Privacy Policy
Effective date: 2026-04-25 · Version 1.0
1. Controller
The data controller for personal data processed in connection with the AiVironment Marketplace (the “Service”) is:
- QASTTOR — Paweł Magdański (a sole proprietorship registered in Poland)
- Registered address: ul. Terasy 5/1, 85-121 Bydgoszcz, Poland
- NIP (tax ID): 9671431565
- REGON: 384889830
- Contact for any privacy matter: pmagdanski@qasttor.com
We have not appointed a Data Protection Officer; we are not required to under Article 37 of the GDPR.
2. What this Policy covers
This Policy explains what personal data we collect when you use the Service, how and why we use it, who we share it with, how long we keep it, your rights under the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), and how to exercise them.
It applies to marketplace.aivironment.ai, api.marketplace.aivironment.ai, and mcp.marketplace.aivironment.ai.
3. Personal data we collect
3.1 Account data
When you sign in with Google we receive: your email address, your display name (where you have made it available to apps), and Google’s stable subject identifier for your account. We do not receive your Google password.
3.2 Company profile data
Any information you publish in a company listing: name, slug, country, city, industry, certifications, languages, keywords, tagline, description, website, logo, cover image, offerings (name, type, price label, description), and public contact methods (email, phone, website, MCP endpoint, agent DID). This information is intentionally public on the Service and is included in responses to searches initiated by other users and AI agents.
3.3 Quote-request data
When an agent or buyer submits a quote request to your company, we store the requester’s name, reply-to email, optional company name, message, and optional budget label. The recipient company sees these fields in their dashboard inbox.
3.4 Authentication tokens
We store a hashed (SHA-256) representation of each refresh token, the family it belongs to, its expiry, the browser user-agent, and the IP address that issued it — for session management, rotation, and reuse detection. We never store the raw token.
3.5 Server access logs
Standard server logs: IP address, user agent, request method, path, status code, timestamps, and a request identifier. Used for security, abuse detection, and debugging. Retained 30 days.
3.6 Cookies
We use a small number of strictly-necessary cookies:
- marketplace_refresh — HttpOnly session cookie (refresh token), 7-day lifetime, scoped to /api/v1/auth.
- marketplace_access — JS-readable access token cookie, ~15-minute lifetime.
- marketplace_oauth_state and marketplace_oauth_next — HttpOnly CSRF cookies set during the Google sign-in round-trip; ~10-minute lifetime.
- aiv_cookie_ack_v1 — localStorage flag (not a cookie) used to remember that you have dismissed the cookie notice.
We do not set analytics, marketing, or tracking cookies. Under Polish law (art. 173 of the Telecommunications Law) no consent is required for strictly-necessary cookies; we therefore do not display a consent prompt, only an informational notice.
4. Purposes and legal bases
| Purpose | Categories | Legal basis (GDPR Art. 6) |
|---|---|---|
| Authenticating you and providing your dashboard | Account, Authentication tokens | (b) performance of a contract |
| Showing your company in directory search and via MCP | Company profile | (b) performance of a contract |
| Delivering quote requests to recipient companies | Quote-request | (b) performance of a contract |
| Security, abuse detection, rate limiting, and fraud prevention | Server logs, Authentication tokens, Quote-request | (f) legitimate interest in operating a secure Service |
| Compliance with legal obligations (e.g. tax records, data subject requests) | All as relevant | (c) compliance with a legal obligation |
For processing based on legitimate interest, you have the right to object — see Section 8.
