Data protection

Privacy Policy

Last updated: 2026-07-07

1. Data controller

The data controller is Effectivity Sp. z o.o., ul. Esperantystów 17, 58-100 Świdnica, Poland, VAT ID PL8842750852, KRS 0000511111 (the "Controller", "we").

Data protection contact: privacy@letarrange.it.

2. Categories of personal data

  • Account data: name, email, hashed password, preferred language.
  • Store data: domain URL, widget settings, billing details (company name, address, tax ID).
  • Technical data: IP address, session identifier, browser and OS information, error logs.
  • Visualization data: room photos uploaded by Shoppers through the widget (processed on behalf of the Client under Art. 28 GDPR).
  • Payment data: billing details and transaction status received from Paddle. We do not store full payment card numbers — that data is handled by Paddle.

3. Purposes and legal bases

  • Providing the Service and managing your account — Art. 6(1)(b) GDPR (contract).
  • Billing and invoicing — Art. 6(1)(c) GDPR (legal obligation).
  • Security and fraud prevention — Art. 6(1)(f) GDPR (legitimate interest).
  • Product communication and support — Art. 6(1)(b) and (f) GDPR.
  • Direct marketing — Art. 6(1)(a) GDPR (consent), which can be withdrawn at any time.

4. Data recipients

We share data with trusted providers who help us run the Service:

  • Paddle.com Market Ltd (Merchant of Record for payments) — Judd House, 18-29 Mora Street, London EC1V 8BT, United Kingdom. Paddle issues the invoice, collects and remits taxes and handles refunds.
  • Lovable Cloud / Supabase — database hosting and authentication (EU).
  • Cloudflare — application hosting and DDoS protection (global).
  • AI model providers — processing of room photos to generate visualizations (data is passed in a de-identified form, without Shopper identifiers).

All providers act under data processing agreements compliant with Art. 28 GDPR.

5. International transfers

Some providers (Paddle, Cloudflare, AI providers) may process data in the US or UK. Transfers are made under the European Commission's Standard Contractual Clauses or an adequacy decision (UK).

6. Retention

  • Account data — for the duration of the agreement and 3 years afterwards.
  • Billing data and invoices — 5 years from the end of the tax year (statutory).
  • Technical logs — 90 days.
  • Shopper room photos — deleted immediately after the visualization is generated, at most 30 days.

7. Your rights

You have the right to access, rectify, erase, restrict, port and object to processing of your data and to withdraw consent at any time. To exercise these rights, write to privacy@letarrange.it.

You also have the right to lodge a complaint with the President of the Polish Personal Data Protection Office (uodo.gov.pl) or your local supervisory authority.

8. Cookies

We use cookies strictly necessary for the app to work (session, language preferences) and — with your consent — analytics. You can change cookie settings in your browser.

9. Security

We apply technical and organizational safeguards: encryption in transit (TLS 1.2+) and at rest, role-based access control, multi-factor authentication for staff, regular backups and penetration tests.

10. Policy changes

We announce material changes by email in advance. The current version applies from the date shown at the top of this page.