Insighteo App

Legal document

Privacy Policy

English working translation. The Polish version is the primary version for the service provided in Poland.

§1. Controller

  1. The controller of personal data is Insighteo Tomasz Łabędzki, tax ID: 8951863348.
  2. The controller can be contacted by e-mail at [email protected].
  3. If the controller appoints a data protection officer, the officer's contact details should be added to this policy.
  4. This policy describes data processing connected with using Insighteo App, in particular accounts, CSV imports, product ranking, mapping templates, Stripe payments and Google login.

§2. Data categories and purposes

  1. Account data: e-mail, hashed password, Google identifier if Google login is used, account status, account creation date and last login date.
  2. Profile and billing data: name or company name, address, postal code, city, country, tax number and invoice type. These data are collected and stored in the application for billing and invoicing purposes.
  3. Import data: uploaded CSV files, mapped CSV files, result CSV files, import status, product row count, token cost, error messages, timestamps and mapping templates.
  4. Payment, subscription and token data: token balance, token ledger entries, import charges, refunds, administrative adjustments, Stripe customer and subscription identifiers, payment status and subscription status where payment integration is used.
  5. Data is processed to provide the application, maintain accounts, process CSV files, generate rankings, provide support, handle payments, comply with accounting/tax duties and protect security.

§3. Purposes and legal bases of processing

  1. Creating and maintaining the account, login, session maintenance and providing the user panel - Article 6(1)(b) GDPR.
  2. CSV import, column mapping, saving templates, file processing, ranking generation and result download - Article 6(1)(b) GDPR.
  3. Handling payments, Premium subscriptions, tokens/import credits, token balance, token ledger, invoices and settlements - Article 6(1)(b) and (c) GDPR.
  4. Complying with accounting, tax and legal obligations - Article 6(1)(c) GDPR.
  5. Application security, error diagnostics, abuse prevention, pursuing or defending claims - Article 6(1)(f) GDPR.
  6. Communication with the user, handling reports and complaints - Article 6(1)(b) or (f) GDPR.
  7. Technical analytics and service development, where consent is not required - Article 6(1)(f) GDPR.
  8. Analytics or marketing cookies, if introduced and requiring consent - Article 6(1)(a) GDPR.

§4. CSV files and data uploaded by the user

  1. The application is intended for e-commerce product data, such as product_id, product_name, category, sold, views, sales_value and cogs.
  2. The application does not require the intentional upload of personal data in CSV files.
  3. If the user includes personal data in a CSV file, the user is responsible for the legality, scope and legal basis for processing and transferring that data to the application.
  4. The controller processes CSV files to perform the service selected by the user: column mapping, ranking calculation, import history storage and result delivery.
  5. The user may delete an import from history. Deleting an import should remove related files, subject to backups, technical logs and legal obligations.

§5. Google login

  1. If the user uses Google OAuth, the application may process the e-mail address from the Google account, Google account identifier and e-mail verification information.
  2. Google acts as an independent login-service provider and may process data according to its own privacy rules.

§6. Stripe and payments

  1. The application uses Stripe to handle payments, payment methods, Premium subscriptions, the customer portal and payment webhooks.
  2. Stripe may process payment data as an independent controller or processor, depending on the service scope and configuration.
  3. The application does not store full payment card details. Card data is handled by Stripe.
  4. The controller stores invoice data in the application and may use it to issue an invoice outside Stripe or in a separate accounting/invoicing process.
  5. The controller may store Stripe identifiers, payment status, subscription status, token balance, token operation history and information needed for settlements.

§7. Data recipients and providers

  1. Data may be processed by DigitalOcean as a hosting, App Platform, PostgreSQL database and S3-compatible file-storage provider, for example DigitalOcean Spaces.
  2. Data may be processed by Google for OAuth login and by Stripe for payments.
  3. Data may be processed by providers of domain/DNS, e-mail, accounting, invoicing, backups, monitoring, technical analytics and security tools if used.
  4. Data may be disclosed to public authorities if required by law.

§8. Transfers outside the EEA

  1. Some providers, in particular Google, Stripe or infrastructure providers, may process data outside the European Economic Area.
  2. If a transfer outside the EEA occurs, it should take place using appropriate legal mechanisms, for example an adequacy decision or standard contractual clauses.
  3. The exact list of transfers and providers requires confirmation before launching production payments and the full toolset.

§9. Data retention period

  1. Account data is stored while the account exists and later as long as required by law or claims limitation periods.
  2. Import and result files are stored for the configured retention period. The default planned period is 7 days unless changed.
  3. Mapping templates are stored until deleted by the user or until account deletion, subject to legal obligations and technical backups.
  4. Settlement data, invoice data and token operation history are stored for the period required by accounting/tax law or needed for complaints, settlements and protection against claims.
  5. Technical and security logs are stored for the period needed to ensure security, diagnostics and protection against claims.

§10. Data subject rights

  1. The user has the right to access data, receive a copy of data, rectify data, erase data, restrict processing, data portability and object to processing.
  2. If data is processed based on consent, the user may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  3. The user has the right to lodge a complaint with the President of the Personal Data Protection Office in Poland.
  4. To exercise rights, the user may contact the controller at [email protected].

§11. Voluntary provision of data and consequences of not providing it

  1. Providing account data is voluntary but necessary to use features requiring login.
  2. Providing invoice data may be necessary to use paid features, receive an invoice or comply with tax obligations.
  3. Uploading a CSV file is voluntary but necessary to generate a product ranking.

§12. Automated decisions and profiling

  1. The application automatically calculates product rankings based on data uploaded by the user.
  2. The ranking is analytical and supportive. The application does not make decisions about the user based solely on automated processing that would produce legal or similarly significant effects within the meaning of GDPR.

§13. Security

  1. Passwords are stored in hashed form.
  2. Sessions are handled by HTTP-only cookies, and the production application should operate over HTTPS.
  3. User data and imports are separated by user accounts.
  4. Administrative access is limited to authorised persons.
  5. Files and the database are stored with external infrastructure providers using security measures appropriate for this type of service.