Privacy Policy

Service: AI Execution Coach (the "Service" or "App") Operator / Data Controller: WolfPack Invest, s.r.o., registered office at Ronovská 122, 289 32 Oskořínek, Czech Republic, Company ID (IČO): 08210985, registered in the Czech Commercial Register (the "Controller", "we", "us") Privacy contact e‑mail: support@dailymarcus.ai Effective: May 11, 2026 Version: 1.0

This Privacy Policy explains what personal data we process about you as a user of the Service, why, for how long, and with whom we share it. It is drafted in accordance with Regulation (EU) 2016/679 ("GDPR") and Czech Act No. 110/2019 Coll. on Personal Data Processing.

1. Summary (TL;DR)

The Service is operated by WolfPack Invest, s.r.o., a Czech limited liability company (IČO 08210985). We are the data controller.
The App is an AI execution coach. To do its job, it stores your conversation history with the mentor and specialists, a structured business profile, your goals, tasks and personal events you mention (e.g. holidays, anniversaries, rewards you set for yourself).
Your data is stored inside the EU (Supabase, Frankfurt region). The AI inference itself happens outside the EU with LLM providers (Anthropic, OpenAI, Voyage AI) under the EU Commission's Standard Contractual Clauses.
We do not sell your data, do not use it to train third‑party AI models (contractually enforced with our API providers), and do not share it with advertising networks.
You can export everything as JSON or permanently delete your account any time from Settings — deletion cascades to vector memory and your Stripe customer record.
We use Resend for operational e‑mail, Stripe for payments, and PostHog for product analytics (anonymous events, no conversation content).

Details below.

2. Who we are and how to reach us


Operator / Controller	WolfPack Invest, s.r.o.
Registered office	Ronovská 122, 289 32 Oskořínek, Czech Republic
Company ID (IČO)	08210985
VAT ID (DIČ)	CZ08210985
Commercial Register entry	File No. C 314295 with the Municipal Court in Prague
Contact e‑mail	support@dailymarcus.ai
Data Protection Officer (DPO)	We have not appointed a DPO — our processing does not meet the mandatory thresholds in Art. 37 GDPR. Please contact the Controller at the e‑mail above.

3. What the Service does with your data

AI Execution Coach is a premium AI execution coach for Czech‑speaking solo service founders. To do its job — know your business, remember your life, generate concrete tasks and push you to ship — the App continuously:

loads, on every mentor turn, your business profile, active goals and tasks, the top of your episodic memory (recent distilled insights), and your active life events;
runs an asynchronous distillation pass (Claude Haiku 4.5 LLM) after each meaningful conversation, summarising it into structured insights and updating memory;
sends a personalised check‑in at a time you choose (e.g. Mondays 8:00 in your timezone) via e‑mail, web push and in‑app notification.

This functionality requires the categories of personal data described in Section 4.

4. Categories of personal data processed

Category	Specific data
Identity	E‑mail address, name (if provided), avatar (from Google account on OAuth login), unique user ID.
Authentication	Password hash / magic‑link token (managed by Supabase Auth), Google OAuth tokens (for social login), refresh tokens for integrations (Google Calendar, Google Analytics) — stored encrypted with `INTEGRATIONS_ENCRYPTION_KEY` (AES‑256).
Business profile	Business name, industry, business type, stage, team size, revenue range, target customer, biggest challenge, channels — entered in onboarding, editable any time.
Communication preferences	Formality (informal / formal address), directness (1–5), pressure (1–5), preferred check‑in day and time, voice settings, theme.
Conversations	The full content of your messages to the mentor and specialists (Marketing), model responses, timestamps, author flags, token metrics. Includes 3‑way conversations.
Goals, tasks and decisions	90‑day plan, milestones, weekly tasks, status (done / missed / skipped + reason), explicit decisions you logged.
Episodic memory	Structured insights distilled from your conversations, stored as text + vector embeddings (1024‑dim) in pgvector.
Life events	Personal information you mention to the mentor: holidays, dinners, a child's birthday, anniversaries, partner milestones, health check‑ins and similar — only if you share them. Used solely so the coach can follow up naturally.
Voice recordings	Dictation audio you upload. Stored in a private Supabase Storage bucket `voice-messages` under `<user_id>/`, accessible only via short‑lived signed URLs.
Voice transcripts	Text transcript of your dictation (produced by OpenAI `gpt‑4o‑transcribe`) — stored as the message body.
Stakes & rewards	The reward and optional cost (stake) you set for yourself.
Streaks & badges	Consecutive weeks with ≥ 50 % task completion and earned badges.
Payment data	Subscriptions and credit packs are processed by Stripe Payments Europe. We do not handle card numbers — only customer ID, subscription state, billing e‑mail, invoice metadata, credit balance.
Operational metadata	AI call logs (model, token counts, cache hits, latency, estimated cost), IP address (short‑lived in technical logs), user agent, timezone.
Product analytics	Anonymous events (e.g. "user completed onboarding", "user completed task") — never conversation content — collected via PostHog (EU region if confirmed) to improve the product.
Cookies and similar	See Section 11.

