1. General provisions
The administrator of personal data collected via VATvocate Intelligence is Dzień Dobry Podatki Sp. z o.o., registered office: Al. 1 Maja 31/33/5, 90-739 Łódź, Poland, VAT UE: PL7272855788, e-mail: contact@vatvocate.com (hereinafter the “Administrator”).
Personal data collected by the Administrator via the Service are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, “GDPR”) and the Polish Personal Data Protection Act of 10 May 2018.
VATvocate Intelligence is an AI-assisted tool that searches CJEU VAT case law and produces answers to user queries. Use of the Service requires the creation of a user account.
2. Type of personal data processed, purpose and legal basis
2.1 Account registration
To use the Service, the user creates an account by providing:
- first name (and, optionally, last name),
- e-mail address,
- a password (stored in hashed form — the Administrator does not have access to the user's password in plain text).
The data are processed in order to create and maintain the user account, authenticate the user, provide the Service and handle related communication, on the basis of:
- Article 6(1)(b) GDPR — performance of the agreement for the provision of services by electronic means concluded between the user and the Administrator (Terms of Service);
- Article 6(1)(f) GDPR — the legitimate interest of the Administrator, consisting in ensuring the security of the Service, fraud prevention and the proper handling of user accounts.
2.2 Use of the Service (queries and answers)
When the user uses the Service, the following data are processed:
- the content of the user's queries (prompts) and any additional context the user voluntarily provides,
- the answers generated by the AI model and the case-law sources presented,
- metadata related to the use of the Service (timestamps, session identifier, technical logs).
These data are processed for the purpose of providing the Service and improving its quality, on the basis of Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest of the Administrator in monitoring, securing and improving the Service).
Users are advised not to include personal data of third parties, confidential client information or other sensitive data in their queries. The Administrator is not the controller of personal data that the user voluntarily and unnecessarily includes in queries. If such data are submitted, they may be transmitted to AI sub-processors (see section 4 below).
2.3 Newsletter and commercial communication
If the user separately consents to receiving the newsletter or other commercial communication by electronic means, the e-mail address (and, optionally, name) will be processed for that purpose on the basis of Article 6(1)(a) GDPR (consent). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
2.4 Invoicing and complaints
If the Service is provided against payment or if the user submits a complaint, the Administrator additionally processes the data necessary to issue an invoice (in particular: company name, address, tax identification number — if applicable) and to handle the complaint. The legal basis is Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(c) GDPR (legal obligations of the Administrator, in particular tax and accounting obligations).
2.5 Technical and analytical data
When using the Service, additional information may be collected, in particular: IP address, domain name, browser type, access time, operating system type, navigation data, device identifiers and information about how the Service is used. The legal basis is Article 6(1)(f) GDPR (legitimate interest of the Administrator in ensuring security and improving the Service) and — for cookies and analytics requiring consent — Article 6(1)(a) GDPR (see section 7 below).
2.6 Contact
When the user contacts the Administrator (e.g. by e-mail), the data provided in the correspondence are processed in order to handle the matter, on the basis of Article 6(1)(f) GDPR.
3. Period of data retention
Personal data are stored by the Administrator:
- Account data — for the duration of the account and thereafter for a period corresponding to the limitation period for claims. Unless a specific provision of law provides otherwise, the limitation period is six years, and three years for claims for periodic performance and claims related to business activity.
- Queries and answers — for the period necessary to provide the Service and for a reasonable period thereafter for security, debugging and quality improvement purposes; the standard retention period for query history is set out in the user account settings and may be adjusted by the user where the Service offers such functionality.
- Newsletter data — until consent is withdrawn, and after withdrawal for a period corresponding to the limitation period for claims.
- Invoicing data — for the period required by tax and accounting law (in principle, 5 years counted from the end of the calendar year in which the tax obligation arose).
- Technical logs — for a period not exceeding 12 months, unless a longer period is required for security or legal reasons.
4. Sharing of personal data and sub-processors
In order to provide the Service, the Administrator entrusts the processing of personal data to selected service providers (sub-processors), in particular:
- providers of hosting and cloud infrastructure,
- providers of AI models / large language models used to generate answers,
- providers of e-mail delivery and communication services,
- providers of analytics and traffic measurement tools,
- providers of payment services (if the Service offers paid functionalities),
- providers of customer support and CRM tools.
Each sub-processor processes personal data on the basis of a written data processing agreement, which guarantees an adequate level of security and compliance with the GDPR.
