Privacy Policy

Last Updated: February 10, 2026

Dokomat (“Company”, “we”, “us”, or “our”), based in Poznań, Poland, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at https://dokomat.com (“Service”), in compliance with the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and Polish data protection laws (Ustawa o ochronie danych osobowych).

1. Data Controller

The data controller for personal data collected through this website is:

• Company: SOFT AFFAIRS Sp. z o.o.
• KRS: 0000999132
• NIP: 7792546094
• REGON: 523483002
• Address: Pl. Wolnosci 6/108, 60-324 Poznan, Poland
• Email: info@softaffairs.com
• Data Protection Officer: dpo@softaffairs.com

2. Personal Data We Collect

2.1. Account Data

When you register for an account, we collect:

• Full name
• Email address
• Password (stored as a one-way cryptographic hash using Bcrypt)
• Phone number (optional)

2.2. Google OAuth Data

If you register or log in using Google, we receive:

• Google account ID
• Name and email address from your Google profile
• Profile picture URL

2.3. Billing Data

When you subscribe to a plan, we collect:

• Company name and NIP (Polish Tax ID)
• Representative first and last name
• Billing email and phone number
• Full address (street, building number, door number, post code, city, province)

2.4. Company Data

When you register a company profile, we collect:

• Company name, NIP, KRS, and REGON numbers
• Representative contact details
• Headquarters, correspondence, work, and living addresses

2.5. Employee Data

When you manage employees through the Platform, you may enter:

• Names, email, phone, date of birth, department, position
• PESEL (Polish National Identification Number)
• Passport number and residence card (karta pobytu) number
• Home address
• Uploaded documents: passport copies, work permits, employment contracts, medical certificates, safety certifications, and other employment-related documents

Important: Employee data is entered by you as the employer (Data Controller). Dokomat processes this data on your behalf as a Data Processor. You are responsible for ensuring lawful basis for processing employee data.

2.6. Communication Data

• Chat messages and file attachments sent through the support chat system

2.7. Technical and Security Data

We automatically collect:

• IP address
• Browser type and version (User Agent)
• Login timestamps and authentication status
• Activity logs (actions performed within the Platform)
• Security event logs

3. How We Use Your Data

Purpose	Legal Basis (GDPR Art. 6)
Account creation and authentication	Performance of contract (Art. 6(1)(b))
Processing subscription payments via Stripe	Performance of contract (Art. 6(1)(b))
Generating employment documents and letters	Performance of contract (Art. 6(1)(b))
Storing employee data on your behalf	Performance of contract (Art. 6(1)(b))
Providing customer support via chat	Performance of contract (Art. 6(1)(b))
AI-powered document extraction (optional)	Consent (Art. 6(1)(a))
Email notifications and service updates	Legitimate interest (Art. 6(1)(f))
Security monitoring and fraud prevention	Legitimate interest (Art. 6(1)(f))
Legal compliance (tax records, auditing)	Legal obligation (Art. 6(1)(c))

4. Third-Party Data Processors

We share personal data with the following third-party service providers, all of whom are contractually obligated to protect your data:

Service	Provider	Purpose	Data Shared	Location
Payment Processing	Stripe, Inc.	Subscription billing	Name, email, billing address; payment card data handled directly by Stripe	USA (EU-US Data Privacy Framework)
Authentication	Google LLC	OAuth login	Google ID, name, email, avatar	USA (EU-US Data Privacy Framework)
Real-time Messaging	Pusher Ltd.	Chat notifications	Message delivery metadata	EU (Ireland)
Email Delivery	Google LLC (Gmail SMTP)	Transactional emails	Recipient email, message content	USA (EU-US Data Privacy Framework)
AI Document Extraction	OpenRouter / Google Gemini	Extract data from document images	Document images (temporarily processed, not stored by provider)	USA
Bot Protection	ALTCHA (self-hosted)	CAPTCHA verification	No personal data shared	Self-hosted (Poland)
Invoice Generation	Fakturownia (Softie Sp. z o.o.)	Invoice generation and KSeF compliance	Company name, NIP, address, email	Poland

5. International Data Transfers

Some of our service providers are located outside the European Economic Area (EEA). We ensure adequate protection through:

• EU-US Data Privacy Framework certification (Stripe, Google)
• Standard Contractual Clauses (SCCs) where applicable
• Adequacy decisions by the European Commission

6. Data Retention

Data Type	Retention Period
Account data	Duration of account + 30 days after deletion
Billing data	5 years after last transaction (Polish tax law)
Employee data	Duration of account; deleted upon account closure request
Uploaded documents	Duration of account; deleted upon account closure request
Chat messages	Duration of account
Security and activity logs	12 months
Login history	6 months
Session data	120 minutes of inactivity (auto-expired)

7. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of Access (Art. 15) — Request a copy of all personal data we hold about you.
• Right to Rectification (Art. 16) — Correct inaccurate or incomplete data via your account settings.
• Right to Erasure (Art. 17) — Request deletion of your personal data (“right to be forgotten”).
• Right to Restriction (Art. 18) — Request limitation of processing in certain circumstances.
• Right to Data Portability (Art. 20) — Receive your data in a structured, machine-readable format.
• Right to Object (Art. 21) — Object to processing based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at info@softaffairs.com or our Data Protection Officer at dpo@softaffairs.com. We will respond within 30 days.

8. Data Security Measures

We implement the following security measures to protect your data:

• Encrypted sessions (database-stored, encrypted at rest)
• HTTPS-only connections with HSTS enforcement
• Bcrypt password hashing with high cost factor
• CSRF protection on all forms
• Content Security Policy (CSP) headers
• Private file storage with access controls for sensitive documents
• Optional Two-Factor Authentication (2FA)
• Rate limiting on authentication endpoints
• Activity and security logging for audit trails

9. Children’s Privacy

Dokomat is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect.

11. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with:

• Urząd Ochrony Danych Osobowych (UODO) — Polish Data Protection Authority
• ul. Stawki 2, 00-193 Warszawa, Poland
• Website: https://uodo.gov.pl

12. Contact

For any privacy-related inquiries:

• Company: SOFT AFFAIRS Sp. z o.o., KRS: 0000999132, NIP: 7792546094, REGON: 523483002
• Address: Pl. Wolnosci 6/108, 60-324 Poznan, Poland
• Email: info@softaffairs.com
• Data Protection Officer: dpo@softaffairs.com
• Website: https://dokomat.com