Special categories (Art. 9 GDPR — health, sexual orientation, ethnic origin, political views, biometrics): the Service is not designed to collect them. The coach may ask you to redirect a sensitive topic to a professional. If you voluntarily mention such information in a conversation, it is stored as part of the message body under Art. 9(2)(a) GDPR — your explicit consent given by mentioning it inside a tool you knowingly use for this purpose. You can delete such data any time via export+edit or by requesting erasure.

5. Purposes and legal bases

We process personal data only for clearly defined purposes, each with a matching legal basis under Art. 6 (and where relevant Art. 9) GDPR.

Purpose	Processing activities	Legal basis (Art. 6 GDPR)
Providing the Service	Authentication, onboarding, chat with mentor and specialists, loading the 4 memory layers, generating goals and tasks, distillation, check‑ins, gamification, conversation storage.	Performance of contract — Art. 6(1)(b) (Terms of Service).
Personalisation & memory	Updating business profile, episodic memory, life events, follow‑ups, adaptive tone.	Performance of contract — Art. 6(1)(b) (core product); legitimate interest — Art. 6(1)(f) for ongoing coach quality improvement.
Voice interaction (STT)	Transcription by OpenAI, audio storage in Supabase Storage.	Performance of contract; audio retention follows the opt‑out in Settings.
Payments and billing	Stripe customer record, subscription charges, invoicing.	Performance of contract + legal obligation — Art. 6(1)(c) (Czech Accounting Act No. 563/1991 Coll., VAT Act No. 235/2004 Coll.).
Operational communication	Account status e‑mails, check‑in reminders, billing notices (via Resend).	Performance of contract; legitimate interest for operational notices.
Marketing communication	E‑mails about new features, tips, beta news.	Consent — Art. 6(1)(a). Unsubscribe any time from the e‑mail footer or Settings.
Product analytics	Anonymous events in PostHog.	Legitimate interest — Art. 6(1)(f) in product improvement; conversation content is never sent to PostHog.
Security & abuse prevention	Login logs, rate limiting, Stripe fraud prevention.	Legitimate interest — Art. 6(1)(f) in service security.
Legal compliance	Accounting records, requests from public authorities.	Legal obligation — Art. 6(1)(c).
Defence of legal claims	Retention strictly necessary for dispute defence.	Legitimate interest — Art. 6(1)(f).

Before your first chat you must acknowledge the disclaimer that the Service is not legal, tax or medical advice; the timestamp is recorded in profiles.disclaimer_acknowledged_at.

6. Sources of data

We collect data directly from you — on sign‑up, in onboarding, in chat, on purchase, and when you change settings. With Google social login we receive basic profile data (e‑mail, name, avatar) within the scope you grant. With integrations (Google Calendar, Google Analytics) we receive a refresh token and calendar / GA event metadata within the permissions you grant; these are stored encrypted.

7. Recipients of personal data (sub‑processors)

The Service relies on the following processors. We have a Data Processing Agreement (DPA) compliant with Art. 28 GDPR in place with each of them; where data leaves the EU/EEA, transfers are governed by the EU Commission's Standard Contractual Clauses (SCCs).

