Privacy Policy

§ 1. General Provisions

  1. The data controller for personal data of users of Smart-Copy.ai service (hereinafter: "Service") available at https://www.smart-copy.ai is eCopywriting.pl Karol Leszczyński, Papowo Biskupie 119/18, Poland, Tax ID: 9562203948, Business ID: 340627879 (hereinafter: "Controller").
  2. The Controller can be contacted regarding personal data protection at the email address: contact@smart-copy.ai
  3. This Privacy Policy defines the rules for processing personal data of Service Users in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

§ 2. Scope of Collected Personal Data

2.1. Registration Data

Depending on the chosen registration method, the Controller processes:

  • Form Registration:
    • Email address (required)
    • Password (in encrypted form)
    • First name (optional)
    • Account creation date
  • Google Registration (OAuth 2.0):
    • Email address from Google account
    • First and last name (from Google profile)
    • Google User ID
    • Profile picture (if shared)

2.2. Service Usage Data

  • Order history (topics, length, language of texts)
  • Generated content
  • Source files uploaded by User (PDF, DOC, DOCX)
  • URL links provided as sources
  • Guidelines and preferences for generated content
  • SEO keywords and links to include in texts
  • Transaction and top-up history
  • Credits balance

2.3. Payment Data

  • Processed by Stripe Inc.:
    • Payment card data (stored by Stripe)
    • Transaction amount
    • Transaction date and time
    • Payment status
  • The Controller does not have access to full payment card data - this data is processed exclusively by Stripe in accordance with their privacy policy.

2.4. Technical Data

  • IP address
  • Browser type and version
  • Operating system
  • Visit date and time
  • Visited pages
  • Entry source (e.g., search engine, direct link)
  • Geographic location (approximate, based on IP)

§ 3. Purposes and Legal Basis for Data Processing

| Processing Purpose | Legal Basis | Data |
|---|---|---|
| Creating and managing user account | Art. 6(1)(b) GDPR (contract performance) | Email, password, name |
| Fulfilling content generation orders | Art. 6(1)(b) GDPR (contract performance) | All order-related data |
| Payment processing | Art. 6(1)(b) GDPR (contract performance) | Payment data |
| Sending email notifications about order status | Art. 6(1)(b) GDPR (contract performance) | Email |
| Handling complaints | Art. 6(1)(c) GDPR (legal obligation) | Contact data, order history |
| Direct marketing of own services | Art. 6(1)(f) GDPR (legitimate interest) | Email |
| Statistics and user behavior analysis | Art. 6(1)(f) GDPR (legitimate interest) | Technical data |
| Ensuring security and detecting abuse | Art. 6(1)(f) GDPR (legitimate interest) | IP, technical data |
| Archiving for accounting and tax purposes | Art. 6(1)(c) GDPR (legal obligation) | Transaction data |

§ 4. Personal Data Recipients

In connection with providing services, the Controller may transfer personal data to the following categories of recipients:

4.1. Data Processors

  • Stripe Inc. (USA) – payment processing (card, BLIK, Apple Pay, PayPal, Google Pay). Stripe holds PCI DSS Level 1 certification. Data transferred based on EU Standard Contractual Clauses.
  • Anthropic PBC (USA) – provider of Claude AI model used for content generation. Only data necessary for text generation is processed (topic, guidelines, sources). Anthropic does not store user queries long-term.
  • Amazon Web Services (AWS) (USA/Europe) – application hosting, user file storage (S3), email sending (SES). Data stored in EU region (eu-north-1 Stockholm).
  • Vercel Inc. (USA) – frontend application hosting. Data transferred based on EU Standard Contractual Clauses.
  • Google LLC (USA) – OAuth 2.0 authentication (for Google sign-in), Google Analytics. Data transferred based on EU Standard Contractual Clauses.
  • Cloudflare Inc. (USA) – CDN, DDoS protection, performance optimization.

4.2. Other Entities

  • Accounting and legal service providers (to the extent necessary for proper business operations)
  • Public authorities and state institutions – only in case of legal obligation

§ 5. Data Retention Period

  • Account data: Until account deletion by User or deactivation by Controller in case of Terms violation.
  • Order history: For the limitation period of claims arising from the contract (6 years from the end of the year in which the service was performed).
  • Accounting and transaction data: 5 years from the end of the tax year in which the tax obligation arose (in accordance with Tax Ordinance).
  • Source files uploaded by User: Until deleted by User or for the period necessary to fulfill the order + 30 days (backup).
  • Direct marketing data: Until consent withdrawal or objection.
  • System logs: Up to 12 months (for security and diagnostic purposes).

