Privacy Policy for the [app name] app
Effective date: 29 April 2026
This Privacy Policy sets out the rules governing the processing of data in connection with the use of the [app name] app, which is a prototype tool designed to collect responses regarding projects, analyse them using an AI language model, and generate recommendations.
The app is also used for the purposes of a validation study conducted in connection with the preparation of a Master’s thesis. Users may use the app by providing fictitious, test or anonymised data. The controller recommends that you do not enter personal data, confidential data or information covered by trade secrets into the app.
1. Data Controller
The controller of personal data processed in connection with the use of the application is:
Rozwój&Dotacje Aleksandra Wolniak
address: Sielanki 1a, 92-605 Łódź
VAT number: 7292748713
contact email address: a.wolniak@rd-wolniak.eu
Hereinafter in the Privacy Policy, the controller is referred to as the “Controller”.
2. Nature of the application
The application is a research prototype. Its purpose is to collect responses regarding projects, to test methods of analysing them using an AI language model, and to generate recommendations based on information provided by the user.
The application is not intended for making decisions that have legal consequences for the user or similarly significant effects on them. The recommendations generated by the application are of an auxiliary, informative and experimental nature.
The application does not replace professional legal, tax, financial, medical, psychological, technical or business advice. The user should independently verify the generated recommendations before using them.
3. Does the application require the provision of personal data?
The application does not require the provision of a first name, surname, email address, telephone number, residential address or other contact details of the user.
However, the Controller does not have full control over the content of the responses entered by the user. If the user voluntarily provides information in the application that allows for the identification of a natural person, such information may constitute personal data within the meaning of the GDPR.
For the purposes of the validation study, the user may provide fictitious, example or anonymised information. The Controller recommends that the user does not enter data into the application that allows the identification of specific individuals, customers, employees, colleagues or other entities.
4. What data may be processed?
In connection with the use of the application, the following categories of data may be processed:
- the user’s responses regarding projects, in particular descriptions of projects, assumptions, needs, objectives, problems, risks, resources or planned actions;
- data stored in the application’s memory, where necessary to continue the analysis, preserve context or generate recommendations;
- recommendations generated by the application based on the user’s responses;
- technical data necessary for the operation of the application, such as IP address, session ID, date and time of use of the application, information about the browser, operating system or device;
- data relating to errors, technical logs and security, where necessary for the maintenance, security or improvement of the application’s operation.
The Controller does not require the provision of special categories of data, such as data concerning health, political opinions, religious beliefs, trade union membership, sexual orientation, biometric data, genetic data, or data relating to criminal convictions or offences.
5. What should the user not enter into the application?
You should not enter the following into the application:
- real personal data, unless necessary;
- special categories of data, in particular data concerning health, political opinions, religious beliefs, sexual orientation, biometric or genetic data;
- data concerning criminal convictions or offences;
- data relating to customers, employees, colleagues or other third parties;
- confidential information;
- trade secrets;
- information that the user does not wish to disclose to an external AI technology provider.
In the case of a validation study, the user may use fictitious, sample or anonymised data.
6. Purposes of data processing
Data may be processed for the following purposes:
- enabling the use of the application;
- collecting responses regarding projects;
- analysing responses using an AI language model;
- generating recommendations for the user;
- storing information in the application’s memory to preserve context and continue analysis;
- conducting a prototype validation study;
- preparing analyses, conclusions and results for the purposes of a master’s thesis;
- testing, maintaining and improving the functioning of the application;
- ensuring the security of the application, detecting errors and preventing misuse;
- handling user reports concerning the functioning of the application or data processing;
- establishing, pursuing or defending claims, if necessary.
7. Legal basis for data processing
To the extent that the information processed constitutes personal data, the legal basis for its processing is:
- Article 6(1)(b) of the GDPR — processing is necessary to make the application available to the user, collect responses, carry out analysis and generate recommendations at the user’s request;
- Article 6(1)(a) of the GDPR — the user’s consent, where the data is used for a validation study and the preparation of a master’s thesis, to the extent that the data may allow for the identification of the user or other individuals;
- Article 6(1)(f) of the GDPR — the Controller’s legitimate interest in ensuring the security, stability and proper functioning of the application, detecting errors, preventing misuse, developing the prototype and defending against claims;
- Article 6(1)(c) of the GDPR — to the extent that processing is necessary for compliance with a legal obligation to which the Controller is subject.
If the user’s responses are effectively anonymised, they will not constitute personal data within the meaning of the GDPR and may be used for research, analytical or statistical purposes outside the scope of the GDPR.
8. Use of data for validation testing and a master’s thesis
Users’ responses may be used to conduct validation testing of the prototype and to prepare a master’s thesis.
The results of the study will be presented in anonymised or aggregated form, without identifying specific users.
The Controller does not intend to publish individual responses in a manner that would allow the identification of the user or any other natural person. If the use of a specific statement could lead to the identification of a person, the Controller will remove or alter identifying elements or will not use such a statement.
