Privacy Policy
Last updated: 21 June 2026 · Legal review recommended before public launch. The Polish version is authoritative.
1. Data controller
The controller of your personal data is FIFO Prosta Spółka Akcyjna (a Polish simplified joint-stock company), registered office: ul. Kanonia 9, 50-328 Wrocław, Poland, entered in the Register of Entrepreneurs of the Polish National Court Register (KRS) under No. 0001047768 (District Court for Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register), Tax ID (NIP) 8982295483, REGON 525881729 ("Controller", "we"). Data contact: jokerwader@googlemail.com. We have not appointed a Data Protection Officer.
2. Scope
This policy describes data processing in AutoQuote / FIFO AQS — a tool for building foodservice equipment quotes, accessible via the admin panel and the connector.
3. Data we process
- Account data: email, password (stored only as an irreversible PBKDF2 hash), 2FA secret, role, organisation, creation and last-login dates.
- Organisation data: company name, plan and limits, logo (if uploaded).
- Activity log: date/time, email/organisation, tool used and a short description (e.g. "searched: oven → 8 results").
- Quotes: number, task name, totals, item count, author, status, links to generated files.
- Quote line items: product identifiers (SKU) and quantities — what is quoted and how much.
- Quote files: generated .xlsx files which may contain data entered in the inquiry (names, parameters, customer data).
- Inquiry content: data you paste into the AI (email, PDF, spec), processed to build the quote.
- Technical data: IP address (abuse protection and login-attempt limiting) and the essential session cookie.
- Contact form: full name, company, email, phone, message content and IP address (spam protection) — processed to handle your enquiry.
4. Purposes and legal bases (GDPR)
- Providing the service — Art. 6(1)(b) (contract).
- Security, abuse prevention, logs, service development/quality and aggregated statistics — Art. 6(1)(f) (legitimate interest).
- Legal obligations (e.g. accounting, lawful requests) — Art. 6(1)(c).
- Consent — Art. 6(1)(a) — where required (e.g. marketing, non-essential cookies); consent can be withdrawn at any time.
5. Recipients (processors)
- Railway — application hosting (EU region);
- Supabase — database and quote-file storage (EU region);
- Your chosen AI provider (e.g. Anthropic Claude, OpenAI ChatGPT, Google Gemini) — data pasted into the AI is also processed by that provider under your agreement with it;
- [optionally: email provider, accounting — to be completed.]
6. Sharing aggregated statistics with partners and manufacturers
To develop the service and work with equipment manufacturers, we may share aggregated and anonymised market statistics with partners — e.g. how often an item or category is quoted/sold. Such data is combined and stripped of identifiers, so it cannot identify a person or a single company and is not personal data under the GDPR. We do not share your personal data, quote content or your customers' data with partners without a separate legal basis or your consent.
7. Transfers outside the EEA
Data is stored in the EU region. Some infrastructure providers (e.g. Railway) are US-based — for any transfer outside the EEA we apply GDPR safeguards (standard contractual clauses). [To be confirmed with providers.]
8. Retention
- Account data — for the duration of the service and the limitation period afterwards.
- Activity log — [e.g. 12–24 months — to be set].
- Quotes and files — as needed for operation and as required by law.
- Contact-form messages — up to 12 months from the last contact, unless kept longer to establish or defend legal claims.
- Aggregated (anonymised) statistics — indefinitely (not personal data).
9. Your rights
You have the right to access, rectification, erasure, restriction, portability, objection (to processing based on legitimate interest) and to withdraw consent. Contact jokerwader@googlemail.com. You may also lodge a complaint with the Polish DPA (PUODO, ul. Stawki 2, 00-193 Warsaw).
10. Is providing data required?
Providing account data is voluntary but necessary to use the service.
11. Automated decisions and profiling
The service suggests product selection and ordering (e.g. preferred producers), but the final quote is always approved by a human. We do not make decisions based solely on automated processing with legal effects under Art. 22 GDPR.
12. Security
We apply technical and organisational measures: HTTPS, hashed passwords, optional 2FA, per-organisation data access control and login-attempt limiting.
13. Changes
We may update this policy; we will announce material changes in the panel or by email.