Privacy Policy
Effective date: 8 June 2026 · Last updated: 8 June 2026
The Polish version of this Privacy Policy is the binding version. Translations into other languages are for informational purposes only.
Listownia is a service that helps foreigners prepare draft administrative letters for residence and citizenship cases before voivodeship offices. The service is not a law firm and does not provide legal advice.
This Policy sets out the rules for processing personal data of service users in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and applicable national law.
§ 1. Data controller
The data controller is SavvyLed Sp. z o.o., with its registered office at Złota 61/100, 00-819 Warszawa, entered in the register of entrepreneurs of the National Court Register (KRS) under number KRS 0000499181, with NIP 5272709910 and REGON 147122290. For matters relating to personal data, please contact: rodo@listownia.pl.
No Data Protection Officer has been appointed; this is not required in the present case.
§ 2. Categories of personal data processed
Depending on the type of letter being prepared, the controller processes the following categories of data provided by the user: full name, address, nationality, case number (reference), residence-status information, and a description of the situation provided by the user.
The controller also processes:
- email address (to deliver the letter and service-related correspondence),
- preferred interface language,
- if an optional account is created — account data and a password stored exclusively in irreversible form (the controller has no access to the user's password),
- payment data to the extent required to process and settle the payment; the controller does not store payment card details or payment credentials,
- technical data relating to use of the service, including the IP address, necessary to ensure security and proper operation of the service.
Creating an account is entirely optional — the service can be used in full without an account.
Data minimisation. The controller collects only the data necessary to prepare the given letter. The service does not require a PESEL number, passport number or scans of documents unless they are needed. The controller does not log the content of situation descriptions or the full text of documents in technical logs.
Special-category data. If the user includes special-category data in the case description (e.g. health-related information — Art. 9 GDPR), it is processed because this is necessary for the establishment, exercise or defence of legal claims in the user's administrative proceedings (Art. 9(2)(f) GDPR). Additionally, before such data is provided, the controller collects the user's explicit consent (Art. 9(2)(a) GDPR). We recommend providing only information that is necessary for the case.
§ 3. Purposes and legal bases for processing
| Purpose of processing | Legal basis |
|---|---|
| Preparing and making available a draft letter and managing an optional account | Art. 6(1)(b) GDPR — performance of a contract |
| Processing payments and retaining accounting documents | Art. 6(1)(c) GDPR — legal obligation |
| Ensuring service security, preventing abuse, and pursuing or defending claims | Art. 6(1)(f) GDPR — legitimate interests of the controller |
| Processing special-category data provided in the case description | Art. 9(2)(f) GDPR — necessity for the establishment, exercise or defence of legal claims; additionally Art. 9(2)(a) GDPR — explicit consent collected before the data is provided |
Providing data is voluntary but necessary to perform the service — without it, preparing the letter is not possible.
§ 4. Data retention periods
| Data category | Retention period |
|---|---|
| Unsaved wizard drafts | 14 days from the last activity |
| Generated letters and associated files | up to 90 days, after which they are automatically deleted |
| Accounting data | 5 years from the end of the financial year in which the transaction took place (accounting and tax regulations) |
| Technical logs | up to 90 days |
| Account data | until the account is deleted by the user |
Users retain control over their data: they may at any time delete a prepared letter using the link sent by email, and account holders may delete their account together with all associated data.
§ 5. Recipients of data
The controller uses trusted service providers who process data solely on its instructions and to the extent necessary to deliver the service. These include:
- a payment service provider, acting as an independent controller in respect of payment data (payment processing),
- a language-model provider based in the European Union, used solely for the linguistic processing of selected content provided by the user; the controller does not share payment data or unnecessary information with it, and the data is not used for model training,
- IT infrastructure providers (server, file storage, email) located in the European Union.
