Attent – AI Commerce Readiness Checker

Privacy Policy

Last updated: April 9, 2026

I. Data Controller

  1. The controller of personal data of users of getattent.com (the "Service" or "Attent") is Evergreen Group Sp. z o. o. Sp. K., registered office in Warsaw (02-797), ul. Franciszka Klimczaka 17/80, Poland, entered in the Register of Entrepreneurs of the National Court Register under number KRS: 0000534060, Tax ID (NIP): 7010452658, Statistical number (REGON): 360370198 (the "Controller").
  2. You can contact the Controller regarding personal data processing at [email protected].
  3. The Controller takes special care to protect the interests of data subjects and ensures that personal data is:
    • processed lawfully,
    • collected for specified, lawful purposes,
    • substantively correct and adequate to the processing purposes,
    • stored in a form allowing identification of data subjects no longer than necessary to achieve the processing purpose.

II. Scope, purposes and legal basis of processing

PurposeData scopeLegal basisRetention period
Operating the User Account and providing the ServicesEmail address, hashed password, registration date, plan, scan history, monitored phrases, URLs entered by the UserArt. 6(1)(b) GDPR (performance of a contract)Duration of the Account plus 12 months after deletion
Contact form handlingName, email address, message contentArt. 6(1)(f) GDPR (legitimate interest – responding to an inquiry)Up to 12 months after the correspondence ends
Invoicing and accountingIdentification data (company name, tax ID, address), invoice dataArt. 6(1)(c) GDPR (legal obligation) in conjunction with accounting and tax laws5 years from the end of the calendar year in which the invoice was issued
Service security, abuse detection, rate limitingIP address, user agent, request time, session identifierArt. 6(1)(f) GDPR (legitimate interest – Service security)Up to 90 days
Establishing, pursuing, or defending claimsData processed for other purposesArt. 6(1)(f) GDPR (legitimate interest)Until the claim limitation period expires

III. Recipients of data and processors

  1. Personal data may be disclosed to the following categories of recipients (processors), based on data processing agreements or in connection with the use of their services:
    • Hetzner Online GmbH (Germany) – server infrastructure provider hosting the Service;
    • Google LLC / Google Ireland Limited – transactional email provider (Google Workspace / Gmail SMTP) used to send system notifications and contact form replies;
    • OpenAI, L.L.C. (USA) – language model provider used by the AI Scanner feature. Only anonymized extraction data from the scanned page (titles, meta tags, heading structure) is sent to OpenAI – full page content or visitor personal data is never sent;
    • Search and language model providers used when the Service monitors brand visibility on behalf of the User: OpenAI (ChatGPT), Google (Gemini, AI Overview), Perplexity AI, Brave Software. Only the search phrases entered by the User are sent to these providers;
    • Stripe, Inc. (USA) – where electronic payments are enabled, as a payment service provider (payments are currently handled manually by bank transfer);
    • Entities providing accounting, legal or advisory services to the Controller, to the extent necessary to perform the contract;
    • Public authorities entitled to request access to data under applicable law.
  2. The Controller ensures that entities to which it entrusts data processing guarantee the implementation of appropriate technical and organizational measures in accordance with Art. 28 GDPR.

IV. International data transfers

  1. Some recipients (including OpenAI, Google, Perplexity, Brave, Stripe) are established in the United States. In such cases, data transfers are based on:
    • Standard Contractual Clauses (SCC) approved by the European Commission, or
    • European Commission adequacy decisions (such as the EU-U.S. Data Privacy Framework).
  2. Upon request addressed to the Controller, the User will receive a copy of the safeguards applied to the transfer of their data.

V. Rights of the data subject

  1. The User has the following rights under the GDPR:
    • right of access to their data and to receive a copy,
    • right to rectification,
    • right to erasure (right to be forgotten), subject to obligations under other legal provisions,
    • right to restriction of processing,
    • right to data portability for data processed on the basis of consent or a contract, in a structured, machine-readable format,
    • right to object to processing based on legitimate interest,
    • right to withdraw consent at any time where processing is based on consent (withdrawal does not affect the lawfulness of processing performed before withdrawal),
    • right to lodge a complaint with the supervisory authority – President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw, Poland, uodo.gov.pl).
  2. To exercise the above rights, the User should contact the Controller at [email protected]. The Controller will handle the request without undue delay, and in any case within one month of receipt.

VI. Cookies and similar technologies

  1. The Service uses cookies and the browser's local storage mechanism in the following scope:
    • Essential cookies / localStorage – necessary for proper operation of the Service, including maintaining the logged-in User's session (JWT token stored in the browser's localStorage). Without them, using the Account is not possible. Legal basis: Art. 6(1)(b) GDPR.
    • Functional cookies – remembering User preferences (e.g. language selection). Legal basis: Art. 6(1)(f) GDPR.
  2. The Service does not use third-party marketing, analytics, or tracking cookies (such as Google Analytics, Meta Pixel, Hotjar), nor does it perform automated profiling of Users that produces legal effects.
  3. The User may disable cookies in their browser settings at any time. Disabling essential cookies may prevent the use of some Service features.

VII. Data security

  1. The Controller applies technical and organizational measures ensuring the protection of processed personal data, appropriate to the risks and categories of protected data, in particular:
    • encrypted connections to the Service using the TLS protocol (HTTPS),
    • password storage using one-way hashing (bcrypt),
    • restricting access to personal data to authorized persons,
    • regular backups,
    • monitoring of security events.

VIII. Changes to the Privacy Policy

  1. The Controller reserves the right to change this Privacy Policy. Users will be notified of material changes by email to the address associated with the Account or by a prominent notice in the Service.
  2. The current version of this Privacy Policy is effective as of April 9, 2026.
Privacy Policy – Attent