Last updated: July 15, 2026
The data controller responsible for your personal data is:
As a small business processing personal data only for order fulfillment, we are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For all privacy-related inquiries, contact us directly at privacy@buyereyes.ai.
| Data category | Specific data | Purpose |
|---|---|---|
| Contact information | Email address | Order confirmation, Report delivery, communication about your order |
| Order information | URL submitted for analysis, selected service tier, order date | Service delivery (generating the CRO Report) |
| Payment information | Payment status, transaction ID | Order validation. Full payment details (card number, billing address) are processed and stored exclusively by Stripe, Inc. We never see or store your card number. |
| Invoicing data | Company name, tax ID (NIP), billing address (if provided for invoice) | Invoice generation via Fakturownia |
| Technical data | IP address, browser type, device type | Website functionality, security, analytics |
| Support correspondence | Content of emails sent to hello@, support@, or refunds@ buyereyes.ai; order ID referenced in request; date of correspondence | Handling refund requests (Terms §3.1), goodwill consultations (Terms §3.3), customer support inquiries, and statutory complaints under consumer law |
Website analysis data: When generating your Report, our system accesses and analyzes the publicly available content of the submitted URL. This includes visible text, images, page structure, and performance metrics. This is public information, not personal data. We do not access any backend systems, databases, or private areas of your website.
We process your personal data based on the following legal grounds under GDPR:
| Processing activity | Lawful basis | GDPR Article |
|---|---|---|
| Order processing and Report delivery | Performance of a contract | Art. 6(1)(b) |
| Invoice generation | Legal obligation (tax law) | Art. 6(1)(c) |
| Analytics cookies | Legitimate interest | Art. 6(1)(f) |
| Security and fraud prevention | Legitimate interest | Art. 6(1)(f) |
| Handling refund requests, goodwill consultations, and support correspondence | Performance of a contract / legal obligation | Art. 6(1)(b), Art. 6(1)(c) |
| Improving our service and training our own, self-hosted models from anonymised audit telemetry | Legitimate interest | Art. 6(1)(f) |
The telemetry we use to improve our models covers how our own AI agents perform on audits - the agents' outputs, their error patterns, and audit context (which check ran, the verdict). It excludes the substantive content of your website, and any incidental contact identifiers (emails, phone numbers) are removed before storage. We do not use your data to train third-party AI models, and we do not sell it or share it with external AI model providers.
We retain your data for the minimum period necessary:
We share your personal data with the following third-party processors, solely for the purposes stated:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Payment details, email, transaction amounts | USA (EU-US Data Privacy Framework certified) |
| Fakturownia (iFirma S.A.) | Invoice generation | Company name, tax ID, billing address, transaction amount | Poland (EU) |
| Email service provider | Transactional email (order confirmation, Report delivery) | Email address, order reference | EU |
| Meta Platforms Ireland Ltd / Meta Platforms, Inc. | Measurement and optimization of advertising campaigns (Meta Pixel + Conversions API) - only with your marketing consent (Section 6) | Event identifier, page URL, hashed email address (if provided), fbc/fbp identifiers, IP address, User-Agent | Ireland (EU) / USA (EU-US Data Privacy Framework + Standard Contractual Clauses) |
All third-party processors are bound by data processing agreements (DPAs) in compliance with GDPR Article 28. For transfers to the USA (Stripe, Meta), we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as safeguards.
BuyerEyes.ai uses three categories of cookies:
| Cookie type | Purpose | Duration | Required |
|---|---|---|---|
| Essential | Session management, checkout functionality | Session | Yes |
| Analytics | Anonymous usage statistics (page views, bounce rate) | Up to 26 months | No (can be disabled) |
| Marketing | Measurement and optimization of advertising campaigns on social media (Meta Pixel + Conversions API) - event identifier, hashed email (if provided), fbc/fbp, IP address, and User-Agent shared with Meta Platforms to match conversions to ads | Up to 90 days (per Meta's rules for fbp) | No - only with your explicit consent, off by default |
We use social media cookies and tracking technologies (Meta Pixel) and the related Conversions API call only with your marketing consent, given via the cookie consent banner. They are off by default (revoke-by-default) - enabling them requires your active action: clicking "Accept all" or checking the "Marketing" category in the "Manage preferences" panel. You can withdraw consent at any time in the same panel - withdrawal takes effect immediately and does not affect access to the Service. Lawful basis: Art. 6(1)(a) GDPR (consent) and Article 173 of the Polish Telecommunications Law (implementing Article 5(3) of Directive 2002/58/EC on ePrivacy) for the underlying access to cookies on your device. You can also disable non-essential cookies in your browser settings without affecting the Service.
As a data subject, you have the following rights. Most are available as self-service - no waiting, no email back-and-forth.
For anything that's not self-service, email privacy@buyereyes.ai. Self-service requests are instant; manual requests are handled within 5 business days.
We implement appropriate technical and organizational measures to protect your data:
Your data is primarily processed within the European Economic Area (EEA). When data is transferred outside the EEA (specifically to Stripe and Meta Platforms in the USA), it is protected by:
This applies in particular to: Stripe, Inc. (payment processing) and Meta Platforms, Inc. (measurement and optimization of advertising campaigns via Meta Pixel and Conversions API, only with your marketing consent as described in Section 6). Both safeguards - the EU-US Data Privacy Framework adequacy decision and Standard Contractual Clauses (SCCs) - apply in parallel to transfers to both of these recipients, in line with Chapter V GDPR (Articles 44-49).
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a minor has provided us with personal data, contact us at privacy@buyereyes.ai and we will promptly delete it.
We may update this Privacy Policy from time to time. Changes will be published on this page with a revised "Last updated" date. We encourage you to review this page periodically.
For privacy-related questions, data access requests, or complaints: