Privacy policy
This Privacy Policy describes how personal data is processed when using the voltsteering.com website (the Website) and the Voltsteering application (the Platform). It is compliant with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Polish Act of 10 May 2018 on the protection of personal data.
1. Data controller
The controller of your personal data is Voltimer Sp. z o.o., with its registered office in Radom, Poland (the Controller). Voltsteering is a SaaS product operated directly by Voltimer Sp. z o.o.
Controller registration details:
National Court Register (KRS): 0001155063 (District Court Lublin-Wschód in Lublin with its seat in Świdnik, VI Commercial Division of the National Court Register)
Tax ID (NIP): 7963035094
Statistical number (REGON): 540881258
Share capital: PLN 30,000.00 (fully paid)
Address: ul. Henryka Sienkiewicza 36, lok. 5, 26-610 Radom, Poland
Contact: privacy@voltsteering.com.
2. Categories of data collected
We process data depending on how you use the Website:
- Waitlist signup — email address, signup date, source (landing page, campaign), IP address and browser identifier.
- Account registration — first name, last name, email address, password (hashed by Clerk), account metadata (creation date, last login, devices, IP addresses).
- Platform usage — project data entered by the user, documents uploaded to the system, interaction history with AI agents, system logs.
- Payments — billing data (company name, tax ID, address) and tokenised payment card data processed by Stripe. We do not store full card numbers.
3. Purposes and legal bases of processing
- Service provision — GDPR Art. 6(1)(b) (performance of contract).
- Waitlist signup and marketing — GDPR Art. 6(1)(a) (consent), which you may withdraw at any time.
- Billing and accounting — GDPR Art. 6(1)(c) (legal obligation).
- Platform security, fraud prevention — GDPR Art. 6(1)(f) (legitimate interest).
- Analytics and product development — GDPR Art. 6(1)(f) (legitimate interest) or consent.
4. Recipients of data (processors)
We use external service providers (processors) to whom we entrust data processing:
- Clerk (authentication, account management) — USA, SCCs (Standard Contractual Clauses).
- Vercel (application hosting) — USA/EU, SCCs.
- Supabase (database) — Frankfurt region (EU).
- Cloudflare R2 (document storage) — EU region.
- Upstash (queues, cache) — EU region.
- Anthropic (AI agents, Claude API) — USA, SCCs, zero-retention.
- Resend (transactional email) — USA/EU, SCCs.
- Sentry (error monitoring) — EU/USA, SCCs.
- PostHog (product analytics) — EU region.
- Stripe (payments) — Ireland (EU) + USA, SCCs.
We have signed a Data Processing Agreement (DPA) with each processor. Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
5. Transfers to third countries
Some of our processors (Clerk, Anthropic, Resend, Stripe) have infrastructure in the United States. Transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission or the Data Privacy Framework (DPF). We apply additional technical measures (encryption, pseudonymisation) to enhance transfer security.
6. Data retention periods
- Waitlist data — until consent is withdrawn, maximum 24 months.
- User account data — for the duration of the contract + 12 months after termination.
- Billing data — 5 years from the end of the tax year (statutory obligation).
- System logs — 90 days.
- Data uploaded to the Platform (project documents) — for the duration of the contract; returned/deleted within 30 days after termination.
7. Your rights
You have the following rights in relation to the processing of your data:
- Right of access — request a copy of your data.
- Right to rectification — correction of incorrect data.
- Right to erasure ("right to be forgotten") — removal of data from our systems.
- Right to restrict processing.
- Right to data portability — export in a commonly used format (JSON).
- Right to object to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting processing before withdrawal.
- Right to lodge a complaint with the Polish supervisory authority (UODO, ul. Stawki 2, 00-193 Warsaw) or your local DPA.
To exercise your rights, email privacy@voltsteering.com. We respond within 30 days.
8. Cookies and similar technologies
The Website uses cookies and similar technologies (localStorage, session cookies):
- Essential — site functioning, user session (Clerk), CSRF. Basis: legitimate interest / contract performance.
- Analytics — PostHog for usage statistics, IP anonymisation. Basis: consent.
- Marketing — none (we do not run third-party ads).
You can manage cookies in your browser settings.
9. Automated decisions and profiling
The Platform's AI agents (Anthropic's Claude API) assist users in their work (document generation, compliance analysis, recommendations). Final decisions are always made by a human — we do not apply solely automated decisions producing legal effects on individuals. Anthropic does not train models on your data (zero-retention policy).
10. Security
We implement technical and organisational measures proportionate to risk:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Tenant data isolation (Row Level Security in Postgres).
- Access control, MFA for administrators.
- Daily backups, point-in-time recovery.
- Audit log for all data operations.
- Regular security audits and penetration testing (planned after MVP).
11. Changes to this policy
We reserve the right to update this Privacy Policy. We will notify you of material changes by email at least 30 days before they take effect.
12. Contact
For data protection matters:
Email: privacy@voltsteering.com
Postal address: Voltimer Sp. z o.o., ul. Henryka Sienkiewicza 36 lok. 5, 26-610 Radom, Poland.
Note: This document is a draft pending final legal review (Hubert Kabaciński, Voltimer Sp. z o.o.).
