Privacy Policy and Cookies
Last updated: March 21, 2026
1. Data controller
The data controller is Balet Klasyczny — Nora Cotter-Szymik, registered at ul. Akacjowa 6i, 37-403 Pysznica, Poland, Tax ID (NIP): 8652590977 (hereinafter: "Controller"). Contact: fszymik@gmail.com. The Controller has not appointed a Data Protection Officer. For all data protection matters, contact the Controller directly at the email address above.
2. Types of data collected
The Controller collects the following personal data:
- Email address: provided during account registration. Providing this data is a contractual requirement necessary for account creation. Without it, use of the Service is not possible.
- Property photos: uploaded to generate virtual staging.
- Property data: information provided in the description generator form (type, area, location, etc.).
- Payment data: processed by Stripe; the Controller does not store credit card data.
3. Processing purposes
- Creating and managing user accounts (authentication).
- Providing the virtual staging service by processing photos through our system.
- Providing the description generator service by generating text based on property data.
- Processing payments for credits (photos).
- Communicating with the user (complaint handling, information about terms changes).
The Controller does not use personal data for profiling or automated decision-making within the meaning of Article 22 of the GDPR.
4. Legal bases for processing (GDPR)
- Art. 6(1)(b): performance of a contract (provision of services).
- Art. 6(1)(a): consent (acceptance of terms of service and privacy policy during registration).
- Art. 6(1)(f): legitimate interest of the controller (service security, fraud prevention).
- Art. 6(1)(c): legal obligation (tax record-keeping requirements).
5. Sharing data with third parties
Data may be shared with the following entities, each acting as a data processor under Article 28 GDPR. The Controller has entered into Data Processing Agreements (DPAs) with each provider:
- Supabase (USA). Database hosting and authentication. Data protected under Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR.
- Stripe (USA). Payment processing. Stripe is PCI DSS certified. Data transfers protected under Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR.
- Google Cloud (USA). Photo processing and description generation via API. Data transfers protected under Standard Contractual Clauses (SCCs) pursuant to Article 46(2)(c) GDPR.
All international data transfers to the United States are carried out in compliance with Chapter V of the GDPR, using Standard Contractual Clauses adopted by the European Commission as the primary safeguard mechanism.
6. Data retention
- Account data (email address, hashed password) is stored until the User deletes their account.
- Uploaded original photos and generated staging images are stored for a maximum of 30 days after generation, after which they are automatically deleted. Users may download their results within this period.
- Payment transaction data is stored for the period required by Polish tax law (5 years from the end of the tax year in which the transaction occurred).
- Property data submitted to the description generator is processed in real time and is not stored after the description is generated.
7. User rights
Under the GDPR, the User has the following rights:
- Right of access: to obtain information about processed data (Art. 15 GDPR).
- Right to rectification: to correct inaccurate data (Art. 16 GDPR).
- Right to erasure: to request data deletion — "right to be forgotten" (Art. 17 GDPR).
- Right to data portability: to receive data in a structured, commonly used, and machine-readable format (Art. 20 GDPR).
- Right to restriction of processing: in cases specified in Art. 18 GDPR.
- Right to object: to processing based on legitimate interest (Art. 21 GDPR).
- Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out before withdrawal (Art. 7(3) GDPR).
To exercise the above rights, please contact the Controller at: fszymik@gmail.com. The Controller will respond to requests within 30 days. The User also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland.
8. Cookies
The Service uses only cookies necessary for the proper functioning of the service. We do not use analytics or advertising cookies.
| Cookie / Storage | Purpose | Type | Lifetime |
|---|---|---|---|
| sb-*-auth-token | Authentication session (Supabase) | Essential | Session / until logout |
| __stripe_mid, __stripe_sid | Payment processing (Stripe) | Essential | Payment session |
| cookie_consent (localStorage) | Remembering cookie consent | Essential | Indefinite |
Users can manage cookies in their browser settings. Deleting session cookies will log you out of the service.
Instructions for managing cookies in popular browsers:
- Chrome: Settings → Privacy and security → Cookies
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Privacy → Cookies
9. Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the Controller will notify the supervisory authority (UODO) within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of Users, the Controller will also notify affected Users without undue delay, in accordance with Article 34 GDPR.
10. Changes to this policy
The Controller reserves the right to amend this Privacy Policy. Users will be notified of material changes by email at least 14 days before the changes take effect. The current version of the Privacy Policy is always available at the Service website.
11. Contact
For matters related to personal data protection, please contact us at: fszymik@gmail.com.