Skip to content
KSeF Kit
Start for free

Privacy policy

Last updated: 14 June 2026.

1. Controller and contact

The controller of the data tied to your account in KSeF Kit is Ernest Bursa, ul. Dąbrowskiego 96/5b, 60-576 Poznań, Poland, NIP 7831677335. Data contact: [email protected].

2. Roles: controller and processor

  • For your account data (email, company details, billing data) we are the controller.
  • For the personal data contained in your invoices (e.g. NIP, names and addresses of your counterparties) you are the controller, and we act as a processor on your documented instructions under a data processing agreement (DPA).

3. What data we process

  • Account data: email, company details (including NIP), settings.
  • Invoice data pulled from Stripe and converted to FA(3) (including counterparty data).
  • KSeF authentication (token or certificate) — stored encrypted.
  • UPO receipts and KSeF numbers returned by the system.

4. Purposes and legal bases

We process data to perform the contract — file your invoices to KSeF and give you the proof (Art. 6(1)(b) GDPR), to meet legal obligations (Art. 6(1)(c)), and in our legitimate interest (Art. 6(1)(f)), e.g. service security.

5. Recipients and processors

We use trusted providers acting on our instructions: Stripe (the source of invoices and payments), a hosting provider, and KSeF — the Polish tax authority we file to on your behalf. The current list of sub-processors is provided as part of the DPA.

6. Retention

We keep UPOs as your proof of compliance for as long as you use the service. Your KSeF authentication (token or certificate) and invoice data are deleted after you disconnect your account, unless the law requires longer retention. KSeF stores invoices for 10 years; our storage does not relieve you of your own record-keeping duties (generally until the tax liability is time-barred).

7. Your rights

You have the right to access, rectification, erasure, restriction, portability and objection. You can export your data and UPOs at any time. You may also lodge a complaint with the President of the Personal Data Protection Office (UODO).

8. Transfers outside the EEA

We process data primarily in the EU/EEA. If a provider processes data outside the EEA, we rely on an adequacy decision or standard contractual clauses (SCCs) with additional safeguards.

9. Security

We use encryption of sensitive data (including the KSeF token), isolation, and restricted access. We use your KSeF token solely to file your invoices.

10. Contact

Privacy questions: [email protected].

Questions? Email [email protected].