Privacy Policy
Last updated: April 1, 2026
§1. Data Controller
- The controller of personal data is UXELLENCE Łukasz S., NIP: 7511671443 (hereinafter: "the Controller").
- Contact with the Controller: email aivs@cc3.pl.
- The Controller has not appointed a Data Protection Officer. All matters concerning personal data processing should be directed to the Controller.
§2. Scope of Collected Data
The Controller collects only data necessary for service provision:
AIVS™ Scoring (free):
- Website address (domain)
- Email address
AIVS™ Report (paid):
- Website address (domain)
- Full name
- Email address
- Phone number
- Tax ID (NIP)
- Company name
- Position (optional)
- Competitor domains (optional, up to 3)
Invoice data (PDF report purchase):
- Company name
- Tax ID (NIP / VAT ID)
- Billing address
§3. Purposes and Legal Bases for Processing
Personal data is processed for the following purposes:
- Service provision (Art. 6(1)(b) GDPR) – performance of the agreement for AIVS™ Scoring or AIVS™ Report services, including report preparation and delivery, payment processing, invoice issuance.
- Legal obligations (Art. 6(1)(c) GDPR) – maintaining accounting and tax documentation, including storing invoices for the period required by law.
- Legitimate interest of the Controller (Art. 6(1)(f) GDPR) – pursuing or defending against claims, communicating with the Client regarding service delivery, ensuring Website security.
§4. Data Recipients
Personal data may be transferred to the following categories of recipients:
- Stripe, Inc. (USA) – electronic payment processing. Stripe processes payment data (card number, transaction data) as an independent controller. Data transferred based on Standard Contractual Clauses (SCC) and certification under the EU-U.S. Data Privacy Framework.
- Supabase, Inc. (USA) – hosting of database and storage data. Data transferred based on Standard Contractual Clauses (SCC).
- Resend, Inc. (USA) – email delivery (confirmations, access links). Data transferred based on Standard Contractual Clauses (SCC).
- Vercel, Inc. (USA) – Website hosting. Data transferred based on Standard Contractual Clauses (SCC).
The Controller does not sell personal data or share it with third parties for marketing purposes.
§5. Data Transfers to Third Countries
- Due to the use of services provided by entities listed in §4, personal data may be transferred to the United States of America.
- Data transfers are based on Standard Contractual Clauses adopted by the European Commission (Art. 46(2)(c) GDPR) or an adequacy decision (EU-U.S. Data Privacy Framework).
§6. Data Retention Period
- Data related to service provision – for the duration of the agreement and 3 years after its termination (claims limitation period).
- Invoice data – 5 years from the end of the tax year in which the tax obligation arose (obligation under tax regulations).
- Free Scoring data – up to 12 months from scoring generation, unless the Client requests earlier deletion.
- Access tokens – 30 days from generation, after which they are automatically invalidated.
§7. Data Subject Rights
You have the following rights:
- Right of access – to obtain information about processed data and copies thereof.
- Right to rectification – to request correction of inaccurate or completion of incomplete data.
- Right to erasure ("right to be forgotten") – to request deletion of data when they are no longer necessary for processing purposes, subject to the Controller's legal obligations.
- Right to restriction of processing – to request restriction of processing in cases specified in Art. 18 GDPR.
- Right to data portability – to receive data in a structured format and to have them transmitted to another controller.
- Right to object – to object to processing based on the Controller's legitimate interest.
- Right to lodge a complaint – to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl).
To exercise the above rights, please contact the Controller: aivs@cc3.pl.
The Controller will process the request within 30 days of receipt.
§8. Cookies
- The Website uses only technical cookies (strictly necessary) that are essential for proper Website operation.
- Cookies used:
  - panel_session – a session cookie for client panel access authorization after token login. Validity: until browser session closes. Set only after active panel login.
- The Website does not use analytics, marketing, advertising, or tracking cookies.
- The Website does not use tools such as Google Analytics, Facebook Pixel, Hotjar, or any other user profiling tools.
- Technical cookies are exempt from consent requirements pursuant to Art. 5(3) of Directive 2002/58/EC (ePrivacy). For this reason, the Website does not display a cookie banner.
§9. Data Security
- The Controller implements appropriate technical and organizational measures to ensure the protection of processed personal data.
- Communication with the Website is conducted exclusively via HTTPS protocol (TLS encryption).
- Payment data (card numbers, transaction data) is not stored by the Controller – it is processed directly by Stripe, which holds PCI DSS Level 1 certification.
- Report access is secured with an individual cryptographic token (48 bytes) with a limited validity period.
- Database access is protected by API keys with restricted permissions (Row Level Security).
§10. Voluntariness of Data Provision
- Providing personal data is voluntary but necessary to use the Website's services.
- Refusal to provide data required for service provision makes it impossible to perform the service.
- Providing data marked as optional is not necessary for service provision.
§11. Changes to the Privacy Policy
- The Controller reserves the right to amend this Privacy Policy.
- Changes take effect on the date of publication of the updated version on the Website.
- The date of the last update is visible at the top of this document.