Privacy Policy

Last updated: 2026-04-26 · cz-agents.dev

cz-agents (the service) is operated by Martin Havel, IČO 02175614, registered in the Czech Republic. This policy describes what data the service processes, why, and how long.

What data we process

The service consists of MCP (Model Context Protocol) servers that look up publicly-available data from Czech and EU government registries. We process three categories of data:

• Public registry data — IČO, company names, statutory bodies, sanction list entries, insolvency proceedings, FX rates. Sourced in real time or with short cache (≤24 h) from ARES (Ministry of Finance), ČNB, ISIR (Ministry of Justice), EU Financial Sanctions Files, and OFAC SDN. We do not store this data beyond cache TTL except for sanctions snapshots (kept for change-detection) and the ISIR event feed (append-only log).
• Request metadata — IP address (for rate limiting), Bearer API tokens (for paid tiers), HTTP headers, request/response timing. Retained for up to 30 days in server logs, then deleted.
• Billing data — for paid tiers we use Stripe as a payment processor. Stripe holds card data and customer email; we hold the Stripe customer/subscription IDs linked to an opaque API token (no card data).

Legal basis (GDPR Art. 6)

• Public registry data — Art. 6(1)(f) legitimate interest. Czech business registers are public-by-law (zákon č. 304/2013 Sb. on public registers; § 125 zákona č. 120/2001 Sb. for ISIR). Republishing them via API does not change the data's public character.
• Request metadata — Art. 6(1)(f) legitimate interest in operating, securing, and rate-limiting the service.
• Billing data — Art. 6(1)(b) contract performance.

What we do not do

• We do not sell or share data with third parties for marketing.
• We do not use data subjects' information for profiling beyond rate limits.
• We do not store credit card data — Stripe handles all card processing.
• We do not transfer data outside the EU. Servers are hosted in Falkenstein, DE (Hetzner).

Data subject rights

If you are an identifiable individual whose data appears in our service (typically as a statutory body member or sanctioned person from a public registry), you have the rights under GDPR Art. 15–22 (access, rectification, erasure, restriction, portability, objection). For data that originates from a public registry, the appropriate erasure path is to address the original registry (e.g. ARES). We can confirm what we cache about you and refresh from source on request.

Contact: [email protected].

Children

The service is not directed at, and does not knowingly collect data from, children under 16.

Changes to this policy

Material changes will be announced on the project's GitHub repository (github.com/martinhavel/cz-agents-mcp) at least 14 days before they take effect. The current version is always authoritative at cz-agents.dev/privacy.

Supervisory authority

If you believe your rights are being violated, you may lodge a complaint with the Czech Office for Personal Data Protection (Úřad pro ochranu osobních údajů, uoou.gov.cz).

← Back to cz-agents.dev