Data may be disclosed to public authorities only where required by law. The controller enters into a data-processing agreement with each provider.
e-Doręczenia. The service prepares the letter and sending instructions but does not send the letter on the user''s behalf and does not transmit the user''s data to the authority. The user sends the letter independently.
Place of processing. Personal data are processed primarily within the European Economic Area — the controller uses language-model and infrastructure providers (server, file storage, e-mail) located in the European Union. The exception concerns analytics data: if the user consents to analytics cookies, the service uses Google Analytics 4, under which data may be transferred to Google LLC in the United States. Google LLC holds an active certification under the EU–US Data Privacy Framework (DPF), recognised by the European Commission as ensuring an adequate level of protection (Art. 45 GDPR); Standard Contractual Clauses (SCC) additionally apply as a supplementary transfer mechanism. The transfer occurs only after the user consents to analytics cookies and does not encompass payment data or the content of documents prepared.
§ 6. User rights
Users have the following rights: access to data and the right to obtain a copy, rectification of data, erasure of data, restriction of processing, data portability, the right to object to processing based on legitimate interests, and — to the extent that processing is based on consent — the right to withdraw consent at any time (without affecting the lawfulness of processing carried out before withdrawal).
A practical way to exercise the right to erasure and to withdraw consent is to delete the prepared letter independently (using the link sent by email), or, if you hold an account, to delete the account along with associated data. The Controller retains certain data despite an erasure request where required by law — in particular, billing data retained for 5 years (Art. 6(1)(c) GDPR; see §4).
To exercise any of the above rights, please contact us at rodo@listownia.pl.
Users also have the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych), ul. Stawki 2, 00-193 Warsaw, Poland.
§ 7. Cookies
The service uses two categories of cookies:
1. Strictly necessary cookies
Required for the proper functioning of the service; exempt from the consent requirement (Art. 173(3) of the Polish Telecommunications Law / Art. 5(3) of the ePrivacy Directive) — users are merely informed of them. The service uses them for the following purposes: maintaining sessions and secure account login, protecting forms against CSRF attacks, storing the wizard draft token (use without an account), remembering the user's analytics consent decision, and — only at the user's request — persisting the login session. These cookies are not used for tracking or profiling and are deleted when the session expires or the cookie's validity period lapses.
2. Analytics cookies (Google Analytics 4)
Used only with the user's consent. The service applies Consent Mode v2: until consent is given, Google Analytics operates in cookieless mode (no identifiers, statistical modelling only), and analytics cookies (e.g. _ga, _ga_<ID>, up to 2 years) are set only after consent is granted. The service provider is Google LLC (United States), acting as a data processor under Google's data-processing terms. The legal basis for processing is Art. 6(1)(a) GDPR (consent); the legal basis for transfer of data to the USA is the adequacy decision under the Data Privacy Framework and Standard Contractual Clauses (SCC) — see §5. Consent may be withdrawn at any time by clicking "Cookie settings" in the service footer; cookies may also be deleted through browser settings.
| Cookie | Purpose | Duration | Category |
|---|---|---|---|
| _ga | Identifies unique sessions (Google Analytics 4) | 2 years | analytics — consent required |
| _ga_<ID> | Stores Google Analytics session state | 2 years | analytics — consent required |
Users may also manage cookies through their browser settings.
§ 8. Automated decision-making
The controller does not make decisions about users based solely on automated processing that would produce legal effects, and does not engage in profiling. The prepared letter is a draft that the user must independently review before sending.
§ 9. Data security
The controller applies appropriate technical and organisational measures to protect personal data, including connection encryption, restricted access to data, and logging of administrative actions.
§ 10. Changes to this Policy
This Policy may be updated. The controller will notify users of significant changes through the service, and account holders will also be notified by email. The current version of the Policy, with the date of the last update, is always available in the service.
§ 11. Contact
For any matters relating to personal data, please contact us at rodo@listownia.pl or, if necessary, at the controller's correspondence address: Złota 61/100, 00-819 Warszawa.