Privacy Policy
Last updated: April 2026
Introduction
This Privacy Policy explains how Tomasz Zylka, sole proprietor trading as Tomasz Zylka Veinito.com ("we", "us", "our"), the operator of ClassKasa, collects, uses, and protects your personal data when you use our service. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable data protection laws.
Data Controller
The data controller responsible for your personal data is: Tomasz Zylka, sole proprietor trading as Tomasz Zylka Veinito.com, Bierzycka 8, 51-179 Wroclaw, Poland. NIP: PL6452337008, REGON: 521704806. For any privacy-related inquiries, contact us at tomek@classkasa.com.
Data Protection Officer
We have not appointed a Data Protection Officer (DPO) as we are not required to do so under Art. 37 GDPR. For all data protection matters, please contact: tomek@classkasa.com.
Data We Collect
We collect the following personal data to provide and improve our service:
- Email address (for authentication via magic links)
- Your name (displayed to class members)
- Family name (used within class groups)
- Parent email addresses (added by treasurers for class management)
- Bank account details (IBAN, entered by treasurers for payment collection)
- Payment status (whether a family has paid a collection)
- Chat messages (if you use the AI chatbot, your messages and the chatbot's responses — stored for 2 days, then permanently deleted)
- Cookies (strictly necessary and functional, see Cookies section below)
AI Document Analysis (Bank Statement Reconciliation)
If you use the Bank Statement Reconciliation feature (available to ClassKasa Premium subscribers), you may upload bank statement files (PDF or images) for automated transaction extraction. The following describes how we process this data:
- Uploaded documents: bank statement files (PDF or image format) containing transaction details, account holder names, IBANs, account numbers, transaction descriptions, and amounts.
- Extracted transaction data: transaction descriptions, amounts, dates, and sender/recipient names parsed from the uploaded document by AI analysis.
- Bank statements may contain personal data (PII) including sender names, IBANs, account numbers, and transaction descriptions that reference individuals.
Lawful basis: Art. 6(1)(b) GDPR — processing is necessary for the performance of the contract (your ClassKasa Premium subscription). You initiate each scan by uploading a document and explicitly approving extracted results before any payment records are updated.
AI sub-processor: Uploaded documents are sent to Anthropic, PBC (San Francisco, USA) via its API for transaction extraction using the Claude language model. Anthropic processes the data solely to return results to ClassKasa and does not use API inputs to train its models. Transfer basis: Standard Contractual Clauses (SCCs). See the Sub-processors section for details.
Temporary file storage: Uploaded files are temporarily stored in Netlify Blobs (EU region) during processing. Original files are deleted immediately after AI analysis is complete. ClassKasa does not retain copies of your uploaded bank statements.
Data retention: Original uploaded files are deleted immediately after processing. Extracted transaction metadata (descriptions, amounts, dates, matched payment records) is retained as part of your class audit trail for the lifetime of the collection. You may request erasure of extracted data by contacting tomek@classkasa.com.
Your rights: You have the right to access, rectify, or request erasure of AI-extracted transaction data under Articles 15-17 GDPR. You may also object to AI processing under Art. 21 GDPR. Because the treasurer must explicitly approve all AI-suggested matches before records are updated, no automated decision-making within the meaning of Art. 22 GDPR takes place.
Purposes and Legal Basis
We process your data for the following purposes:
- (a) providing the ClassKasa service, including account management, class membership, and collection tracking — legal basis: Art. 6(1)(b) GDPR (contract performance).
- (b) sending transactional emails (magic links, notifications, reminders) — legal basis: Art. 6(1)(b) GDPR.
- (c) processing AI chatbot queries — legal basis: Art. 6(1)(b) GDPR (part of Premium service).
- (d) service improvement, security, and fraud prevention — legal basis: Art. 6(1)(f) GDPR (legitimate interest).
- (e) compliance with legal obligations (tax records, invoices) — legal basis: Art. 6(1)(c) GDPR.
Information for Parents Added by Treasurers (Art. 14 GDPR)
If a class treasurer has added your email address to a ClassKasa class, your data (email, name, payment status) is processed jointly by the treasurer and ClassKasa. You were not asked directly — the treasurer provided your data. You have the same rights as any user (access, rectification, erasure, etc.). To exercise them, contact the treasurer or ClassKasa at tomek@classkasa.com. Your data is used solely for class fund management and will be deleted within 30 days of account or class deletion.
