Terms of Service

1.1 These general terms and conditions (hereinafter "Terms") govern the rights and obligations between the operator of the DigiDoklad software service and its users.

1.2 The operator of DigiDoklad is: DIGIVO Labs s.r.o. Company ID: 243 35 177 Registered office: Rybná 716/24, Staré Město, 110 00 Prague 1, Czech Republic File reference: C 439430 registered at the Municipal Court in Prague Contact email: info@digidoklad.cz

1.3 DigiDoklad is a software service provided as SaaS (Software as a Service), accessible via the web interface www.digidoklad.cz.

1.4 These Terms form an integral part of the contract concluded between the operator and the user upon registration.

2.1 Service means the DigiDoklad application, its web interface, API, mobile version (PWA), all features, modules, updates and related services.

2.2 User is a natural or legal person who has created a user account and uses the service.

2.3 Consumer is a user who is a natural person and uses the service outside their business activities.

2.4 Account is a non-public user access to the service protected by login credentials.

2.5 Plan is a pricing tier of the service with a defined scope of features, limits, duration and price.

2.6 E2E encryption is end-to-end encryption where data is encrypted and decrypted exclusively on the user's side (in the browser) using a key derived from the user's password.

3.1 The contractual relationship between the operator and the user arises upon completion of user account registration and acceptance of these Terms.

3.2 By registering, the user confirms that they have read, understood and agree to these Terms in their entirety.

3.3 The operator is entitled to refuse registration or cancel an existing account if the user violates these Terms or legal regulations.

3.4 The user expressly agrees to the provision of digital content before the expiry of the withdrawal period and acknowledges that by doing so, they waive their right to withdraw from the contract pursuant to Section 1837(l) of Act No. 89/2012 Coll., the Czech Civil Code.

4.1 The user is obliged to provide truthful, complete and up-to-date information.

4.2 The user is responsible for securing their login credentials and for all activities performed through their account.

4.3 The operator is not liable for account misuse caused by the user's breach of obligations.

4.4 One user is entitled to operate only one account, unless expressly permitted otherwise.

4.5 The user may delete their account at any time in the account settings. Deletion is irreversible and leads to permanent removal of all data.

5.1 DigiDoklad is a tool for digital archiving, management and long-term storage of documents, especially receipts, contracts, warranty cards and other files.

5.2 The service serves as a support tool and does not replace accounting, tax, legal or other professional advice.

5.3 The operator is not responsible for the legal usability, accounting accuracy or completeness of documents stored by the user.

5.4 The service is not an electronic records management system or a system for trusted archiving within the meaning of applicable Czech law.

6.1 The operator grants the user a non-exclusive, non-transferable, time-limited license to use the service within the scope of the selected plan.

6.2 The user does not acquire any ownership or copyright to the service or its parts.

6.3 The user is not entitled to reverse engineer, decompile, copy, sublicense or otherwise interfere with the service.

6.4 The license is bound to the user account and is non-transferable to third parties.

7.1 The service is provided in both free and paid plans according to the current offer published on the website.

7.2 The plan price is paid in advance for the selected period (monthly or annual).

7.3 Payments in the Czech version of the service are processed through the Comgate payment gateway, a.s. (https://www.comgate.cz/cz/platebni-brana).

7.4 Payments in the English version of the service are processed through the Stripe payment platform, Inc. (https://stripe.com).

7.5 The operator does not store user payment data. All payment data is processed exclusively by the respective payment provider (Comgate or Stripe).

7.6 Non-payment may result in restriction or suspension of access to the service.

7.7 All prices are stated including VAT, unless expressly stated otherwise.

8.1 DigiDoklad service is provided exclusively electronically as SaaS (Software as a Service). No physical delivery is required. Access to the service is granted immediately after successful registration and payment (if applicable).

8.2 Payment services for the Czech version are provided by Comgate, a.s. More information at: https://www.comgate.cz/cz/platebni-brana

8.3 Payment services for the English version are provided by Stripe, Inc. More information at: https://stripe.com

8.4 Available payment methods (Comgate): • Card payments – payment takes place on a secure Comgate payment gateway page where the customer enters card details. After verification and bank approval, the transaction is completed. • Bank transfers – the customer is redirected to their bank's internet banking to confirm a pre-filled payment order. Payment is usually credited immediately or within minutes.

8.5 Available payment methods (Stripe): • Card payments (Visa, Mastercard, American Express) – payment takes place on a secure Stripe Checkout page.

