard account settings, by clicking the unsubscribe link in any marketing email, or by contacting privacy@inkrider.com. We will stop sending marketing emails promptly after receiving your withdrawal.
Do Not Track: Some web browsers include a "Do Not Track" (DNT) signal. Because there is no universally recognized standard for interpreting DNT signals, and because InkRider does not engage in cross-site behavioral tracking, we do not currently change our data collection practices in response to DNT signals. If industry standards or legal requirements change, we will update this policy accordingly.
15. Links to Third-Party Websites
The Service may contain links to third-party websites, platforms, or resources that are not operated or controlled by InkRider, including Microsoft documentation, Lemon Squeezy billing pages, and other external resources. Accessing those sites is subject to their own privacy policies and terms, not this policy.
InkRider is not responsible for the content, privacy practices, or policies of third-party sites, and a link to a third-party site does not constitute an endorsement. We encourage you to review the privacy policy of any third-party site you visit.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by applicable law or where reasonably practicable, notify users by email or by posting a prominent notice in the Service.
We encourage you to review this policy periodically. Your continued use of the Service after any changes become effective constitutes your acceptance of the updated policy.
17. Contact Us and Data Protection Inquiries
For privacy questions, data subject rights requests, or concerns about this policy, please contact us:
Privacy inquiries: privacy@inkrider.com
General support: support@inkrider.com
Postal address: Osadní 932/38, 170 00 Praha 7, Czech Republic (Inkansen s.r.o.)
We aim to respond to all privacy inquiries within the legally required timeframe. If you are an EEA or UK resident and are not satisfied with our response to a privacy request, you have the right to escalate to the relevant supervisory authority as described in Section 11.