• NOW USING AI •
• MADE WITH MISTRAL AI •
• IT'S EUROPEAN BASED •
• PRIVACY FRIENDLY •
• NOW USING AI •
• AI THAT DOES USEFUL THINGS •
• IT'S NOT A BUG, IT'S AI •
• THIS FEATURE SHOULD HAVE BEEN RELEASED BEFORE THE AI BUBBLE BUSTED •
• NOW USING AI •
• FIGHT CHAT CONTROL •
• THIS IS AI WRITTEN •
• THE CEO IS AN AI •(it's not true, he's actually a cool human)
• NOW USING AI •
• BIG CLANKER ENERGY •
• THE STOCK MARKET IS RAN BY LIZARD PEOPLE •(allegedly)
• EPSTEIN DID NOT KILL HIMSELF •(that one is true)
• NOW USING AI •

Products

Uptime

 Pricing Documentation Changelog Log in Sign up

Privacy Policy

Last updated: October 20, 2025

Previous versions:

Phare is incorporated as ČAROVNIŠKE TEHNOLOGIJE, Nicolas Paul Beauvais s.p. (“Phare”)

At Phare we are committed to processing personal data securely and respecting privacy of the concerned individuals.

1. Scope and Definitions

This Policy describes Phare's rules for personal data processing and protection. It applies to Phare and all employees and contractors ("we", "us", "our", "Phare"). Management ensures adequate procedures for implementation and monitoring.

The Privacy Manager (Nicolas Beauvais) is responsible for data protection compliance, supervising adherence to this Policy, and must be involved in all projects from the planning phase.

Competent Supervisory Authority: means a public authority that is responsible for regulating and supervising personal data protection with regards to activities of Phare.

Data Breach: means a breach of the security and/or confidentiality leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. This includes but is not limited to e-mails sent to an incorrect or disclosed list of recipients, an unlawful publication of the Personal Data, loss or theft of physical records, and unauthorized access to personal information.

Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines (make a decision) the purposes and means of the processing of Personal Data.

Data Processor: means a natural or legal person, public authority, agency or other body which processes the Personal Data on behalf of the data controller.

Data Protection Laws: mean any laws and legal rules on personal data use and protection applicable to the activities of Phare, including, but not limited to the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR).

Data Subject Request (DSR): means any request from the Data Subject and concerning their personal data and/or data subject rights.

Data Subject: means a natural person, whose Personal Data we process. Data Subjects include but are not limited to users, website visitors, employees, contractors, and partners of Phare.

Personal Data: means any information relating to an identified or identifiable Data Subject; a Data Subject can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or the combination of factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

Processing: means any operation or set of operations which is performed by Phare on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Standard Contractual Clauses: means the European Commission Decision of February, 5 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU).

Third Party: means a natural or legal person, who accesses the Personal Data for further processing and is not an employee, member or corporate affiliate of Phare. This definition does not apply to natural persons, who provide services to Phare as contractors on a regular basis.

User: means a Data Subject who uses our services provided on Phare website.

2. Data Processing Principles

Phare’s processing activities must be in line with the principles specified in this Section. The Privacy Manager must make sure that Phare’s compliance documentation, as well as data processing activities, are compliant with the data protection principles.

We must process the Personal Data in accordance with the following principles:

Lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency). We shall always have a legal ground for the processing (described in Section 3 of this Policy), collect the amount of data adequate to the purpose and legal grounds, and we make sure the Data Subjects are aware of the processing;

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation). We must not process the Personal Data for the purposes not specified in our compliance documentation without obtaining specific approval of the Privacy Manager;

Adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization). We always make sure the data we collect is not excessive and limited by the strict necessity;

Accurate and, where necessary, kept up to date (accuracy). We endeavor to delete inaccurate or false data about Data Subjects and make sure we update the data. Data Subjects can ask us for a correction of the Personal Data;

Kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (storage period limitation). The storage periods must be limited as prescribed by Data Protection Laws and this Policy; and

Process in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures (confidentiality, integrity, and availability).

