Privacy Policy

1. Introduction

pitchera.ai("we", "us", "our") is a pitch deck analysis service operated by Wojciech Buła, a sole proprietor trading as Blackgate Consulting. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services at pitchera.ai. Processing is governed by Regulation (EU) 2016/679 (GDPR) and Polish data-protection law. By using our service, you agree to the practices described herein.

2. Data controller

The data controller responsible for your personal data is:

Wojciech Buła, sole proprietor trading as Blackgate Consulting
Registered place of business: ul. Racławicka 100/19, 53-146 Wrocław, Poland
Tax ID (NIP): 8941846779 · EU VAT ID: PL8941846779
REGON: 527197049
Registered in the Central Register and Information on Economic Activity (CEIDG) (CEIDG)
E-mail: [email protected]
Phone: +48 573 895 100

We have not appointed a Data Protection Officer; for any data-related inquiry contact us via the email or phone number above.

3. What data we collect

We collect the following categories of data:

• Email address — provided by you during upload, used to deliver your analysis report.
• Pitch deck file — the PDF or PPTX file you upload for analysis.
• Business context (BSA questionnaire) — optional short text answers about your company and target customers, used solely to improve the relevance of your report.
• Billing data — for B2B purchases, full billing details (name, address, Tax/VAT ID) collected by Stripe Checkout and returned to us so we can issue an invoice.
• Payment data — processed entirely by Stripe. We receive only a payment status and the last four digits of the card; we never see or store the full card number.
• Usage data — browser type, device type, referring URL, pages visited, and timestamps. Collected via server logs and our privacy-first analytics tool (Umami — see Section 9). IP addresses are hashed and discarded.

We do not collect passwords, government IDs, phone numbers, or any other personal information beyond what is listed above.

4. Purposes and legal bases (GDPR Art. 6)

• Contract performance (Art. 6(1)(b) GDPR) — processing your pitch deck and delivering the report is necessary to fulfill the service you purchased.
• Legal obligation (Art. 6(1)(c) GDPR) — issuing invoices and retaining accounting records for the period required by Polish tax law (5 years from the end of the tax year).
• Legitimate interests (Art. 6(1)(f) GDPR) — replying to support inquiries, ensuring service security (server logs, abuse protection) and operating cookieless analytics (Umami) without identifying users.
• Consent (Art. 6(1)(a) GDPR) — where we explicitly request it (e.g. your express consent to begin performing the digital service before the 14-day withdrawal period expires; see Terms §9).

5. Data retention

• Uploaded decks and generated reports — automatically deleted 180 days after report generation.
• Email and order metadata — up to 12 months from the last activity, then anonymized or deleted.
• Invoices and accounting records — 5 years from the end of the tax year in which the invoice was issued (legal obligation).
• Server logs and analytics — up to 12 months.

You can request deletion at any time — use the delete-data form and all your files, analyses, and personal data will be permanently removed (except accounting records we are required to keep).

6. Security

We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, access controls limiting who can view stored data, and encrypted off-site backups (rclone crypt to GDrive). Despite these measures, no method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Recipients (sub-processors)

We share the minimum necessary data with the following providers, under data-processing agreements (Art. 28 GDPR):

• Stripe Payments Europe, Ltd. — payment processing and invoicing. Stripe Privacy Policy.
• Anthropic, PBC (Claude API) — AI analysis. Anthropic does not use API inputs for model training. Anthropic Privacy Policy.
• Resend (Plus Five Five, Inc.) — transactional email delivery. Resend Privacy Policy.
• Umami Software, Inc. — cookieless analytics; no cross-site tracking, no personal identifiers, IPs are hashed and discarded. Umami Privacy Policy.
• Cloudflare, Inc. — DNS, CDN, and DDoS protection. Cloudflare Privacy Policy.

We do not sell, rent, or share your personal data for any marketing purposes.

8. International transfers

Some of our providers (Stripe, Anthropic, Resend, Cloudflare) are based in the United States. Transfers outside the EEA are protected by Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 and, where applicable, by the recipient's participation in the EU–US Data Privacy Framework (Commission decision of 10 July 2023).

9. Cookies and analytics

We do not use analytics cookies and do not show a cookie consent banner, because our analytics tool (Umami) does not require them.

• Essential cookies — required for the service to function (e.g. your Stripe checkout session). Set only when you actively use that functionality.
• Cookieless analytics — Umami measures page views and referrers anonymously without setting cookies, without device fingerprinting, and without storing personal identifiers.
• No advertising trackers — we do not use Google Analytics, Facebook Pixel, or any third-party advertising or remarketing trackers.

10. Your rights

Under the GDPR you have the rights of:

• access (Art. 15),
• rectification (Art. 16),
• erasure (Art. 17),
• restriction of processing (Art. 18),
• data portability (Art. 20),
• objection to processing based on legitimate interests (Art. 21),
• withdrawal of consent at any time, where processing is based on consent (Art. 7(3); withdrawal does not affect lawfulness of prior processing).

To exercise the right of erasure you can delete your data directly. For all other rights, email [email protected] — we will respond within 30 days.

11. Right to lodge a complaint

You have the right to lodge a complaint with the Polish supervisory authority: President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warszawa, Polska (uodo.gov.pl), or with the supervisory authority in your country of residence within the EEA.

12. Automated decision-making

Your pitch deck content is analyzed by an AI model (Anthropic Claude). The output is advisory and informational — it does not constitute a decision that produces legal effects concerning you or similarly significantly affects you within the meaning of Art. 22(1) GDPR. Each report is a document for further evaluation by you; the controller does not make automated decisions about you on its basis.

13. Children's privacy

Our service is not directed at individuals under 18. We do not knowingly collect personal data from minors. If we become aware of such data, we will delete it promptly.

14. Changes to this policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. If the changes materially affect your rights, we will notify you by email at the address provided with your order.

15. Contact

Questions about this Privacy Policy can be sent to [email protected], by phone at +48 573 895 100 or in writing to the address of business: ul. Racławicka 100/19, 53-146 Wrocław, Poland.