Privacy policy

How Redtail handles information across accounts, records, billing, and public verification links.

0. Controller & Contact

Controller: Hubert Szymański — sole proprietor

Address: Spółdzielcza 22/30, 26-110 Skarżysko-Kamienna, Poland

NIP (Tax ID): 6631718187

Contact: contact@redtail.id

1. What We Collect

  • Uploads: photos and PDF documents you submit to generate a provenance record.
  • Record content: information you enter (e.g. title, description, and attributes) and information generated as part of the record draft.
  • Account data: if you create an account — email address, authentication credentials, and profile information.
  • On-chain transaction reference: each record is anchored on the Base blockchain. The only element stored on-chain is the transaction hash (tx hash). No personal data, uploads, or record content is written to the blockchain.
  • Billing data: when you subscribe or make a payment, we store relevant billing metadata such as plan, amount, currency, payment status, renewal/cancellation status, Stripe customer/subscription/invoice identifiers, and legacy one-off billing records where applicable. We do not receive or store your card details.
  • Billing details for invoicing: if provided by the user, we process invoice-related information such as name, address, and tax identification number (for example VAT ID / NIP).
  • Contact form: if you submit the contact form on the homepage, we collect your work email address, the kind-of-operation segment you select, and any context you choose to provide.
  • Feedback: messages you voluntarily submit via the feedback widget (email is optional).
  • Basic technical data: standard server logs may include IP address, timestamps, and device/browser information for security and reliability.

Providing uploads and record details is necessary to generate a record. If you do not provide them, we cannot create a record.

Please do not upload sensitive personal data, confidential documents, or anything you would not want stored or potentially shared via a link.

2. How We Use the Information

  • To analyze your upload and generate a structured record draft.
  • To create, display, and let you revisit provenance records.
  • To process payments and manage billing.
  • To issue invoices and comply with tax and accounting obligations.
  • To send you order confirmations and billing-related communications.
  • To improve the product (bug fixes, UX decisions, roadmap priorities).
  • To respond to your contact form submission or feedback message, where you have requested it.
  • To help prevent abuse and keep the service secure.

2A. Automated Processing (AI)

When you upload a file, we use third-party AI services (see §4 below) to analyse the upload and generate a structured Record draft. This is automated processing used solely to operate the Service.

Uploads processed for AI-assisted draft generation are not used to train AI models, in line with our applicable provider terms.

This automated analysis does not make decisions that produce legal effects concerning you or similarly significantly affect you. The generated draft is always presented for your review and editing before a Record is created. You may modify or discard the draft.

3. Legal Bases (GDPR)

We process personal data based on one or more of the following legal bases:

  • Contract / steps prior to contract (Art. 6(1)(b)): to provide the Service, generate records from your inputs, and process billing.
  • Legitimate interests (Art. 6(1)(f)): to maintain security, prevent abuse, debug issues, and improve the Service.
  • Consent (Art. 6(1)(a), where applicable): for certain optional communications or features that require consent.
  • Legal obligations (Art. 6(1)(c), where applicable): to comply with law or respond to lawful requests, and for accounting and tax obligations related to paid services.

Where we rely on legitimate interests, we consider and balance those interests against your rights and expectations, and we minimize data use to what is necessary.

4. Sharing & Third-Party Services

We do not sell your data. We use the following third-party services to operate the Service:

  • Supabase (USA): database, authentication, and file storage. Supabase processes account data, uploads, and Record content on our behalf, under the provider's applicable data processing terms.
  • OpenAI (USA): AI-assisted analysis to generate structured Record drafts from uploaded files. Uploads and related metadata are sent to OpenAI solely for draft generation, under the provider's applicable data processing terms.
  • Vercel (USA): hosting and CDN. Vercel processes technical logs (IP addresses, request metadata) required to serve the website, under the provider's applicable data processing terms.
  • Stripe Payments Europe Ltd (Ireland), with parent group entities in the United States: payment processing for subscriptions and legacy payments. Stripe processes payment information and may generate subscription invoices, Stripe invoices, or payment documents. We receive confirmations and transaction identifiers but do not receive card numbers. Processing is governed by Stripe's applicable data processing terms.
  • Blockchain explorer (BaseScan): if you click a BaseScan link, your browser connects directly to BaseScan (a third party), which may receive your IP address and standard browser data. We do not control BaseScan.
  • Feedback delivery (Discord webhook): feedback messages may be delivered to a private internal channel via Discord webhook so we can review and respond. Only the content you submit is transmitted.

We share data only to the extent needed to run the Service. Where relevant, providers act as processors under their applicable data processing terms.

5. International Transfers

Some of our processors are located in the United States. Your data may be transferred internationally.

Where required, we rely on appropriate safeguards for such transfers, including: the EU-U.S. Data Privacy Framework (where the processor is certified), Standard Contractual Clauses (SCCs), and supplementary technical measures (such as encryption in transit and at rest). We assess each provider's safeguards before engaging them.

6. Cookies & Local Storage

We do not use advertising or behavioural tracking cookies. The following technical storage is used:

  • sidebar-collapsed (localStorage): remembers whether you collapsed the navigation sidebar.
  • theme (localStorage): stores your light/dark mode preference.
  • rt_currency (cookie): if used, stores your preferred display currency (PLN or EUR) for informational pricing display. This does not affect the binding billing currency, which is always PLN. EUR amounts shown in the interface are approximate and informational only — they are not an offer.
  • Authentication cookies (httpOnly): session management for logged-in users.

These are all strictly necessary or functional storage. No consent banner is currently required for these categories. If we introduce optional analytics or other non-essential storage in the future, we will request consent where required and provide controls to manage your choices.

7. Public Verification Pages

Records published through the Service have a public verification page at a URL of the form redtail.id/v/<...>. These pages are accessible to anyone with the link and may expose the Record's structured data, the issuer's stated identity, the on-chain anchor reference, and any media attached to the Record.

Please do not upload sensitive personal data, confidential documents, or anything you would not want to publish on a public website, unless you have the right and intent to publish it.

8. Data Retention & Deletion

We retain data for the following periods:

  • Uploads and record content: as long as the record exists, plus up to 90 days after deletion to handle backup cycles.
  • Server logs: up to 90 days.
  • Billing and payment data: up to 5 years after the transaction, as required by Polish tax and accounting law.
  • Billing details for invoicing: retained as part of the account profile until changed or removed by the user, subject to legal retention obligations where invoice data must be preserved.
  • Contact form messages: up to 24 months, unless needed longer for legitimate follow-up or business reasons, or shortened on request.
  • Feedback messages: up to 12 months, unless needed longer for follow-up.
  • On-chain references: immutable. Transaction hashes on the blockchain cannot be deleted.

Off-chain data (uploads, record pages) can be deleted on request where technically feasible. To request deletion, contact us at contact@redtail.id.

9. Your Rights

Depending on your location (including the EEA/UK), you may have rights to request access, correction, deletion, restriction, portability, or to object to processing.

You can withdraw consent at any time where processing is based on consent.

You also have the right to lodge a complaint with your supervisory authority (for Poland: Urząd Ochrony Danych Osobowych / UODO).

To exercise your rights, contact us at contact@redtail.id. We typically respond within one month. If we need more time due to complexity, we will inform you within that period.

Last updated: 04 June 2026