Spisin Application Privacy Policy

Last updated: 05.01.2026

We respect your privacy. This Privacy Policy explains how we collect, use, and protect your personal data in connection with the use of the Spisin web application and the promotional website (Landing Page). This document has been prepared based on the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

1. Personal Data Controller

The Administrator (Controller) of your personal data is: Łukasz Słupik, conducting business under the name: Łukasz Słupik, ul. Gwarków 14, 44-230 Czerwionka-Leszczyny, Poland, NIP (Tax ID): PL6423226648. For matters related to personal data protection, you can contact us at the e-mail address: contact@spisin.com.

2. What data do we process and for what purpose?

The scope and purpose of data processing differ depending on whether you are an Application User (account owner) or a visitor to our promotional website (Landing Page).

A. Application Users (Restaurant/Establishment Owners)

Account registration and management

Data: E-mail address, password (hashed), and in the case of Google login: e-mail address and unique user identifier (Google ID).

Purpose: Account creation, enabling login, providing the menu creation service (performance of a contract).

Legal basis: Art. 6(1)(b) GDPR (necessity for the performance of a contract).

Establishment profile configuration

Data: Name of the establishment, address, phone number, social media links, NIP (Tax ID).

IP Address: During account configuration, your IP address is processed once to automatically detect your country, currency, and default language to facilitate the registration process. This information is not permanently linked to your profile in a way that allows continuous location tracking.

Purpose: Enabling service functionality, facilitating the configuration process (UX), issuing invoices.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Administrator consisting in improving the customer service process) and Art. 6(1)(b) GDPR (performance of a contract).

System and transactional notifications

Data: E-mail address.

Purpose: Sending information about subscription status, ending trial period, changes to regulations.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

Menu Translation (DeepL)

Data: Content entered into the menu (dish names, descriptions).

Purpose: Automatic translation of the menu into selected languages. Note: The User undertakes not to enter personal data (e.g., names and surnames of employees) in the descriptive fields of the menu intended for translation.

Security and Claims Enforcement (Audit Logs)

Data: IP address, User ID, date and time of the event, and details of critical changes made (e.g., editing allergens, changing prices, changing item visibility in the menu).

Purpose: Ensuring service security, fraud detection, and creating evidence for the purposes of establishing, investigating, or defending against claims (e.g., verifying the correctness of data entered by the User in the event of complaints or health incidents).

Legal basis: Art. 6(1)(f) GDPR (legitimate interest of the Controller consisting of ensuring accountability of actions within the Application and legal defense).

B. Landing Page Visitors (Promotional Site)

Statistics and Analytics (Google Analytics)

Data: IP address (anonymized), device type, browser, behavior on the site.

Purpose: Analysis of traffic on the marketing site to improve the offer.

Legal basis: Art. 6(1)(a) GDPR (Your voluntary consent expressed via the cookie banner).

C. End Customers (People viewing Menus created in Spisin)

We respect the privacy of your establishment's guests. If you are browsing a menu created by our User:

Data: We collect only anonymous statistical data: session duration, time of visit, entry source (UTM parameters).

IP Address: We do not save your IP address in the statistics database.

Privacy: We do not use tracking cookies nor do we profile end customers in the Application. These data are aggregated (summed up) and do not allow for the identification of a natural person.

3. Data Recipients (Subprocessors)

To provide services at the highest level, we use the services of verified third-party providers. We entrust data to them only to the necessary extent:

- Hetzner Online GmbH (Germany/Finland) – application hosting and database. Data is stored within the EEA.

- Resend, Inc. (USA) – email delivery infrastructure provider (system notifications, activation links). Data (e-mail address) is transferred to the USA. Resend ensures GDPR compliance by participating in the Data Privacy Framework (DPF) or using standard contractual clauses.

- Paddle.com Market Ltd (United Kingdom/Global) – payment operator and "Merchant of Record". Paddle is a separate controller of your payment data. We only receive information about the payment status and data necessary to activate the package.

- DeepL SE (Germany) – automatic translation service. Only text content of the menu is sent there, without user data.

- Google Ireland Ltd – regarding:

  - Login (Google Auth) – only if you choose this option.

  - Analytics (Google Analytics 4) – only on the Landing Page.

  - Artificial Intelligence (Gemini API): Processing uploaded menu photos for automated text and structure extraction. Photos are processed automatically and are not used by Google to train public models (in accordance with Google Cloud Enterprise/API terms).

- IPinfo (IPinfo.io) – geolocation service. Your IP address is sent to this provider once at the time of registration or profile configuration, solely to automatically detect your country and currency.

- Cloudflare, Inc. (USA/Global) – Cloudflare R2 service. Cloud infrastructure provider used for storing multimedia files (menu photos, logos) uploaded by the User. Data may be processed within Cloudflare's global server network to ensure high availability and fast photo loading speeds.

4. Data retention period

User Account: We store data for the period of possessing an active account.

Account deletion: In case of using the "Delete account" option in settings, your personal data and all created menus are removed from our database immediately.

Accounting data: If you purchased a subscription, data required by tax law may be stored for a period of 5 years from the end of the tax year (legal requirement, fulfilled mainly by Paddle, but also in our order history).

5. Your rights

In accordance with the GDPR, you have the right to:

- Access your data and receive a copy of it.

- Rectify (correct) your data.

- Delete data ("right to be forgotten").

- Restrict data processing.

- Transfer data (data portability).

- Object to processing.

- Lodge a complaint with a supervisory authority (in Poland: President of the Personal Data Protection Office).

To exercise these rights, contact us at: contact@spisin.com.

6. Cookies

The Spisin application uses cookies for two purposes:

- Necessary (Application): Maintaining the logged-in user's session. Remembering the selected interface language. These files are crucial for the application's operation and do not require consent (Art. 173 of the Telecommunications Law).

- Analytical (Landing Page): Google Analytics files are used exclusively on the main/promotional page for statistical purposes. They are activated only after you express consent on the cookie banner.

7. Security

We apply appropriate technical and organizational measures to protect your data, including:

- Connection encryption (SSL/TLS certificate).

- Password hashing in the database.

- Limited access to the database (only authorized personnel).

- Regular backups.

8. Changes to the Privacy Policy

We reserve the right to make changes to this Privacy Policy (e.g., in the case of changes in the law or the addition of new functions in the application). We will inform you of any significant changes via e-mail or through a notification in the application.

9. Server logs

Using the website involves sending queries to the server where the page is stored. Each query directed to the server is saved in the server logs. The logs include, among others, your IP address, server date and time, information about the web browser and operating system you use. Logs are saved and stored on the server. Data saved in the server logs are not associated with specific persons using the service and are not used by us for your identification, except where necessary to ensure system security (e.g., defense against attacks) or required by law.