The user of the operator’s services, as a data subject, by his free decision (by ticking a box, pressing a button) indicates that he is aware of all the facts listed below and agrees to the further processing of his personal data for the purposes of the business activities of the website operator and the interactive online platform www.kardi.ai, its mobile application and the artificial intelligence model associated with such platform (or consents to the processing of personal data for the purpose of sending newsletters, if he has granted special consent). For the purpose of this policy, an ‘AI model’ refers to the machine learning component integrated into the Kardi Ai platform. This model is trained using historical and user-generated ECG and health-related data to identify patterns and improve the Kardi Ai platform’s ability to interpret heart activity. Such AI model is part of a broader AI system developed and deployed by the controller that provides automated outputs to support user health monitoring.
Personal data is processed by the controller to the extent that the user has provided it to the controller, for the reason, scope and for the following purposes:
The personal data controller mainly processes the following personal data:
The processing of the personal data that does not reveal health-related information is necessary for the fulfillment of the contract between the user and the operator and for the fulfillment of legal obligations that apply to the operator. The health data (special categories of personal data) are processed by the controller including for the purposes of training and improving the AI model used by the Kardi Ai platform, and/or transferred to third parties (providers of health care services) based on explicit consent.
Where personal data is collected together with health-related data (e.g. heartbeat or ECG readings), the entire dataset is considered special category data and is processed only on the basis of the user’s explicit consent, in accordance with Articles 6(1)(a) and 9(2)(a) GDPR. The same applies to any transfer of such data to third parties (e.g. healthcare providers). In this context, explicit consent is the sole legal basis for processing personal and health data within the Kardi Ai platform. Without such consent, or if the user withdraws consent, the controller cannot provide the core functionalities of the Kardi Ai platform that rely on health data processing, and access to the platform will accordingly be restricted. The withdrawal of consent shall not affect the lawfulness of any processing carried out prior to such withdrawal.
Certain data that does not reveal the user’s health status or other data that are not considered special categories of personal data may be processed for purposes in which the provider has a legitimate interest, namely improving the provider’s services, specifically: i) for internal use by the controller, for the development of products and the controller’s portal; ii) for processing and publishing (including forwarding to contractual partners of the controller) in aggregated or anonymous form (e.g. for the purposes of various studies, statistical reports, infographics, case studies, etc.). Health data is not processed for these purposes without the user’s explicit consent, which can be withdrawn at any time. Consent withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
The user is hereby informed that measured values collected via the operator’s services cannot be retrieved or provided to the user after the deactivation of the user account.
This personal data is also processed for the purpose of presenting customized product offers of the controller and contractual partners of the controller. By granting consent, the user also agrees to the download, processing, storage and use of data by the controller for the following purposes: i) for internal use by the controller, for the development of the controller’s products and presenting the controller’s customized product offer to users; ii) for processing and publishing (including forwarding to contractual partners of the controller) in aggregated or anonymous form (e.g. for the purposes of various studies, statistical reports, infographics, case studies, etc.).
The data subject has the right to object at any time to the processing of their personal data for this purpose.
The processing of personal data for this purpose will take place for the duration of the consent granted, at most for the duration of the contractual relationship with the operator. Consent can be revoked at any time at the e-mail address gdpr@kardi.ai or by clicking the unsubscribe link provided in each message. In case of revocation of consent, the user’s personal data will be deleted by the controller.
The processing of personal data for all purposes above is carried out by the controller. Healthcare services providers also have access to health data, if they sell the device with the application to the user. The controller is entitled to transfer personal data to providers of health care services. Providers of health care services are independent controllers of such personal data.
The controller is entitled to transfer personal data to other entities (processors) with whom he has concluded a contract for the processing of personal data, in particular to external specialists (accountant, lawyer, doctor) and persons participating in the provision of the controller’s services.
The controller declares that all entities to which personal data may be made available respect the data subjects’ right to privacy protection and are obliged to proceed in accordance with applicable legal regulations regarding the protection of personal data.
Personal data of the citizens of countries within the European Economic Area are not transferred to countries outside the European Union.
Personal data of the citizens of third countries (outside the European Economic Area) may be transferred to companies in third countries (outside of the European Economic Area). In such cases, if the transfer is performed from the European Economic Area to the third country, the controller transfers the data only if one of the following conditions applies: (i) there is an adequate level of protection in the country in question, as determined by the European Commission, or (ii) the receiving company/importer of data is registered under the EU-U.S. Data Privacy Framework, or (iii) standard contractual clauses (EU model clauses) approved by the European Commission and additional supplementary measures to regulate the data transfer are implemented.
The controller applies appropriate technical and organizational measures for the protection of personal data that correspond to the nature and type of relevant personal data or categories and the risks associated with their processing.
As a subject of personal data, the user has the following rights in accordance with the GDPR:
Czech Republic:
The Office for Personal Data Protection
Pplk. Sochora 27, 170 00 Praha 7, Czech Republic
https://uoou.gov.cz/en/consultation/contact
depending on the data subject’s place of habitual residence, place of work, or the place of the alleged infringement.
The data subjects shall further have the right to an effective judicial remedy where the data protection authority does not handle their complaint or does not inform them within three months on the progress or outcome of the complaint lodged. Proceedings against the supervisory authority shall be brought before the local competent courts where the supervisory authority has its registered address.
Without prejudice to any available administrative or non-judicial remedy, including the above-mentioned right to lodge a complaint with a data protection authority, data subjects shall also have the right to an effective judicial remedy against the controller where they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in breach of the GDPR. Such proceedings shall be brought before the courts of the EU Member State where the controller has an establishment. Alternatively, the data subject may bring the action before the local courts, if the particular country is the data subject’s place of habitual residence.
The controller notes that it is not possible to request the deletion of personal data that the controller is legally obliged to collect based on a statutory obligation.
If the user wishes to correct personal data that the operator processes about him, or exercise any of the above-mentioned rights, he may contact the controller at the e-mail address: gdpr@kardi.ai.
Date: 1 October 2025