Privacy Policy
This Privacy Policy fulfils the information obligation arising from Art. 13 and Art. 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR"). It concerns the processing of personal data in connection with the use of the online service biurko.io ("Biurko", "the Service").
The Policy also takes into account:
- the Act on the provision of electronic services,
- the Act of 5 August 2025 amending the Value Added Tax Act and the Act amending the Value Added Tax Act and certain other acts (Journal of Laws of 2025, item 1203), with respect to the transmission of Invoice data to KSeF,
- Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act), with respect to potential AI-based features, including the transparency obligations under Art. 50 applicable from 2 August 2026,
- Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2), transposed by the Polish Act on the National Cybersecurity System (KSC 2.0), in force since 3 April 2026, with respect to information security,
- the UODO guidelines of December 2024 and EDPB Opinion 28/2024 of 17 December 2024 on the processing of personal data in the context of AI models.
Table of Contents
- 1. Data controller
- 2. Categories of processed data
- 3. Purposes and legal bases of processing
- 4. Retention periods
- 5. Data recipients
- 6. Transfer of data to third countries
- 7. Rights of the data subject
- 8. Voluntary nature / data provision requirement
- 9. Automated decision-making and profiling
- 10. Data of the Service Recipient's Counterparties (entrustment of processing)
- 11. KSeF — detailed information
- 12. Artificial intelligence (AI) features
- 13. Data security and NIS2 / KSC
- 14. Cookies
- 15. Changes to the Privacy Policy
1. Data controller
The controller of personal data is:
ITCompass - ARTEM SHEVCHENKO, conducting business activity as a sole proprietorship (działalność jednoosobowa)
Zawiszy Czarnego 6, 40-872 Katowice, Poland
NIP: 6343060594 · REGON: 542705577
e-mail: contact@itcompass.io · tel.: +48 732 959 892
Hereinafter: "the Controller" or "we".
In matters relating to personal data protection, the Controller may be contacted at contact@itcompass.io.
The Controller has not appointed a Data Protection Officer (DPO), as the conditions of Art. 37(1) GDPR are not met (the core activity does not consist in regular and systematic monitoring of data subjects on a large scale, nor in processing special categories of data). Contact for GDPR matters: contact@itcompass.io.
2. Categories of processed data
2.1 Service Recipient data (persons creating an Account)
First name and surname, e-mail address, telephone number (optional), password (stored as a bcrypt hash), interface language, time zone, IP address, session identifier, device/browser data, settings preferences, 2FA verification status.
2.2 Data of the Service Recipient's Companies
Business / trading name, NIP, REGON, KRS (optional), registered office address, bank account numbers, contact data, certificates and private keys used for authentication in KSeF (stored in encrypted form — AES-256, in a separate vault).
2.3 Counterparty (buyer) data
Data entered by the Service Recipient into the Service for the purpose of issuing Invoices: name or first name and surname, NIP/PESEL, address, e-mail, telephone, bank account number, data required on the Invoice. In this respect, the Controller acts as a processor on behalf of the Service Recipient (Art. 28 GDPR).
2.4 Invoice and document data
Invoice numbers, dates, items, VAT rates, amounts, currencies, descriptions, attachments (including attachments submitted to KSeF), KSeF submission status (online / offline24 / emergency mode), UPO confirmations, offline QR codes.
2.5 Subscription payment data
Selected Plan (FREE / SOLO / TEAM / SCALE), billing cycle, payment status, payment operator (Stripe) tokens, data for issuing the VAT invoice for the Subscription. The Controller does not store full payment card data — these are processed exclusively by Stripe Payments Europe, Limited in accordance with the PCI DSS standard.
2.6 Technical and security data
Activity logs (audit log), KSeF authentication logs (including IP addresses, user-agent, content of requests and responses to the extent necessary for diagnostics), session identifiers, Web Push subscriptions (browser endpoint, public keys p256dh and auth — optionally, with a separate consent expressed in the browser).
2.7 Marketing data
E-mail address, consent to marketing communication (confirmed via double opt-in), date and IP of consent, the version of the Privacy Policy in force at the time of consent, sending history.
2.8 DSA notification data
In the case of a notification addressed to the DSA Point of Contact, the Controller processes: the notifier's contact data, the content of the notification, and correspondence concerning the handling of the notification. Legal basis: Art. 6(1)(c) GDPR in conjunction with Art. 11–17 DSA.
3. Purposes and legal bases of processing
| Purpose | Legal basis (GDPR) | Examples of data |
|---|---|---|
| Provision of the Services pursuant to the Terms (keeping the Account, handling Invoices) | Art. 6(1)(b) — performance of a contract | Service Recipient, Company, Invoice data |
| Issuance and transmission of structured invoices to KSeF | Art. 6(1)(c) — legal obligation (the Act of 11 March 2004 on Value Added Tax (Journal of Laws of 2025, item 775, as amended) and the Act of 5 August 2025 amending the Value Added Tax Act and the Act amending the Value Added Tax Act and certain other acts (Journal of Laws of 2025, item 1203)) | Invoice data, NIP, Counterparty data |
| Settlements and issuance of VAT invoices for the Subscription | Art. 6(1)(c) — legal obligation (Tax Ordinance, VAT Act) | settlement data, Company data |
| Payment processing | Art. 6(1)(b) — performance of a contract | payment data, Stripe tokens |
| Service communication (notifications, responses to enquiries) | Art. 6(1)(b) — performance of a contract / Art. 6(1)(f) — legitimate interest | e-mail, message content |
| Own marketing (blog/changelog newsletter) | Art. 6(1)(a) — consent (double opt-in) | e-mail, preferences |
| Security, prevention of abuse, audit logs | Art. 6(1)(f) — legitimate interest | IP address, user-agent, logs |
| Handling of DSA notifications | Art. 6(1)(c) — legal obligation (Art. 11–17 DSA) | notifier's contact data, content of notification |
| Asserting and defending claims | Art. 6(1)(f) — legitimate interest | transaction data, correspondence |
| Maintaining technical Service statistics (without profiling) | Art. 6(1)(f) — legitimate interest | technical data |
4. Retention periods
| Data category | Period |
|---|---|
| Account data | for the term of the Agreement + 30 days grace after Account deletion |
| Invoices issued by the Service Recipient | 5 years (60 months) from Account deactivation; this corresponds to the minimum required by Art. 70 § 1 of the Tax Ordinance, Art. 112 of the VAT Act and Art. 74(2)(8) of the Accounting Act (counted from the end of the financial year). A copy in KSeF remains available for 10 years on the side of the Minister of Finance of the Republic of Poland (Ministry of Finance, ul. Świętokrzyska 12, 00-916 Warszawa), operationally the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej) |
| VAT invoices for the Subscription | in accordance with Art. 70 of the Tax Ordinance — 5 years + current year |
| Security and authentication logs | 12 months |
| User sessions | up to 120 minutes of inactivity, maximum until the end of the session |
| Marketing consents and newsletter data | until consent is withdrawn or the subscription is cancelled |
| DSA notifications and moderation correspondence | 6 years from closure of the notification |
| Data necessary for asserting claims | until expiry of the limitation period (usually 3–6 years) |
Upon the lapse of the indicated periods, the data is permanently deleted or irreversibly anonymised (e.g. zeroing of personal fields in the Invoice archive). The Service Recipient is entitled at any time to download a full copy of the Invoices in a structured format via the data export feature.
5. Data recipients
5.1 Processors acting on behalf of the Controller
The Controller uses the following, individually named processors:
- Stripe Payments Europe, Limited (CRO number 513174) — 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, D02 H210, Ireland (EU). Purpose: processing of subscription payments. Privacy policy: https://stripe.com/privacy · DPA: https://stripe.com/legal/dpa. Data may additionally be processed in the global systems of Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA) on the basis of the EU-US Data Privacy Framework (Commission Decision C(2023)4745 of 10 July 2023) and SCC 2021/914.
- Mailgun Technologies, Inc. (part of the Sinch AB group) — 112 E Pecan St #1135, San Antonio, TX 78205, USA. Purpose: delivery of e-mail messages (transactional and marketing). Operational processing of messages and metadata of the Service Recipient takes place in Mailgun's European region ("EU region" — AWS eu-central-1, Frankfurt, Germany). The management layer (support, system logs, administration panel) may be processed in the USA. Privacy policy: https://www.mailgun.com/legal/privacy-policy/ · DPA: https://www.mailgun.com/legal/dpa/.
- HOSTINGER operations, UAB (Lithuanian registration number 306308157) — Švitrigailos g. 34, LT-03230 Vilnius, Lithuania (EU). Purpose: hosting of application servers, PostgreSQL databases, and backups. Data centres in the EU: Lithuania, Germany, the Netherlands. Privacy policy: https://www.hostinger.com/legal/privacy-policy · DPA: https://www.hostinger.com/legal/dpa.
All sub-processors are obliged to comply with Art. 28 GDPR and to apply security measures adequate to the nature of the processing. The current list is also published in Annex 3 to the Terms.
5.2 Recipient enabled by the Service Recipient — the AI client (MCP integration)
The Service makes available an optional integration interface, activated solely at the Service Recipient's initiative, based on the Model Context Protocol (MCP), allowing the Service Recipient to connect a third-party AI client/assistant of their choosing (e.g. Claude, Cursor, ChatGPT) to the Service. Only if the Service Recipient activates such a connection is the data they request via the AI client transmitted to the provider of that AI client, chosen by the Service Recipient. The AI provider then acts as a separate recipient of data on the Service Recipient's side: it is not a sub-processor of the Controller, and the Controller is not a processor for the AI provider. The details, the scope of data transmitted, the control mechanisms (permissions, audit log, instant disconnection) and the list of supported clients, together with links to their privacy policies, are set out in section 12.
5.3 Separate controllers
- Minister of Finance of the Republic of Poland (Ministry of Finance, ul. Świętokrzyska 12, 00-916 Warszawa), operationally the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej), operator of Krajowy System e-Faktur (KSeF). Site: https://ksef.podatki.gov.pl/. Production environment: https://ap.ksef.mf.gov.pl/. DPO: IOD@mf.gov.pl. Helpline: 22 330 03 30 / 801 055 055. Processing on the basis of Art. 6(1)(c) GDPR and the provisions of the Act of 11 March 2004 on Value Added Tax (Journal of Laws of 2025, item 775, as amended) and the Act of 5 August 2025 amending the Value Added Tax Act and the Act amending the Value Added Tax Act and certain other acts (Journal of Laws of 2025, item 1203). The Minister of Finance is a separate controller of the data contained in KSeF; the data is transmitted in order to fulfil the obligation to issue and receive structured invoices.
- Central Statistical Office (GUS) — al. Niepodległości 208, 00-925 Warszawa. In the case of verification of business entity data by NIP or REGON (public REGON register, Art. 6(1)(f) GDPR in conjunction with the Act on public statistics).
5.4 Other entities
- Public authorities, courts, prosecutor's office — if the transmission of data results from a legal obligation;
- Digital Services Coordinator — President of the Office of Electronic Communications (UKE), ul. Giełdowa 7/9, 01-211 Warsaw — in the context of fulfilling obligations under the DSA;
- CSIRT NASK (Computer Security Incident Response Team — NASK PIB), ul. Kolska 12, 01-045 Warsaw — in the event of incident reporting obligations under the KSC Act (in the event of the Controller being classified as an essential or important entity).
6. Transfer of data to third countries
As a rule, the data is processed within the European Union.
Partial transfer of data to a third country takes place in the following cases:
- Stripe, Inc. (USA, San Francisco) — global payment systems supporting Stripe Payments Europe, Limited;
- Mailgun Technologies, Inc. (USA, San Antonio) — party to the contract and administrator of the infrastructure supporting Mailgun's European region; operational processing of messages remains in the EU, however the management layer (support, system logs, administration panel) may be processed in the USA.
These transfers take place solely on the basis of the safeguards required by Art. 46 GDPR:
- the EU-US Data Privacy Framework (Commission Decision C(2023)4745 of 10 July 2023) — for Stripe, Inc. and Mailgun Technologies, Inc. as entities certified under the DPF,
- Standard Contractual Clauses (SCC 2021/914) — module 2 (controller → processor outside the EEA) as additional contractual safeguard.
Before commencing the transfer, the Controller carries out a Transfer Impact Assessment in accordance with EDPB guidelines (recommendations 01/2020).
A separate direction of a possible transfer, enabled solely by the Service Recipient, is the transmission of data to the provider of the AI client connected by the Service Recipient via the MCP integration (section 12). The direction and legal basis of that transfer depend on the AI client provider chosen by the Service Recipient; some providers process data outside the EEA (USA) on the basis of the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC 2021/914). The Controller is not a party to these transfers and is not a processor for the AI provider.
7. Rights of the data subject
Under GDPR you have the following rights:
- access to data (Art. 15 GDPR),
- rectification of inaccurate or incomplete data (Art. 16),
- erasure of data ("right to be forgotten" — Art. 17),
- restriction of processing (Art. 18),
- portability of data (Art. 20) — data provided by you, processed on the basis of consent or contract, will be provided to you in a structured, commonly used and machine-readable format (JSON, CSV and — for Invoices — XML compliant with the FA(3) schema of the Minister of Finance),
- objection to processing based on legitimate interest (Art. 21),
- withdrawal of consent at any time — without affecting the lawfulness of processing before withdrawal (Art. 7(3)) — applies to data processed on the basis of consent (e.g. marketing, Web Push).
To exercise your rights, please contact: contact@itcompass.io. We respond without undue delay, no later than within one month (Art. 12(3) GDPR).
Right to lodge a complaint
You have the right to lodge a complaint with the supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (PUODO)
ul. Stawki 2, 00-193 Warszawa
https://uodo.gov.pl
8. Voluntary nature / data provision requirement
The provision of personal data is voluntary; however, it is necessary in order to:
- conclude and perform the Agreement (e.g. e-mail address, Company data),
- issue Invoices compliant with the regulations (e.g. NIP, address),
- integrate with KSeF (certificates, NIP).
Failure to provide such data prevents the use of the relevant Service features.
9. Automated decision-making and profiling
As at the effective date of the Policy, the Controller does not apply automated decision-making producing legal effects concerning you or significantly affecting your situation within the meaning of Art. 22 GDPR. We also do not apply profiling for marketing purposes.
The AI-client integration made available by the Controller (section 12) serves to carry out operations instructed by the Service Recipient via the AI assistant of their choice and does not constitute automated decision-making by the Controller within the meaning of Art. 22 GDPR. In the event of future deployment of the Controller's own AI-based or algorithmic decision-making features, the Controller will update the Policy and — if required — obtain the explicit consent of the data subject, in accordance with Art. 22(2)(c) GDPR.
10. Data of the Service Recipient's Counterparties (entrustment of processing)
With respect to the personal data of Counterparties entered into the Service by the Service Recipient:
- the controller of such data remains the Service Recipient,
- the Controller (ITCompass - ARTEM SHEVCHENKO) acts as a processor under the entrustment agreement entered into by acceptance of the Terms (Annex 2 to the Terms),
- the information obligation towards Counterparties (in particular informing them of the transmission of data to KSeF) rests on the Service Recipient.
11. KSeF — detailed information
The data contained in Invoices issued via the Service is transmitted to Krajowy System e-Faktur (KSeF), operated by the Minister of Finance of the Republic of Poland (Ministry of Finance, ul. Świętokrzyska 12, 00-916 Warszawa), operationally the Head of the National Revenue Administration (Szef Krajowej Administracji Skarbowej). Official site of the system: https://ksef.podatki.gov.pl/. The legal basis for transmission is the obligation arising from the Act of 11 March 2004 on Value Added Tax (Journal of Laws of 2025, item 775, as amended) and the Act of 5 August 2025 amending the Value Added Tax Act and the Act amending the Value Added Tax Act and certain other acts (Journal of Laws of 2025, item 1203).
Timetable for the entry into force of mandatory KSeF:
- from 1 February 2026: taxpayers whose sales in 2024 exceeded PLN 200 million,
- from 1 April 2026: the remaining active VAT taxpayers,
- from 1 January 2027: full removal of the exemptions (invoices below PLN 10,000, cash-register invoices); on the same date the financial penalties under Art. 106ni of the VAT Act, deferred until then, enter into force.
Characteristics of the transmission of data:
- The Minister of Finance of the Republic of Poland (Ministry of Finance, ul. Świętokrzyska 12, 00-916 Warszawa), operationally the Head of the National Revenue Administration, stores structured invoices for 10 years.
- The Minister of Finance is a separate controller of the data contained in KSeF; DPO: IOD@mf.gov.pl.
- The Service Recipient retains the status of controller of the Counterparties' data entered into the system.
- In offline24 mode the Invoice is transmitted to KSeF with a delay not exceeding the next business day; in the meantime, the Controller stores it locally with appropriate protection.
- In emergency mode (Art. 106nf of the VAT Act) the Invoice is transmitted to KSeF within 7 business days of the end of the KSeF unavailability announced by the Minister of Finance.
12. Artificial intelligence (AI) features
The Service makes available an optional integration with an AI assistant (client) based on the Model Context Protocol (MCP). This is a voluntary feature activated solely at the Service Recipient's initiative; by default, no data is transmitted to AI systems. The Controller does not provide its own AI model and does not use AI models to process the Service Recipients' personal data in the Service on its own initiative.
What the integration involves. The Controller operates on its side a secured interface (the MCP server). The Service Recipient may connect to it a third-party AI client/assistant of their choosing (e.g. Claude, Cursor, ChatGPT). Once the connection is established, the Service Recipient may, via that AI client, issue commands to read and perform operations on their own data in the Service (e.g. listing Invoices, creating Counterparties).
Data flow and roles. The data the Service Recipient requests via the AI client is transmitted to the provider of that AI client — chosen and connected by the Service Recipient themselves. In this respect the AI provider is a separate recipient of data acting on the Service Recipient's side; it processes the data under its own rules and its own privacy policy. The Controller is not a processor for the AI provider, does not control how the AI provider processes the data, and does not list the AI provider among its sub-processors. The choice of AI provider, acceptance of its terms and — where necessary — fulfilment of the data-controller obligations towards it, rest with the Service Recipient.
Transfer to a third country. The direction and legal basis of the transfer depend on the AI client provider chosen by the Service Recipient; some providers process data outside the EEA (USA) on the basis of the EU-US Data Privacy Framework and Standard Contractual Clauses (SCC 2021/914). The Controller is not a party to these transfers and is not a processor for the AI provider.
Control mechanisms on the Service Recipient's side. To retain control over the scope of disclosed data, the Service provides:
- permissions (scope) granted per connection: the Service Recipient decides which data and operations the AI client may access;
- an audit log: a record of every tool call made by the AI client;
- instant disconnection (revoke): the connection can be severed at any time.
Transparency (Art. 50 AI Act). In accordance with the transparency obligations arising from Art. 50 of the AI Act (applicable from 2 August 2026), for any AI features surfaced on the Service side the Controller clearly marks the interaction with the AI system and any content generated or modified by AI. Under no circumstances does the Controller use AI systems in a manner constituting a prohibited practice within the meaning of Art. 5 of the AI Act (in force since 2 February 2025).
Supported AI clients. The list of third-party AI clients/assistants supported within the integration, together with references to their privacy policies (transparency as to possible recipients of data on the Service Recipient's side):
- Claude (Anthropic) — Claude Desktop / Claude Code — https://www.anthropic.com/legal/privacy
- Cursor (Anysphere Inc.) — https://www.cursor.com/privacy
- ChatGPT (OpenAI) — https://openai.com/policies/privacy-policy/
The above list is informational; the Controller will give notice of any addition or change of supported AI clients in a Policy update, with at least 14 days' notice. Before deploying any AI features of its own, the Controller will carry out a Data Protection Impact Assessment (DPIA) in accordance with Art. 35 GDPR and take into account the recommendations of EDPB Opinion 28/2024 on AI models.
13. Data security and NIS2 / KSC
The Controller applies technical and organisational measures adequate to the threats, in particular:
- transmission encryption (TLS),
- encryption of sensitive data (KSeF certificates and private keys) with AES-256, in a separate key vault,
- password hashing (bcrypt),
- role- and permission-based access control,
- multi-factor authentication (2FA),
- backups and security monitoring,
- audit logs stored for 12 months.
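The list above names the controls without showing how the "AES-256, in a separate key vault" item is normally built. The following Go program is an added illustration written for this page (it is not code from Biurko or ITCompass) of envelope encryption for a company's KSeF private key: a fresh per-secret data-encryption key (DEK) encrypts the key material with AES-256-GCM, the DEK is itself wrapped under a key-encryption key (KEK) that the application database never holds, and the company identifier is authenticated as associated data so a sealed blob copied into another company's row cannot be opened. The in-memory KEK, the `company-42` identifier and the sample key bytes are constructed assumptions; in production the KEK would live in an HSM, KMS or separate vault service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedSecret is the record that would be stored in the application database.
// The DEK is present only in wrapped form; the KEK never leaves the Vault.
type SealedSecret struct {
	CompanyID  string // tenant the secret belongs to; authenticated as AEAD associated data
	WrappedDEK []byte // DEK encrypted under the KEK, GCM nonce prepended
	Ciphertext []byte // key material encrypted under the DEK, GCM nonce prepended
}

// Vault holds the key-encryption key. Here it is an in-memory byte slice
// (assumption for the example); a real deployment keeps it in an HSM/KMS.
type Vault struct {
	kek []byte
}

// NewVault accepts only a 32-byte KEK, i.e. AES-256.
func NewVault(kek []byte) (*Vault, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	return &Vault{kek: append([]byte(nil), kek...)}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts plaintext under key with a random nonce and returns nonce||ciphertext||tag.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails authentication.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// Seal encrypts key material for one company under a fresh DEK and wraps that DEK under the KEK.
func (v *Vault) Seal(companyID string, keyMaterial []byte) (*SealedSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(companyID)
	ct, err := gcmSeal(dek, keyMaterial, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(v.kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &SealedSecret{CompanyID: companyID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open unwraps the DEK for companyID and decrypts. A blob moved between tenant rows
// or modified at rest fails here because companyID is part of the authenticated data.
func (v *Vault) Open(s *SealedSecret, companyID string) ([]byte, error) {
	aad := []byte(companyID)
	dek, err := gcmOpen(v.kek, s.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, s.Ciphertext, aad)
}

// Rewrap moves a secret to a new KEK without decrypting the key material itself:
// the KEK-rotation path that envelope encryption exists for.
func (v *Vault) Rewrap(s *SealedSecret, next *Vault) (*SealedSecret, error) {
	aad := []byte(s.CompanyID)
	dek, err := gcmOpen(v.kek, s.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := gcmSeal(next.kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &SealedSecret{CompanyID: s.CompanyID, WrappedDEK: wrapped, Ciphertext: s.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // constructed in-memory KEK for the demo
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	v, _ := NewVault(kek)
	s, _ := v.Seal("company-42", []byte("-----BEGIN PRIVATE KEY-----\n(constructed sample)\n-----END PRIVATE KEY-----"))
	pem, err := v.Open(s, "company-42")
	fmt.Printf("own tenant: %q err=%v\n", pem, err)
	_, err = v.Open(s, "company-43")
	fmt.Println("cross-tenant open:", err)
}
```

Only `Seal`, `Open` and `Rewrap` touch the KEK, so they are the operations to put behind the vault boundary and to write to the audit log; the database side stores `SealedSecret` and nothing else.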
Status under NIS2 / KSC. The Polish Act on the National Cybersecurity System (KSC 2.0), transposing Directive (EU) 2022/2555 (NIS2), has been in force since 3 April 2026. Whether an entity is essential or important is determined, inter alia, by the thresholds of 50 employees or an annual turnover / balance sheet total of EUR 10 million. Given the form of business activity (sole proprietorship) and the size of the organisation, as at the effective date of the Policy the Controller does not qualify as an essential or important entity within the meaning of those provisions. The Controller voluntarily applies selected security standards from Annexes I and II of NIS2.
Should the abovementioned thresholds be exceeded, the Controller will register in the list of entities by 3 October 2026 and implement an Information Security Management System by 3 April 2027.
Security incident reports may be sent to security@itcompass.io. In the event of a personal data breach, the Controller reports the event to PUODO in accordance with Art. 33 GDPR and informs the data subjects in accordance with Art. 34 GDPR. If the Controller becomes subject to obligations under the KSC Act, additional reports are sent to CSIRT NASK (ul. Kolska 12, 01-045 Warsaw) on the NIS2 timeline: an early warning within 24 h, an incident notification within 72 h and a final report within one month.
14. Cookies
Detailed information on the cookies used can be found in the Cookies Policy available at biurko.io/polityka-cookies. As at the effective date of the Policy, the Service uses only essential cookies for the operation of the service (Art. 173(3)(1) of the Polish Telecommunications Law).
Before any future deployment of analytical or marketing cookies, the Controller will launch a consent banner compliant with the UODO guidelines of December 2024, including equally weighted "Accept all" and "Reject all" buttons.
15. Changes to the Privacy Policy
The Controller reserves the right to amend the Privacy Policy. Service Recipients will be informed of the changes at least 14 days before they enter into force, by electronic means to the address provided at registration, together with a list of the most important changes (changelog).
The archive of previous versions is available at biurko.io/legal/polityka-prywatnosci/archiwum.
Previous versions
- Version 1.0
- Version 2.0
- Version 2.1
- Version 2.2 (current)
ITCompass - ARTEM SHEVCHENKO · Katowice · contact@itcompass.io