GDPR-compliant · EU-hosted

Privacy Policy

This document explains in plain language what personal data we collect through biznesplan.io, why we process it, how long we keep it and what rights you have under the EU General Data Protection Regulation (GDPR). The Polish version of this document is the binding original — this English translation is provided for convenience.

Last update: 1 May 2026

Contents

  1. Data controller
  2. Data we collect
  3. Purposes of processing
  4. Legal basis
  5. Retention periods
  6. Recipients of data
  7. Your rights
  8. Security
  9. AI assistant & your data
  10. Changes to this policy

§ 1 Data controller

The controller of your personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR") is:

Figaro Software Sp. z o.o.
Malborska 16c/37, 03-286 Warsaw, Poland
VAT ID (NIP): 5242381942 · REGON: 017204583 · KRS: 0000005863

For all data protection matters, please contact us at [email protected] or in writing at the address above.

§ 2 Data we collect

Depending on how you use the Service, we may process the following categories of your data:

| Category | Specific data | Status |
|---|---|---|
| Identification | Name, email address, password (hashed), phone number (optional) | Required |
| Billing | VAT ID, company name, invoice address — for users of paid Plans | Required |
| Technical | IP address, session ID, browser type, operating system | Required |
| Project content | Business plan text, financial data entered in builders, comments | Required |
| Analytics | How you use features, time spent in the application | Optional |
| Marketing | Newsletter preferences, email campaign history | With consent |

§ 3 Purposes of processing

We process your data for the following purposes:

  1. Providing the Service (account creation, feature use, document export).
  2. Processing payments and issuing VAT invoices in accordance with tax law.
  3. Handling support requests received via email, in-app chat or the contact form.
  4. Fulfilling legal obligations (accounting, tax, archival requirements).
  5. Marketing our own services, including newsletter delivery — strictly based on your voluntary consent.
  6. Analysing Service usage to improve it (after anonymisation of identifying data).
  7. Establishing, exercising and defending legal claims, based on the controller's legitimate interest.

§ 4 Legal basis

Depending on the purpose, the legal basis for processing is:

  • Art. 6(1)(b) GDPR — performance of a contract (delivering the Service to you);
  • Art. 6(1)(c) GDPR — compliance with a legal obligation (invoicing, archival duties);
  • Art. 6(1)(f) GDPR — controller's legitimate interest (analytics, Service security, claims);
  • Art. 6(1)(a) GDPR — your voluntary consent (marketing, newsletter, optional cookies).

§ 5 Retention periods

We keep your data no longer than necessary, in particular:

  1. Account data — for the duration of active Service use; after account deletion stored in a "trash" for 14 days (recoverable) and then permanently deleted.
  2. Billing data and invoices — for 5 years from the end of the year of the transaction (Polish Tax Ordinance requirement).
  3. Analytics data — up to 26 months in anonymised form.
  4. Marketing data — until you withdraw consent or object, no longer than 3 years of inactivity.
  5. Claims-related data — until the limitation period expires (usually 3 years, in some cases 6 years).

§ 6 Recipients of data

We may share your data with the following categories of recipients:

| Recipient | Purpose | Location |
|---|---|---|
| Hosting provider | Storing and serving application data | EU (Frankfurt, DE) |
| tpay.com (KIP S.A.) | Online payment processing | Poland |
| PayPal (Europe) S.à r.l. | Online payment processing (user's choice) | Luxembourg |
| Bielik AI provider (SpeakLeash) | Processing requests to the language model | Poland |
| Email service provider | Transactional email delivery | EU |
| External accounting | Tax compliance services | Poland |
| Public authorities | Legal obligations (court, prosecutor, tax authority orders) | Poland |

All processors outside Poland are located within the European Economic Area (EEA). We do not transfer your data outside the EEA.

§ 7 Your rights

Under the GDPR you have the following rights:

  1. Right of access to your data and to obtain a copy.
  2. Right to rectification of inaccurate or incomplete data.
  3. Right to erasure ("right to be forgotten") — except where retention is legally required.
  4. Right to restriction of processing in specific situations.
  5. Right to data portability — to receive your data in a structured format (JSON / CSV) or have it transmitted to another controller.
  6. Right to object to processing based on legitimate interest, in particular for direct marketing.
  7. Right to withdraw consent at any time — without affecting the lawfulness of processing before withdrawal.
  8. Right to lodge a complaint with the President of the Polish Data Protection Authority (Stawki 2, 00-193 Warsaw).

How to exercise your rights

Most rights can be exercised directly in your account panel (data export, profile edit, account deletion). For everything else, write to [email protected]. We respond within 30 days; in exceptional cases the deadline may be extended by an additional 60 days, in which case we will inform you.

§ 8 Security

We apply technical and organisational security measures proportionate to the risk, in particular:

  • Transmission encrypted with TLS 1.3 between browser and server;
  • Databases encrypted at rest using AES-256;
  • User passwords stored as hashes (bcrypt, argon2);
  • Two-factor authentication (2FA) available on every account;
  • Daily backups retained for 30 days in encrypted form;
  • 24/7 security monitoring and periodic penetration testing;
  • Clean-desk and clean-screen policy in the controller's office;
  • Mandatory data protection training for all staff.

In case of a personal data breach, we notify the President of the Polish DPA within 72 hours. Affected data subjects are informed without undue delay where the breach is likely to result in a high risk.

§ 9 AI assistant & your data

  1. Content sent to the Bielik AI assistant (prompts and entered data) is processed strictly in inference mode — a single request generates a single response.
  2. Your data is never used to train or fine-tune the Bielik model. It is not transferred to the SpeakLeash team for training purposes.
  3. Requests may be temporarily logged (up to 7 days) only to monitor service quality, detect abuse and resolve support cases.
  4. We recommend not entering particularly sensitive data (e.g. PESEL, health records) into AI prompts beyond what is genuinely necessary for the business plan.

§ 10 Changes to this policy

  1. We may update this Privacy Policy when the law, the Service or our processing changes.
  2. We will notify users of any material change at least 14 days in advance, by email to the address associated with the account.
  3. The current version is published at biznesplan.io/privacy. Previous versions are archived and available on request.

GDPR matters — contact

For all data protection requests please use the dedicated email below. We respond within 30 days.

Email: [email protected]
Postal address: Figaro Software Sp. z o.o., Malborska 16c/37, 03-286 Warsaw, Poland
Supervisory authority: President of UODO, Stawki 2, 00-193 Warsaw, Poland