Autokilometry Privacy Policy

Version: 1.0 | Effective date: February 19, 2026

§1. Data Controller

The data controller is:

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

NIP (Tax ID): 9720811257

Email: office@emversa.com

§2. Definitions

  1. Autokilometry Platform – a web application (PWA) and iOS mobile application for maintaining vehicle mileage records.
  2. Organization – a business entity that has entered into a service agreement with the Controller.
  3. Driver – a user assigned to an Organization, recording trips.
  4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data.

§3. Roles in Data Processing

3.1. Controller as Data Controller

The Controller (Emversa) is the data controller within the meaning of GDPR with respect to:

  • data of Organization Administrators (management accounts),
  • Organization contact data,
  • marketing data (newsletter, consents),
  • contact form data.

3.2. Controller as Data Processor

The Controller (Emversa) acts as a data processor within the meaning of GDPR with respect to:

  • Driver data processed on behalf of the Organization,
  • Driver trip and location data.

In this scope, the Organization is the data controller for its Drivers' personal data, and Emversa processes data based on the Data Processing Agreement (DPA).

3.3. Organization's Information Obligation

The Organization, as the data controller for Drivers' personal data, is obligated to fulfill the information obligation towards Drivers pursuant to Art. 13 of GDPR before they start using the Platform.

§4. Categories of Processed Data

4.1. User Account Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Email address | Identification, login, communication | Art. 6(1)(b) GDPR – contract performance | Duration of account |
| First and last name | Identification | Art. 6(1)(b) GDPR | Duration of account |
| Password (hashed) | Authentication | Art. 6(1)(b) GDPR | Duration of account |
| Language preferences | Interface localization | Art. 6(1)(f) GDPR – legitimate interest | Duration of account |
| Working hours and days | Auto-trip configuration | Art. 6(1)(b) GDPR | Duration of account |

4.2. Organization Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Company name | Identification | Art. 6(1)(b) GDPR | Duration of account |
| NIP / EU VAT / UK VAT | Invoicing | Art. 6(1)(c) GDPR – legal obligation | 2 years from last invoice |
| Registered address | Invoicing | Art. 6(1)(b) GDPR | 2 years from last invoice |
| Billing email | Invoice delivery | Art. 6(1)(b) GDPR | Duration of account |
| Currency | Billing | Art. 6(1)(b) GDPR | Duration of account |

4.3. Trip Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| GPS coordinates (start/end) | Route documentation | Art. 6(1)(b) GDPR + consent | Duration of account |
| Addresses (start/end) | Route documentation | Art. 6(1)(b) GDPR | Duration of account |
| Timestamps | Trip time | Art. 6(1)(b) GDPR | Duration of account |
| Odometer readings | Distance verification | Art. 6(1)(b) GDPR | Duration of account |
| Distance | Mileage reporting | Art. 6(1)(b) GDPR | Duration of account |
| Speed (max/average) | Analytics | Art. 6(1)(f) GDPR | Duration of account |
| Trip type (business/private) | VAT classification | Art. 6(1)(c) GDPR | Duration of account |
| Reimbursement amount | Cost settlement | Art. 6(1)(b) GDPR | Duration of account |

4.4. GPS Checkpoints

PARTICULARLY SENSITIVE DATA – precise location

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Latitude/longitude | Route recording | Art. 6(1)(b) GDPR + consent | Duration of account |
| Altitude | Route accuracy | Art. 6(1)(b) GDPR | Duration of account |
| GPS accuracy (meters) | Data quality | Art. 6(1)(b) GDPR | Duration of account |
| Heading | Route analysis | Art. 6(1)(b) GDPR | Duration of account |
| Instantaneous speed | Speed monitoring | Art. 6(1)(b) GDPR | Duration of account |
| Address (geocoded) | Location identification | Art. 6(1)(b) GDPR | Duration of account |
| Timestamp | Time accuracy | Art. 6(1)(b) GDPR | Duration of account |

When GPS points are collected:

  • At trip start
  • Every 5 minutes during active trip
  • Every 250 meters of movement
  • At trip end
  • Backbuffer (up to 5 minutes before trip confirmation in auto-trip mode)

Note: GPS points are NOT collected in manual entry mode.

