Privacy Policy

1. Data controller

The controller of the User's personal data is:

Adam Sip, a private individual conducting unregistered business activity

(Article 5 of the Polish Entrepreneurs' Law)

ul. Akacjowa 11, 62-200 Gniezno, Poland

Email: admin@robisie.app

Tax ID / REGON: not applicable (unregistered business activity)

2. Scope of data collected

In connection with the use of the Service, the Controller processes the following categories of data:

  • Account dataemail address, name, profile photo (retrieved from the Google account during OAuth login), profile settings.
  • Payment datasubscription number, transaction dates, payment status (card data is processed exclusively by Stripe — the Service does not store card numbers).
  • Communicationthe content of complaint messages, support requests, and email correspondence, along with metadata (date, sender's email address).
  • AI input and output:
    • User Content (links, queries, files) entered into the Service in order to use Plugins;
    • Output generated by AI tools based on User Content, assigned to the User's account.
  • Technical dataIP address, browser information (User-Agent), activity logs (for security and diagnostic purposes).

3. Purpose and legal basis for processing

  • Providing services (Article 6(1)(b) GDPR) — performance of the agreement for the provision of electronic services.
  • Payment processing (Article 6(1)(b) GDPR) — processing transactions via Stripe.
  • Communication (Article 6(1)(f) GDPR) — responding to inquiries and handling complaints.
  • Legal obligations (Article 6(1)(c) GDPR) — maintaining tax and accounting records.

4. Retention period

Personal data is retained for the following periods:

  • (a) account data (email, name, profile settings) — for the duration the account exists; after a deletion request is submitted, the account is deactivated and permanently deleted after 30 days (a period allowing the decision to be reversed);
  • (b) payment data (transaction numbers, dates) — 5 years from the end of the calendar year in which the transaction took place (Tax Code);
  • (c) User Content and generated reports (Output) — for the duration the account exists; report files are automatically deleted within 30 days of generation, and the related database records are deleted together with the account;
  • (d) technical logs and the GDPR record of processing activities (accountability) — for the period necessary to ensure the security of the service and to demonstrate compliance with the law (Article 5(2) GDPR);
  • (e) database backups (Cloudflare R2) — 14-day rotation.

Once these periods have elapsed, the data is permanently deleted or anonymized.

5. User rights

The User has the right to:

  • (a) access their data (Article 15 GDPR);
  • (b) rectify their data (Article 16 GDPR);
  • (c) erasure of data — the "right to be forgotten" (Article 17 GDPR);
  • (d) restriction of processing (Article 18 GDPR);
  • (e) data portability (Article 20 GDPR) — to the extent set out in §11 of the Terms (excluding AI models, aggregated data, and the Service Provider's IP);
  • (f) object to processing (Article 21 GDPR);
  • (g) not be subject to decisions based solely on automated processing (Article 22 GDPR).

Contact: admin@robisie.app. Response within 30 days.

In the event of a dispute with the Service Provider, the User has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO, uodo.gov.pl).

6. Cookies

The Service uses cookies necessary for its proper operation:

  • Authentication sessionthe NextAuth session cookie, necessary to keep the User logged in.
  • Cookie preferencesremembering consent to cookies (localStorage).

The Service does not use analytics or marketing cookies.

7. Security + data transfers

7.1 The User's data is protected by technical and organizational measures appropriate to the risk: encryption in transit (TLS), backup encryption, access control, and regular security updates.

7.2 Data transfers to third countries (USA):

The Service uses the following providers that process data in the United States:

  • (a) Stripe Payments Europe, Ltd. (Dublin, with transfer to the USA) — payment processing;
  • (b) Google Ireland Ltd. (Dublin, with transfer to the USA) — account authentication (OAuth);
  • (c) Cloudflare, Inc. (USA) — delivering the Service, DNS, DDoS protection;
  • (d) Anthropic PBC (USA) / OpenAI, LLC (USA) — AI model providers (processing User Content to generate Output).

Transfers take place on the basis of the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) and/or the EU-US Data Privacy Framework (for certified providers). The User may obtain a copy of the safeguards applied on request — contact: admin@robisie.app.

8. Data breach

8.1 In the event of a personal data breach, the Controller:

  • (a) reports the breach to the President of the Personal Data Protection Office within 72 hours of becoming aware of it (Article 33 GDPR), unless it is unlikely to result in a risk to the rights or freedoms of natural persons;
  • (b) in the event of a high risk to the User's rights — notifies the affected Users directly without undue delay (Article 34 GDPR).

8.2 The notification includes: the nature of the breach, the likely consequences, the measures taken or proposed to address it, and contact details for obtaining further information.

Last updated: April 23, 2026