Privatumo politika

This Privacy Policy ("Policy") governs how Costless Inc. ("Costless", "we", "us") collects, uses, and protects information processed through the Costless for Business platform available at https://costless.business, the Costless API endpoints, and any related dashboards, mobile or desktop applications used to administer Business Accounts (collectively, the "Service"). PLEASE READ THIS POLICY CAREFULLY. BY CREATING OR USING A BUSINESS ACCOUNT, OR BY INTEGRATING WITH OUR API, YOU AGREE TO THE PROCESSING DESCRIBED BELOW. IF YOU DO NOT AGREE, DO NOT REGISTER FOR THE SERVICE OR USE OUR API. This Policy applies to information processed in connection with paid and trial Business Accounts. It does not apply to costless.online (consumer-facing site) — that property has its own Privacy Policy. 1. Who We Are (Controller and Contact) The Service is operated by: Costless Inc. 1207 Delaware Avenue, 2979, Wilmington, DE 19806, USA General contact: mail@costless.online Data protection requests: data.controller@costless.online For Business Account information (the personal data of administrators, billing contacts and authorised users of your account) Costless acts as a "Controller" under the EU General Data Protection Regulation (GDPR), the UK GDPR, and analogous laws. For data you upload, transmit, or otherwise instruct us to process on your behalf — for example receipt images submitted to the Receipt Verification API, customer emails enrolled in your Loyalty 51 program, or price-label photos captured by your store associates ("Customer Data") — Costless acts as a "Processor" and you (the Business Account holder) are the "Controller". The standard data-processing terms applicable to that relationship are incorporated into our Terms and Conditions and may be supplemented by a separate Data Processing Agreement on request. 2. Definitions "Business Account" means a paid or trial subscription to the Service registered to a legal entity (or to a sole trader acting in a business capacity). "Account Data" means information about your Business Account and the natural persons authorised to use it, including company name, billing address, VAT/EIN/EDRPOU number, administrator name, business email, telephone, role, password (stored as a salted hash), authentication tokens, and audit logs of administrative actions. "Customer Data" means data you (or your end customers acting on your instructions) upload to or generate through the Service, including but not limited to receipt images and the structured data extracted from them, loyalty stamps and tier data for end customers, price-label photographs, product price feeds you transmit via the data-transfer API, and any campaign metadata. "End Customer" means a natural person who is your customer (for example, a Loyalty 51 program participant or a shopper whose receipt is processed through your campaign), and whose personal data you process using the Service. "Personal Data" has the meaning given in the GDPR (Article 4(1)). "Sub-processor" means any third party engaged by Costless that processes Customer Data on our behalf. 3. Categories of Information We Process 3.1 Account Data (we are Controller) - Identification: full name and business email of administrators and authorised users; job title; preferred language. - Company information: legal company name, registered address, billing address, VAT/EIN/EDRPOU or equivalent tax identifier, billing contact name and email. - Authentication and security: hashed passwords, JWT session tokens, API keys (hashed at rest), 2FA secrets, password-reset tokens, IP address and user-agent string of recent sign-ins, CSRF tokens. - Billing: payment method type (card brand, last four digits and expiry stored by Stripe — full card numbers never reach Costless), invoice history, subscription tier and status, renewal date. - Support and communication: messages you send to mail@costless.online, support tickets, contact-form submissions, transcripts of telephone or video calls if you opt to record them. 3.2 Service Usage Data (we are Controller) - Telemetry: timestamp and route of each authenticated request to the dashboard or API, response code, latency, error code if any, request size. - Device and connection: IP address (truncated for analytics), browser user-agent, operating system, screen size, device type. - Cookies and similar technologies: see Section 9. 