Privacy Policy

How we handle information on the Redtail – Digital Provenance Platform.

Records include an on-chain transaction reference (tx hash) anchored on Base. No personal data is stored on-chain.

0. Controller & Contact

Controller: Hubert Szymański — sole proprietor

Address: Spółdzielcza 22/30, 26-110 Skarżysko-Kamienna, Poland

NIP (Tax ID): 6631718187

Contact: contact@redtail.id

1. What We Collect

  • Uploads: photos and PDF documents you submit to generate a provenance record.
  • Record content: information you enter (e.g. title, description, and attributes) and information generated as part of the record draft.
  • Account data: if you create an account — email address, authentication credentials, and profile information.
  • On-chain transaction reference: each record is anchored on the Base blockchain. The only element stored on-chain is the transaction hash (tx hash). No personal data, uploads, or record content is written to the blockchain.
  • Billing data: when you place a paid order, we store the charge amount, currency, due date, payment status, and Stripe transaction identifiers. We do not receive or store your card details.
  • Billing details for invoicing: if provided by the user, we process invoice-related information such as name, address, and tax identification number (for example VAT ID / NIP).
  • Waitlist: if you submit the private beta form, we collect your email address and selected segment.
  • Feedback: messages you voluntarily submit via the feedback widget (email is optional).
  • Basic technical data: standard server logs may include IP address, timestamps, and device/browser information for security and reliability.

Providing uploads and record details is necessary to generate a record. If you do not provide them, we cannot create a record.

Please do not upload sensitive personal data, confidential documents, or anything you would not want stored or potentially shared via a link.

2. How We Use the Information

  • To analyze your upload and generate a structured record draft.
  • To create, display, and let you revisit provenance records.
  • To process payments and manage billing.
  • To issue invoices and comply with tax and accounting obligations.
  • To send you order confirmations and billing-related communications.
  • To improve the product (bug fixes, UX decisions, roadmap priorities).
  • To contact you only if you requested it (waitlist / feedback follow-up).
  • To help prevent abuse and keep the service secure.

2A. Automated Processing (AI)

When you upload a file, we use third-party AI services (see §4 below) to analyze the upload and generate a structured record draft. This is automated processing used solely to operate the Service.

This automated analysis does not make decisions that produce legal effects concerning you or similarly significantly affect you. The generated draft is always presented for your review and editing before a record is created. You may modify or discard the draft.

3. Legal Bases (GDPR)

We process personal data based on one or more of the following legal bases:

  • Contract / steps prior to contract (Art. 6(1)(b)): to provide the Service, generate records from your inputs, and process billing.
  • Legitimate interests (Art. 6(1)(f)): to maintain security, prevent abuse, debug issues, and improve the Service.
  • Consent (Art. 6(1)(a), where applicable): for certain optional communications or features that require consent.
  • Legal obligations (Art. 6(1)(c), where applicable): to comply with law or respond to lawful requests, and for accounting and tax obligations related to paid services.

Where we rely on legitimate interests, we consider and balance those interests against your rights and expectations, and we minimize data use to what is necessary.

4. Sharing & Third-Party Services

We do not sell your data. We use the following third-party services to operate the platform:

  • Supabase (USA): database, authentication, and file storage. Supabase processes account data, uploads, and record content on our behalf. DPA in place.
  • OpenAI (USA): AI analysis to generate structured record drafts from uploaded files. Uploads and related metadata are sent to OpenAI solely for draft generation. DPA in place.
  • Vercel (USA): hosting and CDN. Vercel processes technical logs (IP addresses, request metadata) required to serve the website. DPA in place.
  • Stripe (USA / Ireland): payment processing. When you pay for a record, Stripe processes your payment information. We receive confirmation and transaction identifiers but do not receive card numbers. DPA in place.
  • Blockchain explorer (BaseScan): if you click a BaseScan link, your browser connects directly to BaseScan (a third party), which may receive your IP address and standard browser data. We do not control BaseScan.
  • Feedback delivery (Discord webhook): feedback messages may be delivered to a private internal channel via a Discord webhook so we can review and respond. Only the content you submit is transmitted.

We share data only to the extent needed to run the Service. Where relevant, providers act as processors under contractual terms (Data Processing Agreements).

5. International Transfers

Some of our processors are located in the United States. Your data may be transferred internationally.

Where required, we rely on appropriate safeguards for such transfers, including: the EU-U.S. Data Privacy Framework (where the processor is certified), Standard Contractual Clauses (SCCs), and supplementary technical measures (such as encryption in transit and at rest). We assess each provider's safeguards before engaging them.

6. Cookies & Local Storage

We do not use advertising or behavioural tracking cookies. The following technical storage is used:

  • sidebar-collapsed (localStorage): remembers whether you collapsed the navigation sidebar.
  • theme (localStorage): stores your light/dark mode preference.
  • rt_currency (cookie): stores your preferred display currency (PLN or EUR) for informational pricing display. This does not affect the billing currency, which is always PLN.
  • Authentication cookies (httpOnly): session management for logged-in users.

These are all strictly necessary or functional storage. No consent banner is currently required for these categories. If we introduce optional analytics or other non-essential storage in the future, we will request consent where required and provide controls to manage your choices.

7. Record Sharing & Public Links

Records may be shared via a link. Anyone with the link may be able to view the record. Treat record links as access keys.

Please do not upload sensitive personal data, confidential documents, or anything you would not want potentially shared.

8. Data Retention & Deletion

We retain data for the following periods:

  • Uploads and record content: as long as the record exists, plus up to 90 days after deletion to handle backup cycles.
  • Server logs: up to 90 days.
  • Billing and payment data: up to 5 years after the transaction, as required by Polish tax and accounting law.
  • Billing details for invoicing: for registered users, billing details may be retained as part of the account profile until changed or removed by the user, subject to legal retention obligations where invoice data must be preserved. For guest users, billing details are processed only for the relevant transaction and are not stored as a reusable billing profile for future use.
  • Waitlist entries: until you withdraw or we close the waitlist.
  • Feedback messages: up to 12 months, unless needed longer for follow-up.
  • On-chain references: immutable. Transaction hashes on the blockchain cannot be deleted.

Off-chain data (uploads, record pages) can be deleted on request where technically feasible. To request deletion, contact us at contact@redtail.id.

9. Your Rights

Depending on your location (including the EEA/UK), you may have rights to request access, correction, deletion, restriction, portability, or to object to processing.

You can withdraw consent at any time where processing is based on consent.

You also have the right to lodge a complaint with your supervisory authority (for Poland: Urząd Ochrony Danych Osobowych / UODO).

To exercise your rights, contact us at contact@redtail.id. We typically respond within one month. If we need more time due to complexity, we will inform you within that period.

Last updated: 09 April 2026