GDPR Art. 13–14
Zásady ochrany osobních údajů
Effective 3 June 2026.
This Privacy Policy explains how Altvisor collects, uses, and protects personal data when you visit our website, run a WCAG scan, or use the Altvisor application. It also describes your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) and Polish data-protection law, and how to exercise them.
We are the data controllerfor our own users’ account and usage data. When we process the images and content you submit for alt-text generation, we act as a processor on your behalf — those terms live in our Data Processing Agreement.
Who we are (the controller)
Altvisor is operated by Hleb Malyshau, a sole trader (jednoosobowa działalność gospodarcza) established in Poland.
- Correspondence address: plac Trzech Krzyży 10/14, 00-499 Warszawa, Poland
- NIP (VAT): PL5213990822
- Contact: hi@altvisor.eu
What we collect
- Account data — your email and the organisation name you choose at sign-up. We never read your OAuth provider profile beyond email and name.
- Usage data — quota counters, audit-log events, billing records, and product analytics, all hosted in the EU.
- Uploaded images — processed in memory and deleted from storage before the request returns. Only a content hash, image dimensions, and the generated alt-text are retained; the source image bytes are not.
- Technical data — for anonymous demo scans we store a short-lived rate-limit counter and a salted, daily-rotating hash of your IP address. The raw IP is never stored.
Why we use it, and our legal basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the Altvisor service and your account | Performance of a contract — Art. 6(1)(b) |
| Billing, tax, and accounting records | Legal obligation — Art. 6(1)(c) |
| Product analytics, security, and abuse prevention (EU-hosted, no advertising) | Legitimate interests — Art. 6(1)(f) |
| Marketing-site traffic measurement (Google Analytics) | Consent — Art. 6(1)(a); ePrivacy Art. 5(3) |
Where your data lives
Our database, authentication, and file storage run on Supabase in eu-west-1 (Ireland). All AI processing uses Mistral on EU infrastructure — on every plan, your images are never sent to a non-EU AI provider. The full list — including each processor’s location and transfer basis — is on our subprocessors page.
International transfers
Customer data is hosted in the EU/EEA by default. Where a subprocessor located in the United States is involved (disclosed on the subprocessors page), the transfer relies on the EU-US Data Privacy Framework and/or the European Commission’s Standard Contractual Clauses, together with supplementary technical measures such as encryption in transit and at rest.
How long we keep it
Account data is kept for the life of your account. Compliance artefacts (audit reports, accessibility statements, and the audit log) are retained for 5 years as required by Annex IV of the European Accessibility Act. Demo rate-limit counters and IP-hash buckets are deleted within 48 hours. The full retention schedule is in §6 of the DPA.
Cookies
We use a small set of strictly-necessary cookies (session, language, and abuse-prevention) plus EU-hosted analytics. Google Analytics on our marketing pages is set only after you accept via the consent banner. The full cookie inventory — name, purpose, retention, and lawful basis — is in §7 of the DPA.
Your rights
Under the GDPR you have the right to access, rectify, export (data portability), erase, restrict, and object to the processing of your personal data, and to withdraw consent at any time without affecting prior processing. To exercise any of these rights, contact us at hi@altvisor.eu. You can permanently delete your organisation and all associated data from your account settings.
If you believe we have mishandled your data, you may lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — UODO), ul. Stawki 2, 00-193 Warszawa, Poland (https://uodo.gov.pl), or with the supervisory authority in your own EU/EEA country.
Changes to this policy
We may update this policy as the service evolves. Material changes will be reflected in the effective date above and, where appropriate, notified to you by email.