Legal

Privacy Policy

Last updated: May 19, 2026

This policy explains how PoloPath handles personal data when you use our website, account area, MOS guidance, checklists, reminders, Ada AI features, letter analysis, payments, and contact form. It is intended to satisfy the main GDPR transparency requirements for users in the European Economic Area and the United Kingdom.

1. Who We Are And How To Contact Us

PoloPath is a digital product that helps international students and workers prepare Polish temporary residence permit applications with MOS guidance, document checklists, reminders, AI assistance, and related support tools.

For privacy questions, requests, or complaints, contact us through the contact page. If PoloPath publishes a separate legal entity, registered address, or data protection contact, this page will be updated.

2. Personal Data We Collect

Depending on how you use PoloPath, we may process:

  • Account data, such as name, email address, password authentication data, email verification state, language preference, and session information.
  • Profile and immigration-preparation data, such as nationality, city, voivodeship, visa type, study or work purpose, university or employer name, and whether you have zameldowanie.
  • Guidance and checklist data, such as selected permit path, MOS guide progress, reminders, document checklist context, and free or Plus access status.
  • AI and support content, such as questions sent to Ada, Plus chat messages, source and warning metadata, reported answers, contact form messages, and support comments.
  • Letter analysis content, such as uploaded letter images, optional context, extracted meaning, action-required flags, and related analysis metadata.
  • Payment and entitlement data, such as product type, purchase status, amount, Stripe checkout or subscription identifiers, and payment timestamps. Full card details are handled by Stripe, not PoloPath.
  • Technical data, such as IP address, device and browser information, request metadata, security logs, rate-limit data, cookie preferences, and diagnostic events.
  • Email and reminder delivery data, such as reminder labels, due dates, notification schedules, email provider identifiers, delivery attempts, and delivery errors.
  • Analytics data, where enabled by your consent, such as aggregate website usage events used to understand product performance.

3. How We Collect Data

  • Directly from you when you create an account, complete onboarding, submit a contact form, ask Ada a question, upload a letter, create reminders, or report an issue.
  • Automatically when you use the service, for example through cookies, server logs, security checks, rate limiting, and diagnostics.
  • From service providers, for example payment confirmation from Stripe, email delivery status from Resend, authentication/session handling, AI processing results, and storage services.
  • From official public sources only where needed for product guidance, such as MOS, UDSC, and voivodeship office information. These sources are not used to identify you unless you provide related context yourself.

4. Purposes And Lawful Bases

Under the GDPR, processing must have a lawful basis. PoloPath uses the following bases depending on the context:

  • Contract: to create and maintain your account, provide MOS guidance, show your dashboard, process Plus access, deliver purchased features, and provide customer support.
  • Legitimate interests: to secure the service, prevent abuse, debug failures, improve product reliability, maintain business records, answer contact requests, and understand whether features work as intended.
  • Consent: to send optional analytics cookies or similar non-essential tracking, and where you voluntarily provide optional information for a feature.
  • Legal obligation: to keep records required for tax, accounting, consumer protection, fraud prevention, or lawful requests from authorities.

5. AI Features And Official Guidance

PoloPath uses AI features to explain immigration preparation steps, MOS labels, official letters, and related questions. AI outputs are support tools only. They do not replace official sources, legal representation, or your responsibility for your application.

  • Do not enter MOS, login.gov.pl, banking, payment card, national eID, or password credentials into Ada, Plus chat, the contact form, or letter analysis.
  • AI messages may be sent to AI service providers for processing and may be stored so that conversations, reports, debugging, and safety checks work.
  • For current or office-specific facts, PoloPath may retrieve official MOS, UDSC, or voivodeship information and display source links or warnings.
  • PoloPath may store source cards, retrieval mode, model metadata, warnings, and validation metadata to help audit AI answers.

6. Cookies And Similar Technologies

PoloPath uses essential cookies for authentication, session security, account state, and cookie-consent preference storage. Optional analytics are disabled by default and only run after consent. Your analytics choice is stored in the `pologuide_cookie_consent` cookie for up to 180 days.

You can also control cookies through your browser settings. Blocking essential cookies may prevent login, checkout recovery, dashboard access, and security features from working.

7. Who We Share Data With

We do not sell personal data. We share personal data only where needed to operate PoloPath, comply with law, or protect the service. Categories of recipients may include:

  • Hosting, database, storage, and infrastructure providers, including PostgreSQL, Cloudflare R2-compatible storage, and local MinIO in development.
  • Authentication, email, and communication providers, including Better Auth and Resend.
  • Payment processors, including Stripe, for checkout, payment confirmation, refunds, subscriptions, tax, and fraud prevention.
  • AI service providers, including OpenAI, for embeddings, chat, live official-source search, and letter analysis.
  • Analytics, logging, monitoring, and security providers where configured and permitted.
  • Professional advisers, accountants, legal advisers, auditors, or authorities where reasonably necessary or legally required.

8. International Transfers

Some providers may process data outside your country or outside the European Economic Area. Where this happens, PoloPath relies on lawful transfer mechanisms such as European Commission adequacy decisions, Standard Contractual Clauses, provider transfer safeguards, or another valid GDPR transfer basis.

9. Retention

We keep personal data only for as long as needed for the purposes described in this policy, unless a longer period is required by law. Typical retention criteria include:

  • Account and profile data: while your account is active, then for a limited period needed for backup, security, dispute, and legal purposes.
  • Payment and invoice records: for the period required by tax, accounting, chargeback, and consumer law.
  • AI chat, guidance, letter analysis, and reports: while needed to provide the feature, preserve conversation context, debug issues, investigate reports, and improve safety.
  • Reminder data: until deleted by you, your account is deleted, or retention is no longer needed for delivery and troubleshooting.
  • Contact messages: for as long as needed to respond and keep a reasonable support history.
  • Security logs and rate-limit records: for short periods appropriate to detect abuse, investigate incidents, and protect the service.
  • Backups: until overwritten or deleted under our backup schedule.

10. Your GDPR Rights

Subject to legal limits, you may have the right to access, correct, delete, restrict, object to, or receive a portable copy of your personal data. Where processing is based on consent, you may withdraw consent at any time without affecting earlier lawful processing.

You can exercise these rights through the contact page. We may need to verify your identity before acting on a request. You also have the right to lodge a complaint with your local data protection authority. In Poland, the supervisory authority is the President of the Personal Data Protection Office (UODO).

11. Security

We use technical and organisational safeguards designed to protect personal data, including HTTPS, access controls, password hashing, server-side validation, rate limiting, no-store headers for private routes, provider-side security controls, and limited staff/admin access. No online service can guarantee absolute security.

12. Children

PoloPath is not intended for children. If you believe a child has provided personal data without appropriate consent, contact us so we can review and delete it where required.

13. Automated Decisions

PoloPath does not make automated decisions that legally determine whether you receive a Polish residence permit. Official decisions are made by Polish authorities. PoloPath may automate product access checks, rate limits, source retrieval, AI routing, and internal safety warnings, but these do not decide your immigration case.

14. Changes

We may update this policy when the product, providers, legal requirements, or data practices change. Material changes may be announced through the website, account area, or email where appropriate.