Summary
PodatekGieldy.pl does not sell or share users' personal data with third parties.
Files imported into the Service are not shared or sold. They may only be used to analyse technical file structure (column names, date format, separator, sheet layout, operation types) to improve broker-format recognition. Data is never used to train ML models, sold, or used for marketing profiling.
For more information about the cookies we use, please see our Cookie Policy.
1. Data controller
The controller of your personal data is Yevhen Shcherbynskyi, a natural person conducting unregistered business activity, residing in Warsaw. Contact: kontakt@podatekgieldy.pl.
Personal data is processed for the following purposes:
- Providing tax calculator services (Art. 6(1)(b) GDPR)
- Payment processing and order fulfillment (Art. 6(1)(b) GDPR)
- Technical communication and support (Art. 6(1)(f) GDPR)
- Providing optional marketing communications when enabled by the user (Art. 6(1)(a) and (f) GDPR, together with applicable electronic communications rules)
- Operating the optional Referral Program, including participation activation and abuse prevention (Art. 6(1)(b) and (f) GDPR)
- Fulfilling legal obligations (Art. 6(1)(c) GDPR)
Data will not be shared with third parties, except for entities authorized under applicable law and entities providing technical services necessary for the operation of the Service (hosting, payments).
2. What data we collect
When using the Service, we process the following categories of data:
2.1. Identification data
- Email address — required for account creation and communication
- Username — optional, displayed in the interface
2.2. Google OAuth data (optional)
If you choose to log in via Google OAuth, we collect:
- Email address from your Google profile
- First and last name (if available in your profile)
- Profile picture (if available)
We do not have access to: your Gmail inbox, contacts, Google Drive files, or any other Google data beyond the basic profile information listed above.
2.3. Transaction data
Data from imported broker files containing:
- Buy and sell transactions of financial instruments
- Transaction dates, amounts, instrument symbols
- Dividends and other income
- Broker commissions and fees
2.4. Technical data
- IP address, browser information, access time
- System logs used for Service administration
2.5. Payment data
Payment transaction information processed by Stripe, Inc. (payment processor). The Service Provider does not store credit card data.
3. Transaction data processing
Starter mode — without registration
Starter mode does not provide account history or the cloud features of the Professional plan. Imported files and technical data may still be processed on the Service infrastructure to run imports, maintain security, provide support, and improve the product.
Professional plan — with account
In the Professional plan, uploaded files are processed on servers for the purpose of:
- Calculating PIT-38 and PIT-ZG tax
- Generating PDF reports
Files and data processed under the Professional plan may be stored on servers — we use encrypted infrastructure in the European Union (AWS Frankfurt). Account data and related history are stored until the account is deleted or for as long as needed to provide the service and meet legal obligations.
Imported files are not shared or sold to third parties. The Service may only analyse the technical file structure (column names, date format, separator, sheet layout, operation types) to improve broker-format recognition. The analysis does not include the use of user-identifying data, account numbers, balances or transaction history. Data is never used to train ML models, sold, or used for marketing profiling. The legal basis is art. 6(1)(f) GDPR — the Administrator's legitimate interest in maintaining and improving the tool's compatibility with broker formats. The user has the right to object to this processing — it is sufficient to email kontakt@podatekgieldy.pl. Upon receiving the objection, the Administrator ceases processing data for algorithm improvement.
4. Sharing data with third parties
Personal data may be shared with the following categories of recipients:
- Google LLC — providing authentication data for Google OAuth login
- Stripe, Inc. — processing online payments for the Professional plan
- Supabase (AWS Frankfurt) — hosting and database in the European Union, including OAuth authentication
- National Bank of Poland — retrieving exchange rates for conversions (public data, no personal data)
We do not sell, trade, or share personal data with third parties for marketing purposes.
5. Data security
We apply appropriate technical and organizational measures to ensure data protection:
- SSL/TLS encryption for all data transmissions
- Encryption at rest on servers
- Data stored exclusively on servers in the European Union (AWS Frankfurt)
- Regular backups
- Access control and multi-factor authentication
- Security event monitoring and logging
6. User rights
Under the GDPR, you have the following rights:
- Right of access — you may request information about the data being processed
- Right to rectification — you may request correction of inaccurate data
- Right to erasure — you may request deletion of data ("right to be forgotten")
- Right to restriction of processing — you may request restriction of data processing
- Right to data portability — you may receive your data in a structured format
- Right to object — you may object to data processing in certain cases
- Right to lodge a complaint — you may file a complaint with the supervisory authority (UODO)
To exercise the above rights, contact us at kontakt@podatekgieldy.pl or use the "Delete account" option in your account settings.
7. Data retention period
Personal data is retained for the period necessary to fulfill the purposes for which it was collected:
- Account data — until the account is deleted by the user
- Transaction data — until the account is deleted by the user (if the user consented to storage)
- Payment data — in accordance with legal requirements (typically 5 years from the end of the contract)
- System logs — up to 12 months
In some cases, we may be required to retain certain data under applicable law (e.g., for tax or accounting purposes). In such cases, we will inform you of the reasons.
8. Cookies and similar technologies
For detailed information about the cookies and similar technologies we use, including the referral_code cookie, the visit-session identifier (sessionStorage), and browser-stored consent preferences, please see our Cookie Policy.
Visit analytics under legitimate interest (GDPR Art. 6(1)(f) + art. 397 of the Polish Electronic Communications Act)
Regardless of your consent, we collect a minimal set of technical data about visits (URL, country derived from IP, device type, browser, traffic source, UTM parameters, and a hashed visitor identifier that rotates daily in Warsaw time). Legal basis: GDPR Art. 6(1)(f) and art. 397 of the Act of 12 July 2024, the Polish Electronic Communications Act (Controller's legitimate interest: security, fraud detection, service improvement). The IP address is not stored in raw form; it is hashed with HMAC-SHA256 using a daily-rotated salt. The visitor identifier is pseudonymized personal data within the meaning of recital 30 GDPR. Retention: 5 years (aligned with the limitation period for tax claims under art. 70 § 1 of the Polish Tax Ordinance, supporting multi-year fraud-detection windows in the referral program and commission flows).
Under GDPR Art. 21 you have the right to object to processing based on legitimate interest. You can raise the objection with the toggle in the cookie banner settings (under "Necessary" → "Visit analytics (I can stop it)"). Processing of historical hashes after a successful objection is technically impossible due to the daily salt rotation; subsequent visits will not be recorded.
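The daily-rotated HMAC-SHA256 pseudonymisation described above can be sketched as follows. This is an added example, not the Service's own code: the `DailySaltStore` class, the random 32-byte salt held only in memory, and hashing the IP address alone are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

WARSAW = ZoneInfo("Europe/Warsaw")  # the day boundary follows Warsaw local time


class DailySaltStore:
    """Keeps only the current day's salt (assumed design, not the Service's)."""

    def __init__(self):
        self.day = None
        self._salt = None

    def salt_for(self, now_utc):
        day = now_utc.astimezone(WARSAW).date()
        if day != self.day:
            # New Warsaw day: overwrite the previous salt. Identifiers issued
            # under it can no longer be recomputed from an IP address.
            self.day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_id(store, ip, now_utc):
    """HMAC-SHA256 of the canonical IP text, keyed with the day's salt."""
    # Canonicalise so equivalent spellings of one IPv6 address hash alike.
    canonical = ipaddress.ip_address(ip).compressed.encode("ascii")
    return hmac.new(store.salt_for(now_utc), canonical, hashlib.sha256).hexdigest()


def demo():
    store = DailySaltStore()
    utc = timezone.utc
    # Constructed timestamps: 22:30 and 23:30 UTC on 15 Jan 2025 are 23:30 on
    # 15 Jan and 00:30 on 16 Jan in Warsaw (CET, UTC+1).
    before = datetime(2025, 1, 15, 22, 30, tzinfo=utc)
    after = datetime(2025, 1, 15, 23, 30, tzinfo=utc)
    ip = "203.0.113.7"  # constructed sample, documentation range (RFC 5737)
    first = visitor_id(store, ip, before)
    same_day = visitor_id(store, ip, before.replace(minute=45))
    next_day = visitor_id(store, ip, after)
    # Asking for the earlier day again draws a fresh salt: the old id is gone.
    replay = visitor_id(store, ip, before)
    return first, same_day, next_day, replay


if __name__ == "__main__":
    print(demo())
```

Within one Warsaw day the same address maps to the same identifier; once the salt is overwritten, an identifier already stored cannot be linked back to an address or to a later visit.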
9. Changes to the privacy policy
We reserve the right to make changes to this Privacy Policy. We will inform you of significant changes through the Service or by email. We recommend regularly reviewing the content of this Policy.
10. Contact
For matters related to personal data protection or exercising user rights, please contact us:
Email: kontakt@podatekgieldy.pl