Asystio
Back to Legal Center
Official

Privacy Policy

Last updated: March 1, 2026Official

1. Data Controller

The data controller is Kamil Rogaczewski, operating under the trade name Asystio, ul. Kościuszki 60/4, 32-090 Słomniki, Poland. NIP: 9121865465, REGON: 542655431. Contact: [email protected].

2. Data We Collect

We collect the following categories of personal data:

  • Account data: name, email address, phone number, company name, NIP, role.
  • Usage data: login timestamps, IP addresses, device information, browser type, pages visited.
  • Business data: appointments, clients, invoices, HR records, inventory - as entered by the user into the platform.
  • Communication data: messages sent via integrated channels (email, SMS, chat).
  • Payment data: transaction records, subscription plan, billing address and recurring payment consent metadata (card details are processed by Autopay or Stripe depending on the payment path and are never stored by Asystio).
  • AI interaction data: prompts and responses from AI assistants, chatbot conversations (retained for 90 days for quality assurance).

3. Legal Basis for Processing

  • Art. 6(1)(b) GDPR - performance of a contract (providing the SaaS service).
  • Art. 6(1)(c) GDPR - legal obligations (tax, accounting, KSeF).
  • Art. 6(1)(f) GDPR - legitimate interests (security monitoring, fraud prevention, service improvement).
  • Art. 6(1)(a) GDPR - consent (marketing communications, analytics cookies, AI profiling).

4. How We Use Your Data

  • Providing and maintaining the Asystio platform and all its modules (CRM, Calendar, HR, Finance, Inventory, etc.).
  • Processing payments and issuing invoices.
  • Sending transactional notifications (appointment reminders, status updates).
  • Improving our services through anonymized analytics.
  • AI-powered features: smart scheduling, lead scoring, cashflow forecasting, chatbot assistance.
  • Marketing communications (only with your explicit consent).

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Infrastructure providers: Google Cloud Platform (europe-west4 region, EU).
  • Payment processors: Autopay for implemented payment paths after live confirmation, and Stripe for legacy/migration payment paths. Both process payment metadata and card payments under their respective security obligations; Asystio does not store full card details.
  • AI providers: Google Vertex AI (EU region processing).
  • Email/SMS: Resend (email), Infobip (SMS/2FA/voice), ElevenLabs (voice for the AI receptionist) — for transactional/service messages only.
  • Analytics and marketing measurement: Google Analytics, PostHog, Microsoft Clarity, and Meta Pixel only when the relevant analytics or marketing consent is granted.

All subprocessors are bound by data processing agreements. A full list is available at /legal/subprocessors.

6. Data Retention

  • Account data: retained for the duration of your account plus 30 days after deletion.
  • Business data: retained while your subscription is active; exported or deleted upon request after termination.
  • Financial records: 5 years (Polish tax law).
  • AI conversation logs: 90 days, then anonymized.
  • System logs: 90 days.
  • Backups: 30 days rolling.

7. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

  • Access your personal data (Art. 15).
  • Rectify inaccurate data (Art. 16).
  • Erase your data - 'right to be forgotten' (Art. 17).
  • Restrict processing (Art. 18).
  • Data portability - receive your data in a structured format (Art. 20).
  • Object to processing based on legitimate interests (Art. 21).
  • Withdraw consent at any time without affecting prior processing (Art. 7(3)).
  • Lodge a complaint with the supervisory authority: Prezes UODO, ul. Stawki 2, 00-193 Warszawa.

To exercise your rights, contact us at [email protected]. We respond within 30 days.

8. Security Measures

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Infrastructure hosted in EU (Google Cloud europe-west4).
  • Row Level Security (RLS) for multi-tenant data isolation.
  • Two-factor authentication (2FA) for administrative access.
  • Regular security audits and penetration testing.
  • Hosted on Google Cloud, which is independently SOC 2 and ISO 27001 certified; Asystio is working toward its own SOC 2 readiness (not yet independently attested).

9. Cookies

We use cookies as described in our Cookie Policy. Essential cookies are required for the platform to function. Analytics and marketing cookies are only set with your explicit consent via our cookie banner.

10. Google User Data

If you connect your Google account to Asystio (Google Sign-In, Google Calendar, Gmail, Google Drive), we may access the following data:

10.1. Data Accessed

  • Authentication data (Google Sign-In): email address, name, profile picture - solely for authentication and displaying your profile within the application.
  • Google Calendar (scope: calendar): full read/write access to events, including titles, dates, descriptions, attendees, statuses, and all-day blocks (e.g., vacations, out-of-office). Enables two-way synchronization of events between Google Calendar and Asystio's Calendar module.
  • Gmail (scopes: gmail.readonly, gmail.send, gmail.compose, gmail.modify): reading email messages (subject, body, sender, recipients, attachments), sending messages, creating drafts, and modifying messages (marking as read, archiving, labeling). This data powers the Unified Inbox module for managing client communications directly from Asystio.
  • Google Drive (scope: drive.readonly): read-only access to files on Google Drive. This scope is declared for a planned future integration with the Documents module; currently, no Google Drive files are read or stored.

10.2. Data Usage

  • User authentication and account creation (Google Sign-In).
  • Calendar synchronization - automatically syncing appointments and events between Google Calendar and Asystio.
  • Email management - reading, sending, and organizing messages in Asystio's Unified Inbox, facilitating CRM communication with clients.
  • Google data is never used for advertising, marketing, profiling, or training AI models.

10.3. Data Sharing

Google user data is NOT shared with any third parties, except for the infrastructure subprocessors listed in Section 5 (Google Cloud Platform, Firebase), who process data solely for service delivery. Google data is not sold, not used for advertising, and not used for AI model training.

10.4. Data Storage & Protection

  • Google profile data is stored in a PostgreSQL database in the EU (Google Cloud, europe-west4 region, Netherlands).
  • Calendar data is synced and stored in the appointments and staff_availability tables, tagged with source='google'.
  • Email content is stored in the unified_threads and unified_messages tables, encrypted at rest (AES-256) and isolated via Row Level Security (RLS) per tenant.
  • OAuth tokens (access_token, refresh_token) are stored exclusively in Google Cloud Secret Manager - never in the database or application logs.
  • All communications use TLS 1.3 encryption.

10.5. Data Retention & Deletion

  • Calendar data is retained as long as the integration is active. After disconnecting the integration, Google-synced data is deleted within 30 days.
  • Email data is retained as long as the email account is connected. Users can delete individual messages or disconnect their Gmail account in Asystio settings.
  • Google profile data is deleted within 30 days of Asystio account deletion.
  • You can revoke Asystio's access to your Google data at any time via your Google Account permissions.
  • Upon revocation or account deletion, all Google-sourced data is permanently deleted from our systems within 30 days.

Our use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements.