Privacy Policy

Last updated: March 18, 2026

1. Data Controller

The data controller of your personal data is:

Bizautomat P.S.A.
os. Jana III Sobieskiego 40/2N
60-668 Poznań, Poland
KRS: 0001223323
Tax ID (NIP): 9721375723

Contact regarding data protection:
Email: [email protected]

2. Scope of Collected Data

2.1 Data Related to the Use of the s2ksef Application

When using the s2ksef Application (installed from the Stripe App Marketplace), we collect and process:
- Stripe Account ID — obtained automatically during Installation (Stripe OAuth)
- Billing data linked to the Stripe account (company name, registered address, tax ID, email address) — retrieved from Stripe for invoicing purposes
- Data contained in invoices and documents entered into the Application by the User (including counterparty data, tax IDs, amounts, line item descriptions)
- Application configuration data (Application Settings / AppSettings)
- Data related to KSeF communication (Polish National e-Invoicing System) — including KSeF authorisation tokens, session reference numbers, UPO (Official Acknowledgement of Receipt)
- Operation logs of actions performed in the Application

2.2 Newsletter (Mailing List)

When signing up for our newsletter, we collect:
- Email address (required)
- Date and time of consent (timestamp)
- Sign-up source (website form)

2.3 Contact Form

In the contact form, we collect:
- Email address (required)
- Full name (required)
- Company name (optional)
- Message content

2.4 Automatically Collected Data

While using the website, we automatically collect:
- IP address
- Browser type and device
- Information about website usage (Google Analytics)
- Technical security-related data (reCAPTCHA)

3. Purposes and Legal Bases for Processing

| Purpose | Legal Basis | Data |
| --- | --- | --- |
| Provision of Services via the s2ksef Application (generating and submitting invoices to KSeF, document archiving) | Performance of a contract (Art. 6(1)(b) GDPR) | Stripe ID, billing data, invoice data, KSeF data |
| Payment processing and subscription management | Performance of a contract (Art. 6(1)(b) GDPR) | Stripe ID, billing data |
| Issuing VAT invoices for the Services | Legal obligation (Art. 6(1)(c) GDPR) | Company name, address, tax ID, email |
| Development and improvement of the Application | Legitimate interest (Art. 6(1)(f) GDPR) | Anonymised usage data, operation logs |
| Sending a newsletter with information about the S2K application | Consent (Art. 6(1)(a) GDPR) | Email address, consent timestamp |
| Responding to contact inquiries | Legitimate interest in conducting correspondence (Art. 6(1)(f) GDPR) | Email, name, company name, message content |
| Website traffic analysis (Google Analytics) | Consent (Art. 6(1)(a) GDPR) | IP address, device data, behavior on site |
| Protection against spam and attacks (reCAPTCHA) | Legitimate interest in ensuring system security (Art. 6(1)(f) GDPR) | IP address, browser technical data |

4. Data Recipients

Your personal data may be transferred to the following entities:

4.1 Stripe, Inc.

  • Headquarters: San Francisco, CA, USA (354 Oyster Point Blvd, South San Francisco, CA 94080)
  • Purpose: Payment processing, subscription management, User authentication (Stripe OAuth), Stripe Customer Portal
  • Basis: Service agreement, Data Processing Agreement (DPA)
  • Transfer to USA: EU-US Data Privacy Framework and Standard Contractual Clauses

4.2 GetResponse S.A.

  • Headquarters: Gdańsk, Poland (EU)
  • Purpose: Storing and managing the mailing list
  • Basis: Data Processing Agreement (DPA)
  • Transfer to USA: GetResponse uses subcontractors in the USA (Google Cloud, Microsoft) based on Standard Contractual Clauses (SCC) approved by the European Commission

4.3 Google LLC

  • Headquarters: USA
  • Purpose: Google Analytics (website traffic analysis), reCAPTCHA (bot protection)
  • Basis: Data Processing Agreement
  • Transfer to USA: EU-US Data Privacy Framework and Standard Contractual Clauses

4.4 Hetzner Online GmbH

  • Headquarters: Germany (EU)
  • Purpose: Website hosting and Application infrastructure
  • Basis: Hosting service agreement

4.5 Cloudflare, Inc.

  • Headquarters: USA
  • Purpose: CDN and proxy (optional)
  • Basis: Service agreement
  • Transfer to USA: EU-US Data Privacy Framework

4.6 Ministry of Finance (KSeF)

  • Headquarters: Warsaw, Poland
  • Purpose: Submission of structured invoices to the Polish National e-Invoicing System (KSeF) in accordance with applicable law
  • Basis: Legal obligation (Art. 6(1)(c) GDPR)

5. Data Retention Period

| Data Category | Retention Period |
| --- | --- |
| Application data (invoices, documents, configuration) | Duration of the Agreement + 5 years (tax documentation retention period required by law) |
| Billing data (invoices for Services) | 5 years from the end of the tax year in which the invoice was issued |
| Operation logs | Up to 12 months from the date of the operation |
| Newsletter | Until consent withdrawal + 14 days to process deletion request |
| Contact form | Up to 12 months from correspondence completion |
| Google Analytics | 14 months from data collection |
| Inactive newsletter subscribers | Automatic deletion after 24 months of inactivity (no email opens) |

Note: Data required to prove consent (timestamp) may be retained for the limitation period of claims arising from data protection regulations.

