Privacy & Cookie Policy - Ekomejl Toolbox

1. Data controller

Ekomejl Toolbox is operated by the Ekomejl team, which acts as the controller for personal data processed through this application.

Privacy contact
E-mail: support@ekomejl.cz

2. Data we process

To run the toolbox, keep it secure, and understand feature usage, we process the following categories of data:

Category	Examples	Purpose
Technical and security data	IP address, request ID, tenant ID, user agent, browser, operating system, device type, and approximate location derived from IP	Security, fraud prevention, troubleshooting, service performance, and first-party usage reporting
Usage and session data	Visited pages and tools, timestamps, referrer, query string, tab activity, session identifiers, and product interaction history	Keeping the application stateful, restoring workspace history, measuring usage patterns, and improving the product
Account and security data	Username, email, password hash, role, plan, permissions, verification/reset tokens stored as hashes, remember-me session metadata, last login details, bans, and activity logs	Authentication, authorization, account protection, rate-limit enforcement, recovery emails, and audit logging
Cookies and browser storage	Consent status, session cookies, request-catcher token, analytics session ID, workspace state, language choice, and per-tool preferences stored in local storage	Session continuity, sign-in persistence, consent memory, feature preferences, and restoring recent workspace context

3. Why we process data

We use the data above to:

Deliver and maintain the public tools and protected workspace features.
Protect the application against abuse, unauthorized access, and operational failures.
Remember session state, cookie choices, and tool preferences across visits.
Understand aggregate product usage and improve the experience over time.
Maintain audit trails for protected account and security actions.

4. Cookies and browser storage currently in use

The application uses first-party cookies and browser storage. It does not use advertising cookies. Key storage items currently used by the product include:

Name	Type	Purpose	Typical retention
cookie_consent	Cookie	Stores your cookie preference choice.	365 days
PHPSESSID or PHPSESSID_<tenant>	Cookie	Maintains the PHP session and secure sign-in state.	Until the browser session ends
devtools_session or devtools_session_<tenant>	Cookie	Keeps the application session stable across visits and supports session-linked history.	Up to 90 days
stats_session_id	Cookie	Supports first-party product analytics and session-level visit tracking.	30 days
legacy_remember_token_<tenant>	Cookie	Keeps a protected account signed in when Remember me is selected.	30 days
toolbox_auth_remember	Cookie	Keeps a unified toolbox account signed in when Remember me is selected.	30 days
reqcatcher_token	Cookie	Associates Request Catcher and log viewer activity with your browser.	365 days
Browser local storage	Local storage	Stores workspace tabs, input history, history sidebar state, knowledge base language, tool preferences, and other on-device UI settings.	Until you clear browser storage

If multi-tenant mode is enabled, some cookie names include a tenant suffix. We do not use third-party advertising or retargeting cookies.

5. Legal bases

Depending on the feature, we rely on one or more of the following legal bases under GDPR:

Legitimate interests for security, service reliability, fraud prevention, operational logging, and first-party product measurement.
Performance of a contract where data is required to provide authenticated features or requested product functionality.
Consent for storing and remembering cookie preference choices and for any optional storage categories that may be introduced later.

6. Retention

Data type	Typical retention
Application session cookies	Until browser close or up to 90 days, depending on the cookie
First-party analytics session cookie	30 days
Admin remember-me token	30 days
Unified account remember-me token	30 days, stored server-side as a hash with revocation metadata
Email confirmation and password reset tokens	1-24 hours, with only token hashes stored
Request Catcher browser token	365 days
Session-linked visitor records	Up to 90 days for the application session record
Account and security audit logs	Typically 180 days for detailed events, longer only when required for security review
Browser local storage	Until you clear it in your browser

7. Who we share data with

We do not sell personal data. We may share limited data with service providers that help us run the application, such as hosting and infrastructure partners. We also use an IP geolocation service to derive approximate location data from IP addresses for reporting. Data may also be disclosed when required by law.

We do not use third-party advertising networks on this site.

8. Your rights

Subject to applicable law, you can request:

Access to the personal data we hold about you.
Correction of inaccurate or incomplete data.
Deletion of data where retention is no longer required.
Restriction of processing in specific circumstances.
Data portability where the legal conditions apply.
Objection to processing based on legitimate interests.
Withdrawal of consent where processing relies on consent.

To exercise any of these rights, contact us at support@ekomejl.cz.

9. Security

We apply technical and organizational safeguards designed to protect the application and the data it processes, including:

Password hashing for account credentials.
Secure cookie settings such as `HttpOnly` and `SameSite` where supported.
Transport security controls and security headers.
Role-based access controls and audit logging for protected features.

10. Supervisory authority

If you believe your personal data has been processed unlawfully, you may lodge a complaint with the Czech Data Protection Authority:

Office for Personal Data Protection
Pplk. Sochora 27
170 00 Prague 7
Web: www.uoou.cz

11. Changes to this policy

We may update this page as the product evolves. Material changes will be reflected here together with a new update date.