Privacy Policy

Last updated: February 26, 2026

Bellita Mariusz Nowakowski

Os. Królewska 18/U7, 02-972 Warszawa

NIP: PL5661842922

1. Data Controller

The data controller responsible for processing your personal data is:

Bellita Mariusz Nowakowski
Os. Królewska 18/U7
02-972 Warszawa, Poland
NIP: PL5661842922

Data Protection Officer (DPO) contact: agencjaautomatyzacji.pl@gmail.com

You may contact us regarding any data protection matters at the email address above or by postal mail to the address listed.

2. Types of Data Collected

We collect and process the following categories of personal data:

  • Account data: email address, display name, password (hashed), company name, preferred language, country, and currency.
  • Shop credentials: e-commerce platform API keys and access tokens, stored encrypted in a dedicated secrets vault (Supabase Vault, AES-256).
  • Product data: product names, descriptions, external IDs, and URLs imported from connected e-commerce stores.
  • Usage logs: refresh timestamps, status (success/failure), duration, and token usage for each product description refresh.
  • Payment data: Stripe customer ID and subscription details. Full payment card information is processed and stored exclusively by Stripe.
  • Consent records: records of your cookie consent preferences, including timestamps and consent categories.

4. Data Processors

We use the following third-party data processors to provide the Service:

Processor | Location       | Purpose
Supabase  | EU (Frankfurt) | Database hosting, user authentication, secrets vault
Stripe    | EU             | Payment processing, subscription billing, tax calculation
OpenAI    | US             | AI content generation (product description refresh)
Google    | US             | Google Analytics (website traffic analysis), Google Search Console (page re-indexing)
Vercel    | Global (CDN)   | Application hosting, content delivery network

Each processor operates under a Data Processing Agreement (DPA) that ensures compliance with GDPR requirements.

5. Data Retention Periods

We retain your data for the following periods:

  • Refresh logs: 90 days from creation, then automatically deleted.
  • Product data: retained while your account is active. Inactive product records are archived after 180 days.
  • Account data: retained until you delete your account. Upon account deletion, all data is permanently removed.
  • Consent records: retained permanently as an audit trail for GDPR compliance purposes.
  • Billing records: retained for 5 years as required by Polish tax law.

Automated cleanup processes run daily to enforce these retention periods.

6. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: request a copy of all personal data we hold about you.
  • Right to rectification: update or correct inaccurate personal data.
  • Right to erasure (“right to be forgotten”): request deletion of your personal data and account.
  • Right to data portability: receive your data in a structured, machine-readable format (JSON).
  • Right to restriction of processing: request limitation of data processing in certain circumstances.
  • Right to object: object to processing based on legitimate interest.

You can exercise most of these rights directly from your dashboard at Settings > Privacy & Data:

  • Download your data (JSON export)
  • Delete your account (immediate, irreversible)
  • Manage consent preferences (cookie banner)

For any other requests, contact us at agencjaautomatyzacji.pl@gmail.com. We will respond within 30 days.

7. International Data Transfers

Some of our data processors (OpenAI, Google) are located in the United States. We ensure adequate protection for international data transfers through the following mechanisms:

  • EU-US Data Privacy Framework: processors certified under the DPF provide an adequate level of data protection as recognized by the European Commission.
  • Standard Contractual Clauses (SCCs): where the DPF is not applicable, we rely on EU-approved Standard Contractual Clauses to safeguard your data.

Our primary database and authentication services (Supabase) are hosted in the EU (Frankfurt, Germany), ensuring that the majority of your data remains within the European Economic Area.

8. Data Security Measures

We implement the following technical and organizational measures to protect your data:

  • Encryption at rest: sensitive data (API keys, access tokens) is encrypted using AES-256 via Supabase Vault.
  • Encryption in transit: all data transmitted between your browser and our servers uses TLS 1.3.
  • Row-Level Security (RLS): database-level access controls ensure users can only access their own data.
  • Service role isolation: administrative operations use isolated service-role credentials, never exposed to client-side code.
  • Password hashing: user passwords are hashed using bcrypt with appropriate salt rounds.
  • Session management: secure, httpOnly cookies for authentication sessions with automatic expiration.

9. Children’s Data

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16.

If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take immediate steps to delete such data.

If you believe that a child under 16 has provided us with personal data, please contact us at agencjaautomatyzacji.pl@gmail.com.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, we will:

  • Notify the Polish supervisory authority (UODO — Urząd Ochrony Danych Osobowych) within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the GDPR.

Breach notifications will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by email at least 14 days before the updated policy takes effect. The “Last updated” date at the top of this policy indicates the most recent revision.

Continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes.

12. Contact Information

For any questions or concerns about this Privacy Policy or our data processing practices, you may contact us at:

Data Protection Officer
Bellita Mariusz Nowakowski
Os. Królewska 18/U7
02-972 Warszawa, Poland

Email: agencjaautomatyzacji.pl@gmail.com

You also have the right to lodge a complaint with the Polish supervisory authority:

UODO — Urząd Ochrony Danych Osobowych
ul. Stawki 2
00-193 Warszawa, Poland
https://uodo.gov.pl