Privacy Policy

1. Who We Are

This website is operated by Matej Vavro, an individual creator providing productivity tools, content, and resources.

Name: Matej Vavro

Type: Self-employed / Sole proprietor

Location: Brno, Czech Republic

Company ID (IČO): 24391409

Contact: hello@matejvavroproductivity.com

For complete legal information, see our Legal Notice / Imprint.

2. What Data We Collect

We collect minimal data necessary to operate this website and provide our services:

• Account information: When you create an account, we collect your email address, display name, and authentication provider (email/password or GitHub OAuth).
• Payment and billing data: When you purchase a product or subscription, payment is processed by Stripe. We store transaction records (invoice amounts, dates, subscription status, entitlements, license keys) in our database. We do not store your credit card number or full payment details — Stripe handles all sensitive payment data.
• Newsletter subscriptions: Email address, subscription date, and interaction data (opens, clicks) if you subscribe to our newsletter via Kit.
• Hosting and security logs: IP addresses, browser type, and access logs collected automatically by Cloudflare for security, performance, and infrastructure purposes.
• Embedded content interactions: When you interact with embedded YouTube videos, YouTube may collect data according to their privacy policy.
• Anonymous visit statistics (no consent required): We record minimal, anonymous visit statistics on our own servers for aggregate traffic analysis. This data does not include cookies, identifiers, or stored IP addresses and cannot be used to identify you.
• Anonymous consent choice logging (no consent required): We record anonymous statistics about cookie consent choices for compliance monitoring. This data does not identify you.
• Product analytics (consent-based): When you grant analytics consent via our cookie banner, we collect anonymized usage data through PostHog (EU-hosted). This includes page views, button clicks, checkout funnel interactions, device type, and browser type. No IP addresses are stored — IP capture is disabled at every layer (SDK, project, and organization level). Analytics data is only collected after you explicitly opt in. You can withdraw consent at any time via the cookie settings in the footer.
• Plugin telemetry (server-side only): Our Obsidian plugins connect to our license server for license validation and activation. No client-side telemetry or analytics are included in the plugin. During license verification, limited technical information such as plugin version, device identifier, and platform information may be transmitted. No vault content, note content, or personal files are ever transmitted.
• Voluntary donations: If you support us through Ko-fi or GitHub Sponsors, those platforms process your payment information according to their respective privacy policies.

3. What We Do NOT Collect

We believe in minimal data collection and respect Obsidian's offline-first, privacy-focused philosophy. We explicitly do not:

• Include client-side telemetry or analytics in our Obsidian plugins (no Google Analytics, Sentry, Mixpanel, or similar SDKs embedded in the plugin). Note: our website uses PostHog (EU-hosted, consent-gated) for product analytics — this is separate from and unrelated to the plugins.
• Use advertising cookies or tracking pixels
• Use social media tracking or remarketing
• Collect or access the content of your Obsidian vaults — no vault names, file names, file paths, note content, or personal data from your vault is ever transmitted
• Send background analytics, pings, or usage events from the plugin — network requests are only made for license validation
• Fingerprint your device or browser beyond the device ID you can see and reset
• Include any mechanism that auto-updates the plugin outside of Obsidian's built-in update system
• Sell, rent, or trade your personal information to third parties
• Use your data for AI model training or any form of automated profiling

4. Why We Collect Data

• Account management: To create and manage your user account, authenticate you, and provide access to purchased products and subscriptions.
• Payment processing: To process purchases, manage subscriptions, issue license keys, handle refunds, and maintain billing records.
• Newsletter: To send you updates, content, and information about our productivity tools and resources (with your explicit consent).
• Security and performance: To protect the website from attacks, ensure availability, and optimize performance.
• Product analytics: To understand how visitors use our website — which pages are visited, which features are popular, and where the checkout flow can be improved. This helps us improve the product experience. Analytics data is collected only with your explicit consent (GDPR Art. 6(1)(a)).
• Plugin telemetry and license management: To verify license keys, enforce activation limits (up to 5 devices per license), monitor product usage patterns, diagnose issues, and improve our plugins. This data helps us understand how our tools are used across different platforms and Obsidian versions.
• Communication: To respond to your inquiries and provide support.

5. Legal Basis for Processing (GDPR)

• Consent (Art. 6(1)(a)): Product analytics (consent-gated), newsletter subscriptions, and optional YouTube cookie consent. You can withdraw consent at any time via the cookie settings in the footer.
• Contractual necessity (Art. 6(1)(b)): Processing account data, payments, licenses, and service usage required to provide purchased products and subscriptions.
• Legitimate interest (Art. 6(1)(f)): Website security, performance optimization, and anonymous aggregate-only visit statistics and consent choice logging — no identifiers, no cookies, no IP storage.

6. Who Processes Your Data (Third-Party Services)

We use the following trusted third-party processors:

7. Cookies and Tracking

This website uses a minimal number of cookies.