We shall be able to demonstrate our compliance with Data Protection Laws (accountability principle). In particular, we must ensure and document all relevant procedures, efforts, internal and external consultations on personal data protection including:

  • the fact of appointing a person responsible for Phare’s data protection compliance;
  • where necessary, a record of a Data Processing Impact Assessment;
  • developed and implemented notices, policies, and procedures, such as Privacy Notice, this policy or Data Breach response procedure;
  • the fact of staff training on compliance with Data Protection laws; and
  • assessment, implementation, and testing organizational and technical data protection measures.

The Privacy Manager must maintain Phare’s Records of processing activities, which is an accountability document that describes personal data processing activities of Phare, prepared in accordance with Art. 30 of the GDPR (the “Records of processing activities”). The Records of processing activities must maintain, at least, the following information about each processing activity:

  • contact details of Phare, the EU Representative, and, where applicable, of the Data Protection Officer;
  • name of the activity, its purposes and legal basis along with, where applicable, the legitimate interests of Phare;
  • data subjects and personal data categories concerned;
  • data retention periods;
  • general description of applicable security measures; recipients, including joint controllers, processors, and contractors involved, as well as the fact of the international data transfer with the safeguards applied to the transfer;
  • where applicable, a reference to the Data Processing Impact Assessment;
  • where applicable, a reference to the record of the data breach occurred involving the personal data;
  • if Phare acts as a data processor, the information to be provided includes the names and contact details of controllers, name and contact details of controller's representative (if applicable), categories of processing (activities), names of third countries or international organizations that personal data are transferred to (if applicable), safeguards for exceptional transfers of personal data to third countries or international organizations (if applicable), and general description of technical and organizational security measures.

3. Access to Personal Data. Legal Grounds and Purposes

Each processing activity must have one of the lawful grounds specified in this Section to process the Personal Data. If we do not have any of the described, we cannot collect or further process the Personal Data.

If Phare is intended to use personal data for other purposes than those specified in the Records of processing activities, the Privacy Manager must evaluate, determine, and, if necessary, collect/record the appropriate legal basis for it.

Performance of the contract. Where Phare has a contract with the Data Subject, e.g. website's Terms of Use or the employment contract, and the contract requires the provision of personal data from the Data Subject, the applicable legal ground will be the performance of the contract.

Consent. To process the personal data based on the consent, we must obtain the consent before the Processing and keep the evidence of the consent with the records of Data Subject's Personal Data. The Privacy Manager must make sure that the consent collected from Data Subjects meet the requirements of Data Protection Laws and this Policy. In particular, the Privacy Manager must make sure that:

  • the Data Subject must be free to give or refuse to give consent.
  • the consent is in the form of an active indication from the Data Subject, i.e., the consent checkbox must not be pre-ticked for the user.
  • the request for the consent clearly articulates the purposes of the processing, and other information specified in Subsection 6.2 is available to the Data Subject.
  • the Data Subject must be free to give one's consent or to revoke it.

We have the right to use personal data in our 'legitimate interests'. The interests can include the purposes that are justified by the nature of our business activities, such as the marketing analysis of personal data. For Phare to use legitimate interests as a legal ground for the processing, the Privacy Manager must make sure that:

  • the legitimate interest in the processing is clearly defined and recorded in the Records of processing activities;
  • any envisaged risks to Data Subject rights and interests are spotted. The examples of the risks can be found in Subsection 7.2.;
  • the Data Subjects have reasonable expectations about the processing, and additional protective measures to address the risks are taken;
  • subject to the conditions of Subsection 6.7 (Right to object against the processing), the Data Subject is provided with the opportunity to opt-out from the processing for the described legitimate interests.

If at least one of the above conditions is not met by Phare, the Privacy Manager must choose and propose a different legal ground for the processing, such as consent.

