Privacy Policy
This Privacy Policy describes how personal data is processed in connection with the use of the Listoria service (listoria.app), for what purposes and on what legal basis.
1. Data controller
The data controller is Listoria, conducting unregistered economic activity under Article 5(1) of the Polish Entrepreneurs’ Law Act (the “Controller”).
Contact for data protection matters: kontakt@listoria.app.
2. Data we process
- Account data — email address, first and last name (if provided), hashed password, language, time zone.
- Studio profile — studio name, logo and contact details entered by the User for PDF exports.
- User-generated content — projects, product lists, cost estimates, moodboards, images, comments.
- Payment data — processed solely by Stripe; the Controller receives a customer ID and subscription status only, and has no access to full card numbers.
- Technical data — IP address, browser type, OS, in-app analytics events.
- Correspondence — content of messages sent to and from the Controller.
3. Purposes and legal bases
- Providing the service (account, Free and Pro plan features) — Article 6(1)(b) GDPR (contract).
- Payments and subscriptions — Article 6(1)(b) GDPR.
- Issuing receipts and tax records — Article 6(1)(c) GDPR (legal obligation).
- Communication (transactional notifications, replies) — Article 6(1)(b) and 6(1)(f) GDPR (legitimate interest).
- Analytics and service improvement — Article 6(1)(f) GDPR. Analytics data is aggregated and not used for profiling.
- Marketing (newsletter, if subscribed) — Article 6(1)(a) GDPR (consent). Consent may be withdrawn at any time.
- Claims handling — Article 6(1)(f) GDPR.
4. Recipients (processors)
The Controller engages the following processors, strictly to the extent necessary to provide the service:
- Supabase Inc. (USA, EU infrastructure) — database and authentication.
- Vercel Inc. (USA) — application hosting.
- Stripe Payments Europe, Limited (Ireland) — payments and subscriptions.
- Resend, Inc. (USA) — transactional email delivery.
- Google LLC (USA) — Google OAuth authentication (if the User chooses this sign-in method).
- Umami Software, Inc. — anonymous traffic analytics (no personal identifiers).
Transfers outside the European Economic Area are based on the Standard Contractual Clauses approved by the European Commission (Article 46 GDPR).
5. Retention
- Account data and user content — for as long as the account exists. After deletion, data is removed within 30 days (excluding backups, which rotate naturally).
- Billing data — 5 years from the end of the tax year (Polish Tax Ordinance Act).
- Correspondence — up to 3 years from last contact.
- Technical logs — up to 90 days.
6. Your rights
You have the right to:
- access your data,
- rectify your data,
- have your data erased (“right to be forgotten”),
- restrict processing,
- exercise data portability,
- object to processing,
- withdraw consent at any time (where processing is based on consent).
To exercise any of these rights, email kontakt@listoria.app.
You also have the right to lodge a complaint with the supervisory authority — the Polish President of the Office for Personal Data Protection (ul. Stawki 2, 00-193 Warsaw, Poland).
7. Cookies and similar technologies
- Strictly necessary cookies — required for the service to operate (session, settings, language). No consent required.
- Analytics cookies — help us understand how the service is used (Umami, anonymous, without advertising identifiers).
You can delete or block cookies in your browser settings at any time. Disabling strictly necessary cookies may prevent the service from working.
8. Security
The Controller applies technical and organisational measures appropriate to the risk: TLS/HTTPS, password hashing, Row Level Security at the database level, and access limited to the Controller. Payments are fully handled by Stripe (PCI DSS Level 1).
9. Children under 16
The service is not directed at children under 16. The Controller does not knowingly process children’s personal data. If you become aware that a child has created an account, please contact us — the account will be removed.
10. Changes to this Policy
This Privacy Policy may be updated. Material changes will be communicated by email or an in-app notice. The current version is always available at listoria.app/en/polityka-prywatnosci.
Last updated: May 12, 2026