Polityka prywatności

1. Controller and scope#

This Privacy Policy explains how Taufolio collects, uses, stores, and otherwise processes personal data when you use the Taufolio website, application, reports, public share links, billing flows, and related support channels.

The controller of your personal data is:

• Jacek Janczura
• Adama Mickiewicza 73, 01-625 Warszawa, Poland
• Email: support@taufolio.com
• NIP: 5253008276
• VAT EU: PL5253008276
• REGON: 528998136

In this Privacy Policy, "Taufolio", "we", "us", and "our" refer to the controller named above.

2. What Taufolio does#

Taufolio is a software service that helps users generate AI-assisted equity research materials, including deep research reports, short recap reports, earnings call analysis, translations, and related portfolio and share-link features.

Taufolio provides informational software outputs only. It does not provide investment, financial, legal, or tax advice, and its output may contain inaccuracies, omissions, stale information, or model hallucinations.

3. Personal data we process#

Depending on how you use Taufolio, we may process the following categories of personal data:

Account and profile data#

• name
• email address
• authentication identifiers
• avatar or profile information you choose to provide

Authentication, session, and device-related data#

• login and account security metadata
• session identifiers
• browser and device metadata
• IP address and related security logs

Workspace and product-usage data#

• workspace membership and role data
• settings and feature preferences
• report requests and usage history
• billing- and credit-related usage records

Portfolio and watchlist data#

• tickers you track
• holdings and watchlist entries
• report preferences associated with those tickers

Billing and transaction data#

• subscription plan details
• billing status
• invoices and payment-related metadata
• checkout and top-up records

We do not intentionally store full payment card details ourselves. Payments are processed by external payment providers such as Stripe.

Uploaded content and generated outputs#

• earnings transcripts
• files or documents you upload
• report payloads and translations generated for your account or workspace
• public share-link content you choose to publish

Communications and support data#

• support requests
• messages you send to us
• operational emails and service notices

Security, audit, and abuse-prevention data#

• security events
• administrative logs
• cost-control and abuse-monitoring signals
• records needed to investigate misuse, errors, or fraud

4. Sources of personal data#

We collect personal data:

• directly from you
• from your use of Taufolio
• from authentication, payment, hosting, AI, market-data, email, and infrastructure providers that help us operate the service

5. Why we process personal data and legal bases#

We process personal data for the following purposes and legal bases under the GDPR:

To provide and operate Taufolio#

This includes account creation, authentication, report generation, portfolio features, subscriptions, credits, support, and service delivery.

• Legal basis: performance of a contract or steps taken at your request before entering into a contract

To manage billing, payments, and accounting#

This includes subscription management, invoicing, fraud checks, charge handling, and accounting records.

• Legal basis: performance of a contract and compliance with legal obligations

To secure the service and prevent abuse#

This includes authentication security, rate limiting, fraud detection, incident investigation, cost controls, and protection of our systems, users, and business.

• Legal basis: legitimate interests in securing and operating the service, and where applicable compliance with legal obligations

To improve and maintain the service#

This includes debugging, troubleshooting, internal diagnostics, availability management, and operational improvement.

• Legal basis: legitimate interests in maintaining and improving the service

To communicate with you#

This includes transactional emails, account notices, support replies, legal notices, and other service communications.

• Legal basis: performance of a contract, legitimate interests, and where required by law, your consent

To comply with legal obligations#

This includes tax, accounting, anti-fraud, consumer-protection, and other legal obligations that apply to our business.

• Legal basis: compliance with legal obligations

Where consent is specifically required#

If a particular processing activity requires consent under applicable law, we will rely on consent for that activity.

• Legal basis: consent

6. Cookies and similar technologies#

Taufolio does not currently use an analytics, advertising, or marketing-tracking stack.

However, Taufolio may use cookies or similar storage technologies that are necessary to operate the service, including for:

• authentication
• session continuity
• security
• billing-related flows
• user preferences
• basic service functionality

Because these technologies are used to deliver and secure the service, blocking them may affect functionality.

If Taufolio later introduces analytics, marketing, or similar non-essential technologies, this Privacy Policy and the service's cookie controls may be updated accordingly.

