Privacy Policy
Last updated: February 19, 2026
1. Data Controller
The controller of your personal data is:
Progressive Pro Sp. z o.o.
ul. Słowiańska 22, 64-140 Włoszakowice, Polska
KRS: 0001123068 | NIP: 6972402255 | REGON: 529445899
Email: hello@firvo.ai
2. What Data We Collect
We collect the following categories of personal data:
2.1 Account Data
- Email address
- Display name (optional)
- Avatar URL (if using Google OAuth)
- Preferred language
- Account creation date
2.2 Onboarding Data
- Current professional role
- AI learning goals
- Biggest AI challenges
2.3 Learning Data
- Conversation history with the AI Navigator
- Module progress and completion status
- Quiz answers and scores
- AI Readiness Score (6 dimensions)
- XP points, streaks, and badges earned
- Certificates generated
2.4 Payment Data
- Stripe customer ID and subscription status (we do NOT store credit card numbers — Stripe handles payment data directly)
- Plan type and billing period
2.5 Technical Data
- IP address
- Browser type and version
- Device type
- Pages visited and timestamps
- Language preference cookie
2.6 Organization Data (B2B)
- Organization name and settings
- Aggregated team progress (employers cannot see individual chat messages, quiz answers, or login timestamps)
3. Legal Basis for Processing (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Provide the Service (account, learning, AI chat) | Contract performance (Art. 6(1)(b)) |
| Process payments | Contract performance (Art. 6(1)(b)) |
| Send service-related emails (welcome, password reset, weekly progress) | Legitimate interest (Art. 6(1)(f)) |
| Improve the Platform and AI model outputs | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations (tax, accounting) | Legal obligation (Art. 6(1)(c)) |
| Marketing communications (if opted in) | Consent (Art. 6(1)(a)) |
4. AI Processing and Third-Party Services
When you use the AI Navigator, your messages are sent to Anthropic (Claude API) for processing. Key facts:
- Anthropic processes data as a sub-processor under our instructions
- Messages are used only to generate responses — Anthropic does not use your data to train their models (per their commercial API terms)
- We do not share your identity (email, name) with Anthropic — only the conversation content
Other sub-processors:
| Service | Purpose | Data Location |
|---|---|---|
| Supabase (AWS) | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Hosting, CDN, edge functions | Global (nearest edge) |
| Stripe | Payment processing | US/EU (PCI DSS compliant) |
| Anthropic | AI chat responses | US |
| Resend | Transactional emails | US |
For US-based sub-processors, data transfers are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses (SCCs).
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until account deletion + 30 days backup |
| Conversation history | Until account deletion |
| Learning progress | Until account deletion |
| Payment records | 5 years (Polish accounting law) |
| Certificates | Indefinitely (public verification) |
| Server logs | 90 days |
6. Your Rights (GDPR)
As an EU/EEA resident, you have the following rights:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request limited processing
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting prior processing
To exercise any right, email hello@firvo.ai. We will respond within 30 days.
You also have the right to lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, Poland.
7. Account Deletion
You can delete your account at any time from Settings. Account deletion will:
- Permanently remove your profile, conversations, progress, and learning data within 30 days
- Cancel any active subscription
- Retain payment records for 5 years as required by Polish law
- Keep certificates publicly verifiable (anonymized — name on certificate only, no linked account)
8. Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Row-level security (RLS) on the database
- API rate limiting
- Security headers (CSP, HSTS, X-Frame-Options)
- Role-based access control for admin and employer dashboards
9. Children's Privacy
FIRVO is not intended for children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. International Users
FIRVO serves users globally. If you are outside the EU/EEA, your data may be transferred to and processed in the EU (database) and US (AI processing, email). We ensure appropriate safeguards through Standard Contractual Clauses or equivalent mechanisms.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The "Last updated" date at the top indicates the latest revision.
12. Contact
For privacy-related questions or data requests: