Back to Uselist · PL/en
Operator (Imprint): Roman Usov · Enskild firma (sole proprietorship) registered in Sweden · Postal address: [to be filled before public launch — see TASK-0177] · Personnummer / Org. nr: [to be filled] · VAT (where applicable): [OSS registration via Skatteverket] · Email: [email protected]
Privacy Policy · Poland
Effective date: 2026-05-10 · Jurisdiction: Poland (PL)
1. Controller
The data controller is Roman Usov, a sole proprietorship (enskild firma) registered in Sweden, operating Uselist. Contact: [email protected].
Under GDPR Article 37 we are not required to designate a Data Protection Officer. Privacy questions are handled directly by the controller.
2. What we process and why
| Data | Purpose | Lawful basis |
|---|---|---|
| Telegram ID, name, optional photo URL | Account identification, login via Telegram Login Widget | Contract (GDPR Art. 6(1)(b)) |
| Email (optional) | Billing, support communications | Contract |
| Item descriptions, photos, prices | Inventory storage | Contract |
| Card details | Payment processing — handled directly by Stripe | Contract |
| Country, language, plan | Localization, marketplace selection, plan-based feature gating | Contract |
| IP address (hashed for signup), browser fingerprint | Anti-abuse, fraud prevention, rate limiting | Legitimate interest (GDPR Art. 6(1)(f)) |
| Product analytics events | Understand feature usage to improve the Service | Consent (GDPR Art. 6(1)(a)) — opt-in via cookie banner |
3. Sub-processors
| Processor | Role | Region |
|---|---|---|
| Cloudflare, Inc. | CDN, WAF, DNS | EU edge |
| Stripe Payments Europe, Ltd. | Payment processing | Ireland (EU) |
| Telegram Messenger LLP | Bot platform, Login Widget | Multi-region |
| Google Ireland Ltd. (Gemini) | AI inference | EU + US |
| PostHog Inc. (Cloud EU) | Product analytics — opt-in only | EU (Frankfurt + Helsinki) |
| Hetzner Online GmbH | Server hosting | Finland / Germany (EU) |
| Cloudflare R2 | Photo storage | EU |
4. Cross-border transfers
Most processing happens in the EU/EEA. Telegram (multi-region) and Google (US fallback regions) may transfer data outside the EEA. Such transfers rely on Standard Contractual Clauses (Commission Decision (EU) 2021/914) and the EU-U.S. Data Privacy Framework where applicable.
5. Retention
- Account data, items, photos: kept while your account is active; deleted within 30 days of
/deleteaccount; backups purged within a further 60 days. - Analytics events: 90 days in PostHog.
- Billing records: retained for 7 years per the Swedish Bookkeeping Act (operator residency). Polish accounting law is similar (5 years from end of tax year for VAT) — the longer Swedish retention satisfies both.
- Server logs: 30 days at the edge.
6. Your rights (GDPR Articles 15–22)
- Access (Art. 15): request a copy of your data —
/exportfor items, support for the rest. - Rectification (Art. 16): correct inaccurate data via the dashboard.
- Erasure (Art. 17): delete your account via
/deleteaccount. - Restriction (Art. 18): contact support to pause processing pending dispute resolution.
- Portability (Art. 20):
/exportreturns your inventory in CSV. - Objection (Art. 21): object to processing based on legitimate interest.
- Automated decision-making (Art. 22): we do not make decisions based solely on automated processing that produce legal or similarly significant effects.
7. Cookies and similar technologies
Strictly necessary cookies are set without consent. Analytics cookies (PostHog) are set only after explicit acceptance via the cookie banner; consent can be withdrawn via Settings → Privacy.
8. Security
TLS for all traffic; secrets encrypted at rest; no plaintext passwords; API tokens rotate. We notify affected users and the supervisory authority of personal-data breaches likely to result in risk per GDPR Articles 33–34.
9. Right to lodge a complaint
You may lodge a complaint with the Polish supervisory authority for personal data:
Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
[email protected] · +48 22 531 03 00 · uodo.gov.pl
You may also contact the supervisory authority of your habitual residence or place of work in any EU member state.
10. Changes
We may update this Privacy Policy. Material changes affecting your data will be communicated by email or in-app at least 30 days before they take effect.
11. Contact
Privacy questions, data subject requests, security disclosures: [email protected].