Privacy Policy
Last updated: February 10, 2026
This Privacy Policy explains how Nie Przelewki Sp. z o.o. ("we", "us", "our", "the Operator") collects, uses, stores, shares, and protects your personal data when you use the Alcotrade.app platform ("the Service"). This policy has been prepared in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable Polish data protection legislation.
1. Data Controller
The data controller responsible for processing your personal data is:
For all questions, requests, or concerns regarding your personal data, please contact us at the email address above.
2. Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
- Email address - required for account creation and authentication.
- Password hash - if you set a password (stored in encrypted form; we never store plaintext passwords).
- Account creation date and last login timestamp.
2.2 Business Profile Data
- Full name - your name or the name of the company representative.
- Company name - the legal or trading name of your business.
- NIP (Tax Identification Number) - Polish tax identification number for business verification.
- KRS (National Court Register number) - if applicable, for company verification purposes.
- Phone number - business contact telephone number.
- Company website URL.
- Business category - the type of your business activity (e.g., producer, distributor, retailer, HORECA).
- Business description - a free-text description of your business activities, offerings, and what you are looking for on the Platform.
- Location / region of operation.
2.3 Technical Data
- IP address - collected automatically during interactions with the Service.
- Browser type and version.
- Device information - operating system, screen resolution.
- Access logs - timestamps and pages visited within the Service.
2.4 Communication Data
- Email correspondence - any messages you send to us at [email protected].
3. Legal Basis for Processing
We process your personal data on the following legal bases under Article 6(1) of the GDPR:
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and management | Performance of a contract (these Terms of Service) | Art. 6(1)(b) |
| Profile creation and display to other Members | Performance of a contract | Art. 6(1)(b) |
| Admin approval and identity verification | Legitimate interest (ensuring platform quality and security) | Art. 6(1)(f) |
| Business matching and networking features | Performance of a contract | Art. 6(1)(b) |
| Sending service-related emails (authentication links, notifications) | Performance of a contract | Art. 6(1)(b) |
| Platform security, fraud prevention, and abuse detection | Legitimate interest (protecting users and the Service) | Art. 6(1)(f) |
| Technical maintenance and error logging | Legitimate interest (ensuring service reliability) | Art. 6(1)(f) |
| Compliance with legal obligations | Legal obligation | Art. 6(1)(c) |
| Marketing communications (if you opt in) | Consent | Art. 6(1)(a) |
4. How We Use Your Data
We use your personal data for the following purposes:
- To create and manage your user account.
- To display your business Profile to other approved Members of the Platform.
- To verify your identity and business legitimacy during the Admin Approval process.
- To facilitate business networking, matching, and discovery between Members.
- To send you authentication emails (magic links) and service-related notifications.
- To maintain, improve, and secure the Service.
- To respond to your inquiries and support requests.
- To comply with applicable laws and regulations.
5. Data Sharing and Processors
We do not sell your personal data. We share your data only with the following categories of recipients, acting as data processors on our behalf:
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase, Inc. | Authentication, database hosting, and backend services | United States | Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR; additional technical measures including encryption at rest and in transit |
| Cloudflare, Inc. | Website hosting (Cloudflare Pages), CDN, DDoS protection, and DNS | United States / Global edge network | Standard Contractual Clauses (SCCs); Data Processing Addendum; edge processing minimizes data transfer |
| Brevo (Sendinblue) | Transactional email delivery (authentication links, notifications) | European Union (France) | Data processed within the EU; GDPR-compliant data processing agreement |
We may also share your data with law enforcement or regulatory authorities if required by law or in response to a valid legal request.
5.1 Profile Visibility to Other Members
By creating a Profile on the Platform, you understand and agree that certain information from your Profile (such as company name, business category, business description, and region) will be visible to other approved Members of the Platform. Your email address and phone number are shared with other Members only in accordance with the Platform's contact sharing mechanisms.
6. International Data Transfers
Some of our data processors are located outside the European Economic Area (EEA), specifically in the United States. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission, as the primary transfer mechanism.
- Supplementary technical measures such as encryption of data at rest and in transit.
- Data processing agreements with all processors, specifying their obligations regarding data protection.
You may request a copy of the relevant safeguards by contacting us at [email protected].
7. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy, specifically:
- Account and Profile data: retained for the duration of your account's existence. Upon account deletion, your data will be erased within 30 days, except where retention is required by law.
- Technical logs (IP addresses, access logs): retained for up to 12 months for security and diagnostic purposes.
- Communication records: retained for up to 24 months from the date of last communication for support and dispute resolution purposes.
- Data required by law: retained for the period required by applicable Polish or EU legislation (e.g., tax and accounting records for 5 years).
After the applicable retention period, your personal data will be securely deleted or anonymized.
8. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and to receive a copy of that data.
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten") where there is no compelling reason for its continued processing.
- Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
- Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object (Art. 21): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, as required by the GDPR. In exceptional cases, this period may be extended by a further 60 days, in which case we will inform you of the extension and the reasons for it.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/HTTPS.
- Encryption at rest: Data stored in our database is encrypted at rest by our hosting provider (Supabase).
- Access controls: Access to personal data is restricted to authorized personnel only, on a need-to-know basis.
- Authentication security: We use secure authentication methods (magic links and hashed passwords) and do not store plaintext passwords.
- Row-Level Security (RLS): Our database implements row-level security policies to ensure that users can only access data they are authorized to view.
- Regular security assessments: We periodically review and update our security practices.
- DDoS protection: Our hosting infrastructure (Cloudflare) provides protection against distributed denial-of-service attacks.
While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your personal data.
10. Cookies and Local Storage
For detailed information about how we use cookies and local storage technologies, please refer to our Cookie Policy.
In summary, the Service primarily uses localStorage (a browser-based storage mechanism) to store authentication tokens necessary for the functioning of the Service. Third-party services (Supabase, Cloudflare) may also set cookies for security and performance purposes.
11. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a person under 18, we will take steps to delete such data promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify registered Users via email where the changes are material.
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy.
13. Right to Lodge a Complaint
If you believe that our processing of your personal data violates the GDPR or applicable Polish data protection law, you have the right to lodge a complaint with the competent supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
President of the Personal Data Protection Office
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
We encourage you to contact us first at [email protected] so that we can address your concerns directly.
14. Contact
For any questions, requests, or concerns about this Privacy Policy or our data processing practices, please contact the data controller: