Privacy Policy

Last updated: 31 May 2026

This Privacy Policy explains how we collect, use, and protect your personal data when you use Stawka — the VAT, FX and VIES API at stawka.eu (the “Service”). We are the controller of your personal data within the meaning of the EU General Data Protection Regulation (GDPR).

1. Who we are

The controller of your personal data is:

  • CodePile Dawid Redes
  • Wolności 278/0, 41-800 Zabrze, Poland
  • Tax ID (NIP): PL 6482815665
  • Contact: support@codepile.dev

We are not required to appoint a Data Protection Officer and have not done so. For any privacy matter, contact us at the address above.

2. What data we collect

We collect only the data we need to provide and secure the Service:

Account data

  • Your name and email address, received from Google when you sign in with your Google account.

Authentication & technical data

  • IP address and browser user-agent associated with your sessions.
  • Session identifiers used to keep you signed in.

Organization & API data

  • Organization name and settings.
  • API key metadata: an irreversible hash of each key, its short visible prefix, and creation, last-used and rotation timestamps. We never store the key itself in plain text.
  • Allowed browser origins and any webhook endpoint URLs you configure.

Usage data

  • For each API request: the endpoint called, response status, latency, the key and plan used, and a timestamp — recorded to operate, secure, and meter the Service.

Billing data

Payments are processed by Stripe. We never see or store your full card number. We store your Stripe customer and subscription identifiers, your plan, and related billing events.

Cookies

We use only essential and functional cookies — see section 4.

3. How and why we use your data

We process your personal data for the following purposes, on the following legal bases under Article 6 GDPR:

  • Providing the Service — creating your account, issuing API keys, serving API requests, and managing your organization and webhooks (Art. 6(1)(b), performance of a contract).
  • Security and abuse prevention — authentication, rate limiting, and detecting fraud or abuse (Art. 6(1)(f), legitimate interest).
  • Billing and accounting — processing subscriptions and keeping invoicing and tax records (Art. 6(1)(b) and 6(1)(c), contract and legal obligation under Polish tax law).
  • Service communications — sending essential messages about your account, security, or material changes (Art. 6(1)(b) and 6(1)(f)).
  • Maintaining and improving the Service — diagnosing problems and understanding aggregate usage (Art. 6(1)(f), legitimate interest).

4. Cookies

We use only strictly necessary and functional cookies. We do not use advertising, marketing, or third-party analytics cookies, and we do not track you across other websites. Because of this, no cookie-consent banner is required.

  • session — keeps you signed in (essential).
  • lang — remembers your language (English or Polish).
  • theme — remembers your light/dark preference.

5. Who we share data with

We do not sell your personal data. We share it only with the service providers (processors) needed to run Stawka, under data-processing agreements:

  • Cloudflare, Inc. — hosting, edge delivery, database, cache, and usage analytics.
  • Stripe — subscription billing and payment processing.
  • Google LLC — “Sign in with Google” authentication (only the profile data you authorise).

We may also disclose data where required by law or to establish, exercise, or defend legal claims, and to professional advisers (e.g. accountants) bound by confidentiality.

6. International data transfers

Some of our processors (such as Cloudflare, Stripe, and Google) may process data outside the European Economic Area. Where they do, the transfer is protected by an adequacy decision of the European Commission or by Standard Contractual Clauses, so your data continues to enjoy GDPR-level protection.

7. How long we keep your data

  • Account and organization data — for as long as your account exists, then deleted or anonymised within a reasonable period after you delete your account or organization.
  • API usage logs — retained for a limited operational period, then deleted or aggregated.
  • Billing and accounting records — kept for 5 years from the end of the relevant tax year, as required by Polish law.

8. Your rights

Under the GDPR you have the right to:

  • access your personal data and obtain a copy;
  • rectify inaccurate or incomplete data;
  • erase your data (“right to be forgotten”);
  • restrict or object to processing based on our legitimate interest;
  • data portability;
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these rights, email us at support@codepile.dev. You also have the right to lodge a complaint with the Polish supervisory authority:

  • Urząd Ochrony Danych Osobowych (UODO)
  • ul. Stawki 2, 00-193 Warszawa, Poland
  • uodo.gov.pl

9. How we protect your data

We apply appropriate technical and organisational measures to protect your data. API keys are stored only as irreversible SHA-256 hashes — never in plain text. Traffic is encrypted in transit (HTTPS/TLS), and access to production systems is restricted.

10. Children

Stawka is a developer tool intended for businesses and professionals. It is not directed to children, and we do not knowingly collect personal data from anyone under 16.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “last updated” date and, where appropriate, notify you. Continued use of the Service after changes take effect means you accept the updated policy.

12. Contact

For any question about this policy or your personal data, contact us at support@codepile.dev.