Privacy Policy

Last updated: February 20, 2026

1. Data controller

The data controller responsible for your personal data is:

Company: [COMPANY_NAME]
Address: [ADDRESS]
Email: [EMAIL]

As a small business processing personal data only for order fulfillment, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For all privacy-related inquiries, contact us directly at [EMAIL].

2. What data we collect

Data category	Specific data	Purpose
Contact information	Email address	Order confirmation, Report delivery, communication about your order
Order information	URL submitted for analysis, selected service tier, order date	Service delivery (generating the CRO Report)
Payment information	Payment status, transaction ID	Order validation. Full payment details (card number, billing address) are processed and stored exclusively by Stripe, Inc. We never see or store your card number.
Invoicing data	Company name, tax ID (NIP), billing address (if provided for invoice)	Invoice generation via Fakturownia
Technical data	IP address, browser type, device type	Website functionality, security, analytics

Website analysis data: When generating your Report, our system accesses and analyzes the publicly available content of the submitted URL. This includes visible text, images, page structure, and performance metrics. This is public information, not personal data. We do not access any backend systems, databases, or private areas of your website.

3. Lawful basis for processing

We process your personal data based on the following legal grounds under GDPR:

Processing activity	Lawful basis	GDPR Article
Order processing and Report delivery	Performance of a contract	Art. 6(1)(b)
Invoice generation	Legal obligation (tax law)	Art. 6(1)(c)
Analytics cookies	Legitimate interest	Art. 6(1)(f)
Security and fraud prevention	Legitimate interest	Art. 6(1)(f)

4. Data retention

We retain your data for the minimum period necessary:

Order data and email address: 90 days after Report delivery, then permanently deleted.
Generated Reports: 90 days after delivery (so you can re-download if needed), then permanently deleted from our servers.
Invoice data: 5 years from end of the fiscal year in which the transaction occurred, as required by Polish tax law (Ordynacja podatkowa).
Analytics data: Aggregated, non-identifiable. Individual sessions are not retained beyond 26 months.
Website analysis data: Temporary files generated during the crawl (screenshots, extracted text, HAR files) are deleted within 7 days of Report delivery.

5. Third-party processors

We share your personal data with the following third-party processors, solely for the purposes stated:

Processor	Purpose	Data shared	Location
Stripe, Inc.	Payment processing	Payment details, email, transaction amounts	USA (EU-US Data Privacy Framework certified)
Fakturownia (iFirma S.A.)	Invoice generation	Company name, tax ID, billing address, transaction amount	Poland (EU)
Email service provider	Transactional email (order confirmation, Report delivery)	Email address, order reference	EU

All third-party processors are bound by data processing agreements (DPAs) in compliance with GDPR Article 28. For transfers to the USA (Stripe), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as safeguards.

6. Cookies

BuyerEyes.ai uses a minimal set of cookies:

Cookie type	Purpose	Duration	Required
Essential	Session management, checkout functionality	Session	Yes
Analytics	Anonymous usage statistics (page views, bounce rate)	Up to 26 months	No (can be disabled)

We do not use advertising, marketing, or social media tracking cookies. You can disable non-essential cookies in your browser settings without affecting the Service.

7. Your rights under GDPR

As a data subject, you have the following rights:

Right of access (Art. 15) - Request a copy of all personal data we hold about you.
Right to rectification (Art. 16) - Request correction of inaccurate data.
Right to erasure (Art. 17) - Request deletion of your personal data, subject to legal retention requirements.
Right to restrict processing (Art. 18) - Request that we limit how we use your data.
Right to data portability (Art. 20) - Receive your data in a structured, machine-readable format.
Right to object (Art. 21) - Object to processing based on legitimate interest.
Right to lodge a complaint - You may file a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

To exercise any of these rights, contact us at [EMAIL]. We will respond within 30 days.

8. Data security

We implement appropriate technical and organizational measures to protect your data:

All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified).
Access to personal data is restricted to authorized personnel only.
Server infrastructure is monitored for unauthorized access.
Temporary analysis files are stored in isolated environments and deleted after processing.

9. International data transfers

Your data is primarily processed within the European Economic Area (EEA). When data is transferred outside the EEA (specifically to Stripe in the USA), it is protected by:

The EU-US Data Privacy Framework adequacy decision.
Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Children's privacy

The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, contact us at [EMAIL] and we will promptly delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be published on this page with a revised "Last updated" date. We encourage you to review this page periodically.

12. Contact

For privacy-related questions, data access requests, or complaints:

Email: [EMAIL]
Address: [ADDRESS]
Company: [COMPANY_NAME]