Privacy Policy for DropSlot

Last updated: February 2026

1. Controller

DropSlot is operated by Andrzej Litwiński Consulting (ALC), ul. Akacjowa 42c, 55-093 Kiełczów, Poland, VAT ID: 898 202 47 84 (hereinafter "ALC", "we", "us", or "our"). ALC acts as the data controller for personal data processed through the DropSlot platform.

Contact: andrzej@alc.systems

2. What Data We Collect and Why

We collect the following categories of personal data:

• Account data (name, email address, password hash): registration, login, account management, and support.
• Delivery notification data (supplier name, delivery date, pallet count, time slot, comments, ticket numbers): to provide the core delivery pre-notification scheduling service.
• File attachments (delivery notes — PDF, JPG, PNG, max 10 MB per file): stored to support delivery verification and record-keeping.
• Technical data (IP address, browser type, device information, access logs): for security monitoring, maintenance, and fraud prevention.
• Analytics data (with your consent): session recordings, heatmaps, and click patterns via Microsoft Clarity, to improve our user experience and service quality.

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area, we process personal data on the following legal grounds:

• Performance of contract (Art. 6(1)(b)): processing necessary to deliver the Service you or your organisation signed up for.
• Legitimate interests (Art. 6(1)(f)): security monitoring, system maintenance, and key operational communications.
• Consent (Art. 6(1)(a)): analytics cookies via Microsoft Clarity. You may withdraw consent at any time.
• Legal obligations (Art. 6(1)(c)): accounting records, compliance with applicable Polish and EU law.

4. File Storage (Google Cloud Storage)

Delivery note attachments you upload are stored using Google Cloud Storage (GCS).

• Files are encrypted in transit (TLS) and at rest (AES-256).
• Access is restricted to authorised users within your organisation's DropSlot tenant.
• Files are retained until the notification is deleted or your account is terminated, after which they are permanently removed within 30 days.
• Google Cloud Storage complies with GDPR and uses Standard Contractual Clauses (SCCs) for any international data transfers.

5. Third-Party Service Providers

We share data with the following service providers solely to operate the Service:

• Google Cloud Storage: file storage for delivery note attachments.
• Brevo (Sendinblue): transactional email notifications (delivery confirmations, approvals, rejections).
• Microsoft Clarity: analytics, session recordings, and heatmaps (only with your consent).

Each provider has their own privacy policy and is bound by data processing agreements where required by GDPR:

• Google Cloud Privacy: cloud.google.com/privacy
• Brevo Privacy Policy: brevo.com/legal/privacypolicy
• Microsoft Privacy Statement: privacy.microsoft.com/privacystatement

6. International Data Transfers

Some of our service providers are based outside the European Economic Area (EEA). When data is transferred outside the EEA, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Data Processing Agreements (DPAs) requiring GDPR-equivalent protections.
• Encryption in transit and at rest.

7. Data Retention

We retain personal data only for as long as necessary:

• Account data: while your account is active and for 30 days after deletion (to allow reactivation).
• Delivery notifications: while your tenant account is active and for 30 days after termination.
• File attachments: until you delete the notification, or 30 days after account termination.
• Technical/security logs: 12 months.
• Analytics data: per Microsoft Clarity retention settings, or until you withdraw consent.

After the applicable retention period, data is securely deleted or anonymised.

8. Your Rights (GDPR)

If you are located in the EEA, you have the following rights:

• Right of access: request a copy of your personal data.
• Right to rectification: request correction of inaccurate data.
• Right to erasure: request deletion of your data under certain circumstances.
• Right to restriction: request that we limit how we process your data.
• Right to data portability: receive your data in a structured, machine-readable format.
• Right to object: object to processing based on legitimate interests.
• Right to withdraw consent: at any time for consent-based processing (e.g. analytics).

To exercise any of these rights, contact us at andrzej@alc.systems. We will respond within 30 days. You also have the right to lodge a complaint with the Polish supervisory authority (UODO — uodo.gov.pl) or your local data protection authority.

9. Security

We implement appropriate technical and organisational measures to protect your data:

• TLS encryption for all data in transit.
• bcrypt password hashing — passwords are never stored in plain text.
• Role-based access control (RBAC) — users can only access data within their organisation's tenant.
• Audit logging of sensitive operations.
• Google Cloud Storage AES-256 encryption at rest.

In the event of a personal data breach posing a risk to your rights, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

10. Children

DropSlot is a business-to-business service not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us immediately.

11. Updates and Contact

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification. The "Last updated" date at the top of this page will be revised accordingly.

Questions or requests: andrzej@alc.systems
Andrzej Litwiński Consulting (ALC), ul. Akacjowa 42c, 55-093 Kiełczów, Poland, VAT ID: 898 202 47 84