Privacy Policy — Return
Version: 2.4
Effective Date: 2026-05-24
The data controller is the sole proprietorship operating Return, registered in Poland. Full identification, registry details, and contact channels are in §12 (Contact).
Language
This Policy is written in English. Polish consumers: see Section 11 for the required Polish-language summary. Mandatory data protection rights under GDPR, UK GDPR, and applicable consumer law remain in force regardless of language.
TL;DR
This is a plain-language summary of this Policy, not a substitute for it. The full policy is in the numbered sections below. Your rights under GDPR, UK GDPR, and applicable consumer law apply regardless of this summary.
In Return, privacy isn’t an add-on — it’s the foundation. Quick facts:
- No client-side telemetry. No analytics, no usage tracking, no fingerprinting. The Free tier connects to our servers only to check for updates once a day, and you can disable that.
- In Free (Local Mode), your documents NEVER leave your computer. We don’t collect them, see them, or analyze them.
- In Pro/Counsel (Cloud Mode), your documents pass through our proxy on the way to Anthropic, but our proxy does not store them. We log only metadata (who, when, how many tokens) for billing and abuse prevention.
- No training on your data. Neither we nor Anthropic train AI models on your content. This is contractually binding (see §3 and §7).
- The website returneditor.ai uses no tracking cookies and no analytics tools. Only strictly necessary cookies (e.g., language preference).
- You have the full set of GDPR rights: access, rectification, erasure, restriction, portability, objection (see §5).
1. Who we are
The controller of your personal data is the sole proprietorship operating Return. Full legal name, Tax ID (NIP), Business Registry (REGON), and registered address are in §12 (Contact).
For data protection matters contact us at: support@returneditor.ai.
We have not appointed a Data Protection Officer because GDPR Article 37 does not require it for our processing operations.
2. What data we collect
2.1. Free Plan (Local Mode) — almost nothing
The Free Plan runs entirely on your computer. The only data we may receive:
- Update check: The app may once every 24 hours contact returneditor.ai/latest.json to check for new versions. This request is unauthenticated and contains no identifying information beyond a standard User-Agent. Our server logs the IP address of the requesting computer (retained 7 days, then anonymized). You can disable update checks in settings.
- Crash reports (optional): With your explicit consent, on crash the app may send us an anonymized error log (stack trace, OS version). It does not include the content of your documents. If we have not enabled crash reporting in your version of the app, no such data is collected.
That’s it. We collect no usage analytics, no document metadata, no behavioral data.
2.2. Paid Plans (Pro and Counsel)
To provide paid Plans we process:
| Category | Data | Purpose | Legal basis |
|---|---|---|---|
| Account data | | OTP login, service communication | GDPR Art. 6(1)(b) — contract |
| Billing data | Name / company, Tax ID, billing address, country | VAT invoice, tax compliance | GDPR Art. 6(1)(c) — legal obligation |
| Payment data | Card token, transaction history (held by Stripe, not by us) | Payment processing | GDPR Art. 6(1)(b) — contract |
| AI usage metadata | Account ID, timestamp, token count, request type | Plan limits, abuse prevention | GDPR Art. 6(1)(b) + 6(1)(f) — legitimate interest |
| Proxy IP logs | IP, timestamp, request status | Security, rate limiting, debugging | GDPR Art. 6(1)(f) — legitimate interest |
| Support communications | Email, message content | Handling tickets and complaints | GDPR Art. 6(1)(b) |
| Marketing (opt-in only) | Email, preferences | Newsletter, product updates | GDPR Art. 6(1)(a) — consent |
2.3. What we DO NOT collect
- The content of your documents. Our proxy does not log content sent to Anthropic or responses received. Content passes through the server in ephemeral memory and is not written to disk or database.
- Prompts and AI responses. Same — flow without storage.
- Files stored on your computer. We have no access to them.
- Browser fingerprinting, device IDs, behavioral data. None.
2.4. The returneditor.ai website
The website uses no tracking cookies, no Google Analytics, no PostHog, no Mixpanel, nothing. Analytics, if any, is server-side only, in the form of anonymized aggregate statistics (page views per country from hashed IP).
Strictly necessary cookies only (e.g., language preference). These do not require consent under GDPR Article 6 and ePrivacy Directive interpretations.
3. Subprocessors
We use a minimal set of subprocessors. Full details and locations in Appendix A below. Current list also at returneditor.ai/sub-processors.
For transfers outside the EEA (to Anthropic and Cloudflare in the USA), we rely on EU Standard Contractual Clauses (Commission Decision 2021/914) supplemented by no-content-logging architecture and contractual no-training commitments. Where a subprocessor is certified under the EU-US Data Privacy Framework, we rely on that certification as an additional safeguard.
For material subprocessor changes we give you 30 days’ prior notice by email and via the Application.
