Privacy Policy

This Privacy Policy describes how DFirst.AI Sp. z o.o. (“DFirst AI”,
“Controller”, “we”, “us”, “our”), with registered office at Al. Piłsudskiego 17/4,
35-074 Rzeszów, Poland, processes personal data of users accessing our
website at https://dfirst.ai and our SaaS platform (collectively, the "Service").
We comply with the General Data Protection Regulation (GDPR/RODO) and
applicable national data protection laws.


1. Data Controller
The Data Controller is: DFirst.AI Sp. z o.o., Al. Piłsudskiego 17/4, 35-074
Rzeszów, Poland, NIP: 8172195459, REGON: 385128960
Contact: hello@dfirst.ai
Information Security Coordinator (Data Protection Officer):
michal@dfirst.ai


2. Categories of Personal Data and Processing Purposes
1) User Account Data:
a) Data: Name, surname, email, hashed password, company name, role,
avatar.
b) Purpose: Account creation, account management, user identification,
service communication.
c) Legal basis: Art. 6(1)(b) and (f) GDPR.


2) Billing and Payment Data:
a) Data: Billing address, payment transactions, card data (processed by
third-party payment providers; we only receive tokens or partial card details).
b) Purpose: Payment processing, subscription management, compliance with
financial obligations.
c) Legal basis: Art. 6(1)(b) and (c) GDPR.


3) User Content (Data Room, Files, AI Workflows):
a) Data: Marketing strategies, documents, images, files, videos, and any
user-generated content.
b) Purpose: Service provision, functionality enablement.
c) Legal basis: Art. 6(1)(b) GDPR.
d) Important: Private user data is not used for AI model training.


4) AI-Generated Content:
a) Data: AI-generated outputs based on your input.
b) Purpose: Provision of AI-driven features.
c) Legal basis: Art. 6(1)(b) GDPR.


5) Analytical and Technical Data:
a) Data: IP address, browser type, device info, user session duration.
b) Purpose: Security, service improvement, usage analysis.
c) Legal basis: Art. 6(1)(f) GDPR or user consent (Art. 6(1)(a) GDPR).


6) Communication Data:
a) Data: Correspondence content, customer support interactions.
b) Purpose: Customer service, improvement of the Service.
c) Legal basis: Art. 6(1)(b) and (f) GDPR.


7) Public AI Workflow Contributions:
a) Data: First name, last name, avatar (only with explicit consent).
b) Purpose: Public sharing and attribution of AI workflows.
c) Legal basis: User consent (Art. 6(1)(a) GDPR).


3. Data Retention
Data retention periods are detailed in our Data Processing Activities Register:
A) Account data: duration of the account's activity plus 5 years after
termination (legal compliance).
B) User content: active account period and 3 months post-deletion.
C) Billing data: retained for 5 years (tax regulations).
D) Marketing data: until consent is withdrawn.
E) Public workflows: may remain anonymous indefinitely after consent
withdrawal.


4. Data Sharing
We may share your personal data with:
A) IT, hosting providers (e.g., AWS), payment processors, and technical
support under Data Processing Agreements (DPAs).
B) AI model providers strictly for service delivery.
C) Public authorities where required by law.


5. International Transfers of Data
When transferring data outside the European Economic Area (EEA), we
implement adequate safeguards such as:
A) European Commission’s Standard Contractual Clauses (SCCs).
B) Additional technical measures ensuring data protection.

6. Data Subject Rights (DSAR)
According to GDPR Articles 12–22, you have rights to:
A) Access your data and obtain a copy.
B) Rectify incorrect data.
C) Request erasure ("right to be forgotten").
D) Restrict processing.
E) Data portability.
F) Object to processing.
G) Withdraw consent (if processing is based on consent).
H) Lodge a complaint with the Polish Data Protection Authority (UODO).
DSAR requests are processed promptly, within 30 days. Detailed procedures are
available in our internal Data Protection Policy.


7. Technical Measures Ensuring Data Security
We apply technical and organizational security measures including:
A) OAuth 2.0 Authentication.
B) Multi-Factor Authentication (MFA).
C) SSL/TLS encryption.
D) Zero-Trust principles.
E) Incident monitoring and response.


8. Cookies
We use cookies according to our separate Cookie Policy available on our website.


9. Children's Privacy
Our Service is not intended for individuals under the age of 16. We do not
knowingly collect personal data from children.


10. Policy Updates
Changes to this policy will be published on our website, with notification of
significant updates.


11. Contact Information
For privacy-related inquiries, please contact:
DFirst.AI Sp. z o.o.
Al. Piłsudskiego 17/4,
35-074 Rzeszów, Poland
Email: hello@dfirst.ai
Information Security Coordinator: michal@dfirst.ai