§ 01 · GDPR · ART. 13/14 STATEMENT · v.A.13 · 2026-04-28

GDPR statement.

02 Who we are art. 02

SmartPluvia Studio Sp. z o.o., 18 Bukareszteńska St., Warsaw, Poland, NIP PL5252901188. Controller of your data. DPO contact: dpo@smartpluvia.studio.

03 What data we collect art. 03

(a) Registration — email, name, password hash. (b) Billing — company, VAT, address, last 4 digits of card (Stripe). (c) Project — site coordinates, irrigation plans, BoMs. (d) Technical — IP, user-agent, session time, action logs in the audit log.

04 Lawful basis art. 04

Contract (delivering services — registration, projects, exports). Legitimate interest (security, fraud detection, product analytics). Consent (marketing cookies). Legal obligation (financial reporting, GDPR breach notification).

05 Who we share with art. 05

Only the subprocessors listed in the DPA. We do not sell or share data with third parties for marketing. Every subprocessor has signed a DPA: AWS (EU hosting), Stripe (payments), Postmark (email), Sentry (errors). Full list — in the DPA.

06 How long we keep it art. 06

Active account — until you delete it. Deleted account — 30-day grace, then hard delete except: financial records (5 years per Polish AML law), security audit logs (1 year), rolling backups (30 days).

07 Your rights art. 07

Access (export in Settings). Rectification (Settings). Erasure (one click, 30-day grace). Portability (CSV/JSON export). Objection to processing (email DPO). Complaint — to the President of UODO (Poland) or the relevant supervisory authority in your member state.

08 Cookies art. 08

Three categories: essential (auth, CSRF, locale — no consent required), analytics (Plausible, anonymized — opt-in), marketing (none). Settings — banner on first visit + footer link 'Cookie settings'.

09 Transfers outside the EEA art. 09

We do not transfer personal data outside the EEA. All subprocessors are either in the EEA or covered by Standard Contractual Clauses (Stripe Ireland for EU customers, AWS Frankfurt). If this changes, we will notify you 30 days in advance.

10 Security art. 10

AES-256 at rest, TLS 1.3 in transit, MFA, SSO, RBAC, audit log, daily backups, monthly SAST/DAST. On incident — regulator notification within 72 h, data subject within 24 h. Details on the Security page.

11 Changes to this document art. 11

Any changes — email notice 30 days before they take effect. Document version and date — in the footer of this page. Current version: A.13 · 28 April 2026.

§ 99 · EXERCISE YOUR RIGHTS

Request access or deletion.

Easiest path — Settings → Privacy. Export or delete in one click. For a formal DSAR — write to the DPO; reply within 30 days.