Privacy Policy — Attestia.eu

The Polish version is legally binding. In case of any discrepancy between the Polish and English versions, the Polish version shall prevail. The English version is provided for information and accessibility purposes.

Version: 1.0
Effective date: 2026-04-22
Last updated: 2026-04-22
Related document: Attestia.eu Terms of Service — attestia.eu/terms


1. Introduction

  1. This Privacy Policy (the "Policy") describes how Trimalert sp. z o.o. (the "Provider", "Attestia", "we", "us", "our") — operator of the platform offered under the "Attestia" trade mark (the "Platform" or "Service") at attestia.eu and app.attestia.eu — processes personal data.

  2. The Policy fulfils the information obligation under Articles 13 and 14 GDPR and is a document tightly linked to the Terms of Service of Attestia.eu (attestia.eu/terms). Capitalised terms not defined herein have the meaning given in the Terms (notably: Platform, User, Organisation, Account, AI System, Risk Classification, Compliance Documents, Organisation Data, Subscription Plan, EU AI Act, GDPR).

  3. The Policy has been prepared in accordance with:

    • Regulation (EU) 2016/679 ("GDPR"),
    • the Polish Data Protection Act of 10 May 2018,
    • the Polish Act of 18 July 2002 on the Provision of Electronic Services,
    • the Polish Telecommunications Act of 16 July 2004 (cookies — Art. 173),
    • Regulation (EU) 2024/1689 (EU AI Act) — transparency obligation under Art. 50.

  4. The Platform is B2B-only (§ 1(4) of the Terms). This Policy covers the processing of personal data of:

    • individuals acting on behalf of an Organisation (Platform Users),
    • website visitors without an Account (leads, contacts, newsletter subscribers),
    • individuals whose data may be incidentally included in Organisation Data (processor role — see section 3.2).

  5. Attestia is a compliance automation tool — it does NOT constitute legal advice and does not replace professional legal counsel (see § 4 of the Terms).


2. Data Controller

The Controller of your personal data within the meaning of Article 4(7) GDPR is:

Company: Trimalert sp. z o.o.
Registered office: ul. Przasnyska 7/319, 01-756 Warsaw, Poland
Polish business register (KRS): 0001233147
Tax ID (NIP / EU VAT): 5253085087
Statistical number (REGON): 54440046800000
Share capital: PLN 5,000.00
Data protection contact: privacy@attestia.eu
General contact: contact@attestia.eu
Technical support: support@attestia.eu

2.1. Data Protection Officer (DPO)

At the current stage, Attestia is not required to appoint a DPO under Article 37 GDPR — the statutory criteria are not met (no large-scale regular and systematic monitoring, no large-scale processing of special categories).

For all data-protection matters please contact privacy@attestia.eu. Should a DPO be appointed, their contact details will be published here.


3. Processing Roles and Scope

3.1. Attestia as controller

Attestia is the controller of personal data of:

  • Users of the Platform (Account data),
  • persons contacting us through forms or email,
  • newsletter subscribers,
  • visitors to the Service (technical data, analytics cookies — with consent).

3.2. Attestia as processor

With respect to Organisation Data that may contain personal data (e.g. descriptions of AI Systems referring to natural persons), Attestia acts as a processor within the meaning of Article 28 GDPR, and the Organisation remains the controller.

The details are governed by the Data Processing Agreement (DPA) attached as Annex 1 to the Terms and accepted together with the Terms. This Policy does not replace the DPA and, in the scope of processor activities, refers to Annex 1 to the Terms.

3.3. Independent controllers

Some partners act as independent controllers of their own data:

  • Stripe Payments Europe, Ltd. — payment data (card numbers, bank account details). Attestia has no access to and does not store payment data.

4. Data We Process

4.1. Account data

  • email address (required for registration and login),
  • first and last name,
  • Organisation name,
  • job title / role (optional),
  • interface language (PL/EN) and preferences,
  • profile picture / avatar (optional).

4.2. Authentication data

  • password (Supabase Auth — bcrypt hash or equivalent),
  • identifiers from external OAuth providers (Google, GitHub) — only to the extent necessary for Account identification,
  • session tokens (cookies: HttpOnly, Secure, SameSite; access token TTL 1h, refresh token TTL 7 days).

4.3. Organisation Data containing personal data

Data submitted by Users (AI System descriptions, questionnaire answers, evidence files). May contain personal data only to the extent of description (e.g. noting a system processes job-applicant data). Attestia acts here as a processor — see sections 3.2 and Annex 1 to the Terms (DPA).

Pseudonymisation before AI processing: AI System descriptions sent to Azure OpenAI are pseudonymised (without Organisation name, User personal data or billing data) — in line with § 7(5) of the Terms.

4.4. Billing data

  • invoicing details (company name, address, VAT number, EU tax identification),
  • payment and invoice history.

Payment data (card numbers, bank account details) is processed directly by Stripe — see section 3.3.

4.5. Technical and usage data

  • IP address (anonymised to /24 for IPv4 and /64 for IPv6 before analysis),
  • browser type and version, operating system,
  • session logs (date, time, actions),
  • session and device identifiers,
  • analytics data — only with consent (see section 9).
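The /24 and /64 truncation described above, as an added illustration that is not Attestia's own code: the Policy states only the prefix lengths, so the parsing logic, the treatment of IPv4-mapped IPv6 addresses, the combined-format access log lines (constructed here, using documentation-range addresses) and the choice to replace an unparseable client field with "-" rather than keep it verbatim are this example's assumptions.

```python
import ipaddress

IPV4_PREFIX = 24  # keep the first three octets, zero the host octet
IPV6_PREFIX = 64  # keep the routing prefix, zero the interface identifier


def anonymise_ip(raw: str) -> str:
    """Truncate an address to the retained prefix before it is stored for analysis.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first (this example's
    choice): masking them at /64 would collapse every such client to '::' instead
    of applying the /24 rule the Policy states for IPv4.
    Raises ValueError for input that is not an IP address.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_log_line(line: str) -> str:
    """Rewrite the leading client-address field of a combined-format access log line.

    A field that does not parse as an address is replaced by '-' rather than kept,
    so a malformed or spoofed value cannot pass through to analytics unmodified.
    """
    client, sep, rest = line.partition(" ")
    try:
        client = anonymise_ip(client)
    except ValueError:
        client = "-"
    return f"{client}{sep}{rest}"


# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses, not real traffic)
SAMPLE_LINES = [
    '203.0.113.77 - - [22/Apr/2026:09:00:00 +0000] "GET /app HTTP/1.1" 200 512',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [22/Apr/2026:09:00:01 +0000] "POST /api/login HTTP/1.1" 204 0',
    '::ffff:203.0.113.77 - - [22/Apr/2026:09:00:02 +0000] "GET /app HTTP/1.1" 200 512',
    'not-an-ip - - [22/Apr/2026:09:00:03 +0000] "GET /app HTTP/1.1" 400 0',
]


def anonymise_lines(lines: list[str]) -> list[str]:
    """Apply the truncation to every line of a log batch."""
    return [anonymise_log_line(line) for line in lines]


if __name__ == "__main__":
    for out in anonymise_lines(SAMPLE_LINES):
        print(out)
```

Truncation of this kind reduces identifiability but does not make the record anonymous on its own: combined with a precise timestamp and a distinctive user-agent string, a /24 can still single out a client on a small network, which is why the Policy treats this data as personal data processed under Art. 6(1)(f) rather than as anonymous.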

4.6. Audit Log

Immutable, chronological record of User activity on the Platform, protected with SHA-256 hash-chaining. Contains User identifier, timestamp, action type — see § 3(2)(e) of the Terms.
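A minimal hash-chained audit log in the shape described above, with User identifiers pseudonymised as section 8 describes for long-term retention. This is an added example, not the Platform's implementation: the Policy names SHA-256 chaining and irreversible hashing of identifiers, but the record layout, the canonical JSON encoding, the all-zero genesis value, the use of a keyed hash (HMAC-SHA-256) for pseudonymisation and the sample entries and key are this example's assumptions. The keyed hash is a deliberate choice: an unkeyed SHA-256 of a short identifier (numeric ID, email address) can be reversed by hashing candidate values, so "irreversible" in practice requires a secret key held only by the Platform.

```python
from __future__ import annotations

import copy
import hashlib
import hmac
import json

GENESIS_HASH = "0" * 64  # "previous hash" of the first entry (example convention)


def pseudonymise_user_id(user_id: str, key: bytes) -> str:
    """Keyed SHA-256 (HMAC) of the User identifier.

    Keying prevents reversal by enumerating candidate identifiers while keeping
    the mapping stable, so one User still maps to one pseudonym across entries.
    """
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous entry's hash and a canonical JSON encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + b"\n" + payload).hexdigest()


def append_entry(log: list[dict], user_id: str, action: str, timestamp: str, key: bytes) -> dict:
    """Append one entry; the raw user_id never reaches the log, only its pseudonym."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    record = {
        "seq": len(log),
        "ts": timestamp,
        "user": pseudonymise_user_id(user_id, key),
        "action": action,
        "prev": prev_hash,
    }
    entry = {**record, "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify_chain(log: list[dict]) -> tuple[bool, int | None]:
    """Walk the chain from the genesis value; return (ok, index of the first bad entry)."""
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or entry.get("prev") != prev_hash:
            return False, i
        if entry_hash(prev_hash, record) != entry.get("hash"):
            return False, i
        prev_hash = entry["hash"]
    return True, None


DEMO_KEY = b"constructed-demo-key-not-for-production"


def build_demo_log() -> list[dict]:
    """Constructed sample activity (not real Platform data)."""
    log: list[dict] = []
    append_entry(log, "user-42", "ai_system.create", "2026-04-22T09:00:00Z", DEMO_KEY)
    append_entry(log, "user-42", "risk_classification.approve", "2026-04-22T09:05:00Z", DEMO_KEY)
    append_entry(log, "user-7", "compliance_document.export", "2026-04-22T09:10:00Z", DEMO_KEY)
    return log


def tamper(log: list[dict], index: int, action: str, rehash: bool = False) -> list[dict]:
    """Return a copy with one entry's action changed, optionally recomputing that entry's hash."""
    forged = copy.deepcopy(log)
    forged[index]["action"] = action
    if rehash:
        record = {k: v for k, v in forged[index].items() if k != "hash"}
        forged[index]["hash"] = entry_hash(forged[index]["prev"], record)
    return forged


if __name__ == "__main__":
    log = build_demo_log()
    print("intact:", verify_chain(log))
    print("entry 1 edited:", verify_chain(tamper(log, 1, "risk_classification.reject")))
    print("entry 1 edited and re-hashed:", verify_chain(tamper(log, 1, "risk_classification.reject", rehash=True)))
    print("last entry edited and re-hashed:", verify_chain(tamper(log, 2, "compliance_document.delete", rehash=True)))
```

The last line of the demo is the caveat a reviewer should look for: an edit to the most recent entry that also recomputes its hash passes verification, because nothing after it references the old hash. Hash-chaining detects silent modification of history only when the current head hash is anchored somewhere the writer of the log cannot alter (a separate store, a signed periodic checkpoint, or a copy handed to the Organisation); "append-only" must be enforced by database permissions, the chain only makes violations detectable.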

4.7. Communication data

  • content of messages submitted via contact form or to support@attestia.eu,
  • email correspondence (including support tickets),
  • surveys and feedback (optional).

4.8. Marketing data

  • email address and first name (if provided) in case of newsletter subscription — only with explicit consent.

5. Purposes and Legal Bases of Processing

Purpose | Data category | Legal basis (GDPR)
Account creation and Service delivery | 4.1, 4.2 | Art. 6(1)(b) — contract
Payment processing, invoicing | 4.4 | Art. 6(1)(b) + Art. 6(1)(c) — Polish Accounting Act, VAT
Processing of Organisation Data for Risk Classification and Compliance Document generation | 4.3 | Art. 28 GDPR — processing on behalf of the Organisation (Controller) on its documented instructions; the Art. 6 basis is determined by the Organisation
Maintenance of the Audit Log | 4.6 | Art. 6(1)(c) — Art. 18 EU AI Act + Art. 6(1)(f) — evidence of proper Service performance
Platform security, fraud detection | 4.5 | Art. 6(1)(f) — legitimate interest
Handling complaints and support tickets | 4.7 | Art. 6(1)(b) + Art. 6(1)(f)
Direct marketing of our own services (newsletter) | 4.8 | Art. 6(1)(a) — consent
Product communications to existing Organisations (onboarding, updates) | 4.1 | Art. 6(1)(f) — legitimate interest
Product analytics, Platform improvement | 4.5 | Art. 6(1)(a) — consent (analytics cookies)
Pursuit or defence of legal claims | all | Art. 6(1)(f)
Bookkeeping and tax obligations | 4.4 | Art. 6(1)(c) — Polish Accounting Act

6. Data Recipients — Sub-processors and Others

6.1. Sub-processors

The list is consistent with § 10(4) of the Terms. A DPA compliant with Art. 28 GDPR has been concluded with each sub-processor.

Sub-processor | Role / data scope | Location | Transfer status
Supabase (Pty) Ltd (via AWS) | Database hosting, authentication, Audit Log | EU — Frankfurt (eu-central-1) | Within EU/EEA
Microsoft Corporation (Azure OpenAI) | AI processing (Risk Classification, Compliance Document generation) on pseudonymised data | EU — Sweden (swedencentral) | Within EU/EEA; transient processing — data not retained after processing and not used for AI model training
Vercel, Inc. | Application hosting (edge runtime — no persistent data) | EU edge nodes | Within EU/EEA
Stripe, Inc. (Stripe Payments Europe, Ltd.) | Payment processing (independent controller of payment data) | EU + US | US transfers under Standard Contractual Clauses (SCC) + DPF
Resend, Inc. | Transactional email delivery | US | Standard Contractual Clauses (SCC) — Commission Decision 2021/914

Changes to the sub-processor list: Attestia will notify the Organisation of any intended addition or replacement of a sub-processor with at least 30 days' notice — under Art. 5 of the DPA (Annex 1 to the Terms). The Organisation has a right to object.

6.2. Optional external authentication tools

If the User chooses login via:

  • Google OAuth — Google LLC, USA. Transfer under SCC + EU-U.S. Data Privacy Framework.
  • GitHub OAuth — GitHub, Inc., USA. Transfer under SCC + EU-U.S. Data Privacy Framework.

6.3. Recipients who are not processors

  • accounting firm — to the extent necessary for bookkeeping (invoicing data);
  • law firms and advisors — when necessary for pursuing or defending legal claims;
  • public authorities — only in cases provided for by law (court order, request by UODO, tax authority).

7. Transfers Outside the EEA

General rule: Organisation Data, Compliance Documents and data processed by Azure OpenAI remain within the EU/EEA (see § 7(5)(a) of the Terms).

Exceptions:

  • Resend, Inc. (US) — transactional emails; transfer under Standard Contractual Clauses (SCC — Commission Decision 2021/914).
  • Stripe, Inc. (US) — for certain payment operations; SCC + DPF.
  • Google OAuth / GitHub OAuth (US) — if the User chooses that login method; SCC + DPF.

Attestia does NOT transfer outside the EEA:

  • Organisation Data (AI System descriptions, questionnaire answers, evidence files),
  • generated Compliance Documents,
  • data processed by Azure OpenAI (hosted in Sweden Central region).

8. Retention Periods

Retention is consistent with § 12(4) of the Terms and Annex 1 to the Terms (DPA).

Data category | Retention period
User Account data | Duration of Account; after termination — erasure within 30 days, unless further processing is required by law
Organisation Data (AI System descriptions, evidence, questionnaires) | Duration of subscription + 30 days for export (JSON/CSV) + deletion
Generated Compliance Documents | Duration of subscription; after termination — 30-day export window, then deletion
Audit Log | 10 years from the date of the last entry, in pseudonymised form (identifiers replaced with irreversible cryptographic hashes) — aligned with Art. 18 EU AI Act and § 12(4) of the Terms
Billing data, invoices | 5 years from the end of the tax year of the transaction (Art. 74 Polish Accounting Act)
Database backups | 30 days (Supabase — point-in-time recovery)
Security logs | 12 months
Analytics data (analytics cookies) | 12 months — only with consent
Email correspondence and support tickets | 3 years from last contact
Complaint handling records | 3 years from closure
Marketing data (newsletter) | Until consent is withdrawn or objection raised

After expiry of the retention period, data is permanently erased or anonymised.


9. Cookies and Similar Technologies

The Platform uses cookies and similar technologies (localStorage, sessionStorage) in four categories:

9.1. Strictly necessary cookies

Essential for the Platform (login session, CSRF protection, language preferences, stored consent). No consent required under Art. 173(3)(2) of the Polish Telecommunications Act (exemption for cookies strictly necessary for the service).

Examples: sb-access-token, sb-refresh-token, NEXT_LOCALE, attestia_consent.

9.2. Functional cookies

Enable additional features (theme, sidebar state). Not strictly required, but enhance the experience.

Examples: theme, sidebar_state.

9.3. Analytics cookies

Help us understand how you use the Platform. Require opt-in consent.

9.4. Marketing cookies

Used for communication personalisation. Require opt-in consent. Status: reserved category — not currently used.

9.5. Managing consent

You can manage cookie consent at any time:

  • via the "Privacy settings" panel in the footer of the Service,
  • via your browser settings (deletion and blocking of cookies),
  • by withdrawing analytics consent in the User panel.

Consent is voluntary and can be withdrawn at any time, without affecting the lawfulness of processing before withdrawal.


10. Your Rights

Under the GDPR, you have the following rights:

  1. Right of access (Art. 15 GDPR) — information about processed data and a copy of the data.
  2. Right to rectification (Art. 16 GDPR) — correction of inaccurate data or completion of incomplete data.
  3. Right to erasure ("right to be forgotten") (Art. 17 GDPR) — subject to exceptions (e.g. accounting obligations, defence of claims, Audit Log retention under Art. 18 EU AI Act).
  4. Right to restriction of processing (Art. 18 GDPR).
  5. Right to data portability (Art. 20 GDPR) — receiving data in a structured format (JSON/CSV) and transmitting it to another controller.
  6. Right to object (Art. 21 GDPR) — to processing based on legitimate interest and to direct marketing.
  7. Right to withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
  8. Right not to be subject to a decision based solely on automated processing (Art. 22 GDPR) — Attestia applies triple verification (rules engine + AI + User approval) under § 7(3) of the Terms. We do not make fully automated decisions producing legal effects — every Risk Classification and every Compliance Document requires human approval.
  9. Right to lodge a complaint with a supervisory authority — President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl. A complaint may also be lodged with the authority in your EU Member State of residence or where the infringement occurred.

Exercising your rights: send a request to privacy@attestia.eu describing it and providing identification data. We will respond without undue delay and in any event within one month of receipt. Where necessary, taking into account the complexity and number of requests, this period may be extended by two further months; in that case we will inform you of the extension and the reasons for it within the first month (Art. 12(3) GDPR).

Due to the identity verification obligation, we may request additional information to confirm the identity of the requester.


11. Data Security

Attestia applies technical and organisational measures consistent with Art. 32 GDPR. The full list is in Annex A to the DPA (Annex 1 to the Terms). In summary:

  • encryption in transit — TLS 1.3 for all HTTPS connections;
  • encryption at rest — AES-256 (Supabase, Azure);
  • access control — RBAC (Owner, Admin, Member, Viewer) + Row-Level Security at the database level;
  • authentication — password, OAuth (Google, GitHub), optional MFA (TOTP);
  • data isolation — multi-tenant with RLS;
  • pseudonymisation — data sent to Azure OpenAI stripped of Organisation identifiers and personal data;
  • Audit Log — hash-chained (SHA-256), append-only, immutable;
  • session management — access token TTL 1h, refresh token TTL 7 days, HttpOnly Secure cookies;
  • backups — daily, 30-day retention (Supabase);
  • security monitoring — Sentry, anomaly alerting;
  • security testing — planned: penetration testing (quarterly), code reviews.

12. Data Breach Notification

In the event of a personal data breach:

  • Attestia will notify the President of UODO within 72 hours of becoming aware (Art. 33 GDPR), where the breach concerns data for which Attestia is the controller;
  • Attestia will promptly (within 24 hours of becoming aware) notify the Organisation of a breach concerning Organisation Data — under Art. 4 of the DPA (Annex 1 to the Terms), enabling the Organisation to meet its own 72-hour deadline;
  • where the breach poses a high risk to the rights or freedoms of data subjects, we will notify them without undue delay (Art. 34 GDPR).

Security contact: privacy@attestia.eu (and in the future: security@attestia.eu — once /security is launched).


13. Information on AI Use

In line with Article 50 of the EU AI Act, the Platform uses the Azure OpenAI GPT-5.4 model (EU — Sweden Central region, provided by Microsoft Corporation) for:

  • generating Risk Classification recommendations,
  • generating draft Compliance Documents,
  • generating explanations and regulatory analyses.

Key principles (consistent with § 7 of the Terms):

  • AI labelling — all AI-generated content is labelled "AI-assisted". PDF/DOCX documents include an AI generation notice.
  • Triple verification — rules engine (deterministic) + AI recommendation + User approval.
  • Right to override — the User can reject or correct an AI recommendation at any stage.
  • Pseudonymisation — data sent to Azure OpenAI contains no Organisation name, User data or billing data.
  • No model training — data is not used by Microsoft to train AI models (in line with Azure OpenAI terms).
  • Transient processing — data is not retained by Azure OpenAI after processing.

Details in § 7 of the Terms and in the AI Transparency Notice at attestia.eu/transparency.


14. Children

The Platform is intended exclusively for business users (B2B) and adults acting on behalf of such entities (§ 1(4) and § 5(2) of the Terms). It is not intended for persons under 16 years of age. We do not knowingly collect data from minors. If we learn that data of a person under 16 has been entered into the Platform without guardian consent, we will promptly delete such data.


15. Changes to this Privacy Policy

We will notify you of material changes to this Policy with at least 30 days' notice (aligned with § 14 of the Terms as to notification mode):

  • via email to the address associated with your Account,
  • via in-app notification on the Platform.

The current version is published at attestia.eu/privacy. Previous versions are archived and available upon request to privacy@attestia.eu.

Continued use of the Platform after the changes take effect constitutes acceptance of the new version.


16. Contact

Data protection matters: privacy@attestia.eu
General enquiries: contact@attestia.eu
Technical support: support@attestia.eu
Postal address: Trimalert sp. z o.o., ul. Przasnyska 7/319, 01-756 Warsaw, Poland