Heatsheet

Privacy Policy

Last updated: 24 May 2026

This policy explains what personal data Heatsheet collects, why we collect it, who we share it with, and what rights you have under the EU General Data Protection Regulation (GDPR) and Polish data-protection law. We've written it in plain language; if anything is unclear, email us at privacy@heatsheet.co.

1. Who we are

Heatsheet is operated by Heatsheet sp. z o.o., a company registered in Poland (the "data controller").

Registered address: Kuźnicza 11-13, 50-138 Wrocław, Polska.
Privacy contact: privacy@heatsheet.co

For the purposes of GDPR, "we", "us", and "Heatsheet" in this policy mean Heatsheet sp. z o.o.

2. Data we collect

We only collect the data we need to run the service:

  • Account information — your email address, display name, and a hashed copy of your password. We never store your password in plain text: our authentication provider (Supabase) hashes it before storage, and the hash cannot be reversed to recover the original password.
  • Subscription & billing — your Stripe customer reference, subscription status (free / Plus / trialing), and the end date of the current billing period. We do not store your card number, CVC, or expiry date — those are held by Stripe directly.
  • Newsletter preferences — the countries, alliances, conflicts, or issues you choose to follow, and an unsubscribe token so we can honour opt-outs.
  • Usage and technical data — IP address, browser type, pages visited, and timestamps, captured in standard server access logs for security and debugging.
  • Communications — any email you send us, kept so we can respond and follow up.

We do not run third-party analytics. No Google Analytics, Plausible, Hotjar, Mixpanel, Meta Pixel, or similar trackers.

3. Why we use it

We only use your data for the purposes below:

  • To create and run your account and let you log in.
  • To deliver the heatmap, local news, and any other features you have access to.
  • To process payments and manage subscriptions through Stripe.
  • To send the briefing email to subscribed users, based on the topics they selected.
  • To investigate technical problems, prevent abuse and fraud, and keep the service secure.
  • To comply with our legal obligations (for example, keeping accounting records).

5. Who we share it with

We share personal data only with the service providers ("processors") we need to run Heatsheet. Each is bound by a data-processing agreement and may only act on our instructions.

  • Supabase, Inc. — hosts our database and authentication service. Stores your account, profile, newsletter preferences, and session tokens.
  • Stripe Payments Europe, Ltd. — processes subscription payments and stores card data on PCI DSS-compliant infrastructure. Card details are entered directly into Stripe's checkout and never pass through our servers.
  • Resend, Inc. — delivers the newsletter and any transactional emails. Receives your email address and the email body.
  • Amazon Web Services EMEA SARL — hosts the application on an EC2 instance in the Stockholm, Sweden region.
  • Mapbox, Inc. — renders the world map. When you load the heatmap your IP address is sent to Mapbox to serve map tiles. No account information is shared.
  • Google LLC (Gemini API) — generates editorial summaries from public news articles for the newsletter and local-news features. We do not send personal account data to Gemini.

We do not sell your personal data. We do not share it for advertising.

6. International transfers

Some of the processors listed above are based outside the European Economic Area, notably in the United States. Where personal data is transferred outside the EEA we rely on the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework, to ensure an equivalent level of protection.

7. How long we keep it

  • Account data — for as long as your account is active, plus 30 days after deletion to allow recovery.
  • Newsletter preferences — until you unsubscribe. The unsubscribe record itself is retained indefinitely so we can honour the opt-out.
  • Payment records and invoices — five (5) years from the end of the financial year, as required by the Polish Accounting Act of 29 September 1994.
  • Server access and error logs — 90 days.
  • Support emails — two (2) years after the conversation ends.

8. Your rights

Under GDPR you have the right to:

  • Access — get a copy of the personal data we hold about you.
  • Rectification — correct anything inaccurate.
  • Erasure — ask us to delete your data, subject to records we're legally required to keep.
  • Restriction — ask us to pause processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for anything you previously consented to.
  • Lodge a complaint — with the Polish supervisory authority (see Section 13).

To exercise any of these rights, email privacy@heatsheet.co. We will respond within one month, as required by GDPR; for complex or numerous requests this period may be extended by a further two months, in which case we will tell you why within the first month. We may ask you to confirm your identity before acting on a request, so that your data is not disclosed to someone else.

9. Cookies

We use a small number of cookies, all strictly necessary:

  • Authentication session cookie (set by Supabase) — keeps you logged in. Expires on log-out or after a period of inactivity.
  • Stripe redirect cookies — set when you go through checkout, used to return you to the right page afterwards.
  • Cookie-consent flag — a small local-storage entry (technically not a cookie, but listed here for completeness) that remembers you've dismissed the cookie banner. It contains no identifier and is never sent to our servers.

We do not use any analytics, advertising, or tracking cookies.

10. Security

We protect your data with TLS (HTTPS) on every connection, encryption at rest in the database, hashed passwords, access to production systems restricted to the people who need it, and routine security reviews. No system is perfectly secure. If we ever discover a breach affecting your personal data we will notify the supervisory authority within 72 hours of becoming aware of it, where required by GDPR, and notify you directly where the breach is likely to result in a high risk to your rights and freedoms.

11. Children

Heatsheet is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of the page shows when it was last revised. Material changes will be flagged at the top of the page and, where you have an account, communicated by email.

13. Contact & complaints

For any privacy question, request, or concern, email privacy@heatsheet.co or write to us at Kuźnicza 11-13, 50-138 Wrocław, Polska.

If you believe we have not handled your data properly, you have the right to lodge a complaint with the Polish supervisory authority:

Prezes Urzędu Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Polska
Phone: +48 22 531 03 00
Website: uodo.gov.pl