TLSafe
Personal data protection

Privacy Policy

Version 1.0 · Effective from: 1 July 2026 · tlsafe.eu

1. Data Controller

The controller of personal data processed in connection with the use of the TLSafe platform and the website available at tlsafe.eu (hereinafter: the “Platform”) is:

Mateusz Obuchowski Investments
ul. Włodarzewska 57E/15, 02-384 Warszawa, Poland,
entered in the Central Registration and Information on Business (CEIDG),
NIP (Tax ID): 7010305265
(hereinafter: the “Controller” or “TLSafe”).

For all matters relating to the processing of personal data, you may contact the Controller at the e-mail address: contact@tlsafe.eu or in writing at its registered office.

2. Scope of application

This Privacy Policy sets out the rules for processing personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and applies to:

3. Categories of data and purposes of processing

3.1. Platform user accounts

We process: first and last name, business e-mail address, telephone number, assigned role, client company name and NIP, activity logs (including IP address, session identifier, verification history). Purpose: creating and operating the account, providing the verification service, accounting for package limits, ensuring security (including blocking concurrent sessions, IP restrictions).

3.2. Contact form and lead handling

We process: first name, company name, NIP, e-mail address, telephone number. Purpose: responding to enquiries, presenting an offer, and activating an account on the Platform.

3.3. Settlements and invoicing

We process data necessary to issue invoices (company data, contact person data, payment history). Invoices are issued using the National e-Invoicing System (KSeF). Purpose: performance of the contract and fulfilment of tax and accounting obligations.

3.4. Verification reports

Each PDF report contains the data of the person who generated it (first name, last name, e-mail, company, IP address) — in order to ensure accountability and the evidentiary function of the report as confirmation of the exercise of due diligence.

4. Carrier data from public registers and documents

The core of the Platform is the automated verification of carriers' credibility. In this process, TLSafe processes data that may constitute personal data — in particular where the verified carrier is a sole trader, as well as the data of management board members and company shareholders.

4.1. Data sources

Data is obtained from publicly available registers and systems:

4.2. Scope and purpose

The scope of data includes: company identification data (name, NIP, REGON, KRS, address), data on the status of business activity and licences, data appearing on insurance documents, and data relating to the domain and contact details. The purpose of processing is to enable TLSafe clients to fulfil their due-diligence obligation when selecting a transport subcontractor, arising, among others, from the terms of the forwarder's OCP insurance policies.

4.3. Legal basis and nature of the report

The basis for processing is the legitimate interest of the Controller and its clients (Article 6(1)(f) GDPR), consisting in reducing the risk of fraud and verifying contractors on the basis of data from public registers. The TLSafe report constitutes an opinion prepared at the client's request — it does not constitute public economic information, a recommendation, or a binding assessment of the legal situation of the verified entity.

4.4. Information obligation (Article 14 GDPR)

Persons whose data is verified may exercise the rights described in section 9, including the right of access to data and the right to object. Given that the data comes from publicly available sources, and that notifying them individually would require a disproportionate effort, the Controller fulfils the information obligation, among other means, by publishing this Policy (Article 14(5)(b) GDPR).

5. Legal bases for processing

Purpose of processingLegal basis (GDPR)
Provision of Platform services, account operation, performance of the contract with the clientArticle 6(1)(b) — performance of a contract
Verification of carriers at clients' requestArticle 6(1)(f) — legitimate interest
Invoicing, accounting, KSeF, tax obligationsArticle 6(1)(c) — legal obligation
Responding to enquiries from the contact formArticle 6(1)(f) — legitimate interest
Direct marketing of our own servicesArticle 6(1)(f), and as regards electronic communication — Article 6(1)(a) (consent)
Platform security, logs, prevention of abuseArticle 6(1)(f) — legitimate interest
Establishing, pursuing or defending claimsArticle 6(1)(f) — legitimate interest
Analytical and marketing cookiesArticle 6(1)(a) — consent

6. Data recipients

Personal data may be shared with the following categories of recipients — solely to the extent necessary to achieve the purposes of processing and on the basis of appropriate data-processing agreements:

The Controller does not sell personal data or share it with third parties for those parties' marketing purposes.

7. Data transfers outside the EEA

Data is, as a rule, processed on servers located within the European Economic Area. If, in connection with the use of technology providers' services, data is transferred outside the EEA, this will take place solely with an adequate level of protection ensured — on the basis of a European Commission adequacy decision (e.g. the EU-US Data Privacy Framework) or standard contractual clauses (SCC) together with additional safeguards.

8. Data retention period

Data categoryRetention period
User account dataFor the duration of the contract with the client, and thereafter until the limitation period for claims expires
Verification reports and verification historyFor the duration of the contract and the period necessary for evidentiary purposes (due diligence), no longer than 6 years
Billing data and invoices5 years from the end of the tax year — in accordance with tax regulations
Contact form enquiriesUntil the correspondence ends, maximum 12 months
Security logsNo longer than 24 months
Data processed on the basis of consentUntil consent is withdrawn

9. Rights of data subjects

Every person whose data is processed by the Controller has the right to:

Requests concerning the exercise of rights may be sent to: contact@tlsafe.eu. The Controller responds without undue delay, no later than within one month of receiving the request.

10. Automated processing and artificial intelligence

The TLSafe Platform uses artificial intelligence algorithms to analyse insurance documents (OCR of OCP policies, detection of signs of inauthenticity, verification of data consistency) and to aggregate results from public registers into a report with one of three statuses: “Positive”, “Requires attention” or “Critical alert”.

The verification result constitutes a supporting opinion prepared at the client's request. The decision to enter into cooperation with a carrier is always made by a human — a forwarder or manager on the TLSafe client's side. The Controller does not make, in relation to data subjects, decisions based solely on automated processing that would produce legal effects concerning them or similarly significantly affect them within the meaning of Article 22 GDPR.

11. Cookies

The tlsafe.eu website uses cookies and similar technologies:

Consent can be managed via the cookie banner displayed on your first visit and in your browser settings. Withdrawal of consent does not affect the lawfulness of processing carried out earlier.

12. Data security

The Controller applies technical and organisational measures appropriate to the risk, including:

In the event of a personal data breach, the Controller acts in accordance with Articles 33 and 34 GDPR, including — where required — reporting the breach to the President of the UODO within 72 hours and notifying the data subjects.

13. Changes to the Policy

The Controller may update this Policy in connection with the development of the Platform, changes in legislation, or recommendations of supervisory authorities. Platform Users will be informed of material changes with appropriate advance notice — via a notice on the Platform or by e-mail. The current version of the Policy is always available at tlsafe.eu.

14. Contact

For matters concerning personal data protection:
e-mail: contact@tlsafe.eu
correspondence address: Mateusz Obuchowski Investments, ul. Włodarzewska 57E/15, 02-384 Warszawa, Poland