Transfers outside the European Economic Area
Some sub-processors — in particular providers of AI models and certain analytics tools — may process personal data outside the European Economic Area (so-called third countries, including the United States). Such transfers take place on the basis of:
- adequacy decisions of the European Commission (e.g. the EU–US Data Privacy Framework, where applicable), or
- standard contractual clauses approved by the European Commission, supplemented where necessary by appropriate additional safeguards.
Users may obtain more information about the safeguards applied and a list of sub-processors by contacting the Administrator at contact@vatvocate.com.
Use of queries by AI providers
The Administrator selects AI providers in such a way that the content of user queries and answers is not used by the AI provider for training of its general models, where such an option is available under the provider's terms. The Administrator may, however, store and analyse queries internally for the purposes set out in section 2.2 above.
5. Rights of data subjects
The data subject has the right to:
- access their personal data — Article 15 GDPR,
- rectify their data — Article 16 GDPR,
- erase their data (right to be forgotten) — Article 17 GDPR,
- restrict processing — Article 18 GDPR,
- data portability — Article 20 GDPR,
- object to processing — Article 21 GDPR,
- withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal — Article 7(3) GDPR.
To exercise these rights, please send an e-mail to contact@vatvocate.com.
The Administrator shall respond to the request without undue delay, and in any case within one month of receipt. Where necessary, due to the complexity of the request or the number of requests, this period may be extended by a further two months; the Administrator shall inform the user of any such extension within one month of receipt of the request.
If the user considers that the processing of their personal data infringes the GDPR, they have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland.
6. Automated decision-making and profiling
The Service uses an AI model to generate answers to user queries. This is a form of automated processing, but it does not produce legal effects concerning the user or similarly significantly affect the user within the meaning of Article 22 GDPR — the answers generated by the Service are informational and do not constitute legal advice or any binding decision.
Personal data may also be processed in an automated manner in the form of profiling for analytical and marketing purposes, provided that the user has consented to this on the basis of Article 6(1)(a) GDPR.
7. Cookies
The Service uses cookies and similar technologies. Cookies are small text files stored on the user's device.
The Administrator stores cookies on the user's device only where they are strictly necessary for the operation of the Service. For all other categories of cookies, the user's prior consent is required, expressed via the cookie consent banner.
The Service uses the following categories of cookies:
Necessary
Required for basic site functions such as navigation, login and access to protected areas. Cannot be turned off.
| Name | Provider | Duration | Type |
|---|---|---|---|
| JSESSIONID | Site | Session | HTTP |
| curia_vat_consent_v1 | Site | Persistent | localStorage |
Preferences (optional)
Remember user choices (e.g. language, layout).
Statistics (after consent)
Help us understand how the Service is used. Scripts are loaded only after consent is given.
| Name | Provider | Duration | Type |
|---|---|---|---|
| _ga, ga* | Google Analytics | up to 2 years | HTTP |
| plausible | Plausible (cookie-less) | — | — |
Marketing (after consent)
Used to measure campaigns and personalise ads.
| Name | Provider | Duration | Type |
|---|---|---|---|
| _fbp, _fbc | Meta | up to 90 days | HTTP |
| li_fat_id | 30 days | HTTP | |
| _gcl_au, IDE | Google Ads / DoubleClick | variable | HTTP |
The user may withdraw or change their consent at any time via the cookie settings in the Service or by sending an e-mail to contact@vatvocate.com. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
The Service may use marketing tools, in particular Facebook Pixel and the LinkedIn Insight Tag, used to personalise advertising. Cookies of these providers are loaded only after the user's consent.
8. Security
The Administrator applies appropriate technical and organisational measures to ensure a level of security appropriate to the risk and the category of data protected, in particular to protect the data against unauthorised disclosure, unauthorised acquisition, processing in violation of applicable law, alteration, loss, damage or destruction.
In particular, the Administrator:
- uses TLS/SSL encryption for data transmission,
- applies access controls based on the principle of least privilege,
- stores user passwords in hashed form,
- selects sub-processors that provide appropriate guarantees of GDPR compliance.
9. Changes to the Privacy Policy
The Administrator may update this Privacy Policy in connection with changes in applicable law, the development of the Service or organisational changes. The current version of the Privacy Policy is always available at https://intelligence.vatvocate.com/privacy-policy. Users will be informed of material changes by e-mail or by means of a notice within the Service.
10. Final provisions
In matters not regulated by this Privacy Policy, the provisions of the GDPR and other relevant provisions of Polish law shall apply.
In the event of any questions or concerns regarding the processing of personal data within the Service, please contact the Administrator at: contact@vatvocate.com.