1. Data Controller
The data controller is IVM FIRMA HANDLOWA SP. Z O.O., al. Tadeusza Kościuszki 101, 90-441 Łódź, Poland, NIP (Tax ID): 7272865829, KRS: 0001012820. Contact: kontakt@intrafakt.pl, tel. +48 888 976 159.
2. Data We Collect
As part of the intrafakt.pl service, we collect the following categories of data:
- Account registration data: email address, password (stored encrypted), company name, NIP (Tax ID), REGON, registered address.
- Contact form data: company name, NIP, email address, full name, message content.
- Invoice and trade document data: invoice contents, contractor details, CN codes, transaction values — imported from connected systems (BaseLinker, Comarch Optima, Subiekt GT, enova365) or uploaded manually (CSV/Excel).
- External system credentials: API tokens, logins and passwords for integrations (e.g. BaseLinker, PUESC) — stored encrypted (AES-256).
- Intrastat declaration data: generated declarations, reference numbers, PUESC submission statuses.
- Payment data: PayPal subscription identifier, payment history. We do not store full payment card details.
- Technical data: IP address, browser type, timestamps, panel activity logs.
3. Purpose and Legal Basis
- Art. 6(1)(b) GDPR — contract performance: providing the intrafakt.pl service, including generating and filing Intrastat declarations, managing user accounts, handling subscriptions and payments.
- Art. 6(1)(c) GDPR — legal obligation: maintaining accounting and tax documentation as required by Polish law.
- Art. 6(1)(f) GDPR — legitimate interest of the controller: analytics, service security, support requests, direct marketing of own services.
4. Data Recipients
Data may be shared with the following processors acting on behalf of the controller:
- Vercel Inc. (application hosting) — USA, Standard Contractual Clauses
- Supabase Inc. (database, authentication) — USA, Standard Contractual Clauses
- Resend Inc. (email delivery) — USA, Standard Contractual Clauses
- PayPal (Europe) S.à r.l. et Cie, S.C.A. (payment processing) — Luxembourg/EU
- Polish Customs Electronic Services Platform (PUESC) — Poland, to the extent necessary for filing Intrastat declarations on behalf of the user under a granted Power of Attorney
5. Data Retention
- Account data: for the duration of the agreement and 30 days after account deletion.
- Invoice and declaration data: 5 years from the end of the calendar year in which the declaration was filed (Polish Tax Ordinance requirement).
- Integration credentials: until the integration is removed by the user.
- Contact form data: until a deletion request is received or 3 years from last contact.
- Server logs: 14 days.
- PayPal payment data: in accordance with PayPal's retention policy and accounting requirements (5 years).
6. Data Subject Rights
You have the right to:
- access your data (Art. 15 GDPR),
- rectify your data (Art. 16 GDPR),
- erase your data (Art. 17 GDPR),
- restrict processing (Art. 18 GDPR),
- data portability (Art. 20 GDPR),
- object to processing (Art. 21 GDPR).
To exercise these rights, please contact: kontakt@intrafakt.pl.
7. Right to Complain
You have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.
8. Data Security
External system credentials (API tokens, integration passwords, PUESC access data) are encrypted at rest using AES-256. All communication with the application is conducted exclusively over encrypted HTTPS connections. Database access is restricted using Row Level Security.
9. Cookies
The website uses functional cookies necessary for the application to work (user session, language preferences) and Vercel Analytics (performance measurement, no user tracking). We do not use marketing cookies.
10. Changes to This Policy
The controller reserves the right to update this privacy policy. Registered users will be notified of significant changes by email. Changes take effect upon publication on the website.