Legal Compliance and Public Interest. Besides the grounds specified afore, we might be requested by the laws of the European Union or laws of the EU Member State to process Personal Data of our Users. For example, we can be required to collect, analyze, and monitor the information of Users to comply with financial or labor laws.

Whenever we have such an obligation, we must make sure that:

  • we process personal data strictly in accordance with relevant legal requirements;
  • we do not use or store the collected Personal Data for other purposes than legal compliance; and
  • the Data Subjects are properly and timely informed about our obligations, scope, and conditions of personal data processing.

Important: Where Phare has the law requirements of another country to process personal data, the Privacy Manager must propose using another legal ground for the processing under Data Protection Laws, such as legitimate interests or consent.

Employee data access is on a "need-to-know" basis for activities specified in our processing records.

Department heads maintain employee access lists, reviewed by the Privacy Manager. They ensure employees understand Data Protection Laws and receive adequate training.

All employees must maintain strict confidentiality, use prescribed processing methods, assist with compliance efforts, and report suspicious activities or compliance issues to the Privacy Manager.

Employees uncertain about data processing must seek Privacy Manager approval before taking action. Access for activities not in our records requires prior Privacy Manager approval.

4. Third Parties

Before sharing personal data with any person outside of Phare, the Privacy Manager must ensure that this Third Party has an adequate data protection level and provide sufficient data protection guarantees in accordance with Data Protection Laws, including, but not limited to the processorship requirements (Art. 28 of the GDPR) and international transfers compliance (Section 5 of the GDPR). Where necessary, the Privacy Manager must make sure that Phare enters into the appropriate data protection contract with the third party.

An employee can share personal data with third parties only if and to the extent that was directly prescribed by the manager and specified in the Records of processing activities.

If we are required to delete, change, or stop the processing of the Personal Data, we must ensure that the Third Parties, with whom we shared the Personal Data, will fulfill these obligations accordingly.

Whenever Phare is engaged as a data processor on behalf of another entity, the Privacy Manager must make sure Phare complies with the processorship obligation. In particular, the appropriate data processing agreement in accordance with the Data Protection Laws must be in place. The Privacy Manager must supervise the compliance with data processing instructions from the controller, including regarding the scope of processing activities, involvement of sub-processors, international transfers, storage, and further disposal of processed personal data. The personal data processed under the processor role must not be processed for any other purposes than specified in the relevant instructions, agreement or other legal act regulating the relationships with the controller.

5. International Transfers

If we have the employees, contractors, corporate affiliates, or Data Processors outside of the EEA, and we transfer Personal Data to them for the processing, the Privacy Manager must make sure Phare takes all necessary and appropriate safeguards in accordance with Data Protection Laws.

The Privacy Manager must assess the safeguards available and propose to the Phare’s management the appropriate safeguard for each international transfer. The following regimes apply to the transfers of Personal Data outside of the EU:

  • where the European Commission decides that the country has an adequate level of personal data protection, the transfer does not require taking additional safeguards. The full list of adequate jurisdictions can be found on the relevant page of the European Commission’s website.
  • to transfer Personal Data to our contractors or partners (Data Processors or Controllers) in other third countries, we must conclude Standard Contractual Clauses with that party. The draft version along with the guidance can be found on the relevant page of the European Commission’s website;
  • if we have a corporate affiliate or an entity in other countries, we may choose to adopt Binding Corporate Rules in accordance with Article 47 of the GDPR or an approved code of conduct pursuant to Article 40 of the GDPR;
  • we also can transfer Personal Data to entities that have an approved certification in accordance with Article 42 of the GDPR, which certifies an appropriate level of company’s data protection.

As a part of the information obligations, Phare must inform the Data Subjects that their Personal Data is being transferred to other countries, as well as provide them with the information about the safeguards used for the transfer. The information obligation is to be performed in accordance with Subsection 6.2.

