Privacy policy
This Privacy Policy describes how personal data is processed when using the voltsteering.com website (the Website) and the Voltsteering application (the Platform). It is compliant with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Polish Act of 10 May 2018 on the protection of personal data.
1. Data controller
The controller of your personal data is Voltimer Sp. z o.o., with its registered office in Radom, Poland (the Controller). Voltsteering is a SaaS product operated directly by Voltimer Sp. z o.o.
Controller registration details:
National Court Register (KRS): 0001155063 (District Court Lublin-Wschód in Lublin with its seat in Świdnik, VI Commercial Division of the National Court Register)
Tax ID (NIP): 7963035094
Statistical number (REGON): 540881258
Share capital: PLN 30,000.00 (fully paid)
Address: ul. Henryka Sienkiewicza 36, lok. 5, 26-610 Radom, Poland
Contact: privacy@voltimer.com.pl.
2. Categories of data collected
We process data depending on how you use the Website:
- Waitlist signup — email address, signup date, source (landing page, campaign), IP address and browser identifier.
- Account registration — first name, last name, email address, password (hashed by Clerk), account metadata (creation date, last login, devices, IP addresses).
- Platform usage — project data entered by the user, documents uploaded to the system, interaction history with AI assistants, system logs.
- Payments — billing data (company name, tax ID, address) and tokenised payment card data processed by Krajowy Integrator Płatności S.A. (Tpay). We do not store full card numbers — Tpay returns only a recurring payment token for automatic subscription renewal.
3. Purposes and legal bases of processing
- Service provision — GDPR Art. 6(1)(b) (performance of contract).
- Waitlist signup and marketing — GDPR Art. 6(1)(a) (consent), which you may withdraw at any time.
- Billing and accounting — GDPR Art. 6(1)(c) (legal obligation).
- Platform security, fraud prevention — GDPR Art. 6(1)(f) (legitimate interest).
- Analytics and product development — GDPR Art. 6(1)(f) (legitimate interest) or consent.
4. Recipients of data (processors)
We use external service providers (processors) to whom we entrust data processing:
- Clerk (authentication, account management) — USA, SCCs (Standard Contractual Clauses).
- Vercel (application hosting) — USA/EU, SCCs.
- Supabase (database) — Frankfurt region (EU).
- Cloudflare R2 (document storage) — EU region.
- Upstash (queues, cache) — EU region.
- Anthropic (AI assistants, Claude API) — USA, SCCs, zero-retention.
- Resend (transactional email) — USA/EU, SCCs.
- Sentry (error monitoring) — EU/USA, SCCs.
- PostHog (product analytics) — EU region.
- Tpay (Krajowy Integrator Płatności S.A.) (online payments: BLIK, cards, transfers) — Poznań, Poland. NIP 9542750172. Licensed payment institution supervised by the Polish Financial Supervision Authority (KNF). PCI-DSS Level 1.
- Ministry of Finance (KSeF) (Polish national e-invoice system — VAT invoice submission) — Poland. Invoices are generated natively by Voltsteering and submitted via the KSeF API.
We have signed a Data Processing Agreement (DPA) with each processor. Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
5. Transfers to third countries
Some of our processors (Clerk, Anthropic, Resend) have infrastructure in the United States. Tpay operates only within the EEA (Poland). Transfers are based on Standard Contractual Clauses (SCCs) approved by the European Commission or the Data Privacy Framework (DPF). We apply additional technical measures (encryption, pseudonymisation) to enhance transfer security.
6. Data retention periods
- Waitlist data — until consent is withdrawn, maximum 24 months.
- User account data — for the duration of the contract + 12 months after termination.
- Billing data — 5 years from the end of the tax year (statutory obligation).
- System logs — 90 days.
- Data uploaded to the Platform (project documents) — for the duration of the contract; returned/deleted within 30 days after termination.
7. Your rights
You have the following rights in relation to the processing of your data:
- Right of access — request a copy of your data.
- Right to rectification — correction of incorrect data.
- Right to erasure ("right to be forgotten") — removal of data from our systems.
- Right to restrict processing.
- Right to data portability — export in a commonly used format (JSON).
- Right to object to processing based on legitimate interest.
- Right to withdraw consent — at any time, without affecting processing before withdrawal.
- Right to lodge a complaint with the Polish supervisory authority (UODO, ul. Stawki 2, 00-193 Warsaw) or your local DPA.
To exercise your rights, email privacy@voltimer.com.pl. We respond within 30 days.
8. Cookies and similar technologies
The Service uses cookies, localStorage and sessionStorage to provide core functionality and — with your consent — analytics. On first visit we display a consent banner where you can accept all, accept only necessary, or customise your choice. You can change consent at any time via the "Cookie settings" link in the footer.
8.1. Cookie categories used
a) Necessary (always active, cannot be disabled)
Legal basis: art. 6(1)(b) GDPR (contract performance) and (f) (legitimate interest — security).
| Name | Purpose | Retention |
|---|---|---|
| __session, __client_uat, __clerk_* | User session, authentication (Clerk) | up to 7 days / until sign-out |
| vs_cookie_consent | Your cookie banner choice | 1 year |
| voltsteering-theme (localStorage) | Theme preference (Light / Gray / Dark) | persistent (until user clears) |
| voltsteering-projects-view (localStorage) | Projects view preference (Cards / List / Kanban / Gantt) | persistent |
| NEXT_LOCALE | Selected language (PL / EN) | 1 year |
| voltsteering-tester-greeting-* | Tester thank-you toast state | session + 48h dismiss cooldown |
b) Analytics (opt-in — consent required)
Legal basis: art. 6(1)(a) GDPR (consent). Anonymous data, no personal identification.
| Name | Purpose | Provider | Retention |
|---|---|---|---|
| Vercel Analytics | Anonymous pageview statistics & Core Web Vitals | Vercel Inc., USA (DPF / SCC) | 90 days |
c) Marketing (opt-in — consent required)
We currently do not use marketing cookies. Consent is collected proactively — if in the future we enable remarketing (e.g. Meta / LinkedIn pixel), we will honour your earlier choice from day one. Enabling this category now has no effect until marketing tooling is deployed.
8.2. How to withdraw consent
- Click "Cookie settings" in the footer — a settings panel with toggles will open
- Adjust browser settings (clear cookies, block localStorage)
- Email us at info@voltimer.com.pl — we will action it within 7 days
Withdrawing consent does not affect the lawfulness of processing done before withdrawal. Necessary cookies remain active — the Service cannot function without them (e.g. sign-in breaks).
9. Automated decisions and profiling
The Platform's AI assistants (Anthropic's Claude API) assist users in their work (document generation, compliance analysis, recommendations). Final decisions are always made by a human — we do not apply solely automated decisions producing legal effects on individuals. Anthropic does not train models on your data (zero-retention policy).
10. Security
We implement technical and organisational measures proportionate to risk:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Tenant data isolation (Row Level Security in Postgres).
- Access control, MFA for administrators.
- Daily backups, point-in-time recovery.
- Audit log for all data operations.
- Regular security audits and penetration testing (planned after MVP).
11. Changes to this policy
We reserve the right to update this Privacy Policy. We will notify you of material changes by email at least 30 days before they take effect.
12. Contact
For data protection matters:
Email: privacy@voltimer.com.pl
Postal address: Voltimer Sp. z o.o., ul. Henryka Sienkiewicza 36 lok. 5, 26-610 Radom, Poland.
