Privacy Policy
Last updated: April 2026
1. Data Controller
Your personal data is controlled by: Vitaliy Mileshko, sole proprietor operating under the trade name Rozlio, registered in CEIDG (hereinafter: the Controller).
For all matters regarding the protection of your personal data, please contact us:
- Email: kontakt@rozlio.pl
- Postal address: available upon request via email
The Controller has not appointed a Data Protection Officer (DPO) as this is not required under Art. 37 GDPR. Please direct all privacy-related inquiries to the email address above.
2. Categories of personal data processed
- Account data: email address, display name, language preferences, account creation date.
- Financial data: revenue, expenses, selected ZUS regime, calculated ZUS contributions and taxes — stored in your profile.
- NIP (Tax ID): optional — used solely to generate individual ZUS micro-account numbers and to connect to KSeF.
- KSeF invoice data: data derived from invoices retrieved from the National e-Invoice System (KSeF), including invoice numbers, amounts, and counterparty details; stored in encrypted form; raw XML may be stored for verification and reconciliation.
- Client data (Module 3): if you use the payment collection module, you may enter data about your counterparties: company name or full name, NIP, email address, phone number, and postal address. See section 7 for details.
- Technical data: IP address, browser type, operating system, event logs — for security and error diagnostics.
3. Purposes and legal bases for processing
The table below lists all processing purposes and their corresponding legal bases under Art. 6 GDPR.
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the service (account, ZUS/PIT/VAT calculator, deadlines) | Art. 6(1)(b) — performance of a contract |
| Sending email notifications about payment deadlines | Art. 6(1)(a) — user consent |
| Retrieving and processing invoices from KSeF | Art. 6(1)(b) — performance of a contract |
| Payment collection module (counterparty data) | Art. 6(1)(b) — performance of a contract (Rozlio as processor) |
| Account security and fraud prevention | Art. 6(1)(f) — legitimate interests of the Controller |
| Technical and diagnostic logs | Art. 6(1)(f) — legitimate interests of the Controller |
| Generating exports and reports | Art. 6(1)(b) — performance of a contract |
| Compliance with legal obligations | Art. 6(1)(c) — legal obligation |
4. Sub-processors and data sharing
We do not sell your data. We use the following trusted sub-processors, with each of whom we have signed a Data Processing Agreement (DPA) or applied equivalent safeguards:
| Entity | Role | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database and authentication | EU region (eu-west-1, Ireland) | DPA signed; data stays within EEA |
| Hetzner Online GmbH | Application hosting | Germany (EU) | DPA signed; data stays within EEA |
| Resend Inc. | Transactional email delivery | USA | Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR |
5. International data transfers
The vast majority of your data is processed exclusively within the European Economic Area (EEA).
The only exception is Resend Inc. (USA), our transactional email delivery provider. Transfers to the USA are made on the basis of Standard Contractual Clauses (SCCs) approved by the European Commission on 4 June 2021 under Art. 46(2)(c) GDPR, ensuring an adequate level of protection. Resend processes only the recipient email address and message content — no financial data is transmitted.
You may request a copy of the applicable safeguards by emailing kontakt@rozlio.pl.
6. Retention periods
| Data category | Retention period |
|---|---|
| Account data (email, settings) | Duration of account + 30 days after deletion |
| Financial data (ZUS/PIT/VAT calculations) | Duration of account; deleted together with the account |
| KSeF invoice data | Duration of account; user may delete at any time |
| Collection pipeline data (client/case data) | 6 years from case closure (civil law limitation period) |
| Technical and security logs | 90 days |
7. Processing of your clients' data in Module 3 (debt collection)
If you use Module 3 (payment tracking and debt collection), you may enter personal data relating to your counterparties (clients), including: company name or full name, NIP, email address, phone number, and postal address.
In this context, you are the data controller for your clients' personal data, and Rozlio acts solely as a data processor within the meaning of Art. 4(8) GDPR, processing that data on your documented instructions (Art. 28 GDPR). As the controller of your clients' data, you are responsible for having a valid legal basis for processing it (e.g., Art. 6(1)(b) GDPR — contract performance, or Art. 6(1)(f) — legitimate interest in debt collection).
This data is retained for 6 years from case closure, in line with the general civil law limitation periods applicable in Poland (Art. 118 of the Polish Civil Code).
8. KSeF invoice data
At your request, Rozlio connects to the National e-Invoice System (KSeF) using your credentials (a KSeF token linked to your NIP). Retrieved invoices — including counterparty data, amounts, and invoice numbers — are:
- stored in encrypted form, accessible only from your account;
- retained, where applicable, as raw invoice XML for verification, audit, and reconciliation with ZUS/PIT calculations;
- never shared with other users or third parties.
You can delete your KSeF data at any time from the account settings.
9. Automated processing and profiling
Rozlio uses automated data processing in the following cases:
- ZUS and tax calculations: results are generated automatically based on the financial data you provide. They do not produce legal effects or similarly significantly affect you within the meaning of Art. 22 GDPR — they are purely advisory calculations.
- Collection pipeline — case escalation: the system automatically suggests the next escalation step (reminder, formal demand letter) based on case status and elapsed time. The final decision on every action (such as sending a demand letter) requires your explicit confirmation — nothing is sent automatically.
10. Personal data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Controller will:
- notify the supervisory authority (in Poland: UODO — the President of the Personal Data Protection Office) within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR;
- inform you without undue delay if the breach is likely to result in a high risk to your rights and freedoms (Art. 34 GDPR).
11. Cookies
Rozlio uses only essential cookies required to maintain your login session (Supabase Auth session cookies). Details:
- Type: session and persistent (HttpOnly, Secure, SameSite=Lax)
- Purpose: authentication and session maintenance
- Lifetime: browser session or until logout
We do not use tracking, analytics, or advertising cookies. We do not use Google Analytics, Meta Pixel, or any similar tools.
12. Your rights under GDPR
Under GDPR you have the following rights, which you may exercise by contacting us at kontakt@rozlio.pl:
- Right of access (Art. 15 GDPR): you can download a JSON export of your data directly from account settings.
- Right to rectification (Art. 16 GDPR): you can correct your data in account settings or by contacting us.
- Right to erasure (Art. 17 GDPR): you can delete your account and all associated data from settings — data will be permanently removed within 30 days (subject to collection pipeline data — see section 7).
- Right to data portability (Art. 20 GDPR): data processed on the basis of contract or consent can be provided in JSON format.
- Right to restriction of processing (Art. 18 GDPR): you may request restriction of processing in certain circumstances.
- Right to object (Art. 21 GDPR): you may object to processing based on legitimate interests.
- Right to withdraw consent: consent to email notifications may be withdrawn at any time in account settings or via the unsubscribe link in any email. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
13. Right to lodge a complaint
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the competent supervisory authority. In Poland this is the President of the Personal Data Protection Office (UODO — Urząd Ochrony Danych Osobowych):
- Address: ul. Stawki 2, 00-193 Warsaw, Poland
- Website: uodo.gov.pl
- Hotline: +48 606-950-000
We encourage you to contact us first — we will do our best to resolve any issue without involving the supervisory authority.
14. Privacy contact
For all matters relating to personal data protection, please contact us:
- Email: kontakt@rozlio.pl
- Postal address: available upon request via email
We respond to personal data inquiries within 30 calendar days of receipt, in accordance with Art. 12(3) GDPR.