In the exceptional cases (the “Derogation”), where we cannot apply the safeguards mentioned afore and we need to transfer Personal Data, we must take an explicit consent (active statement) from the Data Subject or it must be strictly necessary for the performance of the contract between us and the Data Subject, or other derogation conditions apply in accordance with the Data Protection Laws. The Privacy Manager must pre-approve any Derogation transfers and document the approved Derogations, as well as the rationale for them.

6. Rights of Data Subjects

Privacy Manager is ultimately responsible for handing all DSR received by Phare. In the case of receiving any outstanding or unusual DSR, the employee must seek advice from the Privacy Manager before taking any action.

Customer Support within Phare is responsible for handling DSRs from Phare Users on a daily basis. The Human Resources department is responsible for handling the DSR from Phare employees.

All DSRs from the Users must be addressed at and answered from the following e-mail address: support@phare.io. DSR from the employees can be addressed directly to the HR manager or at support@phare.io.

We respond to DSRs within one month. If more time is needed, we inform the Data Subject and may extend up to two additional months.

DSR analysis criteria:

  • Verify the Data Subject's identity through email address matching or additional verification details
  • If verification fails, refuse the request within one month
  • Check if we have access to the requested data; if not, inform the Data Subject
  • Determine request type and verify it meets Policy and legal requirements
  • Requests are generally free unless excessive or abusive
  • Document all DSRs including decisions and rationale
  • Ensure all relevant parties are informed of actions taken

Phare must notify each Data Subject about the collection and further processing of the Personal Data.

Information provided includes: Phare's contact details; processing purposes and legal basis; data categories; recipients; retention periods; data subject rights including complaint rights; consequences of not providing required data; international transfer safeguards; and data sources.

Users are informed through this Privacy Policy on our website and during registration. Employees receive a standalone privacy statement.

We inform Data Subjects about data processing:

  • when personal data is collected directly, at the time of collection;
  • when collected from other sources: within one month of collection, or at first communication, or before disclosure to recipients;
  • upon request; and
  • at least 30 days before any changes to our privacy practices or significant privacy policy updates.

The Data Subject must be provided only with those personal data records specified in the request. If the Data Subject requests access to all personal data concerning her or him, the employee must seek advice from the Privacy Manager first, to make sure all personal data of the Data Subject is mapped and provided.

A Data Subject has the right to:

  • learn if we process the Data Subject’s Personal Data;
  • obtain disclosure regarding aspects of the processing, including detailed and case-specific information on purposes, categories of Personal Data, recipients/categories of recipients, retention periods, information about one’s rights, details of the relevant safeguards where personal data is transferred outside the EEA, and any third-party source of the personal data; and
  • obtain a copy of the Personal Data undergoing processing upon the request.

If personal data becomes inaccurate or out-of-date, we correct all mistakes and update relevant information upon discovery or request.

Data Subjects can request processing restriction when they:

  • contest data accuracy;
  • believe processing is unlawful; or
  • object to processing pending our review.

During restriction, we only store the data or use it for legal compliance.

Data Subjects can withdraw consent anytime. We record withdrawals and stop consent-based processing, though prior lawful processing remains valid.

Data Subjects can object to processing based on legitimate interests (e.g., marketing). We consider requests and stop processing unless we have compelling interests. We ensure databases record objections to prevent future processing for objected activities.

Objections can only be refused for protected scientific/historical research or statistical purposes.

Data Subjects can request erasure when:

  • Data is no longer necessary for collection purposes;
  • Consent is withdrawn/processing objected to with no other legal ground; or
  • Processing is unlawful or legally required to be erased.

We may refuse erasure for:

  • Protected scientific/historical research or statistical purposes;
  • Legal compliance requirements.

We delete only specified records unless the Privacy Manager maps all data for complete deletion. If account-necessary data is requested for deletion, we inform users this may affect service or require account closure.

