Legal document · version 1.0.3

Effective 9 June 2026

Privacy Policy

Document type: PRIVACY · Version: 1.1 · Effective from: 9 June 2026

This Privacy Policy explains how The Mixed Essence s.r.o., IČO 19537212 (“we”, “us”), as data controller, processes your personal data when you purchase and use the She Came Back program and member portal. We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Czech law.

1. Controller and contact

The Mixed Essence s.r.o. · IČO: 19537212 · Registered office: Varšavská 715/36, 120 00 Praha, Czech Republic · Contact email: hello@themixedessence.com

2. What data we process

  • Account & identity: name, email, password (stored hashed), authentication identifiers.
  • Login via Google / Facebook (optional): identifiers and email provided by the provider when you choose social login.
  • Payment data: transaction details, amount, currency, status, and payment identifiers. Card details are handled by our payment provider; we do not store full card numbers.
  • Program activity: your progress, completed days, your responses to exercises and journal entries, and related metrics.
  • AI assessment output: the Day 14 analysis generated for you at the end of the program.
  • Consent records: the legal documents you accepted, with version, timestamp, IP address, and user agent.
  • Technical & usage data: device/browser information, log data, and (if enabled) product analytics.

3. Special category data

Your exercise and journal responses, and the AI assessment based on them, may reveal information about your health or mental wellbeing and may therefore be special category data under Article 9 GDPR. We process this data only on the basis of your explicit consent (Article 9(2)(a)), which you may withdraw at any time.

4. Purposes and legal bases

  • Providing the Service and your account — performance of a contract (Art. 6(1)(b)).
  • Processing payments and meeting tax/accounting duties — legal obligation (Art. 6(1)(c)).
  • Processing your exercise/journal data and generating your fully automated AI assessment — your explicit consent (Art. 6(1)(a) + Art. 9(2)(a)).
  • Keeping consent records and securing the Service — legitimate interests (Art. 6(1)(f)) and legal obligation.
  • Product analytics (if enabled) — your consent.

5. Automated processing and AI

The end-of-program assessment (Day 14 Analysis) is generated using an AI language model (Microsoft Azure OpenAI) based on your program data. This is fully automated processing that may include profiling. The assessment is provided for your information and self-development; it does not produce legal or similarly significant effects and is not used to make automated decisions about you. You can request human review, express your view, and contest the output. We send only the data needed to generate the assessment and apply data minimisation by stripping direct identifiers before transmission.

6. Recipients and processors (sub-processors)

We share data with service providers acting on our instructions under data processing agreements:

  • Vercel — application hosting.
  • Neon — database hosting (PostgreSQL).
  • Stripe — payment processing.
  • Resend — transactional email; Zoho — inbound email.
  • Google / Meta — only if you use social login.
  • Microsoft Azure OpenAI — AI assessment generation.
  • PostHog — product analytics (if enabled).
  • AWS S3 / Vercel Blob — media storage.

7. International transfers

Where a provider processes data outside the EEA (such as the United States), we rely on appropriate safeguards, including the EU-US Data Privacy Framework for certified vendors, or EU Standard Contractual Clauses. Our database and AI endpoints are hosted within EU regions to minimize international data transfers.

8. Retention

We keep your data only as long as necessary: account and program data for the duration of your account; consent and payment/tax records for the period required by law; analytics for 14 months. On deletion, we erase or anonymise your data, except records we must retain by law.

9. Your rights

You have the right to access, rectify, erase, restrict, and port your data, to object to certain processing, and to withdraw consent at any time (without affecting prior processing). You can exercise data export and deletion in the portal, or contact us. You may lodge a complaint with the Czech supervisory authority, the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, ÚOOÚ).

10. Security

We apply technical and organisational measures appropriate to the sensitivity of the data, including encryption in transit, access controls, and audit logging of access to sensitive data.

11. Cookies

We use cookies as described in our separate Cookie Policy, and obtain consent where required.

12. Changes

We may update this Policy; the current version is always available in the portal, and material changes will be notified to you.