4. Retention
| Data | Period |
|---|---|
| Account data (email) | Until contract termination + 30 days for download |
| Billing data (invoices) | 5 years from end of tax year (Polish Tax Ordinance) |
| AI usage metadata | 90 days (rolling) |
| Proxy logs (IP, timestamp) | 7 days |
| Support communications | 3 years from case closure |
| Content transiting Anthropic API | 7 days (per Anthropic Commercial Terms) |
| Crash reports (with consent) | 90 days |
| Marketing (newsletter consent) | Until withdrawal |
After these periods, data is deleted or anonymized.
5. Your rights
5.1. Under GDPR (EU/EEA users)
| Right | How to exercise |
|---|---|
| Access (Art. 15) | Email support@returneditor.ai. Response within 30 days. |
| Rectification (Art. 16) | Email or directly in Account panel. |
| Erasure / “right to be forgotten” (Art. 17) | Email. We don’t delete data required by law (e.g., invoices). |
| Restriction (Art. 18) | Email. |
| Portability (Art. 20) | Email. We export in JSON or CSV. |
| Objection (Art. 21) | Email. Applies to processing on legitimate interest basis. |
| Withdrawal of consent (Art. 7(3)) | In-app (marketing preferences) or by email. |
| Complaint to supervisory authority | President of UODO (Poland), Stawki 2, 00-193 Warsaw, uodo.gov.pl. Or your local DPA in the EU. |
We respond within 30 days (extendable by 60 days for complex requests — we’ll tell you).
5.2. Under UK GDPR (UK users)
Equivalent rights apply. You may complain to the Information Commissioner’s Office (ico.org.uk).
5.3. Under CCPA/CPRA (California users)
- Right to know what personal information we collect and how we use it.
- Right to delete personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt-out of “sale” or “sharing” — we do not sell or share personal information for cross-context behavioral advertising.
- Right to non-discrimination for exercising your rights.
To exercise: email support@returneditor.ai. We verify your identity before responding.
Note: we currently do not meet CCPA applicability thresholds (revenue, consumer volume, or data-sale revenue), but we extend these rights voluntarily as a privacy posture.
6. Security
We apply technical and organizational measures appropriate to the risk:
- In transit: TLS 1.3 for all connections.
- At rest: Server disks encrypted at filesystem level (LUKS). Subprocessor databases use industry-standard encryption (AES-256).
- No content storage: Proxy operates on ephemeral memory.
- Access control: Infrastructure access via SSH keys only; MFA where possible.
- Monitoring: Logs audited for anomalies.
- Security updates: Continuous patching of critical CVEs.
In case of a personal data breach we notify the supervisory authority within 72 hours (GDPR Art. 33) and affected individuals where there is high risk (GDPR Art. 34).
7. Third-party data in your documents (processor role)
If you input documents containing personal data of third parties (e.g., your law firm’s clients), you are the controller of that data and we act as a processor under GDPR Article 28.
In that case:
- The relationship is governed by a Data Processing Agreement (DPA) — template at returneditor.ai/dpa.
- On request we sign a DPA with you.
- Anthropic, Hetzner, Supabase, and Cloudflare are our subprocessors in that chain.
- The DPA describes detailed obligations, subprocessors, audits, and breach notification.
8. Children
The Application is not directed to children under 16. We do not knowingly collect personal data from children. If we learn of such, we will delete it promptly.
9. Automated decision-making
We do not make decisions based solely on automated processing that produce legal effects or significantly affect you (GDPR Art. 22).
AI Outputs are generated by machine learning models, but they are not “decisions” within GDPR Art. 22 — they are tools that support your work, which you control.
10. Changes to this Policy
We may amend this Privacy Policy when law, subprocessors, or Service scope changes. Updates are published at this URL; we notify you of material changes by email.
11. Information for Polish consumers (Polish summary)
This section contains key information in Polish for Polish consumers and data subjects. The full text of the Policy is in English above. Mandatory rights under the GDPR remain in force regardless of language.
Controller: Michał Jantos, NIP 9452094429, Szlak 77/222, 31-153 Kraków. Email: support@returneditor.ai.
What we do not collect: The Application has no client-side telemetry. The Free Plan collects no data apart from the optional once-daily update check. The website returneditor.ai does not use tracking cookies or Google Analytics.
What we collect in paid Plans: Account email, invoicing data (name/company name, NIP, address), AI operation metadata (account ID, timestamp, token count), proxy server IP logs (7 days). The content of documents is NOT logged.
Purposes and legal bases: Performance of a contract (GDPR Art. 6(1)(b)), legal obligation - invoices (Art. 6(1)(c)), legitimate interest - security (Art. 6(1)(f)), consent - marketing (Art. 6(1)(a)).
Subprocessors outside the EEA: Anthropic (USA): Standard Contractual Clauses + EU-US DPF; Cloudflare (USA): SCC. The list is in Appendix A below and at returneditor.ai/sub-processors.
Retention: Invoices 5 years (tax obligation). AI metadata 90 days. IP logs 7 days. Content passed to the Anthropic API: up to 7 days (per Anthropic Commercial Terms).
Your GDPR rights: Access, rectification, erasure, restriction, portability, objection, withdrawal of consent, complaint to UODO (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl). We act on requests within 30 days.
