Privacy Policy
Last updated: February 27, 2026
Introduction
This Privacy Policy (hereinafter referred to as the "Policy") aims to inform Users of the Kladivio internet platform (hereinafter referred to as the "Platform") about the principles and practices regarding the collection, processing, use, and protection of their personal data. The protection of your privacy is our highest priority. We are committed to transparently informing you about what data we collect, for what purpose, and what rights you have in this process.
The data controller of your personal data is Hoang Duc Vu, conducting business under the name PROTOSOFT Hoang Duc Vu, based in Poland, NIP: 5252341878, REGON: 382872920 (hereinafter referred to as the "Controller" or "Operator").
§ 1. Definitions
- Personal Data – any information relating to an identified or identifiable natural person.
- Processing – any operation performed on personal data (collection, recording, storage, use, disclosure, erasure).
- Controller – PROTOSOFT Hoang Duc Vu, determining the purposes and means of processing.
- User – a natural or legal person using the Platform.
- GDPR – Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data.
§ 2. Scope, Purposes, and Legal Bases for Data Processing
Types of Data Collected
- Identification and Contact Data: Email address (login, main communication channel), first and last name or company name, Allegro login identifier.
- Authentication Data: OAuth access tokens (encrypted with AES-256), stored for secure API communication.
- Commercial and Operational Data: Offer data, order data, message content (from Allegro integration) for AI Auto-Responder functionality.
- Technical and Analytical Data: IP address, activity logs, browser and device information.
- Billing Data: Payment history, invoice data (NIP, company name, address). We do not store full credit card data.
Purposes and Legal Bases
| Purpose | Legal Basis (GDPR) | Description |
|---|---|---|
| Platform Service Provision | Art. 6(1)(b) – Contract performance | Account creation, Allegro integration, AI Auto-Responder, subscription management |
| Payment and Accounting | Art. 6(1)(c) – Legal obligation | Invoicing, transaction records, tax compliance |
| Direct Marketing | Art. 6(1)(f) – Legitimate interest | Information about new features, promotions, offer changes |
| Analytics and Statistics | Art. 6(1)(f) or (a) – Legitimate interest or consent | Traffic analysis, feature popularity, interface optimization |
| Platform Security | Art. 6(1)(f) – Legitimate interest | Log monitoring, incident detection, attack prevention |
| Claims and Defense | Art. 6(1)(f) – Legitimate interest | Data retention for potential legal proceedings |
| Communication | Art. 6(1)(f) – Legitimate interest | Responding to inquiries, contact forms |
§ 3. Data Recipients and Transfer Outside the EEA
Third-Party Sharing
Your personal data may be shared with:
- Supabase – Database and authentication infrastructure. Data stored in EU (European Economic Area).
- AI Service Provider – AI model provider for Auto-Responder. Data may be transferred outside the EEA. We use Standard Contractual Clauses (SCC) and Data Processing Agreements (DPA) to ensure GDPR compliance.
- Allegro – Marketplace integration. Data shared for order, offer, and message synchronization. Based in Poland (EU).
- Payment Operators (e.g., Stripe, PayU) – Payment processing. PCI DSS certified.
- Public Authorities – When required by law (courts, tax authorities, police).
Transfer Outside EEA
When we transfer data outside the European Economic Area, we ensure appropriate safeguards:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with strict confidentiality and security obligations
- Verification of partner security standards
§ 4. Rights of Data Subjects
Under GDPR, you have the following rights:
- Right of Access (Art. 15) – Obtain confirmation as to whether your data is processed and access to your data.
- Right to Rectification (Art. 16) – Request correction of inaccurate or incomplete data.
- Right to Erasure (Art. 17) – Request deletion of your data in certain circumstances.
- Right to Restriction of Processing (Art. 18) – Request limitation of processing in certain cases.
- Right to Data Portability (Art. 20) – Receive your data in a structured, commonly used format.
- Right to Object (Art. 21) – Object to processing based on legitimate interest, including direct marketing.
- Right to Withdraw Consent – Where processing is based on consent, you may withdraw it at any time.
- Right to Lodge a Complaint – You may lodge a complaint with the supervisory authority (in Poland: President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw).
To exercise your rights, contact us at: dev@kladivio.pl. Please include "GDPR" or "Privacy" in the subject line.
§ 5. Data Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days for export |
| Billing and invoice data | As required by tax law (typically 5 years) |
| Activity logs | Up to 12 months for security purposes |
| Marketing consent | Until withdrawal of consent |
| Legal claims data | Until prescription of claims (typically 3-6 years) |
We apply the principle of storage limitation: we retain data only as long as necessary for the purposes for which it was collected or as required by law.
§ 6. Cookies and Tracking Technologies
We use cookies and similar technologies for:
- Essential Cookies – Necessary for Platform operation (session, authentication). Legal basis: Art. 6(1)(f) – legitimate interest.
- Analytics Cookies – Traffic analysis, feature usage. Legal basis: Art. 6(1)(a) – consent (via cookie banner).
- Marketing Cookies – If used in the future, based on consent.
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality.
§ 7. Data Security
We implement technical and organizational measures to protect your data:
- TLS 1.3 encryption for all data transmission
- AES-256 encryption for sensitive data at rest (e.g., OAuth tokens)
- EU-based infrastructure (Hetzner, Germany)
- Access control – principle of least privilege, role-based access
- Regular backups – encrypted, regular backup procedures
- Security audits – periodic penetration testing and vulnerability assessments
In case of a data breach that poses a risk to your rights, we will notify you and the supervisory authority without undue delay, as required by GDPR Art. 33-34.
§ 8. Changes to the Privacy Policy
We reserve the right to amend this Policy. Changes may result from technological development, legal changes, or evolution of our services. We will inform you of significant changes by publishing the updated Policy on our website and, where possible, by email. The new version takes effect from the date indicated in the document.
§ 9. Contact
For all matters regarding personal data processing and exercise of your rights, please contact us:
Email: dev@kladivio.pl
Please include "GDPR" or "Privacy" in the subject line for faster processing.
§ 10. Data Protection Officer (DPO)
For matters requiring contact with a Data Protection Officer, please use the above email address. We will direct your inquiry to the appropriate person.
§ 11. AI Data Processing Details
The AI Auto-Responder feature processes message content to generate reply suggestions. Data is transmitted to our AI service provider under Standard Contractual Clauses. We apply anonymization where possible. Message content is not used to train general AI models. For detailed information on AI processing, see our GDPR Information Clause.