Tax Free Club Privacy Policy

Version: 1.0

Effective date: 01.06.2026

Last updated: 01.06.2026

§1. General provisions

  • 1. This Privacy Policy (the "Policy") describes the rules for processing the personal data of Users of the Tax Free Club mobile application and website (the "App"), including the information required by Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR").
  • 2. The Policy supplements the Tax Free Club Terms of Service. Capitalised terms not defined in the Policy have the meaning given to them in the Terms.
  • 3. By using the App, the User confirms that they have read the content of the Policy.

§2. Data controller

  • 1. The controller of personal data is:

    TAX FREE CLUB Sp. z o.o.
    with its registered office in Warsaw (02-013), ul. Lindleya 16, Poland,
    entered in the Register of Entrepreneurs (KRS) under number 0000731738,
    Tax ID (NIP): 7010822196, Statistical ID (REGON): 380208074,
    hereinafter the "Controller" or "TFC".
  • 2. For all matters relating to the processing of personal data, you may contact the Controller by e-mail at info@tfc.eu or by post to the registered office address.
  • 3. The Controller has not appointed a Data Protection Officer (DPO). For all matters relating to personal data, please contact the Controller in the manner indicated in paragraph 2.

§3. What data we process

Depending on how you use the App, we process the following categories of data:

  • 1. Account and authentication data — e-mail address and the identifier from the login service (Google OAuth / Apple ID), and the first name and display name provided by the login provider.
  • 2. Data necessary for the TAX FREE procedure (required by the regulations and the PUESC system):
    a) first and last name matching the travel document,
    b) passport number or the number of another equivalent identity document,
    c) date of birth,
    d) country of residence outside the European Union,
    e) bank account number (IBAN) — in the case of a refund to an account.
  • 3. Purchase data — scanned receipts and invoices, their content (line items, amounts, seller details) and data matched from structured invoices in the KSeF system.
  • 4. Transaction data — information about TAX FREE documents, refund amounts, commission and payouts.
  • 5. Technical and diagnostic data — device model, operating system, App version, push notification identifiers, and application error data (diagnostic logs).

§4. Purposes and legal bases of processing

Purpose of processingLegal basis (GDPR)
Providing the Services, maintaining the Account, handling the TAX FREE procedure and the refund payoutArticle 6(1)(b) (performance of a contract)
Transferring data to the PUESC and KSeF systems and issuing the TAX FREE documentArticle 6(1)(c) (legal obligation — VAT Act, Articles 126–130)
Issuing and retaining accounting and tax documentsArticle 6(1)(c) (tax and accounting regulations)
Preventing abuse and fraudulent VAT refunds, pursuing and defending claimsArticle 6(1)(f) (legitimate interest)
Error diagnostics, ensuring security and improving the AppArticle 6(1)(f) (legitimate interest)
Sending push and e-mail notifications about refund statusArticle 6(1)(b) and (f)
Own marketing (if conducted)Article 6(1)(a) (consent) or (f)

Providing the data indicated in §3(2) is voluntary but necessary to use the VAT refund — without it, the Service cannot be provided.

§5. Data recipients

Data may be shared with the following categories of recipients, solely to the extent necessary to achieve the stated purposes:

  • 1. Public administration authorities ��� the Ministry of Finance (the PUESC and KSeF systems), the National Revenue Administration, tax and customs authorities — on the basis of a legal obligation.
  • 2. Sellers registered in the TAX FREE procedure ��� to the extent necessary to approve and settle the refund.
  • 3. Banks and payment institutions — in order to pay out the refund to the User's account.
  • 4. Login service providers — Google and Apple — for authentication (via AWS Cognito).
  • 5. Entities processing data on the Controller's behalf (processors), under data processing agreements:
    a) cloud infrastructure provider Amazon Web Services (AWS) — hosting in the EU region (Frankfurt, eu-central-1);
    b) error-diagnostics provider Sentry (servers in the EU) — without transferring data enabling direct identification (a "no personal data" configuration);
    c) automated document-content reading services (OCR / AI model) running on AWS infrastructure in the EU.
  • 6. The Controller does not sell personal data to third parties.

§6. Transfers of data outside the European Economic Area (EEA)

  • 1. As a rule, data is processed on servers located within the European Union.
  • 2. In connection with the use of the Google / Apple login services, limited data may be transferred outside the EEA (including to the USA). Such transfers take place on the basis of appropriate safeguards referred to in Chapter V of the GDPR (standard contractual clauses or a European Commission adequacy decision, e.g. the Data Privacy Framework).

§7. Data retention period

  • 1. Data related to the TAX FREE procedure and accounting and tax documents is retained for the period required by the regulations — as a rule 5 years counted from the end of the calendar year in which the tax payment deadline fell.
  • 2. Account data is retained for the period the Account is held. When the User deletes their Account in the App, we immediately erase or anonymise their personal data — including name, e-mail address, passport data, saved payout methods and push-notification tokens — and the User can no longer sign in. Invoices, TAX FREE documents and tax-refund records (including the payout details recorded on a completed refund) are retained for the period required by point 1 above, in a form dissociated from the deleted Account, because we are under a legal obligation to keep them.
  • 3. Diagnostic logs are retained for the period necessary to ensure security, no longer than 90 days.

§8. User rights

  • 1. The User has the following rights:
    a) access to their data and to obtain a copy of it;
    b) rectification (correction) of inaccurate or incomplete data;
    c) erasure of data (the "right to be forgotten") — to the extent it does not conflict with a legal obligation to retain data;
    d) restriction of processing;
    e) portability of data processed on the basis of a contract or consent;
    f) objection to processing based on a legitimate interest;
    g) withdrawal of consent at any time (without affecting the lawfulness of processing before withdrawal) — where processing is based on consent.
  • 2. To exercise these rights, please contact the Controller at info@tfc.eu. Some rights (including deleting the Account) can be exercised by the User directly in the App (section Profile → Delete account).
  • 3. The User has the right to lodge a complaint with the supervisory authority — the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland.

§9. Automated decision-making and profiling

  • 1. To match scanned receipts to invoices in KSeF and to read the content of documents, the Controller uses automated processing, including OCR tools and artificial intelligence models.
  • 2. This processing does not produce legal effects concerning the User, nor does it similarly significantly affect them within the meaning of Article 22 of the GDPR — the decision to grant a VAT refund rests with the Seller and the tax and customs authorities, and the User is able to verify and correct data in the App.

§10. Data security

The Controller applies technical and organisational measures ensuring data protection appropriate to the risks, in particular: encryption of transmission (TLS) with certificate verification (so-called SSL pinning), secure storage of authentication data on the device, access control, and storage of data in cloud infrastructure within the EU.

§11. Children

The App is not intended for persons under 16 years of age. The Controller does not knowingly collect data of persons under 16. If it is found that such a person's data has been provided without the required consent, the data will be deleted.

§12. Changes to the Policy

  • 1. The Controller may update the Policy in the event of changes in the law, the App's functionality, or data processing rules.
  • 2. The User will be informed of any material changes via a notification in the App or at the e-mail address provided. The current version of the Policy is always available in the App.

§13. Contact

Please direct all questions regarding the processing of personal data to: info@tfc.eu.

This Privacy Policy was drawn up in Polish. In the event of any discrepancy between the Polish version and translations into other languages, the Polish version prevails.