Privacy and cookies policy
This policy explains how we process personal data on bezchmury.app, in the demo form, on the newsletter/beta list and through technical mechanisms such as cookies, local storage, service worker and PWA caching. It does not govern the desktop BezChmury application, which is covered by separate licence, support and data-processing documents where applicable.
1. Controller identity and contact
The controller of personal data is:
E.P. INVEST SPOLKA Z OGRANICZONA ODPOWIEDZIALNOSCIA VILLA MAMMA SPOLKA KOMANDYTOWA
registered address: ul. Pruszkowska 52, 05-830 Nadarzyn, Poland
VAT ID: PL1251696873, KRS: 0000798843, REGON: 38409082400000
privacy contact: dominik@bezchmury.app
The controller details were verified in the open Polish KRS API (Otwarte API KRS): current extract of 05.05.2026, status as of 16.04.2026.
2. Scope
This policy covers the website, its forms, email enquiries sent to BezChmury and the website's technical mechanisms. The website itself is an online service. Product claims such as local or on-premise execution refer to the desktop product after installation, not to the public website.
3. Processing activities
Demo form and business contact
We process name, business email, optional phone, company name, optional Polish NIP/VAT ID, use case, number of seats, message, timestamp, a hashed representation of the IP address and browser user agent. The purpose is to handle the enquiry, prepare and run a demo, perform strictly related follow-up and keep evidence of the contact.
Legal basis: Article 6(1)(f) GDPR - legitimate interest in handling B2B enquiries initiated by the user. Where an individual takes steps before entering into a contract concerning them directly, Article 6(1)(b) GDPR may also apply to that extent.
Newsletter / beta list
We process email address, timestamp, consent state, consent version, hashed IP representation and user agent. Legal basis: Article 6(1)(a) GDPR - consent, plus Polish electronic communications rules requiring prior consent for commercial electronic communications.
The current implementation records the address as inactive beta-list interest. We do not currently send automated confirmation emails or a regular newsletter. When regular mailing starts, each message will contain an unsubscribe option.
Security and abuse prevention
We use CSRF tokens, minimum form-fill timing, rate limits, honeypot fields and server logs. We process technical metadata to protect the forms and website. Legal basis: Article 6(1)(f) GDPR and Article 32 GDPR.
4. Cookies, local storage and PWA
The website currently uses first-party technical mechanisms only: BCSESS session cookie for forms and CSRF protection, bc-theme in localStorage for display preference, and the service worker with Cache Storage for faster loading and offline fallback of static website assets. We do not currently use advertising cookies, social pixels, behavioural analytics or marketing automation trackers.
5. Recipients, transfers and retention
Data may be processed by the controller's authorised personnel, a Polish hosting/email provider (storing only the website files, technical logs, demo/newsletter form JSONL and @bezchmury.app email), legal/accounting advisers and public authorities where required by law. The hosting provider has no access to the desktop application or to customer documents processed by it (see section 7). We do not sell data and we do not share demo/newsletter data with third parties for their own marketing.
As a rule, demo and newsletter data is processed in Poland / the EEA. If we later add a payment provider, mailing provider, analytics or CRM involving transfers outside the EEA, this policy will be updated with the appropriate Chapter V GDPR transfer mechanism.
Demo enquiries are kept for up to 12 months after the last meaningful contact if no contract follows. Newsletter records are kept until consent withdrawal, with a limited suppression/evidence record where needed. Technical security logs are usually retained for 30-90 days unless needed for an incident or claim.
6. Your rights
You may request access, rectification, erasure, restriction and portability, object to processing based on legitimate interest, and withdraw consent at any time where consent is the legal basis. You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych. To exercise your rights, contact dominik@bezchmury.app.
7. Desktop application: role split and distribution
The website and the desktop application are two separate regimes. The website bezchmury.app is a standard online site (demo form, content, newsletter list) – its operation involves the hosting provider described in section 5. The BezChmury desktop application, by contrast, is software installed locally on the customer's machine and runs offline after installation.
The application is not made available for download from the website. Distribution happens off-site, in one of the following ways agreed individually with the customer: (a) an encrypted email attachment or one-time download link sent from a Provider @bezchmury.app mailbox, or (b) a physical medium (e.g. USB / SSD drive) delivered to the customer. In both channels the Provider processes only the customer's contact data necessary to deliver the package; the application binary itself is not uploaded to third-party services.
Once installed, the application runs 100% offline on the customer's device. Customer working documents fed into the application (invoices, JPK files, case files, correspondence, prompts and model outputs) do not, as a rule, leave the customer's device and are not transmitted to the Provider's hosting provider or to any third-party LLM provider. The application does not require an active network connection to the Provider's servers for day-to-day operation.
Where, in the course of support, diagnostics or implementation, the Provider would gain access to personal data processed by the customer (e.g. the customer voluntarily sends a sample of logs or an encrypted attachment), the parties enter into a separate data-processing agreement under Article 28 GDPR. Without such an agreement we do not accept customer data for analysis. We do not use customer data to train language models or to build training datasets.
This privacy notice is not a product document: licence scope, updates, support, telemetry, activation, KSeF connectivity and roles under GDPR are provided in the licence agreement and, where applicable, the data-processing agreement.
8. Changes
We may update this policy when the website, technical stack, sales process or legal environment changes. Version: 5 May 2026. Privacy contact: dominik@bezchmury.app.