8.6 Contact for payment inquiries and complaints (Comgate): Comgate, a.s. Gočárova třída 1754 / 48b Hradec Králové, Czech Republic Email: podpora@comgate.cz Phone: +420 228 224 267

8.7 Contact for payment inquiries (Stripe): Stripe, Inc. Email: support@stripe.com Web: https://support.stripe.com

9.1 DigiDoklad is digital content delivered in intangible form. The user expressly agrees to commence service provision immediately upon registration (or payment), thereby waiving the right to withdraw from the contract pursuant to Section 1837(l) of Act No. 89/2012 Coll., the Czech Civil Code.

9.2 The user is entitled to change or cancel the plan at any time through account settings. Cancellation of a paid plan (unsubscribe) is possible at any time with a single click in account settings, without any written notice requirement.

9.3 When upgrading to a higher plan, the price may be prorated for the remaining period.

9.3.1 The proration pursuant to clause 9.3 is calculated as the difference between the price of the higher plan and the price of the current plan for the remaining part of the already paid period.

9.4 Upon cancellation of a paid plan, there is no entitlement to refund of the already paid price for the current period. The paid plan remains active until the end of the paid period, after which the account transitions to the START plan.

9.5 The operator is entitled to terminate the contractual relationship immediately and without prior notice in case of serious or repeated violation of these Terms.

9.6 The user may terminate the contractual relationship at any time by deleting their account in the settings.

10.1 If the user stops using a paid plan and their account transitions to the free START plan, the user acknowledges that: • features available only in paid plans will be immediately blocked • documents and data stored beyond START plan limits (5 receipts and 3 documents per month) will become inaccessible, non-editable and non-exportable • data stored beyond START plan limits will be kept in inactive mode for 60 days

10.2 After the 60-day retention period, documents and data stored beyond START plan limits may be permanently and irreversibly deleted.

10.3 The user acknowledges that they will be notified of impending data deletion via email sent to the email address in their user account. The operator is not responsible for non-receipt of notification caused by incorrect or outdated email address.

10.4 By renewing a paid plan within the 60-day period, documents and data that have not been deleted will be restored. After the 60-day period and data deletion, the user has no entitlement to their restoration.

10.5 Payment for a paid plan represents payment for active management, storage and security of documents, not one-time access to previously stored data.

11.1 The user is the exclusive owner of all data and documents uploaded to the service.

11.2 The user is responsible for the legality, truthfulness and legitimacy of content stored in the service.

11.3 The operator is entitled to use anonymized or aggregated data for service improvement, statistical and analytical purposes.

11.4 The operator does not perform any review of uploaded document content and is not responsible for their content.

12.1 The service offers automatic text recognition (OCR) from uploaded documents. Processing occurs exclusively based on an active user action (pressing the relevant button).

12.2 For text recognition, we use the Google Gemini model (operator: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) through a paid API interface.

12.3 The document is temporarily transmitted to the Google Gemini model solely for the purpose of extracting text and structured data (store name, date, amount, document type). Google processes data solely for the purpose of generating a response and does not use it to train its models (per Google API Terms of Service for paid APIs).

12.4 Data is not retained by the AI provider beyond the processing of each individual request.

12.5 OCR results are immediately encrypted with end-to-end encryption on the client side (in the user's browser) before being stored in the database. The operator does not have access to recognition results in readable form.

12.6 Data transfer to the USA is carried out on the basis of Standard Contractual Clauses (SCC) pursuant to Article 46 GDPR and in accordance with the European Commission's adequacy decision (EU-US Data Privacy Framework).

12.7 OCR processing is subject to rate limiting to protect the service against abuse.

12.8 The operator does not guarantee 100% accuracy of text recognition. OCR results are informational in nature and the user is obliged to verify the accuracy of the data.

13.1 The service uses end-to-end (E2E) encryption to protect sensitive user data. The encryption key is derived from the user's password using the PBKDF2 cryptographic function and never leaves the user's device in readable form.

13.2 The operator does not have access to the user's encryption key and has no technical ability to decrypt user data.

13.3 In the event of loss or forgetting the password without prior access recovery setup, the operator is unable to recover the user's data. The user acknowledges that password loss may lead to permanent loss of access to encrypted data.

13.4 The operator bears no responsibility for data loss caused by the user's loss of their encryption key (password).

13.5 The user is obliged to keep their password secure and not share it with third parties.

14.1 The user must not use the service to store, distribute or process content that: • violates the laws of the Czech Republic or the EU • infringes intellectual property rights of third parties • contains malicious software (malware, viruses, trojans) • serves fraudulent or criminal activity

14.2 The user must not: • attempt unauthorized access to other users' accounts • perform automated bulk queries or scraping of the service • intentionally overload the service infrastructure • circumvent technical limitations and security measures of the service • use the OCR function for bulk processing of documents in a manner exceeding normal personal or business use

14.3 Violation of this provision entitles the operator to immediately block or delete the user's account without entitlement to refund of payments made.

