Documents juridiquesPolitique de confidentialité

Politique de confidentialité

Informations destinées aux visiteurs, aux utilisateurs de comptes et aux représentants des clients sur le traitement des données personnelles dans Konfi Cloud.

Dernière mise à jour: 18 mai 2026

Controller and processor roles

The data controller for visitor, account, billing, support, and sales data is Dawid Sobolewski, operating Konfi Cloud as an individual service provider in Poland. Contact e-mail: support@getkonfi.com. Konfi Cloud is not registered for VAT in Poland; paid plans are sold by Konfi Cloud as the seller and service provider, while Stripe processes payments and calculates applicable taxes at checkout. A public correspondence address is available on request through that e-mail.

For personal data uploaded by business customers into workspaces, the customer is usually the controller and the service provider acts as processor under the relevant data processing agreement, unless a separate arrangement says otherwise.

Categories of personal data

  • Account data such as name, e-mail address, authentication identifiers, MFA status, and sign-in metadata.
  • Workspace and tenant data such as company name, workspace slug, plan, billing status, members, limits, and integration state.
  • Customer-content data entered into workspaces, including orders, customers, product records, files, notes, status history, and operational context.
  • Billing and payment data handled directly or indirectly through Stripe as payment processor, including plan selection, subscription state, invoices, tax data, and payment identifiers.
  • Technical data such as IP address, device and browser data, request logs, diagnostics, error reports, security logs, and cookie or storage identifiers.
  • Support and sales communications sent by e-mail, forms, account workflows, or operator-assisted channels.

Purposes and legal bases

  • Creating and maintaining accounts, sessions, workspaces, onboarding, authentication, and MFA - contract performance or steps before contract.
  • Providing SaaS features, quotas, integrations, support, and customer administration - contract performance and legitimate interests.
  • Billing, tax, accounting, fraud prevention, debt collection, and audit records - legal obligations and legitimate interests.
  • Security monitoring, abuse prevention, incident response, uptime monitoring, logs, and diagnostics - legitimate interests and legal obligations where applicable.
  • Product analytics (Firebase Analytics) and any marketing communication - consent.
  • Establishing, exercising, or defending legal claims - legitimate interests.

Recipients and processors

  • Google LLC for Firebase Authentication, App Check, Firestore, and Firebase Analytics that store account, workspace, and tenant data and aggregate product usage.
  • Google LLC sign-in when the user chooses to authenticate with Google.
  • Stripe as payment processor for paid checkout, subscriptions, payment processing, tax calculation, invoices, and billing event handling.
  • Vercel Inc. for application hosting, edge delivery, request logs, and domain operations.
  • Resend, Inc. for transactional email and inbound email handling (sign-in links, billing notifications, support correspondence).
  • Functional Software, Inc. (Sentry) for client and server error tracking.
  • Professional advisers, accounting providers, legal providers, public authorities, and courts where required by law or needed for claims.
  • Konfi runtime environments and integration providers selected by the customer, such as Allegro or dedicated-instance bridges.
  • The full and current subprocessor list, including processing location and transfer safeguards, is published on the Subprocessors page.

International transfers

Some providers process personal data outside the European Economic Area, mainly in the United States (Google, Stripe, Resend, Vercel, Sentry). Transfers rely on European Commission adequacy decisions where they apply (for example the EU-US Data Privacy Framework when the provider is certified) and on Standard Contractual Clauses with supplementary measures where they do not.

The Subprocessors page lists each provider's processing location and the transfer mechanism that applies.

Retention

  • Account and workspace data in Firebase Authentication and Firestore is kept while the account or workspace is active and deleted within 30 days of account closure, unless a backup window or open legal claim requires keeping it longer.
  • Billing and invoice records (handled through Stripe as payment processor, and any control-plane copies) are kept for 5 years from the end of the accounting year, in line with the Polish Accounting Act and VAT rules.
  • Server-side request logs and security/audit logs hosted on Vercel are kept up to 30 days for operations and security investigations and then deleted, unless a specific incident requires keeping them longer.
  • Error and performance diagnostics in Sentry: error events up to 90 days, per Sentry's default retention. Session replay is not enabled.
  • Firebase Analytics aggregate usage data is kept up to 14 months (Google Analytics 4 default user-data retention).
  • Transactional email metadata in Resend is kept up to 30 days; the email provider does not retain message contents long-term.
  • Cookie-consent and other consent records are kept while the consent is active and then up to 3 years to prove the consent was given or withdrawn.
  • Customer workspace content (controlled by the customer) is retained per the customer's plan, deletion settings, and the data processing addendum; default deletion after closure is 30 days unless the customer or applicable law requires otherwise.

Data subject rights

  • Right of access to personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure where the legal conditions are met.
  • Right to restriction of processing.
  • Right to data portability where processing is based on consent or contract and carried out by automated means.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent at any time where processing is based on consent.
  • Right to lodge a complaint with the President of the Personal Data Protection Office in Poland.

Automated decision-making

Konfi Cloud does not use personal data for automated decisions that produce legal effects or similarly significant effects for visitors or account users.

The product may apply automated plan limits, security controls, or billing-state restrictions. These controls support contract performance and platform safety and should be described in customer-facing plan and billing flows.

Contact

Privacy requests should be sent to support@getkonfi.com.

When the request concerns data controlled by a customer inside a workspace, the service provider may need to direct the requester to that customer or handle the request under the data processing agreement.