Privacy Policy

Version 1.2 · Last updated:

This is an informational English translation. The legally binding version is the Polish original at autolert.pl/polityka-prywatnosci. In case of any discrepancy, the Polish version prevails.

1. Data Controller

DEVSITY Bartłomiej Hudecki, a sole proprietorship (CEIDG), Mordarka 509, 34-600 Limanowa, Poland. NIP 7372210677, REGON 367488827. Data contact: kontakt@autolert.pl. No DPO appointed (not required under Art. 37 GDPR).

2. Data we process

Account data (e-mail, display name, ID; Google ID if you sign in with Google - authentication via Clerk, passwords not stored in plain text); transaction data (Przelewy24 ID, amount, status, invoice data incl. buyer NIP - card details never reach our servers, handled by PayPro SA); usage data (AI Reports, credits, stored consents); technical logs (request ID, user UUID, endpoint, status - no bodies, no e-mails); listing data fetched on demand for an AI Report.

3. Third-party (seller) data from listings

Analysing listings may involve sellers' personal data (name, phone, location, sometimes VIN) obtained not directly from them but from public listings. Legal basis: legitimate interest (Art. 6(1)(f)) in performing the User-requested analysis; we run a balancing test. Where directly informing each person is impossible or a disproportionate effort, we rely on the Art. 14(5) exemption and this section serves as the processing notice. We minimise data, delete VIN and phone numbers after 30 days, and do not profile sellers.

4. Purposes and legal bases

Service performance (Art. 6(1)(b)); payments & invoices (b + c); transactional notifications - report ready, receipts - (b, not marketing); seller data analysis (f); security/logs (f); product analytics via PostHog, consent-gated (Art. 6(1)(a) - consent); marketing e-mail/newsletter (a - consent + UŚUDE); anonymised reports after deletion (f); defence of claims (f).

5. Retention

Account: until deletion + 12 months. Transactions & invoices: 5 years (accounting/tax law - overrides erasure per Art. 17(3)(b)). AI Reports: until deletion, then anonymised. VIN & phone from listings: 30 days. Consent logs: min. 3 years. Technical logs 30 days; Sentry 90 days; Resend e-mail logs 30 days.

6. Processors

Vercel (hosting + Blob), Railway (Postgres/Redis), Cloudflare (CDN/DNS/WAF), Clerk (auth), Google (Google sign-in), PayPro SA / Przelewy24 (payments), OpenAI (AI Reports - no training on API data), Jina AI (listing fetch, DE), Resend (e-mail), Sentry (errors), PostHog Inc. (analytics, EU Cloud Frankfurt - consent-gated), Allegro (offer API, PL). We do not sell user data.

7. Transfers outside the EEA

Transfers rely on Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework (Vercel, Cloudflare, Clerk, Google, OpenAI, Resend, Railway if US, PostHog Inc.). PostHog uses EU Cloud (Frankfurt) - data processed in the EEA. EEA processors (Jina - DE, PayPro & Allegro - PL) need no extra transfer basis.

8. Your rights

Access (15), rectification (16), erasure (17, with legal exceptions), restriction (18), portability (20, JSON/ZIP), objection (21), withdrawal of consent (7(3)), and complaint to PUODO (uodo.gov.pl). Contact: kontakt@autolert.pl; we respond within 30 days.

9. Profiling and automated decisions

The AI Report is automated analysis but not automated decision-making under Art. 22 GDPR - it has no legal or similarly significant effect; the purchase decision is solely the User's. Human explanation available on request. No marketing profiling without consent.

10. Security and breaches

TLS/HTTPS in transit, encryption at rest, access control, data minimisation, secure session cookies, anomaly monitoring (Sentry, PII-scrubbed). Breaches reportable to PUODO within 72 hours (Art. 33) and to data subjects where high risk (Art. 34).

11–14

Cookies: see the Cookie Policy. The Service is for users aged 18+ (consents require min. 16). We notify of material changes 14 days in advance. Contact: kontakt@autolert.pl, DEVSITY Bartłomiej Hudecki, Mordarka 509, 34-600 Limanowa.