LetterOnCloud

Privacy Policy of the LetterOnCloud Service

1. General Information and Data Controller

This Privacy Policy explains how LetterOnCloud (hereinafter also the "Service") processes the personal data of users and other individuals using our services. We respect your privacy and make every effort to protect the data we collect. Please read the following information carefully.

  • Personal Data Administrator: The administrator of your personal data is Marcin Frątczak Framar with a registered office at ul. Rybnicka 13/30, 40-038 Katowice, Poland, NIP (tax ID): PL6252163911 (hereinafter: the "Administrator" or "Service Provider"). As the Administrator, we ensure that your data are processed securely, in accordance with the agreement and applicable laws, in particular Regulation (EU) 2016/679 (GDPR).

  • Administrator's Contact Details: For matters regarding personal data, you can contact us:

    • by email at: privacy@letteroncloud.com (or support@letteroncloud.com – with the note "Personal Data"),
    • by mail at: Marcin Frątczak Framar, ul. Rybnicka 13/30, 40-038 Katowice, Poland. (Currently, the Administrator has not appointed a Data Protection Officer (DPO); however, for any issues related to data processing you can use the above contact details.)

2. What Data We Collect and For What Purposes (Categories of Data and Legal Bases)

Depending on which features of the Service you use, we process different types of your personal data for various purposes. Below we present the main categories of data processed along with an explanation of for what purpose and on what legal basis (under GDPR) they are processed.

2.1. Data Provided During Account Registration and Account Management

  • Registration Data: When creating an Account in the Service, we ask you to provide the necessary information, such as your email address and password (for standard registration), or we enable login via an external provider (e.g. a Google account), in which case we receive from that provider your email address and basic profile information (e.g. first name, last name – if those are shared). Optionally, you may fill in additional profile information on your Account (e.g. first name, last name, profile photo/avatar).

  • Purpose: To create and manage your user Account on LetterOnCloud, enable you to log in and authenticate, and provide the core service – access to the LetterOnCloud application. Your email address is also used for service-related communications (e.g. registration confirmations, technical notices, notifications of important changes to the Service, messages with verification codes, etc.).

  • Legal Basis: The necessity to perform the contract for electronic services (Art. 6(1)(b) GDPR) – because by registering an Account and accepting the Terms you enter into an agreement with us, and we need to process this data to perform that agreement (provide you with the application service). In the case of optional data (e.g. an avatar), the basis is your consent (Art. 6(1)(a) GDPR) expressed by voluntarily providing this information – it is not necessary for using the services.

  • Technical Account Data: When using your Account, certain technical data are generated, such as user ID, authentication tokens, device identifiers, as well as server logs containing information about your activity (e.g. login dates, IP address, browser/device information).

  • Purpose: Maintaining the security of the system and your Account, preventing unauthorized access (e.g. the ability to detect a suspicious session), as well as ensuring synchronization and proper functioning of the application across different devices. This data is also used to provide technical support – for example, we analyze logs to diagnose a reported problem.

  • Legal Basis: The Controller's legitimate interest (Art. 6(1)(f) GDPR) in ensuring the security of the services and their proper operation. In some cases, there may also be a necessity to perform the contract (Art. 6(1)(b) GDPR) – for example, synchronizing data between devices is part of the functionality promised to you as part of the service.

  • Data Entered by You in the Service: If, as part of using the application, you input certain personal data, e.g. notes, labels, or your own content that contain your personal data (or the personal data of others – discussed further below), we will process them as part of providing the service. For example, you might add your first name and a short bio to the description of your public newsletter collection – this information will be stored and shared as you decide (e.g. publicly, if the collection is public).

  • Purpose: Solely to carry out the specific Service function you have chosen – to store and possibly publish the data that you consciously place. Note: Please try not to include in the Service (e.g. in notes or collection names) personal data about yourself or others that are not necessary – the application is not intended for storing sensitive data.

  • Legal Basis: The necessity to perform the contract (provide the application's functionality) – Art. 6(1)(b) GDPR, or, insofar as third-party data is involved – your legitimate interests (Art. 6(1)(f) GDPR) as a user in using the application for its intended purpose. We assume that if you knowingly post certain information in the Service, you want it to be processed for that specified purpose and that you have the right to do so.

