Initsale

This Privacy Policy explains how Initsale ("we", "us", "our") collects, uses, stores, and protects personal data when you use our platform and services ("Service"). We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR) and applicable Polish data protection laws.

1. Data Controller

The data controller for the personal data processed through the Service is:

Initsale
Email: privacy@initsale.com
Poland, European Union

2. Our Dual Role

We process personal data in two distinct roles:

Data Controller — for data we collect directly from you as a user of our platform (your account information, billing data, usage data).
Data Processor — for data you store about your customers and contacts through the Service (contact records, conversations, orders, files). In this role, you are the data controller and we process data on your behalf according to your instructions.

3. Data We Collect as Controller

3.1 Account Data

Name, email address, password (hashed)
Tenant (workspace) name and configuration
Role within your workspace (owner, admin, member)
Last activity timestamp

3.2 Billing Data

Subscription plan and status
Stripe customer ID and subscription ID
Billing period and payment history (managed by Stripe)

We do not store credit card numbers or full payment details. All payment processing is handled by Stripe, Inc. See Stripe's Privacy Policy.

3.3 Usage Data

Feature usage and plan limit consumption
Activity logs (actions performed within the platform)
Session data (login timestamps, language preference)

3.4 Communication Data

Messages sent through the live chat widget on our website
Enterprise inquiry form submissions
Support correspondence

4. Data We Process on Your Behalf (as Processor)

When you use the Service, you may store the following data about your customers:

Contact information (names, email addresses)
Email conversations and message content
Orders and transaction records
Custom field values
Tags and categorizations
Files uploaded to cloud storage
Chat conversations from your storefront
Workflow enrollment and execution data

You are the data controller for this data. You are responsible for ensuring you have a lawful basis to collect and process your customers' data. We process it solely to provide the Service to you.

5. Legal Basis for Processing (GDPR Art. 6)

Purpose	Legal basis
Providing the Service	Performance of contract (Art. 6(1)(b))
Billing and payments	Performance of contract (Art. 6(1)(b))
Account security	Legitimate interest (Art. 6(1)(f))
Service improvement	Legitimate interest (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))
Marketing communications	Consent (Art. 6(1)(a)) — only with explicit opt-in

6. Sub-processors

We use the following third-party services to provide the Service. Each has a Data Processing Agreement in place:

Sub-processor	Purpose	Location
OVH SAS	Cloud hosting and object storage	European Union (France)
Stripe, Inc.	Payment processing (billing and Stripe Connect)	United States (SCCs in place)
Wildbit LLC (Postmark)	Transactional email delivery	United States (SCCs in place)

We will notify you before adding new sub-processors. You may object to a new sub-processor within 30 days of notification.

7. International Data Transfers

Your data is primarily stored on OVH servers within the European Union. Some data is transferred to the United States through our sub-processors (Stripe, Postmark). These transfers are protected by:

Standard Contractual Clauses (SCCs) approved by the European Commission
The EU-U.S. Data Privacy Framework, where applicable
Additional technical and organizational safeguards

8. Data Retention

Data type	Retention period
Account data	Duration of account + 30 days after deletion
Customer Data (your contacts, conversations, etc.)	Duration of account; deleted items archived 30 days then purged
Billing records	As required by tax law (typically 5-7 years)
Webhook event logs	30 days
Activity logs	90 days
Chat conversations (support)	Duration of account

9. Your Rights (GDPR Art. 15-22)

As a data subject in the European Economic Area, you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your personal data ("right to be forgotten")
Restriction — restrict processing in certain circumstances
Portability — receive your data in a structured, machine-readable format
Objection — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise these rights, contact us at privacy@initsale.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
uodo.gov.pl

10. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

Encryption of data in transit (TLS/HTTPS)
Password hashing using industry-standard algorithms
Strict tenant isolation — each workspace's data is logically separated
Role-based access control within workspaces
Rate limiting on public endpoints
Webhook signature verification for all inbound integrations
Regular security updates and dependency patching

11. Cookies

We use essential cookies to operate the Service. For details, see our Cookie Policy.

12. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates the latest revision.

14. Contact

For any privacy-related questions or to exercise your data protection rights:

Email: privacy@initsale.com
Initsale
Poland, European Union