Privacy Policy
1. Data controller
The controller of the User's personal data is:
Adam Sip, a private individual conducting unregistered business activity
(Article 5 of the Polish Entrepreneurs' Law)
ul. Akacjowa 11, 62-200 Gniezno, Poland
Email: admin@robisie.app
Tax ID / REGON: not applicable (unregistered business activity)
2. Scope of data collected
In connection with the use of the Service, the Controller processes the following categories of data:
- Account data — email address, name, profile photo (retrieved from the Google account during OAuth login), profile settings.
- Payment data — subscription number, transaction dates, payment status (card data is processed exclusively by Stripe — the Service does not store card numbers).
- Communication — the content of complaint messages, support requests, and email correspondence, along with metadata (date, sender's email address).
- AI input and output:
- User Content (links, queries, files) entered into the Service in order to use Plugins;
- Output generated by AI tools based on User Content, assigned to the User's account.
- Technical data — IP address, browser information (User-Agent), activity logs (for security and diagnostic purposes).
3. Purpose and legal basis for processing
- Providing services (Article 6(1)(b) GDPR) — performance of the agreement for the provision of electronic services.
- Payment processing (Article 6(1)(b) GDPR) — processing transactions via Stripe.
- Communication (Article 6(1)(f) GDPR) — responding to inquiries and handling complaints.
- Legal obligations (Article 6(1)(c) GDPR) — maintaining tax and accounting records.
4. Retention period
Personal data is retained for the following periods:
- (a) account data (email, name, profile settings) — for the duration the account exists; after a deletion request is submitted, the account is deactivated and permanently deleted after 30 days (a period allowing the decision to be reversed);
- (b) payment data (transaction numbers, dates) — 5 years from the end of the calendar year in which the transaction took place (Tax Code);
- (c) User Content and generated reports (Output) — for the duration the account exists; report files are automatically deleted within 30 days of generation, and the related database records are deleted together with the account;
- (d) technical logs and the GDPR record of processing activities (accountability) — for the period necessary to ensure the security of the service and to demonstrate compliance with the law (Article 5(2) GDPR);
- (e) database backups (Cloudflare R2) — 14-day rotation.
Once these periods have elapsed, the data is permanently deleted or anonymized.
5. User rights
The User has the right to:
- (a) access their data (Article 15 GDPR);
- (b) rectify their data (Article 16 GDPR);
- (c) erasure of data — the "right to be forgotten" (Article 17 GDPR);
- (d) restriction of processing (Article 18 GDPR);
- (e) data portability (Article 20 GDPR) — to the extent set out in §11 of the Terms (excluding AI models, aggregated data, and the Service Provider's IP);
- (f) object to processing (Article 21 GDPR);
- (g) not be subject to decisions based solely on automated processing (Article 22 GDPR).
Contact: admin@robisie.app. Response within 30 days.
In the event of a dispute with the Service Provider, the User has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO, uodo.gov.pl).
6. Cookies
The Service uses cookies necessary for its proper operation:
- Authentication session — the NextAuth session cookie, necessary to keep the User logged in.
- Cookie preferences — remembering consent to cookies (localStorage).
The Service does not use analytics or marketing cookies.
7. Security + data transfers
7.1 The User's data is protected by technical and organizational measures appropriate to the risk: encryption in transit (TLS), backup encryption, access control, and regular security updates.
7.2 Data transfers to third countries (USA):
The Service uses the following providers that process data in the United States:
- (a) Stripe Payments Europe, Ltd. (Dublin, with transfer to the USA) — payment processing;
- (b) Google Ireland Ltd. (Dublin, with transfer to the USA) — account authentication (OAuth);
- (c) Cloudflare, Inc. (USA) — delivering the Service, DNS, DDoS protection;
- (d) Anthropic PBC (USA) / OpenAI, LLC (USA) — AI model providers (processing User Content to generate Output).
Transfers take place on the basis of the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and/or the EU-US Data Privacy Framework (for certified providers). The User may obtain a copy of the safeguards applied on request — contact: admin@robisie.app.
8. Data breach
8.1 In the event of a personal data breach, the Controller:
- (a) reports the breach to the President of the Personal Data Protection Office within 72 hours of becoming aware of it (Article 33 GDPR), unless it is unlikely to result in a risk to the rights or freedoms of natural persons;
- (b) in the event of a high risk to the User's rights — notifies the affected Users directly without undue delay (Article 34 GDPR).
8.2 The notification includes: the nature of the breach, the likely consequences, the measures taken or proposed to address it, and contact details for obtaining further information.
Last updated: April 23, 2026