2.2. Data Processed in Connection with Using the LetterOnCloud Service (Newsletters, Integrations)

  • Newsletter and Mailbox Data: A unique feature of LetterOnCloud is integration with your email inbox for receiving newsletters. Consequently, the Service may process the following data:

    • Your email alias in the letteroncloud.com domain (generated for you) and any email messages (newsletters) that are sent to that alias by newsletter publishers to whom you subscribe. These messages, along with their content (and any attachments), will be stored on our servers so that you can read them in the application.
    • If you connect your email account (e.g. Gmail) with the Service: certain limited data from your mailbox may be processed, e.g. information about senders and subjects of messages that our system identifies as newsletters, and possibly the content of those messages if you forward them to us. Important: Our application does not scan your entire inbox – it operates either by automatic filtering (looking for messages that meet newsletter criteria, such as the presence of an unsubscribe link in the footer) or relies on forwarding rules configured by you. We do not fetch or analyze your private correspondence other than newsletters.
    • Newsletter Content: The content of all stored newsletters may be indexed in our database for your use, in order to enable the full-text search feature. This means our system automatically processes the newsletter text (e.g. splitting it into keywords) solely for the purpose of building a search index for you. We do not "read" these contents manually nor use them for any other purposes (such as marketing).
    • Interest Categories: Based on the newsletters you subscribe to and your behavior (e.g. what you read, which newsletters you archive), the system may assign certain interest or preference categories to you (e.g. "technology/IT", "finance", "sport", etc.). This serves to provide you with personalized features – for example, recommendations of similar content and organizing your newsletters. This occurs automatically through algorithms. We do not use this information for profiling for third-party advertising purposes – only for internal LetterOnCloud functionalities for your convenience.

  • Purpose: Strictly to deliver the core service, i.e. managing your newsletters. We store and display to you the content of your newsletters, allow you to categorize them, archive them, search through them, and also suggest new content based on your interests. All the operations on data described above serve to provide you with the promised functionalities of the Service (convenient reading and organizing of your subscribed content).

  • Legal Basis: The necessity to perform the contract (Art. 6(1)(b) GDPR) – without processing your newsletters we would not be able to provide the service that is the essence of LetterOnCloud. For certain more advanced aspects, such as content recommendations based on your preferences, the basis may also be our legitimate interest (Art. 6(1)(f) GDPR) in improving and personalizing our service. However, we consider that these actions are an integral part of the service you expect when using LetterOnCloud.

  • Data of Other Persons in Newsletters: Typically, newsletters you receive from publishers do not contain personal data of third parties other than you (they might include your email address, your name in a salutation, etc.). If, however, a newsletter's content includes personal data of third parties (e.g. an interview with someone containing their data), we process it only passively as part of the stored email – we do not perform any operations on it unrelated to displaying you the original message. Processing of such data is based on Art. 6(1)(b) GDPR (performance of the content storage service you have entrusted to us) and Art. 6(1)(f) (legitimate interest – if third-party rights are concerned, the interest is to enable you, as the recipient of a legally obtained newsletter, to use it under the allowance of personal use).

  • Data Collected About Your Activity: Within the Service we may record information about how you use the application – e.g. which newsletters you marked as read, what you search for in the search engine, which recommendations you clicked on, whether and what content you shared further, time spent reading, etc.

  • Purpose: Analytical purposes and improving the service (e.g. thanks to this data we know which features are popular, which newsletters are most frequently read – which can help improve recommendation algorithms), as well as a strictly user-functional purpose: based on this data the application indicates to you what you have already read, what is unread, and can e.g. suggest "most popular among your newsletters," etc.

  • Legal Basis: Our legitimate interest (Art. 6(1)(f) GDPR) in developing and streamlining the Service's functionalities and ensuring a positive user experience. We believe that such actions do not excessively impact your privacy – they are intended to enhance the service and your experience with it.

2.3. Data Related to Payments

  • Transaction Data: If you decide to purchase a paid subscription, we will process information necessary to handle the payment and fulfill accounting obligations:

    • Name and surname (or company name) of the purchaser, billing address, VAT number (if applicable) – for issuing an invoice or receipt. (Note: for purchasing a consumer subscription we do not require providing a name or address – such data are needed only if you request an invoice or if the law requires it.)
    • Information about the completed payment: amount, date, payment method (e.g. card, PayPal), last 4 digits of the card, unique transaction ID assigned by the payment operator, transaction status. We do not store full credit card details – the payment operation is handled by an external provider (e.g. Stripe Payments), which only passes us the confirmation of the payment.
    • History of your subscriptions: the plan activated, its duration, any cancellations, refunds (if, for example, you used the 30-day guarantee), discount coupons or promo codes (if any were applied).