15.1 The service may send electronic notifications to the user (email alerts, push notifications) regarding: • approaching expiration of warranties, contracts and documents • plan changes and account status • important service updates and security alerts

15.2 The user may disable non-essential notifications at any time in account settings.

15.3 The operator reserves the right to send essential system notifications to the user (e.g., security warnings, Terms changes) that cannot be disabled.

16.1 The operator strives for maximum service availability but does not guarantee uninterrupted operation.

16.2 The operator is entitled to perform scheduled outages, updates and technical interventions, about which the user will be informed where technically feasible.

16.3 The user has no entitlement to compensation or price reduction due to temporary service unavailability.

16.4 The operator is not liable for service unavailability caused by third parties (hosting, network infrastructure, payment gateways).

17.1 The user is entitled to file a complaint about service defects via email at info@digidoklad.cz. Complaints will be resolved without undue delay, within 30 days of receipt at the latest.

17.2 The complaint must include a description of the defect, the date of its occurrence, and the user's contact details.

17.3 Consumers have the right to out-of-court resolution of consumer disputes. The Czech Trade Inspection Authority (www.coi.cz) is competent for out-of-court resolution of consumer disputes. The online dispute resolution platform is available at https://ec.europa.eu/consumers/odr.

17.4 For paid plans, if the service exhibits substantial defects preventing its proper use for more than 72 continuous hours, the user is entitled to a proportional extension of the prepaid period.

17.5 For the purposes of clause 17.4, scheduled maintenance notified to the user in advance pursuant to clause 16.2 and unavailability demonstrably caused exclusively by the user (e.g., user's internet connection failure, user's device malfunction) shall not be counted towards the continuous unavailability period.

18.1 The operator is not liable for lost profits, indirect damages or loss of business opportunities.

18.2 The operator is not liable for data loss caused by user actions (including loss of encryption key/password), technical failures or force majeure.

18.3 The total liability of the operator to the user is limited to the amount of payments made in the last 12 months.

18.4 The operator is not liable for the accuracy of automatic text recognition (OCR) results.

18.5 The operator is not liable for the content of documents uploaded by the user or their legal usability.

18.6 This provision does not affect mandatory consumer rights, in particular rights from defective performance and other rights that cannot be contractually excluded or limited.

19.1 Personal data protection is governed by a separate Privacy Policy document available at www.digidoklad.cz/en/privacy-policy.

19.2 The operator processes personal data in accordance with applicable legal regulations, especially Regulation (EU) 2016/679 (GDPR).

19.3 For business customers using a business plan, the Data Processing Agreement (DPA) set out in the appendix (Article 23) forms an integral part of these Terms.

20.1 The operator is entitled to change the scope of service, features, plans and these Terms at any time.

20.2 The user will be notified of material changes to the Terms at least 14 days in advance via the application or email.

20.3 By continuing to use the service after changes take effect, the user expresses consent to the new Terms. If the user disagrees with the changes, they are entitled to terminate the contractual relationship by deleting their account.

21.1 The operator is not liable for non-performance of obligations caused by force majeure circumstances, including natural disasters, armed conflicts, cyber attacks, third-party outages (cloud services, payment gateways), legislative changes or decisions by public authorities.

21.2 In case of force majeure, the operator shall make reasonable efforts to minimize impact on users and restore full service functionality.

22.1 Legal relations not regulated by these Terms are governed by the laws of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, and Act No. 634/1992 Coll., on Consumer Protection.

22.2 Any disputes will be resolved by the competent courts of the Czech Republic.

22.3 If any provision of these Terms is found to be invalid or unenforceable, this shall not affect the validity and enforceability of the remaining provisions.

22.4 These Terms become effective on February 14, 2026 and supersede all previous versions.

This Data Processing Agreement (hereinafter "DPA") is an integral part of the Terms of Service of DigiDoklad and is concluded in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR).

23.1 Contracting Parties Processor: DIGIVO Labs s.r.o. Company ID: 243 35 177 Registered office: Rybná 716/24, Staré Město, 110 00 Prague 1 File reference: C 439430 registered at the Municipal Court in Prague Controller: Business customer using a business plan of the DigiDoklad service.

23.2 Subject and Purpose of Processing 23.2.1 The Processor processes personal data on behalf of the Controller for the purpose of providing the DigiDoklad service. 23.2.2 Processing includes in particular: digital archiving of documents, OCR extraction of data from documents, structuring of accounting data, export of accounting records, and technical administration and security of the system. 23.2.3 Processing is carried out by automated means. 23.2.4 The duration of processing corresponds to the duration of the contractual relationship.

23.3 Categories of Data and Data Subjects 23.3.1 Processed data may include: identification data, contact data, tax identifiers, banking details, payment data, and other data contained in accounting documents. 23.3.2 Data subjects may be: employees of the Controller, customers, suppliers, business partners, and other natural persons mentioned in documents.

