Privacy Policy
Raflia — Secure Document Sharing Platform
(Last updated: April 1, 2026)
1. Who We Are
This Privacy Policy explains how VeroMotion s.r.o., a company registered in the Czech Republic under registration number 27170730, with its registered address at Karla Engliše 3208/5, Prague 5, 150 00, Czech Republic (“VeroMotion”, “we”, “us”, or “our”), collects and processes your Personal Data when you use the Raflia platform at Raflia.com and related websites (the “Service”).
This Privacy Policy covers our role as Data Controller — the data we collect and process for our own purposes to operate the Service (such as account registration, billing, security logs, and analytics).
When Customers and their users upload documents, notes, or other content to the Service, VeroMotion acts as a Data Processor on behalf of the Customer. In that role, VeroMotion processes data only on the Customer’s instructions and does not use uploaded content for its own purposes. The terms governing this processing are set out in our Data Processing Addendum. If you are an Invited User, the Customer who invited you is the Data Controller for the documents you exchange through the Service, and their own privacy policies apply to that data.
2. What Data We Collect
2.1. Data You Provide
- Account data: Name, email address, company name, business address, phone number (if provided)
- Billing data: Subscription plan, invoicing details, VAT number (if applicable). Payment card details are processed directly by our payment providers (Stripe, Wise) and are not stored on our servers.
- Support communications: Messages you send to us via email or through the Service
- Profile and preferences: Language, notification settings, and other preferences you configure
2.2. Data We Collect Automatically
- Technical data: IP address, browser type and version, operating system, device type, screen resolution
- Usage data: Pages visited, features used, time and date of access, referring URL
- Authentication and security logs: Login timestamps, session identifiers, failed login attempts
- Operational logs: System logs that may contain references to Customer Data (such as entries and their attributes, or user actions), processed solely for security, audit, and Service integrity purposes
2.3. Data from Third Parties
- Payment providers: Transaction confirmation and billing status from Stripe or Wise
- Invited Users: When a Customer invites you to a Company Workspace, we receive your email address from the inviting Customer
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Article 6) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Managing your Account and authentication | Performance of contract (Art. 6(1)(b)) |
| Processing payments and billing | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (notifications, invitations, password resets) | Performance of contract (Art. 6(1)(b)) |
| Responding to support requests | Performance of contract (Art. 6(1)(b)) |
| Ensuring security and preventing fraud | Legitimate interest (Art. 6(1)(f)) |
| Maintaining audit and security logs | Legitimate interest (Art. 6(1)(f)) |
| Monitoring Service performance and fixing errors | Legitimate interest (Art. 6(1)(f)) |
| Analyzing usage to improve the Service | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| Sending product updates and service announcements | Legitimate interest (Art. 6(1)(f)) |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
We do not sell your Personal Data to third parties.
4. Cookies and Similar Technologies
4.1. What Are Cookies
Cookies are small text files placed on your device when you visit a website. We use cookies and similar technologies to operate the Service, ensure security, and understand how the Service is used.
4.2. Cookies We Use
| Cookie Type | Purpose | Examples | Legal Basis |
|---|---|---|---|
| Strictly necessary | Essential for the Service to function (authentication, session management, security) | Session cookies, CSRF tokens | Not required (exempt under ePrivacy Directive) |
| Security | Bot protection and abuse prevention | CAPTCHA service | Legitimate interest |
| Functional | Remembering your preferences (language, settings) | Preference cookies | Consent |
| Analytics | Understanding how the Service is used, improving performance | Self-hosted analytics | Consent |
4.3. Third-Party Cookies
The following third-party services may set cookies on your device:
- CAPTCHA service — Used to protect the Service from bots and automated abuse. The provider may collect IP addresses and browser data. The current provider is listed at https://raflia.com/subprocessors.
- Google Fonts — Used to deliver fonts. Google may collect IP addresses. See Google Fonts FAQ.
- iubenda — Used to manage cookie consent preferences. See iubenda’s Privacy Policy.
4.4. Managing Cookies
When you first visit the Service, you will be shown a cookie consent banner where you can accept or decline non-essential cookies. You can change your preferences at any time through the cookie settings link available in the Service footer.
You can also control cookies through your browser settings. Note that disabling strictly necessary cookies may prevent the Service from functioning properly.
5. Who We Share Your Data With
We share your Personal Data only as necessary to provide the Service:
- Sub-processors — Third-party service providers who process data on our behalf (hosting, payments, email delivery, error monitoring). A full list is available at https://raflia.com/subprocessors.
- Payment providers — Stripe and Wise process your payment data directly under their own privacy policies.
- Other users — Your name and email address are visible to other members of Company Workspaces you belong to. This is necessary for the document exchange functionality of the Service.
- Legal authorities — We may disclose data if required by law, court order, or regulatory authority, or to protect the rights, safety, or property of VeroMotion, our users, or the public.
We do not share your data with advertisers or data brokers.
6. International Transfers
Your data is primarily stored within the European Union. Some sub-processors may be located outside the EEA. Where this is the case, we ensure appropriate safeguards are in place, including:
- EU adequacy decisions
- EU-US Data Privacy Framework
- Standard Contractual Clauses (SCCs)
Details of sub-processor locations are available at https://raflia.com/subprocessors.
7. How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account data | For the duration of your Account. Deleted within 30 days of Account deletion, unless retention is required by law. |
| Billing and invoicing data | Up to 10 years after the end of the contractual relationship (as required by Czech accounting and tax law). |
| Authentication and security logs | Up to 12 months from the date of the event. |
| Usage and analytics data | Up to 24 months, then anonymized or deleted. |
| Support communications | For the duration of your Account, plus up to 12 months after Account deletion. |
| Cookies | Varies by type — see Section 4. Session cookies are deleted when you close your browser. Persistent cookies expire as set by the relevant provider. |
After termination of the Agreement, Customer Data (documents uploaded to the Service) is handled as described in Section 18 of the Terms and Conditions: the Customer has 30 days to export data, after which VeroMotion may delete it.
8. Your Rights
Under the GDPR and applicable Data Protection Laws, you have the following rights:
- Access — You can request a copy of the Personal Data we hold about you.
- Rectification — You can ask us to correct inaccurate or incomplete data. You can also update most of your data directly through your Account settings.
- Erasure — You can ask us to delete your data, subject to legal retention obligations.
- Restriction — You can ask us to restrict processing of your data in certain circumstances.
- Portability — You can request your data in a structured, commonly used, machine-readable format.
- Objection — You can object to processing based on legitimate interest. We will stop processing unless we have compelling grounds that override your interests.
- Withdraw consent — Where processing is based on consent (e.g., non-essential cookies), you can withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at info@raflia.com. We will respond within 30 days. If we need more time, we will inform you and explain the reason.
If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. The relevant authority for VeroMotion is:
Office for Personal Data Protection (ÚOOÚ)
Pplk. Sochora 27
170 00 Prague 7
Czech Republic
https://www.uoou.cz
You also have the right to lodge a complaint with the supervisory authority in your country of residence.
9. Children
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to the address associated with your Account at least 30 days before the changes take effect.
The “Last updated” date at the top of this page indicates when this Privacy Policy was last revised.
11. Contact
For questions about this Privacy Policy or how we handle your data:
VeroMotion s.r.o.
Karla Engliše 3208/5
Prague 5, 150 00
Czech Republic
Email: info@raflia.com
Web: https://raflia.com