§5. Purposes and Legal Bases for Processing

5.1. Contract Performance (Art. 6(1)(b) GDPR)

  • Creating and managing user accounts
  • Recording trips and maintaining mileage records
  • Managing vehicles and drivers
  • Generating reports (Vehicle Mileage Log, Reimbursement Summary) and exports
  • Processing reimbursement claims
  • Subscription management
  • Customer support
  • Sending email invitations
  • Sending authentication emails

5.2. Legal Obligation (Art. 6(1)(c) GDPR)

  • Tax documentation (NIP, VAT ID, UK VAT)
  • Invoice data retention (5 years from end of tax year per Polish tax law)
  • Mileage records for VAT purposes
  • VAT verification data retention

5.3. Legitimate Interest (Art. 6(1)(f) GDPR)

  • Abandoned registration recovery (lead capture)
  • Service improvement and analytics
  • Security monitoring and fraud prevention
  • Fleet map visualization (paid feature)
  • Speed analytics and trip statistics (paid feature)
  • Mileage gap and discrepancy detection

5.4. Consent (Art. 6(1)(a) GDPR)

  • Marketing email communication (optional checkbox, Art. 398 PKE)
  • Marketing phone communication (optional checkbox, Art. 398 PKE)
  • Analytics cookies (cookie banner)
  • GPS checkpoint collection
  • Auto-trip detection
  • Contact form processing

§6. Data Processors (Sub-processors)

The Controller uses the following data processors:

| Service | Provider | Purpose | Location |
|---|---|---|---|
| Supabase | Supabase Inc. | Database hosting, authentication, RLS | EU |
| Stripe | Stripe Payments Europe, Ltd. | Payments, invoices | Ireland (EU) |
| Vercel | Vercel Inc. | Application hosting, CDN | Global |
| Resend | Resend, Inc. | Transactional email delivery | USA |
| Google Analytics | Google LLC | Website analytics (with consent) | USA |
| OpenStreetMap Nominatim | OpenStreetMap Foundation | Geocoding (coordinates → addresses) | Global |
| OSRM | Project OSRM | Route distance calculation | Global |
| WeatherAPI | WeatherAPI | Weather conditions during trips | - |
| GUS BIR1 API | Central Statistical Office | Polish NIP verification | Poland |
| VIES API | European Commission | EU VAT verification | EU |
| ipapi.co | ipapi.co | IP-based country detection | - |
| ip-api.com | ip-api.com | Backup IP-based country detection | - |

§7. Data Transfers to Third Countries

Some data processors may transfer data outside the European Economic Area:

| Service | Location | Transfer Mechanism |
|---|---|---|
| Vercel | Global (CDN) | Standard Contractual Clauses (SCC) |
| Resend | USA | Standard Contractual Clauses (SCC) |
| Google Analytics | USA | SCC + EU-US Data Privacy Framework |

In case of data transfer to third countries, appropriate safeguards are applied pursuant to Chapter V of GDPR.

§8. Data Retention Periods

8.1. Active Accounts

| Data Category | Retention Period |
|---|---|
| User account data | Duration of account |
| Organization data | Duration of subscription |
| Trip data | Duration of subscription |
| GPS checkpoints | Duration of subscription |
| Vehicle data | Duration of subscription |
| Reimbursement claims | Duration of subscription |
| Invoice data (NIP, address) | 5 years from end of tax year (Polish tax law) |
| Marketing subscriber data | Until unsubscribe |

8.2. After Subscription End

Voluntary cancellation:

  • Grace period: 90 days from end of paid period
  • During grace period: All data preserved, export available
  • After grace period: Organization deactivated, data preserved per legal requirements

Non-payment:

  • Immediate access suspension
  • Data preserved for 30 days
  • After 30 days: Organization deactivated