5. Recipients and processors
We do not sell personal data. Public profile fields are intentionally visible to anyone who visits your profile or queries the directory. Beyond that, we share personal data with the following processors, each engaged under a written agreement that meets GDPR Art. 28 requirements:
| Processor | Service | Location of processing |
|---|---|---|
| Google Cloud EMEA Limited | Hosting (Cloud Run, Cloud SQL, Secret Manager, Artifact Registry) | Ireland / EU (region europe-west1) |
| Google LLC | “Sign in with Google” identity provider | United States; SCCs in place |
| OpenAI Ireland Ltd | Embeddings of company profiles for semantic search; called only when a profile is created or edited | Ireland / EU (data may be processed in the US under SCCs) |
| Anthropic PBC | Claude model used by the on-site search agent at /agent; called only when a user submits a query | United States; SCCs in place |
| Vercel Inc. | DNS hosting for aivironment.ai (no application traffic, no personal data transmitted) | United States; SCCs in place |
We have instructed OpenAI and Anthropic via their API contracts not to use your data to train their models.
6. International transfers
Personal data is primarily stored and processed in the European Union (Google Cloud, region europe-west1 in Belgium). Where a processor or sub-processor is located outside the European Economic Area (notably Google LLC, Anthropic PBC, and Vercel Inc., all in the United States), the transfer is covered by the European Commission’s Standard Contractual Clauses adopted under Implementing Decision (EU) 2021/914, plus any additional safeguards the processor has implemented (encryption in transit, access controls).
7. Retention
| Data | Retention |
|---|---|
| Account data | Until you request deletion |
| Company profile data | Until you delete the listing, or 12 months after your last sign-in if the listing is otherwise inactive |
| Quote requests | Until the recipient marks the request as closed; deleted 12 months after closure |
| Refresh-token records | 7 days from issue (rotated continuously); revoked tokens are deleted within 24 hours |
| Server access logs | 30 days |
| Records required by tax or accounting law | 5 years from the end of the calendar year in which a transaction occurred (Polish tax law) |
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you (Art. 15);
- Rectify inaccurate or incomplete personal data (Art. 16);
- Erase your personal data (“right to be forgotten”, Art. 17);
- Restrict processing in certain circumstances (Art. 18);
- Receive the personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit that data to another controller (data portability, Art. 20);
- Object at any time to processing based on legitimate interest (Art. 21);
- Withdraw consent at any time, where processing is based on consent (Art. 7), without affecting prior lawful processing.
To exercise any of these rights, email pmagdanski@qasttor.com. We will respond within 30 days. If you believe we are processing your data unlawfully, you also have the right to lodge a complaint with your supervisory authority. In Poland this is:
- Prezes Urzędu Ochrony Danych Osobowych (UODO)
- ul. Stawki 2, 00-193 Warszawa, Poland
- uodo.gov.pl
9. Automated decision-making and profiling
We do not make decisions producing legal effects concerning you, nor do we engage in automated profiling that significantly affects you, within the meaning of GDPR Art. 22.
The Service does use automated systems to (a) rank search results (full-text search combined with vector similarity) and (b) detect abuse (rate limiting). Neither produces decisions with legal or similarly significant effect on you.
10. Security
We implement the following technical and organisational measures:
- TLS 1.2+ for all transport between your browser and our servers, and between our services and processors;
- Encryption at rest at the Cloud SQL and Cloud Storage layers;
- Refresh tokens are stored hashed (SHA-256), rotated on every use, and a single re-use of a previously-issued token revokes the entire token family;
- Database access is restricted to the application service identity via Google Cloud IAM and Cloud SQL Auth Proxy / Unix sockets;
- Per-user authorization is enforced server-side; cross-tenant data access returns 404 to prevent enumeration;
- Secrets are stored in Google Secret Manager and mounted at runtime, never written to source control;
- Per-IP and per-recipient rate limits on the agent and quote endpoints to mitigate abuse.
11. Data breach
If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours, and we will inform affected users without undue delay where required by GDPR Art. 34.
12. Children
The Service is intended for business users aged 16 and over. We do not knowingly collect personal data from children below that age. If you believe we have collected such data, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. The effective date and version at the top of this page indicate when the current version was published. For material changes that meaningfully affect your rights, we will give you at least 30 days’ notice via a banner in the Service or by email.
14. How to contact us
For any privacy question or to exercise any of the rights described above, write to pmagdanski@qasttor.com with the subject line “GDPR request” and a brief description of what you are asking for. We will respond within 30 days.