KlasyKasa

Privacy Policy

version 1.1.0 · Jun 11, 2026

1. Data controller

The controller of personal data processed in the KlasyKasa application is Piotr Zalewa, conducting business under the name Piotr Zalewa NOD, ul. Kamykowa 6, 87-134 Rozgarty, Poland, NIP (tax ID) 8791049974, REGON 870598601, registered in the Polish Central Register of Business Activity (CEIDG) (the "Operator"). The Operator can be reached at contact@nod.consulting.

2. Categories of data processed

Account data of the treasurer:

  • email address and full name (if provided by the sign-in provider);
  • account creation timestamp and Terms acceptance timestamp;
  • preferred interface language.

Data entered by the treasurer:

  • class names and student lists (first name, last name, optional initials for public reports);
  • contributions, payments and expenses, plus settlement records;
  • email addresses of parents/guardians entered by the treasurer for report sharing or communication.

Billing data for use of the Service:

  • invoice buyer profile: buyer type (private person / business), full name or company name, address, optional NIP and REGON;
  • payment history for the Service (payment identifiers at the payment provider Stripe, amounts, dates, refund status) and issued invoices, together with a snapshot of the buyer details from the time of purchase.

Payment card or BLIK details are not processed by the Service — you enter them only in the payment provider Stripe's form.

Technical data:

  • IP address and session identifier during sign-in (anti-bot mechanism);
  • application audit log referencing operations performed by the user.

3. Purposes and legal bases of processing

Purpose Legal basis
Providing the Service (account and recordkeeping) Art. 6(1)(b) GDPR — performance of a contract
Processing payments for the Service and issuing invoices (incl. KSeF) Art. 6(1)(b) and (c) GDPR
Compliance with legal obligations (accounting, tax, GDPR) Art. 6(1)(c) GDPR
Application security (anti-bot, audit log) Art. 6(1)(f) GDPR — legitimate interest
Service-related communication (Terms change notices) Art. 6(1)(b)/(f) GDPR
Own marketing (if introduced) Art. 6(1)(a) GDPR — consent

4. Recipients

Data is shared with the following processors under data processing agreements (DPAs):

  • Vercel — application hosting and edge runtime
  • Neon — Postgres database
  • Brevo — transactional email delivery (sign-in links, payment- and invoice-related notifications)
  • Stripe — payment processing for the Service (you provide payment details directly to Stripe; the Service receives payment identifiers and statuses)
  • Cloudflare — Turnstile (anti-bot on the sign-in screen) and R2 storage (encrypted database backups and encrypted invoice artifacts)
  • Google — OAuth sign-in provider (if Google sign-in is selected)
  • Apple — OAuth sign-in provider (if Apple sign-in is selected)

The full list of processors with their roles and processing locations is maintained in docs/legal/processors.md in the application repository and is kept consistent with this policy.

Independently of the list above, data contained on invoices (full name or company name, address, NIP) is transmitted to the Polish National e-Invoicing System (KSeF) operated by the Ministry of Finance — in fulfilment of a legal obligation (Art. 6(1)(c) GDPR). The Ministry of Finance acts as a separate data controller in this respect.

5. Retention

  • Account and recordkeeping data — for the lifetime of an active account. After deletion, data is irreversibly removed in a single database transaction.
  • Audit log — after account deletion, historical entries remain in anonymised form (links to user and class are severed); the entries themselves are retained for forensic purposes pursuant to Art. 6(1)(f) GDPR.
  • Backups — a logical backup of the database is retained for up to 30 days on the weekly cycle and up to 12 months for monthly snapshots. Deleted data disappears from the most recent backups immediately; older backups retain it until the end of the retention cycle.
  • Invoices and related billing data — for the period required by tax law (as a rule, 5 years from the end of the calendar year in which the tax payment deadline fell); independently, KSeF stores invoices for 10 years. Unlike account and recordkeeping data, this data is not deleted when the account is deleted, because its retention follows from a legal obligation (Art. 6(1)(c) GDPR).

6. Your rights

You have the right to:

  • access your data (Art. 15 GDPR);
  • rectification (Art. 16 GDPR);
  • erasure ("right to be forgotten", Art. 17 GDPR) — provided self-service from Account settings;
  • portability (Art. 20 GDPR) — provided self-service via the export function in Account settings;
  • object to processing (Art. 21 GDPR);
  • lodge a complaint with the Polish supervisory authority (UODO).

For data of children entered by the treasurer into class records, these rights are exercised by the treasurer on instruction from the child's guardian — deleting an individual student record is available from Class settings.

7. Cookies

The application uses only cookies necessary for operation and for remembering preferences: session and sign-in security cookies (NextAuth), the Cloudflare Turnstile anti-bot cookie (sign-in screen only), and preference cookies — language choice and last-opened class.

We use no analytics or marketing cookies, so the application shows no cookie banner — none is required under GDPR/PECR for strictly-necessary cookies.

8. Changes to this Privacy Policy

The Operator may change this Policy after notifying Users. For material changes (expanded processing, new processor), the User will be asked to re-accept.

9. Contact

Questions about data processing can be sent to contact@nod.consulting.