6. Your Rights

You have the right to:

6.1 Access to Data

You can request information about what data we process about you.

6.2 Data Rectification

You can request correction of inaccurate or incomplete data.
You can update your billing data directly in the Stripe Customer Portal or in the Application Settings.
A link to update your newsletter data is included in every email we send.

6.3 Data Deletion

You can request deletion of your personal data ("right to be forgotten").
Uninstalling the Application and cancelling the subscription in the Stripe Customer Portal results in the cessation of processing data related to the Service. Data subject to archiving obligations (e.g. VAT invoices) will be retained for the period required by law.
An unsubscribe link is included in every newsletter we send.

6.4 Processing Restriction

In certain situations, you can request restriction of processing your data.

6.5 Data Portability

You can receive your data in a structured, commonly used format (CSV/JSON).

6.6 Objection

You can object to processing your data based on legitimate interest.

6.7 Consent Withdrawal

You can withdraw consent to data processing at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

How to Exercise Your Rights?

  • Email: [email protected]
  • Stripe Customer Portal: manage billing data and subscription
  • Link in email: Every newsletter contains a link to manage subscription and unsubscribe
  • We respond to requests without undue delay, no later than one month from receipt of the request

7. Cookies and Tracking Technologies

7.1 Cookie Consent

During your first visit to the website, you will be asked to consent to the use of analytical cookies. You can:
- Accept - all cookies (including Google Analytics)
- Reject - only necessary technical cookies

You can change your cookie settings at any time by clicking the "Manage cookies" link in the page footer.

7.2 Types of Cookies

Necessary cookies (consent not required):
- Session technical cookies ensuring website operation

Analytical cookies (consent required):
- Google Analytics (_ga, _gid, _gat_gtag*) - traffic analysis, retention period: 14 months

7.3 Google Analytics

We use Google Analytics to analyze how the website is used. Google Analytics collects information such as:
- Pages you visit
- Time spent on the website
- Traffic source (where you came from)
- Device and browser data
- Anonymized IP address

Data is stored by Google in the USA based on the EU-US Data Privacy Framework.

You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

7.4 Google reCAPTCHA

We use the invisible version of Google reCAPTCHA to protect forms against spam and automated attacks. reCAPTCHA analyzes user behavior on the website and may collect:
- IP address
- Browser information
- User behavior (mouse movements, clicks)

Data is transferred to Google LLC (USA) and is subject to Google's Privacy Policy.

8. Data Security

We apply appropriate technical and organizational measures to protect your personal data, including:
- HTTPS connection encryption (SSL/TLS)
- Encryption at rest for data stored in the Application
- Authentication via Stripe OAuth — we do not store user passwords
- Limited access to personal data only for authorized employees
- Data Processing Agreements with all subcontractors
- Regular reviews of security procedures

All newsletter data is stored by GetResponse S.A., which applies advanced security measures described in the GetResponse Security Policy.

9. Right to Complain

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates GDPR.

Personal Data Protection Office (UODO)
ul. Stawki 2
00-193 Warsaw, Poland
Phone: +48 22 531 03 00
Email: [email protected]
Website: https://uodo.gov.pl

10. Children's Data

Our website and services are not directed to persons under 16 years of age. We do not knowingly collect personal data from children. If you learn that your child has provided us with their data without your consent, contact us, and we will promptly delete that data.

11. Changes to Privacy Policy

We reserve the right to make changes to this Privacy Policy. We will inform you of any significant changes:
- By updating the "Last updated" date at the top of the document
- By publishing information on the homepage
- By a message in the Application or email (in case of changes requiring renewed consent)

We recommend regularly reviewing this page to familiarize yourself with current data processing rules.

12. Contact

If you have questions about this Privacy Policy or the processing of your personal data, contact us:

Bizautomat P.S.A.
Email: [email protected]
Address: os. Jana III Sobieskiego 40/2N, 60-668 Poznań, Poland


This Privacy Policy has been prepared in accordance with:
- Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
- Polish Act of May 10, 2018 on the protection of personal data
- Polish Act of July 18, 2002 on the provision of electronic services