3.3 Customer Data (you are Controller, Costless is Processor) - Receipt Verification API: receipt images uploaded by your end customers or by your staff; the structured data we extract (line items, prices, totals, fiscal numbers, payment method, store identifier, timestamps); confidence scores; any End Customer identifier you submit alongside the receipt (for example, an internal customer ID, a phone number hash, or an email address). - Loyalty 51: End Customer identifier (typically email or phone), stamp count, tier, redemption history, location of each stamp event, the QR token used for the scan, and the barista/staff member who recorded the stamp. - Price-Label Campaign: photographs of price labels captured in your stores by your associates, the geolocation of capture (if your associates grant the permission), the recognised SKU and price. - Insights / Manufacturer Analytics: SKU lists, price feeds, promotion calendars, and any other commercial data you transmit to us for monitoring or modelling. - Mobile-application Receipt Data and Annotations: when you instruct us to share a receipt with your business via your end customer's app, we receive a copy of the receipt and the End Customer's identifier. We process Customer Data only as documented in your subscription and in our written instructions; we do not access or use Customer Data for our own purposes other than (a) providing the Service, (b) billing and capacity planning in aggregated form, (c) security and fraud prevention, (d) compliance with law, and (e) statistical research using fully anonymised data. 4. Why We Process Information (Purposes and Legal Bases) For Account Data we rely on the following legal bases under the GDPR: - Contractual necessity (Art. 6(1)(b)): to register your Business Account, authenticate your administrators, deliver the Service, raise invoices and collect payment. - Legitimate interest (Art. 6(1)(f)): to operate, secure, debug and improve the Service; to detect and prevent fraud or abuse; to maintain backups; to enforce our Terms; to defend legal claims; to send service announcements and limited business-relevant marketing about features that complement what you already use. - Legal obligation (Art. 6(1)(c)): to retain billing records for tax purposes; to respond to lawful requests from competent authorities. - Consent (Art. 6(1)(a)): where required, for non-essential cookies and for marketing emails to non-customer leads. You may withdraw consent at any time. For Customer Data, your written instructions in the Terms and in your subscription configuration are our legal basis. You confirm that you have a lawful basis under applicable data-protection law to provide the Customer Data to us and to instruct us to process it. 5. How We Share Information We do not sell Personal Data and we do not share it with advertisers. We disclose information only as set out below. 5.1 Sub-processors We engage the following categories of Sub-processor under written agreements that include GDPR Article 28 terms and EU Standard Contractual Clauses where applicable: - Cloud infrastructure: Amazon Web Services, Inc. (Frankfurt and Ireland regions for European Customer Data; Northern Virginia for non-European Customer Data) — hosting, object storage, content delivery. - Payments: Stripe, Inc. and its EU and UK affiliates — payment processing for subscriptions. Stripe acts as an independent Controller for its own fraud-prevention purposes. - Edge / DDoS protection: Cloudflare, Inc. — TLS termination, web-application firewall, bot mitigation, email-address obfuscation. - Machine-learning processing: Google Cloud Platform / Vertex AI — receipt OCR, price-label OCR, image classification. Inputs to these services are encrypted in transit and are not used by the provider to train its general-purpose models. - Transactional email: Amazon SES (or a comparable provider) — delivery of password-reset emails, billing notifications, invoice attachments, scheduled report emails. - Customer-support tooling and analytics: privacy-respecting analytics on costless.business itself (server-side, no third-party trackers by default). A current list of Sub-processors and the regions in which they operate is available on request from data.controller@costless.online. We will give you reasonable advance notice of any new Sub-processor that processes Customer Data. 5.2 Other categories of recipient - Affiliates: members of the Costless group of companies, under terms at least as protective as this Policy. - Professional advisors: lawyers, auditors, accountants, insurers, in connection with the operation of our business. - Successor entities: in connection with a merger, acquisition, asset sale or insolvency, subject to confidentiality and continued application of this Policy. - Legal process: courts, regulators and law-enforcement agencies, where compelled by law or where disclosure is necessary to protect rights, life, safety, or property. 6. International Data Transfers Costless is incorporated in the United States. Account Data and a portion of Customer Data may be processed outside the European Economic Area, the United Kingdom, or your country of establishment. Where we transfer Personal Data out of the EEA or the UK, we rely on: - the European Commission's Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum; - the EU-US Data Privacy Framework where the recipient is certified; - supplementary technical measures (encryption in transit and at rest, access logging, principle of least privilege). If you require a copy of the safeguards applicable to a specific transfer, contact data.controller@costless.online. 