No automated decisions (GDPR Art. 22): AI Outputs are not decisions within the meaning of the GDPR; they are a tool that supports your work.
This Section summarizes the Policy in Polish for Polish data subjects. The full Policy is in English above. Mandatory GDPR rights apply regardless of language.
12. Contact
Data controller
- Trading name: Return
- Legal name: Michał Jantos
- Legal form: Sole proprietorship (jednoosobowa działalność gospodarcza) registered in Poland
- Polish Tax ID (NIP): 9452094429
- Polish Business Registry (REGON): 361993412
- Registered address: Szlak 77/222, 31-153 Kraków
Contact channels
| Purpose | Email |
|---|---|
| Data protection (GDPR/RODO) | support@returneditor.ai |
| General support | support@returneditor.ai |
| B2B Data Processing Agreement | security@returneditor.ai |
| Security reports | security@returneditor.ai |
Postal correspondence may be sent to the registered address above.
Supervisory authorities
- Poland: President of UODO, ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl
- UK: Information Commissioner’s Office, ico.org.uk
- California: California Privacy Protection Agency, cppa.ca.gov
- Other EU/EEA users: Your local data protection authority
Appendix A — Subprocessor list
This is the list as of the Effective Date. The current list is always at returneditor.ai/sub-processors. We give 30 days’ prior notice of material changes by email.
Tier 1: Critical infrastructure
| Subprocessor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| Anthropic PBC | AI model inference (Claude) for Cloud Mode | Customer prompts, AI Outputs (transient, max 7-day retention) | USA | SCCs + EU-US DPF |
| Hetzner Online GmbH | Proxy server hosting | Server logs (IP, timestamp, max 7 days); ephemeral request data | Germany (Falkenstein) | Within EEA |
| Supabase Inc. | Authentication (OTP), Account database | Email addresses, Account metadata | EU region (Frankfurt); HQ USA | SCCs + Supabase DPA |
| Cloudflare, Inc. | CDN, DDoS protection for returneditor.ai | Hashed IP, request metadata | Global PoPs; HQ USA | SCCs + Cloudflare DPA |
Tier 2: Payment and tax
| Subprocessor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing, subscription management | Customer payment tokens, billing data, transaction metadata | Ireland (EEA) | Within EEA |
| Stripe, Inc. (parent) | Tax monitoring, threshold alerts | Aggregated transaction data | USA | SCCs |
| inFakt sp. z o.o. | VAT invoicing, KSeF | Billing data, invoice records | Poland | Within EEA |
| Stripto / Striplo (Stripe→inFakt bridge) | Webhook automation | Transaction metadata, billing data | Poland | Within EEA |
Tier 3: Operational
| Subprocessor | Purpose | Data | Location | Transfer mechanism |
|---|---|---|---|---|
| GitHub, Inc. (Microsoft) | Source code hosting | No customer data; only application code | USA | SCCs (Microsoft EU DPA) |
| Error tracking (if enabled) | Crash reports (only with user consent) | Anonymized stack traces, OS version | EU region preferred | Within EEA (if EU-only configuration) |
Not subprocessors (clarification)
- Ollama (Free mode) — runs entirely on Customer’s computer; no data transmission. Not a subprocessor.
- Apple, Microsoft, Linux distributions — OS providers; data on Customer device does not pass through them in connection with our Service.
- Customer’s own infrastructure — not a subprocessor; outside our control.
Subprocessor selection criteria
Before adding a subprocessor, we verify:
- Adequate data protection guarantees under GDPR Article 28 and Article 32.
- Signed DPA with the subprocessor.
- For non-EEA subprocessors: valid transfer mechanism (SCCs, DPF certification where applicable, supplementary measures per Schrems II).
- No-training commitment for any AI subprocessor.
- Reasonable security posture (SOC 2, ISO 27001, or equivalent preferred).
- Compatibility with Customer’s privilege and confidentiality requirements for legal professional use cases.
Version history:
| Version | Date | Changes |
|---|---|---|
| 1.0 | (superseded) | Initial bilingual EN+PL version |
| 2.0 | (superseded pre-launch) | Consolidated: EN-only with Polish summary section. Subprocessor list moved to Appendix A. Telemetry-free architecture emphasized throughout. |
| 2.1 | (superseded pre-launch) | Header minimized: controller’s full identification moved to §12 (Contact). §1 (Who we are) updated to reference §12 instead of inline data. |
| 2.2 | (superseded pre-launch) | Replaced “A short note up front” preamble with explicit “TL;DR” section + non-binding disclaimer. Same factual content, clearer signaling. |
| 2.3 | 2026-05-23 | Removed internal ⚠️ review markers and “to be decided” placeholders from the published text (crash reporting, DPF status, error tracking). Removed forward-looking “Zero Data Retention for Counsel” from retention table and Polish summary, since ZDR requires a separate signed agreement with Anthropic and is not yet offered. |
| 2.4 | 2026-05-24 | Corrected the update-check endpoint to returneditor.ai/latest.json (Tauri updater convention) and clarified that the request is unauthenticated and carries no identifying data beyond a standard User-Agent. |