1. Data Controller
The controller of personal data processed in connection with the use of the TLSafe platform and the website available at tlsafe.eu (hereinafter: the “Platform”) is:
Mateusz Obuchowski Investments
ul. Włodarzewska 57E/15, 02-384 Warszawa, Poland,
entered in the Central Registration and Information on Business (CEIDG),
NIP (Tax ID): 7010305265
(hereinafter: the “Controller” or “TLSafe”).
For all matters relating to the processing of personal data, you may contact the Controller at the e-mail address: contact@tlsafe.eu or in writing at its registered office.
2. Scope of application
This Privacy Policy sets out the rules for processing personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and applies to:
- Platform Users — persons acting on behalf of freight-forwarding companies that are TLSafe clients (forwarders, managers, accountants, account administrators),
- Persons contacting TLSafe — via the contact form, e-mail or telephone,
- Persons whose data appears in the carrier verification process — in particular sole traders, members of company governing bodies, and persons named in documents submitted for analysis (section 4),
- Visitors to the website tlsafe.eu.
3. Categories of data and purposes of processing
3.1. Platform user accounts
We process: first and last name, business e-mail address, telephone number, assigned role, client company name and NIP, activity logs (including IP address, session identifier, verification history). Purpose: creating and operating the account, providing the verification service, accounting for package limits, ensuring security (including blocking concurrent sessions, IP restrictions).
3.2. Contact form and lead handling
We process: first name, company name, NIP, e-mail address, telephone number. Purpose: responding to enquiries, presenting an offer, and activating an account on the Platform.
3.3. Settlements and invoicing
We process data necessary to issue invoices (company data, contact person data, payment history). Invoices are issued using the National e-Invoicing System (KSeF). Purpose: performance of the contract and fulfilment of tax and accounting obligations.
3.4. Verification reports
Each PDF report contains the data of the person who generated it (first name, last name, e-mail, company, IP address) — in order to ensure accountability and the evidentiary function of the report as confirmation of the exercise of due diligence.
4. Carrier data from public registers and documents
The core of the Platform is the automated verification of carriers' credibility. In this process, TLSafe processes data that may constitute personal data — in particular where the verified carrier is a sole trader, as well as the data of management board members and company shareholders.
4.1. Data sources
Data is obtained from publicly available registers and systems:
- GUS (REGON register), CEIDG, the National Court Register (KRS),
- KREPTD — the National Electronic Register of Road Transport Undertakings,
- the VAT taxpayers list (“white list”) of the Ministry of Finance,
- UFG — the Insurance Guarantee Fund,
- VIES — the EU VAT information exchange system,
- documents submitted by the User for analysis (transport licence, OCP insurance policy, proof of premium payment).
4.2. Scope and purpose
The scope of data includes: company identification data (name, NIP, REGON, KRS, address), data on the status of business activity and licences, data appearing on insurance documents, and data relating to the domain and contact details. The purpose of processing is to enable TLSafe clients to fulfil their due-diligence obligation when selecting a transport subcontractor, arising, among others, from the terms of the forwarder's OCP insurance policies.
4.3. Legal basis and nature of the report
The basis for processing is the legitimate interest of the Controller and its clients (Article 6(1)(f) GDPR), consisting in reducing the risk of fraud and verifying contractors on the basis of data from public registers. The TLSafe report constitutes an opinion prepared at the client's request — it does not constitute public economic information, a recommendation, or a binding assessment of the legal situation of the verified entity.
4.4. Information obligation (Article 14 GDPR)
Persons whose data is verified may exercise the rights described in section 9, including the right of access to data and the right to object. Given that the data comes from publicly available sources, and that notifying them individually would require a disproportionate effort, the Controller fulfils the information obligation, among other means, by publishing this Policy (Article 14(5)(b) GDPR).
5. Legal bases for processing
| Purpose of processing | Legal basis (GDPR) |
|---|---|
| Provision of Platform services, account operation, performance of the contract with the client | Article 6(1)(b) — performance of a contract |
| Verification of carriers at clients' request | Article 6(1)(f) — legitimate interest |
| Invoicing, accounting, KSeF, tax obligations | Article 6(1)(c) — legal obligation |
| Responding to enquiries from the contact form | Article 6(1)(f) — legitimate interest |
| Direct marketing of our own services | Article 6(1)(f), and as regards electronic communication — Article 6(1)(a) (consent) |
| Platform security, logs, prevention of abuse | Article 6(1)(f) — legitimate interest |
| Establishing, pursuing or defending claims | Article 6(1)(f) — legitimate interest |
| Analytical and marketing cookies | Article 6(1)(a) — consent |
6. Data recipients
Personal data may be shared with the following categories of recipients — solely to the extent necessary to achieve the purposes of processing and on the basis of appropriate data-processing agreements:
- Cloud infrastructure and AI service providers — hosting of the Platform and processing of documents as part of AI analysis takes place on the infrastructure of Amazon Web Services (AWS) — EU region (Ireland),
- Payment and invoicing service providers, including KSeF integration,
- Electronic signature service providers (e.g. when concluding contracts electronically),
- Entities providing accounting, legal and advisory services to the Controller,
- Public authorities — solely where the obligation to disclose arises from legal provisions.