• Essential cookies: Required for website security, abuse prevention, and basic functionality. These cookies are always enabled and do not require consent under GDPR.
• Authentication cookies: When you sign in, session cookies are set to keep you logged in. These are strictly necessary for account functionality and do not require separate consent.
• Consent preference cookie: We store your cookie preferences in localStorage and/or a small preference cookie for up to 365 days. This does not track you and is used solely to respect your choices.
• Stripe cookies: During checkout, Stripe may set cookies for fraud prevention and payment processing. These are necessary to complete your purchase securely.
• YouTube cookies: When you play embedded YouTube videos, YouTube may set cookies on your device. Where possible, we use YouTube's privacy-enhanced mode (youtube-nocookie.com) to limit tracking until you interact with the video.
• Product analytics cookies (consent-based): When you opt in via our cookie banner, our analytics provider may set a cookie to track session data. Analytics data is processed in the EU and no IP addresses are stored. You can opt out at any time via the "Cookie Settings" link in the footer.

We do not use advertising cookies or third-party marketing/tracking cookies. Our anonymous visit and consent statistics are collected without cookies — they are stateless server-side counters that do not identify or track individual users.

Managing your preferences: You can change or withdraw your cookie consent at any time via the "Cookie Settings" link in the footer of this website, or by clearing cookies in your browser. When you reject optional cookies, only essential cookies will be loaded, YouTube embeds will not auto-load tracking scripts, and no analytics data will be collected.

8. Data Retention

• Account data: Retained for as long as your account is active. You can delete your account at any time from your account settings page. Account deletion is immediate and permanent — your profile, authentication data, entitlements, and license keys are permanently removed and cannot be recovered. You may also request deletion by contacting us.
• Billing and transaction records: Retained for the duration required by applicable tax and accounting laws, even after account deletion. This is the only data that may persist after you delete your account.
• License keys: Retained for as long as the associated product entitlement is active. Revoked and removed upon account deletion.
• Newsletter data: Retained until you unsubscribe or request deletion. Newsletter subscriptions are independent of your account — deleting your account does not automatically unsubscribe you.
• Product analytics data: Retained for up to 12 months. When you delete your account, your analytics profile and all events linked to your identity are deleted.
• Plugin telemetry data: Retained for up to 12 months for product improvement and usage analysis. Aggregated, anonymized statistics may be retained indefinitely. Telemetry data associated with your account is deleted when you delete your account.
• Anonymous visit and consent statistics: Retained indefinitely as aggregate data. Since no identifiers are stored, this data cannot be linked to any individual and does not constitute personal data under GDPR.
• Server logs: Retained by our hosting provider for security purposes (typically 30-90 days).
• Support emails: Retained as long as necessary to provide support and for legal compliance.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

• Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (HTTPS).
• Encryption at rest: Database data is encrypted at rest by our infrastructure providers.
• Data isolation: Database access is enforced so that users can only access their own data. Service operations use separate, restricted credentials.
• Password hashing: Passwords are hashed using industry-standard algorithms and are never stored in plaintext.
• Payment isolation: All sensitive payment data is processed and stored exclusively by Stripe on PCI DSS Level 1 certified infrastructure. We never handle or store card numbers.
• Access control: Internal access to production systems is restricted and logged.
• License key security: License keys are cryptographically generated and use cryptographic signing for secure offline verification.

10. Your Rights (GDPR)

Under GDPR, you have the following rights:

• Right to access: Request a copy of your personal data.
• Right to rectification: Request correction of inaccurate data.
• Right to erasure: Request deletion of your data ("right to be forgotten"). You can exercise this right directly by deleting your account from your account settings, or by contacting us. Account deletion automatically triggers deletion of your identifiable data from all processors.
• Right to restrict processing: Request limitation of data processing.
• Right to data portability: Receive your data in a machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Withdraw analytics consent via the "Cookie Settings" link in the footer, or unsubscribe from newsletters, at any time.
• Right to lodge a complaint: File a complaint with your local data protection authority.

To exercise any of these rights, contact us at: hello@matejvavroproductivity.com

11. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA). Product analytics data is processed within the EU. For other providers, international transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the EU Commission
• Adequate safeguards as required by GDPR
• Additional safeguards implemented by our service providers in accordance with GDPR

12. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or similarly significant effects on you (as defined in GDPR Article 22). License verification is a straightforward check against your entitlement record and does not involve profiling or scoring.

13. Children's Privacy

This website is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately.

14. Changes to This Policy

We may update this privacy policy from time to time. The "Last updated" date at the top will reflect the most recent changes. Continued use of the website after changes constitutes acceptance of the updated policy.

15. Contact Us

For any questions, concerns, or requests regarding this privacy policy or your personal data:

Email: hello@matejvavroproductivity.com
Response time: We aim to respond within 30 days, or within the timeframe required by GDPR.

For other legal information, please see:

• Terms of Service
• Legal Notice / Imprint