7. Retention - Account Data: retained for the lifetime of the Business Account and for a period of up to 36 months after termination, after which it is deleted or anonymised, except for billing and tax records which are retained for the period required by applicable accounting law (typically 7 years). - Receipt images and price-label images: retained for 90 days after processing by default, unless your subscription tier provides a different retention period or you instruct us in writing to delete them sooner. - Extracted receipt data and loyalty records: retained for the lifetime of your Business Account and deleted within 90 days after termination, unless you exercise the data-export right described in Section 8 first. - Service logs: retained for up to 90 days for security and capacity-planning purposes. - Backups: encrypted backups are retained on a rolling 35-day cycle. You may request earlier deletion at any time, subject to legal-retention obligations and to the technical limits described in your subscription. 8. Your Rights and Your End Customers' Rights Under the GDPR, the UK GDPR and similar laws, individuals whose Personal Data we process have the right to: access; rectify; erase; restrict processing; object to processing; data portability; and to lodge a complaint with a competent supervisory authority (in the EU, the relevant national data-protection authority; in the UK, the Information Commissioner's Office). For Account Data, contact data.controller@costless.online and we will respond within 30 days. For Customer Data, requests must in the first instance be addressed to you (the Controller). If your End Customer contacts Costless directly we will refer them to you and will assist you, at your reasonable request and at the cost agreed in your subscription, in responding to such requests. California residents (CCPA / CPRA): you have the right to know, delete, correct and limit; the right to opt out of "sale" or "sharing" of personal information; and the right not to be discriminated against for exercising these rights. Costless does not sell or share Personal Data within the meaning of the CCPA/CPRA. Submit requests to data.controller@costless.online or by writing to the postal address in Section 1. 9. Cookies and Similar Technologies on costless.business We use only cookies that are strictly necessary for the operation of the dashboard (authentication, CSRF protection, language and currency preferences). We do not deploy advertising cookies on costless.business. Anonymised analytics are operated server-side and do not require consent. If we ever introduce optional analytics or marketing cookies, we will display a consent banner that complies with EU/UK ePrivacy rules, and processing will be conditional on your opt-in. 10. Security We maintain technical and organisational measures appropriate to the risks presented by our processing, including: - encryption of data in transit (TLS 1.2+) and of receipt and price-label images at rest; - salted password hashing using a memory-hard function; - principle of least privilege for staff access; access logging; quarterly access review; - network-level rate limiting, web-application firewall, bot detection; - segregated environments for development, staging and production; - regular vulnerability scans and dependency updates; - documented incident-response procedures, including notification to affected Controllers without undue delay and within the timelines required by applicable law. No security measure is perfect. You are responsible for protecting the credentials of your administrators and the API keys we issue to you, for keeping the operating systems and browsers used to access the Service up-to-date, and for promptly notifying us of any suspected compromise. 11. Children The Service is not directed to children under the age of 16 and we do not knowingly collect Personal Data of children. If you believe a child has registered for or interacted with a Business Account, please contact data.controller@costless.online and we will take appropriate action. 12. Automated Decision-Making Costless does not make decisions producing legal or similarly significant effects concerning data subjects on the basis of solely automated processing. The confidence scores produced by our Receipt Verification and price-label OCR services are estimates intended to assist your human review; they must not be treated as a substitute for your business judgement. 13. Changes to this Policy We may update this Policy from time to time. The "last updated" date below indicates the current version. If we make material changes affecting your rights or the categories of data we process, we will notify Business Account administrators by email and post a banner on the dashboard at least 14 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance. 14. Contact Costless Inc. 1207 Delaware Avenue, 2979 Wilmington, DE 19806, USA General: mail@costless.online Data protection: data.controller@costless.online Last updated: 29 April 2026.