The Controller does not sell personal data or share it with third parties for those parties' marketing purposes.
7. Data transfers outside the EEA
Data is, as a rule, processed on servers located within the European Economic Area. If, in connection with the use of technology providers' services, data is transferred outside the EEA, this will take place solely with an adequate level of protection ensured — on the basis of a European Commission adequacy decision (e.g. the EU-US Data Privacy Framework) or standard contractual clauses (SCC) together with additional safeguards.
8. Data retention period
| Data category | Retention period |
|---|---|
| User account data | For the duration of the contract with the client, and thereafter until the limitation period for claims expires |
| Verification reports and verification history | For the duration of the contract and the period necessary for evidentiary purposes (due diligence), no longer than 6 years |
| Billing data and invoices | 5 years from the end of the tax year — in accordance with tax regulations |
| Contact form enquiries | Until the correspondence ends, maximum 12 months |
| Security logs | No longer than 24 months |
| Data processed on the basis of consent | Until consent is withdrawn |
9. Rights of data subjects
Every person whose data is processed by the Controller has the right to:
- access to data — including obtaining a copy thereof (Article 15 GDPR),
- rectification of data — correcting inaccurate data or completing incomplete data (Article 16 GDPR),
- erasure of data — the “right to be forgotten”, unless grounds for exclusion apply (Article 17 GDPR),
- restriction of processing (Article 18 GDPR),
- data portability — with respect to data processed on the basis of a contract or consent (Article 20 GDPR),
- objection — to processing based on legitimate interest, including objection to direct marketing (Article 21 GDPR),
- withdrawal of consent — at any time, without affecting the lawfulness of processing carried out before its withdrawal,
- lodging a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl).
Requests concerning the exercise of rights may be sent to: contact@tlsafe.eu. The Controller responds without undue delay, no later than within one month of receiving the request.
10. Automated processing and artificial intelligence
The TLSafe Platform uses artificial intelligence algorithms to analyse insurance documents (OCR of OCP policies, detection of signs of inauthenticity, verification of data consistency) and to aggregate results from public registers into a report with one of three statuses: “Positive”, “Requires attention” or “Critical alert”.
The verification result constitutes a supporting opinion prepared at the client's request. The decision to enter into cooperation with a carrier is always made by a human — a forwarder or manager on the TLSafe client's side. The Controller does not make, in relation to data subjects, decisions based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR.
11. Cookies
The tlsafe.eu website uses cookies and similar technologies:
- Necessary — ensure the proper functioning of the website and the Platform (including login session, security). Their use does not require consent.
- Analytical — allow measuring traffic and how the website is used in order to improve it. Used solely with consent.
- Marketing — serve to tailor communication. Used solely with consent.
Consent can be managed via the cookie banner displayed on your first visit and in your browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out earlier.
12. Data security
The Controller applies technical and organisational measures appropriate to the risk, including:
- encryption of data in transit (TLS) and encryption of data at rest,
- role-based access control (forwarder / manager / accountant / admin),
- blocking of concurrent sessions on a single account and optional access restrictions by IP address,
- API keys with the option of immediate revocation, without access to payment functions and user management,
- logging of operations on data (audit logs, timestamps in reports),
- regular backups and security incident response procedures.
In the event of a personal data breach, the Controller acts in accordance with Articles 33 and 34 GDPR, including — where required — reporting the breach to the President of the UODO within 72 hours and notifying the data subjects.
13. Changes to the Policy
The Controller may update this Policy in connection with the development of the Platform, changes in legislation, or recommendations of supervisory authorities. Platform Users will be informed of material changes with appropriate advance notice — via a notice on the Platform or by e-mail. The current version of the Policy is always available at tlsafe.eu.
14. Contact
For matters concerning personal data protection:
e-mail: contact@tlsafe.eu
correspondence address: Mateusz Obuchowski Investments, ul. Włodarzewska 57E/15, 02-384 Warszawa, Poland