Data Subjects can request data portability in machine-readable format when data was collected for:

  • Service provision (contract performance); or
  • Based on consent.

The Privacy Manager checks legal basis in our processing records. If conditions aren't met, we may refuse or comply voluntarily. To fulfill requests, we consolidate requested data in our standard format and send to the specified organization.

7. New Data Processing Activities

New data processing activities must be reported to the Privacy Manager, who will:

  • Determine if DPIA/Supervisory Authority consultation is required;
  • Establish legal basis for processing;
  • Ensure compliance with all policies and laws;
  • Update processing records; and
  • Amend privacy statements and notify Data Subjects as necessary.

We conduct Data Processing Impact Assessments (DPIA) when required by law to assess risks and mitigation measures.

The Privacy Manager conducts a DPIA when:

  • Processing involves new technologies (AI, connected devices) creating legal/economic effects;
  • Systematic profiling assigns scores creating legal effects;
  • Large-scale processing of sensitive data (criminal, health, biometric, etc.);
  • Large-scale public data collection or dataset combination; or
  • Required by Supervisory Authority lists.

DPIA assessments include:

  • Description of processing operations, purposes, data categories, subjects, scale, recipients, retention, and transfers;
  • Necessity and proportionality assessment with less intrusive alternatives;
  • Risk assessment covering discrimination, fraud, financial loss, reputation damage, confidentiality loss, rights deprivation, profiling effects, vulnerable persons processing, and large-scale impacts; and
  • Risk mitigation measures and compliance safeguards.

If risks cannot be effectively addressed, we consult the Supervisory Authority before proceeding.

8. Data Retention

We define clear data storage periods for each processing activity in our Records. Departments must comply with retention schedules under Privacy Manager supervision.

After storage periods end, data is removed or destroyed completely, including backups. If data remains necessary for other purposes, access is restricted to prevent use for ceased activities.

The rules specified in Subsection 8.1 have the following exceptions:

Exceptions to retention periods:

  • Business-critical prolongations up to 60 days (Privacy Manager approval required);
  • Technically impossible deletions (system integrity, backup limitations) with Privacy Manager approval and Records updates; and
  • Fully anonymized data (all identifiers removed) can be retained indefinitely.

9. Security

Each department implements appropriate technical and organizational security measures against unauthorized access, modification, or disclosure.

Our System Administrator supervises data security, implements protection guidelines, advises management, and participates in all projects from planning to ensure security integration.

10. Data Breach Response Procedure

Upon discovering a Data Breach, our CEO forms a Response Team led by the CEO and including the Privacy Manager and security specialists. The Response Team:

  • Notifies competent Supervisory Authorities;
  • Informs Data Subjects if high risk exists;
  • Notifies relevant third parties;
  • Takes measures to stop and mitigate the breach; and
  • Documents the breach in our Records.

We notify Supervisory Authorities within 72 hours, determined by affected Data Subjects' residence. Multi-country breaches require notification to all relevant authorities.

Notifications include:

  • Breach nature, categories and number of affected subjects/records;
  • Response Team contact details;
  • Likely consequences and risks; and
  • Mitigation measures taken or proposed.

For high-risk breaches, we notify affected Data Subjects promptly via email (or other means if email unavailable), including:

  • Breach description;
  • Our response measures;
  • Mitigation recommendations; and
  • Response Team contact information.

Data Subject notification exceptions:

  • Data was protected (encrypted) making it inaccessible;
  • Subsequent measures eliminated high risk; or
  • Disproportionate effort required (public communication substituted).

We document all exemption circumstances and rationale.

Third-party breach notifications occur within 24 hours. When processing on behalf of others, we notify controllers but they handle authority/subject notifications.

11. Questions?

If you have any questions or concerns about Phare’s privacy policy or data protection practices, please don't hesitate to reach out.

Send an email to support@phare.io, or check out the contact page for more options.