§ 6. Data Subject Rights

In accordance with GDPR, the User has the right to:

  1. Access to data – download a copy of processed personal data (Art. 15 GDPR)
  2. Rectification of data – correction of incorrect or completion of incomplete data (Art. 16 GDPR)
  3. Erasure of data ("right to be forgotten") – in cases provided in Art. 17 GDPR, e.g., after consent withdrawal (Art. 17 GDPR)
  4. Restriction of processing – in cases provided in Art. 18 GDPR, e.g., when user contests data accuracy
  5. Data portability – receiving data in structured format (CSV/JSON) and transferring it to another controller (Art. 20 GDPR)
  6. Object to processing – particularly to processing for marketing purposes (Art. 21 GDPR)
  7. Lodge a complaint with supervisory authority (President of the Personal Data Protection Office, ul. Stawki 2, 00-193 Warsaw, Poland)

How to exercise your rights?
To exercise the above rights, send an email to: contact@smart-copy.ai with the subject: "Personal Data – GDPR". The Controller will respond within 30 days.

§ 7. Data Security

The Controller applies the following technical and organizational measures to protect personal data:

  • Encryption:
    • HTTPS connection (TLS 1.3) across entire site
    • Passwords stored in hashed form (bcrypt)
    • JWT tokens for authorization
  • Access control:
    • Two-factor authentication (2FA) available for users
    • Administrator login with IP restrictions
    • Automatic logout after inactivity period
  • Monitoring and logs:
    • Monitoring unauthorized access attempts
    • Personal data access logs
    • Regular security audits
  • Backup:
    • Automatic database backups (every 24h)
    • Encrypted backup storage
    • Disaster Recovery plan
  • Attack protection:
    • Web Application Firewall (WAF)
    • DDoS protection (Cloudflare)
    • API rate limiting
    • Input validation and sanitization

§ 8. Cookies

8.1. What are cookies?

Cookies are small text files saved on the User's device while using the Service. Cookies enable device recognition and adjustment of site parameters.

8.2. Types of cookies used

  • Essential cookies (session):
    • Maintaining logged-in user session
    • Storing authorization token
    • CSRF protection
    • Legal basis: Art. 6(1)(b) GDPR (contract performance)
  • Preference cookies:
    • Remembering language preferences
    • Remembering dark/light mode
    • Legal basis: User consent (Art. 6(1)(a) GDPR)
  • Analytics cookies (Google Analytics):
    • Site traffic analysis
    • Visit statistics
    • User behavior analysis
    • Legal basis: User consent (Art. 6(1)(a) GDPR)

8.3. Cookie management

The User can change cookie settings in the browser at any time or use the cookie consent panel available in the Service. Disabling essential cookies may prevent full functionality of the Service.

Detailed information about cookie management is available in the Cookie Policy.

§ 9. External Analytics Services

9.1. Google Analytics

The Service uses Google Analytics to analyze traffic and user behavior. Google Analytics processes:

  • IP address (anonymized)
  • Device and browser data
  • Pages visited and time spent
  • Entry source to site

More information: Google Privacy Policy

9.2. Google reCAPTCHA

To protect against spam and bots, the Service uses Google reCAPTCHA. reCAPTCHA analyzes user interactions with the site and processes data such as: IP address, mouse movements, time spent on site.

More information: Google Privacy Policy

§ 10. Data Transfer Outside EEA

Due to the use of services from providers based in the USA (Stripe, AWS, Anthropic, Google, Vercel, Cloudflare), personal data may be transferred outside the European Economic Area (EEA).

Safeguards applied when transferring data:

  • Standard Contractual Clauses (SCC) approved by the European Commission
  • Data Privacy Framework (DPF) – certificate confirming compliance with European data protection standards
  • Additional safeguards: end-to-end encryption, access control, security audits

The list of USA-based entities to which data is transferred, and the safeguards applied, can be found in § 4 of this Policy.

§ 11. Automated Decision-Making and Profiling

The Controller does not use automated decision-making, including profiling, that produces legal effects concerning Users or similarly significantly affects them (according to Art. 22 GDPR).

Generated content is created by AI based on User guidelines, but the final decision on its use always belongs to the User.

§ 12. Children's Data

The Service is not intended for persons under 18 years of age. The Controller does not knowingly collect personal data from persons under 18 years of age.

If it is determined that data has been collected from a person under 18 years of age without parental/legal guardian consent, the Controller will immediately delete such data.

§ 13. Changes to Privacy Policy

  1. The Controller reserves the right to make changes to this Privacy Policy.
  2. Users will be notified of significant changes at least 14 days in advance through:
    • Notification after logging into the Service
    • Email to the account's email address
  3. The date of the last Privacy Policy update is located at the bottom of the document.
  4. Continued use of the Service after changes are introduced means their acceptance.

📞 Contact for Personal Data Protection Matters

Controller: eCopywriting.pl Karol Leszczyński
Address: Papowo Biskupie 119/18, Poland
Email: contact@smart-copy.ai
Tax ID: 9562203948
Business ID: 340627879

Last updated: October 29, 2025