checkunpaidinvoices.com

PRIVACY POLICY

Privacy Policy

Effective date: May 11, 2026 · Last updated: May 11, 2026

1. Data controller

The controller of your personal data is:

Netcrafter Damian Urbaniec
Sole proprietorship
ul. Sikorskiego 4A/2
66-460 Witnica, Poland

Tax ID (NIP): 599-317-63-90
EU VAT ID: PL5993176390
REGON: 362003200

Data protection contact: hi@checkunpaidinvoices.com

Due to the scale of processing, no Data Protection Officer (DPO) has been appointed.

2. What we collect

2.1. Uploaded files (Free tier — no account)

When you use the reconciliation tool, you upload two files: a bank statement (CSV) and an invoice list (CSV). These files contain personal data: counterparty names, amounts, dates, IBANs, NIP/VAT IDs, payment references.

Files are encrypted in transit (TLS 1.3) and at rest (AES-256). They live on Cloudflare R2 (EU region) for at most one hour, after which an automated cron deletes them. We keep an audit log of upload metadata (file size, encoding, row count, parse status) for 13 months — never the file contents.

2.2. Account data (Pro / Agency — Phase 1.5)

When you upgrade to a paid plan you create an account. We then collect:

2.3. Billing data

Paid plans are not yet available. When they launch, payments will be handled by a third-party merchant of record. checkunpaidinvoices.com will not store credit card data. This section and our sub-processor list will be updated before any payment processing begins.

2.4. Tax data

For future VAT/MOSS accounting we will collect billing country, Tax ID / VAT number (if provided), and invoice data (company name, address). This section will be updated when paid plans launch.

2.5. Technical data

2.6. Analytics

We use Plausible Analytics (EU, cookieless, no PII, no consent banner required) for aggregated traffic statistics. No Google Analytics, no Facebook Pixel.

3. Legal basis (GDPR Art. 6)

3.1. Performance of contract — Art. 6(1)(b) GDPR

3.2. Legal obligation — Art. 6(1)(c) GDPR

3.3. Legitimate interest — Art. 6(1)(f) GDPR

3.4. Consent — Art. 6(1)(a) GDPR

You can withdraw consent at any time without affecting lawful prior processing.

4. Sub-processors

Your data is shared with the processors listed below. The full machine-readable list, with last-update dates, lives at /sub-processors.

Sub-processor Location Purpose Privacy policy
Cloudflare, Inc. EU region (Frankfurt/Amsterdam) + global edge Hosting (Workers, Pages, D1, R2) DPA
Anthropic PBC USA LLM (Claude Haiku 4.5) used only to generate a parser config from an anonymized sample when we encounter an unfamiliar file format. Never receives full file contents. DPA + SCC
Plausible Insights OÜ Estonia (EU) Cookieless aggregated analytics Privacy
Sentry (Functional Software, Inc.) EU region selected Error monitoring (file contents stripped before upload) Privacy

5. International transfers

Some processing happens in the USA (Anthropic). For these transfers we rely on:

6. Retention periods

CategoryPeriod
Uploaded files (R2)Maximum 1 hour, then permanent deletion
Upload audit log (metadata only, no contents)13 months
Parser configs (anonymized, system-wide)Indefinitely (no personal data; used to recognize file formats globally)
Account data (Pro / Agency)Until account deletion + 30 days, then permanent deletion
Invoices and tax data5 years from end of tax year
HTTP logs90 days
Sentry error logs30 days
"Founding Pro" waitlist emailUntil product launch or unsubscribe + 30 days

7. No-training clause

Files you upload (bank statements, invoices, customer lists) are never used to train, fine-tune, or improve any machine-learning model — neither ours nor any sub-processor's. This is contractually enforced by our Data Processing Agreement with Anthropic. Our pipeline anonymizes every sample (replacing amounts, names, IBANs, NIP/VAT IDs with placeholders that preserve structure but contain no real data) before any sub-processor call. The full file body never leaves our infrastructure.

8. Your rights (GDPR Chapter III)

To exercise these rights write to hi@checkunpaidinvoices.com. We respond within 30 days.

9. Cookies

We do not use tracking cookies. Plausible Analytics is cookieless. The only cookies you may encounter are:

Strictly necessary cookies do not require consent under Art. 5(3) of the ePrivacy Directive.

10. Age restriction

The Service is intended for people aged 16 or older (Art. 8 GDPR in Poland). If you are under 16, you may only use the Service with the consent of a legal representative.

11. Security

We apply the following technical and organizational safeguards:

12. Changes to this policy

We may update this policy when the law or our service changes. Material changes will be announced by email at least 30 days before the new version takes effect. The "Last updated" date at the top is authoritative.

13. Contact

Questions about data protection:
hi@checkunpaidinvoices.com

Last updated: 2026-05-11.