23.4 Controller's Instructions 23.4.1 The Processor processes personal data only on the basis of documented instructions from the Controller. 23.4.2 By entering into the agreement, the Controller instructs processing to the extent necessary for the provision of the service. 23.4.3 If the Controller's instruction would conflict with legal regulations, the Processor shall notify the Controller accordingly.

23.5 Technical and Organizational Measures 23.5.1 The Processor has adopted measures pursuant to Art. 32 GDPR appropriate to the risks of processing. 23.5.2 Documents and OCR outputs are encrypted using client-side end-to-end encryption. 23.5.3 Encryption keys are derived from the user's password and are not accessible to the Processor. 23.5.4 The Processor has no technical ability to access document content. 23.5.5 Employee access is limited to technical metadata and governed by the "need-to-know" principle. 23.5.6 Data transmission is carried out exclusively through encrypted communication channels (TLS).

23.6 Confidentiality 23.6.1 The Processor shall ensure that persons authorized to process data are bound by confidentiality obligations.

23.7 Sub-processors 23.7.1 The Controller grants general consent to the use of sub-processors. 23.7.2 Current list of sub-processors: • Supabase – database, authentication, storage • Google (Gemini API) – OCR and data structuring • Vercel – hosting • Resend – email communication • Comgate and Stripe – payment services • Upstash – cache 23.7.3 The Processor shall ensure that sub-processors are contractually bound by obligations equivalent to this DPA. 23.7.4 The Processor shall inform the Controller of any change in sub-processors at least 14 days in advance by publishing an updated list. 23.7.5 The Controller is entitled to raise a written objection within 14 days of being notified of a sub-processor change if they believe the change may lead to a reduction in the level of personal data protection. 23.7.6 In the event of a justified objection, the Parties shall negotiate a possible solution in good faith. If no agreement is reached, the Controller is entitled to terminate the contractual relationship as of the effective date of the sub-processor change; this shall not affect rights and obligations arising prior to the date of termination.

23.8 Transfers Outside the EU 23.8.1 If personal data is transferred outside the EU/EEA (e.g., use of Google API), such transfer is carried out on the basis of Standard Contractual Clauses (SCC) or another lawful mechanism under Chapter V of GDPR.

23.9 Security Breach 23.9.1 The Processor shall notify the Controller of a security breach without undue delay after becoming aware of it. 23.9.1.1 The notification pursuant to clause 23.9.1 shall be made no later than 72 hours from the moment the Processor becomes aware of the security breach, insofar as the nature of the incident and the availability of information permit. 23.9.2 The notification shall include: a description of the nature of the incident, probable consequences, and measures taken or proposed.

23.10 Cooperation and Data Subject Rights 23.10.1 The Processor shall provide reasonable cooperation in handling data subject requests. 23.10.2 If a data subject contacts the Processor directly, the request shall be forwarded to the Controller without undue delay.

23.11 Audit 23.11.1 The Controller is entitled to verify compliance with this DPA. 23.11.2 The audit shall be conducted upon prior written notice, in a reasonable scope, without disrupting service operations, and no more than once per year unless there is a justified need for more frequent review. 23.11.3 Audit costs shall be borne by the Controller, unless the audit reveals a material breach of the Processor's obligations.

23.12 Deletion and Return of Data 23.12.1 Upon termination of the contractual relationship, personal data shall be deleted. 23.12.2 In case of a downgrade, a maximum 60-day retention period may apply before deletion. 23.12.2.1 The Controller acknowledges that the service provides data and metadata export functionality within the scope of the selected plan features, and the Controller is entitled to use these export functions before termination of the contractual relationship. 23.12.3 Backups shall be deleted within the regular backup overwrite cycle.

23.13 Liability 23.13.1 Each Party shall be liable for GDPR violations in accordance with applicable legal regulations. 23.13.2 The Processor's liability is limited to the extent set out in the Terms of Service, except in cases of intentional breach or gross negligence.

23.14 Final Provisions of the DPA 23.14.1 This DPA is concluded by acceptance of the Terms of Service. 23.14.2 In the event of a conflict between this DPA and other parts of the Terms of Service, this DPA shall prevail.

24.1 The operator provides support via email at info@digidoklad.cz.

24.2 Support is provided on business days. The operator endeavors to respond without undue delay, typically within 2 business days.

24.3 Scheduled maintenance and outages may be performed primarily for updates and security interventions. Where technically feasible, the operator shall inform users of scheduled maintenance in advance.

24.4 The user acknowledges that service availability may be affected by third parties (hosting, cloud services, payment gateways). This shall not affect clause 17.4 regarding proportional extension of the prepaid period in case of substantial service defects.