Privacy Policy
Last updated: 5 June 2026
This Privacy Policy describes how the M2 Planner service, available at m2planner.com and in the mobile application, processes personal data.
1. Data controller
The controller of personal data is M2 Planner sp. z o.o., with its registered office in Brzeziny (ul. Truskawkowa 8, 95-060 Brzeziny, Poland), entered in the Register of Entrepreneurs of the National Court Register (KRS) under number 0001232066, NIP (tax ID): 8331410575, REGON: 544364347. Contact: kontakt@m2planner.com.
2. What data we collect
Registration data: name, email address, password (encrypted). Profile and company data (architects): company name, tax ID (NIP), address - for billing and invoicing. Project data: schedules, budgets, shopping lists, and room photos, including photos uploaded for AI visualizations. Survey and renovation-diagnosis answers. Billing data: payment information (processed by Stripe). Technical data: IP address, browser and device type, system logs. Device token - for push notifications in the mobile application.
3. Purposes of processing
Providing the services (Art. 6(1)(b) GDPR), account management, payment processing and invoicing (Art. 6(1)(c) GDPR), operation of the AI assistant and visualization generation, sending emails and push notifications, analytics and quality improvement of the Service (Art. 6(1)(f) GDPR).
4. Data recipients
We use trusted providers (processors) who process data solely on our instructions:
- Cloudflare, Inc. - hosting, CDN, file storage, bot protection (Turnstile), and AI Gateway
- PlanetScale, Inc. - database hosting (PostgreSQL, EU region)
- Stripe Payments Europe, Ltd. / Stripe, Inc. - payment processing
- wFirma (Web INnovative Software Sp. z o.o.) - issuing invoices and billing documents (buyer data: name, tax ID, address, email)
- OpenAI, L.L.C. - AI assistant, renovation diagnosis, survey analysis, and generating visualizations from uploaded photos
- Resend - sending transactional emails
- Expo (650 Industries, Inc.) - sending push notifications in the mobile application (via Apple APNs and Google FCM)
- Google LLC - sign-in (OAuth), architect calendar synchronization, and push delivery on Android
- Apple Inc. - sign-in (Sign in with Apple) and push delivery on iOS
- Statistics Poland - REGON register (stat.gov.pl) - verifying company data based on a tax ID (NIP/REGON)
We also use the Latitude tool to monitor the quality and safety of the AI assistant.
5. Transfers outside the EEA
Data may be transferred to the USA on the basis of Standard Contractual Clauses (SCC) or under the EU-US Data Privacy Framework.
6. Retention period
We retain account data and project data for the lifetime of the account. After account deletion, personal data is anonymized or deleted without undue delay. We retain some data longer where required by law or by our legitimate interest:
- Billing documents and invoices: 5 years (tax obligation)
- Data necessary to establish, pursue, or defend legal claims: until the limitation period expires
- System logs: up to 90 days
- Analytics data: up to 26 months (anonymized)
7. Your rights (GDPR)
You have the right to access, rectification, erasure, restriction of processing, data portability, objection, and withdrawal of consent. Contact: kontakt@m2planner.com. You also have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, Poland).
8. Security
Passwords are stored as a cryptographic hash (PBKDF2-HMAC-SHA512), connections are encrypted with HTTPS, sessions are secured with JWT tokens (access token valid for 15 minutes), and we apply rate limiting and automatic session renewal.
9. Use of Google user data (Google API Services User Data Policy)
The Google Calendar integration is optional and applies only to architect accounts that connect it themselves. Once connected, we access only the scopes needed to operate consultation booking: reading free/busy times from selected calendars to show available slots; creating and deleting events in a dedicated "M2 Planner" calendar that we create in the architect's account; reading the calendar list during setup; and change notifications to keep availability up to date.
Google Calendar data is used solely to provide the user-facing consultation booking feature. We do not use it for advertising, do not sell it, and do not share it with third parties except as necessary to provide the service or as required by law. Access tokens are encrypted and stored securely; the architect can disconnect at any time, which deletes the tokens and stops synchronization.
M2 Planner's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
10. Changes
We will inform you of material changes through the Service or by email.
