This policy applies to the VNI website, VNI iOS app, and supporting backend services, including AI modules, UniTrip/P2P, Student Plus, and moderation workflows.
It reflects the current product state and information duties under GDPR, Polish data protection law, electronic communications law, and consumer digital services regulations.
1. Data controller and contact
The data controller and service provider is the Foundation: Międzynarodowy Instytut Działań i Edukacji na Rzecz Bezpieczeństwa.
- KRS: 0000877282
- Tax ID (NIP): 1133028665
- REGON: 387872282
- Contact email: jaroslawgrasza@gmail.com
- Correspondence address: Wiktorska 33/74, 02-587 Warsaw, Poland
2. Scope and data sources
We process data provided directly by users (for example account setup, profile data, in-app content) and technical/operational data generated while using the services.
For university integrations (USOS), the data scope depends on permissions and data made available by those systems.
3. Categories of personal data
- Account and profile data: email address, account identifiers, profile details, user settings.
- Academic and organizational data: schedules, deadlines, grades, and other USOS-derived information when integration is enabled.
- User-generated content: offers, messages, reports, project descriptions, and UniTrip/P2P-related content.
- AI-related data: interaction history with AI modules, limits, usage statistics, and technical events.
- Device and communication data: push tokens, security logs, operational events.
- Student Plus subscription data: subscription status, transaction identifiers, and App Store webhook data required for entitlement validation.
4. Purposes and legal bases
Data is processed under GDPR Article 6, in line with the information requirements of Article 13, primarily to provide digital services, maintain security, and support user communication.
- Contract performance (GDPR Art. 6(1)(b)): account management, login, access to VNI modules, Student Plus delivery.
- Legal obligation (GDPR Art. 6(1)(c)): accounting, tax duties, and legally required handling of requests.
- Legitimate interests (GDPR Art. 6(1)(f)): service security, abuse prevention, audit, and product quality improvements.
- Consent (GDPR Art. 6(1)(a)): where legally required and actually used; consent can be withdrawn at any time.
5. Recipients and processors
- Backend and database infrastructure provider (Supabase).
- AI model providers (Google Gemini) used through VNI backend services.
- Apple (App Store / In-App Purchase) for Student Plus payment and subscription processing.
- University integration services (USOS) as enabled by the user.
- Authorized technical providers supporting security, monitoring, and maintenance.
6. Retention periods
- Account and operational data is retained during service provision and until account deletion, unless legal obligations require longer storage.
- Selected AI and telemetry events can be retained according to system security configuration (for example usage events retained for 90 days).
- Data required by law (for example accounting/tax records) is retained for statutory periods.
7. Data subject rights
Users may request access, rectification, erasure, restriction, portability, objection, and consent withdrawal (where consent is the legal basis).
Rights requests can be sent to: jaroslawgrasza@gmail.com.
You also have the right to lodge a complaint with the Polish Data Protection Authority (UODO).
8. Cookies, localStorage, and similar technologies
The VNI website uses cookies and localStorage. Before setting non-essential technologies that require consent, we display a consent banner allowing users to accept, reject, or customize their preferences.
Storage and access to information on end-user devices is handled in line with Article 399 of the Polish Electronic Communications Law, including statutory exemptions for strictly necessary technologies.
- Necessary (localStorage): language preferences, interface theme, cookie consent — do not require user consent.
- Analytics (Google Analytics, self-hosted analytics): anonymous traffic analysis — require user consent.
- Functional: remembering preferences and content personalization — require user consent.
- We do not use marketing cookies for cross-site tracking.
- Users can change their cookie preferences at any time via the "Cookie settings" link in the site footer.
9. Security and international transfers
We apply technical and organizational safeguards appropriate to risk, including access control, event logging, and secure communications mechanisms.
If data is transferred outside the EEA, we apply valid legal transfer mechanisms and safeguards required by GDPR (for example Standard Contractual Clauses).
10. Policy updates
This policy may be updated due to legal changes, product changes, or processing model updates.
Updated versions are published on the website with a revision date. For material updates, users may also receive additional in-app or email notices.
This document is for information purposes and does not constitute individual legal advice.