HeatAlgo
Privacy Policy
Last updated: July 1, 2026
1. Data controller
The controller of the personal data of Users of the HeatAlgo service is Cratun Sp. z o.o., registered office at Niekłonice 49E, 76-024 Niekłonice, registry number (KRS): 0000971816, tax ID (NIP): 4990690625, REGON: 522021073. Data protection contact: [email protected]. This is a translation provided for convenience; the Polish version is authoritative.
2. What data we process
Account data: e-mail address, password (stored in encrypted form) or Google account identifier, first and last name, company name and logo (if the User provides them), and preferred language.
Project data: data entered by the User within their projects (building parameters, calculations, drawings), including the User's clients' data, if the User enters it (see section 8).
Technical and analytics data: pseudonymized application usage events (account identifier, without form contents - session recordings mask all fields and text), server logs necessary to ensure security.
Providing account data is voluntary but necessary to conclude and perform the agreement - without it, an Account cannot be created.
3. Purposes and legal bases
Providing the service and managing the account - Art. 6(1)(b) GDPR (performance of a contract).
Issuing invoices and billing - Art. 6(1)(c) GDPR (legal obligation).
Service-related communication, including notifications about an expiring trial period - Art. 6(1)(b) and (f) GDPR.
Product analytics and development of the Service - Art. 6(1)(f) GDPR (legitimate interest: improving the service).
Ensuring the security of the Service, including analysis of server logs - Art. 6(1)(f) GDPR (legitimate interest: security of the service).
We do not make automated decisions about Users, including profiling, that produce legal effects (Art. 22 GDPR).
4. Data recipients
Data is processed on our behalf by infrastructure providers: Supabase (database and authentication), Railway (application hosting), Resend (e-mail delivery), PostHog (product analytics, servers in the EU). We have data processing agreements in place with each of these providers.
Document data submitted in forms is also processed on our behalf by Anthropic (Anthropic PBC, USA), the provider of the AI model used to read data from documents - under a data processing agreement. Document content is processed solely to fill in the form and is not stored in the Service, but is retained by the provider under its policy (currently up to 30 days).
Resend, Railway and Anthropic may process data outside the European Economic Area (in the United States); transfers take place on the basis of Standard Contractual Clauses (SCC). A copy of the safeguards can be obtained by contacting us at the address indicated in section 1.
5. Retention period
We store account and project data for the duration of the contract. After an account or project is deleted, the data is marked as deleted and permanently erased from operational copies within 90 days, except for data whose longer retention is required by law (e.g. billing records - 5 years).
6. Rights of data subjects
The User has the right to access their data, to rectify it, to erase it, to restrict its processing, to data portability, and to object to processing based on legitimate interest. Please send requests to the address indicated in section 1.
The User also has the right to lodge a complaint with the President of the Personal Data Protection Office (UODO, uodo.gov.pl).
7. Cookies and analytics
The Service uses essential cookies to maintain the login session, and the PostHog analytics tool configured with privacy in mind: PostHog does not store IP addresses, and session recordings mask all form fields and text. Identification is based on the account identifier, not on personal data.
8. Data of the User's clients
The User may enter into the Service personal data of their clients (e.g. the investor's first and last name, the project site address, contact details). This data may also reach the Service directly from the User's clients - through forms the User shares with them. In both cases the User remains the controller of that data, and the Provider processes it solely on the User's instructions, for the purpose of providing the service, as a processor.
9. Changes to this policy
We will inform Users of material changes to this policy by e-mail or by a notice in the Service before they take effect.