7. When we share personal data#

We may share personal data where necessary with service providers and partners that help us operate Taufolio, including categories such as:

• authentication providers, including Clerk
• payment providers, including Stripe
• database and infrastructure providers, including Supabase
• hosting, storage, and delivery providers
• email and notification providers
• AI and model providers used to generate, translate, or process report content
• market-data and financial-information providers
• professional advisers, auditors, insurers, and legal counsel

We may also disclose personal data:

• if required by law, court order, or competent authority
• to establish, exercise, or defend legal claims
• in connection with a business reorganization, transfer, or sale

We do not sell your personal data in the ordinary meaning of that term.

8. International data transfers#

Some of our service providers may process personal data outside the European Economic Area.

Where personal data is transferred outside the EEA, we aim to use an appropriate lawful transfer mechanism and suitable safeguards, such as:

• adequacy decisions
• standard contractual clauses
• supplementary contractual, technical, or organizational measures where appropriate

9. How long we keep personal data#

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including:

• to provide the service
• to maintain account history and purchased entitlements
• to satisfy legal, tax, accounting, or reporting obligations
• to resolve disputes
• to enforce our agreements
• to investigate misuse, fraud, or security incidents

Specific retention periods#

The following categories are retained on fixed schedules enforced by automated jobs or by our contractual obligations:

• Raw earnings-call transcripts and uploaded transcript files: deleted from storage 90 days after creation by an automated retention job. The extracted text used to generate reports may be kept for as long as the resulting report is retained, so we do not need to keep the raw file.
• Upload audit events (records of when and by whom a transcript or file was uploaded): deleted 90 days after creation by the same automated retention job.
• Account and workspace data (profile, membership, settings): kept for the life of the account and for a reasonable period after account closure to complete deletion, resolve disputes, and meet legal obligations.
• Generated reports and portfolio data: kept while your account or the relevant workspace remains active, or until you delete the item, whichever is sooner. On account closure, they are removed subject to any legal hold.
• Billing, invoicing, and accounting records: kept for the period required by applicable tax and accounting law (which in Poland is typically 5 years from the end of the relevant accounting year).
• Security, audit, and abuse-prevention logs: kept only for as long as necessary to investigate and respond to incidents and misuse, and for related legal or regulatory purposes.

Other categories are retained only for as long as reasonably necessary for the purposes described above, taking into account applicable legal, tax, accounting, and security obligations.

10. Public share links#

Taufolio allows users to publish certain report outputs via public share links. If you choose to publish a report through a public share link, the content of that shared report may become accessible to anyone who has the link.

Please do not publish confidential, sensitive, or personal data through public share links unless you are comfortable making that content available in that way.

11. Your GDPR rights#

Subject to applicable law and any relevant limitations, you have the following rights in relation to your personal data:

• Right of access (Article 15 GDPR): obtain confirmation of whether we process personal data about you and, if so, a copy of that data and related information.
• Right to rectification (Article 16 GDPR): request that we correct inaccurate personal data or complete incomplete data.
• Right to erasure / "right to be forgotten" (Article 17 GDPR): request that we delete personal data in the cases set out in the GDPR.
• Right to restriction of processing (Article 18 GDPR): request that we limit how we process your data in certain circumstances.
• Right to data portability (Article 20 GDPR): receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Right to object (Article 21 GDPR): object to processing based on our legitimate interests, including profiling, where applicable.
• Right to withdraw consent (Article 7(3) GDPR): where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
• Right to lodge a complaint with a supervisory authority (Article 77 GDPR): file a complaint with your local data protection authority.

To exercise any of these rights, contact us at support@taufolio.com. We may need to verify your identity before acting on a request, and we will respond within the time period required by applicable law.

If you are in Poland, you may also lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzedu Ochrony Danych Osobowych, UODO). Official contact information is available from UODO at https://uodo.gov.pl/.

12. Data security#

We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.

However, no method of storage, transmission, or security control is completely secure. For that reason, we cannot guarantee absolute security.

13. Children's data#

Taufolio is not intended for children, and we do not knowingly provide the service to children who are not legally capable of entering into the relevant contract under applicable law.

14. Third-party services and external websites#

Taufolio may link to third-party websites, documents, market-data sources, or tools. We are not responsible for the privacy practices of those third parties.

15. Changes to this Privacy Policy#

We may update this Privacy Policy from time to time to reflect changes to the service, applicable law, or our processing practices. When we do, we will update the "Last updated" date on this page and may provide additional notice where appropriate.

16. Contact#

If you have questions about this Privacy Policy or our processing of personal data, contact:

• Email: support@taufolio.com
• Postal address: Jacek Janczura, Adama Mickiewicza 73, 01-625 Warszawa, Poland