  • Purpose: Processing your payment for the services and maintaining financial records. This data is needed to allow you to pay for the chosen plan, to confirm associating the payment with your Account (activate the service), as well as to fulfill our legal obligations as a seller (e.g. issuing an invoice, recording the transaction in our books, tax settlement).

  • Legal Basis:

    • To the extent necessary to process the payment and perform the contract – Art. 6(1)(b) GDPR (performance of a contract). Without this data we would not be able to assign the payment to your Account and provide you with the paid service.
    • To the extent of storing transaction data for tax and accounting purposes – Art. 6(1)(c) GDPR (compliance with a legal obligation to which the Controller is subject). Tax and accounting regulations require us to archive sales documents for a certain period (for example, VAT invoices must be kept for at least 5 tax years).
    • If applicable, for the establishment, exercise, or defense of claims – Art. 6(1)(f) GDPR (Controller's legitimate interest in establishing, pursuing, or defending against claims). This can include, for instance, using payment data to prove that a service was paid for or that we issued a refund.

  • Card and Payer Data: Credit card data (number, expiration date, CVV) are entered by you directly in the secure interface of our payment operator (e.g. Stripe). We do not have access to the full content of these details – we receive only a "token" representing your card and the last 4 digits and the card brand (e.g. Visa/Mastercard). Similarly, for example, a billing address you provide for payment authorization may be processed by the payment operator. In our database we store only what is necessary: e.g. the card's country (for correct VAT calculation), the card type (debit/credit) – if relevant for transaction identification.

  • Purpose: Enabling you to make an online payment for the services. The payment operator (as a separate controller of your data for the purpose of processing the payment) may also use this data to secure the transaction (e.g. anti-fraud analysis).

  • Legal Basis: For us – performance of the contract (Art. 6(1)(b) GDPR), since we need to allow you a convenient payment method as part of our service. For the payment operator – depending on the circumstances: performance of their contract with you (if you are the cardholder initiating the payment) or their legal obligations (e.g. anti-money laundering requirements) or legitimate interest (fraud prevention). You can find details in the given operator's privacy policy (for instance, Stripe has its own data protection policy available on their website).

2.4. Newsletter and Marketing Communication

  • Newsletter Data: If you have signed up for our newsletter (either on your own through a form or automatically when making a purchase), we process your email address and possibly your first name (if you provided it to us for message personalization). Additionally, we may collect statistics on whether you open our messages and click on links – this helps us evaluate whether our newsletter is interesting to recipients.

  • Purpose: Sending you commercial and inspirational information by electronic means regarding our Service and related content. In other words, the newsletter includes both marketing content (e.g. information about new plans, promotions, our products) and substantive content (tips, articles, news about app development). The open and click statistics are used for internal effectiveness analysis – we want to know if our subscribers read the newsletter and what interests them in order to improve it.

  • Legal Basis:

    • If you are a person who signed up voluntarily for the newsletter (e.g. via a form on the site), the basis is your consent (Art. 6(1)(a) GDPR) given by explicitly subscribing to the mailing list. You have the right to withdraw this consent at any time (which does not affect the lawfulness of processing prior to withdrawal) – by unsubscribing from the newsletter.
    • If you are our customer (e.g. you purchased a subscription), we may send you the newsletter based on the legitimate interest of the Controller (Art. 6(1)(f) GDPR) in maintaining a relationship with a client and informing them about updates to our own products and services. This is also permitted by Article 10 of the Act on Providing Services by Electronic Means and Article 172 of the Telecommunications Law – these laws allow sending commercial information by email to existing customers regarding our own, similar products or services, provided the customer has the ability to easily opt out. We ensure such an opt-out option at all times (an "unsubscribe" link in the footer of each message). When purchasing a subscription, we inform you that your email may be used for marketing communication about similar LetterOnCloud services.
    • In both of the above cases (consent or legitimate interest) you have the right to object to the processing of your data for marketing purposes – you can always unsubscribe from the newsletter, and we will then stop processing your email for this purpose.

  • Note: Unsubscribing from the newsletter does not affect any potentially important transactional or administrative communications that we may occasionally send to all users (e.g. a notification of a significant change in the Terms or a technical outage). Such messages are not marketing communications, but part of service operation (basis: performance of the contract or a legal obligation to inform of changes).