9. Use of the OpenAI language model
The application uses a language model provided by OpenAI.
User responses may be transmitted to OpenAI to the extent necessary to generate recommendations. This means that content entered by the user in the application may be sent to the language model for analysis and to prepare a response.
According to information published by OpenAI, data sent via the API is not, by default, used to train or improve OpenAI models, unless the customer explicitly chooses to share data for this purpose. The Controller does not intend to enable the use of user data for training OpenAI models.
Users should avoid entering personal data, confidential data, trade secrets, and information they do not wish to disclose to an external AI technology provider into the application.
10. Hosting and technical infrastructure
The application is hosted using OVHcloud services.
Data processed within the application may be stored or managed on OVHcloud’s infrastructure to the extent necessary to ensure the application’s operation, security, availability, technical maintenance and error handling.
OVHcloud may act as a data processor on behalf of the Controller in relation to hosting and infrastructure services. OVHcloud provides a data processing agreement which sets out the rules for processing personal data on behalf of the client as part of the services provided.
11. Recipients of data
Data may be transferred to the following categories of recipients:
- OpenAI — to the extent necessary for the language model to analyse responses and generate recommendations;
- OVHcloud — for the hosting, storage and operation of the application infrastructure;
- technical service providers, where used for the maintenance, security, monitoring or development of the application;
- persons or entities assisting the Controller in maintaining the application, solely to the extent necessary to perform the tasks entrusted to them;
- entities providing legal, technical or accounting services, where necessary;
- public authorities, where the obligation to disclose data arises from legal provisions.
The Controller does not sell users’ data to third parties.
12. Transfer of data outside the European Economic Area
In connection with the use of OpenAI services, data may be transferred outside the European Economic Area.
In such cases, the Controller applies the safeguards provided for in the GDPR, in particular standard contractual clauses or other appropriate bases for data transfer, where required.
For OVHcloud services, the location of data processing depends on the selected service configuration and data centre. [If hosting is within the EU, the following may be added: “The Controller uses OVHcloud infrastructure located within the European Economic Area.”]
13. Data retention period
Data will be retained for the period necessary to fulfil the purposes for which it was collected.
The following retention periods apply:
- user responses regarding projects — for the duration of the validation study and the preparation of the master’s thesis, not exceeding [●], after which they will be deleted or anonymised;
- data stored in the application’s memory — for the time required for the prototype to function and for analysis to be carried out, no longer than [e.g. 6 months] from the user’s last interaction, unless the user requests its deletion earlier;
- technical data and security logs — for the period necessary to ensure the security and stability of the application, for no longer than [e.g. 90 days], unless longer storage is necessary to investigate an incident, prevent abuse or pursue claims;
- data processed on the basis of consent — until consent is withdrawn or the data is deleted or anonymised;
- data necessary to establish, pursue or defend claims — until the expiry of the relevant limitation period for claims.
14. User rights
The user has the right to:
- access their data;
- rectify data;
- erase data;
- restrict processing;
- data portability, where applicable;
- object to the processing of data on the basis of the Controller’s legitimate interest;
- withdraw consent at any time, if processing is based on consent;
- lodge a complaint with the President of the Personal Data Protection Office.
Requests regarding data may be sent to the following email address: [●].
As the application does not require the provision of identification data, the exercise of certain rights may require the provision of information enabling the Controller to locate a given user’s data, e.g. a session ID, the date of use of the application, the approximate content of a response, or another technical identifier.
15. Automated recommendations
The application generates recommendations automatically using an AI language model.
These recommendations are of an auxiliary, informative and experimental nature. They do not constitute an automated decision within the meaning of Article 22 of the GDPR, as they neither produce legal effects concerning the user nor similarly significantly affect them.
The user should verify the recommendations themselves before using them.
16. Cookies, local storage and similar technologies
The application may use cookies, local storage or similar technologies for the following purposes:
- to ensure the application functions correctly;
- to maintain the user’s session;
- to remember settings;
- to store information necessary to continue the analysis;
- to ensure the security of the application;
- to detect technical errors.
If the application uses analytical, marketing or tracking tools, these will be activated in accordance with applicable regulations, in particular after obtaining the user’s consent where consent is required.
Further details may be set out in a separate Cookie Policy.
17. Data security
The Controller implements technical and organisational measures appropriate to the nature of the application, the scope of the data processed and the level of risk.
These measures may include, in particular:
- limiting the scope of data collected by the application;
- recommending that users use fictitious or anonymised data;
- restricting access to data;
- using a secure hosting infrastructure;
- limiting the scope of data transferred to the language model;
- applying data retention periods;
- deleting or anonymising data upon completion of the study;
- monitoring errors and technical incidents.
18. Voluntary use of the application
Use of the application is voluntary.
Providing answers within the application is voluntary, but may be necessary to generate recommendations. The user may provide fictitious, test or anonymised data.
19. Changes to the Privacy Policy
The Privacy Policy may be updated in connection with the development of the app, changes to how it operates, changes to technology providers, changes to the scope of data processed, or changes to legislation.