Joint Controllership (Art. 26 GDPR)
When a treasurer creates a class and enters parent data, ClassKasa and the treasurer act as joint controllers. The treasurer decides which parents to add and for what class purpose. ClassKasa provides the technical infrastructure and processes the data accordingly. Parents may exercise their GDPR rights by contacting either party. ClassKasa is the point of contact for data subjects: tomek@classkasa.com.
Data Retention
We retain your personal data for the lifetime of your account. If you delete your account, we will erase your personal data within 30 days of deletion, except where we are required by law to retain certain records.
- Invoices and tax records are retained for 5 years after the end of the tax year in which the transaction occurred, as required by Polish tax law and the Accounting Act.
- Security logs (anonymised IP addresses, login timestamps) are retained for up to 90 days for fraud prevention and security purposes.
- AI chatbot messages are automatically deleted after 2 days.
Sub-processors
We use the following third-party services to operate ClassKasa:
- Neon (database hosting, Frankfurt, Germany) — stores your account and class data within the EU.
- Netlify (application hosting, EU) — serves the ClassKasa web application from EU data centres.
- Resend (email delivery, US with EU processing) — sends magic link emails and notifications on our behalf. Transfer basis: EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs).
- Stripe, Inc. (payment processing, US/EU) — processes ClassKasa Premium subscription payments. Stripe is certified under the EU-US Data Privacy Framework. ClassKasa shares your email address and class identifier with Stripe to create a checkout session. Stripe's privacy policy: https://stripe.com/privacy.
- Anthropic, PBC (AI chatbot, San Francisco, USA) — processes AI chatbot messages using the Claude language model. When you use the chatbot, your messages and relevant class context are sent to Anthropic's API. Anthropic does not use your data to train its models. Transfer basis: Standard Contractual Clauses (SCCs).
Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — request a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data.
- Right to data portability — receive your data in a machine-readable format.
- Right to restriction — request limited processing of your data.
- Right to object — object to processing based on legitimate interest.
- Right to withdraw consent — withdraw consent at any time where processing is based on consent.
- Right to lodge a complaint — file a complaint with your local data protection authority (see Supervisory Authority section).
How to Exercise Your Rights
To exercise any of your rights, send an email to tomek@classkasa.com with the subject "GDPR Request". Please include your registered email address so we can verify your identity. We will respond within one month of receiving your request, as required by Art. 12(3) GDPR. If the request is complex, we may extend this period by two additional months and will inform you of the extension.
Supervisory Authority
The lead supervisory authority for ClassKasa is the President of the Office for Personal Data Protection (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland (https://uodo.gov.pl). Regardless of your location, you have the right to lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR).
Data Breach Notification
In the event of a personal data breach that poses a risk to your rights, we will notify the competent supervisory authority within 72 hours (Art. 33 GDPR). If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay (Art. 34 GDPR).
Children's Data
ClassKasa is designed for adult users (18+). If a treasurer enters a child's name as part of a class roster (e.g. "Class 3B — Leo K."), this data is processed under the joint controllership described above. ClassKasa does not knowingly collect personal data from children under 16. If you believe data of a minor has been processed without appropriate consent, contact us at tomek@classkasa.com.
Cookies
ClassKasa uses a minimal set of cookies, all essential for the service to function:
- ck_token — Strictly necessary. Contains your encrypted authentication session. Expires when you log out.
- ck_logged_in — Functional. A non-sensitive flag indicating whether you are logged in, used for UI display purposes.
- ck_locale — Functional. Stores your preferred language for a consistent experience across visits.
International Data Transfers
Your data is primarily stored and processed within the European Union (Neon database in Frankfurt, Netlify hosting in EU). Certain sub-processors (Resend, Stripe, Anthropic) may process data in the United States. These transfers are protected by the EU-US Data Privacy Framework (DPF) where the provider is certified, or by Standard Contractual Clauses (SCCs) approved by the European Commission. For details, see the Sub-processors section above.
Contact Us
For privacy-related questions or to exercise your rights, contact us at tomek@classkasa.com.
Advertising & analytics partners
If you tap 'Accept All' on the cookie banner, ClassKasa shares a small set of signals with Meta (Facebook + Instagram) so they can stop showing you ads for things you'll never want and start showing our app to parents like you.
What we share
Hashed email and IP, your browser type, the page you landed on, and the names of in-app events (sign-up, class created, payment). Raw email never leaves your browser — we hash it first using SHA-256.
You can change your mind any time on our .