  • Waiting List: If you provided your email on a waiting list (e.g. before the service launch), we will use it only to send you a one-time (or possibly a few) message informing you about the service launch, beta availability, etc. After fulfilling this purpose, your address may be deleted from the waiting list. If in the meantime you have given consent to join the regular newsletter, your address will be moved to the newsletter database (otherwise, we will not send you further communications).

  • Purpose: Maintaining contact with you prior to the service launch, reminding you about our product when it becomes available.

  • Legal Basis: Your consent (Art. 6(1)(a) GDPR) – you join the waiting list voluntarily in anticipation of information. You can withdraw at any time (for instance, by replying to a received email with a request for removal).

2.5. Data Collected Automatically When Using the Website (Cookies and Logs)

  • Server Logs: When you visit our website (e.g. read a service description, documentation, Privacy Policy) or use the application, our servers automatically record standard HTTP logs. These logs include, among other things, your device's IP address, the date and time of the visit, the URL of the requested resource, information about the browser and operating system (the user-agent string), and possibly the referring page (referrer).

  • Purpose: Ensuring the security and proper functioning of the web service. We primarily use logs for technical purposes – e.g. monitoring the server's operation, diagnosing any issues (HTTP errors, DDoS attacks, etc.), as well as for statistical purposes (e.g. counting which subpages are most frequently viewed, from which countries visitors come).

  • Legal Basis: Our legitimate interest (Art. 6(1)(f) GDPR) – consisting in ensuring the security of the services, detecting errors, and analyzing how the site is used in order to improve it. Log data are not directly associated with specific registered users and are primarily for system administrators. Server logs are retained for a limited period (usually up to 30 days) and only authorized technical personnel have access to them.

  • Cookies: Our website and application use cookies and similar technologies (e.g. localStorage) – these are small files or pieces of information stored in your web browser. Cookies may pertain to:

    • Essential elements – e.g. session cookies storing your session identifier after logging in, so you do not have to re-enter your password when navigating between pages. Without these cookies, our application could not function properly (since HTTP is a stateless protocol and cookies allow maintaining the login state).
    • Preferences – e.g. remembering the selected interface language (if we offer multiple languages) or your settings (dark/light theme).
    • Analytics – we may use analytical tools (like Google Analytics, Matomo, or similar) that use cookies to collect information about traffic on the site (anonymously, for statistics). At present, we are trying to limit the use of external analytics tools – however, if we implement them, we will inform you and ask for consent if required.
    • Marketing – at this moment we do not use any own marketing cookies or third-party tracking (e.g. Facebook pixels) on our site. If this changes, appropriate cookie consent mechanisms will be implemented.

  • Purpose: Essential cookies – ensuring the Service's functionality (maintaining login sessions, saving settings). Analytical cookies – learning about and analyzing user traffic on the site, which allows improving the site's content and usability (e.g. learning which sections of the site are most viewed, how users navigate).

  • Legal Basis:

    • For essential cookies – Art. 6(1)(b) GDPR (necessity to perform a contract/service that the user has requested). These files are necessary for the service to operate as expected (e.g. to keep you logged in). According to the Telecommunications Law, we do not need to obtain separate consent for essential cookies.
    • For any analytical and optional cookies – the basis will be the user's consent (Art. 6(1)(a) GDPR) expressed through the appropriate setting in a cookie banner or the browser (depending on applicable laws and the solution adopted). If we implement such cookies, you will see a relevant message on your first visit asking for acceptance or configuration of preferences. You have the right to refuse and continue using the site without analytical cookies – this will not affect the basic functions.

3. Disclosure of Data – Recipients of Personal Data

In order to provide our services, we use the assistance of trusted third parties. Your personal data may be entrusted to them for processing (or in certain situations disclosed to them as independent controllers) to the extent necessary to support our services. Below is a list of the main categories of data recipients:

  • Hosting and Infrastructure Providers:

    • We use the Supabase platform (Supabase, Inc.) as a database backend and user authentication system. Data such as your profile, newsletter content, etc., are stored in a Supabase database located on servers in the European Union (for example, in the Frankfurt, Germany region). Supabase, Inc. is based in the USA, but has committed to abide by the EU Standard Contractual Clauses (SCCs) for data transfers and maintains EU-based infrastructure compliant with GDPR.
    • DigitalOcean (DigitalOcean, LLC) – cloud services used to host our application (application servers). The servers are located in data centers within the EU (e.g. in Germany or the Netherlands). Although DigitalOcean is a US company, it also ensures standard safeguards (SCCs) for data stored in Europe. These entities process your data only on our instructions, for the purposes of maintaining and managing the Service's infrastructure. We have signed appropriate data processing agreements (DPAs) with them, which guarantee that the data are protected and will not be used for other purposes.

