PRIVACY POLICY
Privacy Policy
Effective date: May 11, 2026 · Last updated: May 11, 2026
1. Data controller
The controller of your personal data is:
Netcrafter Damian Urbaniec
Sole proprietorship
ul. Sikorskiego 4A/2
66-460 Witnica, Poland
Tax ID (NIP): 599-317-63-90
EU VAT ID: PL5993176390
REGON: 362003200
Data protection contact: hi@checkunpaidinvoices.com
Due to the scale of processing, no Data Protection Officer (DPO) has been appointed.
2. What we collect
2.1. Uploaded files (Free tier — no account)
When you use the reconciliation tool, you upload two files: a bank statement (CSV) and an invoice list (CSV). These files contain personal data: counterparty names, amounts, dates, IBANs, NIP/VAT IDs, payment references.
Files are encrypted in transit (TLS 1.3) and at rest (AES-256). They live on Cloudflare R2 (EU region) for at most one hour, after which an automated cron deletes them. We keep an audit log of upload metadata (file size, encoding, row count, parse status) for 13 months — never the file contents.
2.2. Account data (Pro / Agency — Phase 1.5)
When you upgrade to a paid plan you create an account. We then collect:
- Email address (used as login)
- Password (Argon2 hashed; we cannot read your plaintext password)
- Saved parser mappings and customer aliases you choose to persist
- Reconciliation history (up to 12 most recent runs)
2.3. Billing data
Paid plans are not yet available. When they launch, payments will be handled by a third-party merchant of record. checkunpaidinvoices.com will not store credit card data. This section and our sub-processor list will be updated before any payment processing begins.
2.4. Tax data
For future VAT/MOSS accounting we will collect billing country, Tax ID / VAT number (if provided), and invoice data (company name, address). This section will be updated when paid plans launch.
2.5. Technical data
- IP address (security, fraud prevention) — kept in HTTP logs for 90 days
- User-agent string
- Server error reports via Sentry (never includes file contents)
2.6. Analytics
We use Plausible Analytics (EU, cookieless, no PII, no consent banner required) for aggregated traffic statistics. No Google Analytics, no Facebook Pixel.
3. Legal basis (GDPR Art. 6)
3.1. Performance of contract — Art. 6(1)(b) GDPR
- Running the reconciliation engine on your uploaded files
- Account management and Pro/Agency feature delivery
- Payment and subscription processing
- Service-related email (receipts, account notifications)
3.2. Legal obligation — Art. 6(1)(c) GDPR
- Issuing invoices
- Maintaining accounting records (5 years from end of tax year — Art. 86 Polish Tax Ordinance)
- VAT/MOSS settlement
3.3. Legitimate interest — Art. 6(1)(f) GDPR
- Application security and fraud prevention
- Anonymous product telemetry (Plausible)
- Defending legal claims
3.4. Consent — Art. 6(1)(a) GDPR
- Marketing newsletter (only if you explicitly subscribe)
- "Founding Pro" waitlist email capture
You can withdraw consent at any time without affecting lawful prior processing.
4. Sub-processors
Your data is shared with the processors listed below. The full machine-readable list, with last-update dates, lives at /sub-processors.
| Sub-processor | Location | Purpose | Privacy policy |
|---|---|---|---|
| Cloudflare, Inc. | EU region (Frankfurt/Amsterdam) + global edge | Hosting (Workers, Pages, D1, R2) | DPA |
| Anthropic PBC | USA | LLM (Claude Haiku 4.5) used only to generate a parser config from an anonymized sample when we encounter an unfamiliar file format. Never receives full file contents. | DPA + SCC |
| Plausible Insights OÜ | Estonia (EU) | Cookieless aggregated analytics | Privacy |
| Sentry (Functional Software, Inc.) | EU region selected | Error monitoring (file contents stripped before upload) | Privacy |
5. International transfers
Some processing happens in the USA (Anthropic). For these transfers we rely on:
- Standard Contractual Clauses (SCC) from EU Commission Decision 2021/914
- Data minimization (anonymized samples only sent to Anthropic — kwoty, nazwy, IBANy, NIP-y replaced by placeholders before transmission)
- Encryption in transit (TLS 1.3)
- No-training commitment: Anthropic's DPA prohibits training on customer data; this is contractually enforced
6. Retention periods
| Category | Period |
|---|---|
| Uploaded files (R2) | Maximum 1 hour, then permanent deletion |
| Upload audit log (metadata only, no contents) | 13 months |
| Parser configs (anonymized, system-wide) | Indefinitely (no personal data; used to recognize file formats globally) |
| Account data (Pro / Agency) | Until account deletion + 30 days, then permanent deletion |
| Invoices and tax data | 5 years from end of tax year |
| HTTP logs | 90 days |
| Sentry error logs | 30 days |
| "Founding Pro" waitlist email | Until product launch or unsubscribe + 30 days |
7. No-training clause
Files you upload (bank statements, invoices, customer lists) are never used to train, fine-tune, or improve any machine-learning model — neither ours nor any sub-processor's. This is contractually enforced by our Data Processing Agreement with Anthropic. Our pipeline anonymizes every sample (replacing amounts, names, IBANs, NIP/VAT IDs with placeholders that preserve structure but contain no real data) before any sub-processor call. The full file body never leaves our infrastructure.
8. Your rights (GDPR Chapter III)
- Access (Art. 15) — request a copy of data we hold about you
- Rectification (Art. 16) — correct inaccurate data
- Erasure (Art. 17) — right to be forgotten
- Restriction (Art. 18) — limit processing in specific situations
- Portability (Art. 20) — receive your data in machine-readable form (JSON)
- Objection (Art. 21) — object to processing based on legitimate interest
- Withdraw consent — for any processing based on consent
- Complaint to supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa, Poland — uodo.gov.pl
To exercise these rights write to hi@checkunpaidinvoices.com. We respond within 30 days.
9. Cookies
We do not use tracking cookies. Plausible Analytics is cookieless. The only cookies you may encounter are:
cf-*— strictly necessary, set by Cloudflare for DDoS protection and routingsession— only after you log in to a paid account; strictly necessary; session-scoped
Strictly necessary cookies do not require consent under Art. 5(3) of the ePrivacy Directive.
10. Age restriction
The Service is intended for people aged 16 or older (Art. 8 GDPR in Poland). If you are under 16, you may only use the Service with the consent of a legal representative.
11. Security
We apply the following technical and organizational safeguards:
- TLS 1.3 in transit, AES-256 at rest
- HSTS with preload, strict CSP without
unsafe-eval - Rate limiting on all public endpoints
- Password hashing with Argon2 (paid accounts only)
- Sample sanitization before any sub-processor call
- Automated 1-hour deletion of uploaded files
- Least-privilege access controls; audit logs of administrative actions
12. Changes to this policy
We may update this policy when the law or our service changes. Material changes will be announced by email at least 30 days before the new version takes effect. The "Last updated" date at the top is authoritative.
13. Contact
Questions about data protection:
hi@checkunpaidinvoices.com
Last updated: 2026-05-11.