Privacy Policy

The controller of personal data processed in connection with the use of Solopreneur is Jakub Byliński Development, with its registered office at os. Osiedle Tysiąclecia 4A/4, 73-110 Stargard, Poland, NIP 8542455178, REGON 542043722 (the “Controller”).

You may contact the Controller in matters relating to personal data:

• by email: jakub.bylinski@gmail.com
• by post: os. Osiedle Tysiąclecia 4A/4, 73-110 Stargard, Poland

• account data: email address, hashed password, authentication identifiers;
• profile preferences: language, timezone, gross margin assumption, CAC assumption;
• billing data: company name, VAT (NIP) number, billing address, country, payment method metadata (provided to and stored by Stripe);
• Stripe connection data: connected account identifier, OAuth tokens (stored encrypted), subscription, customer, invoice and refund metadata imported from your own Stripe account for analytics purposes;
• operational data: IP address, browser user agent, request logs, error logs.

• providing the Service (account creation, dashboard, analytics, dunning emails) - art. 6(1)(b) GDPR (performance of a contract);
• issuing invoices and complying with tax and accounting obligations - art. 6(1)(c) GDPR (legal obligation);
• ensuring the security of the Service, preventing fraud and abuse - art. 6(1)(f) GDPR (legitimate interest of the Controller);
• sending the weekly digest email and product communications - art. 6(1)(a) GDPR (consent, withdrawable at any time);
• handling complaints, claims, and the defence of legal claims - art. 6(1)(c) and art. 6(1)(f) GDPR.

Personal data may be transferred to the following categories of processors and recipients, each acting under a written agreement and to the extent necessary:

• Supabase, Inc. - database, authentication, and storage hosting;
• Vercel Inc. - application hosting and edge delivery;
• Stripe Payments Europe, Ltd. and Stripe, Inc. - payment processing, issuance of VAT invoices (Stripe Invoicing), and Stripe Connect platform services;
• Resend, Inc. - transactional and marketing email delivery;
• competent public authorities - only where required by applicable law.

Some of the recipients listed above are established outside the European Economic Area (notably in the United States). Such transfers take place on the basis of Standard Contractual Clauses approved by the European Commission and, where applicable, supplementary safeguards required by the case-law of the Court of Justice of the European Union (Schrems II).

• account data - for the duration of the account, and up to 30 days after deletion for backup and audit purposes;
• billing and invoicing data - for the period required by Polish tax law (currently 5 years counted from the end of the calendar year in which the tax obligation arose);
• data imported from your Stripe account - for as long as the connection exists, and deleted on disconnection of the Stripe account;
• operational and security logs - typically up to 12 months.

Under the GDPR you have the right to:

• access your personal data (art. 15);
• rectify inaccurate or incomplete data (art. 16);
• request erasure of your data (art. 17);
• request restriction of processing (art. 18);
• data portability (art. 20);
• object to processing based on legitimate interest (art. 21);
• withdraw consent at any time, without affecting the lawfulness of prior processing (art. 7(3));
• lodge a complaint with the Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warszawa).

You may exercise these rights by contacting the Controller at jakub.bylinski@gmail.com.

The Service does not subject personal data to automated decision-making within the meaning of art. 22 GDPR, including profiling that produces legal or similarly significant effects.

The Service uses only strictly necessary cookies and browser local storage. These are essential for the Service to function and to keep you signed in, so under art. 173 of the Polish Telecommunications Law and the ePrivacy Directive they do not require your prior consent. We therefore show an informational cookie notice rather than a consent banner, and we do not block any functionality while it is displayed.

The following are used:

• Authentication / session cookies (set by Supabase Auth, e.g. sb-<project>-auth-token) - keep you securely signed in and maintain your session; deleted when you sign out or the session expires;
• Cookie-notice acknowledgement - a single browser local-storage flag (cookie-notice-ack) that remembers you have seen this notice so it is not shown on every visit;
• Language selection - your interface language is carried in the page URL and saved to your profile; no separate tracking cookie is set for this purpose.

We do not place advertising, tracking, profiling, or third-party analytics cookies, and we do not sell or share any data collected via cookies. You can delete or block cookies in your browser settings, but doing so will sign you out and may prevent the Service from working correctly.

Providing personal data is voluntary, however certain data (e.g. email address and password, or billing data) is required to create an account or to conclude and perform the agreement with the Controller. Refusal to provide such data will make it impossible to use the corresponding part of the Service.

The Controller may update this Privacy Policy. Material changes will be communicated by email or via in-app notice at least 14 days before they take effect.