  • Email and Communication Services:

    • AWS SES (Simple Email Service) – a service by Amazon Web Services, Inc. used for sending emails from our system (e.g. verification emails, password resets, system notifications). We select a European region (e.g. AWS EU-West/Ireland) to handle sending, so that data contained in the emails (e.g. your address, the content of the notification) are processed on servers in the EU. AWS, as a US corporation, also operates under compliance mechanisms (SCCs) in the event of any access from outside the EU.
    • Mailgun (Mailgun Technologies) – we use Mailgun's European infrastructure (EU region) to handle certain mail functions: likely for receiving messages sent to your LetterOnCloud alias *@app.letteroncloud.com. When a newsletter publisher sends an email to your LetterOnCloud alias, it is directed to our mail system operated by Mailgun EU. Mailgun logs metadata of the message (sender, recipient, timestamp) and forwards the content of the message to us for storage in our database. Mailgun may also be used for distributing our marketing newsletter. Mailgun has servers among others in the EU, and Mailgun Technologies has an entity in the EU (e.g. Mailgun UK/EU). We have ensured in our agreement that EU users' data will be processed in Europe. These services act as our processors – meaning they utilize your data only according to our instructions, e.g. to deliver an email. They ensure an appropriate level of security (encrypted transmission, anti-spam measures).

  • Payment Operator:

    • We have integrated card and online payment processing with Stripe Payments Europe, Ltd. (Stripe's entity based in Ireland). Stripe operates in compliance with PCI-DSS security standards and meets strict data protection standards for financial data. At the time of payment, Stripe receives your card data and processes it as an independent data controller for the purpose of authorizing the transaction. Stripe provides us with the following data: a unique payer identifier (customer ID), information on whether the payment was successful, the last 4 digits of the card, card type, expiration date, as well as your name and address (if you provided them for invoicing). Stripe may also process your IP address, browser fingerprint, and other data needed for fraud detection.
    • Purpose of data transfer to Stripe: to facilitate a secure payment and manage recurring subscriptions (Stripe stores your card token in order to charge subsequent periodic payments until cancellation).
    • Legal basis for transfer: necessity to perform the contract (Art. 6(1)(b) GDPR) – we cannot provide online payment functionality without involving an intermediary like Stripe. Additionally, by doing so we fulfill the obligation to ensure payment security; using a reputable payment operator is also in the legitimate interest of both us and you (a secure, encrypted transaction).
    • Note: Stripe may transfer your data outside the EEA (e.g. to the USA) as part of its global infrastructure, but it uses the EU Standard Contractual Clauses approved by the European Commission, ensuring GDPR compliance. See Stripe's privacy policy for details: https://stripe.com/privacy.

  • Analytics and Auxiliary Tool Providers:

    • We may use certain tools that improve the functioning of the Service, e.g. analytics services (Google Analytics, Matomo) or user communication tools (support chat, ticketing system). If we use them, we will inform you in this Policy. At present, we aim to limit the use of external tools to minimize data transfer. Any tools that are enabled will be configured to transmit as little personal data as possible (e.g. IP anonymization in Google Analytics). Each such tool will operate either as our processor (processing data on our behalf) or – if it requires your consent – we will only activate it after obtaining such consent (e.g. analytical cookies).

  • Public Authorities:

    • At the request of authorized public authorities (e.g. a court, prosecutor's office, police), we may be obliged to disclose certain personal data of users – in accordance with applicable law. We will provide data only when an authority presents a valid legal basis (e.g. a court order) authorizing the request for data.
    • Moreover, we may disclose certain information to lawyers, advisors, or authorities in the course of defending against legal claims or pursuing our rights (our legitimate legal interest).

