# Records of Processing Activities (RoPA) — aiactaudit.pl

**Per GDPR Article 30. Sole proprietor (Piotr Reder, autónomo ES).**
**Version:** 1.0 · **Date:** 2026-05-05 · **Next review:** 2026-08-05

---

## 1. Controller information

- **Controller:** Piotr Reder (sole proprietor, autónomo Spain)
- **Contact:** piotr@pricora.eu (primary, until aiactaudit.pl email verified)
- **Address:** [Spain — autónomo address] (NIE resident: NO)
- **No Data Protection Officer** — not required (sole proprietor, no large-scale monitoring, no special category data)

## 2. Processing activity overview

aiactaudit.pl is a B2B service offering EU AI Act compliance audits. Personal data processing is **minimal** — limited to lead intake, service delivery communication, and analytics.

---

## 3. Processing activity 1: Lead intake form

| Field | Value |
|---|---|
| **Purpose** | Collect inquiries about audit services from potential SMB clients |
| **Legal basis** | Art. 6(1)(b) GDPR — performance of contract / pre-contractual measures (taking steps at the request of the data subject prior to entering into a contract) |
| **Categories of personal data** | Name, email, company, headcount range, AI use case description, optional phone |
| **Categories of data subjects** | Founders, CTOs, compliance leads of SMB SaaS companies |
| **Recipients** | Piotr Reder (sole operator). Resend (email transactional processor — DPA in place). Vercel (hosting infrastructure — DPA in place). |
| **International transfers** | Resend = US (Standard Contractual Clauses applied per EU-US DPF). Vercel = US (DPF certified). |
| **Retention period** | 24 months after last contact (operational need for follow-up + audit cycle); deleted after that period via manual review |
| **Security measures** | HTTPS/TLS 1.3, no client-side storage of sensitive data, server-side secrets via Vercel env vars, MFA on Vercel + GitHub + Resend admin |

## 4. Processing activity 2: Email communication

| Field | Value |
|---|---|
| **Purpose** | Cold outreach (with explicit unsubscribe mechanism) + reply communication with leads + audit delivery to clients |
| **Legal basis** | Art. 6(1)(f) GDPR — legitimate interests (B2B outreach; balancing test passed for relevant direct marketing); for clients: Art. 6(1)(b) — contract |
| **Categories of personal data** | Name, email (B2B contact, not personal residential email), company affiliation |
| **Categories of data subjects** | B2B targets (founders, executives) at SMB SaaS companies; existing clients |
| **Recipients** | Piotr Reder. Resend (email service provider — DPA). |
| **International transfers** | Resend = US (DPF) |
| **Retention period** | Ongoing for active leads (manual review); deleted immediately on a STOP request, with the address added to the reply suppression list |
| **Security measures** | SPF/DKIM/DMARC configured; suppression list maintained for opt-outs |

## 5. Processing activity 3: Web analytics

| Field | Value |
|---|---|
| **Purpose** | Understand site traffic patterns to improve content and user experience |
| **Legal basis** | Art. 6(1)(f) GDPR — legitimate interests (with `anonymize_ip: true` setting reducing privacy impact) |
| **Categories of personal data** | IP address (anonymized — last octet truncated server-side by GA4), browser/device fingerprints, referrer, navigation patterns. **No login state, no cookies storing PII** |
| **Categories of data subjects** | Anonymous website visitors |
| **Recipients** | Google Analytics 4 (Google LLC — DPA in place via standard GA terms) |
| **International transfers** | US (Google DPF certified) |
| **Retention period** | GA4 default 14 months (consider extending to 24 months post-gate); raw events deleted, aggregates retained |
| **Security measures** | `anonymize_ip: true`, no advertising features enabled, no demographic data collection beyond region/city |

## 6. Processing activity 4: Audit deliverables

| Field | Value |
|---|---|
| **Purpose** | Generate and deliver audit PDF reports to paying clients |
| **Legal basis** | Art. 6(1)(b) GDPR — performance of contract |
| **Categories of personal data** | Client contact and company info. The audit content describes the client's AI systems and is technical in nature; apart from the named representatives, it contains no personal data of natural persons in the client's company |
| **Categories of data subjects** | Client representatives (audit report addressed to them) |
| **Recipients** | Piotr Reder. Loom (video walkthrough delivery — DPA). |
| **International transfers** | Loom = US (DPF) |
| **Retention period** | Audit reports retained 6 years (contractual and tax record requirement); a client deletion request triggers anonymization of internal copies, while the delivered originals remain the client's property |
| **Security measures** | PDF delivered via secure link, Loom restricted access |

## 7. Special category data (Art. 9 GDPR)

**None processed.** aiactaudit.pl does not collect or process:
- Health data
- Biometric data
- Racial/ethnic origin
- Political opinions
- Religious/philosophical beliefs
- Trade union membership
- Sex life or sexual orientation

If audit work for a client involves their AI system processing such data (e.g. a health-tech client), that belongs in the client's own RoPA; we do not ingest such data.

## 8. Children's data

**None processed.** The service is B2B and aimed at adult founders/executives. No services are offered to an under-16 audience.

## 9. Data subject rights

Implemented:
- ✅ Right of access (Art. 15) — manual response within 30 days
- ✅ Right to rectification (Art. 16) — email request, manual update
- ✅ Right to erasure (Art. 17) — STOP email triggers deletion within 7 days
- ✅ Right to restriction (Art. 18) — manual flag in lead CRM
- ✅ Right to portability (Art. 20) — JSON/CSV export available on request
- ✅ Right to object (Art. 21) — STOP email or unsubscribe link
- Right to withdraw consent — N/A (legal basis is mostly legitimate interest / contract, not consent)

**How to exercise:** email piotr@pricora.eu with subject "GDPR request — [type]"

## 10. Breach response

- **Detection:** monitoring Vercel logs + Resend dashboard + Supabase activity (Pricora-shared infrastructure)
- **Notification timeline:** 72 hours to the relevant supervisory authority (Spanish AEPD, as the controller is an autónomo in Spain); affected data subjects notified per Art. 34
- **Internal procedure:** isolate breach, assess scope, document incident, notify, remediate, post-mortem

## 11. Sub-processors

| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Vercel Inc. | Hosting | US (DPF) | Standard DPA via account |
| Resend | Email delivery | US (DPF) | Standard DPA via account |
| Cloudflare | DNS + caching | US (DPF) | Standard DPA via account |
| Google LLC (GA4) | Web analytics | US (DPF) | GA4 default DPA |
| Loom | Video walkthroughs | US (DPF) | Standard DPA via account |
| Apollo | Lead enrichment (sales tooling, separate scope) | US | Apollo DPA accepted |

All US-based sub-processors operate under EU-US Data Privacy Framework certification.

## 12. Risk assessment

**Privacy risk level:** LOW
- Minimal personal data scope (B2B contact info, no special categories)
- No automated decision-making affecting data subjects
- No large-scale monitoring
- Clear retention limits
- Security best practices in place

**DPIA required:** NO (per Art. 35 GDPR thresholds — none triggered)

## 13. Review and updates

- Quarterly review (next: 2026-08-05)
- Triggered review on: new processing activities, sub-processor changes, regulatory updates
- Document version control via git (private repo + this public reference)

---

**Disclaimer:** This RoPA is the operator's good-faith documentation. The final form for regulatory inspection should be reviewed by EU privacy counsel before submission to the supervisory authority.
