Privacy Policy

albee – Terms of Use & Privacy Policy (Draft)
Provider: albee s.r.o.
Company ID: 57 471 584
Agátová 18
90090 Dubová
Slovakia
Privacy contact: privacy@albee.sk
Last updated: 22.2.2026

3.1 Controller & contact

Controller: albee s.r.o., Company ID 57 471 584, Agátová 18, 90090 Dubová, Slovakia. Contact: privacy@albee.sk.

3.2 Data we process

Account & customer data: Email (required), Name (optional), Phone (optional), Billing details for web shop/invoicing.

Apiary / hive / sensor data: Location (GPS), Sensor data: temperature, humidity, CO2, weight, sound, Sensor/device identifiers including internal record ID, device ID, firmware/app version code, reading timestamps, units and battery level.

User content: Notes, Photos, Audio recordings, Other user-provided content.

Technical & security data: IP address, device identifiers, system logs, authentication logs, API access logs, error logs, crash reports and basic diagnostic metadata required for reliability and security monitoring. Usage analytics may include feature views, button taps, session timestamps, device/platform metadata and service performance events in pseudonymized form.

Push notifications: Push tokens processed through Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs).

3.3 Purposes & legal bases (GDPR)

Contract performance (Art. 6(1)(b)): account, login codes, service delivery, subscriptions.

Legitimate interests (Art. 6(1)(f)): security, fraud prevention, bug fixing, service improvement and basic analytics.

Consent (Art. 6(1)(a)): cookies/marketing; any optional processing beyond core service delivery that is not strictly necessary and requires user choice.

Legal obligation (Art. 6(1)(c)): accounting/tax compliance for web purchases.

3.4 AI outputs disclaimer

AI outputs are informational and may be inaccurate. They are not veterinary advice or diagnosis.

AI runtime/provider (in-house / AWS Bedrock / other): third-party model providers such as OpenAI and Anthropic, accessed through secured API integrations.

Data sent to AI (sensors, notes, photos, audio): relevant sensor readings with timestamps and units, user notes, selected photos and selected audio-derived inputs only when needed to generate the requested analysis or summary.

Whether user data is used for training and opt-in/out: user content sent through API integrations is not used by us for model training by default; if any optional model-improvement program is introduced in the future, it will be offered only on an explicit opt-in basis.

3.5 Sharing & recipients

Processors: Amazon Web Services (AWS) for hosting and storage, Cloudflare for edge security and traffic delivery, PostHog for product analytics, transactional email providers for service emails, Firebase Cloud Messaging and APNs for push delivery, and Stripe for payment processing where applicable.

Corporate dashboard sharing (user-controlled): The user shares via a link or QR code. The user can select specific hives/apiary sites to share. The user can hide notes and/or photos. Sharing can be revoked at any time.

Shared scope: sensor data and only the user-selected content (photos/notes).

3.6 International transfers

The Service is primarily intended for Slovakia/EU. Some vendors may process data outside the EEA. Where applicable, we use safeguards such as the European Commission's Standard Contractual Clauses (SCCs), vendor transfer impact assessments and contractual data protection commitments. Services that may involve international transfers include OpenAI, Anthropic, Cloudflare, PostHog and Stripe.

3.7 Retention

Account/content: for the life of the account + 12 months.

Invoices: statutory retention periods.

Logs: typically retained for up to 90 days unless a longer retention period is required for security incident investigation, legal compliance or fraud prevention.

3.8 Security

Encryption in transit (TLS): all traffic between apps, browsers, devices and backend services is protected using modern TLS encryption.

Encryption at rest: production databases, backups and object storage are encrypted at rest using industry-standard encryption such as AES-256 or cloud-provider managed equivalent controls.

Access controls/MFA/audit logs: access to production systems is restricted through role-based access control, least-privilege permissions, mandatory multi-factor authentication for administrative access and audit logging of relevant administrative and security events.

3.9 Your rights

You have rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Account deletion must be available in-app. You may lodge a complaint with the Slovak DPA.