  • Change of Ownership:

    • If in the future our business is transformed, sold, or merged with another entity, the Service's user data may become part of the transferred assets. Any potential legal successor will be obliged to protect the data in a manner no less stringent than we do, and users will be informed of the change of data controller. The basis for such transfer is the legitimate interest in enabling continuity of the service (Art. 6(1)(f) GDPR).

We assure you that we do not sell your personal data to any third parties for their own marketing purposes. All recipients to whom we entrust data processing guarantee – by virtue of an agreement with us – the implementation of appropriate data protection and confidentiality measures.

4. Transfer of Data Outside the European Economic Area (EEA)

As far as possible, we try to store and process your personal data within the European Economic Area (EEA). The servers used by our Service are located in EU countries. Nevertheless, some of our technology partners have headquarters or infrastructures outside the EEA (e.g. in the United States). This applies to, among others: Supabase, DigitalOcean, Amazon (AWS), Mailgun, Stripe, Google (if we use their services).

If it happens that your data are transferred outside the EEA, we ensure the application of one of the following compliance mechanisms as required by the GDPR:

  • Adequacy Decision – if data are transferred to a country that the European Commission has deemed as providing an adequate level of personal data protection (e.g. to the United Kingdom, Switzerland, Israel – in case any of our providers operated there).
  • EU Standard Contractual Clauses (SCCs) – i.e. contractual commitments adopted between us and the data recipient which guarantee protection at the level required by EU law. Our providers (like Stripe, AWS, Supabase) incorporate such clauses into agreements with us, obligating them to adhere to GDPR principles when transferring data.
  • Binding Corporate Rules – some global companies have internal data protection policies approved by supervisory authorities (BCRs).
  • Derogations (Art. 49 GDPR) – a transfer may also be legally permissible if it is necessary for the performance of a contract with you (e.g. when communication via email naturally involves servers outside the EEA) or based on your explicit consent (however, we do not rely on consent for routine transfers).

We strive to ensure that any data sent outside the EEA are properly encrypted and secured. If you wish to obtain a copy of the safeguards applied for a transfer (e.g. contractual clauses), please contact us.

Example: Your email address used for sending a marketing newsletter might be processed by Mailgun, which has servers and headquarters also in the USA – in that case it is protected by standard contractual clauses. Similarly, if you log in via Google, certain authentication data flow to Google LLC in the USA – this is based on SCCs and your interaction (your agreement with Google at the moment of logging in).

5. Period of Personal Data Retention

We retain your personal data no longer than is necessary to achieve the purposes for which it was collected, or to fulfill legal requirements. The retention period varies depending on the category of data:

  • Account Data and Newsletter Content: We retain your profile data, settings, and collected newsletters as long as you actively use the Service and have an Account. If you decide to delete your Account, then generally we will delete all data associated with your Account (newsletter content, your notes, email alias, etc.) promptly, and at the latest within 30 days of deletion (sometimes we need a bit of time to remove data from backups). Information that you had an Account (e.g. your email address and the fact of deletion) may be kept longer in a so-called suppression list, to prevent creating another Account with the same email if, for example, it was banned for abuse – this is our legitimate security interest (such data are usually retained for 2–3 years).
  • Transaction Data (Payments, Invoices): Data about payments made (transaction information) will be retained for the period required by tax and accounting regulations. In Poland, accounting documents (VAT invoices) must be archived for 5 fiscal years, counting from the end of the year in which the tax obligation arose (for example, an invoice from 2025 – until the end of 2030). Similarly, records of online sales will be kept for that time. These data may be retained longer if needed for the establishment, exercise, or defense of claims (e.g. if in the 6th year after a transaction it serves as evidence in a court case).
  • System Logs: Server and application logs, which may contain your IP address or session identifiers, are stored for up to 30 days (in typical cases) or slightly longer if they serve security purposes (e.g. security incident logs might be kept until the issue is resolved). Data on activity within the application (e.g. account action logs) may be stored for up to 12 months for analytical purposes and potential auditing.
  • Marketing Newsletter: We process your email address for sending the newsletter until you are a subscriber. After you unsubscribe from the newsletter (or withdraw consent/object), your email address will be removed from the mailing list immediately. However, our system may retain information that you opted out, so that we do not send you messages again (a suppress list of unsubscribed addresses may be kept indefinitely for evidentiary purposes and to prevent accidental re-subscription – this is allowed under GDPR as fulfilling the obligation not to send spam).
  • Waiting List: Email addresses from waiting lists are retained until the promised information is sent (e.g. a message about the service launch). Afterwards, if we do not convert those addresses into newsletter subscribers (with consent), we usually delete them within 3 months from the service launch.
  • Data Needed for Establishment, Pursuit, or Defense of Claims: If you decide to delete your Account or exercise another right to delete data, we may retain certain limited information about you if it is necessary for the establishment, exercise, or defense of claims – for example, a record that you used the service during a given period, correspondence with you, etc. However, we will keep such data only for as long as claims may potentially arise (e.g. the typical limitation period for consumer claims in Poland is 6 years). Afterwards, they will be deleted or anonymized.

