Last updated: 19.01.2026

1. Data Controller

The personal data controller is Arnold Sztandarski, ul. Pierwiosnka 9, 83-050 Bąkowo, Poland (“Controller”).

Contact for privacy matters: kontakt@sellstar.pl.

2. Scope and sources of data

We process the data that you provide during registration, use of the Application, payments, or contact with us, in particular:

  • account data: e-mail, password (stored in encrypted form), first and last name (if provided),
  • technical and security data: device identifier (device_id), device fingerprint, operating system, application version, IP address, user-agent, authorization and security event logs,
  • subscription and billing data: plan, status, payment identifiers in Paddle,
  • usage/service data: number of requests, credits used, tokens, costs, statistics on feature usage,
  • data transmitted to AI: content entered by the user as part of AI functions (e.g. files, text excerpts, commands),
  • third-party data contained in files and materials entered into the Application by the user,
  • special categories of data within the meaning of Art. 9 GDPR, if the user enters them in the Customer Content,
  • contact details and correspondence content if you contact us by e-mail or ticketing system,
  • support ticket data: subject, content and attachments (png/jpg/csv/xml),
  • evidence of acceptance of documents: version of the Terms of Service and Privacy Policy and the date and time of acceptance.

3. Purposes and legal bases of processing

  • conclusion and performance of the Agreement and provision of the Service – Art. 6(1)(b) GDPR,
  • processing of Customer Content (including third-party data) and operation of AI functions – Art. 6(1)(b) GDPR; with respect to third-party data, we act as a processor pursuant to Art. 28 GDPR,
  • handling payments and settlements – Art. 6(1)(b) and (c) GDPR,
  • handling tickets, technical support and security – Art. 6(1)(f) GDPR,
  • operation of the ticketing system, including processing of attachments – Art. 6(1)(b) and (f) GDPR,
  • settlement of Service usage and control of limits (credits, tokens, costs, number of requests) – Art. 6(1)(b) and (f) GDPR,
  • documenting acceptance of the Terms of Service and Privacy Policy – Art. 6(1)(f) GDPR,
  • prevention of abuse, pursuit or defense of claims – Art. 6(1)(f) GDPR,
  • fulfilment of legal obligations (e.g. tax) – Art. 6(1)(c) GDPR.

4. Roles in processing third-party data (commissioned processing)

With respect to account, billing and contact data, the Controller acts as a data controller. If Customer Content contains third-party data, the Controller processes it solely for the purpose of providing the Service and in accordance with the Customer’s instructions, acting as a processor within the meaning of Art. 28 GDPR. The Customer remains the controller of this data and is responsible for having a legal basis and fulfilling information obligations towards the data subjects. Upon request, we provide a data processing agreement (DPA).

The Application does not block the entry of special categories of data. If the Customer processes such data, they should ensure an appropriate legal basis and security measures.

5. Data recipients and processors

Data may be transferred to entities processing it on our behalf, in particular:

  • Paddle – payment and invoicing handling (Merchant of Record, a separate data controller for payments),
  • OpenRouter – intermediation (proxy) in access to AI models and transfer of data to the selected model provider,
  • OpenAI – provider of selected AI models (if you choose OpenAI models),
  • Hetzner – server infrastructure,
  • providers of e-mail services (SMTP).

We share data only to the extent necessary to provide the services.

6. AI data and functions

AI functions are activated only at the user’s request. Data from files is transferred off the device only as part of AI functions. Data entered by the user is transmitted via the OpenRouter proxy to the selected model provider. Not all data is masked or anonymized. Some model providers, including selected providers available through OpenRouter, may use data to train models in accordance with their own policies. If you do not want your data to be transferred to AI providers, do not use the AI functions in the Application.

7. Payments

Payments are processed by Paddle, which acts as Merchant of Record. The Controller does not store payment card data. The scope of data transferred to Paddle follows from the payment process and Paddle’s requirements.

8. Data storage

  • account data – for the duration of the Agreement,
  • billing data – for the period required by law,
  • usage/service data – for the duration of the Agreement and the period necessary for settlement and usage analysis,
  • support ticket data and attachments – for the period necessary to handle the ticket and possible defense of claims,
  • evidence of acceptance of documents – for the duration of the Agreement and the period necessary for defense of claims,
  • technical data and logs – for the period necessary to ensure security and quality of services,
  • correspondence data – for the period necessary to handle the request and possible defense of claims.

After termination of the Agreement, data may be stored for the period necessary to fulfil legal obligations, settlements or defense of claims.

9. Your rights

You have the right to access your data, to have it rectified or erased, to restrict its processing, to data portability, to object to processing, and to lodge a complaint with the President of the Personal Data Protection Office (UODO).

Requests can be sent to: support@sellstar.pl.

10. Transfer of data outside the EEA

Some service providers may process data outside the European Economic Area. In such a case, we apply appropriate safeguards, such as standard contractual clauses, where required.

11. Security

We apply technical and organizational measures appropriate to the risk of processing, including encryption of transmission, access control and security monitoring.

12. Desktop application vs website

The desktop application does not use cookies. The website may use cookies and other technologies to the extent necessary for its operation. Details will be specified in the cookie policy on the website.

13. User age

The Application is intended for persons who are at least 16 years old. We do not knowingly collect data of persons under 16 years of age. If we receive information that such data has been provided to us, we will take steps to delete it.

14. Changes to the Privacy Policy

The Privacy Policy may be updated, in particular in case of changes to the Application’s functions or legal regulations. The current version is available in the Application and on the Service Provider’s website.