Recipient	Purpose	Processing location	Data categories	Transfer mechanism
Supabase, Inc.	Database hosting (Postgres + pgvector), Storage for voice files, authentication.	Frankfurt, EU (`eu-central-1`).	All user data.	Within EEA. Parent entity US — metadata transfers under Supabase DPA + SCCs.
Anthropic, PBC	LLM API (Claude Sonnet 4.6 + Haiku 4.5) — mentor, specialists, distillation, onboarding extraction.	USA.	Message text and memory context sent to the API — not used to train Anthropic models per Anthropic Commercial Terms.	SCCs + Anthropic DPA.
OpenAI, L.L.C.	Speech‑to‑text (`gpt-4o-transcribe`); fallback text embeddings.	USA.	Voice files sent for transcription; episodic text sent for embedding (fallback). Not used for training per OpenAI API Data Usage Policy.	SCCs + OpenAI DPA.
Voyage AI Innovations Inc.	Preferred embeddings provider (`voyage-3`, multilingual incl. Czech).	USA.	Episodic memory text sent for vectorisation. No‑train policy per Voyage.	SCCs + Voyage DPA.
Google Ireland Limited	OAuth login; optional Google Calendar and Google Analytics integrations.	EU + USA.	E‑mail, name, avatar; OAuth tokens; calendar / GA event metadata in granted scopes.	Google DPA + SCCs.
Stripe Payments Europe Ltd. + Stripe, Inc.	Payment processing, subscriptions, billing, fraud prevention.	IE + USA.	Stripe customer ID, billing e‑mail, tokenised payment method (we never see card numbers), payment history.	Stripe DPA + SCCs.
Resend, Inc.	Transactional and check‑in e‑mails.	EU + USA.	E‑mail address, name, e‑mail body (check‑in digests may include a summary of your week).	Resend DPA + SCCs.
PostHog Inc. (PostHog Cloud EU)	Product analytics — anonymous events, no conversation content.	EU (`eu.posthog.com`) if confirmed; otherwise USA under SCCs.	Anonymous user events, anonymised IP, feature‑flag state.	EU region — no transfer; US fallback: SCCs.
Vercel, Inc.	Web hosting, edge functions, cron jobs.	Global edge; configured for EU regions.	Operational logs (IP, user agent, status), HTTPS traffic.	Vercel DPA + SCCs for US.
GitHub, Inc. / Microsoft	Source control and CI. No user data — source code and build artefacts only.	USA.	CI operational logs only, no user data.	SCCs under Microsoft DPA.
Cloudflare / DNS provider	DNS, CDN, DDoS protection.	Global edge.	IP, user agent, HTTPS headers.	DPA + SCCs.

The current sub‑processor list and links to their DPAs are available on request at the contact e‑mail above. We may add a new sub‑processor; we will notify you of material changes at least 30 days in advance.

8. International transfers (outside the EU/EEA)

Some sub‑processors (Anthropic, OpenAI, Voyage AI, Stripe Inc., Resend, Vercel) are based in the USA. Transfers are based on:

the Standard Contractual Clauses (Commission Decision 2021/914);
where applicable, the EU‑U.S. Data Privacy Framework (DPF) certification of Anthropic, OpenAI and Stripe;
supplementary technical measures (TLS 1.2+ in transit, AES‑256 encryption at rest by the provider).

A Transfer Impact Assessment (TIA) is maintained and updated. A summary is available on request.

9. Retention periods

Category	Retention
Active account — profile, memory, conversations, goals, life events	For the lifetime of the account.
Dormant account	After 12 months without login we send a warning; if you do not respond within 30 days, we permanently delete the account.
After erasure / account deletion	Permanent deletion within 30 days across all tables, vector memory, Storage bucket, and the Stripe customer record. Backup snapshots are overwritten on a 30‑day cycle.
Voice recordings	If "retain audio" is on in Settings, kept for the lifetime of the account; otherwise audio is deleted immediately after the transcript is produced.
Accounting and tax records	10 years from the end of the accounting period in which the document was issued (Czech VAT Act No. 235/2004 Coll., § 35; Accounting Act No. 563/1991 Coll., § 31). This is a statutory obligation — even after account deletion we retain billing documents only.
AI operational logs (`ai_calls`) without user identifier	6 months from creation.
Web / operational logs (Vercel, Cloudflare)	30 days.
PostHog product events	24 months from creation, then aggregated anonymously.
Marketing list	Until consent withdrawal, no longer than 3 years since the last interaction.

10. Your rights

As a data subject under the GDPR you have the following rights. Most are available directly in the App (Settings → Data); the rest by e‑mail.