After the relevant retention periods have elapsed, your data are deleted or anonymized (irreversibly stripped of identifying characteristics). We may retain certain anonymized, aggregate information for statistical purposes (which is no longer personal data).

6. Your Rights Related to Data Processing

In accordance with the GDPR, you have the following rights with regard to your personal data:

  • Right of Access to Data – you have the right to obtain information on whether we are processing your personal data, and if so, to receive a copy of it along with all essential information about the processing (purposes, categories of data, recipients, planned retention period, your rights, etc.). Most of this information is included in this Policy. You may also request that we confirm what specific data we hold about you and ask for it to be provided (in paper or electronic form). The first copy of data is free of charge; for additional copies we may charge an administrative fee.

  • Right to Rectification of Data – you have the right to request correction of your data if it is incorrect or outdated, as well as the completion of incomplete data. You can edit many of your details (e.g. profile information) yourself after logging into your Account on the Service. In other cases, we will correct them at your request.

  • Right to Erasure of Data ("Right to be Forgotten") – you have the right to request deletion of your personal data if: (a) the data are no longer necessary for the purposes for which they were collected, (b) you have withdrawn consent for processing and we have no other legal basis, (c) you have filed an effective objection to processing (see below), (d) the data were processed unlawfully, or (e) we must delete them to comply with a legal obligation. Keep in mind that the right to erasure is not absolute – for example, we cannot delete data that we must retain by law (see the section on retention periods). When a condition for deletion is met, we will of course comply with your request. Deletion of your Account (which you can do on your own) is equivalent to deletion of most data, subject to exceptions described in this Policy (e.g. transaction data).

  • Right to Restriction of Processing – meaning the right to request that we temporarily "freeze" the processing of your data (aside from storage) in the following situations: (a) you contest the accuracy of the data – for a period allowing us to verify it; (b) processing is unlawful, but you do not want the data erased, only restricted; (c) we no longer need the data, but you need them for the establishment, exercise, or defense of claims; (d) you have objected – pending determination of whether our legitimate grounds override yours. During the restriction, we may only store the data (and possibly process them with your consent or for the establishment or defense of claims or to protect another person's rights). We will inform you before lifting any restriction.

  • Right to Data Portability – you have the right to receive from us the personal data that you have provided to us, in a structured, commonly used, machine-readable format (e.g. CSV, JSON). This pertains to data processed based on your consent or on a contract and processed by automated means (e.g. account data, newsletter history). You may also request that we transmit this data directly to another controller (if technically feasible).

  • Right to Object – you have the right at any time to object to the processing of your data that is based on our legitimate interest (Art. 6(1)(f) GDPR), on grounds related to your particular situation. After an objection, we must cease such processing unless we demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or there are grounds for the establishment, exercise, or defense of legal claims. Important: If your data are processed for direct marketing purposes (e.g. our marketing newsletter), you may object in all cases and without any justification – in which event we must always cease such marketing. In practice, you exercise objection to marketing by unsubscribing from the newsletter (or contacting us).

  • Right to Withdraw Consent – to the extent that processing is based on your consent (Art. 6(1)(a) GDPR), you have the right to withdraw it at any time. Withdrawal of consent, however, does not affect the lawfulness of processing prior to its withdrawal. Examples: you withdraw consent for the newsletter by clicking "Unsubscribe"; you withdraw consent for Google integration by disconnecting our access via your Google account management page; you change analytic cookie consent via the cookie settings. You can also always contact us to withdraw consent.

  • Right not to be Subject to Automated Decision-Making: We ensure that we do not make decisions about you based solely on automated processing (including profiling) that would produce legal effects concerning you or similarly significantly affect you. Profiling in our service is only used for content recommendations and personalization – it does not have a negative impact on your rights. If this ever changes, you would have the right to human intervention in such a decision.

