Privacy Policy

Last updated: March 18, 2026

1. Controller Identity

The data controller for personal data processed through PayGate is:

• Name: [Full Name]
• NIP: [NIP]
• Address: [Address]
• Email: privacy@getpaygate.com

The controller is a sole proprietor registered in the Central Register and Information on Economic Activity (CEIDG) of the Republic of Poland.

2. Data We Collect

2.1 Freelancers (Sellers)

When you register and use PayGate as a Freelancer, we collect:

• Account information: email address, display name.
• Stripe Connect data: Stripe Connected Account ID (created when you connect your Stripe account).
• File metadata: file names, file sizes, upload timestamps, and MIME types for Deliverables you upload.
• Transaction history: records of sales, fees, and payment statuses.
• Technical data: IP address, browser type, and device information collected automatically during your use of the Platform.

2.2 Clients (Buyers)

When you purchase a Deliverable through PayGate, we collect:

• Email address: as provided by the Freelancer or entered during checkout, for the purpose of delivering the purchased Deliverable.
• Technical data: IP address and browser information collected automatically.
• Payment data: all payment processing is handled by Stripe Payments Europe, Ltd. PayGate does not store credit card numbers, bank account details, or other sensitive payment information. Stripe is an independent data controller for payment data.

3. Legal Basis for Processing (GDPR Art. 6)

We process personal data under the following legal bases:

• Performance of a contract — Art. 6(1)(b): Processing is necessary to provide the Service, including account management, file hosting, payment facilitation, and delivery of Deliverables.
• Legitimate interests — Art. 6(1)(f): Processing is necessary for our legitimate interests, including platform security, fraud prevention, analytics to improve the Service, and enforcement of our Terms of Service.
• Legal obligation — Art. 6(1)(c): Processing is required to comply with legal obligations, including tax record-keeping (Polish tax law) and DAC7 reporting requirements (EU Directive 2021/514).
• Consent — Art. 6(1)(a): Where applicable, we process data based on your explicit consent, such as for marketing communications. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Data Sharing

We share personal data only with the following categories of recipients, and only to the extent necessary:

• Stripe Payments Europe, Ltd. — payment processing and Stripe Connect account management. Stripe acts as an independent data controller for payment data it processes.
• Supabase, Inc. — database hosting and authentication services (infrastructure hosted on AWS in the EU).
• Resend, Inc. — transactional email delivery (e.g., purchase confirmations, account notifications).
• Vercel, Inc. — application hosting, deployment, and edge network delivery.
• Polish National Revenue Administration (Krajowa Administracja Skarbowa, KAS) — Freelancer identification and transaction data as required by DAC7 reporting obligations.

PayGate does not sell personal data to any third party. We do not share data with advertisers, data brokers, or any party not listed above.

5. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law:

• Account data: retained for the duration of your account. Upon account deletion, personal data is removed within 30 days, except where retention is required by law.
• Transaction records: retained for 5 years from the date of the transaction, as required by Polish tax law (Ordynacja podatkowa).
• Uploaded files: automatically deleted 90 days after the last associated payment or the Deliverable's expiration date, whichever is later.
• DAC7 reporting data: retained for 5 years from the date of reporting, as required by EU Directive 2021/514.

6. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

• Right of access (Art. 15): You have the right to request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17): You have the right to request deletion of your personal data, subject to legal retention requirements.
• Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
• Right to object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling.

To exercise any of these rights, contact us at privacy@getpaygate.com. We will respond to your request within 30 days.

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO), ul. Stawki 2, 00-193 Warsaw, Poland.

7. Cookies

PayGate uses only essential cookies required for the Service to function:

• Supabase authentication cookies: HTTP-only, secure cookies used to maintain your authenticated session. These are strictly necessary and do not require consent under the ePrivacy Directive.

Analytics: PayGate uses Vercel Analytics, which is a cookie-free analytics solution. It collects aggregated, anonymized performance and usage metrics without placing any cookies on your device or tracking individual users.

PayGate does not use any advertising cookies, tracking cookies, or third-party cookies of any kind.

8. International Data Transfers

Your personal data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place for all international transfers:

• EU/EEA: Stripe Payments Europe, Ltd. processes payment data within the EU/EEA. Supabase infrastructure is hosted on AWS in the EU region.
• United States: Vercel, Inc. and certain AWS infrastructure used by Supabase may process data in the United States. These transfers are protected by the EU-U.S. Data Privacy Framework (adequacy decision by the European Commission, adopted July 10, 2023), under which both Vercel and AWS are certified participants.

Where the EU-U.S. Data Privacy Framework does not apply, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission to ensure an adequate level of data protection.

This document is provided for informational purposes. For legal advice, consult a qualified attorney.