8.3. Account Deletion (GDPR Right to Erasure)

  • Personal data: Deleted
  • Trip and GPS data: Deleted
  • Invoice data (NIP, address): Retained 5 years from end of tax year (Polish tax law)

8.4. Registration Leads

  • Completed registrations: Converted to user account
  • Abandoned registrations: 30 days, then soft delete

8.5. Contact Inquiries

  • Active: Until inquiry resolution
  • Resolved: Deleted after resolution

§9. Data Subject Rights

9.1. Rights Implemented in Platform

| Right | Implementation |
|---|---|
| Right of access | Users can view all their data in the app; Excel export available |
| Right to rectification | Users can update profile; Drivers submit trip edit requests |
| Right to data portability | Excel/PDF export feature for trip data and reports |
| Right to withdraw consent | Cookie settings reset; marketing unsubscribe via profile settings; location consent withdrawal |

9.2. Rights Requiring Manual Process

| Right | Process |
|---|---|
| Right to erasure | Contact: office@emversa.com; Administrator can deactivate users |
| Right to restriction of processing | Contact: office@emversa.com |
| Right to object | Contact: office@emversa.com |

9.3. Special Notes

  • Invoice data: Retained 5 years from end of tax year (Polish tax law), even after account deletion request
  • Anonymization: Preferred over deletion when legal retention is required

§10. Data Security

10.1. Technical Measures

  • Encryption in transit: TLS/HTTPS for all communication
  • Encryption at rest: Database encryption (Supabase)
  • Password hashing: bcrypt via Supabase Auth
  • Data isolation: Row-Level Security (RLS) at database level
  • Access control: RBAC (Driver < Administrator)

10.2. Organizational Measures

  • Least privilege policy: Users have access only to necessary data
  • Webhook verification: Stripe and Supabase signature verification
  • Rate limiting: Implemented at edge level (Vercel)

§11. Cookies

Detailed information about cookies is contained in the Cookie Policy available at: autokilometry.pl/cookies.

§12. Data Breach

12.1. Supervisory Authority Notification

In case of a personal data breach that may pose a risk to the rights and freedoms of natural persons, the Controller will notify the President of the Personal Data Protection Office (UODO) within 72 hours of breach detection.

12.2. Data Subject Notification

If the breach may pose a high risk to the rights and freedoms of natural persons, the Controller will notify affected data subjects without undue delay.

§13. Minors' Data

  1. The Autokilometry Platform is intended exclusively for business users (B2B). Organization account registration and the Administrator role require being of legal age (18 years old).
  2. A Driver on the Platform may be a minor (16-17 years old) if they are legally employed by the Organization and hold appropriate driving licenses in accordance with applicable law.
  3. In the case of minor Drivers, the Organization (as the data controller for its employees' personal data) is responsible for:
    • obtaining all required consents from parents or legal guardians in accordance with labor law provisions,
    • fulfilling the information obligation towards the minor and their legal guardians,
    • ensuring data processing compliance with regulations concerning the employment of minors.
  4. Emversa does not direct marketing services or direct communication to minors.

§14. Do Not Track Signals

The Platform does not respond to "Do Not Track" (DNT) signals sent by web browsers. Users may manage their tracking preferences through cookie settings available in the Platform and in the cookie policy.

§15. Automated Decision-Making

The Platform does not use automated decision-making, including profiling, as referred to in Art. 22(1) and (4) of GDPR, which produces legal effects or similarly significantly affects users. All decisions regarding trip approvals, reimbursement claims, and similar matters are made by authorized users (Organization Administrators), not by algorithms.

§16. Changes to Privacy Policy

  1. The Controller reserves the right to change this Privacy Policy.
  2. Users will be notified of changes by email at least 14 days before the changes take effect.
  3. The current version of the Privacy Policy is always available at: autokilometry.pl/prywatnosc.

§17. Contact

For personal data protection matters, please contact:

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

Email: office@emversa.com

Supervisory Authority:

President of the Personal Data Protection Office (UODO)

ul. Stawki 2

00-193 Warsaw, Poland

www.uodo.gov.pl

Document generated: February 19, 2026