To exercise your rights, please contact us (contact information is provided in point 1 of this Policy). It will facilitate matters if you specify which email address you use in the Service (so we can locate you in our database) and which right you wish to exercise. Upon your request we may ask for additional information to verify your identity (e.g. to log into the Account or to provide certain data associated with it) to make sure that it is you who is entitled to make the request.

We will respond to your requests without undue delay – within 1 month of receiving the request at the latest. This period may be extended by a further 2 months due to the complexity of the request or the number of requests – in such a case we will inform you of the extension and the reasons.

If we consider a request to be manifestly unfounded or excessive (e.g. it repeats without a substantive reason), we may refuse to act on it or charge an administrative fee (in accordance with Art. 12(5) GDPR). Fortunately, to date we have not encountered such situations – we respect your rights and strive to fulfill them diligently.

7. Right to Lodge a Complaint with a Supervisory Authority

We will make every effort to protect your data and respect your rights. However, if you believe that we are processing your data unlawfully or have not fulfilled your requests properly, you have the right to submit a complaint to the competent data protection supervisory authority.

Our headquarters is in Poland, so the competent authority is:

President of the Personal Data Protection Office (PUODO) Address: ul. Stawki 2, 00-193 Warsaw, Poland Helpline: +48 606-950-000 Website: https://uodo.gov.pl/pl/p/kontakt

You may also contact the supervisory authority in the EU member state where you habitually reside or work (if that is a country other than Poland). That authority will forward the case to PUODO.

We do encourage, however, that before lodging an official complaint you reach out to us – we will strive to clarify the situation and resolve the problem amicably. Your satisfaction and privacy are important to us.

8. Information Security

We implement appropriate security measures to protect your data against unauthorized access, disclosure, alteration, or destruction. These include, among others:

  • Encryption of the connection to our website and application via HTTPS/SSL.
  • Storing Account passwords in a hashed form using a modern algorithm – no one (not even us) can see your password in plain text.
  • Limiting access to databases and systems only to persons who need to use them (principle of least privilege), and using multi-factor authentication wherever possible.
  • Regular software updates and monitoring of systems for potential security vulnerabilities.
  • Data backups stored in secure data centers, to protect against loss due to failure.
  • Signing data processing agreements with entities processing data on our behalf that ensure confidentiality and implementation of technical data protection measures.
  • We maintain internal policies and procedures for handling personal data and responding to security incidents.

Remember that you also play an important role in protecting your data. Please:

  • Use a unique, strong password for your LetterOnCloud Account and do not disclose it to anyone.
  • Be vigilant for suspicious emails pretending to be from us (phishing). Genuine messages from us will originate from our official domain (e.g. emails ending in @letteroncloud.com).
  • Log out of your Account and close your browser after finishing your session, especially on shared devices.
  • Notify us immediately if you notice any unusual activity on your Account (e.g. an unknown login).

In the event that we identify a data security breach (e.g. a leak) that may pose a high risk to your rights and freedoms, we commit to inform you as well as the appropriate supervisory authority in accordance with our legal obligation (Articles 33–34 GDPR).

9. Changes to the Privacy Policy

We may periodically update this Privacy Policy in the event of changes in our operations or changes in law. We will inform you of any material changes by a clear notice: a communication on the Service and (if possible) an email message.

Changes to the Policy may result from, among other things: the introduction of new functionalities (e.g. a new partner or integration), legal changes (e.g. new guidelines from a supervisory authority), or the transfer of our operations to another entity. In each case, we ensure that your rights are not infringed.

We encourage you to regularly review the Privacy Policy to stay informed about how we protect your data. The current version of the document will always be available on our website. Each version will have a stated effective date.

If after any changes you continue to use the Service, this will signify acceptance of the updated Privacy Policy (provided the changes do not require separate consent). If obtaining new consent for data processing is required (e.g. if we wanted to process your data for a new purpose), we will ask you for such consent separately.

10. Contact and Summary

If you have any questions, comments, or concerns regarding this Privacy Policy or the protection of your data in LetterOnCloud generally, we encourage you to contact us at: privacy@letteroncloud.com.

Your privacy is important to us. We make every effort to ensure that data are processed minimally, securely, and transparently. Thank you for trusting LetterOnCloud with some of your information – in return we strive to deliver you a valuable service and to protect your rights.

Effective date of this Privacy Policy: __ (day, month, year)__.