Right of access (Art. 15) — download a full JSON export (profile, conversations, memory, life events, goals, tasks, billing) in Settings → Data → Export.
Right to rectification (Art. 16) — all editable fields are editable in Settings or by e‑mail request.
Right to erasure / "right to be forgotten" (Art. 17) — Settings → Data → Delete account. Cascades to profile, business data, conversations, memory, vector embeddings, life events, badges, streaks, Storage objects and the Stripe customer record. Accounting records are retained for the statutory period per Section 9.
Right to restriction of processing (Art. 18).
Right to data portability (Art. 20) — machine‑readable JSON export.
Right to object (Art. 21) — to processing based on legitimate interest (typically analytics, marketing).
Right to withdraw consent (Art. 7(3)) — any time, without affecting the lawfulness of prior processing.
Right not to be subject to automated decision‑making with legal effects (Art. 22) — the App does not carry out automated decision‑making with legal or similarly significant effect (we do not grant credit, sign contracts with third parties, etc.). The coach's intelligence is personalised, but you decide and act.
Right to lodge a complaint with the supervisory authority — Czech Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz, tel. +420 234 665 111.

We respond without undue delay, and at the latest within 1 month of the request (extendable by 2 further months under Art. 12(3) GDPR for complex cases — we will inform you).

11. Cookies and tracking

The App uses only cookies and similar technologies strictly necessary for operation (Supabase auth session cookie, UI preferences, CSRF protection). For product analytics we use PostHog without cross‑site tracking and without advertising cookies.

A cookie banner is shown on the first visit and lets you fine‑tune optional categories. We store cookies only within the scope permitted by § 89 of Czech Act No. 127/2005 Coll. on Electronic Communications.

Category	Examples	Storage	Consent required?
Strictly necessary	Auth session, CSRF, language	Session / 1 year	No
Analytics (PostHog)	Distinct ID, feature flags	12 months	Yes
Marketing	Not used	—	—

12. Security

We have implemented technical and organisational measures per Art. 32 GDPR:

Encryption in transit: all communication over TLS 1.2+.
Encryption at rest: Supabase encrypts the database and Storage objects with AES‑256. OAuth refresh tokens are additionally encrypted in the application layer with INTEGRATIONS_ENCRYPTION_KEY.
Row‑Level Security (RLS): enabled on every Postgres table from day one — a user only ever sees their own rows. The service‑role key is server‑side only and never reaches the browser.
Least privilege: access to the production database is limited to the operator; rotatable roles and an audit trail.
Backups are taken daily, encrypted, and overwritten on a 30‑day cycle.
Development & CI: no production secrets in the repository; every commit goes through pre‑commit ESLint and strict TypeScript checks.
Incident response: in case of a personal data breach we will notify you within 72 hours if the breach is likely to result in a high risk to your rights, and we will notify ÚOOÚ in line with Art. 33–34 GDPR.

13. Automated decision‑making and profiling

The mentor and specialists generate personalised suggestions for tasks, goals and questions based on memory and conversation. This is not decision‑making with legal or similarly significant effect under Art. 22 GDPR — the output is always a suggestion that you accept or decline. The App does not grant or deny any formal right, contract or service on the basis of an automated assessment.

14. Children and minors

The Service is intended for founders 18 years of age or older. We do not knowingly process data of persons under 16. If we learn that we have collected data from a person under 16 without verifiable parental consent, we will delete it.

15. Changes to this Policy

We may update this Policy — typically for new features, new legislation, or new sub‑processors. We will notify you of any material change at least 30 days in advance by e‑mail and in‑app. Previous versions are archived with their effective dates.

16. Contact and complaints

For any question, rights request or complaint:

WolfPack Invest, s.r.o. Ronovská 122, 289 32 Oskořínek, Czech Republic Company ID (IČO): 08210985 E‑mail: support@dailymarcus.ai

Supervisory authority: Czech Office for Personal Data Protection (ÚOOÚ) Pplk. Sochora 27, 170 00 Prague 7, Czech Republic www.uoou.cz · posta@uoou.cz · +420 234 665 111

Version 1.0 · Effective: May 11, 2026. This Policy was prepared as a working draft reflecting the current state of the App. Before production launch we recommend a final review by a lawyer specialised in IT/GDPR (per SPEC §19).